├── .gitattributes ├── .gitignore ├── LICENSE ├── README.md ├── build.pipeline ├── keycloak-export-tests ├── pom.xml └── src │ └── test │ ├── java │ └── io │ │ └── cloudtrust │ │ └── keycloak │ │ └── export │ │ ├── ExportResourceProviderTest.java │ │ └── dto │ │ └── BetterRealmRepresentationTest.java │ └── resources │ ├── exported-realm.json │ ├── keycloak.properties │ ├── log4j.properties │ └── test-export-realm.json ├── keycloak-export ├── assembly.xml ├── install.sh ├── module.xml ├── pom.xml └── src │ └── main │ ├── java │ └── io │ │ └── cloudtrust │ │ └── keycloak │ │ ├── export │ │ ├── ExportResourceProvider.java │ │ ├── ExportResourceProviderFactory.java │ │ ├── ImportExportUtils.java │ │ ├── SingleFileImportProvider.java │ │ ├── SingleFileImportProviderFactory.java │ │ └── dto │ │ │ ├── BetterCredentialRepresentation.java │ │ │ ├── BetterRealmRepresentation.java │ │ │ └── BetterUserRepresentation.java │ │ └── json │ │ ├── BetterCredentialDeserializer.java │ │ └── BetterUserDeserializer.java │ └── resources │ ├── META-INF │ ├── keycloak-themes.json │ └── services │ │ ├── org.keycloak.exportimport.ImportProviderFactory │ │ └── org.keycloak.services.resource.RealmResourceProviderFactory │ └── theme │ └── ctexport │ └── admin │ ├── resources │ ├── css │ │ └── styles.css │ ├── js │ │ ├── controllers │ │ │ └── realm.js │ │ └── services.js │ └── templates │ │ └── kc-modal.html │ └── theme.properties └── pom.xml /.gitattributes: -------------------------------------------------------------------------------- 1 | *.js linguist-vendored -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled class file 2 | *.class 3 | 4 | # Log file 5 | *.log 6 | 7 | # BlueJ files 8 | *.ctxt 9 | 10 | # Mobile Tools for Java (J2ME) 11 | .mtj.tmp/ 12 | 13 | # Package Files # 14 | *.war 15 | *.ear 16 | *.zip 17 | *.tar.gz 18 | *.rar 19 | 20 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 21 | hs_err_pid* 22 | 23 | # IDE 24 | *.iml 25 | .idea/ 26 | .classpath 27 | .project 28 | .settings/ 29 | 30 | # target 31 | target/ 32 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU AFFERO GENERAL PUBLIC LICENSE 2 | Version 3, 19 November 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU Affero General Public License is a free, copyleft license for 11 | software and other kinds of works, specifically designed to ensure 12 | cooperation with the community in the case of network server software. 13 | 14 | The licenses for most software and other practical works are designed 15 | to take away your freedom to share and change the works. By contrast, 16 | our General Public Licenses are intended to guarantee your freedom to 17 | share and change all versions of a program--to make sure it remains free 18 | software for all its users. 19 | 20 | When we speak of free software, we are referring to freedom, not 21 | price. Our General Public Licenses are designed to make sure that you 22 | have the freedom to distribute copies of free software (and charge for 23 | them if you wish), that you receive source code or can get it if you 24 | want it, that you can change the software or use pieces of it in new 25 | free programs, and that you know you can do these things. 26 | 27 | Developers that use our General Public Licenses protect your rights 28 | with two steps: (1) assert copyright on the software, and (2) offer 29 | you this License which gives you legal permission to copy, distribute 30 | and/or modify the software. 31 | 32 | A secondary benefit of defending all users' freedom is that 33 | improvements made in alternate versions of the program, if they 34 | receive widespread use, become available for other developers to 35 | incorporate. Many developers of free software are heartened and 36 | encouraged by the resulting cooperation. However, in the case of 37 | software used on network servers, this result may fail to come about. 38 | The GNU General Public License permits making a modified version and 39 | letting the public access it on a server without ever releasing its 40 | source code to the public. 41 | 42 | The GNU Affero General Public License is designed specifically to 43 | ensure that, in such cases, the modified source code becomes available 44 | to the community. It requires the operator of a network server to 45 | provide the source code of the modified version running there to the 46 | users of that server. Therefore, public use of a modified version, on 47 | a publicly accessible server, gives the public access to the source 48 | code of the modified version. 49 | 50 | An older license, called the Affero General Public License and 51 | published by Affero, was designed to accomplish similar goals. This is 52 | a different license, not a version of the Affero GPL, but Affero has 53 | released a new version of the Affero GPL which permits relicensing under 54 | this license. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | TERMS AND CONDITIONS 60 | 61 | 0. Definitions. 62 | 63 | "This License" refers to version 3 of the GNU Affero General Public License. 64 | 65 | "Copyright" also means copyright-like laws that apply to other kinds of 66 | works, such as semiconductor masks. 67 | 68 | "The Program" refers to any copyrightable work licensed under this 69 | License. Each licensee is addressed as "you". "Licensees" and 70 | "recipients" may be individuals or organizations. 71 | 72 | To "modify" a work means to copy from or adapt all or part of the work 73 | in a fashion requiring copyright permission, other than the making of an 74 | exact copy. The resulting work is called a "modified version" of the 75 | earlier work or a work "based on" the earlier work. 76 | 77 | A "covered work" means either the unmodified Program or a work based 78 | on the Program. 79 | 80 | To "propagate" a work means to do anything with it that, without 81 | permission, would make you directly or secondarily liable for 82 | infringement under applicable copyright law, except executing it on a 83 | computer or modifying a private copy. Propagation includes copying, 84 | distribution (with or without modification), making available to the 85 | public, and in some countries other activities as well. 86 | 87 | To "convey" a work means any kind of propagation that enables other 88 | parties to make or receive copies. Mere interaction with a user through 89 | a computer network, with no transfer of a copy, is not conveying. 90 | 91 | An interactive user interface displays "Appropriate Legal Notices" 92 | to the extent that it includes a convenient and prominently visible 93 | feature that (1) displays an appropriate copyright notice, and (2) 94 | tells the user that there is no warranty for the work (except to the 95 | extent that warranties are provided), that licensees may convey the 96 | work under this License, and how to view a copy of this License. If 97 | the interface presents a list of user commands or options, such as a 98 | menu, a prominent item in the list meets this criterion. 99 | 100 | 1. Source Code. 101 | 102 | The "source code" for a work means the preferred form of the work 103 | for making modifications to it. "Object code" means any non-source 104 | form of a work. 105 | 106 | A "Standard Interface" means an interface that either is an official 107 | standard defined by a recognized standards body, or, in the case of 108 | interfaces specified for a particular programming language, one that 109 | is widely used among developers working in that language. 110 | 111 | The "System Libraries" of an executable work include anything, other 112 | than the work as a whole, that (a) is included in the normal form of 113 | packaging a Major Component, but which is not part of that Major 114 | Component, and (b) serves only to enable use of the work with that 115 | Major Component, or to implement a Standard Interface for which an 116 | implementation is available to the public in source code form. A 117 | "Major Component", in this context, means a major essential component 118 | (kernel, window system, and so on) of the specific operating system 119 | (if any) on which the executable work runs, or a compiler used to 120 | produce the work, or an object code interpreter used to run it. 121 | 122 | The "Corresponding Source" for a work in object code form means all 123 | the source code needed to generate, install, and (for an executable 124 | work) run the object code and to modify the work, including scripts to 125 | control those activities. However, it does not include the work's 126 | System Libraries, or general-purpose tools or generally available free 127 | programs which are used unmodified in performing those activities but 128 | which are not part of the work. For example, Corresponding Source 129 | includes interface definition files associated with source files for 130 | the work, and the source code for shared libraries and dynamically 131 | linked subprograms that the work is specifically designed to require, 132 | such as by intimate data communication or control flow between those 133 | subprograms and other parts of the work. 134 | 135 | The Corresponding Source need not include anything that users 136 | can regenerate automatically from other parts of the Corresponding 137 | Source. 138 | 139 | The Corresponding Source for a work in source code form is that 140 | same work. 141 | 142 | 2. Basic Permissions. 143 | 144 | All rights granted under this License are granted for the term of 145 | copyright on the Program, and are irrevocable provided the stated 146 | conditions are met. This License explicitly affirms your unlimited 147 | permission to run the unmodified Program. The output from running a 148 | covered work is covered by this License only if the output, given its 149 | content, constitutes a covered work. This License acknowledges your 150 | rights of fair use or other equivalent, as provided by copyright law. 151 | 152 | You may make, run and propagate covered works that you do not 153 | convey, without conditions so long as your license otherwise remains 154 | in force. You may convey covered works to others for the sole purpose 155 | of having them make modifications exclusively for you, or provide you 156 | with facilities for running those works, provided that you comply with 157 | the terms of this License in conveying all material for which you do 158 | not control copyright. Those thus making or running the covered works 159 | for you must do so exclusively on your behalf, under your direction 160 | and control, on terms that prohibit them from making any copies of 161 | your copyrighted material outside their relationship with you. 162 | 163 | Conveying under any other circumstances is permitted solely under 164 | the conditions stated below. Sublicensing is not allowed; section 10 165 | makes it unnecessary. 166 | 167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 168 | 169 | No covered work shall be deemed part of an effective technological 170 | measure under any applicable law fulfilling obligations under article 171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 172 | similar laws prohibiting or restricting circumvention of such 173 | measures. 174 | 175 | When you convey a covered work, you waive any legal power to forbid 176 | circumvention of technological measures to the extent such circumvention 177 | is effected by exercising rights under this License with respect to 178 | the covered work, and you disclaim any intention to limit operation or 179 | modification of the work as a means of enforcing, against the work's 180 | users, your or third parties' legal rights to forbid circumvention of 181 | technological measures. 182 | 183 | 4. Conveying Verbatim Copies. 184 | 185 | You may convey verbatim copies of the Program's source code as you 186 | receive it, in any medium, provided that you conspicuously and 187 | appropriately publish on each copy an appropriate copyright notice; 188 | keep intact all notices stating that this License and any 189 | non-permissive terms added in accord with section 7 apply to the code; 190 | keep intact all notices of the absence of any warranty; and give all 191 | recipients a copy of this License along with the Program. 192 | 193 | You may charge any price or no price for each copy that you convey, 194 | and you may offer support or warranty protection for a fee. 195 | 196 | 5. Conveying Modified Source Versions. 197 | 198 | You may convey a work based on the Program, or the modifications to 199 | produce it from the Program, in the form of source code under the 200 | terms of section 4, provided that you also meet all of these conditions: 201 | 202 | a) The work must carry prominent notices stating that you modified 203 | it, and giving a relevant date. 204 | 205 | b) The work must carry prominent notices stating that it is 206 | released under this License and any conditions added under section 207 | 7. This requirement modifies the requirement in section 4 to 208 | "keep intact all notices". 209 | 210 | c) You must license the entire work, as a whole, under this 211 | License to anyone who comes into possession of a copy. This 212 | License will therefore apply, along with any applicable section 7 213 | additional terms, to the whole of the work, and all its parts, 214 | regardless of how they are packaged. This License gives no 215 | permission to license the work in any other way, but it does not 216 | invalidate such permission if you have separately received it. 217 | 218 | d) If the work has interactive user interfaces, each must display 219 | Appropriate Legal Notices; however, if the Program has interactive 220 | interfaces that do not display Appropriate Legal Notices, your 221 | work need not make them do so. 222 | 223 | A compilation of a covered work with other separate and independent 224 | works, which are not by their nature extensions of the covered work, 225 | and which are not combined with it such as to form a larger program, 226 | in or on a volume of a storage or distribution medium, is called an 227 | "aggregate" if the compilation and its resulting copyright are not 228 | used to limit the access or legal rights of the compilation's users 229 | beyond what the individual works permit. Inclusion of a covered work 230 | in an aggregate does not cause this License to apply to the other 231 | parts of the aggregate. 232 | 233 | 6. Conveying Non-Source Forms. 234 | 235 | You may convey a covered work in object code form under the terms 236 | of sections 4 and 5, provided that you also convey the 237 | machine-readable Corresponding Source under the terms of this License, 238 | in one of these ways: 239 | 240 | a) Convey the object code in, or embodied in, a physical product 241 | (including a physical distribution medium), accompanied by the 242 | Corresponding Source fixed on a durable physical medium 243 | customarily used for software interchange. 244 | 245 | b) Convey the object code in, or embodied in, a physical product 246 | (including a physical distribution medium), accompanied by a 247 | written offer, valid for at least three years and valid for as 248 | long as you offer spare parts or customer support for that product 249 | model, to give anyone who possesses the object code either (1) a 250 | copy of the Corresponding Source for all the software in the 251 | product that is covered by this License, on a durable physical 252 | medium customarily used for software interchange, for a price no 253 | more than your reasonable cost of physically performing this 254 | conveying of source, or (2) access to copy the 255 | Corresponding Source from a network server at no charge. 256 | 257 | c) Convey individual copies of the object code with a copy of the 258 | written offer to provide the Corresponding Source. This 259 | alternative is allowed only occasionally and noncommercially, and 260 | only if you received the object code with such an offer, in accord 261 | with subsection 6b. 262 | 263 | d) Convey the object code by offering access from a designated 264 | place (gratis or for a charge), and offer equivalent access to the 265 | Corresponding Source in the same way through the same place at no 266 | further charge. You need not require recipients to copy the 267 | Corresponding Source along with the object code. If the place to 268 | copy the object code is a network server, the Corresponding Source 269 | may be on a different server (operated by you or a third party) 270 | that supports equivalent copying facilities, provided you maintain 271 | clear directions next to the object code saying where to find the 272 | Corresponding Source. Regardless of what server hosts the 273 | Corresponding Source, you remain obligated to ensure that it is 274 | available for as long as needed to satisfy these requirements. 275 | 276 | e) Convey the object code using peer-to-peer transmission, provided 277 | you inform other peers where the object code and Corresponding 278 | Source of the work are being offered to the general public at no 279 | charge under subsection 6d. 280 | 281 | A separable portion of the object code, whose source code is excluded 282 | from the Corresponding Source as a System Library, need not be 283 | included in conveying the object code work. 284 | 285 | A "User Product" is either (1) a "consumer product", which means any 286 | tangible personal property which is normally used for personal, family, 287 | or household purposes, or (2) anything designed or sold for incorporation 288 | into a dwelling. In determining whether a product is a consumer product, 289 | doubtful cases shall be resolved in favor of coverage. For a particular 290 | product received by a particular user, "normally used" refers to a 291 | typical or common use of that class of product, regardless of the status 292 | of the particular user or of the way in which the particular user 293 | actually uses, or expects or is expected to use, the product. A product 294 | is a consumer product regardless of whether the product has substantial 295 | commercial, industrial or non-consumer uses, unless such uses represent 296 | the only significant mode of use of the product. 297 | 298 | "Installation Information" for a User Product means any methods, 299 | procedures, authorization keys, or other information required to install 300 | and execute modified versions of a covered work in that User Product from 301 | a modified version of its Corresponding Source. The information must 302 | suffice to ensure that the continued functioning of the modified object 303 | code is in no case prevented or interfered with solely because 304 | modification has been made. 305 | 306 | If you convey an object code work under this section in, or with, or 307 | specifically for use in, a User Product, and the conveying occurs as 308 | part of a transaction in which the right of possession and use of the 309 | User Product is transferred to the recipient in perpetuity or for a 310 | fixed term (regardless of how the transaction is characterized), the 311 | Corresponding Source conveyed under this section must be accompanied 312 | by the Installation Information. But this requirement does not apply 313 | if neither you nor any third party retains the ability to install 314 | modified object code on the User Product (for example, the work has 315 | been installed in ROM). 316 | 317 | The requirement to provide Installation Information does not include a 318 | requirement to continue to provide support service, warranty, or updates 319 | for a work that has been modified or installed by the recipient, or for 320 | the User Product in which it has been modified or installed. Access to a 321 | network may be denied when the modification itself materially and 322 | adversely affects the operation of the network or violates the rules and 323 | protocols for communication across the network. 324 | 325 | Corresponding Source conveyed, and Installation Information provided, 326 | in accord with this section must be in a format that is publicly 327 | documented (and with an implementation available to the public in 328 | source code form), and must require no special password or key for 329 | unpacking, reading or copying. 330 | 331 | 7. Additional Terms. 332 | 333 | "Additional permissions" are terms that supplement the terms of this 334 | License by making exceptions from one or more of its conditions. 335 | Additional permissions that are applicable to the entire Program shall 336 | be treated as though they were included in this License, to the extent 337 | that they are valid under applicable law. If additional permissions 338 | apply only to part of the Program, that part may be used separately 339 | under those permissions, but the entire Program remains governed by 340 | this License without regard to the additional permissions. 341 | 342 | When you convey a copy of a covered work, you may at your option 343 | remove any additional permissions from that copy, or from any part of 344 | it. (Additional permissions may be written to require their own 345 | removal in certain cases when you modify the work.) You may place 346 | additional permissions on material, added by you to a covered work, 347 | for which you have or can give appropriate copyright permission. 348 | 349 | Notwithstanding any other provision of this License, for material you 350 | add to a covered work, you may (if authorized by the copyright holders of 351 | that material) supplement the terms of this License with terms: 352 | 353 | a) Disclaiming warranty or limiting liability differently from the 354 | terms of sections 15 and 16 of this License; or 355 | 356 | b) Requiring preservation of specified reasonable legal notices or 357 | author attributions in that material or in the Appropriate Legal 358 | Notices displayed by works containing it; or 359 | 360 | c) Prohibiting misrepresentation of the origin of that material, or 361 | requiring that modified versions of such material be marked in 362 | reasonable ways as different from the original version; or 363 | 364 | d) Limiting the use for publicity purposes of names of licensors or 365 | authors of the material; or 366 | 367 | e) Declining to grant rights under trademark law for use of some 368 | trade names, trademarks, or service marks; or 369 | 370 | f) Requiring indemnification of licensors and authors of that 371 | material by anyone who conveys the material (or modified versions of 372 | it) with contractual assumptions of liability to the recipient, for 373 | any liability that these contractual assumptions directly impose on 374 | those licensors and authors. 375 | 376 | All other non-permissive additional terms are considered "further 377 | restrictions" within the meaning of section 10. If the Program as you 378 | received it, or any part of it, contains a notice stating that it is 379 | governed by this License along with a term that is a further 380 | restriction, you may remove that term. If a license document contains 381 | a further restriction but permits relicensing or conveying under this 382 | License, you may add to a covered work material governed by the terms 383 | of that license document, provided that the further restriction does 384 | not survive such relicensing or conveying. 385 | 386 | If you add terms to a covered work in accord with this section, you 387 | must place, in the relevant source files, a statement of the 388 | additional terms that apply to those files, or a notice indicating 389 | where to find the applicable terms. 390 | 391 | Additional terms, permissive or non-permissive, may be stated in the 392 | form of a separately written license, or stated as exceptions; 393 | the above requirements apply either way. 394 | 395 | 8. Termination. 396 | 397 | You may not propagate or modify a covered work except as expressly 398 | provided under this License. Any attempt otherwise to propagate or 399 | modify it is void, and will automatically terminate your rights under 400 | this License (including any patent licenses granted under the third 401 | paragraph of section 11). 402 | 403 | However, if you cease all violation of this License, then your 404 | license from a particular copyright holder is reinstated (a) 405 | provisionally, unless and until the copyright holder explicitly and 406 | finally terminates your license, and (b) permanently, if the copyright 407 | holder fails to notify you of the violation by some reasonable means 408 | prior to 60 days after the cessation. 409 | 410 | Moreover, your license from a particular copyright holder is 411 | reinstated permanently if the copyright holder notifies you of the 412 | violation by some reasonable means, this is the first time you have 413 | received notice of violation of this License (for any work) from that 414 | copyright holder, and you cure the violation prior to 30 days after 415 | your receipt of the notice. 416 | 417 | Termination of your rights under this section does not terminate the 418 | licenses of parties who have received copies or rights from you under 419 | this License. If your rights have been terminated and not permanently 420 | reinstated, you do not qualify to receive new licenses for the same 421 | material under section 10. 422 | 423 | 9. Acceptance Not Required for Having Copies. 424 | 425 | You are not required to accept this License in order to receive or 426 | run a copy of the Program. Ancillary propagation of a covered work 427 | occurring solely as a consequence of using peer-to-peer transmission 428 | to receive a copy likewise does not require acceptance. However, 429 | nothing other than this License grants you permission to propagate or 430 | modify any covered work. These actions infringe copyright if you do 431 | not accept this License. Therefore, by modifying or propagating a 432 | covered work, you indicate your acceptance of this License to do so. 433 | 434 | 10. Automatic Licensing of Downstream Recipients. 435 | 436 | Each time you convey a covered work, the recipient automatically 437 | receives a license from the original licensors, to run, modify and 438 | propagate that work, subject to this License. You are not responsible 439 | for enforcing compliance by third parties with this License. 440 | 441 | An "entity transaction" is a transaction transferring control of an 442 | organization, or substantially all assets of one, or subdividing an 443 | organization, or merging organizations. If propagation of a covered 444 | work results from an entity transaction, each party to that 445 | transaction who receives a copy of the work also receives whatever 446 | licenses to the work the party's predecessor in interest had or could 447 | give under the previous paragraph, plus a right to possession of the 448 | Corresponding Source of the work from the predecessor in interest, if 449 | the predecessor has it or can get it with reasonable efforts. 450 | 451 | You may not impose any further restrictions on the exercise of the 452 | rights granted or affirmed under this License. For example, you may 453 | not impose a license fee, royalty, or other charge for exercise of 454 | rights granted under this License, and you may not initiate litigation 455 | (including a cross-claim or counterclaim in a lawsuit) alleging that 456 | any patent claim is infringed by making, using, selling, offering for 457 | sale, or importing the Program or any portion of it. 458 | 459 | 11. Patents. 460 | 461 | A "contributor" is a copyright holder who authorizes use under this 462 | License of the Program or a work on which the Program is based. The 463 | work thus licensed is called the contributor's "contributor version". 464 | 465 | A contributor's "essential patent claims" are all patent claims 466 | owned or controlled by the contributor, whether already acquired or 467 | hereafter acquired, that would be infringed by some manner, permitted 468 | by this License, of making, using, or selling its contributor version, 469 | but do not include claims that would be infringed only as a 470 | consequence of further modification of the contributor version. For 471 | purposes of this definition, "control" includes the right to grant 472 | patent sublicenses in a manner consistent with the requirements of 473 | this License. 474 | 475 | Each contributor grants you a non-exclusive, worldwide, royalty-free 476 | patent license under the contributor's essential patent claims, to 477 | make, use, sell, offer for sale, import and otherwise run, modify and 478 | propagate the contents of its contributor version. 479 | 480 | In the following three paragraphs, a "patent license" is any express 481 | agreement or commitment, however denominated, not to enforce a patent 482 | (such as an express permission to practice a patent or covenant not to 483 | sue for patent infringement). To "grant" such a patent license to a 484 | party means to make such an agreement or commitment not to enforce a 485 | patent against the party. 486 | 487 | If you convey a covered work, knowingly relying on a patent license, 488 | and the Corresponding Source of the work is not available for anyone 489 | to copy, free of charge and under the terms of this License, through a 490 | publicly available network server or other readily accessible means, 491 | then you must either (1) cause the Corresponding Source to be so 492 | available, or (2) arrange to deprive yourself of the benefit of the 493 | patent license for this particular work, or (3) arrange, in a manner 494 | consistent with the requirements of this License, to extend the patent 495 | license to downstream recipients. "Knowingly relying" means you have 496 | actual knowledge that, but for the patent license, your conveying the 497 | covered work in a country, or your recipient's use of the covered work 498 | in a country, would infringe one or more identifiable patents in that 499 | country that you have reason to believe are valid. 500 | 501 | If, pursuant to or in connection with a single transaction or 502 | arrangement, you convey, or propagate by procuring conveyance of, a 503 | covered work, and grant a patent license to some of the parties 504 | receiving the covered work authorizing them to use, propagate, modify 505 | or convey a specific copy of the covered work, then the patent license 506 | you grant is automatically extended to all recipients of the covered 507 | work and works based on it. 508 | 509 | A patent license is "discriminatory" if it does not include within 510 | the scope of its coverage, prohibits the exercise of, or is 511 | conditioned on the non-exercise of one or more of the rights that are 512 | specifically granted under this License. You may not convey a covered 513 | work if you are a party to an arrangement with a third party that is 514 | in the business of distributing software, under which you make payment 515 | to the third party based on the extent of your activity of conveying 516 | the work, and under which the third party grants, to any of the 517 | parties who would receive the covered work from you, a discriminatory 518 | patent license (a) in connection with copies of the covered work 519 | conveyed by you (or copies made from those copies), or (b) primarily 520 | for and in connection with specific products or compilations that 521 | contain the covered work, unless you entered into that arrangement, 522 | or that patent license was granted, prior to 28 March 2007. 523 | 524 | Nothing in this License shall be construed as excluding or limiting 525 | any implied license or other defenses to infringement that may 526 | otherwise be available to you under applicable patent law. 527 | 528 | 12. No Surrender of Others' Freedom. 529 | 530 | If conditions are imposed on you (whether by court order, agreement or 531 | otherwise) that contradict the conditions of this License, they do not 532 | excuse you from the conditions of this License. If you cannot convey a 533 | covered work so as to satisfy simultaneously your obligations under this 534 | License and any other pertinent obligations, then as a consequence you may 535 | not convey it at all. For example, if you agree to terms that obligate you 536 | to collect a royalty for further conveying from those to whom you convey 537 | the Program, the only way you could satisfy both those terms and this 538 | License would be to refrain entirely from conveying the Program. 539 | 540 | 13. Remote Network Interaction; Use with the GNU General Public License. 541 | 542 | Notwithstanding any other provision of this License, if you modify the 543 | Program, your modified version must prominently offer all users 544 | interacting with it remotely through a computer network (if your version 545 | supports such interaction) an opportunity to receive the Corresponding 546 | Source of your version by providing access to the Corresponding Source 547 | from a network server at no charge, through some standard or customary 548 | means of facilitating copying of software. This Corresponding Source 549 | shall include the Corresponding Source for any work covered by version 3 550 | of the GNU General Public License that is incorporated pursuant to the 551 | following paragraph. 552 | 553 | Notwithstanding any other provision of this License, you have 554 | permission to link or combine any covered work with a work licensed 555 | under version 3 of the GNU General Public License into a single 556 | combined work, and to convey the resulting work. The terms of this 557 | License will continue to apply to the part which is the covered work, 558 | but the work with which it is combined will remain governed by version 559 | 3 of the GNU General Public License. 560 | 561 | 14. Revised Versions of this License. 562 | 563 | The Free Software Foundation may publish revised and/or new versions of 564 | the GNU Affero General Public License from time to time. Such new versions 565 | will be similar in spirit to the present version, but may differ in detail to 566 | address new problems or concerns. 567 | 568 | Each version is given a distinguishing version number. If the 569 | Program specifies that a certain numbered version of the GNU Affero General 570 | Public License "or any later version" applies to it, you have the 571 | option of following the terms and conditions either of that numbered 572 | version or of any later version published by the Free Software 573 | Foundation. If the Program does not specify a version number of the 574 | GNU Affero General Public License, you may choose any version ever published 575 | by the Free Software Foundation. 576 | 577 | If the Program specifies that a proxy can decide which future 578 | versions of the GNU Affero General Public License can be used, that proxy's 579 | public statement of acceptance of a version permanently authorizes you 580 | to choose that version for the Program. 581 | 582 | Later license versions may give you additional or different 583 | permissions. However, no additional obligations are imposed on any 584 | author or copyright holder as a result of your choosing to follow a 585 | later version. 586 | 587 | 15. Disclaimer of Warranty. 588 | 589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 597 | 598 | 16. Limitation of Liability. 599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 608 | SUCH DAMAGES. 609 | 610 | 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these terms. 626 | 627 | To do so, attach the following notices to the program. It is safest 628 | to attach them to the start of each source file to most effectively 629 | state the exclusion of warranty; and each file should have at least 630 | the "copyright" line and a pointer to where the full notice is found. 631 | 632 | 633 | Copyright (C) 634 | 635 | This program is free software: you can redistribute it and/or modify 636 | it under the terms of the GNU Affero General Public License as published 637 | by the Free Software Foundation, either version 3 of the License, or 638 | (at your option) any later version. 639 | 640 | This program is distributed in the hope that it will be useful, 641 | but WITHOUT ANY WARRANTY; without even the implied warranty of 642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 643 | GNU Affero General Public License for more details. 644 | 645 | You should have received a copy of the GNU Affero General Public License 646 | along with this program. If not, see . 647 | 648 | Also add information on how to contact you by electronic and paper mail. 649 | 650 | If your software can interact with users remotely through a computer 651 | network, you should also make sure that it provides a way for users to 652 | get its source. For example, if your program is a web application, its 653 | interface could display a "Source" link that leads users to an archive 654 | of the code. There are many ways you could offer source, and different 655 | solutions will be better for different programs; see section 13 for the 656 | specific requirements. 657 | 658 | You should also get your employer (if you work as a programmer) or school, 659 | if any, to sign a "copyright disclaimer" for the program, if necessary. 660 | For more information on this, and how to apply and follow the GNU AGPL, see 661 | . 662 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # This module was created for Keycloak 3.4.3. 3 | 4 | # As Keycloak export feature has been enhanced since the first version of this module, this module became obsolete and is not maintained anymore 5 | 6 | 7 | # Keycloak export Module 8 | 9 | This module allows you to perform a full export from the REST-API, while keycloak is still running. 10 | 11 | This version currently works with keycloak 8.0.1, but there are versions for other builds (see the releases) 12 | 13 | ## Install keycloak-export 14 | 15 | You need Java-8-x Java environment. To build, you must have the keycloak test artifacts in one of your repositories. 16 | This can be done by downloading the keycloak source, and building it as recommended on their [webpage](https://github.com/keycloak/keycloak). 17 | 18 | Run 19 | 20 | ``` 21 | mvn clean install 22 | ``` 23 | 24 | ### Deploy manually 25 | 26 | You can deploy as a module by running: 27 | 28 | $KEYCLOAK_HOME/bin/jboss-cli.sh --command="module add --name=io.cloudtrust.keycloak-export --resources=target/keycloak-export-8.0.1.jar --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-services,javax.ws.rs.api" 29 | 30 | Then registering the provider by editing `standalone/configuration/standalone.xml` and adding the module to the provider's element list: 31 | 32 | 33 | ... 34 | module:io.cloudtrust.keycloak-export 35 | 36 | 37 | ### Deploy automatically 38 | 39 | Simply call the install.sh script with the base directory of keycloak as parameter. Then start (or restart) the server. 40 | 41 | ## Using the module 42 | 43 | The module is used as for other REST-API endpoints (see [here](https://www.keycloak.org/docs/1.9/server_development_guide/topics/admin-rest-api.html)): 44 | 45 | 1) Export - Call the API to get an access token 46 | 47 | ``` 48 | curl \ 49 | -d "client_id=admin-cli" \ 50 | -d "username=admin" \ 51 | -d "password=password" \ 52 | -d "grant_type=password" \ 53 | "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" 54 | ``` 55 | 56 | Then call the `http://localhost:8080/auth/realms/master/export/realm` endpoint, using the token 57 | 58 | ``` 59 | curl \ 60 | -H "Authorization: bearer eyJhbGciOiJSUz..." \ 61 | "http://localhost:8080/auth/realms/master/export/realm" 62 | ``` 63 | 64 | You should see a JSON with the exported content. 