From 19ee864d7c5b037433e5056854e8c4385242c89e Mon Sep 17 00:00:00 2001 From: GPortas Date: Thu, 15 Dec 2022 17:29:21 +0000 Subject: [PATCH 01/10] Added: Bash script for keycloak container setup and json config for realm initialization --- conf/docker-keycloak/oidc-realm.json | 2108 ++++++++++++++++++++++++++ conf/docker-keycloak/run-keycloak.sh | 36 + 2 files changed, 2144 insertions(+) create mode 100644 conf/docker-keycloak/oidc-realm.json create mode 100755 conf/docker-keycloak/run-keycloak.sh diff --git a/conf/docker-keycloak/oidc-realm.json b/conf/docker-keycloak/oidc-realm.json new file mode 100644 index 00000000000..199ba4bf96f --- /dev/null +++ b/conf/docker-keycloak/oidc-realm.json @@ -0,0 +1,2108 @@ +{ + "id": "oidc-realm", + "realm": "oidc-realm", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "13d76240-fcf8-4361-9dbf-de268717cfb2", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "oidc-realm", + "attributes": {} + }, + { + "id": "88b414c4-3516-4486-8f8b-a811ed0e0ce5", + "name": "default-roles-oidc-realm", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ] + }, + "clientRole": false, + "containerId": "oidc-realm", + "attributes": {} + }, + { + "id": "b907fd4e-0e54-461c-9411-3f736eef7d2f", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "oidc-realm", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "39342ea9-0b4e-4841-8996-433759e9297f", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "f8680034-617d-45d3-9801-7bf0d704c549", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "b08e4cc3-71e2-4395-b66b-fb1277b48b88", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "c15dc407-d012-43af-9a21-a2923e1d7b74", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "66c07cb7-42cd-4155-8485-6cc7bd37cba9", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "0419515f-4ab8-43ca-ac69-e842195813c0", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "aa553d5a-b2dc-4f81-979a-2af0a019fee0", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "9567e1e9-b755-43a8-93ed-d5929391316f", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "e3dab69f-7323-4aad-bf98-8b7697f36d57", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "ee8a4855-d0d5-4261-bdba-b419d304a824", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "4f251212-e922-4ac0-9cce-3ada607648d2", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "34e1dc59-a975-424f-887b-52465e184a4b", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "create-client", + "manage-users", + "manage-realm", + "manage-events", + "view-realm", + "view-events", + "impersonation", + "manage-clients", + "query-users", + "view-identity-providers", + "query-groups", + "view-clients", + "view-users", + "manage-authorization", + "manage-identity-providers", + "query-realms", + "query-clients", + "view-authorization" + ] + } + }, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "d35aca04-0182-40d3-96b8-1ce5cc118729", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "7d3b28d5-471a-4b2b-bc80-56d4ff80fd28", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "651059eb-fc1a-4f8d-9ced-ed28b0a2f965", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "73f447e9-def8-4214-8516-56571f2c6f65", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "1b5f7c39-885e-4246-8cf5-25769544fc3d", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "350da4c1-69d4-4557-a9a8-8ba760db0225", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + }, + { + "id": "43d51082-6922-4765-8022-529d91a4603f", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "account-console": [], + "broker": [], + "oidc-client": [], + "account": [ + { + "id": "a163535c-71de-4b2d-9530-26b25eeb1c1e", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "aed2e103-ee29-4d5c-a34e-1b8c65b7d537", + "attributes": {} + }, + { + "id": "851c6a9f-bce7-4c70-be82-084c25d61b25", + "name": "manage-account", + "composite": false, + "clientRole": true, + "containerId": "aed2e103-ee29-4d5c-a34e-1b8c65b7d537", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "88b414c4-3516-4486-8f8b-a811ed0e0ce5", + "name": "default-roles-oidc-realm", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "oidc-realm" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpSupportedApplications": [ + "FreeOTP", + "Google Authenticator" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users": [ + { + "username": "keycloakuser", + "enabled": true, + "totp": false, + "emailVerified": true, + "firstName": "Test", + "lastName": "Test", + "email": "test@test.com", + "credentials": [ + { + "type": "keycloakuserpassword", + "value": "test" + } + ] + } + ], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account" + ] + } + ] + }, + "clients": [ + { + "id": "aed2e103-ee29-4d5c-a34e-1b8c65b7d537", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/oidc-realm/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/oidc-realm/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "1e821c0e-f6b9-4324-9b23-e82b5431fb72", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/oidc-realm/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/oidc-realm/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "397616ab-4124-4a13-92b6-317423e818a3", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "dddcc3e0-d742-422b-8b5f-84a292ea9d66", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "df6f6cd0-a046-492f-84ac-b4fe31909be4", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "c0af31b9-21aa-4e70-baf3-8d68850c4081", + "clientId": "oidc-client", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "http://localhost:8080/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "oauth2.device.authorization.grant.enabled": "false", + "use.jwks.url": "true", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature.keyinfo.ext": "false", + "use.refresh.tokens": "true", + "jwt.credential.certificate": "MIICpTCCAY0CBgGE8V6o6TANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtvaWRjLWNsaWVudDAeFw0yMjEyMDgxMDUyMDNaFw0zMjEyMDgxMDUzNDNaMBYxFDASBgNVBAMMC29pZGMtY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUffTl+jXWzyY3T4VVtkiGyNnY+RgyAXUzz+dxT7wUQaYSiNPvmaxnio555pWjR403SRUjVxM8eJYgHK9s43qQWdheXBIHyLKaQfjVsTtSmHgFtPmjk+kweQs6fxUi5CNvtx4RTCaOK5wV8q5q1X7mb8cZ5+gLSx1f/pHtayFXMT75nV04aZKWgPztPz8w+QXUx9cuFY4OIiTdRbdyfr1oOiDtMbxxA22tggB/HSMVkSckT3LSPj7fJKJMPFYi/g1AXxGipX/q8XkmOBrvNePCpH0F/IZbC1vXEsDC6urfoijOdiZgPMobuADmWHPiw2zgCN8qa6QuLFaI+JduXT9QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCEOYRHkH8DnBucb+uN5c9U/fZY+mpglxzZvby7dGBXfVwLN+eP1kGcQPaFi+nshk7FgF4mR5/cmuAPZt+YBbgP0z37D49nB7S6sniwzfhCAAplOT4vmm+MjperTDsWFUGhQZJvN/jxqP2Xccw7N//ReYi7yOlmWhwGyqQyTi0ySbE3BY5eFvUKepekybYi/15XlyF8lwS2jH1MvnJAxAMNVpVUcP4wTnq/dOw5ybrVWF0mPnA8KVzTPuPE5nzZvZ3rkXQeEJTffIToR+T/DH/KTLXcNUtx4nG0ajJ0gM6iVAXGnKlI9Viq/M5Ese+52I6rQmxTsFMn57LNzKgMpWcE", + "oidc.ciba.grant.enabled": "false", + "use.jwks.string": "false", + "backchannel.logout.session.required": "false", + "client_credentials.use_refresh_token": "false", + "require.pushed.authorization.requests": "false", + "saml.client.signature": "false", + "pkce.code.challenge.method": "S256", + "id.token.as.detached.signature": "false", + "saml.assertion.signature": "false", + "saml.encrypt": "false", + "saml.server.signature": "false", + "exclude.session.state.from.auth.response": "false", + "saml.artifact.binding": "false", + "saml_force_name_id_format": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "43ffb712-f233-48e2-ae79-d6993bac34a5", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "3747f98f-efbb-49ef-8238-a349bf5ab409", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/oidc-realm/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/oidc-realm/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "2fbdf6c9-ee69-4edc-b780-ec62aecfc519", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "f76f507d-7d1c-495b-9504-47830b3834f1", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "be849ec8-1747-4efb-bc00-beeaf44f11c8", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "8e8600ec-4290-435d-b109-9f0547cb4a1d", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "54b87197-5309-4b2c-8ad9-f561a0fc178a", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "5fd831af-19a5-4a9c-b44f-2a806fae011c", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "2f85470d-8cb7-4f07-8602-47342d68af86", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "c5d2aafc-f72d-4d7b-9d88-cd759f0e045e", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "528face9-229a-4adf-98d8-68b1a22e880d", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "89240a7c-10f3-4e09-9d6b-41955b86c58d", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "15b6db72-4870-480e-a675-87f87df5f8a5", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "cdd11477-b02b-4886-bc6d-cf4b728ebc0e", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "627b9f4f-23d6-4480-adf4-264faf58de33", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "6a2adf2e-db2d-4ebe-8d48-f658f9b4a5ca", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "8f830142-b3f1-40f0-82e2-ceed68857a40", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "28a96dc6-c4dc-4aae-b316-28b56dccd077", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "3e81050f-540e-4f3d-9abf-86406e484f76", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "13afa1f4-3fac-4c90-a9b4-e84e682f46e9", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "3beac2fc-e947-408f-8422-ca9a1e66a258", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "12911891-db5c-4a35-80fa-555c5eda7e68", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "8a29297a-e6f6-41ae-b25d-8a14236de535", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "ce1622c5-701f-4e3e-9d2d-8dae0f07a295", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "98cc62b8-250a-4087-92da-bb0f0931e675", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "b99c8c44-4cc9-4c87-a5a1-c14e64d472ae", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "903d5932-bdec-42bc-a53c-3cce93deaa1c", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "ccbdc095-28f7-4769-8261-2e32c7b6fab0", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "22a4a38c-f755-44f3-b847-803c7fb3cef5", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "78726920-b4e2-4ed2-b9e0-df38a7f82376", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String" + } + }, + { + "id": "c64c6eb8-5cbe-4092-bf2c-dd02b8c0e0e8", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "306784d8-8da1-48d8-92a3-dccfff83bcaf", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "0ff127fa-774e-43a8-a1fc-47ea3f307aa1", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "8989c6f8-25c5-4d02-aa06-25b3b77fc227", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "3b67000c-9cbf-43ee-9e05-26f560871897", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "c28b04de-2770-423e-9b9a-b3321d7300e2", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "fd791ed4-d4ab-4df9-81b4-c69a3134bcab", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "c7378ce5-3673-47b2-9ebc-92c772bebf9f", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "web-origins", + "role_list", + "roles", + "email", + "profile" + ], + "defaultOptionalClientScopes": [ + "address", + "microprofile-jwt", + "offline_access", + "phone" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "8e2d0c22-0627-4115-9f14-4225244333d9", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "45bdde87-a364-4d66-a12e-1a4fd42c85fb", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "7b7d3215-68d2-41db-bc0f-db0a45934a84", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "e067781a-6058-4f2b-9408-3390e9854cf8", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "296be954-8084-45c8-b6f3-94d53f7341f6", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper", + "oidc-usermodel-property-mapper", + "oidc-full-name-mapper", + "saml-user-property-mapper", + "oidc-usermodel-attribute-mapper" + ] + } + }, + { + "id": "b9a2a484-aee1-4633-aa37-a9ab2b74a239", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "016e4914-a32c-40fa-8aab-3eb25a411df5", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "a4fb2fa3-93b8-4497-8047-424f70f298c7", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-full-name-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-property-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "31b693fa-2b95-47a6-96a1-dfff868ca1df", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "f1e63d09-45a0-4382-8346-0408ee906649", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "99084d92-06f5-4787-b932-a40b5377f3cb", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "9887f1bf-b4f7-4646-9919-a9dbde13ce74", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "fec20812-5cf4-475d-895e-942790f83a05", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "be77226c-dab4-44b4-86e8-8c88e74027dd", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "aadf4b09-bb37-4b40-80da-f9fe40ab3d9c", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "f2084331-5d78-420f-8ff6-97b0a1218b9c", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "7f1c5b3d-7671-4615-8339-fc046ccb3fde", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "07502848-8395-4810-9eaf-a96369883df2", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "flowAlias": "Account verification options", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "5bcad4d1-6de7-44b5-b451-9636fc664a63", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "122aab94-b9b3-47e8-ac4d-98bf8b28ad11", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "163f8867-3660-4f0f-baf7-fe224ea008f9", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "ad8da048-03bc-4e58-b911-3404749a653e", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "flowAlias": "forms", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "1bdd3165-a32d-4ba0-827b-5967a24fc114", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "eafdf270-6797-4768-8966-58f5885e3c70", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "67fb6643-3703-455d-89bc-dc6817cf7eec", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "85c4e0e6-074f-481b-8ebd-4869db18cb9c", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "flowAlias": "User creation or linking", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "fed80f43-0fde-4dc1-ba9b-ae9d151a4434", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "4981597f-5e50-4122-9c4e-4580492e7be4", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "flowAlias": "Authentication