mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-27 05:55:15 +02:00
Kevin Veen-Birkenbach
c182ecf516
- Improved OIDC variable definitions (12_oidc.yml) - Added account/security/profile URLs - Restructured web-app-desktop tasks and JS handling - Introduced oidc.js and iframe.js with runtime loader - Fixed nginx.conf, LDAP, and healthcheck templates spacing - Improved Lua injection for CSP and snippets - Fixed typos (WordPress, receive, etc.) - Added silent-check-sso nginx location Conversation: https://chatgpt.com/share/68ae0060-4fac-800f-9f02-22592a4087d3
49 lines
3.9 KiB
YAML
49 lines
3.9 KiB
YAML
#############################################
|
|
### Identity and Access Management (IAM) ###
|
|
#############################################
|
|
|
|
#############################################
|
|
### OIDC ###
|
|
#############################################
|
|
# @see https://en.wikipedia.org/wiki/OpenID_Connect
|
|
|
|
# Helper Variables:
|
|
_oidc_client_realm: "{{ OIDC.CLIENT.REALM if OIDC.CLIENT is defined and OIDC.CLIENT.REALM is defined else SOFTWARE_NAME | lower }}"
|
|
_oidc_url: "{{
|
|
( OIDC.URL
|
|
if (OIDC is defined and OIDC.URL is defined)
|
|
else domains | get_url('web-app-keycloak', WEB_PROTOCOL)
|
|
).rstrip('/')
|
|
}}"
|
|
_oidc_client_issuer_url: "{{ _oidc_url ~ '/realms/' ~ _oidc_client_realm }}"
|
|
_oidc_client_id: "{{ OIDC.CLIENT.ID if OIDC.CLIENT is defined and OIDC.CLIENT.ID is defined else SOFTWARE_NAME | lower }}"
|
|
_oidc_account_url: "{{ _oidc_client_issuer_url ~ '/account' }}"
|
|
_oidc_protocol_oidc: "{{ _oidc_client_issuer_url ~ '/protocol/openid-connect' }}"
|
|
|
|
# Definition
|
|
defaults_oidc:
|
|
URL: "{{ _oidc_url }}"
|
|
CLIENT:
|
|
ID: "{{ _oidc_client_id }}" # Client identifier, typically matching your primary domain
|
|
# secret: # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
|
|
REALM: "{{ _oidc_client_realm }}" # The realm to which the client belongs in the OIDC provider
|
|
ISSUER_URL: "{{ _oidc_client_issuer_url }}" # Base URL of the OIDC provider (issuer)
|
|
DISCOVERY_DOCUMENT: "{{ _oidc_client_issuer_url ~ '/.well-known/openid-configuration' }}" # URL for fetching the provider's configuration details
|
|
AUTHORIZE_URL: "{{ _oidc_protocol_oidc ~ '/auth' }}" # Endpoint to start the authorization process
|
|
TOKEN_URL: "{{ _oidc_protocol_oidc ~ '/token' }}" # Endpoint to exchange authorization codes for tokens (note: 'token_url' may be a typo for 'token_url')
|
|
USER_INFO_URL: "{{ _oidc_protocol_oidc ~ '/userinfo' }}" # Endpoint to retrieve user information
|
|
LOGOUT_URL: "{{ _oidc_protocol_oidc ~ '/logout' }}" # Endpoint to log out the user
|
|
CERTS: "{{ _oidc_protocol_oidc ~ '/certs' }}" # JSON Web Key Set (JWKS)
|
|
ACCOUNT:
|
|
URL: "{{ _oidc_account_url }}" # Entry point for the user settings console
|
|
PROFILE_URL: "{{ _oidc_account_url ~ '/#/personal-info' }}" # Section for managing personal information
|
|
SECURITY_URL: "{{ _oidc_account_url ~ '/#/security/signingin' }}" # Section for managing login and security settings
|
|
CHANGE_CREDENTIALS: "{{ _oidc_account_url ~ '/account-security/signing-in' }}" # URL for managing or changing user credentials
|
|
RESET_CREDENTIALS: "{{ _oidc_client_issuer_url ~ '/login-actions/reset-credentials?client_id=' ~ _oidc_client_id }}" # Password reset url
|
|
BUTTON_TEXT: "SSO Login ({{ PRIMARY_DOMAIN | upper }})" # Default button text
|
|
ATTRIBUTES:
|
|
# Attribut to identify the user
|
|
USERNAME: "preferred_username"
|
|
GIVEN_NAME: "givenName"
|
|
FAMILY_NAME: "surname"
|
|
EMAIL: "email" |