5a6f984222
Without some kind of physical organisation it's a little difficult to understand whether things are going "in" (supplying users to Keycloak) or "out" (getting auth/user info from Keycloak). Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de>
92 lines
3.1 KiB
HCL
92 lines
3.1 KiB
HCL
# All Keycloak clients, that is applications which authenticate
|
|
# through Keycloak.
|
|
#
|
|
# Includes first-party (i.e. TVL-hosted) and third-party clients.
|
|
|
|
resource "keycloak_openid_client" "grafana" {
|
|
realm_id = keycloak_realm.tvl.id
|
|
client_id = "grafana"
|
|
name = "Grafana"
|
|
enabled = true
|
|
access_type = "CONFIDENTIAL"
|
|
standard_flow_enabled = true
|
|
base_url = "https://status.tvl.su"
|
|
|
|
valid_redirect_uris = [
|
|
"https://status.tvl.su/*",
|
|
]
|
|
}
|
|
|
|
resource "keycloak_openid_client" "gerrit" {
|
|
realm_id = keycloak_realm.tvl.id
|
|
client_id = "gerrit"
|
|
name = "TVL Gerrit"
|
|
enabled = true
|
|
access_type = "CONFIDENTIAL"
|
|
standard_flow_enabled = true
|
|
base_url = "https://cl.tvl.fyi"
|
|
description = "TVL's code review tool"
|
|
direct_access_grants_enabled = true
|
|
exclude_session_state_from_auth_response = false
|
|
|
|
valid_redirect_uris = [
|
|
"https://cl.tvl.fyi/*",
|
|
]
|
|
|
|
web_origins = [
|
|
"https://cl.tvl.fyi",
|
|
]
|
|
}
|
|
|
|
resource "keycloak_saml_client" "buildkite" {
|
|
realm_id = keycloak_realm.tvl.id
|
|
client_id = "https://buildkite.com"
|
|
name = "Buildkite"
|
|
base_url = "https://buildkite.com/sso/tvl"
|
|
|
|
client_signature_required = false
|
|
assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
|
|
|
|
valid_redirect_uris = [
|
|
"https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
|
|
]
|
|
}
|
|
|
|
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
|
|
realm_id = keycloak_realm.tvl.id
|
|
client_id = keycloak_saml_client.buildkite.id
|
|
name = "buildkite-email-mapper"
|
|
user_attribute = "email"
|
|
saml_attribute_name = "email"
|
|
saml_attribute_name_format = "Unspecified"
|
|
}
|
|
|
|
resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
|
|
realm_id = keycloak_realm.tvl.id
|
|
client_id = keycloak_saml_client.buildkite.id
|
|
name = "buildkite-name-mapper"
|
|
user_attribute = "displayName"
|
|
saml_attribute_name = "name"
|
|
saml_attribute_name_format = "Unspecified"
|
|
}
|
|
|
|
resource "keycloak_openid_client" "oauth2_proxy" {
|
|
realm_id = keycloak_realm.tvl.id
|
|
client_id = "oauth2-proxy"
|
|
name = "TVL OAuth2 Proxy"
|
|
enabled = true
|
|
access_type = "CONFIDENTIAL"
|
|
standard_flow_enabled = true
|
|
|
|
valid_redirect_uris = [
|
|
"https://login.tvl.fyi/oauth2/callback",
|
|
"http://localhost:4774/oauth2/callback",
|
|
]
|
|
}
|
|
|
|
resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
|
|
realm_id = keycloak_realm.tvl.id
|
|
client_id = keycloak_openid_client.oauth2_proxy.id
|
|
name = "oauth2-proxy-audience"
|
|
included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
|
|
}
|