
Merge pull request from GHSA-jr7f-g7p4-v985
Fix keycloak clients with empty secrets
tobybellwood authored Apr 8, 2022
2 parents 1a62884 + c4a0489 commit a74d4e5
Showing 2 changed files with 7 additions and 0 deletions.
1 change: 1 addition & 0 deletions services/keycloak/Dockerfile
Expand Up @@ -54,6 +54,7 @@ ENV TMPDIR=/tmp \
PROXY_ADDRESS_FORWARDING=true \
KEYCLOAK_API_CLIENT_SECRET=39d5282d-3684-4026-b4ed-04bbc034b61a \
KEYCLOAK_AUTH_SERVER_CLIENT_SECRET=f605b150-7636-4447-abd3-70988786b330 \
KEYCLOAK_SERVICE_API_CLIENT_SECRET=d3724d52-34d1-4967-a802-4d178678564b \
JAVA_OPTS="-server -Xms2048m -Xmx4096m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"

VOLUME /opt/jboss/keycloak/standalone/data
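Review bot: The KEYCLOAK_SERVICE_API_CLIENT_SECRET default on the new ENV line is a fixed UUID committed to the repository, so any deployment that does not override it ships a publicly known secret, exactly like the two *_CLIENT_SECRET defaults above it (which of the seven lines is the addition is not marked on this rendering, so that is inferred from the diffstat). If the intent is that the service-api secret is always replaced at boot by regen_client_secrets in services/keycloak/start.sh, say so next to the line, e.g. `# placeholder only: regen_client_secrets in start.sh replaces this on every start`, and consider whether the same applies to the other two defaults, which this commit does not regenerate. The ENV instruction begins above the hunk.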
6 changes: 6 additions & 0 deletions services/keycloak/start.sh
Expand Up @@ -1748,6 +1748,11 @@ function configure_token_exchange {
/opt/jboss/keycloak/bin/kcadm.sh update clients/$REALM_MANAGEMENT_CLIENT_ID/authz/resource-server/permission/scope/$IMPERSONATE_PERMISSION_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'policies=["'$AUTH_SERVER_CLIENT_POLICY_ID'","'$SERVICE_API_CLIENT_POLICY_ID'"]' -s 'decisionStrategy="AFFIRMATIVE"'
}

function regen_client_secrets {
SERVICE_API_CLIENT_ID=$(/opt/jboss/keycloak/bin/kcadm.sh get -r ${KEYCLOAK_REALM:-master} clients?clientId=service-api --config $CONFIG_PATH | python -c 'import sys, json; print json.load(sys.stdin)[0]["id"]')
/opt/jboss/keycloak/bin/kcadm.sh create clients/$SERVICE_API_CLIENT_ID/client-secret --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master}
}

function configure_keycloak {
until is_keycloak_running; do
echo Keycloak still not running, waiting 5 seconds
Expand Down Expand Up @@ -1776,6 +1781,7 @@ function configure_keycloak {
update_openshift_view_permission
configure_service_api_client
configure_token_exchange
regen_client_secrets

echo "Config of Keycloak done. Log in via admin user '$KEYCLOAK_ADMIN_USER' and password '$KEYCLOAK_ADMIN_PASSWORD'"

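Review bot: regen_client_secrets has no check that the client lookup succeeded: if the kcadm get fails or returns an empty list, the python one-liner raises, SERVICE_API_CLIENT_ID stays empty, and the next line posts to `clients//client-secret`, so the regeneration this fix depends on is silently skipped unless the script runs under set -e (not visible here). Guard it before the create call, `[ -n "$SERVICE_API_CLIENT_ID" ] || { echo "service-api client not found, secret not regenerated" >&2; return 1; }`. Two smaller points on the same line: `clients?clientId=service-api` and `$CONFIG_PATH` are unquoted (the `?` is a glob character), and `print json.load(...)` is Python 2 statement syntax, so the function breaks if `python` resolves to Python 3 — both appear to follow the existing style of the file. The call site in the second hunk sits inside configure_keycloak, which starts above that hunk; a one-line comment on the new function stating that the secret is rotated on every container start and that consumers must fetch it fresh rather than rely on the Dockerfile default would help.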
