bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

keycloak: add audience scope for oauth2-proxy clients

Browse Source
This commit is contained in:
Brad Stein 2025-12-10 03:03:40 -03:00
parent 1ec2c55e17
commit f9ec7ab3ae
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
services/keycloak/zot-client-bootstrap.yaml
View File

@ -40,6 +40,8 @@ spec:
value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]' value: '["https://auth.bstein.dev/oauth2/callback","https://registry.bstein.dev/oauth2/callback","https://longhorn.bstein.dev/oauth2/callback","https://secret.bstein.dev/oauth2/callback","https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"]'
- name: WEB_ORIGINS - name: WEB_ORIGINS
value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]' value: '["https://registry.bstein.dev","https://auth.bstein.dev","https://longhorn.bstein.dev","https://secret.bstein.dev"]'
- name: AUDIENCE_SCOPE
value: oauth2-proxy-audience
command: command:
- /bin/sh - /bin/sh
- -c - -c
@ -49,6 +51,18 @@ spec:
KCADM="/opt/keycloak/bin/kcadm.sh" KCADM="/opt/keycloak/bin/kcadm.sh"
$KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli $KCADM config credentials --server "$KC_SERVER" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
# Ensure audience client scope exists and injects oauth2-proxy as audience
SCOPE_ID="$($KCADM get client-scopes -r "$REALM" -q name="$AUDIENCE_SCOPE" --fields id --format csv --noquotes || true)"
if [ -z "$SCOPE_ID" ]; then
echo "Creating audience client scope $AUDIENCE_SCOPE"
SCOPE_ID="$($KCADM create client-scopes -r "$REALM" -s name="$AUDIENCE_SCOPE" -s protocol=openid-connect -i)"
fi
MAPPER_ID="$($KCADM get client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -q name=aud-$AUDIENCE_SCOPE --fields id --format csv --noquotes || true)"
if [ -z "$MAPPER_ID" ]; then
echo "Creating audience mapper on scope $AUDIENCE_SCOPE"
$KCADM create client-scopes/$SCOPE_ID/protocol-mappers/models -r "$REALM" -s name=aud-$AUDIENCE_SCOPE -s protocol=openid-connect -s protocolMapper=oidc-audience-mapper -s 'config."included.client.audience"="oauth2-proxy"' -s 'config."id.token.claim"="true"' -s 'config."access.token.claim"="true"' -s 'config."included.custom.audience"=""'
fi
for CLIENT_ID in $CLIENT_IDS; do for CLIENT_ID in $CLIENT_IDS; do
CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes || true)" CLIENT_UUID="$($KCADM get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes || true)"
if [ -z "$CLIENT_UUID" ]; then if [ -z "$CLIENT_UUID" ]; then
@ -62,6 +76,10 @@ spec:
-s 'webOrigins='"$WEB_ORIGINS" \ -s 'webOrigins='"$WEB_ORIGINS" \
-s 'standardFlowEnabled=true' \ -s 'standardFlowEnabled=true' \
-s 'directAccessGrantsEnabled=false' -s 'directAccessGrantsEnabled=false'
# Attach audience scope so access tokens carry aud=oauth2-proxy
$KCADM update "clients/$CLIENT_UUID/optional-client-scopes/$SCOPE_ID" -r "$REALM" >/dev/null 2>&1 || \
$KCADM add-optional-client-scopes -r "$REALM" --clientid "$CLIENT_ID" --scopes "$AUDIENCE_SCOPE"
done done
echo "Keycloak zot client bootstrap complete" echo "Keycloak zot client bootstrap complete"