├── ssl
    ├── secure-caller
    │   ├── src
    │   │   └── main
    │   │   │   ├── resources
    │   │   │       ├── application-dev.yml
    │   │   │       └── application.yml
    │   │   │   └── java
    │   │   │       └── pl
    │   │   │           └── piomin
    │   │   │               └── services
    │   │   │                   ├── controller
    │   │   │                       └── SecureCallerController.java
    │   │   │                   ├── configuration
    │   │   │                       └── ClientSSLProperties.java
    │   │   │                   └── SecureCaller.java
    │   ├── k8s
    │   │   ├── secret.yaml
    │   │   ├── cert.yaml
    │   │   └── deployment.yaml
    │   ├── skaffold.yaml
    │   └── pom.xml
    ├── secure-callme
    │   ├── k8s
    │   │   ├── secret.yaml
    │   │   ├── cert.yaml
    │   │   └── deployment.yaml
    │   ├── skaffold.yaml
    │   ├── src
    │   │   └── main
    │   │   │   ├── resources
    │   │   │       └── application.yml
    │   │   │   └── java
    │   │   │       └── pl
    │   │   │           └── piomin
    │   │   │               └── services
    │   │   │                   ├── SecureCallme.java
    │   │   │                   └── controller
    │   │   │                       └── SecureCallmeController.java
    │   └── pom.xml
    ├── secure-caller-bundle
    │   ├── k8s
    │   │   ├── secret.yaml
    │   │   ├── cert.yaml
    │   │   └── deployment.yaml
    │   ├── src
    │   │   └── main
    │   │   │   ├── resources
    │   │   │       ├── keystore.jks
    │   │   │       ├── keystore-client.jks
    │   │   │       ├── truststore-client.jks
    │   │   │       └── application.yml
    │   │   │   └── java
    │   │   │       └── pl
    │   │   │           └── piomin
    │   │   │               └── services
    │   │   │                   └── caller
    │   │   │                       ├── controller
    │   │   │                           └── SecureCallerBundleController.java
    │   │   │                       └── SecureCallerBundle.java
    │   ├── skaffold.yaml
    │   └── pom.xml
    ├── secure-callme-bundle
    │   ├── k8s
    │   │   ├── secret.yaml
    │   │   ├── cert.yaml
    │   │   └── deployment.yaml
    │   ├── src
    │   │   ├── main
    │   │   │   ├── resources
    │   │   │   │   ├── keystore.jks
    │   │   │   │   ├── truststore.jks
    │   │   │   │   └── application.yml
    │   │   │   └── java
    │   │   │   │   └── pl
    │   │   │   │       └── piomin
    │   │   │   │           └── services
    │   │   │   │               └── callme
    │   │   │   │                   ├── SecureCallmeBundle.java
    │   │   │   │                   └── controller
    │   │   │   │                       └── SecureCallmeBundleController.java
    │   │   └── test
    │   │   │   └── java
    │   │   │       └── pl
    │   │   │           └── piomin
    │   │   │               └── services
    │   │   │                   └── callme
    │   │   │                       └── SecureCallmeBundleTest.java
    │   ├── skaffold.yaml
    │   └── pom.xml
    ├── pom.xml
    └── readme.md
├── .gitignore
├── saml
    ├── truststore.jks
    ├── callme-saml
    │   ├── src
    │   │   └── main
    │   │   │   ├── java
    │   │   │       └── pl
    │   │   │       │   └── piomin
    │   │   │       │       └── samples
    │   │   │       │           └── security
    │   │   │       │               └── callme
    │   │   │       │                   └── saml
    │   │   │       │                       ├── CustomSamlValidationException.java
    │   │   │       │                       ├── GreetingController.java
    │   │   │       │                       ├── MainController.java
    │   │   │       │                       ├── CallmeSamlApplication.java
    │   │   │       │                       └── SecurityConfig.java
    │   │   │   └── resources
    │   │   │       ├── application.yml
    │   │   │       ├── rp-certificate.crt
    │   │   │       ├── templates
    │   │   │           └── index.html
    │   │   │       ├── rp-key.key
    │   │   │       └── metadata
    │   │   │           └── metadata-idp.xml
    │   └── pom.xml
    ├── docker-compose.yml
    ├── pom.xml
    ├── localhost-crt.pem
    └── localhost-key.pem
├── renovate.json
├── oauth
    ├── caller
    │   ├── src
    │   │   └── main
    │   │   │   ├── resources
    │   │   │       └── application.yml
    │   │   │   └── java
    │   │   │       └── pl
    │   │   │           └── piomin
    │   │   │               └── samples
    │   │   │                   └── security
    │   │   │                       └── caller
    │   │   │                           ├── CallerApplication.java
    │   │   │                           ├── config
    │   │   │                               └── SecurityConfig.java
    │   │   │                           └── controller
    │   │   │                               └── CallerController.java
    │   └── pom.xml
    ├── callme
    │   ├── src
    │   │   ├── main
    │   │   │   ├── java
    │   │   │   │   └── pl
    │   │   │   │   │   └── piomin
    │   │   │   │   │       └── samples
    │   │   │   │   │           └── security
    │   │   │   │   │               └── callme
    │   │   │   │   │                   ├── CallmeApplication.java
    │   │   │   │   │                   ├── controller
    │   │   │   │   │                       └── CallmeController.java
    │   │   │   │   │                   └── config
    │   │   │   │   │                       └── SecurityConfig.java
    │   │   │   └── resources
    │   │   │   │   └── application.yml
    │   │   └── test
    │   │   │   └── java
    │   │   │       └── pl
    │   │   │           └── piomin
    │   │   │               └── samples
    │   │   │                   └── security
    │   │   │                       └── callme
    │   │   │                           └── CallMeControllerTests.java
    │   └── pom.xml
    ├── gateway
    │   ├── src
    │   │   ├── test
    │   │   │   ├── java
    │   │   │   │   └── pl
    │   │   │   │   │   └── piomin
    │   │   │   │   │       └── samples
    │   │   │   │   │           └── security
    │   │   │   │   │               └── gateway
    │   │   │   │   │                   ├── CallmeController.java
    │   │   │   │   │                   └── GatewayApplicationTests.java
    │   │   │   └── resources
    │   │   │   │   ├── test-realm.json
    │   │   │   │   └── realm-export.json
    │   │   └── main
    │   │   │   ├── java
    │   │   │       └── pl
    │   │   │       │   └── piomin
    │   │   │       │       └── samples
    │   │   │       │           └── security
    │   │   │       │               └── gateway
    │   │   │       │                   ├── config
    │   │   │       │                       └── SecurityConfig.java
    │   │   │       │                   └── GatewayApplication.java
    │   │   │   └── resources
    │   │   │       └── application.yml
    │   └── pom.xml
    └── pom.xml
├── .circleci
    └── config.yml
├── pom.xml
└── README.md


/ssl/secure-caller/src/main/resources/application-dev.yml:
--------------------------------------------------------------------------------
1 | server.port: 9443


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Project exclude paths
2 | /callme/target/
3 | /gateway/target/


--------------------------------------------------------------------------------
/saml/truststore.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piomin/sample-spring-security-microservices/HEAD/saml/truststore.jks


--------------------------------------------------------------------------------
/ssl/secure-caller/k8s/secret.yaml:
--------------------------------------------------------------------------------
1 | kind: Secret
2 | apiVersion: v1
3 | metadata:
4 |   name: jks-password-secret
5 | data:
6 |   password: MTIzNDU2
7 | type: Opaque


--------------------------------------------------------------------------------
/ssl/secure-caller/skaffold.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: skaffold/v2beta22
2 | kind: Config
3 | build:
4 |   artifacts:
5 |     - image: piomin/secure-caller
6 |       jib: {}


--------------------------------------------------------------------------------
/ssl/secure-callme/k8s/secret.yaml:
--------------------------------------------------------------------------------
1 | kind: Secret
2 | apiVersion: v1
3 | metadata:
4 |   name: jks-password-secret
5 | data:
6 |   password: MTIzNDU2
7 | type: Opaque


--------------------------------------------------------------------------------
/ssl/secure-callme/skaffold.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: skaffold/v2beta22
2 | kind: Config
3 | build:
4 |   artifacts:
5 |     - image: piomin/secure-callme
6 |       jib: {}


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/k8s/secret.yaml:
--------------------------------------------------------------------------------
1 | kind: Secret
2 | apiVersion: v1
3 | metadata:
4 |   name: jks-password-secret
5 | data:
6 |   password: MTIzNDU2
7 | type: Opaque


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/k8s/secret.yaml:
--------------------------------------------------------------------------------
1 | kind: Secret
2 | apiVersion: v1
3 | metadata:
4 |   name: jks-password-secret
5 | data:
6 |   password: MTIzNDU2
7 | type: Opaque


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/src/main/resources/keystore.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piomin/sample-spring-security-microservices/HEAD/ssl/secure-caller-bundle/src/main/resources/keystore.jks


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/src/main/resources/keystore.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piomin/sample-spring-security-microservices/HEAD/ssl/secure-callme-bundle/src/main/resources/keystore.jks


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/src/main/resources/truststore.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piomin/sample-spring-security-microservices/HEAD/ssl/secure-callme-bundle/src/main/resources/truststore.jks


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/src/main/resources/keystore-client.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piomin/sample-spring-security-microservices/HEAD/ssl/secure-caller-bundle/src/main/resources/keystore-client.jks


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/src/main/resources/truststore-client.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piomin/sample-spring-security-microservices/HEAD/ssl/secure-caller-bundle/src/main/resources/truststore-client.jks


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/skaffold.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: skaffold/v2beta22
2 | kind: Config
3 | build:
4 |   artifacts:
5 |     - image: piomin/secure-caller-bundle
6 |       jib:
7 |         args:
8 |           - -DskipTests


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/skaffold.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: skaffold/v2beta22
2 | kind: Config
3 | build:
4 |   artifacts:
5 |     - image: piomin/secure-callme-bundle
6 |       jib:
7 |         args:
8 |           - -DskipTests


--------------------------------------------------------------------------------
/ssl/secure-callme/src/main/resources/application.yml:
--------------------------------------------------------------------------------
1 | server.port: 8443
2 | server.ssl:
3 |   enabled: true
4 |   key-store: ${CERT_PATH}/keystore.jks
5 |   key-store-password: ${PASSWORD}
6 |   trust-store: ${CERT_PATH}/truststore.jks
7 |   trust-store-password: ${PASSWORD}
8 |   client-auth: NEED


--------------------------------------------------------------------------------
/renovate.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 3 |   "extends": [
 4 |     "config:base",":dependencyDashboard"
 5 |   ],
 6 |   "packageRules": [
 7 |     {
 8 |       "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
 9 |       "automerge": true
10 |     }
11 |   ],
12 |   "prCreation": "not-pending"
13 | }


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/java/pl/piomin/samples/security/callme/saml/CustomSamlValidationException.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme.saml;
 2 | 
 3 | import org.springframework.security.saml2.Saml2Exception;
 4 | 
 5 | public class CustomSamlValidationException extends Saml2Exception {
 6 |     public CustomSamlValidationException(String message) {
 7 |         super(message);
 8 |     }
 9 | }
10 | 


--------------------------------------------------------------------------------
/ssl/secure-callme/src/main/java/pl/piomin/services/SecureCallme.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services;
 2 | 
 3 | import org.springframework.boot.SpringApplication;
 4 | import org.springframework.boot.autoconfigure.SpringBootApplication;
 5 | 
 6 | @SpringBootApplication
 7 | public class SecureCallme {
 8 | 
 9 |     public static void main(String[] args) {
10 |         SpringApplication.run(SecureCallme.class, args);
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/oauth/caller/src/main/resources/application.yml:
--------------------------------------------------------------------------------
 1 | spring:
 2 |   application:
 3 |     name: caller
 4 |   security:
 5 |     oauth2:
 6 |       resourceserver:
 7 |         jwt:
 8 |           jwk-set-uri: http://localhost:8080/realms/demo/protocol/openid-connect/certs
 9 | 
10 | logging.level:
11 |   org.springframework.cloud.gateway: DEBUG
12 |   org.springframework.security: DEBUG
13 |   org.springframework.web.reactive.function.client: TRACE
14 | 
15 | server.port: 8020


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/src/main/java/pl/piomin/services/callme/SecureCallmeBundle.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.callme;
 2 | 
 3 | import org.springframework.boot.SpringApplication;
 4 | import org.springframework.boot.autoconfigure.SpringBootApplication;
 5 | 
 6 | @SpringBootApplication
 7 | public class SecureCallmeBundle {
 8 | 
 9 |     public static void main(String[] args) {
10 |         SpringApplication.run(SecureCallmeBundle.class, args);
11 |     }
12 | }
13 | 


--------------------------------------------------------------------------------
/ssl/secure-callme/src/main/java/pl/piomin/services/controller/SecureCallmeController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.controller;
 2 | 
 3 | import org.springframework.web.bind.annotation.GetMapping;
 4 | import org.springframework.web.bind.annotation.RestController;
 5 | 
 6 | @RestController
 7 | public class SecureCallmeController {
 8 | 
 9 |     @GetMapping("/callme")
10 |     public String call() {
11 |         return "I'm `secure-callme`!";
12 |     }
13 | 
14 | }
15 | 


--------------------------------------------------------------------------------
/oauth/callme/src/main/java/pl/piomin/samples/security/callme/CallmeApplication.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme;
 2 | 
 3 | import org.springframework.boot.SpringApplication;
 4 | import org.springframework.boot.autoconfigure.SpringBootApplication;
 5 | 
 6 | @SpringBootApplication
 7 | public class CallmeApplication {
 8 | 
 9 |     public static void main(String[] args) {
10 |         SpringApplication.run(CallmeApplication.class, args);
11 |     }
12 | 
13 | }
14 | 


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/src/main/java/pl/piomin/services/callme/controller/SecureCallmeBundleController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.callme.controller;
 2 | 
 3 | import org.springframework.web.bind.annotation.GetMapping;
 4 | import org.springframework.web.bind.annotation.RestController;
 5 | 
 6 | @RestController
 7 | public class SecureCallmeBundleController {
 8 | 
 9 |     @GetMapping("/callme")
10 |     public String call() {
11 |         return "I'm secure-callme-bundle!";
12 |     }
13 | 
14 | }
15 | 


--------------------------------------------------------------------------------
/oauth/callme/src/main/resources/application.yml:
--------------------------------------------------------------------------------
 1 | spring:
 2 |   application:
 3 |     name: callme
 4 |   security:
 5 |     oauth2:
 6 |       resourceserver:
 7 |         jwt:
 8 |           jwk-set-uri: http://localhost:8080/realms/demo/protocol/openid-connect/certs
 9 | #          issuer-uri: http://localhost:8080/realms/demo
10 | 
11 | logging.level:
12 |   org.springframework.cloud.gateway: DEBUG
13 |   org.springframework.security: DEBUG
14 |   org.springframework.web.reactive.function.client: TRACE
15 | 
16 | server.port: 8040


--------------------------------------------------------------------------------
/ssl/secure-caller/src/main/resources/application.yml:
--------------------------------------------------------------------------------
 1 | server.port: 8443
 2 | server.ssl:
 3 |   enabled: true
 4 |   key-store: ${CERT_PATH}/keystore.jks
 5 |   key-store-password: ${PASSWORD}
 6 |   trust-store: ${CERT_PATH}/truststore.jks
 7 |   trust-store-password: ${PASSWORD}
 8 |   client-auth: NEED
 9 | 
10 | client.url: https://${HOST}:8443/callme
11 | client.ssl:
12 |   key-store: ${CLIENT_CERT_PATH}/keystore.jks
13 |   key-store-password: ${PASSWORD}
14 |   trust-store: ${CLIENT_CERT_PATH}/truststore.jks
15 |   trust-store-password: ${PASSWORD}


--------------------------------------------------------------------------------
/ssl/secure-callme/k8s/cert.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: cert-manager.io/v1
 2 | kind: Certificate
 3 | metadata:
 4 |   name: secure-callme-cert
 5 | spec:
 6 |   keystores:
 7 |     jks:
 8 |       passwordSecretRef:
 9 |         name: jks-password-secret
10 |         key: password
11 |       create: true
12 |   issuerRef:
13 |     name: ss-clusterissuer
14 |     group: cert-manager.io
15 |     kind: ClusterIssuer
16 |   privateKey:
17 |     algorithm: ECDSA
18 |     size: 256
19 |   dnsNames:
20 |     - secure-callme
21 |   secretName: secure-callme-cert
22 |   commonName: secure-callme
23 |   duration: 1h
24 |   renewBefore: 5m


--------------------------------------------------------------------------------
/ssl/secure-caller/k8s/cert.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: cert-manager.io/v1
 2 | kind: Certificate
 3 | metadata:
 4 |   name: secure-caller-cert
 5 | spec:
 6 |   keystores:
 7 |     jks:
 8 |       passwordSecretRef:
 9 |         name: jks-password-secret
10 |         key: password
11 |       create: true
12 |   issuerRef:
13 |     name: ss-clusterissuer
14 |     group: cert-manager.io
15 |     kind: ClusterIssuer
16 |   privateKey:
17 |     algorithm: ECDSA
18 |     size: 256
19 |   dnsNames:
20 |     - localhost
21 |     - secure-caller
22 |   secretName: secure-caller-cert
23 |   commonName: localhost
24 |   duration: 1h
25 |   renewBefore: 5m


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/k8s/cert.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: cert-manager.io/v1
 2 | kind: Certificate
 3 | metadata:
 4 |   name: secure-caller-cert
 5 | spec:
 6 |   keystores:
 7 |     jks:
 8 |       passwordSecretRef:
 9 |         name: jks-password-secret
10 |         key: password
11 |       create: true
12 |   issuerRef:
13 |     name: ss-cluster-issuer
14 |     group: cert-manager.io
15 |     kind: ClusterIssuer
16 |   privateKey:
17 |     algorithm: ECDSA
18 |     size: 256
19 |   dnsNames:
20 |     - localhost
21 |     - secure-caller-bundle
22 |   secretName: secure-caller-cert
23 |   commonName: secure-caller-bundle
24 |   duration: 1h
25 |   renewBefore: 5m


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/k8s/cert.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: cert-manager.io/v1
 2 | kind: Certificate
 3 | metadata:
 4 |   name: secure-callme-cert
 5 | spec:
 6 |   keystores:
 7 |     jks:
 8 |       passwordSecretRef:
 9 |         name: jks-password-secret
10 |         key: password
11 |       create: true
12 |   issuerRef:
13 |     name: ss-cluster-issuer
14 |     group: cert-manager.io
15 |     kind: ClusterIssuer
16 |   privateKey:
17 |     algorithm: ECDSA
18 |     size: 256
19 |   dnsNames:
20 |     - secure-callme-bundle
21 |     - localhost
22 |   secretName: secure-callme-cert
23 |   commonName: secure-callme-bundle
24 |   duration: 1h
25 |   renewBefore: 5m


--------------------------------------------------------------------------------
/.circleci/config.yml:
--------------------------------------------------------------------------------
 1 | version: '2.1'
 2 | 
 3 | jobs:
 4 |   analyze:
 5 |     docker:
 6 |       - image: 'cimg/openjdk:25.0'
 7 |     steps:
 8 |       - checkout
 9 |       - run:
10 |           name: Analyze on SonarCloud
11 |           command: mvn verify sonar:sonar -DskipTests
12 |   test:
13 |     executor: machine_executor_amd64
14 |     steps:
15 |       - checkout
16 |       - run:
17 |           name: Maven Tests
18 |           command: mvn verify -Pbuild-image
19 | 
20 | orbs:
21 |   maven: circleci/maven@2.1.1
22 | 
23 | executors:
24 |   machine_executor_amd64:
25 |     machine:
26 |       image: ubuntu-2204:2024.05.1
27 |     environment:
28 |       architecture: "amd64"
29 |       platform: "linux/amd64"
30 | 
31 | workflows:
32 |   maven_test:
33 |     jobs:
34 |       - test
35 |       - analyze:
36 |           context: SonarCloud


--------------------------------------------------------------------------------
/oauth/gateway/src/test/java/pl/piomin/samples/security/gateway/CallmeController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.gateway;
 2 | 
 3 | import org.springframework.security.access.prepost.PreAuthorize;
 4 | import org.springframework.security.core.Authentication;
 5 | import org.springframework.security.core.context.SecurityContext;
 6 | import org.springframework.security.core.context.SecurityContextHolder;
 7 | import org.springframework.web.bind.annotation.GetMapping;
 8 | import org.springframework.web.bind.annotation.RequestMapping;
 9 | import org.springframework.web.bind.annotation.RestController;
10 | 
11 | @RestController
12 | @RequestMapping("/callme")
13 | public class CallmeController {
14 | 
15 |     @PreAuthorize("hasAuthority('SCOPE_TEST')")
16 |     @GetMapping("/ping")
17 |     public String ping() {
18 |         return "Hello!";
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/java/pl/piomin/samples/security/callme/saml/GreetingController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme.saml;
 2 | 
 3 | import org.springframework.security.access.prepost.PreAuthorize;
 4 | import org.springframework.web.bind.annotation.GetMapping;
 5 | import org.springframework.web.bind.annotation.RequestMapping;
 6 | import org.springframework.web.bind.annotation.RestController;
 7 | 
 8 | @RestController
 9 | @RequestMapping("/greetings")
10 | public class GreetingController {
11 | 
12 |     @GetMapping("/user")
13 |     @PreAuthorize("hasAuthority('ROLE_USER')")
14 |     public String greeting() {
15 |         return "I'm SAML user!";
16 |     }
17 | 
18 |     @GetMapping("/admin")
19 |     @PreAuthorize("hasAuthority('ROLE_ADMINS')")
20 |     public String admin() {
21 |         return "I'm SAML admin!";
22 |     }
23 | 
24 | }
25 | 


--------------------------------------------------------------------------------
/ssl/secure-caller/src/main/java/pl/piomin/services/controller/SecureCallerController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.controller;
 2 | 
 3 | import org.springframework.beans.factory.annotation.Value;
 4 | import org.springframework.web.bind.annotation.GetMapping;
 5 | import org.springframework.web.bind.annotation.RestController;
 6 | import org.springframework.web.client.RestTemplate;
 7 | 
 8 | @RestController
 9 | public class SecureCallerController {
10 | 
11 |     RestTemplate restTemplate;
12 | 
13 |     @Value("${client.url}")
14 |     String clientUrl;
15 | 
16 |     public SecureCallerController(RestTemplate restTemplate) {
17 |         this.restTemplate = restTemplate;
18 |     }
19 | 
20 |     @GetMapping("/caller")
21 |     public String call() {
22 |         return "I'm `secure-caller`! calling... " +
23 |                 restTemplate.getForObject(clientUrl, String.class);
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/oauth/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 |     <parent>
 7 |         <groupId>pl.piomin.services</groupId>
 8 |         <artifactId>sample-spring-security-microservices</artifactId>
 9 |         <version>1.1-SNAPSHOT</version>
10 |     </parent>
11 | 
12 |     <artifactId>oauth</artifactId>
13 |     <packaging>pom</packaging>
14 | 
15 |     <properties>
16 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
17 |     </properties>
18 | 
19 |     <modules>
20 |         <module>callme</module>
21 |         <module>gateway</module>
22 |         <module>caller</module>
23 |     </modules>
24 | 
25 | </project>


--------------------------------------------------------------------------------
/oauth/caller/src/main/java/pl/piomin/samples/security/caller/CallerApplication.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.caller;
 2 | 
 3 | import org.springframework.boot.SpringApplication;
 4 | import org.springframework.boot.autoconfigure.SpringBootApplication;
 5 | import org.springframework.context.annotation.Bean;
 6 | import org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServletBearerExchangeFilterFunction;
 7 | import org.springframework.web.reactive.function.client.WebClient;
 8 | 
 9 | @SpringBootApplication
10 | public class CallerApplication {
11 | 
12 |     public static void main(String[] args) {
13 |         SpringApplication.run(CallerApplication.class, args);
14 |     }
15 | 
16 |     @Bean
17 |     public WebClient webClient() {
18 |         return WebClient.builder()
19 |                 .filter(new ServletBearerExchangeFilterFunction())
20 |                 .build();
21 |     }
22 | 
23 | }
24 | 


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/java/pl/piomin/samples/security/callme/saml/MainController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme.saml;
 2 | 
 3 | import org.springframework.security.core.annotation.AuthenticationPrincipal;
 4 | import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 5 | import org.springframework.stereotype.Controller;
 6 | import org.springframework.ui.Model;
 7 | import org.springframework.web.bind.annotation.GetMapping;
 8 | 
 9 | @Controller
10 | public class MainController {
11 | 
12 |     @GetMapping("/")
13 |     public String getPrincipal(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal, Model model) {
14 |         String emailAddress = principal.getFirstAttribute("email");
15 |         model.addAttribute("emailAddress", emailAddress);
16 |         model.addAttribute("userAttributes", principal.getAttributes());
17 |         return "index";
18 |     }
19 | 
20 | }
21 | 


--------------------------------------------------------------------------------
/ssl/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <groupId>pl.piomin.services</groupId>
 7 |         <artifactId>sample-spring-security-microservices</artifactId>
 8 |         <version>1.1-SNAPSHOT</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>ssl</artifactId>
13 |     <packaging>pom</packaging>
14 | 
15 |     <properties>
16 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
17 |     </properties>
18 | 
19 |     <modules>
20 |         <module>secure-caller</module>
21 |         <module>secure-callme</module>
22 |         <module>secure-callme-bundle</module>
23 |         <module>secure-caller-bundle</module>
24 |     </modules>
25 | 
26 | </project>


