diff --git a/README.md b/README.md
index 46d7353..e801281 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,11 @@ keycloak_cluster: false
 keycloak_cache_type: ispn
 keycloak_cache_stack: tcp
 keycloak_cache_container_name: keycloak
+
+proxy_introspection_enabled: false
+proxy_introspection_issuer: 'https://proxy.acc.myaccessid.org'
+proxy_introspection_client_id: client-id-unconfigured
+# proxy_introspection_client_secret: 'define it into a vault file'
 ```
 
 Dependencies
diff --git a/defaults/main.yml b/defaults/main.yml
index a78dc3f..eed27bf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -109,3 +109,5 @@ keycloak_jgroups_bind_specific_ip: false
 keycloak_jgroups_bind_ip_address: "{{ ansible_default_ipv4.address }}"
 keycloak_jgroups_extended_stack: false
 keycloak_jgroups_extended_stack_name: "extended-{{ keycloak_cache_stack }}"
+
+proxy_introspection_enabled: false
\ No newline at end of file
diff --git a/tasks/keycloak-configuration.yml b/tasks/keycloak-configuration.yml
index 6c52216..26f96b4 100644
--- a/tasks/keycloak-configuration.yml
+++ b/tasks/keycloak-configuration.yml
@@ -11,3 +11,13 @@
 mode: "0644"
 loop: '{{ keycloak_configuration_files }}'
 notify: Restart Keycloak
+
+ - name: keycloak-configuration | Install the TIP configuration since introspection proxy is enabled
+ ansible.builtin.template:
+ src: 'tip.yaml.j2'
+ dest: '{{ keycloak_conf_directory }}/tip.yaml'
+ owner: root
+ group: root
+ mode: "0644"
+ when: proxy_introspection_enabled
+ notify: Restart Keycloak
diff --git a/templates/keycloak.conf.j2 b/templates/keycloak.conf.j2
index 5bce0bf..76a67c6 100644
--- a/templates/keycloak.conf.j2
+++ b/templates/keycloak.conf.j2
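Review bot: Only `proxy_introspection_enabled` receives a default in defaults/main.yml, while templates/keycloak.conf.j2 and templates/tip.yaml.j2 in this same commit also read `proxy_introspection_issuer`, `proxy_introspection_client_id` and `proxy_introspection_client_secret`; with the flag turned on and none of them set, the template task aborts on an undefined variable instead of a message that names the missing setting. The README hunk documents defaults for the issuer and client id, so declaring them here as well (`proxy_introspection_issuer: 'https://proxy.acc.myaccessid.org'` and `proxy_introspection_client_id: client-id-unconfigured`) keeps the role's defaults in step with its documentation, and a `# proxy_introspection_client_secret: set it in a vault file` comment beside them records where the secret is expected to come from. The added line also ends without a trailing newline (`\ No newline at end of file`).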
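Review bot: The rendered `tip.yaml` contains `client_secret` (see templates/tip.yaml.j2 in this commit), yet the new task in tasks/keycloak-configuration.yml writes it with `owner: root`, `group: root` and `mode: "0644"`, so every local account on the host can read the introspection client secret. Restrict the file to the account Keycloak runs as and drop world access, for example `group: '{{ KEYCLOAK_GROUP_VAR }}'` (placeholder for the role's existing variable naming that group) with `mode: "0640"`; note that with root:root and 0640 Keycloak itself could not read the file unless it runs as root, which is presumably not the case. The `when: proxy_introspection_enabled` guard only skips the install, so a previously rendered tip.yaml stays on disk after the flag is turned off and a matching `state: absent` task would be needed if stale secrets matter. The enclosing task list starts before this hunk.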
@@ -87,3 +87,7 @@ log-level={{ keycloak_log_level }}
 {{ keycloak_prop }}
 {% endfor %}
+{% if proxy_introspection_enabled %}
+spi-oauth2-token-introspection-access_token-yaml-config-file={{ keycloak_conf_directory }}/tip.yaml
+spi-oauth2-token-introspection-eosc_node_access_token-yaml-config-file={{ keycloak_conf_directory }}/tip.yaml
+{% endif %}
\ No newline at end of file
diff --git a/templates/tip.yaml.j2 b/templates/tip.yaml.j2
new file mode 100644
index 0000000..db89b20
--- /dev/null
+++ b/templates/tip.yaml.j2
@@ -0,0 +1,55 @@
+tip:
+ fallback_issuer_unknown_token_issuer:
+ issuer_url: {{ proxy_introspection_issuer }}
+# introspection_endpoint: https://issuer.example.com/introspect
+ client_id: {{ proxy_introspection_client_id }}
+ client_secret: {{ proxy_introspection_client_secret }}
+# this part is not configured but is supported in the custom introspection provider
+# drop_claims:
+# - todrop1
+# - todrop2
+# claim_renaming:
+# weird_groups: groups
+# bad_username: username
+# claim_mapping:
+# strings:
+# sub:
+# one-sub: other-sub
+# string_arrays:
+# super-entitlements:
+# hpc:
+# - compute
+# weird_groups:
+# all-users:
+# - users
+# special-users:
+# - admins
+# - dev
+ fallback_issuer_unsupported_token_issuer:
+# Not configured bu the synatx is the same of the 'fallback_issuer_unknown_token_issuer'
+ remote_issuers:
+ - issuer_url: {{ proxy_introspection_issuer }}
+ # introspection_endpoint: https://issuer.example.com/introspect
+ client_id: {{ proxy_introspection_client_id }}
+ client_secret: {{ proxy_introspection_client_secret }}
+# this part is not configured but is supported in the custom introspection provider
+# drop_claims:
+# - todrop1
+# - todrop2
+# claim_renaming:
+# weird_groups: groups
+# user_id: username
+# claim_mapping:
+# strings:
+# sub:
+# one-sub: other-sub
+# string_arrays:
+# entitlements:
+# hpc:
+# - compute
+# weird_groups:
+# all-users:
+# - users
+# special-users:
+# - admins
+# - dev
\ No newline at end of file
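Review bot: Both new `spi-oauth2-token-introspection-*-yaml-config-file` properties hard-code `{{ keycloak_conf_directory }}/tip.yaml`, the same path that tasks/keycloak-configuration.yml spells out again in its `dest`; one variable defined once in defaults (say `proxy_introspection_config_path`, a constructed name) would keep all three in sync when the location changes. The two key names differ only in the `access_token` / `eosc_node_access_token` segment, which appear to be provider ids of the introspection SPI, and nothing in the template says so — a one-line comment inside the `{% if %}` block naming what consumes each key would save the next reader a search. The template still ends without a trailing newline after `{% endif %}` (`\ No newline at end of file`), which leaves the last property unterminated and reappears in every later diff. The `{% for %}` loop closed by the context lines starts above this hunk.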
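Review bot: `issuer_url`, `client_id` and `client_secret` are interpolated as bare scalars in both stanzas of templates/tip.yaml.j2 (`client_secret: {{ proxy_introspection_client_secret }}`), so a secret containing `: ` or ` #`, one starting with `*`, `&`, `[` or `{`, or one that looks like a number or boolean changes the YAML the provider parses, and an empty expansion becomes `null` rather than an empty string. Quote every templated value, `client_secret: "{{ proxy_introspection_client_secret }}"`, and likewise for `issuer_url` and `client_id` in both the fallback and the `remote_issuers` entry. The guidance comment `# Not configured bu the synatx is the same of the 'fallback_issuer_unknown_token_issuer'` has typos; `# Not configured, but the syntax is the same as 'fallback_issuer_unknown_token_issuer'` reads cleanly. The collapsed rendering lost the indentation, so whether the commented `drop_claims` / `claim_mapping` examples nest under each issuer as intended could not be checked here.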