From f178677b1246ba123ff708f325ee039f05ef65c9 Mon Sep 17 00:00:00 2001 From: Matthieu Lamalle Date: Fri, 18 Nov 2022 12:12:33 +0100 Subject: [PATCH] (hydra) ajout url post logout --- defaults/main.yml | 22 ++++++++++++---------- sso.schema.yml | 4 +++- templates/cadoles-pod-hydra-v1.conf.j2 | 3 ++- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c9a8fda..eff7d6f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -43,6 +43,8 @@ hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_ hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent" hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login" hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout" +hydra_url_post_logout: "{{ haproxy_public_base_url }}" + hydra_log_level: warn hydra_log_leak_sensitive_values: no @@ -60,7 +62,7 @@ hydra_clients: hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}" hydra_dispatcher_debug: no -hydra_dispatcher_admin_authorized_hosts: +hydra_dispatcher_admin_authorized_hosts: - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' 
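Review bot: The new key `hydra_url_post_logout` breaks the `hydra_urls_` prefix shared by the three lines above it (`hydra_urls_consent`, `hydra_urls_login`, `hydra_urls_logout`); unless the singular form is needed to mirror an environment variable name fixed by the container image, `hydra_urls_post_logout` would keep the group greppable. The value is a browser redirect target with no comment saying what it is for, and the same file already declares an empty `hydra_oidc_post_logout_redirect_url` in the `hydra_oidc_*` block (which appears to describe the upstream OIDC provider), so the two are easy to confuse; a line above the new key such as `# URL users are sent to after logging out of Hydra (not hydra_oidc_post_logout_redirect_url); must be an absolute URL on a trusted origin` would settle both. The file's existing comments are in French, so match that if the maintainers prefer.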
@@ -87,12 +89,12 @@ hydra_passwordless_smtp_insecure_skip_verify: no hydra_passwordless_smtp_use_start_tls: no hydra_passwordless_sender_address: noreply@localhost hydra_passwordless_sender_name: "[hydra-passwordless]" -hydra_passwordless_attributes_rewrite_rules: +hydra_passwordless_attributes_rewrite_rules: email: - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" email_verified: - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false" - family_name: + family_name: - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" given_name: - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" @@ -138,10 +140,10 @@ hydra_saml_include_sp_default_attributes_policy: "yes" # Règles de sélection et réécritures des attributs du jeton OIDC # en provenance de la login-app sélectionnée -hydra_saml_attributes_rewrite_rules: +hydra_saml_attributes_rewrite_rules: email: - "consent.session.id_token.email ? consent.session.id_token.email : null" - family_name: + family_name: - "consent.session.id_token.family_name ? consent.session.id_token.family_name : null" given_name: - "consent.session.id_token.given_name ? consent.session.id_token.given_name : null" @@ -172,7 +174,7 @@ saml_attributes: nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri - id: mail name: urn:oid:0.9.2342.19200300.100.1.3 - nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri + nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri saml_attribute_policies: [] 
@@ -195,11 +197,11 @@ hydra_oidc_identity_provider_id: oidc hydra_oidc_authorize_endpoint: hydra_oidc_token_endpoint: hydra_oidc_userinfo_endpoint: -hydra_oidc_logout_endpoint: +hydra_oidc_logout_endpoint: hydra_oidc_post_logout_redirect_url: hydra_oidc_scope: openid email hydra_oidc_client_id: -hydra_oidc_client_secret: +hydra_oidc_client_secret: hydra_oidc_additionnal_env: {} hydra_oidc_app_options: {} hydra_oidc_attributes_rewrite_rules: @@ -207,7 +209,7 @@ hydra_oidc_attributes_rewrite_rules: - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" email_verified: - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false" - family_name: + family_name: - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" given_name: - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" @@ -234,7 +236,7 @@ hydra_ldap_attributes_rewrite_rules: - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" email_verified: - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false" - family_name: + family_name: - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" given_name: - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" diff --git a/sso.schema.yml b/sso.schema.yml index b179614..f52b6ec 100644 --- a/sso.schema.yml +++ b/sso.schema.yml @@ -78,6 +78,8 @@ properties: type: string hydra_urls_logout: type: string + hydra_url_post_logout: + type: string hydra_log_level: type: string @@ -153,4 +155,4 @@ properties: oidc_test_app_client_secret: type: string -additionalProperties: true \ No newline at end of file +additionalProperties: true 
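Review bot: The new `hydra_url_post_logout` schema entry in sso.schema.yml only enforces `type: string`, so an empty or relative value passes validation even though it is used as a browser redirect target. If the validator that consumes this schema honours JSON Schema formats, adding `format: uri` under the property would catch that before deployment; the neighbouring `hydra_urls_*` entries have the same gap, so apply it to the whole group or not at all. The enclosing `properties:` mapping starts above this hunk.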
diff --git a/templates/cadoles-pod-hydra-v1.conf.j2 b/templates/cadoles-pod-hydra-v1.conf.j2 index 0c38098..3e7fa77 100644 --- a/templates/cadoles-pod-hydra-v1.conf.j2 +++ b/templates/cadoles-pod-hydra-v1.conf.j2 @@ -14,9 +14,10 @@ PODMAN_ARGS="\ -e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \ -e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \ -e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \ + -e 'HYDRA_URL_POST_LOGOUT={{ hydra_url_post_logout }}' \ -e 'HYDRA_ALLOW_INSECURE=yes' \ -e 'HYDRA_LEVEL={{ hydra_log_level }}' \ -e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \ -e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \ -v /etc/hydra/clients.d:/etc/hydra/clients.d \ -" \ No newline at end of file +"
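Review bot: The new `HYDRA_URL_POST_LOGOUT={{ hydra_url_post_logout }}` line interpolates the variable straight into a single-quoted shell word, so a value containing `'` terminates the quote and corrupts `PODMAN_ARGS`; the `HYDRA_URLS_*` lines above do the same, so it is consistent, but a comment such as `# values are placed inside single quotes and must not contain '` (or building each `-e` argument with Ansible's `quote` filter instead of hand-written quotes) would make the constraint explicit. Separately, and not introduced by this change, the two `lookup('ansible.builtin.password', ...)` context lines below it pass `seed=hydra_secrets_seed` as literal text inside the lookup string rather than as a Jinja expression, which would make `HYDRA_SECRETS_SYSTEM` and the pairwise salt identical to each other and the same on every host; if a per-deployment variable was intended it needs `{{ }}` interpolation, which should be confirmed. The `PODMAN_ARGS="\` assignment starts above this hunk.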