From 09c1e3d25beb5954c18ef6c7d20687542303e332 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 12 Apr 2025 19:26:28 +0200 Subject: [PATCH] feat(ops/keycloak): allow log in with Bornhack account This adds bornhack.dk as an OIDC provider. We currently do not yet map the `nickname` claim as a username field. This means users logging in via Bornhack need to choose their username manually, until https://github.com/bornhack/bornhack-website/issues/1837 is solved. Change-Id: Ia91594107a0cd1d1e0a2ee7ca48d603a2ac681a5 Reviewed-on: https://cl.snix.dev/c/snix/+/30326 Tested-by: besadii Reviewed-by: Ilan Joselevich Autosubmit: Florian Klink
---
 ops/keycloak/identity_providers.tf | 46 +++++++++++++++++++++++++++++ ops/secrets/tf-keycloak.age | Bin 820 -> 979 bytes 2 files changed, 46 insertions(+)
diff --git a/ops/keycloak/identity_providers.tf b/ops/keycloak/identity_providers.tf
index 15e36bc81..418476d8e 100644
--- a/ops/keycloak/identity_providers.tf
+++ b/ops/keycloak/identity_providers.tf
@@ -1,3 +1,7 @@
+variable "bornhack_client_secret" {
+ type = string
+}
+
 variable "github_client_secret" {
 type = string
 }
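Review bot: The new `bornhack_client_secret` variable carries an OAuth client secret but is declared with only `type = string`, so Terraform will render its value in `plan`/`apply` output, in state diffs shown on the console, and in any error message that interpolates the variable. Add `sensitive = true` inside the block so the value is redacted everywhere Terraform prints it. The diffstat indicates the value itself is sourced from the age-encrypted `ops/secrets/tf-keycloak.age`, so this is about not leaking it through Terraform's own output rather than about storage; the adjacent `github_client_secret` block in the context lines has the same gap, but that is pre-existing.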
@@ -39,3 +43,45 @@ resource "keycloak_oidc_identity_provider" "gitlab" {
 authorization_url = ""
 token_url = ""
 }
+
+resource "keycloak_oidc_identity_provider" "bornhack" {
+ alias = "bornhack"
+ provider_id = "oidc"
+ client_id = "I9RQMXbukxjUAgtYaKeGTqJL3pPoRTw34tZ6jita"
+ client_secret = var.bornhack_client_secret
+ realm = keycloak_realm.snix.id
+ backchannel_supported = false
+ gui_order = "3"
+ store_token = false
+ sync_mode = "IMPORT"
+ trust_email = true
+ default_scopes = "openid profile email"
+
+ authorization_url = "https://bornhack.dk/o/authorize/"
+ token_url = "https://bornhack.dk/o/token/"
+ validate_signature = true
+ user_info_url = "https://bornhack.dk/o/userinfo/"
+ jwks_url = "https://bornhack.dk/o/.well-known/jwks.json"
+ issuer = "https://bornhack.dk/o"
+
+ extra_config = {
+ pkceEnabled = true
+ pkceMethod = "S256"
+ }
+}
+
+# Bornhack uses a uuid as `sub`, and has an additional `nickname` claim, which we use.
+# Normally, we'd simply import this as the username, but for now we cannot, due to
+# https://github.com/bornhack/bornhack-website/issues/1837
+# resource "keycloak_custom_identity_provider_mapper" "bornhack_nickname" {
+# realm = keycloak_realm.snix.id
+# name = "bornhack_nickname"
+# identity_provider_alias = keycloak_oidc_identity_provider.bornhack.alias
+# identity_provider_mapper = "oidc-user-attribute-idp-mapper"
+
+# extra_config = {
+# syncMode = "INHERIT"
+# claim = "nickname"
+# "user.attribute" = "username"
+# }
+# }
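Review bot: `trust_email = true` in the new `bornhack` resource tells Keycloak to accept the `email` claim from bornhack.dk as already verified, so users arriving through this provider skip Keycloak's own email verification and the first-broker-login flow will treat that address as belonging to them when it looks for an existing account to link; that is only safe if bornhack.dk verifies email ownership before exposing the address in its token/userinfo response, which nothing in the hunk documents. Either confirm that and record it above the setting, e.g. `# bornhack.dk only exposes verified email addresses, so the claim can be trusted (checked 2025-04)`, or set it to `false` and let Keycloak verify, since an unverified claim here would let a Bornhack account holder take over a local or GitHub/GitLab-linked account that uses the same address. Separately, the comment `which we use` above the commented-out mapper does not match the code below it; `which we intend to map to the username` would. The `resource` block and the commented mapper are both complete within the hunk.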
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age index 50b87f551886b1be533e0f34ee2e7fc2091e7232..1fdbc528682f44a22986309c3c997e582086e0ab 100644 GIT binary patch delta 949 zcmdnOcA0&GPQ9~BZkmU0sk^s_Npf12eu;rmkwL0aiHC7|Xo-ubtG<76RC0Mys+)gA zI#;T8q;r^QwrRLoLAgbUk*T9&c}_uUsZZcaduk)OGfOQxG!YLtbWX?CJ%TBfI~zeP}nhgY&=k#>qN$cp0P4BgZeh&|3m zRpEJ#3RxE3*-=5IiI(PWLB4rez9|{y76HCx+T||ker}ne+D5)Xsb>0t7RhdoTtx=; zY1w(4+N#TCR*&$w8PVRY5j$FFBx(X4wreR@@ zmL>Y7ULmyT_u3S<3?lhLY-?yn+KX84e zuWN zY_)be>64Il@fh>$?0%1>vY`$8&dKDj*^>X=WV2$Wz|Cxn9^<7q{@485l*Xo>5&q*t z)L$<}{-trVtlU(DlVXf@&%2&{ytG#Gk*HC9Qb_N=vijT#=_P(r`rEb^aP6G&=!#hS z+)TrI!QEHyGrB(4mb>`u)3HYZ_EAOW*jNjG7VdBQ#Q!a5zm3A`u2z-qyEEq8k(=Dj zF=Ni#hK=#LJD<4oY!H*3+PM1Affcc=vB#a4_x7)w|KIk_8Z+jvQC)YeveiFrmJ`~? zvhsDAZf?FyyX(g7O-Uvad0tSCTg&MnXSIZIt_i{GbZ>TaKXV)=ZbP1So^T~=f) zbE%J4oqj$!;ko*rvKjTORkxjP{qWa3zhlvH-iXA^U0zO+Z&sM!U6~iBvpnQh;@a*C6;(YF$`-S3B|USNs6G2~vV~oC*sapM|Eo^ii~GoTRyT%uk-OfSpAXAR vtNPskx){~4bGEg;x$3ir^?;IEhF0-pMinX6ea(C4UHjPNkf3*Jc3BYsSxKAr delta 789 zcmcc2zJ+aqPQ7tdZnME z1(%tVc8GbPpPy4wl1FGpxRG&GRY|CJfpM}^m9|HSi@9Zfwq=l$c3PR2374*&LWGg2 zsiCDpS-4?vWT;1?xnW2|a%#Dom!(&MTX{iYrGa07dwrpHnWsgrPk~EVnuSp^mshcA zaY&(YVOW^4V{l%Wah98(slP#Ss#&N>q;pttUSUC6qH|@qW0ncnisIr7-P9C_JtO7?&+>B>1C;5`mXLii9VrW2EhUOT)Mit3MQs`K2b#h ziHT`Z1{rxd{*@--#$^Q+Dd}!TAq82kuCDpsrmoJel~sl5T%XEh&g9C!KU{Opr+jz% z^^3Vumjdp1PExnLnR!}q%jGute7E#3^@_^oACBI1S^uX0L*d5*fB$o;B^~CS+c{~{ zgihrxe?5O}SjXP1`0xbVmQ3Ank!?rv8K&$|OKeytD6x@|f8T*qLjV7CSG{p$Qg4vZ z{(ohy!e6b${QWh_TX!j@FpJflw2@VLUMi;PIcp6AdqDKGWAig2H_Z3UeAs(WG$7?} zX~?pA;n1tWnhGzp4@y6A&RHV4C+ha|loN8@MG6xiE!tqkX2@FdZhqwI{J=S#)n+v~dbANl{{H~Q9yflAHuJKtzgH`K)S58dt zE?t}WFr_+Pr%yM@dB+vk?-54Aum7kVUeJC}@#?kKWjpJCZ1GuRS$J=~;x~&94j1NM zmxb5e6w**UB>nZm+?d(rch$Z9bMN-E?tb?m-mfh4((PPT%x!6> zH*`I7IG?#N;CA#TC!M2m0fkMUE^xlEd}4QQ>Cu1ZWW~P)B{scGpY(Iz^m8?e8$>MM iE1kMlaqw``RM!P=>(}rpazF37Xq-3QmxV*Mpa=l;(@b&z