titan-iac/services/keycloak/scripts/agent_oidc_secret_ensure.sh

#!/usr/bin/env sh
set -euo pipefail

. /vault/secrets/keycloak-admin-env.sh

CLIENT_NAME="agent"
PUBLIC_URL="https://agent.bstein.dev"
VAULT_SECRET_PATH="openclaw/agent-oidc"
KC_URL="http://keycloak.sso.svc.cluster.local"

ACCESS_TOKEN=""
for attempt in 1 2 3 4 5 6 7 8 9 10; do
  if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then
    break
  fi
  echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2
  sleep $((attempt * 2))
done
for attempt in 1 2 3 4 5; do
  TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d "grant_type=password" \
    -d "client_id=admin-cli" \
    -d "username=${KEYCLOAK_ADMIN}" \
    -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
  ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
  if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
    break
  fi
  echo "Keycloak token request failed (attempt ${attempt})" >&2
  sleep $((attempt * 2))
done
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
  echo "Failed to fetch Keycloak admin token" >&2
  exit 1
fi

CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients?clientId=${CLIENT_NAME}" || true)"
CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
client_payload="$(jq -nc \
  --arg client_id "${CLIENT_NAME}" \
  --arg redirect_uri "${PUBLIC_URL}/oauth2/callback" \
  --arg web_origin "${PUBLIC_URL}" \
  '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$redirect_uri],webOrigins:[$web_origin],rootUrl:$web_origin,baseUrl:"/"}')"

if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
  status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H 'Content-Type: application/json' \
    -d "${client_payload}" \
    "$KC_URL/admin/realms/atlas/clients")"
  if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
    echo "Keycloak client create failed (status ${status})" >&2
    exit 1
  fi
  CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "$KC_URL/admin/realms/atlas/clients?clientId=${CLIENT_NAME}" || true)"
  CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
fi

if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
  echo "Keycloak client ${CLIENT_NAME} not found" >&2
  exit 1
fi

SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
  echo "Keycloak client scope groups not found" >&2
  exit 1
fi

DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"

if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
  && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
  status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
    status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
    if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
      echo "Failed to attach groups client scope to ${CLIENT_NAME} (status ${status})" >&2
      exit 1
    fi
  fi
fi

status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H 'Content-Type: application/json' \
  -d "${client_payload}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}")"
if [ "$status" != "204" ]; then
  echo "Keycloak client update failed (status ${status})" >&2
  exit 1
fi

CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
  echo "Keycloak client secret not found" >&2
  exit 1
fi

vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
vault_role="${VAULT_ROLE:-sso-secrets}"
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
vault_token="$(curl -sS --request POST --data "${login_payload}" \
  "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
  echo "vault login failed" >&2
  exit 1
fi

read_status="$(curl -sS -o /tmp/agent-oidc-read.json -w "%{http_code}" \
  -H "X-Vault-Token: ${vault_token}" \
  "${vault_addr}/v1/kv/data/atlas/${VAULT_SECRET_PATH}" || true)"
COOKIE_SECRET=""
if [ "${read_status}" = "200" ]; then
  COOKIE_SECRET="$(jq -r '.data.data.cookie_secret // empty' /tmp/agent-oidc-read.json)"
elif [ "${read_status}" != "404" ]; then
  echo "Vault read failed (status ${read_status})" >&2
  cat /tmp/agent-oidc-read.json >&2 || true
  exit 1
fi
if [ -n "${COOKIE_SECRET}" ]; then
  length="$(printf '%s' "${COOKIE_SECRET}" | wc -c | tr -d ' ')"
  if [ "${length}" != "16" ] && [ "${length}" != "24" ] && [ "${length}" != "32" ]; then
    COOKIE_SECRET=""
  fi
fi
if [ -z "${COOKIE_SECRET}" ]; then
  COOKIE_SECRET="$(openssl rand -hex 16 | tr -d '\n')"
fi

payload="$(jq -nc \
  --arg client_id "${CLIENT_NAME}" \
  --arg client_secret "${CLIENT_SECRET}" \
  --arg cookie_secret "${COOKIE_SECRET}" \
  '{data:{client_id:$client_id,client_secret:$client_secret,cookie_secret:$cookie_secret}}')"
write_status="$(curl -sS -o /tmp/agent-oidc-write.json -w "%{http_code}" -X POST \
  -H "X-Vault-Token: ${vault_token}" \
  -H 'Content-Type: application/json' \
  -d "${payload}" "${vault_addr}/v1/kv/data/atlas/${VAULT_SECRET_PATH}")"
if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
  echo "Vault write failed (status ${write_status})" >&2
  cat /tmp/agent-oidc-write.json >&2 || true
  exit 1
fi

