keycloak: remove /auth from all Keycloak endpoints
From [1]: "By default, the new Quarkus distribution removes /auth from the context-path." [1] https://www.keycloak.org/migration/migrating-to-quarkus
This commit is contained in:
parent
20c0df7a7b
commit
ed19221404
@ -14,7 +14,7 @@
|
||||
kcadm "$@" \
|
||||
-r archlinux \
|
||||
--no-config \
|
||||
--server https://accounts.archlinux.org/auth \
|
||||
--server https://accounts.archlinux.org \
|
||||
--realm master \
|
||||
--user $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_user) \
|
||||
--password $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)
|
||||
|
@ -19,7 +19,7 @@ IMPORT_GROUPS = {
|
||||
CLIENT_ID = "admin-cli"
|
||||
KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
|
||||
KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
|
||||
KEYCLOAK_URL = "https://accounts.archlinux.org/auth"
|
||||
KEYCLOAK_URL = "https://accounts.archlinux.org"
|
||||
KEYCLOAK_REALM = "archlinux"
|
||||
|
||||
REALM_URL = f"{KEYCLOAK_URL}/realms/master"
|
||||
|
@ -1,3 +1,3 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
curl -s https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
|
||||
curl -s https://accounts.archlinux.org/realms/archlinux/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
|
||||
|
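Review bot: The rewritten `curl` pipeline still fails open: `curl -s` without `--fail` and no `pipefail` means a 404 (exactly what a stale or mistyped path yields during this `/auth` migration) feeds an HTML error page to `xmllint`, the XPath matches nothing, and the script prints the SHA-1 of empty input, `DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09`, which looks like a valid fingerprint. Since that output is what gets pinned as `idp_cert_fingerprint`, the script should abort instead: add `set -euo pipefail` after the shebang and use `curl -sSf`. If the descriptor ever lists more than one `X509Certificate` (separate signing and encryption keys, say), the XPath concatenates their text and the hash is of neither; selecting the signing `KeyDescriptor` explicitly would be safer, though I can't tell from here whether the realm publishes more than one.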
@ -23,7 +23,7 @@
|
||||
# 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
|
||||
# one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
|
||||
# 2. In order to logout properly we need to configure the "After sign out path" and set it to
|
||||
# https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
|
||||
# https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
|
||||
# https://gitlab.com/gitlab-org/gitlab/issues/14414
|
||||
#
|
||||
# In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
|
||||
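Review bot: The updated logout URL in the comment keeps the legacy `redirect_uri` parameter, which the Quarkus-era Keycloak this commit targets (18 and later) no longer honours by default: the end-session endpoint expects `post_logout_redirect_uri` together with `id_token_hint` or `client_id`, and the old parameter only works with the `legacy-logout-redirect-uri` SPI option enabled. keycloak.conf in this commit does not show that option, so an operator following this comment will presumably end up on Keycloak's logout confirmation page or get the request rejected rather than returning to GitLab. I'd change the quoted URL to `https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A//gitlab.archlinux.org&client_id=<the realm client GitLab is registered as>` and note that `client_id` (or an `id_token_hint`) is what lets Keycloak validate the target against the client's registered redirect URIs — confirm which applies for the SAML-based GitLab client. The comment block this belongs to starts before the hunk.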
@ -78,8 +78,8 @@
|
||||
args: {
|
||||
assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
|
||||
idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
|
||||
idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
|
||||
idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
|
||||
idp_sso_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/saml_gitlab',
|
||||
idp_slo_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml',
|
||||
issuer: 'saml_gitlab',
|
||||
attribute_statements: {
|
||||
first_name: ['first_name'],
|
||||
|
@ -433,7 +433,7 @@ disable_login_form = true
|
||||
;disable_signout_menu = false
|
||||
|
||||
# URL to redirect the user to after sign out
|
||||
signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
|
||||
signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
|
||||
|
||||
# Set to true to attempt login with OAuth automatically, skipping the login screen.
|
||||
# This setting is ignored if multiple OAuth providers are configured.
|
||||
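Review bot: `signout_redirect_url` on the new line still relies on the legacy `redirect_uri` logout parameter, which Keycloak 18+ (the Quarkus distribution this commit migrates to) ignores unless `legacy-logout-redirect-uri` is enabled; keycloak.conf in this commit does not show that option, so sign-out from Grafana will likely land on Keycloak's confirmation page or be rejected instead of returning to `{{ grafana_domain }}`. The supported form is `post_logout_redirect_uri` plus either `id_token_hint` or `client_id`, so I'd change the line to `signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?post_logout_redirect_uri=https://{{ grafana_domain }}&client_id=<grafana's Keycloak client id>`, after confirming whether this Grafana version appends `id_token_hint` itself. A one-line comment above the key saying which Keycloak version the parameter names depend on would save the next person the same investigation.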
@ -573,9 +573,9 @@ email_attribute_path = email
|
||||
;login_attribute_path =
|
||||
;name_attribute_path =
|
||||
;id_token_attribute_name =
|
||||
auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
|
||||
token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
|
||||
api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
|
||||
auth_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
|
||||
token_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
|
||||
api_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
|
||||
;teams_url =
|
||||
;allowed_domains =
|
||||
;team_ids =
|
||||
|
@ -1,10 +1,10 @@
|
||||
[Service]
|
||||
Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
|
||||
Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
|
||||
Environment=CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
|
||||
Environment=CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
|
||||
Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
|
||||
Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
|
||||
Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
|
||||
Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
|
||||
Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
|
||||
Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
|
||||
Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
|
||||
Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
|
||||
|
@ -5,7 +5,6 @@ metrics-enabled=true
|
||||
http-enabled=true
|
||||
http-host=127.0.0.1
|
||||
http-port={{ keycloak_port }}
|
||||
http-relative-path=/auth
|
||||
proxy=edge
|
||||
|
||||
db=postgres
|
||||
|
@ -32,10 +32,10 @@ server {
|
||||
|
||||
# https://w3c.github.io/webappsec-change-password-url/
|
||||
location = /.well-known/change-password {
|
||||
return 302 https://$server_name/auth/realms/archlinux/account/#/security/signingin;
|
||||
return 302 https://$server_name/realms/archlinux/account/#/security/signingin;
|
||||
}
|
||||
|
||||
location ~ /auth/realms/[a-z]+/metrics {
|
||||
location ~ /realms/[a-z]+/metrics {
|
||||
auth_basic "Prometheus exporter";
|
||||
auth_basic_user_file {{ keycloak_nginx_htpasswd }};
|
||||
|
||||
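Review bot: Only the metrics-SPI path `/realms/[a-z]+/metrics` gets `auth_basic` on the new `location` line, while dropping `http-relative-path` moves Keycloak's built-in endpoints (`/metrics`, `/health`, `/health/*`, enabled by `metrics-enabled=true` in keycloak.conf) from `/auth/…` to the site root; the `proxy_pass` location is outside this hunk, so confirm it does not now forward those unauthenticated, e.g. by adding `location ~ ^/(metrics|health) { return 404; }` ahead of the proxy or restricting them to the monitoring source. Separately, Keycloak itself now answers 404 for every `/auth/…` path, so any relying party or bookmark not updated in this commit breaks; a temporary `location ^~ /auth/ { rewrite ^/auth/(.*)$ /$1 permanent; }` keeps browser-facing links working, though POSTed SAML/OIDC requests will not survive a redirect, so clients outside this repository still need an audit. The regex on the new line is also unanchored; `^/realms/[a-z]+/metrics$` would avoid matching the same suffix elsewhere in a URI.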
@ -59,6 +59,6 @@ server {
|
||||
}
|
||||
|
||||
location = / {
|
||||
return 301 https://$server_name/auth/realms/archlinux/account;
|
||||
return 301 https://$server_name/realms/archlinux/account;
|
||||
}
|
||||
}
|
||||
|
@ -143,7 +143,7 @@ oidc_providers:
|
||||
idp_name: "Arch Linux"
|
||||
idp_icon: "mxc://archlinux.org/iQmyhmksPLmphXWFUxiLEwVw"
|
||||
idp_brand: archlinux
|
||||
issuer: "https://accounts.archlinux.org/auth/realms/archlinux"
|
||||
issuer: "https://accounts.archlinux.org/realms/archlinux"
|
||||
client_id: "openid_matrix"
|
||||
client_secret: "{{ vault_matrix_openid_client_secret }}"
|
||||
scopes: ["openid", "profile", "email", "roles"]
|
||||
|
@ -90,7 +90,7 @@ scrape_configs:
|
||||
|
||||
- job_name: 'keycloak'
|
||||
scheme: https
|
||||
metrics_path: "/auth/realms/master/metrics"
|
||||
metrics_path: "/realms/master/metrics"
|
||||
basic_auth:
|
||||
username: "{{ vault_keycloak_nginx_user }}"
|
||||
password: "{{ vault_keycloak_nginx_passwd }}"
|
||||
|
@ -3,7 +3,7 @@ secret_key = '{{ vault_security_tracker.secret_key }}'
|
||||
|
||||
[sso]
|
||||
enabled = yes
|
||||
metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
|
||||
metadata_url = https://accounts.archlinux.org/realms/archlinux/.well-known/openid-configuration
|
||||
client_id = openid_security_tracker
|
||||
client_secret = {{ vault_security_tracker_openid_client_secret }}
|
||||
administrator_group = /Arch Linux Staff/Security Team/Admins
|
||||
|
@ -57,10 +57,6 @@ provider "keycloak" {
|
||||
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
|
||||
password = data.external.vault_keycloak.result.vault_keycloak_admin_password
|
||||
url = "https://accounts.archlinux.org"
|
||||
|
||||
# TODO: remove this once our Keycloak instance is no longer served under /auth
|
||||
# https://github.com/mrparkers/terraform-provider-keycloak/blob/master/CHANGELOG.md#v400-october-10-2022
|
||||
base_path = "/auth"
|
||||
}
|
||||
|
||||
variable "gitlab_instance" {
|
||||
@ -213,7 +209,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
|
||||
realm = "archlinux"
|
||||
alias = "github"
|
||||
provider_id = "github"
|
||||
authorization_url = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
|
||||
authorization_url = "https://accounts.archlinux.org/realms/archlinux/broker/github/endpoint"
|
||||
client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
|
||||
client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
|
||||
token_url = ""
|
||||
@ -765,7 +761,7 @@ output "gitlab_saml_configuration" {
|
||||
issuer = keycloak_saml_client.saml_gitlab.client_id
|
||||
assertion_consumer_service_url = var.gitlab_instance.saml_redirect_url
|
||||
admin_groups = [keycloak_role.devops.name]
|
||||
idp_sso_target_url = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
|
||||
idp_sso_target_url = "https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
|
||||
signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
|
||||
}
|
||||
}
|
||||
|