diff --git a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml
index 203114f5..1ef3c32d 100644
--- a/roles/web-app-keycloak/tasks/02_update_client_redirects.yml
+++ b/roles/web-app-keycloak/tasks/02_update_client_redirects.yml
@@ -54,11 +54,6 @@
 | select('string') | list | unique }}
-#- name: "Build post.logout.redirect.uris value ('+' plus explicit URIs without /*)"
-# set_fact:
-# kc_desired_post_logout_uris: >-
-# {{ (['+'] + (kc_redirect_uris | map('regex_replace','/\\*$','') | list)) | join('\n') }}
-
 # 2) Resolve client id (strictly by provided clientId, no fallback)
 - name: "Resolve client internal id for {{ keycloak_client_id }}"
 shell: 
>
@@ -104,15 +99,28 @@
 kc_desired_post_logout_uris_list: >-
 {{ "+" | split('\n') | reject('equalto','') | list | sort }}
+# after "Read current client configuration"
+- name: "Extract current frontchannel logout url"
+ set_fact:
+ kc_current_frontchannel_logout_url: >-
+ {{
+ (
+ (kc_client_obj.stdout | from_json).attributes['frontchannel.logout.url']
+ if 'frontchannel.logout.url' in (kc_client_obj.stdout | from_json).attributes
+ else ''
+ )
+ }}
+
 # 4) Update only when changed
-- name: "Update redirectUris, webOrigins, post.logout.redirect.uris"
+- name: "Update client with redirectUris, webOrigins, frontchannelLogout"
 shell: >
 {{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }}
 -r {{ keycloak_realm }}
 -s 'redirectUris={{ kc_redirect_uris | to_json }}'
 -s 'webOrigins={{ kc_web_origins | to_json }}'
- -s 'attributes."post.logout.redirect.uris"={{ kc_desired_post_logout_uris | to_json }}'
+ -s 'frontchannelLogout=true'
+ -s 'attributes."frontchannel.logout.url"={{ kc_desired_frontchannel_logout_url | to_json }}'
 when: kc_current_redirect_uris != kc_desired_redirect_uris
 or kc_current_web_origins != kc_desired_web_origins
- or kc_current_logout_uris != kc_desired_post_logout_uris_list
+ or kc_current_frontchannel_logout_url != kc_desired_frontchannel_logout_url
diff --git a/roles/web-app-keycloak/templates/import/realm.json.j2 b/roles/web-app-keycloak/templates/import/realm.json.j2
index d07c9cf0..dec51fd5 100644
--- a/roles/web-app-keycloak/templates/import/realm.json.j2
+++ b/roles/web-app-keycloak/templates/import/realm.json.j2
@@ -527,9 +527,10 @@
 "directAccessGrantsEnabled": false,
 "serviceAccountsEnabled": false,
 "publicClient": true,
- "frontchannelLogout": false,
+ "frontchannelLogout": true,
 "protocol": "openid-connect",
 "attributes": {
+ "frontchannel.logout.url": "{{ kc_desired_frontchannel_logout_url }}",
 "realm_client": "false",
 "oidc.ciba.grant.enabled": "false",
 "backchannel.logout.session.required": "true",
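Review bot: The `when:` guard on the update task only compares the frontchannel logout URL, so a client whose attribute already holds the desired URL but still has `frontchannelLogout` set to false is never updated, even though the command now also passes `-s 'frontchannelLogout=true'`. Record the current flag alongside the new URL fact, e.g. `kc_current_frontchannel_logout_enabled: "{{ (kc_client_obj.stdout | from_json).frontchannelLogout | default(false) | bool }}"`, and extend the condition with `or not kc_current_frontchannel_logout_enabled`. The new set_fact parses `kc_client_obj.stdout` twice and may fail if the client object carries no `attributes` key; `{{ ((kc_client_obj.stdout | from_json).attributes | default({})).get('frontchannel.logout.url', '') }}` expresses the same lookup in one line. With the `post.logout.redirect.uris` flag removed from the command, `kc_desired_post_logout_uris_list` (visible at the top of the hunk) and, presumably, `kc_current_logout_uris` are no longer used by this task, and an existing `post.logout.redirect.uris` value on an already-configured client is now left unmanaged; either drop those facts or state in a comment that the attribute is intentionally no longer reconciled.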
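Review bot: `"frontchannel.logout.url": "{{ kc_desired_frontchannel_logout_url }}"` drops the value into JSON without escaping, so a configured URL containing `"` or `\` would make the realm import file unparsable. The task in 02_update_client_redirects.yml serializes the same variable with `| to_json`; writing `"frontchannel.logout.url": {{ kc_desired_frontchannel_logout_url | to_json }},` here keeps the two paths consistent and yields a valid JSON string in every case. The client object this attribute belongs to starts and ends outside the hunk, so whether other templated values in it are escaped the same way cannot be seen here.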
diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml
index e8d771a5..8c3d4b1f 100644
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -21,6 +21,7 @@ keycloak_client_id: "{{ OIDC.CLIENT.ID }}"
 keycloak_ldap_component_name: "{{ ldap.server.domain }}" # Name of the LDAP User Federation component in Keycloak (as shown in UI)
 keycloak_import_realm: "{{ applications | get_app_conf(application_id, 'actions.import_realm') }}" # Activate realm import
 keycloak_update_ldap_bind: "{{ applications | get_app_conf(application_id, 'actions.update_ldap_bind') }}" # Toggle the LDAP bind update step
+kc_desired_frontchannel_logout_url: "{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}/"
 # Docker
 docker_compose_flush_handlers: true # Remember to copy realm import before flush when set to true
\ No newline at end of file
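Review bot: `kc_desired_frontchannel_logout_url` departs from the `keycloak_` prefix used by the surrounding variables (`keycloak_client_id`, `keycloak_ldap_component_name`, `keycloak_import_realm`, `keycloak_update_ldap_bind`) and, unlike each of them, carries no trailing comment saying what it is for. If the `kc_` prefix is kept on purpose because the task file uses it for its facts, add at least a comment such as `# Front-channel logout URL written to the OIDC client; must be reachable from the user's browser` so the trailing slash and the use of WEB_PROTOCOL are explained. The file still ends without a newline (`\ No newline at end of file`); that predates this commit, but is cheap to fix while the file is being edited.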