Configuring Keycloak to also do OIDC (#12700)

This commit is contained in:
John Westcott IV
2022-08-24 07:08:39 -04:00
committed by GitHub
parent ff49cc5636
commit a1b364f80c
4 changed files with 150 additions and 20 deletions


@@ -24,6 +24,8 @@
public_key_trimmed: "{{ public_key_content | regex_replace('-----BEGIN CERTIFICATE-----\\\\n', '') | regex_replace('\\\\n-----END CERTIFICATE-----', '') }}"
existing_saml: "{{ lookup('awx.awx.controller_api', 'settings/saml', host=awx_host, verify_ssl=false) }}"
new_saml: "{{ lookup('template', 'saml_settings.json.j2') }}"
existing_oidc: "{{ lookup('awx.awx.controller_api', 'settings/oidc', host=awx_host, verify_ssl=false) }}"
new_oidc: "{{ lookup('template', 'oidc_settings.json.j2') }}"
vars:
# We add the extra \\ in here so that when jinja is templating out the files we end up with \n in the strings.
public_key_content: "{{ lookup('file', public_key_file) | regex_replace('\n', '\\\\n') }}"
@@ -34,14 +36,21 @@
msg:
- "Here is your existing SAML configuration for reference:"
- "{{ existing_saml }}"
- "Here is your existing OIDC configuration for reference:"
- "{{ existing_oidc }}"
- pause:
prompt: "Continuing to run this will replace your existing saml settings (displayed above). They will all be captured except for your private key. Be sure that is backed up before continuing"
prompt: "Continuing to run this will replace your existing saml and OIDC settings (displayed above). They will all be captured except for your private key. Be sure that is backed up before continuing"
- name: Write out the existing content
copy:
dest: "../_sources/existing_saml_adapter_settings.json"
content: "{{ existing_saml }}"
dest: "../_sources/{{ item.filename }}"
content: "{{ item.content }}"
loop:
- filename: "existing_saml_adapter_settings.json"
content: "{{ existing_saml }}"
- filename: "existing_oidc_adapter_settings.json"
content: "{{ existing_oidc }}"
- name: Configure AWX SAML adapter
awx.awx.settings:
@@ -49,6 +58,12 @@
controller_host: "{{ awx_host }}"
validate_certs: False
- name: Configure AWX OIDC adapter
awx.awx.settings:
settings: "{{ new_oidc }}"
controller_host: "{{ awx_host }}"
validate_certs: False
- name: Get a keycloak token
uri:
url: "https://localhost:8443/auth/realms/master/protocol/openid-connect/token"
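Review bot: The `Write out the existing content` copy task writes both exported settings files to `../_sources/` without a `mode`, so they land with whatever the default umask gives even though the OIDC export may carry credential fields next to the SAML one; adding `mode: "0600"` to the copy keeps those backups owner-readable only. Whether `settings/oidc` actually returns `SOCIAL_AUTH_OIDC_SECRET` in clear is not visible here, so confirm that before relying on the prompt's "except for your private key" wording. The new `Configure AWX OIDC adapter` task repeats `validate_certs: False` from the SAML task, which is consistent for this local setup; yamllint's truthy rule would prefer `validate_certs: false` on both. The play continues outside the hunk.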


@@ -2,7 +2,7 @@
This template is an export from Keycloak.
See https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/export-import.adoc for instructions on how to run the export.
Once you have the export you want to variablize the public cert, private cert, and the endpoints.
The endpoints should be replaced with the variable {{ container_reference }}
The endpoints should be replaced with either the variable {{ container_reference }} or {{ oidc_reference }}
Some of the keys have \n's in there and some references do not.
The ones with the \n can be variablized by {{ private_key }} and {{ public_key }}.
The public key in the setting `saml.signing.certificate` should be replaced with {{ public_key_trimmed }}
@@ -65,7 +65,8 @@
"composite": true,
"composites": {
"realm": [
"offline_access"
"offline_access",
"uma_authorization"
],
"client": {
"account": [
@@ -75,12 +76,31 @@
}
},
"clientRole": false,
"containerId": "Tower Realm",
"containerId": "AWX Realm",
"attributes": {}
},
{
"id": "ea2c2864-93b0-4022-9ef1-202bc2f9c87a",
"name": "uma_authorization",
"description": "${role_uma_authorization}",
"composite": false,
"clientRole": false,
"containerId": "AWX Realm",
"attributes": {}
},
{
"id": "3764c3ca-d706-424e-8802-65be0d2e060d",
"name": "offline_access",
"description": "${role_offline-access}",
"composite": false,
"clientRole": false,
"containerId": "AWX Realm",
"attributes": {}
}
],
"client": {
"{{ container_reference }}:8043": []
"{{ container_reference }}:8043": [],
"awx_oidc_client": []
}
},
"groups": [],
@@ -90,7 +110,7 @@
"description": "${role_default-roles}",
"composite": true,
"clientRole": false,
"containerId": "Tower Realm"
"containerId": "AWX Realm"
},
"requiredCredentials": [
"password"
@@ -290,6 +310,88 @@
"role_list"
],
"optionalClientScopes": []
},
{
"id": "525e0eeb-56ee-429f-a040-c6fc18072dc4",
"clientId": "awx_oidc_client",
"baseUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "7b1c3527-8702-4742-af69-2b74ee5742e8",
"redirectUris": [
{% if oidc_reference is defined %}
"https://{{ oidc_reference }}:8043/sso/complete/oidc/",
{% endif %}
"https://{{ container_reference }}:8043/sso/complete/oidc/"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"id.token.as.detached.signature": "false",
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"use.refresh.tokens": "true",
"exclude.session.state.from.auth.response": "false",
"oidc.ciba.grant.enabled": "false",
"saml.artifact.binding": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"require.pushed.authorization.requests": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"id": "a8f4a0a8-ece4-4a9d-9e7b-830f23ba0067",
"name": "AWX OIDC Group Membership",
"protocol": "openid-connect",
"protocolMapper": "oidc-group-membership-mapper",
"consentRequired": false,
"config": {
"full.path": "false",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "Group",
"userinfo.token.claim": "true"
}
}
],
"defaultClientScopes": [
"web-origins",
"profile",
"roles",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
],
"clientScopes": [
@@ -626,6 +728,7 @@
"consentRequired": false,
"config": {
"multivalued": "true",
"userinfo.token.claim": "true",
"user.attribute": "foo",
"id.token.claim": "true",
"access.token.claim": "true",
@@ -1686,7 +1789,7 @@
"clientOfflineSessionIdleTimeout": "0",
"cibaInterval": "5"
},
"keycloakVersion": "15.0.2.redhat-00001",
"keycloakVersion": "15.0.2",
"userManagedAccessAllowed": false,
"clientProfiles": {
"profiles": []
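Review bot: The new `awx_oidc_client` entry sets `"directAccessGrantsEnabled": true`, which turns on the resource-owner password grant for this client, while the AWX browser login only needs the authorization-code flow that `"standardFlowEnabled": true` already provides; unless something else in the compose stack relies on the password grant, `"directAccessGrantsEnabled": false` is the least-privilege setting for this fixture. The `secret` literal `7b1c3527-8702-4742-af69-2b74ee5742e8` is also duplicated verbatim in the new oidc_settings.json.j2, so templating it from a single variable in both files would keep them from drifting apart. The exact `redirectUris` and the `{% if oidc_reference is defined %}` branch, which keeps the JSON list valid in both cases, look right. The enclosing `clients` array starts before this hunk.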


@@ -0,0 +1,6 @@
{
"SOCIAL_AUTH_OIDC_KEY": "awx_oidc_client",
"SOCIAL_AUTH_OIDC_SECRET": "7b1c3527-8702-4742-af69-2b74ee5742e8",
"SOCIAL_AUTH_OIDC_OIDC_ENDPOINT": "https://{{ oidc_reference | default(container_reference) }}:8443/auth/realms/awx",
"SOCIAL_AUTH_OIDC_VERIFY_SSL": "False"
}
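Review bot: `"SOCIAL_AUTH_OIDC_VERIFY_SSL": "False"` is a string where the setting is a boolean; the settings API's boolean field will presumably coerce it, but `"SOCIAL_AUTH_OIDC_VERIFY_SSL": false` removes the dependence on that coercion and makes it obvious to a reader that TLS verification toward Keycloak is disabled. That is understandable for the local compose Keycloak, and a short Jinja comment header, like the explanatory header the realm template carries, stating that `oidc_reference` falls back to `container_reference` and that verification is off only for this local setup, would document the intent. The secret here must match the `secret` of `awx_oidc_client` in the realm template; sourcing both from one variable avoids a silent mismatch.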