Harmonize Keycloak Client Configurations with Built-in IdP (#589)

* Harmonize Keycloak client configurations with built-in IdP

This change makes the Keycloak client configurations consistent with the built-in IdP:

1. Standardized client IDs to match built-in IdP:
   - web (unchanged)
   - OpenCloudDesktop (was random ID)
   - OpenCloudAndroid (was random ID)
   - OpenCloudIOS (was random ID)
   - Cyberduck (simplified ID)

2. Updated domain names to use .eu consistently:
   - Changed from opencloud.com to opencloud.eu for mobile apps
   - Changed from hardcoded domains to templated {{OC_URL}} values

3. Updated redirect URIs to match built-in IdP format:
   - Added specific callback paths for web client
   - Removed wildcarded ports for desktop client

4. Changed mobile/desktop clients to public clients (equivalent to native app type)

5. Enhanced docker-entrypoint-override.sh to handle {{OC_URL}} template variables

These changes ensure a consistent authentication experience regardless of
whether users are using the built-in IdP or Keycloak.

* Harmonize Keycloak client configuration with client JSONs

Update the realm configuration to match the client configuration JSON files:

1. Update client IDs to match client JSON files:
   - Changed 'xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69' to 'OpenCloudDesktop'
   - Changed 'e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD' to 'OpenCloudAndroid'
   - Changed 'mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1' to 'OpenCloudIOS'

2. Fix additional client properties:
   - Fix client names: Use proper capitalization for all clients
   - Fix OAuth redirect URIs for Android and iOS to use .eu domain
   - Fix Desktop URIs by removing wildcard asterisks
   - Update post-logout redirect URIs to match client JSONs
   - Set publicClient flag to true for all mobile/desktop clients

These changes ensure that when the realm is imported during deployment,
the client configurations will match the client JSONs exactly.

* Update web client configuration in Keycloak realm

Harmonize the web client configuration in the realm:
- Add 'OpenCloud Web App' client name
- Change URLs to use {{OC_URL}} template variables
- Update redirect URIs to use specific paths instead of wildcard
- Set backchannel logout URL to use templated URL

This completes the harmonization of all client configurations in the realm.

* Revert template variable approach in Keycloak configuration

Reverted templating changes to match upstream conventions:

1. Removed template variable handling from docker-entrypoint-override.sh
   - Removed {{OC_URL}} replacement, keeping only domain replacement

This maintains compatibility with the upstream approach of using direct URLs
with domain substitution instead of template variables.

* Fix remaining old client ID references in role mappings

Updated the remaining references to old client IDs in the role mappings section:
- xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 → OpenCloudDesktop
- e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD → OpenCloudAndroid
- mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 → OpenCloudIOS

This ensures all client ID references throughout the realm configuration are
consistent and use the simplified IDs.
This commit is contained in:
Michael Stingl
2025-04-07 17:54:13 +02:00
committed by GitHub
parent a86c6ea708
commit d2d33e4d48
6 changed files with 45 additions and 47 deletions

View File

@@ -1,13 +1,12 @@
{
"clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
"name": "openCloud Android app",
"clientId": "OpenCloudAndroid",
"name": "OpenCloud Android App",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
"redirectUris": [
"oc://android.opencloud.com"
"oc://android.opencloud.eu"
],
"webOrigins": [],
"notBefore": 0,
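Review bot: the `secret` line is left in place even though this client is switched to `publicClient: true` further down, so the committed JSON still carries a credential that is no longer used; drop the `secret` entry (and the `client-secret` authenticator type) rather than shipping a dead secret in version control. Since `oc://android.opencloud.eu` is a custom URI scheme that any app on the device can register, the public client should also be required to use PKCE (Keycloak attribute `"pkce.code.challenge.method": "S256"`) so a captured authorization code cannot be redeemed without the verifier.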
@@ -17,7 +16,7 @@
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
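Review bot: with `publicClient` flipped to `true` while the context line above keeps `directAccessGrantsEnabled: true`, the Resource Owner Password grant is now reachable with no client authentication at all, which lets any caller exchange a username and password for tokens under this client ID. Set `"directAccessGrantsEnabled": false` for the mobile and desktop clients unless the apps actually use the password grant, and enforce PKCE for the code flow they do use.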
@@ -25,7 +24,7 @@
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"post.logout.redirect.uris": "+",
"post.logout.redirect.uris": "oc://android.opencloud.eu",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
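Review bot: replacing `"+"` (which tells Keycloak to accept every registered redirect URI as a post-logout target) with the single explicit `oc://android.opencloud.eu` is the right tightening; note that this value must now be kept in sync by hand whenever `redirectUris` changes, since it no longer follows that list automatically.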

View File

@@ -1,13 +1,13 @@
{
"clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
"name": "OpenCloud iOS app",
"clientId": "OpenCloudDesktop",
"name": "OpenCloud Desktop Client",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
"redirectUris": [
"oc://ios.opencloud.com"
"http://127.0.0.1",
"http://localhost"
],
"webOrigins": [],
"notBefore": 0,
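Review bot: the old side of this hunk is the iOS client (`mxd5…`, `oc://ios.opencloud.com`) and the new side is the desktop client, while the third file in this commit goes the other way, so the contents of the two files have been swapped rather than renamed in place; the unchanged `secret` context line means the value that used to belong to the iOS client now sits in the desktop client's file. Please confirm the file names still match their contents, and remove the `secret` entry since the client becomes public below. Dropping `:*` from `http://127.0.0.1` and `http://localhost` also needs checking against the deployed Keycloak version: RFC 8252 section 7.3 expects the server to accept any port for loopback redirects, and if this version does not, the wildcard was what made the desktop client's ephemeral-port callback work. Prefer the `127.0.0.1` literal over `localhost`, which can resolve to something other than the loopback interface.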
@@ -17,7 +17,7 @@
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
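Review bot: same concern as for the mobile clients: `publicClient: true` next to the retained `directAccessGrantsEnabled: true` context line exposes the password grant without any client authentication; disable direct access grants for the desktop client and require PKCE (`"pkce.code.challenge.method": "S256"`) for its loopback code flow.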

View File

@@ -1,14 +1,12 @@
{
"clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
"name": "openCloud Desktop Client",
"clientId": "OpenCloudIOS",
"name": "OpenCloud iOS App",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
"redirectUris": [
"http://127.0.0.1:*",
"http://localhost:*"
"oc://ios.opencloud.eu"
],
"webOrigins": [],
"notBefore": 0,
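Review bot: this file previously held the desktop client (`xdXOt…`, loopback redirects) and now holds the iOS client, the mirror image of the second file in this commit; the `secret` line is kept as unchanged context, so the desktop client's former secret now lives in the iOS file. As with the other files, the `secret` entry should go once the client is public, and the custom-scheme redirect `oc://ios.opencloud.eu` should be paired with mandatory PKCE because the scheme can be claimed by other apps on the device.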
@@ -18,7 +16,7 @@
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
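Review bot: the `publicClient: true` change is consistent with a native app, but the surrounding `directAccessGrantsEnabled: true` and `clientAuthenticatorType: client-secret` lines were not revisited; for a public client the authenticator type is meaningless and the password grant should be turned off.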
@@ -26,7 +24,7 @@
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"post.logout.redirect.uris": "+",
"post.logout.redirect.uris": "oc://ios.opencloud.eu",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",

View File

@@ -1,12 +1,11 @@
{
"clientId": "3keLfua0olYvW1zKXTDB3OjAMPEYWEQNuiscli395GKJOiPnPURNQWGvGCJZf4Hw",
"clientId": "Cyberduck",
"name": "Cyberduck",
"description": "",
"description": "File transfer utility client",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "yoqICbLIeYbpZPqDH4D8k4NKb04HqnrWBntEeVZEQ5gO1RmaUlln0Aqu1dj2UoF4",
"redirectUris": [
"x-cyberduck-action:oauth",
"x-mountainduck-action:oauth"
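Review bot: the `secret` line for the Cyberduck client is left untouched although the next hunk makes it a public client, so this is another credential committed to the repository that will never be used; remove it. Shortening the client ID to `Cyberduck` is fine functionally, but every installed Cyberduck/Mountainduck profile that was issued the old 64-character ID will stop authenticating once the realm is re-imported, so this needs a migration note for existing users.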
@@ -19,7 +18,7 @@
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
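Review bot: `publicClient: true` for Cyberduck is appropriate for a desktop tool that cannot keep a secret, but the `directAccessGrantsEnabled: true` context line means the password grant is now open on this client without client authentication; set it to `false` and require PKCE for the `x-cyberduck-action:oauth` custom-scheme redirect.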

View File

@@ -1,19 +1,21 @@
{
"clientId": "web",
"name": "",
"name": "OpenCloud Web App",
"description": "",
"rootUrl": "https://cloud.opencloud.test",
"adminUrl": "https://cloud.opencloud.test",
"rootUrl": "{{OC_URL}}",
"adminUrl": "{{OC_URL}}",
"baseUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://cloud.opencloud.test/*"
"{{OC_URL}}/",
"{{OC_URL}}/oidc-callback.html",
"{{OC_URL}}/oidc-silent-redirect.html"
],
"webOrigins": [
"https://cloud.opencloud.test"
"{{OC_URL}}"
],
"notBefore": 0,
"bearerOnly": false,
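Review bot: this file introduces `{{OC_URL}}` placeholders in `rootUrl`, `adminUrl`, `redirectUris` and `webOrigins`, yet the commit message says the `{{OC_URL}}` replacement was removed from `docker-entrypoint-override.sh` and the realm file in this same commit keeps literal `https://cloud.opencloud.test` values. If nothing substitutes the placeholder at import time, the web client ends up with a literal `{{OC_URL}}/oidc-callback.html` redirect URI and logins fail; either restore the substitution or use the same literal-domain convention the realm file uses. Replacing `https://cloud.opencloud.test/*` with the three exact callback paths is a good change: the trailing wildcard allowed any path under the host to receive an authorization code.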
@@ -37,7 +39,7 @@
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.url": "https://cloud.opencloud/backchannel_logout",
"backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
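Review bot: the old `backchannel.logout.url` pointed at `https://cloud.opencloud/backchannel_logout`, a host without the `.test` suffix used everywhere else in this file, so back-channel logout could never have reached the web client; fixing it is welcome, but the new `{{OC_URL}}` form only works if the placeholder is actually substituted before import, which the reverted entrypoint change makes doubtful.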

View File

@@ -279,12 +279,12 @@
"containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7",
"attributes" : { }
} ],
"xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69" : [ ],
"OpenCloudDesktop" : [ ],
"web" : [ ],
"security-admin-console" : [ ],
"e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD" : [ ],
"OpenCloudAndroid" : [ ],
"admin-cli" : [ ],
"mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1" : [ ],
"OpenCloudIOS" : [ ],
"account-console" : [ ],
"broker" : [ {
"id" : "81fad68a-8dd8-4d79-9a8f-206a82460145",
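Review bot: renaming the three keys in the client role map is necessary, but the exported realm can reference client IDs in other places too (client scope mappings, composite roles, default client scopes); please grep the realm file for the old 64-character IDs before merging so no stale reference survives the import.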
@@ -797,14 +797,14 @@
"optionalClientScopes" : [ ]
}, {
"id" : "c8367556-1d13-4979-b4f6-5e2cff1f82ae",
"clientId" : "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
"name" : "openCloud Android app",
"clientId" : "OpenCloudAndroid",
"name" : "OpenCloud Android App",
"surrogateAuthRequired" : false,
"enabled" : true,
"alwaysDisplayInConsole" : false,
"clientAuthenticatorType" : "client-secret",
"secret" : "**********",
"redirectUris" : [ "oc://android.opencloud.com" ],
"redirectUris" : [ "oc://android.opencloud.eu" ],
"webOrigins" : [ ],
"notBefore" : 0,
"bearerOnly" : false,
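Review bot: the realm export keeps `"secret" : "**********"` as unchanged context for a client that the next hunk makes public; the masked value is harmless but misleading, so drop the `secret` field here as well to make clear that this client authenticates with nothing but its redirect URI and PKCE.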
@@ -813,7 +813,7 @@
"implicitFlowEnabled" : false,
"directAccessGrantsEnabled" : true,
"serviceAccountsEnabled" : false,
"publicClient" : false,
"publicClient" : true,
"frontchannelLogout" : false,
"protocol" : "openid-connect",
"attributes" : {
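Review bot: as in the standalone client JSON, `publicClient : true` combined with the unchanged `directAccessGrantsEnabled : true` leaves the password grant callable without client authentication in the imported realm; set it to `false` here too, otherwise the realm and the client JSON disagree on exactly the setting this commit is meant to harmonize.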
@@ -821,7 +821,7 @@
"saml.force.post.binding" : "false",
"saml.multivalued.roles" : "false",
"saml.encrypt" : "false",
"post.logout.redirect.uris" : "+",
"post.logout.redirect.uris" : "oc://android.opencloud.eu",
"backchannel.logout.revoke.offline.tokens" : "false",
"saml.server.signature" : "false",
"saml.server.signature.keyinfo.ext" : "false",
@@ -842,14 +842,14 @@
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
}, {
"id" : "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9",
"clientId" : "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
"name" : "openCloud iOS app",
"clientId" : "OpenCloudIOS",
"name" : "OpenCloud iOS App",
"surrogateAuthRequired" : false,
"enabled" : true,
"alwaysDisplayInConsole" : false,
"clientAuthenticatorType" : "client-secret",
"secret" : "**********",
"redirectUris" : [ "oc://ios.opencloud.com" ],
"redirectUris" : [ "oc://ios.opencloud.eu" ],
"webOrigins" : [ ],
"notBefore" : 0,
"bearerOnly" : false,
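Review bot: the iOS client in the realm now matches the standalone JSON (`OpenCloudIOS`, `oc://ios.opencloud.eu`); the masked `secret` context line should be removed for the same reason as on the Android client, and the custom scheme redirect should be protected by requiring PKCE in the `attributes` block.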
@@ -858,7 +858,7 @@
"implicitFlowEnabled" : false,
"directAccessGrantsEnabled" : true,
"serviceAccountsEnabled" : false,
"publicClient" : false,
"publicClient" : true,
"frontchannelLogout" : false,
"protocol" : "openid-connect",
"attributes" : {
@@ -866,7 +866,7 @@
"saml.force.post.binding" : "false",
"saml.multivalued.roles" : "false",
"saml.encrypt" : "false",
"post.logout.redirect.uris" : "+",
"post.logout.redirect.uris" : "oc://ios.opencloud.eu",
"backchannel.logout.revoke.offline.tokens" : "false",
"saml.server.signature" : "false",
"saml.server.signature.keyinfo.ext" : "false",
@@ -962,7 +962,7 @@
}, {
"id" : "54b18eca-cf79-4263-9db9-2d79f8a1c831",
"clientId" : "web",
"name" : "",
"name" : "OpenCloud Web App",
"description" : "",
"rootUrl" : "https://cloud.opencloud.test",
"adminUrl" : "https://cloud.opencloud.test",
@@ -971,7 +971,7 @@
"enabled" : true,
"alwaysDisplayInConsole" : false,
"clientAuthenticatorType" : "client-secret",
"redirectUris" : [ "https://cloud.opencloud.test/*" ],
"redirectUris" : [ "https://cloud.opencloud.test/", "https://cloud.opencloud.test/oidc-callback.html", "https://cloud.opencloud.test/oidc-silent-redirect.html" ],
"webOrigins" : [ "https://cloud.opencloud.test" ],
"notBefore" : 0,
"bearerOnly" : false,
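Review bot: the realm keeps the literal `https://cloud.opencloud.test` host in `redirectUris` and `webOrigins` while the standalone web client JSON in this commit uses `{{OC_URL}}`, so the two sources this change is supposed to harmonize still differ in exactly the value that decides whether a redirect is accepted; pick one convention. The change from `/*` to the three explicit callback paths is correct and removes the ability to send an authorization code to an arbitrary path on the host.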
@@ -1012,14 +1012,14 @@
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
}, {
"id" : "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f",
"clientId" : "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
"name" : "openCloud Desktop Client",
"clientId" : "OpenCloudDesktop",
"name" : "OpenCloud Desktop Client",
"surrogateAuthRequired" : false,
"enabled" : true,
"alwaysDisplayInConsole" : false,
"clientAuthenticatorType" : "client-secret",
"secret" : "**********",
"redirectUris" : [ "http://127.0.0.1:*", "http://localhost:*" ],
"redirectUris" : [ "http://127.0.0.1", "http://localhost" ],
"webOrigins" : [ ],
"notBefore" : 0,
"bearerOnly" : false,
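Review bot: `"http://127.0.0.1"` and `"http://localhost"` without a port only work if the deployed Keycloak accepts arbitrary loopback ports per RFC 8252 section 7.3; if it does not, removing `:*` breaks the desktop client's ephemeral-port callback, so this should be tested against the actual Keycloak version before the realm is re-imported. `localhost` is also weaker than the IP literal since it may resolve to a non-loopback address.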
@@ -1028,7 +1028,7 @@
"implicitFlowEnabled" : false,
"directAccessGrantsEnabled" : true,
"serviceAccountsEnabled" : false,
"publicClient" : false,
"publicClient" : true,
"frontchannelLogout" : false,
"protocol" : "openid-connect",
"attributes" : {
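Review bot: flipping the desktop client to `publicClient : true` while `directAccessGrantsEnabled : true` stays in the context lines opens the password grant without client authentication; disable direct access grants and add `"pkce.code.challenge.method" : "S256"` to the `attributes` block that this hunk ends on.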