ab/homelab
1
1
Fork 1
Code Issues Pull Requests 86 Actions Packages Wiki Activity

Added WebAuth
Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 13s
Details
Keycloak Terraform / Terraform (push) Successful in 20s
Details

Browse Source
This commit is contained in:
Hills Eternity
2026-05-19 02:13:37 +03:00
parent 49e7b3b415
commit 11357657bb
1 changed files with 92 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
terraform/keycloak/main.tf
+92
View File
@@ -41,6 +41,98 @@ resource "keycloak_required_action" "webauthn_register_passwordless" {
default_action = false
}
# =============================================================================
# Browser flow with Passkey support
# =============================================================================
resource "keycloak_authentication_flow" "browser_with_passkey" {
realm_id = keycloak_realm.hexor.id
alias = "browser-with-passkey"
description = "Browser flow with passkey/password alternatives"
provider_id = "basic-flow"
}
# --- Cookie (re-use existing session) ---
resource "keycloak_authentication_execution" "cookie" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_flow.browser_with_passkey.alias
authenticator = "auth-cookie"
requirement = "ALTERNATIVE"
priority = 10
}
# --- Identity Provider Redirector ---
resource "keycloak_authentication_execution" "idp_redirector" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_flow.browser_with_passkey.alias
authenticator = "identity-provider-redirector"
requirement = "ALTERNATIVE"
priority = 20
}
# --- Passkey (WebAuthn Passwordless) ---
resource "keycloak_authentication_execution" "passkey" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_flow.browser_with_passkey.alias
authenticator = "webauthn-authenticator-passwordless"
requirement = "ALTERNATIVE"
priority = 30
}
# --- Username/Password + optional 2FA subflow ---
resource "keycloak_authentication_subflow" "forms" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_flow.browser_with_passkey.alias
alias = "browser-with-passkey-forms"
provider_id = "basic-flow"
requirement = "ALTERNATIVE"
priority = 40
}
resource "keycloak_authentication_execution" "username_password" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_subflow.forms.alias
authenticator = "auth-username-password-form"
requirement = "REQUIRED"
priority = 10
}
resource "keycloak_authentication_subflow" "conditional_2fa" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_subflow.forms.alias
alias = "browser-with-passkey-conditional-2fa"
provider_id = "basic-flow"
requirement = "CONDITIONAL"
priority = 20
}
resource "keycloak_authentication_execution" "condition_user_configured" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
authenticator = "conditional-user-configured"
requirement = "REQUIRED"
priority = 10
}
resource "keycloak_authentication_execution" "otp_form" {
realm_id = keycloak_realm.hexor.id
parent_flow_alias = keycloak_authentication_subflow.conditional_2fa.alias
authenticator = "auth-otp-form"
requirement = "ALTERNATIVE"
priority = 20
}
# --- Bind the new flow as the browser flow ---
resource "keycloak_authentication_bindings" "browser" {
realm_id = keycloak_realm.hexor.id
browser_flow = keycloak_authentication_flow.browser_with_passkey.alias
}
# =============================================================================
# Google Identity Provider
# =============================================================================