Move openid settings into separate profile

This allows them to be set via Spring properties not just environment variables. The motivation for this is loading secrets from the filesystem when running on kubernetes.
nla · Apr 24, 2024 · e35c4d8 · e35c4d8
1 parent f5d1d6b
commit e35c4d8
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 22 deletions.
diff --git a/ui/resources/application-openid.properties b/ui/resources/application-openid.properties
@@ -0,0 +1,12 @@
+# oidc: user logins
+spring.security.oauth2.client.provider.oidc.issuer-uri=${OIDC_URL}
+spring.security.oauth2.client.provider.oidc.user-name-attribute=preferred_username
+spring.security.oauth2.client.registration.oidc.client-id=${OIDC_CLIENT_ID}
+spring.security.oauth2.client.registration.oidc.client-secret=${OIDC_CLIENT_SECRET}
+spring.security.oauth2.client.registration.oidc.scope=openid
+
+# kcadmin: service account for keycloak admin REST API
+spring.security.oauth2.client.provider.kcadmin.issuer-uri=${OIDC_URL}
+spring.security.oauth2.client.registration.kcadmin.client-id=${OIDC_CLIENT_ID}
+spring.security.oauth2.client.registration.kcadmin.client-secret=${OIDC_CLIENT_SECRET}
+spring.security.oauth2.client.registration.kcadmin.authorization-grant-type=client_credentials
diff --git a/ui/src/pandas/Pandas.java b/ui/src/pandas/Pandas.java
@@ -19,29 +19,11 @@
 @EnableMethodSecurity
 public class Pandas {
     public static void main(String[] args) {
-        copyEnvToProperty("OIDC_URL", "spring.security.oauth2.client.provider.oidc.issuer-uri");
-        copyEnvToProperty("OIDC_CLIENT_ID", "spring.security.oauth2.client.registration.oidc.client-id");
-        copyEnvToProperty("OIDC_CLIENT_SECRET", "spring.security.oauth2.client.registration.oidc.client-secret");
-        if (System.getProperty("spring.security.oauth2.client.provider.oidc.issuer-uri") != null) {
-            System.setProperty("spring.security.oauth2.client.registration.oidc.scope", "openid");
-            System.setProperty("spring.security.oauth2.client.provider.oidc.user-name-attribute", "preferred_username");
-
-            // this second client registration is for the Keycloak admin API. It uses the same credentials
-            // but we have to add it separately because we need to change the authorization-grant-type
-            copyEnvToProperty("OIDC_URL", "spring.security.oauth2.client.provider.kcadmin.issuer-uri");
-            copyEnvToProperty("OIDC_CLIENT_ID", "spring.security.oauth2.client.registration.kcadmin.client-id");
-            copyEnvToProperty("OIDC_CLIENT_SECRET", "spring.security.oauth2.client.registration.kcadmin.client-secret");
-            System.setProperty("spring.security.oauth2.client.registration.kcadmin.authorization-grant-type", "client_credentials");
-        }
-
-        SpringApplication.run(Pandas.class, args);
-    }
-
-    private static void copyEnvToProperty(String env, String property) {
-        String value = System.getenv(env);
-        if (value != null && !value.isBlank()) {
-            System.setProperty(property, value);
+        var application = new SpringApplication(Pandas.class);
+        if (System.getenv("OIDC_URL") != null || System.getProperty("OIDC_URL") != null) {
+            application.setAdditionalProfiles("openid");
         }
+        application.run(args);
     }
 
     @Bean(name = "htmlSanitizer")