rpms/keycloak-httpd-client-install
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import keycloak-httpd-client-install-1.0-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 18:20:00 -05:00 committed by Stepan Oksanichenko
parent 651af1ad2b
commit 9d381c4a1b
3 changed files with 127 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch Normal file
View File

@ -0,0 +1,25 @@
From d4b703761cc52d25e82d8bdf7fb860ccedaa15a2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 28 Jun 2019 21:18:45 +0200
Subject: [PATCH 1/4] doc: Fix a typo in --oidc-redirect-uri description
---
doc/keycloak-httpd-client-install.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
index f67c227..734e837 100644
--- a/doc/keycloak-httpd-client-install.8
+++ b/doc/keycloak-httpd-client-install.8
@@ -205,7 +205,7 @@ Common root ancestor for all protected locations
.B mod_auth_oidc OIDC RP Client Options
.TP
-.BR \-\-oidc\-redirect\--uri " " \fIOIDC_REDIRECT_URI\fR
+.BR \-\-oidc\-redirect\-uri " " \fIOIDC_REDIRECT_URI\fR
The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
protected locations.
(default: The first protected location appened with "/redirect_uri")
--
2.20.1

93
SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch Normal file
View File

@ -0,0 +1,93 @@
From 1428515ecb6297b9ccc074210aa6f466fbae30d8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 1 Jul 2019 15:33:05 +0200
Subject: [PATCH 2/4] Add a new --oidc-logout-uri command line option
This patch adds a new command line option, unset by default, which if
set, is added as an additional redirectUri when the keycloak client is
being created.
This option might be useful to add an extra allowed redirect for logout
pages.
The mod_auth_openidc wiki:
https://github.com/zmartzone/mod_auth_openidc/wiki#9-how-do-i-logout-users
says:
By redirecting the user to the OIDCRedirectURI with a parameter named
logout. The value of that parameter contains the (URL-encoded) URL where
the user will be redirected to after the session has been killed.
and also:
make sure that the (URL-encoded) callback URL passed in the logout
parameter points to a location that is not protected by
mod_auth_openidc or else the login process will be started again.
---
bin/keycloak-httpd-client-install | 5 +++++
doc/keycloak-httpd-client-install.8 | 8 ++++++++
templates/oidc-client-registration.tpl | 3 +++
templates/oidc-client-representation.tpl | 3 +++
4 files changed, 19 insertions(+)
diff --git a/bin/keycloak-httpd-client-install b/bin/keycloak-httpd-client-install
index f211a4d..128f962 100755
--- a/bin/keycloak-httpd-client-install
+++ b/bin/keycloak-httpd-client-install
@@ -886,6 +886,11 @@ def main():
help='claim used when setting the REMOTE_USER variable, '
'default="sub"')
+ group.add_argument('--oidc-logout-uri',
+ help='Should not be a child of one of the protected '
+ 'locations. When set, adds the argument as a valid '
+ 'redirectUri for Keycloak')
+
# ---- Argument Group "Mellon SP" ----
group = parser.add_argument_group('Mellon SP')
diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
index 734e837..ead8717 100644
--- a/doc/keycloak-httpd-client-install.8
+++ b/doc/keycloak-httpd-client-install.8
@@ -210,6 +210,14 @@ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
protected locations.
(default: The first protected location appened with "/redirect_uri")
+.TP
+.BR \-\-oidc\-logout\-uri " " \fIOIDC_REDIRECT_URI\fR
+Can be used to add the location the user is redirected to after logout as
+an additional redirectUri value in Keycloak's client representation. The
+location should not be nested under any of the protected locations,
+otherwise the login process would start again.
+(default: None)
+
.TP
.BR \-\-oidc\-client\-secret " " \fIOIDC_CLIENT_SECRET\fR
OIDC client secret
diff --git a/templates/oidc-client-registration.tpl b/templates/oidc-client-registration.tpl
index 3c45c09..fd6cd38 100644
--- a/templates/oidc-client-registration.tpl
+++ b/templates/oidc-client-registration.tpl
@@ -2,5 +2,8 @@
"client_name": "{{ clientid }}",
"redirect_uris": [
"{{ client_https_url }}{{ oidc_redirect_uri }}"
+ {% if oidc_logout_uri %}
+ ,"{{ client_https_url }}{{ oidc_logout_uri }}",
+ {% endif %}
]
}
diff --git a/templates/oidc-client-representation.tpl b/templates/oidc-client-representation.tpl
index 2bbf66a..1f4a496 100644
--- a/templates/oidc-client-representation.tpl
+++ b/templates/oidc-client-representation.tpl
@@ -6,5 +6,8 @@
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"{{ client_https_url }}{{ oidc_redirect_uri }}"
+ {% if oidc_logout_uri %}
+ ,"{{ client_https_url }}{{ oidc_logout_uri }}"
+ {% endif %}
]
}
--
2.20.1

10
SPECS/keycloak-httpd-client-install.spec
View File

@ -6,7 +6,7 @@
Name: %{srcname}
Version: 1.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: %{summary}
%global git_tag RELEASE_%(r=%{version}; echo $r | tr '.' '_')
@ -15,6 +15,9 @@ License: GPLv3
URL: https://github.com/jdennis/keycloak-httpd-client-install
Source0: https://github.com/jdennis/keycloak-httpd-client-install/archive/%{git_tag}.tar.gz
Patch0001: 0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch
Patch0002: 0002-Add-a-new-oidc-logout-uri-command-line-option.patch
BuildArch: noarch
BuildRequires: python3-devel
@ -68,6 +71,11 @@ install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/ma
%{_mandir}/man8/*
%changelog
* Wed Jul 3 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-2
- Backport upstream patches to adds the --oidc-logout-uri option
and fix OIDC-related man page issues
- Related: rhbz#1553890 - [RFE] Add mod_auth_openidc support
* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-1
- New upstream release
- Resolves: rhbz#1553890 - [RFE] Add mod_auth_openidc support