--------------------------------------------------------------------------------
/ssl/readme.md:
--------------------------------------------------------------------------------
 1 | ## Demo for Spring Boot SSL on Kubernetes with CertManager
 2 | 
 3 | ### Steps to run demo locally 
 4 | 
 5 | #### Run `secure-callme`
 6 | 
 7 | Go to the `secure-callme` directory:
 8 | ```shell
 9 | cd secure-callme
10 | ```
11 | 
12 | Export keystore password and cert location path:
13 | ```shell
14 | export PASSWORD=123456
15 | export CERT_PATH=/Users/pminkows/Download/
16 | ```
17 | 
18 | Run the app in the `dev` mode:
19 | ```shell
20 | mvn spring-boot:run
21 | ```
22 | 
23 | #### Run `secure-caller`
24 | 
25 | Go to the `secure-caller` directory:
26 | ```shell
27 | cd secure-caller
28 | ```
29 | 
30 | Export keystore password and cert location path:
31 | ```shell
32 | export PASSWORD=123456
33 | export CERT_PATH=/Users/pminkows/Download/
34 | export CLIENT_CERT_PATH=/Users/pminkows/Download/
35 | export HOST=localhost
36 | ```
37 | 
38 | Run the app in the `dev` mode:
39 | ```shell
40 | mvn spring-boot:run
41 | ```
42 | 
43 | ### Steps to run demo on Kubernetes


--------------------------------------------------------------------------------
/oauth/caller/src/main/java/pl/piomin/samples/security/caller/config/SecurityConfig.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.caller.config;
 2 | 
 3 | import org.springframework.context.annotation.Bean;
 4 | import org.springframework.context.annotation.Configuration;
 5 | import org.springframework.security.config.Customizer;
 6 | import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 7 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 8 | import org.springframework.security.web.SecurityFilterChain;
 9 | 
10 | @Configuration
11 | @EnableWebSecurity
12 | public class SecurityConfig {
13 | 
14 |     @Bean
15 |     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
16 |         http.authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
17 |                 .oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()));
18 |         return http.build();
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------
/oauth/callme/src/main/java/pl/piomin/samples/security/callme/controller/CallmeController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme.controller;
 2 | 
 3 | import org.springframework.security.access.prepost.PreAuthorize;
 4 | import org.springframework.security.core.Authentication;
 5 | import org.springframework.security.core.context.SecurityContext;
 6 | import org.springframework.security.core.context.SecurityContextHolder;
 7 | import org.springframework.web.bind.annotation.GetMapping;
 8 | import org.springframework.web.bind.annotation.RequestMapping;
 9 | import org.springframework.web.bind.annotation.RestController;
10 | 
11 | @RestController
12 | @RequestMapping("/callme")
13 | public class CallmeController {
14 | 
15 |     @PreAuthorize("hasAuthority('SCOPE_TEST')")
16 |     @GetMapping("/ping")
17 |     public String ping() {
18 |         SecurityContext context = SecurityContextHolder.getContext();
19 |         Authentication authentication = context.getAuthentication();
20 |         return "Scopes: " + authentication.getAuthorities();
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/oauth/callme/src/main/java/pl/piomin/samples/security/callme/config/SecurityConfig.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme.config;
 2 | 
 3 | import org.springframework.context.annotation.Bean;
 4 | import org.springframework.context.annotation.Configuration;
 5 | import org.springframework.security.config.Customizer;
 6 | import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 7 | import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 8 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 9 | import org.springframework.security.web.SecurityFilterChain;
10 | 
11 | @Configuration
12 | @EnableWebSecurity
13 | @EnableMethodSecurity
14 | public class SecurityConfig {
15 | 
16 |     @Bean
17 |     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
18 |         http.authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
19 |                 .oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()));
20 |         return http.build();
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/saml/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | services:
 2 |   keycloak:
 3 | #    image: quay.io/keycloak/keycloak:24.0
 4 |     image: registry.redhat.io/rhbk/keycloak-rhel9:24-17
 5 |     environment:
 6 |       - KEYCLOAK_ADMIN=admin
 7 |       - KEYCLOAK_ADMIN_PASSWORD=admin
 8 |       - KC_HTTP_ENABLED=true
 9 |       - KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/localhost.key.pem
10 |       - KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/localhost.crt.pem
11 |       - KC_HTTPS_TRUST_STORE_FILE=/opt/keycloak/conf/truststore.jks
12 |       - KC_HTTPS_TRUST_STORE_PASSWORD=123456
13 |     ports:
14 |       - 8080:8080
15 |       - 8443:8443
16 |     volumes:
17 |       - /Users/pminkows/IdeaProjects/sample-spring-security-microservices/oauth/localhost-key.pem:/opt/keycloak/conf/localhost.key.pem
18 |       - /Users/pminkows/IdeaProjects/sample-spring-security-microservices/oauth/localhost-crt.pem:/opt/keycloak/conf/localhost.crt.pem
19 |       - /Users/pminkows/IdeaProjects/sample-spring-security-microservices/oauth/truststore.jks:/opt/keycloak/conf/truststore.jks
20 |       - ./config/:/opt/keycloak/data/import:ro
21 |     command: start-dev --import-realm


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/src/main/resources/application.yml:
--------------------------------------------------------------------------------
 1 | server.port: 8443
 2 | server.ssl.client-auth: NEED
 3 | server.ssl.bundle: server
 4 | spring.profiles.active: dev
 5 | management.endpoints.web.exposure.include: health, info
 6 | management.info.ssl.enabled: true
 7 | management.info.os.enabled: false
 8 | management.info.java.enabled: false
 9 | management.endpoint.health.show-details: always
10 | 
11 | ---
12 | spring.config.activate.on-profile: dev
13 | server.ssl.client-auth: NONE
14 | spring.ssl.bundle.jks:
15 |   server:
16 |     reload-on-update: true
17 |     keystore:
18 |       location: classpath:keystore.jks
19 |       password: 123456
20 |       type: JKS
21 |     truststore:
22 |       location: classpath:truststore.jks
23 |       password: 123456
24 |       type: JKS
25 | ---
26 | spring.config.activate.on-profile: prod
27 | spring.ssl.bundle.jks:
28 |   server:
29 |     reload-on-update: true
30 |     keystore:
31 |       location: ${CERT_PATH}/keystore.jks
32 |       password: ${PASSWORD}
33 |       type: JKS
34 |     truststore:
35 |       location: ${CERT_PATH}/truststore.jks
36 |       password: ${PASSWORD}
37 |       type: JKS


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/resources/application.yml:
--------------------------------------------------------------------------------
 1 | server.port: 8081
 2 | 
 3 | spring:
 4 |   security:
 5 |     saml2:
 6 |       relyingparty:
 7 |         registration:
 8 |           keycloak:
 9 |             identityprovider:
10 |               entity-id: https://localhost:8443/realms/spring-boot-keycloak
11 |               verification.credentials:
12 |                 - certificate-location: classpath:rp-certificate.crt
13 |               singlesignon.url: https://localhost:8443/realms/spring-boot-keycloak/protocol/saml
14 |               singlesignon.sign-request: false
15 |             signing:
16 |               credentials:
17 |                 - private-key-location: classpath:rp-key.key
18 |                   certificate-location: classpath:rp-certificate.crt
19 | #            singlelogout:
20 | #              url: https://localhost:8443/realms/spring-boot-keycloak
21 | #              binding: POST
22 | #              response-url: "{baseUrl}/logout/saml2/sso"
23 |             assertingparty:
24 | #              metadata-uri: classpath:metadata/metadata-idp.xml
25 |               metadata-uri: https://localhost:8443/realms/spring-boot-keycloak/protocol/saml/descriptor


--------------------------------------------------------------------------------
/oauth/gateway/src/main/java/pl/piomin/samples/security/gateway/config/SecurityConfig.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.gateway.config;
 2 | 
 3 | import org.springframework.context.annotation.Bean;
 4 | import org.springframework.context.annotation.Configuration;
 5 | import org.springframework.security.config.Customizer;
 6 | import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 7 | import org.springframework.security.config.web.server.ServerHttpSecurity;
 8 | import org.springframework.security.web.server.SecurityWebFilterChain;
 9 | 
10 | import static org.springframework.security.config.Customizer.withDefaults;
11 | 
12 | @Configuration
13 | @EnableWebFluxSecurity
14 | public class SecurityConfig {
15 | 
16 |     @Bean
17 |     public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
18 |         http.authorizeExchange(auth -> auth.anyExchange().authenticated())
19 |                 .oauth2Login(withDefaults())
20 |                 .oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()));
21 |         http.csrf(ServerHttpSecurity.CsrfSpec::disable);
22 |         return http.build();
23 |     }
24 | 
25 | }
26 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <parent>
 8 |         <groupId>org.springframework.boot</groupId>
 9 |         <artifactId>spring-boot-starter-parent</artifactId>
10 |         <version>3.5.9</version>
11 |         <relativePath/>
12 |     </parent>
13 | 
14 |     <groupId>pl.piomin.services</groupId>
15 |     <artifactId>sample-spring-security-microservices</artifactId>
16 |     <version>1.1-SNAPSHOT</version>
17 |     <packaging>pom</packaging>
18 | 
19 |     <properties>
20 |         <sonar.projectKey>piomin_sample-spring-security-microservices</sonar.projectKey>
21 |         <sonar.organization>piomin</sonar.organization>
22 |         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
23 |         <java.version>17</java.version>
24 |         <spring-cloud.version>2025.0.0</spring-cloud.version>
25 |     </properties>
26 | 
27 |     <modules>
28 |         <module>ssl</module>
29 |         <module>oauth</module>
30 |         <module>saml</module>
31 |     </modules>
32 | 
33 | </project>
34 | 


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/src/main/java/pl/piomin/services/caller/controller/SecureCallerBundleController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.caller.controller;
 2 | 
 3 | import org.springframework.beans.factory.annotation.Value;
 4 | import org.springframework.web.bind.annotation.GetMapping;
 5 | import org.springframework.web.bind.annotation.RestController;
 6 | import org.springframework.web.client.RestClient;
 7 | import org.springframework.web.client.RestTemplate;
 8 | 
 9 | @RestController
10 | public class SecureCallerBundleController {
11 | 
12 |     RestTemplate restTemplate;
13 |     RestClient restClient;
14 | 
15 |     @Value("${client.url}")
16 |     String clientUrl;
17 | 
18 |     public SecureCallerBundleController(RestTemplate restTemplate, RestClient restClient) {
19 |         this.restTemplate = restTemplate;
20 |         this.restClient = restClient;
21 |     }
22 | 
23 |     @GetMapping("/caller")
24 |     public String call() {
25 |         return "I'm `secure-caller`! calling... " +
26 |                 restTemplate.getForObject(clientUrl, String.class);
27 |     }
28 | 
29 |     @GetMapping("/caller/client")
30 |     public String call2() {
31 |         return "I'm `secure-caller`! calling... " +
32 |                 restClient.get().retrieve().body(String.class);
33 |     }
34 | }
35 | 


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/src/main/resources/application.yml:
--------------------------------------------------------------------------------
 1 | server.port: 8443
 2 | server.ssl.bundle: server
 3 | spring.profiles.active: dev
 4 | 
 5 | ---
 6 | spring.config.activate.on-profile: dev
 7 | server.port: 8444
 8 | client.url: https://localhost:8443/callme
 9 | spring.ssl.bundle.jks:
10 |   server:
11 |     reload-on-update: true
12 |     keystore:
13 |       location: classpath:keystore.jks
14 |       password: 123456
15 |       type: JKS
16 |   client:
17 |     reload-on-update: true
18 |     keystore:
19 |       location: classpath:keystore-client.jks
20 |       password: 123456
21 |       type: JKS
22 |     truststore:
23 |       location: classpath:truststore-client.jks
24 |       password: 123456
25 |       type: JKS
26 | ---
27 | spring.config.activate.on-profile: prod
28 | client.url: https://${HOST}:8443/callme
29 | spring.ssl.bundle.jks:
30 |   server:
31 |     reload-on-update: true
32 |     keystore:
33 |       location: ${CERT_PATH}/keystore.jks
34 |       password: ${PASSWORD}
35 |       type: JKS
36 |   client:
37 |     reload-on-update: true
38 |     keystore:
39 |       location: ${CLIENT_CERT_PATH}/keystore.jks
40 |       password: ${PASSWORD}
41 |       type: JKS
42 |     truststore:
43 |       location: ${CLIENT_CERT_PATH}/truststore.jks
44 |       password: ${PASSWORD}
45 |       type: JKS


--------------------------------------------------------------------------------
/saml/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <parent>
 8 |         <groupId>pl.piomin.services</groupId>
 9 |         <artifactId>sample-spring-security-microservices</artifactId>
10 |         <version>1.1-SNAPSHOT</version>
11 |     </parent>
12 | 
13 |     <artifactId>saml</artifactId>
14 |     <packaging>pom</packaging>
15 | 
16 |     <properties>
17 |         <java.version>21</java.version>
18 |         <maven.compiler.source>${java.version}</maven.compiler.source>
19 |         <maven.compiler.target>${java.version}</maven.compiler.target>
20 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
21 |     </properties>
22 | 
23 |     <modules>
24 |         <module>callme-saml</module>
25 |     </modules>
26 | 
27 |     <repositories>
28 |         <repository>
29 |             <id>shibboleth-build-releases</id>
30 |             <name>Shibboleth Build Releases Repository</name>
31 |             <url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
32 |         </repository>
33 |     </repositories>
34 | 
35 | </project>


--------------------------------------------------------------------------------
/ssl/secure-callme/k8s/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: secure-callme
 5 |   annotations:
 6 |     secret.reloader.stakater.com/reload: "secure-callme-cert"
 7 | spec:
 8 |   selector:
 9 |     matchLabels:
10 |       app.kubernetes.io/name: secure-callme
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app.kubernetes.io/name: secure-callme
15 |     spec:
16 |       containers:
17 |         - image: piomin/secure-callme
18 |           name: secure-callme
19 |           ports:
20 |             - containerPort: 8443
21 |               name: https
22 |           env:
23 |             - name: PASSWORD
24 |               valueFrom:
25 |                 secretKeyRef:
26 |                   key: password
27 |                   name: jks-password-secret
28 |             - name: CERT_PATH
29 |               value: /opt/secret
30 |           volumeMounts:
31 |             - mountPath: /opt/secret
32 |               name: cert
33 |       volumes:
34 |         - name: cert
35 |           secret:
36 |             secretName: secure-callme-cert
37 | ---
38 | apiVersion: v1
39 | kind: Service
40 | metadata:
41 |   labels:
42 |     app.kubernetes.io/name: secure-callme
43 |   name: secure-callme
44 | spec:
45 |   ports:
46 |     - name: https
47 |       port: 8443
48 |       targetPort: 8443
49 |   selector:
50 |     app.kubernetes.io/name: secure-callme
51 |   type: ClusterIP


--------------------------------------------------------------------------------
/ssl/secure-caller/src/main/java/pl/piomin/services/configuration/ClientSSLProperties.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.configuration;
 2 | 
 3 | import org.springframework.boot.context.properties.ConfigurationProperties;
 4 | import org.springframework.context.annotation.Configuration;
 5 | 
 6 | @Configuration
 7 | @ConfigurationProperties("client.ssl")
 8 | public class ClientSSLProperties {
 9 | 
10 |     private String keyStore;
11 |     private String keyStorePassword;
12 |     private String trustStore;
13 |     private String trustStorePassword;
14 | 
15 |     public String getKeyStore() {
16 |         return keyStore;
17 |     }
18 | 
19 |     public void setKeyStore(String keyStore) {
20 |         this.keyStore = keyStore;
21 |     }
22 | 
23 |     public String getKeyStorePassword() {
24 |         return keyStorePassword;
25 |     }
26 | 
27 |     public void setKeyStorePassword(String keyStorePassword) {
28 |         this.keyStorePassword = keyStorePassword;
29 |     }
30 | 
31 |     public String getTrustStore() {
32 |         return trustStore;
33 |     }
34 | 
35 |     public void setTrustStore(String trustStore) {
36 |         this.trustStore = trustStore;
37 |     }
38 | 
39 |     public String getTrustStorePassword() {
40 |         return trustStorePassword;
41 |     }
42 | 
43 |     public void setTrustStorePassword(String trustStorePassword) {
44 |         this.trustStorePassword = trustStorePassword;
45 |     }
46 | }
47 | 


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/resources/rp-certificate.crt:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIDmzCCAoOgAwIBAgIUYsSTBrFWDd52POr90F/FyUF4og4wDQYJKoZIhvcNAQEL
 3 | BQAwXTELMAkGA1UEBhMCUEwxDDAKBgNVBAgMA01hejEMMAoGA1UEBwwDV2FyMSEw
 4 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnBpb21p
 5 | bjAeFw0yNDEwMjUxOTE3MzNaFw0yNTEwMjUxOTE3MzNaMF0xCzAJBgNVBAYTAlBM
 6 | MQwwCgYDVQQIDANNYXoxDDAKBgNVBAcMA1dhcjEhMB8GA1UECgwYSW50ZXJuZXQg
 7 | V2lkZ2l0cyBQdHkgTHRkMQ8wDQYDVQQDDAZwaW9taW4wggEiMA0GCSqGSIb3DQEB
 8 | AQUAA4IBDwAwggEKAoIBAQCrXxU7l9VLkT9Y0TrRp0IH1gjNOW45/g4oywN0QGvX
 9 | v98sm6pnm0zTasqVq5Q1whau7MgfOt8auWzAaNEvnD4/atY423yWSMLxxxzDlj4q
10 | 4wfbqU+RZpvkpboEYXh28Up3pn8jkczuYcc0kRuG3z3cSLQW3NimPcm+sbt+22JR
11 | P+e3wWLuc3tQBcEdGbDoIJmtwivvhUWbjKPQ6pnfjALDoKC0ZNYGwwr702GBD7Ox
12 | 9xQ6GmnBpO1CrUzAbCpM4NjgBpbWDTmmg7Hvxhbw+hxDY9SZCuqLhObO52fILA0X
13 | su7ok/8Fx/kSLQWyqdSICxnbeXt+ZJqhxRDKgDrHGxJ7AgMBAAGjUzBRMB0GA1Ud
14 | DgQWBBTSYgKQyqymGjZy/rkMxCSQwi07ADAfBgNVHSMEGDAWgBTSYgKQyqymGjZy
15 | /rkMxCSQwi07ADAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCf
16 | xdlLboSabkrwRPvBO9qG7B64/xxO2AbNTmfLm3AWdFMbrEigFdJ8E25WnVSmCjsZ
17 | XaO5ERwrwptYXlBYtazyJo/yTpaHTUqxxTK231rhlFtzeoxLIDo3FBq4TeheaJB1
18 | r2du8YEEEjDVEAvNnhn6BKb8iM8mUzBe1bBWbBcvPp/Iv8aXqEKyHL2jel/xP6R1
19 | 6oys/epjHgADbg+h0td8KccIu9rfI2C8R13ovx9D1rHCtSAy6dTrYKKwgYHyxGvp
20 | tCMpVlHFpzSMje0flIB9XrQLyGzYUD9jplLrfkuAHvcMQq0Hv3hFVH11I0Fn9cKS
21 | OOfAk5LsXJWfDTd3BY/E
22 | -----END CERTIFICATE-----
23 | 


--------------------------------------------------------------------------------
/oauth/gateway/src/main/java/pl/piomin/samples/security/gateway/GatewayApplication.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.gateway;
 2 | 
 3 | import org.slf4j.Logger;
 4 | import org.slf4j.LoggerFactory;
 5 | import reactor.core.publisher.Mono;
 6 | 
 7 | import org.springframework.boot.SpringApplication;
 8 | import org.springframework.boot.autoconfigure.SpringBootApplication;
 9 | import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
10 | import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
11 | import org.springframework.web.bind.annotation.GetMapping;
12 | import org.springframework.web.bind.annotation.RestController;
13 | import org.springframework.web.server.WebSession;
14 | 
15 | @SpringBootApplication
16 | @RestController
17 | public class GatewayApplication {
18 | 
19 |     private static final Logger LOGGER = LoggerFactory.getLogger(GatewayApplication.class);
20 | 
21 |     public static void main(String[] args) {
22 |         SpringApplication.run(GatewayApplication.class, args);
23 |     }
24 | 
25 |     @GetMapping(value = "/token")
26 |     public Mono<String> getHome(@RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient) {
27 |         return Mono.just(authorizedClient.getAccessToken().getTokenValue());
28 |     }
29 | 
30 |     @GetMapping("/")
31 |     public Mono<String> index(WebSession session) {
32 |         return Mono.just(session.getId());
33 |     }
34 | 
35 | }
36 | 


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/k8s/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: secure-callme-bundle
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       app.kubernetes.io/name: secure-callme-bundle
 9 |   template:
10 |     metadata:
11 |       labels:
12 |         app.kubernetes.io/name: secure-callme-bundle
13 |     spec:
14 |       containers:
15 |         - image: piomin/secure-callme-bundle
16 |           name: secure-callme-bundle
17 |           ports:
18 |             - containerPort: 8443
19 |               name: https
20 |           env:
21 |             - name: PASSWORD
22 |               valueFrom:
23 |                 secretKeyRef:
24 |                   key: password
25 |                   name: jks-password-secret
26 |             - name: CERT_PATH
27 |               value: /opt/secret
28 |             - name: SPRING_PROFILES_ACTIVE
29 |               value: prod
30 |           volumeMounts:
31 |             - mountPath: /opt/secret
32 |               name: cert
33 |       volumes:
34 |         - name: cert
35 |           secret:
36 |             secretName: secure-callme-cert
37 | ---
38 | apiVersion: v1
39 | kind: Service
40 | metadata:
41 |   labels:
42 |     app.kubernetes.io/name: secure-callme-bundle
43 |   name: secure-callme-bundle
44 | spec:
45 |   ports:
46 |     - name: https
47 |       port: 8443
48 |       targetPort: 8443
49 |   selector:
50 |     app.kubernetes.io/name: secure-callme-bundle
51 |   type: ClusterIP


--------------------------------------------------------------------------------
/oauth/callme/src/test/java/pl/piomin/samples/security/callme/CallMeControllerTests.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme;
 2 | 
 3 | import org.junit.jupiter.api.Test;
 4 | import org.springframework.beans.factory.annotation.Autowired;
 5 | import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 6 | import org.springframework.boot.test.context.SpringBootTest;
 7 | import org.springframework.security.core.authority.SimpleGrantedAuthority;
 8 | import org.springframework.test.web.servlet.MockMvc;
 9 | 
10 | import java.util.List;
11 | 
12 | import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
13 | import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
14 | import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
15 | @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
16 | @AutoConfigureMockMvc
17 | public class CallMeControllerTests {
18 |     @Autowired
19 |     private MockMvc mockMvc;
20 | 
21 |     @Test
22 |     void whenLackingScopeThenForbidden() throws Exception {
23 |         this.mockMvc.perform(get("/callme/ping").with(jwt())).andExpect(status().isForbidden());
24 |     }
25 | 
26 |     @Test
27 |     void whenHavingScopeThenOk() throws Exception {
28 |         this.mockMvc.perform(get("/callme/ping").with(jwt().authorities(List.of(new SimpleGrantedAuthority("SCOPE_TEST"))))).andExpect(status().isOk());
29 |     }
30 | }
31 | 


--------------------------------------------------------------------------------
/oauth/caller/src/main/java/pl/piomin/samples/security/caller/controller/CallerController.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.caller.controller;
 2 | 
 3 | import org.springframework.security.access.prepost.PreAuthorize;
 4 | import org.springframework.security.core.Authentication;
 5 | import org.springframework.security.core.context.SecurityContext;
 6 | import org.springframework.security.core.context.SecurityContextHolder;
 7 | import org.springframework.web.bind.annotation.GetMapping;
 8 | import org.springframework.web.bind.annotation.RequestMapping;
 9 | import org.springframework.web.bind.annotation.RestController;
10 | import org.springframework.web.reactive.function.client.WebClient;
11 | 
12 | @RestController
13 | @RequestMapping("/caller")
14 | public class CallerController {
15 | 
16 |     private WebClient webClient;
17 | 
18 |     public CallerController(WebClient webClient) {
19 |         this.webClient = webClient;
20 |     }
21 | 
22 |     @PreAuthorize("hasAuthority('SCOPE_TEST')")
23 |     @GetMapping("/ping")
24 |     public String ping() {
25 |         SecurityContext context = SecurityContextHolder.getContext();
26 |         Authentication authentication = context.getAuthentication();
27 | 
28 |         String scopes = webClient
29 |                 .get()
30 |                 .uri("http://localhost:8040/callme/ping")
31 |                 .retrieve()
32 |                 .bodyToMono(String.class)
33 |                 .block();
34 |         return "Callme scopes: " + scopes;
35 |     }
36 | }
37 | 


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/resources/templates/index.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
 3 |       xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity6">
 4 | 
 5 | <head>
 6 |     <title>SAML 2.0 Login</title>
 7 |     <meta charset="utf-8" />
 8 |     <style>
 9 |         span,
10 |         dt {
11 |             font-weight: bold;
12 |         }
13 |     </style>
14 |     <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"
15 |           integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
16 | </head>
17 | 
18 | <body>
19 |     <main role="main" class="container">
20 |         <h1 class="mt-5">SAML 2.0 Login with Spring Security</h1>
21 |         <p class="lead">You are successfully logged in as <span sec:authentication="name"></span></p>
22 |         <h2 class="mt-2">User Identity Attributes</h2>
23 |         <table class='table table-striped'>
24 |             <thead>
25 |             <tr>
26 |                 <th>Attribute</th>
27 |                 <th>Value</th>
28 |             </tr>
29 |             </thead>
30 |             <tbody>
31 |             <tr th:each="userAttribute : ${userAttributes}">
32 |                 <th th:text="${userAttribute.key}"></th>
33 |                 <td th:text="${userAttribute.value}"></td>
34 |             </tr>
35 |             </tbody>
36 |         </table>
37 |     </main>
38 | </body>
39 | 
40 | </html>


