├── README.md
├── config
│   └── oauth2-proxy.cfg
├── docker-compose.yaml
├── k8s
│   ├── 0-common.yaml
│   ├── 1-redis.yaml
│   ├── external-resource.yaml
│   ├── ingress-auth.yaml
│   └── sidecar.yaml
├── keycloak
│   ├── dev-realm.json
│   ├── dev-users-0.json
│   ├── master-realm.json
│   └── master-users-0.json
└── nginx
    └── nginx.conf

/README.md:
--------------------------------------------------------------------------------
# NGINX with OAuth2 Proxy and Keycloak demo

NGINX -> OAuth2 Proxy -> HTTPBin

## Quick Start

```sh
# Start (Keycloak will bootstrap with `dev` realm and users)
# NGINX and OAuth2 Proxy will exit as dependent containers are not ready (https://docs.docker.com/compose/startup-order/)
docker-compose up -d
# Wait until Keycloak completes initialization, and start the stopped containers
docker-compose up -d

# Cleanup
docker-compose rm
docker volume prune
```

Initiate browser login at http://nginx.127.0.0.1.nip.io:9000/get with user=`user`, password=`password`.

Authenticated requests will be proxied to the NodeJS server with the HTTP headers echoed back to the browser:

```sh
'x-user': '4a76657b-35f0-43d0-9653-9b0f60ebd4b9'
'x-email': 'user@example.org'
```

[Sign-out URL](http://nginx.127.0.0.1.nip.io:9000/oauth2/sign_out?rd=http://keycloak.127.0.0.1.nip.io:8080/auth/realms/dev/protocol/openid-connect/logout?redirect_uri=http://nginx.127.0.0.1.nip.io:9000): Signing out clears the OAuth2 Proxy cookie, then redirects to the Keycloak logout endpoint to clear the Keycloak session, before a final redirect to http://nginx.127.0.0.1.nip.io:9000.

Access Keycloak at [http://keycloak.127.0.0.1.nip.io:8080](http://keycloak.127.0.0.1.nip.io:8080) with user=`admin`, password=`password` to check out the settings.

## Refreshing Cookie

Setting `cookie-refresh` (`cookie_refresh` in the config file) makes the proxy refresh the Access Token once the specified duration has elapsed since the cookie was set; on each refresh the token is re-validated with Keycloak. A short duration (e.g. 5m, which is the default expiry for Access Tokens issued by Keycloak) therefore allows sessions to be revoked quickly.

> For OAuth2 Proxy configuration, `cookie-refresh` does not work for the `keycloak` provider but works for the `oidc` provider.

## Hostname / Domain

The issuer of the access token is the hostname / domain used during browser login. The subsequent `POST` by OAuth2 Proxy to the token validation endpoint (the `validate_url` value, if configured) fails with `{"error":"invalid_token","error_description":"Token verification failed"}` if the hostname is different.

For the OAuth2 Proxy container to reach Keycloak using the same hostname / FQDN, an alias for the Keycloak container is configured in `docker-compose.yaml`.

```yml
aliases:
  - keycloak.127.0.0.1.nip.io
```

## Keycloak Export

```sh
docker run --rm \
  --name keycloak_exporter \
  --network local \
  -v /tmp:/tmp/realm-config:Z \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=password \
  -e DB_ADDR=mariadb \
  -e DB_USER=keycloak \
  -e DB_PASSWORD=password \
  -e DB_VENDOR=mariadb \
  jboss/keycloak:11.0.1 \
  -Dkeycloak.migration.action=export \
  -Dkeycloak.migration.provider=dir \
  -Dkeycloak.migration.dir=/tmp/realm-config \
  -Dkeycloak.migration.usersExportStrategy=SAME_FILE
```

## Kubernetes Deployment

A public FQDN of a Keycloak instance accessible from both pods and the browser is required. The Keycloak instance in `docker-compose.yaml` can be re-used as described below.
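The reason one FQDN must be used everywhere is the issuer check described under "Hostname / Domain": Keycloak writes the URL the browser logged in through into the token's `iss` claim, and OAuth2 Proxy only accepts tokens whose `iss` equals its configured `oidc_issuer_url`. The following Python script is an added example and not part of the demo repository; it reproduces that check on constructed tokens. The tokens are signed with a throwaway HS256 key (`DEMO_KEY`, constructed) purely so the example runs offline; real Keycloak tokens are RS256-signed and verified against the realm's JWKS, and only the claim checks are the point here. `CONFIGURED_ISSUER` and `CLIENT_ID` are the values from `config/oauth2-proxy.cfg`.

```python
"""Issuer / audience / expiry checks mirroring why OAuth2 Proxy rejects a token
minted for a different hostname. Added example, not the demo's own code."""
import base64
import hashlib
import hmac
import json

# Values taken from the demo's config/oauth2-proxy.cfg
CONFIGURED_ISSUER = "http://keycloak.127.0.0.1.nip.io:8080/auth/realms/dev"
CLIENT_ID = "server"
# Constructed key; a real deployment verifies against the issuer's JWKS instead.
DEMO_KEY = b"throwaway-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS over the given claims; test fixture only."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, issuer: str, client_id: str, now: int) -> dict:
    """Return the claims if the token is acceptable; raise ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # This is the check that fails when the browser logged in via a different hostname.
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: token iss={claims.get('iss')!r}, configured {issuer!r}")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("aud does not include client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def check_outcome(token: str, now: int) -> str:
    """'ok' when the token passes, otherwise the reason it was rejected."""
    try:
        verify_token(token, DEMO_KEY, CONFIGURED_ISSUER, CLIENT_ID, now)
        return "ok"
    except ValueError as err:
        return str(err)


def run_demo() -> dict:
    """Verify three constructed tokens: same host, different host, expired."""
    now = 1_700_000_000
    base = {"sub": "4a76657b-35f0-43d0-9653-9b0f60ebd4b9", "email": "user@example.org",
            "aud": ["server", "account"], "iat": now,
            "exp": now + 300}  # 300 s matches accessTokenLifespan in dev-realm.json
    tokens = {
        "same_host": mint_token({**base, "iss": CONFIGURED_ISSUER}, DEMO_KEY),
        # Login went through http://localhost:8080 instead of the nip.io alias
        "other_host": mint_token({**base, "iss": "http://localhost:8080/auth/realms/dev"}, DEMO_KEY),
        "expired": mint_token({**base, "iss": CONFIGURED_ISSUER, "exp": now - 1}, DEMO_KEY),
    }
    return {name: check_outcome(tok, now) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:10s} {outcome}")
```

The `other_host` token is correctly signed and unexpired; it is rejected solely because its `iss` names a different hostname, which is the same outcome the proxy reports as `Token verification failed` when the compose alias is missing.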
The Keycloak instance can be exposed using `ngrok`.

> Update `OAUTH2_PROXY_OIDC_ISSUER_URL` to the public FQDN of Keycloak in the deployment files.

```sh
# Run Keycloak and MariaDB service
docker-compose up -d keycloak mariadb

# Keycloak can be referenced using `hostAlias` in local development or exposed over internet using `ngrok`:
ngrok http 8080
```

Create the following common resources.

```sh
kubectl apply -f k8s/0-common.yaml
# Comment line in `oauth2-proxy-redis-config` if Redis storage is not to be used
kubectl apply -f k8s/1-redis.yaml
```

### Sidecar Deployment

The following deployment runs OAuth2-Proxy as a sidecar to protect resources within the same pod.

```sh
kubectl apply -f k8s/sidecar.yaml

# Access using Ingress: http://sidecar.127.0.0.1.nip.io/get?show_env=1
# Or: http://localhost:8000/get?show_env=1 via port-forwarding below
kubectl port-forward server-667478cf46-w4fm7 8000:4180
```

### Auth Reverse Proxy to Protect External Resource Outside Cluster

The following deployment runs OAuth2-Proxy as an Authentication Reverse Proxy to a resource outside the cluster.

```sh
# Update public IP of httpbin.org in following file if using headless service
# Visit http://proxy.127.0.0.1.nip.io/get?show_env=1
kubectl apply -f k8s/external-resource.yaml
```

### NGINX Auth Service to Protect Ingress Resource

The following deployment runs OAuth2-Proxy as an Authentication Service used by the NGINX Ingress Controller.

```sh
# Visit http://httpbin.127.0.0.1.nip.io/get?show_env=1
kubectl apply -f k8s/ingress-auth.yaml
```

## Reference

[OAuth2 Proxy Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview)

[NGINX Ingress Controller Annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/)

## Troubleshooting

```sh
Error redeeming code during OAuth2 callback: email in id_token () isn't verified

Error creating session during OAuth2 callback: id_token did not contain an email and profileURL is not defined
```

Both errors mean the ID token's `email` claim was missing or not marked verified; the Kubernetes manifests in `k8s/` pass `--insecure-oidc-allow-unverified-email=true` so that this demo accepts unverified emails.
--------------------------------------------------------------------------------
/config/oauth2-proxy.cfg:
--------------------------------------------------------------------------------
## OAuth2 Proxy Config File
## https://github.com/oauth2-proxy/oauth2-proxy

## <addr>:<port> to listen on for HTTP/HTTPS clients
http_address="0.0.0.0:4180"
# https_address = ":443"

## Are we running behind a reverse proxy? Will not accept headers like X-Real-Ip unless this is set.
# reverse_proxy = true

## TLS Settings
# tls_cert_file = ""
# tls_key_file = ""

## the OAuth Redirect URL.
# defaults to the "https://" + requested host header + "/oauth2/callback"
redirect_url="http://nginx.127.0.0.1.nip.io:9000/oauth2/callback"

## For clients that have obtained Access Tokens, configure the following:
# redirect_url=""
# skip_jwt_bearer_tokens = true

## the http url(s) of the upstream endpoint.
## If multiple, routing is based on path
upstreams = [
  # static://200
  "http://server/"
]
## Logging configuration
#logging_filename = ""
#logging_max_size = 100
#logging_max_age = 7
#logging_local_time = true
#logging_compress = false
#standard_logging = true
#standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}"
#request_logging = true
#request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
#auth_logging = true
#auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"

## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
# pass_basic_auth = true
# pass_user_headers = true
## pass the request Host Header to upstream
## when disabled the upstream Host is used as the Host Header
# pass_host_header = true

## Email Domains to allow authentication for (this authorizes any email on this domain)
## for more granular authorization use `authenticated_emails_file`
## To authorize any email addresses use "*"
# email_domains = [
#   "yourcompany.com"
# ]
email_domains = "*"

## The OAuth Client ID, Secret
client_id = "server"
client_secret = "d1680bbb-24f3-4835-a0d9-2a7492a4cc99"

## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token"
pass_access_token = true

## Authenticated Email Addresses File (one email per line)
# authenticated_emails_file = ""

## Htpasswd File (optional)
## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption
## enabling exposes a username/login signin form
# htpasswd_file = ""

## bypass authentication for requests that match the method & path. Format: method=path_regex OR path_regex alone for all methods
# skip_auth_routes = [
#   "GET=^/probe",
#   "^/metrics"
# ]

## Templates
## optional directory with custom sign_in.html and error.html
# custom_templates_dir = ""

## skip SSL checking for HTTPS requests
# ssl_insecure_skip_verify = false


## Cookie Settings
## Name     - the cookie name
## Secret   - the seed string for secure cookies; should be 16, 24, or 32 bytes
##            for use with an AES cipher when cookie_refresh or pass_access_token
##            is set
## Domain   - (optional) cookie domain to force cookies to (ie: .yourcompany.com)
## Expire   - (duration) expire timeframe for cookie
## Refresh  - (duration) refresh the cookie when duration has elapsed after cookie was initially set.
##            Should be less than cookie_expire; set to 0 to disable.
##            On refresh, OAuth token is re-validated.
##            (ie: 1h means tokens are refreshed on request 1hr+ after it was set)
## Secure   - secure cookies are only sent by the browser of a HTTPS connection (recommended)
## HttpOnly - httponly cookies are not readable by javascript (recommended)
# cookie_name = "_oauth2_proxy"
# cookie_secret = ""
# cookie_domains = ""
# cookie_expire = "168h"
cookie_refresh = "5m"
cookie_secure = false
# cookie_httponly = true

whitelist_domains = [
  "keycloak.127.0.0.1.nip.io:*"
]

oidc_issuer_url = "http://keycloak.127.0.0.1.nip.io:8080/auth/realms/dev"
provider = "oidc"
provider_display_name = "Keycloak"

# for `keycloak-oidc` access_token is used, `aud` of access token need to include client_id
# provider = "keycloak-oidc"
# allowed_role= " / :"

# Disable 'login screen'
skip_provider_button = "true"

request_logging = true
# Optional: Set additional headers at http://nginx.127.0.0.1.nip.io:9000/oauth2/auth
set_authorization_header = true
set_xauthrequest = true
--------------------------------------------------------------------------------
/docker-compose.yaml:
--------------------------------------------------------------------------------
version: '3.5'

services:

  proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
    container_name: oauth2-proxy
    command: --config /oauth2-proxy.cfg
    ports:
      - 4180:4180
      - 443:443
    environment:
      - OAUTH2_PROXY_COOKIE_SECRET=MTExMTExMTExMTExMTExMQ==
    networks:
      - proxy-network
    volumes:
      - ./config/oauth2-proxy.cfg:/oauth2-proxy.cfg
    depends_on:
      - keycloak

  keycloak:
    image: jboss/keycloak:16.1.0
    environment:
      - DB_ADDR=mariadb
      - DB_USER=keycloak
      - DB_PASSWORD=password
    container_name: kc
    volumes:
      - ./keycloak:/tmp/realm-config
    command:
      [
        '-Dkeycloak.migration.action=import',
        '-Dkeycloak.migration.provider=dir',
        '-Dkeycloak.migration.dir=/tmp/realm-config',
        '-Dkeycloak.migration.strategy=IGNORE_EXISTING',
      ]
    networks:
      proxy-network:
        aliases:
          - keycloak.127.0.0.1.nip.io
    ports:
      - 8080:8080
    depends_on:
      - mariadb

  mariadb:
    image: mariadb:10.5.5
    environment:
      - MYSQL_DATABASE=keycloak
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD=password
    container_name: keycloak-db
    networks:
      - proxy-network
    volumes:
      - vol-mariadb:/var/lib/mysql

  server:
    image: kennethreitz/httpbin
    # environment:
    #   - "GUNICORN_CMD_ARGS=\"--capture-output --error-logfile - --access-logfile - --access-logformat \"%(h)s %(t)s %(r)s %(s)s Host: %({Host}i)s}\"\""
    ports:
      - 8000:80
    container_name: server
    networks:
      - proxy-network

  nginx:
    image: nginx:alpine
    ports:
      - 9000:80
    container_name: nginx
    volumes:
      - ./nginx:/etc/nginx/conf.d
    networks:
      - proxy-network
    depends_on:
      - server
      - proxy

networks:
  proxy-network:
    name: local

volumes:
  vol-mariadb:
--------------------------------------------------------------------------------
/k8s/0-common.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-common-config
data:
  # Override default _oauth2_proxy cookie name
  OAUTH2_PROXY_COOKIE_NAME: sso_sid
  OAUTH2_PROXY_CLIENT_ID: server
  # Provide public FQDN of IdP reachable by the proxy and public client
  OAUTH2_PROXY_OIDC_ISSUER_URL: https://5328-118-189-149-221.ngrok.io/auth/realms/dev
  # Set the cookie domain one level higher to support a dedicated auth domain name (see ingress-auth.yaml)
  OAUTH2_PROXY_COOKIE_DOMAINS: 127.0.0.1.nip.io
  # Duration between token refreshes (at most the validity of the tokens)
  OAUTH2_PROXY_COOKIE_REFRESH: 5m
  OAUTH2_PROXY_COOKIE_SECURE: "false"
  # Important for cross-domain redirects
  OAUTH2_PROXY_WHITELIST_DOMAINS: .127.0.0.1.nip.io:*
  # To allow clients that already obtained an access token to provide it in Authorization header
  # OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS: true
---
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy-common-secrets
type: Opaque
stringData:
  OAUTH2_PROXY_CLIENT_SECRET: d1680bbb-24f3-4835-a0d9-2a7492a4cc99
  OAUTH2_PROXY_COOKIE_SECRET: MTExMTExMTExMTExMTExMQ==
--------------------------------------------------------------------------------
/k8s/1-redis.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-redis-config
data:
  # Comment line below to use Cookie Storage instead of Redis
  OAUTH2_PROXY_SESSION_STORE_TYPE: redis
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: redis
spec:
  selector:
    matchLabels:
      app: redis-app
  serviceName: redis-svc
  replicas: 1
  template:
    metadata:
      labels:
        app: redis-app
    spec:
      containers:
        - name: redis-app
          image: redis:6.2.6-alpine
          ports:
            - containerPort: 6379
              name: redis
---
# Headless service for Redis
apiVersion: v1
kind: Service
metadata:
  name: redis-svc
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: redis
      port: 6379
      targetPort: redis
  selector:
    app: redis-app
    statefulset.kubernetes.io/pod-name: redis-0
--------------------------------------------------------------------------------
/k8s/external-resource.yaml:
--------------------------------------------------------------------------------
# create headless service for external resource
apiVersion: v1
kind: Service
metadata:
  name: httpbin-external-svc
spec:
  type: ExternalName
  externalName: httpbin.org
---
# # Alternatively create headless service for external resource
# apiVersion: v1
# kind: Service
# metadata:
#   name: httpbin-external-svc
# spec:
#   # Headless service
#   clusterIP: None
#   ports:
#     - port: 80
# ---
# apiVersion: v1
# kind: Endpoints
# metadata:
#   name: httpbin-external-svc
# subsets:
#   - addresses:
#       # httpbin.org public IP address
#       - ip: 54.221.78.73
#     ports:
#       - port: 80
---
# OAuth2-Proxy to proxy to external resource
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-proxy
spec:
  selector:
    matchLabels:
      app: httpbin-proxy
  template:
    metadata:
      labels:
        app: httpbin-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
          resources:
            limits:
              memory: "48Mi"
              cpu: "500m"
          envFrom:
            - configMapRef:
                name: oauth2-proxy-common-config
            - configMapRef:
                name: oauth2-proxy-redis-config
            - secretRef:
                name: oauth2-proxy-common-secrets
          env:
            - name: OAUTH2_PROXY_UPSTREAMS
              value: "http://httpbin-external-svc"
            - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
              value: "redis://redis-svc:6379/1"
          args:
            - "--email-domain=*"
            - "--skip-provider-button=true"
            - "--provider=oidc"
            - "--insecure-oidc-allow-unverified-email=true"
            - "--http-address=0.0.0.0:4180"
            # Pass ID token in 'Authorization' header to upstream
            - "--pass-authorization-header=true"
            # Pass Access Token as 'X-Auth-Request-Access-Token' to upstream
            - "--pass-access-token=true"
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin-proxy-svc
spec:
  selector:
    app: httpbin-proxy
  ports:
    - port: 4180
---
# Ingress to expose httpbin proxy
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin-proxy-ingress
  annotations:
    # Fix for 'upstream sent too big header while reading response header from upstream'
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
spec:
  rules:
    - host: proxy.127.0.0.1.nip.io
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: httpbin-proxy-svc
                port:
                  number: 4180
--------------------------------------------------------------------------------
/k8s/ingress-auth.yaml:
--------------------------------------------------------------------------------
# OAuth2-Proxy Authentication Service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
          resources:
            limits:
              memory: "48Mi"
              cpu: "500m"
          envFrom:
            - configMapRef:
                name: oauth2-proxy-common-config
            - configMapRef:
                name: oauth2-proxy-redis-config
            - secretRef:
                name: oauth2-proxy-common-secrets
          env:
            - name: OAUTH2_PROXY_UPSTREAMS
              value: "file:///dev/null"
            - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
              value: "redis://redis-svc:6379/2"
          args:
            - "--email-domain=*"
            - "--skip-provider-button=true"
            - "--provider=oidc"
            - "--insecure-oidc-allow-unverified-email=true"
            - "--http-address=0.0.0.0:4180"
            # Add ID token to 'Authorization' header in auth response for NGINX to pass to upstream
            - "--set-authorization-header=true"
            # Add 'X-Auth-Request-*' headers in auth response for NGINX to pass to upstream
            - "--set-xauthrequest=true"
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: auth-svc
spec:
  selector:
    app: oauth2-proxy
  ports:
    - port: 4180
---
# Ingress to OAuth2-Proxy for redirect and callback URLs
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Fix for 'upstream sent too big header while reading response header from upstream'
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
  name: oauth2-proxy
spec:
  rules:
    # Refer to nginx.ingress.kubernetes.io/(auth-url|auth-signin) annotations
    # Can use `httpbin.127.0.0.1.nip.io` as well for same domain name as upstream resource
    # If using dedicated domain (i.e. auth.127.0.0.1.nip.io) OAUTH2_PROXY_COOKIE_DOMAINS need to be set 1-level higher.
    - host: auth.127.0.0.1.nip.io
      http:
        paths:
          - pathType: Prefix
            path: /oauth2
            backend:
              service:
                name: auth-svc
                port:
                  number: 4180
  # tls:
  #   - hosts:
  #       - httpbin.127.0.0.1.nip.io
  #     secretName: __INGRESS_SECRET__

---
# Ingress Resource to be Protected
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # auth-url can be set to `http://$host/oauth2/auth` or the following (more efficient?)
    nginx.ingress.kubernetes.io/auth-url: "http://auth-svc.default.svc.cluster.local:4180/oauth2/auth"
    # auth-signin can be set to `http://$host/oauth2/start?rd=$escaped_request_uri` if sharing same domain as auth service
    nginx.ingress.kubernetes.io/auth-signin: "http://auth.127.0.0.1.nip.io/oauth2/start?rd=$pass_access_scheme://$http_host$escaped_request_uri"
    # Specify headers to pass to backend once authentication request completes.
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-preferred-username, authorization"
    # Fix for 'upstream sent too big header while reading response header from upstream'
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
  name: httpbin-ingress
spec:
  rules:
    - host: httpbin.127.0.0.1.nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: httpbin-svc
                port:
                  number: 80
---
# httpbin service
apiVersion: v1
kind: Service
metadata:
  name: httpbin-svc
spec:
  selector:
    app: httpbin
  ports:
    - port: 80
---
# httpbin deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
        - name: httpbin
          image: kennethreitz/httpbin
          resources:
            limits:
              memory: "48Mi"
              cpu: "200m"
          ports:
            - containerPort: 80
--------------------------------------------------------------------------------
/k8s/sidecar.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: server
spec:
  selector:
    matchLabels:
      app: server
  template:
    metadata:
      labels:
        app: server
    spec:
      # Use host aliases for local development
      # hostAliases:
      #   - ip: "172.20.80.1"
      #     hostnames:
      #       - "keycloak.127.0.0.1.nip.io"
      containers:
        - name: server
          image: kennethreitz/httpbin
          resources:
            limits:
              memory: "64Mi"
              cpu: "500m"
          ports:
            - containerPort: 80
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
          resources:
            limits:
              memory: "64Mi"
              cpu: "500m"
          envFrom:
            - configMapRef:
                name: oauth2-proxy-common-config
            - configMapRef:
                name: oauth2-proxy-redis-config
            - secretRef:
                name: oauth2-proxy-common-secrets
          env:
            - name: OAUTH2_PROXY_UPSTREAMS
              value: "http://localhost"
            - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
              value: "redis://redis-svc:6379/0"
          args:
            - "--email-domain=*"
            - "--skip-provider-button=true"
            - "--provider=oidc"
            - "--insecure-oidc-allow-unverified-email=true"
            - "--http-address=0.0.0.0:4180"
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: server-svc
spec:
  selector:
    app: server
  ports:
    - port: 4180
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sidecar-ingress
  annotations:
    # Fix for 'upstream sent too big header while reading response header from upstream'
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
spec:
  rules:
    - host: sidecar.127.0.0.1.nip.io
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: server-svc
                port:
                  number: 4180
--------------------------------------------------------------------------------
/keycloak/dev-realm.json:
--------------------------------------------------------------------------------
{
  "id" : "dev",
  "realm" : "dev",
  "notBefore" : 0,
  "revokeRefreshToken" : false,
  "refreshTokenMaxReuse" : 0,
  "accessTokenLifespan" : 300,
  "accessTokenLifespanForImplicitFlow" : 900,
  "ssoSessionIdleTimeout" : 1800,
  "ssoSessionMaxLifespan" : 36000,
  "ssoSessionIdleTimeoutRememberMe" : 0,
  "ssoSessionMaxLifespanRememberMe" : 0,
  "offlineSessionIdleTimeout" : 2592000,
  "offlineSessionMaxLifespanEnabled" : false,
  "offlineSessionMaxLifespan" : 5184000,
  "clientSessionIdleTimeout" : 0,
  "clientSessionMaxLifespan" : 0,
  "clientOfflineSessionIdleTimeout" : 0,
  "clientOfflineSessionMaxLifespan" : 0,
  "accessCodeLifespan" : 60,
  "accessCodeLifespanUserAction" : 300,
  "accessCodeLifespanLogin" : 1800,
  "actionTokenGeneratedByAdminLifespan" : 43200,
  "actionTokenGeneratedByUserLifespan" : 300,
  "enabled" : true,
  "sslRequired" : "none",
  "registrationAllowed" : false,
  "registrationEmailAsUsername" : false,
  "rememberMe" : false,
  "verifyEmail" : false,
  "loginWithEmailAllowed" : true,
  "duplicateEmailsAllowed" : false,
  "resetPasswordAllowed" : false,
  "editUsernameAllowed" : false,
  "bruteForceProtected" : false,
  "permanentLockout" : false,
  "maxFailureWaitSeconds" : 900,
  "minimumQuickLoginWaitSeconds" : 60,
  "waitIncrementSeconds" : 60,
  "quickLoginCheckMilliSeconds" : 1000,
  "maxDeltaTimeSeconds" : 43200,
  "failureFactor" : 30,
  "roles" : {
    "realm" : [ {
      "id" : "4e96fa82-e867-40b0-b2cf-99e04a0159f2",
      "name" : "uma_authorization",
      "description" : "${role_uma_authorization}",
      "composite" : false,
      "clientRole" : false,
      "containerId" : "dev",
      "attributes" : { }
    }, {
      "id" : "503639ee-87fc-42d2-bc2a-317138927d74",
      "name" : "offline_access",
      "description" : "${role_offline-access}",
      "composite" : false,
      "clientRole" : false,
      "containerId" : "dev",
      "attributes" : { }
    } ],
    "client" : {
      "server" : [ ],
      "realm-management" : [ {
        "id" : "8c4e763f-0d2e-40c5-be29-2f30e2540803",
        "name" : "query-users",
        "description" : "${role_query-users}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "72444487-8ecd-4bfa-be39-27e54362b0a1",
        "name" : "manage-users",
        "description" : "${role_manage-users}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "7e4e9003-c156-4d8e-9d7c-6352803efb3f",
        "name" : "manage-clients",
        "description" : "${role_manage-clients}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "4ba8c8d9-fb60-486d-801b-8e25a3e58823",
        "name" : "impersonation",
        "description" : "${role_impersonation}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "7f1c0b1e-f620-4c3d-bcfa-59c4c44eeafa",
        "name" : "view-users",
        "description" : "${role_view-users}",
        "composite" : true,
        "composites" : {
          "client" : {
            "realm-management" : [ "query-groups", "query-users" ]
          }
        },
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "39bb2d78-75ca-4d79-b838-2339d53cf8d1",
        "name" : "view-realm",
        "description" : "${role_view-realm}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "f2c7dc73-dda0-4c3f-a738-b5f742d5436a",
        "name" : "query-groups",
        "description" : "${role_query-groups}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "f5561f6c-638c-4823-ab25-d3e044be8991",
        "name" : "query-realms",
        "description" : "${role_query-realms}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "c021917f-5610-4f29-8302-65ca2be6715f",
        "name" : "manage-authorization",
        "description" : "${role_manage-authorization}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "4675e9f5-894a-487b-8c38-9f62ce2d28e9",
        "name" : "view-events",
        "description" : "${role_view-events}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "7ff94cb9-3c0d-43fe-9ae9-5f0940f843e6",
        "name" : "manage-identity-providers",
        "description" : "${role_manage-identity-providers}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "c0a7525e-b42e-4ad2-af36-fb2bdd6f3f4c",
        "name" : "view-clients",
        "description" : "${role_view-clients}",
        "composite" : true,
        "composites" : {
          "client" : {
            "realm-management" : [ "query-clients" ]
          }
        },
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "44a39c0a-165e-45b6-935d-13d467ed0203",
        "name" : "realm-admin",
        "description" : "${role_realm-admin}",
        "composite" : true,
        "composites" : {
          "client" : {
            "realm-management" : [ "query-users", "manage-users", "manage-clients", "impersonation", "view-users", "view-realm", "query-groups", "query-realms", "manage-authorization", "view-events", "manage-identity-providers", "view-clients", "view-authorization", "create-client", "view-identity-providers", "manage-events", "query-clients", "manage-realm" ]
          }
        },
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "5af35b5d-1300-4ece-a2d8-aaaba350bbac",
        "name" : "view-authorization",
        "description" : "${role_view-authorization}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "a62064d9-9a0c-49a3-847e-e3b22ca11dac",
        "name" : "create-client",
        "description" : "${role_create-client}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "f20cd701-466d-4b98-affb-69018bafe6d8",
        "name" : "view-identity-providers",
        "description" : "${role_view-identity-providers}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "c75b21c2-2f95-4648-ac0d-02ff9b63a7fb",
        "name" : "manage-events",
        "description" : "${role_manage-events}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "fe5c1bfb-9504-46d3-bcaa-5250cf76ea57",
        "name" : "query-clients",
        "description" : "${role_query-clients}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      }, {
        "id" : "10471b75-f72e-42a0-8b12-6148bc76fb99",
        "name" : "manage-realm",
        "description" : "${role_manage-realm}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "09d95a66-b98f-43de-8955-f952d725660e",
        "attributes" : { }
      } ],
      "security-admin-console" : [ ],
      "admin-cli" : [ ],
      "account-console" : [ ],
      "broker" : [ {
        "id" : "7c2f7c1e-b1d5-47a5-a96d-6952809c71e4",
        "name" : "read-token",
        "description" : "${role_read-token}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "997d61d4-667f-487c-ac45-bc9d87493b7b",
        "attributes" : { }
      } ],
      "account" : [ {
        "id" : "605f7cf4-920e-43e3-9a81-251f9ead9ec6",
        "name" : "view-applications",
        "description" : "${role_view-applications}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "ee8d66d6-f15d-4290-87e2-7f9b3e053033",
        "attributes" : { }
      }, {
        "id" : "de675104-0146-4575-aa0c-2aa9dd9bcfa2",
        "name" : "view-profile",
        "description" : "${role_view-profile}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "ee8d66d6-f15d-4290-87e2-7f9b3e053033",
        "attributes" : { }
      }, {
        "id" : "4ff6ef5b-3da5-43d5-9a98-16b7c525f760",
        "name" : "manage-account",
        "description" : "${role_manage-account}",
        "composite" : true,
        "composites" : {
          "client" : {
            "account" : [ "manage-account-links" ]
          }
        },
        "clientRole" : true,
        "containerId" : "ee8d66d6-f15d-4290-87e2-7f9b3e053033",
        "attributes" : { }
      }, {
        "id" : "e50fe4ad-2386-4f2a-92c6-4788cd16e150",
        "name" : "view-consent",
        "description" : "${role_view-consent}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "ee8d66d6-f15d-4290-87e2-7f9b3e053033",
        "attributes" : { }
      }, {
        "id" : "c3c3b5d5-9f15-4be0-b484-aa4f6cac21e5",
        "name" : "manage-consent",
        "description" : "${role_manage-consent}",
        "composite" : true,
        "composites" : {
          "client" : {
            "account" : [ "view-consent" ]
          }
        },
        "clientRole" : true,
        "containerId" : "ee8d66d6-f15d-4290-87e2-7f9b3e053033",
        "attributes" : { }
      }, {
        "id" : "009303b8-e9c8-4b34-a48c-835c2770214e",
        "name" : "manage-account-links",
        "description" : "${role_manage-account-links}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "ee8d66d6-f15d-4290-87e2-7f9b3e053033",
        "attributes" : { }
      } ]
    }
  },
  "groups" : [ {
| "id" : "1a21485b-906d-48ee-a9c4-7a0d703f697b", 306 | "name" : "admin", 307 | "path" : "/admin", 308 | "attributes" : { }, 309 | "realmRoles" : [ ], 310 | "clientRoles" : { }, 311 | "subGroups" : [ ] 312 | } ], 313 | "defaultRoles" : [ "uma_authorization", "offline_access" ], 314 | "requiredCredentials" : [ "password" ], 315 | "otpPolicyType" : "totp", 316 | "otpPolicyAlgorithm" : "HmacSHA1", 317 | "otpPolicyInitialCounter" : 0, 318 | "otpPolicyDigits" : 6, 319 | "otpPolicyLookAheadWindow" : 1, 320 | "otpPolicyPeriod" : 30, 321 | "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], 322 | "webAuthnPolicyRpEntityName" : "keycloak", 323 | "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], 324 | "webAuthnPolicyRpId" : "", 325 | "webAuthnPolicyAttestationConveyancePreference" : "not specified", 326 | "webAuthnPolicyAuthenticatorAttachment" : "not specified", 327 | "webAuthnPolicyRequireResidentKey" : "not specified", 328 | "webAuthnPolicyUserVerificationRequirement" : "not specified", 329 | "webAuthnPolicyCreateTimeout" : 0, 330 | "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, 331 | "webAuthnPolicyAcceptableAaguids" : [ ], 332 | "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", 333 | "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], 334 | "webAuthnPolicyPasswordlessRpId" : "", 335 | "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", 336 | "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", 337 | "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", 338 | "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", 339 | "webAuthnPolicyPasswordlessCreateTimeout" : 0, 340 | "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, 341 | "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], 342 | "scopeMappings" : [ { 343 | "clientScope" : "offline_access", 344 | "roles" : [ "offline_access" ] 345 | } ], 346 | "clientScopeMappings" : { 347 | 
"account" : [ { 348 | "client" : "account-console", 349 | "roles" : [ "manage-account" ] 350 | } ] 351 | }, 352 | "clients" : [ { 353 | "id" : "ee8d66d6-f15d-4290-87e2-7f9b3e053033", 354 | "clientId" : "account", 355 | "name" : "${client_account}", 356 | "rootUrl" : "${authBaseUrl}", 357 | "baseUrl" : "/realms/dev/account/", 358 | "surrogateAuthRequired" : false, 359 | "enabled" : true, 360 | "alwaysDisplayInConsole" : false, 361 | "clientAuthenticatorType" : "client-secret", 362 | "secret" : "a772fd4a-9200-4d9a-a475-37925014c552", 363 | "defaultRoles" : [ "manage-account", "view-profile" ], 364 | "redirectUris" : [ "/realms/dev/account/*" ], 365 | "webOrigins" : [ ], 366 | "notBefore" : 0, 367 | "bearerOnly" : false, 368 | "consentRequired" : false, 369 | "standardFlowEnabled" : true, 370 | "implicitFlowEnabled" : false, 371 | "directAccessGrantsEnabled" : false, 372 | "serviceAccountsEnabled" : false, 373 | "publicClient" : false, 374 | "frontchannelLogout" : false, 375 | "protocol" : "openid-connect", 376 | "attributes" : { }, 377 | "authenticationFlowBindingOverrides" : { }, 378 | "fullScopeAllowed" : false, 379 | "nodeReRegistrationTimeout" : 0, 380 | "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], 381 | "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] 382 | }, { 383 | "id" : "c9fb1b1b-2960-40c3-9a21-e06b31d4b42c", 384 | "clientId" : "account-console", 385 | "name" : "${client_account-console}", 386 | "rootUrl" : "${authBaseUrl}", 387 | "baseUrl" : "/realms/dev/account/", 388 | "surrogateAuthRequired" : false, 389 | "enabled" : true, 390 | "alwaysDisplayInConsole" : false, 391 | "clientAuthenticatorType" : "client-secret", 392 | "secret" : "62348a97-1ed8-4347-9ed9-3bf0e7c1492a", 393 | "redirectUris" : [ "/realms/dev/account/*" ], 394 | "webOrigins" : [ ], 395 | "notBefore" : 0, 396 | "bearerOnly" : false, 397 | "consentRequired" : false, 398 | "standardFlowEnabled" : true, 399 | 
"implicitFlowEnabled" : false, 400 | "directAccessGrantsEnabled" : false, 401 | "serviceAccountsEnabled" : false, 402 | "publicClient" : true, 403 | "frontchannelLogout" : false, 404 | "protocol" : "openid-connect", 405 | "attributes" : { 406 | "pkce.code.challenge.method" : "S256" 407 | }, 408 | "authenticationFlowBindingOverrides" : { }, 409 | "fullScopeAllowed" : false, 410 | "nodeReRegistrationTimeout" : 0, 411 | "protocolMappers" : [ { 412 | "id" : "47151da2-dc82-4b18-bab9-ed981c3510e8", 413 | "name" : "audience resolve", 414 | "protocol" : "openid-connect", 415 | "protocolMapper" : "oidc-audience-resolve-mapper", 416 | "consentRequired" : false, 417 | "config" : { } 418 | } ], 419 | "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], 420 | "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] 421 | }, { 422 | "id" : "23543bd1-7419-4839-af42-fa7327634009", 423 | "clientId" : "admin-cli", 424 | "name" : "${client_admin-cli}", 425 | "surrogateAuthRequired" : false, 426 | "enabled" : true, 427 | "alwaysDisplayInConsole" : false, 428 | "clientAuthenticatorType" : "client-secret", 429 | "secret" : "b949950c-4336-44b7-8dae-9e0e7448f7a4", 430 | "redirectUris" : [ ], 431 | "webOrigins" : [ ], 432 | "notBefore" : 0, 433 | "bearerOnly" : false, 434 | "consentRequired" : false, 435 | "standardFlowEnabled" : false, 436 | "implicitFlowEnabled" : false, 437 | "directAccessGrantsEnabled" : true, 438 | "serviceAccountsEnabled" : false, 439 | "publicClient" : true, 440 | "frontchannelLogout" : false, 441 | "protocol" : "openid-connect", 442 | "attributes" : { }, 443 | "authenticationFlowBindingOverrides" : { }, 444 | "fullScopeAllowed" : false, 445 | "nodeReRegistrationTimeout" : 0, 446 | "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], 447 | "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] 448 | }, { 449 | "id" : 
"997d61d4-667f-487c-ac45-bc9d87493b7b", 450 | "clientId" : "broker", 451 | "name" : "${client_broker}", 452 | "surrogateAuthRequired" : false, 453 | "enabled" : true, 454 | "alwaysDisplayInConsole" : false, 455 | "clientAuthenticatorType" : "client-secret", 456 | "secret" : "1c6c6cec-a140-480f-aed7-7ba84aaa2129", 457 | "redirectUris" : [ ], 458 | "webOrigins" : [ ], 459 | "notBefore" : 0, 460 | "bearerOnly" : false, 461 | "consentRequired" : false, 462 | "standardFlowEnabled" : true, 463 | "implicitFlowEnabled" : false, 464 | "directAccessGrantsEnabled" : false, 465 | "serviceAccountsEnabled" : false, 466 | "publicClient" : false, 467 | "frontchannelLogout" : false, 468 | "protocol" : "openid-connect", 469 | "attributes" : { }, 470 | "authenticationFlowBindingOverrides" : { }, 471 | "fullScopeAllowed" : false, 472 | "nodeReRegistrationTimeout" : 0, 473 | "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], 474 | "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] 475 | }, { 476 | "id" : "09d95a66-b98f-43de-8955-f952d725660e", 477 | "clientId" : "realm-management", 478 | "name" : "${client_realm-management}", 479 | "surrogateAuthRequired" : false, 480 | "enabled" : true, 481 | "alwaysDisplayInConsole" : false, 482 | "clientAuthenticatorType" : "client-secret", 483 | "secret" : "a9f43168-9729-41ce-bb43-b067549f2c76", 484 | "redirectUris" : [ ], 485 | "webOrigins" : [ ], 486 | "notBefore" : 0, 487 | "bearerOnly" : true, 488 | "consentRequired" : false, 489 | "standardFlowEnabled" : true, 490 | "implicitFlowEnabled" : false, 491 | "directAccessGrantsEnabled" : false, 492 | "serviceAccountsEnabled" : false, 493 | "publicClient" : false, 494 | "frontchannelLogout" : false, 495 | "protocol" : "openid-connect", 496 | "attributes" : { }, 497 | "authenticationFlowBindingOverrides" : { }, 498 | "fullScopeAllowed" : false, 499 | "nodeReRegistrationTimeout" : 0, 500 | "defaultClientScopes" : [ "web-origins", 
"role_list", "profile", "roles", "email" ], 501 | "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] 502 | }, { 503 | "id" : "158303c9-120f-43a0-8054-611f1df8b640", 504 | "clientId" : "security-admin-console", 505 | "name" : "${client_security-admin-console}", 506 | "rootUrl" : "${authAdminUrl}", 507 | "baseUrl" : "/admin/dev/console/", 508 | "surrogateAuthRequired" : false, 509 | "enabled" : true, 510 | "alwaysDisplayInConsole" : false, 511 | "clientAuthenticatorType" : "client-secret", 512 | "secret" : "c55d8b19-2a09-45d9-86be-57b6f29d1d48", 513 | "redirectUris" : [ "/admin/dev/console/*" ], 514 | "webOrigins" : [ "+" ], 515 | "notBefore" : 0, 516 | "bearerOnly" : false, 517 | "consentRequired" : false, 518 | "standardFlowEnabled" : true, 519 | "implicitFlowEnabled" : false, 520 | "directAccessGrantsEnabled" : false, 521 | "serviceAccountsEnabled" : false, 522 | "publicClient" : true, 523 | "frontchannelLogout" : false, 524 | "protocol" : "openid-connect", 525 | "attributes" : { 526 | "pkce.code.challenge.method" : "S256" 527 | }, 528 | "authenticationFlowBindingOverrides" : { }, 529 | "fullScopeAllowed" : false, 530 | "nodeReRegistrationTimeout" : 0, 531 | "protocolMappers" : [ { 532 | "id" : "5882af62-571a-4c59-9e61-1f9f0da159dc", 533 | "name" : "locale", 534 | "protocol" : "openid-connect", 535 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 536 | "consentRequired" : false, 537 | "config" : { 538 | "userinfo.token.claim" : "true", 539 | "user.attribute" : "locale", 540 | "id.token.claim" : "true", 541 | "access.token.claim" : "true", 542 | "claim.name" : "locale", 543 | "jsonType.label" : "String" 544 | } 545 | } ], 546 | "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], 547 | "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] 548 | }, { 549 | "id" : "8aa5f84c-5525-4b8a-8b10-769e16314141", 550 | "clientId" : "server", 551 | "rootUrl" : 
"http://localhost:8000", 552 | "adminUrl" : "http://localhost:8000", 553 | "surrogateAuthRequired" : false, 554 | "enabled" : true, 555 | "alwaysDisplayInConsole" : false, 556 | "clientAuthenticatorType" : "client-secret", 557 | "secret" : "d1680bbb-24f3-4835-a0d9-2a7492a4cc99", 558 | "redirectUris" : [ "*" ], 559 | "webOrigins" : [ "http://localhost:8000" ], 560 | "notBefore" : 0, 561 | "bearerOnly" : false, 562 | "consentRequired" : false, 563 | "standardFlowEnabled" : true, 564 | "implicitFlowEnabled" : false, 565 | "directAccessGrantsEnabled" : true, 566 | "serviceAccountsEnabled" : false, 567 | "publicClient" : false, 568 | "frontchannelLogout" : false, 569 | "protocol" : "openid-connect", 570 | "attributes" : { 571 | "saml.assertion.signature" : "false", 572 | "saml.force.post.binding" : "false", 573 | "saml.multivalued.roles" : "false", 574 | "saml.encrypt" : "false", 575 | "saml.server.signature" : "false", 576 | "saml.server.signature.keyinfo.ext" : "false", 577 | "exclude.session.state.from.auth.response" : "false", 578 | "saml_force_name_id_format" : "false", 579 | "saml.client.signature" : "false", 580 | "tls.client.certificate.bound.access.tokens" : "false", 581 | "saml.authnstatement" : "false", 582 | "display.on.consent.screen" : "false", 583 | "saml.onetimeuse.condition" : "false" 584 | }, 585 | "authenticationFlowBindingOverrides" : { }, 586 | "fullScopeAllowed" : true, 587 | "nodeReRegistrationTimeout" : -1, 588 | "protocolMappers" : [ { 589 | "id" : "20904861-6eaa-40ca-9f09-f11f9bd24c57", 590 | "name" : "groups", 591 | "protocol" : "openid-connect", 592 | "protocolMapper" : "oidc-group-membership-mapper", 593 | "consentRequired" : false, 594 | "config" : { 595 | "full.path" : "true", 596 | "id.token.claim" : "false", 597 | "access.token.claim" : "false", 598 | "claim.name" : "groups", 599 | "userinfo.token.claim" : "true" 600 | } 601 | } ], 602 | "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "api", "email" ], 603 | 
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] 604 | } ], 605 | "clientScopes" : [ { 606 | "id" : "13827002-f62e-4ce0-afb2-798f9a2b2e17", 607 | "name" : "email", 608 | "description" : "OpenID Connect built-in scope: email", 609 | "protocol" : "openid-connect", 610 | "attributes" : { 611 | "include.in.token.scope" : "true", 612 | "display.on.consent.screen" : "true", 613 | "consent.screen.text" : "${emailScopeConsentText}" 614 | }, 615 | "protocolMappers" : [ { 616 | "id" : "985aed3c-eb99-45a8-88ec-bd6260d9d427", 617 | "name" : "email verified", 618 | "protocol" : "openid-connect", 619 | "protocolMapper" : "oidc-usermodel-property-mapper", 620 | "consentRequired" : false, 621 | "config" : { 622 | "userinfo.token.claim" : "true", 623 | "user.attribute" : "emailVerified", 624 | "id.token.claim" : "true", 625 | "access.token.claim" : "true", 626 | "claim.name" : "email_verified", 627 | "jsonType.label" : "boolean" 628 | } 629 | }, { 630 | "id" : "63c45bd3-9714-4e5d-b14b-ec0d50742e38", 631 | "name" : "email", 632 | "protocol" : "openid-connect", 633 | "protocolMapper" : "oidc-usermodel-property-mapper", 634 | "consentRequired" : false, 635 | "config" : { 636 | "userinfo.token.claim" : "true", 637 | "user.attribute" : "email", 638 | "id.token.claim" : "true", 639 | "access.token.claim" : "true", 640 | "claim.name" : "email", 641 | "jsonType.label" : "String" 642 | } 643 | } ] 644 | }, { 645 | "id" : "1def9ee8-6705-49b0-a2be-7eec6100a08b", 646 | "name" : "phone", 647 | "description" : "OpenID Connect built-in scope: phone", 648 | "protocol" : "openid-connect", 649 | "attributes" : { 650 | "include.in.token.scope" : "true", 651 | "display.on.consent.screen" : "true", 652 | "consent.screen.text" : "${phoneScopeConsentText}" 653 | }, 654 | "protocolMappers" : [ { 655 | "id" : "b3f21921-23f7-45a1-868b-f1fda266d1e7", 656 | "name" : "phone number", 657 | "protocol" : "openid-connect", 658 | "protocolMapper" : 
"oidc-usermodel-attribute-mapper", 659 | "consentRequired" : false, 660 | "config" : { 661 | "userinfo.token.claim" : "true", 662 | "user.attribute" : "phoneNumber", 663 | "id.token.claim" : "true", 664 | "access.token.claim" : "true", 665 | "claim.name" : "phone_number", 666 | "jsonType.label" : "String" 667 | } 668 | }, { 669 | "id" : "0bfcbc53-d912-42c2-9943-a4dfca2f0a79", 670 | "name" : "phone number verified", 671 | "protocol" : "openid-connect", 672 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 673 | "consentRequired" : false, 674 | "config" : { 675 | "userinfo.token.claim" : "true", 676 | "user.attribute" : "phoneNumberVerified", 677 | "id.token.claim" : "true", 678 | "access.token.claim" : "true", 679 | "claim.name" : "phone_number_verified", 680 | "jsonType.label" : "boolean" 681 | } 682 | } ] 683 | }, { 684 | "id" : "3f3221a0-5864-4e86-a19e-c75b6f196da9", 685 | "name" : "profile", 686 | "description" : "OpenID Connect built-in scope: profile", 687 | "protocol" : "openid-connect", 688 | "attributes" : { 689 | "include.in.token.scope" : "true", 690 | "display.on.consent.screen" : "true", 691 | "consent.screen.text" : "${profileScopeConsentText}" 692 | }, 693 | "protocolMappers" : [ { 694 | "id" : "b95e2e0a-f859-448f-b09b-8e659516322a", 695 | "name" : "family name", 696 | "protocol" : "openid-connect", 697 | "protocolMapper" : "oidc-usermodel-property-mapper", 698 | "consentRequired" : false, 699 | "config" : { 700 | "userinfo.token.claim" : "true", 701 | "user.attribute" : "lastName", 702 | "id.token.claim" : "true", 703 | "access.token.claim" : "true", 704 | "claim.name" : "family_name", 705 | "jsonType.label" : "String" 706 | } 707 | }, { 708 | "id" : "e657a0ed-4b74-4d6b-a4ef-019a67dd5c37", 709 | "name" : "updated at", 710 | "protocol" : "openid-connect", 711 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 712 | "consentRequired" : false, 713 | "config" : { 714 | "userinfo.token.claim" : "true", 715 | "user.attribute" : "updatedAt", 716 
| "id.token.claim" : "true", 717 | "access.token.claim" : "true", 718 | "claim.name" : "updated_at", 719 | "jsonType.label" : "String" 720 | } 721 | }, { 722 | "id" : "0239b2a8-00b5-4b15-974b-8ec6e412c8dc", 723 | "name" : "gender", 724 | "protocol" : "openid-connect", 725 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 726 | "consentRequired" : false, 727 | "config" : { 728 | "userinfo.token.claim" : "true", 729 | "user.attribute" : "gender", 730 | "id.token.claim" : "true", 731 | "access.token.claim" : "true", 732 | "claim.name" : "gender", 733 | "jsonType.label" : "String" 734 | } 735 | }, { 736 | "id" : "1669cbd3-a313-4f90-9e83-4a5c68dedfba", 737 | "name" : "given name", 738 | "protocol" : "openid-connect", 739 | "protocolMapper" : "oidc-usermodel-property-mapper", 740 | "consentRequired" : false, 741 | "config" : { 742 | "userinfo.token.claim" : "true", 743 | "user.attribute" : "firstName", 744 | "id.token.claim" : "true", 745 | "access.token.claim" : "true", 746 | "claim.name" : "given_name", 747 | "jsonType.label" : "String" 748 | } 749 | }, { 750 | "id" : "33afb038-732e-454a-9e84-cfaddff4397d", 751 | "name" : "middle name", 752 | "protocol" : "openid-connect", 753 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 754 | "consentRequired" : false, 755 | "config" : { 756 | "userinfo.token.claim" : "true", 757 | "user.attribute" : "middleName", 758 | "id.token.claim" : "true", 759 | "access.token.claim" : "true", 760 | "claim.name" : "middle_name", 761 | "jsonType.label" : "String" 762 | } 763 | }, { 764 | "id" : "73695960-5af9-45fb-bad4-0748ebe1726e", 765 | "name" : "locale", 766 | "protocol" : "openid-connect", 767 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 768 | "consentRequired" : false, 769 | "config" : { 770 | "userinfo.token.claim" : "true", 771 | "user.attribute" : "locale", 772 | "id.token.claim" : "true", 773 | "access.token.claim" : "true", 774 | "claim.name" : "locale", 775 | "jsonType.label" : "String" 776 | } 777 | }, { 
778 | "id" : "8fab75e0-4f62-4de5-86cc-db88cbd7d2d9", 779 | "name" : "username", 780 | "protocol" : "openid-connect", 781 | "protocolMapper" : "oidc-usermodel-property-mapper", 782 | "consentRequired" : false, 783 | "config" : { 784 | "userinfo.token.claim" : "true", 785 | "user.attribute" : "username", 786 | "id.token.claim" : "true", 787 | "access.token.claim" : "true", 788 | "claim.name" : "preferred_username", 789 | "jsonType.label" : "String" 790 | } 791 | }, { 792 | "id" : "01177cc3-9429-4a1d-8390-319ab0254b33", 793 | "name" : "full name", 794 | "protocol" : "openid-connect", 795 | "protocolMapper" : "oidc-full-name-mapper", 796 | "consentRequired" : false, 797 | "config" : { 798 | "id.token.claim" : "true", 799 | "access.token.claim" : "true", 800 | "userinfo.token.claim" : "true" 801 | } 802 | }, { 803 | "id" : "627f6bd9-6ad7-4f98-b92f-15754f804433", 804 | "name" : "nickname", 805 | "protocol" : "openid-connect", 806 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 807 | "consentRequired" : false, 808 | "config" : { 809 | "userinfo.token.claim" : "true", 810 | "user.attribute" : "nickname", 811 | "id.token.claim" : "true", 812 | "access.token.claim" : "true", 813 | "claim.name" : "nickname", 814 | "jsonType.label" : "String" 815 | } 816 | }, { 817 | "id" : "8428522c-0e1b-47c6-936d-8b9bdf63ec3e", 818 | "name" : "zoneinfo", 819 | "protocol" : "openid-connect", 820 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 821 | "consentRequired" : false, 822 | "config" : { 823 | "userinfo.token.claim" : "true", 824 | "user.attribute" : "zoneinfo", 825 | "id.token.claim" : "true", 826 | "access.token.claim" : "true", 827 | "claim.name" : "zoneinfo", 828 | "jsonType.label" : "String" 829 | } 830 | }, { 831 | "id" : "cf68ee92-80db-48d5-97b0-2b6b25ee3b30", 832 | "name" : "birthdate", 833 | "protocol" : "openid-connect", 834 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 835 | "consentRequired" : false, 836 | "config" : { 837 | "userinfo.token.claim" : 
"true", 838 | "user.attribute" : "birthdate", 839 | "id.token.claim" : "true", 840 | "access.token.claim" : "true", 841 | "claim.name" : "birthdate", 842 | "jsonType.label" : "String" 843 | } 844 | }, { 845 | "id" : "09b1b9d3-5a3f-4412-9b30-4e412a63b026", 846 | "name" : "website", 847 | "protocol" : "openid-connect", 848 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 849 | "consentRequired" : false, 850 | "config" : { 851 | "userinfo.token.claim" : "true", 852 | "user.attribute" : "website", 853 | "id.token.claim" : "true", 854 | "access.token.claim" : "true", 855 | "claim.name" : "website", 856 | "jsonType.label" : "String" 857 | } 858 | }, { 859 | "id" : "93aceea7-c542-46ca-bd58-80f841d5d916", 860 | "name" : "picture", 861 | "protocol" : "openid-connect", 862 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 863 | "consentRequired" : false, 864 | "config" : { 865 | "userinfo.token.claim" : "true", 866 | "user.attribute" : "picture", 867 | "id.token.claim" : "true", 868 | "access.token.claim" : "true", 869 | "claim.name" : "picture", 870 | "jsonType.label" : "String" 871 | } 872 | }, { 873 | "id" : "59f63b8c-bd7a-4106-b368-eea78863c735", 874 | "name" : "profile", 875 | "protocol" : "openid-connect", 876 | "protocolMapper" : "oidc-usermodel-attribute-mapper", 877 | "consentRequired" : false, 878 | "config" : { 879 | "userinfo.token.claim" : "true", 880 | "user.attribute" : "profile", 881 | "id.token.claim" : "true", 882 | "access.token.claim" : "true", 883 | "claim.name" : "profile", 884 | "jsonType.label" : "String" 885 | } 886 | } ] 887 | }, { 888 | "id" : "74155647-0eba-45ae-87a0-292855d5667f", 889 | "name" : "microprofile-jwt", 890 | "description" : "Microprofile - JWT built-in scope", 891 | "protocol" : "openid-connect", 892 | "attributes" : { 893 | "include.in.token.scope" : "true", 894 | "display.on.consent.screen" : "false" 895 | }, 896 | "protocolMappers" : [ { 897 | "id" : "9d34d278-442b-4f56-9517-9103e216f873", 898 | "name" : "upn", 899 | 
"protocol" : "openid-connect", 900 | "protocolMapper" : "oidc-usermodel-property-mapper", 901 | "consentRequired" : false, 902 | "config" : { 903 | "userinfo.token.claim" : "true", 904 | "user.attribute" : "username", 905 | "id.token.claim" : "true", 906 | "access.token.claim" : "true", 907 | "claim.name" : "upn", 908 | "jsonType.label" : "String" 909 | } 910 | }, { 911 | "id" : "50dd0525-fca5-4216-a3a3-da7e78cb92af", 912 | "name" : "groups", 913 | "protocol" : "openid-connect", 914 | "protocolMapper" : "oidc-usermodel-realm-role-mapper", 915 | "consentRequired" : false, 916 | "config" : { 917 | "multivalued" : "true", 918 | "user.attribute" : "foo", 919 | "id.token.claim" : "true", 920 | "access.token.claim" : "true", 921 | "claim.name" : "groups", 922 | "jsonType.label" : "String" 923 | } 924 | } ] 925 | }, { 926 | "id" : "8d448f45-4a94-4c56-9518-1c7c012ddb52", 927 | "name" : "roles", 928 | "description" : "OpenID Connect scope for add user roles to the access token", 929 | "protocol" : "openid-connect", 930 | "attributes" : { 931 | "include.in.token.scope" : "false", 932 | "display.on.consent.screen" : "true", 933 | "consent.screen.text" : "${rolesScopeConsentText}" 934 | }, 935 | "protocolMappers" : [ { 936 | "id" : "855f857c-2359-4ddf-a304-7d503e36415a", 937 | "name" : "audience resolve", 938 | "protocol" : "openid-connect", 939 | "protocolMapper" : "oidc-audience-resolve-mapper", 940 | "consentRequired" : false, 941 | "config" : { } 942 | }, { 943 | "id" : "a0e2c324-45e3-4a5b-8cd8-f7dade743b46", 944 | "name" : "client roles", 945 | "protocol" : "openid-connect", 946 | "protocolMapper" : "oidc-usermodel-client-role-mapper", 947 | "consentRequired" : false, 948 | "config" : { 949 | "user.attribute" : "foo", 950 | "access.token.claim" : "true", 951 | "claim.name" : "resource_access.${client_id}.roles", 952 | "jsonType.label" : "String", 953 | "multivalued" : "true" 954 | } 955 | }, { 956 | "id" : "764cc3f0-7e7d-4dd9-9fa6-1decd48d372c", 957 | "name" : "realm 
roles", 958 | "protocol" : "openid-connect", 959 | "protocolMapper" : "oidc-usermodel-realm-role-mapper", 960 | "consentRequired" : false, 961 | "config" : { 962 | "user.attribute" : "foo", 963 | "access.token.claim" : "true", 964 | "claim.name" : "realm_access.roles", 965 | "jsonType.label" : "String", 966 | "multivalued" : "true" 967 | } 968 | } ] 969 | }, { 970 | "id" : "9351137b-bd3b-41f5-b186-c11c93372da9", 971 | "name" : "api", 972 | "description" : "Test API Scope", 973 | "protocol" : "openid-connect", 974 | "attributes" : { 975 | "include.in.token.scope" : "false", 976 | "display.on.consent.screen" : "true", 977 | "consent.screen.text" : "" 978 | } 979 | }, { 980 | "id" : "9d0cd716-21be-4df9-901a-f8f945ecc844", 981 | "name" : "role_list", 982 | "description" : "SAML role list", 983 | "protocol" : "saml", 984 | "attributes" : { 985 | "consent.screen.text" : "${samlRoleListScopeConsentText}", 986 | "display.on.consent.screen" : "true" 987 | }, 988 | "protocolMappers" : [ { 989 | "id" : "a7f89380-a77b-4140-9fb2-24d2afde52fe", 990 | "name" : "role list", 991 | "protocol" : "saml", 992 | "protocolMapper" : "saml-role-list-mapper", 993 | "consentRequired" : false, 994 | "config" : { 995 | "single" : "false", 996 | "attribute.nameformat" : "Basic", 997 | "attribute.name" : "Role" 998 | } 999 | } ] 1000 | }, { 1001 | "id" : "b797ff93-206d-42b5-833a-599e546b1518", 1002 | "name" : "address", 1003 | "description" : "OpenID Connect built-in scope: address", 1004 | "protocol" : "openid-connect", 1005 | "attributes" : { 1006 | "include.in.token.scope" : "true", 1007 | "display.on.consent.screen" : "true", 1008 | "consent.screen.text" : "${addressScopeConsentText}" 1009 | }, 1010 | "protocolMappers" : [ { 1011 | "id" : "d737b414-62c2-4f5e-a2d4-5773fa456ab7", 1012 | "name" : "address", 1013 | "protocol" : "openid-connect", 1014 | "protocolMapper" : "oidc-address-mapper", 1015 | "consentRequired" : false, 1016 | "config" : { 1017 | "user.attribute.formatted" : "formatted", 
1018 | "user.attribute.country" : "country", 1019 | "user.attribute.postal_code" : "postal_code", 1020 | "userinfo.token.claim" : "true", 1021 | "user.attribute.street" : "street", 1022 | "id.token.claim" : "true", 1023 | "user.attribute.region" : "region", 1024 | "access.token.claim" : "true", 1025 | "user.attribute.locality" : "locality" 1026 | } 1027 | } ] 1028 | }, { 1029 | "id" : "cb4dc6c8-185f-4106-8de7-ad947fb375ab", 1030 | "name" : "offline_access", 1031 | "description" : "OpenID Connect built-in scope: offline_access", 1032 | "protocol" : "openid-connect", 1033 | "attributes" : { 1034 | "consent.screen.text" : "${offlineAccessScopeConsentText}", 1035 | "display.on.consent.screen" : "true" 1036 | } 1037 | }, { 1038 | "id" : "d66accea-1428-4ac7-be56-a47e16dc5274", 1039 | "name" : "web-origins", 1040 | "description" : "OpenID Connect scope for add allowed web origins to the access token", 1041 | "protocol" : "openid-connect", 1042 | "attributes" : { 1043 | "include.in.token.scope" : "false", 1044 | "display.on.consent.screen" : "false", 1045 | "consent.screen.text" : "" 1046 | }, 1047 | "protocolMappers" : [ { 1048 | "id" : "10c00e05-3aad-4e53-8026-f115a4f05136", 1049 | "name" : "allowed web origins", 1050 | "protocol" : "openid-connect", 1051 | "protocolMapper" : "oidc-allowed-origins-mapper", 1052 | "consentRequired" : false, 1053 | "config" : { } 1054 | } ] 1055 | } ], 1056 | "defaultDefaultClientScopes" : [ "email", "profile", "roles", "role_list", "web-origins" ], 1057 | "defaultOptionalClientScopes" : [ "phone", "microprofile-jwt", "address", "offline_access" ], 1058 | "browserSecurityHeaders" : { 1059 | "contentSecurityPolicyReportOnly" : "", 1060 | "xContentTypeOptions" : "nosniff", 1061 | "xRobotsTag" : "none", 1062 | "xFrameOptions" : "SAMEORIGIN", 1063 | "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", 1064 | "xXSSProtection" : "1; mode=block", 1065 | "strictTransportSecurity" : "max-age=31536000; 
includeSubDomains" 1066 | }, 1067 | "smtpServer" : { }, 1068 | "eventsEnabled" : false, 1069 | "eventsListeners" : [ "jboss-logging" ], 1070 | "enabledEventTypes" : [ ], 1071 | "adminEventsEnabled" : false, 1072 | "adminEventsDetailsEnabled" : false, 1073 | "components" : { 1074 | "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { 1075 | "id" : "69c21c35-bacf-4160-ac1d-8a71f3a8d68a", 1076 | "name" : "Trusted Hosts", 1077 | "providerId" : "trusted-hosts", 1078 | "subType" : "anonymous", 1079 | "subComponents" : { }, 1080 | "config" : { 1081 | "host-sending-registration-request-must-match" : [ "true" ], 1082 | "client-uris-must-match" : [ "true" ] 1083 | } 1084 | }, { 1085 | "id" : "262f7c4f-665c-4054-a66c-0c2ee5600aa9", 1086 | "name" : "Allowed Client Scopes", 1087 | "providerId" : "allowed-client-templates", 1088 | "subType" : "authenticated", 1089 | "subComponents" : { }, 1090 | "config" : { 1091 | "allow-default-scopes" : [ "true" ] 1092 | } 1093 | }, { 1094 | "id" : "364c6489-96bc-461f-9208-981ebccb3b45", 1095 | "name" : "Max Clients Limit", 1096 | "providerId" : "max-clients", 1097 | "subType" : "anonymous", 1098 | "subComponents" : { }, 1099 | "config" : { 1100 | "max-clients" : [ "200" ] 1101 | } 1102 | }, { 1103 | "id" : "587ff99f-b039-4934-84f1-ad27930bbc42", 1104 | "name" : "Consent Required", 1105 | "providerId" : "consent-required", 1106 | "subType" : "anonymous", 1107 | "subComponents" : { }, 1108 | "config" : { } 1109 | }, { 1110 | "id" : "23ddd50d-3ea0-4cdb-a9bf-7fc10d2c0f06", 1111 | "name" : "Allowed Protocol Mapper Types", 1112 | "providerId" : "allowed-protocol-mappers", 1113 | "subType" : "anonymous", 1114 | "subComponents" : { }, 1115 | "config" : { 1116 | "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", 
"oidc-sha256-pairwise-sub-mapper" ] 1117 | } 1118 | }, { 1119 | "id" : "53917bd7-8893-455d-84b3-7a3ade3725aa", 1120 | "name" : "Full Scope Disabled", 1121 | "providerId" : "scope", 1122 | "subType" : "anonymous", 1123 | "subComponents" : { }, 1124 | "config" : { } 1125 | }, { 1126 | "id" : "534fef3b-1a84-419d-9b30-b8198332b767", 1127 | "name" : "Allowed Client Scopes", 1128 | "providerId" : "allowed-client-templates", 1129 | "subType" : "anonymous", 1130 | "subComponents" : { }, 1131 | "config" : { 1132 | "allow-default-scopes" : [ "true" ] 1133 | } 1134 | }, { 1135 | "id" : "75d1f633-a01b-4698-a90d-0e4e9cfee1cc", 1136 | "name" : "Allowed Protocol Mapper Types", 1137 | "providerId" : "allowed-protocol-mappers", 1138 | "subType" : "authenticated", 1139 | "subComponents" : { }, 1140 | "config" : { 1141 | "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper" ] 1142 | } 1143 | } ], 1144 | "org.keycloak.keys.KeyProvider" : [ { 1145 | "id" : "3dc6e836-13d5-4a82-82c0-be14438ca042", 1146 | "name" : "hmac-generated", 1147 | "providerId" : "hmac-generated", 1148 | "subComponents" : { }, 1149 | "config" : { 1150 | "kid" : [ "4bf6c4b3-c044-4285-a4ae-5552bc9539b4" ], 1151 | "secret" : [ "0riVLdwTRuaW8KbPwOupENTOise97wa160e-xJ1N88sTWrU4twFHw6eIZFFJbLeOl1aggrTsDzUtu2K8LCzkaQ" ], 1152 | "priority" : [ "100" ], 1153 | "algorithm" : [ "HS256" ] 1154 | } 1155 | }, { 1156 | "id" : "b553cde2-6456-4371-881b-b56b02f47368", 1157 | "name" : "rsa-generated", 1158 | "providerId" : "rsa-generated", 1159 | "subComponents" : { }, 1160 | "config" : { 1161 | "privateKey" : [ "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" ], 1162 | "certificate" : [ "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" ], 1163 | "priority" : [ "100" ] 1164 | } 1165 | }, { 1166 | "id" : 
"3ec6288d-081d-48c3-a4ad-7f23d1525114", 1167 | "name" : "aes-generated", 1168 | "providerId" : "aes-generated", 1169 | "subComponents" : { }, 1170 | "config" : { 1171 | "kid" : [ "b43fcbab-9f45-41fe-88c9-83aeb4c14c7a" ], 1172 | "secret" : [ "Xw2pWitdhZqhc3wkfDMUqg" ], 1173 | "priority" : [ "100" ] 1174 | } 1175 | } ] 1176 | }, 1177 | "internationalizationEnabled" : false, 1178 | "supportedLocales" : [ ], 1179 | "authenticationFlows" : [ { 1180 | "id" : "1b7b6d7a-1150-4298-a6c9-dba74e399309", 1181 | "alias" : "Account verification options", 1182 | "description" : "Method with which to verity the existing account", 1183 | "providerId" : "basic-flow", 1184 | "topLevel" : false, 1185 | "builtIn" : true, 1186 | "authenticationExecutions" : [ { 1187 | "authenticator" : "idp-email-verification", 1188 | "requirement" : "ALTERNATIVE", 1189 | "priority" : 10, 1190 | "userSetupAllowed" : false, 1191 | "autheticatorFlow" : false 1192 | }, { 1193 | "requirement" : "ALTERNATIVE", 1194 | "priority" : 20, 1195 | "flowAlias" : "Verify Existing Account by Re-authentication", 1196 | "userSetupAllowed" : false, 1197 | "autheticatorFlow" : true 1198 | } ] 1199 | }, { 1200 | "id" : "48a45952-cd8d-42d1-8c72-09e0b2456173", 1201 | "alias" : "Authentication Options", 1202 | "description" : "Authentication options.", 1203 | "providerId" : "basic-flow", 1204 | "topLevel" : false, 1205 | "builtIn" : true, 1206 | "authenticationExecutions" : [ { 1207 | "authenticator" : "basic-auth", 1208 | "requirement" : "REQUIRED", 1209 | "priority" : 10, 1210 | "userSetupAllowed" : false, 1211 | "autheticatorFlow" : false 1212 | }, { 1213 | "authenticator" : "basic-auth-otp", 1214 | "requirement" : "DISABLED", 1215 | "priority" : 20, 1216 | "userSetupAllowed" : false, 1217 | "autheticatorFlow" : false 1218 | }, { 1219 | "authenticator" : "auth-spnego", 1220 | "requirement" : "DISABLED", 1221 | "priority" : 30, 1222 | "userSetupAllowed" : false, 1223 | "autheticatorFlow" : false 1224 | } ] 1225 | }, { 1226 | 
"id" : "4941f537-ecca-403e-8a98-9445c1d62b07", 1227 | "alias" : "Browser - Conditional OTP", 1228 | "description" : "Flow to determine if the OTP is required for the authentication", 1229 | "providerId" : "basic-flow", 1230 | "topLevel" : false, 1231 | "builtIn" : true, 1232 | "authenticationExecutions" : [ { 1233 | "authenticator" : "conditional-user-configured", 1234 | "requirement" : "REQUIRED", 1235 | "priority" : 10, 1236 | "userSetupAllowed" : false, 1237 | "autheticatorFlow" : false 1238 | }, { 1239 | "authenticator" : "auth-otp-form", 1240 | "requirement" : "REQUIRED", 1241 | "priority" : 20, 1242 | "userSetupAllowed" : false, 1243 | "autheticatorFlow" : false 1244 | } ] 1245 | }, { 1246 | "id" : "9fce205f-0dee-4015-ac25-a86d7f9aef4c", 1247 | "alias" : "Direct Grant - Conditional OTP", 1248 | "description" : "Flow to determine if the OTP is required for the authentication", 1249 | "providerId" : "basic-flow", 1250 | "topLevel" : false, 1251 | "builtIn" : true, 1252 | "authenticationExecutions" : [ { 1253 | "authenticator" : "conditional-user-configured", 1254 | "requirement" : "REQUIRED", 1255 | "priority" : 10, 1256 | "userSetupAllowed" : false, 1257 | "autheticatorFlow" : false 1258 | }, { 1259 | "authenticator" : "direct-grant-validate-otp", 1260 | "requirement" : "REQUIRED", 1261 | "priority" : 20, 1262 | "userSetupAllowed" : false, 1263 | "autheticatorFlow" : false 1264 | } ] 1265 | }, { 1266 | "id" : "7c41fd68-2fba-4de9-8b5d-36ac7d066cf0", 1267 | "alias" : "First broker login - Conditional OTP", 1268 | "description" : "Flow to determine if the OTP is required for the authentication", 1269 | "providerId" : "basic-flow", 1270 | "topLevel" : false, 1271 | "builtIn" : true, 1272 | "authenticationExecutions" : [ { 1273 | "authenticator" : "conditional-user-configured", 1274 | "requirement" : "REQUIRED", 1275 | "priority" : 10, 1276 | "userSetupAllowed" : false, 1277 | "autheticatorFlow" : false 1278 | }, { 1279 | "authenticator" : "auth-otp-form", 1280 | 
"requirement" : "REQUIRED", 1281 | "priority" : 20, 1282 | "userSetupAllowed" : false, 1283 | "autheticatorFlow" : false 1284 | } ] 1285 | }, { 1286 | "id" : "3e8508b5-0366-48e8-9716-467f22d4db32", 1287 | "alias" : "Handle Existing Account", 1288 | "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", 1289 | "providerId" : "basic-flow", 1290 | "topLevel" : false, 1291 | "builtIn" : true, 1292 | "authenticationExecutions" : [ { 1293 | "authenticator" : "idp-confirm-link", 1294 | "requirement" : "REQUIRED", 1295 | "priority" : 10, 1296 | "userSetupAllowed" : false, 1297 | "autheticatorFlow" : false 1298 | }, { 1299 | "requirement" : "REQUIRED", 1300 | "priority" : 20, 1301 | "flowAlias" : "Account verification options", 1302 | "userSetupAllowed" : false, 1303 | "autheticatorFlow" : true 1304 | } ] 1305 | }, { 1306 | "id" : "b04c030f-8110-44e0-ac08-7887ddf825a2", 1307 | "alias" : "Reset - Conditional OTP", 1308 | "description" : "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", 1309 | "providerId" : "basic-flow", 1310 | "topLevel" : false, 1311 | "builtIn" : true, 1312 | "authenticationExecutions" : [ { 1313 | "authenticator" : "conditional-user-configured", 1314 | "requirement" : "REQUIRED", 1315 | "priority" : 10, 1316 | "userSetupAllowed" : false, 1317 | "autheticatorFlow" : false 1318 | }, { 1319 | "authenticator" : "reset-otp", 1320 | "requirement" : "REQUIRED", 1321 | "priority" : 20, 1322 | "userSetupAllowed" : false, 1323 | "autheticatorFlow" : false 1324 | } ] 1325 | }, { 1326 | "id" : "de632591-5fb9-49dc-895f-d29b2545db62", 1327 | "alias" : "User creation or linking", 1328 | "description" : "Flow for the existing/non-existing user alternatives", 1329 | "providerId" : "basic-flow", 1330 | "topLevel" : false, 1331 | "builtIn" : true, 1332 | "authenticationExecutions" : [ { 1333 | "authenticatorConfig" : "create unique user config", 1334 | "authenticator" : "idp-create-user-if-unique", 1335 | "requirement" : "ALTERNATIVE", 1336 | "priority" : 10, 1337 | "userSetupAllowed" : false, 1338 | "autheticatorFlow" : false 1339 | }, { 1340 | "requirement" : "ALTERNATIVE", 1341 | "priority" : 20, 1342 | "flowAlias" : "Handle Existing Account", 1343 | "userSetupAllowed" : false, 1344 | "autheticatorFlow" : true 1345 | } ] 1346 | }, { 1347 | "id" : "18c018d3-2fc9-429d-b270-96402240109f", 1348 | "alias" : "Verify Existing Account by Re-authentication", 1349 | "description" : "Reauthentication of existing account", 1350 | "providerId" : "basic-flow", 1351 | "topLevel" : false, 1352 | "builtIn" : true, 1353 | "authenticationExecutions" : [ { 1354 | "authenticator" : "idp-username-password-form", 1355 | "requirement" : "REQUIRED", 1356 | "priority" : 10, 1357 | "userSetupAllowed" : false, 1358 | "autheticatorFlow" : false 1359 | }, { 1360 | "requirement" : "CONDITIONAL", 1361 | "priority" : 20, 1362 | "flowAlias" : "First broker login - Conditional OTP", 1363 | "userSetupAllowed" : false, 1364 | "autheticatorFlow" : 
true 1365 | } ] 1366 | }, { 1367 | "id" : "38677859-8e01-4865-a6cd-5129f5c874b8", 1368 | "alias" : "browser", 1369 | "description" : "browser based authentication", 1370 | "providerId" : "basic-flow", 1371 | "topLevel" : true, 1372 | "builtIn" : true, 1373 | "authenticationExecutions" : [ { 1374 | "authenticator" : "auth-cookie", 1375 | "requirement" : "ALTERNATIVE", 1376 | "priority" : 10, 1377 | "userSetupAllowed" : false, 1378 | "autheticatorFlow" : false 1379 | }, { 1380 | "authenticator" : "auth-spnego", 1381 | "requirement" : "DISABLED", 1382 | "priority" : 20, 1383 | "userSetupAllowed" : false, 1384 | "autheticatorFlow" : false 1385 | }, { 1386 | "authenticator" : "identity-provider-redirector", 1387 | "requirement" : "ALTERNATIVE", 1388 | "priority" : 25, 1389 | "userSetupAllowed" : false, 1390 | "autheticatorFlow" : false 1391 | }, { 1392 | "requirement" : "ALTERNATIVE", 1393 | "priority" : 30, 1394 | "flowAlias" : "forms", 1395 | "userSetupAllowed" : false, 1396 | "autheticatorFlow" : true 1397 | } ] 1398 | }, { 1399 | "id" : "3e9a56de-9a0a-4b42-82cd-25bfdbe5bf53", 1400 | "alias" : "clients", 1401 | "description" : "Base authentication for clients", 1402 | "providerId" : "client-flow", 1403 | "topLevel" : true, 1404 | "builtIn" : true, 1405 | "authenticationExecutions" : [ { 1406 | "authenticator" : "client-secret", 1407 | "requirement" : "ALTERNATIVE", 1408 | "priority" : 10, 1409 | "userSetupAllowed" : false, 1410 | "autheticatorFlow" : false 1411 | }, { 1412 | "authenticator" : "client-jwt", 1413 | "requirement" : "ALTERNATIVE", 1414 | "priority" : 20, 1415 | "userSetupAllowed" : false, 1416 | "autheticatorFlow" : false 1417 | }, { 1418 | "authenticator" : "client-secret-jwt", 1419 | "requirement" : "ALTERNATIVE", 1420 | "priority" : 30, 1421 | "userSetupAllowed" : false, 1422 | "autheticatorFlow" : false 1423 | }, { 1424 | "authenticator" : "client-x509", 1425 | "requirement" : "ALTERNATIVE", 1426 | "priority" : 40, 1427 | "userSetupAllowed" : false, 
1428 | "autheticatorFlow" : false 1429 | } ] 1430 | }, { 1431 | "id" : "9c73a7d8-87e9-484c-8fae-18eba1be413b", 1432 | "alias" : "direct grant", 1433 | "description" : "OpenID Connect Resource Owner Grant", 1434 | "providerId" : "basic-flow", 1435 | "topLevel" : true, 1436 | "builtIn" : true, 1437 | "authenticationExecutions" : [ { 1438 | "authenticator" : "direct-grant-validate-username", 1439 | "requirement" : "REQUIRED", 1440 | "priority" : 10, 1441 | "userSetupAllowed" : false, 1442 | "autheticatorFlow" : false 1443 | }, { 1444 | "authenticator" : "direct-grant-validate-password", 1445 | "requirement" : "REQUIRED", 1446 | "priority" : 20, 1447 | "userSetupAllowed" : false, 1448 | "autheticatorFlow" : false 1449 | }, { 1450 | "requirement" : "CONDITIONAL", 1451 | "priority" : 30, 1452 | "flowAlias" : "Direct Grant - Conditional OTP", 1453 | "userSetupAllowed" : false, 1454 | "autheticatorFlow" : true 1455 | } ] 1456 | }, { 1457 | "id" : "1953bd7b-188d-42fd-af2d-745d4fe44f2b", 1458 | "alias" : "docker auth", 1459 | "description" : "Used by Docker clients to authenticate against the IDP", 1460 | "providerId" : "basic-flow", 1461 | "topLevel" : true, 1462 | "builtIn" : true, 1463 | "authenticationExecutions" : [ { 1464 | "authenticator" : "docker-http-basic-authenticator", 1465 | "requirement" : "REQUIRED", 1466 | "priority" : 10, 1467 | "userSetupAllowed" : false, 1468 | "autheticatorFlow" : false 1469 | } ] 1470 | }, { 1471 | "id" : "695fd229-c145-4a5d-8655-662d45f838d5", 1472 | "alias" : "first broker login", 1473 | "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", 1474 | "providerId" : "basic-flow", 1475 | "topLevel" : true, 1476 | "builtIn" : true, 1477 | "authenticationExecutions" : [ { 1478 | "authenticatorConfig" : "review profile config", 1479 | "authenticator" : "idp-review-profile", 1480 | "requirement" : "REQUIRED", 1481 | "priority" : 10, 1482 | "userSetupAllowed" : 
false, 1483 | "autheticatorFlow" : false 1484 | }, { 1485 | "requirement" : "REQUIRED", 1486 | "priority" : 20, 1487 | "flowAlias" : "User creation or linking", 1488 | "userSetupAllowed" : false, 1489 | "autheticatorFlow" : true 1490 | } ] 1491 | }, { 1492 | "id" : "e976f5e4-315f-4f4b-b2fa-7f501e395446", 1493 | "alias" : "forms", 1494 | "description" : "Username, password, otp and other auth forms.", 1495 | "providerId" : "basic-flow", 1496 | "topLevel" : false, 1497 | "builtIn" : true, 1498 | "authenticationExecutions" : [ { 1499 | "authenticator" : "auth-username-password-form", 1500 | "requirement" : "REQUIRED", 1501 | "priority" : 10, 1502 | "userSetupAllowed" : false, 1503 | "autheticatorFlow" : false 1504 | }, { 1505 | "requirement" : "CONDITIONAL", 1506 | "priority" : 20, 1507 | "flowAlias" : "Browser - Conditional OTP", 1508 | "userSetupAllowed" : false, 1509 | "autheticatorFlow" : true 1510 | } ] 1511 | }, { 1512 | "id" : "eac4d0ff-a03d-42f1-9369-d7a7bbcccee0", 1513 | "alias" : "http challenge", 1514 | "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", 1515 | "providerId" : "basic-flow", 1516 | "topLevel" : true, 1517 | "builtIn" : true, 1518 | "authenticationExecutions" : [ { 1519 | "authenticator" : "no-cookie-redirect", 1520 | "requirement" : "REQUIRED", 1521 | "priority" : 10, 1522 | "userSetupAllowed" : false, 1523 | "autheticatorFlow" : false 1524 | }, { 1525 | "requirement" : "REQUIRED", 1526 | "priority" : 20, 1527 | "flowAlias" : "Authentication Options", 1528 | "userSetupAllowed" : false, 1529 | "autheticatorFlow" : true 1530 | } ] 1531 | }, { 1532 | "id" : "670adec1-ad50-4305-9ff3-717efccc62bd", 1533 | "alias" : "registration", 1534 | "description" : "registration flow", 1535 | "providerId" : "basic-flow", 1536 | "topLevel" : true, 1537 | "builtIn" : true, 1538 | "authenticationExecutions" : [ { 1539 | "authenticator" : "registration-page-form", 1540 | "requirement" : "REQUIRED", 1541 | "priority" : 
10, 1542 | "flowAlias" : "registration form", 1543 | "userSetupAllowed" : false, 1544 | "autheticatorFlow" : true 1545 | } ] 1546 | }, { 1547 | "id" : "1fdb98e3-7581-4900-a41c-dbaf20115ef6", 1548 | "alias" : "registration form", 1549 | "description" : "registration form", 1550 | "providerId" : "form-flow", 1551 | "topLevel" : false, 1552 | "builtIn" : true, 1553 | "authenticationExecutions" : [ { 1554 | "authenticator" : "registration-user-creation", 1555 | "requirement" : "REQUIRED", 1556 | "priority" : 20, 1557 | "userSetupAllowed" : false, 1558 | "autheticatorFlow" : false 1559 | }, { 1560 | "authenticator" : "registration-profile-action", 1561 | "requirement" : "REQUIRED", 1562 | "priority" : 40, 1563 | "userSetupAllowed" : false, 1564 | "autheticatorFlow" : false 1565 | }, { 1566 | "authenticator" : "registration-password-action", 1567 | "requirement" : "REQUIRED", 1568 | "priority" : 50, 1569 | "userSetupAllowed" : false, 1570 | "autheticatorFlow" : false 1571 | }, { 1572 | "authenticator" : "registration-recaptcha-action", 1573 | "requirement" : "DISABLED", 1574 | "priority" : 60, 1575 | "userSetupAllowed" : false, 1576 | "autheticatorFlow" : false 1577 | } ] 1578 | }, { 1579 | "id" : "8de074de-c428-48ca-a715-51e69d677d33", 1580 | "alias" : "reset credentials", 1581 | "description" : "Reset credentials for a user if they forgot their password or something", 1582 | "providerId" : "basic-flow", 1583 | "topLevel" : true, 1584 | "builtIn" : true, 1585 | "authenticationExecutions" : [ { 1586 | "authenticator" : "reset-credentials-choose-user", 1587 | "requirement" : "REQUIRED", 1588 | "priority" : 10, 1589 | "userSetupAllowed" : false, 1590 | "autheticatorFlow" : false 1591 | }, { 1592 | "authenticator" : "reset-credential-email", 1593 | "requirement" : "REQUIRED", 1594 | "priority" : 20, 1595 | "userSetupAllowed" : false, 1596 | "autheticatorFlow" : false 1597 | }, { 1598 | "authenticator" : "reset-password", 1599 | "requirement" : "REQUIRED", 1600 | "priority" 
: 30, 1601 | "userSetupAllowed" : false, 1602 | "autheticatorFlow" : false 1603 | }, { 1604 | "requirement" : "CONDITIONAL", 1605 | "priority" : 40, 1606 | "flowAlias" : "Reset - Conditional OTP", 1607 | "userSetupAllowed" : false, 1608 | "autheticatorFlow" : true 1609 | } ] 1610 | }, { 1611 | "id" : "7b6cd0e4-708a-4cba-aa6b-1d9077883b33", 1612 | "alias" : "saml ecp", 1613 | "description" : "SAML ECP Profile Authentication Flow", 1614 | "providerId" : "basic-flow", 1615 | "topLevel" : true, 1616 | "builtIn" : true, 1617 | "authenticationExecutions" : [ { 1618 | "authenticator" : "http-basic-authenticator", 1619 | "requirement" : "REQUIRED", 1620 | "priority" : 10, 1621 | "userSetupAllowed" : false, 1622 | "autheticatorFlow" : false 1623 | } ] 1624 | } ], 1625 | "authenticatorConfig" : [ { 1626 | "id" : "9c5ab485-b6f5-4442-b13a-75984fcc610d", 1627 | "alias" : "create unique user config", 1628 | "config" : { 1629 | "require.password.update.after.registration" : "false" 1630 | } 1631 | }, { 1632 | "id" : "35e78571-4e8a-4bc6-83ad-c90dad44d5a0", 1633 | "alias" : "review profile config", 1634 | "config" : { 1635 | "update.profile.on.first.login" : "missing" 1636 | } 1637 | } ], 1638 | "requiredActions" : [ { 1639 | "alias" : "CONFIGURE_TOTP", 1640 | "name" : "Configure OTP", 1641 | "providerId" : "CONFIGURE_TOTP", 1642 | "enabled" : true, 1643 | "defaultAction" : false, 1644 | "priority" : 10, 1645 | "config" : { } 1646 | }, { 1647 | "alias" : "terms_and_conditions", 1648 | "name" : "Terms and Conditions", 1649 | "providerId" : "terms_and_conditions", 1650 | "enabled" : false, 1651 | "defaultAction" : false, 1652 | "priority" : 20, 1653 | "config" : { } 1654 | }, { 1655 | "alias" : "UPDATE_PASSWORD", 1656 | "name" : "Update Password", 1657 | "providerId" : "UPDATE_PASSWORD", 1658 | "enabled" : true, 1659 | "defaultAction" : false, 1660 | "priority" : 30, 1661 | "config" : { } 1662 | }, { 1663 | "alias" : "UPDATE_PROFILE", 1664 | "name" : "Update Profile", 1665 | 
"providerId" : "UPDATE_PROFILE", 1666 | "enabled" : true, 1667 | "defaultAction" : false, 1668 | "priority" : 40, 1669 | "config" : { } 1670 | }, { 1671 | "alias" : "VERIFY_EMAIL", 1672 | "name" : "Verify Email", 1673 | "providerId" : "VERIFY_EMAIL", 1674 | "enabled" : true, 1675 | "defaultAction" : false, 1676 | "priority" : 50, 1677 | "config" : { } 1678 | }, { 1679 | "alias" : "update_user_locale", 1680 | "name" : "Update User Locale", 1681 | "providerId" : "update_user_locale", 1682 | "enabled" : true, 1683 | "defaultAction" : false, 1684 | "priority" : 1000, 1685 | "config" : { } 1686 | } ], 1687 | "browserFlow" : "browser", 1688 | "registrationFlow" : "registration", 1689 | "directGrantFlow" : "direct grant", 1690 | "resetCredentialsFlow" : "reset credentials", 1691 | "clientAuthenticationFlow" : "clients", 1692 | "dockerAuthenticationFlow" : "docker auth", 1693 | "attributes" : { 1694 | "clientOfflineSessionMaxLifespan" : "0", 1695 | "clientSessionIdleTimeout" : "0", 1696 | "clientSessionMaxLifespan" : "0", 1697 | "clientOfflineSessionIdleTimeout" : "0" 1698 | }, 1699 | "keycloakVersion" : "11.0.1", 1700 | "userManagedAccessAllowed" : false 1701 | } -------------------------------------------------------------------------------- /keycloak/dev-users-0.json: -------------------------------------------------------------------------------- 1 | { 2 | "realm" : "dev", 3 | "users" : [ { 4 | "id" : "4a76657b-35f0-43d0-9653-9b0f60ebd4b9", 5 | "createdTimestamp" : 1599206941964, 6 | "username" : "user", 7 | "enabled" : true, 8 | "totp" : false, 9 | "emailVerified" : true, 10 | "firstName" : "User", 11 | "email" : "user@example.org", 12 | "credentials" : [ { 13 | "id" : "fdea0e27-1c7a-4562-a9e0-ccf7049743b4", 14 | "type" : "password", 15 | "createdDate" : 1599206957010, 16 | "secretData" : "{\"value\":\"CIw2sL7+25tiF64pIubf6Ann55xuK5NOu57x1OcOBuTItnCrUwgMKzqnHy+mWBHuBeY7v1XAkBZfkIKjDMVvtg==\",\"salt\":\"j2E5qynZhlrHuBvRsFbSdQ==\"}", 17 | "credentialData" : 
"{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" 18 | } ], 19 | "disableableCredentialTypes" : [ ], 20 | "requiredActions" : [ ], 21 | "realmRoles" : [ "uma_authorization", "offline_access" ], 22 | "clientRoles" : { 23 | "account" : [ "view-profile", "manage-account" ] 24 | }, 25 | "notBefore" : 0, 26 | "groups" : [ "/admin" ] 27 | } ] 28 | } -------------------------------------------------------------------------------- /keycloak/master-realm.json: -------------------------------------------------------------------------------- 1 | { 2 | "id" : "master", 3 | "realm" : "master", 4 | "displayName" : "Keycloak", 5 | "displayNameHtml" : "
<div class=\"kc-logo-text\"><span>Keycloak</span></div>
", 6 | "notBefore" : 0, 7 | "revokeRefreshToken" : false, 8 | "refreshTokenMaxReuse" : 0, 9 | "accessTokenLifespan" : 60, 10 | "accessTokenLifespanForImplicitFlow" : 900, 11 | "ssoSessionIdleTimeout" : 1800, 12 | "ssoSessionMaxLifespan" : 36000, 13 | "ssoSessionIdleTimeoutRememberMe" : 0, 14 | "ssoSessionMaxLifespanRememberMe" : 0, 15 | "offlineSessionIdleTimeout" : 2592000, 16 | "offlineSessionMaxLifespanEnabled" : false, 17 | "offlineSessionMaxLifespan" : 5184000, 18 | "clientSessionIdleTimeout" : 0, 19 | "clientSessionMaxLifespan" : 0, 20 | "clientOfflineSessionIdleTimeout" : 0, 21 | "clientOfflineSessionMaxLifespan" : 0, 22 | "accessCodeLifespan" : 60, 23 | "accessCodeLifespanUserAction" : 300, 24 | "accessCodeLifespanLogin" : 1800, 25 | "actionTokenGeneratedByAdminLifespan" : 43200, 26 | "actionTokenGeneratedByUserLifespan" : 300, 27 | "enabled" : true, 28 | "sslRequired" : "external", 29 | "registrationAllowed" : false, 30 | "registrationEmailAsUsername" : false, 31 | "rememberMe" : false, 32 | "verifyEmail" : false, 33 | "loginWithEmailAllowed" : true, 34 | "duplicateEmailsAllowed" : false, 35 | "resetPasswordAllowed" : false, 36 | "editUsernameAllowed" : false, 37 | "bruteForceProtected" : false, 38 | "permanentLockout" : false, 39 | "maxFailureWaitSeconds" : 900, 40 | "minimumQuickLoginWaitSeconds" : 60, 41 | "waitIncrementSeconds" : 60, 42 | "quickLoginCheckMilliSeconds" : 1000, 43 | "maxDeltaTimeSeconds" : 43200, 44 | "failureFactor" : 30, 45 | "roles" : { 46 | "realm" : [ { 47 | "id" : "cad5f054-24d6-40f7-b0a7-f92473e004cd", 48 | "name" : "uma_authorization", 49 | "description" : "${role_uma_authorization}", 50 | "composite" : false, 51 | "clientRole" : false, 52 | "containerId" : "master", 53 | "attributes" : { } 54 | }, { 55 | "id" : "8dc31889-2998-4388-b537-9607b03675bd", 56 | "name" : "admin", 57 | "description" : "${role_admin}", 58 | "composite" : true, 59 | "composites" : { 60 | "realm" : [ "create-realm" ], 61 | "client" : { 62 | "dev-realm" : [ 
"query-users", "view-clients", "create-client", "view-authorization", "manage-realm", "query-groups", "manage-identity-providers", "manage-clients", "query-clients", "view-realm", "manage-users", "view-events", "query-realms", "manage-authorization", "view-users", "manage-events", "view-identity-providers", "impersonation" ], 63 | "master-realm" : [ "manage-authorization", "manage-users", "view-clients", "create-client", "query-clients", "manage-realm", "manage-clients", "view-users", "view-authorization", "query-groups", "view-realm", "impersonation", "manage-events", "query-users", "manage-identity-providers", "view-events", "view-identity-providers", "query-realms" ] 64 | } 65 | }, 66 | "clientRole" : false, 67 | "containerId" : "master", 68 | "attributes" : { } 69 | }, { 70 | "id" : "a659f9f4-73ae-4f38-8032-a041fd67d8a2", 71 | "name" : "offline_access", 72 | "description" : "${role_offline-access}", 73 | "composite" : false, 74 | "clientRole" : false, 75 | "containerId" : "master", 76 | "attributes" : { } 77 | }, { 78 | "id" : "71c209e5-c04b-4327-8167-4d39c1de8849", 79 | "name" : "create-realm", 80 | "description" : "${role_create-realm}", 81 | "composite" : false, 82 | "clientRole" : false, 83 | "containerId" : "master", 84 | "attributes" : { } 85 | } ], 86 | "client" : { 87 | "dev-realm" : [ { 88 | "id" : "c51aec14-2d64-49fa-86d9-63bb501da7f4", 89 | "name" : "query-users", 90 | "description" : "${role_query-users}", 91 | "composite" : false, 92 | "clientRole" : true, 93 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 94 | "attributes" : { } 95 | }, { 96 | "id" : "1dd2bf97-e307-46bc-8625-3e083f8330bc", 97 | "name" : "view-clients", 98 | "description" : "${role_view-clients}", 99 | "composite" : true, 100 | "composites" : { 101 | "client" : { 102 | "dev-realm" : [ "query-clients" ] 103 | } 104 | }, 105 | "clientRole" : true, 106 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 107 | "attributes" : { } 108 | }, { 109 | "id" : 
"e3025dbd-9f86-45cc-897d-82c9c159835f", 110 | "name" : "query-clients", 111 | "description" : "${role_query-clients}", 112 | "composite" : false, 113 | "clientRole" : true, 114 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 115 | "attributes" : { } 116 | }, { 117 | "id" : "f5c1488a-87c7-409c-b7ee-b5dbc390283e", 118 | "name" : "view-realm", 119 | "description" : "${role_view-realm}", 120 | "composite" : false, 121 | "clientRole" : true, 122 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 123 | "attributes" : { } 124 | }, { 125 | "id" : "9ad6a24a-b454-4a7d-b923-3fc03fcf3150", 126 | "name" : "manage-users", 127 | "description" : "${role_manage-users}", 128 | "composite" : false, 129 | "clientRole" : true, 130 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 131 | "attributes" : { } 132 | }, { 133 | "id" : "ebe63f18-06eb-410b-b607-83e00889bea5", 134 | "name" : "view-events", 135 | "description" : "${role_view-events}", 136 | "composite" : false, 137 | "clientRole" : true, 138 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 139 | "attributes" : { } 140 | }, { 141 | "id" : "37e04442-4e4e-4a8e-b2dd-9b11cb4b70e1", 142 | "name" : "create-client", 143 | "description" : "${role_create-client}", 144 | "composite" : false, 145 | "clientRole" : true, 146 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 147 | "attributes" : { } 148 | }, { 149 | "id" : "d18fd670-73a9-4566-af4c-d3dcc8c53e1f", 150 | "name" : "view-authorization", 151 | "description" : "${role_view-authorization}", 152 | "composite" : false, 153 | "clientRole" : true, 154 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 155 | "attributes" : { } 156 | }, { 157 | "id" : "b4f1201e-d913-49ba-89d0-faeb4781dfe5", 158 | "name" : "manage-realm", 159 | "description" : "${role_manage-realm}", 160 | "composite" : false, 161 | "clientRole" : true, 162 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 163 | "attributes" : { } 164 | }, { 165 | "id" : 
"3d35386e-f292-4aeb-8871-48b3fcd0ed27", 166 | "name" : "query-realms", 167 | "description" : "${role_query-realms}", 168 | "composite" : false, 169 | "clientRole" : true, 170 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 171 | "attributes" : { } 172 | }, { 173 | "id" : "638a8f5a-406d-4c1e-98b2-42a4e03ac64a", 174 | "name" : "manage-authorization", 175 | "description" : "${role_manage-authorization}", 176 | "composite" : false, 177 | "clientRole" : true, 178 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 179 | "attributes" : { } 180 | }, { 181 | "id" : "cdabd507-7a29-442d-9d21-f2309ef74a78", 182 | "name" : "view-users", 183 | "description" : "${role_view-users}", 184 | "composite" : true, 185 | "composites" : { 186 | "client" : { 187 | "dev-realm" : [ "query-users", "query-groups" ] 188 | } 189 | }, 190 | "clientRole" : true, 191 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 192 | "attributes" : { } 193 | }, { 194 | "id" : "dd1affe9-36d7-4836-9c9f-31c4b3f42ecd", 195 | "name" : "manage-events", 196 | "description" : "${role_manage-events}", 197 | "composite" : false, 198 | "clientRole" : true, 199 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 200 | "attributes" : { } 201 | }, { 202 | "id" : "00b62a9c-1117-4b82-af14-b4e2665e8273", 203 | "name" : "query-groups", 204 | "description" : "${role_query-groups}", 205 | "composite" : false, 206 | "clientRole" : true, 207 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 208 | "attributes" : { } 209 | }, { 210 | "id" : "07832e35-a3c5-457d-9ce7-bf2e145c2086", 211 | "name" : "view-identity-providers", 212 | "description" : "${role_view-identity-providers}", 213 | "composite" : false, 214 | "clientRole" : true, 215 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 216 | "attributes" : { } 217 | }, { 218 | "id" : "b97ba415-b89b-4ae8-be5e-c0216329ce8c", 219 | "name" : "impersonation", 220 | "description" : "${role_impersonation}", 221 | "composite" : false, 222 | 
"clientRole" : true, 223 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 224 | "attributes" : { } 225 | }, { 226 | "id" : "7d097e09-ec6f-4782-a43b-a18c3e437ba2", 227 | "name" : "manage-identity-providers", 228 | "description" : "${role_manage-identity-providers}", 229 | "composite" : false, 230 | "clientRole" : true, 231 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 232 | "attributes" : { } 233 | }, { 234 | "id" : "64fde750-86c8-4055-aae5-f1da33e3e95c", 235 | "name" : "manage-clients", 236 | "description" : "${role_manage-clients}", 237 | "composite" : false, 238 | "clientRole" : true, 239 | "containerId" : "0293c8bf-a31a-415f-a340-0c27f348d876", 240 | "attributes" : { } 241 | } ], 242 | "security-admin-console" : [ ], 243 | "admin-cli" : [ ], 244 | "account-console" : [ ], 245 | "broker" : [ { 246 | "id" : "607200b5-f7ad-4c5d-aa1a-ac0e5a248c94", 247 | "name" : "read-token", 248 | "description" : "${role_read-token}", 249 | "composite" : false, 250 | "clientRole" : true, 251 | "containerId" : "f60749f5-624e-4fef-a136-0611f8ac93e7", 252 | "attributes" : { } 253 | } ], 254 | "master-realm" : [ { 255 | "id" : "80f7f3de-55cc-428b-bbac-a681c8ae4d6f", 256 | "name" : "manage-authorization", 257 | "description" : "${role_manage-authorization}", 258 | "composite" : false, 259 | "clientRole" : true, 260 | "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845", 261 | "attributes" : { } 262 | }, { 263 | "id" : "19005818-4d3a-4533-8b3e-43d1c0d158ef", 264 | "name" : "query-groups", 265 | "description" : "${role_query-groups}", 266 | "composite" : false, 267 | "clientRole" : true, 268 | "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845", 269 | "attributes" : { } 270 | }, { 271 | "id" : "4284be5b-9588-42d4-bf83-9c990ec3c36f", 272 | "name" : "view-realm", 273 | "description" : "${role_view-realm}", 274 | "composite" : false, 275 | "clientRole" : true, 276 | "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845", 277 | "attributes" : { } 278 | }, { 279 | 
        "id" : "157cddba-8116-4a0c-8259-bfe70a0c3dc5",
        "name" : "manage-users",
        "description" : "${role_manage-users}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "46fd0062-dda6-4026-973d-e690b81a2679",
        "name" : "impersonation",
        "description" : "${role_impersonation}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "525317f3-2930-43b1-8247-d0c0a854416f",
        "name" : "manage-events",
        "description" : "${role_manage-events}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "a5a45110-09a1-45cc-b881-59d9b1f5c8f7",
        "name" : "view-clients",
        "description" : "${role_view-clients}",
        "composite" : true,
        "composites" : {
          "client" : {
            "master-realm" : [ "query-clients" ]
          }
        },
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "c0386bc7-e7f4-4a6c-9014-43849ba81b06",
        "name" : "create-client",
        "description" : "${role_create-client}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "7954b97e-12e2-494e-8909-ec64bb5cbba7",
        "name" : "query-clients",
        "description" : "${role_query-clients}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "26f2ebe0-036a-4fa0-aed6-eed7c04019b7",
        "name" : "manage-realm",
        "description" : "${role_manage-realm}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "a7527e18-4ad7-4a05-9b3d-91f23dff9df9",
        "name" : "manage-clients",
        "description" : "${role_manage-clients}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "ebb73dd5-ed8f-4f38-bd1f-572fea07255c",
        "name" : "view-users",
        "description" : "${role_view-users}",
        "composite" : true,
        "composites" : {
          "client" : {
            "master-realm" : [ "query-groups", "query-users" ]
          }
        },
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "84e87a3b-9569-427e-a8c6-2c9598fb0b76",
        "name" : "view-authorization",
        "description" : "${role_view-authorization}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "af8bdca5-dbfb-4f40-8203-6e5946abbc4d",
        "name" : "query-users",
        "description" : "${role_query-users}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "a439373e-9864-49da-92db-45678bbab177",
        "name" : "manage-identity-providers",
        "description" : "${role_manage-identity-providers}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "835d6e58-c206-4d33-91c2-bdadc0ad1e7f",
        "name" : "view-events",
        "description" : "${role_view-events}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "ab0fc51c-9d38-4b9e-a9fe-32633e39a602",
        "name" : "view-identity-providers",
        "description" : "${role_view-identity-providers}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      }, {
        "id" : "47fe8879-c577-47c7-b7e2-7bd0fe7eb7e4",
        "name" : "query-realms",
        "description" : "${role_query-realms}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
        "attributes" : { }
      } ],
      "account" : [ {
        "id" : "35950037-b29c-4045-a992-ab4d66253598",
        "name" : "manage-account",
        "description" : "${role_manage-account}",
        "composite" : true,
        "composites" : {
          "client" : {
            "account" : [ "manage-account-links" ]
          }
        },
        "clientRole" : true,
        "containerId" : "f2cd1338-bcdc-42ad-a795-7d517967a776",
        "attributes" : { }
      }, {
        "id" : "4e869e10-f3d9-44e7-86f6-ae21fe4dca8b",
        "name" : "manage-consent",
        "description" : "${role_manage-consent}",
        "composite" : true,
        "composites" : {
          "client" : {
            "account" : [ "view-consent" ]
          }
        },
        "clientRole" : true,
        "containerId" : "f2cd1338-bcdc-42ad-a795-7d517967a776",
        "attributes" : { }
      }, {
        "id" : "5b3921ae-6eaa-49da-b49f-d5e840c6eb78",
        "name" : "view-profile",
        "description" : "${role_view-profile}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f2cd1338-bcdc-42ad-a795-7d517967a776",
        "attributes" : { }
      }, {
        "id" : "a5079642-8c16-4ea9-ae6a-5a07664ec384",
        "name" : "manage-account-links",
        "description" : "${role_manage-account-links}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f2cd1338-bcdc-42ad-a795-7d517967a776",
        "attributes" : { }
      }, {
        "id" : "8fcd9d22-f96a-4f6b-acb8-e79314d0904f",
        "name" : "view-consent",
        "description" : "${role_view-consent}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f2cd1338-bcdc-42ad-a795-7d517967a776",
        "attributes" : { }
      }, {
        "id" : "74d82bac-6bb3-49ee-bc7c-774a27a3ff55",
        "name" : "view-applications",
        "description" : "${role_view-applications}",
        "composite" : false,
        "clientRole" : true,
        "containerId" : "f2cd1338-bcdc-42ad-a795-7d517967a776",
        "attributes" : { }
      } ]
    }
  },
  "groups" : [ ],
  "defaultRoles" : [ "offline_access", "uma_authorization" ],
  "requiredCredentials" : [ "password" ],
  "otpPolicyType" : "totp",
  "otpPolicyAlgorithm" : "HmacSHA1",
  "otpPolicyInitialCounter" : 0,
  "otpPolicyDigits" : 6,
  "otpPolicyLookAheadWindow" : 1,
  "otpPolicyPeriod" : 30,
  "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ],
  "webAuthnPolicyRpEntityName" : "keycloak",
  "webAuthnPolicySignatureAlgorithms" : [ "ES256" ],
  "webAuthnPolicyRpId" : "",
  "webAuthnPolicyAttestationConveyancePreference" : "not specified",
  "webAuthnPolicyAuthenticatorAttachment" : "not specified",
  "webAuthnPolicyRequireResidentKey" : "not specified",
  "webAuthnPolicyUserVerificationRequirement" : "not specified",
  "webAuthnPolicyCreateTimeout" : 0,
  "webAuthnPolicyAvoidSameAuthenticatorRegister" : false,
  "webAuthnPolicyAcceptableAaguids" : [ ],
  "webAuthnPolicyPasswordlessRpEntityName" : "keycloak",
  "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ],
  "webAuthnPolicyPasswordlessRpId" : "",
  "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified",
  "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified",
  "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified",
  "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified",
  "webAuthnPolicyPasswordlessCreateTimeout" : 0,
  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false,
  "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ],
  "scopeMappings" : [ {
    "clientScope" : "offline_access",
    "roles" : [ "offline_access" ]
  } ],
  "clientScopeMappings" : {
    "account" : [ {
      "client" : "account-console",
      "roles" : [ "manage-account" ]
    } ]
  },
  "clients" : [ {
    "id" : "f2cd1338-bcdc-42ad-a795-7d517967a776",
    "clientId" : "account",
    "name" : "${client_account}",
    "rootUrl" : "${authBaseUrl}",
    "baseUrl" : "/realms/master/account/",
    "surrogateAuthRequired" : false,
    "enabled" : true,
    "alwaysDisplayInConsole" : false,
    "clientAuthenticatorType" : "client-secret",
    "secret" : "76254543-ec2d-41d0-97c3-639f3a70a7c3",
    "defaultRoles" : [ "manage-account", "view-profile" ],
    "redirectUris" : [ "/realms/master/account/*" ],
    "webOrigins" : [ ],
    "notBefore" : 0,
    "bearerOnly" : false,
    "consentRequired" : false,
    "standardFlowEnabled" : true,
    "implicitFlowEnabled" : false,
    "directAccessGrantsEnabled" : false,
    "serviceAccountsEnabled" : false,
    "publicClient" : false,
    "frontchannelLogout" : false,
    "protocol" : "openid-connect",
    "attributes" : { },
    "authenticationFlowBindingOverrides" : { },
    "fullScopeAllowed" : false,
    "nodeReRegistrationTimeout" : 0,
    "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
  }, {
    "id" : "49b0230d-b130-413e-81ca-de8a1e035c1a",
    "clientId" : "account-console",
    "name" : "${client_account-console}",
    "rootUrl" : "${authBaseUrl}",
    "baseUrl" : "/realms/master/account/",
    "surrogateAuthRequired" : false,
    "enabled" : true,
    "alwaysDisplayInConsole" : false,
    "clientAuthenticatorType" : "client-secret",
    "secret" : "20f75ef3-a1ed-481d-8e91-33bd9a4df8ea",
    "redirectUris" : [ "/realms/master/account/*" ],
    "webOrigins" : [ ],
    "notBefore" : 0,
    "bearerOnly" : false,
    "consentRequired" : false,
    "standardFlowEnabled" : true,
    "implicitFlowEnabled" : false,
    "directAccessGrantsEnabled" : false,
    "serviceAccountsEnabled" : false,
    "publicClient" : true,
    "frontchannelLogout" : false,
    "protocol" : "openid-connect",
    "attributes" : {
      "pkce.code.challenge.method" : "S256"
    },
    "authenticationFlowBindingOverrides" : { },
    "fullScopeAllowed" : false,
    "nodeReRegistrationTimeout" : 0,
    "protocolMappers" : [ {
      "id" : "f1386b3b-facc-4650-a893-7d1cd4a1a25b",
      "name" : "audience resolve",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-audience-resolve-mapper",
      "consentRequired" : false,
      "config" : { }
    } ],
    "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
  }, {
    "id" : "5ad87442-ff5a-4cec-a864-884732e78ed0",
    "clientId" : "admin-cli",
    "name" : "${client_admin-cli}",
    "surrogateAuthRequired" : false,
    "enabled" : true,
    "alwaysDisplayInConsole" : false,
    "clientAuthenticatorType" : "client-secret",
    "secret" : "efaf8475-3349-423e-861f-1a2845ee04cb",
    "redirectUris" : [ ],
    "webOrigins" : [ ],
    "notBefore" : 0,
    "bearerOnly" : false,
    "consentRequired" : false,
    "standardFlowEnabled" : false,
    "implicitFlowEnabled" : false,
    "directAccessGrantsEnabled" : true,
    "serviceAccountsEnabled" : false,
    "publicClient" : true,
    "frontchannelLogout" : false,
    "protocol" : "openid-connect",
    "attributes" : { },
    "authenticationFlowBindingOverrides" : { },
    "fullScopeAllowed" : false,
    "nodeReRegistrationTimeout" : 0,
    "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
  }, {
    "id" : "f60749f5-624e-4fef-a136-0611f8ac93e7",
    "clientId" : "broker",
    "name" : "${client_broker}",
    "surrogateAuthRequired" : false,
    "enabled" : true,
    "alwaysDisplayInConsole" : false,
    "clientAuthenticatorType" : "client-secret",
    "secret" : "3f3ecf73-9f47-4fc3-b711-3865bfa7179b",
    "redirectUris" : [ ],
    "webOrigins" : [ ],
    "notBefore" : 0,
    "bearerOnly" : false,
    "consentRequired" : false,
    "standardFlowEnabled" : true,
    "implicitFlowEnabled" : false,
    "directAccessGrantsEnabled" : false,
    "serviceAccountsEnabled" : false,
    "publicClient" : false,
    "frontchannelLogout" : false,
    "protocol" : "openid-connect",
    "attributes" : { },
    "authenticationFlowBindingOverrides" : { },
    "fullScopeAllowed" : false,
    "nodeReRegistrationTimeout" : 0,
    "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
  }, {
    "id" : "0293c8bf-a31a-415f-a340-0c27f348d876",
    "clientId" : "dev-realm",
    "name" : "dev Realm",
    "surrogateAuthRequired" : false,
    "enabled" : true,
    "alwaysDisplayInConsole" : false,
    "clientAuthenticatorType" : "client-secret",
    "secret" : "3d10a2e9-5171-48f4-9083-a7ec18dc2ba8",
    "redirectUris" : [ ],
    "webOrigins" : [ ],
    "notBefore" : 0,
    "bearerOnly" : true,
    "consentRequired" : false,
    "standardFlowEnabled" : true,
    "implicitFlowEnabled" : false,
    "directAccessGrantsEnabled" : false,
    "serviceAccountsEnabled" : false,
    "publicClient" : false,
    "frontchannelLogout" : false,
    "attributes" : { },
    "authenticationFlowBindingOverrides" : { },
    "fullScopeAllowed" : true,
    "nodeReRegistrationTimeout" : 0,
    "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
  }, {
    "id" : "f70f5546-2db0-4408-ab8c-d69eb9d83845",
    "clientId" : "master-realm",
    "name" : "master Realm",
    "surrogateAuthRequired" : false,
    "enabled" : true,
    "alwaysDisplayInConsole" : false,
    "clientAuthenticatorType" : "client-secret",
    "secret" : "722c0b4b-56fb-4cb4-b255-b15bc39483d0",
    "redirectUris" : [ ],
    "webOrigins" : [ ],
    "notBefore" : 0,
    "bearerOnly" : true,
    "consentRequired" : false,
    "standardFlowEnabled" : true,
    "implicitFlowEnabled" : false,
    "directAccessGrantsEnabled" : false,
    "serviceAccountsEnabled" : false,
    "publicClient" : false,
    "frontchannelLogout" : false,
    "attributes" : { },
    "authenticationFlowBindingOverrides" : { },
    "fullScopeAllowed" : true,
    "nodeReRegistrationTimeout" : 0,
    "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
  }, {
    "id" : "226f00b2-2a6f-4ffe-8226-e447e33b9831",
    "clientId" : "security-admin-console",
    "name" : "${client_security-admin-console}",
    "rootUrl" : "${authAdminUrl}",
    "baseUrl" : "/admin/master/console/",
    "surrogateAuthRequired" : false,
    "enabled" : true,
    "alwaysDisplayInConsole" : false,
    "clientAuthenticatorType" : "client-secret",
    "secret" : "73005432-f689-48a2-a3de-1e2535e8562f",
    "redirectUris" : [ "/admin/master/console/*" ],
    "webOrigins" : [ "+" ],
    "notBefore" : 0,
    "bearerOnly" : false,
    "consentRequired" : false,
    "standardFlowEnabled" : true,
    "implicitFlowEnabled" : false,
    "directAccessGrantsEnabled" : false,
    "serviceAccountsEnabled" : false,
    "publicClient" : true,
    "frontchannelLogout" : false,
    "protocol" : "openid-connect",
    "attributes" : {
      "pkce.code.challenge.method" : "S256"
    },
    "authenticationFlowBindingOverrides" : { },
    "fullScopeAllowed" : false,
    "nodeReRegistrationTimeout" : 0,
    "protocolMappers" : [ {
      "id" : "1787c71e-8fca-471c-b5e1-24c7524ccdd7",
      "name" : "locale",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "locale",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "locale",
        "jsonType.label" : "String"
      }
    } ],
    "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
  } ],
  "clientScopes" : [ {
    "id" : "258c890d-5677-4dc9-94f3-157591c2410d",
    "name" : "role_list",
    "description" : "SAML role list",
    "protocol" : "saml",
    "attributes" : {
      "consent.screen.text" : "${samlRoleListScopeConsentText}",
      "display.on.consent.screen" : "true"
    },
    "protocolMappers" : [ {
      "id" : "79e9a230-bf9d-4953-ae77-f9c404d22299",
      "name" : "role list",
      "protocol" : "saml",
      "protocolMapper" : "saml-role-list-mapper",
      "consentRequired" : false,
      "config" : {
        "single" : "false",
        "attribute.nameformat" : "Basic",
        "attribute.name" : "Role"
      }
    } ]
  }, {
    "id" : "2d7b1132-cd54-46b1-ad0d-7312c6845780",
    "name" : "phone",
    "description" : "OpenID Connect built-in scope: phone",
    "protocol" : "openid-connect",
    "attributes" : {
      "include.in.token.scope" : "true",
      "display.on.consent.screen" : "true",
      "consent.screen.text" : "${phoneScopeConsentText}"
    },
    "protocolMappers" : [ {
      "id" : "a6111334-bb2d-4883-813e-c9f63d7afe61",
      "name" : "phone number",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "phoneNumber",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "phone_number",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "542fe316-69c2-4054-bde5-a20ba75e9b98",
      "name" : "phone number verified",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "phoneNumberVerified",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "phone_number_verified",
        "jsonType.label" : "boolean"
      }
    } ]
  }, {
    "id" : "3a799201-dd8d-49fa-b032-7c5b362badd6",
    "name" : "roles",
    "description" : "OpenID Connect scope for add user roles to the access token",
    "protocol" : "openid-connect",
    "attributes" : {
      "include.in.token.scope" : "false",
      "display.on.consent.screen" : "true",
      "consent.screen.text" : "${rolesScopeConsentText}"
    },
    "protocolMappers" : [ {
      "id" : "d797e179-c9a2-4124-a569-5121db2b7d74",
      "name" : "client roles",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-client-role-mapper",
      "consentRequired" : false,
      "config" : {
        "user.attribute" : "foo",
        "access.token.claim" : "true",
        "claim.name" : "resource_access.${client_id}.roles",
        "jsonType.label" : "String",
        "multivalued" : "true"
      }
    }, {
      "id" : "f18b3091-1af6-4ffe-8406-387a166c798e",
      "name" : "realm roles",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-realm-role-mapper",
      "consentRequired" : false,
      "config" : {
        "user.attribute" : "foo",
        "access.token.claim" : "true",
        "claim.name" : "realm_access.roles",
        "jsonType.label" : "String",
        "multivalued" : "true"
      }
    }, {
      "id" : "b0f2cc26-6445-4d41-a37b-dbf1cf37e1d9",
      "name" : "audience resolve",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-audience-resolve-mapper",
      "consentRequired" : false,
      "config" : { }
    } ]
  }, {
    "id" : "6e9e7bfc-0fe1-4b02-9309-1dc5deb4a4f6",
    "name" : "profile",
    "description" : "OpenID Connect built-in scope: profile",
    "protocol" : "openid-connect",
    "attributes" : {
      "include.in.token.scope" : "true",
      "display.on.consent.screen" : "true",
      "consent.screen.text" : "${profileScopeConsentText}"
    },
    "protocolMappers" : [ {
      "id" : "11b295a3-a0ef-47c5-b04b-a68bcb2b0fa7",
      "name" : "full name",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-full-name-mapper",
      "consentRequired" : false,
      "config" : {
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "userinfo.token.claim" : "true"
      }
    }, {
      "id" : "3f04ca33-47c0-4bd4-b6e6-6daf3eb89c23",
      "name" : "middle name",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "middleName",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "middle_name",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "419a8448-1379-4916-ab86-975a9a703566",
      "name" : "website",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "website",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "website",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "1ab731ed-90c5-4dad-8ca9-685882511e4e",
      "name" : "gender",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "gender",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "gender",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "9c2353c5-bca7-4407-b7da-455ee6eae42d",
      "name" : "username",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-property-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "username",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "preferred_username",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "213e0c5d-96c3-4921-82e3-b5791ef872bd",
      "name" : "nickname",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "nickname",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "nickname",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "c95dfc56-db42-44bf-9c31-1894080890d1",
      "name" : "updated at",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "updatedAt",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "updated_at",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "44fb5153-90c1-4eca-aed7-cb1f254251de",
      "name" : "family name",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-property-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "lastName",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "family_name",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "314f45a5-f214-40ec-9f7b-d2e43f331e30",
      "name" : "birthdate",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "birthdate",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "birthdate",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "a9d1284e-2e85-4d91-94f8-f4352270dfd4",
      "name" : "profile",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "profile",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "profile",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "c7a7a67b-3d6c-451e-89fc-a8953144dafc",
      "name" : "given name",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-property-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "firstName",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "given_name",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "4577415b-f74e-4516-bde2-4cc53f3de427",
      "name" : "locale",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "locale",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "locale",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "e543cc27-5cbe-4106-8a35-b28ee8e569f6",
      "name" : "picture",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "picture",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "picture",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "ca296388-d837-416a-b589-512762e76542",
      "name" : "zoneinfo",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-attribute-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "zoneinfo",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "zoneinfo",
        "jsonType.label" : "String"
      }
    } ]
  }, {
    "id" : "8539e05c-e271-4f77-a745-2d72afc62437",
    "name" : "address",
    "description" : "OpenID Connect built-in scope: address",
    "protocol" : "openid-connect",
    "attributes" : {
      "include.in.token.scope" : "true",
      "display.on.consent.screen" : "true",
      "consent.screen.text" : "${addressScopeConsentText}"
    },
    "protocolMappers" : [ {
      "id" : "b8f69bba-1d85-4487-a2cb-eadb4a7badc5",
      "name" : "address",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-address-mapper",
      "consentRequired" : false,
      "config" : {
        "user.attribute.formatted" : "formatted",
        "user.attribute.country" : "country",
        "user.attribute.postal_code" : "postal_code",
        "userinfo.token.claim" : "true",
        "user.attribute.street" : "street",
        "id.token.claim" : "true",
        "user.attribute.region" : "region",
        "access.token.claim" : "true",
        "user.attribute.locality" : "locality"
      }
    } ]
  }, {
    "id" : "9aac9900-652f-4db9-ad95-40823d5f53a6",
    "name" : "microprofile-jwt",
    "description" : "Microprofile - JWT built-in scope",
    "protocol" : "openid-connect",
    "attributes" : {
      "include.in.token.scope" : "true",
      "display.on.consent.screen" : "false"
    },
    "protocolMappers" : [ {
      "id" : "ea893d63-e5d8-45ad-91ef-b9b7a5d66cbe",
      "name" : "groups",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-realm-role-mapper",
      "consentRequired" : false,
      "config" : {
        "multivalued" : "true",
        "user.attribute" : "foo",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "groups",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "2cb2dba4-67a7-4e1d-9d62-948f7a55f9f5",
      "name" : "upn",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-property-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "username",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "upn",
        "jsonType.label" : "String"
      }
    } ]
  }, {
    "id" : "d50d7286-379f-43d9-a0fd-75598c70ec5c",
    "name" : "offline_access",
    "description" : "OpenID Connect built-in scope: offline_access",
    "protocol" : "openid-connect",
    "attributes" : {
      "consent.screen.text" : "${offlineAccessScopeConsentText}",
      "display.on.consent.screen" : "true"
    }
  }, {
    "id" : "eaffce1b-3ab9-4426-a788-6afe0804cc70",
    "name" : "email",
    "description" : "OpenID Connect built-in scope: email",
    "protocol" : "openid-connect",
    "attributes" : {
      "include.in.token.scope" : "true",
      "display.on.consent.screen" : "true",
      "consent.screen.text" : "${emailScopeConsentText}"
    },
    "protocolMappers" : [ {
      "id" : "4b73f522-92da-45e9-a661-f7e10bef2232",
      "name" : "email",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-property-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "email",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "email",
        "jsonType.label" : "String"
      }
    }, {
      "id" : "0ee8ca8c-35e4-4e49-93ab-16c1065685b6",
      "name" : "email verified",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-usermodel-property-mapper",
      "consentRequired" : false,
      "config" : {
        "userinfo.token.claim" : "true",
        "user.attribute" : "emailVerified",
        "id.token.claim" : "true",
        "access.token.claim" : "true",
        "claim.name" : "email_verified",
        "jsonType.label" : "boolean"
      }
    } ]
  }, {
    "id" : "fbb8008a-5b39-4ab9-be4e-7909e741ec8a",
    "name" : "web-origins",
    "description" : "OpenID Connect scope for add allowed web origins to the access token",
    "protocol" : "openid-connect",
    "attributes" : {
      "include.in.token.scope" : "false",
      "display.on.consent.screen" : "false",
      "consent.screen.text" : ""
    },
    "protocolMappers" : [ {
      "id" : "feafce8b-97af-401c-aed1-08892b4a7d93",
      "name" : "allowed web origins",
      "protocol" : "openid-connect",
      "protocolMapper" : "oidc-allowed-origins-mapper",
      "consentRequired" : false,
      "config" : { }
    } ]
  } ],
  "defaultDefaultClientScopes" : [ "role_list", "roles", "profile", "email", "web-origins" ],
  "defaultOptionalClientScopes" : [ "phone", "address", "microprofile-jwt", "offline_access" ],
  "browserSecurityHeaders" : {
    "contentSecurityPolicyReportOnly" : "",
    "xContentTypeOptions" : "nosniff",
    "xRobotsTag" : "none",
    "xFrameOptions" : "SAMEORIGIN",
    "xXSSProtection" : "1; mode=block",
    "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
    "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
  },
  "smtpServer" : { },
  "eventsEnabled" : false,
  "eventsListeners" : [ "jboss-logging" ],
  "enabledEventTypes" : [ ],
  "adminEventsEnabled" : false,
  "adminEventsDetailsEnabled" : false,
  "components" : {
    "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ {
      "id" : "ff2cddc7-a43c-4f2a-bc1c-5effb5e600d8",
      "name" : "Allowed Protocol Mapper Types",
      "providerId" : "allowed-protocol-mappers",
      "subType" : "authenticated",
      "subComponents" : { },
      "config" : {
        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper" ]
      }
    }, {
      "id" : "18a3cd84-c565-4790-b050-daaa7007bc80",
      "name" : "Allowed Client Scopes",
      "providerId" : "allowed-client-templates",
      "subType" : "authenticated",
      "subComponents" : { },
      "config" : {
        "allow-default-scopes" : [ "true" ]
      }
    }, {
      "id" : "f23b7304-0a7a-460c-9375-3585f4eeb7d9",
      "name" : "Allowed Protocol Mapper Types",
      "providerId" : "allowed-protocol-mappers",
      "subType" : "anonymous",
      "subComponents" : { },
      "config" : {
        "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "oidc-address-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper" ]
      }
    }, {
      "id" : "6bfbc581-5833-4e92-a79c-fd3fb41e9851",
      "name" : "Consent Required",
      "providerId" : "consent-required",
      "subType" : "anonymous",
      "subComponents" : { },
      "config" : { }
    }, {
      "id" : "cf0456dd-c630-4de2-b499-e653407250e2",
      "name" : "Full Scope Disabled",
      "providerId" : "scope",
      "subType" : "anonymous",
      "subComponents" : { },
      "config" : { }
    }, {
      "id" : "30beeb7f-5cd6-4d80-97ab-b94ef00a9c99",
      "name" : "Allowed Client Scopes",
      "providerId" : "allowed-client-templates",
      "subType" : "anonymous",
      "subComponents" : { },
      "config" : {
        "allow-default-scopes" : [ "true" ]
      }
    }, {
      "id" : "16f7b39c-98e7-40c3-be74-f94fab9ae3d4",
      "name" : "Max Clients Limit",
      "providerId" : "max-clients",
      "subType" : "anonymous",
      "subComponents" : { },
      "config" : {
        "max-clients" : [ "200" ]
      }
    }, {
      "id" : "7e5c0921-c8b9-4a8d-8d3e-5d1503358e49",
      "name" : "Trusted Hosts",
      "providerId" : "trusted-hosts",
      "subType" : "anonymous",
      "subComponents" : { },
      "config" : {
        "host-sending-registration-request-must-match" : [ "true" ],
        "client-uris-must-match" : [ "true" ]
      }
    } ],
    "org.keycloak.keys.KeyProvider" : [ {
      "id" : "9453f436-5cad-4c28-a252-b2df7bba6bba",
      "name" : "fallback-HS256",
      "providerId" : "hmac-generated",
      "subComponents" : { },
      "config" : {
        "kid" : [ "24156499-2e00-4d25-bb99-6e78b511183e" ],
        "secret" : [ "xJP82vaFxL_PnNM22n1TvHjH0rqWW04LfiUpvJi1RBBsN9eTq5NX4DYWdNx5SsoNzNAJKgu2a_0Cz-R8SqKQKQ" ],
        "priority" : [ "-100" ],
        "algorithm" : [ "HS256" ]
      }
    }, {
      "id" : "c84b228b-91da-4fdc-9ef5-8dbcc486c9a2",
      "name" : "fallback-RS256",
      "providerId" : "rsa-generated",
      "subComponents" : { },
      "config" : {
        "privateKey" : [ "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" ],
        "certificate" : [ "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" ],
        "priority" : [ "-100" ],
        "algorithm" : [ "RS256" ]
      }
    } ]
  },
  "internationalizationEnabled" : false,
  "supportedLocales" : [ ],
  "authenticationFlows" : [ {
    "id" : "5e924963-ee24-49e5-9d66-01fd4663913b",
    "alias" : "Account verification options",
    "description" : "Method with which to verity the existing account",
    "providerId" : "basic-flow",
    "topLevel" : false,
    "builtIn" : true,
    "authenticationExecutions" : [ {
      "authenticator" : "idp-email-verification",
      "requirement" : "ALTERNATIVE",
      "priority" : 10,
      "userSetupAllowed" : false,
      "autheticatorFlow" : false
    }, {
      "requirement" : "ALTERNATIVE",
      "priority" : 20,
      "flowAlias" : "Verify Existing Account by Re-authentication",
      "userSetupAllowed" : false,
      "autheticatorFlow" : true
    } ]
  }, {
    "id" : "c4f19766-543a-4813-8ba5-560fbf7d04ba",
    "alias" : "Authentication Options",
    "description" : "Authentication options.",
    "providerId" : "basic-flow",
    "topLevel" : false,
    "builtIn" : true,
    "authenticationExecutions" : [ {
      "authenticator" : "basic-auth",
      "requirement" : "REQUIRED",
      "priority" : 10,
      "userSetupAllowed" : false,
      "autheticatorFlow" : false
    }, {
      "authenticator" : "basic-auth-otp",
      "requirement" : "DISABLED",
      "priority" : 20,
      "userSetupAllowed" : false,
      "autheticatorFlow" : false
    }, {
      "authenticator" : "auth-spnego",
      "requirement" : "DISABLED",
      "priority" : 30,
      "userSetupAllowed" : false,
      "autheticatorFlow" : false
    } ]
  }, {
    "id" : "f0097d54-cc50-457b-8c67-27ef68ff3a52",
    "alias" : "Browser - Conditional OTP",
    "description" : "Flow to determine if the OTP is required for the authentication",
    "providerId" : "basic-flow",
    "topLevel" : false,
    "builtIn" : true,
    "authenticationExecutions" : [ {
      "authenticator" : "conditional-user-configured",
      "requirement" : "REQUIRED",
      "priority" : 10,
      "userSetupAllowed" : false,
      "autheticatorFlow" : false
    }, {
      "authenticator" : "auth-otp-form",
      "requirement" : "REQUIRED",
      "priority" : 20,
      "userSetupAllowed" : false,
      "autheticatorFlow" : false
    } ]
  }, {
    "id" : "1dfbc9d4-1beb-4da9-8e21-61c0483d0280",
    "alias" : "Direct Grant - Conditional OTP",
    "description" : "Flow to determine if the OTP is required for the authentication",
    "providerId" : "basic-flow",
    "topLevel" : false,
    "builtIn" : true,
    "authenticationExecutions" : [ {
      "authenticator" : "conditional-user-configured",
      "requirement" : "REQUIRED",
      "priority" : 10,
      "userSetupAllowed" : false,
      "autheticatorFlow" : false
    }, {
      "authenticator" : "direct-grant-validate-otp",
      "requirement" : "REQUIRED",
      "priority" : 20,
      "userSetupAllowed" : false,
      "autheticatorFlow"
: false 1372 | } ] 1373 | }, { 1374 | "id" : "62481b81-ca5b-4579-9a3d-0992246e5bbf", 1375 | "alias" : "First broker login - Conditional OTP", 1376 | "description" : "Flow to determine if the OTP is required for the authentication", 1377 | "providerId" : "basic-flow", 1378 | "topLevel" : false, 1379 | "builtIn" : true, 1380 | "authenticationExecutions" : [ { 1381 | "authenticator" : "conditional-user-configured", 1382 | "requirement" : "REQUIRED", 1383 | "priority" : 10, 1384 | "userSetupAllowed" : false, 1385 | "autheticatorFlow" : false 1386 | }, { 1387 | "authenticator" : "auth-otp-form", 1388 | "requirement" : "REQUIRED", 1389 | "priority" : 20, 1390 | "userSetupAllowed" : false, 1391 | "autheticatorFlow" : false 1392 | } ] 1393 | }, { 1394 | "id" : "f8df0708-b3f8-46d7-be2b-06677170ee3f", 1395 | "alias" : "Handle Existing Account", 1396 | "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", 1397 | "providerId" : "basic-flow", 1398 | "topLevel" : false, 1399 | "builtIn" : true, 1400 | "authenticationExecutions" : [ { 1401 | "authenticator" : "idp-confirm-link", 1402 | "requirement" : "REQUIRED", 1403 | "priority" : 10, 1404 | "userSetupAllowed" : false, 1405 | "autheticatorFlow" : false 1406 | }, { 1407 | "requirement" : "REQUIRED", 1408 | "priority" : 20, 1409 | "flowAlias" : "Account verification options", 1410 | "userSetupAllowed" : false, 1411 | "autheticatorFlow" : true 1412 | } ] 1413 | }, { 1414 | "id" : "86fa9546-00fa-4917-81e2-f98f26ae1d0a", 1415 | "alias" : "Reset - Conditional OTP", 1416 | "description" : "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", 1417 | "providerId" : "basic-flow", 1418 | "topLevel" : false, 1419 | "builtIn" : true, 1420 | "authenticationExecutions" : [ { 1421 | "authenticator" : "conditional-user-configured", 1422 | "requirement" : "REQUIRED", 1423 | "priority" : 10, 1424 | "userSetupAllowed" : false, 1425 | "autheticatorFlow" : false 1426 | }, { 1427 | "authenticator" : "reset-otp", 1428 | "requirement" : "REQUIRED", 1429 | "priority" : 20, 1430 | "userSetupAllowed" : false, 1431 | "autheticatorFlow" : false 1432 | } ] 1433 | }, { 1434 | "id" : "217452ec-fd7f-4059-9bdd-a97c41973a43", 1435 | "alias" : "User creation or linking", 1436 | "description" : "Flow for the existing/non-existing user alternatives", 1437 | "providerId" : "basic-flow", 1438 | "topLevel" : false, 1439 | "builtIn" : true, 1440 | "authenticationExecutions" : [ { 1441 | "authenticatorConfig" : "create unique user config", 1442 | "authenticator" : "idp-create-user-if-unique", 1443 | "requirement" : "ALTERNATIVE", 1444 | "priority" : 10, 1445 | "userSetupAllowed" : false, 1446 | "autheticatorFlow" : false 1447 | }, { 1448 | "requirement" : "ALTERNATIVE", 1449 | "priority" : 20, 1450 | "flowAlias" : "Handle Existing Account", 1451 | "userSetupAllowed" : false, 1452 | "autheticatorFlow" : true 1453 | } ] 1454 | }, { 1455 | "id" : "ae7bac05-3e31-4079-aafa-dbd51bfe2857", 1456 | "alias" : "Verify Existing Account by Re-authentication", 1457 | "description" : "Reauthentication of existing account", 1458 | "providerId" : "basic-flow", 1459 | "topLevel" : false, 1460 | "builtIn" : true, 1461 | "authenticationExecutions" : [ { 1462 | "authenticator" : "idp-username-password-form", 1463 | "requirement" : "REQUIRED", 1464 | "priority" : 10, 1465 | "userSetupAllowed" : false, 1466 | "autheticatorFlow" : false 1467 | }, { 1468 | "requirement" : "CONDITIONAL", 1469 | "priority" : 20, 1470 | "flowAlias" : "First broker login - Conditional OTP", 1471 | "userSetupAllowed" : false, 1472 | "autheticatorFlow" : 
true 1473 | } ] 1474 | }, { 1475 | "id" : "cfd3aecd-d321-480a-82f2-3f8a5959f231", 1476 | "alias" : "browser", 1477 | "description" : "browser based authentication", 1478 | "providerId" : "basic-flow", 1479 | "topLevel" : true, 1480 | "builtIn" : true, 1481 | "authenticationExecutions" : [ { 1482 | "authenticator" : "auth-cookie", 1483 | "requirement" : "ALTERNATIVE", 1484 | "priority" : 10, 1485 | "userSetupAllowed" : false, 1486 | "autheticatorFlow" : false 1487 | }, { 1488 | "authenticator" : "auth-spnego", 1489 | "requirement" : "DISABLED", 1490 | "priority" : 20, 1491 | "userSetupAllowed" : false, 1492 | "autheticatorFlow" : false 1493 | }, { 1494 | "authenticator" : "identity-provider-redirector", 1495 | "requirement" : "ALTERNATIVE", 1496 | "priority" : 25, 1497 | "userSetupAllowed" : false, 1498 | "autheticatorFlow" : false 1499 | }, { 1500 | "requirement" : "ALTERNATIVE", 1501 | "priority" : 30, 1502 | "flowAlias" : "forms", 1503 | "userSetupAllowed" : false, 1504 | "autheticatorFlow" : true 1505 | } ] 1506 | }, { 1507 | "id" : "5912af0d-2081-4cd5-a402-baac4fb5311f", 1508 | "alias" : "clients", 1509 | "description" : "Base authentication for clients", 1510 | "providerId" : "client-flow", 1511 | "topLevel" : true, 1512 | "builtIn" : true, 1513 | "authenticationExecutions" : [ { 1514 | "authenticator" : "client-secret", 1515 | "requirement" : "ALTERNATIVE", 1516 | "priority" : 10, 1517 | "userSetupAllowed" : false, 1518 | "autheticatorFlow" : false 1519 | }, { 1520 | "authenticator" : "client-jwt", 1521 | "requirement" : "ALTERNATIVE", 1522 | "priority" : 20, 1523 | "userSetupAllowed" : false, 1524 | "autheticatorFlow" : false 1525 | }, { 1526 | "authenticator" : "client-secret-jwt", 1527 | "requirement" : "ALTERNATIVE", 1528 | "priority" : 30, 1529 | "userSetupAllowed" : false, 1530 | "autheticatorFlow" : false 1531 | }, { 1532 | "authenticator" : "client-x509", 1533 | "requirement" : "ALTERNATIVE", 1534 | "priority" : 40, 1535 | "userSetupAllowed" : false, 
1536 | "autheticatorFlow" : false 1537 | } ] 1538 | }, { 1539 | "id" : "a199ab86-3392-463e-861c-bb250f0acace", 1540 | "alias" : "direct grant", 1541 | "description" : "OpenID Connect Resource Owner Grant", 1542 | "providerId" : "basic-flow", 1543 | "topLevel" : true, 1544 | "builtIn" : true, 1545 | "authenticationExecutions" : [ { 1546 | "authenticator" : "direct-grant-validate-username", 1547 | "requirement" : "REQUIRED", 1548 | "priority" : 10, 1549 | "userSetupAllowed" : false, 1550 | "autheticatorFlow" : false 1551 | }, { 1552 | "authenticator" : "direct-grant-validate-password", 1553 | "requirement" : "REQUIRED", 1554 | "priority" : 20, 1555 | "userSetupAllowed" : false, 1556 | "autheticatorFlow" : false 1557 | }, { 1558 | "requirement" : "CONDITIONAL", 1559 | "priority" : 30, 1560 | "flowAlias" : "Direct Grant - Conditional OTP", 1561 | "userSetupAllowed" : false, 1562 | "autheticatorFlow" : true 1563 | } ] 1564 | }, { 1565 | "id" : "93e18bde-6fc3-4b37-8c44-30a1b83375ef", 1566 | "alias" : "docker auth", 1567 | "description" : "Used by Docker clients to authenticate against the IDP", 1568 | "providerId" : "basic-flow", 1569 | "topLevel" : true, 1570 | "builtIn" : true, 1571 | "authenticationExecutions" : [ { 1572 | "authenticator" : "docker-http-basic-authenticator", 1573 | "requirement" : "REQUIRED", 1574 | "priority" : 10, 1575 | "userSetupAllowed" : false, 1576 | "autheticatorFlow" : false 1577 | } ] 1578 | }, { 1579 | "id" : "4bb37ae5-1286-4dcc-af69-8c57cc727c92", 1580 | "alias" : "first broker login", 1581 | "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", 1582 | "providerId" : "basic-flow", 1583 | "topLevel" : true, 1584 | "builtIn" : true, 1585 | "authenticationExecutions" : [ { 1586 | "authenticatorConfig" : "review profile config", 1587 | "authenticator" : "idp-review-profile", 1588 | "requirement" : "REQUIRED", 1589 | "priority" : 10, 1590 | "userSetupAllowed" : 
false, 1591 | "autheticatorFlow" : false 1592 | }, { 1593 | "requirement" : "REQUIRED", 1594 | "priority" : 20, 1595 | "flowAlias" : "User creation or linking", 1596 | "userSetupAllowed" : false, 1597 | "autheticatorFlow" : true 1598 | } ] 1599 | }, { 1600 | "id" : "38f7f88a-9e87-4d38-9751-d9d2c230b013", 1601 | "alias" : "forms", 1602 | "description" : "Username, password, otp and other auth forms.", 1603 | "providerId" : "basic-flow", 1604 | "topLevel" : false, 1605 | "builtIn" : true, 1606 | "authenticationExecutions" : [ { 1607 | "authenticator" : "auth-username-password-form", 1608 | "requirement" : "REQUIRED", 1609 | "priority" : 10, 1610 | "userSetupAllowed" : false, 1611 | "autheticatorFlow" : false 1612 | }, { 1613 | "requirement" : "CONDITIONAL", 1614 | "priority" : 20, 1615 | "flowAlias" : "Browser - Conditional OTP", 1616 | "userSetupAllowed" : false, 1617 | "autheticatorFlow" : true 1618 | } ] 1619 | }, { 1620 | "id" : "69b5b234-9c90-48b7-8745-63a696ece93e", 1621 | "alias" : "http challenge", 1622 | "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", 1623 | "providerId" : "basic-flow", 1624 | "topLevel" : true, 1625 | "builtIn" : true, 1626 | "authenticationExecutions" : [ { 1627 | "authenticator" : "no-cookie-redirect", 1628 | "requirement" : "REQUIRED", 1629 | "priority" : 10, 1630 | "userSetupAllowed" : false, 1631 | "autheticatorFlow" : false 1632 | }, { 1633 | "requirement" : "REQUIRED", 1634 | "priority" : 20, 1635 | "flowAlias" : "Authentication Options", 1636 | "userSetupAllowed" : false, 1637 | "autheticatorFlow" : true 1638 | } ] 1639 | }, { 1640 | "id" : "99193279-085b-4255-bf23-6118a66228ae", 1641 | "alias" : "registration", 1642 | "description" : "registration flow", 1643 | "providerId" : "basic-flow", 1644 | "topLevel" : true, 1645 | "builtIn" : true, 1646 | "authenticationExecutions" : [ { 1647 | "authenticator" : "registration-page-form", 1648 | "requirement" : "REQUIRED", 1649 | "priority" : 
10, 1650 | "flowAlias" : "registration form", 1651 | "userSetupAllowed" : false, 1652 | "autheticatorFlow" : true 1653 | } ] 1654 | }, { 1655 | "id" : "39db9e5c-fa22-4d83-9f85-c301d2b15a64", 1656 | "alias" : "registration form", 1657 | "description" : "registration form", 1658 | "providerId" : "form-flow", 1659 | "topLevel" : false, 1660 | "builtIn" : true, 1661 | "authenticationExecutions" : [ { 1662 | "authenticator" : "registration-user-creation", 1663 | "requirement" : "REQUIRED", 1664 | "priority" : 20, 1665 | "userSetupAllowed" : false, 1666 | "autheticatorFlow" : false 1667 | }, { 1668 | "authenticator" : "registration-profile-action", 1669 | "requirement" : "REQUIRED", 1670 | "priority" : 40, 1671 | "userSetupAllowed" : false, 1672 | "autheticatorFlow" : false 1673 | }, { 1674 | "authenticator" : "registration-password-action", 1675 | "requirement" : "REQUIRED", 1676 | "priority" : 50, 1677 | "userSetupAllowed" : false, 1678 | "autheticatorFlow" : false 1679 | }, { 1680 | "authenticator" : "registration-recaptcha-action", 1681 | "requirement" : "DISABLED", 1682 | "priority" : 60, 1683 | "userSetupAllowed" : false, 1684 | "autheticatorFlow" : false 1685 | } ] 1686 | }, { 1687 | "id" : "8e1e3f2a-c696-4336-a8df-d50e65b4e549", 1688 | "alias" : "reset credentials", 1689 | "description" : "Reset credentials for a user if they forgot their password or something", 1690 | "providerId" : "basic-flow", 1691 | "topLevel" : true, 1692 | "builtIn" : true, 1693 | "authenticationExecutions" : [ { 1694 | "authenticator" : "reset-credentials-choose-user", 1695 | "requirement" : "REQUIRED", 1696 | "priority" : 10, 1697 | "userSetupAllowed" : false, 1698 | "autheticatorFlow" : false 1699 | }, { 1700 | "authenticator" : "reset-credential-email", 1701 | "requirement" : "REQUIRED", 1702 | "priority" : 20, 1703 | "userSetupAllowed" : false, 1704 | "autheticatorFlow" : false 1705 | }, { 1706 | "authenticator" : "reset-password", 1707 | "requirement" : "REQUIRED", 1708 | "priority" 
: 30, 1709 | "userSetupAllowed" : false, 1710 | "autheticatorFlow" : false 1711 | }, { 1712 | "requirement" : "CONDITIONAL", 1713 | "priority" : 40, 1714 | "flowAlias" : "Reset - Conditional OTP", 1715 | "userSetupAllowed" : false, 1716 | "autheticatorFlow" : true 1717 | } ] 1718 | }, { 1719 | "id" : "60d55a19-9176-4281-ba0d-e4e6b3cb0a7c", 1720 | "alias" : "saml ecp", 1721 | "description" : "SAML ECP Profile Authentication Flow", 1722 | "providerId" : "basic-flow", 1723 | "topLevel" : true, 1724 | "builtIn" : true, 1725 | "authenticationExecutions" : [ { 1726 | "authenticator" : "http-basic-authenticator", 1727 | "requirement" : "REQUIRED", 1728 | "priority" : 10, 1729 | "userSetupAllowed" : false, 1730 | "autheticatorFlow" : false 1731 | } ] 1732 | } ], 1733 | "authenticatorConfig" : [ { 1734 | "id" : "14af9123-8093-4803-900a-9eba40caf47d", 1735 | "alias" : "create unique user config", 1736 | "config" : { 1737 | "require.password.update.after.registration" : "false" 1738 | } 1739 | }, { 1740 | "id" : "99dccdae-9b59-495b-ab66-c56a718b0a01", 1741 | "alias" : "review profile config", 1742 | "config" : { 1743 | "update.profile.on.first.login" : "missing" 1744 | } 1745 | } ], 1746 | "requiredActions" : [ { 1747 | "alias" : "CONFIGURE_TOTP", 1748 | "name" : "Configure OTP", 1749 | "providerId" : "CONFIGURE_TOTP", 1750 | "enabled" : true, 1751 | "defaultAction" : false, 1752 | "priority" : 10, 1753 | "config" : { } 1754 | }, { 1755 | "alias" : "terms_and_conditions", 1756 | "name" : "Terms and Conditions", 1757 | "providerId" : "terms_and_conditions", 1758 | "enabled" : false, 1759 | "defaultAction" : false, 1760 | "priority" : 20, 1761 | "config" : { } 1762 | }, { 1763 | "alias" : "UPDATE_PASSWORD", 1764 | "name" : "Update Password", 1765 | "providerId" : "UPDATE_PASSWORD", 1766 | "enabled" : true, 1767 | "defaultAction" : false, 1768 | "priority" : 30, 1769 | "config" : { } 1770 | }, { 1771 | "alias" : "UPDATE_PROFILE", 1772 | "name" : "Update Profile", 1773 | 
"providerId" : "UPDATE_PROFILE", 1774 | "enabled" : true, 1775 | "defaultAction" : false, 1776 | "priority" : 40, 1777 | "config" : { } 1778 | }, { 1779 | "alias" : "VERIFY_EMAIL", 1780 | "name" : "Verify Email", 1781 | "providerId" : "VERIFY_EMAIL", 1782 | "enabled" : true, 1783 | "defaultAction" : false, 1784 | "priority" : 50, 1785 | "config" : { } 1786 | }, { 1787 | "alias" : "update_user_locale", 1788 | "name" : "Update User Locale", 1789 | "providerId" : "update_user_locale", 1790 | "enabled" : true, 1791 | "defaultAction" : false, 1792 | "priority" : 1000, 1793 | "config" : { } 1794 | } ], 1795 | "browserFlow" : "browser", 1796 | "registrationFlow" : "registration", 1797 | "directGrantFlow" : "direct grant", 1798 | "resetCredentialsFlow" : "reset credentials", 1799 | "clientAuthenticationFlow" : "clients", 1800 | "dockerAuthenticationFlow" : "docker auth", 1801 | "attributes" : { }, 1802 | "keycloakVersion" : "11.0.1", 1803 | "userManagedAccessAllowed" : false 1804 | } -------------------------------------------------------------------------------- /keycloak/master-users-0.json: -------------------------------------------------------------------------------- 1 | { 2 | "realm" : "master", 3 | "users" : [ { 4 | "id" : "98432f98-0594-469b-ae9b-7fc442e14b48", 5 | "createdTimestamp" : 1599203405680, 6 | "username" : "admin", 7 | "enabled" : true, 8 | "totp" : false, 9 | "emailVerified" : false, 10 | "credentials" : [ { 11 | "id" : "0c5d45cb-7c56-4d9e-a130-673878cf8716", 12 | "type" : "password", 13 | "createdDate" : 1599203405921, 14 | "secretData" : "{\"value\":\"HYigm8YnZHMLww9MhkcHlnKGUG81gZm10jTizqX5JsTC+++ThIUL9ZXDLlhwcLBAnTmjRc0VtjvhejWNMMuvmQ==\",\"salt\":\"MvXxfigvuUFRQ/a/L5/9mA==\"}", 15 | "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" 16 | } ], 17 | "disableableCredentialTypes" : [ ], 18 | "requiredActions" : [ ], 19 | "realmRoles" : [ "uma_authorization", "admin", "offline_access" ], 20 | "clientRoles" : { 21 | 
"account" : [ "manage-account", "view-profile" ] 22 | }, 23 | "notBefore" : 0, 24 | "groups" : [ ] 25 | } ] 26 | } -------------------------------------------------------------------------------- /nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | server { 2 | # listen 443 ssl; 3 | listen 80; 4 | server_name _; 5 | # include ssl/ssl.conf; 6 | 7 | # Fix 'upstream sent too big header while reading response header from upstream' during refresh 8 | proxy_buffer_size 128k; 9 | proxy_buffers 4 256k; 10 | proxy_busy_buffers_size 256k; 11 | 12 | location /oauth2/ { 13 | proxy_pass http://proxy:4180; 14 | proxy_set_header Host $host; 15 | proxy_set_header X-Real-IP $remote_addr; 16 | proxy_set_header X-Scheme $scheme; 17 | proxy_set_header X-Auth-Request-Redirect $request_uri; 18 | # or, if you are handling multiple domains: 19 | # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; 20 | } 21 | location = /oauth2/auth { 22 | internal; 23 | proxy_pass http://proxy:4180; 24 | proxy_set_header Host $host; 25 | proxy_set_header X-Real-IP $remote_addr; 26 | proxy_set_header X-Scheme $scheme; 27 | # nginx auth_request includes headers but not body 28 | proxy_set_header Content-Length ""; 29 | proxy_pass_request_body off; 30 | } 31 | 32 | location / { 33 | auth_request /oauth2/auth; 34 | error_page 401 = /oauth2/sign_in; 35 | 36 | # pass information via X-User and X-Email headers to backend, 37 | # requires running with --set-xauthrequest flag 38 | auth_request_set $user $upstream_http_x_auth_request_user; 39 | auth_request_set $email $upstream_http_x_auth_request_email; 40 | proxy_set_header X-User $user; 41 | proxy_set_header X-Email $email; 42 | 43 | # if you enabled --pass-access-token, this will pass the token to the backend 44 | auth_request_set $token $upstream_http_x_auth_request_access_token; 45 | proxy_set_header X-Access-Token $token; 46 | 47 | # if you enabled --cookie-refresh, this is needed for it 
to work with auth_request 48 | auth_request_set $auth_cookie $upstream_http_set_cookie; 49 | add_header Set-Cookie $auth_cookie; 50 | 51 | # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb 52 | # limit and so the OAuth2 Proxy splits these into multiple parts. 53 | # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response, 54 | # so if your cookies are larger than 4kb, you will need to extract additional cookies manually. 55 | auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1; 56 | 57 | # Extract the Cookie attributes from the first Set-Cookie header and append them 58 | # to the second part ($upstream_cookie_* variables only contain the raw cookie content) 59 | if ($auth_cookie ~* "(; .*)") { 60 | set $auth_cookie_name_0 $auth_cookie; 61 | set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1"; 62 | } 63 | 64 | # Send both Set-Cookie headers now if there was a second part 65 | if ($auth_cookie_name_upstream_1) { 66 | add_header Set-Cookie $auth_cookie_name_0; 67 | add_header Set-Cookie $auth_cookie_name_1; 68 | } 69 | 70 | proxy_pass http://server/; 71 | } 72 | } 73 | --------------------------------------------------------------------------------
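The Set-Cookie handling in `location /` above, simulated as an added example (not code from this repository): it models `$upstream_http_set_cookie` exposing only the first upstream header, `$upstream_cookie_*` returning the raw cookie value, `add_header` skipping empty values, and the `if` block's `add_header` replacing the location-level one. The cookie name `auth_cookie_name` is the placeholder from nginx.conf; the header values are constructed samples.

```python
"""Model of the Set-Cookie logic in nginx.conf (added example, not repository code)."""
import re
from typing import List

COOKIE_NAME = "auth_cookie_name"  # placeholder name used in nginx.conf

# Constructed samples of what OAuth2 Proxy may return on a cookie refresh:
# a session split into two parts (over the 4kb limit) and a single cookie.
ATTRS = "; Path=/; HttpOnly; Secure; SameSite=Lax"
SPLIT_REFRESH = [
    f"{COOKIE_NAME}_0=PART0_SAMPLE{ATTRS}",
    f"{COOKIE_NAME}_1=PART1_SAMPLE{ATTRS}",
]
SINGLE_REFRESH = [f"{COOKIE_NAME}=SINGLE_SAMPLE{ATTRS}"]


def upstream_cookie(set_cookie_headers: List[str], name: str) -> str:
    """Model of $upstream_cookie_<name>: raw value of cookie <name> from any
    upstream Set-Cookie header, without attributes; "" when absent."""
    for header in set_cookie_headers:
        cookie, _, _attrs = header.partition(";")
        cookie_name, sep, value = cookie.strip().partition("=")
        if sep and cookie_name == name:
            return value
    return ""


def response_set_cookie_headers(set_cookie_headers: List[str]) -> List[str]:
    """Set-Cookie headers the browser receives from `location /`.

    - $upstream_http_set_cookie carries only the FIRST upstream Set-Cookie.
    - add_header drops a header whose value is empty, so no refresh means
      no Set-Cookie at all.
    - add_header inside an `if` block overrides the location-level
      add_header, so a split session is emitted entirely from the `if`,
      with part 0's attributes copied onto part 1.
    """
    auth_cookie = set_cookie_headers[0] if set_cookie_headers else ""
    part1 = upstream_cookie(set_cookie_headers, f"{COOKIE_NAME}_1")

    # if ($auth_cookie ~* "(; .*)") { set ... } ; unset variables read as ""
    name_0, name_1 = "", ""
    match = re.search(r"(; .*)", auth_cookie, re.IGNORECASE)
    if match:
        name_0 = auth_cookie
        name_1 = f"{COOKIE_NAME}_1={part1}{match.group(1)}"

    # if ($auth_cookie_name_upstream_1) { add_header x2 } else location-level add_header
    headers = [name_0, name_1] if part1 else [auth_cookie]
    return [h for h in headers if h]  # empty values are not added


if __name__ == "__main__":
    for label, upstream in (("split", SPLIT_REFRESH), ("single", SINGLE_REFRESH), ("none", [])):
        print(label)
        for h in response_set_cookie_headers(upstream):
            print("  Set-Cookie:", h)
```

nginx evaluates `if` in the rewrite phase, before `auth_request` runs in the access phase, so confirm against a real split session (for example with `curl -i` after a refresh) that the second `Set-Cookie` header is actually emitted rather than only the first.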