generated from coulomb/repo-seed
Close OpenBao OIDC admin bootstrap path
This commit is contained in:
@@ -98,6 +98,21 @@ bash ./create-secrets.sh
|
||||
kubectl rollout restart deployment/keycape -n sso
|
||||
```
|
||||
|
||||
If the browser flow reaches the KeyCape OTP screen and then reports
|
||||
`mfa check error`, refresh the live privacyIDEA token without printing it:
|
||||
|
||||
```bash
|
||||
cd sso-mfa/k8s/keycape
|
||||
KEYCAPE_PI_REALM=coulomb KUBECTL="${KUBECTL:-kubectl}" \
|
||||
bash ./refresh-pi-token-live.sh platform-root
|
||||
```
|
||||
|
||||
The helper prompts for the `pi-admin` password, writes the token only into
|
||||
Kubernetes Secrets, and restarts KeyCape. The current live privacyIDEA realm is
|
||||
`coulomb`; use `KEYCAPE_PI_REALM=netkingdom` only for an explicit future realm
|
||||
migration. The helper also restores `privacyidea.requireForAll: true`, which
|
||||
keeps KeyCape from using the admin token-list API as the MFA-required check.
|
||||
|
||||
## OIDC client registration
|
||||
|
||||
Downstream applications are registered in the `clients:` block in
|
||||
|
||||
Reference in New Issue
Block a user