--------------------------------------------------------------------------------
/oauth/gateway/src/main/resources/application.yml:
--------------------------------------------------------------------------------
 1 | spring:
 2 |   application:
 3 |     name: gateway
 4 |   cloud:
 5 |     gateway:
 6 |       default-filters:
 7 |         - TokenRelay=
 8 |       routes:
 9 |         - id: callme-service
10 |           uri: http://localhost:8040
11 |           predicates:
12 |             - Path=/callme/**
13 |         - id: caller-service
14 |           uri: http://localhost:8020
15 |           predicates:
16 |             - Path=/caller/**
17 |   security:
18 |     oauth2:
19 |       resourceserver:
20 |         jwt:
21 |           jwk-set-uri: http://localhost:8080/realms/demo/protocol/openid-connect/certs
22 |       client:
23 |         provider:
24 |           keycloak:
25 |             issuer-uri: http://localhost:8080/realms/demo
26 |         registration:
27 |           spring-with-test-scope:
28 |             provider: keycloak
29 |             client-id: spring-with-test-scope
30 |             client-secret: IWLSnakHG8aNTWNaWuSj0a11UY4lzxd9
31 |             authorization-grant-type: authorization_code
32 |             scope: openid
33 | #          keycloak-without-test-scope:
34 | #            provider: keycloak
35 | #            client-id: spring-without-test-scope
36 | #            client-secret: f6fc369d-49ce-4132-8282-5b5d413eba23
37 | #            authorization-grant-type: authorization_code
38 | #            redirect-uri: "{baseUrl}/login/oauth2/code/spring-without-test-scope"
39 | 
40 | server.port: 8060
41 | 
42 | logging.level:
43 |   org.springframework.cloud.gateway: DEBUG
44 |   org.springframework.security: DEBUG
45 |   org.springframework.web.reactive.function.client: TRACE


--------------------------------------------------------------------------------
/oauth/gateway/src/test/resources/test-realm.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "realm": "demo",
 3 |   "enabled": true,
 4 |   "users": [
 5 |     {
 6 |       "username": "keycloak",
 7 |       "enabled": true,
 8 |       "credentials": [
 9 |         {
10 |           "type": "password",
11 |           "value": "test"
12 |         }
13 |       ],
14 |       "realmRoles": [
15 |         "user"
16 |       ]
17 |     }
18 |   ],
19 |   "roles": {
20 |     "realm": [
21 |       {
22 |         "name": "user",
23 |         "description": "User privileges"
24 |       },
25 |       {
26 |         "name": "admin",
27 |         "description": "Administrator privileges"
28 |       }
29 |     ]
30 |   },
31 |   "defaultRoles": [
32 |     "user"
33 |   ],
34 |   "clients": [
35 |     {
36 |       "clientId": "spring-without-test-scope",
37 |       "enabled": true,
38 |       "clientAuthenticatorType": "client-secret",
39 |       "secret": "f6fc369d-49ce-4132-8282-5b5d413eba23",
40 |       "publicClient": true,
41 |       "redirectUris": [
42 |         "*"
43 |       ],
44 |       "webOrigins": [
45 |         "*"
46 |       ],
47 |       "defaultClientScopes": [
48 |         "role_list",
49 |         "profile",
50 |         "email"
51 |       ]
52 |     },
53 |     {
54 |       "clientId": "spring-with-test-scope",
55 |       "enabled": true,
56 |       "clientAuthenticatorType": "client-secret",
57 |       "secret": "c6480137-1526-4c3e-aed3-295aabcb7609",
58 |       "publicClient": true,
59 |       "redirectUris": [
60 |         "*"
61 |       ],
62 |       "webOrigins": [
63 |         "*"
64 |       ],
65 |       "defaultClientScopes": [
66 |         "role_list",
67 |         "profile",
68 |         "email",
69 |         "TEST"
70 |       ]
71 |     }
72 |   ]
73 | }


--------------------------------------------------------------------------------
/ssl/secure-caller/k8s/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: secure-caller
 5 |   annotations:
 6 |     secret.reloader.stakater.com/reload: "secure-caller-cert,secure-callme-cert"
 7 | spec:
 8 |   selector:
 9 |     matchLabels:
10 |       app.kubernetes.io/name: secure-caller
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app.kubernetes.io/name: secure-caller
15 |     spec:
16 |       containers:
17 |         - image: piomin/secure-caller
18 |           name: secure-caller
19 |           ports:
20 |             - containerPort: 8443
21 |               name: https
22 |           env:
23 |             - name: PASSWORD
24 |               valueFrom:
25 |                 secretKeyRef:
26 |                   key: password
27 |                   name: jks-password-secret
28 |             - name: CERT_PATH
29 |               value: /opt/secret
30 |             - name: CLIENT_CERT_PATH
31 |               value: /opt/client-secret
32 |             - name: HOST
33 |               value: secure-callme
34 |           volumeMounts:
35 |             - mountPath: /opt/secret
36 |               name: cert
37 |             - mountPath: /opt/client-secret
38 |               name: client-cert
39 |       volumes:
40 |         - name: cert
41 |           secret:
42 |             secretName: secure-caller-cert
43 |         - name: client-cert
44 |           secret:
45 |             secretName: secure-callme-cert
46 | ---
47 | apiVersion: v1
48 | kind: Service
49 | metadata:
50 |   labels:
51 |     app.kubernetes.io/name: secure-caller
52 |   name: secure-caller
53 | spec:
54 |   ports:
55 |     - name: https
56 |       port: 8443
57 |       targetPort: 8443
58 |   selector:
59 |     app.kubernetes.io/name: secure-caller
60 |   type: ClusterIP


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/java/pl/piomin/samples/security/callme/saml/CallmeSamlApplication.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme.saml;
 2 | 
 3 | import org.springframework.boot.SpringApplication;
 4 | import org.springframework.boot.autoconfigure.SpringBootApplication;
 5 | import org.springframework.context.annotation.Bean;
 6 | import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 7 | import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 8 | import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 9 | import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
10 | import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
11 | 
12 | @SpringBootApplication
13 | public class CallmeSamlApplication {
14 | 
15 |     public static void main(String[] args) {
16 |         SpringApplication.run(CallmeSamlApplication.class, args);
17 |     }
18 | 
19 | //    @Bean
20 | //    Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
21 | //        RelyingPartyRegistrationResolver registrationResolver =
22 | //                new DefaultRelyingPartyRegistrationResolver(registrations);
23 | //        OpenSaml4AuthenticationRequestResolver authenticationRequestResolver =
24 | //                new OpenSaml4AuthenticationRequestResolver(registrationResolver);
25 | //        authenticationRequestResolver.setAuthnRequestCustomizer((context) -> context
26 | //                .getAuthnRequest().setForceAuthn(true));
27 | //        return authenticationRequestResolver;
28 | //    }
29 | }
30 | 


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/k8s/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: secure-caller-bundle
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       app.kubernetes.io/name: secure-caller-bundle
 9 |   template:
10 |     metadata:
11 |       labels:
12 |         app.kubernetes.io/name: secure-caller-bundle
13 |     spec:
14 |       containers:
15 |         - image: piomin/secure-caller-bundle
16 |           name: secure-caller-bundle
17 |           ports:
18 |             - containerPort: 8443
19 |               name: https
20 |           env:
21 |             - name: PASSWORD
22 |               valueFrom:
23 |                 secretKeyRef:
24 |                   key: password
25 |                   name: jks-password-secret
26 |             - name: CERT_PATH
27 |               value: /opt/secret
28 |             - name: CLIENT_CERT_PATH
29 |               value: /opt/client-secret
30 |             - name: HOST
31 |               value: secure-callme-bundle
32 |             - name: SPRING_PROFILES_ACTIVE
33 |               value: prod
34 |           volumeMounts:
35 |             - mountPath: /opt/secret
36 |               name: cert
37 |             - mountPath: /opt/client-secret
38 |               name: client-cert
39 |       volumes:
40 |         - name: cert
41 |           secret:
42 |             secretName: secure-caller-cert
43 |         - name: client-cert
44 |           secret:
45 |             secretName: secure-callme-cert
46 | ---
47 | apiVersion: v1
48 | kind: Service
49 | metadata:
50 |   labels:
51 |     app.kubernetes.io/name: secure-caller-bundle
52 |   name: secure-caller-bundle
53 | spec:
54 |   ports:
55 |     - name: https
56 |       port: 8443
57 |       targetPort: 8443
58 |   selector:
59 |     app.kubernetes.io/name: secure-caller-bundle
60 |   type: ClusterIP


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/resources/rp-key.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN PRIVATE KEY-----
 2 | MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrXxU7l9VLkT9Y
 3 | 0TrRp0IH1gjNOW45/g4oywN0QGvXv98sm6pnm0zTasqVq5Q1whau7MgfOt8auWzA
 4 | aNEvnD4/atY423yWSMLxxxzDlj4q4wfbqU+RZpvkpboEYXh28Up3pn8jkczuYcc0
 5 | kRuG3z3cSLQW3NimPcm+sbt+22JRP+e3wWLuc3tQBcEdGbDoIJmtwivvhUWbjKPQ
 6 | 6pnfjALDoKC0ZNYGwwr702GBD7Ox9xQ6GmnBpO1CrUzAbCpM4NjgBpbWDTmmg7Hv
 7 | xhbw+hxDY9SZCuqLhObO52fILA0Xsu7ok/8Fx/kSLQWyqdSICxnbeXt+ZJqhxRDK
 8 | gDrHGxJ7AgMBAAECggEAGYofGPWE1TE9VphAAtTBc3eDckpX0g65v3yZ9C5RpCK1
 9 | OOmuGKi9Z1in/mxGt0hIpyMko/rbGxl9SqOUYVsQr9TVPj3/sEoBu5SoBcITW8Lf
10 | /e2arRm0q/vC4DpCgL9vEKvgkMV+3Bv4Wy4xAwWsK3MuW6XoJ8ZXlbLZNYuueFsl
11 | 9WJ0KAjcBmCh9iuRgAAclrPnEYwDxVF5rBcDlwOVFomfsj+hS+l7GE6VDDpKgnEJ
12 | RbyLExBIOmSe74XEvDMXRcIQXX4FCKrp97Rn0JZE8UsWfF/CXBcalZ0W7haAK0Oo
13 | WEBujh4RXD4CrYiEpELB0504FKozuFtQ0LiRM9KiUQKBgQDqD9e1QTA4HBlfZfwp
14 | qcBVT9VfX5gHQr/HdEiC+Fq7MaJPMQDVTUVlC5Da8CSSHXEUC6ELXMT2Jkbmbn7N
15 | rNG5h+UKYpAbY+k4DK0DD2RgXaGlpnsTcZftAgTpb6EnR6t6zfZRas8Xh+Id8lTE
16 | lUBrNtyWyqdedJ4FvxwR4d+hWQKBgQC7bwZWuRwMuxMjcZ3qwDU2sJSokCkTAwhH
17 | 3QV9Jnyh98b0jBWDgHZPG6WlL2ff9J+x1/vMVQIOyaggpfC1xMjq8/iasfcJYODP
18 | G61WiQRG4M3M7v2k1USHMDSmXW7EUk0G6ZuWGy28SWKaEyBz6/4hrA4108mYr39X
19 | rwPCPnvj8wKBgCqg+Ahq9v1BIN3fFS4BXKYtBA96uZWY8pTA+PPhh6TQRV9m7V/r
20 | 0te0Y418byytcArWk14eZ0Dtd7xAI5gSAaBov65EhTp31+H9bQVBqGZkpywkRgYk
21 | iicAVySs0Az3YKPdHx909IK0nNoXaJjlFfZw53wPLKxnUOB7DgGzwacBAoGAJkw+
22 | QFQcfiFvfKuHd+MEPIOCLJsgOWlCNOTdbUAC8VlehrNk5fTGt81PYFw6XlFum/kk
23 | 0xB/liPwPZOKhqmJ4DAvmPRKJNlttgPSvD7M5+qhQoGGxDprgTABYgjvTCAA6yuq
24 | hdZR1woroo3L8MPErn6ofKkkpRUe8PyqyPLZf68CgYB/JfzTPkswE6G8cLCaIHme
25 | EgHe2oE0h+g7hjXfvOqueFqrrZm/TKUqvRkcmzbsIMhMi97ulq9wLSwvuBbiVv6d
26 | 4a0p7GHi43dMmBaQxsxCEhGko56GKWu91kw8Fb5C3ui8zeH2zIQ2JhltVGWdUj1q
27 | XMm2j1gQp+fEUYyjcmivFw==
28 | -----END PRIVATE KEY-----
29 | 


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/src/test/java/pl/piomin/services/callme/SecureCallmeBundleTest.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.callme;
 2 | 
 3 | import org.junit.jupiter.api.Test;
 4 | import org.springframework.beans.factory.annotation.Autowired;
 5 | import org.springframework.boot.ssl.SslBundles;
 6 | import org.springframework.boot.test.context.SpringBootTest;
 7 | import org.springframework.boot.test.context.TestConfiguration;
 8 | import org.springframework.boot.test.web.client.TestRestTemplate;
 9 | import org.springframework.boot.test.web.server.LocalServerPort;
10 | import org.springframework.boot.web.client.RestTemplateBuilder;
11 | import org.springframework.context.annotation.Bean;
12 | import org.springframework.context.annotation.Primary;
13 | import org.springframework.http.client.ClientHttpRequestFactory;
14 | import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
15 | import org.springframework.web.client.RestTemplate;
16 | 
17 | import javax.net.ssl.SSLContext;
18 | 
19 | import java.net.http.HttpClient;
20 | 
21 | import static org.junit.jupiter.api.Assertions.assertEquals;
22 | 
23 | @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
24 | public class SecureCallmeBundleTest {
25 | 
26 |     @Autowired
27 |     RestTemplate restTemplate;
28 |     @LocalServerPort
29 |     Integer port;
30 | 
31 |     @Test
32 |     void call() {
33 |         String res = restTemplate.getForObject("https://localhost:" + port + "/callme", String.class);
34 |         assertEquals("I'm secure-callme-bundle!", res);
35 |     }
36 | 
37 |     @TestConfiguration
38 |     public static class TestRestTemplateConfiguration {
39 |         @Bean
40 |         @Primary
41 |         RestTemplate restTemplate(RestTemplateBuilder builder, SslBundles sslBundles) {
42 |             return builder.setSslBundle(sslBundles.getBundle("server")).build();
43 |         }
44 |     }
45 | }
46 | 


--------------------------------------------------------------------------------
/saml/callme-saml/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 |     <parent>
 7 |         <groupId>pl.piomin.services</groupId>
 8 |         <artifactId>saml</artifactId>
 9 |         <version>1.1-SNAPSHOT</version>
10 |     </parent>
11 | 
12 |     <artifactId>callme-saml</artifactId>
13 | 
14 |     <properties>
15 |         <java.version>21</java.version>
16 |     </properties>
17 | 
18 |     <dependencies>
19 |         <dependency>
20 |             <groupId>org.springframework.boot</groupId>
21 |             <artifactId>spring-boot-starter-security</artifactId>
22 |         </dependency>
23 |         <dependency>
24 |             <groupId>org.springframework.boot</groupId>
25 |             <artifactId>spring-boot-starter-thymeleaf</artifactId>
26 |         </dependency>
27 |         <dependency>
28 |             <groupId>org.springframework.boot</groupId>
29 |             <artifactId>spring-boot-starter-web</artifactId>
30 |         </dependency>
31 |         <dependency>
32 |             <groupId>org.thymeleaf.extras</groupId>
33 |             <artifactId>thymeleaf-extras-springsecurity6</artifactId>
34 |         </dependency>
35 |         <dependency>
36 |             <groupId>org.springframework.boot</groupId>
37 |             <artifactId>spring-boot-starter-test</artifactId>
38 |             <scope>test</scope>
39 |         </dependency>
40 |         <dependency>
41 |             <groupId>org.springframework.security</groupId>
42 |             <artifactId>spring-security-test</artifactId>
43 |             <scope>test</scope>
44 |         </dependency>
45 |         <dependency>
46 |             <groupId>org.springframework.security</groupId>
47 |             <artifactId>spring-security-saml2-service-provider</artifactId>
48 |         </dependency>
49 |     </dependencies>
50 | 
51 | </project>


--------------------------------------------------------------------------------
/ssl/secure-callme/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <groupId>pl.piomin.services</groupId>
 7 |         <artifactId>ssl</artifactId>
 8 |         <version>1.1-SNAPSHOT</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>secure-callme</artifactId>
13 | 
14 |     <properties>
15 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
16 |     </properties>
17 | 
18 |     <dependencies>
19 |         <dependency>
20 |             <groupId>org.springframework.boot</groupId>
21 |             <artifactId>spring-boot-starter-web</artifactId>
22 |         </dependency>
23 |     </dependencies>
24 | 
25 |     <build>
26 |         <plugins>
27 |             <plugin>
28 |                 <groupId>org.springframework.boot</groupId>
29 |                 <artifactId>spring-boot-maven-plugin</artifactId>
30 |             </plugin>
31 |             <plugin>
32 |                 <groupId>com.google.cloud.tools</groupId>
33 |                 <artifactId>jib-maven-plugin</artifactId>
34 |                 <version>3.5.1</version>
35 |             </plugin>
36 |             <plugin>
37 |                 <groupId>org.jacoco</groupId>
38 |                 <artifactId>jacoco-maven-plugin</artifactId>
39 |                 <version>0.8.14</version>
40 |                 <executions>
41 |                     <execution>
42 |                         <goals>
43 |                             <goal>prepare-agent</goal>
44 |                         </goals>
45 |                     </execution>
46 |                     <execution>
47 |                         <id>report</id>
48 |                         <phase>test</phase>
49 |                         <goals>
50 |                             <goal>report</goal>
51 |                         </goals>
52 |                     </execution>
53 |                 </executions>
54 |             </plugin>
55 |         </plugins>
56 |     </build>
57 | 
58 | </project>


--------------------------------------------------------------------------------
/saml/localhost-crt.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIGDTCCA/WgAwIBAgIUY/L0vHWsYvxqdLe/DRM9cVDW9xEwDQYJKoZIhvcNAQEL
 3 | BQAwgY0xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpvd2llY2tpZTEPMA0GA1UE
 4 | BwwGV2Fyc2F3MQ0wCwYDVQQKDARUZXN0MQ0wCwYDVQQLDARUZXN0MQ8wDQYDVQQD
 5 | DAZwaW9taW4xKDAmBgkqhkiG9w0BCQEWGXBpb3RyLm1pbmtvd3NraUBnbWFpbC5j
 6 | b20wHhcNMjQxMDE4MTU1MzQwWhcNMjUxMDE4MTU1MzQwWjCBjTELMAkGA1UEBhMC
 7 | UEwxFDASBgNVBAgMC01hem93aWVja2llMQ8wDQYDVQQHDAZXYXJzYXcxDTALBgNV
 8 | BAoMBFRlc3QxDTALBgNVBAsMBFRlc3QxDzANBgNVBAMMBnBpb21pbjEoMCYGCSqG
 9 | SIb3DQEJARYZcGlvdHIubWlua293c2tpQGdtYWlsLmNvbTCCAiIwDQYJKoZIhvcN
10 | AQEBBQADggIPADCCAgoCggIBAKjjWI9ISDgGEKZbHI45FN0jOvRSh/tS/235gaPI
11 | f47oy1Dcv8ydTSheMN+VU5Nhoryh9npE5TWJVdcc4gGPE7t9BtAay1a+9IiYDmza
12 | P5yG/uj/n5fny68ML36QsHW3+D8ZcGlsJLkNRBCmqOQ4TF8PbvjldIPMHbZ9jrha
13 | ldsjJyFsH7u0yDlFrmzUbdbNVCmsVs5OnFktnaPGRripznaWt2pVSJM77xNley8y
14 | RsvGDuj97ZZP0N4/0VGC5xpHVJeg28D43lQw4gKQvhGJU24mJJzboYUauJl3T/BN
15 | mfMFl6Xq4xAK1fQYy/HzzyfFVYTblbYnm/AZnlyI8fL5M0NmXLpZwA0vLbdIpfmh
16 | nOppCjCN+o/hFE2to0crCFeBwWNFv6l0mde8qwJT5G94zjBiHU+J6epLE8B2F+3b
17 | vKZDAKzf8OGQlxjewnXEYGq6DDVqaS+VogOrzVK1TZsAeJmCWl5Ve/wC/5vNn2uF
18 | q67YB0g+br71wy8P0OCEMMiF4OW4F59dOT2C7/RW/2yc8uxUe/oG/ascqtjwLo+Z
19 | mQDXfAyqm+TXu7g7sCPokK1hv9v1i2h38tanvggPJNY9iAVdAeyHl1zeyVobYe2n
20 | yZJDKcro/kR9KXYH9Epcsj+3zXs+Zauwp5tJUHUZ18i6og7vRNfpO6at0208dSDY
21 | qUNZAgMBAAGjYzBhMB8GA1UdIwQYMBaAFP702Z0Q+iVq4zYB1rat1lPvs57tMAkG
22 | A1UdEwQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MB0GA1UdDgQWBBRKDzGXUPoH
23 | /EZp4Jt1rFm0m7WLhjANBgkqhkiG9w0BAQsFAAOCAgEAlRgFkmM9MLTzcsBMtMGM
24 | mH1sN056g25rnQY1N2IVe/63xJ3dI62THwE4AJ5b1Zt0K9axxvEeI+qD7PwLjsSU
25 | qujQbE9XBxPVPt/IU355W3gvFeZZ43rvw7M3UsF5Rbj6rYCw2CDrUCfSm4GQs6Fu
26 | yNCv+JX6WefUWFDeAlFJORHY8j/T9BbZdsfU+akBnLTf0/GxqgbvpZakBNk/nHse
27 | YsH0Mop0kCm9ttLrKbtaH5ZZa5FbvwYhHd517DlNTz/2PwB19+mN1tKLWHJkHEUc
28 | h07hVH1l6887wENCXqHUHq5eGKXQ0aQhtVFN99NcC4td6FJqyTAIXVTbAQoh5Qs5
29 | GbvZg6Vsg6C8p4JegYdyuR1dM6BhcRaFTPmC24P4OcTijmHq0nFMlIfAN0NJW0qD
30 | FrN6Xz24Wnjyom1vwdgxIeh8W/KNfd+CbSGYyABcCcYzt+WU1QDLitpW9YavATz4
31 | utjWz3CEpWhqQv5gRzrVeLNyTaJbzFPED5PX0mca6sntOuIs5ueEWJfRqJr/rQyZ
32 | FSX2/CmDUJVH/6umvQ9b7f7NJJ469p2UxJXp7TtZq+q8vcv3/e0Eu9m/EYuW4ugA
33 | RC77eI8tinCNID7NGYAkO26kCfVM7TAguSgBlVNhdHhbPncgyNHSDN00sUMdF9Dd
34 | TyJWsZ7g53hfT4UOAAB6bT8=
35 | -----END CERTIFICATE-----
36 | 


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/src/main/java/pl/piomin/services/caller/SecureCallerBundle.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services.caller;
 2 | 
 3 | import org.slf4j.Logger;
 4 | import org.slf4j.LoggerFactory;
 5 | import org.springframework.beans.factory.annotation.Autowired;
 6 | import org.springframework.beans.factory.annotation.Value;
 7 | import org.springframework.beans.factory.support.DefaultSingletonBeanRegistry;
 8 | import org.springframework.boot.SpringApplication;
 9 | import org.springframework.boot.autoconfigure.SpringBootApplication;
10 | import org.springframework.boot.autoconfigure.web.client.RestClientSsl;
11 | import org.springframework.boot.ssl.SslBundles;
12 | import org.springframework.boot.web.client.RestTemplateBuilder;
13 | import org.springframework.context.ApplicationContext;
14 | import org.springframework.context.annotation.Bean;
15 | import org.springframework.web.client.RestClient;
16 | import org.springframework.web.client.RestTemplate;
17 | 
18 | import java.security.KeyStoreException;
19 | 
20 | 
21 | @SpringBootApplication
22 | public class SecureCallerBundle {
23 | 
24 |     private static final Logger LOG = LoggerFactory.getLogger(SecureCallerBundle.class);
25 |     public static void main(String[] args) {
26 |         SpringApplication.run(SecureCallerBundle.class, args);
27 |     }
28 | 
29 |     @Autowired
30 |     ApplicationContext context;
31 | 
32 |     @Bean("restTemplate")
33 |     RestTemplate builder(RestTemplateBuilder builder, SslBundles sslBundles) {
34 |         sslBundles.addBundleUpdateHandler("client", sslBundle -> {
35 |             try {
36 |                 LOG.info("Bundle updated: " + sslBundle.getStores().getKeyStore().getCertificate("certificate"));
37 |             } catch (KeyStoreException e) {
38 |                 LOG.error("Error on getting certificate", e);
39 |             }
40 |             DefaultSingletonBeanRegistry registry = (DefaultSingletonBeanRegistry) context.getAutowireCapableBeanFactory();
41 |             registry.destroySingleton("restTemplate");
42 |             registry.registerSingleton("restTemplate", builder.setSslBundle(sslBundle).build());
43 |         });
44 |         return builder.setSslBundle(sslBundles.getBundle("client")).build();
45 |     }
46 | 
47 |     @Value("${client.url}")
48 |     String clientUrl;
49 | 
50 |     @Bean
51 |     RestClient restClient(RestClient.Builder restClientBuilder, RestClientSsl ssl) {
52 |         return restClientBuilder.baseUrl(clientUrl)
53 |                 .apply(ssl.fromBundle("client"))
54 |                 .build();
55 |     }
56 | }
57 | 


