admin/authser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
11763405ab1ed11bd65cd8aa9660ef50db71b2c6
authser/realms/ecosplay-realm.json

216 lines
6.5 KiB
JSON
Raw Normal View History

Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
{
"realm": "ecosplay",
"displayName": "E-Cosplay",
"displayNameHtml": "<span style=\"font-weight:900;text-transform:uppercase;font-style:italic;\">E-Cosplay</span>",
"enabled": true,
"loginTheme": "ecosplay",
"accountTheme": "ecosplay",
"emailTheme": "ecosplay",
"adminTheme": "keycloak.v2",
"internationalizationEnabled": true,
"supportedLocales": ["fr"],
"defaultLocale": "fr",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"verifyEmail": true,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": true,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60,
"quickLoginCheckMilliSeconds": 1000,
"maxDeltaTimeSeconds": 43200,
"failureFactor": 5,
"passwordPolicy": "length(10) and specialChars(1) and digits(1) and upperCase(1) and lowerCase(1) and notUsername(undefined) and notEmail(undefined)",
"accessTokenLifespan": 300,
"accessTokenLifespanForImplicitFlow": 900,
"ssoSessionIdleTimeout": 1800,
"ssoSessionMaxLifespan": 36000,
"offlineSessionIdleTimeout": 2592000,
"actionTokenGeneratedByUserLifespan": 900,
Enable WebAuthn / passkey on master and ecosplay realms - Add a configure_webauthn helper to sync.sh that sets the WebAuthn policy (both 2FA and passwordless variants) on a realm and enables the webauthn-register and webauthn-register-passwordless required actions so users can self-enroll passkeys via the account console. - Apply it to both master (RP "E-Cosplay Auth") and ecosplay (RP "E-Cosplay") on every sync run, idempotent. - Mirror the same policy fields and required actions in the ecosplay realm import JSON for fresh installs. Sensible defaults: ES256/RS256/EdDSA, user verification preferred, no attestation, resident key not specified. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 18:23:30 +02:00
"webAuthnPolicyRpEntityName": "E-Cosplay",
"webAuthnPolicySignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
"webAuthnPolicyUserVerificationRequirement": "preferred",
"webAuthnPolicyAttestationConveyancePreference": "none",
"webAuthnPolicyRequireResidentKey": "not specified",
"webAuthnPolicyPasswordlessRpEntityName": "E-Cosplay",
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
"webAuthnPolicyPasswordlessUserVerificationRequirement": "preferred",
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "none",
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
"requiredActions": [
{
"alias": "CONFIGURE_TOTP",
"name": "Configure OTP",
"providerId": "CONFIGURE_TOTP",
"enabled": true,
"defaultAction": false,
"priority": 10,
"config": {}
},
{
"alias": "webauthn-register",
"name": "Webauthn Register",
"providerId": "webauthn-register",
"enabled": true,
"defaultAction": false,
"priority": 70,
"config": {}
},
{
"alias": "webauthn-register-passwordless",
"name": "Webauthn Register Passwordless",
"providerId": "webauthn-register-passwordless",
"enabled": true,
"defaultAction": false,
"priority": 80,
"config": {}
}
],
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
"smtpServer": {
"host": "email-smtp.eu-west-3.amazonaws.com",
"port": "587",
"from": "auth@e-cosplay.fr",
"fromDisplayName": "E-Cosplay",
"replyTo": "noreply@e-cosplay.fr",
"envelopeFrom": "auth@e-cosplay.fr",
"auth": "true",
"starttls": "true",
"ssl": "false",
"user": "AKIAWTT2T22CWBRBBDYN",
"password": "BBdgb6KxRQ8mNcpWFJsZCJxbSGNdgLhKFiITMErfBlQP"
},
Add fixed group set on ecosplay realm - Declare the 10 application groups (gp_asso, gp_contest, gp_mail, gp_mailling, gp_member, gp_ndd, gp_sign, gp_ticket, super_admin_asso, superadmin) in the realm import JSON for fresh installs. - Extend keycloak-init to idempotently create them via kcadm on every boot, so existing installs (where the realm is already imported and --import-realm is a no-op) also get them in sync. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:36:40 +02:00
"groups": [
{ "name": "gp_asso" },
{ "name": "gp_contest" },
{ "name": "gp_mail" },
{ "name": "gp_mailling" },
{ "name": "gp_member" },
