diff --git a/charts/keycloak-late/templates/clients/builtin-realm-management.yaml b/charts/keycloak-late/templates/clients/builtin-realm-management.yaml
index 0f3070cb..ec616cb0 100644
--- a/charts/keycloak-late/templates/clients/builtin-realm-management.yaml
+++ b/charts/keycloak-late/templates/clients/builtin-realm-management.yaml
@@ -17,3 +17,23 @@ spec:
 - Observe
 providerConfigRef:
 name: default
+---
+# THIS IS A BUILT IN KEYCLOAK CLIENT
+# THIS IS ONLY HERE TO TRACK / OBSERVE IT
+# THIS SHOULD NOT BE USED TO MODIFY THE CLIENT
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+ name: own-deepcypher-realm-management
+spec:
+ deletionPolicy: Orphan
+ forProvider:
+ realmIdRef:
+ name: deepcypher
+ name: realm-management
+ clientId: realm-management
+ description: "Built-in realm management client"
+ managementPolicies:
+ - Observe
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/groups/george.yaml b/charts/keycloak-late/templates/groups/george.yaml
index 9d1cc554..e108836f 100644
--- a/charts/keycloak-late/templates/groups/george.yaml
+++ b/charts/keycloak-late/templates/groups/george.yaml
@@ -9,3 +9,17 @@ spec:
 name: george
 attributes:
 nextcloud-legacy-id: archer
+---
+apiVersion: group.keycloak.crossplane.io/v1alpha1
+kind: Group
+metadata:
+ name: own-george
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ realmId: deepcypher
+ name: george
+ attributes:
+ nextcloud-legacy-id: archer
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/protocol-mappers/client-roles-in-all-tokens.yaml b/charts/keycloak-late/templates/protocol-mappers/client-roles-in-all-tokens.yaml
index 9e31460a..e664e60c 100644
--- a/charts/keycloak-late/templates/protocol-mappers/client-roles-in-all-tokens.yaml
+++ b/charts/keycloak-late/templates/protocol-mappers/client-roles-in-all-tokens.yaml
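Review bot: `description: "Built-in realm management client"` in the new own-deepcypher-realm-management Client is inert under `managementPolicies: [Observe]` — with Observe only, the provider reads the client and never creates or updates it, so no forProvider field is written back — and the line therefore reads as configuration of a client that the header comments say must not be modified. Either drop the line or mark it as informational, e.g. `# description is informational only; the Observe policy never writes it to Keycloak`. The `deletionPolicy: Orphan` plus Observe combination itself is the right choice for a built-in object.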
@@ -26,3 +26,32 @@ spec:
 jsonType.label: "String"
 providerConfigRef:
 name: default
+---
+# this adds client roles to all tokens under the claim:
+# resource_access..roles
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+ name: own-client-roles-in-all-tokens
+spec:
+ forProvider:
+ realmIdRef:
+ name: deepcypher
+ clientScopeIdRef:
+ name: roles-in-all-tokens
+ name: client-roles-in-all-tokens
+ protocol: openid-connect
+ # to find the config keys see:
+ # https://github.com/keycloak/keycloak/blob/d089e23aef560f9d9ceb96490d68a64aa910b79b/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserClientRoleMappingMapper.java#L39
+ protocolMapper: oidc-usermodel-client-role-mapper
+ config:
+ id.token.claim: "true"
+ access.token.claim: "true"
+ userinfo.token.claim: "true"
+ lightweight.claim: "true"
+ introspection.token.claim: "true"
+ multivalued: "true"
+ claim.name: "resource_access.${client_id}.roles"
+ jsonType.label: "String"
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/protocol-mappers/groups.yaml b/charts/keycloak-late/templates/protocol-mappers/groups.yaml
index 873d8305..33c42a62 100644
--- a/charts/keycloak-late/templates/protocol-mappers/groups.yaml
+++ b/charts/keycloak-late/templates/protocol-mappers/groups.yaml
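Review bot: `clientScopeIdRef: name: roles-in-all-tokens` in the new own-client-roles-in-all-tokens mapper points at the ClientScope object reconciled under providerConfigRef `default`, while this mapper is reconciled under `owncloak`; the counterpart scope for that provider is added in this same commit as `own-roles-in-all-tokens` (scopes/scope-roles-in-all-tokens.yaml). If the two ProviderConfigs target different Keycloak instances, the reference resolves to the scope id of the other instance and the mapper is created against the wrong scope or fails to create, so the ref should be `clientScopeIdRef: name: own-roles-in-all-tokens`. The same cross-provider reference appears in protocol-mappers/groups.yaml (`clientScopeIdRef: name: groups`), protocol-mappers/nextcloud-legacy-id.yaml (`clientScopeIdRef: name: nextcloud-legacy-id`) and roles/builtin-realm-admin.yaml (`clientIdRef: name: deepcypher-realm-management`), each of which has an own- counterpart in this change. `realmIdRef: name: deepcypher` is shared the same way, but whether a separate Realm object exists for owncloak is not visible here.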
@@ -20,3 +20,26 @@ spec:
 userinfo.token.claim: "true"
 providerConfigRef:
 name: default
+---
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+ name: own-groups
+spec:
+ forProvider:
+ realmIdRef:
+ name: deepcypher
+ clientScopeIdRef:
+ name: groups
+ name: groups
+ protocol: openid-connect
+ # https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/GroupMembershipMapper.java#L59C47-L59C75
+ protocolMapper: oidc-group-membership-mapper
+ config:
+ # https://github.com/keycloak/keycloak/blob/0aa14c19e11752898935c36ea7df55a0aa72a5aa/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java#L52-L79
+ claim.name: "groups"
+ id.token.claim: "true"
+ access.token.claim: "true"
+ userinfo.token.claim: "true"
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/protocol-mappers/nextcloud-legacy-id.yaml b/charts/keycloak-late/templates/protocol-mappers/nextcloud-legacy-id.yaml
index d4f2a670..dd3d8e8c 100644
--- a/charts/keycloak-late/templates/protocol-mappers/nextcloud-legacy-id.yaml
+++ b/charts/keycloak-late/templates/protocol-mappers/nextcloud-legacy-id.yaml
@@ -1,4 +1,3 @@
-
 # see: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.8.0/resources/client.keycloak.crossplane.io/ProtocolMapper/v1alpha1
 # role mapper example
 apiVersion: client.keycloak.crossplane.io/v1alpha1
@@ -31,3 +30,36 @@ spec:
 jsonType.label: "String"
 providerConfigRef:
 name: default
+---
+# see: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.8.0/resources/client.keycloak.crossplane.io/ProtocolMapper/v1alpha1
+# role mapper example
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+ name: own-nextcloud-legacy-id
+spec:
+ forProvider:
+ realmIdRef:
+ name: deepcypher
+ #clientId: grafana
+ clientScopeIdRef:
+ name: nextcloud-legacy-id
+ name: nextcloud-legacy-id
+ protocol: openid-connect
+ # name comes from https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserAttributeMapper.java#L69
+ protocolMapper: oidc-usermodel-attribute-mapper
+ config:
+ # for available options:
+ # which links to the OIDCAttributeMapperHelper at https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserRealmRoleMappingMapper.java#L61
+ # which then references: https://github.com/keycloak/keycloak/blob/cc558b4090eb6707e269d9a581945a6424d0adbc/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java#L57
+ id.token.claim: "true"
+ access.token.claim: "true"
+ userinfo.token.claim: "true"
+ user.attribute: "nextcloud-legacy-id"
+
+ #multivalued: "true"
+ claim.name: "nextcloud-legacy-id"
+
+ jsonType.label: "String"
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/roles/admin.yaml b/charts/keycloak-late/templates/roles/admin.yaml
index 35159f89..0069b8c6 100644
--- a/charts/keycloak-late/templates/roles/admin.yaml
+++ b/charts/keycloak-late/templates/roles/admin.yaml
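Review bot: The new own-nextcloud-legacy-id mapper copies `#clientId: grafana`, `#multivalued: "true"` and the two blank lines inside `config:` over from the first document; `#clientId: grafana` in particular is misleading here, because this mapper is attached to a ClientScope through `clientScopeIdRef` and not to any client. Remove the commented-out keys and the stray blank lines in the new document, and keep the research links once in the first document rather than duplicating them, leaving `protocolMapper: oidc-usermodel-attribute-mapper` and the config keys as they are. This is style only; as far as the context lines show, the mapper config itself appears to match the `default` variant above it.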
@@ -9,3 +9,15 @@ spec:
 description: Administrator for all deepcypher applications.
 providerConfigRef:
 name: default
+---
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ name: own-admin
+spec:
+ forProvider:
+ realmId: deepcypher
+ name: admin
+ description: Administrator for all deepcypher applications.
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/roles/builtin-realm-admin.yaml b/charts/keycloak-late/templates/roles/builtin-realm-admin.yaml
index 21c938aa..47eceedb 100644
--- a/charts/keycloak-late/templates/roles/builtin-realm-admin.yaml
+++ b/charts/keycloak-late/templates/roles/builtin-realm-admin.yaml
@@ -1,4 +1,3 @@
-
 # THIS IS A BUILT IN KEYCLOAK ROLE
 # THIS IS ONLY HERE TO TRACK / OBSERVE IT
 # THIS SHOULD NOT BE USED TO MODIFY THE ROLE
@@ -20,3 +19,25 @@ spec:
 - Observe
 providerConfigRef:
 name: default
+---
+# THIS IS A BUILT IN KEYCLOAK ROLE
+# THIS IS ONLY HERE TO TRACK / OBSERVE IT
+# THIS SHOULD NOT BE USED TO MODIFY THE ROLE
+apiVersion: role.keycloak.crossplane.io/v1alpha1
+kind: Role
+metadata:
+ annotations:
+ # Here we reference the role by "/"
+ #crossplane.io/external-name: deepcypher/realm-management/realm-admin
+ name: own-deepcypher-realm-management-realm-admin
+spec:
+ deletionPolicy: Orphan
+ forProvider:
+ realmId: deepcypher
+ name: realm-admin
+ clientIdRef:
+ name: deepcypher-realm-management
+ managementPolicies:
+ - Observe
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/scopes/groups.yaml b/charts/keycloak-late/templates/scopes/groups.yaml
index ae6f90c2..c3a574fa 100644
--- a/charts/keycloak-late/templates/scopes/groups.yaml
+++ b/charts/keycloak-late/templates/scopes/groups.yaml
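Review bot: `annotations:` in the new own-deepcypher-realm-management-realm-admin Role has only commented-out children, so it parses as a null value rather than a map; the API server tolerates a null annotations field as far as I know, but the key is dead structure that yamllint `empty-values` will flag and that invites someone to uncomment the external-name without re-reading the Observe-only header. Either remove `annotations:` together with the two comment lines below it, or keep the comment block at metadata level directly above `name:`. The comment `# Here we reference the role by "/"` also seems to have lost its placeholder segments (the realm, client and role parts that the commented external-name shows) and should be restored so the intended format is readable. The clientIdRef on this hunk is covered by the note on the client-roles-in-all-tokens hunk.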
@@ -9,3 +9,17 @@ spec:
 name: deepcypher
 name: groups
 description: "Group membership list scope"
+---
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientScope
+metadata:
+ name: own-groups
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ realmIdRef:
+ name: deepcypher
+ name: groups
+ description: "Group membership list scope"
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/scopes/nextcloud-legacy-id.yaml b/charts/keycloak-late/templates/scopes/nextcloud-legacy-id.yaml
index 9b59f396..bc40c208 100644
--- a/charts/keycloak-late/templates/scopes/nextcloud-legacy-id.yaml
+++ b/charts/keycloak-late/templates/scopes/nextcloud-legacy-id.yaml
@@ -9,3 +9,17 @@ spec:
 name: deepcypher
 name: nextcloud-legacy-id
 description: "Legacy scope to allow old clients to present legacy user ID to nextcloud"
+---
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientScope
+metadata:
+ name: own-nextcloud-legacy-id
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ realmIdRef:
+ name: deepcypher
+ name: nextcloud-legacy-id
+ description: "Legacy scope to allow old clients to present legacy user ID to nextcloud"
+ providerConfigRef:
+ name: owncloak
diff --git a/charts/keycloak-late/templates/scopes/scope-roles-in-all-tokens.yaml b/charts/keycloak-late/templates/scopes/scope-roles-in-all-tokens.yaml
index 48e49854..f6eca8bf 100644
--- a/charts/keycloak-late/templates/scopes/scope-roles-in-all-tokens.yaml
+++ b/charts/keycloak-late/templates/scopes/scope-roles-in-all-tokens.yaml
@@ -9,3 +9,17 @@ spec:
 name: deepcypher
 name: roles-in-all-tokens
 description: "Role membership list scope in all tokens"
+---
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientScope
+metadata:
+ name: own-roles-in-all-tokens
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ realmIdRef:
+ name: deepcypher
+ name: roles-in-all-tokens
+ description: "Role membership list scope in all tokens"
+ providerConfigRef:
+ name: owncloak