keycloak: remove /auth from all Keycloak endpoints

From [1]: "By default, the new Quarkus distribution removes /auth from
           the context-path."

[1] https://www.keycloak.org/migration/migrating-to-quarkus

misc/kcadm_wrapper.sh

@@ -14,7 +14,7 @@
 kcadm "$@" \
     -r archlinux \
     --no-config \
-    --server https://accounts.archlinux.org/auth \
+    --server https://accounts.archlinux.org \
     --realm master \
     --user $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_user) \
     --password $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)

one-shots/keycloak-importer/import_user_groups.py

@@ -19,7 +19,7 @@ IMPORT_GROUPS = {
 CLIENT_ID = "admin-cli"
 KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
 KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
-KEYCLOAK_URL = "https://accounts.archlinux.org/auth"
+KEYCLOAK_URL = "https://accounts.archlinux.org"
 KEYCLOAK_REALM = "archlinux"
 
 REALM_URL = f"{KEYCLOAK_URL}/realms/master"

one-shots/keycloak-keyfetcher/get_fingerprint.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-curl -s https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/descriptor  | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
+curl -s https://accounts.archlinux.org/realms/archlinux/protocol/saml/descriptor  | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'

roles/gitlab/tasks/main.yml

@@ -23,7 +23,7 @@
       # 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
       # one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
       # 2. In order to logout properly we need to configure the "After sign out path" and set it to
-      # https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
+      # https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
       # https://gitlab.com/gitlab-org/gitlab/issues/14414
       #
       # In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
@@ -78,8 +78,8 @@
             args: {
               assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
               idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
-              idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
-              idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
+              idp_sso_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/saml_gitlab',
+              idp_slo_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml',
               issuer: 'saml_gitlab',
               attribute_statements: {
                 first_name: ['first_name'],

roles/grafana/templates/grafana.ini.j2

@@ -433,7 +433,7 @@ disable_login_form = true
 ;disable_signout_menu = false
 
 # URL to redirect the user to after sign out
-signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
+signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
 
 # Set to true to attempt login with OAuth automatically, skipping the login screen.
 # This setting is ignored if multiple OAuth providers are configured.
@@ -573,9 +573,9 @@ email_attribute_path = email
 ;login_attribute_path =
 ;name_attribute_path =
 ;id_token_attribute_name =
-auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
-token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
-api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
+auth_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
+token_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
+api_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
 ;teams_url =
 ;allowed_domains =
 ;team_ids =

roles/hedgedoc/templates/hedgedoc.service.d.j2

@@ -1,10 +1,10 @@
 [Service]
-Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
+Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
 Environment=CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
 Environment=CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
 Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
-Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
-Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
+Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
+Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
 Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
 Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
 Environment=CMD_OAUTH2_SCOPE="openid email profile roles"

roles/keycloak/templates/keycloak.conf.j2

@@ -5,7 +5,6 @@ metrics-enabled=true
 http-enabled=true
 http-host=127.0.0.1
 http-port={{ keycloak_port }}
-http-relative-path=/auth
 proxy=edge
 
 db=postgres

roles/keycloak/templates/nginx.d.conf.j2

@@ -32,10 +32,10 @@ server {
 
     # https://w3c.github.io/webappsec-change-password-url/
     location = /.well-known/change-password {
-        return 302 https://$server_name/auth/realms/archlinux/account/#/security/signingin;
+        return 302 https://$server_name/realms/archlinux/account/#/security/signingin;
     }
 
-    location ~ /auth/realms/[a-z]+/metrics  {
+    location ~ /realms/[a-z]+/metrics  {
         auth_basic "Prometheus exporter";
         auth_basic_user_file {{ keycloak_nginx_htpasswd }};
 
@@ -59,6 +59,6 @@ server {
     }
 
     location = / {
-        return 301 https://$server_name/auth/realms/archlinux/account;
+        return 301 https://$server_name/realms/archlinux/account;
     }
 }

roles/matrix/templates/homeserver.yaml.j2

@@ -143,7 +143,7 @@ oidc_providers:
     idp_name: "Arch Linux"
     idp_icon: "mxc://archlinux.org/iQmyhmksPLmphXWFUxiLEwVw"
     idp_brand: archlinux
-    issuer: "https://accounts.archlinux.org/auth/realms/archlinux"
+    issuer: "https://accounts.archlinux.org/realms/archlinux"
     client_id: "openid_matrix"
     client_secret: "{{ vault_matrix_openid_client_secret }}"
     scopes: ["openid", "profile", "email", "roles"]

roles/prometheus/templates/prometheus.yml.j2

@@ -90,7 +90,7 @@ scrape_configs:
 
   - job_name: 'keycloak'
     scheme: https
-    metrics_path: "/auth/realms/master/metrics"
+    metrics_path: "/realms/master/metrics"
     basic_auth:
        username: "{{ vault_keycloak_nginx_user }}"
        password: "{{ vault_keycloak_nginx_passwd }}"

roles/security_tracker/templates/20-user.local.conf.j2

@@ -3,7 +3,7 @@ secret_key = '{{ vault_security_tracker.secret_key }}'
 
 [sso]
 enabled = yes
-metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
+metadata_url = https://accounts.archlinux.org/realms/archlinux/.well-known/openid-configuration
 client_id = openid_security_tracker
 client_secret = {{ vault_security_tracker_openid_client_secret }}
 administrator_group = /Arch Linux Staff/Security Team/Admins

tf-stage2/keycloak.tf

@@ -57,10 +57,6 @@ provider "keycloak" {
   username  = data.external.vault_keycloak.result.vault_keycloak_admin_user
   password  = data.external.vault_keycloak.result.vault_keycloak_admin_password
   url       = "https://accounts.archlinux.org"
-
-  # TODO: remove this once our Keycloak instance is no longer served under /auth
-  # https://github.com/mrparkers/terraform-provider-keycloak/blob/master/CHANGELOG.md#v400-october-10-2022
-  base_path = "/auth"
 }
 
 variable "gitlab_instance" {
@@ -213,7 +209,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
   realm                        = "archlinux"
   alias                        = "github"
   provider_id                  = "github"
-  authorization_url            = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
+  authorization_url            = "https://accounts.archlinux.org/realms/archlinux/broker/github/endpoint"
   client_id                    = data.external.vault_github.result.vault_github_oauth_app_client_id
   client_secret                = data.external.vault_github.result.vault_github_oauth_app_client_secret
   token_url                    = ""
@@ -765,7 +761,7 @@ output "gitlab_saml_configuration" {
     issuer                          = keycloak_saml_client.saml_gitlab.client_id
     assertion_consumer_service_url  = var.gitlab_instance.saml_redirect_url
     admin_groups                    = [keycloak_role.devops.name]
-    idp_sso_target_url              = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
+    idp_sso_target_url              = "https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
     signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
   }
 }