diff --git a/docs/_modules.yml b/docs/_modules.yml index bd0caad..8d5aabc 100644 --- a/docs/_modules.yml +++ b/docs/_modules.yml @@ -30,6 +30,4 @@ modules: tracing: name: Tracing Quarkus Apps security: - name: Securing Resources with Keycloak - extra: - name: Extra Credit \ No newline at end of file + name: Securing Quarkus APIs \ No newline at end of file diff --git a/docs/_workshop.yml b/docs/_workshop.yml index f0c2dde..db298a9 100644 --- a/docs/_workshop.yml +++ b/docs/_workshop.yml @@ -27,5 +27,4 @@ modules: - kafka - monitoring - tracing - - security - - extra \ No newline at end of file + - security \ No newline at end of file diff --git a/docs/deploy.adoc b/docs/deploy.adoc index d3d05ee..acbc1d9 100644 --- a/docs/deploy.adoc +++ b/docs/deploy.adoc @@ -156,8 +156,8 @@ Earlier you implemented a series of MicroProfile health checks. To make OpenShif [source,sh,role="copypaste"] ---- -oc set probe dc/people --readiness --get-url=http://:8080/health/ready -oc set probe dc/people --liveness --get-url=http://:8080/health/live +oc set probe dc/people --readiness --initial-delay-seconds=30 --get-url=http://:8080/health/ready +oc set probe dc/people --liveness --initial-delay-seconds=30 --get-url=http://:8080/health/live ---- This configures both a _readiness_ probe (is the app initialized and ready to serve requests?) and a _liveness_ probe (is the app still up and ready to serve requests) with default timeouts. OpenShift will not route any traffic to pods that don't respond successfully to these probes. By editing these, it will trigger a new deployment so make sure the app comes up with its new probes in place: diff --git a/docs/extra.adoc b/docs/extra.adoc deleted file mode 100644 index da3a62a..0000000 --- a/docs/extra.adoc +++ /dev/null @@ -1,2 +0,0 @@ -## Extra Credit - diff --git a/docs/images/secapis.png b/docs/images/secapis.png new file mode 100644 index 0000000..600add7 Binary files /dev/null and b/docs/images/secapis.png differ diff --git a/docs/security.adoc b/docs/security.adoc index 4b40250..49d78e2 100644 --- a/docs/security.adoc +++ b/docs/security.adoc @@ -1,100 +1,42 @@ -## Securing Quarkus APIs with Keycloak +## Securing Quarkus APIs -This exercise demonstrates how your Quarkus applications can use https://keyloak.org[Keycloak] to protect your JAX-RS applications using _bearer token authorization_, where these tokens are issued by a Keycloak Server. +Bearer Token Authorization is the process of authorizing HTTP requests based on the existence and validity of a bearer token representing a subject and her access context, where the token provides valuable information to determine the subject of the call as well whether or not a HTTP resource can be accessed. This is commonly used in OAuth-based identity and access management systems like https://keycloak.org[Keycloak], a popular open source project. In this exercise we'll show you how to use https://github.com/eclipse/microprofile-jwt-auth/releases/download/1.1.1/microprofile-jwt-auth-spec.pdf[Microprofile JSON Web Token (JWT) RBAC], https://keyloak.org[Keycloak] and https://en.wikipedia.org/wiki/OAuth[OAuth] in your Quarkus applications. -Bearer Token Authorization is the process of authorizing HTTP requests based on the existence and validity of a bearer token representing a subject and her access context, where the token provides valuable information to determine the subject of the call as well whether or not a HTTP resource can be accessed. +## Add Keycloak + JWT to Quarkus -Keycloak is a OAuth 2.0 compliant Authorization Server, capable of issuing access tokens so that you can use them to access protected resources. We are not going to enter into the details on what OAuth 2.0 is and how it works but give you a guideline on how to use OAuth 2.0 in your JAX-RS applications using the Quarkus Keycloak Extension. - -If you are already familiar with Keycloak, you’ll notice that the extension is basically another adapter implementation but specific for Quarkus applications. Otherwise, you can find more information in Keycloak documentation. - -## Add Keycloak to Quarkus - -Like other exercises, we'll need another extension to enable the use of Keycloak. Install it with: +Like other exercises, we'll need another extension to enable the use of Keycloak and MicroProfile JWT. Install them with: [source,sh,role="copypaste"] ---- -mvn quarkus:add-extension -Dextensions="keycloak" +mvn quarkus:add-extension -Dextensions="keycloak, jwt" ---- -This will add the necessary entries in your `pom.xml` to bring in the Keycloak extension which is an implementation of a Keycloak Adapter for Quarkus applications and provides all the necessary capabilities to integrate with a Keycloak Server and perform bearer token authorization. +This will add the necessary entries in your `pom.xml` to bring in the Keycloak and JWT extensions. -## Create secured endpoints +## Configure Quarkus for MicroProfile JWT -Create a new class in the `org.acme.people.rest` package called `SecuredResource` with the following code which will create **three new secured endpoints** all beginning with `/secured`: - -[source,java,role="copypaste"] ----- -package org.acme.people.rest; - -import javax.annotation.security.RolesAllowed; -import javax.inject.Inject; -import javax.ws.rs.GET; -import javax.ws.rs.Path; -import javax.ws.rs.Produces; -import javax.ws.rs.core.MediaType; - -import org.jboss.resteasy.annotations.cache.NoCache; -import org.keycloak.KeycloakSecurityContext; - -@Path("/secured") -public class SecuredResource { - - @Inject - KeycloakSecurityContext keycloakSecurityContext; // <1> - - @GET - @Path("/me") // <2> - @RolesAllowed("user") - @Produces(MediaType.APPLICATION_JSON) - @NoCache - public User me() { - return new User(keycloakSecurityContext); - } - - @GET - @Path("/admin") // <3> - @RolesAllowed("admin") - @Produces(MediaType.TEXT_PLAIN) - public String admin() { - return "granted"; - } - - - @GET - @Path("/confidential") // <4> - @Produces(MediaType.TEXT_PLAIN) - public String confidential() { - return "confidential"; - } - - public class User { - - private final String userName; - - User(KeycloakSecurityContext securityContext) { - this.userName = securityContext.getToken().getPreferredUsername(); - } - - public String getUserName() { - return userName; - } - } -} ----- -<1> The `KeycloakSecurityContext` is an object produced by the Keycloak extension that you can use to obtain information from