support to flip implicit flow with newer adw

Alfresco · May 31, 2024 · 5c3a82d · 5c3a82d
1 parent fbdedc8
commit 5c3a82d
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 7 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -144,7 +144,7 @@
         "filename": "playbooks/acs.yml",
         "hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd",
         "is_verified": false,
-        "line_number": 398,
+        "line_number": 402,
         "is_secret": false
       }
     ],
@@ -259,5 +259,5 @@
       }
     ]
   },
-  "generated_at": "2024-05-21T11:53:50Z"
+  "generated_at": "2024-05-31T10:49:58Z"
 }
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
@@ -43,6 +43,7 @@
       when: identity_enabled
       ansible.builtin.set_fact:
         identity_url: "{{ alfresco_url }}/auth"
+        code_flow_pkce_supported: "{{ adw.version is version('4.5.0', 'ge') }}"
 
 - name: Database Role
   hosts: database
@@ -99,6 +100,7 @@
       identity_admin_username: admin
       identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}"
       identity_keycloak_http_port: "{{ ports_cfg.identity.http }}"
+      identity_default_client_implicit_flow_enabled: "{{ not code_flow_pkce_supported }}"
       when: not groups.external_identity | default([])
   tasks:
     - name: Configure Realm
@@ -342,6 +344,8 @@
           oauth2:
             host: "{protocol}//{hostname}{:port}/auth/realms/alfresco"
             clientId: alfresco
+            implicitFlow: "{{ not code_flow_pkce_supported }}"
+            codeFlow: "{{ code_flow_pkce_supported }}"
 
 - name: Alfresco Control Center Role
   hosts: acc

diff --git a/roles/identity/defaults/main.yml b/roles/identity/defaults/main.yml
@@ -14,3 +14,8 @@ identity_keycloak_http_relative_path: /auth
 
 identity_url: null
 identity_known_urls: []
+
+identity_default_realm_id: alfresco
+
+identity_default_client_id: alfresco
+identity_default_client_implicit_flow_enabled: true
diff --git a/roles/identity/meta/argument_specs.yml b/roles/identity/meta/argument_specs.yml
@@ -50,3 +50,8 @@ argument_specs:
         description:
           Set the base URL for frontend URL and admin console, including scheme, host, port and path.
           Will override identity_keycloak_host, identity_keycloak_http_port.
+      identity_default_client_implicit_flow_enabled:
+        type: bool
+        default: true
+        description: |
+          Enable or disable the implicit flow for the default client inside the default realm
diff --git a/roles/identity/tasks/realm.yml b/roles/identity/tasks/realm.yml
@@ -14,8 +14,8 @@
     auth_realm: master
     auth_username: "{{ identity_admin_username }}"
     auth_password: "{{ identity_admin_password }}"
-    id: alfresco
-    realm: alfresco
+    id: "{{ identity_default_realm_id }}"
+    realm: "{{ identity_default_realm_id }}"
     state: present
     access_token_lifespan: 300
     default_locale: en
@@ -48,10 +48,10 @@
     auth_realm: master
     auth_username: "{{ identity_admin_username }}"
     auth_password: "{{ identity_admin_password }}"
-    realm: alfresco
-    client_id: alfresco
+    realm: "{{ identity_default_realm_id }}"
+    client_id: "{{ identity_default_client_id }}"
     enabled: true
-    implicit_flow_enabled: true
+    implicit_flow_enabled: "{{ identity_default_client_implicit_flow_enabled }}"
     redirect_uris: "{{ identity_known_urls | map('regex_replace', '(.+)', '\\1/*') | list }}"
     web_origins: "{{ identity_known_urls }}"
     state: present