{ "name": "gp_ndd" },
{ "name": "gp_sign" },
{ "name": "gp_ticket" },
{ "name": "super_admin_asso" },
{ "name": "superadmin" }
],
Extract init logic to versioned sync script + bootstrap admin user - Move the inline keycloak-init bash block out of docker-compose.yml into init/sync.sh, mounted into the init container at /opt/init. The script is fully idempotent and is the new entry point for any future role/group/user/realm configuration changes — re-run with `docker compose up -d keycloak-init --force-recreate`. - Add reusable helper functions (ensure_user, ensure_group, ensure_user_in_group, ensure_user_realm_role, ensure_user_client_role) on top of kcadm.sh, with safe parsing of user/group IDs. - Bootstrap admin identity jovann@siteconseil.fr (password Shoko1997@) in both realms: * master realm: granted the global `admin` role. * ecosplay realm: granted realm-management/realm-admin and added to groups super_admin_asso and superadmin. Both users have CONFIGURE_TOTP as a required action so OTP enrollment is forced at first login. - Mirror the ecosplay user in the realm import JSON for fresh installs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:57:50 +02:00
"users": [
{
Switch admin to jovann@e-cosplay.fr + disable default admin - Rename the bootstrap human admin from jovann@siteconseil.fr to jovann@e-cosplay.fr in docker-compose env vars and in the realm import JSON. Keycloak identifies users by username so a new user is created on the next sync run; the old jovann@siteconseil.fr is left in place and can be deleted manually from the admin UI. - Introduce a service account client `sync-bot` in the master realm (confidential, service accounts enabled, direct grants off) granted the `admin` realm role. sync.sh now authenticates via client_credentials, falling back to the bootstrap admin only on the very first run — so reconciliation keeps working after the default admin is disabled. - Add disable_default_admin() at the end of the sync script. It first verifies that sync-bot can authenticate, then flips the `admin` user's `enabled` flag to false. Idempotent and safe: refuses to run if sync-bot auth is broken, and is a no-op if admin is already disabled. - SYNC_BOT_CLIENT / SYNC_BOT_SECRET env vars added to the init container for both bootstrap authentication and service client secret reconciliation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 16:15:46 +02:00
"username": "jovann@e-cosplay.fr",
"email": "jovann@e-cosplay.fr",
Capitalize admin first name (Jovann) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:59:33 +02:00
"firstName": "Jovann",
Rename ecosplay client, fix redirect URIs, set admin user real name - Rename OIDC client ecosplay-web -> ecosplay_web in the realm import JSON. The client is used by the internal e-cosplay site for OAuth. - Replace wildcard redirect URIs with the two exact callbacks: https://www.e-cosplay.fr/oauth/keycloak and https://cos.local/oauth/keycloak. webOrigins and post-logout URIs follow the same hosts. - Add helpers to sync.sh (client_internal_id, rename_client, set_client_uris) and a reconciliation step that renames any legacy ecosplay-web -> ecosplay_web and idempotently re-applies the URIs on every run, so live installs are migrated automatically. - Set the bootstrap admin user's real first/last name (jovann Serreau) in both the env vars and the realm import JSON. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:59:06 +02:00
"lastName": "Serreau",
Extract init logic to versioned sync script + bootstrap admin user - Move the inline keycloak-init bash block out of docker-compose.yml into init/sync.sh, mounted into the init container at /opt/init. The script is fully idempotent and is the new entry point for any future role/group/user/realm configuration changes — re-run with `docker compose up -d keycloak-init --force-recreate`. - Add reusable helper functions (ensure_user, ensure_group, ensure_user_in_group, ensure_user_realm_role, ensure_user_client_role) on top of kcadm.sh, with safe parsing of user/group IDs. - Bootstrap admin identity jovann@siteconseil.fr (password Shoko1997@) in both realms: * master realm: granted the global `admin` role. * ecosplay realm: granted realm-management/realm-admin and added to groups super_admin_asso and superadmin. Both users have CONFIGURE_TOTP as a required action so OTP enrollment is forced at first login. - Mirror the ecosplay user in the realm import JSON for fresh installs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:57:50 +02:00
