From 65903d282c2b78c1d9c7587073967df87c05dac7 Mon Sep 17 00:00:00 2001
From: jenkins
Date: Sat, 20 Jun 2026 14:23:46 -0300
Subject: [PATCH] keycloak: clear Gitea Veles OIDC PKCE flag
---
 .../keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml | 4 ++--
 services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml b/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
index 422189e2..4afb5551 100644
--- a/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
@@ -1,12 +1,12 @@
 # services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
-# One-off job for sso/veles-gitea-oidc-secret-ensure-2.
+# One-off job for sso/veles-gitea-oidc-secret-ensure-3.
 # Purpose: create/update the Veles realm Gitea OIDC client and write the
 # matching Gitea auth-source secret to Vault.
 # Keep suspended until the Vault policy change has reconciled, then unsuspend once.
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: veles-gitea-oidc-secret-ensure-2
+ name: veles-gitea-oidc-secret-ensure-3
 namespace: sso
 spec:
 suspend: true
diff --git a/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh b/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
index 2ccd3e20..32764b6b 100755
--- a/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
@@ -157,7 +157,7 @@ client_payload="$(jq -nc \
 --arg client_id "${CLIENT_ID}" \
 --arg root_url "${PUBLIC_BASE_URL}" \
 --arg callback "${PUBLIC_BASE_URL}/user/oauth2/${AUTH_SOURCE_NAME}/callback" \
- '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$callback],webOrigins:[$root_url],rootUrl:$root_url,baseUrl:"/",attributes:{"post.logout.redirect.uris":($root_url + "/*")}}')"
+ '{clientId:$client_id,enabled:true,protocol:"openid-connect",publicClient:false,standardFlowEnabled:true,implicitFlowEnabled:false,directAccessGrantsEnabled:false,serviceAccountsEnabled:false,redirectUris:[$callback],webOrigins:[$root_url],rootUrl:$root_url,baseUrl:"/",attributes:{"pkce.code.challenge.method":"","post.logout.redirect.uris":($root_url + "/*")}}')"
 if [ -z "$CLIENT_UUID" ] || [ "$CLIENT_UUID" = "null" ]; then
 status="$(curl -sS -o /tmp/keycloak-client-create.json -w "%{http_code}" -X POST \
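Review bot: The added `"pkce.code.challenge.method":""` entry in the jq filter turns off PKCE enforcement for this client, and nothing in the script records why that is acceptable. Add a comment above the `client_payload` assignment, for example `# PKCE is deliberately not enforced: <reason, e.g. the Gitea auth source sends no code_challenge>; client stays confidential with one exact redirect URI.`, so a later hardening pass does not have to guess. The same payload appears to feed the create branch that follows, so a freshly created client would also start without a PKCE requirement. Whether the empty string actually clears an existing value on update depends on the update call outside this hunk; reading the attribute back after the write would confirm it. The `client_payload` statement begins before the hunk and the `if` block continues past it.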