import keycloak-httpd-client-install-1.0-2.el8

SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch

@@ -0,0 +1,25 @@
+From d4b703761cc52d25e82d8bdf7fb860ccedaa15a2 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 28 Jun 2019 21:18:45 +0200
+Subject: [PATCH 1/4] doc: Fix a typo in --oidc-redirect-uri description
+
+---
+ doc/keycloak-httpd-client-install.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
+index f67c227..734e837 100644
+--- a/doc/keycloak-httpd-client-install.8
++++ b/doc/keycloak-httpd-client-install.8
+@@ -205,7 +205,7 @@ Common root ancestor for all protected locations
+ .B mod_auth_oidc OIDC RP Client Options
+ 
+ .TP
+-.BR \-\-oidc\-redirect\--uri " " \fIOIDC_REDIRECT_URI\fR
++.BR \-\-oidc\-redirect\-uri " " \fIOIDC_REDIRECT_URI\fR
+ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
+ protected locations.
+ (default: The first protected location appened with "/redirect_uri")
+-- 
+2.20.1
+

SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch

@@ -0,0 +1,93 @@
+From 1428515ecb6297b9ccc074210aa6f466fbae30d8 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 1 Jul 2019 15:33:05 +0200
+Subject: [PATCH 2/4] Add a new --oidc-logout-uri command line option
+
+This patch adds a new command line option, unset by default, which if
+set, is added as an additional redirectUri when the keycloak client is
+being created.
+
+This option might be useful to add an extra allowed redirect for logout
+pages.
+
+The mod_auth_openidc wiki:
+    https://github.com/zmartzone/mod_auth_openidc/wiki#9-how-do-i-logout-users
+says:
+   By redirecting the user to the OIDCRedirectURI with a parameter named
+   logout. The value of that parameter contains the (URL-encoded) URL where
+   the user will be redirected to after the session has been killed.
+and also:
+   make sure that the (URL-encoded) callback URL passed in the logout
+   parameter points to a location that is not protected by
+   mod_auth_openidc or else the login process will be started again.
+---
+ bin/keycloak-httpd-client-install        | 5 +++++
+ doc/keycloak-httpd-client-install.8      | 8 ++++++++
+ templates/oidc-client-registration.tpl   | 3 +++
+ templates/oidc-client-representation.tpl | 3 +++
+ 4 files changed, 19 insertions(+)
+
+diff --git a/bin/keycloak-httpd-client-install b/bin/keycloak-httpd-client-install
+index f211a4d..128f962 100755
+--- a/bin/keycloak-httpd-client-install
++++ b/bin/keycloak-httpd-client-install
+@@ -886,6 +886,11 @@ def main():
+                        help='claim used when setting the REMOTE_USER variable, '
+                        'default="sub"')
+ 
++    group.add_argument('--oidc-logout-uri',
++                       help='Should not be a child of one of the protected '
++                       'locations. When set, adds the argument as a valid '
++                       'redirectUri for Keycloak')
++
+     # ---- Argument Group "Mellon SP"  ----
+ 
+     group = parser.add_argument_group('Mellon SP')
+diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
+index 734e837..ead8717 100644
+--- a/doc/keycloak-httpd-client-install.8
++++ b/doc/keycloak-httpd-client-install.8
+@@ -210,6 +210,14 @@ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
+ protected locations.
+ (default: The first protected location appened with "/redirect_uri")
+ 
++.TP
++.BR \-\-oidc\-logout\-uri " " \fIOIDC_REDIRECT_URI\fR
++Can be used to add the location the user is redirected to after logout as
++an additional redirectUri value in Keycloak's client representation. The
++location should not be nested under any of the protected locations,
++otherwise the login process would start again.
++(default: None)
++
+ .TP
+ .BR \-\-oidc\-client\-secret " " \fIOIDC_CLIENT_SECRET\fR
+ OIDC client secret
+diff --git a/templates/oidc-client-registration.tpl b/templates/oidc-client-registration.tpl
+index 3c45c09..fd6cd38 100644
+--- a/templates/oidc-client-registration.tpl
++++ b/templates/oidc-client-registration.tpl
+@@ -2,5 +2,8 @@
+     "client_name": "{{ clientid }}",
+     "redirect_uris": [
+         "{{ client_https_url }}{{ oidc_redirect_uri }}"
++        {% if oidc_logout_uri %}
++        ,"{{ client_https_url }}{{ oidc_logout_uri }}",
++        {% endif %}
+     ]
+ }
+diff --git a/templates/oidc-client-representation.tpl b/templates/oidc-client-representation.tpl
+index 2bbf66a..1f4a496 100644
+--- a/templates/oidc-client-representation.tpl
++++ b/templates/oidc-client-representation.tpl
+@@ -6,5 +6,8 @@
+     "clientAuthenticatorType": "client-secret",
+     "redirectUris": [
+         "{{ client_https_url }}{{ oidc_redirect_uri }}"
++        {% if oidc_logout_uri %}
++        ,"{{ client_https_url }}{{ oidc_logout_uri }}"
++        {% endif %}
+     ]
+ }
+-- 
+2.20.1
+

SPECS/keycloak-httpd-client-install.spec

@@ -6,7 +6,7 @@
 
 Name:           %{srcname}
 Version:        1.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        %{summary}
 
 %global git_tag RELEASE_%(r=%{version}; echo $r | tr '.' '_')
@@ -15,6 +15,9 @@ License:        GPLv3
 URL:            https://github.com/jdennis/keycloak-httpd-client-install
 Source0:        https://github.com/jdennis/keycloak-httpd-client-install/archive/%{git_tag}.tar.gz
 
+Patch0001:      0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch
+Patch0002:      0002-Add-a-new-oidc-logout-uri-command-line-option.patch
+
 BuildArch:      noarch
 
 BuildRequires:  python3-devel
@@ -68,6 +71,11 @@ install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/ma
 %{_mandir}/man8/*
 
 %changelog
+* Wed Jul  3 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-2
+- Backport upstream patches to adds the --oidc-logout-uri option
+  and fix OIDC-related man page issues
+- Related: rhbz#1553890 - [RFE] Add mod_auth_openidc support
+
 * Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-1
 - New upstream release
 - Resolves: rhbz#1553890 - [RFE] Add mod_auth_openidc support