From e10c34ade3d730fb02490070384d0a02bd22e5a8 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 31 Mar 2022 12:11:23 +0200
Subject: [PATCH] Support the OIDC authentication.
---
 defaults/main.yml | 14 +++++++++++++-
 templates/shinyproxy-2-conf.yml.j2 | 13 +++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 3952e13..c2061f8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -74,7 +74,8 @@ shinyproxy_template_path: '{{ shinyproxy_install_dir }}/web_templates'
 shinyproxy_app_title: 'Open Analytics Shiny Proxy'
 shinyproxy_logo_url: 'http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png'
-# ldap, keycloak, none
+# ldap, keycloak, oidc, none
+# See https://www.shinyproxy.io/documentation/configuration/
 shinyproxy_authentication: 'none'
 shinyproxy_basic_auth: 'false'
 shinyproxy_admin_group: ''
@@ -97,5 +98,16 @@ shinyproxy_keycloak_ssl_required: 'external'
 # name, preferred_username, nickname, email
 shinyproxy_keycloak_name_attribute: 'preferred_username'
 shinyproxy_keycloak_role_mappings: 'false'
+shinyproxy_oidc_auth_url: 'https://keycloak.example.org/auth/realms/master/protocol/openid-connect/auth'
+shinyproxy_oidc_token_url: 'https:/keycloak.example.org/auth/realms/master/protocol/openid-connect/token'
+shinyproxy_oidc_jwks_url: 'https:/keycloak.example.org/auth/realms/master/protocol/openid-connect/certs'
+shinyproxy_oidc_logout_url: 'https:/keycloak.example.org/auth/realms/master/protocol/openid-connect/logout'
+shinyproxy_oidc_client_id: 'shiny_client'
+shinyproxy_oidc_client_secret: 'use a vault file'
+# name, preferred_username, nickname, email
+shinyproxy_oidc_username_attribute: 'email'
+# See https://www.shinyproxy.io/faq/#authentication-using-openid-does-not-work-because-of-missing-attribute-email-in-attributes-exception
+shinyproxy_oidc_use_roles_claim: True
+shinyproxy_oidc_roles_claim: 'groups'
 shinyproxy_max_log_size: 20MB
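Review bot: Three of the new endpoint defaults in the second hunk are malformed: `shinyproxy_oidc_token_url`, `shinyproxy_oidc_jwks_url` and `shinyproxy_oidc_logout_url` begin with `https:/keycloak.example.org` (one slash) while `shinyproxy_oidc_auth_url` has `https://`; each should read like `'https://keycloak.example.org/auth/realms/master/protocol/openid-connect/token'`. `shinyproxy_oidc_client_secret: 'use a vault file'` is itself a usable string, so a host that switches to OIDC without overriding it gets a client secret that anyone can read in the role's source; consider leaving the variable undefined here and rendering it as `{{ shinyproxy_oidc_client_secret | mandatory }}` so the play fails instead. `shinyproxy_oidc_use_roles_claim: True` would be better spelled `true`, and it has to stay an unquoted boolean (unlike the `'false'` strings next to it) because the template tests it with `{% if %}`.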
diff --git a/templates/shinyproxy-2-conf.yml.j2 b/templates/shinyproxy-2-conf.yml.j2
index 1e0a292..f5ec1c4 100644
--- a/templates/shinyproxy-2-conf.yml.j2
+++ b/templates/shinyproxy-2-conf.yml.j2
@@ -68,6 +68,19 @@ proxy:
 name-attribute: {{ shinyproxy_keycloak_name_attribute }}
 use-resource-role-mappings: {{ shinyproxy_keycloak_role_mappings }}
 {% endif %}
+{% if shinyproxy_authentication == 'oidc' %}
+ oidc:
+ auth-url: {{ shinyproxy_oidc_auth_url }}
+ token-url: {{ shinyproxy_oidc_token_url }}
+ jwks-url: {{ shinyproxy_oidc_jwks_url }}
+ logout-url: {{ shinyproxy_oidc_logout_url }}
+ client-id: {{ shinyproxy_oidc_client_id }}
+ client-secret: {{ shinyproxy_oidc_client_secret }}
+ username-attribute: {{ shinyproxy_oidc_username_attribute }}
+ {% if shinyproxy_oidc_use_roles_claim %}
+ roles-claim: {{ shinyproxy_oidc_roles_claim }}
+ {% endif %}
+{% endif %}
 {% if shinyproxy_container_backend == 'docker' or shinyproxy_container_backend == 'docker-swarm' %}
 docker:
 container-memory-request: {{ shinyproxy_docker_memory_request }}
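Review bot: Every value in the new `oidc:` block is rendered as a bare scalar, so a `shinyproxy_oidc_client_secret` that contains ` #` or `: `, or starts with a YAML indicator character, is silently truncated or breaks the generated file; `client-secret: {{ shinyproxy_oidc_client_secret | to_json }}` (and the same for the URLs and the client id) emits a safely quoted string. The rendered file now carries a credential, so the task that templates it, which is not visible here, should set a restrictive `mode` and owner. It is also worth checking the key names against the ShinyProxy configuration page referenced in defaults/main.yml: as far as I recall it documents `authentication: openid` with an `openid:` block, in which case an `oidc:` block would be ignored. The enclosing `proxy:` mapping begins outside the hunk.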