diff --git a/acs-service-setup/lib/openid.js b/acs-service-setup/lib/openid.js index 48382ea17..178596c01 100644 --- a/acs-service-setup/lib/openid.js +++ b/acs-service-setup/lib/openid.js @@ -256,7 +256,14 @@ class OpenIDSetup { publicClient, standardFlowEnabled: spec.standardFlowEnabled ?? true, directAccessGrantsEnabled: spec.directAccessGrantsEnabled ?? false, - serviceAccountsEnabled: false, + // Enables the OAuth client-credentials grant (Keycloak + // "service account") for machine-to-machine consumers, e.g. + // an unattended kiosk fetching a Grafana JWT. Keycloak only + // supports service accounts on confidential clients, so + // this cannot be combined with publicClient. A pure + // service client should also set standardFlowEnabled: + // false - it has no browser login to redirect. + serviceAccountsEnabled: !publicClient && !!spec.serviceAccountsEnabled, rootUrl: spec.rootUrl ?? root, baseUrl: spec.baseUrl ?? root, redirectUris: spec.redirectUris diff --git a/deploy/values.yaml b/deploy/values.yaml index 1bf328271..079088767 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -218,6 +218,20 @@ serviceSetup: # redirectUris (list of full URLs) # webOrigins (list of origins) # postLogoutRedirectUris (list of full URLs) + # + # Machine-to-machine clients: set `serviceAccountsEnabled: true` to + # enable the OAuth client-credentials grant (Keycloak "service + # account") so an unattended consumer - a kiosk, a scheduled job - + # can exchange the generated client_secret for tokens with no + # human login. Such clients are necessarily confidential (ignored + # if publicClient is set) and should also set + # `standardFlowEnabled: false`: they have no browser flow, so no + # redirect URIs are ever exercised. Example: + # polyptic-kiosk: + # enabled: true + # name: Polyptic kiosk + # serviceAccountsEnabled: true + # standardFlowEnabled: false openidClients: grafana: enabled: true