tokens sent to your application. In the source code above we are using this object to access the token representation and obtain the username of the user represented by the token. -<2> Here we are using a `@RolesAllowed` annotation for the `/secured/me` endpoint to make sure that only users granted with the `user` role (i.e. are logged in) can access the endpoint. -<3> For the `/secured/admin` we only want administrators (those granted the `admin` role in our identity management system) to be able to access -<4> For the `/api/confidential` there is no explicit access control defined to this endpoint. The Keycloak extension will enforce access to this endpoint based on the policies defined in the Keycloak Server. For now, don’t worry about how the extension enforces access to `/api/confidential`. Just keep in mind that there is some configuration that we need to define to make this happen. - -## Configuring using the application.properties file - -The Keycloak extension allows you to define the adapter configuration using either the `application.properties` file or using a `keycloak.json`. Open up your `application.properties` file and add the following configuration for Keycloak: +Some configuration of the extensions is required. Add this to your `application.properties`: [source,none,role="copypaste"] ---- -quarkus.keycloak.realm=quarkus # <1> -quarkus.keycloak.auth-server-url=http://{{ KEYCLOAK_URL }}/auth +mp.jwt.verify.publickey.location=META-INF/resources/publicKey.pem # <1> +mp.jwt.verify.issuer=https://quarkus.io/using-jwt-rbac # <2> +quarkus.smallrye-jwt.auth-mechanism=MP-JWT # <3> +quarkus.smallrye-jwt.realm-name=quarkus + +---- +<1> Sets public key location for JWT authentication. This file has been created for you. +<2> Issuer URL. This must match the incoming JWT `iss` _claims_ or else authentication fails. +<3> Sets authentication mechanism name to `MP-JWT`, the MicroProfile JWT RBAC specification standard name for the token based authentication mechanism. + +## Configuring Keycloak + +Next, add these to your `application.properties` for Keycloak: + +[source,none,role="copypaste"] +---- +quarkus.keycloak.realm=quarkus +quarkus.keycloak.auth-server-url={{ KEYCLOAK_URL }}/auth quarkus.keycloak.resource=backend-service quarkus.keycloak.bearer-only=true quarkus.keycloak.credentials.secret=secret @@ -110,9 +52,118 @@ We are using the same Keycloak instance that we use for Eclipse Che, and have pr For more details about this file and all the supported options, please take a look at https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config[Keycloak Adapter Config]. +## Create secured endpoints + +Create a new class in the `org.acme.people.rest` package called `SecuredResource` with the following code which will create **four new secured endpoints** all beginning with `/secured`: + +[source,java,role="copypaste"] +---- +package org.acme.people.rest; + +import java.security.Principal; +import java.util.Optional; + +import javax.annotation.security.RolesAllowed; +import javax.enterprise.context.RequestScoped; +import javax.inject.Inject; +import javax.json.JsonString; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.SecurityContext; + +import org.eclipse.microprofile.jwt.Claim; +import org.eclipse.microprofile.jwt.Claims; +import org.eclipse.microprofile.jwt.JsonWebToken; +import org.jboss.resteasy.annotations.cache.NoCache; +import org.keycloak.KeycloakSecurityContext; + +@Path("/secured") +@RequestScoped // <1> +public class SecuredResource { + + @Inject + KeycloakSecurityContext keycloakSecurityContext; // <2> + + @Inject + JsonWebToken jwt; // <3> + + @Inject + @Claim(standard = Claims.iss) + Optional issuer; // <4> + + @GET + @Path("/me/jwt") + @PermitAll + @Produces(MediaType.TEXT_PLAIN) + public String meJwt(@Context SecurityContext ctx) { // <5> + Principal caller = ctx.getUserPrincipal(); + String name = caller == null ? "anonymous" : caller.getName(); + boolean hasJWT = jwt != null; + + final StringBuilder helloReply = new StringBuilder(String.format("hello %s, isSecure: %s, authScheme: %s, hasJWT: %s\n", name, ctx.isSecure(), ctx.getAuthenticationScheme(), hasJWT)); + if (hasJWT && (jwt.getClaimNames() != null)) { + helloReply.append("Injected issuer: [" + issuer.get() + "]\n"); + jwt.getClaimNames().forEach(n -> { + helloReply.append("\nClaim Name: [" + n + "] Claim Value: [" + jwt.getClaim(n) + "]"); + }); + } + return helloReply.toString(); + } + + @GET + @Path("/me") // <5> + @RolesAllowed("user") + @Produces(MediaType.APPLICATION_JSON) + @NoCache + public User me() { + return new User(keycloakSecurityContext); + } + + @GET + @Path("/admin") // <6> + @RolesAllowed("admin") + @Produces(MediaType.TEXT_PLAIN) + public String admin() { + return "granted"; + } + + + @GET + @Path("/confidential") // <7> + @Produces(MediaType.TEXT_PLAIN) + public String confidential() { + return "confidential"; + } + + public class User { // <8> + + private final String userName; + + User(KeycloakSecurityContext securityContext) { + this.userName = securityContext.getToken().getPreferredUsername(); + } + + public String getUserName() { + return userName; + } + } +} +---- +<1> Adds a `@RequestScoped` as Quarkus uses a default scoping of `ApplicationScoped` and this will produce undesirable behavior since JWT claims are naturally request scoped. +<2> The `KeycloakSecurityContext` is an object produced by the Keycloak extension that you can use to obtain information from tokens sent to your application. +<3> `@JsonWebToken` provides access to the claims associated with the current authenticated JWT token. +<4> When using JWT Authentication, claims encoded in tokens can be `@Inject` ed into your class for convenient access. +<5> The `/me` and `/me/jwt` endpoints demonstrate how to access the security context for Quarkus apps secured with JWT or Keycloak. In the first one we are using a `@RolesAllowed` annotation to make sure that only users granted with the `user` role (i.e. are logged in) can access the endpoint. The `/me/jwt` shows how to access claims. +<6> For the `/secured/admin` we only want administrators (those granted the `admin` role in our identity management system) to be able to access +<7> For the `/api/confidential` there is no explicit access control defined to this endpoint. The Keycloak extension will enforce access to this endpoint based on the policies defined in the Keycloak Server. For now, don’t worry about