Merge pull request 'Added support to proxy introspection provider configs and defaults and TIP based conf. file YAML template' (!4) from mauro.mugnaini/ansible-role-keycloak:master into master

Reviewed-on: #4

README.md

@@ -72,6 +72,11 @@ keycloak_cluster: false
 keycloak_cache_type: ispn
 keycloak_cache_stack: tcp
 keycloak_cache_container_name: keycloak
+
+proxy_introspection_enabled: false
+proxy_introspection_issuer: 'https://proxy.acc.myaccessid.org'
+proxy_introspection_client_id: client-id-unconfigured
+# proxy_introspection_client_secret: 'define it into a vault file'
 ```
 
 Dependencies

defaults/main.yml

@@ -109,3 +109,5 @@ keycloak_jgroups_bind_specific_ip: false
 keycloak_jgroups_bind_ip_address: "{{ ansible_default_ipv4.address }}"
 keycloak_jgroups_extended_stack: false
 keycloak_jgroups_extended_stack_name: "extended-{{ keycloak_cache_stack }}"
+
+proxy_introspection_enabled: false

tasks/keycloak-configuration.yml

@@ -11,3 +11,13 @@
         mode: "0644"
       loop: '{{ keycloak_configuration_files }}'
       notify: Restart Keycloak
+
+    - name: keycloak-configuration | Install the TIP configuration since introspection proxy is enabled
+      ansible.builtin.template:
+        src: 'tip.yaml.j2'
+        dest: '{{ keycloak_conf_directory }}/tip.yaml'
+        owner: root
+        group: root
+        mode: "0644"
+      when: proxy_introspection_enabled
+      notify: Restart Keycloak

templates/keycloak.conf.j2

@@ -87,3 +87,7 @@ log-level={{ keycloak_log_level }}
 {{ keycloak_prop }}
 {% endfor %}
 
+{% if proxy_introspection_enabled %}
+spi-oauth2-token-introspection-access_token-yaml-config-file={{ keycloak_conf_directory }}/tip.yaml
+spi-oauth2-token-introspection-eosc_node_access_token-yaml-config-file={{ keycloak_conf_directory }}/tip.yaml
+{% endif %}

templates/tip.yaml.j2

@@ -0,0 +1,55 @@
+tip:
+  fallback_issuer_unknown_token_issuer:
+    issuer_url: {{ proxy_introspection_issuer }}
+#    introspection_endpoint: https://issuer.example.com/introspect
+    client_id: {{ proxy_introspection_client_id }}
+    client_secret: {{ proxy_introspection_client_secret }}
+# this part is not configured but is supported in the custom introspection provider
+#    drop_claims:
+#      - todrop1
+#      - todrop2
+#    claim_renaming:
+#      weird_groups: groups
+#      bad_username: username
+#    claim_mapping:
+#      strings:
+#        sub:
+#          one-sub: other-sub
+#      string_arrays:
+#        super-entitlements:
+#          hpc:
+#            - compute
+#        weird_groups:
+#          all-users:
+#            - users
+#          special-users:
+#            - admins
+#            - dev
+  fallback_issuer_unsupported_token_issuer:
+# Not configured bu the synatx is the same of the 'fallback_issuer_unknown_token_issuer'
+  remote_issuers:
+    - issuer_url: {{ proxy_introspection_issuer }}
+ #     introspection_endpoint: https://issuer.example.com/introspect
+      client_id: {{ proxy_introspection_client_id }}
+      client_secret: {{ proxy_introspection_client_secret }}
+# this part is not configured but is supported in the custom introspection provider
+#      drop_claims:
+#        - todrop1
+#        - todrop2
+#      claim_renaming:
+#        weird_groups: groups
+#        user_id: username
+#      claim_mapping:
+#        strings:
+#          sub:
+#            one-sub: other-sub
+#        string_arrays:
+#          entitlements:
+#            hpc:
+#              - compute
+#          weird_groups:
+#            all-users:
+#              - users
+#            special-users:
+#              - admins
+#              - dev