feat(ops/keycloak): allow log in with Bornhack account

This adds bornhack.dk as an OIDC provider. We currently do not yet map the `nickname` claim as a username field. This means users logging in via Bornhack need to choose their username manually, until https://github.com/bornhack/bornhack-website/issues/1837 is solved. Change-Id: Ia91594107a0cd1d1e0a2ee7ca48d603a2ac681a5 Reviewed-on: https://cl.snix.dev/c/snix/+/30326 Tested-by: besadii Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com> Autosubmit: Florian Klink <flokli@flokli.de>
2025-04-12 19:26:28 +02:00 · 2025-04-12 19:26:28 +02:00 · 09c1e3d25b
commit 09c1e3d25b
parent 154f85d3e7
2 changed files with 46 additions and 0 deletions
--- a/ops/keycloak/identity_providers.tf
+++ b/ops/keycloak/identity_providers.tf
@ -1,3 +1,7 @@
+variable "bornhack_client_secret" {
+  type = string
+}
+
 variable "github_client_secret" {
  type = string
 }
@ -39,3 +43,45 @@ resource "keycloak_oidc_identity_provider" "gitlab" {
  authorization_url = ""
  token_url         = ""
 }
+
+resource "keycloak_oidc_identity_provider" "bornhack" {
+  alias                 = "bornhack"
+  provider_id           = "oidc"
+  client_id             = "I9RQMXbukxjUAgtYaKeGTqJL3pPoRTw34tZ6jita"
+  client_secret         = var.bornhack_client_secret
+  realm                 = keycloak_realm.snix.id
+  backchannel_supported = false
+  gui_order             = "3"
+  store_token           = false
+  sync_mode             = "IMPORT"
+  trust_email           = true
+  default_scopes        = "openid profile email"
+
+  authorization_url = "https://bornhack.dk/o/authorize/"
+  token_url         = "https://bornhack.dk/o/token/"
+  validate_signature = true
+  user_info_url = "https://bornhack.dk/o/userinfo/"
+  jwks_url = "https://bornhack.dk/o/.well-known/jwks.json"
+  issuer = "https://bornhack.dk/o"
+
+  extra_config = {
+    pkceEnabled = true
+    pkceMethod = "S256"
+  }
+}
+
+# Bornhack uses a uuid as `sub`, and has an additional `nickname` claim, which we use.
+# Normally, we'd simply import this as the username, but for now we cannot, due to
+# https://github.com/bornhack/bornhack-website/issues/1837
+# resource "keycloak_custom_identity_provider_mapper" "bornhack_nickname" {
+#   realm = keycloak_realm.snix.id
+#   name = "bornhack_nickname"
+#   identity_provider_alias = keycloak_oidc_identity_provider.bornhack.alias
+#   identity_provider_mapper = "oidc-user-attribute-idp-mapper"
+
+#   extra_config = {
+#     syncMode = "INHERIT"
+#     claim = "nickname"
+#     "user.attribute" = "username"
+#   }
+# }