diff --git a/services/keycloak/Dockerfile b/services/keycloak/Dockerfile
index aaaa86c90f..b4a3a4387e 100644
--- a/services/keycloak/Dockerfile
+++ b/services/keycloak/Dockerfile
@@ -54,6 +54,7 @@ ENV TMPDIR=/tmp \
 PROXY_ADDRESS_FORWARDING=true \
 KEYCLOAK_API_CLIENT_SECRET=39d5282d-3684-4026-b4ed-04bbc034b61a \
 KEYCLOAK_AUTH_SERVER_CLIENT_SECRET=f605b150-7636-4447-abd3-70988786b330 \
+ KEYCLOAK_SERVICE_API_CLIENT_SECRET=d3724d52-34d1-4967-a802-4d178678564b \
 JAVA_OPTS="-server -Xms2048m -Xmx4096m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"
 
 VOLUME /opt/jboss/keycloak/standalone/data
diff --git a/services/keycloak/start.sh b/services/keycloak/start.sh
index 56bbb7cb8c..5ff82ef11c 100755
--- a/services/keycloak/start.sh
+++ b/services/keycloak/start.sh
@@ -1748,6 +1748,11 @@ function configure_token_exchange {
 /opt/jboss/keycloak/bin/kcadm.sh update clients/$REALM_MANAGEMENT_CLIENT_ID/authz/resource-server/permission/scope/$IMPERSONATE_PERMISSION_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'policies=["'$AUTH_SERVER_CLIENT_POLICY_ID'","'$SERVICE_API_CLIENT_POLICY_ID'"]' -s 'decisionStrategy="AFFIRMATIVE"'
 }
 
+function regen_client_secrets {
+ SERVICE_API_CLIENT_ID=$(/opt/jboss/keycloak/bin/kcadm.sh get -r ${KEYCLOAK_REALM:-master} clients?clientId=service-api --config $CONFIG_PATH | python -c 'import sys, json; print json.load(sys.stdin)[0]["id"]')
+ /opt/jboss/keycloak/bin/kcadm.sh create clients/$SERVICE_API_CLIENT_ID/client-secret --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master}
+}
+
 function configure_keycloak {
 until is_keycloak_running; do
 echo Keycloak still not running, waiting 5 seconds
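Review bot: The new `KEYCLOAK_SERVICE_API_CLIENT_SECRET` value is baked into the image as an `ENV`, so it is readable by anyone who can pull the image (`docker inspect`, `docker history`) and now sits permanently in the repository history; the two sibling `*_CLIENT_SECRET` lines already follow this pattern, so this continues an existing convention rather than opening a new hole, but the new line should at least be labelled as such. The same commit adds `regen_client_secrets` to `start.sh`, which as I read it asks Keycloak to generate a fresh secret for the `service-api` client whenever `configure_keycloak` runs, so this static value presumably stops matching what Keycloak holds after the first start unless something outside this diff reconciles them. A comment above the ENV block would make the intent explicit, e.g. `# Development defaults only: override the *_CLIENT_SECRET values at deploy time; start.sh (regen_client_secrets) rotates the service-api secret on each configure run`.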
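Review bot: `regen_client_secrets` discards the secret it just generated — the output of `kcadm.sh create clients/$SERVICE_API_CLIENT_ID/client-secret` is neither captured nor exported — while the Dockerfile hunk in this same commit pins a fixed `KEYCLOAK_SERVICE_API_CLIENT_SECRET`, so once this function runs the secret Keycloak stores and the one consumers read from the environment presumably no longer agree; if rotation-on-start is intended the new value has to be captured and propagated, and if it was meant as a one-off it needs a guard so it does not rerun on every `configure_keycloak` invocation. The function also has no failure path: when the `kcadm.sh get` returns an empty list the Python one-liner raises `IndexError`, `SERVICE_API_CLIENT_ID` ends up empty and the next line POSTs to `clients//client-secret` (nothing in the hunk shows `set -e`), so insert `[ -n "$SERVICE_API_CLIENT_ID" ] || { echo "service-api client not found" >&2; return 1; }` between the two lines. Whether kcadm echoes the response body here I cannot confirm from the hunk; if it does, the fresh secret lands in the container log, so either capture it into a variable or redirect it. Style-wise, `print json.load(...)` is Python 2 syntax and `clients?clientId=service-api`, `$CONFIG_PATH` and `$SERVICE_API_CLIENT_ID` are unquoted (`?` is a glob character), which matches the surrounding file (the context line above does the same) but will break if the image's Python moves to 3.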
@@ -1776,6 +1781,7 @@ function configure_keycloak {
 update_openshift_view_permission
 configure_service_api_client
 configure_token_exchange
+ regen_client_secrets
 echo "Config of Keycloak done. Log in via admin user '$KEYCLOAK_ADMIN_USER' and password '$KEYCLOAK_ADMIN_PASSWORD'"