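---
# Self-service Keycloak client config for Backstage.
# Kyverno clones this to the keycloak namespace, where the
# keycloak-client-registrar CronJob processes it and creates
# the backstage-oidc-credentials Secret in the backstage namespace.
#
# This manifest holds the client definition only; no client secret is
# stored here. The credential is written by the registrar to the Secret
# named under "secret" in client.json.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-client-backstage
  namespace: backstage
  labels:
    # Opt-in marker for the clone/registration flow described above.
    # NOTE(review): anyone who can create a Secret carrying this label
    # can request an OIDC client. Confirm that RBAC and the Kyverno
    # policy limit which namespaces and subjects may do so.
    keycloak.forteapps.net/client-config: "true"
stringData:
  # client.json is JSON inside a literal block scalar. JSON has no
  # comment syntax, so the review notes for its fields are kept here.
  #
  # redirectUris / webOrigins: exact https values with no wildcards.
  # Keep them exact so codes and tokens cannot be sent elsewhere.
  #
  # protocolMappers[email_verified]: an oidc-hardcoded-claim-mapper that
  # puts email_verified=true into the ID token, access token and
  # userinfo for every user, whatever Keycloak knows about the address.
  # NOTE(review): if Backstage resolves identities by e-mail, this is
  # only safe when the realm cannot hold unverified or user-editable
  # addresses (self-registration, brokered IdPs). The "email" scope in
  # defaultClientScopes normally maps the user's real verification
  # state in Keycloak; confirm the hard-coded override is still needed.
  #
  # secret.namespace / secret.name: where the registrar writes the
  # generated credentials.
  # NOTE(review): the target namespace is taken from this document.
  # Confirm the registrar rejects a target that differs from the
  # namespace the config was cloned from, so that one tenant cannot
  # have credentials written into another tenant's namespace.
  client.json: |
    {
      "clientId": "backstage",
      "name": "Backstage Developer Portal",
      "redirectUris": [
        "https://backstage.forteapps.net/api/auth/oidc/handler/frame"
      ],
      "webOrigins": ["https://backstage.forteapps.net"],
      "defaultClientScopes": ["openid", "email", "profile"],
      "protocolMappers": [
        {
          "name": "email_verified",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-hardcoded-claim-mapper",
          "config": {
            "claim.name": "email_verified",
            "claim.value": "true",
            "jsonType.label": "boolean",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true"
          }
        }
      ],
      "secret": {
        "namespace": "backstage",
        "name": "backstage-oidc-credentials",
        "keys": {
          "clientId": "AUTH_OIDC_CLIENT_ID",
          "clientSecret": "AUTH_OIDC_CLIENT_SECRET"
        }
      }
    }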