"enabled": true,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "Shoko1997@",
"temporary": false
}
],
"requiredActions": ["CONFIGURE_TOTP"],
"groups": ["/super_admin_asso", "/superadmin"],
"clientRoles": {
"realm-management": ["realm-admin"]
}
}
],
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
"clients": [
{
Rename ecosplay client, fix redirect URIs, set admin user real name - Rename OIDC client ecosplay-web -> ecosplay_web in the realm import JSON. The client is used by the internal e-cosplay site for OAuth. - Replace wildcard redirect URIs with the two exact callbacks: https://www.e-cosplay.fr/oauth/keycloak and https://cos.local/oauth/keycloak. webOrigins and post-logout URIs follow the same hosts. - Add helpers to sync.sh (client_internal_id, rename_client, set_client_uris) and a reconciliation step that renames any legacy ecosplay-web -> ecosplay_web and idempotently re-applies the URIs on every run, so live installs are migrated automatically. - Set the bootstrap admin user's real first/last name (jovann Serreau) in both the env vars and the realm import JSON. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:59:06 +02:00
"clientId": "ecosplay_web",
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
"name": "E-Cosplay Web",
Rename ecosplay client, fix redirect URIs, set admin user real name - Rename OIDC client ecosplay-web -> ecosplay_web in the realm import JSON. The client is used by the internal e-cosplay site for OAuth. - Replace wildcard redirect URIs with the two exact callbacks: https://www.e-cosplay.fr/oauth/keycloak and https://cos.local/oauth/keycloak. webOrigins and post-logout URIs follow the same hosts. - Add helpers to sync.sh (client_internal_id, rename_client, set_client_uris) and a reconciliation step that renames any legacy ecosplay-web -> ecosplay_web and idempotently re-applies the URIs on every run, so live installs are migrated automatically. - Set the bootstrap admin user's real first/last name (jovann Serreau) in both the env vars and the realm import JSON. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:59:06 +02:00
"description": "Application web principale e-cosplay.fr (login site interne)",
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
"enabled": true,
"publicClient": false,
"secret": "change-me-in-admin-console",
"redirectUris": [
Rename ecosplay client, fix redirect URIs, set admin user real name - Rename OIDC client ecosplay-web -> ecosplay_web in the realm import JSON. The client is used by the internal e-cosplay site for OAuth. - Replace wildcard redirect URIs with the two exact callbacks: https://www.e-cosplay.fr/oauth/keycloak and https://cos.local/oauth/keycloak. webOrigins and post-logout URIs follow the same hosts. - Add helpers to sync.sh (client_internal_id, rename_client, set_client_uris) and a reconciliation step that renames any legacy ecosplay-web -> ecosplay_web and idempotently re-applies the URIs on every run, so live installs are migrated automatically. - Set the bootstrap admin user's real first/last name (jovann Serreau) in both the env vars and the realm import JSON. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:59:06 +02:00
"https://www.e-cosplay.fr/oauth/keycloak",
"https://cos.local/oauth/keycloak"
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
],
"webOrigins": [
"https://www.e-cosplay.fr",
