maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
snix/ops/keycloak/user_sources.tf
Florian Klink 7eb6900129 fix(ops/keycloak): update client ID and client secret 
This points to a "GitHub App" now
("https://github.com/organizations/tvlfyi/settings/apps"), rather than an
"OAuth App"
("https://github.com/organizations/tvlfyi/settings/applications").

Apparently this makes a big difference, and we should be using a "GitHub
App", not an "OAuth App".

The defails on why are in
https://github.com/keycloak/keycloak/issues/9429#issuecomment-1578953468

The App can be configured at
https://github.com/organizations/tvlfyi/settings/apps/tvl-keycloak .

With this, we should get rid of spurious Exceptions with some GitHub
users trying to log in, hopefully fixing https://b.tvl.fyi/issues/201.

Change-Id: I25d0d6cd1b05ad54ed3d760d3a48ce1f430c0e7d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12413
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2024-09-01 13:19:19 +00:00

51 lines
1.5 KiB
HCL
Raw Blame History

# All user sources, that is services from which Keycloak gets user
# information (either by accessing a system like LDAP or integration
# through protocols like OIDC).
variable "github_client_secret" {
type = string
}
resource "keycloak_ldap_user_federation" "tvl_ldap" {
name = "tvl-ldap"
realm_id = keycloak_realm.tvl.id
enabled = true
connection_url = "ldap://localhost"
users_dn = "ou=users,dc=tvl,dc=fyi"
username_ldap_attribute = "cn"
uuid_ldap_attribute = "cn"
rdn_ldap_attribute = "cn"
full_sync_period = 86400
trust_email = true
user_object_classes = [
"inetOrgPerson",
"organizationalPerson",
]
lifecycle {
# Without this, terraform wants to recreate the resource.
ignore_changes = [
delete_default_mappers
]
}
}
# keycloak_oidc_identity_provider.github will be destroyed
# (because keycloak_oidc_identity_provider.github is not in configuration)
resource "keycloak_oidc_identity_provider" "github" {
alias = "github"
provider_id = "github"
client_id = "Iv23liXfGNIr7InMg5Uo"
client_secret = var.github_client_secret
realm = keycloak_realm.tvl.id
backchannel_supported = false
gui_order = "1"
store_token = false
sync_mode = "IMPORT"
trust_email = true
# These default to built-in values for the `github` provider_id.
authorization_url = ""
token_url = ""
}
Reference in a new issue View git blame Copy permalink