diff --git a/ops/keycloak/identity_providers.tf b/ops/keycloak/identity_providers.tf
index 15e36bc81..418476d8e 100644
--- a/ops/keycloak/identity_providers.tf
+++ b/ops/keycloak/identity_providers.tf
@@ -1,3 +1,7 @@
+variable "bornhack_client_secret" {
+ type = string
+}
+
 variable "github_client_secret" {
 type = string
 }
@@ -39,3 +43,45 @@ resource "keycloak_oidc_identity_provider" "gitlab" {
 authorization_url = ""
 token_url = ""
 }
+
+resource "keycloak_oidc_identity_provider" "bornhack" {
+ alias = "bornhack"
+ provider_id = "oidc"
+ client_id = "I9RQMXbukxjUAgtYaKeGTqJL3pPoRTw34tZ6jita"
+ client_secret = var.bornhack_client_secret
+ realm = keycloak_realm.snix.id
+ backchannel_supported = false
+ gui_order = "3"
+ store_token = false
+ sync_mode = "IMPORT"
+ trust_email = true
+ default_scopes = "openid profile email"
+
+ authorization_url = "https://bornhack.dk/o/authorize/"
+ token_url = "https://bornhack.dk/o/token/"
+ validate_signature = true
+ user_info_url = "https://bornhack.dk/o/userinfo/"
+ jwks_url = "https://bornhack.dk/o/.well-known/jwks.json"
+ issuer = "https://bornhack.dk/o"
+
+ extra_config = {
+ pkceEnabled = true
+ pkceMethod = "S256"
+ }
+}
+
+# Bornhack uses a uuid as `sub`, and has an additional `nickname` claim, which we use.
+# Normally, we'd simply import this as the username, but for now we cannot, due to
+# https://github.com/bornhack/bornhack-website/issues/1837
+# resource "keycloak_custom_identity_provider_mapper" "bornhack_nickname" {
+# realm = keycloak_realm.snix.id
+# name = "bornhack_nickname"
+# identity_provider_alias = keycloak_oidc_identity_provider.bornhack.alias
+# identity_provider_mapper = "oidc-user-attribute-idp-mapper"
+
+# extra_config = {
+# syncMode = "INHERIT"
+# claim = "nickname"
+# "user.attribute" = "username"
+# }
+# }
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age
index 50b87f551..1fdbc5286 100644
Binary files a/ops/secrets/tf-keycloak.age and b/ops/secrets/tf-keycloak.age differ
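Review bot: The new `variable "bornhack_client_secret"` block declares a credential without `sensitive = true`, so its value is echoed in clear text in `terraform plan` and `apply` output and in any CI log that captures them. Adding one line inside the block, `sensitive = true`, makes Terraform redact it from CLI output; note that this does not change what is written to state, which still holds the plaintext value and must be protected separately. The adjacent `github_client_secret` variable visible as context has the same gap, though that is pre-existing and not introduced here.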
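Review bot: `trust_email = true` in the new `keycloak_oidc_identity_provider "bornhack"` resource tells Keycloak to treat the `email` claim from Bornhack as already verified, and combined with `sync_mode = "IMPORT"` this lets the first-broker-login flow skip its own email verification step; depending on how the realm's first-login flow is configured (not visible in this hunk), that can mean a federated identity is linked to an existing local account purely on a matching email address. Unless it is established that Bornhack verifies email addresses before asserting them, `trust_email = false` is the safer default, or the realm's first-login flow should be confirmed not to auto-link by email. A one-line comment recording that decision next to `trust_email` would help, e.g. `# Bornhack verifies emails before asserting the claim — safe to trust (verified <date, placeholder>)`. The hard-coded `client_id` is a public OIDC identifier rather than a secret and is fine as a literal, and the commented-out mapper block is well documented with its upstream issue link.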