import keycloak-httpd-client-install-1.0-2.el8

.gitignore

@@ -1 +1 @@
-SOURCES/keycloak-httpd-client-install-0.8.tar.gz
+SOURCES/RELEASE_1_0.tar.gz

.keycloak-httpd-client-install.metadata

@@ -1 +1 @@
-0292bad45fd81e0a9928267d5168e6f73d7c370a SOURCES/keycloak-httpd-client-install-0.8.tar.gz
+50e2b29a2dd8a150dd8259491449ea31a13b86b8 SOURCES/RELEASE_1_0.tar.gz

SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch

@@ -0,0 +1,25 @@
+From d4b703761cc52d25e82d8bdf7fb860ccedaa15a2 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 28 Jun 2019 21:18:45 +0200
+Subject: [PATCH 1/4] doc: Fix a typo in --oidc-redirect-uri description
+
+---
+ doc/keycloak-httpd-client-install.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
+index f67c227..734e837 100644
+--- a/doc/keycloak-httpd-client-install.8
++++ b/doc/keycloak-httpd-client-install.8
+@@ -205,7 +205,7 @@ Common root ancestor for all protected locations
+ .B mod_auth_oidc OIDC RP Client Options
+ 
+ .TP
+-.BR \-\-oidc\-redirect\--uri " " \fIOIDC_REDIRECT_URI\fR
++.BR \-\-oidc\-redirect\-uri " " \fIOIDC_REDIRECT_URI\fR
+ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
+ protected locations.
+ (default: The first protected location appened with "/redirect_uri")
+-- 
+2.20.1
+

SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch

@@ -0,0 +1,93 @@
+From 1428515ecb6297b9ccc074210aa6f466fbae30d8 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 1 Jul 2019 15:33:05 +0200
+Subject: [PATCH 2/4] Add a new --oidc-logout-uri command line option
+
+This patch adds a new command line option, unset by default, which if
+set, is added as an additional redirectUri when the keycloak client is
+being created.
+
+This option might be useful to add an extra allowed redirect for logout
+pages.
+
+The mod_auth_openidc wiki:
+    https://github.com/zmartzone/mod_auth_openidc/wiki#9-how-do-i-logout-users
+says:
+   By redirecting the user to the OIDCRedirectURI with a parameter named
+   logout. The value of that parameter contains the (URL-encoded) URL where
+   the user will be redirected to after the session has been killed.
+and also:
+   make sure that the (URL-encoded) callback URL passed in the logout
+   parameter points to a location that is not protected by
+   mod_auth_openidc or else the login process will be started again.
+---
+ bin/keycloak-httpd-client-install        | 5 +++++
+ doc/keycloak-httpd-client-install.8      | 8 ++++++++
+ templates/oidc-client-registration.tpl   | 3 +++
+ templates/oidc-client-representation.tpl | 3 +++
+ 4 files changed, 19 insertions(+)
+
+diff --git a/bin/keycloak-httpd-client-install b/bin/keycloak-httpd-client-install
+index f211a4d..128f962 100755
+--- a/bin/keycloak-httpd-client-install
++++ b/bin/keycloak-httpd-client-install
+@@ -886,6 +886,11 @@ def main():
+                        help='claim used when setting the REMOTE_USER variable, '
+                        'default="sub"')
+ 
++    group.add_argument('--oidc-logout-uri',
++                       help='Should not be a child of one of the protected '
++                       'locations. When set, adds the argument as a valid '
++                       'redirectUri for Keycloak')
++
+     # ---- Argument Group "Mellon SP"  ----
+ 
+     group = parser.add_argument_group('Mellon SP')
+diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
+index 734e837..ead8717 100644
+--- a/doc/keycloak-httpd-client-install.8
++++ b/doc/keycloak-httpd-client-install.8
+@@ -210,6 +210,14 @@ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
+ protected locations.
+ (default: The first protected location appened with "/redirect_uri")
+ 
++.TP
++.BR \-\-oidc\-logout\-uri " " \fIOIDC_REDIRECT_URI\fR
++Can be used to add the location the user is redirected to after logout as
++an additional redirectUri value in Keycloak's client representation. The
++location should not be nested under any of the protected locations,
++otherwise the login process would start again.
++(default: None)
++
+ .TP
+ .BR \-\-oidc\-client\-secret " " \fIOIDC_CLIENT_SECRET\fR
+ OIDC client secret
+diff --git a/templates/oidc-client-registration.tpl b/templates/oidc-client-registration.tpl
+index 3c45c09..fd6cd38 100644
+--- a/templates/oidc-client-registration.tpl
++++ b/templates/oidc-client-registration.tpl
+@@ -2,5 +2,8 @@
+     "client_name": "{{ clientid }}",
+     "redirect_uris": [
+         "{{ client_https_url }}{{ oidc_redirect_uri }}"
++        {% if oidc_logout_uri %}
++        ,"{{ client_https_url }}{{ oidc_logout_uri }}",
++        {% endif %}
+     ]
+ }
+diff --git a/templates/oidc-client-representation.tpl b/templates/oidc-client-representation.tpl
+index 2bbf66a..1f4a496 100644
+--- a/templates/oidc-client-representation.tpl
++++ b/templates/oidc-client-representation.tpl
+@@ -6,5 +6,8 @@
+     "clientAuthenticatorType": "client-secret",
+     "redirectUris": [
+         "{{ client_https_url }}{{ oidc_redirect_uri }}"
++        {% if oidc_logout_uri %}
++        ,"{{ client_https_url }}{{ oidc_logout_uri }}"
++        {% endif %}
+     ]
+ }
+-- 
+2.20.1
+