--------------------------------------------------------------------------------
/ssl/secure-caller/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <groupId>pl.piomin.services</groupId>
 7 |         <artifactId>ssl</artifactId>
 8 |         <version>1.1-SNAPSHOT</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>secure-caller</artifactId>
13 | 
14 |     <properties>
15 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
16 |     </properties>
17 | 
18 |     <dependencies>
19 |         <dependency>
20 |             <groupId>org.springframework.boot</groupId>
21 |             <artifactId>spring-boot-starter-web</artifactId>
22 |         </dependency>
23 |         <dependency>
24 |             <groupId>org.apache.httpcomponents.client5</groupId>
25 |             <artifactId>httpclient5</artifactId>
26 |         </dependency>
27 |     </dependencies>
28 | 
29 |     <build>
30 |         <plugins>
31 |             <plugin>
32 |                 <groupId>org.springframework.boot</groupId>
33 |                 <artifactId>spring-boot-maven-plugin</artifactId>
34 |                 <configuration>
35 |                     <profiles>
36 |                         <profile>dev</profile>
37 |                     </profiles>
38 |                 </configuration>
39 |             </plugin>
40 |             <plugin>
41 |                 <groupId>com.google.cloud.tools</groupId>
42 |                 <artifactId>jib-maven-plugin</artifactId>
43 |                 <version>3.5.1</version>
44 |             </plugin>
45 |             <plugin>
46 |                 <groupId>org.jacoco</groupId>
47 |                 <artifactId>jacoco-maven-plugin</artifactId>
48 |                 <version>0.8.14</version>
49 |                 <executions>
50 |                     <execution>
51 |                         <goals>
52 |                             <goal>prepare-agent</goal>
53 |                         </goals>
54 |                     </execution>
55 |                     <execution>
56 |                         <id>report</id>
57 |                         <phase>test</phase>
58 |                         <goals>
59 |                             <goal>report</goal>
60 |                         </goals>
61 |                     </execution>
62 |                 </executions>
63 |             </plugin>
64 |         </plugins>
65 |     </build>
66 | 
67 | </project>


--------------------------------------------------------------------------------
/ssl/secure-caller-bundle/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 |     <parent>
 7 |         <groupId>pl.piomin.services</groupId>
 8 |         <artifactId>ssl</artifactId>
 9 |         <version>1.1-SNAPSHOT</version>
10 |     </parent>
11 | 
12 |     <artifactId>secure-caller-bundle</artifactId>
13 | 
14 |     <properties>
15 |         <java.version>17</java.version>
16 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
17 |     </properties>
18 | 
19 |     <dependencies>
20 |         <dependency>
21 |             <groupId>org.springframework.boot</groupId>
22 |             <artifactId>spring-boot-starter-web</artifactId>
23 |         </dependency>
24 |         <dependency>
25 |             <groupId>org.apache.httpcomponents.client5</groupId>
26 |             <artifactId>httpclient5</artifactId>
27 |         </dependency>
28 |     </dependencies>
29 | 
30 |     <build>
31 |         <plugins>
32 |             <plugin>
33 |                 <groupId>org.springframework.boot</groupId>
34 |                 <artifactId>spring-boot-maven-plugin</artifactId>
35 |                 <configuration>
36 |                     <profiles>
37 |                         <profile>dev</profile>
38 |                     </profiles>
39 |                 </configuration>
40 |             </plugin>
41 |             <plugin>
42 |                 <groupId>com.google.cloud.tools</groupId>
43 |                 <artifactId>jib-maven-plugin</artifactId>
44 |                 <version>3.5.1</version>
45 |             </plugin>
46 |             <plugin>
47 |                 <groupId>org.jacoco</groupId>
48 |                 <artifactId>jacoco-maven-plugin</artifactId>
49 |                 <version>0.8.14</version>
50 |                 <executions>
51 |                     <execution>
52 |                         <goals>
53 |                             <goal>prepare-agent</goal>
54 |                         </goals>
55 |                     </execution>
56 |                     <execution>
57 |                         <id>report</id>
58 |                         <phase>test</phase>
59 |                         <goals>
60 |                             <goal>report</goal>
61 |                         </goals>
62 |                     </execution>
63 |                 </executions>
64 |             </plugin>
65 |         </plugins>
66 |     </build>
67 | 
68 | </project>


--------------------------------------------------------------------------------
/ssl/secure-callme-bundle/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 |     <parent>
 7 |         <groupId>pl.piomin.services</groupId>
 8 |         <artifactId>ssl</artifactId>
 9 |         <version>1.1-SNAPSHOT</version>
10 |     </parent>
11 | 
12 |     <artifactId>secure-callme-bundle</artifactId>
13 | 
14 |     <properties>
15 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
16 |     </properties>
17 | 
18 |     <dependencies>
19 |         <dependency>
20 |             <groupId>org.springframework.boot</groupId>
21 |             <artifactId>spring-boot-starter-web</artifactId>
22 |         </dependency>
23 |         <dependency>
24 |             <groupId>org.springframework.boot</groupId>
25 |             <artifactId>spring-boot-starter-actuator</artifactId>
26 |         </dependency>
27 |         <dependency>
28 |             <groupId>org.springframework.boot</groupId>
29 |             <artifactId>spring-boot-starter-test</artifactId>
30 |             <scope>test</scope>
31 |         </dependency>
32 |     </dependencies>
33 | 
34 |     <build>
35 |         <plugins>
36 |             <plugin>
37 |                 <groupId>org.springframework.boot</groupId>
38 |                 <artifactId>spring-boot-maven-plugin</artifactId>
39 |                 <executions>
40 |                     <execution>
41 |                         <goals>
42 |                             <goal>build-info</goal>
43 |                         </goals>
44 |                     </execution>
45 |                 </executions>
46 |             </plugin>
47 |             <plugin>
48 |                 <groupId>com.google.cloud.tools</groupId>
49 |                 <artifactId>jib-maven-plugin</artifactId>
50 |                 <version>3.5.1</version>
51 |             </plugin>
52 |             <plugin>
53 |                 <groupId>org.jacoco</groupId>
54 |                 <artifactId>jacoco-maven-plugin</artifactId>
55 |                 <version>0.8.14</version>
56 |                 <executions>
57 |                     <execution>
58 |                         <goals>
59 |                             <goal>prepare-agent</goal>
60 |                         </goals>
61 |                     </execution>
62 |                     <execution>
63 |                         <id>report</id>
64 |                         <phase>test</phase>
65 |                         <goals>
66 |                             <goal>report</goal>
67 |                         </goals>
68 |                     </execution>
69 |                 </executions>
70 |             </plugin>
71 |         </plugins>
72 |     </build>
73 | 
74 | </project>


--------------------------------------------------------------------------------
/oauth/caller/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 |     <parent>
 7 |         <groupId>pl.piomin.services</groupId>
 8 |         <artifactId>oauth</artifactId>
 9 |         <version>1.1-SNAPSHOT</version>
10 |     </parent>
11 | 
12 |     <artifactId>caller</artifactId>
13 | 
14 |     <properties>
15 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
16 |     </properties>
17 | 
18 |     <dependencies>
19 |         <dependency>
20 |             <groupId>org.springframework.boot</groupId>
21 |             <artifactId>spring-boot-starter-web</artifactId>
22 |         </dependency>
23 |         <dependency>
24 |             <groupId>org.springframework.boot</groupId>
25 |             <artifactId>spring-boot-starter-security</artifactId>
26 |         </dependency>
27 | <!--        <dependency>-->
28 | <!--            <groupId>org.springframework.boot</groupId>-->
29 | <!--            <artifactId>spring-boot-starter-oauth2-client</artifactId>-->
30 | <!--        </dependency>-->
31 |         <dependency>
32 |             <groupId>org.springframework.security</groupId>
33 |             <artifactId>spring-security-oauth2-resource-server</artifactId>
34 |         </dependency>
35 |         <dependency>
36 |             <groupId>org.springframework.security</groupId>
37 |             <artifactId>spring-security-oauth2-jose</artifactId>
38 |         </dependency>
39 |         <dependency>
40 |             <groupId>org.springframework</groupId>
41 |             <artifactId>spring-webflux</artifactId>
42 |         </dependency>
43 |     </dependencies>
44 | 
45 |     <build>
46 |         <plugins>
47 |             <plugin>
48 |                 <groupId>org.springframework.boot</groupId>
49 |                 <artifactId>spring-boot-maven-plugin</artifactId>
50 |             </plugin>
51 |             <plugin>
52 |                 <groupId>org.jacoco</groupId>
53 |                 <artifactId>jacoco-maven-plugin</artifactId>
54 |                 <version>0.8.14</version>
55 |                 <executions>
56 |                     <execution>
57 |                         <goals>
58 |                             <goal>prepare-agent</goal>
59 |                         </goals>
60 |                     </execution>
61 |                     <execution>
62 |                         <id>report</id>
63 |                         <phase>test</phase>
64 |                         <goals>
65 |                             <goal>report</goal>
66 |                         </goals>
67 |                     </execution>
68 |                 </executions>
69 |             </plugin>
70 |         </plugins>
71 |     </build>
72 | 
73 | </project>


--------------------------------------------------------------------------------
/ssl/secure-caller/src/main/java/pl/piomin/services/SecureCaller.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.services;
 2 | 
 3 | import org.apache.hc.client5.http.classic.HttpClient;
 4 | import org.apache.hc.client5.http.impl.classic.HttpClients;
 5 | import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 6 | import org.apache.hc.client5.http.io.HttpClientConnectionManager;
 7 | import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 8 | import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
 9 | import org.apache.hc.core5.ssl.SSLContextBuilder;
10 | import org.springframework.beans.factory.annotation.Autowired;
11 | import org.springframework.boot.SpringApplication;
12 | import org.springframework.boot.autoconfigure.SpringBootApplication;
13 | import org.springframework.boot.web.client.RestTemplateBuilder;
14 | import org.springframework.context.annotation.Bean;
15 | import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
16 | import org.springframework.web.client.RestTemplate;
17 | import pl.piomin.services.configuration.ClientSSLProperties;
18 | 
19 | import javax.net.ssl.SSLContext;
20 | import java.io.File;
21 | import java.io.IOException;
22 | import java.security.GeneralSecurityException;
23 | 
24 | 
25 | @SpringBootApplication
26 | public class SecureCaller {
27 | 
28 |     public static void main(String[] args) {
29 |         SpringApplication.run(SecureCaller.class, args);
30 |     }
31 | 
32 |     @Autowired
33 |     ClientSSLProperties clientSSLProperties;
34 | 
35 |     @Bean
36 |     RestTemplate builder(RestTemplateBuilder builder) throws GeneralSecurityException, IOException {
37 |         final SSLContext sslContext = new SSLContextBuilder()
38 |                 .loadTrustMaterial(
39 |                         new File(clientSSLProperties.getTrustStore()),
40 |                         clientSSLProperties.getTrustStorePassword().toCharArray())
41 |                 .loadKeyMaterial(
42 |                         new File(clientSSLProperties.getKeyStore()),
43 |                         clientSSLProperties.getKeyStorePassword().toCharArray(),
44 |                         clientSSLProperties.getKeyStorePassword().toCharArray()
45 |                 )
46 |                 .build();
47 | 
48 |         final SSLConnectionSocketFactory sslSocketFactory = SSLConnectionSocketFactoryBuilder.create()
49 |                 .setSslContext(sslContext)
50 |                 .build();
51 | 
52 |         final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
53 |                 .setSSLSocketFactory(sslSocketFactory)
54 |                 .build();
55 | 
56 |         final HttpClient httpClient = HttpClients.custom()
57 |                 .setConnectionManager(cm)
58 |                 .evictExpiredConnections()
59 |                 .build();
60 | 
61 | 
62 |         return builder
63 |                 .requestFactory(() -> new HttpComponentsClientHttpRequestFactory(httpClient))
64 |                 .build();
65 |     }
66 | }
67 | 


--------------------------------------------------------------------------------
/saml/localhost-key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN PRIVATE KEY-----
 2 | MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCo41iPSEg4BhCm
 3 | WxyOORTdIzr0Uof7Uv9t+YGjyH+O6MtQ3L/MnU0oXjDflVOTYaK8ofZ6ROU1iVXX
 4 | HOIBjxO7fQbQGstWvvSImA5s2j+chv7o/5+X58uvDC9+kLB1t/g/GXBpbCS5DUQQ
 5 | pqjkOExfD2745XSDzB22fY64WpXbIychbB+7tMg5Ra5s1G3WzVQprFbOTpxZLZ2j
 6 | xka4qc52lrdqVUiTO+8TZXsvMkbLxg7o/e2WT9DeP9FRgucaR1SXoNvA+N5UMOIC
 7 | kL4RiVNuJiSc26GFGriZd0/wTZnzBZel6uMQCtX0GMvx888nxVWE25W2J5vwGZ5c
 8 | iPHy+TNDZly6WcANLy23SKX5oZzqaQowjfqP4RRNraNHKwhXgcFjRb+pdJnXvKsC
 9 | U+RveM4wYh1PienqSxPAdhft27ymQwCs3/DhkJcY3sJ1xGBqugw1amkvlaIDq81S
10 | tU2bAHiZglpeVXv8Av+bzZ9rhauu2AdIPm6+9cMvD9DghDDIheDluBefXTk9gu/0
11 | Vv9snPLsVHv6Bv2rHKrY8C6PmZkA13wMqpvk17u4O7Aj6JCtYb/b9Ytod/LWp74I
12 | DyTWPYgFXQHsh5dc3slaG2Htp8mSQynK6P5EfSl2B/RKXLI/t817PmWrsKebSVB1
13 | GdfIuqIO70TX6TumrdNtPHUg2KlDWQIDAQABAoICABK2T8leT5wfdehMp4MNiYV/
14 | 4ggQfd8HgOQRNT8tl46AtggxUTHtSs96ci1PmPk3I+YFBu9go0m1e/SPz22vSdcn
15 | 4OGdWmKz2RmqSUzfuJUR8vvjWK4mwU9ViQyboOWGGuP44FbZ4866DMzQfl187F9K
16 | 8Td0Ct8QdklSK4Y7CSgEwtDl7zUnsFiCIzONLNdUHCta3CpTFOkfj/wFm6/ZppXG
17 | mK9YICiqBxDt2UJvLl9lBCFmAxU4pjJ9vSYsHAlyFkoPiVGd8VpAKUZx/ZEpVzxY
18 | zw0vG3wJLCNa0BlWq8Q8niMEvaA5Jx/6wFwAMLdeGp3UC4gpZtJpMD3d8XrDiB2U
19 | 6mkq602u7vvx308IiMSPk8Oegv0f698APpoXv1NfRvGz79K0xrdmDTTDgFsC1Y6K
20 | O33M8pB2qyjlH4Pt9Xmf408PFTQGhF0B+x7+1+l6vuT8TYOOsmz8sgg48OZBpLGU
21 | /NUBIyVls6lQTYKE549nDSEh3M6cqRgMjM8wZkY0+cRDb/juAmD9OK9xXhuk2GRG
22 | 3bRkmM3ppy/U4wbs74XD5kv/TN9iuBvxikI0ImSDbmW68rpIObfgXyAK2wJpEcz3
23 | EJo4Rj2b6dX6NQFSa2c6LUB3L0jKlIbgnLNrRS9lqQWWzwx6RgAKPDNG93aJKuio
24 | /WL0NjBZ54jFMOnod9UFAoIBAQDswluo7dCfznR6Z+sPVem/WwOvwFT71QdzuZFA
25 | Nmzxa2FeFJo1fkOUVWXzcyJIIMsJJSKeTmsW/ntjwnqGerEpGQcAkfouxeViO3ak
26 | +EInTwApxFqb7MaYEYrlgKbtt/i3IrPBu3yAQAiDD+JyGGmbSTylRgsZ2UN6hLTu
27 | NAMHgmJ2dNenWGvPNvolkPMbjgJNJwvHT1a6M85BmhCk3QKXkmbBFFhUB1THTx/K
28 | TAJToevcobRJoJmzCH2DGzwUhrRFDG1y6tGyJGfTioxuzyoXxA9Wm1DGveSHaK94
29 | Pn6xeArV8vtMQMwQaSRX/rIwnLxY9oxuuFFhwpOp3BkHhxN9AoIBAQC2nPeQrYyp
30 | S/Z5MmZB+NZlk5ky7OIZORJzAXzKcwoEXCSDNxTCsX0FOZSPbyRE8Cgo9X6wav9A
31 | pbpAWrgpaWxU7xj6KiGSlGShJQNfSxixnB8LFzBDMKu/w0Hyb1n+7ERCTiIcy0s9
32 | pS1Z0KHohDte3mLJJyJ1BY/lVTR0QgKA5lOea55Y8TjNuexlv8YS0ovMgiVMcgQF
33 | WfKSxLJuN+IZzJVddqMi9Fzoz/mAUdA2RHdy+9WxbZoJUyeRR6tPK7XgZwt22D9D
34 | eWsZpfNKEbbrQmJHxJomgRfrDMNSo9Y4BUbP9CV9wo9ds7WnKOpgeVZc8XpAIiqb
35 | qxQNxkTSeT4NAoIBAQDRBnbuGafKrvde6kg47dzEuJH0pJVjEJzXqsl2K5bbPbZk
36 | 3UOYXrVDTHIKEWf+zhTzKfn6UblyP5KobJbIC6JFancoJbj/enAd3enNk/Czy6eV
37 | OGnWp6BduX8rR/4Yegf3h4e0TtaIVAAv1eJSYQM7udj1AXXjiFFu5aLnerwB8TcE
38 | 5ftPH11vQFZwvBwmA6Y8f3CCsqUbF4nNmTuAki8rqnFVnaSt6xsKK+0hKSIUvCwE
39 | Si9loYiQ67oD+hN8+8BEBcjLYE1qPYH83aFGY1gCS3JPQCh8jkIo2l+whVxNSnIm
40 | mbMLi1meU3VmytJ+4KHY2TL6vXf8G1FK8aqXXsXxAoIBAFvo6u1FfCtlUTs0s6T2
41 | sinTvOKVuUKKqA98KyvV9K+3FKV6HpfTLyJnFa+Pd8i+uufKj6YJZElMYE6tmk01
42 | g1HIOWEHvXgB+hflAip/KIGUG0fAtwjKQVc11kZH5xrYHY7ltmOZqlfvf8DZsfPO
43 | QfeApGWrrbsKPp9lYA43fv0Tb/inH76SQk3BCws3F2E32SboRg+QvxdWazGVkFzL
44 | AaCMiIzO/lLEfNKsgl4kT1BQ63HS8H3ptQKGeL61PLKPRG4aTvnU4xp5zP7OuIGK
45 | Iu+LrN2ERTWl+bzS4qgAT/xII5jcv9XpC7FUltP4UuaVi3MiEq6ew6Uv2NsJ9G+e
46 | mC0CggEBAMvJHAPGEj790kJNjrHXK462FpsRbNMFG4+QTWy0VFHdt5fqPmPSOBj+
47 | o4qe8SS+nbsrw67W913Cgc2Jdr04jmF5OxQsMCKf6Olkil9wnImhky9V+34/3aov
48 | LGZA9kBlJ3yeWOxLsz8SQtJCI1vXoHBe9szKjbwsTzBu24lMlPjYce4lwx7dD6Gg
49 | zUo/8ZrBZ45zw9hn0CqmhELbjUwwEhYbJ/+I3WEIHYBVA70eG2eEBGYN15+dm5zC
50 | w7Cs9IUMEBZdqki8umbaFfM5yWcO7jwcyvHJzCaQlJW1U3ws6V19LpITav2Rpws8
51 | BuL223jUPh1mNb7bg9DAnjrisAY1UVc=
52 | -----END PRIVATE KEY-----
53 | 


--------------------------------------------------------------------------------
/oauth/gateway/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <parent>
 6 |         <groupId>pl.piomin.services</groupId>
 7 |         <artifactId>oauth</artifactId>
 8 |         <version>1.1-SNAPSHOT</version>
 9 |     </parent>
10 |     <modelVersion>4.0.0</modelVersion>
11 | 
12 |     <artifactId>gateway</artifactId>
13 | 
14 |     <properties>
15 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
16 |     </properties>
17 | 
18 |     <dependencies>
19 |         <dependency>
20 |             <groupId>org.springframework.boot</groupId>
21 |             <artifactId>spring-boot-starter-oauth2-client</artifactId>
22 |         </dependency>
23 |         <dependency>
24 |             <groupId>org.springframework.security</groupId>
25 |             <artifactId>spring-security-oauth2-resource-server</artifactId>
26 |         </dependency>
27 |         <dependency>
28 |             <groupId>org.springframework.security</groupId>
29 |             <artifactId>spring-security-oauth2-jose</artifactId>
30 |         </dependency>
31 |         <dependency>
32 |             <groupId>org.springframework.cloud</groupId>
33 |             <artifactId>spring-cloud-starter-gateway</artifactId>
34 |         </dependency>
35 |         <dependency>
36 |             <groupId>org.springframework.boot</groupId>
37 |             <artifactId>spring-boot-starter-test</artifactId>
38 |             <scope>test</scope>
39 |         </dependency>
40 |         <dependency>
41 |             <groupId>com.github.dasniko</groupId>
42 |             <artifactId>testcontainers-keycloak</artifactId>
43 |             <version>4.0.1</version>
44 |             <scope>test</scope>
45 |         </dependency>
46 |         <dependency>
47 |             <groupId>org.testcontainers</groupId>
48 |             <artifactId>junit-jupiter</artifactId>
49 |             <version>1.21.4</version>
50 |             <scope>test</scope>
51 |         </dependency>
52 |     </dependencies>
53 | 
54 |     <dependencyManagement>
55 |         <dependencies>
56 |             <dependency>
57 |                 <groupId>org.springframework.cloud</groupId>
58 |                 <artifactId>spring-cloud-dependencies</artifactId>
59 |                 <version>${spring-cloud.version}</version>
60 |                 <type>pom</type>
61 |                 <scope>import</scope>
62 |             </dependency>
63 |         </dependencies>
64 |     </dependencyManagement>
65 |     <build>
66 |         <plugins>
67 |             <plugin>
68 |                 <groupId>org.springframework.boot</groupId>
69 |                 <artifactId>spring-boot-maven-plugin</artifactId>
70 |             </plugin>
71 |             <plugin>
72 |                 <groupId>org.jacoco</groupId>
73 |                 <artifactId>jacoco-maven-plugin</artifactId>
74 |                 <version>0.8.14</version>
75 |                 <executions>
76 |                     <execution>
77 |                         <goals>
78 |                             <goal>prepare-agent</goal>
79 |                         </goals>
80 |                     </execution>
81 |                     <execution>
82 |                         <id>report</id>
83 |                         <phase>test</phase>
84 |                         <goals>
85 |                             <goal>report</goal>
86 |                         </goals>
87 |                     </execution>
88 |                 </executions>
89 |             </plugin>
90 |         </plugins>
91 |     </build>
92 | 
93 | </project>