how the extension enforces access to `/api/confidential`. Just keep in mind that there is some configuration that we need to define to make this happen. +<8> Simple POJO to encapsulate the data model of a Keycloak user. + ## Rebuild and redeploy app -First, re-build the app using the command palette and selecting **Build Executable JAR**. Once that's done, run the following command to re-deploy: +First, re-build the app using the command palette and selecting **Create Executable JAR**. Once that's done, run the following command to re-deploy: [source,sh,role="copypaste"] ---- @@ -139,51 +190,47 @@ Get a token for user `alice` with this command: [source,sh,role="copypaste"] ---- export ALICE_TOKEN=$(\ - curl -X POST http://{{KEYCLOAK_URL}}/auth/realms/quarkus/protocol/openid-connect/token \ + curl -X POST {{KEYCLOAK_URL}}/auth/realms/quarkus/protocol/openid-connect/token \ --user backend-service:secret \ -H 'content-type: application/x-www-form-urlencoded' \ -d 'username=alice&password=alice&grant_type=password' | jq --raw-output '.access_token' \ ) + echo $ALICE_TOKEN ---- -This issues a `curl` command to Keycloak (using `backend-service` credentials which is a special user that is allowed acess to the Keycloak REST API), and fetches a token for Alice using their credentials. You can see the value of this token: - -[source,sh,role="copypaste"] ----- -echo $ALICE_TOKEN ----- +This issues a `curl` command to Keycloak (using `backend-service` credentials which is a special user that is allowed acess to the Keycloak REST API), and fetches a token for Alice using their credentials. Any user is allowed to access the `/secured/me` endpoint which basically returns a JSON payload with personal details about the user that's part of the `KeycloakSecurityContext` object. -[NOTE] -==== -There are other APIs you can use if you try to auto-complete the method name using Che, e.g. `getBirthDate()` or `getPicture()`. Place the cursor just after `securityContext.getToken().` and press CTRL-SPACE to see them: - -::img -==== - -Try out the secured API as Alice: +Try out the Keycloak-secured API as Alice: [source,sh,role="copypaste"] ---- -curl -v -X GET \ +curl -X GET \ http://$(oc get route people -o=go-template --template='{{ .spec.host }}')/secured/me \ -H "Authorization: Bearer $ALICE_TOKEN" ---- You should see: -[source,none] +[source,json] ---- -TODO: OUTPUT +{"userName":"alice"} ---- +[NOTE] +==== +There are other APIs you can use if you try to auto-complete the method name using Che, e.g. `getBirthDate()` or `getPicture()`. Place the cursor just after `securityContext.getToken().get` and press CTRL-SPACE to see them: + +image::secapis.png[apis, 800] +==== + ### Test Admin The `/secured/admin` endpoint can only be accessed by users with the `admin` role. If you try to access this endpoint with the previously issued access token, you should get a 403 response from the server. Try it: [source,sh,role="copypaste"] ---- -curl -v -X GET \ +curl -X GET \ http://$(oc get route people -o=go-template --template='{{ .spec.host }}')/secured/admin \ -H "Authorization: Bearer $ALICE_TOKEN" ---- @@ -192,7 +239,7 @@ You should see: [source,none] ---- -TODO: OUTPUT +Access forbidden: role not allowed ---- Failed as expected! Obtain an Admin token: @@ -200,7 +247,7 @@ Failed as expected! Obtain an Admin token: [source,sh,role="copypaste"] ---- export ADMIN_TOKEN=$(\ - curl -X POST http://{{KEYCLOAK_URL}}/auth/realms/quarkus/protocol/openid-connect/token \ + curl -X POST {{KEYCLOAK_URL}}/auth/realms/quarkus/protocol/openid-connect/token \ --user backend-service:secret \ -H 'content-type: application/x-www-form-urlencoded' \ -d 'username=admin&password=admin&grant_type=password' | jq --raw-output '.access_token' \ @@ -208,9 +255,10 @@ export ADMIN_TOKEN=$(\ ---- And try again with your new token: + [source,sh,role="copypaste"] ---- -curl -v -X GET \ +curl -X GET \ http://$(oc get route people -o=go-template --template='{{ .spec.host }}')/secured/admin \ -H "Authorization: Bearer $ADMIN_TOKEN" ---- @@ -219,7 +267,7 @@ You should see: [source,none] ---- -TODO: OUTPUT +granted ---- Success! @@ -237,11 +285,14 @@ curl -v -X GET \ -H "Authorization: Bearer $ADMIN_TOKEN" ---- -You should see: +You should see in the returned HTTP headers: [source,none] ---- -TODO: output +< HTTP/1.1 403 Forbidden +< Content-Length: 0 +< Date: Mon, 15 Jul 2019 14:13:27 GMT +< Set-Cookie: 199a0e26f45fa42c8974157b896962e3=d0ea1fac5248f71f70eee9941b4902f1; path=/; HttpOnly ---- Failed as expected! @@ -251,7 +302,7 @@ To access the confidential endpoint, you should obtain an access token for user [source,sh,role="copypaste"] ---- export JDOE_TOKEN=$(\ - curl -X POST http://{{KEYCLOAK_URL}}/auth/realms/quarkus/protocol/openid-connect/token \ + curl -X POST {{KEYCLOAK_URL}}/auth/realms/quarkus/protocol/openid-connect/token \ --user backend-service:secret \ -H 'content-type: application/x-www-form-urlencoded' \ -d 'username=jdoe&password=jdoe&grant_type=password' | jq --raw-output '.access_token' \ @@ -262,7 +313,7 @@ And access the confidential endpoint with your new token: [source,sh,role="copypaste"] ---- -curl -v -X GET \ +curl -X GET \ http://$(oc get route people -o=go-template --template='{{ .spec.host }}')/secured/confidential \ -H "Authorization: Bearer $JDOE_TOKEN" ---- @@ -271,28 +322,52 @@ You should see: [source,none] ---- -TODO: OUTPUT +confidential ---- -Success! +Success! Even though our code did not explicitly protect the `/secured/confidential` endpoint, we can protect arbitrary URLs in Quarkus apps when using Keycloak and MicroProfile JWT. + +### Test JWT Authentication + +Use Alice's token to access the JWT endpoint: + +[source,sh,role="copypaste"] +---- +curl -X GET \ + http://$(oc get route people -o=go-template --template='{{ .spec.host }}')/secured/me/jwt \ + -H "Authorization: Bearer $ALICE_TOKEN" +---- + +You should see: + +[source,none] +---- +hello alice, isSecure: false, authScheme: MP-JWT, hasJWT: true +Injected issuer: ["http://keycloak-che.apps.cluster-orlando-c811.orlando-c811.openshiftworkshop.com/auth/realms/quarkus"] + +Claim Name: [sub] Claim Value: [eb4123a3-b722-4798-9af5-8957f823657a] +Claim Name: [email_verified] Claim Value: [false] +Claim Name: [raw_token] Claim Value: [omitted][ +Claim Name: [iss] Claim Value: [http://keycloak-che.apps.cluster-orlando-c811.orlando-c811.openshiftworkshop.com/auth/realms/quarkus] +Claim Name: [groups] Claim Value: [[]] +Claim Name: [typ] Claim Value: ["Bearer"] +Claim Name: [preferred_username] Claim Value: [alice] +Claim Name: [acr] Claim Value: [1] +Claim Name: [nbf] Claim Value: [0] +Claim Name: [realm_access] Claim Value: [{"roles":["user"]}] +Claim Name: [azp] Claim Value: [backend-service] +Claim Name: [auth_time] Claim Value: [0] +Claim Name: [scope] Claim Value: ["email profile"] +Claim Name: [exp] Claim Value: [1563210121] +Claim Name: [session_state] Claim Value: ["816e22c9-5dcb-4b8a-b90f-005b25e145e1"] +Claim Name: [iat] Claim Value: [1563209821] +Claim Name: [jti] Claim Value: [5010b2eb-bb49-4f25-94e4-309d87a041b4] +---- + +As you can see, the JSON Web Token (generated via Keycloak) was used to authenticate Alice, and show all of the various claims encoded in the JWT Token. You are also able to access claims using standard `@Inject` fields which are populated with claims when a request comes in (it can be seen above in the `Injected issuer` line near the beginning). + +You can try it again using other users' tokens (just run the same `curl` again and replace `ALICE_TOKEN` with `JDOE_TOKEN` or `ADMIN_TOKEN` which you set up earlier). ## Congratulations! -This exercise demonstrated how your Quarkus application can use Keycloak to protect your JAX-RS applications using bearer token authorization, where these tokens are issued by a Keycloak Server. - -Quarkus has a number of other security-related features, such as: - -* JSON Web Token support for Access Control - Quarkus application can utilize the https://microprofile.io/project/eclipse/microprofile-jwt-auth[MicroProfile JWT RBAC] to provide secured access to the JAX-RS endpoints. See https://quarkus.io/guides/jwt-guide[this guide] for more detail. - -* Quarkus comes with integration with the https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security[Elytron security subsystem] to allow for RBAC based on the common security annotations `@RolesAllowed`, `@DenyAll`, `@PermitAll` on REST endpoints. See https://quarkus.io/guides/security-guide[this guide] for details. - - - - - - - - - - - +This exercise demonstrated how your Quarkus application can use MicroProfile JWT in conjunction with Keycloak to protect your JAX-RS applications using JWT claims and bearer token authorization. diff --git a/files/quarkus-realm.json b/files/quarkus-realm.json new file mode 100644 index 0000000..f4a5b4d --- /dev/null +++ b/files/quarkus-realm.json @@ -0,0 +1,1619 @@ +{ + "id" : "11d78bf6-6d10-4484-baba-a1388379d68b", + "realm" : "quarkus", + "notBefore" : 0, + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 3000, + "accessTokenLifespanForImplicitFlow" : 9000, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "enabled" : true, + "sslRequired" : "none", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "3fc80564-13ac-4e7b-9986-322f571e82bc", + "name" : "confidential", + "composite" : false, + "clientRole" : false, + "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b", + "attributes" : { } + }, { + "id" : "39eb64c8-66a9-4983-9c81-27ea7e2f6273", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b", + "attributes" : { } + }, { + "id" : "8c1abe12-62fe-4a06-ae0d-f5fb67dddbb0", + "name" : "admin", + "composite" : false, + "clientRole" : false, + "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b", + "attributes" : { } + }, { + "id" : "5afce544-6a3c-495f-b805-fd737cf5081e", + "name" : "user", + "composite" : false, + "clientRole" : false, + "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b", + "attributes" : { } + }, { + "id" : "bc431d62-a80a-425b-961a-0fb3fc59006d", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b", + "attributes" : { } + } ], + "client" : { + "realm-management" : [ { + "id" : "7db1f38d-d436-4725-93fd-030a3bbe628e", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "1163b9bd-7319-4154-a25f-0101b2548d21", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "73d0a556-072b-404f-bf8e-10e2544c8c27", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "7e727e28-2095-4443-b2da-865e684f2308", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "df9e5352-f835-4467-bcaf-cb1b5f55c1ec", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "fa77909a-32a3-41ae-9983-2b92ae03080c", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "a8780507-dc72-4433-8b95-b8e4f3c37d0e", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "f7f4697a-3977-42f6-af86-9bb006cf4d04", + "name" : "realm-admin", + "description" : "${role_realm-admin}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "impersonation", "manage-identity-providers", "view-identity-providers", "view-realm", "query-users", "manage-clients", "manage-events", "manage-realm", "view-authorization", "manage-authorization", "view-users", "create-client", "query-clients", "query-groups", "manage-users", "view-clients", "view-events", "query-realms" ] + } + }, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "ca7dc1ce-a981-4efe-b3f0-a7192b6d3943", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "a0ab4faa-00a9-4f52-ac9f-8e764b6a8126", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "0b4ed5e0-eceb-4d81-ba05-fa67022abe59", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "c10336be-06f3-40ef-bef5-28d8c9b8a1e2", + "name" : "create-client", + "description" : "${role_create-client}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "1a1ffadc-11d5-44ea-bac0-d94372c8ae5c", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-groups", "query-users" ] + } + }, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "5ba9a1a3-9027-4531-8253-b91f6058513c", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "b4fba807-7a7e-4e3e-bd31-45703305a9e3", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "c9384254-0af3-434c-b4ed-7c94f59a8247", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "9a0022f2-bd58-4418-828c-a8e7abe3346b", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "83df8311-4366-4d22-9425-eccc343faa3f", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + }, { + "id" : "e81bf277-047f-4bdd-afd6-59e2016c5066", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "376bd940-e50a-4495-80fc-9c6c07312748", + "attributes" : { } + } ], + "security-admin-console" : [ ], + "admin-cli" : [ ], + "backend-service" : [ { + "id" : "df147a91-6da7-4bbc-866c-f30cf99b2637", + "name" : "uma_protection", + "composite" : false, + "clientRole" : true, + "containerId" : "0ac5df91-e044-4051-bd03-106a3a5fb9cc", + "attributes" : { } + } ], + "broker" : [ { + "id" : "d36865b0-7ade-4bcd-a7dc-1dacbd80f169", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "53d4fe53-a039-471e-886a-28eddc950e95", + "attributes" : { } + } ], + "account" : [ { + "id" : "539325a0-d9b3-4821-97ee-d42999296b62", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "e55e1234-38fa-432d-8d90-39f5e024688d", + "attributes" : { } + }, { + "id" : "e4af836c-c884-4a57-8b1d-fb673b0fe3a5", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "e55e1234-38fa-432d-8d90-39f5e024688d", + "attributes" : { } + }, { + "id" : "35d1c998-bcae-4ab1-a026-4c67bff49a98", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "e55e1234-38fa-432d-8d90-39f5e024688d", + "attributes" : { } + } ] + } + }, + "groups" : [ ], + "defaultRoles" : [ "uma_authorization", "offline_access" ], + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], + "scopeMappings" : [ { + "clientScope" : "offline_access", + "roles" : [ "offline_access" ] + } ], + "clients" : [ { + "id" : "e55e1234-38fa-432d-8d90-39f5e024688d", + "clientId" : "account", + "name" : "${client_account}", + "baseUrl" : "/auth/realms/quarkus/account", + "surrogateAuthRequired" : false, + "enabled" : true, + "clientAuthenticatorType" : "client-secret", + "secret" : "0136c3ef-0dfd-4b13-a6d0-2c8b6358edec", + "defaultRoles" : [ "view-profile", "manage-account" ], + "redirectUris" : [ "/auth/realms/quarkus/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "e9cc41a2-8e35-4d5e-949e-4879880c2ddb", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "clientAuthenticatorType" : "client-secret", + "secret" : "a951803a-79c7-46a6-8197-e32835286971", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "53d4fe53-a039-471e-886a-28eddc950e95", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "clientAuthenticatorType" : "client-secret", + "secret" : "e1f7edd7-e15c-43b4-8736-ff8204d16836", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "0ac5df91-e044-4051-bd03-106a3a5fb9cc", + "clientId" : "backend-service", + "surrogateAuthRequired" : false, + "enabled" : true, + "clientAuthenticatorType" : "client-secret", + "secret" : "secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : true, + "authorizationServicesEnabled" : true, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "protocolMappers" : [ { + "id" : "3eac903f-c16b-4a78-a7e8-eb8f4d402b71", + "name" : "Client ID", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientId", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientId", + "jsonType.label" : "String" + } + }, { + "id" : "8422cefe-7f42-4f3b-abad-5f06f7d4b748", + "name" : "Client IP Address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientAddress", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientAddress", + "jsonType.label" : "String" + } + }, { + "id" : "988e47d6-2055-45eb-82d6-0b8b25c629fc", + "name" : "Client Host", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientHost", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientHost", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ], + "authorizationSettings" : { + "allowRemoteResourceManagement" : true, + "policyEnforcementMode" : "ENFORCING", + "resources" : [ { + "name" : "Confidential Resource", + "ownerManagedAccess" : false, + "attributes" : { }, + "_id" : "99856673-24fa-431b-9e26-93e2113f69db", + "uris" : [ "/secured/confidential" ] + } ], + "policies" : [ { + "id" : "c72b05ee-ee80-4a97-acf2-ca329a44aae1", + "name" : "Confidential Policy", + "type" : "js", + "logic" : "POSITIVE", + "decisionStrategy" : "UNANIMOUS", + "config" : { + "code" : "var identity = $evaluation.context.identity;\n\nif (identity.hasRealmRole(\"confidential\")) {\n$evaluation.grant();\n}" + } + }, { + "id" : "976c6965-9684-42ac-a928-fcad639e5deb", + "name" : "Confidential Permission", + "type" : "resource", + "logic" : "POSITIVE", + "decisionStrategy" : "UNANIMOUS", + "config" : { + "resources" : "[\"Confidential Resource\"]", + "applyPolicies" : "[\"Confidential Policy\"]" + } + } ], + "scopes" : [ ] + } + }, { + "id" : "376bd940-e50a-4495-80fc-9c6c07312748", + "clientId" : "realm-management", + "name" : "${client_realm-management}", + "surrogateAuthRequired" : false, + "enabled" : true, + "clientAuthenticatorType" : "client-secret", + "secret" : "c41b709a-a012-4c69-89d7-4f926dba0619", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "a8732cac-ae0f-44ec-b7f3-bd2c41eff13c", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", + "baseUrl" : "/auth/admin/quarkus/console/index.html", + "surrogateAuthRequired" : false, + "enabled" : true, + "clientAuthenticatorType" : "client-secret", + "secret" : "e571b211-2550-475d-b87f-116ff54091ee", + "redirectUris" : [ "/auth/admin/quarkus/console/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "280528ca-5e96-4bb9-9fc0-20311caac32d", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "520cc3ef-2c6b-4d84-bcde-8c063241f4bd", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "c1d3bd07-0a5f-4f4f-b381-c58a7b723029", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "19920c96-a383-4f35-8ee9-27833263cf03", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "36a0adf0-6c25-419f-98d7-cdeada8661aa", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + }, { + "id" : "b0c39901-5e5d-4436-b685-908bb90ea1d9", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + } ] + }, { + "id" : "55b3ee1c-cbf9-4526-93d7-aa56a9c5f1cb", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "59128144-a21a-4744-bb55-e66ff0503b18", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "69351a63-7d6e-45d0-be47-088c83b20fdb", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "3f190f54-8e3a-4c82-a799-bd12ddc475b2", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + "consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } + }, { + "id" : "defa3480-5368-4f34-8075-49fb982b71b3", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "069ae414-9e98-4612-a3d6-e8b5a1fa841d", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "cea58e24-d0e0-4cc6-9e34-7b3bf7d6d85b", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "b7321e2e-dd8e-41cf-a527-c765155c3f78", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${profileScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "1d4d3df5-7af5-488e-8477-0ad7cb74d50a", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "1a5e26d6-211e-4f8a-b696-0ea9577db25a", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "18971685-6dd7-420f-9c09-879c4f2d54d8", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "String" + } + }, { + "id" : "b970d96b-0156-4db0-9beb-9c84c173e619", + "name" : "birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "50287033-df21-45c6-aa46-c3060e6f9855", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "3dc6b97e-7063-4077-98d1-0cacf9029c7b", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "3fb9391b-376c-42ef-b012-4df461c617cc", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + }, { + "id" : "83f7fc4a-5386-4f86-a103-6585e138b61d", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + }, { + "id" : "8ef177b3-f485-44b1-afee-1901393b00c7", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + }, { + "id" : "e994cbc7-2a1a-4465-b7b7-12b35b4fe49e", + "name" : "gender", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + "jsonType.label" : "String" + } + }, { + "id" : "abaa4c9e-1fa2-4b45-a1bb-b3d650de9aca", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + }, { + "id" : "bf21b514-81fd-4bbe-9236-bab5fcf54561", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "254f8de4-08e7-4d3d-a87f-4b238f0f922b", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "7934bf2a-cfc3-4b2d-a5cb-287f3ed2a977", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "f3dc793d-6011-4861-b538-399dde5434c0", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "22eeabf8-a3c3-4026-a351-367f8ace7927", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + }, { + "id" : "f72c1acd-c367-41b1-8646-b6bd5fff3e3f", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${rolesScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "cd8e589e-5fa7-4dae-bf6e-e8f6a3fd3cff", + "name" : "realm roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "708b19d1-0709-4278-b5a1-bcbeec11f51a", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + }, { + "id" : "25e97210-30c7-4f35-be11-407f1fa674cb", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + } ] + }, { + "id" : "52618957-a4e8-4c6f-a902-217f2c41a2fd", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "a66ddadf-312f-491f-993c-fa58685815c6", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] + } ], + "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins" ], + "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], + "browserSecurityHeaders" : { + "contentSecurityPolicyReportOnly" : "", + "xContentTypeOptions" : "nosniff", + "xRobotsTag" : "none", + "xFrameOptions" : "SAMEORIGIN", + "xXSSProtection" : "1; mode=block", + "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + "smtpServer" : { }, + "eventsEnabled" : false, + "eventsListeners" : [ "jboss-logging" ], + "enabledEventTypes" : [ ], + "adminEventsEnabled" : false, + "adminEventsDetailsEnabled" : false, + "components" : { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { + "id" : "a7679218-373d-48ca-88f8-429985faeae3", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-address-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper" ] + } + }, { + "id" : "2ebf6f9f-4bfc-44b9-ad7c-282f2274d35b", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "552093c3-0a0a-4234-ad7c-ae660f0f0db1", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "8f27cf74-cee7-4a73-851f-982ee45157ca", + "name" : "Trusted Hosts", + "providerId" : "trusted-hosts", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "host-sending-registration-request-must-match" : [ "true" ], + "client-uris-must-match" : [ "true" ] + } + }, { + "id" : "ff570525-6c96-4500-9d73-c02e708b39de", + "name" : "Full Scope Disabled", + "providerId" : "scope", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "b52284eb-123a-4718-aac9-857530a24a9b", + "name" : "Max Clients Limit", + "providerId" : "max-clients", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "max-clients" : [ "200" ] + } + }, { + "id" : "2b8c0a6d-d5c0-4ea2-8a9c-4843d3e04ec6", + "name" : "Consent Required", + "providerId" : "consent-required", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "bf59de5a-2c93-43cc-a9aa-03be0129fe53", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper" ] + } + } ], + "org.keycloak.keys.KeyProvider" : [ { + "id" : "b3efd9cc-28b6-4404-82af-8a48a966b8ff", + "name" : "rsa-generated", + "providerId" : "rsa-generated", + "subComponents" : { }, + "config" : { + "privateKey" : [ "MIIEowIBAAKCAQEAn5T13suF8mlS+pJXp0U1bto41nW55wpcs+Rps8ZVCRyJKWqzwSCYnI7lm0rB2wBpAAO4OPoj1zlmVoFmBPsDU9Xf7rjsJb5LIzIQDCZY44aSDZt6RR+gakPiQvlzHyW/RozYpngDJF7TsTD7rdRF1xQ4RprfBF8fwK/xsU7pxbeom5xDHZhz3fiw8s+7UdbmnazDHfAjU58aUrLGgVRfUsuoHjtsptYlOIXEifaeMetXZE+HhqLYRHQPDap5fbBJl773Trosn7N9nmzN4x1xxGj9So21WC5UboQs9sAIVgizc4omjZ5Y4RN9HLH7G4YwJctNntzmnJhDui9zAO+zSQIDAQABAoIBADi+F7rTtVoft0Cfnok8o6Y58/HVxHdxiMryUd95iy0FN4RBi48FTx6D9QKFz25Ws/8sU2n3D51srIXf1u24b1N0/f39RQKaqk7mcyxOylaEuBQcj5pah4ihgKd92UBfBKdKV5LBo6RgD3e2yhbiHr8+UlBQqzH7vOef6Bm6zIbfmi3N88swAJhP0YizRZFklsbmLsK6nkwyro00CHJvPVKSBbM+ad+/zIBsLw56MvNngB5TuFguUgoljd6M1T2z4utmZGlTUqrfE1onAVLJZoGnRohyIr7dJEg6YxWR70PxsgmkDKyeRvet9P1trO0n+OSprusfrC3cHJStabap1V0CgYEA1A/CtsqTnjdYYsB19eumZgdpzUgNc/YEAzZ/OWb8yTLoB2ncci+63A1rXHUXAqJFY7vtjn5mxv7SuASNbUrzq+6KfZvC1x9XEtnczqT/ypunNfxmIZuj8Nuu6vtURguZ8kPPwdkI8toTizRFeRE5ZDBvoQryiEVYugfHaHT5vzsCgYEAwKWODwquI0Lv9BuwdNVrBXQpkKh3ZfYOA7i9xvhxlM7xUu8OMCwwCPn3r7vrW5APjTqX4h330mJ44SLEs+7gbCUs4BbJBLA6g0ChlHa9PTkxp6tk2nDF/B34fxiZSRkE85L+d+at0Dc3hnlzLCJCzJawGpoPniPU9e4w0p4dN0sCgYAsGnMGjS8SUrRhJWHjGXVr9tK8TOXvXhULjgP7rj2Yoqu7Dvs4DFEyft/7RKbad2EzEtyfLA64CDtO5jN7rYDsGxpWcVSeZPg5BXJ0z8AbJTArfCjJiJMZ/rZsTIUEZFlKF2xYBolj6JLz+pUQTtK+0YwF1D8ItFN1rTR9twZSDQKBgQC6sPXNX+VH6LuPTjIf1x8CxwLs3EXxOpV0R9kp9GRl+HJnk6GlT30xhcThufQo5KAdllXQXIhoiuNoEoCbevhj9Vbax1oBQCNERSMRNEzKAx46xd9TzYwgeo7x5E3QR/3DaoVOfu+cY5ZcrF/PulgP2kxJS1mtQD5GIpGP2oinpwKBgGqiqTFPqRcelx76vBvTU+Jp1zM62T4AotbMrSQR/oUvqHe5Ytj/SbZx+wbbHAiyGgV700Mosyviik83YEAbR3kdOPjgYvAJJW2Y3jEMdQ7MwriXz8XLh5BGmYfVjkSOJXed9ua9WlYLKOJeXXv191BbDvrx5NXuJyVVU4vJx3YZ" ], + "certificate" : [ "MIICnTCCAYUCBgFp4EYIrjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdwcm90ZWFuMB4XDTE5MDQwMjIyNTYxOVoXDTI5MDQwMjIyNTc1OVowEjEQMA4GA1UEAwwHcHJvdGVhbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ+U9d7LhfJpUvqSV6dFNW7aONZ1uecKXLPkabPGVQkciSlqs8EgmJyO5ZtKwdsAaQADuDj6I9c5ZlaBZgT7A1PV3+647CW+SyMyEAwmWOOGkg2bekUfoGpD4kL5cx8lv0aM2KZ4AyRe07Ew+63URdcUOEaa3wRfH8Cv8bFO6cW3qJucQx2Yc934sPLPu1HW5p2swx3wI1OfGlKyxoFUX1LLqB47bKbWJTiFxIn2njHrV2RPh4ai2ER0Dw2qeX2wSZe+9066LJ+zfZ5szeMdccRo/UqNtVguVG6ELPbACFYIs3OKJo2eWOETfRyx+xuGMCXLTZ7c5pyYQ7ovcwDvs0kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAVtmRKDb4OK5iSA46tagMBkp6L7WuPpCWuHGWwobEP+BecYsShW7zP3s12oA8SNSwbhvu0CRqgzxhuypgf3hKQFVU153Erv4hzkj+8S0s5LR/ZE7tDNY2lzJ3yQKXy3Md7EkuzzvOZ50MTrcSKAanWq/ZW1OTnrtGymj5zGJnTg7mMnJzEIGePxkvPu/QdchiPBLqxfZYm1jsFGY25djOC3N/KmVcRVmPRGuu6D8tBFHlKoPfZYPdbMvsvs24aupHKRcZ+ofTCpK+2Qo8c0pSSqeEYHGmuGqC6lC6ozxtxSABPO9Q1R1tZBU7Kg5HvXUwwmoVS3EGub46YbHqbmWMLg==" ], + "priority" : [ "100" ] + } + }, { + "id" : "20460ca5-ec24-4a9b-839a-457743d3f841", + "name" : "hmac-generated", + "providerId" : "hmac-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "96afd00e-85cf-4d35-b18e-061d3813d8b2" ], + "secret" : [ "qBFGKdUGf6xDgKphnRfoFzIzaFHJW4bYnZ9MinPFzN38X5_ctq-2u1q5RdZzeJukXvk2biHB8_s3DxWmmLZFsA" ], + "priority" : [ "100" ], + "algorithm" : [ "HS256" ] + } + }, { + "id" : "4f02d984-7a23-4ce1-8591-848a71390efe", + "name" : "aes-generated", + "providerId" : "aes-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "b04473d3-8395-4016-b455-19a9e951106b" ], + "secret" : [ "x68mMOVdz3qKWzltzReV0g" ], + "priority" : [ "100" ] + } + } ] + }, + "internationalizationEnabled" : false, + "supportedLocales" : [ ], + "authenticationFlows" : [ { + "id" : "d6c3e282-a738-4b8b-98c2-378b9faf8344", + "alias" : "Handle Existing Account", + "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-confirm-link", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "idp-email-verification", + "requirement" : "ALTERNATIVE", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 30, + "flowAlias" : "Verify Existing Account by Re-authentication", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "4855860b-4009-4f1b-ba6b-60581618ea62", + "alias" : "Verify Existing Account by Re-authentication", + "description" : "Reauthentication of existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-username-password-form", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "requirement" : "OPTIONAL", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "8a9872b0-65f1-47ff-9565-fa826ac64cd4", + "alias" : "browser", + "description" : "browser based authentication", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-cookie", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "requirement" : "DISABLED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "identity-provider-redirector", + "requirement" : "ALTERNATIVE", + "priority" : 25, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 30, + "flowAlias" : "forms", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "51b8ed14-62b6-49b3-b602-0b51508349e0", + "alias" : "clients", + "description" : "Base authentication for clients", + "providerId" : "client-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "client-secret", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-jwt", + "requirement" : "ALTERNATIVE", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-secret-jwt", + "requirement" : "ALTERNATIVE", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-x509", + "requirement" : "ALTERNATIVE", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "9b65133a-ee71-494a-a659-6804513fc30b", + "alias" : "direct grant", + "description" : "OpenID Connect Resource Owner Grant", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "direct-grant-validate-username", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-password", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-otp", + "requirement" : "OPTIONAL", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "f62bc4ad-25ac-4f83-963b-32820af3a683", + "alias" : "docker auth", + "description" : "Used by Docker clients to authenticate against the IDP", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "docker-http-basic-authenticator", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "1b423fe7-f312-404c-903b-f1260a77259b", + "alias" : "first broker login", + "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "review profile config", + "authenticator" : "idp-review-profile", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorConfig" : "create unique user config", + "authenticator" : "idp-create-user-if-unique", + "requirement" : "ALTERNATIVE", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 30, + "flowAlias" : "Handle Existing Account", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "9c9530b3-e3c6-481b-99e8-1461a9752e8e", + "alias" : "forms", + "description" : "Username, password, otp and other auth forms.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-username-password-form", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "requirement" : "OPTIONAL", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "70fb94ac-354c-4629-a5fe-5135d0137964", + "alias" : "http challenge", + "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "no-cookie-redirect", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "basic-auth", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "basic-auth-otp", + "requirement" : "DISABLED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "requirement" : "DISABLED", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "08292a4a-6722-4e33-a5d9-354c2628f567", + "alias" : "registration", + "description" : "registration flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-page-form", + "requirement" : "REQUIRED", + "priority" : 10, + "flowAlias" : "registration form", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "668dc4b6-fe1a-4d24-ab5b-bc76e20ac390", + "alias" : "registration form", + "description" : "registration form", + "providerId" : "form-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-user-creation", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-profile-action", + "requirement" : "REQUIRED", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-password-action", + "requirement" : "REQUIRED", + "priority" : 50, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-recaptcha-action", + "requirement" : "DISABLED", + "priority" : 60, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "a0e191f0-ce9a-4a75-b6e4-97332b05f7e5", + "alias" : "reset credentials", + "description" : "Reset credentials for a user if they forgot their password or something", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "reset-credentials-choose-user", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-credential-email", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-password", + "requirement" : "REQUIRED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-otp", + "requirement" : "OPTIONAL", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "ad4beb21-8e9a-4fca-af41-0f757169f26c", + "alias" : "saml