From 965809ce1157254a09ac7ddc65ea10338e60200a Mon Sep 17 00:00:00 2001 From: cellarspoon Date: Mon, 13 Dec 2021 16:55:38 +0100 Subject: [PATCH] fix: whitelist SSO --- .env.sample | 1 + compose.keycloak.yml | 3 ++- homeserver.yaml.tmpl | 5 +++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.env.sample b/.env.sample index 908a8c4..02da021 100644 --- a/.env.sample +++ b/.env.sample @@ -20,6 +20,7 @@ COMPOSE_FILE="compose.yml" #KEYCLOAK_NAME= #KEYCLOAK_URL= #KEYCLOAK_CLIENT_ID= +#KEYCLOAK_CLIENT_DOMAIN= #SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1 #COMPOSE_FILE="compose.yml:compose.turn.yml" diff --git a/compose.keycloak.yml b/compose.keycloak.yml index 25d7338..6a540c8 100644 --- a/compose.keycloak.yml +++ b/compose.keycloak.yml @@ -10,10 +10,11 @@ services: - macaroon_secret_key - registration_shared_secret environment: + - KEYCLOAK_CLIENT_DOMAIN + - KEYCLOAK_CLIENT_ID - KEYCLOAK_ENABLED - KEYCLOAK_NAME - KEYCLOAK_URL - - KEYCLOAK_CLIENT_ID secrets: keycloak_client_secret: diff --git a/homeserver.yaml.tmpl b/homeserver.yaml.tmpl index faa30d4..327db65 100644 --- a/homeserver.yaml.tmpl +++ b/homeserver.yaml.tmpl @@ -1948,6 +1948,11 @@ sso: #client_whitelist: # - https://riot.im/develop # - https://my.custom.client/ + {{ if eq (env "KEYCLOAK_ENABLED") "1" }} + client_whitelist: + - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }} + {{ end }} + # Uncomment to keep a user's profile fields in sync with information from # the identity provider. Currently only syncing the displayname is
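Review bot: The new `#KEYCLOAK_CLIENT_DOMAIN=` sample entry does not say what form the value takes, while the homeserver.yaml.tmpl hunk in this patch prepends `https://` to it. A value pasted with its scheme would render as `https://https://…`, which presumably matches no client, so the whitelist would silently have no effect. I would add a comment above the entry such as `# bare host name of the client to whitelist, no scheme or path (constructed example: client.example.com)`.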
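Review bot: The added whitelist entry `- https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}` has no trailing slash and nothing guards against the variable being unset. Synapse documents `client_whitelist` entries as URL prefixes, so without the slash a look-alike host that merely starts with the configured domain would also skip the SSO confirmation step. With `KEYCLOAK_ENABLED=1` and an empty `KEYCLOAK_CLIENT_DOMAIN` the entry renders as `https://`, which would whitelist every https redirect target. I would change the condition to `{{ if and (eq (env "KEYCLOAK_ENABLED") "1") (env "KEYCLOAK_CLIENT_DOMAIN") }}` and the entry to `- https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}/`, matching the trailing slash in the commented example `https://my.custom.client/` just above. The `sso:` block begins and continues outside the hunk.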