From c7c53f6f9a5a9c130e988d2bea598fb9cba6e61e Mon Sep 17 00:00:00 2001 
From: Michael Stingl Date: Fri, 3 Apr 2026 13:06:12 +0200 Subject: [PATCH] feat(keycloak): modular client import via post-start pipeline MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extract OpenCloud clients (web, Android, iOS, Desktop) from the monolithic realm JSON into individual files in config/keycloak/clients/. A numbered post-start pipeline imports them after Keycloak starts: 00-wait-for-keycloak.sh — wait + kcadm.sh authenticate 10-import-clients.sh — partialImport each clients/*.json 11-assign-client-scopes.sh — assign scopes from *.scopes sidecars Each step is standalone and can be run manually for debugging: docker exec keycloak /bin/sh /opt/keycloak/bin/10-import-clients.sh Adding a new OIDC client = drop a .json + .scopes file in clients/. No realm JSON editing required. The .scopes sidecar files are a workaround for keycloak#16289 (partialImport ignores defaultClientScopes from client JSONs). When Keycloak fixes this, the .scopes files and step 11 can be removed. Changes: - docker-entrypoint-override.sh: slim orchestrator, forks pipeline - 00-wait-for-keycloak.sh: wait + authenticate (reusable) - 10-import-clients.sh: partialImport with {{OC_URL}} resolution - 11-assign-client-scopes.sh: reads .scopes sidecars, assigns via kcadm.sh - clients/*.scopes: defaultClientScopes per client (one line, csv) - opencloud-realm*.dist.json: removed 4 OC clients + roles.client entries - ldap-keycloak.yml, external-keycloak.yml: mount pipeline scripts + clients/ - README.md: admin & dev guide (adding clients, custom clients via Compose override, debugging) - validate-modular-clients.sh: jq-based full realm comparison (clients, client-scopes, roles, groups, realm settings) against original monolith — downloads upstream, starts throwaway containers Tested: both LDAP and autoprovisioning produce identical realms. 
Ref: coworking-nuernberg/opencloud-deploy#95 --- config/keycloak/00-wait-for-keycloak.sh | 25 + config/keycloak/10-import-clients.sh | 44 + config/keycloak/11-assign-client-scopes.sh | 56 + config/keycloak/README.md | 82 + config/keycloak/clients/OpenCloudAndroid.json | 3 +- .../keycloak/clients/OpenCloudAndroid.scopes | 1 + config/keycloak/clients/OpenCloudDesktop.json | 3 +- .../keycloak/clients/OpenCloudDesktop.scopes | 1 + config/keycloak/clients/OpenCloudIOS.json | 3 +- config/keycloak/clients/OpenCloudIOS.scopes | 1 + config/keycloak/clients/cyberduck.scopes | 1 + config/keycloak/clients/web.json | 3 +- config/keycloak/clients/web.scopes | 1 + config/keycloak/docker-entrypoint-override.sh | 15 +- ...opencloud-realm-autoprovisioning.dist.json | 4721 +++++++++-------- config/keycloak/opencloud-realm.dist.json | 258 +- config/keycloak/validate-modular-clients.sh | 254 + idm/ldap-keycloak.yml | 4 + testing/external-keycloak.yml | 4 + 19 files changed, 2986 insertions(+), 2494 deletions(-) create mode 100644 config/keycloak/00-wait-for-keycloak.sh create mode 100644 config/keycloak/10-import-clients.sh create mode 100644 config/keycloak/11-assign-client-scopes.sh create mode 100644 config/keycloak/README.md create mode 100644 config/keycloak/clients/OpenCloudAndroid.scopes create mode 100644 config/keycloak/clients/OpenCloudDesktop.scopes create mode 100644 config/keycloak/clients/OpenCloudIOS.scopes create mode 100644 config/keycloak/clients/cyberduck.scopes create mode 100644 config/keycloak/clients/web.scopes create mode 100755 config/keycloak/validate-modular-clients.sh diff --git a/config/keycloak/00-wait-for-keycloak.sh b/config/keycloak/00-wait-for-keycloak.sh new file mode 100644 index 00000000..1bceb31d --- /dev/null +++ b/config/keycloak/00-wait-for-keycloak.sh 
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Wait for Keycloak to accept admin credentials via kcadm.sh.
+# Exits 0 when ready, 1 on timeout.
+#
+# Usage: docker exec keycloak /bin/sh /opt/keycloak/bin/00-wait-for-keycloak.sh
+
+KCADM="/opt/keycloak/bin/kcadm.sh"
+MAX_WAIT="${KC_MAX_WAIT:-120}"
+
+echo "[wait-for-kc] Waiting for Keycloak..."
+elapsed=0
+while [ $elapsed -lt $MAX_WAIT ]; do
+  if $KCADM config credentials \
+    --server http://localhost:8080 --realm master \
+    --user "${KEYCLOAK_ADMIN:-kcadmin}" \
+    --password "${KEYCLOAK_ADMIN_PASSWORD:-admin}" >/dev/null 2>&1; then
+    echo "[wait-for-kc] Ready (${elapsed}s)"
+    exit 0
+  fi
+  sleep 2
+  elapsed=$((elapsed + 2))
+done
+
+echo "[wait-for-kc] Not ready after ${MAX_WAIT}s"
+exit 1
diff --git a/config/keycloak/10-import-clients.sh b/config/keycloak/10-import-clients.sh
new file mode 100644
index 00000000..dc51770b
--- /dev/null
+++ b/config/keycloak/10-import-clients.sh
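Review bot: The `--password "${KEYCLOAK_ADMIN_PASSWORD:-admin}"` fallback (and `--user "${KEYCLOAK_ADMIN:-kcadmin}"` next to it) means a deployment that never set an admin password is silently authenticated with the literal `admin` instead of failing, so the one misconfiguration this script could catch is the one it papers over. Fail early instead: put `: "${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set}"` before the loop and pass the variable without a default. Both credentials are also passed as command-line arguments, so they are visible in the container's process list during every attempt; if the kcadm.sh version shipped in this image can read the password from the environment or stdin, prefer that. Finally the `2>&1` on the call hides kcadm's own error, so a wrong password and a server that has not started yet are indistinguishable until the 120 s timeout — keep the last stderr line and print it in the "Not ready" message.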
@@ -0,0 +1,44 @@
+#!/bin/sh
+# Import Keycloak client definitions from /opt/keycloak/data/clients/*.json
+# via kcadm.sh partialImport. Existing clients are skipped (idempotent).
+#
+# Requires: 00-wait-for-keycloak.sh ran first (kcadm.sh authenticated).
+# Usage: docker exec keycloak /bin/sh /opt/keycloak/bin/10-import-clients.sh
+
+set -eu
+
+KCADM="/opt/keycloak/bin/kcadm.sh"
+REALM="${KC_REALM_NAME:-openCloud}"
+CLIENTS_DIR="/opt/keycloak/data/clients"
+OC_URL="https://${OC_DOMAIN:-cloud.opencloud.test}"
+
+if [ ! -d "$CLIENTS_DIR" ] || ! ls "$CLIENTS_DIR"/*.json >/dev/null 2>&1; then
+  echo "[import-clients] No client files found — skipping"
+  exit 0
+fi
+
+for client_file in "$CLIENTS_DIR"/*.json; do
+  [ -f "$client_file" ] || continue
+  client_name=$(basename "$client_file" .json)
+  tmp_file=$(mktemp)
+
+  # Keycloak's --import-realm resolves {{VAR}} from env vars.
+  # partialImport does not — we replicate this for {{OC_URL}}.
+  sed "s|{{OC_URL}}|${OC_URL}|g" "$client_file" > "$tmp_file"
+
+  # Wrap in partialImport payload (SKIP existing)
+  tmp_payload=$(mktemp)
+  printf '{"ifResourceExists":"SKIP","clients":[' > "$tmp_payload"
+  cat "$tmp_file" >> "$tmp_payload"
+  printf ']}' >> "$tmp_payload"
+
+  if $KCADM create partialImport -r "$REALM" -f "$tmp_payload" >/dev/null 2>&1; then
+    echo "[import-clients] $client_name"
+  else
+    echo "[import-clients] $client_name — failed" >&2
+  fi
+
+  rm -f "$tmp_file" "$tmp_payload"
+done
+
+echo "[import-clients] Done"
diff --git a/config/keycloak/11-assign-client-scopes.sh b/config/keycloak/11-assign-client-scopes.sh
new file mode 100644
index 00000000..052a8b0e
--- /dev/null
+++ b/config/keycloak/11-assign-client-scopes.sh
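Review bot: The `>/dev/null 2>&1` on the `partialImport` call throws away kcadm's error body, the loop carries on, and the script still exits 0 and prints `Done`, so a realm that ends up without its `web` client (or with a client whose redirect URIs still contain an unresolved `{{OC_URL}}` because `OC_DOMAIN` was wrong) is only visible as a one-line `— failed` in the container log. Capture the error and propagate a status: `if ! out=$($KCADM create partialImport -r "$REALM" -f "$tmp_payload" 2>&1); then echo "[import-clients] $client_name — failed: $out" >&2; failed=1; fi` and finish with `exit "${failed:-0}"`. The two `mktemp` files hold the rendered client JSON — for a confidential client that would include its `secret` — and are only removed on the normal path, so with `set -e` any earlier failure leaves them in `/tmp`; a `trap 'rm -f "$tmp_file" "$tmp_payload"' EXIT` (or a `mktemp -d` directory with a trap) closes that gap. Since `"ifResourceExists":"SKIP"` means a client that already exists is never touched again, the header comment should say so explicitly, e.g. `# Existing clients are SKIPped, not updated: editing a client JSON has no effect on an already-imported realm.`, because "idempotent" alone reads as if re-running applies changes.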
@@ -0,0 +1,56 @@
+#!/bin/sh
+# Assign defaultClientScopes to imported Keycloak clients.
+#
+# Workaround: partialImport ignores defaultClientScopes from client JSONs.
+# https://github.com/keycloak/keycloak/issues/16289
+# This script reads scope names from .scopes sidecar files and assigns
+# them via kcadm.sh. Can be removed when Keycloak fixes the issue.
+#
+# Scopes not present in the realm are silently skipped (e.g.
+# OpenCloudUnique_ID only exists in the LDAP realm variant).
+#
+# Requires: 00-wait-for-keycloak.sh ran first (kcadm.sh authenticated).
+# Usage: docker exec keycloak /bin/sh /opt/keycloak/bin/11-assign-client-scopes.sh
+
+set -eu
+
+KCADM="/opt/keycloak/bin/kcadm.sh"
+REALM="${KC_REALM_NAME:-openCloud}"
+CLIENTS_DIR="/opt/keycloak/data/clients"
+
+if [ ! -d "$CLIENTS_DIR" ] || ! ls "$CLIENTS_DIR"/*.scopes >/dev/null 2>&1; then
+  echo "[assign-scopes] No .scopes files found — skipping"
+  exit 0
+fi
+
+# Cache all scope IDs once (avoid repeated API calls)
+all_scopes=$($KCADM get client-scopes -r "$REALM" --fields id,name 2>/dev/null || true)
+
+for scopes_file in "$CLIENTS_DIR"/*.scopes; do
+  [ -f "$scopes_file" ] || continue
+  client_name=$(basename "$scopes_file" .scopes)
+
+  client_id=$($KCADM get clients -r "$REALM" -q "clientId=$client_name" --fields id 2>/dev/null \
+    | grep -o '[0-9a-f-]\{36\}' | head -1 || true)
+  if [ -z "$client_id" ]; then
+    echo "[assign-scopes] $client_name: client not found — skipping"
+    continue
+  fi
+
+  assigned=""
+  skipped=""
+  for scope_name in $(tr ',' ' ' < "$scopes_file"); do
+    scope_id=$(echo "$all_scopes" | grep -A1 "\"$scope_name\"" | grep '"id"' \
+      | grep -o '[0-9a-f-]\{36\}' | head -1)
+    if [ -n "$scope_id" ]; then
+      $KCADM update "clients/$client_id/default-client-scopes/$scope_id" \
+        -r "$REALM" >/dev/null 2>&1 || true
+      assigned="$assigned $scope_name"
+    else
+      skipped="$skipped $scope_name"
+    fi
+  done
+  echo "[assign-scopes] $client_name:$assigned${skipped:+ (skipped:$skipped)}"
+done
+
+echo "[assign-scopes] Done"
diff --git a/config/keycloak/README.md b/config/keycloak/README.md
new file mode 100644
index 00000000..6ce9f60b
--- /dev/null
+++ b/config/keycloak/README.md
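Review bot: The `|| true` after `$KCADM update "clients/$client_id/default-client-scopes/$scope_id"` turns every failed assignment (expired kcadm token, permission error, API rejection) into success, and the very next line appends the scope to `assigned`, so the summary line claims a default scope is in place when it is not — and because step 11 is the only thing that puts `OpenCloudUnique_ID` and the other scopes on the clients, that false "assigned" is the one error message an operator would need. Branch on the exit status, keep a separate failed list, and exit non-zero at the end (rewritten lines below). The lookup `grep -A1 "\"$scope_name\""` also uses the scope name as a regular expression and assumes the `id` line is printed directly after the `name` line in the `--fields id,name` output, which I cannot confirm from here; `grep -F` for a fixed string, and `-B1` if the field order turns out to be id-then-name, would make the dependence explicit, or parse the JSON with a proper tool. The `2>/dev/null || true` on the `all_scopes` cache has the same problem: an empty cache makes every scope look "skipped" rather than reporting the failed listing.
```shell
  assigned=""
  skipped=""
  failed=""
  for scope_name in $(tr ',' ' ' < "$scopes_file"); do
    # … unchanged: scope_id lookup …
    if [ -n "$scope_id" ]; then
      if $KCADM update "clients/$client_id/default-client-scopes/$scope_id" \
          -r "$REALM" >/dev/null 2>&1; then
        assigned="$assigned $scope_name"
      else
        failed="$failed $scope_name"
        rc=1
      fi
    else
      skipped="$skipped $scope_name"
    fi
  done
  echo "[assign-scopes] $client_name:$assigned${skipped:+ (skipped:$skipped)}${failed:+ (FAILED:$failed)}"
# … unchanged: outer loop end …
exit "${rc:-0}"
```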
@@ -0,0 +1,82 @@ +# Keycloak Configuration + +## Realm Import + +On first start, Keycloak imports the realm from one of: + +- `opencloud-realm.dist.json` — LDAP/Keycloak shared user directory +- `opencloud-realm-autoprovisioning.dist.json` — auto-provisioning (demo/testing) + +The entrypoint replaces `cloud.opencloud.test` with `$OC_DOMAIN` before import. + +## Modular Client Definitions + +Clients are individual JSON files in `clients/`, imported via a post-start pipeline: + +``` +clients/ +├── web.json + web.scopes +├── OpenCloudAndroid.json + .scopes +├── OpenCloudDesktop.json + .scopes +├── OpenCloudIOS.json + .scopes +└── cyberduck.json + .scopes +``` + +**Post-start pipeline** (runs in background after Keycloak starts): + +| Step | Script | What it does | +|------|--------|-------------| +| 0 | `00-wait-for-keycloak.sh` | Wait for Keycloak, authenticate kcadm.sh | +| 1 | `10-import-clients.sh` | `partialImport` each `clients/*.json` (SKIP existing) | +| 2 | `11-assign-client-scopes.sh` | Assign scopes from `*.scopes` sidecars | + +**Adding a client:** drop a `.json` + `.scopes` file in `clients/`, restart Keycloak. + +### Why `.scopes` sidecar files? + +Keycloak's `partialImport` ignores `defaultClientScopes` from client JSONs +([keycloak#16289](https://github.com/keycloak/keycloak/issues/16289)). +The `.scopes` file works around this — one line, comma-separated scope names: + +``` +web-origins,profile,roles,groups,basic,email,OpenCloudUnique_ID +``` + +Scopes that don't exist in the realm are skipped (e.g. `OpenCloudUnique_ID` +only exists in the LDAP variant). When Keycloak fixes #16289, the `.scopes` +files and step 2 can be removed. 
+ +## Custom Clients + +To add your own clients, mount a directory via Compose override — don't modify this repo: + +```yaml +# custom/keycloak-extra-clients.yml +services: + keycloak: + volumes: + - "./my-clients:/opt/keycloak/data/clients-custom:ro" +``` + +Add to `COMPOSE_FILE` and extend the pipeline to scan the additional path. + +## Validation + +Proves the modular approach produces an identical realm compared to the monolith: + +```bash +bash config/keycloak/validate-modular-clients.sh +``` + +Requires: docker, jq. Starts throwaway containers, compares clients, scopes, roles, +groups, and realm settings for both LDAP and autoprovisioning variants. + +## Debugging + +Each pipeline step can be run standalone: + +```bash +docker exec keycloak /bin/sh /opt/keycloak/bin/00-wait-for-keycloak.sh +docker exec keycloak /bin/sh /opt/keycloak/bin/10-import-clients.sh +docker exec keycloak /bin/sh /opt/keycloak/bin/11-assign-client-scopes.sh +``` diff --git a/config/keycloak/clients/OpenCloudAndroid.json b/config/keycloak/clients/OpenCloudAndroid.json index c21838d6..ef361ef7 100644 --- a/config/keycloak/clients/OpenCloudAndroid.json +++ b/config/keycloak/clients/OpenCloudAndroid.json @@ -47,7 +47,8 @@ "roles", "groups", "basic", - "email" + "email", + "OpenCloudUnique_ID" ], "optionalClientScopes": [ "address", diff --git a/config/keycloak/clients/OpenCloudAndroid.scopes b/config/keycloak/clients/OpenCloudAndroid.scopes new file mode 100644 index 00000000..d9c408b1 --- /dev/null +++ b/config/keycloak/clients/OpenCloudAndroid.scopes @@ -0,0 +1 @@ +web-origins,profile,roles,groups,basic,email,OpenCloudUnique_ID diff --git a/config/keycloak/clients/OpenCloudDesktop.json b/config/keycloak/clients/OpenCloudDesktop.json index d17a7cb6..890c948e 100644 --- a/config/keycloak/clients/OpenCloudDesktop.json +++ b/config/keycloak/clients/OpenCloudDesktop.json 
@@ -48,7 +48,8 @@ "roles", "groups", "basic", - "email" + "email", + "OpenCloudUnique_ID" ], "optionalClientScopes": [ "address", diff --git a/config/keycloak/clients/OpenCloudDesktop.scopes b/config/keycloak/clients/OpenCloudDesktop.scopes new file mode 100644 index 00000000..d9c408b1 --- /dev/null +++ b/config/keycloak/clients/OpenCloudDesktop.scopes @@ -0,0 +1 @@ +web-origins,profile,roles,groups,basic,email,OpenCloudUnique_ID diff --git a/config/keycloak/clients/OpenCloudIOS.json b/config/keycloak/clients/OpenCloudIOS.json index d09e0895..70e0e86e 100644 --- a/config/keycloak/clients/OpenCloudIOS.json +++ b/config/keycloak/clients/OpenCloudIOS.json @@ -47,7 +47,8 @@ "roles", "groups", "basic", - "email" + "email", + "OpenCloudUnique_ID" ], "optionalClientScopes": [ "address", diff --git a/config/keycloak/clients/OpenCloudIOS.scopes b/config/keycloak/clients/OpenCloudIOS.scopes new file mode 100644 index 00000000..d9c408b1 --- /dev/null +++ b/config/keycloak/clients/OpenCloudIOS.scopes @@ -0,0 +1 @@ +web-origins,profile,roles,groups,basic,email,OpenCloudUnique_ID diff --git a/config/keycloak/clients/cyberduck.scopes b/config/keycloak/clients/cyberduck.scopes new file mode 100644 index 00000000..729294a4 --- /dev/null +++ b/config/keycloak/clients/cyberduck.scopes @@ -0,0 +1 @@ +web-origins,profile,roles,groups,basic,email diff --git a/config/keycloak/clients/web.json b/config/keycloak/clients/web.json index 9ab819a4..4eeac6a1 100644 --- a/config/keycloak/clients/web.json +++ b/config/keycloak/clients/web.json @@ -58,7 +58,8 @@ "roles", "groups", "basic", - "email" + "email", + "OpenCloudUnique_ID" ], "optionalClientScopes": [ "address", diff --git a/config/keycloak/clients/web.scopes b/config/keycloak/clients/web.scopes new file mode 100644 index 00000000..d9c408b1 --- /dev/null +++ b/config/keycloak/clients/web.scopes @@ -0,0 +1 @@ +web-origins,profile,roles,groups,basic,email,OpenCloudUnique_ID 
diff --git a/config/keycloak/docker-entrypoint-override.sh b/config/keycloak/docker-entrypoint-override.sh index 9cf3eeb0..bb814bd0 100644 --- a/config/keycloak/docker-entrypoint-override.sh +++ b/config/keycloak/docker-entrypoint-override.sh @@ -4,8 +4,21 @@ log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]') case "$log_level" in trace|debug) printenv ;; *) ;; esac # replace openCloud domain and LDAP password in keycloak realm import -mkdir /opt/keycloak/data/import +mkdir -p /opt/keycloak/data/import sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json +# Post-start pipeline (background): import modular client definitions. +# Each step is standalone and can be run manually for debugging: +# docker exec keycloak /bin/sh /opt/keycloak/bin/10-import-clients.sh +( + if ! /bin/sh /opt/keycloak/bin/00-wait-for-keycloak.sh; then + echo "[post-start] Keycloak not ready — skipping client import" + exit 0 + fi + /bin/sh /opt/keycloak/bin/10-import-clients.sh + /bin/sh /opt/keycloak/bin/11-assign-client-scopes.sh + echo "[post-start] Done" +) & + # run original docker-entrypoint /opt/keycloak/bin/kc.sh "$@" diff --git a/config/keycloak/opencloud-realm-autoprovisioning.dist.json b/config/keycloak/opencloud-realm-autoprovisioning.dist.json index 989616a2..aa315a9b 100644 --- a/config/keycloak/opencloud-realm-autoprovisioning.dist.json +++ b/config/keycloak/opencloud-realm-autoprovisioning.dist.json 
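Review bot: The background subshell leaves the admin session obtained by `00-wait-for-keycloak.sh` on disk after the pipeline finishes — `kcadm.sh config credentials` persists the master-realm token it obtains in its config file (by default `~/.keycloak/kcadm.config` under whatever `$HOME` the container user has) — so anyone who later gets `docker exec` access to the container can run admin API calls against `master` without knowing the password for as long as that stored token stays valid. Add a cleanup to the orchestrator, e.g. `rm -f "$HOME/.keycloak/kcadm.config"` after step 11 and also on the early-exit path, or run every step with `--config` pointing into a `mktemp -d` directory that the subshell removes on exit. The `exit 0` after a wait timeout, together with the unchecked return codes of steps 10 and 11 and the unconditional `[post-start] Done`, means a first boot whose clients were never imported looks exactly like a good one in both exit status and the final log line; since the subshell is backgrounded, the exit status cannot propagate, so at least make the log line reflect the step results. Note that the pipeline runs on every container start, not only the first — worth a comment next to `# Post-start pipeline`, since the SKIP semantics of step 10 are what make that safe.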
@@ -1,2285 +1,2542 @@ { - "id" : "openCloud", - "realm" : "openCloud", - "displayName" : "OpenCloud", - "notBefore" : 0, - "defaultSignatureAlgorithm" : "RS256", - "revokeRefreshToken" : false, - "refreshTokenMaxReuse" : 0, - "accessTokenLifespan" : 300, - "accessTokenLifespanForImplicitFlow" : 900, - "ssoSessionIdleTimeout" : 1800, - "ssoSessionMaxLifespan" : 36000, - "ssoSessionIdleTimeoutRememberMe" : 0, - "ssoSessionMaxLifespanRememberMe" : 0, - "offlineSessionIdleTimeout" : 2592000, - "offlineSessionMaxLifespanEnabled" : false, - "offlineSessionMaxLifespan" : 5184000, - "clientSessionIdleTimeout" : 0, - "clientSessionMaxLifespan" : 0, - "clientOfflineSessionIdleTimeout" : 0, - "clientOfflineSessionMaxLifespan" : 0, - "accessCodeLifespan" : 60, - "accessCodeLifespanUserAction" : 300, - "accessCodeLifespanLogin" : 1800, - "actionTokenGeneratedByAdminLifespan" : 43200, - "actionTokenGeneratedByUserLifespan" : 300, - "oauth2DeviceCodeLifespan" : 600, - "oauth2DevicePollingInterval" : 5, - "enabled" : true, - "sslRequired" : "external", - "registrationAllowed" : false, - "registrationEmailAsUsername" : false, - "rememberMe" : false, - "verifyEmail" : false, - "loginWithEmailAllowed" : true, - "duplicateEmailsAllowed" : false, - "resetPasswordAllowed" : false, - "editUsernameAllowed" : false, - "bruteForceProtected" : true, - "permanentLockout" : false, - "maxTemporaryLockouts" : 0, - "maxFailureWaitSeconds" : 900, - "minimumQuickLoginWaitSeconds" : 60, - "waitIncrementSeconds" : 60, - "quickLoginCheckMilliSeconds" : 1000, - "maxDeltaTimeSeconds" : 43200, - "failureFactor" : 30, - "roles" : { - "realm" : [ { - "id" : "2d576514-4aae-46aa-9d9c-075f55f4d988", - "name" : "uma_authorization", - "description" : "${role_uma_authorization}", - "composite" : false, - "clientRole" : false, - "containerId" : "openCloud", - "attributes" : { } - }, { - "id" : "2aadd357-682c-406b-8874-293091995fdd", - "name" : "opencloudSpaceAdmin", - "description" : "", - "composite" : false, - 
"clientRole" : false, - "containerId" : "openCloud", - "attributes" : { } - }, { - "id" : "38071a68-456a-4553-846a-fa67bf5596cc", - "name" : "opencloudGuest", - "description" : "", - "composite" : false, - "clientRole" : false, - "containerId" : "openCloud", - "attributes" : { } - }, { - "id" : "71881883-1768-46bd-a24d-a356a2afdf7f", - "name" : "opencloudAdmin", - "description" : "", - "composite" : false, - "clientRole" : false, - "containerId" : "openCloud", - "attributes" : { } - }, { - "id" : "e2145b30-bf6f-49fb-af3f-1b40168bfcef", - "name" : "offline_access", - "description" : "${role_offline-access}", - "composite" : false, - "clientRole" : false, - "containerId" : "openCloud", - "attributes" : { } - }, { - "id" : "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", - "name" : "default-roles-opencloud", - "description" : "${role_default-roles}", - "composite" : true, - "composites" : { - "realm" : [ "offline_access", "uma_authorization" ], - "client" : { - "account" : [ "manage-account", "view-profile" ] - } + "id": "openCloud", + "realm": "openCloud", + "displayName": "OpenCloud", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + 
"sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": true, + "permanentLockout": false, + "maxTemporaryLockouts": 0, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "2d576514-4aae-46aa-9d9c-075f55f4d988", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "openCloud", + "attributes": {} + }, + { + "id": "2aadd357-682c-406b-8874-293091995fdd", + "name": "opencloudSpaceAdmin", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "openCloud", + "attributes": {} + }, + { + "id": "38071a68-456a-4553-846a-fa67bf5596cc", + "name": "opencloudGuest", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "openCloud", + "attributes": {} }, - "clientRole" : false, - "containerId" : "openCloud", - "attributes" : { } - }, { - "id" : "d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11", - "name" : "opencloudUser", - "description" : "", - "composite" : false, - "clientRole" : false, - "containerId" : "openCloud", - "attributes" : { } - } ], - "client" : { - "_system" : [ ], - "realm-management" : [ { - "id" : "979ce053-a671-4b50-81d5-da4bdf7404c9", - "name" : "view-clients", - "description" : "${role_view-clients}", - "composite" : true, - "composites" : { - "client" : { - "realm-management" : [ "query-clients" ] + { + "id": "71881883-1768-46bd-a24d-a356a2afdf7f", + "name": "opencloudAdmin", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "openCloud", + "attributes": {} + }, + { + "id": 
"e2145b30-bf6f-49fb-af3f-1b40168bfcef", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "openCloud", + "attributes": {} + }, + { + "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", + "name": "default-roles-opencloud", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] } }, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "4bec4791-e888-4dac-bc95-71720d5981b9", - "name" : "query-users", - "description" : "${role_query-users}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "955b4406-b04f-432d-a61a-571675874341", - "name" : "manage-authorization", - "description" : "${role_manage-authorization}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "baa219af-2773-4d59-b06b-485f10fbbab3", - "name" : "view-events", - "description" : "${role_view-events}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "f280bc03-d079-478d-be06-3590580b25e9", - "name" : "manage-users", - "description" : "${role_manage-users}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "db698163-84ad-46c9-958f-bb5f80ae78b5", - "name" : "query-clients", - "description" : "${role_query-clients}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "36c04d89-abf7-4a2c-a808-8efa9aca1435", - "name" : "manage-clients", - "description" : 
"${role_manage-clients}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "06eae953-11d5-4344-b089-ffce1e68d5d8", - "name" : "query-realms", - "description" : "${role_query-realms}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "afe8aa78-2f06-43a5-8c99-cf68a1f5a86a", - "name" : "realm-admin", - "description" : "${role_realm-admin}", - "composite" : true, - "composites" : { - "client" : { - "realm-management" : [ "view-clients", "query-users", "manage-authorization", "view-events", "manage-users", "query-clients", "manage-clients", "query-realms", "impersonation", "manage-realm", "manage-identity-providers", "view-authorization", "create-client", "query-groups", "view-users", "view-realm", "view-identity-providers", "manage-events" ] - } + "clientRole": false, + "containerId": "openCloud", + "attributes": {} + }, + { + "id": "d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11", + "name": "opencloudUser", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "openCloud", + "attributes": {} + } + ], + "client": { + "_system": [], + "realm-management": [ + { + "id": "979ce053-a671-4b50-81d5-da4bdf7404c9", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} }, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "22ee128a-b28e-4c6a-aa8e-ad4136d74e1b", - "name" : "impersonation", - "description" : "${role_impersonation}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : 
"89d4f119-7f87-44d9-8eef-d207304de778", - "name" : "manage-realm", - "description" : "${role_manage-realm}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "ebffeff4-6794-4003-a2ab-a79eff7d1baa", - "name" : "manage-identity-providers", - "description" : "${role_manage-identity-providers}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "2361a7ff-d2b3-43f5-b360-ad0e44fba65c", - "name" : "view-authorization", - "description" : "${role_view-authorization}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "f7bf6d7a-a861-49c6-8f6f-225c18d0a03a", - "name" : "create-client", - "description" : "${role_create-client}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "34ccce1c-5a7e-4268-8836-2276545be900", - "name" : "query-groups", - "description" : "${role_query-groups}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "430f7831-8f22-4518-bd15-2998eae45a51", - "name" : "view-users", - "description" : "${role_view-users}", - "composite" : true, - "composites" : { - "client" : { - "realm-management" : [ "query-groups", "query-users" ] - } + { + "id": "4bec4791-e888-4dac-bc95-71720d5981b9", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} }, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "371a31e6-4494-4b74-b3ea-d030663423ed", - "name" : "view-realm", - "description" : "${role_view-realm}", - "composite" : false, - 
"clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "e875775b-7a3e-4a5d-9e4e-376351b78626", - "name" : "view-identity-providers", - "description" : "${role_view-identity-providers}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - }, { - "id" : "3dce7929-ee1f-40cd-9be1-7addcae92cef", - "name" : "manage-events", - "description" : "${role_manage-events}", - "composite" : false, - "clientRole" : true, - "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes" : { } - } ], - "OpenCloudDesktop" : [ ], - "web" : [ ], - "security-admin-console" : [ ], - "OpenCloudAndroid" : [ ], - "admin-cli" : [ ], - "OpenCloudIOS" : [ ], - "account-console" : [ ], - "broker" : [ { - "id" : "81fad68a-8dd8-4d79-9a8f-206a82460145", - "name" : "read-token", - "description" : "${role_read-token}", - "composite" : false, - "clientRole" : true, - "containerId" : "002faf0a-716c-4230-81c7-ce22d1eb832c", - "attributes" : { } - } ], - "account" : [ { - "id" : "c49a49da-8ad0-44cb-b518-6d7d72cbe494", - "name" : "manage-account", - "description" : "${role_manage-account}", - "composite" : true, - "composites" : { - "client" : { - "account" : [ "manage-account-links" ] - } + { + "id": "955b4406-b04f-432d-a61a-571675874341", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} }, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - }, { - "id" : "9dc2244e-b8a7-44f1-b173-d2b929fedcca", - "name" : "view-consent", - "description" : "${role_view-consent}", - "composite" : false, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - }, { - "id" : "ce115327-99c9-44d4-ba7d-820397dc11e6", - "name" : 
"manage-account-links", - "description" : "${role_manage-account-links}", - "composite" : false, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - }, { - "id" : "2ffdf854-084b-467a-91c6-7f07844efc9a", - "name" : "view-groups", - "description" : "${role_view-groups}", - "composite" : false, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - }, { - "id" : "8c45ca71-32aa-4547-932d-412da5e371ed", - "name" : "view-profile", - "description" : "${role_view-profile}", - "composite" : false, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - }, { - "id" : "cbeecf6d-9af8-4746-877b-74800a894c35", - "name" : "view-applications", - "description" : "${role_view-applications}", - "composite" : false, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - }, { - "id" : "ea798f64-b5f8-417f-9fe0-d3cd9172884f", - "name" : "delete-account", - "description" : "${role_delete-account}", - "composite" : false, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - }, { - "id" : "e73aaf6d-e67b-491a-9cc3-78c32c82b42c", - "name" : "manage-consent", - "description" : "${role_manage-consent}", - "composite" : true, - "composites" : { - "client" : { - "account" : [ "view-consent" ] - } + { + "id": "baa219af-2773-4d59-b06b-485f10fbbab3", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "f280bc03-d079-478d-be06-3590580b25e9", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "db698163-84ad-46c9-958f-bb5f80ae78b5", + "name": "query-clients", + 
"description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "36c04d89-abf7-4a2c-a808-8efa9aca1435", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "06eae953-11d5-4344-b089-ffce1e68d5d8", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "afe8aa78-2f06-43a5-8c99-cf68a1f5a86a", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "view-clients", + "query-users", + "manage-authorization", + "view-events", + "manage-users", + "query-clients", + "manage-clients", + "query-realms", + "impersonation", + "manage-realm", + "manage-identity-providers", + "view-authorization", + "create-client", + "query-groups", + "view-users", + "view-realm", + "view-identity-providers", + "manage-events" + ] + } + }, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "22ee128a-b28e-4c6a-aa8e-ad4136d74e1b", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "89d4f119-7f87-44d9-8eef-d207304de778", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "ebffeff4-6794-4003-a2ab-a79eff7d1baa", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + 
"clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "2361a7ff-d2b3-43f5-b360-ad0e44fba65c", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} }, - "clientRole" : true, - "containerId" : "9850adad-7910-4b67-a790-da6444361618", - "attributes" : { } - } ] + { + "id": "f7bf6d7a-a861-49c6-8f6f-225c18d0a03a", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "34ccce1c-5a7e-4268-8836-2276545be900", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "430f7831-8f22-4518-bd15-2998eae45a51", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "371a31e6-4494-4b74-b3ea-d030663423ed", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "e875775b-7a3e-4a5d-9e4e-376351b78626", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "3dce7929-ee1f-40cd-9be1-7addcae92cef", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": 
"7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "81fad68a-8dd8-4d79-9a8f-206a82460145", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "002faf0a-716c-4230-81c7-ce22d1eb832c", + "attributes": {} + } + ], + "account": [ + { + "id": "c49a49da-8ad0-44cb-b518-6d7d72cbe494", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "9dc2244e-b8a7-44f1-b173-d2b929fedcca", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "ce115327-99c9-44d4-ba7d-820397dc11e6", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "2ffdf854-084b-467a-91c6-7f07844efc9a", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "8c45ca71-32aa-4547-932d-412da5e371ed", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "cbeecf6d-9af8-4746-877b-74800a894c35", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + 
"id": "ea798f64-b5f8-417f-9fe0-d3cd9172884f", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "e73aaf6d-e67b-491a-9cc3-78c32c82b42c", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + } + ] } }, - "groups" : [ { - "id" : "6c80a8fa-46cd-4b35-be85-870b0b958e05", - "name" : "apollos", - "path" : "/apollos", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : "9f66dc0f-cc44-4027-84d7-ce03dcdb5087", - "name" : "basic-haters", - "path" : "/basic-haters", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : "0fef936b-b54a-4b2b-a86b-c35e08ef5048", - "name" : "bible-readers", - "path" : "/bible-readers", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : "e7dfcc97-3025-4db7-96a3-758b05459277", - "name" : "chess-lovers", - "path" : "/chess-lovers", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : "cd9d7c10-9f35-4178-85c4-422fa1c29fb6", - "name" : "machine-lovers", - "path" : "/machine-lovers", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : "ccff9d71-70c3-4a96-b674-bc4fc80317fe", - "name" : "programmers", - "path" : "/programmers", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : "77b31946-728d-43a4-83f9-78987dc36fc7", - "name" : "unix-lovers", - "path" : "/unix-lovers", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : 
"1f85df7f-0531-439a-97a3-026e59dce5c6", - "name" : "users", - "path" : "/users", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - }, { - "id" : "8fb43876-9bf6-4db7-8552-61f6ae8c5f11", - "name" : "vlsi-lovers", - "path" : "/vlsi-lovers", - "subGroups" : [ ], - "attributes" : { }, - "realmRoles" : [ ], - "clientRoles" : { } - } ], - "defaultRole" : { - "id" : "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", - "name" : "default-roles-opencloud", - "description" : "${role_default-roles}", - "composite" : true, - "clientRole" : false, - "containerId" : "openCloud" - }, - "requiredCredentials" : [ "password" ], - "otpPolicyType" : "totp", - "otpPolicyAlgorithm" : "HmacSHA1", - "otpPolicyInitialCounter" : 0, - "otpPolicyDigits" : 6, - "otpPolicyLookAheadWindow" : 1, - "otpPolicyPeriod" : 30, - "otpPolicyCodeReusable" : false, - "otpSupportedApplications" : [ "totpAppFreeOTPName", "totpAppGoogleName", "totpAppMicrosoftAuthenticatorName" ], - "localizationTexts" : { }, - "webAuthnPolicyRpEntityName" : "keycloak", - "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], - "webAuthnPolicyRpId" : "", - "webAuthnPolicyAttestationConveyancePreference" : "not specified", - "webAuthnPolicyAuthenticatorAttachment" : "not specified", - "webAuthnPolicyRequireResidentKey" : "not specified", - "webAuthnPolicyUserVerificationRequirement" : "not specified", - "webAuthnPolicyCreateTimeout" : 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, - "webAuthnPolicyAcceptableAaguids" : [ ], - "webAuthnPolicyExtraOrigins" : [ ], - "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], - "webAuthnPolicyPasswordlessRpId" : "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", - 
"webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", - "webAuthnPolicyPasswordlessCreateTimeout" : 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, - "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], - "webAuthnPolicyPasswordlessExtraOrigins" : [ ], - "users" : [ { - "id" : "0ab77e6d-23b4-4ba3-9843-a3b3efdcfc53", - "username" : "admin", - "firstName" : "Admin", - "email" : "admin@example.org", - "emailVerified" : true, - "createdTimestamp" : 1743086161853, - "enabled" : true, - "totp" : false, - "credentials" : [ { - "id" : "e637b1d3-26a9-4df1-bf6a-33ef404194aa", - "type" : "password", - "userLabel" : "My password", - "createdDate" : 1743086173787, - "secretData" : "{\"value\":\"EZgBDLSPYAw7TDpjmzPZONXc49EdyGnE3kYF7HQwvMs=\",\"salt\":\"BOQfraUlcLUBtPbChIoanQ==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "opencloudAdmin", "default-roles-opencloud" ], - "notBefore" : 0, - "groups" : [ "/users" ] - }, { - "id" : "9b06fea1-729b-45b9-a264-cdc4318b36ce", - "username" : "alan", - "firstName" : "Alan", - "lastName" : "Turing", - "email" : "alan@example.org", - "emailVerified" : true, - "createdTimestamp" : 1743086820550, - "enabled" : true, - "totp" : false, - "credentials" : [ { - "id" : "c0b7e92d-b328-4619-bb40-b862595c676b", - "type" : "password", - "userLabel" : "My password", - "createdDate" : 1743086831206, - "secretData" : "{\"value\":\"DZm1M4KmP9iH78U7r3tfRe5iAnHpew7dRu8Wn9o2WiI=\",\"salt\":\"LLKr5fYFCreH9I4qdgNNLg==\",\"additionalParameters\":{}}", - "credentialData" : 
"{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-opencloud", "opencloudUser" ], - "notBefore" : 0, - "groups" : [ "/chess-lovers", "/machine-lovers", "/programmers", "/users" ] - }, { - "id" : "a0b207c7-69e1-47da-8279-07596d8271fc", - "username" : "dennis", - "firstName" : "Dennis", - "lastName" : "Ritchie", - "email" : "dennis@example.org", - "emailVerified" : true, - "createdTimestamp" : 1743086900197, - "enabled" : true, - "totp" : false, - "credentials" : [ { - "id" : "f9adca7d-ad6a-4290-ae50-540774fcd93f", - "type" : "password", - "userLabel" : "My password", - "createdDate" : 1743086912368, - "secretData" : "{\"value\":\"f+LIZnxSY/sEo7DKGqWZFSeaEFTTIhAmBVTVvIPLTV4=\",\"salt\":\"58Lzve1a1V8NrY9K7GUHgA==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "opencloudAdmin", "default-roles-opencloud" ], - "notBefore" : 0, - "groups" : [ "/basic-haters", "/programmers", "/unix-lovers", "/users" ] - }, { - "id" : "c5212e4a-1b85-4028-b5e4-03484c46bd1c", - "username" : "lynn", - "firstName" : "Lynn", - "lastName" : "Conway", - "email" : "lynn@example.org", - "emailVerified" : true, - "createdTimestamp" : 1743086963636, - "enabled" : true, - "totp" : false, - "credentials" : [ { - "id" : "e68b2724-8856-4892-a6d9-3c45b035ec1b", - "type" : "password", - "userLabel" : "My password", - "createdDate" : 1743086975605, - "secretData" : 
"{\"value\":\"xlnjYqq8JCpk+XMZ1W2EB+b8mizrxfFz24na73hL1Wc=\",\"salt\":\"ArB8wLvsFEiWI9OLIDJFNQ==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-opencloud", "opencloudUser" ], - "notBefore" : 0, - "groups" : [ "/programmers", "/users", "/vlsi-lovers" ] - }, { - "id" : "932f373d-0935-4cae-85a4-a46f7091cc26", - "username" : "margaret", - "firstName" : "Margaret", - "lastName" : "Hamilton", - "email" : "margaret@example.org", - "emailVerified" : true, - "createdTimestamp" : 1743087042652, - "enabled" : true, - "totp" : false, - "credentials" : [ { - "id" : "0512312a-06f6-44dd-b02d-2a5698de4e20", - "type" : "password", - "userLabel" : "My password", - "createdDate" : 1743087054145, - "secretData" : "{\"value\":\"/C6K2MGtckKOSenXZqj6BM3OAAeowEL6vR3Ya11ByTg=\",\"salt\":\"qpdRtjJyN/kM+1VSQ0dAJw==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "opencloudSpaceAdmin", "default-roles-opencloud" ], - "notBefore" : 0, - "groups" : [ "/apollos", "/programmers", "/users" ] - }, { - "id" : "13c3b0db-b6a5-49b5-8f9e-d23729517d9d", - "username" : "mary", - "firstName" : "Mary", - "lastName" : "Kenneth Keller", - "email" : "mary@example.org", - "emailVerified" : true, - "createdTimestamp" : 1743087096263, - "enabled" : true, - "totp" : false, - "credentials" : [ { - "id" : "d7b7ee6d-7122-4cf9-94de-e66caa5faa80", - "type" : "password", - "userLabel" : "My password", - "createdDate" : 1743087105788, - "secretData" 
: "{\"value\":\"oqauYuZpnCxtBFSVEhmY+vtONnvSC9VOAMBUK5gC8+8=\",\"salt\":\"HPRafx27pEj0GpedUMt09A==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-opencloud", "opencloudUser" ], - "notBefore" : 0, - "groups" : [ "/bible-readers", "/users" ] - } ], - "scopeMappings" : [ { - "clientScope" : "offline_access", - "roles" : [ "offline_access" ] - }, { - "clientScope" : "roles", - "roles" : [ "opencloudGuest", "opencloudAdmin", "opencloudSpaceAdmin", "opencloudUser" ] - } ], - "clientScopeMappings" : { - "account" : [ { - "client" : "account-console", - "roles" : [ "manage-account", "view-groups" ] - } ] - }, - "clients" : [ { - "id" : "294b6cf4-b646-4f6c-bab2-616546ec3167", - "clientId" : "_system", - "name" : "_system", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "**********", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "client.secret.creation.time" : "1718778122", - "post.logout.redirect.uris" : "+" + "groups": [ + { + "id": "6c80a8fa-46cd-4b35-be85-870b0b958e05", + "name": "apollos", + "path": "/apollos", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "profile", 
"roles", "basic", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "9850adad-7910-4b67-a790-da6444361618", - "clientId" : "account", - "name" : "${client_account}", - "rootUrl" : "${authBaseUrl}", - "baseUrl" : "/realms/openCloud/account/", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "**********", - "redirectUris" : [ "/realms/openCloud/account/*" ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "client.secret.creation.time" : "1718778122", - "post.logout.redirect.uris" : "+" + { + "id": "9f66dc0f-cc44-4027-84d7-ce03dcdb5087", + "name": "basic-haters", + "path": "/basic-haters", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "basic" ], - "optionalClientScopes" : [ ] - }, { - "id" : "55bb4cdc-045b-422a-8830-61245949d6aa", - "clientId" : "account-console", - "name" : "${client_account-console}", - "rootUrl" : "${authBaseUrl}", - "baseUrl" : "/realms/openCloud/account/", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ "/realms/openCloud/account/*" ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : true, - 
"frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "post.logout.redirect.uris" : "+", - "pkce.code.challenge.method" : "S256" + { + "id": "0fef936b-b54a-4b2b-a86b-c35e08ef5048", + "name": "bible-readers", + "path": "/bible-readers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "protocolMappers" : [ { - "id" : "9bf413ed-402f-438d-a72c-033f3c45dab2", - "name" : "audience resolve", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-audience-resolve-mapper", - "consentRequired" : false, - "config" : { } - } ], - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "2969b8ff-2ab3-4907-aaa7-091a7a627ccb", - "clientId" : "admin-cli", - "name" : "${client_admin-cli}", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : false, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : true, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "post.logout.redirect.uris" : "+" + { + "id": "e7dfcc97-3025-4db7-96a3-758b05459277", + "name": "chess-lovers", + "path": "/chess-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "basic" ], - "optionalClientScopes" : [ ] - }, { - "id" : "002faf0a-716c-4230-81c7-ce22d1eb832c", - "clientId" : "broker", - "name" 
: "${client_broker}", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "**********", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "client.secret.creation.time" : "1718778122", - "post.logout.redirect.uris" : "+" + { + "id": "cd9d7c10-9f35-4178-85c4-422fa1c29fb6", + "name": "machine-lovers", + "path": "/machine-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "basic" ], - "optionalClientScopes" : [ ] - }, { - "id" : "c8367556-1d13-4979-b4f6-5e2cff1f82ae", - "clientId" : "OpenCloudAndroid", - "name" : "OpenCloud Android App", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "**********", - "redirectUris" : [ "oc://android.opencloud.eu" ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : true, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "saml.assertion.signature" : "false", - "saml.force.post.binding" : "false", - "saml.multivalued.roles" : "false", - "saml.encrypt" : "false", - "post.logout.redirect.uris" : "oc://android.opencloud.eu", - "backchannel.logout.revoke.offline.tokens" : "false", - "saml.server.signature" : "false", - 
"saml.server.signature.keyinfo.ext" : "false", - "exclude.session.state.from.auth.response" : "false", - "backchannel.logout.session.required" : "true", - "client_credentials.use_refresh_token" : "false", - "saml_force_name_id_format" : "false", - "saml.client.signature" : "false", - "tls.client.certificate.bound.access.tokens" : "false", - "saml.authnstatement" : "false", - "display.on.consent.screen" : "false", - "saml.onetimeuse.condition" : "false" + { + "id": "ccff9d71-70c3-4a96-b674-bc4fc80317fe", + "name": "programmers", + "path": "/programmers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : true, - "nodeReRegistrationTimeout" : -1, - "defaultClientScopes" : [ "web-origins", "profile", "roles", "groups", "basic", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9", - "clientId" : "OpenCloudIOS", - "name" : "OpenCloud iOS App", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "**********", - "redirectUris" : [ "oc://ios.opencloud.eu" ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : true, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "saml.assertion.signature" : "false", - "saml.force.post.binding" : "false", - "saml.multivalued.roles" : "false", - "saml.encrypt" : "false", - "post.logout.redirect.uris" : "oc://ios.opencloud.eu", - "backchannel.logout.revoke.offline.tokens" : "false", - "saml.server.signature" : "false", - "saml.server.signature.keyinfo.ext" : "false", - "exclude.session.state.from.auth.response" : 
"false", - "backchannel.logout.session.required" : "true", - "client_credentials.use_refresh_token" : "false", - "saml_force_name_id_format" : "false", - "saml.client.signature" : "false", - "tls.client.certificate.bound.access.tokens" : "false", - "saml.authnstatement" : "false", - "display.on.consent.screen" : "false", - "saml.onetimeuse.condition" : "false" + { + "id": "77b31946-728d-43a4-83f9-78987dc36fc7", + "name": "unix-lovers", + "path": "/unix-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : true, - "nodeReRegistrationTimeout" : -1, - "defaultClientScopes" : [ "web-origins", "profile", "roles", "groups", "basic", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "clientId" : "realm-management", - "name" : "${client_realm-management}", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : true, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "post.logout.redirect.uris" : "+" + { + "id": "1f85df7f-0531-439a-97a3-026e59dce5c6", + "name": "users", + "path": "/users", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ ], - "optionalClientScopes" : [ ] - }, { - "id" : "97264f49-a8c1-4585-99b6-e706339c62f8", - "clientId" : "security-admin-console", - "name" : 
"${client_security-admin-console}", - "rootUrl" : "${authAdminUrl}", - "baseUrl" : "/admin/openCloud/console/", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ "/admin/openCloud/console/*" ], - "webOrigins" : [ "+" ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "post.logout.redirect.uris" : "+", - "pkce.code.challenge.method" : "S256" + { + "id": "8fb43876-9bf6-4db7-8552-61f6ae8c5f11", + "name": "vlsi-lovers", + "path": "/vlsi-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + } + ], + "defaultRole": { + "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", + "name": "default-roles-opencloud", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "openCloud" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "localizationTexts": {}, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + 
"webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyExtraOrigins": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "webAuthnPolicyPasswordlessExtraOrigins": [], + "users": [ + { + "id": "0ab77e6d-23b4-4ba3-9843-a3b3efdcfc53", + "username": "admin", + "firstName": "Admin", + "email": "admin@example.org", + "emailVerified": true, + "createdTimestamp": 1743086161853, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "e637b1d3-26a9-4df1-bf6a-33ef404194aa", + "type": "password", + "userLabel": "My password", + "createdDate": 1743086173787, + "secretData": "{\"value\":\"EZgBDLSPYAw7TDpjmzPZONXc49EdyGnE3kYF7HQwvMs=\",\"salt\":\"BOQfraUlcLUBtPbChIoanQ==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "opencloudAdmin", + "default-roles-opencloud" + ], + "notBefore": 0, + "groups": [ + "/users" + ] }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "protocolMappers" : [ { - "id" : "96092024-21dd-4d31-a004-2c5b96031da3", - "name" : "locale", - "protocol" : "openid-connect", - 
"protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "locale", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "locale", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - } ], - "defaultClientScopes" : [ "basic" ], - "optionalClientScopes" : [ ] - }, { - "id" : "54b18eca-cf79-4263-9db9-2d79f8a1c831", - "clientId" : "web", - "name" : "OpenCloud Web App", - "description" : "", - "rootUrl" : "https://cloud.opencloud.test", - "adminUrl" : "https://cloud.opencloud.test", - "baseUrl" : "", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ "https://cloud.opencloud.test/", "https://cloud.opencloud.test/oidc-callback.html", "https://cloud.opencloud.test/oidc-silent-redirect.html" ], - "webOrigins" : [ "https://cloud.opencloud.test" ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : true, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "saml.assertion.signature" : "false", - "saml.force.post.binding" : "false", - "saml.multivalued.roles" : "false", - "saml.encrypt" : "false", - "post.logout.redirect.uris" : "+", - "oauth2.device.authorization.grant.enabled" : "false", - "backchannel.logout.revoke.offline.tokens" : "false", - "saml.server.signature" : "false", - "saml.server.signature.keyinfo.ext" : "false", - "exclude.session.state.from.auth.response" : "false", - "oidc.ciba.grant.enabled" : "false", - "backchannel.logout.session.required" : "true", - "backchannel.logout.url" : "https://cloud.opencloud.test/backchannel_logout", - "client_credentials.use_refresh_token" : "false", - "saml_force_name_id_format" : "false", - 
"saml.client.signature" : "false", - "tls.client.certificate.bound.access.tokens" : "false", - "saml.authnstatement" : "false", - "display.on.consent.screen" : "false", - "saml.onetimeuse.condition" : "false" + { + "id": "9b06fea1-729b-45b9-a264-cdc4318b36ce", + "username": "alan", + "firstName": "Alan", + "lastName": "Turing", + "email": "alan@example.org", + "emailVerified": true, + "createdTimestamp": 1743086820550, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "c0b7e92d-b328-4619-bb40-b862595c676b", + "type": "password", + "userLabel": "My password", + "createdDate": 1743086831206, + "secretData": "{\"value\":\"DZm1M4KmP9iH78U7r3tfRe5iAnHpew7dRu8Wn9o2WiI=\",\"salt\":\"LLKr5fYFCreH9I4qdgNNLg==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-opencloud", + "opencloudUser" + ], + "notBefore": 0, + "groups": [ + "/chess-lovers", + "/machine-lovers", + "/programmers", + "/users" + ] }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : true, - "nodeReRegistrationTimeout" : -1, - "defaultClientScopes" : [ "web-origins", "profile", "roles", "groups", "basic", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f", - "clientId" : "OpenCloudDesktop", - "name" : "OpenCloud Desktop Client", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "secret" : "**********", - "redirectUris" : [ "http://127.0.0.1", "http://localhost" ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - 
"implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : true, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "saml.assertion.signature" : "false", - "saml.force.post.binding" : "false", - "saml.multivalued.roles" : "false", - "saml.encrypt" : "false", - "post.logout.redirect.uris" : "+", - "backchannel.logout.revoke.offline.tokens" : "false", - "saml.server.signature" : "false", - "saml.server.signature.keyinfo.ext" : "false", - "exclude.session.state.from.auth.response" : "false", - "backchannel.logout.session.required" : "true", - "client_credentials.use_refresh_token" : "false", - "saml_force_name_id_format" : "false", - "saml.client.signature" : "false", - "tls.client.certificate.bound.access.tokens" : "false", - "saml.authnstatement" : "false", - "display.on.consent.screen" : "false", - "saml.onetimeuse.condition" : "false" + { + "id": "a0b207c7-69e1-47da-8279-07596d8271fc", + "username": "dennis", + "firstName": "Dennis", + "lastName": "Ritchie", + "email": "dennis@example.org", + "emailVerified": true, + "createdTimestamp": 1743086900197, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "f9adca7d-ad6a-4290-ae50-540774fcd93f", + "type": "password", + "userLabel": "My password", + "createdDate": 1743086912368, + "secretData": "{\"value\":\"f+LIZnxSY/sEo7DKGqWZFSeaEFTTIhAmBVTVvIPLTV4=\",\"salt\":\"58Lzve1a1V8NrY9K7GUHgA==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "opencloudAdmin", + "default-roles-opencloud" + ], + "notBefore": 0, + "groups": [ + "/basic-haters", + "/programmers", + "/unix-lovers", + "/users" + ] }, - "authenticationFlowBindingOverrides" : 
{ }, - "fullScopeAllowed" : true, - "nodeReRegistrationTimeout" : -1, - "defaultClientScopes" : [ "web-origins", "profile", "roles", "groups", "basic", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - } ], - "clientScopes" : [ { - "id" : "258e56a8-1eeb-49ea-957b-aff8df4656ba", - "name" : "email", - "description" : "OpenID Connect built-in scope: email", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "consent.screen.text" : "${emailScopeConsentText}", - "display.on.consent.screen" : "true" + { + "id": "c5212e4a-1b85-4028-b5e4-03484c46bd1c", + "username": "lynn", + "firstName": "Lynn", + "lastName": "Conway", + "email": "lynn@example.org", + "emailVerified": true, + "createdTimestamp": 1743086963636, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "e68b2724-8856-4892-a6d9-3c45b035ec1b", + "type": "password", + "userLabel": "My password", + "createdDate": 1743086975605, + "secretData": "{\"value\":\"xlnjYqq8JCpk+XMZ1W2EB+b8mizrxfFz24na73hL1Wc=\",\"salt\":\"ArB8wLvsFEiWI9OLIDJFNQ==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-opencloud", + "opencloudUser" + ], + "notBefore": 0, + "groups": [ + "/programmers", + "/users", + "/vlsi-lovers" + ] }, - "protocolMappers" : [ { - "id" : "068bcfb6-4a17-4c20-b083-ae542a7f76c8", - "name" : "email verified", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "emailVerified", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "email_verified", - "jsonType.label" : "boolean", - 
"userinfo.token.claim" : "true" - } - }, { - "id" : "c00d6c21-2fd1-435f-9ee9-87e011048cbe", - "name" : "email", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "email", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "email", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - } ] - }, { - "id" : "b3e1e47e-3912-4b55-ba89-b0198e767682", - "name" : "address", - "description" : "OpenID Connect built-in scope: address", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "consent.screen.text" : "${addressScopeConsentText}", - "display.on.consent.screen" : "true" + { + "id": "932f373d-0935-4cae-85a4-a46f7091cc26", + "username": "margaret", + "firstName": "Margaret", + "lastName": "Hamilton", + "email": "margaret@example.org", + "emailVerified": true, + "createdTimestamp": 1743087042652, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "0512312a-06f6-44dd-b02d-2a5698de4e20", + "type": "password", + "userLabel": "My password", + "createdDate": 1743087054145, + "secretData": "{\"value\":\"/C6K2MGtckKOSenXZqj6BM3OAAeowEL6vR3Ya11ByTg=\",\"salt\":\"qpdRtjJyN/kM+1VSQ0dAJw==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "opencloudSpaceAdmin", + "default-roles-opencloud" + ], + "notBefore": 0, + "groups": [ + "/apollos", + "/programmers", + "/users" + ] }, - "protocolMappers" : [ { - "id" : "876baab9-39d1-4845-abb4-561a58aa152d", - "name" : "address", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-address-mapper", - "consentRequired" : false, - "config" : { - 
"user.attribute.formatted" : "formatted", - "user.attribute.country" : "country", - "user.attribute.postal_code" : "postal_code", - "userinfo.token.claim" : "true", - "user.attribute.street" : "street", - "id.token.claim" : "true", - "user.attribute.region" : "region", - "access.token.claim" : "true", - "user.attribute.locality" : "locality" - } - } ] - }, { - "id" : "9cae7ced-e7d9-4f7b-8e54-7402125f6ead", - "name" : "offline_access", - "description" : "OpenID Connect built-in scope: offline_access", - "protocol" : "openid-connect", - "attributes" : { - "consent.screen.text" : "${offlineAccessScopeConsentText}", - "display.on.consent.screen" : "true" + { + "id": "13c3b0db-b6a5-49b5-8f9e-d23729517d9d", + "username": "mary", + "firstName": "Mary", + "lastName": "Kenneth Keller", + "email": "mary@example.org", + "emailVerified": true, + "createdTimestamp": 1743087096263, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "d7b7ee6d-7122-4cf9-94de-e66caa5faa80", + "type": "password", + "userLabel": "My password", + "createdDate": 1743087105788, + "secretData": "{\"value\":\"oqauYuZpnCxtBFSVEhmY+vtONnvSC9VOAMBUK5gC8+8=\",\"salt\":\"HPRafx27pEj0GpedUMt09A==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-opencloud", + "opencloudUser" + ], + "notBefore": 0, + "groups": [ + "/bible-readers", + "/users" + ] } - }, { - "id" : "8eb1f69b-b941-4185-bca1-f916953f7cf5", - "name" : "role_list", - "description" : "SAML role list", - "protocol" : "saml", - "attributes" : { - "consent.screen.text" : "${samlRoleListScopeConsentText}", - "display.on.consent.screen" : "true" + ], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] }, - 
"protocolMappers" : [ { - "id" : "fb587847-806f-4443-bab0-501efc0f0b46", - "name" : "role list", - "protocol" : "saml", - "protocolMapper" : "saml-role-list-mapper", - "consentRequired" : false, - "config" : { - "single" : "false", - "attribute.nameformat" : "Basic", - "attribute.name" : "Role" + { + "clientScope": "roles", + "roles": [ + "opencloudGuest", + "opencloudAdmin", + "opencloudSpaceAdmin", + "opencloudUser" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] } - } ] - }, { - "id" : "947da1ff-f614-48fc-9ecb-c98cbcfd3390", - "name" : "profile", - "description" : "OpenID Connect built-in scope: profile", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "consent.screen.text" : "${profileScopeConsentText}", - "display.on.consent.screen" : "true" + ] + }, + "clients": [ + { + "id": "294b6cf4-b646-4f6c-bab2-616546ec3167", + "clientId": "_system", + "name": "_system", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1718778122", + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, - "protocolMappers" : [ { - "id" : "46fec552-2f92-408a-84cf-ba98bf8e35fd", - 
"name" : "family name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "lastName", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "family_name", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "c7ed5458-4d32-423e-8ea1-d112c45045d4", - "name" : "middle name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "middleName", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "middle_name", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "e18d1ce4-3969-4ec1-9941-a27fd7555245", - "name" : "picture", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "picture", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "picture", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "dab85a5e-9af8-4fcd-88e4-9d3ae50dd5b6", - "name" : "locale", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "locale", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "locale", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "7484f47e-3bb1-48d0-ba64-e8330dcefe6e", - "name" : "profile", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "profile", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "profile", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : 
"fcd00995-9693-4803-8f41-c84044be83ed", - "name" : "website", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "website", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "website", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "f09e7268-5284-449b-849b-cf8225523584", - "name" : "full name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-full-name-mapper", - "consentRequired" : false, - "config" : { - "id.token.claim" : "true", - "access.token.claim" : "true", - "userinfo.token.claim" : "true" - } - }, { - "id" : "0317f4b3-3f7b-47ab-88d3-5d6f604d944d", - "name" : "nickname", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "nickname", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "nickname", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "db81244c-e739-461b-8822-52ceaa11bdf4", - "name" : "updated at", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "updatedAt", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "updated_at", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "c6a16bf9-9370-4dff-a718-be53131bb238", - "name" : "gender", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "gender", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "gender", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "32d76647-b542-484c-9062-edc34eb350e0", - "name" : "birthdate", - "protocol" : 
"openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "birthdate", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "birthdate", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "ac6530db-6463-446b-99da-32d5298b5fa0", - "name" : "zoneinfo", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "zoneinfo", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "zoneinfo", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "ed10983b-8700-415e-933e-226ce3f397a6", - "name" : "given name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "firstName", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "given_name", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "8205ccd0-1266-4060-b5df-3a6eb229d91e", - "name" : "username", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "username", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "preferred_username", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - } ] - }, { - "id" : "79713daf-89ca-4ed4-ad97-a88b13ee9a18", - "name" : "phone", - "description" : "OpenID Connect built-in scope: phone", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "consent.screen.text" : "${phoneScopeConsentText}", - "display.on.consent.screen" : "true" + { + "id": "9850adad-7910-4b67-a790-da6444361618", + "clientId": "account", + "name": "${client_account}", + "rootUrl": 
"${authBaseUrl}", + "baseUrl": "/realms/openCloud/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/realms/openCloud/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1718778122", + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] }, - "protocolMappers" : [ { - "id" : "b5f4f5ed-1008-42ba-8b3b-7d8851a2a680", - "name" : "phone number", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "phoneNumber", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "phone_number", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" - } - }, { - "id" : "08a246f1-2b4c-4def-af5c-aefc31b4820d", - "name" : "phone number verified", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "phoneNumberVerified", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "phone_number_verified", - "jsonType.label" : "boolean", - "userinfo.token.claim" : "true" - } - } ] - }, { - "id" : "c3a6224b-49aa-4a25-953d-7e326d66893d", - "name" : "basic", - "description" : "OpenID Connect scope for add all basic claims to the token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : 
"false", - "display.on.consent.screen" : "false" + { + "id": "55bb4cdc-045b-422a-8830-61245949d6aa", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/openCloud/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/openCloud/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "9bf413ed-402f-438d-a72c-033f3c45dab2", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, - "protocolMappers" : [ { - "id" : "2d4f3f17-1ab7-429e-88e1-cdf08d3533c6", - "name" : "auth_time", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usersessionmodel-note-mapper", - "consentRequired" : false, - "config" : { - "user.session.note" : "AUTH_TIME", - "introspection.token.claim" : "true", - "userinfo.token.claim" : "true", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "auth_time", - "jsonType.label" : "long" - } - }, { - "id" : "3e7da934-3de3-4bd1-a565-8ac62419c138", - "name" : "sub", - "protocol" : "openid-connect", - "protocolMapper" : 
"oidc-sub-mapper", - "consentRequired" : false, - "config" : { - "introspection.token.claim" : "true", - "access.token.claim" : "true" - } - } ] - }, { - "id" : "0c72b80b-28d5-48d8-b593-c99030aab58d", - "name" : "roles", - "description" : "OpenID Connect scope for add user roles to the access token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "consent.screen.text" : "${rolesScopeConsentText}", - "display.on.consent.screen" : "true" + { + "id": "2969b8ff-2ab3-4907-aaa7-091a7a627ccb", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] }, - "protocolMappers" : [ { - "id" : "bc7f015e-329f-4e99-be6b-72382f4310c7", - "name" : "client roles", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-client-role-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "foo", - "access.token.claim" : "true", - "claim.name" : "resource_access.${client_id}.roles", - "jsonType.label" : "String", - "multivalued" : "true" - } - }, { - "id" : "215f645f-ad0b-4523-9ece-f09f69ead5c4", - "name" : "audience resolve", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-audience-resolve-mapper", - "consentRequired" : false, - "config" : { } - }, { - "id" : "4a10b958-d34d-413a-b349-1415d02cdcde", - 
"name" : "realm roles", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-realm-role-mapper", - "consentRequired" : false, - "config" : { - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "roles", - "jsonType.label" : "String", - "userinfo.token.claim" : "true", - "multivalued" : "true" - } - } ] - }, { - "id" : "7438d93e-b07a-4913-9419-3273be364c4b", - "name" : "groups", - "description" : "OpenID Connect scope for add user groups to the access token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "display.on.consent.screen" : "true", - "gui.order" : "", - "consent.screen.text" : "" + { + "id": "002faf0a-716c-4230-81c7-ce22d1eb832c", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1718778122", + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] }, - "protocolMappers" : [ { - "id" : "5349faf2-64a6-481f-b207-39ffef2cd597", - "name" : "groups", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-group-membership-mapper", - "consentRequired" : false, - "config" : { - "full.path" : "false", - "introspection.token.claim" : "true", - "userinfo.token.claim" : "true", - "multivalued" : "true", - "id.token.claim" : "true", - "lightweight.claim" : "false", - 
"access.token.claim" : "true", - "claim.name" : "groups" - } - } ] - }, { - "id" : "5ce87358-3bca-4874-a6f0-6dccae6209a8", - "name" : "web-origins", - "description" : "OpenID Connect scope for add allowed web origins to the access token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "consent.screen.text" : "", - "display.on.consent.screen" : "false" + { + "id": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [], + "optionalClientScopes": [] }, - "protocolMappers" : [ { - "id" : "bbd23c51-918d-4ea6-9ac0-db68b512fb0a", - "name" : "allowed web origins", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-allowed-origins-mapper", - "consentRequired" : false, - "config" : { } - } ] - }, { - "id" : "86883395-e439-4cab-9d8d-31d71389969c", - "name" : "acr", - "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "display.on.consent.screen" : "false" + { + "id": "97264f49-a8c1-4585-99b6-e706339c62f8", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/openCloud/console/", + 
"surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/openCloud/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "96092024-21dd-4d31-a004-2c5b96031da3", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ], + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] + } + ], + "clientScopes": [ + { + "id": "258e56a8-1eeb-49ea-957b-aff8df4656ba", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${emailScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "068bcfb6-4a17-4c20-b083-ae542a7f76c8", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean", + "userinfo.token.claim": "true" + } + }, + { + "id": 
"c00d6c21-2fd1-435f-9ee9-87e011048cbe", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ] }, - "protocolMappers" : [ { - "id" : "b849b14b-7c9c-4b7b-9329-c56debefb47c", - "name" : "acr loa level", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-acr-mapper", - "consentRequired" : false, - "config" : { - "id.token.claim" : "true", - "access.token.claim" : "true", - "userinfo.token.claim" : "true" - } - } ] - }, { - "id" : "bdb3e320-76c8-4ad7-9d0f-a08efc060101", - "name" : "microprofile-jwt", - "description" : "Microprofile - JWT built-in scope", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "false" + { + "id": "b3e1e47e-3912-4b55-ba89-b0198e767682", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${addressScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "876baab9-39d1-4845-abb4-561a58aa152d", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] }, - "protocolMappers" : [ { - "id" : "1d08316c-493b-42ab-afa3-66f621860661", - "name" : "groups", - "protocol" : "openid-connect", - 
"protocolMapper" : "oidc-usermodel-realm-role-mapper", - "consentRequired" : false, - "config" : { - "multivalued" : "true", - "userinfo.token.claim" : "true", - "user.attribute" : "foo", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "groups", - "jsonType.label" : "String" - } - }, { - "id" : "52061d2d-7a41-4f1d-ba1b-3c4a53e739e4", - "name" : "upn", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "username", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "upn", - "jsonType.label" : "String", - "userinfo.token.claim" : "true" + { + "id": "9cae7ced-e7d9-4f7b-8e54-7402125f6ead", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" } - } ] - } ], - "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr", "basic", "groups" ], - "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], - "browserSecurityHeaders" : { - "contentSecurityPolicyReportOnly" : "", - "xContentTypeOptions" : "nosniff", - "referrerPolicy" : "no-referrer", - "xRobotsTag" : "none", - "xFrameOptions" : "SAMEORIGIN", - "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection" : "1; mode=block", - "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + { + "id": "8eb1f69b-b941-4185-bca1-f916953f7cf5", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "fb587847-806f-4443-bab0-501efc0f0b46", + "name": "role list", + "protocol": 
"saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "947da1ff-f614-48fc-9ecb-c98cbcfd3390", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${profileScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "46fec552-2f92-408a-84cf-ba98bf8e35fd", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "c7ed5458-4d32-423e-8ea1-d112c45045d4", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "e18d1ce4-3969-4ec1-9941-a27fd7555245", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "dab85a5e-9af8-4fcd-88e4-9d3ae50dd5b6", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "locale", + "id.token.claim": "true", + 
"access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "7484f47e-3bb1-48d0-ba64-e8330dcefe6e", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "fcd00995-9693-4803-8f41-c84044be83ed", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "f09e7268-5284-449b-849b-cf8225523584", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "0317f4b3-3f7b-47ab-88d3-5d6f604d944d", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "db81244c-e739-461b-8822-52ceaa11bdf4", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + 
}, + { + "id": "c6a16bf9-9370-4dff-a718-be53131bb238", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "32d76647-b542-484c-9062-edc34eb350e0", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "ac6530db-6463-446b-99da-32d5298b5fa0", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "ed10983b-8700-415e-933e-226ce3f397a6", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "8205ccd0-1266-4060-b5df-3a6eb229d91e", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ] + }, + { 
+ "id": "79713daf-89ca-4ed4-ad97-a88b13ee9a18", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${phoneScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "b5f4f5ed-1008-42ba-8b3b-7d8851a2a680", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "08a246f1-2b4c-4def-af5c-aefc31b4820d", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "c3a6224b-49aa-4a25-953d-7e326d66893d", + "name": "basic", + "description": "OpenID Connect scope for add all basic claims to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "2d4f3f17-1ab7-429e-88e1-cdf08d3533c6", + "name": "auth_time", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "AUTH_TIME", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "auth_time", + "jsonType.label": "long" + } + }, + { + "id": "3e7da934-3de3-4bd1-a565-8ac62419c138", + "name": "sub", + 
"protocol": "openid-connect", + "protocolMapper": "oidc-sub-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "0c72b80b-28d5-48d8-b593-c99030aab58d", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "consent.screen.text": "${rolesScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "bc7f015e-329f-4e99-be6b-72382f4310c7", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "215f645f-ad0b-4523-9ece-f09f69ead5c4", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "4a10b958-d34d-413a-b349-1415d02cdcde", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "roles", + "jsonType.label": "String", + "userinfo.token.claim": "true", + "multivalued": "true" + } + } + ] + }, + { + "id": "7438d93e-b07a-4913-9419-3273be364c4b", + "name": "groups", + "description": "OpenID Connect scope for add user groups to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "5349faf2-64a6-481f-b207-39ffef2cd597", + "name": "groups", + "protocol": 
"openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "false", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "multivalued": "true", + "id.token.claim": "true", + "lightweight.claim": "false", + "access.token.claim": "true", + "claim.name": "groups" + } + } + ] + }, + { + "id": "5ce87358-3bca-4874-a6f0-6dccae6209a8", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "consent.screen.text": "", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "bbd23c51-918d-4ea6-9ac0-db68b512fb0a", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "86883395-e439-4cab-9d8d-31d71389969c", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "b849b14b-7c9c-4b7b-9329-c56debefb47c", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "bdb3e320-76c8-4ad7-9d0f-a08efc060101", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "1d08316c-493b-42ab-afa3-66f621860661", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "52061d2d-7a41-4f1d-ba1b-3c4a53e739e4", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr", + "basic", + "groups" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" }, - "smtpServer" : { }, + "smtpServer": {}, "loginTheme": "opencloud", "accountTheme": "", "adminTheme": "", "emailTheme": "", - "eventsEnabled" : false, - "eventsListeners" : [ "jboss-logging" ], - "enabledEventTypes" : [ ], - "adminEventsEnabled" : false, - "adminEventsDetailsEnabled" : false, - "identityProviders" : [ ], - "identityProviderMappers" : [ ], - "components" : { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { - "id" : "4682fe74-f3a9-445a-a7ab-557fb532fe6b", - "name" : "Consent Required", - "providerId" : "consent-required", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { } - }, { - "id" : 
"c46009e5-c8b5-4051-bf7f-7b1481a9aa86", - "name" : "Max Clients Limit", - "providerId" : "max-clients", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { - "max-clients" : [ "200" ] - } - }, { - "id" : "43edf979-28d2-46c8-9f93-48b3de185570", - "name" : "Allowed Protocol Mapper Types", - "providerId" : "allowed-protocol-mappers", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { - "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper" ] - } - }, { - "id" : "6fc7d765-7da8-4985-ba0b-e83827b04bd3", - "name" : "Allowed Client Scopes", - "providerId" : "allowed-client-templates", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { - "allow-default-scopes" : [ "true" ] + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "4682fe74-f3a9-445a-a7ab-557fb532fe6b", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "c46009e5-c8b5-4051-bf7f-7b1481a9aa86", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "43edf979-28d2-46c8-9f93-48b3de185570", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-address-mapper", + "oidc-full-name-mapper", + 
"oidc-usermodel-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-usermodel-attribute-mapper" + ] + } + }, + { + "id": "6fc7d765-7da8-4985-ba0b-e83827b04bd3", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-full-name-mapper", + "saml-role-list-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper" + ] + } + }, + { + "id": "e3eadb04-8862-4567-869c-a76485268159", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "c788e6bf-2f57-4a82-b32e-ac8d48a4f676", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a", + "name": "Block Client Registration", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } } - }, { - "id" : "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6", - "name" : "Allowed Protocol Mapper Types", - "providerId" : "allowed-protocol-mappers", - "subType" : "authenticated", - "subComponents" : { }, - "config" : { - "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", 
"oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper" ] + ], + "org.keycloak.userprofile.UserProfileProvider": [ + { + "id": "28d6b4ce-33d4-40c0-adef-b27e35b7e122", + "providerId": "declarative-user-profile", + "subComponents": {}, + "config": { + "kc.user.profile.config": [ + "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}],\"unmanagedAttributePolicy\":\"ENABLED\"}" + ] + } } - }, { - "id" : "e3eadb04-8862-4567-869c-a76485268159", - "name" : "Allowed Client Scopes", - "providerId" : "allowed-client-templates", - "subType" : "authenticated", - "subComponents" : { }, - "config" : { - "allow-default-scopes" : [ "true" ] + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": 
"0e3d0048-cb16-49c3-8a9a-05d83f0daeca", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "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" + ], + "certificate": [ + "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" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "f92ecf31-c3c7-4c3b-af20-839fc05bcf99", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "a57cc5a8-181d-4942-9093-b0568b672dba" + ], + "secret": [ + "pNpCYTnhYgUc-t_PpJIBhq4-9RcQmB9vnsT58Q7mbEkT1RhzwXwZf1POPvNPX8Z7uAlyqyiEUCc5s32CU5geK5qZa4t38GnSLFapvIXRutfViWk79wDkY-XkZh9xm7ORR_oSa2TCAJRhbk6J67TvHoTt2l30BpnwyfvlcLvUQN8" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "a137a686-5876-4faf-8d1e-e3a59f55095e", + "name": "hmac-generated-hs512", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "551622db-d7f1-47cf-9b83-6dc3a82301f9" + ], + "secret": [ + "xdV-rQ9wlN6Ch7OVQaOCRYg79WX5jt_WsEa3Q1m6yHVwQhLYAE97fEuL1QJPt2crUjt19198m91M-Eio4YYoruQsg4NuKVQ2N7qLKZJLKFP8gWbINqUVO0YWGQskRlxfcWODnZLgONJZ-mkJHh8cHihwoqnL7Lu_oZJ9czLe2k4" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS512" + ] + } + }, + { + "id": "992dcc80-dc41-4b00-bab8-6ec1c839f3a4", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "kid": [ + "2181e50d-35ca-4caf-9ed3-c3c7f12f0069" + ], + "secret": [ + "SVLTDd1ufHzK1ByoiCGEDA" + ], + "priority": [ + "100" + ] + } } - }, { - "id" : "c788e6bf-2f57-4a82-b32e-ac8d48a4f676", - "name" : "Full Scope Disabled", - "providerId" : "scope", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "8964f931-b866-4a05-ab1c-89331a566887", + "alias": "Account verification options", + "description": "Method with which to 
verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] }, { - "id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a", - "name": "Block Client Registration", - "providerId": "trusted-hosts", - "subType": "anonymous", - "subComponents": {}, - "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] - } + "id": "123e5711-1ee5-4f7e-ac9c-64c644daaea9", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "be73b7f5-9a66-487c-b7dd-80e0f7ac0c7c", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": 
"direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "597ca917-91fc-4898-a279-cd592af286e3", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "3daadb6b-4d63-4be1-a89e-ec8e41e72afa", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "5942598c-d7e9-4941-b13e-4a8a75e2c2a3", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6e4b336e-eb5f-423c-8d32-4ab94d1122e6", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "35ac1997-b6af-44ff-ab27-c34f9be32e56", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "a3473070-fe69-4de1-a0b2-dd54b8a769d5", + "alias": "browser", + "description": "browser based 
authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "cc714857-b114-4df6-9030-b464bbb3964d", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "0ebe891c-1a72-4842-bf29-a9abe9c2a4d2", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + 
"builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "d97d5579-b3d4-49c4-a60e-0e1e6b1c9d79", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "009f7c28-0f41-4237-9911-9091c3d751b7", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "f9911022-b3cf-4d96-9a96-51bc53c437eb", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + 
"providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "c53eb19d-49e9-4252-8a10-4d5c6a12e61b", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "3b4f48d3-1706-4630-80e0-e0542780a1f7", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "5520aa89-cd76-438a-abae-7ccd3a2d7615", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + 
"authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "cce548d6-9bef-4449-88ea-99b949488fe7", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] } - ], - "org.keycloak.userprofile.UserProfileProvider" : [ { - "id" : "28d6b4ce-33d4-40c0-adef-b27e35b7e122", - "providerId" : "declarative-user-profile", - "subComponents" : { }, - "config" : { - "kc.user.profile.config" : [ 
"{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}],\"unmanagedAttributePolicy\":\"ENABLED\"}" ] - } - } ], - "org.keycloak.keys.KeyProvider" : [ { - "id" : "0e3d0048-cb16-49c3-8a9a-05d83f0daeca", - "name" : "rsa-generated", - "providerId" : "rsa-generated", - "subComponents" : { }, - "config" : { - "privateKey" : [ "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" ], - "certificate" : [ "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" ], - "priority" : [ "100" ] - } - }, { - "id" : "f92ecf31-c3c7-4c3b-af20-839fc05bcf99", - "name" : "hmac-generated", - "providerId" : "hmac-generated", - "subComponents" : { }, - "config" : { - "kid" : [ "a57cc5a8-181d-4942-9093-b0568b672dba" ], - "secret" : [ 
"pNpCYTnhYgUc-t_PpJIBhq4-9RcQmB9vnsT58Q7mbEkT1RhzwXwZf1POPvNPX8Z7uAlyqyiEUCc5s32CU5geK5qZa4t38GnSLFapvIXRutfViWk79wDkY-XkZh9xm7ORR_oSa2TCAJRhbk6J67TvHoTt2l30BpnwyfvlcLvUQN8" ], - "priority" : [ "100" ], - "algorithm" : [ "HS256" ] - } - }, { - "id" : "a137a686-5876-4faf-8d1e-e3a59f55095e", - "name" : "hmac-generated-hs512", - "providerId" : "hmac-generated", - "subComponents" : { }, - "config" : { - "kid" : [ "551622db-d7f1-47cf-9b83-6dc3a82301f9" ], - "secret" : [ "xdV-rQ9wlN6Ch7OVQaOCRYg79WX5jt_WsEa3Q1m6yHVwQhLYAE97fEuL1QJPt2crUjt19198m91M-Eio4YYoruQsg4NuKVQ2N7qLKZJLKFP8gWbINqUVO0YWGQskRlxfcWODnZLgONJZ-mkJHh8cHihwoqnL7Lu_oZJ9czLe2k4" ], - "priority" : [ "100" ], - "algorithm" : [ "HS512" ] + ], + "authenticatorConfig": [ + { + "id": "0848606c-7510-4b09-ba0e-4dc2ef3d63f8", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" } - }, { - "id" : "992dcc80-dc41-4b00-bab8-6ec1c839f3a4", - "name" : "aes-generated", - "providerId" : "aes-generated", - "subComponents" : { }, - "config" : { - "kid" : [ "2181e50d-35ca-4caf-9ed3-c3c7f12f0069" ], - "secret" : [ "SVLTDd1ufHzK1ByoiCGEDA" ], - "priority" : [ "100" ] + }, + { + "id": "91a8dee7-c679-4202-866e-234eb4164cfd", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" } - } ] - }, - "internationalizationEnabled" : false, - "supportedLocales" : [ ], - "authenticationFlows" : [ { - "id" : "8964f931-b866-4a05-ab1c-89331a566887", - "alias" : "Account verification options", - "description" : "Method with which to verity the existing account", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "idp-email-verification", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "ALTERNATIVE", - "priority" : 20, - 
"autheticatorFlow" : true, - "flowAlias" : "Verify Existing Account by Re-authentication", - "userSetupAllowed" : false - } ] - }, { - "id" : "123e5711-1ee5-4f7e-ac9c-64c644daaea9", - "alias" : "Browser - Conditional OTP", - "description" : "Flow to determine if the OTP is required for the authentication", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "auth-otp-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - }, { - "id" : "be73b7f5-9a66-487c-b7dd-80e0f7ac0c7c", - "alias" : "Direct Grant - Conditional OTP", - "description" : "Flow to determine if the OTP is required for the authentication", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "direct-grant-validate-otp", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - }, { - "id" : "597ca917-91fc-4898-a279-cd592af286e3", - "alias" : "First broker login - Conditional OTP", - "description" : "Flow to determine if the OTP is required for the authentication", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : 
"auth-otp-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - }, { - "id" : "3daadb6b-4d63-4be1-a89e-ec8e41e72afa", - "alias" : "Handle Existing Account", - "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "idp-confirm-link", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : true, - "flowAlias" : "Account verification options", - "userSetupAllowed" : false - } ] - }, { - "id" : "5942598c-d7e9-4941-b13e-4a8a75e2c2a3", - "alias" : "Reset - Conditional OTP", - "description" : "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "reset-otp", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - }, { - "id" : "6e4b336e-eb5f-423c-8d32-4ab94d1122e6", - "alias" : "User creation or linking", - "description" : "Flow for the existing/non-existing user alternatives", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticatorConfig" : "create unique user config", - "authenticator" : "idp-create-user-if-unique", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "ALTERNATIVE", - "priority" : 20, - "autheticatorFlow" : true, - "flowAlias" : "Handle Existing Account", - "userSetupAllowed" : false - } ] - }, { - "id" : "35ac1997-b6af-44ff-ab27-c34f9be32e56", - "alias" : "Verify Existing Account by Re-authentication", - "description" : "Reauthentication of existing account", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "idp-username-password-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 20, - "autheticatorFlow" : true, - "flowAlias" : "First broker login - Conditional OTP", - "userSetupAllowed" : false - } ] - }, { - "id" : "a3473070-fe69-4de1-a0b2-dd54b8a769d5", - "alias" : "browser", - 
"description" : "browser based authentication", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "auth-cookie", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "auth-spnego", - "authenticatorFlow" : false, - "requirement" : "DISABLED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "identity-provider-redirector", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 25, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "ALTERNATIVE", - "priority" : 30, - "autheticatorFlow" : true, - "flowAlias" : "forms", - "userSetupAllowed" : false - } ] - }, { - "id" : "cc714857-b114-4df6-9030-b464bbb3964d", - "alias" : "clients", - "description" : "Base authentication for clients", - "providerId" : "client-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "client-secret", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "client-jwt", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "client-secret-jwt", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 30, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "client-x509", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 40, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - }, { - "id" : "0ebe891c-1a72-4842-bf29-a9abe9c2a4d2", - "alias" : "direct grant", - "description" : "OpenID Connect 
Resource Owner Grant", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "direct-grant-validate-username", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "direct-grant-validate-password", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 30, - "autheticatorFlow" : true, - "flowAlias" : "Direct Grant - Conditional OTP", - "userSetupAllowed" : false - } ] - }, { - "id" : "d97d5579-b3d4-49c4-a60e-0e1e6b1c9d79", - "alias" : "docker auth", - "description" : "Used by Docker clients to authenticate against the IDP", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "docker-http-basic-authenticator", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - }, { - "id" : "009f7c28-0f41-4237-9911-9091c3d751b7", - "alias" : "first broker login", - "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticatorConfig" : "review profile config", - "authenticator" : "idp-review-profile", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : true, - "flowAlias" : "User creation or linking", - "userSetupAllowed" : false - } ] - }, { - "id" : 
"f9911022-b3cf-4d96-9a96-51bc53c437eb", - "alias" : "forms", - "description" : "Username, password, otp and other auth forms.", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "auth-username-password-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 20, - "autheticatorFlow" : true, - "flowAlias" : "Browser - Conditional OTP", - "userSetupAllowed" : false - } ] - }, { - "id" : "c53eb19d-49e9-4252-8a10-4d5c6a12e61b", - "alias" : "registration", - "description" : "registration flow", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "registration-page-form", - "authenticatorFlow" : true, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : true, - "flowAlias" : "registration form", - "userSetupAllowed" : false - } ] - }, { - "id" : "3b4f48d3-1706-4630-80e0-e0542780a1f7", - "alias" : "registration form", - "description" : "registration form", - "providerId" : "form-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "registration-user-creation", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "registration-password-action", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 50, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "registration-recaptcha-action", - "authenticatorFlow" : false, - "requirement" : "DISABLED", - "priority" : 60, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - }, { - "id" : "5520aa89-cd76-438a-abae-7ccd3a2d7615", - "alias" : "reset credentials", - 
"description" : "Reset credentials for a user if they forgot their password or something", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "reset-credentials-choose-user", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "reset-credential-email", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticator" : "reset-password", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 30, - "autheticatorFlow" : false, - "userSetupAllowed" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 40, - "autheticatorFlow" : true, - "flowAlias" : "Reset - Conditional OTP", - "userSetupAllowed" : false - } ] - }, { - "id" : "cce548d6-9bef-4449-88ea-99b949488fe7", - "alias" : "saml ecp", - "description" : "SAML ECP Profile Authentication Flow", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "http-basic-authenticator", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "autheticatorFlow" : false, - "userSetupAllowed" : false - } ] - } ], - "authenticatorConfig" : [ { - "id" : "0848606c-7510-4b09-ba0e-4dc2ef3d63f8", - "alias" : "create unique user config", - "config" : { - "require.password.update.after.registration" : "false" } - }, { - "id" : "91a8dee7-c679-4202-866e-234eb4164cfd", - "alias" : "review profile config", - "config" : { - "update.profile.on.first.login" : "missing" + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", 
+ "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "delete_credential", + "name": "Delete Credential", + "providerId": "delete_credential", + "enabled": true, + "defaultAction": false, + "priority": 100, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} } - } ], - "requiredActions" : [ { - "alias" : "CONFIGURE_TOTP", - "name" : "Configure OTP", - "providerId" : "CONFIGURE_TOTP", - "enabled" : true, - "defaultAction" : false, - "priority" : 10, - "config" : { } - }, { - "alias" : "TERMS_AND_CONDITIONS", - "name" : "Terms and Conditions", - "providerId" : "TERMS_AND_CONDITIONS", - "enabled" : false, - "defaultAction" : false, - "priority" : 20, - "config" : { } - }, { - "alias" : "UPDATE_PASSWORD", - "name" : "Update Password", - "providerId" : "UPDATE_PASSWORD", - "enabled" : true, - "defaultAction" : false, - "priority" : 30, - "config" : { } - }, { - "alias" : "UPDATE_PROFILE", - "name" : "Update Profile", - "providerId" : "UPDATE_PROFILE", - "enabled" : true, - "defaultAction" : false, - 
"priority" : 40, - "config" : { } - }, { - "alias" : "VERIFY_EMAIL", - "name" : "Verify Email", - "providerId" : "VERIFY_EMAIL", - "enabled" : true, - "defaultAction" : false, - "priority" : 50, - "config" : { } - }, { - "alias" : "delete_account", - "name" : "Delete Account", - "providerId" : "delete_account", - "enabled" : false, - "defaultAction" : false, - "priority" : 60, - "config" : { } - }, { - "alias" : "delete_credential", - "name" : "Delete Credential", - "providerId" : "delete_credential", - "enabled" : true, - "defaultAction" : false, - "priority" : 100, - "config" : { } - }, { - "alias" : "update_user_locale", - "name" : "Update User Locale", - "providerId" : "update_user_locale", - "enabled" : true, - "defaultAction" : false, - "priority" : 1000, - "config" : { } - } ], - "browserFlow" : "browser", - "registrationFlow" : "registration", - "directGrantFlow" : "direct grant", - "resetCredentialsFlow" : "reset credentials", - "clientAuthenticationFlow" : "clients", - "dockerAuthenticationFlow" : "docker auth", - "firstBrokerLoginFlow" : "first broker login", - "attributes" : { - "cibaBackchannelTokenDeliveryMode" : "poll", - "cibaAuthRequestedUserHint" : "login_hint", - "clientOfflineSessionMaxLifespan" : "0", - "oauth2DevicePollingInterval" : "5", - "clientSessionIdleTimeout" : "0", - "clientOfflineSessionIdleTimeout" : "0", - "cibaInterval" : "5", - "realmReusableOtpCode" : "false", - "cibaExpiresIn" : "120", - "oauth2DeviceCodeLifespan" : "600", - "parRequestUriLifespan" : "60", - "clientSessionMaxLifespan" : "0", - "organizationsEnabled" : "false" + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "firstBrokerLoginFlow": "first broker login", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaAuthRequestedUserHint": "login_hint", + 
"clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5", + "realmReusableOtpCode": "false", + "cibaExpiresIn": "120", + "oauth2DeviceCodeLifespan": "600", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + "organizationsEnabled": "false" }, - "keycloakVersion" : "25.0.0", - "userManagedAccessAllowed" : false, - "organizationsEnabled" : false, - "clientProfiles" : { - "profiles" : [ ] + "keycloakVersion": "25.0.0", + "userManagedAccessAllowed": false, + "organizationsEnabled": false, + "clientProfiles": { + "profiles": [] }, - "clientPolicies" : { - "policies" : [ ] + "clientPolicies": { + "policies": [] } -} +} \ No newline at end of file diff --git a/config/keycloak/opencloud-realm.dist.json b/config/keycloak/opencloud-realm.dist.json index 552b4277..cc631e57 100644 --- a/config/keycloak/opencloud-realm.dist.json +++ b/config/keycloak/opencloud-realm.dist.json @@ -340,12 +340,8 @@ "attributes": {} } ], - "OpenCloudDesktop": [], - "web": [], "security-admin-console": [], - "OpenCloudIOS": [], "admin-cli": [], - "OpenCloudAndroid": [], "account-console": [], "broker": [ { 
@@ -627,187 +623,6 @@ ] }, "clients": [ - { - "id": "c8367556-1d13-4979-b4f6-5e2cff1f82ae", - "clientId": "OpenCloudAndroid", - "name": "OpenCloud Android App", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "oc://android.opencloud.eu" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "oc://android.opencloud.eu", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "OpenCloudUnique_ID", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f", - "clientId": "OpenCloudDesktop", - "name": "OpenCloud Desktop Client", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - 
"clientAuthenticatorType": "client-secret", - "redirectUris": [ - "http://127.0.0.1", - "http://localhost" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "OpenCloudUnique_ID", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9", - "clientId": "OpenCloudIOS", - "name": "OpenCloud iOS App", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "oc://ios.opencloud.eu" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - 
"serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "oc://ios.opencloud.eu", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "OpenCloudUnique_ID", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, { "id": "294b6cf4-b646-4f6c-bab2-616546ec3167", "clientId": "_system", 
@@ -1090,77 +905,6 @@ "basic" ], "optionalClientScopes": [] - }, - { - "id": "54b18eca-cf79-4263-9db9-2d79f8a1c831", - "clientId": "web", - "name": "OpenCloud Web App", - "description": "", - "rootUrl": "https://cloud.opencloud.test", - "adminUrl": "https://cloud.opencloud.test", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "https://cloud.opencloud.test/", - "https://cloud.opencloud.test/oidc-silent-redirect.html", - "https://cloud.opencloud.test/oidc-callback.html" - ], - "webOrigins": [ - "https://cloud.opencloud.test" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "backchannel.logout.url": "https://cloud.opencloud.test/backchannel_logout", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - 
"web-origins", - "profile", - "roles", - "groups", - "OpenCloudUnique_ID", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] } ], "clientScopes": [ @@ -3049,4 +2793,4 @@ "clientPolicies": { "policies": [] } -} +} \ No newline at end of file diff --git a/config/keycloak/validate-modular-clients.sh b/config/keycloak/validate-modular-clients.sh new file mode 100755 index 00000000..9b553662 --- /dev/null +++ b/config/keycloak/validate-modular-clients.sh 
@@ -0,0 +1,254 @@
+#!/bin/bash
+# validate-modular-clients.sh — Prove modular client import matches monolith.
+#
+# Starts two throwaway Keycloak containers per realm variant:
+# A) Original monolith realm (clients embedded in realm JSON)
+# B) Slim realm + modular client import via entrypoint pipeline
+#
+# Compares: clients, client-scopes, roles, groups, realm settings.
+# Tests both realm variants (LDAP and autoprovisioning).
+#
+# Usage: bash config/keycloak/validate-modular-clients.sh
+# Prereqs: docker, jq
+#
+# Exit 0 = identical, exit 1 = differences found.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(dirname "$0")"
+KC_IMAGE="quay.io/keycloak/keycloak:26.5.6"
+REALM="openCloud"
+WORK=$(mktemp -d)
+RAW_BASE="https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/main/config/keycloak"
+RESULT=0
+
+trap 'docker rm -f kc-validate-a kc-validate-b 2>/dev/null; rm -rf "$WORK"' EXIT
+
+echo "=== Modular Keycloak Realm Validation ==="
+echo " Keycloak: $KC_IMAGE"
+echo " Work dir: $WORK"
+
+# ── Helpers ──────────────────────────────────────────────────────────
+
+wait_for_kc() {
+ local name="$1" max=60
+ echo -n " Waiting for $name"
+ for i in $(seq 1 $max); do
+ if docker exec "$name" /opt/keycloak/bin/kcadm.sh config credentials \
+ --server http://localhost:8080 --realm master \
+ --user admin --password admin 2>/dev/null; then
+ echo " ready (${i}s)"
+ return 0
+ fi
+ echo -n "."
+ sleep 1
+ done
+ echo " TIMEOUT"; return 1
+}
+
+wait_for_pipeline() {
+ local name="$1" max=90
+ echo -n " Waiting for post-start pipeline"
+ for i in $(seq 1 $max); do
+ if docker logs "$name" 2>&1 | grep -q "\[post-start\] Done"; then
+ echo " done (${i}s)"
+ return 0
+ fi
+ echo -n "."
+ sleep 1
+ done
+ echo " TIMEOUT"; return 1
+}
+
+export_all() {
+ local name="$1" prefix="$2"
+ local KCADM="docker exec $name /opt/keycloak/bin/kcadm.sh"
+ docker exec "$name" /opt/keycloak/bin/kcadm.sh config credentials \
+ --server http://localhost:8080 --realm master --user admin --password admin >/dev/null 2>&1
+ $KCADM get clients -r "$REALM" > "$prefix-clients.json"
+ $KCADM get client-scopes -r "$REALM" > "$prefix-client-scopes.json"
+ $KCADM get roles -r "$REALM" > "$prefix-roles.json"
+ $KCADM get groups -r "$REALM" > "$prefix-groups.json"
+ $KCADM get "realms/$REALM" > "$prefix-realm.json"
+}
+
+# Normalize JSON: remove volatile fields, sort keys and arrays
+normalize() {
+ jq 'walk(
+ if type == "object" then del(.id, .containerId, .secret, .["client.secret.creation.time"])
+ elif type == "array" then sort_by(tostring)
+ else . end
+ )' "$1" | jq -S .
+}
+
+# Compare two JSON arrays by a key field (clientId or name)
+compare_by_key() {
+ local orig="$1" mod="$2" label="$3" key="$4"
+ local a b
+ a=$(normalize "$orig")
+ b=$(normalize "$mod")
+
+ local orig_keys mod_keys
+ orig_keys=$(echo "$a" | jq -r ".[].$key // empty" | sort)
+ mod_keys=$(echo "$b" | jq -r ".[].$key // empty" | sort)
+
+ local all_ok=true
+ local new_items=""
+
+ # Items only in modular (new)
+ while IFS= read -r name; do
+ [ -z "$name" ] && continue
+ if ! echo "$orig_keys" | grep -qx "$name"; then
+ new_items="$new_items $name"
+ fi
+ done <<< "$mod_keys"
+
+ # Compare each original item
+ while IFS= read -r name; do
+ [ -z "$name" ] && continue
+ if ! echo "$mod_keys" | grep -qx "$name"; then
+ echo " MISSING $name"
+ all_ok=false
+ continue
+ fi
+
+ local orig_item mod_item
+ orig_item=$(echo "$a" | jq -c --arg n "$name" "[.[] | select(.$key == \$n)][0]" | jq -S .)
+ mod_item=$(echo "$b" | jq -c --arg n "$name" "[.[] | select(.$key == \$n)][0]" | jq -S .)
+
+ if [ "$orig_item" = "$mod_item" ]; then
+ echo " OK $name"
+ else
+ echo " DIFFER $name"
+ diff <(echo "$orig_item" | jq .) <(echo "$mod_item" | jq .) | head -20 | sed 's/^/ /'
+ all_ok=false
+ fi
+ done <<< "$orig_keys"
+
+ for name in $new_items; do
+ echo " NEW $name"
+ done
+
+ local count
+ count=$(echo "$orig_keys" | grep -c . || true)
+ local new_count
+ new_count=$(echo "$new_items" | wc -w | tr -d ' ')
+
+ echo ""
+ if $all_ok; then
+ local extra=""
+ [ "$new_count" -gt 0 ] && extra=" + $new_count new"
+ echo " PASS $label: $count items identical$extra"
+ else
+ echo " FAIL $label: differences found"
+ RESULT=1
+ fi
+}
+
+# Compare two realm settings objects
+compare_realm() {
+ local orig="$1" mod="$2" label="$3"
+ local a b
+ a=$(normalize "$orig")
+ b=$(normalize "$mod")
+
+ local diffs
+ diffs=$(diff <(echo "$a") <(echo "$b") || true)
+
+ if [ -z "$diffs" ]; then
+ local count
+ count=$(echo "$a" | jq 'keys | length')
+ echo " PASS $label: $count settings identical"
+ else
+ local diff_keys
+ diff_keys=$(diff <(echo "$a" | jq -S 'to_entries[]' | jq -s 'sort_by(.key)') \
+ <(echo "$b" | jq -S 'to_entries[]' | jq -s 'sort_by(.key)') \
+ | grep '"key"' | sed 's/.*"key": *"\(.*\)".*/\1/' | sort -u || true)
+ local count
+ count=$(echo "$diff_keys" | grep -c . || true)
+ echo " WARN $label: $count setting(s) differ:"
+ echo "$diff_keys" | sed 's/^/ /'
+ fi
+}
+
+# ── Test one realm variant ───────────────────────────────────────────
+
+test_variant() {
+ local variant_name="$1" original_url="$2" slim_json="$3"
+
+ echo ""
+ echo "--- $variant_name ---"
+ echo " Downloading original..."
+ curl -sfL "$original_url" -o "$WORK/original-realm.json"
+
+ # A: Original monolith
+ docker rm -f kc-validate-a 2>/dev/null || true
+ docker run --rm -d --name kc-validate-a \
+ -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
+ -v "$WORK/original-realm.json:/opt/keycloak/data/import/${REALM}-realm.json:ro" \
+ "$KC_IMAGE" start-dev --import-realm
+ wait_for_kc kc-validate-a
+ export_all kc-validate-a "$WORK/${variant_name}-orig"
+ docker stop kc-validate-a 2>/dev/null || true
+
+ # B: Slim realm + modular pipeline
+ docker rm -f kc-validate-b 2>/dev/null || true
+ docker run --rm -d --name kc-validate-b \
+ -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
+ -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
+ -e OC_DOMAIN=cloud.opencloud.test \
+ -v "$SCRIPT_DIR/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh:ro" \
+ -v "$SCRIPT_DIR/00-wait-for-keycloak.sh:/opt/keycloak/bin/00-wait-for-keycloak.sh:ro" \
+ -v "$SCRIPT_DIR/10-import-clients.sh:/opt/keycloak/bin/10-import-clients.sh:ro" \
+ -v "$SCRIPT_DIR/11-assign-client-scopes.sh:/opt/keycloak/bin/11-assign-client-scopes.sh:ro" \
+ -v "$slim_json:/opt/keycloak/data/import-dist/openCloud-realm.json:ro" \
+ -v "$SCRIPT_DIR/clients:/opt/keycloak/data/clients:ro" \
+ --entrypoint "/bin/sh" \
+ "$KC_IMAGE" /opt/keycloak/bin/docker-entrypoint-override.sh start-dev --import-realm
+ wait_for_pipeline kc-validate-b
+ export_all kc-validate-b "$WORK/${variant_name}-mod"
+ docker stop kc-validate-b 2>/dev/null || true
+
+ # Compare
+ echo ""
+ echo " Clients:"
+ compare_by_key "$WORK/${variant_name}-orig-clients.json" "$WORK/${variant_name}-mod-clients.json" "clients" "clientId"
+
+ echo ""
+ echo " Client Scopes:"
+ compare_by_key "$WORK/${variant_name}-orig-client-scopes.json" "$WORK/${variant_name}-mod-client-scopes.json" "client-scopes" "name"
+
+ echo ""
+ echo " Roles:"
+ compare_by_key "$WORK/${variant_name}-orig-roles.json" "$WORK/${variant_name}-mod-roles.json" "roles" "name"
+
+ echo ""
+ echo " Groups:"
+ compare_by_key "$WORK/${variant_name}-orig-groups.json" "$WORK/${variant_name}-mod-groups.json" "groups" "name"
+
+ echo ""
+ echo " Realm Settings:"
+ compare_realm "$WORK/${variant_name}-orig-realm.json" "$WORK/${variant_name}-mod-realm.json" "realm-settings"
+}
+
+# ══════════════════════════════════════════════════════════════════════
+
+echo ""
+echo "Test 1: LDAP realm"
+test_variant "ldap" \
+ "$RAW_BASE/opencloud-realm.dist.json" \
+ "$SCRIPT_DIR/opencloud-realm.dist.json"
+
+echo ""
+echo "Test 2: Autoprovisioning realm"
+test_variant "auto" \
+ "$RAW_BASE/opencloud-realm-autoprovisioning.dist.json" \
+ "$SCRIPT_DIR/opencloud-realm-autoprovisioning.dist.json"
+
+echo ""
+if [ $RESULT -eq 0 ]; then
+ echo "=== All tests passed ==="
+else
+ echo "=== FAILURES detected ==="
+fi
+exit $RESULT
diff --git a/idm/ldap-keycloak.yml b/idm/ldap-keycloak.yml
index f843ec4b..7969b360 100644
--- a/idm/ldap-keycloak.yml
+++ b/idm/ldap-keycloak.yml
@@ -85,7 +85,11 @@ services:
 entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
 volumes:
 - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
+ - "./config/keycloak/00-wait-for-keycloak.sh:/opt/keycloak/bin/00-wait-for-keycloak.sh:ro"
+ - "./config/keycloak/10-import-clients.sh:/opt/keycloak/bin/10-import-clients.sh:ro"
+ - "./config/keycloak/11-assign-client-scopes.sh:/opt/keycloak/bin/11-assign-client-scopes.sh:ro"
 - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
+ - "./config/keycloak/clients:/opt/keycloak/data/clients:ro"
 - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
 environment:
 LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
diff --git a/testing/external-keycloak.yml b/testing/external-keycloak.yml
index bf9639e6..30a1097e 100644
--- a/testing/external-keycloak.yml
+++ b/testing/external-keycloak.yml
@@ -22,7 +22,11 @@ services:
 entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
 volumes:
 - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
+ - "./config/keycloak/00-wait-for-keycloak.sh:/opt/keycloak/bin/00-wait-for-keycloak.sh:ro"
+ - "./config/keycloak/10-import-clients.sh:/opt/keycloak/bin/10-import-clients.sh:ro"
+ - "./config/keycloak/11-assign-client-scopes.sh:/opt/keycloak/bin/11-assign-client-scopes.sh:ro"
 - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
+ - "./config/keycloak/clients:/opt/keycloak/data/clients:ro"
 - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
 environment:
 OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}