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/resources/metadata/metadata-idp.xml:
--------------------------------------------------------------------------------
 1 | <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost:8443/realms/spring-boot-keycloak">
 2 |     <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 3 |         <md:KeyDescriptor use="signing">
 4 |             <ds:KeyInfo>
 5 |                 <ds:KeyName>A1qiBcTHayXcWUFEyrKGntLiZFBqekhqa3J9e7jbqfI</ds:KeyName>
 6 |                 <ds:X509Data>
 7 |                     <ds:X509Certificate>MIICtzCCAZ8CBgGSxMdFejANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRzcHJpbmctYm9vdC1rZXljbG9hazAeFw0yNDEwMjUxNzQyMjZaFw0zNDEwMjUxNzQ0MDZaMB8xHTAbBgNVBAMMFHNwcmluZy1ib290LWtleWNsb2FrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuYmKlvK0z+Q8kSVlQVPSypdr7QSbRqfTkhz1CosBN0p+o0mB0OumJCDnxh30c+Ij+Qinfb72wNsqX+w0Vb/5tpld5axEwZbaZo8c60W7Xj4r2k0fnCLtjMPLiCxqbJunNbvD9ZevBy4KLmbYgVW2arLvr0HQxB5DHx9asGaK7TGv4SOl7IoPNVuFZuBkyQqjsI/86sRIWJneRC2wusFPQFUA24uNoWYJWjlOeNRUwX70pFytTCakOdD6JrEiA/xx/TZjtm1YuXNWj0f+EOSx1PGMysLn8SMiTV55L2lcdau7LbrKVc5GNmK4nBQDN9+MfrEzfkL+cZgnF8hMMz5TDQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB+M+bahzXxFgk+I4xYZOMSfBPze7jT84Cb4+Pe9hZhpC7vGgYmApD/0tWrXnVsVONXOV8Ck7soGMr62Nq3Qaf0OsGWaI835T3FouQXfKMM3KgIimon0mn1IBulNicHRVxlnNn/wqzRkK0Uq3c9d6qXWU5tLB6UUL/ToGKB+cSdKEwf3B5MAGfDfUYLHzN2kVojIg4Hagtnyqcl1Cfc48EqJipqDA8mEz+qUlA3qz6FsO0u9svvzJtf8DW+GfPkXhqzMfV1GTjMF/VmmXBa/r+sIhfkILB4zriW8WN9M8H6bhl7IMYpGA3Xsju1eudHIL0ZQb3hb4VVJc4/5KlAbcEZ</ds:X509Certificate>
 8 |                 </ds:X509Data>
 9 |             </ds:KeyInfo>
10 |         </md:KeyDescriptor>
11 |         <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml/resolve" index="0"/>
12 |         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
13 |         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
14 |         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
15 |         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
16 |         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
17 |         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
18 |         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
19 |         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
20 |         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
21 |         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
22 |         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
23 |         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/realms/spring-boot-keycloak/protocol/saml"/>
24 |     </md:IDPSSODescriptor>
25 | </md:EntityDescriptor>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Example Project for Security in Spring Boot and Microservices [![Twitter](https://img.shields.io/twitter/follow/piotr_minkowski.svg?style=social&logo=twitter&label=Follow%20Me)](https://twitter.com/piotr_minkowski)
 2 | 
 3 | [![CircleCI](https://circleci.com/gh/piomin/sample-spring-security-microservices.svg?style=svg)](https://circleci.com/gh/piomin/sample-spring-security-microservices)
 4 | 
 5 | [![SonarCloud](https://sonarcloud.io/images/project_badges/sonarcloud-black.svg)](https://sonarcloud.io/dashboard?id=piomin_sample-spring-security-microservices)
 6 | [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=piomin_sample-spring-security-microservices&metric=bugs)](https://sonarcloud.io/dashboard?id=piomin_sample-spring-security-microservices)
 7 | [![Coverage](https://sonarcloud.io/api/project_badges/measure?project=piomin_sample-spring-security-microservices&metric=coverage)](https://sonarcloud.io/dashboard?id=piomin_sample-spring-security-microservices)
 8 | [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=piomin_sample-spring-security-microservices&metric=ncloc)](https://sonarcloud.io/dashboard?id=piomin_sample-spring-security-microservices)
 9 | 
10 | In this project I'm demonstrating you the most interesting features of [Spring Cloud Project](https://spring.io/projects/spring-cloud) for building microservice-based architecture.
11 | 
12 | -----
13 | 
14 | I'm publishing on my blog and maintaining example repositories just as a hobby. But if you feel it's worth donating:
15 | 
16 | [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/piotrminkowski)
17 | 
18 | 1. How to renew certificates in your Spring Boot apps on Kubernetes with **Cert Manager** and **Stakater Reloader**. The example is available in the branch [master](https://github.com/piomin/sample-spring-security-microservices/tree/master).  A detailed guide may be found in the following article: [Renew Certificates on Kubernetes with Cert Manager and Reloader](https://piotrminkowski.com/2022/12/02/renew-certificates-on-kubernetes-with-cert-manager-and-reloader/) 
19 | 2. How to reload `SslBundles` with Spring Boot and run the apps on Kubernetes. A detailed guide may be found in the following article: [Spring Boot SSL Hot Reload on Kubernetes](https://piotrminkowski.com/2024/02/19/spring-boot-ssl-hot-reload-on-kubernetes/)
20 | 3. How to use OAuth2 with Spring Cloud and integrate Spring Boot app with **Keycloak**. A detailed guide may be found in the following article: [Microservices with Spring Cloud Gateway, OAuth2 and Keycloak](https://piotrminkowski.com/2024/03/01/microservices-with-spring-cloud-gateway-oauth2-and-keycloak/)
21 | 4. How to use SAML2 with Spring Boot and integrate it with **Keycloak** through the OpenSAML **Shibboleth** library. A detailed guide may be found in the following article: [Spring Boot with SAML2 and Keycloak](https://piotrminkowski.com/2024/10/28/spring-boot-with-saml2-and-keycloak/)
22 | 
23 | 
24 | ## Getting Started
25 | 
26 | ### SSL
27 | 
28 | To access an example with Spring Boot `SSLBundle` go to the `ssl` directory.
29 | First, run the `secure-callme-bundle` app:
30 | ```shell
31 | cd ssl/secure-callme-bundle
32 | mvn spring-boot:run
33 | ```
34 | 
35 | First, run the `secure-caller-bundle` app:
36 | ```shell
37 | cd ssl/secure-caller-bundle
38 | mvn spring-boot:run
39 | ```
40 | 
41 | Then call the endpoint exposed by the with the curl command:
42 | ```shell
43 | curl https://localhost:8444/caller/ping --insecure
44 | ```
45 | 
46 | ### SAML2
47 | 
48 | To access an example with Spring Boot SAML 2.0 example go to the `saml` directory.
49 | First, run the Keycloak container:
50 | ```shell
51 | cd saml
52 | docker compose up
53 | ```
54 | 
55 | Once the Keycloak is started go to `callme-saml` and run the app:
56 | ```shell
57 | cd callme-saml
58 | mvn spring-boot:run
59 | ```
60 | 
61 | ### OAuth2
62 | 
63 | To access an example with Spring Boot OAuth2 example go to the `oauth` directory.
64 | While building the `gateway` app it runs Testcontainer with Keycloak and simulates a downstream service:
65 | ```shell
66 | cd oauth/gateway
67 | mvn clean package
68 | ```
69 | 


--------------------------------------------------------------------------------
/oauth/callme/pom.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
  3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5 |     <parent>
  6 |         <groupId>pl.piomin.services</groupId>
  7 |         <artifactId>oauth</artifactId>
  8 |         <version>1.1-SNAPSHOT</version>
  9 |     </parent>
 10 |     <modelVersion>4.0.0</modelVersion>
 11 | 
 12 |     <artifactId>callme</artifactId>
 13 | 
 14 |     <properties>
 15 |         <sonar.moduleKey>${project.artifactId}</sonar.moduleKey>
 16 |     </properties>
 17 | 
 18 |     <dependencies>
 19 |         <dependency>
 20 |             <groupId>org.springframework.boot</groupId>
 21 |             <artifactId>spring-boot-starter-web</artifactId>
 22 |         </dependency>
 23 |         <dependency>
 24 |             <groupId>org.springframework.boot</groupId>
 25 |             <artifactId>spring-boot-starter-security</artifactId>
 26 |         </dependency>
 27 |         <dependency>
 28 |             <groupId>org.springframework.security</groupId>
 29 |             <artifactId>spring-security-oauth2-resource-server</artifactId>
 30 |         </dependency>
 31 |         <dependency>
 32 |             <groupId>org.springframework.security</groupId>
 33 |             <artifactId>spring-security-oauth2-jose</artifactId>
 34 |         </dependency>
 35 |         <dependency>
 36 |             <groupId>org.springframework.boot</groupId>
 37 |             <artifactId>spring-boot-starter-test</artifactId>
 38 |             <scope>test</scope>
 39 |         </dependency>
 40 |         <dependency>
 41 |             <groupId>org.springframework.security</groupId>
 42 |             <artifactId>spring-security-test</artifactId>
 43 |             <scope>test</scope>
 44 |         </dependency>
 45 |     </dependencies>
 46 | 
 47 |     <build>
 48 |         <plugins>
 49 |             <plugin>
 50 |                 <groupId>org.springframework.boot</groupId>
 51 |                 <artifactId>spring-boot-maven-plugin</artifactId>
 52 |             </plugin>
 53 |             <plugin>
 54 |                 <groupId>org.jacoco</groupId>
 55 |                 <artifactId>jacoco-maven-plugin</artifactId>
 56 |                 <version>0.8.14</version>
 57 |                 <executions>
 58 |                     <execution>
 59 |                         <goals>
 60 |                             <goal>prepare-agent</goal>
 61 |                         </goals>
 62 |                     </execution>
 63 |                     <execution>
 64 |                         <id>report</id>
 65 |                         <phase>test</phase>
 66 |                         <goals>
 67 |                             <goal>report</goal>
 68 |                         </goals>
 69 |                     </execution>
 70 |                 </executions>
 71 |             </plugin>
 72 |         </plugins>
 73 |     </build>
 74 | 
 75 |     <profiles>
 76 |         <profile>
 77 |             <id>build-image</id>
 78 |             <build>
 79 |                 <plugins>
 80 |                     <plugin>
 81 |                         <groupId>org.springframework.boot</groupId>
 82 |                         <artifactId>spring-boot-maven-plugin</artifactId>
 83 |                         <configuration>
 84 |                             <image>
 85 |                                 <builder>paketobuildpacks/builder-jammy-base:latest</builder>
 86 |                                 <name>sample-spring-security-microservices/${project.artifactId}:${project.version}</name>
 87 |                             </image>
 88 |                         </configuration>
 89 |                         <executions>
 90 |                             <execution>
 91 |                                 <goals>
 92 |                                     <goal>build-image</goal>
 93 |                                 </goals>
 94 |                             </execution>
 95 |                         </executions>
 96 |                     </plugin>
 97 |                 </plugins>
 98 |             </build>
 99 |         </profile>
100 |     </profiles>
101 | 
102 | </project>


--------------------------------------------------------------------------------
/saml/callme-saml/src/main/java/pl/piomin/samples/security/callme/saml/SecurityConfig.java:
--------------------------------------------------------------------------------
 1 | package pl.piomin.samples.security.callme.saml;
 2 | 
 3 | import org.opensaml.core.xml.schema.impl.XSStringImpl;
 4 | import org.opensaml.saml.saml2.core.Attribute;
 5 | import org.opensaml.saml.saml2.core.AttributeStatement;
 6 | import org.slf4j.Logger;
 7 | import org.slf4j.LoggerFactory;
 8 | import org.springframework.context.annotation.Bean;
 9 | import org.springframework.context.annotation.Configuration;
10 | import org.springframework.security.authentication.ProviderManager;
11 | import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
12 | import org.springframework.security.config.annotation.web.builders.HttpSecurity;
13 | import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
14 | import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
15 | import org.springframework.security.core.AuthenticatedPrincipal;
16 | import org.springframework.security.core.GrantedAuthority;
17 | import org.springframework.security.core.authority.SimpleGrantedAuthority;
18 | import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
19 | import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
20 | import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
21 | import org.springframework.security.web.SecurityFilterChain;
22 | 
23 | import java.util.List;
24 | 
25 | import static org.springframework.security.config.Customizer.withDefaults;
26 | 
27 | @Configuration
28 | @EnableWebSecurity
29 | @EnableMethodSecurity
30 | public class SecurityConfig {
31 | 
32 |     private static final Logger LOG = LoggerFactory.getLogger(SecurityConfig.class);
33 | 
34 |     @Bean
35 |     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
36 | 
37 |         OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
38 |         provider.setResponseValidator((responseToken) -> {
39 |             Saml2ResponseValidatorResult result = OpenSaml4AuthenticationProvider
40 |                     .createDefaultResponseValidator()
41 |                     .convert(responseToken);
42 |             if (result == null || result.hasErrors()) {
43 |                 String inResponseTo = responseToken.getResponse().getInResponseTo();
44 |                 throw new CustomSamlValidationException(inResponseTo);
45 |             }
46 |             LOG.info("SAML2 RESPONSE: {}", responseToken.getToken().getSaml2Response());
47 |             return result;
48 |         });
49 | 
50 |         provider.setResponseAuthenticationConverter(token -> {
51 |             var auth = OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter().convert(token);
52 |             LOG.info("AUTHORITIES: {}", auth.getAuthorities());
53 | 
54 |             var attrValues = token.getResponse().getAssertions().stream()
55 |                     .flatMap(as -> as.getAttributeStatements().stream())
56 |                     .flatMap(attrs -> attrs.getAttributes().stream())
57 |                         .filter(attrs -> attrs.getName().equals("member"))
58 |                         .findFirst().orElseThrow().getAttributeValues();
59 | 
60 |             if (!attrValues.isEmpty()) {
61 |                 var member = ((XSStringImpl) attrValues.getFirst()).getValue();
62 |                 LOG.info("MEMBER: {}", member);
63 |                 List<GrantedAuthority> authoritiesList = List.of(
64 |                         new SimpleGrantedAuthority("ROLE_USER"),
65 |                         new SimpleGrantedAuthority("ROLE_" + member.toUpperCase().replaceFirst("/", ""))
66 |                 );
67 | 
68 |                 LOG.info("NEW AUTHORITIES: {}", authoritiesList);
69 |                 return new Saml2Authentication((AuthenticatedPrincipal) auth.getPrincipal(), auth.getSaml2Response(), authoritiesList);
70 |             } else return auth;
71 |         });
72 | 
73 |         http.csrf(AbstractHttpConfigurer::disable)
74 |                 .authorizeHttpRequests(authorize -> authorize.anyRequest()
75 |                         .authenticated())
76 | //                .saml2Login(withDefaults())
77 |                 .saml2Login(saml2 -> saml2
78 |                         .authenticationManager(new ProviderManager(provider))
79 |                 )
80 |                 .saml2Metadata(withDefaults());
81 |         return http.build();
82 |     }
83 | 
84 | }
85 | 


--------------------------------------------------------------------------------
/oauth/gateway/src/test/java/pl/piomin/samples/security/gateway/GatewayApplicationTests.java:
--------------------------------------------------------------------------------
  1 | package pl.piomin.samples.security.gateway;
  2 | 
  3 | import dasniko.testcontainers.keycloak.KeycloakContainer;
  4 | import org.apache.http.client.utils.URIBuilder;
  5 | import org.junit.jupiter.api.MethodOrderer;
  6 | import org.junit.jupiter.api.Order;
  7 | import org.junit.jupiter.api.Test;
  8 | import org.junit.jupiter.api.TestMethodOrder;
  9 | import org.springframework.beans.factory.annotation.Autowired;
 10 | import org.springframework.boot.json.JacksonJsonParser;
 11 | import org.springframework.boot.test.context.SpringBootTest;
 12 | import org.springframework.http.MediaType;
 13 | import org.springframework.test.context.DynamicPropertyRegistry;
 14 | import org.springframework.test.context.DynamicPropertySource;
 15 | import org.springframework.test.web.reactive.server.WebTestClient;
 16 | import org.springframework.util.LinkedMultiValueMap;
 17 | import org.springframework.util.MultiValueMap;
 18 | import org.springframework.web.reactive.function.BodyInserters;
 19 | import org.springframework.web.reactive.function.client.WebClient;
 20 | import org.testcontainers.junit.jupiter.Container;
 21 | import org.testcontainers.junit.jupiter.Testcontainers;
 22 | 
 23 | import java.net.URI;
 24 | import java.net.URISyntaxException;
 25 | import java.util.Collections;
 26 | 
 27 | import static org.junit.jupiter.api.Assertions.assertNotNull;
 28 | 
 29 | @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT)
 30 | @Testcontainers
 31 | @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
 32 | public class GatewayApplicationTests {
 33 | 
 34 |     static String accessToken;
 35 | 
 36 |     @Autowired
 37 |     WebTestClient webTestClient;
 38 | 
 39 |     @Container
 40 |     static KeycloakContainer keycloak = new KeycloakContainer()
 41 |             .withRealmImportFile("realm-export.json")
 42 |             .withExposedPorts(8080, 9000);
 43 | 
 44 |     @DynamicPropertySource
 45 |     static void registerResourceServerIssuerProperty(DynamicPropertyRegistry registry) {
 46 |         registry.add("spring.security.oauth2.client.provider.keycloak.issuer-uri",
 47 |                 () -> keycloak.getAuthServerUrl() + "/realms/demo");
 48 |         registry.add("spring.security.oauth2.resourceserver.jwt.jwk-set-uri",
 49 |                 () -> keycloak.getAuthServerUrl() + "/realms/demo/protocol/openid-connect/certs");
 50 |         registry.add("spring.cloud.gateway.routes[0].uri",
 51 |                 () -> "http://localhost:8060");
 52 |         registry.add("spring.cloud.gateway.routes[0].id", () -> "callme-service");
 53 |         registry.add("spring.cloud.gateway.routes[0].predicates[0]", () -> "Path=/callme/**");
 54 |     }
 55 | 
 56 |     @Test
 57 |     @Order(1)
 58 |     void shouldStart() {
 59 | 
 60 |     }
 61 | 
 62 |     @Test
 63 |     @Order(1)
 64 |     void shouldBeRedirectedToLoginPage() {
 65 |         webTestClient.get().uri("/callme/ping")
 66 |                 .exchange()
 67 |                 .expectStatus().is3xxRedirection();
 68 |     }
 69 | 
 70 |     @Test
 71 |     @Order(2)
 72 |     void shouldObtainAccessToken() throws URISyntaxException {
 73 |         URI authorizationURI = new URIBuilder(keycloak.getAuthServerUrl() + "/realms/demo/protocol/openid-connect/token").build();
 74 |         WebClient webclient = WebClient.builder().build();
 75 |         MultiValueMap<String, String> formData = new LinkedMultiValueMap<>();
 76 |         formData.put("grant_type", Collections.singletonList("password"));
 77 |         formData.put("client_id", Collections.singletonList("spring-with-test-scope"));
 78 |         formData.put("username", Collections.singletonList("spring"));
 79 |         formData.put("password", Collections.singletonList("Spring_123"));
 80 | 
 81 |         String result = webclient.post()
 82 |                 .uri(authorizationURI)
 83 |                 .contentType(MediaType.APPLICATION_FORM_URLENCODED)
 84 |                 .body(BodyInserters.fromFormData(formData))
 85 |                 .retrieve()
 86 |                 .bodyToMono(String.class)
 87 |                 .block();
 88 |         JacksonJsonParser jsonParser = new JacksonJsonParser();
 89 |         accessToken = jsonParser.parseMap(result)
 90 |                 .get("access_token")
 91 |                 .toString();
 92 |         assertNotNull(accessToken);
 93 |     }
 94 | 
 95 |     @Test
 96 |     @Order(3)
 97 |     void shouldReturnToken() {
 98 |         webTestClient.get().uri("/callme/ping")
 99 |                 .header("Authorization", "Bearer " + accessToken)
100 |                 .exchange()
101 |                 .expectStatus().is2xxSuccessful()
102 |                 .expectBody(String.class).isEqualTo("Hello!");
103 |     }
104 | }
105 | 


