hedgedoc: Restrict keycloak authentication to staff members only

These changes restrict hedgedoc access when authenticating with Keycloak to users having the role hedgedoc-staff-only.

The SWH Keycloak instance has been configured to:

  • automatically add this hedgedoc client role to all members of the staff group

  • add a roles claim in the access token generated for the hedgedoc client.

I did not manage to test the changes with octocatalog-diff as my setup seems broken.

It also made me think that we should add the hedgedoc client configuration for Keycloak to the puppet manifest; some work on that subject has already been done in !305.

See related hedgedoc oauth2 documentation and related hedgedoc javascript client code.

Related to swh/infra/sysadm-environment#5461.
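Added illustration of the authorization decision this change relies on (example code, not HedgeDoc's client code or anything from this merge request): given the decoded claims of a Keycloak access token, grant access only when the roles claim lists `hedgedoc-staff-only`. The claim path `resource_access.hedgedoc.roles` and the sample claims are assumptions, and signature and expiry checks are assumed to have been done by the OAuth2 library beforehand.

```javascript
// Added example, not HedgeDoc's or the MR's own code: decide whether a
// Keycloak access token grants HedgeDoc access, using the roles claim the
// change depends on. Assumes the OAuth2 library has already verified the
// token signature and expiry and handed over the decoded claims object.

const REQUIRED_ROLE = 'hedgedoc-staff-only';
// Assumed claim location: Keycloak emits client roles under
// resource_access.<client_id>.roles unless a mapper flattens them.
const ROLES_CLAIM = 'resource_access.hedgedoc.roles';

// Walk a dotted claim path; returns undefined on any missing segment
// instead of throwing on a token that lacks the expected structure.
function extractClaim(claims, path) {
  return path.split('.').reduce(
    (node, key) => (node !== null && typeof node === 'object') ? node[key] : undefined,
    claims,
  );
}

// Returns { allowed, reason } so the caller can log why access was refused.
// Every failure mode (claim absent, claim not a list, role not granted)
// denies access; only an explicit match allows it.
function authorize(claims, claimPath = ROLES_CLAIM, role = REQUIRED_ROLE) {
  const roles = extractClaim(claims, claimPath);
  if (roles === undefined) {
    return { allowed: false, reason: `claim ${claimPath} missing from token` };
  }
  if (!Array.isArray(roles)) {
    return { allowed: false, reason: `claim ${claimPath} is not a role list` };
  }
  if (!roles.includes(role)) {
    return { allowed: false, reason: `role ${role} not granted` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample claims for illustration (not real tokens).
const STAFF_CLAIMS = {
  sub: 'alice', preferred_username: 'alice',
  resource_access: { hedgedoc: { roles: ['hedgedoc-staff-only'] } },
};
const GUEST_CLAIMS = {
  sub: 'bob', preferred_username: 'bob',
  resource_access: { 'other-client': { roles: ['viewer'] } },
};
```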