65 | You can also invoke the endpoint for other realms by replacing `master` with the realm name in the above URL. 66 | Note that only an admin user in the master realm can call functions from this module. 67 | 68 | 2) Import through the user interface 69 | 70 | * In Keycloak, go to the Themes configuration of the master realm 71 | * Set the Admin Console Theme to `ctexport` then save 72 | * Log out and reconnect 73 | * You are now able to `Add a realm` and select a file to import using this module's features 74 | 75 | 3) Import on Keycloak start-up 76 | 77 | Import on start-up is described in Keycloak documentation (https://www.keycloak.org/docs/7.0/server_admin/index.html#_export_import) 78 | To use this module to import realms, you have to use the provider `ctSingleFile` 79 | 80 | Example: 81 | 82 | ``` 83 | ${KEYCLOAK_HOME}/standalone/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=ctSingleFile -Dkeycloak.migration.file=myrealm.json 84 | ``` 85 | 86 | ## Testing 87 | 88 | Tests run with arquillian, as standard unit tests, similar to what is done on the keycloak project. 89 | -------------------------------------------------------------------------------- /build.pipeline: -------------------------------------------------------------------------------- 1 | javaBuildPipeline('kc-export', [[name: 'keycloak-export', path:'./keycloak-export']], true) 2 | -------------------------------------------------------------------------------- /keycloak-export-tests/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4.0.0 4 | 5 | 6 | io.cloudtrust 7 | kc-cloudtrust-testsuite 8 | 18.0.0 9 | 10 | 11 | 12 | keycloak-export-tests 13 | 18.1.2-SNAPSHOT 14 | Keycloak Export tests 15 | jar 16 | 17 | 18 | 19 | io.cloudtrust 20 | keycloak-export 21 | ${project.version} 22 | 23 | 24 | io.cloudtrust 25 | kc-cloudtrust-test-tools 26 | ${kc-cloudtrust.version} 27 | 28 | 29 | org.keycloak 30 | keycloak-core 31 | ${keycloak.version} 32 | 33 | 34 | org.keycloak 35 | keycloak-common 36 | ${keycloak.version} 37 | 38 | 39 | org.keycloak 40 | keycloak-server-spi 41 | ${keycloak.version} 42 | 43 | 44 | org.keycloak 45 | keycloak-server-spi-private 46 | ${keycloak.version} 47 | 48 | 49 | org.keycloak 50 | keycloak-services 51 | ${keycloak.version} 52 | 53 | 54 | org.jboss.logging 55 | jboss-logging 56 | ${jbosslogging.version} 57 | provided 58 | 59 | 60 | 61 | com.fasterxml.jackson.core 62 | jackson-core 63 | ${jackson.version} 64 | test 65 | 66 | 67 | com.fasterxml.jackson.core 68 | jackson-databind 69 | ${jackson.version} 70 | test 71 | 72 | 73 | com.fasterxml.jackson.core 74 | jackson-annotations 75 | ${jackson.version} 76 | test 77 | 78 | 79 | org.junit.jupiter 80 | junit-jupiter-engine 81 | 82 | 83 | 84 | 85 | 86 | project-release 87 | https://artifactory.svc.elca.ch/artifactory/prj_cloudtrust_release 88 | 89 | true 90 | 91 | 92 | false 93 | 94 | 95 | 96 | project-snapshot 97 | https://artifactory.svc.elca.ch/artifactory/prj_cloudtrust_snapshot 98 | 99 | false 100 | 101 | 102 | true 103 | 104 | 105 | 106 | 107 | 108 | keycloak-export 109 | 110 | 111 | org.apache.maven.plugins 112 | maven-surefire-plugin 113 | 114 | 115 | maven-install-plugin 116 | 117 | true 118 | 119 | 120 | 121 | org.apache.maven.plugins 122 | maven-deploy-plugin 123 | 124 | true 125 | 126 | 127 | 128 | org.apache.maven.plugins 129 | maven-dependency-plugin 130 | 131 | 132 | 133 | 134 | -------------------------------------------------------------------------------- /keycloak-export-tests/src/test/java/io/cloudtrust/keycloak/export/ExportResourceProviderTest.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export; 2 | 3 | import com.fasterxml.jackson.databind.DeserializationFeature; 4 | import com.fasterxml.jackson.databind.ObjectMapper; 5 | 6 | import io.cloudtrust.keycloak.test.AbstractInKeycloakTest; 7 | import io.cloudtrust.keycloak.test.container.KeycloakDeploy; 8 | 9 | import org.apache.http.HttpEntity; 10 | import org.apache.http.HttpResponse; 11 | import org.apache.http.client.HttpResponseException; 12 | import org.apache.http.client.methods.HttpGet; 13 | import org.apache.http.impl.client.CloseableHttpClient; 14 | import org.apache.http.impl.client.HttpClientBuilder; 15 | import org.hamcrest.MatcherAssert; 16 | import org.junit.jupiter.api.AfterAll; 17 | import org.junit.jupiter.api.Assertions; 18 | import org.junit.jupiter.api.BeforeAll; 19 | import org.junit.jupiter.api.Test; 20 | import org.junit.jupiter.api.extension.ExtendWith; 21 | import org.keycloak.admin.client.Keycloak; 22 | import org.keycloak.admin.client.resource.RolesResource; 23 | import org.keycloak.representations.idm.ClientRepresentation; 24 | import org.keycloak.representations.idm.CredentialRepresentation; 25 | import org.keycloak.representations.idm.GroupRepresentation; 26 | import org.keycloak.representations.idm.RealmRepresentation; 27 | import org.keycloak.representations.idm.RoleRepresentation; 28 | import org.keycloak.representations.idm.UserRepresentation; 29 | 30 | import javax.ws.rs.ForbiddenException; 31 | import javax.ws.rs.core.Response; 32 | import java.io.File; 33 | import java.io.IOException; 34 | import java.io.InputStream; 35 | import java.util.Arrays; 36 | import java.util.List; 37 | import java.util.Optional; 38 | import java.util.stream.IntStream; 39 | 40 | import static org.hamcrest.CoreMatchers.is; 41 | 42 | @ExtendWith(KeycloakDeploy.class) 43 | public class ExportResourceProviderTest extends AbstractInKeycloakTest { 44 | private static final String KEYCLOAK_URL = "http://localhost:8180"; 45 | private static final String CLIENT = "admin-cli"; 46 | private static final String TEST_USER = "user-test-export"; 47 | private static ClientRepresentation clientBeforeChanges; 48 | private static final String TEST_REALM_NAME = "test-export"; 49 | private static final String TEST_REALM_PATH = "src/test/resources/" + TEST_REALM_NAME + "-realm.json"; 50 | 51 | @BeforeAll 52 | public static void initRealmAndUsers() throws IOException { 53 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, "master", "admin", "admin", CLIENT); 54 | clientBeforeChanges = keycloak.realms().realm("master").clients().findByClientId(CLIENT).get(0); 55 | createTestUser("admin", "admin", "master", TEST_USER, "password", "user"); 56 | //just making sure realm is not already present 57 | String token = keycloak.tokenManager().getAccessTokenString(); 58 | RealmRepresentation nullRealm = null; 59 | try { 60 | nullRealm = exportRealm(token, TEST_REALM_NAME); 61 | } catch (HttpResponseException e) { 62 | Assertions.assertEquals(404, e.getStatusCode()); 63 | } 64 | Assertions.assertNull(nullRealm); 65 | //end just making sure realm is not already present 66 | } 67 | 68 | @AfterAll 69 | public static void resetRealm() { 70 | //idempotence 71 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, "master", "admin", "admin", CLIENT); 72 | UserRepresentation user = keycloak.realm("master").users().search(TEST_USER).get(0); 73 | keycloak.realm("master").users().delete(user.getId()); 74 | keycloak.realm("master").roles().get("user").remove(); 75 | if (clientBeforeChanges != null) { 76 | keycloak.realms().realm("master").clients().get(clientBeforeChanges.getId()).update(clientBeforeChanges); 77 | } 78 | } 79 | 80 | @Test 81 | void adminCanExportMasterRealm() throws IOException { 82 | //TODO activate Full scope Mapping in admin-cli programmatically 83 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, "master", "admin", "admin", CLIENT); 84 | String token = keycloak.tokenManager().getAccessTokenString(); 85 | RealmRepresentation realmRepresentation = exportRealm(token, "master"); 86 | Assertions.assertNotNull(realmRepresentation); 87 | Assertions.assertEquals("master", realmRepresentation.getRealm()); 88 | Assertions.assertTrue(realmRepresentation.getUsers().stream().anyMatch(ur -> ur.getUsername().equals("admin"))); 89 | Assertions.assertTrue(realmRepresentation.getClients().size() > 0); 90 | } 91 | 92 | public interface RunnableEx { 93 | void run() throws IOException; 94 | } 95 | 96 | private void withRealm(String realmName, RunnableEx runnable) throws IOException { 97 | withRealm(realmName, "admin", "admin", runnable); 98 | } 99 | 100 | private void withRealm(String realmName, String username, String password, RunnableEx runnable) throws IOException { 101 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, "master", username, password, CLIENT); 102 | try { 103 | RealmRepresentation realmRepresentation = new ObjectMapper().readValue( 104 | getClass().getResourceAsStream("/" + realmName + "-realm.json"), RealmRepresentation.class); 105 | keycloak.realms().create(realmRepresentation); 106 | 107 | //TestsHelper.importTestRealm(username, password, "/" + realmName + "-realm.json"); 108 | runnable.run(); 109 | } finally { 110 | try { 111 | //TestsHelper.deleteRealm("admin", "admin", realmName); 112 | keycloak.realm(realmName).remove(); 113 | } catch (Exception e) { 114 | // NOOP 115 | } 116 | } 117 | } 118 | 119 | @Test 120 | void importEqualsExport() throws IOException { 121 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, "master", "admin", "admin", CLIENT); 122 | String token = keycloak.tokenManager().getAccessTokenString(); 123 | new ObjectMapper().readTree(new File(TEST_REALM_PATH)); 124 | RealmRepresentation fileRepresentation = new ObjectMapper().readValue(new File(TEST_REALM_PATH), RealmRepresentation.class); 125 | Assertions.assertNotNull(fileRepresentation); 126 | withRealm(TEST_REALM_NAME, () -> { 127 | RealmRepresentation exportedRealm = exportRealm(token, TEST_REALM_NAME); 128 | Assertions.assertEquals(fileRepresentation.getUsers().size(), exportedRealm.getUsers().size()); 129 | //making sure all users are imported 130 | IntStream.range(0, fileRepresentation.getUsers().size()).forEach(i -> { 131 | UserRepresentation fileUser = fileRepresentation.getUsers().get(i); 132 | UserRepresentation exportedUser = exportedRealm.getUsers().parallelStream().filter(c -> c.getId().equals(fileUser.getId())).findAny().get(); 133 | Assertions.assertEquals(fileUser.getUsername(), exportedUser.getUsername()); 134 | Assertions.assertEquals(fileUser.getCredentials(), exportedUser.getCredentials()); 135 | //making sure credentials are imported 136 | if (fileUser.getCredentials() != null && !fileUser.getCredentials().isEmpty()) { 137 | Assertions.assertEquals(fileUser.getCredentials().get(0).getSecretData(), exportedUser.getCredentials().get(0).getSecretData()); 138 | } 139 | }); 140 | //making sure client secrets are well imported and exported 141 | IntStream.range(0, fileRepresentation.getClients().size()).forEach(i -> { 142 | ClientRepresentation fileClient = fileRepresentation.getClients().get(i); 143 | ClientRepresentation exportedClient = exportedRealm.getClients().parallelStream().filter(c -> c.getId().equals(fileClient.getId())).findAny().get(); 144 | Assertions.assertEquals(fileClient.getId(), exportedClient.getId()); 145 | Assertions.assertEquals(fileClient.getName(), exportedClient.getName()); 146 | Assertions.assertEquals(fileClient.getSecret(), exportedClient.getSecret()); 147 | }); 148 | //groups... 149 | IntStream.range(0, fileRepresentation.getGroups().size()).forEach(i -> { 150 | GroupRepresentation fileGroup = fileRepresentation.getGroups().get(i); 151 | GroupRepresentation exportedGroup = exportedRealm.getGroups().parallelStream().filter(c -> c.getId().equals(fileGroup.getId())).findAny().get(); 152 | Assertions.assertEquals(fileGroup.getId(), exportedGroup.getId()); 153 | Assertions.assertEquals(fileGroup.getName(), exportedGroup.getName()); 154 | }); 155 | //realm roles (do not compare IDs, as they might be changed by the import mechanism) 156 | IntStream.range(0, fileRepresentation.getRoles().getRealm().size()).forEach(i -> { 157 | RoleRepresentation fileRealmRole = fileRepresentation.getRoles().getRealm().get(i); 158 | Optional exportRealmRoleOpt = exportedRealm.getRoles().getRealm().parallelStream().filter(c -> c.getName().equals(fileRealmRole.getName())).findAny(); 159 | Assertions.assertTrue(exportRealmRoleOpt.isPresent()); 160 | }); 161 | //clients roles 162 | fileRepresentation.getRoles().getClient().keySet().forEach(clientId -> { 163 | List fileClientRoles = fileRepresentation.getRoles().getClient().get(clientId); 164 | List exportedClientRoles = exportedRealm.getRoles().getClient().get(clientId); 165 | IntStream.range(0, fileClientRoles.size()).forEach(i -> { 166 | RoleRepresentation fileClientRole = fileClientRoles.get(i); 167 | RoleRepresentation exportedClientRole = exportedClientRoles.parallelStream().filter(c -> c.getId().equals(fileClientRole.getId())).findAny().get(); 168 | Assertions.assertEquals(fileClientRole.getId(), exportedClientRole.getId()); 169 | Assertions.assertEquals(fileClientRole.getName(), exportedClientRole.getName()); 170 | }); 171 | }); 172 | }); 173 | } 174 | 175 | @Test 176 | void nonAdminCantExportMaster() throws IOException { 177 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, "master", TEST_USER, "password", CLIENT); 178 | String token = keycloak.tokenManager().getAccessTokenString(); 179 | HttpResponseException ex = Assertions.assertThrows(HttpResponseException.class, () -> exportRealm(token, "master")); 180 | MatcherAssert.assertThat(ex.getStatusCode(), is(403)); 181 | } 182 | 183 | @Test 184 | void nonMasterAdminCantExportMaster() throws IOException { 185 | withRealm(TEST_REALM_NAME, () -> { 186 | final String testAdminUser = "test.admin"; 187 | createTestUser("admin", "admin", TEST_REALM_NAME, testAdminUser, "password", "user", "admin"); 188 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, TEST_REALM_NAME, testAdminUser, "password", CLIENT); 189 | String token = keycloak.tokenManager().getAccessTokenString(); 190 | HttpResponseException ex = Assertions.assertThrows(HttpResponseException.class, () -> exportRealm(token, "master")); 191 | MatcherAssert.assertThat(ex.getStatusCode(), is(403)); 192 | }); 193 | } 194 | 195 | @Test 196 | void nonMasterAdminCantExportTestRealm() throws IOException { 197 | withRealm(TEST_REALM_NAME, () -> { 198 | final String testAdminUser = "test.admin"; 199 | createTestUser("admin", "admin", TEST_REALM_NAME, testAdminUser, "password", "user", "admin"); 200 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, TEST_REALM_NAME, testAdminUser, "password", CLIENT); 201 | String token = keycloak.tokenManager().getAccessTokenString(); 202 | HttpResponseException ex = Assertions.assertThrows(HttpResponseException.class, () -> exportRealm(token, TEST_REALM_NAME)); 203 | MatcherAssert.assertThat(ex.getStatusCode(), is(403)); 204 | }); 205 | } 206 | 207 | @Test 208 | void nonAdminCantBuiltInImport() throws IOException { 209 | RealmRepresentation fileRepresentation = new ObjectMapper().readValue(new File(TEST_REALM_PATH), RealmRepresentation.class); 210 | Assertions.assertNotNull(fileRepresentation); 211 | Assertions.assertThrows(ForbiddenException.class, () -> withRealm(TEST_REALM_NAME, TEST_USER, "password", () -> { 212 | })); 213 | } 214 | 215 | private static RealmRepresentation exportRealm(String token, String realm) throws IOException { 216 | try (CloseableHttpClient client = HttpClientBuilder.create().build()) { 217 | HttpGet get = new HttpGet(KEYCLOAK_URL + "/realms/" + realm + "/export/realm"); 218 | get.addHeader("Authorization", "Bearer " + token); 219 | 220 | HttpResponse response = client.execute(get); 221 | if (response.getStatusLine().getStatusCode() != 200) { 222 | throw new HttpResponseException(response.getStatusLine().getStatusCode(), "export failed: " + response.getStatusLine().getStatusCode()); 223 | } 224 | HttpEntity entity = response.getEntity(); 225 | try (InputStream is = entity.getContent()) { 226 | ObjectMapper mapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); 227 | return mapper.readValue(is, RealmRepresentation.class); 228 | } 229 | } 230 | } 231 | 232 | private static void createTestUser(String username, String password, String realmName, String newUsername, String newPassword, String... roles) { 233 | Keycloak keycloak = Keycloak.getInstance(KEYCLOAK_URL, "master", username, password, CLIENT); 234 | 235 | //add roles 236 | for (String role : roles) { 237 | RoleRepresentation representation = new RoleRepresentation(); 238 | representation.setName(role); 239 | RolesResource realmsRoles = keycloak.realms().realm(realmName).roles(); 240 | if (realmsRoles.list().stream().map(RoleRepresentation::getName).noneMatch(role::equals)) { 241 | realmsRoles.create(representation); 242 | } 243 | } 244 | 245 | UserRepresentation userRepresentation = new UserRepresentation(); 246 | userRepresentation.setUsername(newUsername); 247 | userRepresentation.setEnabled(Boolean.TRUE); 248 | userRepresentation.setRealmRoles(Arrays.asList(roles)); 249 | Response response = keycloak.realms().realm(realmName).users().create(userRepresentation); 250 | String location = response.getHeaderString("Location"); 251 | String userId = location.substring(location.lastIndexOf('/')+1); 252 | response.close(); 253 | CredentialRepresentation rep = new CredentialRepresentation(); 254 | rep.setType(CredentialRepresentation.PASSWORD); 255 | rep.setValue(newPassword); 256 | rep.setTemporary(false); 257 | keycloak.realms().realm(realmName).users().get(userId).resetPassword(rep); 258 | } 259 | } 260 | -------------------------------------------------------------------------------- /keycloak-export-tests/src/test/java/io/cloudtrust/keycloak/export/dto/BetterRealmRepresentationTest.