Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion acs-service-setup/lib/openid.js
Original file line number Diff line number Diff line change
Expand Up @@ -256,7 +256,14 @@ class OpenIDSetup {
publicClient,
standardFlowEnabled: spec.standardFlowEnabled ?? true,
directAccessGrantsEnabled: spec.directAccessGrantsEnabled ?? false,
serviceAccountsEnabled: false,
// Enables the OAuth client-credentials grant (Keycloak
// "service account") for machine-to-machine consumers, e.g.
// an unattended kiosk fetching a Grafana JWT. Keycloak only
// supports service accounts on confidential clients, so
// this cannot be combined with publicClient. A pure
// service client should also set standardFlowEnabled:
// false - it has no browser login to redirect.
serviceAccountsEnabled: !publicClient && !!spec.serviceAccountsEnabled,
rootUrl: spec.rootUrl ?? root,
baseUrl: spec.baseUrl ?? root,
redirectUris: spec.redirectUris
Expand Down
14 changes: 14 additions & 0 deletions deploy/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,20 @@ serviceSetup:
# redirectUris (list of full URLs)
# webOrigins (list of origins)
# postLogoutRedirectUris (list of full URLs)
#
# Machine-to-machine clients: set `serviceAccountsEnabled: true` to
# enable the OAuth client-credentials grant (Keycloak "service
# account") so an unattended consumer - a kiosk, a scheduled job -
# can exchange the generated client_secret for tokens with no
# human login. Such clients are necessarily confidential (ignored
# if publicClient is set) and should also set
# `standardFlowEnabled: false`: they have no browser flow, so no
# redirect URIs are ever exercised. Example:
# polyptic-kiosk:
# enabled: true
# name: Polyptic kiosk
# serviceAccountsEnabled: true
# standardFlowEnabled: false
openidClients:
grafana:
enabled: true
Expand Down
Loading