verify_status="$(curl -sS -o /tmp/agent-oidc-verify.json -w "%{http_code}" \
  -H "X-Vault-Token: ${vault_token}" \
  "${vault_addr}/v1/kv/data/atlas/${VAULT_SECRET_PATH}" || true)"
if [ "${verify_status}" != "200" ]; then
  echo "Vault verify failed (status ${verify_status})" >&2
  cat /tmp/agent-oidc-verify.json >&2 || true
  exit 1
fi

echo "Agent OIDC secret ready in Vault"
agent(openclaw): expose oauth protected UI 2026-05-20 17:22:12 -03:00			`#!/usr/bin/env sh`
			`set -euo pipefail`

			`. /vault/secrets/keycloak-admin-env.sh`

			`CLIENT_NAME="agent"`
			`PUBLIC_URL="https://agent.bstein.dev"`
			`VAULT_SECRET_PATH="openclaw/agent-oidc"`
			`KC_URL="http://keycloak.sso.svc.cluster.local"`

			`ACCESS_TOKEN=""`
			`for attempt in 1 2 3 4 5 6 7 8 9 10; do`
			`if curl -fsS "${KC_URL}/realms/master" >/dev/null 2>&1; then`
			`break`
			`fi`
			`echo "Waiting for Keycloak to be reachable (attempt ${attempt})" >&2`
			`sleep $((attempt * 2))`
			`done`
			`for attempt in 1 2 3 4 5; do`
			`TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \`
			`-H 'Content-Type: application/x-www-form-urlencoded' \`
			`-d "grant_type=password" \`
			`-d "client_id=admin-cli" \`
			`-d "username=${KEYCLOAK_ADMIN}" \`
			`-d "password=${KEYCLOAK_ADMIN_PASSWORD}" \|\| true)"`
			`ACCESS_TOKEN="$(echo "$TOKEN_JSON" \| jq -r '.access_token' 2>/dev/null \|\| true)"`
			`if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then`
			`break`
			`fi`
			`echo "Keycloak token request failed (attempt ${attempt})" >&2`
			`sleep $((attempt * 2))`
			`done`
			`if [ -z "$ACCESS_TOKEN" ] \|\| [ "$ACCESS_TOKEN" = "null" ]; then`
			`echo "Failed to fetch Keycloak admin token" >&2`
			`exit 1`
			`fi`

			`CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients?clientId=${CLIENT_NAME}" \|\| true)"`
			`CLIENT_ID="$(echo "$CLIENT_QUERY" \| jq -r '.[0].id' 2>/dev/null \|\| true)"`
			`client_payload="$(jq -nc \`
			`--arg client_id "${CLIENT_NAME}" \`
			`--arg redirect_uri "${PUBLIC_URL}/oauth2/callback" \`
			`--arg web_origin "${PUBLIC_URL}" \`
			`'{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$redirect_uri],webOrigins:[$web_origin],rootUrl:$web_origin,baseUrl:"/"}')"`

			`if [ -z "$CLIENT_ID" ] \|\| [ "$CLIENT_ID" = "null" ]; then`
			`status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \`
			`-H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`-H 'Content-Type: application/json' \`
			`-d "${client_payload}" \`
			`"$KC_URL/admin/realms/atlas/clients")"`
			`if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then`
			`echo "Keycloak client create failed (status ${status})" >&2`
			`exit 1`
			`fi`
			`CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients?clientId=${CLIENT_NAME}" \|\| true)"`
			`CLIENT_ID="$(echo "$CLIENT_QUERY" \| jq -r '.[0].id' 2>/dev/null \|\| true)"`
			`fi`

			`if [ -z "$CLIENT_ID" ] \|\| [ "$CLIENT_ID" = "null" ]; then`
			`echo "Keycloak client ${CLIENT_NAME} not found" >&2`
			`exit 1`
			`fi`

			`SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/client-scopes?search=groups" \| jq -r '.[] \| select(.name=="groups") \| .id' 2>/dev/null \| head -n1 \|\| true)"`
			`if [ -z "$SCOPE_ID" ] \|\| [ "$SCOPE_ID" = "null" ]; then`
			`echo "Keycloak client scope groups not found" >&2`
			`exit 1`
			`fi`