--------------------------------------------------------------------------------
/oauth/gateway/src/test/resources/realm-export.json:
--------------------------------------------------------------------------------
   1 | {
   2 |   "id": "4f9e1112-f254-4f70-a92e-cbe3e8d98865",
   3 |   "realm": "demo",
   4 |   "notBefore": 0,
   5 |   "defaultSignatureAlgorithm": "RS256",
   6 |   "revokeRefreshToken": false,
   7 |   "refreshTokenMaxReuse": 0,
   8 |   "accessTokenLifespan": 300,
   9 |   "accessTokenLifespanForImplicitFlow": 900,
  10 |   "ssoSessionIdleTimeout": 1800,
  11 |   "ssoSessionMaxLifespan": 36000,
  12 |   "ssoSessionIdleTimeoutRememberMe": 0,
  13 |   "ssoSessionMaxLifespanRememberMe": 0,
  14 |   "offlineSessionIdleTimeout": 2592000,
  15 |   "offlineSessionMaxLifespanEnabled": false,
  16 |   "offlineSessionMaxLifespan": 5184000,
  17 |   "clientSessionIdleTimeout": 0,
  18 |   "clientSessionMaxLifespan": 0,
  19 |   "clientOfflineSessionIdleTimeout": 0,
  20 |   "clientOfflineSessionMaxLifespan": 0,
  21 |   "accessCodeLifespan": 60,
  22 |   "accessCodeLifespanUserAction": 300,
  23 |   "accessCodeLifespanLogin": 1800,
  24 |   "actionTokenGeneratedByAdminLifespan": 43200,
  25 |   "actionTokenGeneratedByUserLifespan": 300,
  26 |   "oauth2DeviceCodeLifespan": 600,
  27 |   "oauth2DevicePollingInterval": 5,
  28 |   "enabled": true,
  29 |   "sslRequired": "external",
  30 |   "registrationAllowed": false,
  31 |   "registrationEmailAsUsername": false,
  32 |   "rememberMe": false,
  33 |   "verifyEmail": false,
  34 |   "loginWithEmailAllowed": true,
  35 |   "duplicateEmailsAllowed": false,
  36 |   "resetPasswordAllowed": false,
  37 |   "editUsernameAllowed": false,
  38 |   "bruteForceProtected": false,
  39 |   "permanentLockout": false,
  40 |   "maxFailureWaitSeconds": 900,
  41 |   "minimumQuickLoginWaitSeconds": 60,
  42 |   "waitIncrementSeconds": 60,
  43 |   "quickLoginCheckMilliSeconds": 1000,
  44 |   "maxDeltaTimeSeconds": 43200,
  45 |   "failureFactor": 30,
  46 |   "roles": {
  47 |     "realm": [
  48 |       {
  49 |         "id": "eb367128-5a18-4612-af8c-1495f515337f",
  50 |         "name": "uma_authorization",
  51 |         "description": "${role_uma_authorization}",
  52 |         "composite": false,
  53 |         "clientRole": false,
  54 |         "containerId": "4f9e1112-f254-4f70-a92e-cbe3e8d98865",
  55 |         "attributes": {}
  56 |       },
  57 |       {
  58 |         "id": "32b01779-8a04-4bc9-9e73-91be12dca4b0",
  59 |         "name": "USER",
  60 |         "description": "",
  61 |         "composite": false,
  62 |         "clientRole": false,
  63 |         "containerId": "4f9e1112-f254-4f70-a92e-cbe3e8d98865",
  64 |         "attributes": {}
  65 |       },
  66 |       {
  67 |         "id": "554c4233-4d09-456b-a471-d6d86b9d1526",
  68 |         "name": "default-roles-demo",
  69 |         "description": "${role_default-roles}",
  70 |         "composite": true,
  71 |         "composites": {
  72 |           "realm": [
  73 |             "offline_access",
  74 |             "uma_authorization"
  75 |           ],
  76 |           "client": {
  77 |             "account": [
  78 |               "manage-account",
  79 |               "view-profile"
  80 |             ]
  81 |           }
  82 |         },
  83 |         "clientRole": false,
  84 |         "containerId": "4f9e1112-f254-4f70-a92e-cbe3e8d98865",
  85 |         "attributes": {}
  86 |       },
  87 |       {
  88 |         "id": "1eebeddf-5877-4859-9268-a1eec5dc59c1",
  89 |         "name": "offline_access",
  90 |         "description": "${role_offline-access}",
  91 |         "composite": false,
  92 |         "clientRole": false,
  93 |         "containerId": "4f9e1112-f254-4f70-a92e-cbe3e8d98865",
  94 |         "attributes": {}
  95 |       }
  96 |     ],
  97 |     "client": {
  98 |       "realm-management": [
  99 |         {
 100 |           "id": "0d752f2a-0a59-4135-b16d-7e9a0cea86df",
 101 |           "name": "manage-identity-providers",
 102 |           "description": "${role_manage-identity-providers}",
 103 |           "composite": false,
 104 |           "clientRole": true,
 105 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 106 |           "attributes": {}
 107 |         },
 108 |         {
 109 |           "id": "ee9350fa-9cbc-48f9-ae35-d5f1b81698b2",
 110 |           "name": "query-groups",
 111 |           "description": "${role_query-groups}",
 112 |           "composite": false,
 113 |           "clientRole": true,
 114 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 115 |           "attributes": {}
 116 |         },
 117 |         {
 118 |           "id": "f394f330-c13c-406b-8641-cd84cc2902a5",
 119 |           "name": "query-users",
 120 |           "description": "${role_query-users}",
 121 |           "composite": false,
 122 |           "clientRole": true,
 123 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 124 |           "attributes": {}
 125 |         },
 126 |         {
 127 |           "id": "56738e8b-0554-4261-b4ed-1947f1d2dc73",
 128 |           "name": "manage-events",
 129 |           "description": "${role_manage-events}",
 130 |           "composite": false,
 131 |           "clientRole": true,
 132 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 133 |           "attributes": {}
 134 |         },
 135 |         {
 136 |           "id": "69aee728-1fb9-4968-9fc8-b98b6fa15fea",
 137 |           "name": "query-clients",
 138 |           "description": "${role_query-clients}",
 139 |           "composite": false,
 140 |           "clientRole": true,
 141 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 142 |           "attributes": {}
 143 |         },
 144 |         {
 145 |           "id": "c4dd25c0-b3f5-4995-ba3c-83a46b13399f",
 146 |           "name": "manage-authorization",
 147 |           "description": "${role_manage-authorization}",
 148 |           "composite": false,
 149 |           "clientRole": true,
 150 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 151 |           "attributes": {}
 152 |         },
 153 |         {
 154 |           "id": "969537df-924c-4b94-8120-8db018391dd1",
 155 |           "name": "view-clients",
 156 |           "description": "${role_view-clients}",
 157 |           "composite": true,
 158 |           "composites": {
 159 |             "client": {
 160 |               "realm-management": [
 161 |                 "query-clients"
 162 |               ]
 163 |             }
 164 |           },
 165 |           "clientRole": true,
 166 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 167 |           "attributes": {}
 168 |         },
 169 |         {
 170 |           "id": "7e517f7f-db20-4827-a7f8-574ca31d4798",
 171 |           "name": "manage-clients",
 172 |           "description": "${role_manage-clients}",
 173 |           "composite": false,
 174 |           "clientRole": true,
 175 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 176 |           "attributes": {}
 177 |         },
 178 |         {
 179 |           "id": "245d6a27-32e4-4b93-bc5a-d55a0ad9c6a4",
 180 |           "name": "view-identity-providers",
 181 |           "description": "${role_view-identity-providers}",
 182 |           "composite": false,
 183 |           "clientRole": true,
 184 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 185 |           "attributes": {}
 186 |         },
 187 |         {
 188 |           "id": "848be7c3-777b-4f9a-beba-65c5c29d5c91",
 189 |           "name": "realm-admin",
 190 |           "description": "${role_realm-admin}",
 191 |           "composite": true,
 192 |           "composites": {
 193 |             "client": {
 194 |               "realm-management": [
 195 |                 "manage-identity-providers",
 196 |                 "query-groups",
 197 |                 "query-users",
 198 |                 "manage-events",
 199 |                 "query-clients",
 200 |                 "manage-authorization",
 201 |                 "view-clients",
 202 |                 "view-identity-providers",
 203 |                 "manage-clients",
 204 |                 "view-authorization",
 205 |                 "manage-users",
 206 |                 "view-events",
 207 |                 "manage-realm",
 208 |                 "query-realms",
 209 |                 "impersonation",
 210 |                 "view-users",
 211 |                 "create-client",
 212 |                 "view-realm"
 213 |               ]
 214 |             }
 215 |           },
 216 |           "clientRole": true,
 217 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 218 |           "attributes": {}
 219 |         },
 220 |         {
 221 |           "id": "32a7513d-9f55-47d8-a9c3-57f8388b3956",
 222 |           "name": "view-authorization",
 223 |           "description": "${role_view-authorization}",
 224 |           "composite": false,
 225 |           "clientRole": true,
 226 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 227 |           "attributes": {}
 228 |         },
 229 |         {
 230 |           "id": "30f1fd84-3549-4f8e-8cec-2de80e2db2c6",
 231 |           "name": "manage-users",
 232 |           "description": "${role_manage-users}",
 233 |           "composite": false,
 234 |           "clientRole": true,
 235 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 236 |           "attributes": {}
 237 |         },
 238 |         {
 239 |           "id": "ba7917a0-3bf1-4fea-8705-bce70a78285c",
 240 |           "name": "view-events",
 241 |           "description": "${role_view-events}",
 242 |           "composite": false,
 243 |           "clientRole": true,
 244 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 245 |           "attributes": {}
 246 |         },
 247 |         {
 248 |           "id": "fb705148-295d-4444-a047-491875fedafe",
 249 |           "name": "manage-realm",
 250 |           "description": "${role_manage-realm}",
 251 |           "composite": false,
 252 |           "clientRole": true,
 253 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 254 |           "attributes": {}
 255 |         },
 256 |         {
 257 |           "id": "04d7fa95-d76b-4f8d-a359-a5d65c53ca11",
 258 |           "name": "query-realms",
 259 |           "description": "${role_query-realms}",
 260 |           "composite": false,
 261 |           "clientRole": true,
 262 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 263 |           "attributes": {}
 264 |         },
 265 |         {
 266 |           "id": "1158ceeb-4ad3-4b36-9220-322f0f5b2796",
 267 |           "name": "impersonation",
 268 |           "description": "${role_impersonation}",
 269 |           "composite": false,
 270 |           "clientRole": true,
 271 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 272 |           "attributes": {}
 273 |         },
 274 |         {
 275 |           "id": "5e33082f-a78b-4798-9e93-f334b628c8ef",
 276 |           "name": "view-users",
 277 |           "description": "${role_view-users}",
 278 |           "composite": true,
 279 |           "composites": {
 280 |             "client": {
 281 |               "realm-management": [
 282 |                 "query-groups",
 283 |                 "query-users"
 284 |               ]
 285 |             }
 286 |           },
 287 |           "clientRole": true,
 288 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 289 |           "attributes": {}
 290 |         },
 291 |         {
 292 |           "id": "9fea5c85-83d7-4fb5-a6c3-b8f6f03766b8",
 293 |           "name": "create-client",
 294 |           "description": "${role_create-client}",
 295 |           "composite": false,
 296 |           "clientRole": true,
 297 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 298 |           "attributes": {}
 299 |         },
 300 |         {
 301 |           "id": "b6a4bedb-2727-4119-9d57-e6ac53533be7",
 302 |           "name": "view-realm",
 303 |           "description": "${role_view-realm}",
 304 |           "composite": false,
 305 |           "clientRole": true,
 306 |           "containerId": "2955862f-58a5-4d81-b578-6691d707d074",
 307 |           "attributes": {}
 308 |         }
 309 |       ],
 310 |       "security-admin-console": [],
 311 |       "admin-cli": [],
 312 |       "account-console": [],
 313 |       "broker": [
 314 |         {
 315 |           "id": "e7540012-c5c4-46f7-abbc-2ef82ab3efca",
 316 |           "name": "read-token",
 317 |           "description": "${role_read-token}",
 318 |           "composite": false,
 319 |           "clientRole": true,
 320 |           "containerId": "38363b4a-8051-4265-83e7-aefee4ca8392",
 321 |           "attributes": {}
 322 |         }
 323 |       ],
 324 |       "account": [
 325 |         {
 326 |           "id": "efb95449-ef8e-4b28-a6d0-45934c5df1cf",
 327 |           "name": "manage-account",
 328 |           "description": "${role_manage-account}",
 329 |           "composite": true,
 330 |           "composites": {
 331 |             "client": {
 332 |               "account": [
 333 |                 "manage-account-links"
 334 |               ]
 335 |             }
 336 |           },
 337 |           "clientRole": true,
 338 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 339 |           "attributes": {}
 340 |         },
 341 |         {
 342 |           "id": "84fcb6f3-dae4-4560-b3fd-2bfaea928bc7",
 343 |           "name": "manage-account-links",
 344 |           "description": "${role_manage-account-links}",
 345 |           "composite": false,
 346 |           "clientRole": true,
 347 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 348 |           "attributes": {}
 349 |         },
 350 |         {
 351 |           "id": "ac1f1c48-a463-4eca-b722-9de798babf2f",
 352 |           "name": "view-consent",
 353 |           "description": "${role_view-consent}",
 354 |           "composite": false,
 355 |           "clientRole": true,
 356 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 357 |           "attributes": {}
 358 |         },
 359 |         {
 360 |           "id": "9aa188eb-38a1-46dc-a4d3-949a3f2c89de",
 361 |           "name": "view-groups",
 362 |           "description": "${role_view-groups}",
 363 |           "composite": false,
 364 |           "clientRole": true,
 365 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 366 |           "attributes": {}
 367 |         },
 368 |         {
 369 |           "id": "b357a260-95e3-47a6-9b20-8e700436c92d",
 370 |           "name": "delete-account",
 371 |           "description": "${role_delete-account}",
 372 |           "composite": false,
 373 |           "clientRole": true,
 374 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 375 |           "attributes": {}
 376 |         },
 377 |         {
 378 |           "id": "f841bb71-8424-4a83-8bfb-931b3df9fe27",
 379 |           "name": "view-applications",
 380 |           "description": "${role_view-applications}",
 381 |           "composite": false,
 382 |           "clientRole": true,
 383 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 384 |           "attributes": {}
 385 |         },
 386 |         {
 387 |           "id": "ddb11f37-c8d2-4bae-9da9-53ced9896ff5",
 388 |           "name": "manage-consent",
 389 |           "description": "${role_manage-consent}",
 390 |           "composite": true,
 391 |           "composites": {
 392 |             "client": {
 393 |               "account": [
 394 |                 "view-consent"
 395 |               ]
 396 |             }
 397 |           },
 398 |           "clientRole": true,
 399 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 400 |           "attributes": {}
 401 |         },
 402 |         {
 403 |           "id": "8036e72f-0dcd-435c-a4e9-e5d59254052b",
 404 |           "name": "view-profile",
 405 |           "description": "${role_view-profile}",
 406 |           "composite": false,
 407 |           "clientRole": true,
 408 |           "containerId": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 409 |           "attributes": {}
 410 |         }
 411 |       ],
 412 |       "spring-with-test-scope": []
 413 |     }
 414 |   },
 415 |   "groups": [],
 416 |   "defaultRole": {
 417 |     "id": "554c4233-4d09-456b-a471-d6d86b9d1526",
 418 |     "name": "default-roles-demo",
 419 |     "description": "${role_default-roles}",
 420 |     "composite": true,
 421 |     "clientRole": false,
 422 |     "containerId": "4f9e1112-f254-4f70-a92e-cbe3e8d98865"
 423 |   },
 424 |   "requiredCredentials": [
 425 |     "password"
 426 |   ],
 427 |   "otpPolicyType": "totp",
 428 |   "otpPolicyAlgorithm": "HmacSHA1",
 429 |   "otpPolicyInitialCounter": 0,
 430 |   "otpPolicyDigits": 6,
 431 |   "otpPolicyLookAheadWindow": 1,
 432 |   "otpPolicyPeriod": 30,
 433 |   "otpPolicyCodeReusable": false,
 434 |   "otpSupportedApplications": [
 435 |     "totpAppFreeOTPName",
 436 |     "totpAppGoogleName",
 437 |     "totpAppMicrosoftAuthenticatorName"
 438 |   ],
 439 |   "localizationTexts": {},
 440 |   "webAuthnPolicyRpEntityName": "keycloak",
 441 |   "webAuthnPolicySignatureAlgorithms": [
 442 |     "ES256"
 443 |   ],
 444 |   "webAuthnPolicyRpId": "",
 445 |   "webAuthnPolicyAttestationConveyancePreference": "not specified",
 446 |   "webAuthnPolicyAuthenticatorAttachment": "not specified",
 447 |   "webAuthnPolicyRequireResidentKey": "not specified",
 448 |   "webAuthnPolicyUserVerificationRequirement": "not specified",
 449 |   "webAuthnPolicyCreateTimeout": 0,
 450 |   "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
 451 |   "webAuthnPolicyAcceptableAaguids": [],
 452 |   "webAuthnPolicyExtraOrigins": [],
 453 |   "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
 454 |   "webAuthnPolicyPasswordlessSignatureAlgorithms": [
 455 |     "ES256"
 456 |   ],
 457 |   "webAuthnPolicyPasswordlessRpId": "",
 458 |   "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
 459 |   "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
 460 |   "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
 461 |   "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
 462 |   "webAuthnPolicyPasswordlessCreateTimeout": 0,
 463 |   "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
 464 |   "webAuthnPolicyPasswordlessAcceptableAaguids": [],
 465 |   "webAuthnPolicyPasswordlessExtraOrigins": [],
 466 |   "users": [
 467 |     {
 468 |       "id": "f08e96f4-c42f-45ff-8dac-5833939caefd",
 469 |       "createdTimestamp": 1708966689642,
 470 |       "username": "service-account-spring-with-test-scope",
 471 |       "enabled": true,
 472 |       "totp": false,
 473 |       "emailVerified": false,
 474 |       "serviceAccountClientId": "spring-with-test-scope",
 475 |       "disableableCredentialTypes": [],
 476 |       "requiredActions": [],
 477 |       "realmRoles": [
 478 |         "default-roles-demo"
 479 |       ],
 480 |       "notBefore": 0,
 481 |       "groups": []
 482 |     }, {
 483 |       "username": "spring",
 484 |       "email": "piotr.minkowski@gmail.com",
 485 |       "firstName": "Piotr",
 486 |       "lastName": "Minkowski",
 487 |       "enabled": true,
 488 |       "credentials": [
 489 |         {
 490 |           "type": "password",
 491 |           "value": "Spring_123"
 492 |         }
 493 |       ],
 494 |       "realmRoles": [
 495 |         "default-roles-demo",
 496 |         "USER"
 497 |       ]
 498 |     }
 499 |   ],
 500 |   "scopeMappings": [
 501 |     {
 502 |       "clientScope": "offline_access",
 503 |       "roles": [
 504 |         "offline_access"
 505 |       ]
 506 |     }
 507 |   ],
 508 |   "clientScopeMappings": {
 509 |     "account": [
 510 |       {
 511 |         "client": "account-console",
 512 |         "roles": [
 513 |           "manage-account",
 514 |           "view-groups"
 515 |         ]
 516 |       }
 517 |     ]
 518 |   },
 519 |   "clients": [
 520 |     {
 521 |       "id": "89655faf-3735-4dc2-b91b-cae6c4d09d8f",
 522 |       "clientId": "account",
 523 |       "name": "${client_account}",
 524 |       "rootUrl": "${authBaseUrl}",
 525 |       "baseUrl": "/realms/demo/account/",
 526 |       "surrogateAuthRequired": false,
 527 |       "enabled": true,
 528 |       "alwaysDisplayInConsole": false,
 529 |       "clientAuthenticatorType": "client-secret",
 530 |       "redirectUris": [
 531 |         "/realms/demo/account/*"
 532 |       ],
 533 |       "webOrigins": [],
 534 |       "notBefore": 0,
 535 |       "bearerOnly": false,
 536 |       "consentRequired": false,
 537 |       "standardFlowEnabled": true,
 538 |       "implicitFlowEnabled": false,
 539 |       "directAccessGrantsEnabled": false,
 540 |       "serviceAccountsEnabled": false,
 541 |       "publicClient": true,
 542 |       "frontchannelLogout": false,
 543 |       "protocol": "openid-connect",
 544 |       "attributes": {
 545 |         "post.logout.redirect.uris": "+"
 546 |       },
 547 |       "authenticationFlowBindingOverrides": {},
 548 |       "fullScopeAllowed": false,
 549 |       "nodeReRegistrationTimeout": 0,
 550 |       "defaultClientScopes": [
 551 |         "web-origins",
 552 |         "acr",
 553 |         "profile",
 554 |         "roles",
 555 |         "email"
 556 |       ],
 557 |       "optionalClientScopes": [
 558 |         "address",
 559 |         "phone",
 560 |         "offline_access",
 561 |         "microprofile-jwt"
 562 |       ]
 563 |     },
 564 |     {
 565 |       "id": "f3997272-761b-452f-ab04-f3545773c1e8",
 566 |       "clientId": "account-console",
 567 |       "name": "${client_account-console}",
 568 |       "rootUrl": "${authBaseUrl}",
 569 |       "baseUrl": "/realms/demo/account/",
 570 |       "surrogateAuthRequired": false,
 571 |       "enabled": true,
 572 |       "alwaysDisplayInConsole": false,
 573 |       "clientAuthenticatorType": "client-secret",
 574 |       "redirectUris": [
 575 |         "/realms/demo/account/*"
 576 |       ],
 577 |       "webOrigins": [],
 578 |       "notBefore": 0,
 579 |       "bearerOnly": false,
 580 |       "consentRequired": false,
 581 |       "standardFlowEnabled": true,
 582 |       "implicitFlowEnabled": false,
 583 |       "directAccessGrantsEnabled": false,
 584 |       "serviceAccountsEnabled": false,
 585 |       "publicClient": true,
 586 |       "frontchannelLogout": false,
 587 |       "protocol": "openid-connect",
 588 |       "attributes": {
 589 |         "post.logout.redirect.uris": "+",
 590 |         "pkce.code.challenge.method": "S256"
 591 |       },
 592 |       "authenticationFlowBindingOverrides": {},
 593 |       "fullScopeAllowed": false,
 594 |       "nodeReRegistrationTimeout": 0,
 595 |       "protocolMappers": [
 596 |         {
 597 |           "id": "42f280a1-f189-4fdb-92e2-3fcfb4b0ebcf",
 598 |           "name": "audience resolve",
 599 |           "protocol": "openid-connect",
 600 |           "protocolMapper": "oidc-audience-resolve-mapper",
 601 |           "consentRequired": false,
 602 |           "config": {}
 603 |         }
 604 |       ],
 605 |       "defaultClientScopes": [
 606 |         "web-origins",
 607 |         "acr",
 608 |         "profile",
 609 |         "roles",
 610 |         "email"
 611 |       ],
 612 |       "optionalClientScopes": [
 613 |         "address",
 614 |         "phone",
 615 |         "offline_access",
 616 |         "microprofile-jwt"
 617 |       ]
 618 |     },
 619 |     {
 620 |       "id": "cfd55a45-7166-4c40-9ada-bdcbec2c6999",
 621 |       "clientId": "admin-cli",
 622 |       "name": "${client_admin-cli}",
 623 |       "surrogateAuthRequired": false,
 624 |       "enabled": true,
 625 |       "alwaysDisplayInConsole": false,
 626 |       "clientAuthenticatorType": "client-secret",
 627 |       "redirectUris": [],
 628 |       "webOrigins": [],
 629 |       "notBefore": 0,
 630 |       "bearerOnly": false,
 631 |       "consentRequired": false,
 632 |       "standardFlowEnabled": false,
 633 |       "implicitFlowEnabled": false,
 634 |       "directAccessGrantsEnabled": true,
 635 |       "serviceAccountsEnabled": false,
 636 |       "publicClient": true,
 637 |       "frontchannelLogout": false,
 638 |       "protocol": "openid-connect",
 639 |       "attributes": {},
 640 |       "authenticationFlowBindingOverrides": {},
 641 |       "fullScopeAllowed": false,
 642 |       "nodeReRegistrationTimeout": 0,
 643 |       "defaultClientScopes": [
 644 |         "web-origins",
 645 |         "acr",
 646 |         "profile",
 647 |         "roles",
 648 |         "email"
 649 |       ],
 650 |       "optionalClientScopes": [
 651 |         "address",
 652 |         "phone",
 653 |         "offline_access",
 654 |         "microprofile-jwt"
 655 |       ]
 656 |     },
 657 |     {
 658 |       "id": "38363b4a-8051-4265-83e7-aefee4ca8392",
 659 |       "clientId": "broker",
 660 |       "name": "${client_broker}",
 661 |       "surrogateAuthRequired": false,
 662 |       "enabled": true,
 663 |       "alwaysDisplayInConsole": false,
 664 |       "clientAuthenticatorType": "client-secret",
 665 |       "redirectUris": [],
 666 |       "webOrigins": [],
 667 |       "notBefore": 0,
 668 |       "bearerOnly": true,
 669 |       "consentRequired": false,
 670 |       "standardFlowEnabled": true,
 671 |       "implicitFlowEnabled": false,
 672 |       "directAccessGrantsEnabled": false,
 673 |       "serviceAccountsEnabled": false,
 674 |       "publicClient": false,
 675 |       "frontchannelLogout": false,
 676 |       "protocol": "openid-connect",
 677 |       "attributes": {},
 678 |       "authenticationFlowBindingOverrides": {},
 679 |       "fullScopeAllowed": false,
 680 |       "nodeReRegistrationTimeout": 0,
 681 |       "defaultClientScopes": [
 682 |         "web-origins",
 683 |         "acr",
 684 |         "profile",
 685 |         "roles",
 686 |         "email"
 687 |       ],
 688 |       "optionalClientScopes": [
 689 |         "address",
 690 |         "phone",
 691 |         "offline_access",
 692 |         "microprofile-jwt"
 693 |       ]
 694 |     },
 695 |     {
 696 |       "id": "2955862f-58a5-4d81-b578-6691d707d074",
 697 |       "clientId": "realm-management",
 698 |       "name": "${client_realm-management}",
 699 |       "surrogateAuthRequired": false,
 700 |       "enabled": true,
 701 |       "alwaysDisplayInConsole": false,
 702 |       "clientAuthenticatorType": "client-secret",
 703 |       "redirectUris": [],
 704 |       "webOrigins": [],
 705 |       "notBefore": 0,
 706 |       "bearerOnly": true,
 707 |       "consentRequired": false,
 708 |       "standardFlowEnabled": true,
 709 |       "implicitFlowEnabled": false,
 710 |       "directAccessGrantsEnabled": false,
 711 |       "serviceAccountsEnabled": false,
 712 |       "publicClient": false,
 713 |       "frontchannelLogout": false,
 714 |       "protocol": "openid-connect",
 715 |       "attributes": {},
 716 |       "authenticationFlowBindingOverrides": {},
 717 |       "fullScopeAllowed": false,
 718 |       "nodeReRegistrationTimeout": 0,
 719 |       "defaultClientScopes": [
 720 |         "web-origins",
 721 |         "acr",
 722 |         "profile",
 723 |         "roles",
 724 |         "email"
 725 |       ],
 726 |       "optionalClientScopes": [
 727 |         "address",
 728 |         "phone",
 729 |         "offline_access",
 730 |         "microprofile-jwt"
 731 |       ]
 732 |     },
 733 |     {
 734 |       "id": "1e81f14a-9211-4224-bc7a-16208aa53390",
 735 |       "clientId": "security-admin-console",
 736 |       "name": "${client_security-admin-console}",
 737 |       "rootUrl": "${authAdminUrl}",
 738 |       "baseUrl": "/admin/demo/console/",
 739 |       "surrogateAuthRequired": false,
 740 |       "enabled": true,
 741 |       "alwaysDisplayInConsole": false,
 742 |       "clientAuthenticatorType": "client-secret",
 743 |       "redirectUris": [
 744 |         "/admin/demo/console/*"
 745 |       ],
 746 |       "webOrigins": [
 747 |         "+"
 748 |       ],
 749 |       "notBefore": 0,
 750 |       "bearerOnly": false,
 751 |       "consentRequired": false,
 752 |       "standardFlowEnabled": true,
 753 |       "implicitFlowEnabled": false,
 754 |       "directAccessGrantsEnabled": false,
 755 |       "serviceAccountsEnabled": false,
 756 |       "publicClient": true,
 757 |       "frontchannelLogout": false,
 758 |       "protocol": "openid-connect",
 759 |       "attributes": {
 760 |         "post.logout.redirect.uris": "+",
 761 |         "pkce.code.challenge.method": "S256"
 762 |       },
 763 |       "authenticationFlowBindingOverrides": {},
 764 |       "fullScopeAllowed": false,
 765 |       "nodeReRegistrationTimeout": 0,
 766 |       "protocolMappers": [
