From 29d89880cad59340579d2e2497f8855cb9236ffa Mon Sep 17 00:00:00 2001
From: jenkins
Date: Sat, 20 Jun 2026 14:19:47 -0300
Subject: [PATCH] keycloak: disable PKCE for Gitea Veles OIDC
---
 .../keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml | 4 ++--
 services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml b/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
index 0187d540..422189e2 100644
--- a/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
@@ -1,12 +1,12 @@
 # services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
-# One-off job for sso/veles-gitea-oidc-secret-ensure-1.
+# One-off job for sso/veles-gitea-oidc-secret-ensure-2.
 # Purpose: create/update the Veles realm Gitea OIDC client and write the
 # matching Gitea auth-source secret to Vault.
 # Keep suspended until the Vault policy change has reconciled, then unsuspend once.
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: veles-gitea-oidc-secret-ensure-1
+ name: veles-gitea-oidc-secret-ensure-2
 namespace: sso
 spec:
 suspend: true
diff --git a/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh b/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
index 322c19bb..2ccd3e20 100755
--- a/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
@@ -157,7 +157,7 @@
 client_payload="$(jq -nc \
 --arg client_id "${CLIENT_ID}" \
 --arg root_url "${PUBLIC_BASE_URL}" \
 --arg callback "${PUBLIC_BASE_URL}/user/oauth2/${AUTH_SOURCE_NAME}/callback" \
- '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$callback],webOrigins:[$root_url],rootUrl:$root_url,baseUrl:"/",attributes:{"pkce.code.challenge.method":"S256","post.logout.redirect.uris":($root_url + "/*")}}')"
+ '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$callback],webOrigins:[$root_url],rootUrl:$root_url,baseUrl:"/",attributes:{"post.logout.redirect.uris":($root_url + "/*")}}')"
 if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then
 status="$(curl -sS -o /tmp/keycloak-client-create.json -w "%{http_code}" -X POST \
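Review bot: On the added `'{clientId:...}'` payload line, merely omitting `pkce.code.challenge.method` from `attributes` will not clear it on a client that already exists: in the Keycloak admin REST API versions I know, a client update merges the attributes it is given and leaves absent keys untouched, so the `-2` rerun against the client created by `-1` would most likely keep `S256` enforced and Gitea's authorization requests would still be rejected. If the existing-client path (the branch after the `CLIENT_UUID` check, outside this hunk) PUTs this same payload, send the key with an empty value instead, `attributes:{"pkce.code.challenge.method":"","post.logout.redirect.uris":($root_url + "/*")}`, which removes the attribute on update and is a no-op on create — confirm against the deployed Keycloak version. A one-line comment above the payload recording why PKCE enforcement is off for this confidential client (presumably the Gitea auth source sends no code_challenge) would also help, since the secret-authenticated code exchange is now the only guard on the redeemed authorization code. The `client_payload` assignment ends inside the hunk, but the `if` block it feeds continues past it.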