Rename ecosplay client, fix redirect URIs, set admin user real name - Rename OIDC client ecosplay-web -> ecosplay_web in the realm import JSON. The client is used by the internal e-cosplay site for OAuth. - Replace wildcard redirect URIs with the two exact callbacks: https://www.e-cosplay.fr/oauth/keycloak and https://cos.local/oauth/keycloak. webOrigins and post-logout URIs follow the same hosts. - Add helpers to sync.sh (client_internal_id, rename_client, set_client_uris) and a reconciliation step that renames any legacy ecosplay-web -> ecosplay_web and idempotently re-applies the URIs on every run, so live installs are migrated automatically. - Set the bootstrap admin user's real first/last name (jovann Serreau) in both the env vars and the realm import JSON. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:59:06 +02:00
"https://cos.local"
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
],
"protocol": "openid-connect",
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"frontchannelLogout": true,
"attributes": {
Rename ecosplay client, fix redirect URIs, set admin user real name - Rename OIDC client ecosplay-web -> ecosplay_web in the realm import JSON. The client is used by the internal e-cosplay site for OAuth. - Replace wildcard redirect URIs with the two exact callbacks: https://www.e-cosplay.fr/oauth/keycloak and https://cos.local/oauth/keycloak. webOrigins and post-logout URIs follow the same hosts. - Add helpers to sync.sh (client_internal_id, rename_client, set_client_uris) and a reconciliation step that renames any legacy ecosplay-web -> ecosplay_web and idempotently re-applies the URIs on every run, so live installs are migrated automatically. - Set the bootstrap admin user's real first/last name (jovann Serreau) in both the env vars and the realm import JSON. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:59:06 +02:00
"post.logout.redirect.uris": "https://www.e-cosplay.fr/*##https://cos.local/*",
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
"pkce.code.challenge.method": "S256"
Add ecosplay_code OIDC client for Gitea SSO New confidential client 'ecosplay_code' with PKCE S256, declared in the realm import JSON for fresh installs and reconciled via sync.sh (ensure_client + set_client_uris) for existing installs. Redirect URIs match the Gitea OAuth2 callback format for the esy_lock provider: https://code.e-cosplay.fr/user/oauth2/esy_lock/callback https://cos.local/user/oauth2/esy_lock/callback Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 16:24:28 +02:00
}
},
{
"clientId": "ecosplay_code",
"name": "E-Cosplay Code",
Disable PKCE on ecosplay_code client (Gitea compat) Gitea 1.25.5 and earlier do not send PKCE code_challenge_method on OIDC sources, so enforcing PKCE in Keycloak causes: Missing parameter: code_challenge_method at the /auth endpoint. Drop the pkce.code.challenge.method attribute from the ecosplay_code client block in the realm import JSON, and add a set_client_pkce helper to sync.sh that clears the attribute on existing installs. All other clients (ecosplay_web, eticket) keep S256. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 16:53:17 +02:00
"description": "Forge de code (Gitea) - login SSO via ecosplay_code provider (Gitea ne supporte pas PKCE)",
Add ecosplay_code OIDC client for Gitea SSO New confidential client 'ecosplay_code' with PKCE S256, declared in the realm import JSON for fresh installs and reconciled via sync.sh (ensure_client + set_client_uris) for existing installs. Redirect URIs match the Gitea OAuth2 callback format for the esy_lock provider: https://code.e-cosplay.fr/user/oauth2/esy_lock/callback https://cos.local/user/oauth2/esy_lock/callback Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 16:24:28 +02:00
"enabled": true,
"publicClient": false,
"secret": "change-me-in-admin-console",
"redirectUris": [
Update ecosplay_code callback path (esy_lock -> ecosplay_code) The Gitea OAuth2 provider name changed from esy_lock to ecosplay_code, so the callback path follows: /user/oauth2/ecosplay_code/callback Update both the realm import JSON and sync.sh reconciliation for code.e-cosplay.fr and cos.local. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 16:51:02 +02:00
"https://code.e-cosplay.fr/user/oauth2/ecosplay_code/callback",
"https://cos.local/user/oauth2/ecosplay_code/callback"