 767 |         {
 768 |           "id": "37f7b15a-1ed4-4930-9a5d-c682fe406b70",
 769 |           "name": "locale",
 770 |           "protocol": "openid-connect",
 771 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
 772 |           "consentRequired": false,
 773 |           "config": {
 774 |             "introspection.token.claim": "true",
 775 |             "userinfo.token.claim": "true",
 776 |             "user.attribute": "locale",
 777 |             "id.token.claim": "true",
 778 |             "access.token.claim": "true",
 779 |             "claim.name": "locale",
 780 |             "jsonType.label": "String"
 781 |           }
 782 |         }
 783 |       ],
 784 |       "defaultClientScopes": [
 785 |         "web-origins",
 786 |         "acr",
 787 |         "profile",
 788 |         "roles",
 789 |         "email"
 790 |       ],
 791 |       "optionalClientScopes": [
 792 |         "address",
 793 |         "phone",
 794 |         "offline_access",
 795 |         "microprofile-jwt"
 796 |       ]
 797 |     },
 798 |     {
 799 |       "id": "a0e8542b-2820-426a-89ba-73866c17eabb",
 800 |       "clientId": "spring-with-test-scope",
 801 |       "name": "",
 802 |       "description": "",
 803 |       "rootUrl": "",
 804 |       "adminUrl": "",
 805 |       "baseUrl": "",
 806 |       "surrogateAuthRequired": false,
 807 |       "enabled": true,
 808 |       "alwaysDisplayInConsole": false,
 809 |       "clientAuthenticatorType": "client-secret",
 810 |       "secret": "IWLSnakHG8aNTWNaWuSj0a11UY4lzxd9",
 811 |       "redirectUris": [
 812 |         "*"
 813 |       ],
 814 |       "webOrigins": [],
 815 |       "notBefore": 0,
 816 |       "bearerOnly": false,
 817 |       "consentRequired": false,
 818 |       "standardFlowEnabled": true,
 819 |       "implicitFlowEnabled": true,
 820 |       "directAccessGrantsEnabled": true,
 821 |       "serviceAccountsEnabled": true,
 822 |       "publicClient": true,
 823 |       "frontchannelLogout": true,
 824 |       "protocol": "openid-connect",
 825 |       "attributes": {
 826 |         "oidc.ciba.grant.enabled": "false",
 827 |         "client.secret.creation.time": "1708966689",
 828 |         "backchannel.logout.session.required": "true",
 829 |         "oauth2.device.authorization.grant.enabled": "true",
 830 |         "display.on.consent.screen": "false",
 831 |         "backchannel.logout.revoke.offline.tokens": "false"
 832 |       },
 833 |       "authenticationFlowBindingOverrides": {},
 834 |       "fullScopeAllowed": true,
 835 |       "nodeReRegistrationTimeout": -1,
 836 |       "protocolMappers": [
 837 |         {
 838 |           "id": "e9ad5230-81a0-43f7-bba8-36239ffc6b52",
 839 |           "name": "Client ID",
 840 |           "protocol": "openid-connect",
 841 |           "protocolMapper": "oidc-usersessionmodel-note-mapper",
 842 |           "consentRequired": false,
 843 |           "config": {
 844 |             "user.session.note": "client_id",
 845 |             "introspection.token.claim": "true",
 846 |             "id.token.claim": "true",
 847 |             "access.token.claim": "true",
 848 |             "claim.name": "client_id",
 849 |             "jsonType.label": "String"
 850 |           }
 851 |         },
 852 |         {
 853 |           "id": "2a0a360f-2902-4acd-9a87-d77a04b214e5",
 854 |           "name": "Client Host",
 855 |           "protocol": "openid-connect",
 856 |           "protocolMapper": "oidc-usersessionmodel-note-mapper",
 857 |           "consentRequired": false,
 858 |           "config": {
 859 |             "user.session.note": "clientHost",
 860 |             "introspection.token.claim": "true",
 861 |             "id.token.claim": "true",
 862 |             "access.token.claim": "true",
 863 |             "claim.name": "clientHost",
 864 |             "jsonType.label": "String"
 865 |           }
 866 |         },
 867 |         {
 868 |           "id": "c23a09bc-b29c-4676-b3c3-377660818d2e",
 869 |           "name": "Client IP Address",
 870 |           "protocol": "openid-connect",
 871 |           "protocolMapper": "oidc-usersessionmodel-note-mapper",
 872 |           "consentRequired": false,
 873 |           "config": {
 874 |             "user.session.note": "clientAddress",
 875 |             "introspection.token.claim": "true",
 876 |             "id.token.claim": "true",
 877 |             "access.token.claim": "true",
 878 |             "claim.name": "clientAddress",
 879 |             "jsonType.label": "String"
 880 |           }
 881 |         }
 882 |       ],
 883 |       "defaultClientScopes": [
 884 |         "web-origins",
 885 |         "acr",
 886 |         "TEST",
 887 |         "profile",
 888 |         "roles",
 889 |         "email"
 890 |       ],
 891 |       "optionalClientScopes": [
 892 |         "address",
 893 |         "phone",
 894 |         "offline_access",
 895 |         "microprofile-jwt"
 896 |       ]
 897 |     }
 898 |   ],
 899 |   "clientScopes": [
 900 |     {
 901 |       "id": "14aeb9e4-d546-4a57-a46d-dd198c2e474b",
 902 |       "name": "offline_access",
 903 |       "description": "OpenID Connect built-in scope: offline_access",
 904 |       "protocol": "openid-connect",
 905 |       "attributes": {
 906 |         "consent.screen.text": "${offlineAccessScopeConsentText}",
 907 |         "display.on.consent.screen": "true"
 908 |       }
 909 |     },
 910 |     {
 911 |       "id": "75614a06-9fb3-466b-ad1b-09e2c709b713",
 912 |       "name": "profile",
 913 |       "description": "OpenID Connect built-in scope: profile",
 914 |       "protocol": "openid-connect",
 915 |       "attributes": {
 916 |         "include.in.token.scope": "true",
 917 |         "display.on.consent.screen": "true",
 918 |         "consent.screen.text": "${profileScopeConsentText}"
 919 |       },
 920 |       "protocolMappers": [
 921 |         {
 922 |           "id": "3483780b-dca3-4219-b6aa-3c3eccd89aac",
 923 |           "name": "locale",
 924 |           "protocol": "openid-connect",
 925 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
 926 |           "consentRequired": false,
 927 |           "config": {
 928 |             "introspection.token.claim": "true",
 929 |             "userinfo.token.claim": "true",
 930 |             "user.attribute": "locale",
 931 |             "id.token.claim": "true",
 932 |             "access.token.claim": "true",
 933 |             "claim.name": "locale",
 934 |             "jsonType.label": "String"
 935 |           }
 936 |         },
 937 |         {
 938 |           "id": "25757e7d-8344-4e48-8bed-c8581c22f099",
 939 |           "name": "nickname",
 940 |           "protocol": "openid-connect",
 941 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
 942 |           "consentRequired": false,
 943 |           "config": {
 944 |             "introspection.token.claim": "true",
 945 |             "userinfo.token.claim": "true",
 946 |             "user.attribute": "nickname",
 947 |             "id.token.claim": "true",
 948 |             "access.token.claim": "true",
 949 |             "claim.name": "nickname",
 950 |             "jsonType.label": "String"
 951 |           }
 952 |         },
 953 |         {
 954 |           "id": "09150a54-8ae2-428b-b146-a76a4a0856e7",
 955 |           "name": "gender",
 956 |           "protocol": "openid-connect",
 957 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
 958 |           "consentRequired": false,
 959 |           "config": {
 960 |             "introspection.token.claim": "true",
 961 |             "userinfo.token.claim": "true",
 962 |             "user.attribute": "gender",
 963 |             "id.token.claim": "true",
 964 |             "access.token.claim": "true",
 965 |             "claim.name": "gender",
 966 |             "jsonType.label": "String"
 967 |           }
 968 |         },
 969 |         {
 970 |           "id": "7215834d-485d-4d5d-8fee-808db16615aa",
 971 |           "name": "middle name",
 972 |           "protocol": "openid-connect",
 973 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
 974 |           "consentRequired": false,
 975 |           "config": {
 976 |             "introspection.token.claim": "true",
 977 |             "userinfo.token.claim": "true",
 978 |             "user.attribute": "middleName",
 979 |             "id.token.claim": "true",
 980 |             "access.token.claim": "true",
 981 |             "claim.name": "middle_name",
 982 |             "jsonType.label": "String"
 983 |           }
 984 |         },
 985 |         {
 986 |           "id": "befdb28f-e861-40c6-af37-660070b20dfb",
 987 |           "name": "profile",
 988 |           "protocol": "openid-connect",
 989 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
 990 |           "consentRequired": false,
 991 |           "config": {
 992 |             "introspection.token.claim": "true",
 993 |             "userinfo.token.claim": "true",
 994 |             "user.attribute": "profile",
 995 |             "id.token.claim": "true",
 996 |             "access.token.claim": "true",
 997 |             "claim.name": "profile",
 998 |             "jsonType.label": "String"
 999 |           }
1000 |         },
1001 |         {
1002 |           "id": "d5cf7d6b-8c44-4839-b6aa-aa96ad04e133",
1003 |           "name": "birthdate",
1004 |           "protocol": "openid-connect",
1005 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1006 |           "consentRequired": false,
1007 |           "config": {
1008 |             "introspection.token.claim": "true",
1009 |             "userinfo.token.claim": "true",
1010 |             "user.attribute": "birthdate",
1011 |             "id.token.claim": "true",
1012 |             "access.token.claim": "true",
1013 |             "claim.name": "birthdate",
1014 |             "jsonType.label": "String"
1015 |           }
1016 |         },
1017 |         {
1018 |           "id": "99146a5f-9437-465f-95b3-c228fd3a9976",
1019 |           "name": "given name",
1020 |           "protocol": "openid-connect",
1021 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1022 |           "consentRequired": false,
1023 |           "config": {
1024 |             "introspection.token.claim": "true",
1025 |             "userinfo.token.claim": "true",
1026 |             "user.attribute": "firstName",
1027 |             "id.token.claim": "true",
1028 |             "access.token.claim": "true",
1029 |             "claim.name": "given_name",
1030 |             "jsonType.label": "String"
1031 |           }
1032 |         },
1033 |         {
1034 |           "id": "7dfa9437-4156-42e8-b5b5-bca8ea52a6fe",
1035 |           "name": "zoneinfo",
1036 |           "protocol": "openid-connect",
1037 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1038 |           "consentRequired": false,
1039 |           "config": {
1040 |             "introspection.token.claim": "true",
1041 |             "userinfo.token.claim": "true",
1042 |             "user.attribute": "zoneinfo",
1043 |             "id.token.claim": "true",
1044 |             "access.token.claim": "true",
1045 |             "claim.name": "zoneinfo",
1046 |             "jsonType.label": "String"
1047 |           }
1048 |         },
1049 |         {
1050 |           "id": "43a7d8a9-0dcd-4fe0-b20a-ebcf48f5a38a",
1051 |           "name": "full name",
1052 |           "protocol": "openid-connect",
1053 |           "protocolMapper": "oidc-full-name-mapper",
1054 |           "consentRequired": false,
1055 |           "config": {
1056 |             "id.token.claim": "true",
1057 |             "introspection.token.claim": "true",
1058 |             "access.token.claim": "true",
1059 |             "userinfo.token.claim": "true"
1060 |           }
1061 |         },
1062 |         {
1063 |           "id": "05a01a36-cde8-4f21-828a-1818506b8ce9",
1064 |           "name": "family name",
1065 |           "protocol": "openid-connect",
1066 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1067 |           "consentRequired": false,
1068 |           "config": {
1069 |             "introspection.token.claim": "true",
1070 |             "userinfo.token.claim": "true",
1071 |             "user.attribute": "lastName",
1072 |             "id.token.claim": "true",
1073 |             "access.token.claim": "true",
1074 |             "claim.name": "family_name",
1075 |             "jsonType.label": "String"
1076 |           }
1077 |         },
1078 |         {
1079 |           "id": "2b285d61-96e9-46d9-8277-fb7bc08b343b",
1080 |           "name": "picture",
1081 |           "protocol": "openid-connect",
1082 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1083 |           "consentRequired": false,
1084 |           "config": {
1085 |             "introspection.token.claim": "true",
1086 |             "userinfo.token.claim": "true",
1087 |             "user.attribute": "picture",
1088 |             "id.token.claim": "true",
1089 |             "access.token.claim": "true",
1090 |             "claim.name": "picture",
1091 |             "jsonType.label": "String"
1092 |           }
1093 |         },
1094 |         {
1095 |           "id": "4849894e-dc15-48ee-93e4-6065eebcb558",
1096 |           "name": "updated at",
1097 |           "protocol": "openid-connect",
1098 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1099 |           "consentRequired": false,
1100 |           "config": {
1101 |             "introspection.token.claim": "true",
1102 |             "userinfo.token.claim": "true",
1103 |             "user.attribute": "updatedAt",
1104 |             "id.token.claim": "true",
1105 |             "access.token.claim": "true",
1106 |             "claim.name": "updated_at",
1107 |             "jsonType.label": "long"
1108 |           }
1109 |         },
1110 |         {
1111 |           "id": "0a17ebfb-b3dc-4dbb-8980-c2c3d00ec031",
1112 |           "name": "username",
1113 |           "protocol": "openid-connect",
1114 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1115 |           "consentRequired": false,
1116 |           "config": {
1117 |             "introspection.token.claim": "true",
1118 |             "userinfo.token.claim": "true",
1119 |             "user.attribute": "username",
1120 |             "id.token.claim": "true",
1121 |             "access.token.claim": "true",
1122 |             "claim.name": "preferred_username",
1123 |             "jsonType.label": "String"
1124 |           }
1125 |         },
1126 |         {
1127 |           "id": "f8b125b6-f943-4f9a-a1f3-6d964e79ca77",
1128 |           "name": "website",
1129 |           "protocol": "openid-connect",
1130 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1131 |           "consentRequired": false,
1132 |           "config": {
1133 |             "introspection.token.claim": "true",
1134 |             "userinfo.token.claim": "true",
1135 |             "user.attribute": "website",
1136 |             "id.token.claim": "true",
1137 |             "access.token.claim": "true",
1138 |             "claim.name": "website",
1139 |             "jsonType.label": "String"
1140 |           }
1141 |         }
1142 |       ]
1143 |     },
1144 |     {
1145 |       "id": "6006db13-8a86-4189-8236-c463d74e128c",
1146 |       "name": "email",
1147 |       "description": "OpenID Connect built-in scope: email",
1148 |       "protocol": "openid-connect",
1149 |       "attributes": {
1150 |         "include.in.token.scope": "true",
1151 |         "display.on.consent.screen": "true",
1152 |         "consent.screen.text": "${emailScopeConsentText}"
1153 |       },
1154 |       "protocolMappers": [
1155 |         {
1156 |           "id": "3348237b-d54c-4992-9ff7-626936d0b1c3",
1157 |           "name": "email verified",
1158 |           "protocol": "openid-connect",
1159 |           "protocolMapper": "oidc-usermodel-property-mapper",
1160 |           "consentRequired": false,
1161 |           "config": {
1162 |             "introspection.token.claim": "true",
1163 |             "userinfo.token.claim": "true",
1164 |             "user.attribute": "emailVerified",
1165 |             "id.token.claim": "true",
1166 |             "access.token.claim": "true",
1167 |             "claim.name": "email_verified",
1168 |             "jsonType.label": "boolean"
1169 |           }
1170 |         },
1171 |         {
1172 |           "id": "561397a1-6fe1-4910-b2b8-e8a62ddf45ca",
1173 |           "name": "email",
1174 |           "protocol": "openid-connect",
1175 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1176 |           "consentRequired": false,
1177 |           "config": {
1178 |             "introspection.token.claim": "true",
1179 |             "userinfo.token.claim": "true",
1180 |             "user.attribute": "email",
1181 |             "id.token.claim": "true",
1182 |             "access.token.claim": "true",
1183 |             "claim.name": "email",
1184 |             "jsonType.label": "String"
1185 |           }
1186 |         }
1187 |       ]
1188 |     },
1189 |     {
1190 |       "id": "42c32a00-023d-4901-9385-5229261e042b",
1191 |       "name": "acr",
1192 |       "description": "OpenID Connect scope for add acr (authentication context class reference) to the token",
1193 |       "protocol": "openid-connect",
1194 |       "attributes": {
1195 |         "include.in.token.scope": "false",
1196 |         "display.on.consent.screen": "false"
1197 |       },
1198 |       "protocolMappers": [
1199 |         {
1200 |           "id": "4ca0063b-e84c-4ade-8198-b98c2af6109b",
1201 |           "name": "acr loa level",
1202 |           "protocol": "openid-connect",
1203 |           "protocolMapper": "oidc-acr-mapper",
1204 |           "consentRequired": false,
1205 |           "config": {
1206 |             "id.token.claim": "true",
1207 |             "introspection.token.claim": "true",
1208 |             "access.token.claim": "true"
1209 |           }
1210 |         }
1211 |       ]
1212 |     },
1213 |     {
1214 |       "id": "04d40695-3afe-437c-aac0-a3ad7721048b",
1215 |       "name": "microprofile-jwt",
1216 |       "description": "Microprofile - JWT built-in scope",
1217 |       "protocol": "openid-connect",
1218 |       "attributes": {
1219 |         "include.in.token.scope": "true",
1220 |         "display.on.consent.screen": "false"
1221 |       },
1222 |       "protocolMappers": [
1223 |         {
1224 |           "id": "b2b3fa95-9301-4a75-a576-0e0c71872e5e",
1225 |           "name": "upn",
1226 |           "protocol": "openid-connect",
1227 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1228 |           "consentRequired": false,
1229 |           "config": {
1230 |             "introspection.token.claim": "true",
1231 |             "userinfo.token.claim": "true",
1232 |             "user.attribute": "username",
1233 |             "id.token.claim": "true",
1234 |             "access.token.claim": "true",
1235 |             "claim.name": "upn",
1236 |             "jsonType.label": "String"
1237 |           }
1238 |         },
1239 |         {
1240 |           "id": "eb7abecb-09df-445c-a5ac-b906eb84d7ef",
1241 |           "name": "groups",
1242 |           "protocol": "openid-connect",
1243 |           "protocolMapper": "oidc-usermodel-realm-role-mapper",
1244 |           "consentRequired": false,
1245 |           "config": {
1246 |             "introspection.token.claim": "true",
1247 |             "multivalued": "true",
1248 |             "user.attribute": "foo",
1249 |             "id.token.claim": "true",
1250 |             "access.token.claim": "true",
1251 |             "claim.name": "groups",
1252 |             "jsonType.label": "String"
1253 |           }
1254 |         }
1255 |       ]
1256 |     },
1257 |     {
1258 |       "id": "1220684e-e78d-42b4-9348-2e2de133860f",
1259 |       "name": "web-origins",
1260 |       "description": "OpenID Connect scope for add allowed web origins to the access token",
1261 |       "protocol": "openid-connect",
1262 |       "attributes": {
1263 |         "include.in.token.scope": "false",
1264 |         "display.on.consent.screen": "false",
1265 |         "consent.screen.text": ""
1266 |       },
1267 |       "protocolMappers": [
1268 |         {
1269 |           "id": "527b913f-f92e-49c4-be9b-f65391768d60",
1270 |           "name": "allowed web origins",
1271 |           "protocol": "openid-connect",
1272 |           "protocolMapper": "oidc-allowed-origins-mapper",
1273 |           "consentRequired": false,
1274 |           "config": {
1275 |             "introspection.token.claim": "true",
1276 |             "access.token.claim": "true"
1277 |           }
1278 |         }
1279 |       ]
1280 |     },
1281 |     {
1282 |       "id": "9ad87b4c-7c4e-4b38-b93b-5fbe0d9efde6",
1283 |       "name": "TEST",
1284 |       "description": "",
1285 |       "protocol": "openid-connect",
1286 |       "attributes": {
1287 |         "include.in.token.scope": "true",
1288 |         "display.on.consent.screen": "true",
1289 |         "gui.order": "",
1290 |         "consent.screen.text": ""
1291 |       }
1292 |     },
1293 |     {
1294 |       "id": "1869a902-489a-4ce2-a729-f639b636c651",
1295 |       "name": "address",
1296 |       "description": "OpenID Connect built-in scope: address",
1297 |       "protocol": "openid-connect",
1298 |       "attributes": {
1299 |         "include.in.token.scope": "true",
1300 |         "display.on.consent.screen": "true",
1301 |         "consent.screen.text": "${addressScopeConsentText}"
1302 |       },
1303 |       "protocolMappers": [
1304 |         {
1305 |           "id": "3b06c0a9-eb82-4aaf-b175-f22f4afe153f",
1306 |           "name": "address",
1307 |           "protocol": "openid-connect",
1308 |           "protocolMapper": "oidc-address-mapper",
1309 |           "consentRequired": false,
1310 |           "config": {
1311 |             "user.attribute.formatted": "formatted",
1312 |             "user.attribute.country": "country",
1313 |             "introspection.token.claim": "true",
1314 |             "user.attribute.postal_code": "postal_code",
1315 |             "userinfo.token.claim": "true",
1316 |             "user.attribute.street": "street",
1317 |             "id.token.claim": "true",
1318 |             "user.attribute.region": "region",
1319 |             "access.token.claim": "true",
1320 |             "user.attribute.locality": "locality"
1321 |           }
1322 |         }
1323 |       ]
1324 |     },
1325 |     {
1326 |       "id": "64c5d036-700c-4ab1-b559-4ae00fd6adb5",
1327 |       "name": "phone",
1328 |       "description": "OpenID Connect built-in scope: phone",
1329 |       "protocol": "openid-connect",
1330 |       "attributes": {
1331 |         "include.in.token.scope": "true",
1332 |         "display.on.consent.screen": "true",
1333 |         "consent.screen.text": "${phoneScopeConsentText}"
1334 |       },
1335 |       "protocolMappers": [
1336 |         {
1337 |           "id": "80e568b7-4e46-46a5-8d68-c3229642366b",
1338 |           "name": "phone number",
1339 |           "protocol": "openid-connect",
1340 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1341 |           "consentRequired": false,
1342 |           "config": {
1343 |             "introspection.token.claim": "true",
1344 |             "userinfo.token.claim": "true",
1345 |             "user.attribute": "phoneNumber",
1346 |             "id.token.claim": "true",
1347 |             "access.token.claim": "true",
1348 |             "claim.name": "phone_number",
1349 |             "jsonType.label": "String"
1350 |           }
1351 |         },
1352 |         {
1353 |           "id": "e8a0436f-e6fd-4410-846d-3bd644b7f4b0",
1354 |           "name": "phone number verified",
1355 |           "protocol": "openid-connect",
1356 |           "protocolMapper": "oidc-usermodel-attribute-mapper",
1357 |           "consentRequired": false,
1358 |           "config": {
1359 |             "introspection.token.claim": "true",
1360 |             "userinfo.token.claim": "true",
1361 |             "user.attribute": "phoneNumberVerified",
1362 |             "id.token.claim": "true",
1363 |             "access.token.claim": "true",
1364 |             "claim.name": "phone_number_verified",
1365 |             "jsonType.label": "boolean"
1366 |           }
1367 |         }
1368 |       ]
1369 |     },
1370 |     {
1371 |       "id": "67b57903-6e9d-4c83-8f2a-84480d701d40",
1372 |       "name": "role_list",
1373 |       "description": "SAML role list",
1374 |       "protocol": "saml",
1375 |       "attributes": {
1376 |         "consent.screen.text": "${samlRoleListScopeConsentText}",
1377 |         "display.on.consent.screen": "true"
1378 |       },
1379 |       "protocolMappers": [
1380 |         {
1381 |           "id": "04ca0bb8-f284-48f7-8556-d07682ab20be",
1382 |           "name": "role list",
1383 |           "protocol": "saml",
1384 |           "protocolMapper": "saml-role-list-mapper",
1385 |           "consentRequired": false,
1386 |           "config": {
1387 |             "single": "false",
1388 |             "attribute.nameformat": "Basic",
1389 |             "attribute.name": "Role"
1390 |           }
1391 |         }
1392 |       ]
1393 |     },
1394 |     {
1395 |       "id": "d0657cd1-b78b-4140-8051-8b20369d633c",
1396 |       "name": "roles",
1397 |       "description": "OpenID Connect scope for add user roles to the access token",
1398 |       "protocol": "openid-connect",
1399 |       "attributes": {
1400 |         "include.in.token.scope": "false",
1401 |         "display.on.consent.screen": "true",
1402 |         "consent.screen.text": "${rolesScopeConsentText}"
1403 |       },
1404 |       "protocolMappers": [
1405 |         {
1406 |           "id": "8962874f-fba2-4d49-b31e-ffa778ed6c2a",
1407 |           "name": "audience resolve",
1408 |           "protocol": "openid-connect",
1409 |           "protocolMapper": "oidc-audience-resolve-mapper",
1410 |           "consentRequired": false,
1411 |           "config": {
1412 |             "introspection.token.claim": "true",
1413 |             "access.token.claim": "true"
1414 |           }
1415 |         },
1416 |         {
1417 |           "id": "f5a3952f-898a-4871-9eaf-12b54a5c4869",
1418 |           "name": "client roles",
1419 |           "protocol": "openid-connect",
1420 |           "protocolMapper": "oidc-usermodel-client-role-mapper",
1421 |           "consentRequired": false,
1422 |           "config": {
1423 |             "introspection.token.claim": "true",
1424 |             "multivalued": "true",
1425 |             "user.attribute": "foo",
1426 |             "access.token.claim": "true",
1427 |             "claim.name": "resource_access.${client_id}.roles",
1428 |             "jsonType.label": "String"
1429 |           }
1430 |         },
1431 |         {
1432 |           "id": "36ab92f7-fc4f-48ea-80c0-86853c1d1d7a",
1433 |           "name": "realm roles",
1434 |           "protocol": "openid-connect",
1435 |           "protocolMapper": "oidc-usermodel-realm-role-mapper",
1436 |           "consentRequired": false,
1437 |           "config": {
1438 |             "introspection.token.claim": "true",
1439 |             "multivalued": "true",
1440 |             "user.attribute": "foo",
1441 |             "access.token.claim": "true",
1442 |             "claim.name": "realm_access.roles",
1443 |             "jsonType.label": "String"
1444 |           }
1445 |         }
1446 |       ]
1447 |     }
1448 |   ],
1449 |   "defaultDefaultClientScopes": [
1450 |     "role_list",
1451 |     "profile",
1452 |     "email",
1453 |     "roles",
1454 |     "web-origins",
1455 |     "acr",
1456 |     "TEST"
1457 |   ],
1458 |   "defaultOptionalClientScopes": [
1459 |     "offline_access",
1460 |     "address",
1461 |     "phone",
1462 |     "microprofile-jwt"
1463 |   ],
1464 |   "browserSecurityHeaders": {
1465 |     "contentSecurityPolicyReportOnly": "",
1466 |     "xContentTypeOptions": "nosniff",
1467 |     "referrerPolicy": "no-referrer",
1468 |     "xRobotsTag": "none",
1469 |     "xFrameOptions": "SAMEORIGIN",
1470 |     "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
1471 |     "xXSSProtection": "1; mode=block",
1472 |     "strictTransportSecurity": "max-age=31536000; includeSubDomains"
1473 |   },
1474 |   "smtpServer": {},
1475 |   "eventsEnabled": false,
1476 |   "eventsListeners": [
1477 |     "jboss-logging"
1478 |   ],
1479 |   "enabledEventTypes": [],
1480 |   "adminEventsEnabled": false,
1481 |   "adminEventsDetailsEnabled": false,
1482 |   "identityProviders": [],
1483 |   "identityProviderMappers": [],
1484 |   "components": {
1485 |     "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
1486 |       {
1487 |         "id": "a1722568-457c-4de0-b3e5-003fed1d7140",
