From 65c5321ce687d78ab6c8f774c4e3d2b1b12838d9 Mon Sep 17 00:00:00 2001
From: Richard Robert Reitz
Date: Sun, 2 Mar 2025 13:11:38 +0100
Subject: [PATCH] Added Grafana client config to Keycloak
---
.../keycloak/manifests/keycloak-config.yaml | 76 +++++++++++++++++++
1 file changed, 76 insertions(+)
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index e2a0981..2dd6d9b 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -181,6 +181,82 @@ data:
 ]
 }
+ grafana-client-payload.json: |
+ {
+ "clientId": "grafana-oauth",
+ "name": "grafana-oauth",
+ "description": "Used for Grafana SSO",
+ "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+ "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+ "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL",
+ "redirectUris": [
+ "http://{{{ .Env.DOMAIN }}}/grafana/*"
+ ],
+ "webOrigins": [
+ "https://{{{ .Env.DOMAIN }}}/grafana"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": true,
+ "protocol": "openid-connect",
+ "attributes": {
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "true",
+ "display.on.consent.screen": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "name": "client roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "userinfo.token.claim": "false",
+ "user.attribute": "foo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "resource_access.${client_id}.roles",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "roles",
+ "offline_access",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+ }
+
 ---
 apiVersion: batch/v1
 kind: Job
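Review bot: The `secret` field of `grafana-client-payload.json` commits a fixed client secret into a manifest template under `data:`, so every environment rendered from this stack would share the same confidential-client credential and it remains in Git history. It would be safer to drop `secret` from the payload and have the config Job (which begins after this hunk and is not visible here) supply a per-install value from a Kubernetes Secret, and to treat the committed value as compromised. The single `redirectUris` entry is `http://` with a `/*` wildcard while `rootUrl`, `baseUrl` and `webOrigins` are all `https://`, which permits the authorization code to be returned over cleartext and to any path under `/grafana`; if Grafana uses its generic OAuth callback, `"https://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth"` would be the narrower value. Browser SSO through the standard flow does not need the password grant, so `"directAccessGrantsEnabled": false` looks like the better default, and `"fullScopeAllowed": true` is worth confirming as intentional. `"user.attribute": "foo"` in the client-role mapper reads like a leftover placeholder.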