├── .gitignore ├── .mvn └── wrapper │ ├── MavenWrapperDownloader.java │ ├── maven-wrapper.jar │ └── maven-wrapper.properties ├── README.adoc ├── client-app ├── pom.xml └── src │ └── main │ ├── java │ └── org │ │ └── springframework │ │ └── security │ │ └── oauth │ │ └── samples │ │ ├── OAuthClientApplication.java │ │ ├── config │ │ ├── SecurityConfig.java │ │ └── WebClientConfig.java │ │ └── web │ │ ├── AuthorizationController.java │ │ └── DefaultController.java │ └── resources │ ├── application.yml │ └── templates │ ├── index.html │ └── login.html ├── keycloak ├── oauth2-sample-realm-config.json └── run.sh ├── mvnw ├── mvnw.cmd ├── pom.xml └── resource-server ├── pom.xml └── src └── main ├── java └── org │ └── springframework │ └── security │ └── oauth │ └── samples │ ├── ResourceServerApplication.java │ ├── config │ └── ResourceServerConfig.java │ └── web │ └── MessagesController.java └── resources └── application.yml /.gitignore: -------------------------------------------------------------------------------- 1 | classes/ 2 | target/ 3 | */src/*/java/META-INF 4 | */src/META-INF/ 5 | */src/*/java/META-INF/ 6 | .classpath 7 | .springBeans 8 | .project 9 | .DS_Store 10 | .settings/ 11 | .idea/* 12 | out/ 13 | bin/ 14 | intellij/ 15 | build/ 16 | *.log 17 | *.log.* 18 | *.iml 19 | *.ipr 20 | *.iws 21 | .gradle/ 22 | atlassian-ide-plugin.xml 23 | !etc/eclipse/.checkstyle 24 | .checkstyle 25 | s101plugin.state 26 | .attach_pid* 27 | !.mvn/wrapper/maven-wrapper.jar 28 | !.idea/checkstyle-idea.xml 29 | !.idea/externalDependencies.xml 30 | keycloak/keycloak-*.zip 31 | keycloak/keycloak-*/ -------------------------------------------------------------------------------- /.mvn/wrapper/MavenWrapperDownloader.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | import java.net.*; 17 | import java.io.*; 18 | import java.nio.channels.*; 19 | import java.util.Properties; 20 | 21 | public class MavenWrapperDownloader { 22 | 23 | private static final String WRAPPER_VERSION = "0.5.5"; 24 | /** 25 | * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided. 26 | */ 27 | private static final String DEFAULT_DOWNLOAD_URL = "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/" 28 | + WRAPPER_VERSION + "/maven-wrapper-" + WRAPPER_VERSION + ".jar"; 29 | 30 | /** 31 | * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to 32 | * use instead of the default one. 33 | */ 34 | private static final String MAVEN_WRAPPER_PROPERTIES_PATH = 35 | ".mvn/wrapper/maven-wrapper.properties"; 36 | 37 | /** 38 | * Path where the maven-wrapper.jar will be saved to. 39 | */ 40 | private static final String MAVEN_WRAPPER_JAR_PATH = 41 | ".mvn/wrapper/maven-wrapper.jar"; 42 | 43 | /** 44 | * Name of the property which should be used to override the default download url for the wrapper. 45 | */ 46 | private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl"; 47 | 48 | public static void main(String args[]) { 49 | System.out.println("- Downloader started"); 50 | File baseDirectory = new File(args[0]); 51 | System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath()); 52 | 53 | // If the maven-wrapper.properties exists, read it and check if it contains a custom 54 | // wrapperUrl parameter. 55 | File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH); 56 | String url = DEFAULT_DOWNLOAD_URL; 57 | if(mavenWrapperPropertyFile.exists()) { 58 | FileInputStream mavenWrapperPropertyFileInputStream = null; 59 | try { 60 | mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile); 61 | Properties mavenWrapperProperties = new Properties(); 62 | mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream); 63 | url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url); 64 | } catch (IOException e) { 65 | System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'"); 66 | } finally { 67 | try { 68 | if(mavenWrapperPropertyFileInputStream != null) { 69 | mavenWrapperPropertyFileInputStream.close(); 70 | } 71 | } catch (IOException e) { 72 | // Ignore ... 73 | } 74 | } 75 | } 76 | System.out.println("- Downloading from: " + url); 77 | 78 | File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH); 79 | if(!outputFile.getParentFile().exists()) { 80 | if(!outputFile.getParentFile().mkdirs()) { 81 | System.out.println( 82 | "- ERROR creating output directory '" + outputFile.getParentFile().getAbsolutePath() + "'"); 83 | } 84 | } 85 | System.out.println("- Downloading to: " + outputFile.getAbsolutePath()); 86 | try { 87 | downloadFileFromURL(url, outputFile); 88 | System.out.println("Done"); 89 | System.exit(0); 90 | } catch (Throwable e) { 91 | System.out.println("- Error downloading"); 92 | e.printStackTrace(); 93 | System.exit(1); 94 | } 95 | } 96 | 97 | private static void downloadFileFromURL(String urlString, File destination) throws Exception { 98 | if (System.getenv("MVNW_USERNAME") != null && System.getenv("MVNW_PASSWORD") != null) { 99 | String username = System.getenv("MVNW_USERNAME"); 100 | char[] password = System.getenv("MVNW_PASSWORD").toCharArray(); 101 | Authenticator.setDefault(new Authenticator() { 102 | @Override 103 | protected PasswordAuthentication getPasswordAuthentication() { 104 | return new PasswordAuthentication(username, password); 105 | } 106 | }); 107 | } 108 | URL website = new URL(urlString); 109 | ReadableByteChannel rbc; 110 | rbc = Channels.newChannel(website.openStream()); 111 | FileOutputStream fos = new FileOutputStream(destination); 112 | fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE); 113 | fos.close(); 114 | rbc.close(); 115 | } 116 | 117 | } 118 | -------------------------------------------------------------------------------- /.mvn/wrapper/maven-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jgrandja/spring-security-oauth-5-2-migrate/62945ee55d6b2116928624fa7ef9a3cdc60602ea/.mvn/wrapper/maven-wrapper.jar -------------------------------------------------------------------------------- /.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.2/apache-maven-3.6.2-bin.zip 2 | wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar 3 | -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- 1 | = Spring Security OAuth 5.2 Migration Sample 2 | 3 | This sample should be used for migrating a Spring Security OAuth 2.x application to Spring Security 5.2. 4 | 5 | This is the Spring Security 5.2 sample and the corresponding Spring Security OAuth 2.4 sample is https://github.com/jgrandja/spring-security-oauth-2-4-migrate[here]. 6 | 7 | See the https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide[OAuth 2.0 Migration Guide] for further details. 8 | 9 | == Run the Sample 10 | 11 | * Build the sample -> `./mvnw clean package` 12 | * Run Keycloak -> `cd keycloak && ./run.sh` 13 | ** IMPORTANT: Make sure to modify your `/etc/hosts` file to avoid problems with session cookie overwrites between `client-app` and `keycloak`. Simply add the entry `127.0.0.1 auth-server` 14 | * Run Resource Server -> `./mvnw -f resource-server spring-boot:run` 15 | * Run Client App -> `./mvnw -f client-app spring-boot:run` 16 | * Go to `http://localhost:8080` and login using *user1/password* 17 | -------------------------------------------------------------------------------- /client-app/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 4.0.0 6 | 7 | org.springframework.security.oauth2 8 | spring-security-oauth2-parent 9 | 1.0.0.BUILD-SNAPSHOT 10 | 11 | spring-security-oauth2-client-app 12 | 13 | 14 | 15 | org.springframework.boot 16 | spring-boot-starter-web 17 | 18 | 19 | org.springframework.boot 20 | spring-boot-starter-security 21 | 22 | 23 | org.springframework.boot 24 | spring-boot-starter-thymeleaf 25 | 26 | 27 | org.thymeleaf.extras 28 | thymeleaf-extras-springsecurity5 29 | 30 | 31 | org.springframework.boot 32 | spring-boot-starter-oauth2-client 33 | 34 | 35 | org.springframework 36 | spring-webflux 37 | 38 | 39 | io.projectreactor.netty 40 | reactor-netty 41 | 42 | 43 | org.webjars 44 | webjars-locator-core 45 | 46 | 47 | org.webjars 48 | bootstrap 49 | 3.3.7-1 50 | 51 | 52 | org.webjars 53 | jquery 54 | 3.4.1 55 | 56 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /client-app/src/main/java/org/springframework/security/oauth/samples/OAuthClientApplication.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples; 17 | 18 | import org.springframework.boot.SpringApplication; 19 | import org.springframework.boot.autoconfigure.SpringBootApplication; 20 | 21 | /** 22 | * @author Joe Grandja 23 | */ 24 | @SpringBootApplication 25 | public class OAuthClientApplication { 26 | 27 | public static void main(String[] args) { 28 | SpringApplication.run(OAuthClientApplication.class, args); 29 | } 30 | } -------------------------------------------------------------------------------- /client-app/src/main/java/org/springframework/security/oauth/samples/config/SecurityConfig.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples.config; 17 | 18 | import org.springframework.context.annotation.Bean; 19 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; 20 | import org.springframework.security.config.annotation.web.builders.WebSecurity; 21 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 22 | import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 23 | import org.springframework.security.core.userdetails.User; 24 | import org.springframework.security.core.userdetails.UserDetails; 25 | import org.springframework.security.core.userdetails.UserDetailsService; 26 | import org.springframework.security.provisioning.InMemoryUserDetailsManager; 27 | 28 | /** 29 | * @author Joe Grandja 30 | */ 31 | @EnableWebSecurity 32 | public class SecurityConfig extends WebSecurityConfigurerAdapter { 33 | 34 | // @formatter:off 35 | @Override 36 | public void configure(WebSecurity web) { 37 | web 38 | .ignoring() 39 | .antMatchers("/webjars/**"); 40 | 41 | } 42 | // @formatter:on 43 | 44 | // @formatter:off 45 | @Override 46 | protected void configure(HttpSecurity http) throws Exception { 47 | http 48 | .authorizeRequests() 49 | .anyRequest().authenticated() 50 | .and() 51 | .formLogin() 52 | .loginPage("/login") 53 | .failureUrl("/login-error") 54 | .permitAll() 55 | .and() 56 | .oauth2Client(); 57 | } 58 | // @formatter:on 59 | 60 | // @formatter:off 61 | @Bean 62 | public UserDetailsService users() { 63 | UserDetails user = User.withDefaultPasswordEncoder() 64 | .username("user1") 65 | .password("password") 66 | .roles("USER") 67 | .build(); 68 | return new InMemoryUserDetailsManager(user); 69 | } 70 | // @formatter:on 71 | } 72 | -------------------------------------------------------------------------------- /client-app/src/main/java/org/springframework/security/oauth/samples/config/WebClientConfig.