1488 |         "name": "Max Clients Limit",
1489 |         "providerId": "max-clients",
1490 |         "subType": "anonymous",
1491 |         "subComponents": {},
1492 |         "config": {
1493 |           "max-clients": [
1494 |             "200"
1495 |           ]
1496 |         }
1497 |       },
1498 |       {
1499 |         "id": "55d900ce-adc3-4923-a246-6c4350ce0d63",
1500 |         "name": "Allowed Protocol Mapper Types",
1501 |         "providerId": "allowed-protocol-mappers",
1502 |         "subType": "authenticated",
1503 |         "subComponents": {},
1504 |         "config": {
1505 |           "allowed-protocol-mapper-types": [
1506 |             "oidc-sha256-pairwise-sub-mapper",
1507 |             "oidc-usermodel-property-mapper",
1508 |             "oidc-full-name-mapper",
1509 |             "saml-user-property-mapper",
1510 |             "saml-user-attribute-mapper",
1511 |             "oidc-address-mapper",
1512 |             "oidc-usermodel-attribute-mapper",
1513 |             "saml-role-list-mapper"
1514 |           ]
1515 |         }
1516 |       },
1517 |       {
1518 |         "id": "fa9582f0-c4db-47b3-9011-a44708bcd356",
1519 |         "name": "Full Scope Disabled",
1520 |         "providerId": "scope",
1521 |         "subType": "anonymous",
1522 |         "subComponents": {},
1523 |         "config": {}
1524 |       },
1525 |       {
1526 |         "id": "1df1f757-6d23-4a9e-88e0-c1bd505783e5",
1527 |         "name": "Allowed Protocol Mapper Types",
1528 |         "providerId": "allowed-protocol-mappers",
1529 |         "subType": "anonymous",
1530 |         "subComponents": {},
1531 |         "config": {
1532 |           "allowed-protocol-mapper-types": [
1533 |             "oidc-usermodel-property-mapper",
1534 |             "oidc-full-name-mapper",
1535 |             "saml-role-list-mapper",
1536 |             "saml-user-property-mapper",
1537 |             "oidc-address-mapper",
1538 |             "oidc-usermodel-attribute-mapper",
1539 |             "oidc-sha256-pairwise-sub-mapper",
1540 |             "saml-user-attribute-mapper"
1541 |           ]
1542 |         }
1543 |       },
1544 |       {
1545 |         "id": "b666b3a2-3ea5-4e23-946e-51f74be4208e",
1546 |         "name": "Consent Required",
1547 |         "providerId": "consent-required",
1548 |         "subType": "anonymous",
1549 |         "subComponents": {},
1550 |         "config": {}
1551 |       },
1552 |       {
1553 |         "id": "8d98ef10-96db-418e-98c1-4d49dd0565eb",
1554 |         "name": "Allowed Client Scopes",
1555 |         "providerId": "allowed-client-templates",
1556 |         "subType": "authenticated",
1557 |         "subComponents": {},
1558 |         "config": {
1559 |           "allow-default-scopes": [
1560 |             "true"
1561 |           ]
1562 |         }
1563 |       },
1564 |       {
1565 |         "id": "599ab3a5-3fc2-41a7-ac22-a5bcef69df99",
1566 |         "name": "Allowed Client Scopes",
1567 |         "providerId": "allowed-client-templates",
1568 |         "subType": "anonymous",
1569 |         "subComponents": {},
1570 |         "config": {
1571 |           "allow-default-scopes": [
1572 |             "true"
1573 |           ]
1574 |         }
1575 |       },
1576 |       {
1577 |         "id": "39cc13ca-82d4-4f89-aea7-7c676629537f",
1578 |         "name": "Trusted Hosts",
1579 |         "providerId": "trusted-hosts",
1580 |         "subType": "anonymous",
1581 |         "subComponents": {},
1582 |         "config": {
1583 |           "host-sending-registration-request-must-match": [
1584 |             "true"
1585 |           ],
1586 |           "client-uris-must-match": [
1587 |             "true"
1588 |           ]
1589 |         }
1590 |       }
1591 |     ],
1592 |     "org.keycloak.keys.KeyProvider": [
1593 |       {
1594 |         "id": "57d769b5-0e13-4f2b-980c-60e9ca3e201f",
1595 |         "name": "aes-generated",
1596 |         "providerId": "aes-generated",
1597 |         "subComponents": {},
1598 |         "config": {
1599 |           "priority": [
1600 |             "100"
1601 |           ]
1602 |         }
1603 |       },
1604 |       {
1605 |         "id": "48af13b1-4d23-420a-9805-c459aac7fc18",
1606 |         "name": "rsa-enc-generated",
1607 |         "providerId": "rsa-enc-generated",
1608 |         "subComponents": {},
1609 |         "config": {
1610 |           "priority": [
1611 |             "100"
1612 |           ],
1613 |           "algorithm": [
1614 |             "RSA-OAEP"
1615 |           ]
1616 |         }
1617 |       },
1618 |       {
1619 |         "id": "b52512d8-f584-4f8a-b3ef-9925f76cc7b3",
1620 |         "name": "hmac-generated",
1621 |         "providerId": "hmac-generated",
1622 |         "subComponents": {},
1623 |         "config": {
1624 |           "priority": [
1625 |             "100"
1626 |           ],
1627 |           "algorithm": [
1628 |             "HS256"
1629 |           ]
1630 |         }
1631 |       },
1632 |       {
1633 |         "id": "9fb248d0-ba13-4113-a2f2-a2779ff61de7",
1634 |         "name": "rsa-generated",
1635 |         "providerId": "rsa-generated",
1636 |         "subComponents": {},
1637 |         "config": {
1638 |           "priority": [
1639 |             "100"
1640 |           ]
1641 |         }
1642 |       }
1643 |     ]
1644 |   },
1645 |   "internationalizationEnabled": false,
1646 |   "supportedLocales": [],
1647 |   "authenticationFlows": [
1648 |     {
1649 |       "id": "a903d1d7-07b3-4730-b1f3-9d881ea2f742",
1650 |       "alias": "Account verification options",
1651 |       "description": "Method with which to verity the existing account",
1652 |       "providerId": "basic-flow",
1653 |       "topLevel": false,
1654 |       "builtIn": true,
1655 |       "authenticationExecutions": [
1656 |         {
1657 |           "authenticator": "idp-email-verification",
1658 |           "authenticatorFlow": false,
1659 |           "requirement": "ALTERNATIVE",
1660 |           "priority": 10,
1661 |           "autheticatorFlow": false,
1662 |           "userSetupAllowed": false
1663 |         },
1664 |         {
1665 |           "authenticatorFlow": true,
1666 |           "requirement": "ALTERNATIVE",
1667 |           "priority": 20,
1668 |           "autheticatorFlow": true,
1669 |           "flowAlias": "Verify Existing Account by Re-authentication",
1670 |           "userSetupAllowed": false
1671 |         }
1672 |       ]
1673 |     },
1674 |     {
1675 |       "id": "0c4d7019-ea94-435c-aad3-e854ff527e18",
1676 |       "alias": "Browser - Conditional OTP",
1677 |       "description": "Flow to determine if the OTP is required for the authentication",
1678 |       "providerId": "basic-flow",
1679 |       "topLevel": false,
1680 |       "builtIn": true,
1681 |       "authenticationExecutions": [
1682 |         {
1683 |           "authenticator": "conditional-user-configured",
1684 |           "authenticatorFlow": false,
1685 |           "requirement": "REQUIRED",
1686 |           "priority": 10,
1687 |           "autheticatorFlow": false,
1688 |           "userSetupAllowed": false
1689 |         },
1690 |         {
1691 |           "authenticator": "auth-otp-form",
1692 |           "authenticatorFlow": false,
1693 |           "requirement": "REQUIRED",
1694 |           "priority": 20,
1695 |           "autheticatorFlow": false,
1696 |           "userSetupAllowed": false
1697 |         }
1698 |       ]
1699 |     },
1700 |     {
1701 |       "id": "057e72ec-efcc-4fe5-a80c-409d4578f7d6",
1702 |       "alias": "Direct Grant - Conditional OTP",
1703 |       "description": "Flow to determine if the OTP is required for the authentication",
1704 |       "providerId": "basic-flow",
1705 |       "topLevel": false,
1706 |       "builtIn": true,
1707 |       "authenticationExecutions": [
1708 |         {
1709 |           "authenticator": "conditional-user-configured",
1710 |           "authenticatorFlow": false,
1711 |           "requirement": "REQUIRED",
1712 |           "priority": 10,
1713 |           "autheticatorFlow": false,
1714 |           "userSetupAllowed": false
1715 |         },
1716 |         {
1717 |           "authenticator": "direct-grant-validate-otp",
1718 |           "authenticatorFlow": false,
1719 |           "requirement": "REQUIRED",
1720 |           "priority": 20,
1721 |           "autheticatorFlow": false,
1722 |           "userSetupAllowed": false
1723 |         }
1724 |       ]
1725 |     },
1726 |     {
1727 |       "id": "53e01b53-e68d-4d0b-a349-0737cd6984f2",
1728 |       "alias": "First broker login - Conditional OTP",
1729 |       "description": "Flow to determine if the OTP is required for the authentication",
1730 |       "providerId": "basic-flow",
1731 |       "topLevel": false,
1732 |       "builtIn": true,
1733 |       "authenticationExecutions": [
1734 |         {
1735 |           "authenticator": "conditional-user-configured",
1736 |           "authenticatorFlow": false,
1737 |           "requirement": "REQUIRED",
1738 |           "priority": 10,
1739 |           "autheticatorFlow": false,
1740 |           "userSetupAllowed": false
1741 |         },
1742 |         {
1743 |           "authenticator": "auth-otp-form",
1744 |           "authenticatorFlow": false,
1745 |           "requirement": "REQUIRED",
1746 |           "priority": 20,
1747 |           "autheticatorFlow": false,
1748 |           "userSetupAllowed": false
1749 |         }
1750 |       ]
1751 |     },
1752 |     {
1753 |       "id": "72e8b90b-1efc-4a4b-aa3f-dbbec5115900",
1754 |       "alias": "Handle Existing Account",
1755 |       "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
1756 |       "providerId": "basic-flow",
1757 |       "topLevel": false,
1758 |       "builtIn": true,
1759 |       "authenticationExecutions": [
1760 |         {
1761 |           "authenticator": "idp-confirm-link",
1762 |           "authenticatorFlow": false,
1763 |           "requirement": "REQUIRED",
1764 |           "priority": 10,
1765 |           "autheticatorFlow": false,
1766 |           "userSetupAllowed": false
1767 |         },
1768 |         {
1769 |           "authenticatorFlow": true,
1770 |           "requirement": "REQUIRED",
1771 |           "priority": 20,
1772 |           "autheticatorFlow": true,
1773 |           "flowAlias": "Account verification options",
1774 |           "userSetupAllowed": false
1775 |         }
1776 |       ]
1777 |     },
1778 |     {
1779 |       "id": "c236bba7-8ca3-4cec-8fb4-ba93e840a97e",
1780 |       "alias": "Reset - Conditional OTP",
1781 |       "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
1782 |       "providerId": "basic-flow",
1783 |       "topLevel": false,
1784 |       "builtIn": true,
1785 |       "authenticationExecutions": [
1786 |         {
1787 |           "authenticator": "conditional-user-configured",
1788 |           "authenticatorFlow": false,
1789 |           "requirement": "REQUIRED",
1790 |           "priority": 10,
1791 |           "autheticatorFlow": false,
1792 |           "userSetupAllowed": false
1793 |         },
1794 |         {
1795 |           "authenticator": "reset-otp",
1796 |           "authenticatorFlow": false,
1797 |           "requirement": "REQUIRED",
1798 |           "priority": 20,
1799 |           "autheticatorFlow": false,
1800 |           "userSetupAllowed": false
1801 |         }
1802 |       ]
1803 |     },
1804 |     {
1805 |       "id": "ee6d6b7f-5f92-4b54-9571-5c439ddcdc33",
1806 |       "alias": "User creation or linking",
1807 |       "description": "Flow for the existing/non-existing user alternatives",
1808 |       "providerId": "basic-flow",
1809 |       "topLevel": false,
1810 |       "builtIn": true,
1811 |       "authenticationExecutions": [
1812 |         {
1813 |           "authenticatorConfig": "create unique user config",
1814 |           "authenticator": "idp-create-user-if-unique",
1815 |           "authenticatorFlow": false,
1816 |           "requirement": "ALTERNATIVE",
1817 |           "priority": 10,
1818 |           "autheticatorFlow": false,
1819 |           "userSetupAllowed": false
1820 |         },
1821 |         {
1822 |           "authenticatorFlow": true,
1823 |           "requirement": "ALTERNATIVE",
1824 |           "priority": 20,
1825 |           "autheticatorFlow": true,
1826 |           "flowAlias": "Handle Existing Account",
1827 |           "userSetupAllowed": false
1828 |         }
1829 |       ]
1830 |     },
1831 |     {
1832 |       "id": "6f5063e3-6d12-4a20-8965-f13c4b168606",
1833 |       "alias": "Verify Existing Account by Re-authentication",
1834 |       "description": "Reauthentication of existing account",
1835 |       "providerId": "basic-flow",
1836 |       "topLevel": false,
1837 |       "builtIn": true,
1838 |       "authenticationExecutions": [
1839 |         {
1840 |           "authenticator": "idp-username-password-form",
1841 |           "authenticatorFlow": false,
1842 |           "requirement": "REQUIRED",
1843 |           "priority": 10,
1844 |           "autheticatorFlow": false,
1845 |           "userSetupAllowed": false
1846 |         },
1847 |         {
1848 |           "authenticatorFlow": true,
1849 |           "requirement": "CONDITIONAL",
1850 |           "priority": 20,
1851 |           "autheticatorFlow": true,
1852 |           "flowAlias": "First broker login - Conditional OTP",
1853 |           "userSetupAllowed": false
1854 |         }
1855 |       ]
1856 |     },
1857 |     {
1858 |       "id": "1117d64a-95d6-4e0a-9a63-321ef04b67f8",
1859 |       "alias": "browser",
1860 |       "description": "browser based authentication",
1861 |       "providerId": "basic-flow",
1862 |       "topLevel": true,
1863 |       "builtIn": true,
1864 |       "authenticationExecutions": [
1865 |         {
1866 |           "authenticator": "auth-cookie",
1867 |           "authenticatorFlow": false,
1868 |           "requirement": "ALTERNATIVE",
1869 |           "priority": 10,
1870 |           "autheticatorFlow": false,
1871 |           "userSetupAllowed": false
1872 |         },
1873 |         {
1874 |           "authenticator": "auth-spnego",
1875 |           "authenticatorFlow": false,
1876 |           "requirement": "DISABLED",
1877 |           "priority": 20,
1878 |           "autheticatorFlow": false,
1879 |           "userSetupAllowed": false
1880 |         },
1881 |         {
1882 |           "authenticator": "identity-provider-redirector",
1883 |           "authenticatorFlow": false,
1884 |           "requirement": "ALTERNATIVE",
1885 |           "priority": 25,
1886 |           "autheticatorFlow": false,
1887 |           "userSetupAllowed": false
1888 |         },
1889 |         {
1890 |           "authenticatorFlow": true,
1891 |           "requirement": "ALTERNATIVE",
1892 |           "priority": 30,
1893 |           "autheticatorFlow": true,
1894 |           "flowAlias": "forms",
1895 |           "userSetupAllowed": false
1896 |         }
1897 |       ]
1898 |     },
1899 |     {
1900 |       "id": "db0d6bb6-6a59-490e-8b20-5f5884d3e26e",
1901 |       "alias": "clients",
1902 |       "description": "Base authentication for clients",
1903 |       "providerId": "client-flow",
1904 |       "topLevel": true,
1905 |       "builtIn": true,
1906 |       "authenticationExecutions": [
1907 |         {
1908 |           "authenticator": "client-secret",
1909 |           "authenticatorFlow": false,
1910 |           "requirement": "ALTERNATIVE",
1911 |           "priority": 10,
1912 |           "autheticatorFlow": false,
1913 |           "userSetupAllowed": false
1914 |         },
1915 |         {
1916 |           "authenticator": "client-jwt",
1917 |           "authenticatorFlow": false,
1918 |           "requirement": "ALTERNATIVE",
1919 |           "priority": 20,
1920 |           "autheticatorFlow": false,
1921 |           "userSetupAllowed": false
1922 |         },
1923 |         {
1924 |           "authenticator": "client-secret-jwt",
1925 |           "authenticatorFlow": false,
1926 |           "requirement": "ALTERNATIVE",
1927 |           "priority": 30,
1928 |           "autheticatorFlow": false,
1929 |           "userSetupAllowed": false
1930 |         },
1931 |         {
1932 |           "authenticator": "client-x509",
1933 |           "authenticatorFlow": false,
1934 |           "requirement": "ALTERNATIVE",
1935 |           "priority": 40,
1936 |           "autheticatorFlow": false,
1937 |           "userSetupAllowed": false
1938 |         }
1939 |       ]
1940 |     },
1941 |     {
1942 |       "id": "178a973b-8f03-4160-aeee-63d40a812df5",
1943 |       "alias": "direct grant",
1944 |       "description": "OpenID Connect Resource Owner Grant",
1945 |       "providerId": "basic-flow",
1946 |       "topLevel": true,
1947 |       "builtIn": true,
1948 |       "authenticationExecutions": [
1949 |         {
1950 |           "authenticator": "direct-grant-validate-username",
1951 |           "authenticatorFlow": false,
1952 |           "requirement": "REQUIRED",
1953 |           "priority": 10,
1954 |           "autheticatorFlow": false,
1955 |           "userSetupAllowed": false
1956 |         },
1957 |         {
1958 |           "authenticator": "direct-grant-validate-password",
1959 |           "authenticatorFlow": false,
1960 |           "requirement": "REQUIRED",
1961 |           "priority": 20,
1962 |           "autheticatorFlow": false,
1963 |           "userSetupAllowed": false
1964 |         },
1965 |         {
1966 |           "authenticatorFlow": true,
1967 |           "requirement": "CONDITIONAL",
1968 |           "priority": 30,
1969 |           "autheticatorFlow": true,
1970 |           "flowAlias": "Direct Grant - Conditional OTP",
1971 |           "userSetupAllowed": false
1972 |         }
1973 |       ]
1974 |     },
1975 |     {
1976 |       "id": "c7d05645-3228-473e-8df4-623dd6472f7d",
1977 |       "alias": "docker auth",
1978 |       "description": "Used by Docker clients to authenticate against the IDP",
1979 |       "providerId": "basic-flow",
1980 |       "topLevel": true,
1981 |       "builtIn": true,
1982 |       "authenticationExecutions": [
1983 |         {
1984 |           "authenticator": "docker-http-basic-authenticator",
1985 |           "authenticatorFlow": false,
1986 |           "requirement": "REQUIRED",
1987 |           "priority": 10,
1988 |           "autheticatorFlow": false,
1989 |           "userSetupAllowed": false
1990 |         }
1991 |       ]
1992 |     },
1993 |     {
1994 |       "id": "bb266296-26f7-4e36-8062-ec60571d4b47",
1995 |       "alias": "first broker login",
1996 |       "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
1997 |       "providerId": "basic-flow",
1998 |       "topLevel": true,
1999 |       "builtIn": true,
2000 |       "authenticationExecutions": [
2001 |         {
2002 |           "authenticatorConfig": "review profile config",
2003 |           "authenticator": "idp-review-profile",
2004 |           "authenticatorFlow": false,
2005 |           "requirement": "REQUIRED",
2006 |           "priority": 10,
2007 |           "autheticatorFlow": false,
2008 |           "userSetupAllowed": false
2009 |         },
2010 |         {
2011 |           "authenticatorFlow": true,
2012 |           "requirement": "REQUIRED",
2013 |           "priority": 20,
2014 |           "autheticatorFlow": true,
2015 |           "flowAlias": "User creation or linking",
2016 |           "userSetupAllowed": false
2017 |         }
2018 |       ]
2019 |     },
2020 |     {
2021 |       "id": "1810e955-c81f-466a-9f71-bff67a7eb64f",
2022 |       "alias": "forms",
2023 |       "description": "Username, password, otp and other auth forms.",
2024 |       "providerId": "basic-flow",
2025 |       "topLevel": false,
2026 |       "builtIn": true,
2027 |       "authenticationExecutions": [
2028 |         {
2029 |           "authenticator": "auth-username-password-form",
2030 |           "authenticatorFlow": false,
2031 |           "requirement": "REQUIRED",
2032 |           "priority": 10,
2033 |           "autheticatorFlow": false,
2034 |           "userSetupAllowed": false
2035 |         },
2036 |         {
2037 |           "authenticatorFlow": true,
2038 |           "requirement": "CONDITIONAL",
2039 |           "priority": 20,
2040 |           "autheticatorFlow": true,
2041 |           "flowAlias": "Browser - Conditional OTP",
2042 |           "userSetupAllowed": false
2043 |         }
2044 |       ]
2045 |     },
2046 |     {
2047 |       "id": "8e4d4765-c94d-42f0-b933-daf4014e9142",
2048 |       "alias": "registration",
2049 |       "description": "registration flow",
2050 |       "providerId": "basic-flow",
2051 |       "topLevel": true,
2052 |       "builtIn": true,
2053 |       "authenticationExecutions": [
2054 |         {
2055 |           "authenticator": "registration-page-form",
2056 |           "authenticatorFlow": true,
2057 |           "requirement": "REQUIRED",
2058 |           "priority": 10,
2059 |           "autheticatorFlow": true,
2060 |           "flowAlias": "registration form",
2061 |           "userSetupAllowed": false
2062 |         }
2063 |       ]
2064 |     },
2065 |     {
2066 |       "id": "f0f3b9b2-1eae-47da-982b-1c0fb3cdb516",
2067 |       "alias": "registration form",
2068 |       "description": "registration form",
2069 |       "providerId": "form-flow",
2070 |       "topLevel": false,
2071 |       "builtIn": true,
2072 |       "authenticationExecutions": [
2073 |         {
2074 |           "authenticator": "registration-user-creation",
2075 |           "authenticatorFlow": false,
2076 |           "requirement": "REQUIRED",
2077 |           "priority": 20,
2078 |           "autheticatorFlow": false,
2079 |           "userSetupAllowed": false
2080 |         },
2081 |         {
2082 |           "authenticator": "registration-password-action",
2083 |           "authenticatorFlow": false,
2084 |           "requirement": "REQUIRED",
2085 |           "priority": 50,
2086 |           "autheticatorFlow": false,
2087 |           "userSetupAllowed": false
2088 |         },
2089 |         {
2090 |           "authenticator": "registration-recaptcha-action",
2091 |           "authenticatorFlow": false,
2092 |           "requirement": "DISABLED",
2093 |           "priority": 60,
2094 |           "autheticatorFlow": false,
2095 |           "userSetupAllowed": false
2096 |         }
2097 |       ]
2098 |     },
2099 |     {
2100 |       "id": "4a5fc767-449a-491e-927c-8917be81b92f",
2101 |       "alias": "reset credentials",
2102 |       "description": "Reset credentials for a user if they forgot their password or something",
2103 |       "providerId": "basic-flow",
2104 |       "topLevel": true,
2105 |       "builtIn": true,
2106 |       "authenticationExecutions": [
2107 |         {
2108 |           "authenticator": "reset-credentials-choose-user",
2109 |           "authenticatorFlow": false,
2110 |           "requirement": "REQUIRED",
2111 |           "priority": 10,
2112 |           "autheticatorFlow": false,
2113 |           "userSetupAllowed": false
2114 |         },
2115 |         {
2116 |           "authenticator": "reset-credential-email",
2117 |           "authenticatorFlow": false,
2118 |           "requirement": "REQUIRED",
2119 |           "priority": 20,
2120 |           "autheticatorFlow": false,
2121 |           "userSetupAllowed": false
2122 |         },
2123 |         {
2124 |           "authenticator": "reset-password",
2125 |           "authenticatorFlow": false,
2126 |           "requirement": "REQUIRED",
2127 |           "priority": 30,
2128 |           "autheticatorFlow": false,
2129 |           "userSetupAllowed": false
2130 |         },
2131 |         {
2132 |           "authenticatorFlow": true,
2133 |           "requirement": "CONDITIONAL",
2134 |           "priority": 40,
2135 |           "autheticatorFlow": true,
2136 |           "flowAlias": "Reset - Conditional OTP",
2137 |           "userSetupAllowed": false
2138 |         }
2139 |       ]
2140 |     },
2141 |     {
2142 |       "id": "ed0b5d6e-9633-4d71-bcd2-01c7bbaf84df",
2143 |       "alias": "saml ecp",
2144 |       "description": "SAML ECP Profile Authentication Flow",
2145 |       "providerId": "basic-flow",
2146 |       "topLevel": true,
2147 |       "builtIn": true,
2148 |       "authenticationExecutions": [
2149 |         {
2150 |           "authenticator": "http-basic-authenticator",
2151 |           "authenticatorFlow": false,
2152 |           "requirement": "REQUIRED",
2153 |           "priority": 10,
2154 |           "autheticatorFlow": false,
2155 |           "userSetupAllowed": false
2156 |         }
2157 |       ]
2158 |     }
2159 |   ],
2160 |   "authenticatorConfig": [
2161 |     {
2162 |       "id": "7cee3b79-8aaf-4514-8349-f55577dd13f8",
2163 |       "alias": "create unique user config",
2164 |       "config": {
2165 |         "require.password.update.after.registration": "false"
2166 |       }
2167 |     },
2168 |     {
2169 |       "id": "79ff2c77-922f-40e7-9b70-f0dbb71aa4eb",
2170 |       "alias": "review profile config",
2171 |       "config": {
2172 |         "update.profile.on.first.login": "missing"
2173 |       }
2174 |     }
2175 |   ],
2176 |   "requiredActions": [
2177 |     {
2178 |       "alias": "CONFIGURE_TOTP",
2179 |       "name": "Configure OTP",
2180 |       "providerId": "CONFIGURE_TOTP",
2181 |       "enabled": true,
2182 |       "defaultAction": false,
2183 |       "priority": 10,
2184 |       "config": {}
2185 |     },
2186 |     {
2187 |       "alias": "TERMS_AND_CONDITIONS",
2188 |       "name": "Terms and Conditions",
2189 |       "providerId": "TERMS_AND_CONDITIONS",
2190 |       "enabled": false,
2191 |       "defaultAction": false,
2192 |       "priority": 20,
2193 |       "config": {}
2194 |     },
2195 |     {
2196 |       "alias": "UPDATE_PASSWORD",
2197 |       "name": "Update Password",
2198 |       "providerId": "UPDATE_PASSWORD",
2199 |       "enabled": true,
2200 |       "defaultAction": false,
2201 |       "priority": 30,
2202 |       "config": {}
2203 |     },
2204 |     {
2205 |       "alias": "UPDATE_PROFILE",
2206 |       "name": "Update Profile",
2207 |       "providerId": "UPDATE_PROFILE",
2208 |       "enabled": true,
2209 |       "defaultAction": false,
2210 |       "priority": 40,
2211 |       "config": {}
2212 |     },
2213 |     {
2214 |       "alias": "VERIFY_EMAIL",
2215 |       "name": "Verify Email",
2216 |       "providerId": "VERIFY_EMAIL",
2217 |       "enabled": true,
2218 |       "defaultAction": false,
2219 |       "priority": 50,
2220 |       "config": {}
2221 |     },
2222 |     {
2223 |       "alias": "delete_account",
2224 |       "name": "Delete Account",
2225 |       "providerId": "delete_account",
2226 |       "enabled": false,
2227 |       "defaultAction": false,
2228 |       "priority": 60,
2229 |       "config": {}
2230 |     },
2231 |     {
2232 |       "alias": "webauthn-register",
2233 |       "name": "Webauthn Register",
2234 |       "providerId": "webauthn-register",
2235 |       "enabled": true,
2236 |       "defaultAction": false,
2237 |       "priority": 70,
2238 |       "config": {}
2239 |     },
2240 |     {
2241 |       "alias": "webauthn-register-passwordless",
2242 |       "name": "Webauthn Register Passwordless",
2243 |       "providerId": "webauthn-register-passwordless",
2244 |       "enabled": true,
2245 |       "defaultAction": false,
2246 |       "priority": 80,
2247 |       "config": {}
2248 |     },
2249 |     {
2250 |       "alias": "update_user_locale",
2251 |       "name": "Update User Locale",
2252 |       "providerId": "update_user_locale",
2253 |       "enabled": true,
2254 |       "defaultAction": false,
2255 |       "priority": 1000,
2256 |       "config": {}
2257 |     }
2258 |   ],
2259 |   "browserFlow": "browser",
2260 |   "registrationFlow": "registration",
2261 |   "directGrantFlow": "direct grant",
2262 |   "resetCredentialsFlow": "reset credentials",
2263 |   "clientAuthenticationFlow": "clients",
2264 |   "dockerAuthenticationFlow": "docker auth",
2265 |   "attributes": {
2266 |     "cibaBackchannelTokenDeliveryMode": "poll",
2267 |     "cibaExpiresIn": "120",
2268 |     "cibaAuthRequestedUserHint": "login_hint",
2269 |     "oauth2DeviceCodeLifespan": "600",
2270 |     "oauth2DevicePollingInterval": "5",
2271 |     "parRequestUriLifespan": "60",
2272 |     "cibaInterval": "5",
2273 |     "realmReusableOtpCode": "false"
2274 |   },
2275 |   "keycloakVersion": "23.0.7",
2276 |   "userManagedAccessAllowed": false,
2277 |   "clientProfiles": {
2278 |     "profiles": []
2279 |   },
2280 |   "clientPolicies": {
2281 |     "policies": []
2282 |   }
2283 | }


--------------------------------------------------------------------------------