feat: add the aud claim for oauth2proxy (#253)

* feat: add aud claim for oauth2proxy

* fix: use keycloak client id instead of hardcoded

(cherry picked from commit f74e44f)

Author: ElderMatt

src/operators/keycloak/keycloak.ts

@@ -23,6 +23,7 @@ import { extractError } from '../../tasks/keycloak/errors'
 import {
   createAdminUser,
   createClient,
+  createClientAudClaimMapper,
   createClientEmailClaimMapper,
   createClientScopes,
   createClientSubClaimMapper,
@@ -476,6 +477,13 @@ async function keycloakRealmProviderConfigurer(api: KeycloakApi) {
     await api.protocols.adminRealmsRealmClientsClientUuidProtocolMappersModelsPost(keycloakRealm, client.id!, subMapper)
   }
 
+  // Needed for oauth2-proxy OIDC configuration
+  if (!allClaims.some((el) => el.name === 'aud')) {
+    const subMapper = createClientAudClaimMapper()
+    console.info('Creating client aud claim mapper')
+    await api.protocols.adminRealmsRealmClientsClientUuidProtocolMappersModelsPost(keycloakRealm, client.id!, subMapper)
+  }
+
   // set login theme for master realm
   console.info('adding theme for login page')
   await api.realms.adminRealmsRealmPut(env.KEYCLOAK_REALM, createLoginThemeConfig('APL'))

src/tasks/keycloak/config.ts

@@ -1,8 +1,13 @@
 import { ProtocolMapperRepresentation } from '@linode/keycloak-client-node'
 import axios from 'axios'
+import { cleanEnv, KEYCLOAK_CLIENT_ID } from '../../validators'
 
 export const keycloakRealm = 'otomi'
 
+const localEnv = cleanEnv({
+  KEYCLOAK_CLIENT_ID,
+})
+
 export const defaultsIdpMapperTpl = (
   idpAlias: string,
   idpUsernameClaimMapper: string,
@@ -232,6 +237,19 @@ export const clientSubClaimMapper = (): Record<string, unknown> => ({
   },
 })
 
+export const clientAudClaimMapper = (): Record<string, unknown> => ({
+  name: 'aud-mapper-otomi',
+  protocol: 'openid-connect',
+  protocolMapper: 'oidc-audience-mapper',
+  config: {
+    'access.token.claim': 'true',
+    'id.token.claim': 'true',
+    'included.client.audience': localEnv.KEYCLOAK_CLIENT_ID,
+    'introspection.token.claim': 'true',
+    'lightweight.claim': 'true',
+  },
+})
+
 export const oidcCfg = (
   providerCfg: OidcProviderCfg,
   clientId: string,

src/tasks/keycloak/realm-factory.ts

@@ -14,6 +14,7 @@ import * as utils from '../../utils'
 import {
   TeamMapping,
   adminUserCfgTpl,
+  clientAudClaimMapper,
   clientEmailClaimMapper,
   clientScopeCfgTpl,
   clientSubClaimMapper,
@@ -120,6 +121,11 @@ export function createClientSubClaimMapper(): ProtocolMapperRepresentation {
   return subClaimMapper
 }
 
+export function createClientAudClaimMapper(): ProtocolMapperRepresentation {
+  const subClaimMapper = defaultsDeep(new ProtocolMapperRepresentation(), clientAudClaimMapper())
+  return subClaimMapper
+}
+
 export function createAdminUser(username: string, password: string): UserRepresentation {
   const userRepresentation = defaultsDeep(new UserRepresentation(), adminUserCfgTpl(username, password))
   return userRepresentation