Options", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "d8110dc0-2614-44b2-acf0-79334e1eae02", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "flowAlias": "registration form", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "25c8023e-c7cf-49a7-b0fa-dbbe4c75e247", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "071196cf-e578-45ff-b858-4849beaf879d", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "875bdc07-6ebd-46f6-b7df-2f1aa009bb81", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "c58d7bfa-7bab-4ee4-9c85-654db54f5553", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "d2fb0a76-a16c-467f-ac8a-bcc3a8e0c367", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5" + }, + "keycloakVersion": "16.1.1", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +}, diff --git a/conf/docker-keycloak/run-keycloak.sh b/conf/docker-keycloak/run-keycloak.sh new file mode 100755 index 00000000000..0e2e01bef97 --- /dev/null +++ b/conf/docker-keycloak/run-keycloak.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash + +DOCKER_IMAGE="jboss/keycloak:16.1.1" +KEYCLOAK_USER="keycloakadmin" +KEYCLOAK_PASSWORD="keycloakadminpassword" + +if [ ! "$(docker ps -q -f name=keycloak)" ]; then + if [ "$(docker ps -aq -f status=exited -f name=keycloak)" ]; then + echo "INFO - An exited Keycloak container already exists, please select an option:" + options=("Recreate container" "Restart container" "Quit") + select opt in "${options[@]}"; do + case $opt in + "Recreate container") + docker rm keycloak + docker run -d --name keycloak -p 8090:8080 -e KEYCLOAK_USER=$KEYCLOAK_USER -e KEYCLOAK_PASSWORD=$KEYCLOAK_PASSWORD -e KEYCLOAK_IMPORT=/tmp/oidc-realm.json -v "$(pwd)"/oidc-realm.json:/tmp/oidc-realm.json $DOCKER_IMAGE + echo "INFO - Keycloak container recreated" + break + ;; + "Restart container") + docker start keycloak + echo "INFO - Keycloak container restarted" + break + ;; + "Quit") + break + ;; + *) echo "invalid option $REPLY" ;; + esac + done + else + docker run -d --name keycloak -p 8090:8080 -e KEYCLOAK_USER=$KEYCLOAK_USER -e KEYCLOAK_PASSWORD=$KEYCLOAK_PASSWORD -e KEYCLOAK_IMPORT=/tmp/oidc-realm.json -v "$(pwd)"/oidc-realm.json:/tmp/oidc-realm.json $DOCKER_IMAGE + echo "INFO - Keycloak container created" + fi +else + echo "INFO - Keycloak container is already running" +fi From a97c8215bb0cef333630a11297a58c029216939a Mon Sep 17 00:00:00 2001 From: GPortas Date: Fri, 16 Dec 2022 08:22:30 +0000 Subject: [PATCH 02/10] Changed: separate scripts to run and remove Keycloak container --- conf/docker-keycloak/rm-keycloak.sh | 11 ++++++++++ conf/docker-keycloak/run-keycloak.sh | 33 +++++++--------------------- 2 files changed, 19 insertions(+), 25 deletions(-) create mode 100755 conf/docker-keycloak/rm-keycloak.sh diff --git a/conf/docker-keycloak/rm-keycloak.sh b/conf/docker-keycloak/rm-keycloak.sh new file mode 100755 index 00000000000..ea29fbb37c0 --- /dev/null +++ b/conf/docker-keycloak/rm-keycloak.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +if [ "$(docker ps -aq -f name=^/keycloak$)" ]; then + if [ "$(docker ps -aq -f status=running -f name=^/keycloak$)" ]; then + docker kill keycloak + fi + docker rm keycloak + echo "INFO - Keycloak container removed" +else + echo "INFO - No Keycloak container available to remove" +fi diff --git a/conf/docker-keycloak/run-keycloak.sh b/conf/docker-keycloak/run-keycloak.sh index 0e2e01bef97..be229d1a71e 100755 --- a/conf/docker-keycloak/run-keycloak.sh +++ b/conf/docker-keycloak/run-keycloak.sh @@ -3,33 +3,16 @@ DOCKER_IMAGE="jboss/keycloak:16.1.1" KEYCLOAK_USER="keycloakadmin" KEYCLOAK_PASSWORD="keycloakadminpassword" +KEYCLOAK_PORT=8090 -if [ ! "$(docker ps -q -f name=keycloak)" ]; then - if [ "$(docker ps -aq -f status=exited -f name=keycloak)" ]; then - echo "INFO - An exited Keycloak container already exists, please select an option:" - options=("Recreate container" "Restart container" "Quit") - select opt in "${options[@]}"; do - case $opt in - "Recreate container") - docker rm keycloak - docker run -d --name keycloak -p 8090:8080 -e KEYCLOAK_USER=$KEYCLOAK_USER -e KEYCLOAK_PASSWORD=$KEYCLOAK_PASSWORD -e KEYCLOAK_IMPORT=/tmp/oidc-realm.json -v "$(pwd)"/oidc-realm.json:/tmp/oidc-realm.json $DOCKER_IMAGE - echo "INFO - Keycloak container recreated" - break - ;; - "Restart container") - docker start keycloak - echo "INFO - Keycloak container restarted" - break - ;; - "Quit") - break - ;; - *) echo "invalid option $REPLY" ;; - esac - done +if [ ! "$(docker ps -q -f name=^/keycloak$)" ]; then + if [ "$(docker ps -aq -f status=exited -f name=^/keycloak$)" ]; then + echo "INFO - An exited Keycloak container already exists, restarting..." + docker start keycloak + echo "INFO - Keycloak container restarted" else - docker run -d --name keycloak -p 8090:8080 -e KEYCLOAK_USER=$KEYCLOAK_USER -e KEYCLOAK_PASSWORD=$KEYCLOAK_PASSWORD -e KEYCLOAK_IMPORT=/tmp/oidc-realm.json -v "$(pwd)"/oidc-realm.json:/tmp/oidc-realm.json $DOCKER_IMAGE - echo "INFO - Keycloak container created" + docker run -d --name keycloak -p $KEYCLOAK_PORT:8080 -e KEYCLOAK_USER=$KEYCLOAK_USER -e KEYCLOAK_PASSWORD=$KEYCLOAK_PASSWORD -e KEYCLOAK_IMPORT=/tmp/oidc-realm.json -v "$(pwd)"/oidc-realm.json:/tmp/oidc-realm.json $DOCKER_IMAGE + echo "INFO - Keycloak container created and running" fi else echo "INFO - Keycloak container is already running" From 919984ae66d6dbadd211b4109dcc8f8b18749188 Mon Sep 17 00:00:00 2001 From: GPortas Date: Fri, 16 Dec 2022 08:55:24 +0000 Subject: [PATCH 03/10] Added: docker-compose setup option --- conf/docker-keycloak/docker-compose.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 conf/docker-keycloak/docker-compose.yml diff --git a/conf/docker-keycloak/docker-compose.yml b/conf/docker-keycloak/docker-compose.yml new file mode 100644 index 00000000000..da2ad19b886 --- /dev/null +++ b/conf/docker-keycloak/docker-compose.yml @@ -0,0 +1,15 @@ +version: "3.9" + +services: + + keycloak: + image: 'jboss/keycloak:16.1.1' + environment: + - KEYCLOAK_USER=keycloakadmin + - KEYCLOAK_PASSWORD=keycloakadminpassword + - KEYCLOAK_IMPORT=/tmp/oidc-realm.json + - KEYCLOAK_LOGLEVEL=DEBUG + ports: + - "8090:8080" + volumes: + - './oidc-realm.json:/tmp/oidc-realm.json' From c2d44c1afeedb70f074f4b4e502e0a3d806aa39e Mon Sep 17 00:00:00 2001 From: GPortas Date: Fri, 16 Dec 2022 09:07:57 +0000 Subject: [PATCH 04/10] Fixed: User credential data in realm json file --- conf/docker-keycloak/oidc-realm.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/docker-keycloak/oidc-realm.json b/conf/docker-keycloak/oidc-realm.json index 199ba4bf96f..0ccb8be9b9a 100644 --- a/conf/docker-keycloak/oidc-realm.json +++ b/conf/docker-keycloak/oidc-realm.json @@ -375,8 +375,8 @@ "email": "test@test.com", "credentials": [ { - "type": "keycloakuserpassword", - "value": "test" + "type": "password", + "value": "keycloakuserpassword" } ] } From dc9bf66cd808ed403fc7cc040bb03549d525339b Mon Sep 17 00:00:00 2001 From: GPortas Date: Fri, 16 Dec 2022 11:22:32 +0000 Subject: [PATCH 05/10] Refactor: keycloak conf folder name --- conf/{docker-keycloak => keycloak}/docker-compose.yml | 0 conf/{docker-keycloak => keycloak}/oidc-realm.json | 0 conf/{docker-keycloak => keycloak}/rm-keycloak.sh | 0 conf/{docker-keycloak => keycloak}/run-keycloak.sh | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename conf/{docker-keycloak => keycloak}/docker-compose.yml (100%) rename conf/{docker-keycloak => keycloak}/oidc-realm.json (100%) rename conf/{docker-keycloak => keycloak}/rm-keycloak.sh (100%) rename conf/{docker-keycloak => keycloak}/run-keycloak.sh (100%) diff --git a/conf/docker-keycloak/docker-compose.yml b/conf/keycloak/docker-compose.yml similarity index 100% rename from conf/docker-keycloak/docker-compose.yml rename to conf/keycloak/docker-compose.yml diff --git a/conf/docker-keycloak/oidc-realm.json b/conf/keycloak/oidc-realm.json similarity index 100% rename from conf/docker-keycloak/oidc-realm.json rename to conf/keycloak/oidc-realm.json diff --git a/conf/docker-keycloak/rm-keycloak.sh b/conf/keycloak/rm-keycloak.sh similarity index 100% rename from conf/docker-keycloak/rm-keycloak.sh rename to conf/keycloak/rm-keycloak.sh diff --git a/conf/docker-keycloak/run-keycloak.sh b/conf/keycloak/run-keycloak.sh similarity index 100% rename from conf/docker-keycloak/run-keycloak.sh rename to conf/keycloak/run-keycloak.sh From 040c742cbfe9654cc6f1108e7d73d12704f7a269 Mon Sep 17 00:00:00 2001 From: GPortas Date: Fri, 16 Dec 2022 12:25:54 +0000 Subject: [PATCH 06/10] Added: Dataverse authentication provider json file and Keycloak oidc-client config changes to make it suitable for Dataverse --- .../keycloak/oidc-keycloak-auth-provider.json | 8 +++ conf/keycloak/oidc-realm.json | 68 +++++++++---------- 2 files changed, 42 insertions(+), 34 deletions(-) create mode 100644 conf/keycloak/oidc-keycloak-auth-provider.json diff --git a/conf/keycloak/oidc-keycloak-auth-provider.json b/conf/keycloak/oidc-keycloak-auth-provider.json new file mode 100644 index 00000000000..bc70640212d --- /dev/null +++ b/conf/keycloak/oidc-keycloak-auth-provider.json @@ -0,0 +1,8 @@ +{ + "id": "oidc-keycloak", + "factoryAlias": "oidc", + "title": "OIDC-Keycloak", + "subtitle": "OIDC-Keycloak", + "factoryData": "type: oidc | issuer: http://localhost:8090/auth/realms/oidc-realm | clientId: oidc-client | clientSecret: ss6gE8mODCDfqesQaSG3gwUwZqZt547E", + "enabled": true +} diff --git a/conf/keycloak/oidc-realm.json b/conf/keycloak/oidc-realm.json index 0ccb8be9b9a..9333df4e293 100644 --- a/conf/keycloak/oidc-realm.json +++ b/conf/keycloak/oidc-realm.json @@ -575,8 +575,9 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", + "secret": "ss6gE8mODCDfqesQaSG3gwUwZqZt547E", "redirectUris": [ - "http://localhost:8080/*" + "*" ], "webOrigins": [ "+" @@ -588,7 +589,7 @@ "implicitFlowEnabled": false, "directAccessGrantsEnabled": false, "serviceAccountsEnabled": false, - "publicClient": true, + "publicClient": false, "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { @@ -606,7 +607,6 @@ "client_credentials.use_refresh_token": "false", "require.pushed.authorization.requests": "false", "saml.client.signature": "false", - "pkce.code.challenge.method": "S256", "id.token.as.detached.signature": "false", "saml.assertion.signature": "false", "saml.encrypt": "false", @@ -1306,14 +1306,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-usermodel-attribute-mapper", "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper", - "oidc-full-name-mapper", - "saml-user-property-mapper", - "oidc-usermodel-attribute-mapper" + "oidc-full-name-mapper" ] } }, @@ -1349,13 +1349,13 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "saml-role-list-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", + "oidc-full-name-mapper", "saml-user-property-mapper", - "oidc-usermodel-property-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", "oidc-address-mapper", + "oidc-usermodel-property-mapper", "saml-user-attribute-mapper" ] } @@ -1418,7 +1418,7 @@ "supportedLocales": [], "authenticationFlows": [ { - "id": "fec20812-5cf4-475d-895e-942790f83a05", + "id": "a7f91199-178d-4399-8319-5063ffcc37b0", "alias": "Account verification options", "description": "Method with which to verity the existing account", "providerId": "basic-flow", @@ -1444,7 +1444,7 @@ ] }, { - "id": "be77226c-dab4-44b4-86e8-8c88e74027dd", + "id": "602533e3-f7a1-4e25-9a12-f3080eeccec3", "alias": "Authentication Options", "description": "Authentication options.", "providerId": "basic-flow", @@ -1478,7 +1478,7 @@ ] }, { - "id": "aadf4b09-bb37-4b40-80da-f9fe40ab3d9c", + "id": "ba7bcdfd-05c6-4da6-827b-24e3513bddbe", "alias": "Browser - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1504,7 +1504,7 @@ ] }, { - "id": "f2084331-5d78-420f-8ff6-97b0a1218b9c", + "id": "d0f62327-ef2f-4561-8b5a-1f61faecdac0", "alias": "Direct Grant - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1530,7 +1530,7 @@ ] }, { - "id": "7f1c5b3d-7671-4615-8339-fc046ccb3fde", + "id": "f10b85d0-26ee-4648-b81b-80213b066d76", "alias": "First broker login - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1556,7 +1556,7 @@ ] }, { - "id": "07502848-8395-4810-9eaf-a96369883df2", + "id": "d6af4ac0-f6bc-4197-bf01-6e2c321ecaad", "alias": "Handle Existing Account", "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId": "basic-flow", @@ -1582,7 +1582,7 @@ ] }, { - "id": "5bcad4d1-6de7-44b5-b451-9636fc664a63", + "id": "501ab743-2e2f-427d-820f-14deed111b08", "alias": "Reset - Conditional OTP", "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId": "basic-flow", @@ -1608,7 +1608,7 @@ ] }, { - "id": "122aab94-b9b3-47e8-ac4d-98bf8b28ad11", + "id": "e02c3a63-a09d-4dde-9f6c-22c95eef8534", "alias": "User creation or linking", "description": "Flow for the existing/non-existing user alternatives", "providerId": "basic-flow", @@ -1635,7 +1635,7 @@ ] }, { - "id": "163f8867-3660-4f0f-baf7-fe224ea008f9", + "id": "c348906d-6266-4e68-937e-8f3d15c66524", "alias": "Verify Existing Account by Re-authentication", "description": "Reauthentication of existing account", "providerId": "basic-flow", @@ -1661,7 +1661,7 @@ ] }, { - "id": "ad8da048-03bc-4e58-b911-3404749a653e", + "id": "cf6ba166-43d5-4687-95c4-0a184ca08885", "alias": "browser", "description": "browser based authentication", "providerId": "basic-flow", @@ -1703,7 +1703,7 @@ ] }, { - "id": "1bdd3165-a32d-4ba0-827b-5967a24fc114", + "id": "87cb4f25-9275-4617-9e95-63adf1ce3ece", "alias": "clients", "description": "Base authentication for clients", "providerId": "client-flow", @@ -1745,7 +1745,7 @@ ] }, { - "id": "eafdf270-6797-4768-8966-58f5885e3c70", + "id": "e75b99c5-c566-4009-b0ba-c73716bed254", "alias": "direct grant", "description": "OpenID Connect Resource Owner Grant", "providerId": "basic-flow", @@ -1779,7 +1779,7 @@ ] }, { - "id": "67fb6643-3703-455d-89bc-dc6817cf7eec", + "id": "8a97380c-0f70-45cb-a7b0-780eb70453ba", "alias": "docker auth", "description": "Used by Docker clients to authenticate against the IDP", "providerId": "basic-flow", @@ -1797,7 +1797,7 @@ ] }, { - "id": "85c4e0e6-074f-481b-8ebd-4869db18cb9c", + "id": "131e0aad-5422-4504-bafc-96be2fa44c34", "alias": "first broker login", "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId": "basic-flow", @@ -1824,7 +1824,7 @@ ] }, { - "id": "fed80f43-0fde-4dc1-ba9b-ae9d151a4434", + "id": "e7d4b793-b3c2-4ec3-a2b1-04f7217e8f46", "alias": "forms", "description": "Username, password, otp