SPECS/keycloak-httpd-client-install.spec

@@ -1,36 +1,26 @@
 %global srcname keycloak-httpd-client-install
 %global summary Tools to configure Apache HTTPD as Keycloak client
 
-%if (0%{?fedora} > 0 && 0%{?fedora} < 32) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
-  %bcond_without python2
-  %bcond_without python3
-%endif
-
-%if 0%{?fedora} || 0%{?rhel} >= 8
-  %bcond_with python2
-  %bcond_without python3
-%endif
+%bcond_without python2
+%bcond_with python3
 
 Name:           %{srcname}
-Version:        0.8
-Release:        7%{?dist}
+Version:        1.0
+Release:        2%{?dist}
 Summary:        %{summary}
 
 %global git_tag RELEASE_%(r=%{version}; echo $r | tr '.' '_')
 
 License:        GPLv3
 URL:            https://github.com/jdennis/keycloak-httpd-client-install
-Source0:        https://github.com/jdennis/keycloak-httpd-client-install/releases/download/%{git_tag}/%{srcname}-%{version}.tar.gz
+Source0:        https://github.com/jdennis/keycloak-httpd-client-install/archive/%{git_tag}.tar.gz
+
+Patch0001:      0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch
+Patch0002:      0002-Add-a-new-oidc-logout-uri-command-line-option.patch
 
 BuildArch:      noarch
 
-%if %{with python2}
-BuildRequires:  python2-devel
-%endif # with_python2
-
-%if 0%{?with_python3}
 BuildRequires:  python3-devel
-%endif
 
 Requires:       %{_bindir}/keycloak-httpd-client-install
 
@@ -42,25 +32,6 @@ libraries and tools which can automate and simplify configuring an
 Apache HTTPD authentication module and registering as a client of a
 Keycloak IdP.
 
-%if %{with python2}
-%package -n python2-%{srcname}
-Summary:        %{summary}
-
-%{?python_provide:%python_provide python2-%{srcname}}
-
-Requires:       %{name} = %{version}-%{release}
-Requires:       python2-requests
-Requires:       python2-requests-oauthlib
-Requires:       python2-jinja2
-Requires:       %{_bindir}/keycloak-httpd-client-install
-
-%description -n python2-%{srcname}
-Keycloak is an authentication server. This package contains libraries and
-programs which can invoke the Keycloak REST API and configure clients
-of a Keycloak server.
-%endif # with_python2
-
-%if 0%{?with_python3}
 %package -n python3-%{srcname}
 Summary:        %{summary}
 
@@ -76,38 +47,14 @@ Keycloak is an authentication server. This package contains libraries and
 programs which can invoke the Keycloak REST API and configure clients
 of a Keycloak server.
 
-%endif
-
 %prep
-%autosetup -n %{srcname}-%{version}
+%autosetup -n %{srcname}-%{git_tag} -p1
 
 %build
-%if %{with python2}
-%py2_build
-%endif # with_python2
-
-%if 0%{?with_python3}
 %py3_build
-%endif
 
 %install
-%if %{with python2}
-# Must do the python2 install first because the scripts in /usr/bin are
-# overwritten with every setup.py install, and in general we want the
-# python3 version to be the default.
-%py2_install
-%endif # with_python2
-
-%if 0%{?with_python3}
-# py3_install won't overwrite files if they have a timestamp greater-than
-# or equal to the py2 installed files. If both the py2 and py3 builds execute
-# quickly the files end up with the same timestamps thus leaving the py2
-# version in the py3 install. Therefore remove any files susceptible to this.
-%if %{with python2}
-rm %{buildroot}%{_bindir}/keycloak-httpd-client-install
-%endif # with_python2
 %py3_install
-%endif
 
 install -d -m 755 %{buildroot}/%{_mandir}/man8
 install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/man8
@@ -117,25 +64,22 @@ install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/ma
 %doc README.md doc/ChangeLog
 %{_datadir}/%{srcname}/
 
-%if %{with python2}
-# Note that there is no %%files section for the unversioned python module if we are building for several python runtimes
-%files -n python2-%{srcname}
-%{python2_sitelib}/*
-
-%if ! 0%{?with_python3}
-%{_bindir}/keycloak-httpd-client-install
-%{_mandir}/man8/*
-%endif
-%endif # with_python2
-
-%if 0%{?with_python3}
 %files -n python3-%{srcname}
 %{python3_sitelib}/*
 %{_bindir}/keycloak-httpd-client-install
+%{_bindir}/keycloak-rest
 %{_mandir}/man8/*
-%endif
 
 %changelog
+* Wed Jul  3 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-2
+- Backport upstream patches to adds the --oidc-logout-uri option
+  and fix OIDC-related man page issues
+- Related: rhbz#1553890 - [RFE] Add mod_auth_openidc support
+
+* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-1
+- New upstream release
+- Resolves: rhbz#1553890 - [RFE] Add mod_auth_openidc support
+
 * Fri Jul 27 2018  <jdennis@redhat.com> - 0.8-7
 - fix SOURCE0, it was pointing to github repo archive instead of release tarball