Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Menu
Open sidebar
Christian Rebischke
infrastructure
Commits
0d6c79dd
Verified
Commit
0d6c79dd
authored
May 23, 2020
by
Sven-Hendrik Haase
Browse files
keycloak: Add Arch Browser authentication flow
parent
989c55f9
Changes
1
Hide whitespace changes
Inline
Side-by-side
tf-stage2/keycloak.tf
View file @
0d6c79dd
...
...
@@ -166,7 +166,7 @@ resource "keycloak_group" "staff" {
name
=
"Arch Linux Staff"
}
resource
"keycloak_group"
"externals"
{
resource
"keycloak_group"
"external
contributor
s"
{
realm_id
=
"archlinux"
name
=
"External Contributors"
}
...
...
@@ -196,9 +196,9 @@ resource "keycloak_role" "staff" {
description
=
"Role held by all Arch Linux staff"
}
resource
"keycloak_role"
"external
s
"
{
resource
"keycloak_role"
"external
contributor
"
{
realm_id
=
"archlinux"
name
=
"External Contributor
s
"
name
=
"External Contributor"
description
=
"Role held by external contributors working on Arch Linux projects without further access"
}
...
...
@@ -218,14 +218,105 @@ resource "keycloak_group_roles" "staff" {
]
}
resource
"keycloak_group_roles"
"external
s
"
{
resource
"keycloak_group_roles"
"external
contributor
"
{
realm_id
=
"archlinux"
group_id
=
keycloak_group
.
externals
.
id
group_id
=
keycloak_group
.
external
contributor
s
.
id
role_ids
=
[
keycloak_role
.
external
s
.
id
keycloak_role
.
external
contributor
.
id
]
}
// Try misc/kcadm_wrapper.sh get authentication/flows/{{ your flow alias}}/executions
// to make this a whole lot easier.
resource
"keycloak_authentication_flow"
"arch_browser_flow"
{
realm_id
=
"archlinux"
alias
=
"Arch Browser"
description
=
"Customized Browser flow that forces all users with the 'Staff' role to use OTP."
}
resource
"keycloak_authentication_execution"
"cookie"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_flow
.
arch_browser_flow
.
alias
authenticator
=
"auth-cookie"
requirement
=
"ALTERNATIVE"
}
resource
"keycloak_authentication_execution"
"identity_provider_redirector"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_flow
.
arch_browser_flow
.
alias
authenticator
=
"identity-provider-redirector"
requirement
=
"ALTERNATIVE"
}
resource
"keycloak_authentication_subflow"
"subforms"
{
realm_id
=
"archlinux"
alias
=
"subforms"
parent_flow_alias
=
keycloak_authentication_flow
.
arch_browser_flow
.
alias
requirement
=
"ALTERNATIVE"
}
resource
"keycloak_authentication_execution"
"username_password_form"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
subforms
.
alias
authenticator
=
"auth-username-password-form"
requirement
=
"REQUIRED"
}
resource
"keycloak_authentication_subflow"
"userconfigured_conditional_otp"
{
realm_id
=
"archlinux"
alias
=
"User-configured Conditional OTP"
parent_flow_alias
=
keycloak_authentication_subflow
.
subforms
.
alias
requirement
=
"CONDITIONAL"
}
resource
"keycloak_authentication_execution"
"userconfigured_conditional_otp_condition"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
userconfigured_conditional_otp
.
alias
authenticator
=
"conditional-user-configured"
requirement
=
"REQUIRED"
}
resource
"keycloak_authentication_execution"
"userconfigured_conditional_otp_form"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
userconfigured_conditional_otp
.
alias
authenticator
=
"auth-otp-form"
requirement
=
"REQUIRED"
}
resource
"keycloak_authentication_execution"
"forced_otp_for_staff"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
subforms
.
alias
authenticator
=
"auth-conditional-otp-form"
requirement
=
"REQUIRED"
}
resource
"keycloak_authentication_execution_config"
"forced_otp_for_staff_config"
{
realm_id
=
"archlinux"
execution_id
=
keycloak_authentication_execution
.
forced_otp_for_staff
.
id
alias
=
"forced_otp_for_staff_config"
config
=
{
forceOtpRole
=
"Staff"
,
defaultOtpOutcome
=
"skip"
}
}
resource
"keycloak_authentication_execution"
"forced_otp_for_externalcontributors"
{
realm_id
=
"archlinux"
parent_flow_alias
=
keycloak_authentication_subflow
.
subforms
.
alias
authenticator
=
"auth-conditional-otp-form"
requirement
=
"REQUIRED"
}
resource
"keycloak_authentication_execution_config"
"forced_otp_for_externalcontributors_config"
{
realm_id
=
"archlinux"
execution_id
=
keycloak_authentication_execution
.
forced_otp_for_externalcontributors
.
id
alias
=
"forced_otp_for_externalcontributorsconfig"
config
=
{
forceOtpRole
=
"External Contributor"
,
defaultOtpOutcome
=
"skip"
}
}
output
"gitlab_saml_configuration"
{
value
=
{
issuer
=
keycloak_saml_client
.
saml_gitlab
.
client_id
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
