samply/bridgehead
1
0
Fork 0
mirror of https://github.com/samply/bridgehead.git synced 2025-07-31 12:10:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: migrate PSP to Authentik (#329)

Browse Source
This commit is contained in:
djuarezgf
2025-07-22 11:34:49 +02:00
committed by GitHub
parent 2cfdc3ac3e
commit 7e13e251f8
3 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ccp/modules/id-management-compose.yml
View File

@@ -14,6 +14,7 @@ services:
MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY} MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY} MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY} MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
MAGICPL_OIDC_PROVIDER: ${OIDC_PRIVATE_URL}
depends_on: depends_on:
- patientlist - patientlist
- traefik-forward-auth - traefik-forward-auth
@@ -71,12 +72,14 @@ services:
- https_proxy=http://forward_proxy:3128 - https_proxy=http://forward_proxy:3128
- OAUTH2_PROXY_PROVIDER=oidc - OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
- OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
- OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID} - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
- OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET} - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
- OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET} - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
- OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
- OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST} - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
- OAUTH2_PROXY_COOKIE_REFRESH=4m
- OAUTH2_PROXY_COOKIE_EXPIRE=24h
- OAUTH2_PROXY_HTTP_ADDRESS=:4180 - OAUTH2_PROXY_HTTP_ADDRESS=:4180
- OAUTH2_PROXY_REVERSE_PROXY=true - OAUTH2_PROXY_REVERSE_PROXY=true
- OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST} - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
@@ -87,8 +90,8 @@ services:
- OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
- OAUTH2_PROXY_SET_XAUTHREQUEST=true - OAUTH2_PROXY_SET_XAUTHREQUEST=true
# Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
- OAUTH2_PROXY_COOKIE_REFRESH=60s - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP}
- OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
- OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"

2
ccp/modules/id-management-setup.sh
View File

@@ -14,6 +14,8 @@ function idManagementSetup() {
# Ensure old ids are working !!! # Ensure old ids are working !!!
export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID") export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID")
add_private_oidc_redirect_url "/oauth2-idm/callback"
fi fi
} }

1
ccp/vars
View File

@@ -10,6 +10,7 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
OIDC_PSP_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_PSP"
OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/" OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/"