
Commit bc56d99

committed
fix(services/keycloak): require exactly one of client / client_scope on protocol mappers
1 parent f3e4d67 commit bc56d99

1 file changed

Lines changed: 29 additions & 0 deletions


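--- a/services/keycloak/lib.nix
+++ b/services/keycloak/lib.nix
@@ -74,6 +74,15 @@ let
 add_to_userinfo = oBool "Include in UserInfo?";
 };
 
+# protocol mappers attach to a client *or* a client scope -- never
+# both, never neither (the provider rejects either).
+clientOrScopeOneOf = [
+[
+"client"
+"client_scope"
+]
+];
+
 # SAML counterparts of the openid refs above.
 samlClientOptionalRef = {
 attr = "client_id";
@@ -1082,6 +1091,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "user_attribute"
 "claim_name"
@@ -1106,6 +1116,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "user_property"
 "claim_name"
@@ -1128,6 +1139,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [ "claim_name" ];
 description = "OpenID protocol mapper that maps group memberships to a claim.";
 attrs = openidMapperCommonAttrs // {
@@ -1146,6 +1158,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 description = "OpenID protocol mapper that emits the user's full name as a single claim.";
 attrs = openidMapperCommonAttrs;
 };
@@ -1160,6 +1173,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 description = "OpenID protocol mapper for the `sub` claim.";
 attrs = {
 name = oStr "Mapper name. Defaults to the attribute key.";
@@ -1178,6 +1192,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "claim_name"
 "claim_value"
@@ -1200,6 +1215,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 description = "OpenID protocol mapper that adds an audience to issued tokens (exactly one of `included_client_audience` / `included_custom_audience`).";
 attrs = {
 name = oStr "Mapper name. Defaults to the attribute key.";
@@ -1220,6 +1236,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 description = "OpenID audience-resolve mapper (derives audience from client roles).";
 attrs = {
 name = oStr "Mapper name. Defaults to the attribute key.";
@@ -1236,6 +1253,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [ "role_id" ];
 description = "OpenID protocol mapper that adds a hardcoded role to issued tokens.";
 attrs = {
@@ -1254,6 +1272,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [ "claim_name" ];
 description = "OpenID protocol mapper that maps the user's realm roles to a claim.";
 attrs = openidMapperCommonAttrs // {
@@ -1275,6 +1294,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [ "claim_name" ];
 description = "OpenID protocol mapper that maps the user's roles on a specific client to a claim.";
 attrs = openidMapperCommonAttrs // {
@@ -1296,6 +1316,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "claim_name"
 "session_note"
@@ -1321,6 +1342,7 @@ let
 client = openidClientOptionalRef;
 client_scope = openidClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "script"
 "claim_name"
@@ -1344,6 +1366,7 @@ let
 client = samlClientOptionalRef;
 client_scope = samlClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "user_attribute"
 "saml_attribute_name"
@@ -1369,6 +1392,7 @@ let
 client = samlClientOptionalRef;
 client_scope = samlClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "user_property"
 "saml_attribute_name"
@@ -1393,6 +1417,7 @@ let
 client = samlClientOptionalRef;
 client_scope = samlClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "script"
 "saml_attribute_name"
@@ -1418,6 +1443,7 @@ let
 client = anyClientOptionalRef;
 client_scope = anyClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "protocol"
 "protocol_mapper"
@@ -1442,6 +1468,7 @@ let
 client = anyClientOptionalRef;
 client_scope = anyClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [
 "protocol"
 "protocol_mapper"
@@ -1466,6 +1493,7 @@ let
 client = anyClientOptionalRef;
 client_scope = anyClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [ "role_id" ];
 description = "Generic role-scope mapper that attaches a role to a client / client scope, keyed by an arbitrary label.";
 attrs = {
@@ -1483,6 +1511,7 @@ let
 client = anyClientOptionalRef;
 client_scope = anyClientScopeOptionalRef;
 };
+oneOfRefs = clientOrScopeOneOf;
 requiredAttrs = [ "role_id" ];
 description = "Generic role-scope mapper attached to a specific client (deprecated alias kept for completeness).";
 attrs = {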
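Review bot: Nothing in this diff shows where `oneOfRefs` is consumed, so it is worth confirming that the validator treats a group member that is not a key of `refs` as an error rather than as "not set" — otherwise a typo in `clientOrScopeOneOf` would make every mapper's exactly-one check silently vacuous and the misconfiguration would only surface at apply time, which is exactly what this commit is trying to move earlier. The comment on `clientOrScopeOneOf` in the first hunk asserts "the provider rejects either"; if that claim comes from the provider's resource schema it would help to name the resource there so the next maintainer can re-verify it, e.g. `# (see the provider's protocol-mapper resources: client_id and client_scope_id are ConflictsWith each other and one is required)` — adjust to whatever the schema actually states. As a style point, the same `refs = { client = …; client_scope = …; }; oneOfRefs = clientOrScopeOneOf;` pair now repeats across all twenty mappers, and a small helper that takes the two ref values and yields both attributes would keep the exclusivity rule from being forgotten when a new mapper type is added. The enclosing `let` binding set starts and ends outside every hunk.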