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export.dto; 2 | 3 | import com.fasterxml.jackson.databind.ObjectMapper; 4 | 5 | import org.junit.jupiter.api.Assertions; 6 | import org.junit.jupiter.api.Test; 7 | 8 | import java.io.IOException; 9 | import java.io.InputStream; 10 | 11 | class BetterRealmRepresentationTest { 12 | @Test 13 | void realmDeserializationTest() throws IOException { 14 | try (InputStream is = BetterRealmRepresentationTest.class.getClassLoader().getResourceAsStream("exported-realm.json")) { 15 | BetterRealmRepresentation realm = new ObjectMapper().readValue(is, BetterRealmRepresentation.class); 16 | Assertions.assertEquals("Cloudtrust", realm.getId()); 17 | Assertions.assertTrue(realm.getRequiredActions().stream().anyMatch(ra -> "NOT_AN_ENUM_VALUE".equals(ra.getAlias()))); 18 | 19 | BetterUserRepresentation user = (BetterUserRepresentation) realm.getUsers().get(0); 20 | Assertions.assertEquals("uglykidjoe", user.getUsername()); 21 | Assertions.assertEquals(2, user.getRequiredActions().size()); 22 | Assertions.assertTrue(user.getRequiredActions().contains("NOT_AN_ENUM_VALUE")); 23 | 24 | BetterCredentialRepresentation cred = (BetterCredentialRepresentation) user.getCredentials().get(0); 25 | Assertions.assertEquals("1b9748f0-b9ba-4aaa-874f-0f0a3652dcf4", cred.getId()); 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /keycloak-export-tests/src/test/resources/keycloak.properties: -------------------------------------------------------------------------------- 1 | [modules] 2 | ../keycloak-export/target/keycloak-export-0.0.0-SNAPSHOT.jar 3 | -------------------------------------------------------------------------------- /keycloak-export-tests/src/test/resources/log4j.properties: -------------------------------------------------------------------------------- 1 | # Root logger option 2 | log4j.rootLogger=INFO, stdout 3 | 4 | # Direct log messages to stdout 5 | log4j.appender.stdout=org.apache.log4j.ConsoleAppender 6 | log4j.appender.stdout.Target=System.out 7 | log4j.appender.stdout.layout=org.apache.log4j.PatternLayout 8 | log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n -------------------------------------------------------------------------------- /keycloak-export-tests/src/test/resources/test-export-realm.json: -------------------------------------------------------------------------------- 1 | { 2 | "id":"test-export", 3 | "realm":"test-export", 4 | "notBefore":0, 5 | "revokeRefreshToken":false, 6 | "refreshTokenMaxReuse":0, 7 | "accessTokenLifespan":300, 8 | "accessTokenLifespanForImplicitFlow":900, 9 | "ssoSessionIdleTimeout":1800, 10 | "ssoSessionMaxLifespan":36000, 11 | "offlineSessionIdleTimeout":2592000, 12 | "accessCodeLifespan":60, 13 | "accessCodeLifespanUserAction":300, 14 | "accessCodeLifespanLogin":1800, 15 | "actionTokenGeneratedByAdminLifespan":43200, 16 | "actionTokenGeneratedByUserLifespan":300, 17 | "enabled":true, 18 | "sslRequired":"external", 19 | "registrationAllowed":false, 20 | "registrationEmailAsUsername":false, 21 | "rememberMe":false, 22 | "verifyEmail":false, 23 | "loginWithEmailAllowed":true, 24 | "duplicateEmailsAllowed":false, 25 | "resetPasswordAllowed":false, 26 | "editUsernameAllowed":false, 27 | "bruteForceProtected":false, 28 | "permanentLockout":false, 29 | "maxFailureWaitSeconds":900, 30 | "minimumQuickLoginWaitSeconds":60, 31 | "waitIncrementSeconds":60, 32 | "quickLoginCheckMilliSeconds":1000, 33 | "maxDeltaTimeSeconds":43200, 34 | "failureFactor":30, 35 | "roles":{ 36 | "realm":[ 37 | { 38 | "id":"607cccf8-5a6a-4578-a9c3-bdbc9630fea1", 39 | "name":"uma_authorization", 40 | "description":"${role_uma_authorization}", 41 | "scopeParamRequired":false, 42 | "composite":false, 43 | "clientRole":false, 44 | "containerId":"test-export" 45 | }, 46 | { 47 | "id":"1062a69b-331f-4d55-8041-85ca04f71599", 48 | "name":"offline_access", 49 | "description":"${role_offline-access}", 50 | "scopeParamRequired":true, 51 | "composite":false, 52 | "clientRole":false, 53 | "containerId":"test-export" 54 | } 55 | ], 56 | "client":{ 57 | "realm-management":[ 58 | { 59 | "id":"3ff2f1cf-1c6a-4bfa-8866-b9deef7a9328", 60 | "name":"view-users", 61 | "description":"${role_view-users}", 62 | "scopeParamRequired":false, 63 | "composite":true, 64 | "composites":{ 65 | "client":{ 66 | "realm-management":[ 67 | "query-groups", 68 | "query-users" 69 | ] 70 | } 71 | }, 72 | "clientRole":true, 73 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 74 | }, 75 | { 76 | "id":"53032c3c-7471-4504-a8eb-2c5018c22ec3", 77 | "name":"view-events", 78 | "description":"${role_view-events}", 79 | "scopeParamRequired":false, 80 | "composite":false, 81 | "clientRole":true, 82 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 83 | }, 84 | { 85 | "id":"6653feed-117e-4564-8ab6-b22ce52caa68", 86 | "name":"realm-admin", 87 | "description":"${role_realm-admin}", 88 | "scopeParamRequired":false, 89 | "composite":true, 90 | "composites":{ 91 | "client":{ 92 | "realm-management":[ 93 | "view-users", 94 | "view-events", 95 | "manage-realm", 96 | "view-clients", 97 | "manage-users", 98 | "manage-clients", 99 | "create-client", 100 | "manage-authorization", 101 | "manage-events", 102 | "impersonation", 103 | "view-authorization", 104 | "query-clients", 105 | "view-identity-providers", 106 | "query-groups", 107 | "query-users", 108 | "view-realm", 109 | "manage-identity-providers", 110 | "query-realms" 111 | ] 112 | } 113 | }, 114 | "clientRole":true, 115 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 116 | }, 117 | { 118 | "id":"b9014431-c60f-4884-85ed-688b22499e9f", 119 | "name":"manage-realm", 120 | "description":"${role_manage-realm}", 121 | "scopeParamRequired":false, 122 | "composite":false, 123 | "clientRole":true, 124 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 125 | }, 126 | { 127 | "id":"02aa11ba-3e2f-44bf-b174-ad638c464d95", 128 | "name":"view-clients", 129 | "description":"${role_view-clients}", 130 | "scopeParamRequired":false, 131 | "composite":true, 132 | "composites":{ 133 | "client":{ 134 | "realm-management":[ 135 | "query-clients" 136 | ] 137 | } 138 | }, 139 | "clientRole":true, 140 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 141 | }, 142 | { 143 | "id":"077192a8-9502-4d98-85c5-64ecfe33e5bc", 144 | "name":"manage-users", 145 | "description":"${role_manage-users}", 146 | "scopeParamRequired":false, 147 | "composite":false, 148 | "clientRole":true, 149 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 150 | }, 151 | { 152 | "id":"cef22a22-36f8-4f50-b723-61dc85579682", 153 | "name":"manage-clients", 154 | "description":"${role_manage-clients}", 155 | "scopeParamRequired":false, 156 | "composite":false, 157 | "clientRole":true, 158 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 159 | }, 160 | { 161 | "id":"cbb524d1-2788-43d8-a4d3-bf253620e0f9", 162 | "name":"create-client", 163 | "description":"${role_create-client}", 164 | "scopeParamRequired":false, 165 | "composite":false, 166 | "clientRole":true, 167 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 168 | }, 169 | { 170 | "id":"fc6490ff-5673-4777-8d0a-1eef85d08b39", 171 | "name":"manage-authorization", 172 | "description":"${role_manage-authorization}", 173 | "scopeParamRequired":false, 174 | "composite":false, 175 | "clientRole":true, 176 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 177 | }, 178 | { 179 | "id":"cd9a76d9-1057-44e1-83b4-330c5fced84f", 180 | "name":"manage-events", 181 | "description":"${role_manage-events}", 182 | "scopeParamRequired":false, 183 | "composite":false, 184 | "clientRole":true, 185 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 186 | }, 187 | { 188 | "id":"d6bfe597-98c9-49b5-a475-232fc6a35bbf", 189 | "name":"impersonation", 190 | "description":"${role_impersonation}", 191 | "scopeParamRequired":false, 192 | "composite":false, 193 | "clientRole":true, 194 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 195 | }, 196 | { 197 | "id":"81221ba1-cfa8-4aae-89ae-99b0ca5154a9", 198 | "name":"view-authorization", 199 | "description":"${role_view-authorization}", 200 | "scopeParamRequired":false, 201 | "composite":false, 202 | "clientRole":true, 203 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 204 | }, 205 | { 206 | "id":"b84d6a26-a2cc-4ba5-94ad-f19808577fd9", 207 | "name":"query-clients", 208 | "description":"${role_query-clients}", 209 | "scopeParamRequired":false, 210 | "composite":false, 211 | "clientRole":true, 212 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 213 | }, 214 | { 215 | "id":"5f2029e9-db22-4edc-8287-679296c44072", 216 | "name":"view-identity-providers", 217 | "description":"${role_view-identity-providers}", 218 | "scopeParamRequired":false, 219 | "composite":false, 220 | "clientRole":true, 221 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 222 | }, 223 | { 224 | "id":"51743152-3c8a-4fa3-afcf-42324e2bfd97", 225 | "name":"query-users", 226 | "description":"${role_query-users}", 227 | "scopeParamRequired":false, 228 | "composite":false, 229 | "clientRole":true, 230 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 231 | }, 232 | { 233 | "id":"0fe9dd8d-480b-46c3-a4cb-da170dde7612", 234 | "name":"query-groups", 235 | "description":"${role_query-groups}", 236 | "scopeParamRequired":false, 237 | "composite":false, 238 | "clientRole":true, 239 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 240 | }, 241 | { 242 | "id":"94240d8b-fd4b-408b-9639-04a880580463", 243 | "name":"view-realm", 244 | "description":"${role_view-realm}", 245 | "scopeParamRequired":false, 246 | "composite":false, 247 | "clientRole":true, 248 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 249 | }, 250 | { 251 | "id":"8c58a6fb-0367-4f46-9936-88c5db9c4cdb", 252 | "name":"manage-identity-providers", 253 | "description":"${role_manage-identity-providers}", 254 | "scopeParamRequired":false, 255 | "composite":false, 256 | "clientRole":true, 257 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 258 | }, 259 | { 260 | "id":"f0d8f203-4b29-4198-a6eb-eae40e92a9a9", 261 | "name":"query-realms", 262 | "description":"${role_query-realms}", 263 | "scopeParamRequired":false, 264 | "composite":false, 265 | "clientRole":true, 266 | "containerId":"1bfd9c37-a219-4db9-94c6-73eeade70327" 267 | } 268 | ], 269 | "security-admin-console":[ 270 | 271 | ], 272 | "admin-cli":[ 273 | 274 | ], 275 | "broker":[ 276 | { 277 | "id":"97833851-8567-434f-826a-752b8f7d4ed0", 278 | "name":"read-token", 279 | "description":"${role_read-token}", 280 | "scopeParamRequired":false, 281 | "composite":false, 282 | "clientRole":true, 283 | "containerId":"83c7777d-4bd0-4a79-bbcc-c375ac4c383e" 284 | } 285 | ], 286 | "account":[ 287 | { 288 | "id":"f80d0483-ffa3-4998-9a60-b88730990fdc", 289 | "name":"manage-account-links", 290 | "description":"${role_manage-account-links}", 291 | "scopeParamRequired":false, 292 | "composite":false, 293 | "clientRole":true, 294 | "containerId":"d0232b7c-1249-4c67-b87c-4c6d743a471c" 295 | }, 296 | { 297 | "id":"43c90a0b-5853-4b22-b28a-1af15e7292b4", 298 | "name":"view-profile", 299 | "description":"${role_view-profile}", 300 | "scopeParamRequired":false, 301 | "composite":false, 302 | "clientRole":true, 303 | "containerId":"d0232b7c-1249-4c67-b87c-4c6d743a471c" 304 | }, 305 | { 306 | "id":"7556f272-b489-40a5-aa61-9315fac04ca5", 307 | "name":"manage-account", 308 | "description":"${role_manage-account}", 309 | "scopeParamRequired":false, 310 | "composite":true, 311 | "composites":{ 312 | "client":{ 313 | "account":[ 314 | "manage-account-links" 315 | ] 316 | } 317 | }, 318 | "clientRole":true, 319 | "containerId":"d0232b7c-1249-4c67-b87c-4c6d743a471c" 320 | } 321 | ] 322 | } 323 | }, 324 | "groups":[ 325 | 326 | ], 327 | "defaultRoles":[ 328 | "offline_access", 329 | "uma_authorization" 330 | ], 331 | "requiredCredentials":[ 332 | "password" 333 | ], 334 | "otpPolicyType":"totp", 335 | "otpPolicyAlgorithm":"HmacSHA1", 336 | "otpPolicyInitialCounter":0, 337 | "otpPolicyDigits":6, 338 | "otpPolicyLookAheadWindow":1, 339 | "otpPolicyPeriod":30, 340 | "otpSupportedApplications":[ 341 | "FreeOTP", 342 | "Google Authenticator" 343 | ], 344 | "users":[ 345 | { 346 | "id":"6966fd14-5f36-4619-91f6-9fe120e4b6b5", 347 | "createdTimestamp":1519925354404, 348 | "username":"user1", 349 | "enabled":true, 350 | "totp":false, 351 | "emailVerified":false, 352 | "credentials":[ 353 | 354 | ], 355 | "disableableCredentialTypes":[ 356 | 357 | ], 358 | "requiredActions":[ 359 | 360 | ], 361 | "realmRoles":[ 362 | "uma_authorization", 363 | "offline_access" 364 | ], 365 | "clientRoles":{ 366 | "account":[ 367 | "view-profile", 368 | "manage-account" 369 | ] 370 | }, 371 | "notBefore":0, 372 | "groups":[ 373 | 374 | ] 375 | }, 376 | { 377 | "id":"513020dd-9366-4680-a501-b0a5218e5674", 378 | "createdTimestamp":1519925362065, 379 | "username":"user2", 380 | "enabled":true, 381 | "totp":false, 382 | "emailVerified":false, 383 | "credentials":[ 384 | { 385 | "id":"801bd5c1-e1b6-4c36-9b58-c9237760f022", 386 | "type":"password", 387 | "createdDate":1569507437952, 388 | "secretData":"{\"value\":\"94+CVYjkC2a3Z36Ot2WYSJvWRkmRxy+ePwxdYaLWihqmDFrnYg7vp4qqqJDaWp+/pudnRUxRfEXkPcHev7LrVw==\",\"salt\":\"JGPowls+r344qLh6uzWVtg==\"}", 389 | "credentialData":"{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" 390 | } 391 | ], 392 | "disableableCredentialTypes":[ 393 | "password" 394 | ], 395 | "requiredActions":[ 396 | 397 | ], 398 | "realmRoles":[ 399 | "uma_authorization", 400 | "offline_access" 401 | ], 402 | "clientRoles":{ 403 | "account":[ 404 | "view-profile", 405 | "manage-account" 406 | ] 407 | }, 408 | "notBefore":0, 409 | "groups":[ 410 | 411 | ] 412 | } 413 | ], 414 | "clients":[ 415 | { 416 | "id":"c2751b2e-d00e-4f69-8a95-d445ace1dcf2", 417 | "clientId":"security-admin-console", 418 | "name":"${client_security-admin-console}", 419 | "baseUrl":"/auth/admin/test-export/console/index.html", 420 | "surrogateAuthRequired":false, 421 | "enabled":true, 422 | "clientAuthenticatorType":"client-secret", 423 | "secret":"**********", 424 | "redirectUris":[ 425 | "/auth/admin/test-export/console/*" 426 | ], 427 | "webOrigins":[ 428 | 429 | ], 430 | "notBefore":0, 431 | "bearerOnly":false, 432 | "consentRequired":false, 433 | "standardFlowEnabled":true, 434 | "implicitFlowEnabled":false, 435 | "directAccessGrantsEnabled":false, 436 | "serviceAccountsEnabled":false, 437 | "publicClient":true, 438 | "frontchannelLogout":false, 439 | "protocol":"openid-connect", 440 | "attributes":{ 441 | 442 | }, 443 | "fullScopeAllowed":false, 444 | "nodeReRegistrationTimeout":0, 445 | "protocolMappers":[ 446 | { 447 | "id":"4cd46ab1-05b3-40e0-9c09-8864eb983ccd", 448 | "name":"given name", 449 | "protocol":"openid-connect", 450 | "protocolMapper":"oidc-usermodel-property-mapper", 451 | "consentRequired":true, 452 | "consentText":"${givenName}", 453 | "config":{ 454 | "userinfo.token.claim":"true", 455 | "user.attribute":"firstName", 456 | "id.token.claim":"true", 457 | "access.token.claim":"true", 458 | "claim.name":"given_name", 459 | "jsonType.label":"String" 460 | } 461 | }, 462 | { 463 | "id":"adbf8b41-8158-4d92-a0b4-d9b87e55f756", 464 | "name":"email", 465 | "protocol":"openid-connect", 466 | "protocolMapper":"oidc-usermodel-property-mapper", 467 | "consentRequired":true, 468 | "consentText":"${email}", 469 | "config":{ 470 | "userinfo.token.claim":"true", 471 | "user.attribute":"email", 472 | "id.token.claim":"true", 473 | "access.token.claim":"true", 474 | "claim.name":"email", 475 | "jsonType.label":"String" 476 | } 477 | }, 478 | { 479 | "id":"4be1f453-7b5e-482e-8a6f-93a1f7d19b9d", 480 | "name":"role list", 481 | "protocol":"saml", 482 | "protocolMapper":"saml-role-list-mapper", 483 | "consentRequired":false, 484 | "config":{ 485 | "single":"false", 486 | "attribute.nameformat":"Basic", 487 | "attribute.name":"Role" 488 | } 489 | }, 490 | { 491 | "id":"dd9107c5-9364-4e4f-9608-b115b4ae9550", 492 | "name":"full name", 493 | "protocol":"openid-connect", 494 | "protocolMapper":"oidc-full-name-mapper", 495 | "consentRequired":true, 496 | "consentText":"${fullName}", 497 | "config":{ 498 | "id.token.claim":"true", 499 | "access.token.claim":"true", 500 | "userinfo.token.claim":"true" 501 | } 502 | }, 503 | { 504 | "id":"708f2a2f-cfce-4a48-8c27-a20fef6d69c1", 505 | "name":"username", 506 | "protocol":"openid-connect", 507 | "protocolMapper":"oidc-usermodel-property-mapper", 508 | "consentRequired":true, 509 | "consentText":"${username}", 510 | "config":{ 511 | "userinfo.token.claim":"true", 512 | "user.attribute":"username", 513 | "id.token.claim":"true", 514 | "access.token.claim":"true", 515 | "claim.name":"preferred_username", 516 | "jsonType.label":"String" 517 | } 518 | }, 519 | { 520 | "id":"b1deb97c-643e-4ba3-a49b-5fc969d7bfdd", 521 | "name":"locale", 522 | "protocol":"openid-connect", 523 | "protocolMapper":"oidc-usermodel-attribute-mapper", 524 | "consentRequired":false, 525 | "consentText":"${locale}", 526 | "config":{ 527 | "userinfo.token.claim":"true", 528 | "user.attribute":"locale", 529 | "id.token.claim":"true", 530 | "access.token.claim":"true", 531 | "claim.name":"locale", 532 | "jsonType.label":"String" 533 | } 534 | }, 535 | { 536 | "id":"98b80d75-eafd-43e4-9557-91817983e334", 537 | "name":"family name", 538 | "protocol":"openid-connect", 539 | "protocolMapper":"oidc-usermodel-property-mapper", 540 | "consentRequired":true, 541 | "consentText":"${familyName}", 542 | "config":{ 543 | "userinfo.token.claim":"true", 544 | "user.attribute":"lastName", 545 | "id.token.claim":"true", 546 | "access.token.claim":"true", 547 | "claim.name":"family_name", 548 | "jsonType.label":"String" 549 | } 550 | } 551 | ], 552 | "useTemplateConfig":false, 553 | "useTemplateScope":false, 554 | "useTemplateMappers":false 555 | }, 556 | { 557 | "id":"83c7777d-4bd0-4a79-bbcc-c375ac4c383e", 558 | "clientId":"broker", 559 | "name":"${client_broker}", 560 | "surrogateAuthRequired":false, 561 | "enabled":true, 562 | "clientAuthenticatorType":"client-secret", 563 | "secret":"**********", 564 | "redirectUris":[ 565 | 566 | ], 567 | "webOrigins":[ 568 | 569 | ], 570 | "notBefore":0, 571 | "bearerOnly":false, 572 | "consentRequired":false, 573 | "standardFlowEnabled":true, 574 | "implicitFlowEnabled":false, 575 | "directAccessGrantsEnabled":false, 576 | "serviceAccountsEnabled":false, 577 | "publicClient":false, 578 | "frontchannelLogout":false, 579 | "protocol":"openid-connect", 580 | "attributes":{ 581 | 582 | }, 583 | "fullScopeAllowed":false, 584 | "nodeReRegistrationTimeout":0, 585 | "protocolMappers":[ 586 | { 587 | "id":"b43b7967-940f-409d-9ce4-d522bd309603", 588 | "name":"family name", 589 | "protocol":"openid-connect", 590 | "protocolMapper":"oidc-usermodel-property-mapper", 591 | "consentRequired":true, 592 | "consentText":"${familyName}", 593 | "config":{ 594 | "userinfo.token.claim":"true", 595 | "user.attribute":"lastName", 596 | "id.token.claim":"true", 597 | "access.token.claim":"true", 598 | "claim.name":"family_name", 599 | "jsonType.label":"String" 600 | } 601 | }, 602 | { 603 | "id":"fca167ff-8a03-43b7-b134-18a74dc13890", 604 | "name":"role list", 605 | "protocol":"saml", 606 | "protocolMapper":"saml-role-list-mapper", 607 | "consentRequired":false, 608 | "config":{ 609 | "single":"false", 610 | "attribute.nameformat":"Basic", 611 | "attribute.name":"Role" 612 | } 613 | }, 614 | { 615 | "id":"66752663-076f-4e46-aa5e-5f92512a90fc", 616 | "name":"email", 617 | "protocol":"openid-connect", 618 | "protocolMapper":"oidc-usermodel-property-mapper", 619 | "consentRequired":true, 620 | "consentText":"${email}", 621 | "config":{ 622 | "userinfo.token.claim":"true", 623 | "user.attribute":"email", 624 | "id.token.claim":"true", 625 | "access.token.claim":"true", 626 | "claim.name":"email", 627 | "jsonType.label":"String" 628 | } 629 | }, 630 | { 631 | "id":"c3f2933d-22f7-412c-ac87-6d6930038ca6", 632 | "name":"given name", 633 | "protocol":"openid-connect", 634 | "protocolMapper":"oidc-usermodel-property-mapper", 635 | "consentRequired":true, 636 | "consentText":"${givenName}", 637 | "config":{ 638 | "userinfo.token.claim":"true", 639 | "user.attribute":"firstName", 640 | "id.token.claim":"true", 641 | "access.token.claim":"true", 642 | "claim.name":"given_name", 643 | "jsonType.label":"String" 644 | } 645 | }, 646 | { 647 | "id":"2138d0a7-05fc-4bfc-a64b-8856b5ef253d", 648 | "name":"full name", 649 | "protocol":"openid-connect", 650 | "protocolMapper":"oidc-full-name-mapper", 651 | "consentRequired":true, 652 | "consentText":"${fullName}", 653 | "config":{ 654 | "id.token.claim":"true", 655 | "access.token.claim":"true", 656 | "userinfo.token.claim":"true" 657 | } 658 | }, 659 | { 660 | "id":"694dc511-c129-4956-8cee-afb3ca125bb4", 661 | "name":"username", 662 | "protocol":"openid-connect", 663 | "protocolMapper":"oidc-usermodel-property-mapper", 664 | "consentRequired":true, 665 | "consentText":"${username}", 666 | "config":{ 667 | "userinfo.token.claim":"true", 668 | "user.attribute":"username", 669 | "id.token.claim":"true", 670 | "access.token.claim":"true", 671 | "claim.name":"preferred_username", 672 | "jsonType.label":"String" 673 | } 674 | } 675 | ], 676 | "useTemplateConfig":false, 677 | "useTemplateScope":false, 678 | "useTemplateMappers":false 679 | }, 680 | { 681 | "id":"d0232b7c-1249-4c67-b87c-4c6d743a471c", 682 | "clientId":"account", 683 | "name":"${client_account}", 684 | "baseUrl":"/auth/realms/test-export/account", 685 | "surrogateAuthRequired":false, 686 | "enabled":true, 687 | "clientAuthenticatorType":"client-secret", 688 | "secret":"**********", 689 | "defaultRoles":[ 690 | "view-profile", 691 | "manage-account" 692 | ], 693 | "redirectUris":[ 694 | "/auth/realms/test-export/account/*" 695 | ], 696 | "webOrigins":[ 697 | 698 | ], 699 | "notBefore":0, 700 | "bearerOnly":false, 701 | "consentRequired":false, 702 | "standardFlowEnabled":true, 703 | "implicitFlowEnabled":false, 704 | "directAccessGrantsEnabled":false, 705 | "serviceAccountsEnabled":false, 706 | "publicClient":false, 707 | "frontchannelLogout":false, 708 | "protocol":"openid-connect", 709 | "attributes":{ 710 | 711 | }, 712 | "fullScopeAllowed":false, 713 | "nodeReRegistrationTimeout":0, 714 | "protocolMappers":[ 715 | { 716 | "id":"989ff315-41d4-4034-a8a4-750627b976a2", 717 | "name":"username", 718 | "protocol":"openid-connect", 719 | "protocolMapper":"oidc-usermodel-property-mapper", 720 | "consentRequired":true, 721 | "consentText":"${username}", 722 | "config":{ 723 | "userinfo.token.claim":"true", 724 | "user.attribute":"username", 725 | "id.token.claim":"true", 726 | "access.token.claim":"true", 727 | "claim.name":"preferred_username", 728 | "jsonType.label":"String" 729 | } 730 | }, 731 | { 732 | "id":"1be65f1a-b7f1-4558-a392-a9268d98318e", 733 | "name":"family name", 734 | "protocol":"openid-connect", 735 | "protocolMapper":"oidc-usermodel-property-mapper", 736 | "consentRequired":true, 737 | "consentText":"${familyName}", 738 | "config":{ 739 | "userinfo.token.claim":"true", 740 | "user.attribute":"lastName", 741 | "id.token.claim":"true", 742 | "access.token.claim":"true", 743 | "claim.name":"family_name", 744 | "jsonType.label":"String" 745 | } 746 | }, 747 | { 748 | "id":"a4671315-5613-40a5-ba41-25be81a5d0f8", 749 | "name":"given name", 750 | "protocol":"openid-connect", 751 | "protocolMapper":"oidc-usermodel-property-mapper", 752 | "consentRequired":true, 753 | "consentText":"${givenName}", 754 | "config":{ 755 | "userinfo.token.claim":"true", 756 | "user.attribute":"firstName", 757 | "id.token.claim":"true", 758 | "access.token.claim":"true", 759 | "claim.name":"given_name", 760 | "jsonType.label":"String" 761 | } 762 | }, 763 | { 764 | "id":"2591fca7-23a9-4e23-92da-16c9498a48a0", 765 | "name":"full name", 766 | "protocol":"openid-connect", 767 | "protocolMapper":"oidc-full-name-mapper", 768 | "consentRequired":true, 769 | "consentText":"${fullName}", 770 | "config":{ 771 | "id.token.claim":"true", 772 | "access.token.claim":"true", 773 | "userinfo.token.claim":"true" 774 | } 775 | }, 776 | { 777 | "id":"2ac0dbaf-658e-4338-b6ca-419f72c2379d", 778 | "name":"role list", 779 | "protocol":"saml", 780 | "protocolMapper":"saml-role-list-mapper", 781 | "consentRequired":false, 782 | "config":{ 783 | "single":"false", 784 | "attribute.nameformat":"Basic", 785 | "attribute.name":"Role" 786 | } 787 | }, 788 | { 789 | "id":"86a87658-99da-4f03-a12f-2f22dce3bf9d", 790 | "name":"email", 791 | "protocol":"openid-connect", 792 | "protocolMapper":"oidc-usermodel-property-mapper", 793 | "consentRequired":true, 794 | "consentText":"${email}", 795 | "config":{ 796 | "userinfo.token.claim":"true", 797 | "user.attribute":"email", 798 | "id.token.claim":"true", 799 | "access.token.claim":"true", 800 | "claim.name":"email", 801 | "jsonType.label":"String" 802 | } 803 | } 804 | ], 805 | "useTemplateConfig":false, 806 | "useTemplateScope":false, 807 | "useTemplateMappers":false 808 | }, 809 | { 810 | "id":"c05f3022-794a-4190-96e2-5c91bfd06eb5", 811 | "clientId":"admin-cli", 812 | "name":"${client_admin-cli}", 813 | "surrogateAuthRequired":false, 814 | "enabled":true, 815 | "clientAuthenticatorType":"client-secret", 816 | "secret":"**********", 817 | "redirectUris":[ 818 | 819 | ], 820 | "webOrigins":[ 821 | 822 | ], 823 | "notBefore":0, 824 | "bearerOnly":false, 825 | "consentRequired":false, 826 | "standardFlowEnabled":false, 827 | "implicitFlowEnabled":false, 828 | "directAccessGrantsEnabled":true, 829 | "serviceAccountsEnabled":false, 830 | "publicClient":true, 831 | "frontchannelLogout":false, 832 | "protocol":"openid-connect", 833 | "attributes":{ 834 | 835 | }, 836 | "fullScopeAllowed":false, 837 | "nodeReRegistrationTimeout":0, 838 | "protocolMappers":[ 839 | { 840 | "id":"98da3353-455e-4478-9dc1-bcc6dc08eae4", 841 | "name":"role list", 842 | "protocol":"saml", 843 | "protocolMapper":"saml-role-list-mapper", 844 | "consentRequired":false, 845 | "config":{ 846 | "single":"false", 847 | "attribute.nameformat":"Basic", 848 | "attribute.name":"Role" 849 | } 850 | }, 851 | { 852 | "id":"283ca517-fd64-4349-86d4-fe4d28585b5e", 853 | "name":"email", 854 | "protocol":"openid-connect", 855 | "protocolMapper":"oidc-usermodel-property-mapper", 856 | "consentRequired":true, 857 | "consentText":"${email}", 858 | "config":{ 859 | "userinfo.token.claim":"true", 860 | "user.attribute":"email", 861 | "id.token.claim":"true", 862 | "access.token.claim":"true", 863 | "claim.name":"email", 864 | "jsonType.label":"String" 865 | } 866 | }, 867 | { 868 | "id":"c949943a-7352-4d59-b649-6c0d9bc211f5", 869 | "name":"full name", 870 | "protocol":"openid-connect", 871 | "protocolMapper":"oidc-full-name-mapper", 872 | "consentRequired":true, 873 | "consentText":"${fullName}", 874 | "config":{ 875 | "id.token.claim":"true", 876 | "access.token.claim":"true", 877 | "userinfo.token.claim":"true" 878 | } 879 | }, 880 | { 881 | "id":"9709abbe-32ee-4e7b-b0e9-6d2b8d9c4edd", 882 | "name":"given name", 883 | "protocol":"openid-connect", 884 | "protocolMapper":"oidc-usermodel-property-mapper", 885 | "consentRequired":true, 886 | "consentText":"${givenName}", 887 | "config":{ 888 | "userinfo.token.claim":"true", 889 | "user.attribute":"firstName", 890 | "id.token.claim":"true", 891 | "access.token.claim":"true", 892 | "claim.name":"given_name", 893 | "jsonType.label":"String" 894 | } 895 | }, 896 | { 897 | "id":"20dd3d08-22ac-4494-a6f9-bc268a0adc51", 898 | "name":"family name", 899 | "protocol":"openid-connect", 900 | "protocolMapper":"oidc-usermodel-property-mapper", 901 | "consentRequired":true, 902 | "consentText":"${familyName}", 903 | "config":{ 904 | "userinfo.token.claim":"true", 905 | "user.attribute":"lastName", 906 | "id.token.claim":"true", 907 | "access.token.claim":"true", 908 | "claim.name":"family_name", 909 | "jsonType.label":"String" 910 | } 911 | }, 912 | { 913 | "id":"b77de162-6b0e-4f52-b6c1-146c4b916505", 914 | "name":"username", 915 | "protocol":"openid-connect", 916 | "protocolMapper":"oidc-usermodel-property-mapper", 917 | "consentRequired":true, 918 | "consentText":"${username}", 919 | "config":{ 920 | "userinfo.token.claim":"true", 921 | "user.attribute":"username", 922 | "id.token.claim":"true", 923 | "access.token.claim":"true", 924 | "claim.name":"preferred_username", 925 | "jsonType.label":"String" 926 | } 927 | } 928 | ], 929 | "useTemplateConfig":false, 930 | "useTemplateScope":false, 931 | "useTemplateMappers":false 932 | }, 933 | { 934 | "id":"1bfd9c37-a219-4db9-94c6-73eeade70327", 935 | "clientId":"realm-management", 936 | "name":"${client_realm-management}", 937 | "surrogateAuthRequired":false, 938 | "enabled":true, 939 | "clientAuthenticatorType":"client-secret", 940 | "secret":"**********", 941 | "redirectUris":[ 942 | 943 | ], 944 | "webOrigins":[ 945 | 946 | ], 947 | "notBefore":0, 948 | "bearerOnly":true, 949 | "consentRequired":false, 950 | "standardFlowEnabled":true, 951 | "implicitFlowEnabled":false, 952 | "directAccessGrantsEnabled":false, 953 | "serviceAccountsEnabled":false, 954 | "publicClient":false, 955 | "frontchannelLogout":false, 956 | "protocol":"openid-connect", 957 | "attributes":{ 958 | 959 | }, 960 | "fullScopeAllowed":false, 961 | "nodeReRegistrationTimeout":0, 962 | "protocolMappers":[ 963 | { 964 | "id":"5db25eea-434e-4b12-9acf-6ff82a7ce3ec", 965 | "name":"username", 966 | "protocol":"openid-connect", 967 | "protocolMapper":"oidc-usermodel-property-mapper", 968 | "consentRequired":true, 969 | "consentText":"${username}", 970 | "config":{ 971 | "userinfo.token.claim":"true", 972 | "user.attribute":"username", 973 | "id.token.claim":"true", 974 | "access.token.claim":"true", 975 | "claim.name":"preferred_username", 976 | "jsonType.label":"String" 977 | } 978 | }, 979 | { 980 | "id":"ad286369-59e1-4703-bab5-e601ebf02714", 981 | "name":"given name", 982 | "protocol":"openid-connect", 983 | "protocolMapper":"oidc-usermodel-property-mapper", 984 | "consentRequired":true, 985 | "consentText":"${givenName}", 986 | "config":{ 987 | "userinfo.token.claim":"true", 988 | "user.attribute":"firstName", 989 | "id.token.claim":"true", 990 | "access.token.claim":"true", 991 | "claim.name":"given_name", 992 | "jsonType.label":"String" 993 | } 994 | }, 995 | { 996 | "id":"198d1632-11f1-4dd2-874a-d777e7bb6574", 997 | "name":"full name", 998 | "protocol":"openid-connect", 999 | "protocolMapper":"oidc-full-name-mapper", 1000 | "consentRequired":true, 1001 | "consentText":"${fullName}", 1002 | "config":{ 1003 | "id.token.claim":"true", 1004 | "access.token.claim":"true", 1005 | "userinfo.token.claim":"true" 1006 | } 1007 | }, 1008 | { 1009 | "id":"2e850c38-968e-4127-9737-35b78fd7126c", 1010 | "name":"email", 1011 | "protocol":"openid-connect", 1012 | "protocolMapper":"oidc-usermodel-property-mapper", 1013 | "consentRequired":true, 1014 | "consentText":"${email}", 1015 | "config":{ 1016 | "userinfo.token.claim":"true", 1017 | "user.attribute":"email", 1018 | "id.token.claim":"true", 1019 | "access.token.claim":"true", 1020 | "claim.name":"email", 1021 | "jsonType.label":"String" 1022 | } 1023 | }, 1024 | { 1025 | "id":"775c8ae1-5bce-43f0-9bf2-7397f8bc3607", 1026 | "name":"family name", 1027 | "protocol":"openid-connect", 1028 | "protocolMapper":"oidc-usermodel-property-mapper", 1029 | "consentRequired":true, 1030 | "consentText":"${familyName}", 1031 | "config":{ 1032 | "userinfo.token.claim":"true", 1033 | "user.attribute":"lastName", 1034 | "id.token.claim":"true", 1035 | "access.token.claim":"true", 1036 | "claim.name":"family_name", 1037 | "jsonType.label":"String" 1038 | } 1039 | }, 1040 | { 1041 | "id":"9fe4849b-a792-4b66-ab01-b8e7c97e8d87", 1042 | "name":"role list", 1043 | "protocol":"saml", 1044 | "protocolMapper":"saml-role-list-mapper", 1045 | "consentRequired":false, 1046 | "config":{ 1047 | "single":"false", 1048 | "attribute.nameformat":"Basic", 1049 | "attribute.name":"Role" 1050 | } 1051 | } 1052 | ], 1053 | "useTemplateConfig":false, 1054 | "useTemplateScope":false, 1055 | "useTemplateMappers":false 1056 | } 1057 | ], 1058 | "clientTemplates":[ 1059 | 1060 | ], 1061 | "browserSecurityHeaders":{ 1062 | "xContentTypeOptions":"nosniff", 1063 | "xRobotsTag":"none", 1064 | "xFrameOptions":"SAMEORIGIN", 1065 | "xXSSProtection":"1; mode=block", 1066 | "contentSecurityPolicy":"frame-src 'self'; frame-ancestors 'self'; object-src 'none';", 1067 | "strictTransportSecurity":"max-age=31536000; includeSubDomains" 1068 | }, 1069 | "smtpServer":{ 1070 | 1071 | }, 1072 | "eventsEnabled":false, 1073 | "eventsListeners":[ 1074 | "jboss-logging" 1075 | ], 1076 | "enabledEventTypes":[ 1077 | 1078 | ], 1079 | "adminEventsEnabled":false, 1080 | "adminEventsDetailsEnabled":false, 1081 | "components":{ 1082 | "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy":[ 1083 | { 1084 | "id":"be18a6a9-92b8-4df9-942e-2aec58de1d77", 1085 | "name":"Full Scope Disabled", 1086 | "providerId":"scope", 1087 | "subType":"anonymous", 1088 | "subComponents":{ 1089 | 1090 | }, 1091 | "config":{ 1092 | 1093 | } 1094 | }, 1095 | { 1096 | "id":"1ac152a4-8d07-40ef-aab4-47cdc4d8ef72", 1097 | "name":"Trusted Hosts", 1098 | "providerId":"trusted-hosts", 1099 | "subType":"anonymous", 1100 | "subComponents":{ 1101 | 1102 | }, 1103 | "config":{ 1104 | "host-sending-registration-request-must-match":[ 1105 | "true" 1106 | ], 1107 | "client-uris-must-match":[ 1108 | "true" 1109 | ] 1110 | } 1111 | }, 1112 | { 1113 | "id":"e601f8f8-9270-4583-80cf-322bca64b5c2", 1114 | "name":"Allowed Protocol Mapper Types", 1115 | "providerId":"allowed-protocol-mappers", 1116 | "subType":"anonymous", 1117 | "subComponents":{ 1118 | 1119 | }, 1120 | "config":{ 1121 | "allowed-protocol-mapper-types":[ 1122 | "oidc-full-name-mapper", 1123 | "oidc-address-mapper", 1124 | "oidc-usermodel-property-mapper", 1125 | "saml-user-attribute-mapper", 1126 | "oidc-sha256-pairwise-sub-mapper", 1127 | "saml-role-list-mapper", 1128 | "saml-user-property-mapper", 1129 | "oidc-usermodel-attribute-mapper" 1130 | ], 1131 | "consent-required-for-all-mappers":[ 1132 | "true" 1133 | ] 1134 | } 1135 | }, 1136 | { 1137 | "id":"0d485fd9-c501-41c5-9805-47f2e831ccea", 1138 | "name":"Allowed Client Templates", 1139 | "providerId":"allowed-client-templates", 1140 | "subType":"authenticated", 1141 | "subComponents":{ 1142 | 1143 | }, 1144 | "config":{ 1145 | 1146 | } 1147 | }, 1148 | { 1149 | "id":"a36a5c38-dc49-4f0a-b262-2f7dd7aa698f", 1150 | "name":"Allowed Protocol Mapper Types", 1151 | "providerId":"allowed-protocol-mappers", 1152 | "subType":"authenticated", 1153 | "subComponents":{ 1154 | 1155 | }, 1156 | "config":{ 1157 | "allowed-protocol-mapper-types":[ 1158 | "oidc-sha256-pairwise-sub-mapper", 1159 | "oidc-address-mapper", 1160 | "oidc-full-name-mapper", 1161 | "saml-role-list-mapper", 1162 | "oidc-usermodel-property-mapper", 1163 | "saml-user-property-mapper", 1164 | "oidc-usermodel-attribute-mapper", 1165 | "saml-user-attribute-mapper" 1166 | ], 1167 | "consent-required-for-all-mappers":[ 1168 | "true" 1169 | ] 1170 | } 1171 | }, 1172 | { 1173 | "id":"b8f6d668-f2e0-4c15-a47d-36309fdf9dba", 1174 | "name":"Allowed Client Templates", 1175 | "providerId":"allowed-client-templates", 1176 | "subType":"anonymous", 1177 | "subComponents":{ 1178 | 1179 | }, 1180 | "config":{ 1181 | 1182 | } 1183 | }, 1184 | { 1185 | "id":"667b6e4f-0e5d-415b-9c40-d33ce6ecca1e", 1186 | "name":"Max Clients Limit", 1187 | "providerId":"max-clients", 1188 | "subType":"anonymous", 1189 | "subComponents":{ 1190 | 1191 | }, 1192 | "config":{ 1193 | "max-clients":[ 1194 | "200" 1195 | ] 1196 | } 1197 | }, 1198 | { 1199 | "id":"0da2733e-fdc0-4115-9fe6-89ab52c6e800", 1200 | "name":"Consent Required", 1201 | "providerId":"consent-required", 1202 | "subType":"anonymous", 1203 | "subComponents":{ 1204 | 1205 | }, 1206 | "config":{ 1207 | 1208 | } 1209 | } 1210 | ], 1211 | "org.keycloak.keys.KeyProvider":[ 1212 | { 1213 | "id":"13fa5810-c053-4b47-9971-8a2032edcc9e", 1214 | "name":"aes-generated", 1215 | "providerId":"aes-generated", 1216 | "subComponents":{ 1217 | 1218 | }, 1219 | "config":{ 1220 | "kid":[ 1221 | "2ff7f7e7-4f2b-4a8b-8b26-6f630c198b97" 1222 | ], 1223 | "secret":[ 1224 | "zuVY3I0msRmUmAgJzdxo9Q" 1225 | ], 1226 | "priority":[ 1227 | "100" 1228 | ] 1229 | } 1230 | }, 1231 | { 1232 | "id":"66fe4331-e515-45e9-86fd-1226324c9b24", 1233 | "name":"rsa-generated", 1234 | "providerId":"rsa-generated", 1235 | "subComponents":{ 1236 | 1237 | }, 1238 | "config":{ 1239 | "privateKey":[ 1240 | "MIIEpAIBAAKCAQEAqPuVdUUGC8FE/+S4ubDCtoBS/O5wDwXmPkf95IjoMGCBbggCo7XUuecpBszGWxZHKvSGe0TqFepwS2d16COGbZt/dCBunuEpV1VyrY04nXbK58YL6ZY6vVM8aVJWio/TkbBU/LmExeAqB+HwtIy+AygxArxQK0kefOwxXSe16ggng4I/R0b+4J4zxyS/6j862iT6ESHWEViJ4Y3Se9f+oHxha3/dYqIfy7KHNtZWBInIEdkOg6zkoaaTEDSOpfprA4vwDaYNAQcrb06edzUmkD9AWT9YVc7B/cbjtkoorZwR33xmvwx+iAWdUsfp4VqKepvjfooJvh2eeWcW7YbrOQIDAQABAoIBAFru/6+alDVRLNNTfsCWSUGybnYjzXOYJh2P2iXYMrKNzDis4Na+K5pata4uFfPAWk3YRmIhZKKkhQdexolETLvA+OZB6aVf30Ja/ho8q6G44lm1LoXlzPhCyXiX0XBBE4YL0MArCTL+fT++qyxNrJbAUxd4xN92OozZAXtyuicUldYzjv1+Exgx5oYmWsdzNdIzjn+GpnWnTYyT+tRBm2/sXQAlSsyrlPf+V5+PawKzmyiMqfQyCBz69pDedotbFtkRhBNG+dUCiMekxm09c1JyIYpgYQGUM1RSkYw5aeZeoonSyeVws4Of16oARBn0i94tlyoo0mvU94vJdh2KtoECgYEA/pUW+y2gxfQmK2gEUHW0ZXzzfFTrCf0yqPjrErTAptzqfjltSkOEtxSj0aCczvpTlkEwfP/gOPsUyJf+di0kLlcD2YMSSxWoM/51SmOnzkvPZe/YphNIVEtIlWnOWcbRkE77kdK7RAWLaGIUgwp3CQvHNWrrCoL8U2dBTz2d2XECgYEAqex4gxtvPTY2Ud/83gKG1PKBobePXP5OwINZK3vT35xQrIog1r7ueb2EAGe1ldyZd+2BtTNe8UzBIwWxzIfWIGvO+j9hunFeJ7Q6uIDX2np56gPDMaAA/RYBq9plRpD1MkldEbFr4jPh7z3Gwq9O9AnikjCR2M4IdwwSYoqdikkCgYAVFN2BUUb1/YDHqWZqD0Uv/kffbNzFx/zQ90PoGaW2a6bTawf81ViBHKlwK3+wuBQB5kYQo9O6hDg1YDjHKnfLipMcCPmT1ChInfKyhUwZDjgPdewX3JLpwA4zqT5YOtmRvKiia7PsLxVbQHv4Wf5/dkU5zC/IgA5LDcrft/eBUQKBgQCOIlnvuOwEdKtdMxHOFqj3yN28CtHlhGcVSwk0gUCJo7QrjuLHHjBWLrsSp61RbJQGp+k+S3kYOA65n9LIdbsbpXIdCxVRIfETHwObP1LO0nHV2E3W3bLWAClnuafLLgebh5hM626FaMaNGsx+HqvZH8egZvYoNrcH9VYPjUkX2QKBgQD7WDoIcRRAV+x2+RADnNuv00q6iNMhr6nl22OZEGVyWwR3Z8uZJPmktEuzVAOjgzcxVCQQhB/u2Wl8ojU1GRkJpHid5Av5clHF14EWOR6zNxpXexxBIHEVUBmQh562ckxQ3+ZO8bINF44XUPvNrp0UqZuwW9joCg5IRO6oS4IFzQ==" 1241 | ], 1242 | "certificate":[ 1243 | "MIICszCCAZsCBgFh4pMlpDANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJ0ZXN0LWltcG9ydC1leHBvcnQwHhcNMTgwMzAxMTcxNzI5WhcNMjgwMzAxMTcxOTA5WjAdMRswGQYDVQQDDBJ0ZXN0LWltcG9ydC1leHBvcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo+5V1RQYLwUT/5Li5sMK2gFL87nAPBeY+R/3kiOgwYIFuCAKjtdS55ykGzMZbFkcq9IZ7ROoV6nBLZ3XoI4Ztm390IG6e4SlXVXKtjTiddsrnxgvpljq9UzxpUlaKj9ORsFT8uYTF4CoH4fC0jL4DKDECvFArSR587DFdJ7XqCCeDgj9HRv7gnjPHJL/qPzraJPoRIdYRWInhjdJ71/6gfGFrf91ioh/Lsoc21lYEicgR2Q6DrOShppMQNI6l+msDi/ANpg0BBytvTp53NSaQP0BZP1hVzsH9xuO2SiitnBHffGa/DH6IBZ1Sx+nhWop6m+N+igm+HZ55Zxbthus5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJnTU+t4sqCH9865ekIfLR1syoYjnRKcOUs5kiHx4+xjc9hBI//ZSbgDBkMwDxUA86R/5ECtbUpzBCY+CYo8/kEtLjDv9Rem/ZlnsajXCLklkeceN9QXBIXVrdeMcXhEuoJPfyyihIao1cOzhDOzO4MuIUKt8E27GBzV5oOd7JazBl98f8QKX8xRKjcjdSUpcnSbSpzqgV0jx39DWXOVySl3rD2hhErtW19J2rVNI+p/PJNxUo9sgPEgB+y1yn7PjUBYCvjylblYxzgBPu5IJ6Dm9bBRWaJeU4J83pa7td+bCiu2j8sWkSNs5y5tohA9iCxakSzdwG4Mnfiec5TNjGA=" 1244 | ], 1245 | "priority":[ 1246 | "100" 1247 | ] 1248 | } 1249 | }, 1250 | { 1251 | "id":"9c28841a-f8ad-474c-b44d-ec5d08ee1178", 1252 | "name":"hmac-generated", 1253 | "providerId":"hmac-generated", 1254 | "subComponents":{ 1255 | 1256 | }, 1257 | "config":{ 1258 | "kid":[ 1259 | "4e681d54-b14f-4f48-a50c-da1d0fc50df3" 1260 | ], 1261 | "secret":[ 1262 | "woPC5rzYZPii4JaGruEv4hP_AinlU8XiFIOQonCN9i0" 1263 | ], 1264 | "priority":[ 1265 | "100" 1266 | ] 1267 | } 1268 | } 1269 | ] 1270 | }, 1271 | "internationalizationEnabled":false, 1272 | "supportedLocales":[ 1273 | 1274 | ], 1275 | "authenticationFlows": [ 1276 | { 1277 | "id": "38fea546-591d-411d-a642-cfccf97fda6e", 1278 | "alias": "Account verification options", 1279 | "description": "Method with which to verity the existing account", 1280 | "providerId": "basic-flow", 1281 | "topLevel": false, 1282 | "builtIn": true, 1283 | "authenticationExecutions": [ 1284 | { 1285 | "authenticator": "idp-email-verification", 1286 | "requirement": "ALTERNATIVE", 1287 | "priority": 10, 1288 | "userSetupAllowed": false, 1289 | "autheticatorFlow": false 1290 | }, 1291 | { 1292 | "requirement": "ALTERNATIVE", 1293 | "priority": 20, 1294 | "flowAlias": "Verify Existing Account by Re-authentication", 1295 | "userSetupAllowed": false, 1296 | "autheticatorFlow": true 1297 | } 1298 | ] 1299 | }, 1300 | { 1301 | "id": "3ffada50-4b44-41b5-b445-7e1bb92e3b8a", 1302 | "alias": "Authentication Options", 1303 | "description": "Authentication options.", 1304 | "providerId": "basic-flow", 1305 | "topLevel": false, 1306 | "builtIn": true, 1307 | "authenticationExecutions": [ 1308 | { 1309 | "authenticator": "basic-auth", 1310 | "requirement": "REQUIRED", 1311 | "priority": 10, 1312 | "userSetupAllowed": false, 1313 | "autheticatorFlow": false 1314 | }, 1315 | { 1316 | "authenticator": "basic-auth-otp", 1317 | "requirement": "DISABLED", 1318 | "priority": 20, 1319 | "userSetupAllowed": false, 1320 | "autheticatorFlow": false 1321 | }, 1322 | { 1323 | "authenticator": "auth-spnego", 1324 | "requirement": "DISABLED", 1325 | "priority": 30, 1326 | "userSetupAllowed": false, 1327 | "autheticatorFlow": false 1328 | } 1329 | ] 1330 | }, 1331 | { 1332 | "id": "e4588f1b-6c74-4bc2-aa68-ed745c3b65ce", 1333 | "alias": "Browser - Conditional OTP", 1334 | "description": "Flow to determine if the OTP is required for the authentication", 1335 | "providerId": "basic-flow", 1336 | "topLevel": false, 1337 | "builtIn": true, 1338 | "authenticationExecutions": [ 1339 | { 1340 | "authenticator": "conditional-user-configured", 1341 | "requirement": "REQUIRED", 1342 | "priority": 10, 1343 | "userSetupAllowed": false, 1344 | "autheticatorFlow": false 1345 | }, 1346 | { 1347 | "authenticator": "auth-otp-form", 1348 | "requirement": "REQUIRED", 1349 | "priority": 20, 1350 | "userSetupAllowed": false, 1351 | "autheticatorFlow": false 1352 | } 1353 | ] 1354 | }, 1355 | { 1356 | "id": "595a77c4-1cdb-4b56-946f-bbedb409edfb", 1357 | "alias": "Direct Grant - Conditional OTP", 1358 | "description": "Flow to determine if the OTP is required for the authentication", 1359 | "providerId": "basic-flow", 1360 | "topLevel": false, 1361 | "builtIn": true, 1362 | "authenticationExecutions": [ 1363 | { 1364 | "authenticator": "conditional-user-configured", 1365 | "requirement": "REQUIRED", 1366 | "priority": 10, 1367 | "userSetupAllowed": false, 1368 | "autheticatorFlow": false 1369 | }, 1370 | { 1371 | "authenticator": "direct-grant-validate-otp", 1372 | "requirement": "REQUIRED", 1373 | "priority": 20, 1374 | "userSetupAllowed": false, 1375 | "autheticatorFlow": false 1376 | } 1377 | ] 1378 | }, 1379 | { 1380 | "id": "21756d37-ab5e-426f-9ebc-deb19ecc190e", 1381 | "alias": "First broker login - Conditional OTP", 1382 | "description": "Flow to determine if the OTP is required for the authentication", 1383 | "providerId": "basic-flow", 1384 | "topLevel": false, 1385 | "builtIn": true, 1386 | "authenticationExecutions": [ 1387 | { 1388 | "authenticator": "conditional-user-configured", 1389 | "requirement": "REQUIRED", 1390 | "priority": 10, 1391 | "userSetupAllowed": false, 1392 | "autheticatorFlow": false 1393 | }, 1394 | { 1395 | "authenticator": "auth-otp-form", 1396 | "requirement": "REQUIRED", 1397 | "priority": 20, 1398 | "userSetupAllowed": false, 1399 | "autheticatorFlow": false 1400 | } 1401 | ] 1402 | }, 1403 | { 1404 | "id": "ca51a470-7551-4dab-b9a6-223772ee6007", 1405 | "alias": "Handle Existing Account", 1406 | "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", 1407 | "providerId": "basic-flow", 1408 | "topLevel": false, 1409 | "builtIn": true, 1410 | "authenticationExecutions": [ 1411 | { 1412 | "authenticator": "idp-confirm-link", 1413 | "requirement": "REQUIRED", 1414 | "priority": 10, 1415 | "userSetupAllowed": false, 1416 | "autheticatorFlow": false 1417 | }, 1418 | { 1419 | "requirement": "REQUIRED", 1420 | "priority": 20, 1421 | "flowAlias": "Account verification options", 1422 | "userSetupAllowed": false, 1423 | "autheticatorFlow": true 1424 | } 1425 | ] 1426 | }, 1427 | { 1428 | "id": "ff6a9930-a6b8-4848-9234-99fa7030235d", 1429 | "alias": "Reset - Conditional OTP", 1430 | "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", 1431 | "providerId": "basic-flow", 1432 | "topLevel": false, 1433 | "builtIn": true, 1434 | "authenticationExecutions": [ 1435 | { 1436 | "authenticator": "conditional-user-configured", 1437 | "requirement": "REQUIRED", 1438 | "priority": 10, 1439 | "userSetupAllowed": false, 1440 | "autheticatorFlow": false 1441 | }, 1442 | { 1443 | "authenticator": "reset-otp", 1444 | "requirement": "REQUIRED", 1445 | "priority": 20, 1446 | "userSetupAllowed": false, 1447 | "autheticatorFlow": false 1448 | } 1449 | ] 1450 | }, 1451 | { 1452 | "id": "cf2929fe-03a4-4cce-a708-11469c40099c", 1453 | "alias": "User creation or linking", 1454 | "description": "Flow for the existing/non-existing user alternatives", 1455 | "providerId": "basic-flow", 1456 | "topLevel": false, 1457 | "builtIn": true, 1458 | "authenticationExecutions": [ 1459 | { 1460 | "authenticatorConfig": "create unique user config", 1461 | "authenticator": "idp-create-user-if-unique", 1462 | "requirement": "ALTERNATIVE", 1463 | "priority": 10, 1464 | "userSetupAllowed": false, 1465 | "autheticatorFlow": false 1466 | }, 1467 | { 1468 | "requirement": "ALTERNATIVE", 1469 | "priority": 20, 1470 | "flowAlias": "Handle Existing Account", 1471 | "userSetupAllowed": false, 1472 | "autheticatorFlow": true 1473 | } 1474 | ] 1475 | }, 1476 | { 1477 | "id": "47bfaadf-233d-42df-907e-f02585f72128", 1478 | "alias": "Verify Existing Account by Re-authentication", 1479 | "description": "Reauthentication of existing account", 1480 | "providerId": "basic-flow", 1481 | "topLevel": false, 1482 | "builtIn": true, 1483 | "authenticationExecutions": [ 1484 | { 1485 | "authenticator": "idp-username-password-form", 1486 | "requirement": "REQUIRED", 1487 | "priority": 10, 1488 | "userSetupAllowed": false, 1489 | "autheticatorFlow": false 1490 | }, 1491 | { 1492 | "requirement": "CONDITIONAL", 1493 | "priority": 20, 1494 | "flowAlias": "First broker login - Conditional OTP", 1495 | "userSetupAllowed": false, 1496 | "autheticatorFlow": true 1497 | } 1498 | ] 1499 | }, 1500 | { 1501 | "id": "e7a96b44-1b50-473d-b743-e001dfb90f4d", 1502 | "alias": "browser", 1503 | "description": "browser based authentication", 1504 | "providerId": "basic-flow", 1505 | "topLevel": true, 1506 | "builtIn": true, 1507 | "authenticationExecutions": [ 1508 | { 1509 | "authenticator": "auth-cookie", 1510 | "requirement": "ALTERNATIVE", 1511 | "priority": 10, 1512 | "userSetupAllowed": false, 1513 | "autheticatorFlow": false 1514 | }, 1515 | { 1516 | "authenticator": "auth-spnego", 1517 | "requirement": "DISABLED", 1518 | "priority": 20, 1519 | "userSetupAllowed": false, 1520 | "autheticatorFlow": false 1521 | }, 1522 | { 1523 | "authenticator": "identity-provider-redirector", 1524 | "requirement": "ALTERNATIVE", 1525 | "priority": 25, 1526 | "userSetupAllowed": false, 1527 | "autheticatorFlow": false 1528 | }, 1529 | { 1530 | "requirement": "ALTERNATIVE", 1531 | "priority": 30, 1532 | "flowAlias": "forms", 1533 | "userSetupAllowed": false, 1534 | "autheticatorFlow": true 1535 | } 1536 | ] 1537 | }, 1538 | { 1539 | "id": "fc2efb9f-577d-433c-9caa-27377dd82693", 1540 | "alias": "clients", 1541 | "description": "Base authentication for clients", 1542 | "providerId": "client-flow", 1543 | "topLevel": true, 1544 | "builtIn": true, 1545 | "authenticationExecutions": [ 1546 | { 1547 | "authenticator": "client-secret", 1548 | "requirement": "ALTERNATIVE", 1549 | "priority": 10, 1550 | "userSetupAllowed": false, 1551 | "autheticatorFlow": false 1552 | }, 1553 | { 1554 | "authenticator": "client-jwt", 1555 | "requirement": "ALTERNATIVE", 1556 | "priority": 20, 1557 | "userSetupAllowed": false, 1558 | "autheticatorFlow": false 1559 | }, 1560 | { 1561 | "authenticator": "client-secret-jwt", 1562 | "requirement": "ALTERNATIVE", 1563 | "priority": 30, 1564 | "userSetupAllowed": false, 1565 | "autheticatorFlow": false 1566 | }, 1567 | { 1568 | "authenticator": "client-x509", 1569 | "requirement": "ALTERNATIVE", 1570 | "priority": 40, 1571 | "userSetupAllowed": false, 1572 | "autheticatorFlow": false 1573 | } 1574 | ] 1575 | }, 1576 | { 1577 | "id": "74965210-a3bf-4d42-b17e-419ddbafd0d3", 1578 | "alias": "direct grant", 1579 | "description": "OpenID Connect Resource Owner Grant", 1580 | "providerId": "basic-flow", 1581 | "topLevel": true, 1582 | "builtIn": true, 1583 | "authenticationExecutions": [ 1584 | { 1585 | "authenticator": "direct-grant-validate-username", 1586 | "requirement": "REQUIRED", 1587 | "priority": 10, 1588 | "userSetupAllowed": false, 1589 | "autheticatorFlow": false 1590 | }, 1591 | { 1592 | "authenticator": "direct-grant-validate-password", 1593 | "requirement": "REQUIRED", 1594 | "priority": 20, 1595 | "userSetupAllowed": false, 1596 | "autheticatorFlow": false 1597 | }, 1598 | { 1599 | "requirement": "CONDITIONAL", 1600 | "priority": 30, 1601 | "flowAlias": "Direct Grant - Conditional OTP", 1602 | "userSetupAllowed": false, 1603 | "autheticatorFlow": true 1604 | } 1605 | ] 1606 | }, 1607 | { 1608 | "id": "4622d4d7-50c7-415a-8681-6579f02d7299", 1609 | "alias": "docker auth", 1610 | "description": "Used by Docker clients to authenticate against the IDP", 1611 | "providerId": "basic-flow", 1612 | "topLevel": true, 1613 | "builtIn": true, 1614 | "authenticationExecutions": [ 1615 | { 1616 | "authenticator": "docker-http-basic-authenticator", 1617 | "requirement": "REQUIRED", 1618 | "priority": 10, 1619 | "userSetupAllowed": false, 1620 | "autheticatorFlow": false 1621 | } 1622 | ] 1623 | }, 1624 | { 1625 | "id": "af0567dd-0055-48e7-9eec-172089be3dac", 1626 | "alias": "first broker login", 1627 | "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", 1628 | "providerId": "basic-flow", 1629 | "topLevel": true, 1630 | "builtIn": true, 1631 | "authenticationExecutions": [ 1632 | { 1633 | "authenticatorConfig": "review profile config", 1634 | "authenticator": "idp-review-profile", 1635 | "requirement": "REQUIRED", 1636 | "priority": 10, 1637 | "userSetupAllowed": false, 1638 | "autheticatorFlow": false 1639 | }, 1640 | { 1641 | "requirement": "REQUIRED", 1642 | "priority": 20, 1643 | "flowAlias": "User creation or linking", 1644 | "userSetupAllowed": false, 1645 | "autheticatorFlow": true 1646 | } 1647 | ] 1648 | }, 1649 | { 1650 | "id": "db55cfe1-555e-43d7-8d75-e6ff90b02c78", 1651 | "alias": "forms", 1652 | "description": "Username, password, otp and other auth forms.", 1653 | "providerId": "basic-flow", 1654 | "topLevel": false, 1655 | "builtIn": true, 1656 | "authenticationExecutions": [ 1657 | { 1658 | "authenticator": "auth-username-password-form", 1659 | "requirement": "REQUIRED", 1660 | "priority": 10, 1661 | "userSetupAllowed": false, 1662 | "autheticatorFlow": false 1663 | }, 1664 | { 1665 | "requirement": "CONDITIONAL", 1666 | "priority": 20, 1667 | "flowAlias": "Browser - Conditional OTP", 1668 | "userSetupAllowed": false, 1669 | "autheticatorFlow": true 1670 | } 1671 | ] 1672 | }, 1673 | { 1674 | "id": "d0c316fb-1bbc-41a0-ba70-7caad2827d38", 1675 | "alias": "http challenge", 1676 | "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", 1677 | "providerId": "basic-flow", 1678 | "topLevel": true, 1679 | "builtIn": true, 1680 | "authenticationExecutions": [ 1681 | { 1682 | "authenticator": "no-cookie-redirect", 1683 | "requirement": "REQUIRED", 1684 | "priority": 10, 1685 | "userSetupAllowed": false, 1686 | "autheticatorFlow": false 1687 | }, 1688 | { 1689 | "requirement": "REQUIRED", 1690 | "priority": 20, 1691 | "flowAlias": "Authentication Options", 1692 | "userSetupAllowed": false, 1693 | "autheticatorFlow": true 1694 | } 1695 | ] 1696 | }, 1697 | { 1698 | "id": "14b33114-b4bf-4904-9652-61641fd33240", 1699 | "alias": "registration", 1700 | "description": "registration flow", 1701 | "providerId": "basic-flow", 1702 | "topLevel": true, 1703 | "builtIn": true, 1704 | "authenticationExecutions": [ 1705 | { 1706 | "authenticator": "registration-page-form", 1707 | "requirement": "REQUIRED", 1708 | "priority": 10, 1709 | "flowAlias": "registration form", 1710 | "userSetupAllowed": false, 1711 | "autheticatorFlow": true 1712 | } 1713 | ] 1714 | }, 1715 | { 1716 | "id": "55701952-ea49-46cd-a748-7a5c01114fd9", 1717 | "alias": "registration form", 1718 | "description": "registration form", 1719 | "providerId": "form-flow", 1720 | "topLevel": false, 1721 | "builtIn": true, 1722 | "authenticationExecutions": [ 1723 | { 1724 | "authenticator": "registration-user-creation", 1725 | "requirement": "REQUIRED", 1726 | "priority": 20, 1727 | "userSetupAllowed": false, 1728 | "autheticatorFlow": false 1729 | }, 1730 | { 1731 | "authenticator": "registration-profile-action", 1732 | "requirement": "REQUIRED", 1733 | "priority": 40, 1734 | "userSetupAllowed": false, 1735 | "autheticatorFlow": false 1736 | }, 1737 | { 1738 | "authenticator": "registration-password-action", 1739 | "requirement": "REQUIRED", 1740 | "priority": 50, 1741 | "userSetupAllowed": false, 1742 | "autheticatorFlow": false 1743 | }, 1744 | { 1745 | "authenticator": "registration-recaptcha-action", 1746 | "requirement": "DISABLED", 1747 | "priority": 60, 1748 | "userSetupAllowed": false, 1749 | "autheticatorFlow": false 1750 | } 1751 | ] 1752 | }, 1753 | { 1754 | "id": "d2750eed-dbd1-4379-a0b7-02b48847d062", 1755 | "alias": "reset credentials", 1756 | "description": "Reset credentials for a user if they forgot their password or something", 1757 | "providerId": "basic-flow", 1758 | "topLevel": true, 1759 | "builtIn": true, 1760 | "authenticationExecutions": [ 1761 | { 1762 | "authenticator": "reset-credentials-choose-user", 1763 | "requirement": "REQUIRED", 1764 | "priority": 10, 1765 | "userSetupAllowed": false, 1766 | "autheticatorFlow": false 1767 | }, 1768 | { 1769 | "authenticator": "reset-credential-email", 1770 | "requirement": "REQUIRED", 1771 | "priority": 20, 1772 | "userSetupAllowed": false, 1773 | "autheticatorFlow": false 1774 | }, 1775 | { 1776 | "authenticator": "reset-password", 1777 | "requirement": "REQUIRED", 1778 | "priority": 30, 1779 | "userSetupAllowed": false, 1780 | "autheticatorFlow": false 1781 | }, 1782 | { 1783 | "requirement": "CONDITIONAL", 1784 | "priority": 40, 1785 | "flowAlias": "Reset - Conditional OTP", 1786 | "userSetupAllowed": false, 1787 | "autheticatorFlow": true 1788 | } 1789 | ] 1790 | }, 1791 | { 1792 | "id": "a0db18ab-8265-4484-a8e3-7568bd5cbd05", 1793 | "alias": "saml ecp", 1794 | "description": "SAML ECP Profile Authentication Flow", 1795 | "providerId": "basic-flow", 1796 | "topLevel": true, 1797 | "builtIn": true, 1798 | "authenticationExecutions": [ 1799 | { 1800 | "authenticator": "http-basic-authenticator", 1801 | "requirement": "REQUIRED", 1802 | "priority": 10, 1803 | "userSetupAllowed": false, 1804 | "autheticatorFlow": false 1805 | } 1806 | ] 1807 | } 1808 | ], 1809 | "authenticatorConfig": [ 1810 | { 1811 | "id": "744bd950-7496-4f6b-ba17-5af52e9cb418", 1812 | "alias": "create unique user config", 1813 | "config": { 1814 | "require.password.update.after.registration": "false" 1815 | } 1816 | }, 1817 | { 1818 | "id": "67b496e7-7a68-4288-986b-2bc0731dfd89", 1819 | "alias": "review profile config", 1820 | "config": { 1821 | "update.profile.on.first.login": "missing" 1822 | } 1823 | } 1824 | ], 1825 | "requiredActions":[ 1826 | { 1827 | "alias":"CONFIGURE_TOTP", 1828 | "name":"Configure OTP", 1829 | "providerId":"CONFIGURE_TOTP", 1830 | "enabled":true, 1831 | "defaultAction":false, 1832 | "config":{ 1833 | 1834 | } 1835 | }, 1836 | { 1837 | "alias":"UPDATE_PASSWORD", 1838 | "name":"Update Password", 1839 | "providerId":"UPDATE_PASSWORD", 1840 | "enabled":true, 1841 | "defaultAction":false, 1842 | "config":{ 1843 | 1844 | } 1845 | }, 1846 | { 1847 | "alias":"UPDATE_PROFILE", 1848 | "name":"Update Profile", 1849 | "providerId":"UPDATE_PROFILE", 1850 | "enabled":true, 1851 | "defaultAction":false, 1852 | "config":{ 1853 | 1854 | } 1855 | }, 1856 | { 1857 | "alias":"VERIFY_EMAIL", 1858 | "name":"Verify Email", 1859 | "providerId":"VERIFY_EMAIL", 1860 | "enabled":true, 1861 | "defaultAction":false, 1862 | "config":{ 1863 | 1864 | } 1865 | }, 1866 | { 1867 | "alias":"terms_and_conditions", 1868 | "name":"Terms and Conditions", 1869 | "providerId":"terms_and_conditions", 1870 | "enabled":false, 1871 | "defaultAction":false, 1872 | "config":{ 1873 | 1874 | } 1875 | } 1876 | ], 1877 | "browserFlow":"browser", 1878 | "registrationFlow":"registration", 1879 | "directGrantFlow":"direct grant", 1880 | "resetCredentialsFlow":"reset credentials", 1881 | "clientAuthenticationFlow":"clients", 1882 | "dockerAuthenticationFlow":"docker auth", 1883 | "attributes":{ 1884 | "_browser_header.xXSSProtection":"1; mode=block", 1885 | "_browser_header.xFrameOptions":"SAMEORIGIN", 1886 | "_browser_header.strictTransportSecurity":"max-age=31536000; includeSubDomains", 1887 | "permanentLockout":"false", 1888 | "quickLoginCheckMilliSeconds":"1000", 1889 | "_browser_header.xRobotsTag":"none", 1890 | "maxFailureWaitSeconds":"900", 1891 | "minimumQuickLoginWaitSeconds":"60", 1892 | "failureFactor":"30", 1893 | "actionTokenGeneratedByUserLifespan":"300", 1894 | "maxDeltaTimeSeconds":"43200", 1895 | "_browser_header.xContentTypeOptions":"nosniff", 1896 | "actionTokenGeneratedByAdminLifespan":"43200", 1897 | "bruteForceProtected":"false", 1898 | "_browser_header.contentSecurityPolicy":"frame-src 'self'; frame-ancestors 'self'; object-src 'none';", 1899 | "waitIncrementSeconds":"60" 1900 | }, 1901 | "keycloakVersion":"7.0.0" 1902 | } -------------------------------------------------------------------------------- /keycloak-export/assembly.xml: -------------------------------------------------------------------------------- 1 | 4 | dist 5 | 6 | tar.gz 7 | 8 | ${project.build.finalName} 9 | 10 | 11 | install.sh 12 | 0755 13 | 14 | 15 | module.xml 16 | 17 | 18 | 19 | 20 | ${project.build.directory} 21 | target 22 | 23 | ${project.build.finalName}.jar 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /keycloak-export/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # install.sh 3 | # 4 | # install keycloak module : 5 | # keycloak-export 6 | 7 | set -eE 8 | MODULE_DIR=$(dirname $0) 9 | TARGET_DIR=$MODULE_DIR/target 10 | [ -z "$WINDIR" ] && KC_EXE=kc.sh || KC_EXE=kc.bat 11 | 12 | usage () 13 | { 14 | echo "usage: $0 keycloak_path [-c]" 15 | } 16 | 17 | abort_usage_keycloak() 18 | { 19 | echo "Invalid keycloak path" 20 | usage 21 | exit 1 22 | } 23 | 24 | init() 25 | { 26 | #optional args 27 | argv__UNINSTALL=0 28 | argv__TARGET="http://localhost:8898" 29 | getopt_results=$(getopt -s bash -o u --long uninstall -- "$@") 30 | 31 | if test $? != 0 32 | then 33 | echo "unrecognized option" 34 | exit 1 35 | fi 36 | eval set -- "$getopt_results" 37 | 38 | while true 39 | do 40 | case "$1" in 41 | -u|--uninstall) 42 | argv__UNINSTALL=1 43 | echo "--delete set. will remove plugin" 44 | shift 45 | ;; 46 | --) 47 | shift 48 | break 49 | ;; 50 | *) 51 | EXCEPTION=$Main__ParameterException 52 | EXCEPTION_MSG="unparseable option $1" 53 | exit 1 54 | ;; 55 | esac 56 | done 57 | 58 | # positional args 59 | argv__KEYCLOAK="" 60 | if [[ "$#" -ne 1 ]]; then 61 | usage 62 | exit 1 63 | fi 64 | argv__KEYCLOAK="$1" 65 | [ -d $argv__KEYCLOAK ] && [ -d $argv__KEYCLOAK/bin ] && [ -d $argv__KEYCLOAK/providers ] && [ -d $argv__KEYCLOAK/conf ] || abort_usage_keycloak 66 | # optional args 67 | CONF_FILE=$argv__KEYCLOAK/conf/keycloak.conf 68 | JAR_PATH=`find ${TARGET_DIR} -type f -name "*.jar" -not -name "*sources.jar" | grep -v "archive-tmp"` 69 | JAR_NAME=`basename $JAR_PATH` 70 | } 71 | 72 | init_exceptions() 73 | { 74 | EXCEPTION=0 75 | EXCEPTION_MSG="" 76 | #Main__Default_Unkown=1 77 | Main__ParameterException=2 78 | } 79 | 80 | del_configuration() 81 | { 82 | if [[ ! -z "$1" ]] ; then 83 | sed -i "/^$1=/d" ${CONF_FILE} 84 | fi 85 | } 86 | 87 | add_configuration() 88 | { 89 | if [[ ! -z "$1" ]] ; then 90 | sed -i "/^$1=/d" ${CONF_FILE} 91 | echo "$1=$2" >> ${CONF_FILE} 92 | fi 93 | } 94 | 95 | cleanup() 96 | { 97 | #clean dir structure in case of script failure 98 | echo "cleanup..." 99 | 100 | #del_configuration spi-xxxxxxxxxxxxxx 101 | rm -rf $argv__KEYCLOAK/providers/$JAR_NAME 102 | 103 | echo "done" 104 | } 105 | 106 | Main__interruptHandler() 107 | { 108 | # @description signal handler for SIGINT 109 | echo "$0: SIGINT caught" 110 | exit 111 | } 112 | Main__terminationHandler() 113 | { 114 | # @description signal handler for SIGTERM 115 | echo "$0: SIGTERM caught" 116 | exit 117 | } 118 | Main__exitHandler() 119 | { 120 | cleanup 121 | if [[ "$EXCEPTION" -ne 0 ]] ; then 122 | echo "$0: error : ${EXCEPTION_MSG}" 123 | fi 124 | exit 125 | } 126 | 127 | trap Main__interruptHandler INT 128 | trap Main__terminationHandler TERM 129 | trap Main__exitHandler ERR 130 | 131 | Main__main() 132 | { 133 | # init script temporals 134 | init_exceptions 135 | init "$@" 136 | if [[ "$argv__UNINSTALL" -eq 1 ]]; then 137 | cleanup 138 | exit 0 139 | fi 140 | # install module 141 | cp $JAR_PATH $argv__KEYCLOAK/providers/ 142 | 143 | # configure module 144 | #add_configuration key value 145 | $argv__KEYCLOAK/bin/$KC_EXE build 146 | 147 | exit 0 148 | } 149 | 150 | Main__main "$@" 151 | -------------------------------------------------------------------------------- /keycloak-export/module.