and other auth forms.", "providerId": "basic-flow", @@ -1850,7 +1850,7 @@ ] }, { - "id": "4981597f-5e50-4122-9c4e-4580492e7be4", + "id": "f59a7688-61a1-4ac9-a13a-03f92e022add", "alias": "http challenge", "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId": "basic-flow", @@ -1876,7 +1876,7 @@ ] }, { - "id": "d8110dc0-2614-44b2-acf0-79334e1eae02", + "id": "80a7b0f5-abb3-4780-be58-4ed1dc3e50fa", "alias": "registration", "description": "registration flow", "providerId": "basic-flow", @@ -1895,7 +1895,7 @@ ] }, { - "id": "25c8023e-c7cf-49a7-b0fa-dbbe4c75e247", + "id": "f18231cf-b803-493b-9dd6-ee8fa602c861", "alias": "registration form", "description": "registration form", "providerId": "form-flow", @@ -1937,7 +1937,7 @@ ] }, { - "id": "071196cf-e578-45ff-b858-4849beaf879d", + "id": "34ccfce6-1488-4db3-b90e-d98e8d8b2ae6", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", @@ -1979,7 +1979,7 @@ ] }, { - "id": "875bdc07-6ebd-46f6-b7df-2f1aa009bb81", + "id": "4468100c-fa83-4c16-8970-d53cb592f93a", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", @@ -1999,14 +1999,14 @@ ], "authenticatorConfig": [ { - "id": "c58d7bfa-7bab-4ee4-9c85-654db54f5553", + "id": "c3bb087e-7fe9-4f13-b1bd-c2d7d1320054", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { - "id": "d2fb0a76-a16c-467f-ac8a-bcc3a8e0c367", + "id": "09820d9d-3c12-45f3-bc62-97b53f8a7efe", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" @@ -2105,4 +2105,4 @@ "clientPolicies": { "policies": [] } -}, +} From e8a019eba1547c8d0dd42b24d62079e731c637e7 Mon Sep 17 00:00:00 2001 From: GPortas Date: Mon, 19 Dec 2022 12:46:15 +0000 Subject: [PATCH 07/10] Added: Sphinx guides for OIDC remote users --- .../source/developers/remote-users.rst | 36 +++++++++++++++++-- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/doc/sphinx-guides/source/developers/remote-users.rst b/doc/sphinx-guides/source/developers/remote-users.rst index a5e51aa5e54..cac67fed9cd 100755 --- a/doc/sphinx-guides/source/developers/remote-users.rst +++ b/doc/sphinx-guides/source/developers/remote-users.rst @@ -1,6 +1,6 @@ -==================== -Shibboleth and OAuth -==================== +========================== +Shibboleth, OAuth and OIDC +========================== .. contents:: |toctitle| :local: @@ -30,4 +30,34 @@ Now when you go to http://localhost:8080/oauth2/firstLogin.xhtml you should be p ---- +OpenID Connect (OIDC) +--------------------- + +If you are working on the OpenID Connect (OIDC) user authentication flow, you do not need to connect to a remote provider (as explained in :doc:`/installation/oidc`) to test this feature. Instead, you can use the available configuration that allows you to run a test Keycloak OIDC identity management service locally through a Docker container. + +You can find this configuration in ``conf/keycloak``. There are two options available in this directory to run a Keycloak container: bash script or docker-compose. + +To run the container via bash script, execute the following command (Positioned in ``conf/keycloak``): + +``./run-keycloak.sh`` + +The script will create a Keycloak container or restart it if the container was already created and stopped. Once the script is executed, Keycloak should be accessible from http://localhost:8090/ + +Now load the configuration defined in ``oidc-keycloak-auth-provider.json`` into your Dataverse installation to enable Keycloak as an authentication provider. + +``curl -X POST -H 'Content-type: application/json' --upload-file oidc-keycloak-auth-provider.json http://localhost:8080/api/admin/authenticationProviders`` + +You should see the new provider, called “OIDC-Keycloak“, under “Other options” on the Log In page. + +You should be able to log into Keycloak with the following credentials: + +- username: keycloakuser +- password: keycloakuserpassword + +In case you want to stop and remove the Keycloak container, just run the other available bash script: + +``./rm-keycloak.sh`` + +---- + Previous: :doc:`unf/index` | Next: :doc:`geospatial` From 15fad0edb821d889e2705469ce5c822de7bc16f3 Mon Sep 17 00:00:00 2001 From: GPortas Date: Mon, 19 Dec 2022 13:51:16 +0000 Subject: [PATCH 08/10] Changed: shortened Keycloak usernames and passwords --- conf/keycloak/docker-compose.yml | 4 ++-- conf/keycloak/oidc-realm.json | 4 ++-- conf/keycloak/run-keycloak.sh | 4 ++-- doc/sphinx-guides/source/developers/remote-users.rst | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/conf/keycloak/docker-compose.yml b/conf/keycloak/docker-compose.yml index da2ad19b886..2776f6572df 100644 --- a/conf/keycloak/docker-compose.yml +++ b/conf/keycloak/docker-compose.yml @@ -5,8 +5,8 @@ services: keycloak: image: 'jboss/keycloak:16.1.1' environment: - - KEYCLOAK_USER=keycloakadmin - - KEYCLOAK_PASSWORD=keycloakadminpassword + - KEYCLOAK_USER=kcadmin + - KEYCLOAK_PASSWORD=kcpassword - KEYCLOAK_IMPORT=/tmp/oidc-realm.json - KEYCLOAK_LOGLEVEL=DEBUG ports: diff --git a/conf/keycloak/oidc-realm.json b/conf/keycloak/oidc-realm.json index 9333df4e293..1b77f2b4384 100644 --- a/conf/keycloak/oidc-realm.json +++ b/conf/keycloak/oidc-realm.json @@ -366,7 +366,7 @@ "webAuthnPolicyPasswordlessAcceptableAaguids": [], "users": [ { - "username": "keycloakuser", + "username": "kcuser", "enabled": true, "totp": false, "emailVerified": true, @@ -376,7 +376,7 @@ "credentials": [ { "type": "password", - "value": "keycloakuserpassword" + "value": "kcpassword" } ] } diff --git a/conf/keycloak/run-keycloak.sh b/conf/keycloak/run-keycloak.sh index be229d1a71e..effb37f91b8 100755 --- a/conf/keycloak/run-keycloak.sh +++ b/conf/keycloak/run-keycloak.sh @@ -1,8 +1,8 @@ #!/usr/bin/env bash DOCKER_IMAGE="jboss/keycloak:16.1.1" -KEYCLOAK_USER="keycloakadmin" -KEYCLOAK_PASSWORD="keycloakadminpassword" +KEYCLOAK_USER="kcadmin" +KEYCLOAK_PASSWORD="kcpassword" KEYCLOAK_PORT=8090 if [ ! "$(docker ps -q -f name=^/keycloak$)" ]; then diff --git a/doc/sphinx-guides/source/developers/remote-users.rst b/doc/sphinx-guides/source/developers/remote-users.rst index cac67fed9cd..9d3a788fe57 100755 --- a/doc/sphinx-guides/source/developers/remote-users.rst +++ b/doc/sphinx-guides/source/developers/remote-users.rst @@ -51,8 +51,8 @@ You should see the new provider, called “OIDC-Keycloak“, under “Other opti You should be able to log into Keycloak with the following credentials: -- username: keycloakuser -- password: keycloakuserpassword +- username: kcuser +- password: kcpassword In case you want to stop and remove the Keycloak container, just run the other available bash script: From 27cd2f509127a3d8e3663491724695085957a9f5 Mon Sep 17 00:00:00 2001 From: Philip Durbin Date: Fri, 6 Jan 2023 15:18:05 -0500 Subject: [PATCH 09/10] trivial doc changes #9228 --- doc/sphinx-guides/source/developers/remote-users.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/sphinx-guides/source/developers/remote-users.rst b/doc/sphinx-guides/source/developers/remote-users.rst index 9d3a788fe57..1f3aad70540 100755 --- a/doc/sphinx-guides/source/developers/remote-users.rst +++ b/doc/sphinx-guides/source/developers/remote-users.rst @@ -37,7 +37,7 @@ If you are working on the OpenID Connect (OIDC) user authentication flow, you do You can find this configuration in ``conf/keycloak``. There are two options available in this directory to run a Keycloak container: bash script or docker-compose. -To run the container via bash script, execute the following command (Positioned in ``conf/keycloak``): +To run the container via bash script, execute the following command (positioned in ``conf/keycloak``): ``./run-keycloak.sh`` @@ -47,7 +47,7 @@ Now load the configuration defined in ``oidc-keycloak-auth-provider.json`` into ``curl -X POST -H 'Content-type: application/json' --upload-file oidc-keycloak-auth-provider.json http://localhost:8080/api/admin/authenticationProviders`` -You should see the new provider, called “OIDC-Keycloak“, under “Other options” on the Log In page. +You should see the new provider, called "OIDC-Keycloak", under "Other options" on the Log In page. You should be able to log into Keycloak with the following credentials: From bb625eae6c90b11a5d57ee9c72b0fbd2cb7bc6c2 Mon Sep 17 00:00:00 2001 From: Philip Durbin Date: Fri, 6 Jan 2023 15:23:37 -0500 Subject: [PATCH 10/10] add note: client secret exposed, do not use in prod, dev only #9228 --- doc/sphinx-guides/source/developers/remote-users.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/sphinx-guides/source/developers/remote-users.rst b/doc/sphinx-guides/source/developers/remote-users.rst index 1f3aad70540..21d36d28a75 100755 --- a/doc/sphinx-guides/source/developers/remote-users.rst +++ b/doc/sphinx-guides/source/developers/remote-users.rst @@ -35,6 +35,8 @@ OpenID Connect (OIDC) If you are working on the OpenID Connect (OIDC) user authentication flow, you do not need to connect to a remote provider (as explained in :doc:`/installation/oidc`) to test this feature. Instead, you can use the available configuration that allows you to run a test Keycloak OIDC identity management service locally through a Docker container. +(Please note! The client secret (``ss6gE8mODCDfqesQaSG3gwUwZqZt547E``) is hard-coded in ``oidc-realm.json`` and ``oidc-keycloak-auth-provider.json``. Do not use this config in production! This is only for developers.) + You can find this configuration in ``conf/keycloak``. There are two options available in this directory to run a Keycloak container: bash script or docker-compose. To run the container via bash script, execute the following command (positioned in ``conf/keycloak``):