snix/ops/keycloak/forgejo.tf

resource "keycloak_openid_client" "forgejo" {
  realm_id                                 = keycloak_realm.snix.id
  client_id                                = "forgejo"
  name                                     = "snix Forgejo"
  enabled                                  = true
  access_type                              = "CONFIDENTIAL"
  standard_flow_enabled                    = true
  base_url                                 = "https://git.snix.dev"

  description                              = "snix project's code browsing, search and issue tracker"

  // disable full scope, roles are assigned via keycloak_generic_client_role_mapper
  full_scope_allowed    = false

  valid_redirect_uris = [
    "https://git.snix.dev/*",
  ]

  web_origins = [
    "https://git.snix.dev",
  ]
}

resource "keycloak_role" "forgejo_admin" {
  realm_id    = keycloak_realm.snix.id
  client_id   = keycloak_openid_client.forgejo.id
  name        = "Admin"
  description = "Forgejo site admin and Snix Org Owner"
}

resource "keycloak_role" "forgejo_snix_contributors" {
  realm_id    = keycloak_realm.snix.id
  client_id   = keycloak_openid_client.forgejo.id
  name        = "Contributors"
  description = "Snix contributors"
}


# Add the "Contributors" role to all users
resource "keycloak_openid_hardcoded_role_protocol_mapper" "forgejo_hardcoded_role_mapper" {
  realm_id = keycloak_realm.snix.id
  client_id = keycloak_openid_client.forgejo.id
  name = "add forgejo contributors"
  role_id = keycloak_role.forgejo_snix_contributors.id
}

# Expose the above two roles at `forgejo_roles`
resource "keycloak_openid_user_client_role_protocol_mapper" "forgejo_role_mapper" {
  realm_id = keycloak_realm.snix.id
  client_id = keycloak_openid_client.forgejo.id
  name = "forgejo_roles mapper"

  claim_name = "forgejo_roles"
  claim_value_type = "String"
  add_to_id_token = true
  add_to_access_token = true
  multivalued = true

  # https://github.com/keycloak/terraform-provider-keycloak/issues/1016
  client_id_for_role_mappings = keycloak_openid_client.forgejo.client_id
}