From d7c62b15f11d8d51c214a489c521a53a49eab5aa Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 10 Apr 2026 12:02:22 +0200
Subject: [PATCH] Add eticket OIDC client for ticket.e-cosplay.fr

- Declare a new confidential client 'eticket' (PKCE S256, standard flow only) in the realm import JSON for fresh installs.
- Add a generic ensure_client helper to sync.sh that creates a client with sane defaults if missing, then applies the URIs via set_client_uris on every run for idempotent reconciliation.
- Wire the new client up with its four redirect URIs:
  https://ticket.e-cosplay.fr/api/auth/login/sso/validate
  https://cos.local/api/auth/login/sso/validate
  https://ticket.e-cosplay.fr/connection/sso/check
  https://cos.local/connection/sso/check
  and matching webOrigins / post-logout URIs.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 init/sync.sh               | 39 ++++++++++++++++++++++++++++++++++++++
 realms/ecosplay-realm.json | 28 +++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/init/sync.sh b/init/sync.sh
index 5ed804e..ee6e4d9 100755
--- a/init/sync.sh
+++ b/init/sync.sh
@@ -144,6 +144,33 @@ set_client_uris() {
   info " client $2 URIs synced ($1)"
 }
 
+ensure_client() {
+  # $1=realm $2=clientId $3=name $4=description $5=secret
+  # $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated)
+  if [ -n "$(client_internal_id "$1" "$2")" ]; then
+    info "= client $2 ($1)"
+    return
+  fi
+  $KC create clients -r "$1" \
+    -s "clientId=$2" \
+    -s "name=$3" \
+    -s "description=$4" \
+    -s 'protocol=openid-connect' \
+    -s 'enabled=true' \
+    -s 'publicClient=false' \
+    -s "secret=$5" \
+    -s 'standardFlowEnabled=true' \
+    -s 'implicitFlowEnabled=false' \
+    -s 'directAccessGrantsEnabled=false' \
+    -s 'serviceAccountsEnabled=false' \
+    -s 'frontchannelLogout=true' \
+    -s "redirectUris=$6" \
+    -s "webOrigins=$7" \
+    -s "attributes.\"post.logout.redirect.uris\"=$8" \
+    -s 'attributes."pkce.code.challenge.method"=S256' >/dev/null
+  info "+ client $2 ($1)"
+}
+
 # =============================================================
 # Master realm: SMTP, theme, locale
 # =============================================================
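Review bot: `-s "secret=$5"` puts the client secret on the `$KC` command line, so it is visible in the process table and in any `set -x` trace or CI log of sync.sh; the placeholder passed today is harmless, but ensure_client is a generic helper and the same line will carry a real secret the moment a caller supplies one. If the kcadm build in use accepts `-f` (request body from a file or stdin), feeding the secret through that path instead of `-s` keeps it out of argv — I cannot confirm the kcadm version from the hunk. The header comment lists the positionals but not the helper's contract; I would add `# Creates the client only if absent; URIs are re-applied by set_client_uris on every run, so change them there, not here.` above the `if`.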
@@ -193,6 +220,18 @@ if realm_exists ecosplay; then
     '["https://www.e-cosplay.fr/oauth/keycloak","https://cos.local/oauth/keycloak"]' \
     '["https://www.e-cosplay.fr","https://cos.local"]' \
     'https://www.e-cosplay.fr/*##https://cos.local/*'
+
+  log "Reconciling eticket client"
+  ensure_client ecosplay eticket "E-Ticket" \
+    "Application billetterie ticket.e-cosplay.fr" \
+    "change-me-in-admin-console" \
+    '["https://ticket.e-cosplay.fr/api/auth/login/sso/validate","https://cos.local/api/auth/login/sso/validate","https://ticket.e-cosplay.fr/connection/sso/check","https://cos.local/connection/sso/check"]' \
+    '["https://ticket.e-cosplay.fr","https://cos.local"]' \
+    'https://ticket.e-cosplay.fr/*##https://cos.local/*'
+  set_client_uris ecosplay eticket \
+    '["https://ticket.e-cosplay.fr/api/auth/login/sso/validate","https://cos.local/api/auth/login/sso/validate","https://ticket.e-cosplay.fr/connection/sso/check","https://cos.local/connection/sso/check"]' \
+    '["https://ticket.e-cosplay.fr","https://cos.local"]' \
+    'https://ticket.e-cosplay.fr/*##https://cos.local/*'
 else
   warn "ecosplay realm not found — will be imported on next boot"
 fi
diff --git a/realms/ecosplay-realm.json b/realms/ecosplay-realm.json
index 2bf3fa7..e324601 100644
--- a/realms/ecosplay-realm.json
+++ b/realms/ecosplay-realm.json
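Review bot: The redirect-URI, webOrigins and post-logout literals are pasted twice, once for ensure_client and once for set_client_uris, so the two calls can silently drift apart on the next edit; hoisting them into three variables and passing those to both calls removes that risk. The literal `"change-me-in-admin-console"` also means that whenever this path is the one that creates the confidential eticket client, it starts life with a secret that is committed to the repository and nothing forces rotation; the realm JSON hunk below carries the same value. Reading it from the environment with `:?` makes the sync fail loudly instead of installing a well-known secret; the JSON import would need the same treatment or a post-import regeneration step, which this note does not cover.
```shell
  log "Reconciling eticket client"
  eticket_redirect_uris='["https://ticket.e-cosplay.fr/api/auth/login/sso/validate","https://cos.local/api/auth/login/sso/validate","https://ticket.e-cosplay.fr/connection/sso/check","https://cos.local/connection/sso/check"]'
  eticket_web_origins='["https://ticket.e-cosplay.fr","https://cos.local"]'
  eticket_post_logout='https://ticket.e-cosplay.fr/*##https://cos.local/*'
  ensure_client ecosplay eticket "E-Ticket" \
    "Application billetterie ticket.e-cosplay.fr" \
    "${ETICKET_CLIENT_SECRET:?ETICKET_CLIENT_SECRET must be set}" \
    "$eticket_redirect_uris" "$eticket_web_origins" "$eticket_post_logout"
  set_client_uris ecosplay eticket \
    "$eticket_redirect_uris" "$eticket_web_origins" "$eticket_post_logout"
```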
@@ -116,6 +116,34 @@
         "post.logout.redirect.uris": "https://www.e-cosplay.fr/*##https://cos.local/*",
         "pkce.code.challenge.method": "S256"
       }
+    },
+    {
+      "clientId": "eticket",
+      "name": "E-Ticket",
+      "description": "Application billetterie ticket.e-cosplay.fr",
+      "enabled": true,
+      "publicClient": false,
+      "secret": "change-me-in-admin-console",
+      "redirectUris": [
+        "https://ticket.e-cosplay.fr/api/auth/login/sso/validate",
+        "https://cos.local/api/auth/login/sso/validate",
+        "https://ticket.e-cosplay.fr/connection/sso/check",
+        "https://cos.local/connection/sso/check"
+      ],
+      "webOrigins": [
+        "https://ticket.e-cosplay.fr",
+        "https://cos.local"
+      ],
+      "protocol": "openid-connect",
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "frontchannelLogout": true,
+      "attributes": {
+        "post.logout.redirect.uris": "https://ticket.e-cosplay.fr/*##https://cos.local/*",
+        "pkce.code.challenge.method": "S256"
+      }
     }
   ]
 }
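Review bot: `"post.logout.redirect.uris"` allows any path under `https://ticket.e-cosplay.fr/*` and `https://cos.local/*`, while the four `redirectUris` above it are exact; the wildcard mirrors the existing client, but a logout can then land on any page of those hosts, and naming the actual post-logout landing URLs would keep the new client as tight as its login URIs. The committed `"secret"` value is the same point already raised on the sync.sh hunk and is not repeated here. A fresh import is the path that actually creates this client, so whatever rotation or environment-sourcing approach is chosen has to apply to this file as well as to sync.sh.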