kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-29 15:06:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Solved oauth2 bugs and deactivated health-csp role temporary

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-05-13 14:34:16 +02:00
parent 687f9b0703
commit dc4964eda1
14 changed files with 38 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/docker-oauth2-proxy/templates/container.yml.j2
View File

@@ -1,11 +1,11 @@
{% if applications | is_feature_enabled('oauth2',application_id) %}
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:{{applications.oauth2_proxy.version}}
image: quay.io/oauth2-proxy/oauth2-proxy:{{applications['oauth2-proxy'].version}}
restart: {{docker_restart_policy}}
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
ports:
- {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
volumes:
- "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
- "{{docker_compose.directories.volumes}}{{applications['oauth2-proxy'].configuration_file}}:/oauth2-proxy.cfg"
{% endif %}

6
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@@ -3,18 +3,18 @@ cookie_secret = "{{ applications[oauth2_proxy_application_id].creden
email_domains = "{{ primary_domain }}"
cookie_secure = "true" # True is necessary to force the cookie set via https
upstreams = "http://{{ applications[oauth2_proxy_application_id].oauth2_proxy.application }}:{{ applications[oauth2_proxy_application_id].oauth2_proxy.port }}"
cookie_domains = ["{{ domain }}", "{{ domains.keycloak }}"] # Required so cookie can be read on all subdomains.
cookie_domains = ["{{ domains[oauth2_proxy_application_id] }}", "{{ domains.keycloak }}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{ primary_domain }}"] # Required to allow redirection back to original requested target.
# keycloak provider
client_secret = "{{ oidc.client.secret }}"
client_id = "{{ oidc.client.id }}"
redirect_url = "{{ web_protocol }}://{{domain}}/oauth2/callback"
redirect_url = "{{ web_protocol }}://{{domains[oauth2_proxy_application_id]}}/oauth2/callback"
oidc_issuer_url = "{{ oidc.client.issuer_url }}"
provider = "oidc"
provider_display_name = "Keycloak"
# role restrictions
#cookie_roles = "realm_access.roles"
#allowed_groups = "{{ applications[oauth2_proxy_application_id].allowed_roles }}" # This is not correct here. needs to be placed in applications @todo move there when implementing
#allowed_groups = "{{ applications[application_id].allowed_roles }}" # This is not correct here. needs to be placed in applications @todo move there when implementing
# @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5