Replace 01_import.yml with 01_initialize.yml (KEYCLOAK_HOST_IMPORT_DIR) Add generic 02_update.yml (kcadm updater for clients/components) - Resolve ID → read current → merge (kc_merge_path optional) - Preserve immutable fields; support kc_force_attrs Update tasks/main.yml: - Readiness via KEYCLOAK_MASTER_REALM_URL; kcadm login - Merge LDAP component config from Realm when KEYCLOAK_LDAP_ENABLED - Update client settings incl. frontchannel.logout.url realm.json.j2: include ldap.json in UserStorageProvider ldap.json.j2: use KEYCLOAK_LDAP_* vars for bindDn/credential/connectionUrl vars/main.yml: add KEYCLOAK_* URLs/dirs and KEYCLOAK_DICTIONARY_REALM(_RAW) docker-compose.yml.j2: mount KEYCLOAK_HOST_IMPORT_DIR Cleanup: remove 02_update_client_redirects.yml, 03_update-ldap-bind.yml, 04_ssh_public_key.yml; drop obsolete config flag; formatting Note: redirectUris/webOrigins ordering may still cause changed=true; consider sorting for stability in a follow-up.
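{# Keycloak ClientRepresentation rendered by Ansible. It is pulled into the realm
   import (realm.json.j2) and re-applied by the kcadm updater (02_update.yml).
   Every templated value is passed through `to_json`, so a quote or backslash in
   a variable (notably the client secret) cannot break the document or inject
   additional keys. Jinja comments are stripped at render time. #}
{
  "clientId": {{ KEYCLOAK_CLIENT_ID | to_json }},
  "name": "",
  "description": "",
  "rootUrl": {{ KEYCLOAK_REALM_URL | to_json }},
  "adminUrl": {{ KEYCLOAK_REALM_URL | to_json }},
  "baseUrl": {{ KEYCLOAK_REALM_URL | to_json }},
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  {# The rendered file carries the client secret in clear text. Presumably it
     lands in KEYCLOAK_HOST_IMPORT_DIR, which is mounted into the container —
     make sure the template task sets a restrictive mode and no_log. #}
  "secret": {{ OIDC.CLIENT.SECRET | to_json }},
  {# Lists must be emitted with to_json: a bare Jinja list renders as Python repr
     (single quotes). Keep entries exact; avoid wildcard URIs/origins. Sorting the
     lists would make the kcadm updater's change detection stable. #}
  "redirectUris": {{ KEYCLOAK_REDIRECT_URIS | to_json }},
  "webOrigins": {{ KEYCLOAK_WEB_ORIGINS | to_json }},
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  {# NOTE(review): the implicit flow is deprecated by the OAuth 2.0 Security BCP
     and a confidential client using the standard (code) flow should not need it;
     disable unless an application is known to depend on it. #}
  "implicitFlowEnabled": true,
  {# NOTE(review): direct access grants (password/ROPC) are likewise deprecated;
     keep only while a consumer still requires them. #}
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  {# Keycloak stores client attributes as strings. #}
  "attributes": {
    "frontchannel.logout.url": {{ KEYCLOAK_FRONTCHANNEL_LOGOUT_URL | to_json }},
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "client.secret.creation.time": "0",
    "backchannel.logout.session.required": "true",
    {# assumes KEYCLOAK_POST_LOGOUT_URIS is already the "##"-joined string Keycloak
       expects for this attribute, not a list — TODO confirm in vars/main.yml #}
    "post.logout.redirect.uris": {{ KEYCLOAK_POST_LOGOUT_URIS | to_json }},
    "frontchannel.logout.session.required": "true",
    "oauth2.device.authorization.grant.enabled": "false",
    "display.on.consent.screen": "false",
    "use.jwks.url": "false",
    "backchannel.logout.revoke.offline.tokens": "false"
  },
  "authenticationFlowBindingOverrides": {},
  {# NOTE(review): with fullScopeAllowed every role the user holds is copied into
     the token; `false` plus explicit scope mappings is the least-privilege setting. #}
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "service_account",
    "acr",
    "roles",
    "profile",
    "basic",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "organization",
    "offline_access",
    "microprofile-jwt",
    {# These two scope names come from per-application config, so they are
       JSON-encoded like every other templated value instead of being pasted
       into a quoted string. #}
    {{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) | to_json }},
    {{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) | to_json }}
  ]
}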