| author | Nick Cao <nickcao@nichi.co> | 2024-06-10 07:40:05 -0400 |
|---|---|---|
| committer | Nick Cao <nickcao@nichi.co> | 2024-06-22 10:23:09 -0400 |
| commit | d10d0fc42398b545367853f3a4747c7220810b17 | |
| tree | c3244515db5aa3b7a084adfb3a98ed04d9e0e8d3 /nixos | |
| parent | 134a223f3fda26847e51cbe92db9b06a8142e322 | |
nixos/keycloak: update options for release 25.0.0
Reference: https://www.keycloak.org/docs/25.0.0/upgrading/
Diffstat (limited to 'nixos')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2205.section.md | 2 |
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2411.section.md | 3 |
| -rw-r--r-- | nixos/modules/services/web-apps/keycloak.md | 12 |
| -rw-r--r-- | nixos/modules/services/web-apps/keycloak.nix | 28 |

4 files changed, 25 insertions, 20 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 3a2c70fb7a31b..dad45f12373e6 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -453,7 +453,7 @@ In addition to numerous new and upgraded packages, this release has the followin The new names are as follows: - `bindAddress`: [`services.keycloak.settings.http-host`](#opt-services.keycloak.settings.http-host) - - `forceBackendUrlToFrontendUrl`: [`services.keycloak.settings.hostname-strict-backchannel`](#opt-services.keycloak.settings.hostname-strict-backchannel) + - `forceBackendUrlToFrontendUrl`: `services.keycloak.settings.hostname-strict-backchannel` - `httpPort`: [`services.keycloak.settings.http-port`](#opt-services.keycloak.settings.http-port) - `httpsPort`: [`services.keycloak.settings.https-port`](#opt-services.keycloak.settings.https-port) diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index dce64715eb529..2cbcf3a7e5727 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -87,6 +87,9 @@ services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }; ``` +- `keycloak` was updated to version 25, which introduces new hostname related options. + See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions. + - The `tracy` package no longer works on X11, since it's moved to Wayland support, which is the intended default behavior by Tracy maintainers. X11 users have to switch to the new package `tracy-x11`. diff --git a/nixos/modules/services/web-apps/keycloak.md b/nixos/modules/services/web-apps/keycloak.md index 020bee4003489..4036885ce151c 100644 --- a/nixos/modules/services/web-apps/keycloak.md +++ b/nixos/modules/services/web-apps/keycloak.md 
@@ -68,13 +68,11 @@ to `/auth`. See the option description for more details. ::: -[](#opt-services.keycloak.settings.hostname-strict-backchannel) -determines whether Keycloak should force all requests to go -through the frontend URL. By default, -Keycloak allows backend requests to -instead use its local hostname or IP address and may also -advertise it to clients through its OpenID Connect Discovery -endpoint. +[](#opt-services.keycloak.settings.hostname-backchannel-dynamic) +Keycloak has the capability to offer a separate URL for backchannel requests, +enabling internal communication while maintaining the use of a public URL +for frontchannel requests. Moreover, the backchannel is dynamically +resolved based on incoming headers endpoint. For more information on hostname configuration, see the [Hostname section of the Keycloak Server Installation and Configuration diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index 6d472cf48cd01..36bae2575974e 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -328,8 +328,7 @@ in }; hostname = mkOption { - type = nullOr str; - default = null; + type = str; example = "keycloak.example.com"; description = '' The hostname part of the public URL used as base for @@ -340,16 +339,13 @@ in ''; }; - hostname-strict-backchannel = mkOption { + hostname-backchannel-dynamic = mkOption { type = bool; default = false; example = true; description = '' - Whether Keycloak should force all requests to go - through the frontend URL. By default, Keycloak allows - backend requests to instead use its local hostname or - IP address and may also advertise it to clients - through its OpenID Connect Discovery endpoint. + Enables dynamic resolving of backchannel URLs, + including hostname, scheme, port and context path. See <https://www.keycloak.org/server/hostname> for more information about hostname configuration. 
@@ -482,12 +478,20 @@ in message = "Setting up a local PostgreSQL db for Keycloak requires `standard_conforming_strings` turned on to work reliably"; } { - assertion = cfg.settings.hostname != null || cfg.settings.hostname-url or null != null; - message = "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`"; + assertion = cfg.settings.hostname-url or null == null; + message = '' + The option `services.keycloak.settings.hostname-url' has been removed. + Set `services.keycloak.settings.hostname' instead. + See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details. + ''; } { - assertion = !(cfg.settings.hostname != null && cfg.settings.hostname-url or null != null); - message = "`services.keycloak.settings.hostname` and `services.keycloak.settings.hostname-url` are mutually exclusive"; + assertion = cfg.settings.hostname-strict-backchannel or null == null; + message = '' + The option `services.keycloak.settings.hostname-strict-backchannel' has been removed. + Set `services.keycloak.settings.hostname-backchannel-dynamic' instead. + See [New Hostname options](https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options) for details. + ''; } ]; |
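Review bot: in the rl-2411.section.md hunk, the upgrading-guide link points at the 25.0.1 documentation (`https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0`) while the commit message and both new assertion messages in keycloak.nix link to 25.0.0 (`https://www.keycloak.org/docs/25.0.0/upgrading/#new-hostname-options`); pick one version for all of them so users land on the same page. The sentence "which introduces new hostname related options" would also be more actionable if it named the change the module enforces: `hostname-strict-backchannel` is replaced by `hostname-backchannel-dynamic` and `hostname-url` is removed in favour of `hostname`.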
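Review bot: in the keycloak.md hunk, the added sentence "Moreover, the backchannel is dynamically resolved based on incoming headers endpoint." is ungrammatical ("headers endpoint") and does not say that the behaviour is opt-in, even though the option it documents defaults to `false` in keycloak.nix. Suggest: "When `hostname-backchannel-dynamic` is enabled, the backchannel URL (hostname, scheme, port and context path) is resolved from the incoming request headers, so the resulting URL is only as trustworthy as the headers Keycloak receives; it is disabled by default." That keeps the paragraph consistent with the option description in the same commit and makes the security-relevant dependency on request headers explicit to an operator reading the manual.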
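Review bot: in the keycloak.nix hunk at `@@ -328,8 +328,7 @@`, dropping `default = null;` and changing `hostname` to `type = str;` makes the option mandatory, while the hunk at `@@ -482,12 +478,20 @@` removes the assertion whose message told the user "Setting the Keycloak hostname is required, see `services.keycloak.settings.hostname`". An unset hostname is now reported by the module system as an undefined option rather than by that targeted message. Either state in the option description that the value is required (the description still only says "The hostname part of the public URL used as base for"), or keep an assertion with the old message so the failure still points at the right option.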
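Review bot: in the keycloak.nix hunk at `@@ -482,12 +478,20 @@`, the two new assertion messages quote option names as `services.keycloak.settings.hostname-url' and `services.keycloak.settings.hostname-backchannel-dynamic' (opening backtick, closing single quote), while the unchanged message in the same hunk uses paired backticks (`standard_conforming_strings`); use paired backticks throughout. The markdown link form `[New Hostname options](https://...)` is also printed verbatim in the evaluation error, where it is not rendered; the bare URL reads better in terminal output.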