From 0c9aa6181366687ee45960fba475ec7739f13113 Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Mon, 23 Jun 2025 17:28:39 +0200
Subject: [PATCH] fix: wording of the external idp
---
 .env.example | 17 +++++++++++++-
 ...opencloud-realm-autoprovisioning.dist.json | 22 ++++++++++++++++++++-
 idm/{keycloak.yml => external-idp.yml} | 15 ++++++++-----
 3 files changed, 46 insertions(+), 8 deletions(-)
 rename idm/{keycloak.yml => external-idp.yml} (84%)
diff --git a/.env.example b/.env.example
index c8a448c..fe4d1f7 100644
--- a/.env.example
+++ b/.env.example
@@ -245,10 +245,25 @@ LDAP_BIND_PASSWORD=
 # authentication process, the allowed clients and the session management.
 # Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
 # Keycloak can be used in two different modes:
-# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.
+# 1. Autoprovisioning: New users are automatically created in openCloud when they log in for the first time.
 # 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
 # because the LDAP server is connected to both Keycloak and OpenCloud.
+# Only use one of the two modes at a time.
+## Autoprovisioning Mode ##
+# Use together with idm/external-idp.yml
+# If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml
+# Domain of your Identity Provider.
+IDP_DOMAIN=
+# IdP Issuer URL, which is used to identify the Identity Provider.
+# We need the complete URL, including the protocol (http or https) and the realm.
+# Example: "https://keycloak.opencloud.test/realms/openCloud"
+IDP_ISSUER_URL=
+# Url of the account endit page from your Identity Provider.
+IDP_ACCOUNT_URL=
+
+## Shared User Directory Mode ##
+# Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
 # Domain for Keycloak. Defaults to "keycloak.opencloud.test".
 KEYCLOAK_DOMAIN=
 # Admin user login name. Defaults to "kcadmin".
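Review bot: The new comment `# Url of the account endit page from your Identity Provider.` has a typo and inconsistent capitalisation; suggest `# URL of the account edit page of your Identity Provider.`. The `IDP_ISSUER_URL` comment should also tell operators that the value has to match the issuer the IdP puts into its tokens exactly — same scheme, host, realm path and no trailing slash — because a mismatch makes token validation fail rather than degrade gracefully; one added line such as `# Must match the "iss" claim of the IdP's tokens exactly (no trailing slash).` would cover it. Since the hunk header shows ten old lines but only nine context lines survive the collapsed layout, a blank context line is probably lost here; nothing to fix in the patch itself.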
@@ -1596,6 +1596,10 @@
 "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
 },
 "smtpServer" : { },
+ "loginTheme": "opencloud",
+ "accountTheme": "",
+ "adminTheme": "",
+ "emailTheme": "",
 "eventsEnabled" : false,
 "eventsListeners" : [ "jboss-logging" ],
 "enabledEventTypes" : [ ],
@@ -1663,7 +1667,23 @@
 "subType" : "anonymous",
 "subComponents" : { },
 "config" : { }
- } ],
+ },
+ {
+ "id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a",
+ "name": "Block Client Registration",
+ "providerId": "trusted-hosts",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "host-sending-registration-request-must-match": [
+ "true"
+ ],
+ "client-uris-must-match": [
+ "true"
+ ]
+ }
+ }
+ ],
 "org.keycloak.userprofile.UserProfileProvider" : [ {
 "id" : "28d6b4ce-33d4-40c0-adef-b27e35b7e122",
 "providerId" : "declarative-user-profile",
diff --git a/idm/keycloak.yml b/idm/external-idp.yml
similarity index 84%
rename from idm/keycloak.yml
rename to idm/external-idp.yml
index d20570a..4bb53ac 100644
--- a/idm/keycloak.yml
+++ b/idm/external-idp.yml
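Review bot: The four added theme keys use `"loginTheme": "opencloud"` spacing while every surrounding line of this Keycloak export uses the `"key" : value` form (`"eventsEnabled" : false`), so the file now mixes two styles; the same applies to the new component in the second hunk of this file. Re-exporting the realm from Keycloak, or hand-editing the new lines to `"loginTheme" : "opencloud"`, keeps the file diff-stable against future exports. Whether the three empty-string theme values (`"accountTheme": ""` etc.) mean "use the default" or are simply dropped on import is not visible here; if they are meant as defaults it would be cleaner to omit them, matching how the rest of the export leaves unset fields out.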
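Review bot: The new `Block Client Registration` component is a behavioural change to the realm — it configures the `trusted-hosts` anonymous client-registration policy with `host-sending-registration-request-must-match` and `client-uris-must-match` set to true but, as far as the hunk shows, no `trusted-hosts` allow list, which in Keycloak denies anonymous dynamic client registration from every host. That is a sensible hardening for a realm whose only client is pre-registered, but the commit is titled "fix: wording of the external idp" and neither the title nor the description mentions it, so the change is easy to miss in review and in the changelog. Because the intent rests on an absent key, consider making the empty allow list explicit with `"trusted-hosts": []` (if the import accepts it) and stating in the repo documentation that adding a host there re-opens anonymous registration; the JSON itself cannot carry a comment.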
@@ -17,17 +17,17 @@ services:
 PROXY_OIDC_REWRITE_WELLKNOWN: "true"
 WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
 PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
- OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
+ OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
 # This specifies to start all services except idm and idp. These are replaced by external services.
 OC_EXCLUDE_RUN_SERVICES: idm,idp
- # Keycloak IDP specific configuration for auto-provisioning
+ # IdP specific configuration for auto-provisioning
 OC_LDAP_SERVER_WRITE_ENABLED: "true"
 PROXY_AUTOPROVISION_ACCOUNTS: "true"
- # Use the `sub` claim from keycloak for the user ID
- # Keycloak uses the keycloak user ID as the `sub` claim
+ # Use the `sub` claim from the IdP for the user ID
+ # Most IdPs use the internal user ID as the `sub` claim
 PROXY_USER_OIDC_CLAIM: "sub"
 # Use the `sub` claim as identifier during autoprovisioning
- # That mitigates problems when a user is renamed in keycloak
+ # That mitigates problems when a user is renamed in the IdP
 PROXY_AUTOPROVISION_CLAIM_USERNAME: "sub"
 PROXY_USER_CS3_CLAIM: "username"
 # This is the default value, we need to set it here because we overwrite the values
@@ -40,7 +40,10 @@ services:
 SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
 GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
 GRAPH_USERNAME_MATCH: "none"
- IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+ # We need to set the IDP_DOMAIN to allow the CSP rules to be set correctly
+ IDP_DOMAIN: ${IDP_DOMAIN:-keycloak.opencloud.test}
+ # The openCloud users need to be able to edit their account in the externa IdP
+ WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
 ldap-server:
 image: bitnami/openldap:2.6
 networks:
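Review bot: The new `OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}` no longer consults `KEYCLOAK_DOMAIN`, so an existing deployment that set `KEYCLOAK_DOMAIN` for the old `idm/keycloak.yml` and upgrades to the renamed file silently falls back to the test-domain issuer instead of its own, and token validation against the real IdP breaks with no hint in the compose file. If Compose's nested interpolation is available in the supported Compose version, `OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud}` would keep the old variable working during the transition; otherwise the rename and the dropped fallback belong in the changelog as a breaking change. The same silent fallback exists for `IDP_DOMAIN: ${IDP_DOMAIN:-keycloak.opencloud.test}` in the second hunk of this file.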
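Review bot: `WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}` has neither a default nor a required marker, so when `IDP_ACCOUNT_URL` is left empty, as the new `.env.example` ships it, Compose substitutes an empty string and the web UI is configured with an empty account-edit link; `${IDP_ACCOUNT_URL:?IDP_ACCOUNT_URL must be set for the external IdP}` would fail fast instead, or a default pointing at the Keycloak account console of the default realm would match the issuer default above. `IDP_DOMAIN` and `IDP_ISSUER_URL` are now two independent variables, and the new comment says `IDP_DOMAIN` drives the CSP rules; if an operator sets an issuer on one host and leaves `IDP_DOMAIN` at another, the CSP allow-list and the actual IdP diverge and the login flow is blocked by the browser rather than by a clear error, so the comment should state that `IDP_DOMAIN` must be the host part of `IDP_ISSUER_URL`. The added comment also has a typo: `# The openCloud users need to be able to edit their account in the external IdP`.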