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2002-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples.config; 17 | 18 | import org.springframework.context.annotation.Bean; 19 | import org.springframework.context.annotation.Configuration; 20 | import org.springframework.security.oauth2.client.OAuth2AuthorizationContext; 21 | import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest; 22 | import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager; 23 | import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider; 24 | import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder; 25 | import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; 26 | import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager; 27 | import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; 28 | import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction; 29 | import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; 30 | import org.springframework.util.StringUtils; 31 | import org.springframework.web.reactive.function.client.WebClient; 32 | 33 | import javax.servlet.http.HttpServletRequest; 34 | import java.util.Collections; 35 | import java.util.HashMap; 36 | import java.util.Map; 37 | import java.util.function.Function; 38 | 39 | /** 40 | * @author Joe Grandja 41 | */ 42 | @Configuration 43 | public class WebClientConfig { 44 | 45 | @Bean 46 | WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) { 47 | ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = 48 | new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); 49 | return WebClient.builder() 50 | .apply(oauth2Client.oauth2Configuration()) 51 | .build(); 52 | } 53 | 54 | @Bean 55 | OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository clientRegistrationRepository, 56 | OAuth2AuthorizedClientRepository authorizedClientRepository) { 57 | OAuth2AuthorizedClientProvider authorizedClientProvider = 58 | OAuth2AuthorizedClientProviderBuilder.builder() 59 | .authorizationCode() 60 | .refreshToken() 61 | .clientCredentials() 62 | .password() 63 | .build(); 64 | DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager( 65 | clientRegistrationRepository, authorizedClientRepository); 66 | authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider); 67 | 68 | // For the `password` grant, the `username` and `password` are supplied via request parameters, 69 | // so map it to `OAuth2AuthorizationContext.getAttributes()`. 70 | authorizedClientManager.setContextAttributesMapper(contextAttributesMapper()); 71 | 72 | return authorizedClientManager; 73 | } 74 | 75 | private Function> contextAttributesMapper() { 76 | return authorizeRequest -> { 77 | Map contextAttributes = Collections.emptyMap(); 78 | HttpServletRequest servletRequest = authorizeRequest.getAttribute(HttpServletRequest.class.getName()); 79 | String username = servletRequest.getParameter(OAuth2ParameterNames.USERNAME); 80 | String password = servletRequest.getParameter(OAuth2ParameterNames.PASSWORD); 81 | if (StringUtils.hasText(username) && StringUtils.hasText(password)) { 82 | contextAttributes = new HashMap<>(); 83 | 84 | // `PasswordOAuth2AuthorizedClientProvider` requires both attributes 85 | contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username); 86 | contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password); 87 | } 88 | return contextAttributes; 89 | }; 90 | } 91 | } -------------------------------------------------------------------------------- /client-app/src/main/java/org/springframework/security/oauth/samples/web/AuthorizationController.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples.web; 17 | 18 | import org.springframework.beans.factory.annotation.Autowired; 19 | import org.springframework.beans.factory.annotation.Value; 20 | import org.springframework.stereotype.Controller; 21 | import org.springframework.ui.Model; 22 | import org.springframework.web.bind.annotation.GetMapping; 23 | import org.springframework.web.bind.annotation.PostMapping; 24 | import org.springframework.web.reactive.function.client.WebClient; 25 | 26 | import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId; 27 | 28 | /** 29 | * @author Joe Grandja 30 | */ 31 | @Controller 32 | public class AuthorizationController { 33 | 34 | @Value("${messages.base-uri}") 35 | private String messagesBaseUri; 36 | 37 | @Autowired 38 | private WebClient webClient; 39 | 40 | 41 | @GetMapping(value = "/authorize", params = "grant_type=authorization_code") 42 | public String authorization_code_grant(Model model) { 43 | String[] messages = retrieveMessages("messaging-client-auth-code"); 44 | model.addAttribute("messages", messages); 45 | return "index"; 46 | } 47 | 48 | @GetMapping("/authorized") // registered redirect_uri for authorization_code 49 | public String authorized(Model model) { 50 | String[] messages = retrieveMessages("messaging-client-auth-code"); 51 | model.addAttribute("messages", messages); 52 | return "index"; 53 | } 54 | 55 | @GetMapping(value = "/authorize", params = "grant_type=client_credentials") 56 | public String client_credentials_grant(Model model) { 57 | String[] messages = retrieveMessages("messaging-client-client-creds"); 58 | model.addAttribute("messages", messages); 59 | return "index"; 60 | } 61 | 62 | @PostMapping(value = "/authorize", params = "grant_type=password") 63 | public String password_grant(Model model) { 64 | String[] messages = retrieveMessages("messaging-client-password"); 65 | model.addAttribute("messages", messages); 66 | return "index"; 67 | } 68 | 69 | private String[] retrieveMessages(String clientRegistrationId) { 70 | return this.webClient 71 | .get() 72 | .uri(this.messagesBaseUri) 73 | .attributes(clientRegistrationId(clientRegistrationId)) 74 | .retrieve() 75 | .bodyToMono(String[].class) 76 | .block(); 77 | } 78 | } -------------------------------------------------------------------------------- /client-app/src/main/java/org/springframework/security/oauth/samples/web/DefaultController.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples.web; 17 | 18 | import org.springframework.stereotype.Controller; 19 | import org.springframework.ui.Model; 20 | import org.springframework.web.bind.annotation.GetMapping; 21 | 22 | /** 23 | * @author Joe Grandja 24 | */ 25 | @Controller 26 | public class DefaultController { 27 | 28 | @GetMapping("/") 29 | public String root() { 30 | return "redirect:/index"; 31 | } 32 | 33 | @GetMapping("/index") 34 | public String index() { 35 | return "index"; 36 | } 37 | 38 | @GetMapping("/login") 39 | public String login() { 40 | return "login"; 41 | } 42 | 43 | @GetMapping("/login-error") 44 | public String loginError(Model model) { 45 | model.addAttribute("loginError", true); 46 | return login(); 47 | } 48 | } -------------------------------------------------------------------------------- /client-app/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | server: 2 | port: 8080 3 | 4 | logging: 5 | level: 6 | root: INFO 7 | org.springframework.web: INFO 8 | org.springframework.security: INFO 9 | org.springframework.security.oauth2: INFO 10 | # org.springframework.boot.autoconfigure: DEBUG 11 | 12 | spring: 13 | thymeleaf: 14 | cache: false 15 | security: 16 | oauth2: 17 | client: 18 | registration: 19 | messaging-client-auth-code: 20 | provider: keycloak 21 | client-id: messaging-client 22 | client-secret: secret 23 | authorization-grant-type: authorization_code 24 | redirect-uri: "{baseUrl}/authorized" 25 | scope: message.read,message.write 26 | messaging-client-client-creds: 27 | provider: keycloak 28 | client-id: messaging-client 29 | client-secret: secret 30 | authorization-grant-type: client_credentials 31 | scope: message.read,message.write 32 | messaging-client-password: 33 | provider: keycloak 34 | client-id: messaging-client 35 | client-secret: secret 36 | authorization-grant-type: password 37 | scope: message.read,message.write 38 | provider: 39 | keycloak: 40 | authorization-uri: http://auth-server:8090/auth/realms/oauth2-sample/protocol/openid-connect/auth 41 | token-uri: http://auth-server:8090/auth/realms/oauth2-sample/protocol/openid-connect/token 42 | 43 | messages: 44 | base-uri: http://localhost:8092/messages 45 | -------------------------------------------------------------------------------- /client-app/src/main/resources/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Spring Security OAuth 2.0 Sample 5 | 6 | 7 | 8 | 9 | 10 | 11 |
12 | 33 |
34 |
35 |
36 |
37 |

Authorize the client with grant_type:

38 |
39 | 69 |
70 |

Messages:

71 | 72 | 73 | 74 | 75 | 76 | 77 |
message
78 |
79 |
80 |
81 | 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /client-app/src/main/resources/templates/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Spring Security OAuth 2.0 Sample 5 | 6 | 7 | 8 | 9 | 10 | 11 |
12 |

Login

13 |

Wrong username or password

14 |
15 |
16 |
17 | 18 | 19 | user1 / password 20 |
21 |
22 |
23 |
24 | 25 | 26 |
27 |
28 | 29 |
30 |
31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /keycloak/oauth2-sample-realm-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "oauth2-sample", 3 | "realm": "oauth2-sample", 4 | "displayName": "Keycloak OAuth 2.0 Sample", 5 | "displayNameHtml": "
Keycloak OAuth 2.0 Sample
", 6 | "notBefore": 0, 7 | "revokeRefreshToken": false, 8 | "refreshTokenMaxReuse": 0, 9 | "accessTokenLifespan": 300, 10 | "accessTokenLifespanForImplicitFlow": 900, 11 | "ssoSessionIdleTimeout": 1800, 12 | "ssoSessionMaxLifespan": 36000, 13 | "ssoSessionIdleTimeoutRememberMe": 0, 14 | "ssoSessionMaxLifespanRememberMe": 0, 15 | "offlineSessionIdleTimeout": 2592000, 16 | "offlineSessionMaxLifespanEnabled": false, 17 | "offlineSessionMaxLifespan": 5184000, 18 | "accessCodeLifespan": 60, 19 | "accessCodeLifespanUserAction": 300, 20 | "accessCodeLifespanLogin": 1800, 21 | "actionTokenGeneratedByAdminLifespan": 43200, 22 | "actionTokenGeneratedByUserLifespan": 300, 23 | "enabled": true, 24 | "sslRequired": "external", 25 | "registrationAllowed": false, 26 | "registrationEmailAsUsername": false, 27 | "rememberMe": false, 28 | "verifyEmail": false, 29 | "loginWithEmailAllowed": true, 30 | "duplicateEmailsAllowed": false, 31 | "resetPasswordAllowed": false, 32 | "editUsernameAllowed": false, 33 | "bruteForceProtected": false, 34 | "permanentLockout": false, 35 | "maxFailureWaitSeconds": 900, 36 | "minimumQuickLoginWaitSeconds": 60, 37 | "waitIncrementSeconds": 60, 38 | "quickLoginCheckMilliSeconds": 1000, 39 | "maxDeltaTimeSeconds": 43200, 40 | "failureFactor": 30, 41 | "defaultRoles": [ 42 | "uma_authorization", 43 | "offline_access" 44 | ], 45 | "requiredCredentials": [ 46 | "password" 47 | ], 48 | "otpPolicyType": "totp", 49 | "otpPolicyAlgorithm": "HmacSHA1", 50 | "otpPolicyInitialCounter": 0, 51 | "otpPolicyDigits": 6, 52 | "otpPolicyLookAheadWindow": 1, 53 | "otpPolicyPeriod": 30, 54 | "otpSupportedApplications": [ 55 | "FreeOTP", 56 | "Google Authenticator" 57 | ], 58 | "scopeMappings": [ 59 | { 60 | "clientScope": "offline_access", 61 | "roles": [ 62 | "offline_access" 63 | ] 64 | } 65 | ], 66 | "clients": [ 67 | { 68 | "id": "c67970d6-af16-49bf-98ea-2972534f29b4", 69 | "clientId": "account", 70 | "name": "${client_account}", 71 | "baseUrl": "/auth/realms/oauth2-sample/account", 72 | "surrogateAuthRequired": false, 73 | "enabled": true, 74 | "clientAuthenticatorType": "client-secret", 75 | "secret": "**********", 76 | "defaultRoles": [ 77 | "manage-account", 78 | "view-profile" 79 | ], 80 | "redirectUris": [ 81 | "/auth/realms/oauth2-sample/account/*" 82 | ], 83 | "webOrigins": [], 84 | "notBefore": 0, 85 | "bearerOnly": false, 86 | "consentRequired": false, 87 | "standardFlowEnabled": true, 88 | "implicitFlowEnabled": false, 89 | "directAccessGrantsEnabled": false, 90 | "serviceAccountsEnabled": false, 91 | "publicClient": false, 92 | "frontchannelLogout": false, 93 | "protocol": "openid-connect", 94 | "attributes": {}, 95 | "authenticationFlowBindingOverrides": {}, 96 | "fullScopeAllowed": false, 97 | "nodeReRegistrationTimeout": 0, 98 | "defaultClientScopes": [ 99 | "web-origins", 100 | "role_list", 101 | "profile", 102 | "roles", 103 | "email" 104 | ], 105 | "optionalClientScopes": [ 106 | "address", 107 | "phone", 108 | "offline_access", 109 | "microprofile-jwt" 110 | ] 111 | }, 112 | { 113 | "id": "8db3cf0a-f836-4ea7-8fe8-0970cc709468", 114 | "clientId": "admin-cli", 115 | "name": "${client_admin-cli}", 116 | "surrogateAuthRequired": false, 117 | "enabled": true, 118 | "clientAuthenticatorType": "client-secret", 119 | "secret": "**********", 120 | "redirectUris": [], 121 | "webOrigins": [], 122 | "notBefore": 0, 123 | "bearerOnly": false, 124 | "consentRequired": false, 125 | "standardFlowEnabled": false, 126 | "implicitFlowEnabled": false, 127 | "directAccessGrantsEnabled": true, 128 | "serviceAccountsEnabled": false, 129 | "publicClient": true, 130 | "frontchannelLogout": false, 131 | "protocol": "openid-connect", 132 | "attributes": {}, 133 | "authenticationFlowBindingOverrides": {}, 134 | "fullScopeAllowed": false, 135 | "nodeReRegistrationTimeout": 0, 136 | "defaultClientScopes": [ 137 | "web-origins", 138 | "role_list", 139 | "profile", 140 | "roles", 141 | "email" 142 | ], 143 | "optionalClientScopes": [ 144 | "address", 145 | "phone", 146 | "offline_access", 147 | "microprofile-jwt" 148 | ] 149 | }, 150 | { 151 | "id": "27914bf5-40db-449f-b7de-891e18947a98", 152 | "clientId": "broker", 153 | "name": "${client_broker}", 154 | "surrogateAuthRequired": false, 155 | "enabled": true, 156 | "clientAuthenticatorType": "client-secret", 157 | "secret": "**********", 158 | "redirectUris": [], 159 | "webOrigins": [], 160 | "notBefore": 0, 161 | "bearerOnly": false, 162 | "consentRequired": false, 163 | "standardFlowEnabled": true, 164 | "implicitFlowEnabled": false, 165 | "directAccessGrantsEnabled": false, 166 | "serviceAccountsEnabled": false, 167 | "publicClient": false, 168 | "frontchannelLogout": false, 169 | "protocol": "openid-connect", 170 | "attributes": {}, 171 | "authenticationFlowBindingOverrides": {}, 172 | "fullScopeAllowed": false, 173 | "nodeReRegistrationTimeout": 0, 174 | "defaultClientScopes": [ 175 | "web-origins", 176 | "role_list", 177 | "profile", 178 | "roles", 179 | "email" 180 | ], 181 | "optionalClientScopes": [ 182 | "address", 183 | "phone", 184 | "offline_access", 185 | "microprofile-jwt" 186 | ] 187 | }, 188 | { 189 | "id": "e7811107-bd7a-4a09-b979-10e0ada83100", 190 | "clientId": "messaging-client", 191 | "surrogateAuthRequired": false, 192 | "enabled": true, 193 | "clientAuthenticatorType": "client-secret", 194 | "secret": "secret", 195 | "redirectUris": [ 196 | "http://localhost:8080/authorized" 197 | ], 198 | "webOrigins": [], 199 | "notBefore": 0, 200 | "bearerOnly": false, 201 | "consentRequired": false, 202 | "standardFlowEnabled": true, 203 | "implicitFlowEnabled": false, 204 | "directAccessGrantsEnabled": true, 205 | "serviceAccountsEnabled": true, 206 | "publicClient": false, 207 | "frontchannelLogout": false, 208 | "protocol": "openid-connect", 209 | "attributes": { 210 | "saml.assertion.signature": "false", 211 | "saml.force.post.binding": "false", 212 | "saml.multivalued.roles": "false", 213 | "saml.encrypt": "false", 214 | "saml.server.signature": "false", 215 | "saml.server.signature.keyinfo.ext": "false", 216 | "exclude.session.state.from.auth.response": "false", 217 | "saml_force_name_id_format": "false", 218 | "saml.client.signature": "false", 219 | "tls.client.certificate.bound.access.tokens": "false", 220 | "saml.authnstatement": "false", 221 | "display.on.consent.screen": "false", 222 | "saml.onetimeuse.condition": "false" 223 | }, 224 | "authenticationFlowBindingOverrides": {}, 225 | "fullScopeAllowed": true, 226 | "nodeReRegistrationTimeout": -1, 227 | "protocolMappers": [ 228 | { 229 | "id": "fb36275e-76ea-42d4-8e19-4caa3dd7ef38", 230 | "name": "Client Host", 231 | "protocol": "openid-connect", 232 | "protocolMapper": "oidc-usersessionmodel-note-mapper", 233 | "consentRequired": false, 234 | "config": { 235 | "user.session.note": "clientHost", 236 | "id.token.claim": "true", 237 | "access.token.claim": "true", 238 | "claim.name": "clientHost", 239 | "jsonType.label": "String" 240 | } 241 | }, 242 | { 243 | "id": "cab81089-d2a1-464e-9a30-79e2fc719cc2", 244 | "name": "Client ID", 245 | "protocol": "openid-connect", 246 | "protocolMapper": "oidc-usersessionmodel-note-mapper", 247 | "consentRequired": false, 248 | "config": { 249 | "user.session.note": "clientId", 250 | "id.token.claim": "true", 251 | "access.token.claim": "true", 252 | "claim.name": "clientId", 253 | "jsonType.label": "String" 254 | } 255 | }, 256 | { 257 | "id": "012bb73e-72aa-42ae-9374-fe22ea1f4db9", 258 | "name": "Client IP Address", 259 | "protocol": "openid-connect", 260 | "protocolMapper": "oidc-usersessionmodel-note-mapper", 261 | "consentRequired": false, 262 | "config": { 263 | "user.session.note": "clientAddress", 264 | "id.token.claim": "true", 265 | "access.token.claim": "true", 266 | "claim.name": "clientAddress", 267 | "jsonType.label": "String" 268 | } 269 | } 270 | ], 271 | "defaultClientScopes": [ 272 | "role_list" 273 | ], 274 | "optionalClientScopes": [ 275 | "message.read", 276 | "message.write" 277 | ] 278 | }, 279 | { 280 | "id": "8d725ab0-4d43-45a3-a0c7-14b822b6e33b", 281 | "clientId": "realm-management", 282 | "name": "${client_realm-management}", 283 | "surrogateAuthRequired": false, 284 | "enabled": true, 285 | "clientAuthenticatorType": "client-secret", 286 | "secret": "**********", 287 | "redirectUris": [], 288 | "webOrigins": [], 289 | "notBefore": 0, 290 | "bearerOnly": true, 291 | "consentRequired": false, 292 | "standardFlowEnabled": true, 293 | "implicitFlowEnabled": false, 294 | "directAccessGrantsEnabled": false, 295 | "serviceAccountsEnabled": false, 296 | "publicClient": false, 297 | "frontchannelLogout": false, 298 | "protocol": "openid-connect", 299 | "attributes": {}, 300 | "authenticationFlowBindingOverrides": {}, 301 | "fullScopeAllowed": false, 302 | "nodeReRegistrationTimeout": 0, 303 | "defaultClientScopes": [ 304 | "web-origins", 305 | "role_list", 306 | "profile", 307 | "roles", 308 | "email" 309 | ], 310 | "optionalClientScopes": [ 311 | "address", 312 | "phone", 313 | "offline_access", 314 | "microprofile-jwt" 315 | ] 316 | }, 317 | { 318 | "id": "91693cc5-b122-4d58-ac8b-fbc3d736efe2", 319 | "clientId": "security-admin-console", 320 | "name": "${client_security-admin-console}", 321 | "baseUrl": "/auth/admin/oauth2-sample/console/index.html", 322 | "surrogateAuthRequired": false, 323 | "enabled": true, 324 | "clientAuthenticatorType": "client-secret", 325 | "secret": "**********", 326 | "redirectUris": [ 327 | "/auth/admin/oauth2-sample/console/*" 328 | ], 329 | "webOrigins": [], 330 | "notBefore": 0, 331 | "bearerOnly": false, 332 | "consentRequired": false, 333 | "standardFlowEnabled": true, 334 | "implicitFlowEnabled": false, 335 | "directAccessGrantsEnabled": false, 336 | "serviceAccountsEnabled": false, 337 | "publicClient": true, 338 | "frontchannelLogout": false, 339 | "protocol": "openid-connect", 340 | "attributes": {}, 341 | "authenticationFlowBindingOverrides": {}, 342 | "fullScopeAllowed": false, 343 | "nodeReRegistrationTimeout": 0, 344 | "protocolMappers": [ 345 | { 346 | "id": "43c11c67-f7a9-4017-978a-142790f0b9c3", 347 | "name": "locale", 348 | "protocol": "openid-connect", 349 | "protocolMapper": "oidc-usermodel-attribute-mapper", 350 | "consentRequired": false, 351 | "config": { 352 | "userinfo.token.claim": "true", 353 | "user.attribute": "locale", 354 | "id.token.claim": "true", 355 | "access.token.claim": "true", 356 | "claim.name": "locale", 357 | "jsonType.label": "String" 358 | } 359 | } 360 | ], 361 | "defaultClientScopes": [ 362 | "web-origins", 363 | "role_list", 364 | "profile", 365 | "roles", 366 | "email" 367 | ], 368 | "optionalClientScopes": [ 369 | "address", 370 | "phone", 371 | "offline_access", 372 | "microprofile-jwt" 373 | ] 374 | } 375 | ], 376 | "clientScopes": [ 377 | { 378 | "id": "903487d2-c2a1-4f37-a6f8-bee8f62b2f25", 379 | "name": "address", 380 | "description": "OpenID Connect built-in scope: address", 381 | "protocol": "openid-connect", 382 | "attributes": { 383 | "include.in.token.scope": "true", 384 | "display.on.consent.screen": "true", 385 | "consent.screen.text": "${addressScopeConsentText}" 386 | }, 387 | "protocolMappers": [ 388 | { 389 | "id": "eca88076-ae84-4ef5-8c41-b19176e426c6", 390 | "name": "address", 391 | "protocol": "openid-connect", 392 | "protocolMapper": "oidc-address-mapper", 393 | "consentRequired": false, 394 | "config": { 395 | "user.attribute.formatted": "formatted", 396 | "user.attribute.country": "country", 397 | "user.attribute.postal_code": "postal_code", 398 | "userinfo.token.claim": "true", 399 | "user.attribute.street": "street", 400 | "id.token.claim": "true", 401 | "user.attribute.region": "region", 402 | "access.token.claim": "true", 403 | "user.attribute.locality": "locality" 404 | } 405 | } 406 | ] 407 | }, 408 | { 409 | "id": "a1287d34-a8f0-417a-a14c-bdc21b030f7d", 410 | "name": "email", 411 | "description": "OpenID Connect built-in scope: email", 412 | "protocol": "openid-connect", 413 | "attributes": { 414 | "include.in.token.scope": "true", 415 | "display.on.consent.screen": "true", 416 | "consent.screen.text": "${emailScopeConsentText}" 417 | }, 418 | "protocolMappers": [ 419 | { 420 | "id": "9c9dc144-e6e4-480a-8495-f41d4d287dcd", 421 | "name": "email verified", 422 | "protocol": "openid-connect", 423 | "protocolMapper": "oidc-usermodel-property-mapper", 424 | "consentRequired": false, 425 | "config": { 426 | "userinfo.token.claim": "true", 427 | "user.attribute": "emailVerified", 428 | "id.token.claim": "true", 429 | "access.token.claim": "true", 430 | "claim.name": "email_verified", 431 | "jsonType.label": "boolean" 432 | } 433 | }, 434 | { 435 | "id": "d2e54024-5959-4527-84d2-1f6acde879da", 436 | "name": "email", 437 | "protocol": "openid-connect", 438 | "protocolMapper": "oidc-usermodel-property-mapper", 439 | "consentRequired": false, 440 | "config": { 441 | "userinfo.token.claim": "true", 442 | "user.attribute": "email", 443 | "id.token.claim": "true", 444 | "access.token.claim": "true", 445 | "claim.name": "email", 446 | "jsonType.label": "String" 447 | } 448 | } 449 | ] 450 | }, 451 | { 452 | "id": "df715527-26dd-48ca-b5df-81e62c6784f3", 453 | "name": "message.read", 454 | "description": "", 455 | "protocol": "openid-connect", 456 | "attributes": { 457 | "include.in.token.scope": "true", 458 | "display.on.consent.screen": "true", 459 | "consent.screen.text": "Grant message.read" 460 | } 461 | }, 462 | { 463 | "id": "af132aaf-d3f0-407f-898d-dbbb4ef08767", 464 | "name": "message.write", 465 | "protocol": "openid-connect", 466 | "attributes": { 467 | "include.in.token.scope": "true", 468 | "display.on.consent.screen": "true", 469 | "consent.screen.text": "Grant message.write" 470 | } 471 | }, 472 | { 473 | "id": "5e0929e4-762f-45da-87f5-53e465597ba9", 474 | "name": "microprofile-jwt", 475 | "description": "Microprofile - JWT built-in scope", 476 | "protocol": "openid-connect", 477 | "attributes": { 478 | "include.in.token.scope": "true", 479 | "display.on.consent.screen": "false" 480 | }, 481 | "protocolMappers": [ 482 | { 483 | "id": "675acacd-2538-4538-a7ea-b0f119dd4c1e", 484 | "name": "upn", 485 | "protocol": "openid-connect", 486 | "protocolMapper": "oidc-usermodel-property-mapper", 487 | "consentRequired": false, 488 | "config": { 489 | "userinfo.token.claim": "true", 490 | "user.attribute": "username", 491 | "id.token.claim": "true", 492 | "access.token.claim": "true", 493 | "claim.name": "upn", 494 | "jsonType.label": "String" 495 | } 496 | }, 497 | { 498 | "id": "9aa6f812-7227-4467-9bce-eb40e8531d79", 499 | "name": "groups", 500 | "protocol": "openid-connect", 501 | "protocolMapper": "oidc-usermodel-realm-role-mapper", 502 | "consentRequired": false, 503 | "config": { 504 | "multivalued": "true", 505 | "user.attribute": "foo", 506 | "id.token.claim": "true", 507 | "access.token.claim": "true", 508 | "claim.name": "groups", 509 | "jsonType.label": "String" 510 | } 511 | } 512 | ] 513 | }, 514 | { 515 | "id": "df056111-8f34-4274-b725-d49538f6acbd", 516 | "name": "offline_access", 517 | "description": "OpenID Connect built-in scope: offline_access", 518 | "protocol": "openid-connect", 519 | "attributes": { 520 | "consent.screen.text": "${offlineAccessScopeConsentText}", 521 | "display.on.consent.screen": "true" 522 | } 523 | }, 524 | { 525 | "id": "fde90e3d-223f-4403-bf63-01a570f2ff93", 526 | "name": "phone", 527 | "description": "OpenID Connect built-in scope: phone", 528 | "protocol": "openid-connect", 529 | "attributes": { 530 | "include.in.token.scope": "true", 531 | "display.on.consent.screen": "true", 532 | "consent.screen.text": "${phoneScopeConsentText}" 533 | }, 534 | "protocolMappers": [ 535 | { 536 | "id": "4ea3a574-43c2-4e13-a698-039a152724b0", 537 | "name": "phone number verified", 538 | "protocol": "openid-connect", 539 | "protocolMapper": "oidc-usermodel-attribute-mapper", 540 | "consentRequired": false, 541 | "config": { 542 | "userinfo.token.claim": "true", 543 | "user.attribute": "phoneNumberVerified", 544 | "id.token.claim": "true", 545 | "access.token.claim": "true", 546 | "claim.name": "phone_number_verified", 547 | "jsonType.label": "boolean" 548 | } 549 | }, 550 | { 551 | "id": "1078c48e-f68f-474c-bb14-eae99fb04342", 552 | "name": "phone number", 553 | "protocol": "openid-connect", 554 | "protocolMapper": "oidc-usermodel-attribute-mapper", 555 | "consentRequired": false, 556 | "config": { 557 | "userinfo.token.claim": "true", 558 | "user.attribute": "phoneNumber", 559 | "id.token.claim": "true", 560 | "access.token.claim": "true", 561 | "claim.name": "phone_number", 562 | "jsonType.label": "String" 563 | } 564 | } 565 | ] 566 | }, 567 | { 568 | "id": "b846621f-7ff4-4a0c-9342-7c8171d271c0", 569 | "name": "profile", 570 | "description": "OpenID Connect built-in scope: profile", 571 | "protocol": "openid-connect", 572 | "attributes": { 573 | "include.in.token.scope": "true", 574 | "display.on.consent.screen": "true", 575 | "consent.screen.text": "${profileScopeConsentText}" 576 | }, 577 | "protocolMappers": [ 578 | { 579 | "id": "4c4b3530-bd57-4a76-ba48-8537b0cc25c3", 580 | "name": "middle name", 581 | "protocol": "openid-connect", 582 | "protocolMapper": "oidc-usermodel-attribute-mapper", 583 | "consentRequired": false, 584 | "config": { 585 | "userinfo.token.claim": "true", 586 | "user.attribute": "middleName", 587 | "id.token.claim": "true", 588 | "access.token.claim": "true", 589 | "claim.name": "middle_name", 590 | "jsonType.label": "String" 591 | } 592 | }, 593 | { 594 | "id": "8e876080-b947-4857-a172-2ff72930b56a", 595 | "name": "zoneinfo", 596 | "protocol": "openid-connect", 597 | "protocolMapper": "oidc-usermodel-attribute-mapper", 598 | "consentRequired": false, 599 | "config": { 600 | "userinfo.token.claim": "true", 601 | "user.attribute": "zoneinfo", 602 | "id.token.claim": "true", 603 | "access.token.claim": "true", 604 | "claim.name": "zoneinfo", 605 | "jsonType.label": "String" 606 | } 607 | }, 608 | { 609 | "id": "b34d119d-e22a-49c3-98e1-766084606516", 610 | "name": "updated at", 611 | "protocol": "openid-connect", 612 | "protocolMapper": "oidc-usermodel-attribute-mapper", 613 | "consentRequired": false, 614 | "config": { 615 | "userinfo.token.claim": "true", 616 | "user.attribute": "updatedAt", 617 | "id.token.claim": "true", 618 | "access.token.claim": "true", 619 | "claim.name": "updated_at", 620 | "jsonType.label": "String" 621 | } 622 | }, 623 | { 624 | "id": "38ef101c-702e-4608-a5e4-a2f64ab0bd78", 625 | "name": "family name", 626 | "protocol": "openid-connect", 627 | "protocolMapper": "oidc-usermodel-property-mapper", 628 | "consentRequired": false, 629 | "config": { 630 | "userinfo.token.claim": "true", 631 | "user.attribute": "lastName", 632 | "id.token.claim": "true", 633 | "access.token.claim": "true", 634 | "claim.name": "family_name", 635 | "jsonType.label": "String" 636 | } 637 | }, 638 | { 639 | "id": "3980fe66-be0b-4212-b078-ef4fafa50d44", 640 | "name": "website", 641 | "protocol": "openid-connect", 642 | "protocolMapper": "oidc-usermodel-attribute-mapper", 643 | "consentRequired": false, 644 | "config": { 645 | "userinfo.token.claim": "true", 646 | "user.attribute": "website", 647 | "id.token.claim": "true", 648 | "access.token.claim": "true", 649 | "claim.name": "website", 650 | "jsonType.label": "String" 651 | } 652 | }, 653 | { 654 | "id": "77583b1b-0182-4bd9-ae37-73057a7c1085", 655 | "name": "nickname", 656 | "protocol": "openid-connect", 657 | "protocolMapper": "oidc-usermodel-attribute-mapper", 658 | "consentRequired": false, 659 | "config": { 660 | "userinfo.token.claim": "true", 661 | "user.attribute": "nickname", 662 | "id.token.claim": "true", 663 | "access.token.claim": "true", 664 | "claim.name": "nickname", 665 | "jsonType.label": "String" 666 | } 667 | }, 668 | { 669 | "id": "e4724dad-16bc-40f7-9ac4-42ca986fbcd2", 670 | "name": "profile", 671 | "protocol": "openid-connect", 672 | "protocolMapper": "oidc-usermodel-attribute-mapper", 673 | "consentRequired": false, 674 | "config": { 675 | "userinfo.token.claim": "true", 676 | "user.attribute": "profile", 677 | "id.token.claim": "true", 678 | "access.token.claim": "true", 679 | "claim.name": "profile", 680 | "jsonType.label": "String" 681 | } 682 | }, 683 | { 684 | "id": "65712e68-d56a-410c-bcfd-c19a5ee5c738", 685 | "name": "birthdate", 686 | "protocol": "openid-connect", 687 | "protocolMapper": "oidc-usermodel-attribute-mapper", 688 | "consentRequired": false, 689 | "config": { 690 | "userinfo.token.claim": "true", 691 | "user.attribute": "birthdate", 692 | "id.token.claim": "true", 693 | "access.token.claim": "true", 694 | "claim.name": "birthdate", 695 | "jsonType.label": "String" 696 | } 697 | }, 698 | { 699 | "id": "e0bb58b0-1f97-424f-bab3-4a5de50a1f5a", 700 | "name": "username", 701 | "protocol": "openid-connect", 702 | "protocolMapper": "oidc-usermodel-property-mapper", 703 | "consentRequired": false, 704 | "config": { 705 | "userinfo.token.claim": "true", 706 | "user.attribute": "username", 707 | "id.token.claim": "true", 708 | "access.token.claim": "true", 709 | "claim.name": "preferred_username", 710 | "jsonType.label": "String" 711 | } 712 | }, 713 | { 714 | "id": "774e650a-97e5-4383-a007-9a9040d7cfd3", 715 | "name": "full name", 716 | "protocol": "openid-connect", 717 | "protocolMapper": "oidc-full-name-mapper", 718 | "consentRequired": false, 719 | "config": { 720 | "id.token.claim": "true", 721 | "access.token.claim": "true", 722 | "userinfo.token.claim": "true" 723 | } 724 | }, 725 | { 726 | "id": "4c0eea6b-e1f4-4bf5-87f4-ae780278c490", 727 | "name": "gender", 728 | "protocol": "openid-connect", 729 | "protocolMapper": "oidc-usermodel-attribute-mapper", 730 | "consentRequired": false, 731 | "config": { 732 | "userinfo.token.claim": "true", 733 | "user.attribute": "gender", 734 | "id.token.claim": "true", 735 | "access.token.claim": "true", 736 | "claim.name": "gender", 737 | "jsonType.label": "String" 738 | } 739 | }, 740 | { 741 | "id": "b604f698-9de5-4e19-a6b8-31d5be3f7ec3", 742 | "name": "given name", 743 | "protocol": "openid-connect", 744 | "protocolMapper": "oidc-usermodel-property-mapper", 745 | "consentRequired": false, 746 | "config": { 747 | "userinfo.token.claim": "true", 748 | "user.attribute": "firstName", 749 | "id.token.claim": "true", 750 | "access.token.claim": "true", 751 | "claim.name": "given_name", 752 | "jsonType.label": "String" 753 | } 754 | }, 755 | { 756 | "id": "c571f65a-b05a-4696-9f65-997f7cd7fb1a", 757 | "name": "picture", 758 | "protocol": "openid-connect", 759 | "protocolMapper": "oidc-usermodel-attribute-mapper", 760 | "consentRequired": false, 761 | "config": { 762 | "userinfo.token.claim": "true", 763 | "user.attribute": "picture", 764 | "id.token.claim": "true", 765 | "access.token.claim": "true", 766 | "claim.name": "picture", 767 | "jsonType.label": "String" 768 | } 769 | }, 770 | { 771 | "id": "71130bf6-7ab6-4b64-922c-cffb5361ff8d", 772 | "name": "locale", 773 | "protocol": "openid-connect", 774 | "protocolMapper": "oidc-usermodel-attribute-mapper", 775 | "consentRequired": false, 776 | "config": { 777 | "userinfo.token.claim": "true", 778 | "user.attribute": "locale", 779 | "id.token.claim": "true", 780 | "access.token.claim": "true", 781 | "claim.name": "locale", 782 | "jsonType.label": "String" 783 | } 784 | } 785 | ] 786 | }, 787 | { 788 | "id": "bc133230-429f-46ee-9f94-8372982d2ee1", 789 | "name": "role_list", 790 | "description": "SAML role list", 791 | "protocol": "saml", 792 | "attributes": { 793 | "consent.screen.text": "${samlRoleListScopeConsentText}", 794 | "display.on.consent.screen": "true" 795 | }, 796 | "protocolMappers": [ 