keycloak: remove /auth from all Keycloak endpoints
From [1]: "By default, the new Quarkus distribution removes /auth from the context-path." [1] https://www.keycloak.org/migration/migrating-to-quarkus
This commit is contained in:
parent
20c0df7a7b
commit
ed19221404
@ -14,7 +14,7 @@
|
|||||||
kcadm "$@" \
|
kcadm "$@" \
|
||||||
-r archlinux \
|
-r archlinux \
|
||||||
--no-config \
|
--no-config \
|
||||||
--server https://accounts.archlinux.org/auth \
|
--server https://accounts.archlinux.org \
|
||||||
--realm master \
|
--realm master \
|
||||||
--user $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_user) \
|
--user $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_user) \
|
||||||
--password $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)
|
--password $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)
|
||||||
|
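Review bot: The admin password is still handed to kcadm as a command-line argument, `--password $(misc/get_key.py ... vault_keycloak_admin_password)`, so it is visible in the process list to every local user for the duration of the call; the substitutions are also unquoted, so a secret containing whitespace or glob characters would be word-split. At minimum quote them, e.g. `--password "$(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)"`, and if the kcadm version in use can take the password from an environment variable or stdin, prefer that over an argument. The wrapper body starts before this hunk, so any `set -euo pipefail` it may already have is not visible here.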
@ -19,7 +19,7 @@ IMPORT_GROUPS = {
|
|||||||
CLIENT_ID = "admin-cli"
|
CLIENT_ID = "admin-cli"
|
||||||
KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
|
KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
|
||||||
KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
|
KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
|
||||||
KEYCLOAK_URL = "https://accounts.archlinux.org/auth"
|
KEYCLOAK_URL = "https://accounts.archlinux.org"
|
||||||
KEYCLOAK_REALM = "archlinux"
|
KEYCLOAK_REALM = "archlinux"
|
||||||
|
|
||||||
REALM_URL = f"{KEYCLOAK_URL}/realms/master"
|
REALM_URL = f"{KEYCLOAK_URL}/realms/master"
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
curl -s https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
|
curl -s https://accounts.archlinux.org/realms/archlinux/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
|
||||||
|
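Review bot: The pipeline on the last line has no failure handling: `curl -s` without `--fail` will feed an HTML error page (or nothing, on a connection error) into xmllint, and without `set -o pipefail` the script still exits 0, so someone following the gitlab.rb instructions could copy an empty or wrong value into `idp_cert_fingerprint`. Suggest `set -euo pipefail` after the shebang and `curl -sSf` so a non-2xx response or TLS failure aborts visibly. The entire script is within this hunk.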
@ -23,7 +23,7 @@
|
|||||||
# 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
|
# 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
|
||||||
# one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
|
# one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
|
||||||
# 2. In order to logout properly we need to configure the "After sign out path" and set it to
|
# 2. In order to logout properly we need to configure the "After sign out path" and set it to
|
||||||
# https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
|
# https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
|
||||||
# https://gitlab.com/gitlab-org/gitlab/issues/14414
|
# https://gitlab.com/gitlab-org/gitlab/issues/14414
|
||||||
#
|
#
|
||||||
# In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
|
# In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
|
||||||
@ -78,8 +78,8 @@
|
|||||||
args: {
|
args: {
|
||||||
assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
|
assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
|
||||||
idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
|
idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
|
||||||
idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
|
idp_sso_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/saml_gitlab',
|
||||||
idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
|
idp_slo_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml',
|
||||||
issuer: 'saml_gitlab',
|
issuer: 'saml_gitlab',
|
||||||
attribute_statements: {
|
attribute_statements: {
|
||||||
first_name: ['first_name'],
|
first_name: ['first_name'],
|
||||||
|
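Review bot: The updated instruction `# https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=...` still relies on the `redirect_uri` logout parameter; on the Quarkus-based releases this commit targets, Keycloak 18 and later (if that is what is deployed) deprecate that parameter and reject it by default unless the legacy logout-redirect compatibility option is enabled, which would quietly break the GitLab sign-out flow the comment documents. Consider documenting `post_logout_redirect_uri=https%3A//gitlab.archlinux.org&client_id=saml_gitlab` instead, with the GitLab URL registered as a valid post-logout redirect URI on the client, after confirming the running Keycloak version. The omnibus configuration around these lines continues outside the hunk.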
@ -433,7 +433,7 @@ disable_login_form = true
|
|||||||
;disable_signout_menu = false
|
;disable_signout_menu = false
|
||||||
|
|
||||||
# URL to redirect the user to after sign out
|
# URL to redirect the user to after sign out
|
||||||
signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
|
signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
|
||||||
|
|
||||||
# Set to true to attempt login with OAuth automatically, skipping the login screen.
|
# Set to true to attempt login with OAuth automatically, skipping the login screen.
|
||||||
# This setting is ignored if multiple OAuth providers are configured.
|
# This setting is ignored if multiple OAuth providers are configured.
|
||||||
@ -573,9 +573,9 @@ email_attribute_path = email
|
|||||||
;login_attribute_path =
|
;login_attribute_path =
|
||||||
;name_attribute_path =
|
;name_attribute_path =
|
||||||
;id_token_attribute_name =
|
;id_token_attribute_name =
|
||||||
auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
|
auth_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
|
||||||
token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
|
token_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
|
||||||
api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
|
api_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
|
||||||
;teams_url =
|
;teams_url =
|
||||||
;allowed_domains =
|
;allowed_domains =
|
||||||
;team_ids =
|
;team_ids =
|
||||||
|
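Review bot: `signout_redirect_url` passes the Grafana origin as an unencoded `redirect_uri=https://{{ grafana_domain }}` query parameter and, like the GitLab comment elsewhere in this commit, depends on Keycloak's `redirect_uri` logout parameter, which Quarkus-based releases from 18 on reject by default unless legacy logout redirects are enabled. If the deployed version is affected, sign-out lands on a Keycloak error page instead of returning to Grafana; the supported form is `post_logout_redirect_uri=https%3A//{{ grafana_domain }}&client_id=<grafana client id>` with that URL registered as a valid post-logout redirect URI on the client. The Grafana client id is not visible in this hunk, so the exact value needs confirming against the Keycloak client definition.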
@ -1,10 +1,10 @@
|
|||||||
[Service]
|
[Service]
|
||||||
Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
|
Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
|
||||||
Environment=CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
|
Environment=CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
|
||||||
Environment=CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
|
Environment=CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
|
||||||
Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
|
Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
|
||||||
Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
|
Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
|
||||||
Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
|
Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
|
||||||
Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
|
Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
|
||||||
Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
|
Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
|
||||||
Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
|
Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
|
||||||
|
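Review bot: `Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}` writes the OAuth client secret into the unit drop-in, which systemd installs world-readable by default and typically exposes to unprivileged users through `systemctl show -p Environment`; the vault indirection protects the secret in the repository, not on the host. Moving the secret-bearing variable to a root-owned, mode 0600 file referenced with `EnvironmentFile=` (or to `LoadCredential=`, if the HedgeDoc version in use can read systemd credentials) would keep the URL settings here and take the secret out of the unit properties. The `[Service]` section shown is complete within this hunk.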
@ -5,7 +5,6 @@ metrics-enabled=true
|
|||||||
http-enabled=true
|
http-enabled=true
|
||||||
http-host=127.0.0.1
|
http-host=127.0.0.1
|
||||||
http-port={{ keycloak_port }}
|
http-port={{ keycloak_port }}
|
||||||
http-relative-path=/auth
|
|
||||||
proxy=edge
|
proxy=edge
|
||||||
|
|
||||||
db=postgres
|
db=postgres
|
||||||
|
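Review bot: Dropping `http-relative-path=/auth` moves every endpoint to the root, so any relying party configured against the old `/auth/realms/archlinux` issuer that is not managed in this repository, and any user with a cached login or account URL, will presumably now get a 404 from Keycloak rather than a redirect. A transition-period `location /auth/ { return 301 ...; }` in the nginx vhost, or at least a note of the cutover date in a comment here, would make the break deliberate. Separately, `proxy=edge` makes Keycloak trust X-Forwarded-* headers from whoever reaches the port, which is only safe because `http-host=127.0.0.1` keeps it loopback-only; a comment such as `# proxy=edge trusts forwarded headers; keep http-host bound to loopback` would record that dependency for the next person editing this file.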
@ -32,10 +32,10 @@ server {
|
|||||||
|
|
||||||
# https://w3c.github.io/webappsec-change-password-url/
|
# https://w3c.github.io/webappsec-change-password-url/
|
||||||
location = /.well-known/change-password {
|
location = /.well-known/change-password {
|
||||||
return 302 https://$server_name/auth/realms/archlinux/account/#/security/signingin;
|
return 302 https://$server_name/realms/archlinux/account/#/security/signingin;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /auth/realms/[a-z]+/metrics {
|
location ~ /realms/[a-z]+/metrics {
|
||||||
auth_basic "Prometheus exporter";
|
auth_basic "Prometheus exporter";
|
||||||
auth_basic_user_file {{ keycloak_nginx_htpasswd }};
|
auth_basic_user_file {{ keycloak_nginx_htpasswd }};
|
||||||
|
|
||||||
@ -59,6 +59,6 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
location = / {
|
location = / {
|
||||||
return 301 https://$server_name/auth/realms/archlinux/account;
|
return 301 https://$server_name/realms/archlinux/account;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
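Review bot: The metrics guard `location ~ /realms/[a-z]+/metrics` is neither anchored nor wide enough: a realm whose name contains a digit, hyphen or uppercase letter does not match `[a-z]+`, so its `/realms/<name>/metrics` endpoint would be proxied without the basic-auth requirement. `location ~ ^/realms/[^/]+/metrics` covers every realm name and anchors at the start of the path. Also, with `metrics-enabled=true` in keycloak.conf the Quarkus distribution serves its own `/metrics` (and `/health`) at the root of the same HTTP port on versions that predate a separate management port, so unless that path is blocked elsewhere in this vhost it is now reachable at `https://accounts.archlinux.org/metrics` without authentication; the rest of the server block is outside these hunks, so please verify.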
@ -143,7 +143,7 @@ oidc_providers:
|
|||||||
idp_name: "Arch Linux"
|
idp_name: "Arch Linux"
|
||||||
idp_icon: "mxc://archlinux.org/iQmyhmksPLmphXWFUxiLEwVw"
|
idp_icon: "mxc://archlinux.org/iQmyhmksPLmphXWFUxiLEwVw"
|
||||||
idp_brand: archlinux
|
idp_brand: archlinux
|
||||||
issuer: "https://accounts.archlinux.org/auth/realms/archlinux"
|
issuer: "https://accounts.archlinux.org/realms/archlinux"
|
||||||
client_id: "openid_matrix"
|
client_id: "openid_matrix"
|
||||||
client_secret: "{{ vault_matrix_openid_client_secret }}"
|
client_secret: "{{ vault_matrix_openid_client_secret }}"
|
||||||
scopes: ["openid", "profile", "email", "roles"]
|
scopes: ["openid", "profile", "email", "roles"]
|
||||||
|
@ -90,7 +90,7 @@ scrape_configs:
|
|||||||
|
|
||||||
- job_name: 'keycloak'
|
- job_name: 'keycloak'
|
||||||
scheme: https
|
scheme: https
|
||||||
metrics_path: "/auth/realms/master/metrics"
|
metrics_path: "/realms/master/metrics"
|
||||||
basic_auth:
|
basic_auth:
|
||||||
username: "{{ vault_keycloak_nginx_user }}"
|
username: "{{ vault_keycloak_nginx_user }}"
|
||||||
password: "{{ vault_keycloak_nginx_passwd }}"
|
password: "{{ vault_keycloak_nginx_passwd }}"
|
||||||
|
@ -3,7 +3,7 @@ secret_key = '{{ vault_security_tracker.secret_key }}'
|
|||||||
|
|
||||||
[sso]
|
[sso]
|
||||||
enabled = yes
|
enabled = yes
|
||||||
metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
|
metadata_url = https://accounts.archlinux.org/realms/archlinux/.well-known/openid-configuration
|
||||||
client_id = openid_security_tracker
|
client_id = openid_security_tracker
|
||||||
client_secret = {{ vault_security_tracker_openid_client_secret }}
|
client_secret = {{ vault_security_tracker_openid_client_secret }}
|
||||||
administrator_group = /Arch Linux Staff/Security Team/Admins
|
administrator_group = /Arch Linux Staff/Security Team/Admins
|
||||||
|
@ -57,10 +57,6 @@ provider "keycloak" {
|
|||||||
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
|
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
|
||||||
password = data.external.vault_keycloak.result.vault_keycloak_admin_password
|
password = data.external.vault_keycloak.result.vault_keycloak_admin_password
|
||||||
url = "https://accounts.archlinux.org"
|
url = "https://accounts.archlinux.org"
|
||||||
|
|
||||||
# TODO: remove this once our Keycloak instance is no longer served under /auth
|
|
||||||
# https://github.com/mrparkers/terraform-provider-keycloak/blob/master/CHANGELOG.md#v400-october-10-2022
|
|
||||||
base_path = "/auth"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "gitlab_instance" {
|
variable "gitlab_instance" {
|
||||||
@ -213,7 +209,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
|
|||||||
realm = "archlinux"
|
realm = "archlinux"
|
||||||
alias = "github"
|
alias = "github"
|
||||||
provider_id = "github"
|
provider_id = "github"
|
||||||
authorization_url = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
|
authorization_url = "https://accounts.archlinux.org/realms/archlinux/broker/github/endpoint"
|
||||||
client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
|
client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
|
||||||
client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
|
client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
|
||||||
token_url = ""
|
token_url = ""
|
||||||
@ -765,7 +761,7 @@ output "gitlab_saml_configuration" {
|
|||||||
issuer = keycloak_saml_client.saml_gitlab.client_id
|
issuer = keycloak_saml_client.saml_gitlab.client_id
|
||||||
assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
|
assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
|
||||||
admin_groups = [keycloak_role.devops.name]
|
admin_groups = [keycloak_role.devops.name]
|
||||||
idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
|
idp_sso_target_url = "https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
|
||||||
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
|
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
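Review bot: `username` and `password` are taken from `data.external.vault_keycloak.result`, and the results of `data.external` are persisted in the Terraform state, so the Keycloak admin credentials (and the GitHub OAuth client secret passed the same way in the identity-provider hunk) end up in plaintext wherever the state is stored, independent of the Ansible vault encryption. Unless the state backend is itself encrypted and access-controlled, this deserves a note next to the provider block, e.g. `# NOTE: data.external results, including these credentials, are written to terraform state`, or a switch to `sensitive = true` variables supplied via `TF_VAR_` for values used only in provider configuration. The output attribute `signing_certificate_fingerprint` is assigned `keycloak_saml_client.saml_gitlab.signing_certificate`, which by its name is the certificate rather than a fingerprint; if so, the output name misleads, given that gitlab.rb expects a SHA1 fingerprint. The provider block, the identity-provider resource and the output all extend beyond the visible hunks.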