feat(enterprise): Add plugin-directory Keycloak client

Adds the plugin-directory OIDC client to the Keycloak realm template for SSO authentication with the Plugin Directory marketplace app. New environment variables for envsubst: - $PLUGIN_DIRECTORY_HOST - hostname for redirect URIs - $PLUGIN_DIRECTORY_CLIENT_SECRET - OIDC client secret Related: All-Hands-AI/OpenHands-Cloud#306
2026-03-22 13:47:19 +08:00 · 2026-03-06 22:48:38 +00:00
parent d1c2185d99
commit 3624e5b78d
1 changed files with 58 additions and 0 deletions
--- a/enterprise/allhands-realm-github-provider.json.tmpl
+++ b/enterprise/allhands-realm-github-provider.json.tmpl
@@ -894,6 +894,64 @@
        "organization",
        "microprofile-jwt"
      ]
+    },
+    {
+      "id": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
+      "clientId": "plugin-directory",
+      "name": "Plugin Directory",
+      "description": "Plugin marketplace for discovering and reviewing agent plugins",
+      "rootUrl": "",
+      "adminUrl": "",
+      "baseUrl": "",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "$PLUGIN_DIRECTORY_CLIENT_SECRET",
+      "redirectUris": [
+        "https://$PLUGIN_DIRECTORY_HOST/auth/callback"
+      ],
+      "webOrigins": [
+        "https://$PLUGIN_DIRECTORY_HOST"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": true,
+      "protocol": "openid-connect",
+      "attributes": {
+        "realm_client": "false",
+        "oidc.ciba.grant.enabled": "false",
+        "backchannel.logout.session.required": "true",
+        "frontchannel.logout.session.required": "true",
+        "post.logout.redirect.uris": "+",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "display.on.consent.screen": "false",
+        "backchannel.logout.revoke.offline.tokens": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "roles",
+        "profile",
+        "basic",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "organization",
+        "microprofile-jwt"
+      ]
    }
  ],
  "clientScopes": [