797 | { 798 | "id": "509b5858-f59e-4671-8eda-026d7c730cfb", 799 | "name": "role list", 800 | "protocol": "saml", 801 | "protocolMapper": "saml-role-list-mapper", 802 | "consentRequired": false, 803 | "config": { 804 | "single": "false", 805 | "attribute.nameformat": "Basic", 806 | "attribute.name": "Role" 807 | } 808 | } 809 | ] 810 | }, 811 | { 812 | "id": "259143f7-3a5f-4ee2-9dfd-80abec2a0ea7", 813 | "name": "roles", 814 | "description": "OpenID Connect scope for add user roles to the access token", 815 | "protocol": "openid-connect", 816 | "attributes": { 817 | "include.in.token.scope": "false", 818 | "display.on.consent.screen": "true", 819 | "consent.screen.text": "${rolesScopeConsentText}" 820 | }, 821 | "protocolMappers": [ 822 | { 823 | "id": "85668dfe-a03b-4297-96c7-9c83a0fa9f19", 824 | "name": "realm roles", 825 | "protocol": "openid-connect", 826 | "protocolMapper": "oidc-usermodel-realm-role-mapper", 827 | "consentRequired": false, 828 | "config": { 829 | "user.attribute": "foo", 830 | "access.token.claim": "true", 831 | "claim.name": "realm_access.roles", 832 | "jsonType.label": "String", 833 | "multivalued": "true" 834 | } 835 | }, 836 | { 837 | "id": "03200562-dd3a-41c1-8f90-5ee4b5070688", 838 | "name": "audience resolve", 839 | "protocol": "openid-connect", 840 | "protocolMapper": "oidc-audience-resolve-mapper", 841 | "consentRequired": false, 842 | "config": {} 843 | }, 844 | { 845 | "id": "abc20049-040c-43cd-9dae-5558ad15cd9d", 846 | "name": "client roles", 847 | "protocol": "openid-connect", 848 | "protocolMapper": "oidc-usermodel-client-role-mapper", 849 | "consentRequired": false, 850 | "config": { 851 | "user.attribute": "foo", 852 | "access.token.claim": "true", 853 | "claim.name": "resource_access.${client_id}.roles", 854 | "jsonType.label": "String", 855 | "multivalued": "true" 856 | } 857 | } 858 | ] 859 | }, 860 | { 861 | "id": "506754c6-43bb-44ec-8f84-0d8a36f345c3", 862 | "name": "web-origins", 863 | "description": "OpenID Connect scope for add allowed web origins to the access token", 864 | "protocol": "openid-connect", 865 | "attributes": { 866 | "include.in.token.scope": "false", 867 | "display.on.consent.screen": "false", 868 | "consent.screen.text": "" 869 | }, 870 | "protocolMappers": [ 871 | { 872 | "id": "657d0147-0e18-4a66-bb0b-74111417b654", 873 | "name": "allowed web origins", 874 | "protocol": "openid-connect", 875 | "protocolMapper": "oidc-allowed-origins-mapper", 876 | "consentRequired": false, 877 | "config": {} 878 | } 879 | ] 880 | } 881 | ], 882 | "defaultDefaultClientScopes": [ 883 | "role_list", 884 | "profile", 885 | "email", 886 | "roles", 887 | "web-origins" 888 | ], 889 | "defaultOptionalClientScopes": [ 890 | "offline_access", 891 | "address", 892 | "phone", 893 | "microprofile-jwt" 894 | ], 895 | "browserSecurityHeaders": { 896 | "contentSecurityPolicyReportOnly": "", 897 | "xContentTypeOptions": "nosniff", 898 | "xRobotsTag": "none", 899 | "xFrameOptions": "SAMEORIGIN", 900 | "xXSSProtection": "1; mode=block", 901 | "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", 902 | "strictTransportSecurity": "max-age=31536000; includeSubDomains" 903 | }, 904 | "smtpServer": {}, 905 | "eventsEnabled": false, 906 | "eventsListeners": [ 907 | "jboss-logging" 908 | ], 909 | "enabledEventTypes": [], 910 | "adminEventsEnabled": false, 911 | "adminEventsDetailsEnabled": false, 912 | "components": { 913 | "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ 914 | { 915 | "id": "cc0b059f-ef3b-412f-a6d7-aafa47957512", 916 | "name": "Allowed Protocol Mapper Types", 917 | "providerId": "allowed-protocol-mappers", 918 | "subType": "anonymous", 919 | "subComponents": {}, 920 | "config": { 921 | "allowed-protocol-mapper-types": [ 922 | "oidc-full-name-mapper", 923 | "saml-user-property-mapper", 924 | "oidc-sha256-pairwise-sub-mapper", 925 | "oidc-address-mapper", 926 | "saml-role-list-mapper", 927 | "saml-user-attribute-mapper", 928 | "oidc-usermodel-property-mapper", 929 | "oidc-usermodel-attribute-mapper" 930 | ] 931 | } 932 | }, 933 | { 934 | "id": "c08d58d9-d886-48dc-982e-9fe1d2ad22ab", 935 | "name": "Max Clients Limit", 936 | "providerId": "max-clients", 937 | "subType": "anonymous", 938 | "subComponents": {}, 939 | "config": { 940 | "max-clients": [ 941 | "200" 942 | ] 943 | } 944 | }, 945 | { 946 | "id": "18892106-a405-45d6-9177-8ebc182384e5", 947 | "name": "Allowed Client Scopes", 948 | "providerId": "allowed-client-templates", 949 | "subType": "authenticated", 950 | "subComponents": {}, 951 | "config": { 952 | "allow-default-scopes": [ 953 | "true" 954 | ] 955 | } 956 | }, 957 | { 958 | "id": "9778e3a4-c612-4d5e-8349-c984eaf7202a", 959 | "name": "Allowed Protocol Mapper Types", 960 | "providerId": "allowed-protocol-mappers", 961 | "subType": "authenticated", 962 | "subComponents": {}, 963 | "config": { 964 | "allowed-protocol-mapper-types": [ 965 | "oidc-full-name-mapper", 966 | "saml-user-attribute-mapper", 967 | "oidc-address-mapper", 968 | "saml-role-list-mapper", 969 | "oidc-sha256-pairwise-sub-mapper", 970 | "saml-user-property-mapper", 971 | "oidc-usermodel-property-mapper", 972 | "oidc-usermodel-attribute-mapper" 973 | ] 974 | } 975 | }, 976 | { 977 | "id": "61077ec5-7d87-4ec4-a4d2-0e79524690fd", 978 | "name": "Full Scope Disabled", 979 | "providerId": "scope", 980 | "subType": "anonymous", 981 | "subComponents": {}, 982 | "config": {} 983 | }, 984 | { 985 | "id": "b0b09807-e3d1-4df6-8f83-092c85052945", 986 | "name": "Allowed Client Scopes", 987 | "providerId": "allowed-client-templates", 988 | "subType": "anonymous", 989 | "subComponents": {}, 990 | "config": { 991 | "allow-default-scopes": [ 992 | "true" 993 | ] 994 | } 995 | }, 996 | { 997 | "id": "a5a7b1c1-533b-49dd-9d16-5e93ab69445a", 998 | "name": "Trusted Hosts", 999 | "providerId": "trusted-hosts", 1000 | "subType": "anonymous", 1001 | "subComponents": {}, 1002 | "config": { 1003 | "host-sending-registration-request-must-match": [ 1004 | "true" 1005 | ], 1006 | "client-uris-must-match": [ 1007 | "true" 1008 | ] 1009 | } 1010 | }, 1011 | { 1012 | "id": "5de68f2f-f6e3-4871-997f-3f78a9f94277", 1013 | "name": "Consent Required", 1014 | "providerId": "consent-required", 1015 | "subType": "anonymous", 1016 | "subComponents": {}, 1017 | "config": {} 1018 | } 1019 | ], 1020 | "org.keycloak.keys.KeyProvider": [ 1021 | { 1022 | "id": "0275394b-2822-4e1f-b400-95cd441af565", 1023 | "name": "rsa-generated", 1024 | "providerId": "rsa-generated", 1025 | "subComponents": {}, 1026 | "config": { 1027 | "priority": [ 1028 | "100" 1029 | ] 1030 | } 1031 | }, 1032 | { 1033 | "id": "8e5772f0-2a3e-4510-a1d4-fac2c6421211", 1034 | "name": "aes-generated", 1035 | "providerId": "aes-generated", 1036 | "subComponents": {}, 1037 | "config": { 1038 | "priority": [ 1039 | "100" 1040 | ] 1041 | } 1042 | }, 1043 | { 1044 | "id": "c5c84caa-acd7-4a75-8bd7-8b8d22562a4e", 1045 | "name": "hmac-generated", 1046 | "providerId": "hmac-generated", 1047 | "subComponents": {}, 1048 | "config": { 1049 | "priority": [ 1050 | "100" 1051 | ], 1052 | "algorithm": [ 1053 | "HS256" 1054 | ] 1055 | } 1056 | } 1057 | ] 1058 | }, 1059 | "internationalizationEnabled": false, 1060 | "supportedLocales": [], 1061 | "authenticationFlows": [ 1062 | { 1063 | "id": "87cbf786-b5bb-467d-adc7-39a12904793f", 1064 | "alias": "Handle Existing Account", 1065 | "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", 1066 | "providerId": "basic-flow", 1067 | "topLevel": false, 1068 | "builtIn": true, 1069 | "authenticationExecutions": [ 1070 | { 1071 | "authenticator": "idp-confirm-link", 1072 | "requirement": "REQUIRED", 1073 | "priority": 10, 1074 | "userSetupAllowed": false, 1075 | "autheticatorFlow": false 1076 | }, 1077 | { 1078 | "authenticator": "idp-email-verification", 1079 | "requirement": "ALTERNATIVE", 1080 | "priority": 20, 1081 | "userSetupAllowed": false, 1082 | "autheticatorFlow": false 1083 | }, 1084 | { 1085 | "requirement": "ALTERNATIVE", 1086 | "priority": 30, 1087 | "flowAlias": "Verify Existing Account by Re-authentication", 1088 | "userSetupAllowed": false, 1089 | "autheticatorFlow": true 1090 | } 1091 | ] 1092 | }, 1093 | { 1094 | "id": "8fbbfbd5-4396-4700-a571-b46b9f9c03c5", 1095 | "alias": "Verify Existing Account by Re-authentication", 1096 | "description": "Reauthentication of existing account", 1097 | "providerId": "basic-flow", 1098 | "topLevel": false, 1099 | "builtIn": true, 1100 | "authenticationExecutions": [ 1101 | { 1102 | "authenticator": "idp-username-password-form", 1103 | "requirement": "REQUIRED", 1104 | "priority": 10, 1105 | "userSetupAllowed": false, 1106 | "autheticatorFlow": false 1107 | }, 1108 | { 1109 | "authenticator": "auth-otp-form", 1110 | "requirement": "OPTIONAL", 1111 | "priority": 20, 1112 | "userSetupAllowed": false, 1113 | "autheticatorFlow": false 1114 | } 1115 | ] 1116 | }, 1117 | { 1118 | "id": "86672dc7-038f-447a-9415-a01aacf67e70", 1119 | "alias": "browser", 1120 | "description": "browser based authentication", 1121 | "providerId": "basic-flow", 1122 | "topLevel": true, 1123 | "builtIn": true, 1124 | "authenticationExecutions": [ 1125 | { 1126 | "authenticator": "auth-cookie", 1127 | "requirement": "ALTERNATIVE", 1128 | "priority": 10, 1129 | "userSetupAllowed": false, 1130 | "autheticatorFlow": false 1131 | }, 1132 | { 1133 | "authenticator": "auth-spnego", 1134 | "requirement": "DISABLED", 1135 | "priority": 20, 1136 | "userSetupAllowed": false, 1137 | "autheticatorFlow": false 1138 | }, 1139 | { 1140 | "authenticator": "identity-provider-redirector", 1141 | "requirement": "ALTERNATIVE", 1142 | "priority": 25, 1143 | "userSetupAllowed": false, 1144 | "autheticatorFlow": false 1145 | }, 1146 | { 1147 | "requirement": "ALTERNATIVE", 1148 | "priority": 30, 1149 | "flowAlias": "forms", 1150 | "userSetupAllowed": false, 1151 | "autheticatorFlow": true 1152 | } 1153 | ] 1154 | }, 1155 | { 1156 | "id": "2ad58f9a-860f-4eed-959d-e3f44b6fce74", 1157 | "alias": "clients", 1158 | "description": "Base authentication for clients", 1159 | "providerId": "client-flow", 1160 | "topLevel": true, 1161 | "builtIn": true, 1162 | "authenticationExecutions": [ 1163 | { 1164 | "authenticator": "client-secret", 1165 | "requirement": "ALTERNATIVE", 1166 | "priority": 10, 1167 | "userSetupAllowed": false, 1168 | "autheticatorFlow": false 1169 | }, 1170 | { 1171 | "authenticator": "client-jwt", 1172 | "requirement": "ALTERNATIVE", 1173 | "priority": 20, 1174 | "userSetupAllowed": false, 1175 | "autheticatorFlow": false 1176 | }, 1177 | { 1178 | "authenticator": "client-secret-jwt", 1179 | "requirement": "ALTERNATIVE", 1180 | "priority": 30, 1181 | "userSetupAllowed": false, 1182 | "autheticatorFlow": false 1183 | }, 1184 | { 1185 | "authenticator": "client-x509", 1186 | "requirement": "ALTERNATIVE", 1187 | "priority": 40, 1188 | "userSetupAllowed": false, 1189 | "autheticatorFlow": false 1190 | } 1191 | ] 1192 | }, 1193 | { 1194 | "id": "f1824c03-2e37-49ec-afc0-f58416a100a9", 1195 | "alias": "direct grant", 1196 | "description": "OpenID Connect Resource Owner Grant", 1197 | "providerId": "basic-flow", 1198 | "topLevel": true, 1199 | "builtIn": true, 1200 | "authenticationExecutions": [ 1201 | { 1202 | "authenticator": "direct-grant-validate-username", 1203 | "requirement": "REQUIRED", 1204 | "priority": 10, 1205 | "userSetupAllowed": false, 1206 | "autheticatorFlow": false 1207 | }, 1208 | { 1209 | "authenticator": "direct-grant-validate-password", 1210 | "requirement": "REQUIRED", 1211 | "priority": 20, 1212 | "userSetupAllowed": false, 1213 | "autheticatorFlow": false 1214 | }, 1215 | { 1216 | "authenticator": "direct-grant-validate-otp", 1217 | "requirement": "OPTIONAL", 1218 | "priority": 30, 1219 | "userSetupAllowed": false, 1220 | "autheticatorFlow": false 1221 | } 1222 | ] 1223 | }, 1224 | { 1225 | "id": "6790702f-972c-4534-b9dd-1baef6341c3f", 1226 | "alias": "docker auth", 1227 | "description": "Used by Docker clients to authenticate against the IDP", 1228 | "providerId": "basic-flow", 1229 | "topLevel": true, 1230 | "builtIn": true, 1231 | "authenticationExecutions": [ 1232 | { 1233 | "authenticator": "docker-http-basic-authenticator", 1234 | "requirement": "REQUIRED", 1235 | "priority": 10, 1236 | "userSetupAllowed": false, 1237 | "autheticatorFlow": false 1238 | } 1239 | ] 1240 | }, 1241 | { 1242 | "id": "cd695ed7-81e9-4617-bc64-ec96f47f8102", 1243 | "alias": "first broker login", 1244 | "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", 1245 | "providerId": "basic-flow", 1246 | "topLevel": true, 1247 | "builtIn": true, 1248 | "authenticationExecutions": [ 1249 | { 1250 | "authenticatorConfig": "review profile config", 1251 | "authenticator": "idp-review-profile", 1252 | "requirement": "REQUIRED", 1253 | "priority": 10, 1254 | "userSetupAllowed": false, 1255 | "autheticatorFlow": false 1256 | }, 1257 | { 1258 | "authenticatorConfig": "create unique user config", 1259 | "authenticator": "idp-create-user-if-unique", 1260 | "requirement": "ALTERNATIVE", 1261 | "priority": 20, 1262 | "userSetupAllowed": false, 1263 | "autheticatorFlow": false 1264 | }, 1265 | { 1266 | "requirement": "ALTERNATIVE", 1267 | "priority": 30, 1268 | "flowAlias": "Handle Existing Account", 1269 | "userSetupAllowed": false, 1270 | "autheticatorFlow": true 1271 | } 1272 | ] 1273 | }, 1274 | { 1275 | "id": "95b31dcc-ef90-4926-88c0-a5346151d997", 1276 | "alias": "forms", 1277 | "description": "Username, password, otp and other auth forms.", 1278 | "providerId": "basic-flow", 1279 | "topLevel": false, 1280 | "builtIn": true, 1281 | "authenticationExecutions": [ 1282 | { 1283 | "authenticator": "auth-username-password-form", 1284 | "requirement": "REQUIRED", 1285 | "priority": 10, 1286 | "userSetupAllowed": false, 1287 | "autheticatorFlow": false 1288 | }, 1289 | { 1290 | "authenticator": "auth-otp-form", 1291 | "requirement": "OPTIONAL", 1292 | "priority": 20, 1293 | "userSetupAllowed": false, 1294 | "autheticatorFlow": false 1295 | } 1296 | ] 1297 | }, 1298 | { 1299 | "id": "94c6b38a-50a7-4143-8c35-5c228bc4e0a7", 1300 | "alias": "http challenge", 1301 | "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", 1302 | "providerId": "basic-flow", 1303 | "topLevel": true, 1304 | "builtIn": true, 1305 | "authenticationExecutions": [ 1306 | { 1307 | "authenticator": "no-cookie-redirect", 1308 | "requirement": "REQUIRED", 1309 | "priority": 10, 1310 | "userSetupAllowed": false, 1311 | "autheticatorFlow": false 1312 | }, 1313 | { 1314 | "authenticator": "basic-auth", 1315 | "requirement": "REQUIRED", 1316 | "priority": 20, 1317 | "userSetupAllowed": false, 1318 | "autheticatorFlow": false 1319 | }, 1320 | { 1321 | "authenticator": "basic-auth-otp", 1322 | "requirement": "DISABLED", 1323 | "priority": 30, 1324 | "userSetupAllowed": false, 1325 | "autheticatorFlow": false 1326 | }, 1327 | { 1328 | "authenticator": "auth-spnego", 1329 | "requirement": "DISABLED", 1330 | "priority": 40, 1331 | "userSetupAllowed": false, 1332 | "autheticatorFlow": false 1333 | } 1334 | ] 1335 | }, 1336 | { 1337 | "id": "57f3cd30-cca1-41dc-9f4b-ffd178a58615", 1338 | "alias": "registration", 1339 | "description": "registration flow", 1340 | "providerId": "basic-flow", 1341 | "topLevel": true, 1342 | "builtIn": true, 1343 | "authenticationExecutions": [ 1344 | { 1345 | "authenticator": "registration-page-form", 1346 | "requirement": "REQUIRED", 1347 | "priority": 10, 1348 | "flowAlias": "registration form", 1349 | "userSetupAllowed": false, 1350 | "autheticatorFlow": true 1351 | } 1352 | ] 1353 | }, 1354 | { 1355 | "id": "77612098-68e5-44f5-a647-26d306a99961", 1356 | "alias": "registration form", 1357 | "description": "registration form", 1358 | "providerId": "form-flow", 1359 | "topLevel": false, 1360 | "builtIn": true, 1361 | "authenticationExecutions": [ 1362 | { 1363 | "authenticator": "registration-user-creation", 1364 | "requirement": "REQUIRED", 1365 | "priority": 20, 1366 | "userSetupAllowed": false, 1367 | "autheticatorFlow": false 1368 | }, 1369 | { 1370 | "authenticator": "registration-profile-action", 1371 | "requirement": "REQUIRED", 1372 | "priority": 40, 1373 | "userSetupAllowed": false, 1374 | "autheticatorFlow": false 1375 | }, 1376 | { 1377 | "authenticator": "registration-password-action", 1378 | "requirement": "REQUIRED", 1379 | "priority": 50, 1380 | "userSetupAllowed": false, 1381 | "autheticatorFlow": false 1382 | }, 1383 | { 1384 | "authenticator": "registration-recaptcha-action", 1385 | "requirement": "DISABLED", 1386 | "priority": 60, 1387 | "userSetupAllowed": false, 1388 | "autheticatorFlow": false 1389 | } 1390 | ] 1391 | }, 1392 | { 1393 | "id": "20a872a8-b0e0-424a-92a4-2060e9c4ae05", 1394 | "alias": "reset credentials", 1395 | "description": "Reset credentials for a user if they forgot their password or something", 1396 | "providerId": "basic-flow", 1397 | "topLevel": true, 1398 | "builtIn": true, 1399 | "authenticationExecutions": [ 1400 | { 1401 | "authenticator": "reset-credentials-choose-user", 1402 | "requirement": "REQUIRED", 1403 | "priority": 10, 1404 | "userSetupAllowed": false, 1405 | "autheticatorFlow": false 1406 | }, 1407 | { 1408 | "authenticator": "reset-credential-email", 1409 | "requirement": "REQUIRED", 1410 | "priority": 20, 1411 | "userSetupAllowed": false, 1412 | "autheticatorFlow": false 1413 | }, 1414 | { 1415 | "authenticator": "reset-password", 1416 | "requirement": "REQUIRED", 1417 | "priority": 30, 1418 | "userSetupAllowed": false, 1419 | "autheticatorFlow": false 1420 | }, 1421 | { 1422 | "authenticator": "reset-otp", 1423 | "requirement": "OPTIONAL", 1424 | "priority": 40, 1425 | "userSetupAllowed": false, 1426 | "autheticatorFlow": false 1427 | } 1428 | ] 1429 | }, 1430 | { 1431 | "id": "6c5b1dd0-17ec-4b7d-bde0-296376eb22a7", 1432 | "alias": "saml ecp", 1433 | "description": "SAML ECP Profile Authentication Flow", 1434 | "providerId": "basic-flow", 1435 | "topLevel": true, 1436 | "builtIn": true, 1437 | "authenticationExecutions": [ 1438 | { 1439 | "authenticator": "http-basic-authenticator", 1440 | "requirement": "REQUIRED", 1441 | "priority": 10, 1442 | "userSetupAllowed": false, 1443 | "autheticatorFlow": false 1444 | } 1445 | ] 1446 | } 1447 | ], 1448 | "authenticatorConfig": [ 1449 | { 1450 | "id": "e18db139-f808-4c28-a9a3-28df7917988a", 1451 | "alias": "create unique user config", 1452 | "config": { 1453 | "require.password.update.after.registration": "false" 1454 | } 1455 | }, 1456 | { 1457 | "id": "af7864bc-26f3-4b20-9ffb-ce35ca8a10bd", 1458 | "alias": "review profile config", 1459 | "config": { 1460 | "update.profile.on.first.login": "missing" 1461 | } 1462 | } 1463 | ], 1464 | "requiredActions": [ 1465 | { 1466 | "alias": "CONFIGURE_TOTP", 1467 | "name": "Configure OTP", 1468 | "providerId": "CONFIGURE_TOTP", 1469 | "enabled": true, 1470 | "defaultAction": false, 1471 | "priority": 10, 1472 | "config": {} 1473 | }, 1474 | { 1475 | "alias": "terms_and_conditions", 1476 | "name": "Terms and Conditions", 1477 | "providerId": "terms_and_conditions", 1478 | "enabled": false, 1479 | "defaultAction": false, 1480 | "priority": 20, 1481 | "config": {} 1482 | }, 1483 | { 1484 | "alias": "UPDATE_PASSWORD", 1485 | "name": "Update Password", 1486 | "providerId": "UPDATE_PASSWORD", 1487 | "enabled": true, 1488 | "defaultAction": false, 1489 | "priority": 30, 1490 | "config": {} 1491 | }, 1492 | { 1493 | "alias": "UPDATE_PROFILE", 1494 | "name": "Update Profile", 1495 | "providerId": "UPDATE_PROFILE", 1496 | "enabled": true, 1497 | "defaultAction": false, 1498 | "priority": 40, 1499 | "config": {} 1500 | }, 1501 | { 1502 | "alias": "VERIFY_EMAIL", 1503 | "name": "Verify Email", 1504 | "providerId": "VERIFY_EMAIL", 1505 | "enabled": true, 1506 | "defaultAction": false, 1507 | "priority": 50, 1508 | "config": {} 1509 | } 1510 | ], 1511 | "browserFlow": "browser", 1512 | "registrationFlow": "registration", 1513 | "directGrantFlow": "direct grant", 1514 | "resetCredentialsFlow": "reset credentials", 1515 | "clientAuthenticationFlow": "clients", 1516 | "dockerAuthenticationFlow": "docker auth", 1517 | "attributes": { 1518 | "_browser_header.xXSSProtection": "1; mode=block", 1519 | "_browser_header.xFrameOptions": "SAMEORIGIN", 1520 | "_browser_header.strictTransportSecurity": "max-age=31536000; includeSubDomains", 1521 | "permanentLockout": "false", 1522 | "quickLoginCheckMilliSeconds": "1000", 1523 | "displayName": "Keycloak OAuth 2.0 Sample", 1524 | "_browser_header.xRobotsTag": "none", 1525 | "maxFailureWaitSeconds": "900", 1526 | "minimumQuickLoginWaitSeconds": "60", 1527 | "displayNameHtml": "
Keycloak OAuth 2.0 Sample