			`DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" \|\| true)"`
			`OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" \|\| true)"`

			`if ! echo "$DEFAULT_SCOPES" \| jq -e '.[] \| select(.name=="groups")' >/dev/null 2>&1 \`
			`&& ! echo "$OPTIONAL_SCOPES" \| jq -e '.[] \| select(.name=="groups")' >/dev/null 2>&1; then`
			`status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \`
			`-H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"`
			`if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then`
			`status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \`
			`-H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"`
			`if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then`
			`echo "Failed to attach groups client scope to ${CLIENT_NAME} (status ${status})" >&2`
			`exit 1`
			`fi`
			`fi`
			`fi`

			`status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \`
			`-H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`-H 'Content-Type: application/json' \`
			`-d "${client_payload}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}")"`
			`if [ "$status" != "204" ]; then`
			`echo "Keycloak client update failed (status ${status})" >&2`
			`exit 1`
			`fi`

			`CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" \| jq -r '.value' 2>/dev/null \|\| true)"`
			`if [ -z "$CLIENT_SECRET" ] \|\| [ "$CLIENT_SECRET" = "null" ]; then`
			`echo "Keycloak client secret not found" >&2`
			`exit 1`
			`fi`

			`vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"`
			`vault_role="${VAULT_ROLE:-sso-secrets}"`
			`jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`
			`login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"`
			`vault_token="$(curl -sS --request POST --data "${login_payload}" \`
			`"${vault_addr}/v1/auth/kubernetes/login" \| jq -r '.auth.client_token')"`
			`if [ -z "${vault_token}" ] \|\| [ "${vault_token}" = "null" ]; then`
			`echo "vault login failed" >&2`
			`exit 1`
			`fi`

			`read_status="$(curl -sS -o /tmp/agent-oidc-read.json -w "%{http_code}" \`
			`-H "X-Vault-Token: ${vault_token}" \`
			`"${vault_addr}/v1/kv/data/atlas/${VAULT_SECRET_PATH}" \|\| true)"`
			`COOKIE_SECRET=""`
			`if [ "${read_status}" = "200" ]; then`
			`COOKIE_SECRET="$(jq -r '.data.data.cookie_secret // empty' /tmp/agent-oidc-read.json)"`
			`elif [ "${read_status}" != "404" ]; then`
			`echo "Vault read failed (status ${read_status})" >&2`
			`cat /tmp/agent-oidc-read.json >&2 \|\| true`
			`exit 1`
			`fi`
			`if [ -n "${COOKIE_SECRET}" ]; then`
			`length="$(printf '%s' "${COOKIE_SECRET}" \| wc -c \| tr -d ' ')"`
			`if [ "${length}" != "16" ] && [ "${length}" != "24" ] && [ "${length}" != "32" ]; then`
			`COOKIE_SECRET=""`
			`fi`
			`fi`
			`if [ -z "${COOKIE_SECRET}" ]; then`
			`COOKIE_SECRET="$(openssl rand -hex 16 \| tr -d '\n')"`
			`fi`

			`payload="$(jq -nc \`
			`--arg client_id "${CLIENT_NAME}" \`
			`--arg client_secret "${CLIENT_SECRET}" \`
			`--arg cookie_secret "${COOKIE_SECRET}" \`
			`'{data:{client_id:$client_id,client_secret:$client_secret,cookie_secret:$cookie_secret}}')"`
			`write_status="$(curl -sS -o /tmp/agent-oidc-write.json -w "%{http_code}" -X POST \`
			`-H "X-Vault-Token: ${vault_token}" \`
			`-H 'Content-Type: application/json' \`
			`-d "${payload}" "${vault_addr}/v1/kv/data/atlas/${VAULT_SECRET_PATH}")"`
			`if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then`
			`echo "Vault write failed (status ${write_status})" >&2`
			`cat /tmp/agent-oidc-write.json >&2 \|\| true`
			`exit 1`
			`fi`

			`verify_status="$(curl -sS -o /tmp/agent-oidc-verify.json -w "%{http_code}" \`
			`-H "X-Vault-Token: ${vault_token}" \`
			`"${vault_addr}/v1/kv/data/atlas/${VAULT_SECRET_PATH}" \|\| true)"`
			`if [ "${verify_status}" != "200" ]; then`
			`echo "Vault verify failed (status ${verify_status})" >&2`
			`cat /tmp/agent-oidc-verify.json >&2 \|\| true`
			`exit 1`
			`fi`

			`echo "Agent OIDC secret ready in Vault"`