From 9d381c4a1b6e4daac4ffc990451fc2e20ad01642 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Jan 2020 18:20:00 -0500 Subject: [PATCH] import keycloak-httpd-client-install-1.0-2.el8 --- ...ypo-in-oidc-redirect-uri-description.patch | 25 +++++ ...-oidc-logout-uri-command-line-option.patch | 93 +++++++++++++++++++ SPECS/keycloak-httpd-client-install.spec | 10 +- 3 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch create mode 100644 SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch diff --git a/SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch b/SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch new file mode 100644 index 0000000..02efefb --- /dev/null +++ b/SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch @@ -0,0 +1,25 @@ +From d4b703761cc52d25e82d8bdf7fb860ccedaa15a2 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 28 Jun 2019 21:18:45 +0200 +Subject: [PATCH 1/4] doc: Fix a typo in --oidc-redirect-uri description + +--- + doc/keycloak-httpd-client-install.8 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8 +index f67c227..734e837 100644 +--- a/doc/keycloak-httpd-client-install.8 ++++ b/doc/keycloak-httpd-client-install.8 +@@ -205,7 +205,7 @@ Common root ancestor for all protected locations + .B mod_auth_oidc OIDC RP Client Options + + .TP +-.BR \-\-oidc\-redirect\--uri " " \fIOIDC_REDIRECT_URI\fR ++.BR \-\-oidc\-redirect\-uri " " \fIOIDC_REDIRECT_URI\fR + The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the + protected locations. + (default: The first protected location appened with "/redirect_uri") +-- +2.20.1 + diff --git a/SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch b/SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch new file mode 100644 index 0000000..d6eb982 --- /dev/null +++ b/SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch @@ -0,0 +1,93 @@ +From 1428515ecb6297b9ccc074210aa6f466fbae30d8 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 1 Jul 2019 15:33:05 +0200 +Subject: [PATCH 2/4] Add a new --oidc-logout-uri command line option + +This patch adds a new command line option, unset by default, which if +set, is added as an additional redirectUri when the keycloak client is +being created. + +This option might be useful to add an extra allowed redirect for logout +pages. + +The mod_auth_openidc wiki: + https://github.com/zmartzone/mod_auth_openidc/wiki#9-how-do-i-logout-users +says: + By redirecting the user to the OIDCRedirectURI with a parameter named + logout. The value of that parameter contains the (URL-encoded) URL where + the user will be redirected to after the session has been killed. +and also: + make sure that the (URL-encoded) callback URL passed in the logout + parameter points to a location that is not protected by + mod_auth_openidc or else the login process will be started again. +--- + bin/keycloak-httpd-client-install | 5 +++++ + doc/keycloak-httpd-client-install.8 | 8 ++++++++ + templates/oidc-client-registration.tpl | 3 +++ + templates/oidc-client-representation.tpl | 3 +++ + 4 files changed, 19 insertions(+) + +diff --git a/bin/keycloak-httpd-client-install b/bin/keycloak-httpd-client-install +index f211a4d..128f962 100755 +--- a/bin/keycloak-httpd-client-install ++++ b/bin/keycloak-httpd-client-install +@@ -886,6 +886,11 @@ def main(): + help='claim used when setting the REMOTE_USER variable, ' + 'default="sub"') + ++ group.add_argument('--oidc-logout-uri', ++ help='Should not be a child of one of the protected ' ++ 'locations. When set, adds the argument as a valid ' ++ 'redirectUri for Keycloak') ++ + # ---- Argument Group "Mellon SP" ---- + + group = parser.add_argument_group('Mellon SP') +diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8 +index 734e837..ead8717 100644 +--- a/doc/keycloak-httpd-client-install.8 ++++ b/doc/keycloak-httpd-client-install.8 +@@ -210,6 +210,14 @@ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the + protected locations. + (default: The first protected location appened with "/redirect_uri") + ++.TP ++.BR \-\-oidc\-logout\-uri " " \fIOIDC_REDIRECT_URI\fR ++Can be used to add the location the user is redirected to after logout as ++an additional redirectUri value in Keycloak's client representation. The ++location should not be nested under any of the protected locations, ++otherwise the login process would start again. ++(default: None) ++ + .TP + .BR \-\-oidc\-client\-secret " " \fIOIDC_CLIENT_SECRET\fR + OIDC client secret +diff --git a/templates/oidc-client-registration.tpl b/templates/oidc-client-registration.tpl +index 3c45c09..fd6cd38 100644 +--- a/templates/oidc-client-registration.tpl ++++ b/templates/oidc-client-registration.tpl +@@ -2,5 +2,8 @@ + "client_name": "{{ clientid }}", + "redirect_uris": [ + "{{ client_https_url }}{{ oidc_redirect_uri }}" ++ {% if oidc_logout_uri %} ++ ,"{{ client_https_url }}{{ oidc_logout_uri }}", ++ {% endif %} + ] + } +diff --git a/templates/oidc-client-representation.tpl b/templates/oidc-client-representation.tpl +index 2bbf66a..1f4a496 100644 +--- a/templates/oidc-client-representation.tpl ++++ b/templates/oidc-client-representation.tpl +@@ -6,5 +6,8 @@ + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "{{ client_https_url }}{{ oidc_redirect_uri }}" ++ {% if oidc_logout_uri %} ++ ,"{{ client_https_url }}{{ oidc_logout_uri }}" ++ {% endif %} + ] + } +-- +2.20.1 + diff --git a/SPECS/keycloak-httpd-client-install.spec b/SPECS/keycloak-httpd-client-install.spec index 41be198..1598731 100644 --- a/SPECS/keycloak-httpd-client-install.spec +++ b/SPECS/keycloak-httpd-client-install.spec @@ -6,7 +6,7 @@ Name: %{srcname} Version: 1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: %{summary} %global git_tag RELEASE_%(r=%{version}; echo $r | tr '.' '_') @@ -15,6 +15,9 @@ License: GPLv3 URL: https://github.com/jdennis/keycloak-httpd-client-install Source0: https://github.com/jdennis/keycloak-httpd-client-install/archive/%{git_tag}.tar.gz +Patch0001: 0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch +Patch0002: 0002-Add-a-new-oidc-logout-uri-command-line-option.patch + BuildArch: noarch BuildRequires: python3-devel @@ -68,6 +71,11 @@ install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/ma %{_mandir}/man8/* %changelog +* Wed Jul 3 2019 Jakub Hrozek - 1.0-2 +- Backport upstream patches to adds the --oidc-logout-uri option + and fix OIDC-related man page issues +- Related: rhbz#1553890 - [RFE] Add mod_auth_openidc support + * Fri Jun 14 2019 Jakub Hrozek - 1.0-1 - New upstream release - Resolves: rhbz#1553890 - [RFE] Add mod_auth_openidc support