", 1528 | "failureFactor": "30", 1529 | "actionTokenGeneratedByUserLifespan": "300", 1530 | "maxDeltaTimeSeconds": "43200", 1531 | "_browser_header.xContentTypeOptions": "nosniff", 1532 | "offlineSessionMaxLifespan": "5184000", 1533 | "actionTokenGeneratedByAdminLifespan": "43200", 1534 | "_browser_header.contentSecurityPolicyReportOnly": "", 1535 | "bruteForceProtected": "false", 1536 | "_browser_header.contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", 1537 | "waitIncrementSeconds": "60", 1538 | "offlineSessionMaxLifespanEnabled": "false" 1539 | }, 1540 | "keycloakVersion": "7.0.1", 1541 | "userManagedAccessAllowed": false 1542 | } -------------------------------------------------------------------------------- /keycloak/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # https://stackoverflow.com/a/246128/1098564 4 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 5 | 6 | # https://stackoverflow.com/a/47181236/1098564 7 | wget -c https://downloads.jboss.org/keycloak/7.0.1/keycloak-7.0.1.zip 8 | 9 | #https://askubuntu.com/a/994965/109301 10 | unzip -n keycloak-7.0.1.zip 11 | cd keycloak-7.0.1/bin 12 | ./add-user-keycloak.sh -r master -u admin -p password 13 | ./add-user-keycloak.sh -r oauth2-sample -u user1 -p password 14 | ./standalone.sh -Djboss.socket.binding.port-offset=10 -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=$DIR/oauth2-sample-realm-config.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING 15 | -------------------------------------------------------------------------------- /mvnw: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ---------------------------------------------------------------------------- 3 | # Licensed to the Apache Software Foundation (ASF) under one 4 | # or more contributor license agreements. See the NOTICE file 5 | # distributed with this work for additional information 6 | # regarding copyright ownership. The ASF licenses this file 7 | # to you under the Apache License, Version 2.0 (the 8 | # "License"); you may not use this file except in compliance 9 | # with the License. You may obtain a copy of the License at 10 | # 11 | # https://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, 14 | # software distributed under the License is distributed on an 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | # KIND, either express or implied. See the License for the 17 | # specific language governing permissions and limitations 18 | # under the License. 19 | # ---------------------------------------------------------------------------- 20 | 21 | # ---------------------------------------------------------------------------- 22 | # Maven2 Start Up Batch script 23 | # 24 | # Required ENV vars: 25 | # ------------------ 26 | # JAVA_HOME - location of a JDK home dir 27 | # 28 | # Optional ENV vars 29 | # ----------------- 30 | # M2_HOME - location of maven2's installed home dir 31 | # MAVEN_OPTS - parameters passed to the Java VM when running Maven 32 | # e.g. to debug Maven itself, use 33 | # set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 34 | # MAVEN_SKIP_RC - flag to disable loading of mavenrc files 35 | # ---------------------------------------------------------------------------- 36 | 37 | if [ -z "$MAVEN_SKIP_RC" ] ; then 38 | 39 | if [ -f /etc/mavenrc ] ; then 40 | . /etc/mavenrc 41 | fi 42 | 43 | if [ -f "$HOME/.mavenrc" ] ; then 44 | . "$HOME/.mavenrc" 45 | fi 46 | 47 | fi 48 | 49 | # OS specific support. $var _must_ be set to either true or false. 50 | cygwin=false; 51 | darwin=false; 52 | mingw=false 53 | case "`uname`" in 54 | CYGWIN*) cygwin=true ;; 55 | MINGW*) mingw=true;; 56 | Darwin*) darwin=true 57 | # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home 58 | # See https://developer.apple.com/library/mac/qa/qa1170/_index.html 59 | if [ -z "$JAVA_HOME" ]; then 60 | if [ -x "/usr/libexec/java_home" ]; then 61 | export JAVA_HOME="`/usr/libexec/java_home`" 62 | else 63 | export JAVA_HOME="/Library/Java/Home" 64 | fi 65 | fi 66 | ;; 67 | esac 68 | 69 | if [ -z "$JAVA_HOME" ] ; then 70 | if [ -r /etc/gentoo-release ] ; then 71 | JAVA_HOME=`java-config --jre-home` 72 | fi 73 | fi 74 | 75 | if [ -z "$M2_HOME" ] ; then 76 | ## resolve links - $0 may be a link to maven's home 77 | PRG="$0" 78 | 79 | # need this for relative symlinks 80 | while [ -h "$PRG" ] ; do 81 | ls=`ls -ld "$PRG"` 82 | link=`expr "$ls" : '.*-> \(.*\)$'` 83 | if expr "$link" : '/.*' > /dev/null; then 84 | PRG="$link" 85 | else 86 | PRG="`dirname "$PRG"`/$link" 87 | fi 88 | done 89 | 90 | saveddir=`pwd` 91 | 92 | M2_HOME=`dirname "$PRG"`/.. 93 | 94 | # make it fully qualified 95 | M2_HOME=`cd "$M2_HOME" && pwd` 96 | 97 | cd "$saveddir" 98 | # echo Using m2 at $M2_HOME 99 | fi 100 | 101 | # For Cygwin, ensure paths are in UNIX format before anything is touched 102 | if $cygwin ; then 103 | [ -n "$M2_HOME" ] && 104 | M2_HOME=`cygpath --unix "$M2_HOME"` 105 | [ -n "$JAVA_HOME" ] && 106 | JAVA_HOME=`cygpath --unix "$JAVA_HOME"` 107 | [ -n "$CLASSPATH" ] && 108 | CLASSPATH=`cygpath --path --unix "$CLASSPATH"` 109 | fi 110 | 111 | # For Mingw, ensure paths are in UNIX format before anything is touched 112 | if $mingw ; then 113 | [ -n "$M2_HOME" ] && 114 | M2_HOME="`(cd "$M2_HOME"; pwd)`" 115 | [ -n "$JAVA_HOME" ] && 116 | JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" 117 | fi 118 | 119 | if [ -z "$JAVA_HOME" ]; then 120 | javaExecutable="`which javac`" 121 | if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then 122 | # readlink(1) is not available as standard on Solaris 10. 123 | readLink=`which readlink` 124 | if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then 125 | if $darwin ; then 126 | javaHome="`dirname \"$javaExecutable\"`" 127 | javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" 128 | else 129 | javaExecutable="`readlink -f \"$javaExecutable\"`" 130 | fi 131 | javaHome="`dirname \"$javaExecutable\"`" 132 | javaHome=`expr "$javaHome" : '\(.*\)/bin'` 133 | JAVA_HOME="$javaHome" 134 | export JAVA_HOME 135 | fi 136 | fi 137 | fi 138 | 139 | if [ -z "$JAVACMD" ] ; then 140 | if [ -n "$JAVA_HOME" ] ; then 141 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 142 | # IBM's JDK on AIX uses strange locations for the executables 143 | JAVACMD="$JAVA_HOME/jre/sh/java" 144 | else 145 | JAVACMD="$JAVA_HOME/bin/java" 146 | fi 147 | else 148 | JAVACMD="`which java`" 149 | fi 150 | fi 151 | 152 | if [ ! -x "$JAVACMD" ] ; then 153 | echo "Error: JAVA_HOME is not defined correctly." >&2 154 | echo " We cannot execute $JAVACMD" >&2 155 | exit 1 156 | fi 157 | 158 | if [ -z "$JAVA_HOME" ] ; then 159 | echo "Warning: JAVA_HOME environment variable is not set." 160 | fi 161 | 162 | CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher 163 | 164 | # traverses directory structure from process work directory to filesystem root 165 | # first directory with .mvn subdirectory is considered project base directory 166 | find_maven_basedir() { 167 | 168 | if [ -z "$1" ] 169 | then 170 | echo "Path not specified to find_maven_basedir" 171 | return 1 172 | fi 173 | 174 | basedir="$1" 175 | wdir="$1" 176 | while [ "$wdir" != '/' ] ; do 177 | if [ -d "$wdir"/.mvn ] ; then 178 | basedir=$wdir 179 | break 180 | fi 181 | # workaround for JBEAP-8937 (on Solaris 10/Sparc) 182 | if [ -d "${wdir}" ]; then 183 | wdir=`cd "$wdir/.."; pwd` 184 | fi 185 | # end of workaround 186 | done 187 | echo "${basedir}" 188 | } 189 | 190 | # concatenates all lines of a file 191 | concat_lines() { 192 | if [ -f "$1" ]; then 193 | echo "$(tr -s '\n' ' ' < "$1")" 194 | fi 195 | } 196 | 197 | BASE_DIR=`find_maven_basedir "$(pwd)"` 198 | if [ -z "$BASE_DIR" ]; then 199 | exit 1; 200 | fi 201 | 202 | ########################################################################################## 203 | # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central 204 | # This allows using the maven wrapper in projects that prohibit checking in binary data. 205 | ########################################################################################## 206 | if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then 207 | if [ "$MVNW_VERBOSE" = true ]; then 208 | echo "Found .mvn/wrapper/maven-wrapper.jar" 209 | fi 210 | else 211 | if [ "$MVNW_VERBOSE" = true ]; then 212 | echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..." 213 | fi 214 | if [ -n "$MVNW_REPOURL" ]; then 215 | jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 216 | else 217 | jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 218 | fi 219 | while IFS="=" read key value; do 220 | case "$key" in (wrapperUrl) jarUrl="$value"; break ;; 221 | esac 222 | done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties" 223 | if [ "$MVNW_VERBOSE" = true ]; then 224 | echo "Downloading from: $jarUrl" 225 | fi 226 | wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" 227 | if $cygwin; then 228 | wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"` 229 | fi 230 | 231 | if command -v wget > /dev/null; then 232 | if [ "$MVNW_VERBOSE" = true ]; then 233 | echo "Found wget ... using wget" 234 | fi 235 | if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then 236 | wget "$jarUrl" -O "$wrapperJarPath" 237 | else 238 | wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" 239 | fi 240 | elif command -v curl > /dev/null; then 241 | if [ "$MVNW_VERBOSE" = true ]; then 242 | echo "Found curl ... using curl" 243 | fi 244 | if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then 245 | curl -o "$wrapperJarPath" "$jarUrl" -f 246 | else 247 | curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f 248 | fi 249 | 250 | else 251 | if [ "$MVNW_VERBOSE" = true ]; then 252 | echo "Falling back to using Java to download" 253 | fi 254 | javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java" 255 | # For Cygwin, switch paths to Windows format before running javac 256 | if $cygwin; then 257 | javaClass=`cygpath --path --windows "$javaClass"` 258 | fi 259 | if [ -e "$javaClass" ]; then 260 | if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then 261 | if [ "$MVNW_VERBOSE" = true ]; then 262 | echo " - Compiling MavenWrapperDownloader.java ..." 263 | fi 264 | # Compiling the Java class 265 | ("$JAVA_HOME/bin/javac" "$javaClass") 266 | fi 267 | if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then 268 | # Running the downloader 269 | if [ "$MVNW_VERBOSE" = true ]; then 270 | echo " - Running MavenWrapperDownloader.java ..." 271 | fi 272 | ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR") 273 | fi 274 | fi 275 | fi 276 | fi 277 | ########################################################################################## 278 | # End of extension 279 | ########################################################################################## 280 | 281 | export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"} 282 | if [ "$MVNW_VERBOSE" = true ]; then 283 | echo $MAVEN_PROJECTBASEDIR 284 | fi 285 | MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" 286 | 287 | # For Cygwin, switch paths to Windows format before running java 288 | if $cygwin; then 289 | [ -n "$M2_HOME" ] && 290 | M2_HOME=`cygpath --path --windows "$M2_HOME"` 291 | [ -n "$JAVA_HOME" ] && 292 | JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` 293 | [ -n "$CLASSPATH" ] && 294 | CLASSPATH=`cygpath --path --windows "$CLASSPATH"` 295 | [ -n "$MAVEN_PROJECTBASEDIR" ] && 296 | MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"` 297 | fi 298 | 299 | # Provide a "standardized" way to retrieve the CLI args that will 300 | # work with both Windows and non-Windows executions. 