author | Vincent Ambo <mail@tazj.in> | 2021-12-26T16·08+0300 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2021-12-26T16·59+0000 |
commit | fc16f1e467918b7bff59e0a18a32622e2571fead (patch) | |
tree | ca78f1a85c773cf078ce83c77f52b35366a60baa | |
parent | a8923242bebdc2464f760f906fddd135a8c13abb (diff) |
fix(ops/keycloak): set up client for usage with oauth2_proxy r/3428
This will be useful for things like panettone, pending a NixOS module for oauth2-proxy (the upstream one is too complicated and doesn't support what we need). Change-Id: I4ca193e10a94a29b1fb9003e945896ff8eb61116 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4662 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de> Autosubmit: tazjin <mail@tazj.in>
-rw-r--r-- | ops/keycloak/main.tf | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index d6c01442ecd3..05398a866cee 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -49,14 +49,14 @@ resource "keycloak_openid_client" "oauth2_proxy" {
 standard_flow_enabled = true
 valid_redirect_uris = [
- "https://login.tvl.fyi/oauth2/callback"
+ "https://login.tvl.fyi/oauth2/callback",
+ "http://localhost:4774/oauth2/callback",
 ]
 }
-resource "keycloak_openid_audience_protocol_mapper" "panettone_audience" {
- realm_id = keycloak_realm.tvl.id
- client_id = keycloak_openid_client.oauth2_proxy.id
- name = "panettone-audience"
-
- included_custom_audience = "b"
+resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" {
+ realm_id = keycloak_realm.tvl.id
+ client_id = keycloak_openid_client.oauth2_proxy.id
+ name = "oauth2-proxy-audience"
+ included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id
 } |
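Review bot: The added `http://localhost:4774/oauth2/callback` entry in `valid_redirect_uris` registers a plain-HTTP development redirect on the same client that serves `https://login.tvl.fyi`, so any process bound to port 4774 on a user's machine becomes a valid recipient of authorization codes issued for that client. The `keycloak_openid_client` block starts outside the hunk, so the client's access type is not visible here. If the client is confidential, a code cannot be redeemed without the secret, but the secret then has to be present on every developer machine that uses this redirect. I would move the localhost URI to a separate `keycloak_openid_client` used only for development, or at least mark the line with a comment such as `# local development only (oauth2_proxy on a developer machine)`.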