Add ecosplay_code OIDC client for Gitea SSO New confidential client 'ecosplay_code' with PKCE S256, declared in the realm import JSON for fresh installs and reconciled via sync.sh (ensure_client + set_client_uris) for existing installs. Redirect URIs match the Gitea OAuth2 callback format for the esy_lock provider: https://code.e-cosplay.fr/user/oauth2/esy_lock/callback https://cos.local/user/oauth2/esy_lock/callback Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 16:24:28 +02:00
],
"webOrigins": [
"https://code.e-cosplay.fr",
"https://cos.local"
],
"protocol": "openid-connect",
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"frontchannelLogout": true,
"attributes": {
Disable PKCE on ecosplay_code client (Gitea compat) Gitea 1.25.5 and earlier do not send PKCE code_challenge_method on OIDC sources, so enforcing PKCE in Keycloak causes: Missing parameter: code_challenge_method at the /auth endpoint. Drop the pkce.code.challenge.method attribute from the ecosplay_code client block in the realm import JSON, and add a set_client_pkce helper to sync.sh that clears the attribute on existing installs. All other clients (ecosplay_web, eticket) keep S256. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 16:53:17 +02:00
"post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*"
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
}
Add eticket OIDC client for ticket.e-cosplay.fr - Declare a new confidential client 'eticket' (PKCE S256, standard flow only) in the realm import JSON for fresh installs. - Add a generic ensure_client helper to sync.sh that creates a client with sane defaults if missing, then applies the URIs via set_client_uris on every run for idempotent reconciliation. - Wire the new client up with its four redirect URIs: https://ticket.e-cosplay.fr/api/auth/login/sso/validate https://cos.local/api/auth/login/sso/validate https://ticket.e-cosplay.fr/connection/sso/check https://cos.local/connection/sso/check and matching webOrigins / post-logout URIs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 12:02:22 +02:00
},
{
"clientId": "eticket",
"name": "E-Ticket",
"description": "Application billetterie ticket.e-cosplay.fr",
"enabled": true,
"publicClient": false,
"secret": "change-me-in-admin-console",
"redirectUris": [
"https://ticket.e-cosplay.fr/api/auth/login/sso/validate",
"https://cos.local/api/auth/login/sso/validate",
"https://ticket.e-cosplay.fr/connection/sso/check",
"https://cos.local/connection/sso/check"
],
"webOrigins": [
"https://ticket.e-cosplay.fr",
"https://cos.local"
],
"protocol": "openid-connect",
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"frontchannelLogout": true,
"attributes": {
"post.logout.redirect.uris": "https://ticket.e-cosplay.fr/*##https://cos.local/*",
"pkce.code.challenge.method": "S256"
}
Go-live, ecosplay realm-as-code, and full theme coverage Go-live: - Switch keycloak from start-dev to start --import-realm (production mode with auto-build at boot, no Dockerfile needed yet). - Set KC_HOSTNAME=https://auth.e-cosplay.fr and KC_PROXY_HEADERS= xforwarded so Keycloak emits correct issuer URLs and trusts Caddy's X-Forwarded-* headers. - Replace deprecated KEYCLOAK_ADMIN env vars with KC_BOOTSTRAP_ADMIN_*. - Bind the public port to 127.0.0.1 only (Caddy is colocated). - Add a Keycloak healthcheck against /health/ready on the management port (9000) using bash /dev/tcp; init container now waits on service_healthy instead of service_started. Architecture: - New realms/ecosplay-realm.json mounted into /opt/keycloak/data/import and imported on first boot. Defines the dedicated 'ecosplay' realm (separate from master) with French i18n, brute-force protection, strong password policy, SES SMTP, and an OIDC client 'ecosplay-web' pointing at e-cosplay.fr (confidential + PKCE S256). Theme coverage: - themes/ecosplay/account: PatternFly v5 overlay (parent=keycloak.v2) bringing the neo-brutalist colors, thick borders, italic uppercase typography, and offset hard shadows to the user account console. - themes/ecosplay/email: branded HTML wrapper template (table layout with inline styles for email-client safety) plus a matching plain text wrapper. All Keycloak emails now ship with the E-Cosplay identity without needing per-template overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 11:22:40 +02:00
}
]
}
Reference in New Issue Copy Permalink