diff --git a/CHANGELOG.MD b/CHANGELOG.MD index ef2960a46..eaefdae08 100644 --- a/CHANGELOG.MD +++ b/CHANGELOG.MD @@ -2,6 +2,20 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](https://semver.org/). +## v1.1.0 - 2023-11-06 +> **Feature**: Switch MET to use Keycloak SSO service - [🎟️DESENG-408](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-408) +> - Switch all role-based checks on the API to use a single callback function (`current_app.config['JWT_ROLE_CALLBACK']`) +> - Added a configurable path `JWT_ROLE_CLAIM` to indicate where your SSO instance places role information in the JWT token. If your access token looks like: +> `{ ..., "realm_access": { "roles": [ "role1", "role2"]}}` you would set `JWT_ROLE_CLAIM=realm_access.roles` +> - Explicitly disable single tenant mode to ensure correct multi-tenancy behaviour +> - Remove local Keycloak instances and configuration +> - *Potentially breaking*: Default to the "standard" realm for Keycloak +> - *Potentially breaking*: Use tenancy information from DB rather than Keycloak + +> **Feature**: .env var audit and cleanup - [🎟️DESENG-414](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-414) +> - Update sample.env files to properly reflect the current state of the project and document where to download credentials securely +> *This ticket is not closed by this version* + ## v1.0.1 - 2023-10-26 diff --git a/met-api/docker-compose.yml b/met-api/docker-compose.yml deleted file mode 100644 index a20d7c847..000000000 --- a/met-api/docker-compose.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -version: "3.9" - -services: - keycloak: - image: quay.io/keycloak/keycloak:12.0.2 - ports: - - "8081:8081" - environment: - - KEYCLOAK_USER=admin - - KEYCLOAK_PASSWORD=admin - command: -b 0.0.0.0 -Djboss.http.port=8081 -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/tmp/keycloak/test -Dkeycloak.migration.strategy=OVERWRITE_EXISTING - healthcheck: - test: - [ - "CMD", - "curl", - "--fail", - "http://localhost:8081/auth/realms/demo || exit 1", - ] - interval: 30s - timeout: 10s - retries: 10 - volumes: - - ./setup:/tmp/keycloak/test/ - met-db: - image: postgres - volumes: - - db-data:/var/lib/postgresql/data2 - environment: - - POSTGRES_USER=admin - - POSTGRES_PASSWORD:admin - - POSTGRES_HOST_AUTH_METHOD=trust - ports: - - 54332:5432/tcp - restart: unless-stopped - - met-db-test: - image: postgres - volumes: - - db-data:/var/lib/postgresql/data3 - environment: - - POSTGRES_USER=admin - - POSTGRES_PASSWORD:admin - - POSTGRES_HOST_AUTH_METHOD=trust - ports: - - 54333:5432/tcp - restart: unless-stopped - - met-analytics-db: - image: postgres - volumes: - - db-data:/var/lib/postgresql/data4 - environment: - - POSTGRES_USER=admin - - POSTGRES_PASSWORD:admin - - POSTGRES_HOST_AUTH_METHOD=trust - ports: - - 54334:5432/tcp - restart: unless-stopped - - -volumes: - db-data: - driver: local - \ No newline at end of file diff --git a/met-api/sample.env b/met-api/sample.env index c4379332f..e026e357a 100644 --- a/met-api/sample.env +++ b/met-api/sample.env 
@@ -12,18 +12,24 @@ DATABASE_NAME="met" # Email API endpoint NOTIFICATIONS_EMAIL_ENDPOINT=https://met-notify-api-dev.apps.gold.devops.gov.bc.ca/api/v1/notifications/email -# Keycloak configuration. Keycloak is now hosted, and local keycloak instances are no longer needed. -KEYCLOAK_BASE_URL=https://dev.loginproxy.gov.bc.ca/auth -KEYCLOAK_REALMNAME=standard -JWT_OIDC_AUDIENCE=modern-engagement-tools-4787 +# Keycloak configuration. +# Populate from 'GDX Modern Engagement Tools-installation-*.json' +# https://bcgov.github.io/sso-requests +KEYCLOAK_BASE_URL= # auth-server-url +KEYCLOAK_REALMNAME= # realm +MET_ADMIN_CLIENT_ID= # resource +MET_ADMIN_CLIENT_SECRET= # credentials.secret + +# Copy from 'GDX MET web (public)-installation-*.json' +JWT_OIDC_AUDIENCE= # resource JWT_OIDC_WELL_KNOWN_CONFIG=${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALMNAME}/.well-known/openid-configuration JWT_OIDC_JWKS_URI=${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALMNAME}/protocol/openid-connect/certs JWT_OIDC_ISSUER=${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALMNAME} +# Where Keycloak provides the roles that a user has +JWT_ROLE_CLAIM=realm_access.roles +# JWT_ROLE_CLAIM=client_roles + -# Authenticates the MET API with Keycloak for running tests. -# Currently unused since the hosted Keycloak instance does not support API usage. -MET_ADMIN_CLIENT_ID= -MET_ADMIN_CLIENT_SECRET= # S3 configuration. Used for uploading custom header images, etc. S3_ACCESS_KEY_ID= @@ -42,4 +48,8 @@ EPIC_KEYCLOAK_SERVICE_ACCOUNT_ID= EPIC_KEYCLOAK_SERVICE_ACCOUNT_SECRET= # Allowed CORS origins -CORS_ORIGIN=http://localhost:3000,http://localhost:5000 \ No newline at end of file +CORS_ORIGIN=http://localhost:3000,http://localhost:5000 + +# Whether to skip certain auth checks. Should be false in production. +# Must match the value set for REACT_APP_IS_SINGLE_TENANT_ENVIRONMENT in the client app. +IS_SINGLE_TENANT_ENVIRONMENT=false \ No newline at end of file 
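Review bot: `IS_SINGLE_TENANT_ENVIRONMENT=false` only disables the skip if the API turns the variable into a real boolean; `check_auth` elsewhere in this commit uses `current_app.config.get('IS_SINGLE_TENANT_ENVIRONMENT')` as a bare truthy value, and if config.py reads the key with a plain `os.getenv` (that code is not in the diff) the string `'false'` is truthy and the tenant check is skipped in every environment, so please confirm how the key is parsed. Separately, the trailing `# auth-server-url`-style comments after empty values risk being kept as part of the value by some dotenv loaders once someone fills the value in without a separating space; moving each hint to the line above, e.g. `# auth-server-url from the installation JSON` followed by `KEYCLOAK_BASE_URL=`, avoids that. The comment on `IS_SINGLE_TENANT_ENVIRONMENT` could also name what is skipped: `# When true, check_auth/require_role skip the per-tenant check entirely. Must be false in production.`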
diff --git a/met-api/src/met_api/__init__.py b/met-api/src/met_api/__init__.py index 2694f90ed..fb866e92a 100644 --- a/met-api/src/met_api/__init__.py +++ b/met-api/src/met_api/__init__.py @@ -128,8 +128,15 @@ def build_cache(app): def setup_jwt_manager(app_context, jwt_manager): """Use flask app to configure the JWTManager to work for a particular Realm.""" - def get_roles(a_dict): - return a_dict['realm_access']['roles'] # pragma: no cover - + def get_roles(token_info): + """ + Consumes a token_info dictionary and returns a list of roles. + Uses a configurable path to the roles in the token_info dictionary. + """ + role_access_path = app_context.config['JWT_ROLE_CLAIM'] + for key in role_access_path.split('.'): + token_info = token_info.get(key, {}) + return token_info + app_context.config['JWT_ROLE_CALLBACK'] = get_roles jwt_manager.init_app(app_context) diff --git a/met-api/src/met_api/config.py b/met-api/src/met_api/config.py index b1ed7a0db..29a9fae6b 100644 --- a/met-api/src/met_api/config.py +++ b/met-api/src/met_api/config.py @@ -122,6 +122,8 @@ class _Config(): # pylint: disable=too-few-public-methods JWT_OIDC_CACHING_ENABLED = os.getenv('JWT_OIDC_CACHING_ENABLED', 'True') JWT_OIDC_JWKS_CACHE_TIMEOUT = 300 + JWT_ROLE_CLAIM = os.getenv('JWT_ROLE_CLAIM', 'realm_access.roles') + S3_CONFIG = { 'DEFAULT': { 'S3_BUCKET': os.getenv('S3_BUCKET'), @@ -135,7 +137,7 @@ class _Config(): # pylint: disable=too-few-public-methods # Service account details KEYCLOAK_BASE_URL = os.getenv('KEYCLOAK_BASE_URL') - KEYCLOAK_REALMNAME = os.getenv('KEYCLOAK_REALMNAME', 'met') + KEYCLOAK_REALMNAME = os.getenv('KEYCLOAK_REALMNAME', 'standard') KEYCLOAK_SERVICE_ACCOUNT_ID = os.getenv('MET_ADMIN_CLIENT_ID') KEYCLOAK_SERVICE_ACCOUNT_SECRET = os.getenv('MET_ADMIN_CLIENT_SECRET') # TODO separate out clients for APIs and user management. diff --git a/met-api/src/met_api/models/base_model.py b/met-api/src/met_api/models/base_model.py index 066ae46d3..bbdb779b4 100644 
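Review bot: `get_roles` returns `{}` instead of a list when the configured path is absent, and raises `AttributeError` when an intermediate claim is not a dict (for example `JWT_ROLE_CLAIM=client_roles.x` against a token where `client_roles` is a list), which would surface as a 500 on every authenticated request rather than an empty role set. The callers touched by this commit (`set(user_from_context.roles)`, `Role.CREATE_TENANT.value in roles`) happen to tolerate a dict, so the wrong type is silent today but will bite the next caller that indexes or iterates expecting strings. Suggest guarding each path segment and normalising the result to a list, with a docstring that states the `[]` fallback.
```python
def get_roles(token_info):
    """Return the list of roles at JWT_ROLE_CLAIM in token_info, or [] if the claim is absent or malformed."""
    value = token_info
    for key in app_context.config['JWT_ROLE_CLAIM'].split('.'):
        if not isinstance(value, dict):
            return []
        value = value.get(key)
    return value if isinstance(value, list) else []
# … unchanged: JWT_ROLE_CALLBACK assignment and jwt_manager.init_app …
```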
--- a/met-api/src/met_api/models/base_model.py +++ b/met-api/src/met_api/models/base_model.py @@ -67,16 +67,10 @@ def flush(self): db.session.flush() return self - def add_to_session(self): - """Save and flush.""" - return self.flush() - def save(self): """Save and commit.""" - self._set_tenant_id() - db.session.add(self) - db.session.flush() - db.session.commit() + self.flush() + self.commit() def _set_tenant_id(self): # add tenant id to the model if the child model has tenant id column diff --git a/met-api/src/met_api/services/authorization.py b/met-api/src/met_api/services/authorization.py index 4d58266ba..b30cdb0de 100644 --- a/met-api/src/met_api/services/authorization.py +++ b/met-api/src/met_api/services/authorization.py @@ -21,12 +21,13 @@ def check_auth(**kwargs): """Check if user is authorized to perform action on the service.""" skip_tenant_check = current_app.config.get('IS_SINGLE_TENANT_ENVIRONMENT') user_from_context: UserContext = kwargs['user_context'] + user_from_db = StaffUserModel.get_user_by_external_id(user_from_context.sub) token_roles = set(user_from_context.roles) permitted_roles = set(kwargs.get('one_of_roles', [])) has_valid_roles = token_roles & permitted_roles if has_valid_roles: if not skip_tenant_check: - user_tenant_id = user_from_context.tenant_id + user_tenant_id = user_from_db.tenant_id _validate_tenant(kwargs.get('engagement_id'), user_tenant_id) return @@ -47,8 +48,8 @@ def _validate_tenant(eng_id, tenant_id): return engagement_tenant_id = EngagementModel.find_tenant_id_by_id(eng_id) if engagement_tenant_id and str(tenant_id) != str(engagement_tenant_id): - current_app.logger.debug(f'Aborting . Tenant Id on Engagement and user context Mismatch' - f'engagement_tenant_id:{engagement_tenant_id} ' + current_app.logger.debug(f'Aborting . Tenant Id on Engagement and user context Mismatch\n' + f'engagement_tenant_id:{engagement_tenant_id}\n' f'tenant_id: {tenant_id}') abort(HTTPStatus.FORBIDDEN) 
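Review bot: `save()` no longer calls `self._set_tenant_id()`, and nothing else in the hunk calls it, so unless `flush()` — whose definition starts above the hunk — already stamps the tenant, rows created through `save()` lose their `tenant_id`, which the DB-backed tenant checks added in this same commit depend on. `self.commit()` is also assumed to exist on the model but is not shown here; please confirm it is defined. If `flush()` does set the tenant, a one-line comment in `save()` such as `# tenant_id is stamped by flush()` would make that dependency explicit for the next reader.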
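Review bot: `user_from_db.tenant_id` dereferences the result of `get_user_by_external_id` without a None check, so a valid token whose subject has no staff-user row (a not-yet-provisioned user, or a token minted for another client in the same realm) raises `AttributeError` and becomes a 500 instead of the 403 the tenant check intends. The lookup is also performed before the role check, so every request pays a DB query even when the roles alone reject it. Move the lookup inside the `not skip_tenant_check` branch and abort FORBIDDEN when no user is found; the no-role `abort` at the end of `check_auth` is outside the hunk.
```python
    if has_valid_roles:
        if not skip_tenant_check:
            user_from_db = StaffUserModel.get_user_by_external_id(user_from_context.sub)
            if user_from_db is None:
                # Token is valid but the subject is not a provisioned staff user.
                abort(HTTPStatus.FORBIDDEN)
            _validate_tenant(kwargs.get('engagement_id'), user_from_db.tenant_id)
        return
# … unchanged: no-role abort …
```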
diff --git a/met-api/src/met_api/utils/tenant_validator.py b/met-api/src/met_api/utils/tenant_validator.py index caa0bd720..2696b6433 100644 --- a/met-api/src/met_api/utils/tenant_validator.py +++ b/met-api/src/met_api/utils/tenant_validator.py @@ -25,6 +25,7 @@ from met_api.auth import jwt as _jwt from met_api.utils.constants import TENANT_ID_JWT_CLAIM from met_api.utils.roles import Role +from met_api.models.staff_user import StaffUser def require_role(role, skip_tenant_check_for_admin=False): @@ -54,14 +55,14 @@ def wrapper(*args, **kwargs): if skip_tenant_check_for_admin and is_met_global_admin(token_info): return func(*args, **kwargs) - tenant_id = token_info.get(TENANT_ID_JWT_CLAIM, None) - current_app.logger.debug(f'Tenant Id From JWT Claim {tenant_id}') - current_app.logger.debug(f'Tenant Id From g {g.tenant_id}') - if g.tenant_id and str(g.tenant_id) == str(tenant_id): + user_id = token_info.get('sub', None) + # fetch user from the db + user = StaffUser.get_user_by_external_id(user_id) + if user and user.tenant_id == g.tenant_id: return func(*args, **kwargs) else: abort(HTTPStatus.FORBIDDEN, - description='The user has no access to this tenant') + description='The user does not exist or has no access to this tenant') return wrapper @@ -74,7 +75,5 @@ def _get_token_info() -> Dict: def is_met_global_admin(token_info) -> bool: """Return True if the user is MET Admin ie who can manage all tenants.""" - roles: list = token_info.get('realm_access', None).get('roles', []) if 'realm_access' in token_info \ - else [] - + roles = current_app.config['JWT_ROLE_CALLBACK'](token_info) return Role.CREATE_TENANT.value in roles diff --git a/met-api/src/met_api/utils/user_context.py b/met-api/src/met_api/utils/user_context.py index 4aa0cbde4..f09bcf38a 100644 --- a/met-api/src/met_api/utils/user_context.py +++ b/met-api/src/met_api/utils/user_context.py 
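Review bot: `user.tenant_id == g.tenant_id` drops two protections the removed lines had: the `g.tenant_id` truthiness guard, so a staff row whose tenant is NULL now matches a request where no tenant was resolved (both `None`), and the `str()` normalisation, so an integer column compared against a tenant id carried as a string would always mismatch and lock users out. Suggest `if user and g.tenant_id and str(user.tenant_id) == str(g.tenant_id):`. Style: the new `from met_api.models.staff_user import StaffUser` is appended after the `met_api.utils` imports; group it with the other `met_api.models` imports. The enclosing `wrapper` starts above the hunk.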
@@ -16,7 +16,7 @@ import functools from typing import Dict -from flask import g, request +from flask import g, request, current_app from met_api.utils.constants import TENANT_ID_JWT_CLAIM from met_api.utils.roles import Role @@ -39,8 +39,7 @@ def __init__(self): self._last_name: str = token_info.get('lastname', None) self._tenant_id: str = token_info.get(TENANT_ID_JWT_CLAIM, None) self._bearer_token: str = _get_token() - self._roles: list = token_info.get('realm_access', None).get('roles', []) if 'realm_access' in token_info \ - else [] + self._roles: list = current_app.config['JWT_ROLE_CALLBACK'](token_info) self._sub: str = token_info.get('sub', None) self._name: str = f"{token_info.get('firstname', None)} {token_info.get('lastname', None)}" diff --git a/met-web/sample.env b/met-web/sample.env index c8f37cb1f..aba4e7610 100644 --- a/met-web/sample.env +++ b/met-web/sample.env @@ -1,9 +1,10 @@ -# Keycloak auth endpoint -REACT_APP_KEYCLOAK_URL=https://dev.loginproxy.gov.bc.ca/auth -REACT_APP_KEYCLOAK_REALM=standard -# Resource identifier for the Keycloak client -REACT_APP_KEYCLOAK_CLIENT=modern-engagement-tools-4787 +# Keycloak auth +# Copy from 'GDX MET web (public)-installation-*.json' +# https://bcgov.github.io/sso-requests +REACT_APP_KEYCLOAK_URL= # auth-server-url +REACT_APP_KEYCLOAK_REALM= # realm +REACT_APP_KEYCLOAK_CLIENT= # resource # The role needed to be considered an admin # TODO: Allocate a dedicated role for this on SSO @@ -14,5 +15,10 @@ REACT_APP_API_URL=http://localhost:5000/api # `analytics-api` endpoint REACT_APP_ANALYTICS_API_URL=http://localhost:5001/api + # Default tenant to assign when signing in for the first time -REACT_APP_DEFAULT_TENANT=eao \ No newline at end of file +REACT_APP_DEFAULT_TENANT=eao + +# Whether to skip certain auth checks. Should be false in production. +# Must match the value set for IS_SINGLE_TENANT_ENVIRONMENT in the API. +REACT_APP_IS_SINGLE_TENANT_ENVIRONMENT=false \ No newline at end of file 
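Review bot: `UserContext` still populates `_tenant_id` from `TENANT_ID_JWT_CLAIM` while `check_auth` and `require_role` in this same commit switch to the tenant stored on the staff user, so the two sources can disagree and any remaining reader of `user_context.tenant_id` silently uses the JWT value. Either annotate the attribute, e.g. `# tenant from the JWT claim; authorization now uses the DB value (see check_auth)`, or remove the claim once no caller needs it. The role callback can also return a non-list when the configured claim path is missing (see `get_roles`), so `_roles` should be normalised with `list(... or [])` here or in the callback. `__init__` starts above the hunk.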
diff --git a/tools/keycloak/docker-compose.yml b/tools/keycloak/docker-compose.yml deleted file mode 100644 index 213071286..000000000 --- a/tools/keycloak/docker-compose.yml +++ /dev/null @@ -1,22 +0,0 @@ -version: "3.5" -services: - keycloak: - container_name: keycloak - image: quay.io/keycloak/keycloak:14.0.0 - volumes: - - ./init:/opt/jboss/keycloak/init - - keycloak:/opt/jboss/keycloak - ports: - - 8080:8080 - networks: - - metnetwork - env_file: - - ./keycloak.env - restart: unless-stopped -volumes: - keycloak: - name: keycloak.local -networks: - metnetwork: - external: - name: metnetwork diff --git a/tools/keycloak/init/realm-export.json b/tools/keycloak/init/realm-export.json deleted file mode 100644 index 06f32146c..000000000 --- a/tools/keycloak/init/realm-export.json +++ /dev/null @@ -1,2671 +0,0 @@ -{ - "id": "met", - "realm": "met", - "displayNameHtml": "
MET
", - "notBefore": 0, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 1800, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 3600, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 1800, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "enabled": true, - "sslRequired": "external", - "registrationAllowed": false, - "registrationEmailAsUsername": false, - "rememberMe": false, - "verifyEmail": false, - "loginWithEmailAllowed": false, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": true, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "roles": { - "realm": [ - { - "id": "e966714c-948f-4f81-aebf-a5e710172361", - "name": "edit_engagement", - "description": "Edit an engagement details", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "5edbeee1-b7d1-44d2-994b-8c78bc1fd51b", - "name": "offline_access", - "description": "${role_offline-access}", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "a325b37b-954f-4494-9253-5423c596200d", - "name": "uma_authorization", - 
"description": "${role_uma_authorization}", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "9901c6fd-8602-40d4-a9ec-1e57091faeb0", - "name": "create_survey", - "description": "Role to create surveys", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "086d57d3-12e9-4d41-bf6c-333110c75c0a", - "name": "default-roles-met", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - "offline_access", - "uma_authorization" - ], - "client": { - "account": [ - "view-profile", - "manage-account" - ] - } - }, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "f29f4d3f-e24e-4b00-8666-7fc1eacbd811", - "name": "create_engagement", - "description": "Creates an engagement", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "4969cf4c-8489-42fa-bb8c-acca43c1ebf6", - "name": "publish_engagement", - "description": "Publish an engagement", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "5d17aefc-bb12-48b0-af5d-550c530c8e21", - "name": "app-admin", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "6d7efaec-3c2e-49c8-b4cf-034e94f7ba4d", - "name": "create_admin_user", - "description": "Create admin users", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "63b83673-dc5a-463a-b5d6-2af5b375fd49", - "name": "view_engagement", - "description": "View an engagement", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - }, - { - "id": "68c2a38b-2a46-4728-8c18-b2b77e5405c1", - "name": "access_dashboard", - "description": "This role is used to provide user access to the dashboards", - "composite": false, - "clientRole": false, - "containerId": "met", - 
"attributes": {} - }, - { - "id": "2e0cdece-3471-4e9d-ab13-4b41a7c58bb7", - "name": "view_users", - "description": "View Users", - "composite": false, - "clientRole": false, - "containerId": "met", - "attributes": {} - } - ], - "client": { - "met-api": [], - "met-admin": [], - "realm-management": [ - { - "id": "ebe09137-c2f8-411a-b828-51fa6b19b67b", - "name": "query-clients", - "description": "${role_query-clients}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "751c4e27-f526-4101-ab74-44aedebe0699", - "name": "view-clients", - "description": "${role_view-clients}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-clients" - ] - } - }, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "2bfa634c-5cd7-4b41-b8ff-a6e2c0d8a9ab", - "name": "manage-events", - "description": "${role_manage-events}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "e644a22a-c734-43c4-b18d-f828e95ea374", - "name": "manage-clients", - "description": "${role_manage-clients}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "a2bc5cab-fb0f-44b5-83bc-6302ec109ea9", - "name": "impersonation", - "description": "${role_impersonation}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "ef7849f0-a4d1-4bd4-8130-6b46ee4f7a57", - "name": "view-events", - "description": "${role_view-events}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "a7d7f1c4-ccef-49e2-bcb6-a66d044e7b4e", - "name": "query-groups", - "description": "${role_query-groups}", - "composite": false, 
- "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "0f43216f-cfb5-454c-9d67-98ee21253b03", - "name": "view-authorization", - "description": "${role_view-authorization}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "82f2dd96-050b-4bcd-80df-2a3fe6481cdc", - "name": "view-users", - "description": "${role_view-users}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-users", - "query-groups" - ] - } - }, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "f7657fe0-7d8c-4465-9058-c075c0edd6a8", - "name": "manage-realm", - "description": "${role_manage-realm}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "9895c2b1-91e5-444a-861b-2e6be0f0c876", - "name": "view-identity-providers", - "description": "${role_view-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "2ffc78e1-5ffd-461f-a538-ba9159cac382", - "name": "create-client", - "description": "${role_create-client}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "078a2cbf-c8ee-472a-a79d-b15da8742024", - "name": "view-realm", - "description": "${role_view-realm}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "8938e417-33d2-4cde-a53e-3ff4e1a638ce", - "name": "realm-admin", - "description": "${role_realm-admin}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-clients", - "view-clients", - "manage-events", - "manage-clients", - "impersonation", - 
"view-events", - "query-groups", - "view-users", - "view-authorization", - "view-identity-providers", - "manage-realm", - "create-client", - "view-realm", - "manage-users", - "query-users", - "manage-authorization", - "manage-identity-providers", - "query-realms" - ] - } - }, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "34aac6e1-5c98-4745-8c8e-439d05947a6f", - "name": "manage-users", - "description": "${role_manage-users}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "fec6d1ac-16df-4d03-a572-41d75c0546ac", - "name": "query-users", - "description": "${role_query-users}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "c83869a1-4051-437f-92e6-5743c6b8c485", - "name": "manage-authorization", - "description": "${role_manage-authorization}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "7d6213ae-3e67-4fc2-b8de-a9bac872d65d", - "name": "manage-identity-providers", - "description": "${role_manage-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - }, - { - "id": "d1208e76-f320-499d-a15a-bbf165f8f661", - "name": "query-realms", - "description": "${role_query-realms}", - "composite": false, - "clientRole": true, - "containerId": "9670a048-680b-4570-b170-b3b844774917", - "attributes": {} - } - ], - "security-admin-console": [], - "admin-cli": [], - "met-eao-": [ - { - "id": "4ec7699c-a096-4663-b59d-3acd8fdfc46f", - "name": "met-eao-admin", - "description": "met-eao-admin", - "composite": false, - "clientRole": true, - "containerId": "84139a29-5137-4f0c-be8a-9d801d0f6cbc", - "attributes": {} - } - ], - "met-web": [], - "account-console": [], - 
"broker": [ - { - "id": "b6312eb8-db9c-4e73-bcd1-b8f3e1ece4c7", - "name": "read-token", - "description": "${role_read-token}", - "composite": false, - "clientRole": true, - "containerId": "56cd24de-cba1-46d4-8952-e37d4e1d35d5", - "attributes": {} - } - ], - "account": [ - { - "id": "44e563ff-240b-4273-be8c-c7abb8d09379", - "name": "manage-account-links", - "description": "${role_manage-account-links}", - "composite": false, - "clientRole": true, - "containerId": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "attributes": {} - }, - { - "id": "428ba250-51bb-495f-916a-4e6cbe758707", - "name": "view-profile", - "description": "${role_view-profile}", - "composite": false, - "clientRole": true, - "containerId": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "attributes": {} - }, - { - "id": "c4930e1e-2269-4a1c-a126-8022553383d8", - "name": "delete-account", - "description": "${role_delete-account}", - "composite": false, - "clientRole": true, - "containerId": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "attributes": {} - }, - { - "id": "928422bf-eaa4-4064-aa71-95614969187c", - "name": "view-applications", - "description": "${role_view-applications}", - "composite": false, - "clientRole": true, - "containerId": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "attributes": {} - }, - { - "id": "72ac966b-efa7-4920-b93d-338547e199c3", - "name": "manage-account", - "description": "${role_manage-account}", - "composite": true, - "composites": { - "client": { - "account": [ - "manage-account-links" - ] - } - }, - "clientRole": true, - "containerId": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "attributes": {} - }, - { - "id": "06c6aa0d-b67e-4e13-ab93-04278e967de8", - "name": "manage-consent", - "description": "${role_manage-consent}", - "composite": true, - "composites": { - "client": { - "account": [ - "view-consent" - ] - } - }, - "clientRole": true, - "containerId": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "attributes": {} - }, - { - "id": "28502f13-a0b4-4153-8af1-4d09debdb9a5", - "name": 
"view-consent", - "description": "${role_view-consent}", - "composite": false, - "clientRole": true, - "containerId": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "attributes": {} - } - ] - } - }, - "groups": [ - { - "id": "902997b6-5901-4cef-a1b3-2cb8ebc72947", - "name": "ADMIN", - "path": "/ADMIN", - "attributes": {}, - "realmRoles": [], - "clientRoles": { - "met-eao-": [ - "met-eao-admin" - ] - }, - "subGroups": [ - { - "id": "0434accd-b343-4ad8-864c-66e6d477b46c", - "name": "EAO_IT_ADMIN", - "path": "/ADMIN/EAO_IT_ADMIN", - "attributes": { - "Label": [ - "Administrator" - ], - "Name": [ - "Admin" - ] - }, - "realmRoles": [ - "edit_engagement", - "create_survey", - "default-roles-met", - "create_engagement", - "publish_engagement", - "app-admin", - "create_admin_user", - "view_engagement", - "view_users", - "access_dashboard" - ], - "clientRoles": {}, - "subGroups": [] - } - ] - }, - { - "id": "3c7e5dac-2e0c-4eec-a717-fe8fca228cb2", - "name": "EAO_IT_VIEWER", - "path": "/EAO_IT_VIEWER", - "attributes": {}, - "realmRoles": [ - "offline_access", - "edit_engagement", - "uma_authorization", - "access_dashboard" - ], - "clientRoles": {}, - "subGroups": [] - } - ], - "defaultRole": { - "id": "086d57d3-12e9-4d41-bf6c-333110c75c0a", - "name": "default-roles-met", - "description": "${role_default-roles}", - "composite": true, - "clientRole": false, - "containerId": "met" - }, - "requiredCredentials": [ - "password" - ], - "otpPolicyType": "totp", - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyInitialCounter": 0, - "otpPolicyDigits": 6, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpSupportedApplications": [ - "FreeOTP", - "Google Authenticator" - ], - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - 
"webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "users": [ - { - "id": "b62acf43-f54c-49d5-b880-518a0e754779", - "createdTimestamp": 1658806213538, - "username": "service-account-met-admin", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "met-admin", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "default-roles-met" - ], - "clientRoles": { - "realm-management": [ - "manage-users" - ] - }, - "notBefore": 0, - "groups": [] - } - ], - "scopeMappings": [ - { - "clientScope": "offline_access", - "roles": [ - "offline_access" - ] - } - ], - "clientScopeMappings": { - "account": [ - { - "client": "account-console", - "roles": [ - "manage-account" - ] - } - ] - }, - "clients": [ - { - "id": "81927c14-26a8-4cff-a1b3-7158cdc04182", - "clientId": "account", - "name": "${client_account}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/met/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/met/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - 
"standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "d013e6fe-824c-444b-8206-ecc8912e2959", - "clientId": "account-console", - "name": "${client_account-console}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/met/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/met/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "204f5f09-b693-4caa-ac97-cf1ca41ab12e", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "b0e7a43f-4acf-4b63-981f-2adedc435a38", - "clientId": "admin-cli", - "name": "${client_admin-cli}", - "surrogateAuthRequired": false, - "enabled": true, - 
"alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "56cd24de-cba1-46d4-8952-e37d4e1d35d5", - "clientId": "broker", - "name": "${client_broker}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "2105c988-b70b-48d3-9da4-8e1eac533f6c", - "clientId": "met-admin", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - 
"implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "id.token.as.detached.signature": "false", - "saml.multivalued.roles": "false", - "saml.force.post.binding": "false", - "saml.encrypt": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "saml.artifact.binding": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "a0b89fe2-1008-4149-ab3a-c27827fea10f", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - }, - { - "id": "7d062bd9-9a53-4623-9548-9d822926bb61", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - 
"id": "26bf345d-68a8-4f09-8c4a-217e7614c07c", - "name": "aud-account-services-mapper", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "included.client.audience": "met-admin", - "id.token.claim": "false", - "access.token.claim": "true" - } - }, - { - "id": "7dd1b1b9-269f-499a-a918-b8cacf0db1e0", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "652d9951-0b52-41f2-b0e3-3be8a237d900", - "clientId": "met-api", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "id.token.as.detached.signature": "false", - "saml.multivalued.roles": "false", - "saml.force.post.binding": "false", - "saml.encrypt": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "saml.artifact.binding": 
"false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "84139a29-5137-4f0c-be8a-9d801d0f6cbc", - "clientId": "met-eao-", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "4abf88a0-4f1d-40c5-9b26-125dbaa0816a", - "clientId": "met-web", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "https://met-web-dev.apps.gold.devops.gov.bc.ca/*", - "http://localhost:3000/*" - ], - "webOrigins": [ - "+" - ], - "notBefore": 0, - "bearerOnly": 
false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "id.token.as.detached.signature": "false", - "saml.multivalued.roles": "false", - "saml.force.post.binding": "false", - "saml.encrypt": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "saml.artifact.binding": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "10d9eedc-0138-441a-b3e8-e4c027f48ce7", - "name": "Login identity_provider", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "identity_provider", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "identity_provider", - "jsonType.label": "String", - "access.tokenResponse.claim": "true" - } - }, - { - "id": "13679f5b-3191-4742-bded-2a931214c006", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "id.token.claim": 
"true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String", - "access.tokenResponse.claim": "false" - } - }, - { - "id": "25ed36f0-c01c-4ce7-a9c7-211effd3d922", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String", - "access.tokenResponse.claim": "false" - } - }, - { - "id": "35e991a5-565f-4c4e-8c85-83ead987f508", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String", - "access.tokenResponse.claim": "false" - } - }, - { - "id": "68301d96-aed5-426c-9827-ee8a31fd7e56", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "full.path": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "userinfo.token.claim": "true" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "met-app", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "9670a048-680b-4570-b170-b3b844774917", - "clientId": "realm-management", - "name": "${client_realm-management}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - 
"directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "4bbbf7ec-1055-4805-a222-ca935b4eec58", - "clientId": "security-admin-console", - "name": "${client_security-admin-console}", - "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/met/console/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/admin/met/console/*" - ], - "webOrigins": [ - "+" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "4bd6848b-1c85-434a-92f9-be00b7b01ead", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - } - ], - "clientScopes": [ - { - "id": 
"0dc35a9d-3ff1-435f-acbf-c06cbe5f85c1", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "fb5bd4be-c0c6-46da-974b-460b90fbac99", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - }, - { - "id": "54e85348-573a-4bb4-9435-ddd063be0cdc", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - } - ] - }, - { - "id": "4c29d5f9-50dd-4490-83c1-2a2d817d7d94", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "9b4919b4-58c5-45d1-9e80-e790fcb1cc67", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - }, - { - "id": "cec3b095-3e33-4caa-9ba2-a43cb873427d", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": 
"oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "4f2576fc-60ec-40be-9f39-4471b531d0eb", - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "cf048e2f-ca99-4719-b40e-a109b59f0d69", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - }, - { - "id": "3e01a6db-1ddb-46ef-b374-c469b59d5892", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - } - ] - }, - { - "id": "3b2ad8ed-e9b8-4e36-a6b1-3c886a578b0e", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "6d054433-3146-49bd-a5db-38ea5eacd77e", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": 
"country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "id": "436f0033-9290-4117-8e06-d6a18f9e551a", - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "id": "5654e975-0f93-45ae-843e-489edad755ec", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "id": "36701f89-4b5a-438b-bb02-7064bcbbd1d0", - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "08b7222e-a97f-4da6-9d5e-dd1a1676120f", - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "id": "361ea2f4-d645-4164-9a21-f916c30bbaf2", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - }, - { - "id": "3d747d4e-38c1-4fd8-8c41-5fda61362914", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": 
false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" - } - } - ] - }, - { - "id": "2a8a3532-27a5-41ec-bf1d-ad60e9dc705c", - "name": "offline_access", - "description": "OpenID Connect built-in scope: offline_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - }, - { - "id": "c0a56361-e6b0-4f2c-93d6-511dc4fd4715", - "name": "profile", - "description": "OpenID Connect built-in scope: profile", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${profileScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "5fa52ead-79c8-4ba3-aa12-00adad5f5213", - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String" - } - }, - { - "id": "a2632454-54d5-4072-b843-abd0b49be6b7", - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "String" - } - }, - { - "id": "42c44e72-a728-45a7-8bc5-fe1a236134b2", - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": "oidc-full-name-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - }, - { - "id": "5c18736f-e062-45a9-a56f-7de96831fab0", - "name": 
"profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "profile", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "profile", - "jsonType.label": "String" - } - }, - { - "id": "a5e0006b-e80a-420b-a7b5-e278007ca0f1", - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "website", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String" - } - }, - { - "id": "bad126aa-8cec-4710-9d47-7da84e22a398", - "name": "picture", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String" - } - }, - { - "id": "e4b86ce1-1342-4836-8dc1-5d736cc17490", - "name": "middle name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "middleName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String" - } - }, - { - "id": "21b35942-a064-4134-8d38-4dc5368655d8", - "name": "birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "birthdate", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "birthdate", - "jsonType.label": "String" - } - }, - { - "id": "d1548f64-4040-4745-ae1a-905da5fc7047", - "name": "nickname", - 
"protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "nickname", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "nickname", - "jsonType.label": "String" - } - }, - { - "id": "8cd0b20d-952b-437e-8d3d-9a5eb85d430b", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - }, - { - "id": "139a9581-c98c-4354-b895-b38082aa90a3", - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "gender", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "gender", - "jsonType.label": "String" - } - }, - { - "id": "05acf19d-5bb3-4358-80a6-a1383ec64724", - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "lastName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "family_name", - "jsonType.label": "String" - } - }, - { - "id": "f4aa843f-ab76-43e0-a3d5-3546ac6b2ed5", - "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "zoneinfo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String" - } - }, - { - "id": "ae7cb44e-0353-4549-b64b-fa105098f4b3", - "name": "given name", - "protocol": "openid-connect", 
- "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "firstName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "given_name", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "b87c5ddb-b2f5-407f-a747-a22ce68b1019", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "e12a1407-4e34-40c5-befb-40fc31703e5a", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "fa9423aa-d62f-41eb-9508-6eca3a805125", - "name": "met-app", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "ccdf9244-bdd8-4e72-9b73-62698de470fb", - "name": "Audience", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "included.client.audience": "met-web", - "id.token.claim": "false", - "access.token.claim": "true" - } - } - ] - } - ], - "defaultDefaultClientScopes": [ - "role_list", - "profile", - "email", - "roles", - "web-origins" - ], - "defaultOptionalClientScopes": [ - "offline_access", - "address", - "phone", - "microprofile-jwt" - ], - "browserSecurityHeaders": { - "contentSecurityPolicyReportOnly": "", - "xContentTypeOptions": "nosniff", - "xRobotsTag": "none", - "xFrameOptions": "SAMEORIGIN", - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection": "1; mode=block", - "strictTransportSecurity": "max-age=31536000; includeSubDomains" - }, - "smtpServer": {}, - 
"eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "enabledEventTypes": [], - "adminEventsEnabled": false, - "adminEventsDetailsEnabled": false, - "identityProviders": [ - { - "alias": "idir", - "displayName": "IDIR", - "internalId": "4456563e-b512-46bd-ab53-7b53588463a7", - "providerId": "oidc", - "enabled": true, - "updateProfileFirstLoginMode": "on", - "trustEmail": false, - "storeToken": true, - "addReadTokenRoleOnCreate": true, - "authenticateByDefault": false, - "linkOnly": false, - "firstBrokerLoginFlowAlias": "first broker login", - "config": { - "hideOnLoginPage": "false", - "userInfoUrl": "https://dev.oidc.gov.bc.ca/auth/realms/onestopauth/protocol/openid-connect/userinfo", - "validateSignature": "true", - "clientId": "met-3668", - "tokenUrl": "https://dev.oidc.gov.bc.ca/auth/realms/onestopauth/protocol/openid-connect/token", - "jwksUrl": "https://dev.oidc.gov.bc.ca/auth/realms/onestopauth/protocol/openid-connect/certs", - "issuer": "https://dev.oidc.gov.bc.ca/auth/realms/onestopauth", - "useJwksUrl": "true", - "authorizationUrl": "https://dev.oidc.gov.bc.ca/auth/realms/onestopauth/protocol/openid-connect/auth?kc_idp_hint=idir", - "clientAuthMethod": "client_secret_basic", - "logoutUrl": "https://dev.oidc.gov.bc.ca/auth/realms/onestopauth/protocol/openid-connect/logout", - "syncMode": "IMPORT", - "clientSecret": "**********" - } - } - ], - "identityProviderMappers": [], - "components": { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "id": "d55c50ba-5854-4f9c-aaa5-9aded5bbe9fc", - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, - { - "id": "f9261f07-378b-47d1-be7a-0ba753f8205a", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": 
"e8654614-76ac-41ea-b73f-249c1abc9d24", - "name": "Trusted Hosts", - "providerId": "trusted-hosts", - "subType": "anonymous", - "subComponents": {}, - "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] - } - }, - { - "id": "bdb98af9-5512-4daa-b535-a899ff9ede40", - "name": "Consent Required", - "providerId": "consent-required", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "415406bc-097c-41d8-a157-e28ce4ce2e06", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "8a508a72-6e6b-4b46-b3b1-36f7eb2befaf", - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "1d172938-3450-4187-911d-ad7acb3db50d", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-attribute-mapper", - "saml-user-property-mapper", - "oidc-usermodel-attribute-mapper", - "saml-role-list-mapper", - "oidc-usermodel-property-mapper", - "oidc-full-name-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-address-mapper" - ] - } - }, - { - "id": "a67fca91-0e29-46fe-911f-976065586dc4", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "oidc-sha256-pairwise-sub-mapper", - "saml-user-property-mapper", - "oidc-address-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-usermodel-property-mapper", - "oidc-full-name-mapper", - "saml-user-attribute-mapper", - "saml-role-list-mapper" - ] - } - } - ], - "org.keycloak.keys.KeyProvider": [ - { - "id": "33085382-5dd0-4391-8c06-2e49fa6465f7", - 
"name": "aes-generated", - "providerId": "aes-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - }, - { - "id": "1ba20beb-5b20-4410-bd2b-2c4efa0f4fe1", - "name": "rsa-generated", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - }, - { - "id": "dbee5c9f-90af-4de3-84c5-4447ce0539c0", - "name": "hmac-generated", - "providerId": "hmac-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ], - "algorithm": [ - "HS256" - ] - } - } - ] - }, - "internationalizationEnabled": false, - "supportedLocales": [], - "authenticationFlows": [ - { - "id": "314962c4-322d-4707-a101-4abca8bdfe24", - "alias": "Account verification options", - "description": "Method with which to verity the existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-email-verification", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "bdaf1ce5-96eb-481f-9e72-7d747c9fb873", - "alias": "Authentication Options", - "description": "Authentication options.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "basic-auth", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "basic-auth-otp", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", 
- "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "c0c2f8f7-a332-4d3c-bae9-a76e141fee1c", - "alias": "Browser - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "fd2ca4fe-ab6a-442f-8fc2-b4cde489f075", - "alias": "Direct Grant - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "direct-grant-validate-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "638c0e53-9968-4d36-978f-70bd330c91e3", - "alias": "First broker login - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": 
"REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "cdb6b8be-7e8b-43b8-9238-0993d91f3a2c", - "alias": "Handle Existing Account", - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "Account verification options", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "4c1d808e-de64-4491-a746-db64d843062f", - "alias": "Reset - Conditional OTP", - "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "c90e4ce8-b634-4647-a354-93287075dd01", - "alias": "User creation or linking", - "description": "Flow for the existing/non-existing user alternatives", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "create unique user config", - "authenticator": "idp-create-user-if-unique", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - 
"authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "flowAlias": "Handle Existing Account", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "a2ad2923-67fe-4fbc-8b0c-7066bdda3678", - "alias": "Verify Existing Account by Re-authentication", - "description": "Reauthentication of existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "flowAlias": "First broker login - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "9f58adbb-b805-4675-ad6c-b9be070ab5a4", - "alias": "browser", - "description": "browser based authentication", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorConfig": "idir", - "authenticator": "identity-provider-redirector", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 25, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 30, - "flowAlias": "forms", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "acd9ddd7-0b3b-4822-a074-7b88a6a981b3", - "alias": "clients", - "description": "Base authentication for clients", - "providerId": 
"client-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "client-secret", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-secret-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-x509", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 40, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "d9bda387-8ffd-4b7a-bc72-e28bfb2e8810", - "alias": "direct grant", - "description": "OpenID Connect Resource Owner Grant", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "direct-grant-validate-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 30, - "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "0807d0a3-05bc-46c5-9d34-7af9d2f3c811", - "alias": "docker auth", - "description": "Used by Docker clients to authenticate against the IDP", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "authenticatorFlow": false, - 
"requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "db1fd4d3-0afc-4494-8279-be2eae818888", - "alias": "first broker login", - "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "review profile config", - "authenticator": "idp-review-profile", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "User creation or linking", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "5bf0f6f7-61ac-443d-9c08-898df9ff1a73", - "alias": "forms", - "description": "Username, password, otp and other auth forms.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "f32f5e4b-d808-4219-a904-054e299be6b6", - "alias": "http challenge", - "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "no-cookie-redirect", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - 
"requirement": "REQUIRED", - "priority": 20, - "flowAlias": "Authentication Options", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "5ab3e738-f529-4f72-b325-3cf76a9e2c39", - "alias": "registration", - "description": "registration flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 10, - "flowAlias": "registration form", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "96372272-dbe2-451d-9407-d100cccc2740", - "alias": "registration form", - "description": "registration form", - "providerId": "form-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-user-creation", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-profile-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 40, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-password-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 50, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-recaptcha-action", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 60, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "890726af-4d5e-47b2-b6ba-375407eb2fb7", - "alias": "reset credentials", - "description": "Reset credentials for a user if they forgot their password or something", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "authenticatorFlow": false, - "requirement": "REQUIRED", 
- "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-credential-email", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 40, - "flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "d1111010-f96e-45f8-abb8-f02d06658e7a", - "alias": "saml ecp", - "description": "SAML ECP Profile Authentication Flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - } - ], - "authenticatorConfig": [ - { - "id": "d8a51913-b704-4362-8d3b-93b226fcd9ba", - "alias": "create unique user config", - "config": { - "require.password.update.after.registration": "false" - } - }, - { - "id": "cdeb71cc-6385-4dc1-b237-c7a7d13c829b", - "alias": "idir", - "config": { - "defaultProvider": "idir" - } - }, - { - "id": "b4d5f1ca-529f-468b-ab82-43365fa88833", - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - } - } - ], - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "name": "Configure OTP", - "providerId": "CONFIGURE_TOTP", - "enabled": true, - "defaultAction": false, - "priority": 10, - "config": {} - }, - { - "alias": "terms_and_conditions", - "name": "Terms and Conditions", - "providerId": "terms_and_conditions", - "enabled": false, - "defaultAction": false, - "priority": 20, - "config": {} - }, - { - "alias": "UPDATE_PASSWORD", - "name": 
"Update Password", - "providerId": "UPDATE_PASSWORD", - "enabled": true, - "defaultAction": false, - "priority": 30, - "config": {} - }, - { - "alias": "UPDATE_PROFILE", - "name": "Update Profile", - "providerId": "UPDATE_PROFILE", - "enabled": true, - "defaultAction": false, - "priority": 40, - "config": {} - }, - { - "alias": "VERIFY_EMAIL", - "name": "Verify Email", - "providerId": "VERIFY_EMAIL", - "enabled": true, - "defaultAction": false, - "priority": 50, - "config": {} - }, - { - "alias": "delete_account", - "name": "Delete Account", - "providerId": "delete_account", - "enabled": false, - "defaultAction": false, - "priority": 60, - "config": {} - }, - { - "alias": "update_user_locale", - "name": "Update User Locale", - "providerId": "update_user_locale", - "enabled": true, - "defaultAction": false, - "priority": 1000, - "config": {} - } - ], - "browserFlow": "browser", - "registrationFlow": "registration", - "directGrantFlow": "direct grant", - "resetCredentialsFlow": "reset credentials", - "clientAuthenticationFlow": "clients", - "dockerAuthenticationFlow": "docker auth", - "attributes": { - "cibaBackchannelTokenDeliveryMode": "poll", - "cibaExpiresIn": "120", - "cibaAuthRequestedUserHint": "login_hint", - "oauth2DeviceCodeLifespan": "600", - "oauth2DevicePollingInterval": "5", - "clientOfflineSessionMaxLifespan": "0", - "clientSessionIdleTimeout": "0", - "clientSessionMaxLifespan": "0", - "clientOfflineSessionIdleTimeout": "0", - "cibaInterval": "5" - }, - "keycloakVersion": "14.0.0", - "userManagedAccessAllowed": false, - "clientProfiles": { - "profiles": [] - }, - "clientPolicies": { - "policies": [] - } -} \ No newline at end of file diff --git a/tools/keycloak/keycloak.env b/tools/keycloak/keycloak.env deleted file mode 100644 index 1024fa968..000000000 --- a/tools/keycloak/keycloak.env +++ /dev/null 
@@ -1,20 +0,0 @@
-DB_VENDOR=postgres
-DB_ADDR=metdb
-DB_DATABASE=met
-DB_SCHEMA=keycloak
-DB_PORT=5432
-DB_USER=keycloak
-DB_PASSWORD=keycloak
-
-KEYCLOAK_ADMIN=admin
-KEYCLOAK_ADMIN_PASSWORD=admin
-KEYCLOAK_IMPORT=/opt/jboss/keycloak/init/realm-export.json
-KEYCLOAK_HTTPS=false
-KEYCLOAK_LOGLEVEL=DEBUG
-
-JAVA_OPTS=-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled
-JGROUPS_DISCOVERY_EXTERNAL_IP=keycloak
-JGROUPS_DISCOVERY_PROPERTIES=datasource_jndi_name=java:jboss/datasources/KeycloakDS,initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp,ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
-JGROUPS_DISCOVERY_PROTOCOL=org.jgroups.protocols.JDBC_PING
-KC_PROXY=edge
-PROXY_ADDRESS_FORWARDING=true