mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-21 11:15:06 +02:00
Kevin Veen-Birkenbach
d1cd87c843
- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
* Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
* Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.
61 lines
1.9 KiB
Django/Jinja
61 lines
1.9 KiB
Django/Jinja
{
|
|
"clientId": "{{ KEYCLOAK_CLIENT_ID }}",
|
|
"name": "",
|
|
"description": "",
|
|
"rootUrl": "{{ KEYCLOAK_REALM_URL }}",
|
|
"adminUrl": "{{ KEYCLOAK_REALM_URL }}",
|
|
"baseUrl": "{{ KEYCLOAK_REALM_URL }}",
|
|
"surrogateAuthRequired": false,
|
|
"enabled": true,
|
|
"alwaysDisplayInConsole": false,
|
|
"clientAuthenticatorType": "client-secret",
|
|
"secret": "{{ OIDC.CLIENT.SECRET }}",
|
|
"redirectUris": {{ KEYCLOAK_REDIRECT_URIS | to_json }},
|
|
"webOrigins": {{ KEYCLOAK_WEB_ORIGINS | to_json }},
|
|
"notBefore": 0,
|
|
"bearerOnly": false,
|
|
"consentRequired": false,
|
|
"standardFlowEnabled": true,
|
|
"implicitFlowEnabled": true,
|
|
"directAccessGrantsEnabled": true,
|
|
"serviceAccountsEnabled": true,
|
|
"publicClient": false,
|
|
"frontchannelLogout": true,
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"frontchannel.logout.url": {{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL | to_json }},
|
|
"realm_client": "false",
|
|
"oidc.ciba.grant.enabled": "false",
|
|
"client.secret.creation.time": "0",
|
|
"backchannel.logout.session.required": "true",
|
|
"standard.token.exchange.enabled": "false",
|
|
"post.logout.redirect.uris": {{ KEYCLOAK_POST_LOGOUT_URIS | to_json }},
|
|
"frontchannel.logout.session.required": "true",
|
|
"oauth2.device.authorization.grant.enabled": "false",
|
|
"display.on.consent.screen": "false",
|
|
"use.jwks.url": "false",
|
|
"backchannel.logout.revoke.offline.tokens": "false"
|
|
},
|
|
"authenticationFlowBindingOverrides": {},
|
|
"fullScopeAllowed": true,
|
|
"nodeReRegistrationTimeout": -1,
|
|
"defaultClientScopes": [
|
|
"web-origins",
|
|
"service_account",
|
|
"acr",
|
|
"roles",
|
|
"profile",
|
|
"basic",
|
|
"email"
|
|
],
|
|
"optionalClientScopes": [
|
|
"address",
|
|
"phone",
|
|
"organization",
|
|
"offline_access",
|
|
"microprofile-jwt",
|
|
"{{ KEYCLOAK_RBAC_GROUP_CLAIME }}",
|
|
"{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}"
|
|
]
|
|
}
|