From ed19221404d7a68a2cfa5ff24c271df931258186 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Sat, 12 Nov 2022 16:07:09 +0200
Subject: [PATCH] keycloak: remove /auth from all Keycloak endpoints

From [1]: "By default, the new Quarkus distribution removes /auth from
           the context-path."

[1] https://www.keycloak.org/migration/migrating-to-quarkus
---
 misc/kcadm_wrapper.sh                                  | 2 +-
 one-shots/keycloak-importer/import_user_groups.py      | 2 +-
 one-shots/keycloak-keyfetcher/get_fingerprint.sh       | 2 +-
 roles/gitlab/tasks/main.yml                            | 6 +++---
 roles/grafana/templates/grafana.ini.j2                 | 8 ++++----
 roles/hedgedoc/templates/hedgedoc.service.d.j2         | 6 +++---
 roles/keycloak/templates/keycloak.conf.j2              | 1 -
 roles/keycloak/templates/nginx.d.conf.j2               | 6 +++---
 roles/matrix/templates/homeserver.yaml.j2              | 2 +-
 roles/prometheus/templates/prometheus.yml.j2           | 2 +-
 roles/security_tracker/templates/20-user.local.conf.j2 | 2 +-
 tf-stage2/keycloak.tf                                  | 8 ++------
 12 files changed, 21 insertions(+), 26 deletions(-)

diff --git a/misc/kcadm_wrapper.sh b/misc/kcadm_wrapper.sh
index 239a1d58c..0a6adc0e0 100755
--- a/misc/kcadm_wrapper.sh
+++ b/misc/kcadm_wrapper.sh
@@ -14,7 +14,7 @@
 kcadm "$@" \
     -r archlinux \
     --no-config \
-    --server https://accounts.archlinux.org/auth \
+    --server https://accounts.archlinux.org \
     --realm master \
     --user $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_user) \
     --password $(misc/get_key.py group_vars/all/vault_keycloak.yml vault_keycloak_admin_password)
diff --git a/one-shots/keycloak-importer/import_user_groups.py b/one-shots/keycloak-importer/import_user_groups.py
index f42453a23..90300774c 100755
--- a/one-shots/keycloak-importer/import_user_groups.py
+++ b/one-shots/keycloak-importer/import_user_groups.py
@@ -19,7 +19,7 @@ IMPORT_GROUPS = {
 CLIENT_ID = "admin-cli"
 KEYCLOAK_ADMIN_USERNAME = os.environ["KEYCLOAK_ADMIN_USERNAME"]
 KEYCLOAK_ADMIN_PASSWORD = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
-KEYCLOAK_URL = "https://accounts.archlinux.org/auth"
+KEYCLOAK_URL = "https://accounts.archlinux.org"
 KEYCLOAK_REALM = "archlinux"
 
 REALM_URL = f"{KEYCLOAK_URL}/realms/master"
diff --git a/one-shots/keycloak-keyfetcher/get_fingerprint.sh b/one-shots/keycloak-keyfetcher/get_fingerprint.sh
index 2d40dcea7..3f4e2233d 100755
--- a/one-shots/keycloak-keyfetcher/get_fingerprint.sh
+++ b/one-shots/keycloak-keyfetcher/get_fingerprint.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-curl -s https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/descriptor  | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
+curl -s https://accounts.archlinux.org/realms/archlinux/protocol/saml/descriptor  | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
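Review bot: The renamed URL is fetched with `curl -s` and no `--fail`, and the script sets no `pipefail`, so a 404 on the new path (or a host that still serves only the old `/auth` prefix) produces no X509Certificate node, `base64 -d` reads empty input, and the script prints the SHA-1 of the empty string formatted as a fingerprint with exit status 0. That value is exactly what an operator is told to paste into `idp_cert_fingerprint` in roles/gitlab/tasks/main.yml, so the failure needs to be loud. Change `curl -s` to `curl -sSf` and add `set -euo pipefail` after the shebang so the pipeline fails instead of emitting a bogus fingerprint.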
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
index 7e9d721f0..c618bc280 100644
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -23,7 +23,7 @@
       # 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
       # one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
       # 2. In order to logout properly we need to configure the "After sign out path" and set it to
-      # https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
+      # https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
       # https://gitlab.com/gitlab-org/gitlab/issues/14414
       #
       # In addition, see https://docs.gitlab.com/ee/administration/pages/ for the GitLab Pages trickery done below.
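Review bot: The logout URL on the new line still passes the return target as `redirect_uri`; on the Quarkus distribution this commit migrates to, Keycloak 18 and later no longer honour that parameter by default (the OIDC logout endpoint expects `post_logout_redirect_uri` together with `id_token_hint` or `client_id`, unless the legacy logout-redirect-uri compatibility option is enabled) and show a confirmation page instead of redirecting back to GitLab. The same applies to `signout_redirect_url` in roles/grafana/templates/grafana.ini.j2 in this commit. If the deployed Keycloak is 18 or newer, verify the sign-out flow after deploy and update the instruction to `.../openid-connect/logout?post_logout_redirect_uri=https%3A//gitlab.archlinux.org&client_id=<gitlab client id>`, with that URI registered as a valid post-logout redirect on the client.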
@@ -78,8 +78,8 @@
             args: {
               assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
               idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
-              idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
-              idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
+              idp_sso_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/saml_gitlab',
+              idp_slo_target_url: 'https://accounts.archlinux.org/realms/archlinux/protocol/saml',
               issuer: 'saml_gitlab',
               attribute_statements: {
                 first_name: ['first_name'],
diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index 6848e40fe..6ac46ac3d 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -433,7 +433,7 @@ disable_login_form = true
 ;disable_signout_menu = false
 
 # URL to redirect the user to after sign out
-signout_redirect_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
+signout_redirect_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https://{{ grafana_domain }}
 
 # Set to true to attempt login with OAuth automatically, skipping the login screen.
 # This setting is ignored if multiple OAuth providers are configured.
@@ -573,9 +573,9 @@ email_attribute_path = email
 ;login_attribute_path =
 ;name_attribute_path =
 ;id_token_attribute_name =
-auth_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
-token_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
-api_url = https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
+auth_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
+token_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
+api_url = https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
 ;teams_url =
 ;allowed_domains =
 ;team_ids =
diff --git a/roles/hedgedoc/templates/hedgedoc.service.d.j2 b/roles/hedgedoc/templates/hedgedoc.service.d.j2
index 36810b009..b6497775d 100644
--- a/roles/hedgedoc/templates/hedgedoc.service.d.j2
+++ b/roles/hedgedoc/templates/hedgedoc.service.d.j2
@@ -1,10 +1,10 @@
 [Service]
-Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/userinfo
+Environment=CMD_OAUTH2_USER_PROFILE_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/userinfo
 Environment=CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
 Environment=CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
 Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
-Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/token
-Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/auth
+Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
+Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
 Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
 Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
 Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2
index 6da32f33b..88add9180 100644
--- a/roles/keycloak/templates/keycloak.conf.j2
+++ b/roles/keycloak/templates/keycloak.conf.j2
@@ -5,7 +5,6 @@ metrics-enabled=true
 http-enabled=true
 http-host=127.0.0.1
 http-port={{ keycloak_port }}
-http-relative-path=/auth
 proxy=edge
 
 db=postgres
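Review bot: Removing `http-relative-path=/auth` makes every `/auth/...` URL a 404 the moment Keycloak restarts, and nothing in this commit bridges the transition for relying parties that are configured outside this repository or whose role is deployed later than the keycloak role. A transitional redirect in roles/keycloak/templates/nginx.d.conf.j2, e.g. `location ^~ /auth/ { rewrite ^/auth/(.*)$ /$1 permanent; }`, keeps browser-facing authorization, logout and account URLs working while clients are migrated; backend token and userinfo calls still need explicit migration, since most HTTP clients do not follow a redirect for POST. Consider noting the cut-over order in the commit message as well.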
diff --git a/roles/keycloak/templates/nginx.d.conf.j2 b/roles/keycloak/templates/nginx.d.conf.j2
index 1525e57c9..2d71a2f0d 100644
--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -32,10 +32,10 @@ server {
 
     # https://w3c.github.io/webappsec-change-password-url/
     location = /.well-known/change-password {
-        return 302 https://$server_name/auth/realms/archlinux/account/#/security/signingin;
+        return 302 https://$server_name/realms/archlinux/account/#/security/signingin;
     }
 
-    location ~ /auth/realms/[a-z]+/metrics  {
+    location ~ /realms/[a-z]+/metrics  {
         auth_basic "Prometheus exporter";
         auth_basic_user_file {{ keycloak_nginx_htpasswd }};
 
@@ -59,6 +59,6 @@ server {
     }
 
     location = / {
-        return 301 https://$server_name/auth/realms/archlinux/account;
+        return 301 https://$server_name/realms/archlinux/account;
     }
 }
diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2
index 319c35f9d..7317dd1b4 100644
--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -143,7 +143,7 @@ oidc_providers:
     idp_name: "Arch Linux"
     idp_icon: "mxc://archlinux.org/iQmyhmksPLmphXWFUxiLEwVw"
     idp_brand: archlinux
-    issuer: "https://accounts.archlinux.org/auth/realms/archlinux"
+    issuer: "https://accounts.archlinux.org/realms/archlinux"
     client_id: "openid_matrix"
     client_secret: "{{ vault_matrix_openid_client_secret }}"
     scopes: ["openid", "profile", "email", "roles"]
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index 1b3f7a91f..49734f5b7 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -90,7 +90,7 @@ scrape_configs:
 
   - job_name: 'keycloak'
     scheme: https
-    metrics_path: "/auth/realms/master/metrics"
+    metrics_path: "/realms/master/metrics"
     basic_auth:
        username: "{{ vault_keycloak_nginx_user }}"
        password: "{{ vault_keycloak_nginx_passwd }}"
diff --git a/roles/security_tracker/templates/20-user.local.conf.j2 b/roles/security_tracker/templates/20-user.local.conf.j2
index 56ea0b3bf..c06a59be2 100644
--- a/roles/security_tracker/templates/20-user.local.conf.j2
+++ b/roles/security_tracker/templates/20-user.local.conf.j2
@@ -3,7 +3,7 @@ secret_key = '{{ vault_security_tracker.secret_key }}'
 
 [sso]
 enabled = yes
-metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
+metadata_url = https://accounts.archlinux.org/realms/archlinux/.well-known/openid-configuration
 client_id = openid_security_tracker
 client_secret = {{ vault_security_tracker_openid_client_secret }}
 administrator_group = /Arch Linux Staff/Security Team/Admins
diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index c0798ab2a..6c300efe5 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -57,10 +57,6 @@ provider "keycloak" {
   username  = data.external.vault_keycloak.result.vault_keycloak_admin_user
   password  = data.external.vault_keycloak.result.vault_keycloak_admin_password
   url       = "https://accounts.archlinux.org"
-
-  # TODO: remove this once our Keycloak instance is no longer served under /auth
-  # https://github.com/mrparkers/terraform-provider-keycloak/blob/master/CHANGELOG.md#v400-october-10-2022
-  base_path = "/auth"
 }
 
 variable "gitlab_instance" {
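Review bot: Dropping `base_path` relies on the provider's default now being empty, which the removed comment tied to terraform-provider-keycloak v4.0.0; with an older provider the default is still `/auth` and every resource in this file would target the old path. If `required_providers` (outside this hunk) does not already constrain the version, add `version = ">= 4.0.0"` there, or keep an explicit `base_path = ""` so the behaviour does not depend on the provider default.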
@@ -213,7 +209,7 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
   realm                        = "archlinux"
   alias                        = "github"
   provider_id                  = "github"
-  authorization_url            = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
+  authorization_url            = "https://accounts.archlinux.org/realms/archlinux/broker/github/endpoint"
   client_id                    = data.external.vault_github.result.vault_github_oauth_app_client_id
   client_secret                = data.external.vault_github.result.vault_github_oauth_app_client_secret
   token_url                    = ""
@@ -765,7 +761,7 @@ output "gitlab_saml_configuration" {
     issuer                          = keycloak_saml_client.saml_gitlab.client_id
     assertion_consumer_service_url  = var.gitlab_instance.saml_redirect_url
     admin_groups                    = [keycloak_role.devops.name]
-    idp_sso_target_url              = "https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
+    idp_sso_target_url              = "https://accounts.archlinux.org/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"
     signing_certificate_fingerprint = keycloak_saml_client.saml_gitlab.signing_certificate
   }
 }
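Review bot: The base URL is hard-coded again in `idp_sso_target_url` on the new line, as it is in `authorization_url` in the identity-provider hunk above and in the provider block's `url`; a `locals { keycloak_url = "https://accounts.archlinux.org" }` with `"${local.keycloak_url}/realms/archlinux/protocol/saml/clients/${keycloak_saml_client.saml_gitlab.client_id}"` would make the next endpoint change a single edit. The same SSO target URL is also duplicated by hand in roles/gitlab/tasks/main.yml even though this output appears to exist to provide it; worth consolidating so the two cannot drift apart again.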
-- 
GitLab