diff --git a/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php b/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php
index f04ef62aa..46b48c1fe 100644
--- a/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php
+++ b/configurator/src/Configurator/Vendor/Keycloak/KeycloakConfigurator.php
@@ -70,12 +70,18 @@ public function configure(OutputInterface $output, array $presets): void
         $appScopes = $this->getAppScopes();
         foreach ($this->symfonyApplications as $app) {
             $clientId = getenv(sprintf('%s_ADMIN_CLIENT_ID', strtoupper($app)));
+            $baseUri = getenv(sprintf('%s_API_URL', strtoupper($app)));
+
             $clientData = $this->configureClient(
                 $clientId,
                 getenv(sprintf('%s_ADMIN_CLIENT_SECRET', strtoupper($app))),
-                getenv(sprintf('%s_API_URL', strtoupper($app))).'/admin',
+                $baseUri,
                 [
                     'serviceAccountsEnabled' => true,
+                ],
+                redirectUris: [
+                    $baseUri.'/admin/*',
+                    $baseUri.'/bundles/apiplatform/swagger-ui/oauth2-redirect.html',
                 ]
             );
 
@@ -198,12 +204,14 @@ private function configureClient(
         ?string $clientSecret,
         string $baseUri,
         array $data = [],
+        ?array $redirectUris = null,
     ): array {
         $clientData = $this->keycloakManager->createClient(
             $clientId,
             $clientSecret,
             $baseUri,
             $data,
+            $redirectUris,
         );
 
         foreach ([
diff --git a/configurator/src/Configurator/Vendor/Keycloak/KeycloakManager.php b/configurator/src/Configurator/Vendor/Keycloak/KeycloakManager.php
index 239a790de..67ca221db 100644
--- a/configurator/src/Configurator/Vendor/Keycloak/KeycloakManager.php
+++ b/configurator/src/Configurator/Vendor/Keycloak/KeycloakManager.php
@@ -274,8 +274,9 @@ public function addServiceAccountRole(
     public function createClient(
         string $clientId,
         ?string $clientSecret,
-        ?string $baseUri,
+        ?string $rootUrl,
         array $data = [],
+        ?array $redirectUris = null,
     ): array {
         $client = $this->getClientByClientId($clientId);
 
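Review bot: The new `$baseUri = getenv(sprintf('%s_API_URL', ...))` is passed unchecked into `configureClient(..., string $baseUri, ...)` and concatenated into both redirect URIs, but `getenv()` returns `false` when the variable is unset; depending on whether the file declares strict_types that is either a TypeError or a silently registered root-relative redirect such as `/admin/*` with an empty root URL. Fail early instead: `$baseUri = getenv(sprintf('%s_API_URL', strtoupper($app))) ?: throw new \RuntimeException(sprintf('%s_API_URL is not set', strtoupper($app)));`. The `$clientId` and client-secret lookups in the context lines have the same gap. The enclosing `configure()` method continues outside the hunk.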
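Review bot: The new `?array $redirectUris = null` parameter on `configureClient` (and on `createClient` in the KeycloakManager.php hunk) carries no docblock, so neither the element type nor the meaning of `null` is stated anywhere. Add `@param list<string>|null $redirectUris Absolute redirect URIs to register on the client; null keeps the manager's default` above `configureClient`, and on `createClient` say that null falls back to `$rootUrl.'/*'` while an explicit `[]` registers no redirect URI at all. Both function bodies start and end outside their hunks.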
@@ -284,10 +285,10 @@ public function createClient(
             'secret' => $clientSecret,
             'publicClient' => null === $clientSecret,
             'frontchannelLogout' => false,
-            'rootUrl' => $baseUri,
-            'redirectUris' => $baseUri ? [
-                $baseUri.'/*',
-            ] : null,
+            'rootUrl' => $rootUrl,
+            'redirectUris' => $redirectUris ?? ($rootUrl ? [
+                $rootUrl.'/*',
+            ] : null),
         ], $data);
 
         if (null !== $client) {
diff --git a/databox/api/config/packages/api_platform.yaml b/databox/api/config/packages/api_platform.yaml
index 35796e9ff..0a6411351 100644
--- a/databox/api/config/packages/api_platform.yaml
+++ b/databox/api/config/packages/api_platform.yaml
@@ -18,7 +18,7 @@ api_platform:
    oauth:
        clientId: '%env(ADMIN_CLIENT_ID)%'
        clientSecret: '%env(ADMIN_CLIENT_SECRET)%'
-        tokenUrl: '%env(KEYCLOAK_URL)%/oauth/v2/token'
+        tokenUrl: '%env(KEYCLOAK_URL)%/realms/%env(KEYCLOAK_REALM_NAME)%/protocol/openid-connect/token'
+        authorizationUrl: '%env(KEYCLOAK_URL)%/realms/%env(KEYCLOAK_REALM_NAME)%/protocol/openid-connect/auth'
        flow: authorizationCode
-        authorizationUrl: '%env(KEYCLOAK_URL)%/oauth/v2/auth'
    event_listeners_backward_compatibility_layer: false
diff --git a/expose/api/config/packages/api_platform.yaml b/expose/api/config/packages/api_platform.yaml
index 2592f3cd0..2a7f9b6c9 100644
--- a/expose/api/config/packages/api_platform.yaml
+++ b/expose/api/config/packages/api_platform.yaml
@@ -10,9 +10,8 @@ api_platform:
        html: ['text/html']
        multipart: ['multipart/form-data']
    oauth:
-        enabled: true
-        type: 'oauth2'
-        flow: 'password'
-        tokenUrl: '%env(KEYCLOAK_URL)%/oauth/v2/token'
-        authorizationUrl: '%env(KEYCLOAK_URL)%/oauth/v2/auth'
-        scopes: []
+        clientId: '%env(ADMIN_CLIENT_ID)%'
+        clientSecret: '%env(ADMIN_CLIENT_SECRET)%'
+        tokenUrl: '%env(KEYCLOAK_URL)%/realms/%env(KEYCLOAK_REALM_NAME)%/protocol/openid-connect/token'
+        authorizationUrl: '%env(KEYCLOAK_URL)%/realms/%env(KEYCLOAK_REALM_NAME)%/protocol/openid-connect/auth'
+        flow: authorizationCode
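Review bot: The fallback `$redirectUris ?? ($rootUrl ? [$rootUrl.'/*'] : null)` still registers a whole-origin wildcard redirect URI for every caller that passes no explicit list, and nothing in the hunk says which callers are expected to rely on that. A comment above the `'redirectUris'` entry such as `// null keeps the whole-origin wildcard for legacy callers; pass exact URIs wherever they are known` would make the intent visible, and it is worth noting there that `??` only tests for null, so an explicit `[]` yields a client with an empty redirect list rather than the fallback. `createClient()` starts and ends outside the hunk.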
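Review bot: The new `clientSecret: '%env(ADMIN_CLIENT_SECRET)%'` line in expose's `oauth` block hands the admin client's secret to Swagger UI, and as far as I can tell API Platform renders this block into the interactive docs page, so the secret of a client the configurator also creates with `serviceAccountsEnabled` (KeycloakConfigurator.php hunk) reaches every browser that loads the docs unless that route is access-controlled. The uploader hunk adds the same two lines and the databox file already carries them. A browser-driven authorization-code flow is better served by a dedicated public client with PKCE and only the exact `oauth2-redirect.html` redirect URI, keeping the service-account credentials server-side; if a secret must stay here, use a separate low-privilege client rather than `ADMIN_CLIENT_*`. Either way, a comment in the block stating why this client is shared with the docs UI would help the next reader judge the exposure.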
diff --git a/uploader/api/config/packages/api_platform.yaml b/uploader/api/config/packages/api_platform.yaml
index e7efc8834..3c01b855a 100644
--- a/uploader/api/config/packages/api_platform.yaml
+++ b/uploader/api/config/packages/api_platform.yaml
@@ -15,9 +15,8 @@ api_platform:
        html: ['text/html']
        multipart: ['multipart/form-data']
    oauth:
-        enabled: true
-        type: 'oauth2'
-        flow: 'password'
-        tokenUrl: '%env(KEYCLOAK_URL)%/oauth/v2/token'
-        authorizationUrl: '%env(KEYCLOAK_URL)%/oauth/v2/auth'
-        scopes: []
+        clientId: '%env(ADMIN_CLIENT_ID)%'
+        clientSecret: '%env(ADMIN_CLIENT_SECRET)%'
+        tokenUrl: '%env(KEYCLOAK_URL)%/realms/%env(KEYCLOAK_REALM_NAME)%/protocol/openid-connect/token'
+        authorizationUrl: '%env(KEYCLOAK_URL)%/realms/%env(KEYCLOAK_REALM_NAME)%/protocol/openid-connect/auth'
+        flow: authorizationCode