(hydra) ajout url post logout

2022-11-18 12:12:33 +01:00 · 2022-11-18 12:12:33 +01:00 · f178677b12
parent 8953a1ca1b
commit f178677b12
3 changed files with 17 additions and 12 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -43,6 +43,8 @@ hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_
 hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
 hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
 hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
+hydra_url_post_logout: "{{ haproxy_public_base_url }}"
+

 hydra_log_level: warn
 hydra_log_leak_sensitive_values: no
@ -60,7 +62,7 @@ hydra_clients:

 hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}"
 hydra_dispatcher_debug: no
-hydra_dispatcher_admin_authorized_hosts: 
+hydra_dispatcher_admin_authorized_hosts:
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
@ -87,12 +89,12 @@ hydra_passwordless_smtp_insecure_skip_verify: no
 hydra_passwordless_smtp_use_start_tls: no
 hydra_passwordless_sender_address: noreply@localhost
 hydra_passwordless_sender_name: "[hydra-passwordless]"
-hydra_passwordless_attributes_rewrite_rules: 
+hydra_passwordless_attributes_rewrite_rules:
    email:
      - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
    email_verified:
      - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
-    family_name: 
+    family_name:
      - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
    given_name:
      - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
@ -138,10 +140,10 @@ hydra_saml_include_sp_default_attributes_policy: "yes"

 # Règles de sélection et réécritures des attributs du jeton OIDC
 # en provenance de la login-app sélectionnée
-hydra_saml_attributes_rewrite_rules: 
+hydra_saml_attributes_rewrite_rules:
  email:
    - "consent.session.id_token.email ? consent.session.id_token.email : null"
-  family_name: 
+  family_name:
    - "consent.session.id_token.family_name ? consent.session.id_token.family_name : null"
  given_name:
    - "consent.session.id_token.given_name ? consent.session.id_token.given_name : null"
@ -172,7 +174,7 @@ saml_attributes:
    nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
  - id: mail
    name: urn:oid:0.9.2342.19200300.100.1.3
-    nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri 
+    nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri

 saml_attribute_policies: []

@ -195,11 +197,11 @@ hydra_oidc_identity_provider_id: oidc
 hydra_oidc_authorize_endpoint:
 hydra_oidc_token_endpoint:
 hydra_oidc_userinfo_endpoint:
-hydra_oidc_logout_endpoint: 
+hydra_oidc_logout_endpoint:
 hydra_oidc_post_logout_redirect_url:
 hydra_oidc_scope: openid email
 hydra_oidc_client_id:
-hydra_oidc_client_secret: 
+hydra_oidc_client_secret:
 hydra_oidc_additionnal_env: {}
 hydra_oidc_app_options: {}
 hydra_oidc_attributes_rewrite_rules:
@ -207,7 +209,7 @@ hydra_oidc_attributes_rewrite_rules:
    - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
  email_verified:
    - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
-  family_name: 
+  family_name:
    - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
  given_name:
    - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
@ -234,7 +236,7 @@ hydra_ldap_attributes_rewrite_rules:
    - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
  email_verified:
    - "property_exists(consent.session.id_token, 'email_verified') ? consent.session.id_token.email_verified : false"
-  family_name: 
+  family_name:
    - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
  given_name:
    - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
--- a/sso.schema.yml
+++ b/sso.schema.yml
@ -78,6 +78,8 @@ properties:
    type: string
  hydra_urls_logout:
    type: string
+  hydra_url_post_logout:
+    type: string

  hydra_log_level:
    type: string
@ -153,4 +155,4 @@ properties:
  oidc_test_app_client_secret:
    type: string

-additionalProperties: true
+additionalProperties: true
--- a/templates/cadoles-pod-hydra-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-v1.conf.j2
@ -14,9 +14,10 @@ PODMAN_ARGS="\
    -e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \
    -e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \
    -e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \
+    -e 'HYDRA_URL_POST_LOGOUT={{ hydra_url_post_logout }}' \
    -e 'HYDRA_ALLOW_INSECURE=yes' \
    -e 'HYDRA_LEVEL={{ hydra_log_level }}' \
    -e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
    -e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
    -v /etc/hydra/clients.d:/etc/hydra/clients.d \
-"
+"