- Add a configure_webauthn helper to sync.sh that sets the
WebAuthn policy (both 2FA and passwordless variants) on a
realm and enables the webauthn-register and
webauthn-register-passwordless required actions so users can
self-enroll passkeys via the account console.
- Apply it to both master (RP "E-Cosplay Auth") and ecosplay
(RP "E-Cosplay") on every sync run, idempotent.
- Mirror the same policy fields and required actions in the
ecosplay realm import JSON for fresh installs. Sensible
defaults: ES256/RS256/EdDSA, user verification preferred,
no attestation, resident key not specified.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Gitea 1.25.5 and earlier do not send PKCE code_challenge_method
on OIDC sources, so enforcing PKCE in Keycloak causes:

    Missing parameter: code_challenge_method

at the /auth endpoint. Drop the pkce.code.challenge.method
attribute from the ecosplay_code client block in the realm
import JSON, and add a set_client_pkce helper to sync.sh that
clears the attribute on existing installs. All other clients
(ecosplay_web, eticket) keep S256.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The Gitea OAuth2 provider name changed from esy_lock to
ecosplay_code, so the callback path follows:

    /user/oauth2/ecosplay_code/callback

Update both the realm import JSON and sync.sh reconciliation
for code.e-cosplay.fr and cos.local.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Rename the bootstrap human admin from jovann@siteconseil.fr to
jovann@e-cosplay.fr in docker-compose env vars and in the realm
import JSON. Keycloak identifies users by username so a new user
is created on the next sync run; the old jovann@siteconseil.fr
is left in place and can be deleted manually from the admin UI.
- Introduce a service account client `sync-bot` in the master
realm (confidential, service accounts enabled, direct grants off)
granted the `admin` realm role. sync.sh now authenticates via
client_credentials, falling back to the bootstrap admin only on
the very first run — so reconciliation keeps working after the
default admin is disabled.
- Add disable_default_admin() at the end of the sync script. It
first verifies that sync-bot can authenticate, then flips the
`admin` user's `enabled` flag to false. Idempotent and safe:
refuses to run if sync-bot auth is broken, and is a no-op if
admin is already disabled.
- SYNC_BOT_CLIENT / SYNC_BOT_SECRET env vars added to the init
container for both bootstrap authentication and service client
secret reconciliation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Rename OIDC client ecosplay-web -> ecosplay_web in the realm import
JSON. The client is used by the internal e-cosplay site for OAuth.
- Replace wildcard redirect URIs with the two exact callbacks:
https://www.e-cosplay.fr/oauth/keycloak and
https://cos.local/oauth/keycloak. webOrigins and post-logout URIs
follow the same hosts.
- Add helpers to sync.sh (client_internal_id, rename_client,
set_client_uris) and a reconciliation step that renames any legacy
ecosplay-web -> ecosplay_web and idempotently re-applies the URIs
on every run, so live installs are migrated automatically.
- Set the bootstrap admin user's real first/last name (jovann Serreau)
in both the env vars and the realm import JSON.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

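The commits above pin several invariants in the realm import JSON: exact (non-wildcard) redirect URIs, S256 PKCE on every client except `ecosplay_code`, and the WebAuthn required actions enabled. As an added example (not part of this repository's sync.sh), the linter below checks those invariants on a realm document before it is imported; the realm fragment is constructed here, using Keycloak RealmRepresentation field names, and the `lint_realm` / `sample_realm` helpers are assumed names.

```python
# Clients that may not carry a PKCE method: Gitea <= 1.25.5 sends no
# code_challenge_method, so S256 here breaks the /auth request.
PKCE_EXEMPT = {"ecosplay_code"}
WEBAUTHN_ACTIONS = {"webauthn-register", "webauthn-register-passwordless"}
EXPECTED_ALGS = {"ES256", "RS256", "EdDSA"}


def sample_realm() -> dict:
    """Constructed realm-import fragment (not the project's real file)."""
    return {
        "realm": "ecosplay",
        "webAuthnPolicyRpEntityName": "E-Cosplay",
        "webAuthnPolicySignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
        "webAuthnPolicyUserVerificationRequirement": "preferred",
        "requiredActions": [
            {"alias": "webauthn-register", "enabled": True},
            {"alias": "webauthn-register-passwordless", "enabled": True},
        ],
        "clients": [
            {"clientId": "ecosplay_web",
             "redirectUris": ["https://www.e-cosplay.fr/oauth/keycloak",
                              "https://cos.local/oauth/keycloak"],
             "attributes": {"pkce.code.challenge.method": "S256"}},
            {"clientId": "ecosplay_code",
             "redirectUris": [
                 "https://code.e-cosplay.fr/user/oauth2/ecosplay_code/callback"],
             "attributes": {}},
        ],
    }


def lint_realm(realm: dict) -> list[str]:
    """Return every violation of the import-JSON invariants; empty means clean."""
    findings = []
    for client in realm.get("clients", []):
        cid = client.get("clientId", "?")
        pkce = client.get("attributes", {}).get("pkce.code.challenge.method")
        if cid in PKCE_EXEMPT and pkce:
            findings.append(f"{cid}: PKCE {pkce} set on a PKCE-exempt client")
        elif cid not in PKCE_EXEMPT and pkce != "S256":
            findings.append(f"{cid}: pkce.code.challenge.method must be S256")
        for uri in client.get("redirectUris", []):
            if "*" in uri:  # wildcards widen the redirect target set
                findings.append(f"{cid}: wildcard redirect URI {uri}")
    enabled = {a["alias"] for a in realm.get("requiredActions", [])
               if a.get("enabled")}
    for action in sorted(WEBAUTHN_ACTIONS - enabled):
        findings.append(f"required action {action} is not enabled")
    if set(realm.get("webAuthnPolicySignatureAlgorithms", [])) != EXPECTED_ALGS:
        findings.append("webAuthnPolicySignatureAlgorithms differ from expected set")
    return findings
```

Run it against the real import file with `lint_realm(json.load(open(path)))` as a pre-import step in CI; a non-empty list should fail the pipeline.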
- Move the inline keycloak-init bash block out of docker-compose.yml
into init/sync.sh, mounted into the init container at /opt/init.
The script is fully idempotent and is the new entry point for any
future role/group/user/realm configuration changes — re-run with
`docker compose up -d keycloak-init --force-recreate`.
- Add reusable helper functions (ensure_user, ensure_group,
ensure_user_in_group, ensure_user_realm_role, ensure_user_client_role)
on top of kcadm.sh, with safe parsing of user/group IDs.
- Bootstrap admin identity jovann@siteconseil.fr (password Shoko1997@)
in both realms:
* master realm: granted the global `admin` role.
* ecosplay realm: granted realm-management/realm-admin and added
to groups super_admin_asso and superadmin.
Both users have CONFIGURE_TOTP as a required action so OTP enrollment
is forced at first login.
- Mirror the ecosplay user in the realm import JSON for fresh installs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>