diff --git a/services/keycloak/lagoon-realm-base-import.json b/services/keycloak/lagoon-realm-base-import.json
index 5d4f334682..d66c582842 100644
--- a/services/keycloak/lagoon-realm-base-import.json
+++ b/services/keycloak/lagoon-realm-base-import.json
@@ -424,6 +424,7 @@
 }
 ],
 "lagoon-ui": [],
+ "lagoon-cli": [],
 "service-api": []
 }
 },
@@ -3195,6 +3196,61 @@
 "microprofile-jwt"
 ]
 },
+ {
+ "clientId": "lagoon-cli",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "http://127.0.0.1"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "name": "Lagoon User ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "lagoon-uid",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "lagoon.user_id",
+ "jsonType.label": "int"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
 {
 "clientId": "realm-management",
 "name": "${client_realm-management}",
diff --git a/services/keycloak/startup-scripts/00-configure-lagoon.sh b/services/keycloak/startup-scripts/00-configure-lagoon.sh
index 0453677151..a74ea582d9 100755
--- a/services/keycloak/startup-scripts/00-configure-lagoon.sh
+++ b/services/keycloak/startup-scripts/00-configure-lagoon.sh
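Review bot: The new `lagoon-cli` client in the second hunk is a public client (`"publicClient": true`, `"standardFlowEnabled": true`) whose `"attributes"` is empty, so nothing in the import requires PKCE on the authorization-code flow, and `"webOrigins": ["*"]` allows any browser origin to call the token endpoint for it even though a CLI on a loopback redirect never makes CORS requests. The tighter defaults for a native public client are `"webOrigins": [],` and `"attributes": { "pkce.code.challenge.method": "S256" },`, which is what RFC 8252 expects for native apps. The single `"http://127.0.0.1"` redirect URI only works if the server accepts any loopback port (RFC 8252 §7.3); whether this Keycloak version does that for a port-less entry cannot be confirmed from the hunk, so it is worth checking against the CLI's actual listener. The same client is also created inline by `add_lagoon-cli_client` in `00-configure-lagoon.sh` in this commit, and the two definitions should be changed together.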
@@ -643,6 +643,20 @@ function service-api_add_view-users_permission {
 fi
 }
 
+function add_lagoon-cli_client {
+ local lagoon_cli_client=$( /opt/keycloak/bin/kcadm.sh get -r lagoon clients?clientId=lagoon-cli --config $CONFIG_PATH | jq -r '.[0]["id"] // false')
+ if [ "$lagoon_cli_client" != "false" ]; then
+ echo "lagoon-cli already exists"
+ return 0
+ fi
+
+ echo Creating client lagoon-cli
+ echo '{"clientId": "lagoon-cli", "publicClient": true, "webOrigins": ["*"], "redirectUris": ["http://127.0.0.1"]}' | /opt/keycloak/bin/kcadm.sh create clients --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -f -
+ echo Creating mapper for lagoon-cli "lagoon-uid"
+ CLIENT_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients?clientId=lagoon-cli --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ echo '{"protocol":"openid-connect","config":{"id.token.claim":"true","access.token.claim":"true","userinfo.token.claim":"true","user.attribute":"lagoon-uid","claim.name":"lagoon.user_id","jsonType.label":"int","multivalued":""},"name":"Lagoon User ID","protocolMapper":"oidc-usermodel-attribute-mapper"}' | /opt/keycloak/bin/kcadm.sh create -r ${KEYCLOAK_REALM:-master} clients/$CLIENT_ID/protocol-mappers/models --config $CONFIG_PATH -f -
+}
+
 ##################
 # Initialization #
 ##################
@@ -677,6 +691,7 @@ function configure_keycloak {
 remove_deleteall_permissions_scopes
 add_update_platform_viewer_permissions
 service-api_add_view-users_permission
+ add_lagoon-cli_client
 # always run last
 sync_client_secrets
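Review bot: In `add_lagoon-cli_client` the two lookups query `-r lagoon` while both `create` calls use `-r ${KEYCLOAK_REALM:-master}`, so whenever KEYCLOAK_REALM is unset or is not `lagoon` the idempotency check never sees the client, it is re-created in the other realm on every start, and `CLIENT_ID` comes back as `null` so the mapper is posted to `clients/null/protocol-mappers/models`. Resolve the realm once into a local and use it for all four calls, make `CLIENT_ID` a `local` like `lagoon_cli_client`, and guard the second lookup (`// empty` plus a `-z` test) so a failed create does not fall through silently. The inline client JSON should also stay aligned with the definition added to `lagoon-realm-base-import.json` in this commit (PKCE `S256` attribute, no wildcard web origin); I have not repeated that reasoning here. `add_lagoon-cli_client` is complete within the hunk; the `configure_keycloak` hunk that calls it is cut off at the end of the chunk.
```shell
function add_lagoon-cli_client {
  # one realm for lookups and creates; the hunk mixed a hard-coded "lagoon" with this variable
  local realm=${KEYCLOAK_REALM:-master}
  local lagoon_cli_client=$( /opt/keycloak/bin/kcadm.sh get -r $realm clients?clientId=lagoon-cli --config $CONFIG_PATH | jq -r '.[0]["id"] // false')
  # … unchanged: early return when the client already exists …
  echo Creating client lagoon-cli
  # public client on a loopback redirect: require PKCE and drop the wildcard web origin (a CLI makes no CORS requests)
  echo '{"clientId": "lagoon-cli", "publicClient": true, "webOrigins": [], "redirectUris": ["http://127.0.0.1"], "attributes": {"pkce.code.challenge.method": "S256"}}' | /opt/keycloak/bin/kcadm.sh create clients --config $CONFIG_PATH -r $realm -f -
  echo Creating mapper for lagoon-cli "lagoon-uid"
  local client_id=$(/opt/keycloak/bin/kcadm.sh get -r $realm clients?clientId=lagoon-cli --config $CONFIG_PATH | jq -r '.[0]["id"] // empty')
  if [ -z "$client_id" ]; then
    echo "lagoon-cli client was not created; skipping mapper"
    return 1
  fi
  echo '{"protocol":"openid-connect","config":{"id.token.claim":"true","access.token.claim":"true","userinfo.token.claim":"true","user.attribute":"lagoon-uid","claim.name":"lagoon.user_id","jsonType.label":"int","multivalued":""},"name":"Lagoon User ID","protocolMapper":"oidc-usermodel-attribute-mapper"}' | /opt/keycloak/bin/kcadm.sh create -r $realm clients/$client_id/protocol-mappers/models --config $CONFIG_PATH -f -
}
```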