Support the OIDC authentication.

2022-03-31 12:11:23 +02:00 · 2022-03-31 12:11:23 +02:00 · e10c34ade3
parent 010b422c42
commit e10c34ade3
2 changed files with 26 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -74,7 +74,8 @@ shinyproxy_template_path: '{{ shinyproxy_install_dir }}/web_templates'

 shinyproxy_app_title: 'Open Analytics Shiny Proxy'
 shinyproxy_logo_url: 'http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png'
-# ldap, keycloak, none
+# ldap, keycloak, oidc, none
+# See https://www.shinyproxy.io/documentation/configuration/
 shinyproxy_authentication: 'none'
 shinyproxy_basic_auth: 'false'
 shinyproxy_admin_group: ''
@ -97,5 +98,16 @@ shinyproxy_keycloak_ssl_required: 'external'
 # name, preferred_username, nickname, email
 shinyproxy_keycloak_name_attribute: 'preferred_username'
 shinyproxy_keycloak_role_mappings: 'false'
+shinyproxy_oidc_auth_url: 'https://keycloak.example.org/auth/realms/master/protocol/openid-connect/auth'
+shinyproxy_oidc_token_url: 'https:/keycloak.example.org/auth/realms/master/protocol/openid-connect/token'
+shinyproxy_oidc_jwks_url: 'https:/keycloak.example.org/auth/realms/master/protocol/openid-connect/certs'
+shinyproxy_oidc_logout_url: 'https:/keycloak.example.org/auth/realms/master/protocol/openid-connect/logout'
+shinyproxy_oidc_client_id: 'shiny_client'
+shinyproxy_oidc_client_secret: 'use a vault file'
+# name, preferred_username, nickname, email
+shinyproxy_oidc_username_attribute: 'email'
+# See https://www.shinyproxy.io/faq/#authentication-using-openid-does-not-work-because-of-missing-attribute-email-in-attributes-exception
+shinyproxy_oidc_use_roles_claim: True
+shinyproxy_oidc_roles_claim: 'groups'

 shinyproxy_max_log_size: 20MB
--- a/templates/shinyproxy-2-conf.yml.j2
+++ b/templates/shinyproxy-2-conf.yml.j2
@ -68,6 +68,19 @@ proxy:
    name-attribute: {{ shinyproxy_keycloak_name_attribute }}
    use-resource-role-mappings: {{ shinyproxy_keycloak_role_mappings }}
 {% endif %}
+{% if shinyproxy_authentication == 'oidc' %}
+  oidc:
+    auth-url: {{ shinyproxy_oidc_auth_url }}
+    token-url: {{ shinyproxy_oidc_token_url }}
+    jwks-url: {{ shinyproxy_oidc_jwks_url }}
+    logout-url: {{ shinyproxy_oidc_logout_url }}
+    client-id: {{ shinyproxy_oidc_client_id }}
+    client-secret: {{ shinyproxy_oidc_client_secret }}
+    username-attribute: {{ shinyproxy_oidc_username_attribute }}
+    {% if shinyproxy_oidc_use_roles_claim %}
+    roles-claim: {{ shinyproxy_oidc_roles_claim }}
+    {% endif %}
+{% endif %}
 {% if shinyproxy_container_backend == 'docker' or shinyproxy_container_backend == 'docker-swarm' %}
  docker:
    container-memory-request: {{ shinyproxy_docker_memory_request }}