kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-09-06 02:11:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimized RBAC implementation

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-07-03 22:51:42 +02:00
parent 1486862327
commit a93e1520d4
20 changed files with 106 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@@ -1,6 +1,5 @@
http_address = "0.0.0.0:4180"
cookie_secret = "{{ applications[oauth2_proxy_application_id].credentials.oauth2_proxy_cookie_secret }}"
email_domains = "{{ primary_domain }}"
cookie_secure = "true" # True is necessary to force the cookie set via https
upstreams = "http://{{ applications[oauth2_proxy_application_id].oauth2_proxy.application }}:{{ applications[oauth2_proxy_application_id].oauth2_proxy.port }}"
cookie_domains = ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('keycloak') }}"] # Required so cookie can be read on all subdomains.
@@ -14,7 +13,11 @@ oidc_issuer_url = "{{ oidc.client.issuer_url }}"
provider = "oidc"
provider_display_name = "Keycloak"
# role restrictions
#cookie_roles = "realm_access.roles"
#allowed_groups = "{{ applications[application_id].allowed_roles }}" # This is not correct here. needs to be placed in applications @todo move there when implementing
# @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5
{% if applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups is defined %}
{# role based restrictions #}
scope = "openid email profile groups"
oidc_groups_claim = "realm_access.roles"
allowed_groups = {{ applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups | tojson }}
{% else %}
email_domains = "{{ primary_domain }}"
{% endif %}