ecp", + "description" : "SAML ECP Profile Authentication Flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "http-basic-authenticator", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + } ], + "authenticatorConfig" : [ { + "id" : "25632f91-6071-423a-8e9c-7322cdc1b011", + "alias" : "create unique user config", + "config" : { + "require.password.update.after.registration" : "false" + } + }, { + "id" : "02d7f70b-1ebc-4e72-a65c-d94a600895ac", + "alias" : "review profile config", + "config" : { + "update.profile.on.first.login" : "missing" + } + } ], + "requiredActions" : [ { + "alias" : "CONFIGURE_TOTP", + "name" : "Configure OTP", + "providerId" : "CONFIGURE_TOTP", + "enabled" : true, + "defaultAction" : false, + "priority" : 10, + "config" : { } + }, { + "alias" : "terms_and_conditions", + "name" : "Terms and Conditions", + "providerId" : "terms_and_conditions", + "enabled" : false, + "defaultAction" : false, + "priority" : 20, + "config" : { } + }, { + "alias" : "UPDATE_PASSWORD", + "name" : "Update Password", + "providerId" : "UPDATE_PASSWORD", + "enabled" : true, + "defaultAction" : false, + "priority" : 30, + "config" : { } + }, { + "alias" : "UPDATE_PROFILE", + "name" : "Update Profile", + "providerId" : "UPDATE_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 40, + "config" : { } + }, { + "alias" : "VERIFY_EMAIL", + "name" : "Verify Email", + "providerId" : "VERIFY_EMAIL", + "enabled" : true, + "defaultAction" : false, + "priority" : 50, + "config" : { } + } ], + "browserFlow" : "browser", + "registrationFlow" : "registration", + "directGrantFlow" : "direct grant", + "resetCredentialsFlow" : "reset credentials", + "clientAuthenticationFlow" : "clients", + "dockerAuthenticationFlow" : "docker auth", + "attributes" : { + "_browser_header.xXSSProtection" : "1; mode=block", + "_browser_header.xFrameOptions" : "SAMEORIGIN", + "_browser_header.strictTransportSecurity" : "max-age=31536000; includeSubDomains", + "permanentLockout" : "false", + "quickLoginCheckMilliSeconds" : "1000", + "_browser_header.xRobotsTag" : "none", + "maxFailureWaitSeconds" : "900", + "minimumQuickLoginWaitSeconds" : "60", + "failureFactor" : "30", + "actionTokenGeneratedByUserLifespan" : "300", + "maxDeltaTimeSeconds" : "43200", + "_browser_header.xContentTypeOptions" : "nosniff", + "offlineSessionMaxLifespan" : "5184000", + "actionTokenGeneratedByAdminLifespan" : "43200", + "_browser_header.contentSecurityPolicyReportOnly" : "", + "bruteForceProtected" : "false", + "_browser_header.contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "waitIncrementSeconds" : "60", + "offlineSessionMaxLifespanEnabled" : "false" + }, + "users" : [ { + "id" : "af134cab-f41c-4675-b141-205f975db679", + "username" : "admin", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "credentials" : [ { + "type" : "password", + "hashedSaltedValue" : "NICTtwsvSxJ5hL8hLAuleDUv9jwZcuXgxviMXvR++cciyPtiIEStEaJUyfA9DOir59awjPrHOumsclPVjNBplA==", + "salt" : "T/2P5o5oxFJUEk68BRURRg==", + "hashIterations" : 27500, + "counter" : 0, + "algorithm" : "pbkdf2-sha256", + "digits" : 0, + "period" : 0, + "createdDate" : 1554245879354, + "config" : { } + } ], + "disableableCredentialTypes" : [ "password" ], + "requiredActions" : [ ], + "realmRoles" : [ "admin", "user" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "eb4123a3-b722-4798-9af5-8957f823657a", + "username" : "alice", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "credentials" : [ { + "type" : "password", + "hashedSaltedValue" : "A3okqV2T/ybXTVEgKfosoSjP8Yc9IZbFP/SY4cEd6hag7TABQrQ6nUSuwagGt96l8cw1DTijO75PqX6uiTXMzw==", + "salt" : "sl4mXx6T9FypPH/s9TngfQ==", + "hashIterations" : 27500, + "counter" : 0, + "algorithm" : "pbkdf2-sha256", + "digits" : 0, + "period" : 0, + "createdDate" : 1554245879116, + "config" : { } + } ], + "disableableCredentialTypes" : [ "password" ], + "requiredActions" : [ ], + "realmRoles" : [ "user" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "1eed6a8e-a853-4597-b4c6-c4c2533546a0", + "username" : "jdoe", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "credentials" : [ { + "type" : "password", + "hashedSaltedValue" : "JV3DUNLjqOadjbBOtC4rvacQI553CGaDGAzBS8MR5ReCr7SwF3E6CsW3T7/XO8ITZAsch8+A/6loeuCoVLLJrg==", + "salt" : "uCbOH7HZtyDtMd0E9DG/nw==", + "hashIterations" : 27500, + "counter" : 0, + "algorithm" : "pbkdf2-sha256", + "digits" : 0, + "period" : 0, + "createdDate" : 1554245879227, + "config" : { } + } ], + "disableableCredentialTypes" : [ "password" ], + "requiredActions" : [ ], + "realmRoles" : [ "confidential", "user" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "948c59ec-46ed-4d99-aa43-02900029b930", + "createdTimestamp" : 1554245880023, + "username" : "service-account-backend-service", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "service-account-backend-service@placeholder.org", + "serviceAccountClientId" : "backend-service", + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "offline_access" ], + "clientRoles" : { + "backend-service" : [ "uma_protection" ], + "account" : [ "view-profile", "manage-account" ] + }, + "notBefore" : 0, + "groups" : [ ] + } ], + "keycloakVersion" : "6.0.0", + "userManagedAccessAllowed" : false +} diff --git a/setup/preparelab.sh b/setup/preparelab.sh index ea4b5ed..8812e3d 100755 --- a/setup/preparelab.sh +++ b/setup/preparelab.sh @@ -252,18 +252,13 @@ SSO_TOKEN=$(curl -s -d "username=${KEYCLOAK_USER}&password=${KEYCLOAK_PASSWORD}& -X POST http://keycloak-che.${HOSTNAME_SUFFIX}/auth/realms/master/protocol/openid-connect/token | \ jq -r '.access_token') -# Import realm from -# https://raw.githubusercontent.com/quarkusio/quarkus-quickstarts/master/using-keycloak/config/quarkus-realm.json -TMPREALM=$(mktemp) -curl -s -o $TMPREALM https://raw.githubusercontent.com/quarkusio/quarkus-quickstarts/master/using-keycloak/config/quarkus-realm.json - -curl -v -H "Authorization: Bearer ${SSO_TOKEN}" -H "Content-Type:application/json" -d @${TMPREALM} \ +# Import realm +curl -v -H "Authorization: Bearer ${SSO_TOKEN}" -H "Content-Type:application/json" -d ../files/quarkus-realm.json \ -X POST http://keycloak-che.${HOSTNAME_SUFFIX}/auth/admin/realms -rm -f ${TMPREALM} - -# Create Che users +# Create Che users, let them view che namespace for i in {1..$USERCOUNT} ; do + oc adm policy add-role-to-user view user${i} -n che USERNAME=user${i} FIRSTNAME=User${i} LASTNAME=Developer