diff --git a/.gitignore b/.gitignore index 42d76ae..dd801a9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/keycloak-httpd-client-install-0.8.tar.gz +SOURCES/RELEASE_1_0.tar.gz diff --git a/.keycloak-httpd-client-install.metadata b/.keycloak-httpd-client-install.metadata index 84b5d3c..a6d25a5 100644 --- a/.keycloak-httpd-client-install.metadata +++ b/.keycloak-httpd-client-install.metadata @@ -1 +1 @@ -0292bad45fd81e0a9928267d5168e6f73d7c370a SOURCES/keycloak-httpd-client-install-0.8.tar.gz +50e2b29a2dd8a150dd8259491449ea31a13b86b8 SOURCES/RELEASE_1_0.tar.gz diff --git a/SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch b/SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch new file mode 100644 index 0000000..02efefb --- /dev/null +++ b/SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch @@ -0,0 +1,25 @@ +From d4b703761cc52d25e82d8bdf7fb860ccedaa15a2 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 28 Jun 2019 21:18:45 +0200 +Subject: [PATCH 1/4] doc: Fix a typo in --oidc-redirect-uri description + +--- + doc/keycloak-httpd-client-install.8 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8 +index f67c227..734e837 100644 +--- a/doc/keycloak-httpd-client-install.8 ++++ b/doc/keycloak-httpd-client-install.8 +@@ -205,7 +205,7 @@ Common root ancestor for all protected locations + .B mod_auth_oidc OIDC RP Client Options + + .TP +-.BR \-\-oidc\-redirect\--uri " " \fIOIDC_REDIRECT_URI\fR ++.BR \-\-oidc\-redirect\-uri " " \fIOIDC_REDIRECT_URI\fR + The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the + protected locations. + (default: The first protected location appened with "/redirect_uri") +-- +2.20.1 + diff --git a/SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch b/SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch new file mode 100644 index 0000000..d6eb982 --- /dev/null +++ b/SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch @@ -0,0 +1,93 @@ +From 1428515ecb6297b9ccc074210aa6f466fbae30d8 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 1 Jul 2019 15:33:05 +0200 +Subject: [PATCH 2/4] Add a new --oidc-logout-uri command line option + +This patch adds a new command line option, unset by default, which if +set, is added as an additional redirectUri when the keycloak client is +being created. + +This option might be useful to add an extra allowed redirect for logout +pages. + +The mod_auth_openidc wiki: + https://github.com/zmartzone/mod_auth_openidc/wiki#9-how-do-i-logout-users +says: + By redirecting the user to the OIDCRedirectURI with a parameter named + logout. The value of that parameter contains the (URL-encoded) URL where + the user will be redirected to after the session has been killed. +and also: + make sure that the (URL-encoded) callback URL passed in the logout + parameter points to a location that is not protected by + mod_auth_openidc or else the login process will be started again. +--- + bin/keycloak-httpd-client-install | 5 +++++ + doc/keycloak-httpd-client-install.8 | 8 ++++++++ + templates/oidc-client-registration.tpl | 3 +++ + templates/oidc-client-representation.tpl | 3 +++ + 4 files changed, 19 insertions(+) + +diff --git a/bin/keycloak-httpd-client-install b/bin/keycloak-httpd-client-install +index f211a4d..128f962 100755 +--- a/bin/keycloak-httpd-client-install ++++ b/bin/keycloak-httpd-client-install +@@ -886,6 +886,11 @@ def main(): + help='claim used when setting the REMOTE_USER variable, ' + 'default="sub"') + ++ group.add_argument('--oidc-logout-uri', ++ help='Should not be a child of one of the protected ' ++ 'locations. When set, adds the argument as a valid ' ++ 'redirectUri for Keycloak') ++ + # ---- Argument Group "Mellon SP" ---- + + group = parser.add_argument_group('Mellon SP') +diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8 +index 734e837..ead8717 100644 +--- a/doc/keycloak-httpd-client-install.8 ++++ b/doc/keycloak-httpd-client-install.8 +@@ -210,6 +210,14 @@ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the + protected locations. + (default: The first protected location appened with "/redirect_uri") + ++.TP ++.BR \-\-oidc\-logout\-uri " " \fIOIDC_REDIRECT_URI\fR ++Can be used to add the location the user is redirected to after logout as ++an additional redirectUri value in Keycloak's client representation. The ++location should not be nested under any of the protected locations, ++otherwise the login process would start again. ++(default: None) ++ + .TP + .BR \-\-oidc\-client\-secret " " \fIOIDC_CLIENT_SECRET\fR + OIDC client secret +diff --git a/templates/oidc-client-registration.tpl b/templates/oidc-client-registration.tpl +index 3c45c09..fd6cd38 100644 +--- a/templates/oidc-client-registration.tpl ++++ b/templates/oidc-client-registration.tpl +@@ -2,5 +2,8 @@ + "client_name": "{{ clientid }}", + "redirect_uris": [ + "{{ client_https_url }}{{ oidc_redirect_uri }}" ++ {% if oidc_logout_uri %} ++ ,"{{ client_https_url }}{{ oidc_logout_uri }}", ++ {% endif %} + ] + } +diff --git a/templates/oidc-client-representation.tpl b/templates/oidc-client-representation.tpl +index 2bbf66a..1f4a496 100644 +--- a/templates/oidc-client-representation.tpl ++++ b/templates/oidc-client-representation.tpl +@@ -6,5 +6,8 @@ + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "{{ client_https_url }}{{ oidc_redirect_uri }}" ++ {% if oidc_logout_uri %} ++ ,"{{ client_https_url }}{{ oidc_logout_uri }}" ++ {% endif %} + ] + } +-- +2.20.1 + diff --git a/SPECS/keycloak-httpd-client-install.spec b/SPECS/keycloak-httpd-client-install.spec index 3c06c13..1598731 100644 --- a/SPECS/keycloak-httpd-client-install.spec +++ b/SPECS/keycloak-httpd-client-install.spec @@ -1,36 +1,26 @@ %global srcname keycloak-httpd-client-install %global summary Tools to configure Apache HTTPD as Keycloak client -%if (0%{?fedora} > 0 && 0%{?fedora} < 32) || (0%{?rhel} > 0 && 0%{?rhel} <= 7) - %bcond_without python2 - %bcond_without python3 -%endif - -%if 0%{?fedora} || 0%{?rhel} >= 8 - %bcond_with python2 - %bcond_without python3 -%endif +%bcond_without python2 +%bcond_with python3 Name: %{srcname} -Version: 0.8 -Release: 7%{?dist} +Version: 1.0 +Release: 2%{?dist} Summary: %{summary} %global git_tag RELEASE_%(r=%{version}; echo $r | tr '.' '_') License: GPLv3 URL: https://github.com/jdennis/keycloak-httpd-client-install -Source0: https://github.com/jdennis/keycloak-httpd-client-install/releases/download/%{git_tag}/%{srcname}-%{version}.tar.gz +Source0: https://github.com/jdennis/keycloak-httpd-client-install/archive/%{git_tag}.tar.gz + +Patch0001: 0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch +Patch0002: 0002-Add-a-new-oidc-logout-uri-command-line-option.patch BuildArch: noarch -%if %{with python2} -BuildRequires: python2-devel -%endif # with_python2 - -%if 0%{?with_python3} BuildRequires: python3-devel -%endif Requires: %{_bindir}/keycloak-httpd-client-install @@ -42,25 +32,6 @@ libraries and tools which can automate and simplify configuring an Apache HTTPD authentication module and registering as a client of a Keycloak IdP. -%if %{with python2} -%package -n python2-%{srcname} -Summary: %{summary} - -%{?python_provide:%python_provide python2-%{srcname}} - -Requires: %{name} = %{version}-%{release} -Requires: python2-requests -Requires: python2-requests-oauthlib -Requires: python2-jinja2 -Requires: %{_bindir}/keycloak-httpd-client-install - -%description -n python2-%{srcname} -Keycloak is an authentication server. This package contains libraries and -programs which can invoke the Keycloak REST API and configure clients -of a Keycloak server. -%endif # with_python2 - -%if 0%{?with_python3} %package -n python3-%{srcname} Summary: %{summary} @@ -76,38 +47,14 @@ Keycloak is an authentication server. This package contains libraries and programs which can invoke the Keycloak REST API and configure clients of a Keycloak server. -%endif - %prep -%autosetup -n %{srcname}-%{version} +%autosetup -n %{srcname}-%{git_tag} -p1 %build -%if %{with python2} -%py2_build -%endif # with_python2 - -%if 0%{?with_python3} %py3_build -%endif %install -%if %{with python2} -# Must do the python2 install first because the scripts in /usr/bin are -# overwritten with every setup.py install, and in general we want the -# python3 version to be the default. -%py2_install -%endif # with_python2 - -%if 0%{?with_python3} -# py3_install won't overwrite files if they have a timestamp greater-than -# or equal to the py2 installed files. If both the py2 and py3 builds execute -# quickly the files end up with the same timestamps thus leaving the py2 -# version in the py3 install. Therefore remove any files susceptible to this. -%if %{with python2} -rm %{buildroot}%{_bindir}/keycloak-httpd-client-install -%endif # with_python2 %py3_install -%endif install -d -m 755 %{buildroot}/%{_mandir}/man8 install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/man8 @@ -117,25 +64,22 @@ install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/ma %doc README.md doc/ChangeLog %{_datadir}/%{srcname}/ -%if %{with python2} -# Note that there is no %%files section for the unversioned python module if we are building for several python runtimes -%files -n python2-%{srcname} -%{python2_sitelib}/* - -%if ! 0%{?with_python3} -%{_bindir}/keycloak-httpd-client-install -%{_mandir}/man8/* -%endif -%endif # with_python2 - -%if 0%{?with_python3} %files -n python3-%{srcname} %{python3_sitelib}/* %{_bindir}/keycloak-httpd-client-install +%{_bindir}/keycloak-rest %{_mandir}/man8/* -%endif %changelog +* Wed Jul 3 2019 Jakub Hrozek - 1.0-2 +- Backport upstream patches to adds the --oidc-logout-uri option + and fix OIDC-related man page issues +- Related: rhbz#1553890 - [RFE] Add mod_auth_openidc support + +* Fri Jun 14 2019 Jakub Hrozek - 1.0-1 +- New upstream release +- Resolves: rhbz#1553890 - [RFE] Add mod_auth_openidc support + * Fri Jul 27 2018 - 0.8-7 - fix SOURCE0, it was pointing to github repo archive instead of release tarball