feat(ops/keycloak): configure Forgejo Roles
There are two roles for the Forgejo application, "Admin" and "Contributors". Everyone gets the "Contributors" role assigned automatically (it doesn't really grant many privileges). Regarding mapping Gerrit groups, it seems there's no support for this in the `gerrit-oauth-provider` plugin (yet) - see https://github.com/davido/gerrit-oauth-provider/issues/170. Fixes #73. Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a Reviewed-on: https://cl.snix.dev/c/snix/+/30477 Tested-by: besadii Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com> Autosubmit: Florian Klink <flokli@flokli.de>
This commit is contained in:
parent
e20ff4cb60
commit
d9ca20a5cc
3 changed files with 46 additions and 12 deletions
@ -141,7 +141,6 @@ in
REGISTER_EMAIL_CONFIRM = false;
ACCOUNT_LINKING = "login";
USERNAME = "nickname";
OPENID_CONNECT_SCOPES = "email profile";
};
repository = {
@ -260,7 +259,6 @@ in
CLIENT_ID="forgejo"
CLIENT_SECRET=$(cat ${config.age.secrets.forgejo-oauth-secret.path})
DISCOVERY_URL="https://auth.snix.dev/realms/snix-project/.well-known/openid-configuration"
SCOPES=("openid" "profile" "email")
# Check if the OAuth2 source already exists
if gitea admin auth list | grep -q "$NAME"; then
@ -275,8 +273,10 @@ in
--key "$CLIENT_ID" \
--secret "$CLIENT_SECRET" \
--auto-discover-url "$DISCOVERY_URL" \
$(printf -- '--scopes "%s" ' "''${SCOPES[@]}") \
--icon-url "$ICON_URL"
--group-claim-name forgejo_roles \
--admin-group Admin \
--group-team-map '{"Admin":{"snix":["Owners"]},"Contributors":{"snix": ["Contributors"]}}' \
--group-team-map-removal true
echo "OAuth2 source '$NAME' added successfully."
'';
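Review bot: `--admin-group Admin` makes anyone whose `forgejo_roles` claim contains `Admin` a site administrator, so the Keycloak mapper that fills this claim must emit only the forgejo client's own roles (not realm roles or another client's roles), otherwise an `Admin` role defined elsewhere in the realm could escalate; a comment above the `--group-claim-name forgejo_roles` line stating that assumption, e.g. `# forgejo_roles must carry only this client's roles: "Admin" in it means Forgejo site admin`, would keep the next reader from loosening the mapper. The new group flags are passed only on the add path; the branch taken when the source already exists (the `if gitea admin auth list | grep -q "$NAME"` check, whose body lies outside this hunk) presumably needs the same flags on its update call, or hosts provisioned before this change never receive the mapping. `--group-team-map-removal true` covers team demotion, but it is worth confirming against Forgejo's documentation that a user who loses the `Admin` claim also loses the site-admin flag on the next login, since a stale admin is the larger risk. As rendered, `--icon-url "$ICON_URL"` carries no trailing backslash, which would turn the four `--group-*` lines into a separate command; this is likely an artifact of the old line being shown, but the new side should read `--icon-url "$ICON_URL" \`. The enclosing shell string starts outside this hunk.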