kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-07-17 14:04:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Solved oauth2 configuration bugs

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-07-14 00:33:39 +02:00
parent ce68391b4e
commit c6f49dc6e2
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
View File

@ -16,7 +16,7 @@ server
{% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %}
{% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
{% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', True) | default({}) %}
{% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
{% if acl.blacklist is defined %}
{# 1. Expose everything by default, then protect blacklisted paths #}

4
roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@ -1,7 +1,7 @@
http_address = "0.0.0.0:4180"
cookie_secret = "{{ applications | get_app_conf(oauth2_proxy_application_id, 'credentials.oauth2_proxy_cookie_secret', True) }}"
cookie_secure = "true" # True is necessary to force the cookie set via https
upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}"
upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.port', True) }}"
cookie_domains = ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('keycloak') }}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{ primary_domain }}"] # Required to allow redirection back to original requested target.
@ -13,7 +13,7 @@ oidc_issuer_url = "{{ oidc.client.issuer_url }}"
provider = "oidc"
provider_display_name = "{{ oidc.button_text }}"
{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', True) is defined %}
{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', False) %}
{# role based restrictions #}
scope = "openid email profile {{ oidc.claims.groups }}"
oidc_groups_claim = "{{ oidc.claims.groups }}"