sso: attach groups scope to metis oidc client

2026-03-31 17:48:15 -03:00 · 2026-03-31 17:48:15 -03:00 · 322cbeba35
commit 322cbeba35
parent aec3a797a7
1 changed files with 30 additions and 2 deletions
--- a/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
@ -5,7 +5,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: metis-oidc-secret-ensure-2
+  name: metis-oidc-secret-ensure-3
  namespace: sso
 spec:
  backoffLimit: 0
@ -79,7 +79,7 @@ spec:
                  -H 'Content-Type: application/json' \
                  -d "${create_payload}" \
                  "$KC_URL/admin/realms/atlas/clients")"
-                if [ "$status" != "201" ] && [ "$status" != "204" ]; then
+                if [ "$status" != "201" ] && [ "$status" != "204" ] && [ "$status" != "409" ]; then
                  echo "Keycloak client create failed (status ${status})" >&2
                  exit 1
                fi
@ -93,6 +93,34 @@ spec:
                exit 1
              fi

+              SCOPE_ID="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                "$KC_URL/admin/realms/atlas/client-scopes?search=groups" | jq -r '.[] | select(.name=="groups") | .id' 2>/dev/null | head -n1 || true)"
+              if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" = "null" ]; then
+                echo "Keycloak client scope groups not found" >&2
+                exit 1
+              fi
+
+              DEFAULT_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/default-client-scopes" || true)"
+              OPTIONAL_SCOPES="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes" || true)"
+
+              if ! echo "$DEFAULT_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1 \
+                && ! echo "$OPTIONAL_SCOPES" | jq -e '.[] | select(.name=="groups")' >/dev/null 2>&1; then
+                status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
+                  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                  "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
+                if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+                  status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
+                    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+                    "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/optional-client-scopes/${SCOPE_ID}")"
+                  if [ "$status" != "200" ] && [ "$status" != "201" ] && [ "$status" != "204" ]; then
+                    echo "Failed to attach groups client scope to metis (status ${status})" >&2
+                    exit 1
+                  fi
+                fi
+              fi
+
              update_payload='{"enabled":true,"clientId":"metis","protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://sentinel.bstein.dev/oauth2/callback"],"webOrigins":["https://sentinel.bstein.dev"],"rootUrl":"https://sentinel.bstein.dev","baseUrl":"/"}'
              status="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT \
                -H "Authorization: Bearer ${ACCESS_TOKEN}" \