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /keycloak-export/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4.0.0 4 | 5 | 6 | io.cloudtrust 7 | keycloak-export-parent 8 | 18.1.2-SNAPSHOT 9 | 10 | 11 | keycloak-export 12 | jar 13 | Keycloak Export 14 | 15 | 16 | 17 | org.keycloak 18 | keycloak-core 19 | provided 20 | 21 | 22 | org.keycloak 23 | keycloak-common 24 | provided 25 | 26 | 27 | org.keycloak 28 | keycloak-server-spi 29 | provided 30 | 31 | 32 | org.keycloak 33 | keycloak-server-spi-private 34 | provided 35 | 36 | 37 | org.keycloak 38 | keycloak-services 39 | provided 40 | 41 | 42 | org.jboss.logging 43 | jboss-logging 44 | provided 45 | 46 | 47 | 48 | 49 | 50 | 51 | org.jacoco 52 | jacoco-maven-plugin 53 | 54 | 55 | org.apache.maven.plugins 56 | maven-assembly-plugin 57 | 58 | 59 | default-package 60 | package 61 | 62 | single 63 | 64 | 65 | 66 | 67 | false 68 | 69 | assembly.xml 70 | 71 | posix 72 | 73 | 74 | 75 | org.apache.maven.plugins 76 | maven-release-plugin 77 | 3.0.0-M7 78 | 79 | @{project.version} 80 | 81 | 82 | 83 | com.github.spotbugs 84 | spotbugs-maven-plugin 85 | 86 | 87 | org.apache.maven.plugins 88 | maven-pmd-plugin 89 | 90 | 91 | org.owasp 92 | dependency-check-maven 93 | 94 | 95 | 96 | check 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/ExportResourceProvider.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export; 2 | 3 | import io.cloudtrust.keycloak.export.dto.BetterCredentialRepresentation; 4 | import io.cloudtrust.keycloak.export.dto.BetterRealmRepresentation; 5 | import org.jboss.logging.Logger; 6 | import org.keycloak.common.ClientConnection; 7 | import org.keycloak.credential.CredentialModel; 8 | import org.keycloak.exportimport.util.ExportUtils; 9 | import org.keycloak.jose.jws.JWSInput; 10 | import org.keycloak.jose.jws.JWSInputException; 11 | import org.keycloak.models.AdminRoles; 12 | import org.keycloak.models.ClientModel; 13 | import org.keycloak.models.KeycloakSession; 14 | import org.keycloak.models.ModelDuplicateException; 15 | import org.keycloak.models.RealmModel; 16 | import org.keycloak.models.RoleModel; 17 | import org.keycloak.policy.PasswordPolicyNotMetException; 18 | import org.keycloak.representations.AccessToken; 19 | import org.keycloak.representations.idm.CredentialRepresentation; 20 | import org.keycloak.representations.idm.RealmRepresentation; 21 | import org.keycloak.representations.idm.UserRepresentation; 22 | import org.keycloak.services.ErrorResponse; 23 | import org.keycloak.services.managers.AppAuthManager; 24 | import org.keycloak.services.managers.AuthenticationManager; 25 | import org.keycloak.services.managers.RealmManager; 26 | import org.keycloak.services.resource.RealmResourceProvider; 27 | import org.keycloak.services.resources.KeycloakApplication; 28 | import org.keycloak.services.resources.admin.AdminAuth; 29 | import org.keycloak.services.resources.admin.AdminRoot; 30 | import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator; 31 | import org.keycloak.services.resources.admin.permissions.AdminPermissions; 32 | 33 | import javax.ws.rs.ForbiddenException; 34 | import javax.ws.rs.GET; 35 | import javax.ws.rs.NotAuthorizedException; 36 | import javax.ws.rs.NotFoundException; 37 | import javax.ws.rs.POST; 38 | import javax.ws.rs.Path; 39 | import javax.ws.rs.Produces; 40 | import javax.ws.rs.core.Context; 41 | import javax.ws.rs.core.HttpHeaders; 42 | import javax.ws.rs.core.MediaType; 43 | import javax.ws.rs.core.Response; 44 | import javax.ws.rs.core.UriInfo; 45 | import java.net.URI; 46 | import java.util.HashMap; 47 | import java.util.List; 48 | import java.util.Map; 49 | import java.util.stream.Collectors; 50 | 51 | /** 52 | * ExportResourceProvider exposes two endpoints to import and export realms 53 | */ 54 | public class ExportResourceProvider implements RealmResourceProvider { 55 | 56 | protected static final Logger logger = Logger.getLogger(ExportResourceProvider.class); 57 | 58 | private KeycloakSession session; 59 | 60 | protected AppAuthManager authManager; 61 | 62 | @Context 63 | protected ClientConnection clientConnection; 64 | 65 | public ExportResourceProvider(KeycloakSession session) { 66 | this.session = session; 67 | this.authManager = new AppAuthManager(); 68 | 69 | } 70 | 71 | @Override 72 | public Object getResource() { 73 | return this; 74 | } 75 | 76 | @GET 77 | @Path("realm") 78 | @Produces(MediaType.APPLICATION_JSON) 79 | public RealmRepresentation exportRealm(@Context final HttpHeaders headers, @Context final UriInfo uriInfo) { 80 | //retrieving the realm should be done before authentication 81 | // authentication overrides the value with master inside the context 82 | // this is done this way to avoid changing the copied code below (authenticateRealmAdminRequest) 83 | RealmModel realm = session.getContext().getRealm(); 84 | AdminAuth adminAuth = authenticateRealmAdminRequest(headers, uriInfo); 85 | RealmManager realmManager = new RealmManager(session); 86 | RoleModel roleModel = adminAuth.getRealm().getRole(AdminRoles.ADMIN); 87 | AdminPermissionEvaluator realmAuth = AdminPermissions.evaluator(session, realm, adminAuth); 88 | if (roleModel != null && adminAuth.getUser().hasRole(roleModel) 89 | && adminAuth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm()) 90 | && realmAuth.realm().canManageRealm()) { 91 | RealmRepresentation realmRep = ExportUtils.exportRealm(session, realm, true, true); 92 | //correct users 93 | if (realmRep.getUsers() != null) { 94 | setCorrectCredentials(realmRep.getUsers(), realm); 95 | } 96 | return realmRep; 97 | } else { 98 | throw new ForbiddenException(); 99 | } 100 | } 101 | 102 | /** 103 | * This method rewrites the credential list for the users, including the Id (which is missing by default). 104 | * Unfortunately, due to the limitations in the keycloak API, there is no way to unit test this. 105 | * 106 | * @param users The user representations to correct 107 | * @param realm the realm being exported 108 | */ 109 | private void setCorrectCredentials(List users, RealmModel realm) { 110 | Map userRepMap = new HashMap<>(users.size()); 111 | users.stream().collect(Collectors.toMap(UserRepresentation::getId, u -> u)); 112 | 113 | session.users().getUsersStream(realm, true).forEach(user -> { 114 | UserRepresentation userRep = userRepMap.get(user.getId()); 115 | if (userRep != null) { 116 | // Credentials 117 | List credReps = session.userCredentialManager().getStoredCredentialsStream(realm, user) 118 | .map(this::exportCredential) 119 | .collect(Collectors.toList()); 120 | userRep.setCredentials(credReps); 121 | } 122 | }); 123 | } 124 | 125 | private BetterCredentialRepresentation exportCredential(CredentialModel userCred) { 126 | BetterCredentialRepresentation credRep = new BetterCredentialRepresentation(); 127 | credRep.setId(userCred.getId()); 128 | credRep.setType(userCred.getType()); 129 | credRep.setCreatedDate(userCred.getCreatedDate()); 130 | credRep.setCredentialData(userCred.getCredentialData()); 131 | credRep.setSecretData(userCred.getSecretData()); 132 | credRep.setUserLabel(userCred.getUserLabel()); 133 | return credRep; 134 | } 135 | 136 | @Override 137 | public void close() { 138 | // Nothing to close 139 | } 140 | 141 | /** 142 | * This code has been copied from keycloak org.keycloak.services.resources.admin.AdminRoot; 143 | * it allows to check if a user as realm/master admin 144 | * at each upgrade check that it hasn't been modified 145 | */ 146 | private AdminAuth authenticateRealmAdminRequest(HttpHeaders headers, UriInfo uriInfo) { 147 | String tokenString = AppAuthManager.extractAuthorizationHeaderToken(headers); 148 | if (tokenString == null) throw new NotAuthorizedException("Bearer"); 149 | AccessToken token; 150 | try { 151 | JWSInput input = new JWSInput(tokenString); 152 | token = input.readJsonContent(AccessToken.class); 153 | } catch (JWSInputException e) { 154 | throw new NotAuthorizedException("Bearer token format error", e); 155 | } 156 | String realmName = token.getIssuer().substring(token.getIssuer().lastIndexOf('/') + 1); 157 | RealmManager realmManager = new RealmManager(session); 158 | RealmModel realm = realmManager.getRealmByName(realmName); 159 | if (realm == null) { 160 | throw new NotAuthorizedException("Unknown realm in token"); 161 | } 162 | session.getContext().setRealm(realm); 163 | AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session) 164 | .setRealm(realm) 165 | .setUriInfo(uriInfo) 166 | .setConnection(clientConnection) 167 | .setHeaders(headers) 168 | .authenticate(); 169 | if (authResult == null) { 170 | logger.debug("Token not valid"); 171 | throw new NotAuthorizedException("Bearer"); 172 | } 173 | 174 | ClientModel client = realm.getClientByClientId(token.getIssuedFor()); 175 | if (client == null) { 176 | throw new NotFoundException("Could not find client for authorization"); 177 | 178 | } 179 | 180 | return new AdminAuth(realm, authResult.getToken(), authResult.getUser(), client); 181 | } 182 | 183 | @POST 184 | @Path("realm") 185 | @Produces(MediaType.APPLICATION_JSON) 186 | public Response importRealm(@Context final HttpHeaders headers, @Context final UriInfo uriInfo, @Context KeycloakApplication keycloak, BetterRealmRepresentation rep) { 187 | try { 188 | AdminAuth auth = authenticateRealmAdminRequest(headers, uriInfo); 189 | AdminPermissions.realms(session, auth).requireCreateRealm(); 190 | 191 | RealmModel realm = ImportExportUtils.importRealm(session, keycloak, rep, null, false); 192 | grantPermissionsToRealmCreator(auth, realm); 193 | 194 | URI location = AdminRoot.realmsUrl(session.getContext().getUri()).path(realm.getName()).build(); 195 | logger.debugv("imported realm success, sending back: {0}", location); 196 | 197 | return Response.created(location).build(); 198 | } catch (ModelDuplicateException e) { 199 | logger.error("Conflict detected", e); 200 | return ErrorResponse.exists("Conflict detected. See logs for details"); 201 | } catch (PasswordPolicyNotMetException e) { 202 | logger.error("Password policy not met for user " + e.getUsername(), e); 203 | if (session.getTransactionManager().isActive()) session.getTransactionManager().setRollbackOnly(); 204 | return ErrorResponse.error("Password policy not met. See logs for details", Response.Status.BAD_REQUEST); 205 | } 206 | } 207 | 208 | private void grantPermissionsToRealmCreator(AdminAuth auth, RealmModel realm) { 209 | if (auth.hasRealmRole(AdminRoles.ADMIN)) { 210 | return; 211 | } 212 | 213 | new RealmManager(session).getKeycloakAdminstrationRealm(); 214 | ClientModel realmAdminApp = realm.getMasterAdminClient(); 215 | for (String r : AdminRoles.ALL_REALM_ROLES) { 216 | RoleModel role = realmAdminApp.getRole(r); 217 | auth.getUser().grantRole(role); 218 | } 219 | } 220 | } 221 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/ExportResourceProviderFactory.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2016 Red Hat, Inc. and/or its affiliates 3 | * and other contributors as indicated by the @author tags. 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * http://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | package io.cloudtrust.keycloak.export; 19 | 20 | import org.keycloak.Config.Scope; 21 | import org.keycloak.models.KeycloakSession; 22 | import org.keycloak.models.KeycloakSessionFactory; 23 | import org.keycloak.services.resource.RealmResourceProvider; 24 | import org.keycloak.services.resource.RealmResourceProviderFactory; 25 | 26 | /** 27 | * @author Stian Thorgersen 28 | */ 29 | public class ExportResourceProviderFactory implements RealmResourceProviderFactory { 30 | 31 | public static final String ID = "export"; 32 | 33 | @Override 34 | public String getId() { 35 | return ID; 36 | } 37 | 38 | @Override 39 | public RealmResourceProvider create(KeycloakSession session) { 40 | return new ExportResourceProvider(session); 41 | } 42 | 43 | @Override 44 | public void init(Scope config) { 45 | // Nothing to do 46 | } 47 | 48 | @Override 49 | public void postInit(KeycloakSessionFactory factory) { 50 | // Nothing to do 51 | } 52 | 53 | @Override 54 | public void close() { 55 | // Nothing to close 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/ImportExportUtils.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export; 2 | 3 | import io.cloudtrust.keycloak.export.dto.BetterRealmRepresentation; 4 | import org.jboss.logging.Logger; 5 | import org.keycloak.Config; 6 | import org.keycloak.exportimport.Strategy; 7 | import org.keycloak.models.KeycloakSession; 8 | import org.keycloak.models.RealmModel; 9 | import org.keycloak.models.RealmProvider; 10 | import org.keycloak.models.UserModel; 11 | import org.keycloak.representations.idm.UserRepresentation; 12 | import org.keycloak.services.managers.RealmManager; 13 | import org.keycloak.services.resources.KeycloakApplication; 14 | 15 | import java.util.Collections; 16 | import java.util.HashMap; 17 | import java.util.List; 18 | import java.util.Map; 19 | import java.util.Map.Entry; 20 | 21 | public class ImportExportUtils { 22 | private static final Logger logger = Logger.getLogger(ImportExportUtils.class); 23 | 24 | private ImportExportUtils() { 25 | } 26 | 27 | public static RealmModel importRealm(KeycloakSession session, KeycloakApplication keycloak, BetterRealmRepresentation rep, Strategy strategy, boolean skipUserDependent) { 28 | String realmName = rep.getRealm(); 29 | RealmProvider model = session.realms(); 30 | RealmModel realm = model.getRealmByName(realmName); 31 | 32 | if (realm != null) { 33 | if (strategy == Strategy.IGNORE_EXISTING) { 34 | logger.infof("Realm '%s' already exists. Import skipped", realmName); 35 | return null; 36 | } else if (strategy == Strategy.OVERWRITE_EXISTING) { 37 | logger.infof("Realm '%s' already exists. Removing it before import", realmName); 38 | if (Config.getAdminRealm().equals(realm.getId())) { 39 | // Delete all masterAdmin apps due to foreign key constraints 40 | model.getRealmsStream().forEach(r -> r.setMasterAdminClient(null)); 41 | } 42 | model.removeRealm(realm.getId()); 43 | } 44 | } 45 | 46 | RealmManager realmManager = new RealmManager(session); 47 | 48 | // Cache required actions information and remove it from user representations.. 49 | // Original version from RepresentationToModel first convert it to an enum 50 | // then get the name of the enum value. This fails for customized required actions 51 | Map> mapUserToRequiredActions = new HashMap<>(); 52 | if (rep.getUsers()!=null) { 53 | for (UserRepresentation user : rep.getUsers()) { 54 | if (user.getRequiredActions() != null) { 55 | mapUserToRequiredActions.put(user, user.getRequiredActions()); 56 | user.setRequiredActions(Collections.emptyList()); 57 | } 58 | } 59 | } 60 | 61 | // Basic import 62 | realm = realmManager.importRealm(rep, skipUserDependent); 63 | 64 | // Now set required actions 65 | for (Entry> entry : mapUserToRequiredActions.entrySet()) { 66 | UserRepresentation userRep = entry.getKey(); 67 | UserModel user = session.userLocalStorage().getUserById(realm, userRep.getId()); 68 | entry.getValue().forEach(user::addRequiredAction); 69 | } 70 | 71 | return realm; 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/SingleFileImportProvider.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export; 2 | 3 | import com.fasterxml.jackson.core.JsonFactory; 4 | import com.fasterxml.jackson.core.JsonParser; 5 | import com.fasterxml.jackson.core.JsonToken; 6 | import com.fasterxml.jackson.databind.ObjectMapper; 7 | import io.cloudtrust.keycloak.export.dto.BetterRealmRepresentation; 8 | import org.jboss.logging.Logger; 9 | import org.keycloak.Config; 10 | import org.keycloak.exportimport.ImportProvider; 11 | import org.keycloak.exportimport.Strategy; 12 | import org.keycloak.models.KeycloakSession; 13 | import org.keycloak.models.KeycloakSessionFactory; 14 | import org.keycloak.models.utils.KeycloakModelUtils; 15 | import org.keycloak.services.managers.RealmManager; 16 | 17 | import java.io.File; 18 | import java.io.FileInputStream; 19 | import java.io.IOException; 20 | import java.io.InputStream; 21 | import java.util.ArrayList; 22 | import java.util.List; 23 | 24 | public class SingleFileImportProvider implements ImportProvider { 25 | private static final Logger logger = Logger.getLogger(SingleFileImportProvider.class); 26 | 27 | private final File file; 28 | 29 | // Allows to cache representation per provider to avoid parsing them twice 30 | private List realmReps; 31 | 32 | public SingleFileImportProvider(File file) { 33 | this.file = file; 34 | } 35 | 36 | @Override 37 | public void importModel(KeycloakSessionFactory factory, Strategy strategy) throws IOException { 38 | logger.infof("Full importing from file %s", this.file.getAbsolutePath()); 39 | 40 | BetterRealmRepresentation masterRealm = getMasterRealm(); 41 | KeycloakModelUtils.runJobInTransaction(factory, session -> { 42 | // Import master realm first, if exists 43 | if (masterRealm != null) { 44 | importRealm(session, masterRealm, strategy); 45 | } 46 | realmReps.stream().filter(r -> r != masterRealm).forEach(r -> importRealm(session, r, strategy)); 47 | 48 | if (masterRealm != null) { 49 | // If master was imported, we may need to re-create realm management clients 50 | session.realms().getRealmsStream().filter(r -> r.getMasterAdminClient() == null).forEach(realm -> { 51 | logger.infof("Re-created management client in master realm for realm '%s'", realm.getName()); 52 | new RealmManager(session).setupMasterAdminManagement(realm); 53 | }); 54 | } 55 | }); 56 | } 57 | 58 | @Override 59 | public void importRealm(KeycloakSessionFactory factory, String realmName, Strategy strategy) throws IOException { 60 | // import just that single realm in case that file contains many realms? 61 | importModel(factory, strategy); 62 | } 63 | 64 | @Override 65 | public boolean isMasterRealmExported() throws IOException { 66 | return getMasterRealm() != null; 67 | } 68 | 69 | @Override 70 | public void close() { 71 | // Nothing to close 72 | } 73 | 74 | private void importRealm(KeycloakSession session, BetterRealmRepresentation realm, Strategy strategy) { 75 | ImportExportUtils.importRealm(session, null, realm, strategy, false); 76 | } 77 | 78 | private BetterRealmRepresentation getMasterRealm() throws IOException { 79 | checkRealmReps(); 80 | return realmReps.stream().filter(r -> Config.getAdminRealm().equals(r.getRealm())).findFirst().orElse(null); 81 | } 82 | 83 | private void checkRealmReps() throws IOException { 84 | if (realmReps == null) { 85 | try (InputStream is = new FileInputStream(file)) { 86 | realmReps = getObjectsFromStream(new ObjectMapper(), is, BetterRealmRepresentation.class); 87 | } 88 | } 89 | } 90 | 91 | private static List getObjectsFromStream(ObjectMapper mapper, InputStream is, Class clazz) throws IOException { 92 | List result = new ArrayList<>(); 93 | JsonFactory factory = mapper.getFactory(); 94 | try (JsonParser parser = factory.createParser(is)) { 95 | parser.nextToken(); 96 | 97 | if (parser.getCurrentToken() == JsonToken.START_ARRAY) { 98 | // Case with more realms in stream 99 | parser.nextToken(); 100 | 101 | while (parser.getCurrentToken() == JsonToken.START_OBJECT) { 102 | T realmRep = parser.readValueAs(clazz); 103 | parser.nextToken(); 104 | result.add(realmRep); 105 | } 106 | } else if (parser.getCurrentToken() == JsonToken.START_OBJECT) { 107 | // Case with single realm in stream 108 | T realmRep = parser.readValueAs(clazz); 109 | result.add(realmRep); 110 | } 111 | } 112 | 113 | return result; 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/SingleFileImportProviderFactory.