Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Menu
Open sidebar
Arch Linux
infrastructure
Commits
f06f1470
Verified
Commit
f06f1470
authored
May 26, 2020
by
Sven-Hendrik Haase
Browse files
keycloak: Add recaptcha support (fixes #35)
parent
8ab0fdc9
Pipeline
#170
failed with stage
in 1 minute
Changes
1
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
tf-stage2/keycloak.tf
View file @
f06f1470
...
...
@@ -20,6 +20,14 @@ data "external" "keycloak_smtp_password" {
program
=
[
"
${
path
.
module}
/../misc/get_key.py"
,
"group_vars/all/vault_keycloak.yml"
,
"vault_keycloak_smtp_password"
,
"json"
]
}
data
"external"
"google_recaptcha_site_key"
{
program
=
[
"
${
path
.
module}
/../misc/get_key.py"
,
"group_vars/all/vault_google.yml"
,
"vault_google_recaptcha_site_key"
,
"json"
]
}
data
"external"
"google_recaptcha_secret_key"
{
program
=
[
"
${
path
.
module}
/../misc/get_key.py"
,
"group_vars/all/vault_google.yml"
,
"vault_google_recaptcha_secret_key"
,
"json"
]
}
provider
"keycloak"
{
client_id
=
"admin-cli"
username
=
data
.
external
.
keycloak_admin_user
.
result
.
vault_keycloak_admin_user
...
...
@@ -46,6 +54,7 @@ resource "keycloak_realm" "archlinux" {
password_policy
=
"length(8) and notUsername"
browser_flow
=
"Arch Browser"
registration_flow
=
"Arch Registration"
smtp_server
{
host
=
"mail.archlinux.org"
...
...
@@ -62,6 +71,15 @@ resource "keycloak_realm" "archlinux" {
}
security_defenses
{
headers
{
x_frame_options
=
"ALLOW-FROM https://www.google.com"
content_security_policy
=
"frame-src 'self' https://www.google.com; frame-ancestors 'self'; object-src 'none';"
content_security_policy_report_only
=
""
x_content_type_options
=
"nosniff"
x_robots_tag
=
"none"
x_xss_protection
=
"1; mode=block"
strict_transport_security
=
"max-age=31536000; includeSubDomains"
}
brute_force_detection
{
permanent_lockout
=
false
max_login_failures
=
30
...
...
@@ -228,6 +246,66 @@ resource "keycloak_group_roles" "externalcontributor" {
]
}
// Add new custom registration flow with reCAPTCHA
resource
"keycloak_authentication_flow"
"arch_registration_flow"
{
realm_id
=
"archlinux"
alias
=
"Arch Registration"
description
=
"Customized Registration flow that forces enables ReCAPTCHA."
}
resource
"keycloak_authentication_subflow"
"registration_form"
{
realm_id
=
"archlinux"
alias
=
"Registration Form"
parent_flow_alias
=
keycloak_authentication_flow
.
arch_registration_flow
.
alias
provider_id
=
"form-flow"
authenticator
=
"registration-page-form"
requirement
=
"REQUIRED"
}
resource
"keycloak_authentication_execution"
"registration_user_creation"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
registration_form
.
alias
authenticator
=
"registration-user-creation"
requirement
=
"REQUIRED"
}
resource
"keycloak_authentication_execution"
"registration_profile_action"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
registration_form
.
alias
authenticator
=
"registration-profile-action"
requirement
=
"REQUIRED"
depends_on
=
[
keycloak_authentication_execution
.
registration_user_creation
]
}
resource
"keycloak_authentication_execution"
"registration_password_action"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
registration_form
.
alias
authenticator
=
"registration-password-action"
requirement
=
"REQUIRED"
depends_on
=
[
keycloak_authentication_execution
.
registration_profile_action
]
}
resource
"keycloak_authentication_execution"
"registration_recaptcha_action"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
registration_form
.
alias
authenticator
=
"registration-recaptcha-action"
requirement
=
"REQUIRED"
depends_on
=
[
keycloak_authentication_execution
.
registration_password_action
]
}
resource
"keycloak_authentication_execution_config"
"registration_recaptcha_action_config"
{
realm_id
=
"archlinux"
alias
=
"reCAPTCHA config"
execution_id
=
keycloak_authentication_execution
.
registration_recaptcha_action
.
id
config
=
{
"useRecaptchaNet"
=
"false"
,
"site.key"
=
data
.
external
.
google_recaptcha_site_key
.
result
.
vault_google_recaptcha_site_key
"secret"
=
data
.
external
.
google_recaptcha_secret_key
.
result
.
vault_google_recaptcha_secret_key
}
}
// Add new custom browser login flow with forced OTP for some user roles
//
// Try misc/kcadm_wrapper.sh get authentication/flows/{{ your flow alias}}/executions
// to make this a whole lot easier.
// NOTE: We use the `depends_on` calls to properly order the executions and subflows inside the
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment