keycloak: allow harbor direct grants

services/keycloak/harbor-oidc-secret-ensure-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: harbor-oidc-secret-ensure-9
+  name: harbor-oidc-secret-ensure-10
   namespace: sso
 spec:
   backoffLimit: 0

services/keycloak/scripts/harbor_oidc_secret_ensure.sh

@@ -29,7 +29,7 @@ CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
 CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
 
 if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
-  create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}'
+  create_payload='{"clientId":"harbor","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":false,"redirectUris":["https://registry.bstein.dev/c/oidc/callback"],"webOrigins":["https://registry.bstein.dev"],"rootUrl":"https://registry.bstein.dev","baseUrl":"/"}'
   status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
     -H "Authorization: Bearer ${ACCESS_TOKEN}" \
     -H 'Content-Type: application/json' \
@@ -49,6 +49,21 @@ if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
   exit 1
 fi
 
+CLIENT_CONFIG="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}" || true)"
+if [ -n "$CLIENT_CONFIG" ]; then
+  updated_config="$(echo "$CLIENT_CONFIG" | jq '.directAccessGrantsEnabled=true')"
+  status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
+    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+    -H 'Content-Type: application/json' \
+    -d "${updated_config}" \
+    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}")"
+  if [ "$status" != "200" ] && [ "$status" != "204" ]; then
+    echo "Keycloak client update failed (status ${status})" >&2
+    exit 1
+  fi
+fi
+
 SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
   "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
 if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
@@ -77,6 +92,26 @@ if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2
   fi
 fi
 
+OFFLINE_SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  "$KC_URL/admin/realms/atlas/client-scopes?search=offline_access" | jq -r '.[] | select(.name=="offline_access") | .id' 2>/dev/null | head -n1 || true)"
+if [ -n "$OFFLINE_SCOPE_ID" ] && [ "$OFFLINE_SCOPE_ID" != "null" ]; then
+  if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="offline_access")' >/dev/null 2>&1 \
+    && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="offline_access")' >/dev/null 2>&1; then
+    status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
+      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+      "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${OFFLINE_SCOPE_ID}")"
+    if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+      status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
+        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+        "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${OFFLINE_SCOPE_ID}")"
+      if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+        echo "Failed to attach offline_access scope to harbor (status ${status})" >&2
+        exit 1
+      fi
+    fi
+  fi
+fi
+
 CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
   "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
 if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then