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export; 2 | 3 | import org.keycloak.Config.Scope; 4 | import org.keycloak.exportimport.ExportImportConfig; 5 | import org.keycloak.exportimport.ImportProvider; 6 | import org.keycloak.exportimport.ImportProviderFactory; 7 | import org.keycloak.models.KeycloakSession; 8 | import org.keycloak.models.KeycloakSessionFactory; 9 | 10 | import java.io.File; 11 | 12 | public class SingleFileImportProviderFactory implements ImportProviderFactory { 13 | private static final String ID = "ctSingleFile"; 14 | 15 | @Override 16 | public String getId() { 17 | return ID; 18 | } 19 | 20 | @Override 21 | public ImportProvider create(KeycloakSession session) { 22 | String fileName = ExportImportConfig.getFile(); 23 | if (fileName == null) { 24 | throw new IllegalArgumentException("Property " + ExportImportConfig.FILE + " needs to be provided!"); 25 | } 26 | return new SingleFileImportProvider(new File(fileName)); 27 | } 28 | 29 | @Override 30 | public void init(Scope config) { 31 | // Nothing to init 32 | } 33 | 34 | @Override 35 | public void postInit(KeycloakSessionFactory factory) { 36 | // Nothing to do 37 | } 38 | 39 | @Override 40 | public void close() { 41 | // Nothing to close 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/dto/BetterCredentialRepresentation.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export.dto; 2 | 3 | import org.keycloak.representations.idm.CredentialRepresentation; 4 | 5 | public class BetterCredentialRepresentation extends CredentialRepresentation { 6 | } 7 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/dto/BetterRealmRepresentation.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export.dto; 2 | 3 | import com.fasterxml.jackson.databind.annotation.JsonDeserialize; 4 | import io.cloudtrust.keycloak.json.BetterUserDeserializer; 5 | import org.keycloak.representations.idm.RealmRepresentation; 6 | import org.keycloak.representations.idm.UserRepresentation; 7 | 8 | import java.util.List; 9 | 10 | public class BetterRealmRepresentation extends RealmRepresentation { 11 | @Override 12 | @JsonDeserialize(using = BetterUserDeserializer.class) 13 | public void setUsers(List users) { 14 | this.users = users; 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/export/dto/BetterUserRepresentation.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.export.dto; 2 | 3 | import com.fasterxml.jackson.databind.annotation.JsonDeserialize; 4 | import io.cloudtrust.keycloak.json.BetterCredentialDeserializer; 5 | import org.keycloak.representations.idm.CredentialRepresentation; 6 | import org.keycloak.representations.idm.UserRepresentation; 7 | 8 | import java.util.List; 9 | 10 | public class BetterUserRepresentation extends UserRepresentation { 11 | @Override 12 | @JsonDeserialize(using = BetterCredentialDeserializer.class) 13 | public void setCredentials(List credentials) { 14 | super.setCredentials(credentials); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/json/BetterCredentialDeserializer.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.json; 2 | 3 | import com.fasterxml.jackson.core.JsonParser; 4 | import com.fasterxml.jackson.databind.DeserializationContext; 5 | import com.fasterxml.jackson.databind.JsonDeserializer; 6 | import com.fasterxml.jackson.databind.JsonNode; 7 | import com.fasterxml.jackson.databind.ObjectMapper; 8 | import io.cloudtrust.keycloak.export.dto.BetterCredentialRepresentation; 9 | import org.keycloak.representations.idm.CredentialRepresentation; 10 | 11 | import java.io.IOException; 12 | import java.util.ArrayList; 13 | import java.util.Iterator; 14 | import java.util.List; 15 | 16 | public class BetterCredentialDeserializer extends JsonDeserializer> { 17 | @Override 18 | public List deserialize(JsonParser jsonParser, DeserializationContext context) throws IOException { 19 | ObjectMapper objMapper = new ObjectMapper(); 20 | List res = new ArrayList<>(); 21 | JsonNode jsonNode = jsonParser.readValueAsTree(); 22 | Iterator itr = jsonNode.elements(); 23 | while (itr.hasNext()) { 24 | JsonNode credNode = itr.next(); 25 | res.add(credNode.traverse(objMapper).readValueAs(BetterCredentialRepresentation.class)); 26 | } 27 | return res; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /keycloak-export/src/main/java/io/cloudtrust/keycloak/json/BetterUserDeserializer.java: -------------------------------------------------------------------------------- 1 | package io.cloudtrust.keycloak.json; 2 | 3 | import com.fasterxml.jackson.core.JsonParser; 4 | import com.fasterxml.jackson.databind.DeserializationContext; 5 | import com.fasterxml.jackson.databind.JsonDeserializer; 6 | import com.fasterxml.jackson.databind.JsonNode; 7 | import com.fasterxml.jackson.databind.ObjectMapper; 8 | import io.cloudtrust.keycloak.export.dto.BetterUserRepresentation; 9 | import org.keycloak.representations.idm.UserRepresentation; 10 | 11 | import java.io.IOException; 12 | import java.util.ArrayList; 13 | import java.util.Iterator; 14 | import java.util.List; 15 | 16 | public class BetterUserDeserializer extends JsonDeserializer> { 17 | @Override 18 | public List deserialize(JsonParser jsonParser, DeserializationContext context) throws IOException { 19 | ObjectMapper objMapper = new ObjectMapper(); 20 | List res = new ArrayList<>(); 21 | JsonNode jsonNode = jsonParser.readValueAsTree(); 22 | Iterator itr = jsonNode.elements(); 23 | while (itr.hasNext()) { 24 | JsonNode credNode = itr.next(); 25 | res.add(credNode.traverse(objMapper).readValueAs(BetterUserRepresentation.class)); 26 | } 27 | return res; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /keycloak-export/src/main/resources/META-INF/keycloak-themes.json: -------------------------------------------------------------------------------- 1 | { 2 | "themes": [ 3 | { 4 | "name" : "ctexport", 5 | "types": [ "admin" ] 6 | } 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /keycloak-export/src/main/resources/META-INF/services/org.keycloak.exportimport.ImportProviderFactory: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2016 Red Hat, Inc. and/or its affiliates 3 | # and other contributors as indicated by the @author tags. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | io.cloudtrust.keycloak.export.SingleFileImportProviderFactory -------------------------------------------------------------------------------- /keycloak-export/src/main/resources/META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2016 Red Hat, Inc. and/or its affiliates 3 | # and other contributors as indicated by the @author tags. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | io.cloudtrust.keycloak.export.ExportResourceProviderFactory -------------------------------------------------------------------------------- /keycloak-export/src/main/resources/theme/ctexport/admin/resources/css/styles.css: -------------------------------------------------------------------------------- 1 | html,body { 2 | height: 100%; 3 | } 4 | 5 | form { 6 | margin-top: 20px; 7 | } 8 | 9 | table { 10 | margin-top: 20px; 11 | } 12 | 13 | .required { 14 | color: #f00; 15 | } 16 | 17 | .tooltip-inner { 18 | min-width: 200px; 19 | } 20 | 21 | .margin-top { 22 | margin-top: 20px; 23 | } 24 | 25 | .no-margin-top { 26 | margin-top: 0px !important; 27 | } 28 | 29 | table { 30 | max-width: 100%; 31 | } 32 | 33 | td.clip { 34 | overflow: hidden; 35 | text-overflow: ellipsis; 36 | white-space: nowrap; 37 | max-width: 0; 38 | } 39 | 40 | th.w-10 { 41 | width: 10%; 42 | } 43 | 44 | th.w-15 { 45 | width: 15%; 46 | } 47 | 48 | th.w-20 { 49 | width: 20%; 50 | } 51 | 52 | 53 | th.w-25 { 54 | width: 25%; 55 | } 56 | 57 | th.w-30 { 58 | width: 30%; 59 | } 60 | 61 | 62 | th.w-35 { 63 | width: 35%; 64 | } 65 | 66 | th.w-40 { 67 | width: 40%; 68 | } 69 | 70 | /*********** Loading ***********/ 71 | 72 | .loading { 73 | background-color: #f5f5f5; 74 | border: 1px solid #eee; 75 | position: absolute; 76 | bottom: 0px; 77 | left: 0px; 78 | padding: 2px 200px 2px 5px; 79 | } 80 | 81 | /*********** Feedback ***********/ 82 | 83 | .feedback-aligner { 84 | position: fixed; 85 | top: 15px; 86 | text-align: center; 87 | width: 100%; 88 | height: 0; 89 | z-index: 100; 90 | } 91 | .feedback-aligner .alert { 92 | border-radius: 2px; 93 | border-width: 1px; 94 | display: inline-block; 95 | position: relative; 96 | } 97 | 98 | /*********** On-Off Switch ***********/ 99 | 100 | .onoffswitch { 101 | -moz-user-select: none; 102 | height: 26px; 103 | position: relative; 104 | width: 62px; 105 | } 106 | .onoffswitch .onoffswitch-checkbox { 107 | display: none; 108 | } 109 | .onoffswitch .onoffswitch-label { 110 | border: 1px solid #bbb; 111 | border-radius: 2px; 112 | cursor: pointer; 113 | display: block; 114 | overflow: hidden; 115 | width: 62px; 116 | } 117 | .onoffswitch .onoffswitch-inner { 118 | display: block; 119 | margin-left: -100%; 120 | transition: margin 0.3s ease-in 0s; 121 | width: 200%; 122 | } 123 | .onoffswitch .onoffswitch-inner > span { 124 | -moz-box-sizing: border-box; 125 | color: white; 126 | float: left; 127 | font-size: 11px; 128 | font-family: "Open Sans", sans-serif; 129 | font-weight: bold; 130 | height: 24px; 131 | line-height: 24px; 132 | padding: 0; 133 | width: 50%; 134 | } 135 | .onoffswitch .onoffswitch-switch { 136 | background-image: linear-gradient(top, #fafafa 0%, #ededed 100%); 137 | background-image: -o-linear-gradient(top, #fafafa 0%, #ededed 100%); 138 | background-image: -moz-linear-gradient(top, #fafafa 0%, #ededed 100%); 139 | background-image: -webkit-linear-gradient(top, #fafafa 0%, #ededed 100%); 140 | background-image: -ms-linear-gradient(top, #fafafa 0%, #ededed 100%); 141 | background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0, #fafafa), color-stop(1, 0, #ededed)); 142 | border: 1px solid #aaa; 143 | border-radius: 2px; 144 | bottom: 0; 145 | margin: 0; 146 | position: absolute; 147 | right: 39px; 148 | top: 0; 149 | transition: all 0.3s ease-in 0s; 150 | -webkit-transition: all 0.3s ease-in 0s; 151 | width: 23px; 152 | } 153 | .onoffswitch .onoffswitch-inner .onoffswitch-active { 154 | background-image: linear-gradient(top, #00a9ec 0%, #009bd3 100%); 155 | background-image: -o-linear-gradient(top, #00a9ec 0%, #009bd3 100%); 156 | background-image: -moz-linear-gradient(top, #00a9ec 0%, #009bd3 100%); 157 | background-image: -webkit-linear-gradient(top, #00a9ec 0%, #009bd3 100%); 158 | background-image: -ms-linear-gradient(top, #00a9ec 0%, #009bd3 100%); 159 | background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0, #00a9ec), color-stop(1, 0, #009bd3)); 160 | color: #FFFFFF; 161 | padding-left: 10px; 162 | } 163 | .onoffswitch-checkbox:disabled + .onoffswitch-label .onoffswitch-inner .onoffswitch-active, 164 | .onoffswitch-checkbox:disabled + .onoffswitch-label .onoffswitch-inner .onoffswitch-inactive { 165 | background-image: none; 166 | background-color: #e5e5e5; 167 | color: #9d9fa1; 168 | } 169 | .onoffswitch .onoffswitch-inner .onoffswitch-inactive { 170 | background: linear-gradient(#fefefe, #e8e8e8) repeat scroll 0 0 transparent; 171 | color: #4d5258; 172 | padding-right: 10px; 173 | text-align: right; 174 | } 175 | .onoffswitch .onoffswitch-checkbox:checked + .onoffswitch-label .onoffswitch-inner { 176 | margin-left: 0; 177 | } 178 | .onoffswitch .onoffswitch-checkbox:checked + .onoffswitch-label .onoffswitch-switch { 179 | right: 0; 180 | } 181 | 182 | 183 | /*********** Select 2 ***********/ 184 | 185 | .select2-container { 186 | width: 100%; 187 | } 188 | 189 | .select2-container-multi .select2-choices .select2-search-field { 190 | height: 26px; 191 | } 192 | 193 | .select2-container-single { 194 | padding: 0; 195 | margin: 0; 196 | } 197 | 198 | .select2-container-single .form-group { 199 | width: 100%; 200 | margin: 0; 201 | } 202 | 203 | .select2-container-single .form-group .input-group { 204 | width: 100%; 205 | } 206 | 207 | /*********** html select ********/ 208 | .overflow-select { 209 | overflow: auto; 210 | } 211 | 212 | 213 | /*********** New Menu ***********/ 214 | 215 | 216 | .sidebar-pf-left{ 217 | background: #292e34; 218 | } 219 | 220 | .sidebar-pf .nav-pills > li a i, .sidebar-pf .nav-pills > li a span{ 221 | color: #72767b; 222 | display: inline-block; 223 | margin-right: 10px; 224 | } 225 | .sidebar-pf .nav-pills > li > a{ 226 | color: #dbdada; 227 | padding: 0px 20px 0 30px!important; 228 | line-height: 30px; 229 | border-left-width: 12px; 230 | border-left-style: solid; 231 | border-left-color: #292e34; 232 | margin-left: -6px; 233 | } 234 | 235 | .sidebar-pf .nav-pills > li > a:hover{ 236 | background: #393f44; 237 | border-color:#292e34; 238 | border-left-color: #393f44; 239 | color: #fff; 240 | } 241 | 242 | .sidebar-pf .nav-pills > li > a:after{ 243 | display: none!important; 244 | } 245 | 246 | 247 | .sidebar-pf .nav-pills > li.active > a { 248 | color: #fff; 249 | background: #393f44!important; 250 | border-bottom: 1px solid #000!important; 251 | border-top: 1px solid #000!important; 252 | border-left-color: #39a5dc!important; 253 | } 254 | 255 | .sidebar-pf .nav-pills > li.active a i, .sidebar-pf .nav-pills > li.active a span{ 256 | color: #39a5dc; 257 | } 258 | 259 | /*********** Realm selector ***********/ 260 | 261 | .realm-selector{ 262 | color: #fff; 263 | margin: 0 -20px; 264 | position: relative; 265 | } 266 | 267 | .realm-dropmenu{ 268 | display: none; 269 | cursor: pointer; 270 | position: absolute; 271 | top: 60px; 272 | left: 0; 273 | right: 0; 274 | z-index: 999; 275 | background: #fff; 276 | } 277 | 278 | .realm-selector:hover .realm-dropmenu{ 279 | display: block; 280 | } 281 | 282 | .realm-add{ 283 | padding: 10px; 284 | } 285 | 286 | .realm-selector h2{ 287 | font-size: 16px; 288 | line-height: 60px; 289 | padding: 0 20px; 290 | margin: 0; 291 | border-bottom: 1px solid #d5d5d6; 292 | } 293 | 294 | .realm-selector h2 i{ 295 | display: inline-block; 296 | float: right; 297 | line-height: 60px; 298 | } 299 | 300 | 301 | .realm-selector ul{ 302 | padding-left: 0; 303 | margin: 0; 304 | list-style: none; 305 | max-height: 200px; 306 | overflow-y:auto; 307 | } 308 | 309 | 310 | .realm-selector ul li a{ 311 | line-height: 60px; 312 | padding: 0 20px; 313 | border-bottom: 1px solid #d5d5d6; 314 | line-height: 39px; 315 | display: block; 316 | font-size: 14px; 317 | } 318 | 319 | 320 | /*********** Overwrites header defaults ***********/ 321 | 322 | .navbar-pf{ 323 | border-top: none!important; 324 | } 325 | 326 | .navbar-pf .navbar-brand { 327 | padding: 0; 328 | height: 56px; 329 | line-height: 56px; 330 | background-position: center center; 331 | background-image: url('../img/keyclok-logo.png'); 332 | background-size: 148px 30px; 333 | background-repeat: no-repeat; 334 | width: 148px; 335 | } 336 | 337 | .navbar-pf .navbar-utility .dropdown-toggle { 338 | padding: 23px !important; 339 | } 340 | 341 | .clickable { 342 | cursor: pointer; 343 | } 344 | 345 | h1 i { 346 | color: #999999; 347 | font-size: 18px; 348 | margin-left: 10px; 349 | } 350 | 351 | /* Action cell */ 352 | .kc-action-cell { 353 | background-color: #eeeeee; 354 | background-image: linear-gradient(to bottom, #fafafa 0%, #ededed 100%); 355 | background-repeat: repeat-x; 356 | 357 | text-align: center; 358 | vertical-align: middle; 359 | 360 | overflow: hidden; 361 | text-overflow: ellipsis; 362 | white-space: nowrap; 363 | 364 | cursor:pointer; 365 | } 366 | 367 | .kc-action-cell:hover { 368 | background-color: #eeeeee; 369 | background-image: none; 370 | } 371 | 372 | .kc-action-cell-disabled { 373 | background-color: #fafafa; 374 | color: #8b8d8f; 375 | background-image: none; 376 | cursor: not-allowed; 377 | } 378 | 379 | .kc-sorter span { 380 | margin-left: 10px; 381 | } 382 | 383 | 384 | /* Time selector */ 385 | 386 | .time-selector input { 387 | display: inline-block; 388 | width: 120px; 389 | padding-right: 0; 390 | margin-right: 0; 391 | } 392 | 393 | .time-selector select { 394 | display: inline-block; 395 | width: 80px; 396 | margin-left: 0; 397 | padding-left: 0; 398 | } 399 | 400 | .ace_editor { 401 | height: 600px; 402 | width: 100%; 403 | } 404 | 405 | .kc-button-input-file input { 406 | float: left; 407 | width: 73%; 408 | } 409 | 410 | .kc-button-input-file label { 411 | float: left; 412 | margin-left: 2%; 413 | width: 25%; 414 | } 415 | 416 | table.kc-authz-table-expanded { 417 | margin-top: 0px !important; 418 | } 419 | 420 | .no-gutter > [class*='col-'] { 421 | padding-right:0!important; 422 | padding-left:0!important; 423 | } 424 | 425 | .password-conceal { 426 | font-family: 'text-security-disc'; 427 | font-size: 14px; 428 | } 429 | 430 | .input-map input.form-control { 431 | width: 50%; 432 | } 433 | 434 | /* Deactivation styles for user-group membership tree models */ 435 | 436 | div[tree-model] li .deactivate { 437 | color: #4a5053; 438 | opacity: 0.4; 439 | } 440 | 441 | div[tree-model] li .deactivate_selected { 442 | background-color: #dcdcdc; 443 | font-weight: bold; 444 | padding: 1px 5px; 445 | } 446 | 447 | /* search highlighting */ 448 | 449 | div[tree-model] li .highlight { 450 | background-color: #aaddff; 451 | } 452 | 453 | /* Manage credentials */ 454 | table.credentials-table { 455 | margin-top: 0; 456 | margin-bottom: 20px; 457 | } 458 | 459 | table.credentials-table td { 460 | vertical-align: middle !important; 461 | } 462 | 463 | table.credentials-table input[type='text'] { 464 | width: 100%; 465 | } 466 | 467 | td.credential-arrows-cell { 468 | width: 75px; 469 | } 470 | 471 | td.credential-label-cell { 472 | padding: 5px !important; 473 | } 474 | 475 | td.credential-action-cell { 476 | padding: 0px !important; 477 | } 478 | 479 | td.credential-action-cell div.kc-action-cell { 480 | width: 100%; 481 | height: 36px; 482 | line-height: 34px; 483 | } 484 | 485 | td.credential-action-cell.expanded div.kc-action-cell { 486 | border-bottom: 1px solid #d1d1d1; 487 | } 488 | 489 | table.credential-data-table td { 490 | word-break: break-all; 491 | } 492 | 493 | table.credential-data-table tr:first-child td { 494 | border-top: 0; 495 | } 496 | 497 | table.credential-data-table td:first-child { 498 | width: 150px; 499 | } 500 | 501 | table.credential-data-table td.key { 502 | text-align: right; 503 | font-weight: bold; 504 | } 505 | 506 | .modal-sensitive { 507 | color: red; 508 | font-size: 2em; 509 | } 510 | 511 | .sensitive-delete { 512 | text-align: center; 513 | } 514 | 515 | .sensitive-delete input { 516 | width: 90%; 517 | font-size: 2em; 518 | color: red; 519 | } 520 | -------------------------------------------------------------------------------- /keycloak-export/src/main/resources/theme/ctexport/admin/resources/templates/kc-modal.html: -------------------------------------------------------------------------------- 1 |
2 | 5 |

{{title}}

6 |
7 |
8 | {{message}} 9 | 10 |
You are currently on {{currentHostname}}. 11 |
Confirm the name of the realm to delete: 12 | 13 |
14 |
15 | 16 |
17 |
18 | 19 | 20 |
21 | -------------------------------------------------------------------------------- /keycloak-export/src/main/resources/theme/ctexport/admin/theme.properties: -------------------------------------------------------------------------------- 1 | parent=keycloak 2 | import=common/keycloak -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4.0.0 4 | 5 | 6 | io.cloudtrust 7 | kc-cloudtrust-module 8 | 18.0.0 9 | 10 | 11 | keycloak-export-parent 12 | 18.1.2-SNAPSHOT 13 | Parent for export module 14 | pom 15 | 16 | 17 | scm:git:ssh://git@github.com/cloudtrust/keycloak-export 18 | scm:git:ssh://git@github.com/cloudtrust/keycloak-export 19 | https://github.com/cloudtrust/keycloak-export 20 | HEAD 21 | 22 | 23 | 24 | keycloak-export 25 | keycloak-export-tests 26 | 27 | 28 | 29 | 1.10.0 30 | 4.2 31 | 32 | 1.8 33 | 1.8 34 | 35 | 36 | 37 | 38 | project-release 39 | https://artifactory.svc.elca.ch/artifactory/prj_cloudtrust_release 40 | 41 | 42 | project-snapshot 43 | https://artifactory.svc.elca.ch/artifactory/prj_cloudtrust_snapshot 44 | 45 | 46 | 47 | 48 | project-release 49 | https://artifactory.svc.elca.ch/artifactory/prj_cloudtrust_release 50 | 51 | true 52 | 53 | 54 | false 55 | 56 | 57 | 58 | project-snapshot 59 | https://artifactory.svc.elca.ch/artifactory/prj_cloudtrust_snapshot 60 | 61 | false 62 | 63 | 64 | true 65 | 66 | 67 | 68 | 69 | --------------------------------------------------------------------------------