id.afnix.fr: add broker flows and render first / last name optional #302

Open
raito wants to merge 2 commits from broker-flows into main
raito commented 2025-08-28 00:22:55 +00:00 (Migrated from git.lix.systems)

Fixes #284.
Depends on #265.

raito commented 2025-08-28 00:41:36 +00:00 (Migrated from git.lix.systems)

The plan looks good once it is rebased on #265.

```
  # keycloak_authentication_execution.create_user_if_unique will be created
  + resource "keycloak_authentication_execution" "create_user_if_unique" {
      + authenticator     = "idp-create-user-if-unique"
      + id                = (known after apply)
      + parent_flow_alias = "first broker login / User creation or linking"
      + priority          = 10
      + realm_id          = "afnix"
      + requirement       = "REQUIRED"
    }

  # keycloak_authentication_execution.review_profile will be created
  + resource "keycloak_authentication_execution" "review_profile" {
      + authenticator     = "idp-review-profile"
      + id                = (known after apply)
      + parent_flow_alias = "first broker login"
      + priority          = 10
      + realm_id          = "afnix"
      + requirement       = "REQUIRED"
    }

  # keycloak_authentication_flow.first_broker_login will be created
  + resource "keycloak_authentication_flow" "first_broker_login" {
      + alias       = "first broker login"
      + description = <<-EOT
            Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account
        EOT
      + id          = (known after apply)
      + provider_id = "basic-flow"
      + realm_id    = "afnix"
    }

  # keycloak_authentication_flow.post_github_login will be created
  + resource "keycloak_authentication_flow" "post_github_login" {
      + alias       = "post github login"
      + description = <<-EOT
            Enforce bans post github login since it bypasses the normal flow
        EOT
      + id          = (known after apply)
      + provider_id = "basic-flow"
      + realm_id    = "afnix"
    }

  # keycloak_authentication_subflow.first_broker_login_creation_or_linkage will be created
  + resource "keycloak_authentication_subflow" "first_broker_login_creation_or_linkage" {
      + alias             = "first broker login / User creation or linking"
      + description       = <<-EOT
            Flow for the existing / non existing user alternatives.
        EOT
      + id                = (known after apply)
      + parent_flow_alias = "first broker login"
      + priority          = 20
      + provider_id       = "basic-flow"
      + realm_id          = "afnix"
      + requirement       = "REQUIRED"
    }

  # keycloak_realm_user_profile.default_user_profile will be created
  + resource "keycloak_realm_user_profile" "default_user_profile" {
      + id                         = (known after apply)
      + realm_id                   = "afnix"
      + unmanaged_attribute_policy = "ADMIN_EDIT"

      + attribute {
          + display_name       = "${username}"
          + group              = "user-metadata"
          + multi_valued       = false
          + name               = "username"
          + required_for_roles = [
              + "admin",
              + "user",
            ]

          + permissions {
              + edit = [
                  + "admin",
                  + "user",
                ]
              + view = [
                  + "admin",
                  + "user",
                ]
            }

          + validator {
              + config = {
                  + "max" = "255"
                  + "min" = "3"
                }
              + name   = "length"
            }
          + validator {
              + name = "up-username-not-idn-homograph"
            }
          + validator {
              + name = "username-prohibited-characters"
            }
        }
      + attribute {
          + display_name       = "${email}"
          + group              = "user-metadata"
          + multi_valued       = false
          + name               = "email"
          + required_for_roles = [
              + "admin",
              + "user",
            ]

          + permissions {
              + edit = [
                  + "admin",
                  + "user",
                ]
              + view = [
                  + "admin",
                  + "user",
                ]
            }

          + validator {
              + config = {
                  + "max" = "255"
                  + "min" = "0"
                }
              + name   = "length"
            }
          + validator {
              + name = "email"
            }
        }
      + attribute {
          + display_name = "${firstName}"
          + group        = "user-metadata"
          + multi_valued = false
          + name         = "firstName"

          + permissions {
              + edit = [
                  + "admin",
                  + "user",
                ]
              + view = [
                  + "admin",
                  + "user",
                ]
            }

          + validator {
              + config = {
                  + "max" = "255"
                  + "min" = "0"
                }
              + name   = "length"
            }
          + validator {
              + name = "person-name-prohibited-chars"
            }
        }
      + attribute {
          + display_name = "${lastName}"
          + group        = "user-metadata"
          + multi_valued = false
          + name         = "lastName"

          + permissions {
              + edit = [
                  + "admin",
                  + "user",
                ]
              + view = [
                  + "admin",
                  + "user",
                ]
            }

          + validator {
              + config = {
                  + "max" = "255"
                  + "min" = "0"
                }
              + name   = "length"
            }
          + validator {
              + name = "person-name-prohibited-chars"
            }
        }

      + group {
          + display_description = "Attributes, which refer to user metadata"
          + display_header      = "User metadata"
          + name                = "user-metadata"
        }
    }
    ```
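Review bot: The `post_github_login` flow in this plan has no `keycloak_authentication_execution` bound to it (no execution carries `parent_flow_alias = "post github login"`), so the ban enforcement its description promises is not implemented by anything shown here; if that execution already exists unchanged, it is worth stating in the PR description, otherwise the flow is an empty pass-through. In the `first broker login / User creation or linking` subflow, `create_user_if_unique` is the only execution and it is `REQUIRED`, while the subflow description speaks of existing / non existing user alternatives; as far as I can tell from the plan this leaves no branch for an IdP login whose email already belongs to a Keycloak account, which Keycloak's stock first-broker-login flow covers with an `ALTERNATIVE` "Handle Existing Account" subflow — confirm whether rejecting such logins is intended, and if so say so in the description rather than in the subflow's wording. The profile change itself matches the title: `firstName`/`lastName` lose `required_for_roles` while `email` keeps it, which is what you want if bans are keyed on email.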

I will wait for #265 to be merged though.
Reference: afnix/infra#302