From d2d33e4d489dbb7a080e77fa8f04846cdbe5844c Mon Sep 17 00:00:00 2001 
From: Michael Stingl <214010+michaelstingl@users.noreply.github.com> Date: Mon, 7 Apr 2025 17:54:13 +0200 Subject: [PATCH] Harmonize Keycloak Client Configurations with Built-in IdP (#589) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Harmonize Keycloak client configurations with built-in IdP This change makes the Keycloak client configurations consistent with the built-in IdP: 1. Standardized client IDs to match built-in IdP: - web (unchanged) - OpenCloudDesktop (was random ID) - OpenCloudAndroid (was random ID) - OpenCloudIOS (was random ID) - Cyberduck (simplified ID) 2. Updated domain names to use .eu consistently: - Changed from opencloud.com to opencloud.eu for mobile apps - Changed from hardcoded domains to templated {{OC_URL}} values 3. Updated redirect URIs to match built-in IdP format: - Added specific callback paths for web client - Removed wildcarded ports for desktop client 4. Changed mobile/desktop clients to public clients (equivalent to native app type) 5. Enhanced docker-entrypoint-override.sh to handle {{OC_URL}} template variables These changes ensure a consistent authentication experience regardless of whether users are using the built-in IdP or Keycloak. * Harmonize Keycloak client configuration with client JSONs Update the realm configuration to match the client configuration JSON files: 1. Update client IDs to match client JSON files: - Changed 'xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69' to 'OpenCloudDesktop' - Changed 'e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD' to 'OpenCloudAndroid' - Changed 'mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1' to 'OpenCloudIOS' 2. 
Fix additional client properties: - Fix client names: Use proper capitalization for all clients - Fix OAuth redirect URIs for Android and iOS to use .eu domain - Fix Desktop URIs by removing wildcard asterisks - Update post-logout redirect URIs to match client JSONs - Set publicClient flag to true for all mobile/desktop clients These changes ensure that when the realm is imported during deployment, the client configurations will match the client JSONs exactly. * Update web client configuration in Keycloak realm Harmonize the web client configuration in the realm: - Add 'OpenCloud Web App' client name - Change URLs to use {{OC_URL}} template variables - Update redirect URIs to use specific paths instead of wildcard - Set backchannel logout URL to use templated URL This completes the harmonization of all client configurations in the realm. * Revert template variable approach in Keycloak configuration Reverted templating changes to match upstream conventions: 1. Removed template variable handling from docker-entrypoint-override.sh - Removed {{OC_URL}} replacement, keeping only domain replacement This maintains compatibility with the upstream approach of using direct URLs with domain substitution instead of template variables. * Fix remaining old client ID references in role mappings Updated the remaining references to old client IDs in the role mappings section: - xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 → OpenCloudDesktop - e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD → OpenCloudAndroid - mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 → OpenCloudIOS This ensures all client ID references throughout the realm configuration are consistent and use the simplified IDs. 
---
 ...android_app.json => OpenCloudAndroid.json} | 11 +++---
 .../{ios_app.json => OpenCloudDesktop.json} | 10 ++---
 ...{desktop_client.json => OpenCloudIOS.json} | 12 +++---
 .../config/keycloak/clients/cyberduck.json | 7 ++--
 .../config/keycloak/clients/web.json | 14 ++++---
 .../config/keycloak/opencloud-realm.dist.json | 38 +++++++++----------
 6 files changed, 45 insertions(+), 47 deletions(-)
 rename deployments/examples/opencloud_full/config/keycloak/clients/{android_app.json => OpenCloudAndroid.json} (84%)
 rename deployments/examples/opencloud_full/config/keycloak/clients/{ios_app.json => OpenCloudDesktop.json} (86%)
 rename deployments/examples/opencloud_full/config/keycloak/clients/{desktop_client.json => OpenCloudIOS.json} (83%)
diff --git a/deployments/examples/opencloud_full/config/keycloak/clients/android_app.json b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json
similarity index 84%
rename from deployments/examples/opencloud_full/config/keycloak/clients/android_app.json
rename to deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json
index 7310cdd63a..c21838d67b 100644
--- a/deployments/examples/opencloud_full/config/keycloak/clients/android_app.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json
@@ -1,13 +1,12 @@
 {
- "clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
- "name": "openCloud Android app",
+ "clientId": "OpenCloudAndroid",
+ "name": "OpenCloud Android App",
 "surrogateAuthRequired": false,
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
 "redirectUris": [
- "oc://android.opencloud.com"
+ "oc://android.opencloud.eu"
 ],
 "webOrigins": [],
 "notBefore": 0,
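Review bot: Flipping this client to `"publicClient": true` (its `@@ -17,7 +16,7 @@` hunk) removes the secret, but the unchanged context line `"directAccessGrantsEnabled": true` keeps the resource-owner-password grant open on a now credential-less mobile client, and no `"pkce.code.challenge.method": "S256"` attribute is visible in the attribute lines this patch touches, so PKCE is not enforced for the authorization-code flow unless it is set elsewhere in the file. A public native client relies on PKCE to bind the authorization code to the app instance, so the attribute should be added under `"attributes"` and direct access grants set to `false` unless the Android app really uses password login. The same two points apply to the `publicClient` hunks of OpenCloudDesktop, OpenCloudIOS and cyberduck and to the realm copies at `@@ -813`, `@@ -858` and `@@ -1028` in opencloud-realm.dist.json. Renaming the `clientId` also breaks any existing installation registered under the old random ID; that migration impact belongs in the description or changelog.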
@@ -17,7 +16,7 @@
 "implicitFlowEnabled": false,
 "directAccessGrantsEnabled": true,
 "serviceAccountsEnabled": false,
- "publicClient": false,
+ "publicClient": true,
 "frontchannelLogout": false,
 "protocol": "openid-connect",
 "attributes": {
@@ -25,7 +24,7 @@
 "saml.force.post.binding": "false",
 "saml.multivalued.roles": "false",
 "saml.encrypt": "false",
- "post.logout.redirect.uris": "+",
+ "post.logout.redirect.uris": "oc://android.opencloud.eu",
 "backchannel.logout.revoke.offline.tokens": "false",
 "saml.server.signature": "false",
 "saml.server.signature.keyinfo.ext": "false",
diff --git a/deployments/examples/opencloud_full/config/keycloak/clients/ios_app.json b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json
similarity index 86%
rename from deployments/examples/opencloud_full/config/keycloak/clients/ios_app.json
rename to deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json
index 8161996823..d17a7cb6cf 100644
--- a/deployments/examples/opencloud_full/config/keycloak/clients/ios_app.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json
@@ -1,13 +1,13 @@
 {
- "clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
- "name": "OpenCloud iOS app",
+ "clientId": "OpenCloudDesktop",
+ "name": "OpenCloud Desktop Client",
 "surrogateAuthRequired": false,
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
 "redirectUris": [
- "oc://ios.opencloud.com"
+ "http://127.0.0.1",
+ "http://localhost"
 ],
 "webOrigins": [],
 "notBefore": 0,
@@ -17,7 +17,7 @@
 "implicitFlowEnabled": false,
 "directAccessGrantsEnabled": true,
 "serviceAccountsEnabled": false,
- "publicClient": false,
+ "publicClient": true,
 "frontchannelLogout": false,
 "protocol": "openid-connect",
 "attributes": {
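Review bot: The desktop client's redirect URIs in the `@@ -1,13 +1,13 @@` hunk of OpenCloudDesktop.json are now the exact values `http://127.0.0.1` and `http://localhost` with no port, while a loopback-redirect desktop client (RFC 8252 §7.3) binds an ephemeral port per authorization and expects the server to accept any port on a loopback address. Unless the Keycloak version used in this example relaxes its redirect-URI match for loopback addresses, desktop logins will be rejected as an invalid redirect URI, which the previous `:*` wildcard avoided; matching the built-in IdP's list does not by itself guarantee both servers apply the same loopback rule, so this should be verified with the real desktop client before merging. The realm copy in the `@@ -1012,14 +1012,14 @@` hunk of opencloud-realm.dist.json makes the same change. If the match turns out to be strict, restore `"http://127.0.0.1:*"` and `"http://localhost:*"` in both files.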
diff --git a/deployments/examples/opencloud_full/config/keycloak/clients/desktop_client.json b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudIOS.json
similarity index 83%
rename from deployments/examples/opencloud_full/config/keycloak/clients/desktop_client.json
rename to deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudIOS.json
index 0b89849979..d09e089570 100644
--- a/deployments/examples/opencloud_full/config/keycloak/clients/desktop_client.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudIOS.json
@@ -1,14 +1,12 @@
 {
- "clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
- "name": "openCloud Desktop Client",
+ "clientId": "OpenCloudIOS",
+ "name": "OpenCloud iOS App",
 "surrogateAuthRequired": false,
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
 "redirectUris": [
- "http://127.0.0.1:*",
- "http://localhost:*"
+ "oc://ios.opencloud.eu"
 ],
 "webOrigins": [],
 "notBefore": 0,
@@ -18,7 +16,7 @@
 "implicitFlowEnabled": false,
 "directAccessGrantsEnabled": true,
 "serviceAccountsEnabled": false,
- "publicClient": false,
+ "publicClient": true,
 "frontchannelLogout": false,
 "protocol": "openid-connect",
 "attributes": {
@@ -26,7 +24,7 @@
 "saml.force.post.binding": "false",
 "saml.multivalued.roles": "false",
 "saml.encrypt": "false",
- "post.logout.redirect.uris": "+",
+ "post.logout.redirect.uris": "oc://ios.opencloud.eu",
 "backchannel.logout.revoke.offline.tokens": "false",
 "saml.server.signature": "false",
 "saml.server.signature.keyinfo.ext": "false",
diff --git a/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json b/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json
index 85a4e72c5c..5143323a44 100644
--- a/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json
@@ -1,12 +1,11 @@
 {
- "clientId": "3keLfua0olYvW1zKXTDB3OjAMPEYWEQNuiscli395GKJOiPnPURNQWGvGCJZf4Hw",
+ "clientId": "Cyberduck",
 "name": "Cyberduck",
- "description": "",
+ "description": "File transfer utility client",
 "surrogateAuthRequired": false,
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "secret": "yoqICbLIeYbpZPqDH4D8k4NKb04HqnrWBntEeVZEQ5gO1RmaUlln0Aqu1dj2UoF4",
 "redirectUris": [
 "x-cyberduck-action:oauth",
 "x-mountainduck-action:oauth"
@@ -19,7 +18,7 @@
 "implicitFlowEnabled": false,
 "directAccessGrantsEnabled": true,
 "serviceAccountsEnabled": false,
- "publicClient": false,
+ "publicClient": true,
 "frontchannelLogout": false,
 "protocol": "openid-connect",
 "attributes": {
diff --git a/deployments/examples/opencloud_full/config/keycloak/clients/web.json b/deployments/examples/opencloud_full/config/keycloak/clients/web.json
index 18c7f09e98..9ab819a44e 100644
--- a/deployments/examples/opencloud_full/config/keycloak/clients/web.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/web.json
@@ -1,19 +1,21 @@
 {
 "clientId": "web",
- "name": "",
+ "name": "OpenCloud Web App",
 "description": "",
- "rootUrl": "https://cloud.opencloud.test",
- "adminUrl": "https://cloud.opencloud.test",
+ "rootUrl": "{{OC_URL}}",
+ "adminUrl": "{{OC_URL}}",
 "baseUrl": "",
 "surrogateAuthRequired": false,
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "redirectUris": [
- "https://cloud.opencloud.test/*"
+ "{{OC_URL}}/",
+ "{{OC_URL}}/oidc-callback.html",
+ "{{OC_URL}}/oidc-silent-redirect.html"
 ],
 "webOrigins": [
- "https://cloud.opencloud.test"
+ "{{OC_URL}}"
 ],
 "notBefore": 0,
 "bearerOnly": false,
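Review bot: web.json now carries the literal placeholder `{{OC_URL}}` in `rootUrl`, `adminUrl`, `redirectUris` and `webOrigins` (and in `backchannel.logout.url` in its `@@ -37,7 +39,7 @@` hunk), yet the description states the `{{OC_URL}}` replacement was removed from docker-entrypoint-override.sh again and the diffstat lists no script change, so nothing in this patch substitutes the placeholder. If this file is imported as-is, the redirect-URI check can never match a browser's real callback against `{{OC_URL}}/oidc-callback.html`, and the realm copy of the same client in the `@@ -971,7 +971,7 @@` hunk keeps the concrete `https://cloud.opencloud.test/...` values, so the two definitions the description says must match exactly now differ. Either apply the domain-substitution approach kept for the other clients here too (concrete `https://cloud.opencloud.test` URLs, as the realm file has), or include the substitution step that consumes `{{OC_URL}}` in this change, and say which in the description.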
@@ -37,7 +39,7 @@
 "saml.server.signature.keyinfo.ext": "false",
 "exclude.session.state.from.auth.response": "false",
 "oidc.ciba.grant.enabled": "false",
- "backchannel.logout.url": "https://cloud.opencloud/backchannel_logout",
+ "backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
 "backchannel.logout.session.required": "true",
 "client_credentials.use_refresh_token": "false",
 "saml_force_name_id_format": "false",
diff --git a/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json b/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json
index 3610658380..0076cc1ef0 100644
--- a/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json
+++ b/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json
@@ -279,12 +279,12 @@
 "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7",
 "attributes" : { }
 } ],
- "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69" : [ ],
+ "OpenCloudDesktop" : [ ],
 "web" : [ ],
 "security-admin-console" : [ ],
- "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD" : [ ],
+ "OpenCloudAndroid" : [ ],
 "admin-cli" : [ ],
- "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1" : [ ],
+ "OpenCloudIOS" : [ ],
 "account-console" : [ ],
 "broker" : [ {
 "id" : "81fad68a-8dd8-4d79-9a8f-206a82460145",
@@ -797,14 +797,14 @@
 "optionalClientScopes" : [ ]
 }, {
 "id" : "c8367556-1d13-4979-b4f6-5e2cff1f82ae",
- "clientId" : "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
- "name" : "openCloud Android app",
+ "clientId" : "OpenCloudAndroid",
+ "name" : "OpenCloud Android App",
 "surrogateAuthRequired" : false,
 "enabled" : true,
 "alwaysDisplayInConsole" : false,
 "clientAuthenticatorType" : "client-secret",
 "secret" : "**********",
- "redirectUris" : [ "oc://android.opencloud.com" ],
+ "redirectUris" : [ "oc://android.opencloud.eu" ],
 "webOrigins" : [ ],
 "notBefore" : 0,
 "bearerOnly" : false,
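Review bot: The realm copy of OpenCloudAndroid in the `@@ -797,14 +797,14 @@` hunk keeps the context line `"secret" : "**********"` although the `@@ -813,7 +813,7 @@` hunk turns the client public and OpenCloudAndroid.json drops its `secret` key in this same patch. For a public client the value is not used to authenticate, so it is harmless at import, but the description's stated goal of the realm matching the client JSONs exactly is not met while the masked placeholder stays, and the same stale line remains for OpenCloudIOS (`@@ -842`) and OpenCloudDesktop (`@@ -1012`). Removing the `"secret"` line from those three realm clients keeps the two sources consistent and avoids a masked export artefact being imported as a literal secret.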
@@ -813,7 +813,7 @@
 "implicitFlowEnabled" : false,
 "directAccessGrantsEnabled" : true,
 "serviceAccountsEnabled" : false,
- "publicClient" : false,
+ "publicClient" : true,
 "frontchannelLogout" : false,
 "protocol" : "openid-connect",
 "attributes" : {
@@ -821,7 +821,7 @@
 "saml.force.post.binding" : "false",
 "saml.multivalued.roles" : "false",
 "saml.encrypt" : "false",
- "post.logout.redirect.uris" : "+",
+ "post.logout.redirect.uris" : "oc://android.opencloud.eu",
 "backchannel.logout.revoke.offline.tokens" : "false",
 "saml.server.signature" : "false",
 "saml.server.signature.keyinfo.ext" : "false",
@@ -842,14 +842,14 @@
 "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
 }, {
 "id" : "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9",
- "clientId" : "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
- "name" : "openCloud iOS app",
+ "clientId" : "OpenCloudIOS",
+ "name" : "OpenCloud iOS App",
 "surrogateAuthRequired" : false,
 "enabled" : true,
 "alwaysDisplayInConsole" : false,
 "clientAuthenticatorType" : "client-secret",
 "secret" : "**********",
- "redirectUris" : [ "oc://ios.opencloud.com" ],
+ "redirectUris" : [ "oc://ios.opencloud.eu" ],
 "webOrigins" : [ ],
 "notBefore" : 0,
 "bearerOnly" : false,
@@ -858,7 +858,7 @@
 "implicitFlowEnabled" : false,
 "directAccessGrantsEnabled" : true,
 "serviceAccountsEnabled" : false,
- "publicClient" : false,
+ "publicClient" : true,
 "frontchannelLogout" : false,
 "protocol" : "openid-connect",
 "attributes" : {
@@ -866,7 +866,7 @@
 "saml.force.post.binding" : "false",
 "saml.multivalued.roles" : "false",
 "saml.encrypt" : "false",
- "post.logout.redirect.uris" : "+",
+ "post.logout.redirect.uris" : "oc://ios.opencloud.eu",
 "backchannel.logout.revoke.offline.tokens" : "false",
 "saml.server.signature" : "false",
 "saml.server.signature.keyinfo.ext" : "false",
@@ -962,7 +962,7 @@
 }, {
 "id" : "54b18eca-cf79-4263-9db9-2d79f8a1c831",
 "clientId" : "web",
- "name" : "",
+ "name" : "OpenCloud Web App",
 "description" : "",
 "rootUrl" : "https://cloud.opencloud.test",
 "adminUrl" : "https://cloud.opencloud.test",
@@ -971,7 +971,7 @@
 "enabled" : true,
 "alwaysDisplayInConsole" : false,
 "clientAuthenticatorType" : "client-secret",
- "redirectUris" : [ "https://cloud.opencloud.test/*" ],
+ "redirectUris" : [ "https://cloud.opencloud.test/", "https://cloud.opencloud.test/oidc-callback.html", "https://cloud.opencloud.test/oidc-silent-redirect.html" ],
 "webOrigins" : [ "https://cloud.opencloud.test" ],
 "notBefore" : 0,
 "bearerOnly" : false,
@@ -1012,14 +1012,14 @@
 "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
 }, {
 "id" : "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f",
- "clientId" : "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
- "name" : "openCloud Desktop Client",
+ "clientId" : "OpenCloudDesktop",
+ "name" : "OpenCloud Desktop Client",
 "surrogateAuthRequired" : false,
 "enabled" : true,
 "alwaysDisplayInConsole" : false,
 "clientAuthenticatorType" : "client-secret",
 "secret" : "**********",
- "redirectUris" : [ "http://127.0.0.1:*", "http://localhost:*" ],
+ "redirectUris" : [ "http://127.0.0.1", "http://localhost" ],
 "webOrigins" : [ ],
 "notBefore" : 0,
 "bearerOnly" : false,
@@ -1028,7 +1028,7 @@
 "implicitFlowEnabled" : false,
 "directAccessGrantsEnabled" : true,
 "serviceAccountsEnabled" : false,
- "publicClient" : false,
+ "publicClient" : true,
 "frontchannelLogout" : false,
 "protocol" : "openid-connect",
 "attributes" : {