301 | MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@" 302 | export MAVEN_CMD_LINE_ARGS 303 | 304 | WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain 305 | 306 | exec "$JAVACMD" \ 307 | $MAVEN_OPTS \ 308 | -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ 309 | "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ 310 | ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@" 311 | -------------------------------------------------------------------------------- /mvnw.cmd: -------------------------------------------------------------------------------- 1 | @REM ---------------------------------------------------------------------------- 2 | @REM Licensed to the Apache Software Foundation (ASF) under one 3 | @REM or more contributor license agreements. See the NOTICE file 4 | @REM distributed with this work for additional information 5 | @REM regarding copyright ownership. The ASF licenses this file 6 | @REM to you under the Apache License, Version 2.0 (the 7 | @REM "License"); you may not use this file except in compliance 8 | @REM with the License. You may obtain a copy of the License at 9 | @REM 10 | @REM https://www.apache.org/licenses/LICENSE-2.0 11 | @REM 12 | @REM Unless required by applicable law or agreed to in writing, 13 | @REM software distributed under the License is distributed on an 14 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | @REM KIND, either express or implied. See the License for the 16 | @REM specific language governing permissions and limitations 17 | @REM under the License. 18 | @REM ---------------------------------------------------------------------------- 19 | 20 | @REM ---------------------------------------------------------------------------- 21 | @REM Maven2 Start Up Batch script 22 | @REM 23 | @REM Required ENV vars: 24 | @REM JAVA_HOME - location of a JDK home dir 25 | @REM 26 | @REM Optional ENV vars 27 | @REM M2_HOME - location of maven2's installed home dir 28 | @REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands 29 | @REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending 30 | @REM MAVEN_OPTS - parameters passed to the Java VM when running Maven 31 | @REM e.g. to debug Maven itself, use 32 | @REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 33 | @REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files 34 | @REM ---------------------------------------------------------------------------- 35 | 36 | @REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' 37 | @echo off 38 | @REM set title of command window 39 | title %0 40 | @REM enable echoing by setting MAVEN_BATCH_ECHO to 'on' 41 | @if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% 42 | 43 | @REM set %HOME% to equivalent of $HOME 44 | if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") 45 | 46 | @REM Execute a user defined script before this one 47 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre 48 | @REM check for pre script, once with legacy .bat ending and once with .cmd ending 49 | if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat" 50 | if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd" 51 | :skipRcPre 52 | 53 | @setlocal 54 | 55 | set ERROR_CODE=0 56 | 57 | @REM To isolate internal variables from possible post scripts, we use another setlocal 58 | @setlocal 59 | 60 | @REM ==== START VALIDATION ==== 61 | if not "%JAVA_HOME%" == "" goto OkJHome 62 | 63 | echo. 64 | echo Error: JAVA_HOME not found in your environment. >&2 65 | echo Please set the JAVA_HOME variable in your environment to match the >&2 66 | echo location of your Java installation. >&2 67 | echo. 68 | goto error 69 | 70 | :OkJHome 71 | if exist "%JAVA_HOME%\bin\java.exe" goto init 72 | 73 | echo. 74 | echo Error: JAVA_HOME is set to an invalid directory. >&2 75 | echo JAVA_HOME = "%JAVA_HOME%" >&2 76 | echo Please set the JAVA_HOME variable in your environment to match the >&2 77 | echo location of your Java installation. >&2 78 | echo. 79 | goto error 80 | 81 | @REM ==== END VALIDATION ==== 82 | 83 | :init 84 | 85 | @REM Find the project base dir, i.e. the directory that contains the folder ".mvn". 86 | @REM Fallback to current working directory if not found. 87 | 88 | set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% 89 | IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir 90 | 91 | set EXEC_DIR=%CD% 92 | set WDIR=%EXEC_DIR% 93 | :findBaseDir 94 | IF EXIST "%WDIR%"\.mvn goto baseDirFound 95 | cd .. 96 | IF "%WDIR%"=="%CD%" goto baseDirNotFound 97 | set WDIR=%CD% 98 | goto findBaseDir 99 | 100 | :baseDirFound 101 | set MAVEN_PROJECTBASEDIR=%WDIR% 102 | cd "%EXEC_DIR%" 103 | goto endDetectBaseDir 104 | 105 | :baseDirNotFound 106 | set MAVEN_PROJECTBASEDIR=%EXEC_DIR% 107 | cd "%EXEC_DIR%" 108 | 109 | :endDetectBaseDir 110 | 111 | IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig 112 | 113 | @setlocal EnableExtensions EnableDelayedExpansion 114 | for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a 115 | @endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% 116 | 117 | :endReadAdditionalConfig 118 | 119 | SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" 120 | set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" 121 | set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain 122 | 123 | set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 124 | 125 | FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( 126 | IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B 127 | ) 128 | 129 | @REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central 130 | @REM This allows using the maven wrapper in projects that prohibit checking in binary data. 131 | if exist %WRAPPER_JAR% ( 132 | if "%MVNW_VERBOSE%" == "true" ( 133 | echo Found %WRAPPER_JAR% 134 | ) 135 | ) else ( 136 | if not "%MVNW_REPOURL%" == "" ( 137 | SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar" 138 | ) 139 | if "%MVNW_VERBOSE%" == "true" ( 140 | echo Couldn't find %WRAPPER_JAR%, downloading it ... 141 | echo Downloading from: %DOWNLOAD_URL% 142 | ) 143 | 144 | powershell -Command "&{"^ 145 | "$webclient = new-object System.Net.WebClient;"^ 146 | "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^ 147 | "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^ 148 | "}"^ 149 | "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^ 150 | "}" 151 | if "%MVNW_VERBOSE%" == "true" ( 152 | echo Finished downloading %WRAPPER_JAR% 153 | ) 154 | ) 155 | @REM End of extension 156 | 157 | @REM Provide a "standardized" way to retrieve the CLI args that will 158 | @REM work with both Windows and non-Windows executions. 159 | set MAVEN_CMD_LINE_ARGS=%* 160 | 161 | %MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %* 162 | if ERRORLEVEL 1 goto error 163 | goto end 164 | 165 | :error 166 | set ERROR_CODE=1 167 | 168 | :end 169 | @endlocal & set ERROR_CODE=%ERROR_CODE% 170 | 171 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost 172 | @REM check for post script, once with legacy .bat ending and once with .cmd ending 173 | if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" 174 | if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" 175 | :skipRcPost 176 | 177 | @REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' 178 | if "%MAVEN_BATCH_PAUSE%" == "on" pause 179 | 180 | if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% 181 | 182 | exit /B %ERROR_CODE% 183 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 4.0.0 6 | 7 | org.springframework.boot 8 | spring-boot-starter-parent 9 | 2.2.1.RELEASE 10 | 11 | 12 | org.springframework.security.oauth2 13 | spring-security-oauth2-parent 14 | 1.0.0.BUILD-SNAPSHOT 15 | pom 16 | 17 | 18 | client-app 19 | resource-server 20 | 21 | 22 | 23 | 1.8 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | org.springframework.boot 36 | spring-boot-maven-plugin 37 | 38 | 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /resource-server/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 4.0.0 6 | 7 | org.springframework.security.oauth2 8 | spring-security-oauth2-parent 9 | 1.0.0.BUILD-SNAPSHOT 10 | 11 | spring-security-oauth2-resource-server 12 | 13 | 14 | 15 | org.springframework.boot 16 | spring-boot-starter-web 17 | 18 | 19 | org.springframework.boot 20 | spring-boot-starter-security 21 | 22 | 23 | org.springframework.boot 24 | spring-boot-starter-oauth2-resource-server 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /resource-server/src/main/java/org/springframework/security/oauth/samples/ResourceServerApplication.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples; 17 | 18 | import org.springframework.boot.SpringApplication; 19 | import org.springframework.boot.autoconfigure.SpringBootApplication; 20 | 21 | /** 22 | * @author Joe Grandja 23 | */ 24 | @SpringBootApplication 25 | public class ResourceServerApplication { 26 | 27 | public static void main(String[] args) { 28 | SpringApplication.run(ResourceServerApplication.class, args); 29 | } 30 | } -------------------------------------------------------------------------------- /resource-server/src/main/java/org/springframework/security/oauth/samples/config/ResourceServerConfig.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples.config; 17 | 18 | import org.springframework.security.config.annotation.web.builders.HttpSecurity; 19 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 20 | import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 21 | 22 | /** 23 | * @author Joe Grandja 24 | */ 25 | @EnableWebSecurity 26 | public class ResourceServerConfig extends WebSecurityConfigurerAdapter { 27 | 28 | // @formatter:off 29 | @Override 30 | protected void configure(HttpSecurity http) throws Exception { 31 | http 32 | .mvcMatcher("/messages/**") 33 | .authorizeRequests() 34 | .mvcMatchers("/messages/**").access("hasAuthority('SCOPE_message.read')") 35 | .and() 36 | .oauth2ResourceServer() 37 | .jwt(); 38 | } 39 | // @formatter:on 40 | } -------------------------------------------------------------------------------- /resource-server/src/main/java/org/springframework/security/oauth/samples/web/MessagesController.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2012-2019 the original author or authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package org.springframework.security.oauth.samples.web; 17 | 18 | import org.springframework.web.bind.annotation.GetMapping; 19 | import org.springframework.web.bind.annotation.RestController; 20 | 21 | /** 22 | * @author Joe Grandja 23 | */ 24 | @RestController 25 | public class MessagesController { 26 | 27 | @GetMapping("/messages") 28 | public String[] getMessages() { 29 | String[] messages = new String[] {"Message 1", "Message 2", "Message 3"}; 30 | return messages; 31 | } 32 | } -------------------------------------------------------------------------------- /resource-server/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | server: 2 | port: 8092 3 | 4 | logging: 5 | level: 6 | root: INFO 7 | org.springframework.web: INFO 8 | org.springframework.security: INFO 9 | org.springframework.security.oauth2: INFO 10 | # org.springframework.boot.autoconfigure: DEBUG 11 | 12 | spring: 13 | security: 14 | oauth2: 15 | resourceserver: 16 | jwt: 17 | jwk-set-uri: http://localhost:8090/auth/realms/oauth2-sample/protocol/openid-connect/certs 18 | --------------------------------------------------------------------------------