From 543dd0aa85f82b75df260ef4c80e1de23dffebc2 Mon Sep 17 00:00:00 2001 
From: --show-origin Date: Sun, 12 May 2024 08:15:13 -0700 Subject: [PATCH 01/11] feat(Dtr): add dtr idp configuration for backend (edc and puris backend application) --- DEPENDENCIES_BACKEND | 3 + DEPENDENCIES_FRONTEND | 2 +- backend/DEPENDENCIES | 3 + backend/pom.xml | 359 +- .../common/ddtr/logic/DtrAdapterService.java | 34 +- .../edc/logic/util/EdcRequestBodyBuilder.java | 11 +- .../security/DtrSecurityConfiguration.java | 73 + .../security/OAuth2ClientInterceptor.java | 163 + .../common/security/SecurityConfig.java | 12 + .../src/main/resources/application.properties | 7 +- .../security/OAuth2ClientInterceptorTest.java | 306 + .../controller/MaterialControllerTest.java | 11 +- ...aterialPartnerRelationsControllerTest.java | 4 +- .../controller/PartnerControllerTest.java | 10 +- .../controller/StockViewControllerTest.java | 5 +- .../src/test/resources/application.properties | 7 + charts/puris/Chart.yaml | 2 +- charts/puris/README.md | 12 + .../puris/templates/backend-deployment.yaml | 17 +- charts/puris/templates/backend-secrets.yaml | 3 + charts/puris/values.yaml | 25 + docs/DEVELOPMENT.md | 41 +- frontend/DEPENDENCIES | 2 +- local/cleanup.sh | 1 + local/docker-compose-infrastructure.yaml | 9 +- local/docker-compose.yaml | 15 +- local/generate-keys.sh | 53 +- local/keycloak/INSTALL.md | 76 +- local/keycloak/customer/Customer-realm.json | 2505 ++++++++ local/keycloak/customer/Customer-users-0.json | 55 + local/keycloak/supplier/Supplier-realm.json | 2505 ++++++++ local/keycloak/supplier/Supplier-users-0.json | 55 + local/miw/infrastructure.properties | 6 - local/miw/keycloak-setup.json | 5312 ++++++++--------- local/miw/keycloak.properties | 17 + .../config/customer/puris-backend.properties | 9 +- .../config/supplier/puris-backend.properties | 9 +- local/vault/put-keys.sh | 4 + 38 files changed, 8839 insertions(+), 2904 deletions(-) create mode 100644 backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java create 
mode 100644 backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptor.java
create mode 100644 backend/src/test/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptorTest.java
create mode 100644 local/keycloak/customer/Customer-realm.json
create mode 100644 local/keycloak/customer/Customer-users-0.json
create mode 100644 local/keycloak/supplier/Supplier-realm.json
create mode 100644 local/keycloak/supplier/Supplier-users-0.json
create mode 100644 local/miw/keycloak.properties
diff --git a/DEPENDENCIES_BACKEND b/DEPENDENCIES_BACKEND
index d5be54a6..78e96e3c 100644
--- a/DEPENDENCIES_BACKEND
+++ b/DEPENDENCIES_BACKEND
@@ -9,6 +9,7 @@ maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.3
 maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.3, Apache-2.0, approved, #8803
 maven/mavencentral/com.fasterxml/classmate/1.6.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.jayway.jsonpath/json-path/2.8.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.squareup.okhttp3/mockwebserver/4.12.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.squareup.okhttp3/okhttp/4.12.0, Apache-2.0, approved, #11156
 maven/mavencentral/com.squareup.okio/okio-jvm/3.6.0, Apache-2.0, approved, #11158
 maven/mavencentral/com.squareup.okio/okio/3.6.0, Apache-2.0, approved, #11155
@@ -28,6 +29,7 @@ maven/mavencentral/jakarta.persistence/jakarta.persistence-api/3.1.0, EPL-2.0 OR
 maven/mavencentral/jakarta.transaction/jakarta.transaction-api/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jta
 maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0, approved, ee4j.validation
 maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.1, BSD-3-Clause, approved, ee4j.jaxb
+maven/mavencentral/junit/junit/4.13.2, EPL-2.0, approved, CQ23636
 maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.11, Apache-2.0, approved, #7164
 maven/mavencentral/net.bytebuddy/byte-buddy/1.14.11, Apache-2.0 AND BSD-3-Clause, approved, #7163
 maven/mavencentral/net.minidev/accessors-smart/2.5.0, Apache-2.0, approved, clearlydefined
@@ -48,6 +50,7 @@ maven/mavencentral/org.eclipse.angus/angus-activation/2.0.1, EPL-2.0 OR GPL-2.0-
 maven/mavencentral/org.glassfish.jaxb/jaxb-core/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/jaxb-runtime/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/txw2/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
+maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hibernate.common/hibernate-commons-annotations/6.0.6.Final, LGPL-2.1-only, approved, #6962
 maven/mavencentral/org.hibernate.orm/hibernate-core/6.4.1.Final, LGPL-2.1-or-later AND (EPL-2.0 OR BSD-3-Clause) AND MIT, approved, #12490
diff --git a/DEPENDENCIES_FRONTEND b/DEPENDENCIES_FRONTEND
index dbc2562c..09e994b8 100644
--- a/DEPENDENCIES_FRONTEND
+++ b/DEPENDENCIES_FRONTEND
@@ -211,7 +211,7 @@ npm/npmjs/-/reusify/1.0.4, MIT, approved, clearlydefined
 npm/npmjs/-/rimraf/3.0.2, ISC, approved, clearlydefined
 npm/npmjs/-/rollup/4.9.5, MIT, approved, clearlydefined
 npm/npmjs/-/run-parallel/1.2.0, MIT, approved, clearlydefined
-npm/npmjs/-/scheduler/0.23.0, MIT, approved, clearlydefined
+npm/npmjs/-/scheduler/0.23.0, MIT, approved, #14589
 npm/npmjs/-/semver/6.3.1, ISC, approved, clearlydefined
 npm/npmjs/-/semver/7.5.4, ISC, approved, clearlydefined
 npm/npmjs/-/shebang-command/2.0.0, MIT, approved, clearlydefined
diff --git a/backend/DEPENDENCIES b/backend/DEPENDENCIES
index d5be54a6..78e96e3c 100644
--- a/backend/DEPENDENCIES
+++ b/backend/DEPENDENCIES
@@ -9,6 +9,7 @@ maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.3
 maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.3, Apache-2.0, approved, #8803
 maven/mavencentral/com.fasterxml/classmate/1.6.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.jayway.jsonpath/json-path/2.8.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.squareup.okhttp3/mockwebserver/4.12.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.squareup.okhttp3/okhttp/4.12.0, Apache-2.0, approved, #11156
 maven/mavencentral/com.squareup.okio/okio-jvm/3.6.0, Apache-2.0, approved, #11158
 maven/mavencentral/com.squareup.okio/okio/3.6.0, Apache-2.0, approved, #11155
@@ -28,6 +29,7 @@ maven/mavencentral/jakarta.persistence/jakarta.persistence-api/3.1.0, EPL-2.0 OR
 maven/mavencentral/jakarta.transaction/jakarta.transaction-api/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jta
 maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0, approved, ee4j.validation
 maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.1, BSD-3-Clause, approved, ee4j.jaxb
+maven/mavencentral/junit/junit/4.13.2, EPL-2.0, approved, CQ23636
 maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.11, Apache-2.0, approved, #7164
 maven/mavencentral/net.bytebuddy/byte-buddy/1.14.11, Apache-2.0 AND BSD-3-Clause, approved, #7163
 maven/mavencentral/net.minidev/accessors-smart/2.5.0, Apache-2.0, approved, clearlydefined
@@ -48,6 +50,7 @@ maven/mavencentral/org.eclipse.angus/angus-activation/2.0.1, EPL-2.0 OR GPL-2.0-
 maven/mavencentral/org.glassfish.jaxb/jaxb-core/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/jaxb-runtime/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
 maven/mavencentral/org.glassfish.jaxb/txw2/4.0.4, BSD-3-Clause, approved, ee4j.jaxb-impl
+maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hibernate.common/hibernate-commons-annotations/6.0.6.Final, LGPL-2.1-only, approved, #6962
 maven/mavencentral/org.hibernate.orm/hibernate-core/6.4.1.Final, LGPL-2.1-or-later AND (EPL-2.0 OR BSD-3-Clause) AND MIT, approved, #12490
diff --git a/backend/pom.xml b/backend/pom.xml
index 695aab26..6b58d4d5 100644
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -24,182 +24,189 @@ - 4.0.0 - - org.springframework.boot - spring-boot-starter-parent - 3.2.2 - - - org.eclipse.tractusx.puris - puris-backend - 1.0.0 - puris-backend - PURIS Backend - - 17 - 2.3.0 - 8.0.1.Final - 2.2 - - - - org.springframework.boot - spring-boot-starter-data-jpa - - - org.springframework.boot - spring-boot-starter-security - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.session - spring-session-core - - - org.hsqldb - hsqldb - 2.7.1 - runtime - - - org.springframework.boot - spring-boot-configuration-processor - true - - - org.postgresql - postgresql - 42.7.2 - runtime - - - org.projectlombok - lombok - true - - - org.springframework.boot - spring-boot-starter-test - test - - - org.springframework.security - spring-security-test - test - - - org.springdoc - springdoc-openapi-starter-webmvc-ui - ${springdoc.version} - - - com.squareup.okhttp3 - okhttp - 4.12.0 - - - - org.hibernate.validator - hibernate-validator - ${hibernate-validator.version} - - - - org.modelmapper - modelmapper - 3.2.0 - - + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 3.2.2 + + + org.eclipse.tractusx.puris + puris-backend + 1.0.0 + puris-backend + PURIS Backend + + 17 + 2.3.0 + 8.0.1.Final + 2.2 + 4.12.0 + + + + org.springframework.boot + spring-boot-starter-data-jpa + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.session + spring-session-core + + + org.hsqldb + hsqldb + 2.7.1 + runtime + + + org.springframework.boot + spring-boot-configuration-processor + true + + + org.postgresql + postgresql + 42.7.2 + runtime + + + org.projectlombok + lombok + true + + + org.springframework.boot + spring-boot-starter-test + test + + + org.springframework.security + spring-security-test + test + + + org.springdoc + springdoc-openapi-starter-webmvc-ui + ${springdoc.version} + + + com.squareup.okhttp3 + okhttp + ${okhttp.version} + + + 
com.squareup.okhttp3 + mockwebserver + ${okhttp.version} + test + + + + org.hibernate.validator + hibernate-validator + ${hibernate-validator.version} + + + + org.modelmapper + modelmapper + 3.2.0 + + - - - dash-licenses - https://repo.eclipse.org/content/repositories/dash-licenses - - + + + dash-licenses + https://repo.eclipse.org/content/repositories/dash-licenses + + - - - - org.eclipse.dash - license-tool-plugin - 1.0.2 - - automotive.tractusx - - DEPENDENCIES - - test - - - - license-check - - license-check - - - - - - org.springframework.boot - spring-boot-maven-plugin - - - - org.projectlombok - lombok - - - - org.hsqldb - hsqldb - - - - - - com.mycila - license-maven-plugin - 4.2 - - - -
scripts/license/header.txt
- - **/README - src/test/resources/** - src/main/resources/** - -
-
-
-
-
- - - - ${project.basedir}/src/main/resources - - application.properties - - BOOT-INF/classes/ - - - - ${project.basedir}/ - - README.md - LICENSE - NOTICE.md - DEPENDENCIES - SECURITY.md - - META-INF - - -
+ + + + org.eclipse.dash + license-tool-plugin + 1.0.2 + + automotive.tractusx + + DEPENDENCIES + + test + + + + license-check + + license-check + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + + org.projectlombok + lombok + + + + org.hsqldb + hsqldb + + + + + + com.mycila + license-maven-plugin + 4.2 + + + +
scripts/license/header.txt
+ + **/README + src/test/resources/** + src/main/resources/** + +
+
+
+
+
+ + + + ${project.basedir}/src/main/resources + + application.properties + + BOOT-INF/classes/ + + + + ${project.basedir}/ + + README.md + LICENSE + NOTICE.md + DEPENDENCIES + SECURITY.md + + META-INF + + +
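Review bot: The new `mockwebserver` test dependency in the `@@ -24,182` hunk brings `junit:junit 4.13.2` and `hamcrest-core 2.2` onto the test classpath, as the DEPENDENCIES hunks above record, while the new test class uses JUnit Jupiter. That is expected for the OkHttp 4.x artifact, whose `MockWebServer` extends JUnit 4's `ExternalResource`, so the transitive JUnit 4 must not be excluded even though nothing else in the project uses it. A comment next to the dependency, `<!-- mockwebserver 4.x needs junit:junit at runtime (MockWebServer extends ExternalResource); keep it on the test classpath -->`, would stop a later cleanup from breaking the tests.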
diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java index 10e1fa92..5c7e3e6b 100644 --- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java +++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java @@ -24,10 +24,12 @@ import lombok.extern.slf4j.Slf4j; import okhttp3.*; import org.eclipse.tractusx.puris.backend.common.ddtr.logic.util.DtrRequestBodyBuilder; +import org.eclipse.tractusx.puris.backend.common.security.OAuth2ClientInterceptor; import org.eclipse.tractusx.puris.backend.common.util.VariablesService; import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Material; import org.eclipse.tractusx.puris.backend.masterdata.domain.model.MaterialPartnerRelation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.lang.Nullable; import org.springframework.stereotype.Service; import java.io.IOException; @@ -42,7 +44,7 @@ @Service @Slf4j public class DtrAdapterService { - private static final OkHttpClient CLIENT = new OkHttpClient(); + private OkHttpClient CLIENT; @Autowired private VariablesService variablesService; 
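Review bot: `CLIENT` is no longer `static final` but keeps its constant-style name and is left mutable, although the new constructor in the `@@ -53,6 +55,18` hunk assigns it exactly once; declare it `private final OkHttpClient client;` and adjust its uses, so the field reads as the per-bean instance it now is and cannot be reassigned later. The constructor in that hunk is the right place to document that the interceptor is absent when `puris.dtr.idp.enabled` is false, e.g. `// interceptor bean only exists when puris.dtr.idp.enabled=true; without it the DTR is called unauthenticated`.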
@@ -53,6 +55,18 @@ public class DtrAdapterService { @Autowired private DigitalTwinMappingService digitalTwinMappingService; + @Autowired(required = false) + public DtrAdapterService(@Nullable OAuth2ClientInterceptor oAuth2ClientInterceptor) { + OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder(); + + // add client interceptor if enabled by property + if (oAuth2ClientInterceptor != null) { + clientBuilder.addInterceptor(oAuth2ClientInterceptor); + } + + this.CLIENT = clientBuilder.build(); + } + private Response sendDtrPostRequest(JsonNode requestBody, List pathSegments) throws IOException { HttpUrl.Builder urlBuilder = HttpUrl.parse(variablesService.getDtrUrl()).newBuilder(); for (var pathSegment : pathSegments) { @@ -103,9 +117,9 @@ private Response sendDtrGetRequest(List pathSegments, Map mprs) { String twinId = digitalTwinMappingService.get(material).getProductTwinId(); @@ -127,11 +141,11 @@ public boolean updateProduct(Material material, List mp /** * Call this method when a new Material with a product flag was created in your MaterialService - or if a product * flag was later added to an existing Material. - * + *

* A new AAS will be registered for this Material at your dDTR. * - * @param material The Material - * @return true, if the DTR signaled a successful registration + * @param material The Material + * @return true, if the DTR signaled a successful registration */ public boolean registerProductAtDtr(Material material) { String twinId = digitalTwinMappingService.get(material).getProductTwinId(); @@ -152,14 +166,14 @@ public boolean registerProductAtDtr(Material material) { * Call this method when a MaterialPartnerRelation was created or updated it's flag signals that this partner is * a supplier for the referenced Material. * - * @param supplierPartnerRelation The MaterialPartnerRelation indicating a supplier for a given Material. + * @param supplierPartnerRelation The MaterialPartnerRelation indicating a supplier for a given Material. * @return */ public boolean registerMaterialAtDtr(MaterialPartnerRelation supplierPartnerRelation) { var body = dtrRequestBodyBuilder.createMaterialRegistrationRequestBody(supplierPartnerRelation); try (var response = sendDtrPostRequest(body, List.of("api", "v3.0", "shell-descriptors"))) { var bodyString = response.body().string(); - if(response.isSuccessful()) { + if (response.isSuccessful()) { return true; } log.error("Failed to register material at DTR " + supplierPartnerRelation.getMaterial().getOwnMaterialNumber() + "\n" + bodyString); @@ -174,7 +188,7 @@ public boolean updateMaterialAtDtr(MaterialPartnerRelation supplierPartnerRelati String idAsBase64 = Base64.getEncoder().encodeToString(supplierPartnerRelation.getPartnerCXNumber().getBytes(StandardCharsets.UTF_8)); try (var response = sendDtrPutRequest(body, List.of("api", "v3.0", "shell-descriptors", idAsBase64))) { var bodyString = response.body().string(); - if(response.isSuccessful()) { + if (response.isSuccessful()) { return true; } log.error("Failed to register material at DTR " + supplierPartnerRelation.getMaterial().getOwnMaterialNumber() + "\n" + bodyString); 
diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/edc/logic/util/EdcRequestBodyBuilder.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/edc/logic/util/EdcRequestBodyBuilder.java index b516d6b6..f5b44a9d 100644 --- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/edc/logic/util/EdcRequestBodyBuilder.java +++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/edc/logic/util/EdcRequestBodyBuilder.java @@ -24,9 +24,8 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.node.ObjectNode; - import lombok.extern.slf4j.Slf4j; - +import org.eclipse.tractusx.puris.backend.common.security.DtrSecurityConfiguration; import org.eclipse.tractusx.puris.backend.common.util.VariablesService; import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Partner; import org.springframework.beans.factory.annotation.Autowired; @@ -41,6 +40,8 @@ @Slf4j public class EdcRequestBodyBuilder { + @Autowired + private DtrSecurityConfiguration dtrSecurityConfig; @Autowired private VariablesService variablesService; @Autowired @@ -336,6 +337,12 @@ public JsonNode buildDtrRegistrationBody() { dataAddress.put("proxyMethod", "false"); dataAddress.put("type", "HttpData"); dataAddress.put("baseUrl", url); + // if IDP is configured, grant only read-access via idp + if (dtrSecurityConfig.isOauth2InterceptorEnabled()) { + dataAddress.put("oauth2:clientId", dtrSecurityConfig.getEdcClientId()); + dataAddress.put("oauth2:clientSecretKey", dtrSecurityConfig.getEdcClientSecretAlias()); + dataAddress.put("oauth2:tokenUrl", dtrSecurityConfig.getTokenUrl()); + } body.set("dataAddress", dataAddress); return body; 
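Review bot: The new block in `buildDtrRegistrationBody` (the method starts before the hunk) writes `getEdcClientId()`, `getEdcClientSecretAlias()` and `getTokenUrl()` into the data address unchecked; `ObjectNode.put(String, String)` with a null value emits a JSON null, so a missing alias property yields an asset the EDC presumably rejects at transfer time instead of a clear startup error. Guard it, e.g. `Objects.requireNonNull(dtrSecurityConfig.getEdcClientSecretAlias(), "puris.dtr.idp.edc-client.secret.alias must be set when IDP is enabled");`, or validate the three values once in the configuration class. The comment `// if IDP is configured, grant only read-access via idp` overstates what the code does: the data address only names the client the EDC fetches a token for, and read-only access is a property of that client's roles at the IDP, so `// if IDP is configured, let the EDC obtain its token with the (read-only) EDC client` is more accurate.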
diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java new file mode 100644 index 00000000..3fdd45a2 --- /dev/null +++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2024 Volkswagen AG + * Copyright (c) 2024 Contributors to the Eclipse Foundation + * + * See the NOTICE file(s) distributed with this work for additional + * information regarding copyright ownership. + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0. + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +package org.eclipse.tractusx.puris.backend.common.security; + +import lombok.Getter; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Configuration; + +/** + * Configuration for the DTR clients: + *

    + *
  • PURIS client using the DTR directly with write access
  • + *
  • EDC client allowing read access
  • + *
+ */ +@Getter +@Configuration +public class DtrSecurityConfiguration { + + /** + * if true, then DTR is configured with IDP + **/ + @Value("${puris.dtr.idp.enabled:false}") + private boolean oauth2InterceptorEnabled; + /** + * token url of the OAuth2 identity provider + **/ + @Value("${puris.dtr.idp.tokenurl}") + String tokenUrl; + /** + * client id of the puris client with write access for DTR + **/ + @Value("${puris.dtr.idp.puris-client.id}") + String purisClientId; + /** + * client secret of the puris client with write access for DTR + **/ + @Value("${puris.dtr.idp.puris-client.secret}") + String purisClientSecret; + /** + * grant_type. Currently only client_credentials is supported + **/ + final String grant_type = "client_credentials"; + + /** + * client id of the edc client with read access for DTR + **/ + @Value("${puris.dtr.idp.edc-client.id}") + String edcClientId; + /** + * vault alias for the client secret of the edc client with read access for DTR + **/ + @Value("${puris.dtr.idp.edc-client.secret.alias}") + String edcClientSecretAlias; +} diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptor.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptor.java new file mode 100644 index 00000000..b5bae58f --- /dev/null +++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptor.java 
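Review bot: `tokenUrl`, `purisClientId`, `purisClientSecret`, `edcClientId` and `edcClientSecretAlias` are package-private while `oauth2InterceptorEnabled` is `private`; with the class-level `@Getter` there is no reason for the wider visibility, so declare them all `private`. The `@Value` placeholders carry no defaults, so they are resolved at startup even when `puris.dtr.idp.enabled` is false, and an operator who leaves them unset presumably gets a placeholder-resolution failure rather than a disabled feature — either give them empty defaults such as `@Value("${puris.dtr.idp.tokenurl:}")` and check them in a `@PostConstruct` method when the flag is on, or bind the group as `@ConfigurationProperties("puris.dtr.idp")` with validation. `grant_type` should be `grantType` per Java naming; its generated getter `getGrant_type()` is already called from the `SecurityConfig` hunk below, so rename both together.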
@@ -0,0 +1,163 @@ +/* + * Copyright (c) 2024 Volkswagen AG + * Copyright (c) 2024 Contributors to the Eclipse Foundation + * + * See the NOTICE file(s) distributed with this work for additional + * information regarding copyright ownership. + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0. + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +package org.eclipse.tractusx.puris.backend.common.security; + +import com.fasterxml.jackson.databind.ObjectMapper; +import lombok.extern.slf4j.Slf4j; +import okhttp3.*; +import org.jetbrains.annotations.NotNull; + +import java.io.IOException; + +/** + * Class allowing to authenticate following OAuth2 (with e.g, client credential flow) against a service. + *

+ * Stores the jwt token and renews it, if outdated (via retry) + */ +@Slf4j +public class OAuth2ClientInterceptor implements Interceptor { + + public static final String KEY_GRANT_TYPE = "grant_type"; + public static final String KEY_CLIENT_ID = "client_id"; + public static final String KEY_CLIENT_SECRET = "client_secret"; + public static final String KEY_HEADER_AUTHORIZATION = "Authorization"; + private final ObjectMapper objectMapper; + + + /** + * creates OAuth2Client Interceptor that obtains jwtTokens and adds them as Bearer + * + * @param objectMapper to parse and read json value + * @param tokenUrl to authenticate against (full url including realm and protocol) + * @param clientId to authenticate against + * @param clientSecret to authenticate with + * @param grant_type to use as flow (e.g. client_credentials) + */ + public OAuth2ClientInterceptor(ObjectMapper objectMapper, + String tokenUrl, + String clientId, + String clientSecret, + String grant_type) { + this.objectMapper = objectMapper; + this.tokenUrl = tokenUrl; + this.clientId = clientId; + this.clientSecret = clientSecret; + this.grant_type = grant_type; + } + + /** + * contains token, if obtained; may be outdated + **/ + private String jwtAccessToken; + + private final String tokenUrl; + private final String clientId; + private final String clientSecret; + private final String grant_type; + + + @NotNull + @Override + public Response intercept(@NotNull Chain chain) throws IOException { + + //do before + Request request = chain.request(); + + // perform idp call & extract jwt + if (jwtAccessToken == null) { + if (!obtainAccessToken()) { + return new Response.Builder() + .request(request) + .protocol(Protocol.HTTP_2) + .code(403) + .message("Access token could not be obtained.") + .build(); + } + } + + // append token + Request requestWithToken = request.newBuilder() + .header(KEY_HEADER_AUTHORIZATION, "Bearer " + jwtAccessToken) + .build(); + + Response response = chain.proceed(requestWithToken); + + 
// if 401, assume the token to be invalid + if (response.code() == 401) { + log.debug("Oauth2 Client token renewal needed."); + obtainAccessToken(); + + requestWithToken = request.newBuilder() + .header("Authorization", "Bearer " + jwtAccessToken) + .build(); + + response = chain.proceed(requestWithToken); + } + return response; + } + + /** + * performs OAuth2 client credential request + *

+ * Sets {@code this.jwtToken} to the obtained token. Sets it to null, if not obtained. + * + * @return true, if token was obtained, else false + */ + private boolean obtainAccessToken() { + // Create an OkHttpClient instance to make the token request + OkHttpClient client = new OkHttpClient(); + + // Build the request body with client credentials and grant type + RequestBody requestBody = new FormBody.Builder() + .add(KEY_GRANT_TYPE, this.grant_type) + .add(KEY_CLIENT_ID, this.clientId) + .add(KEY_CLIENT_SECRET, this.clientSecret) + .build(); + + // Build the token request + Request tokenRequest = new Request.Builder() + .url(this.tokenUrl) + .post(requestBody) + .build(); + + // Execute the token request and parse the response + try (Response tokenResponse = client.newCall(tokenRequest).execute()) { + + if (tokenResponse.isSuccessful()) { + String responseBody = tokenResponse.body().string(); + + // Extract the access token from the response + // Assume the response body is in JSON format and has a field named "access_token" + jwtAccessToken = objectMapper.readTree(responseBody).get("access_token").asText(); + return true; + } else { + jwtAccessToken = null; + log.error("JWT could not be obtained. Please check configuration."); + return false; + } + + } catch (Exception e) { + log.error("Obtaining JWT failed: {}", e.toString()); + jwtAccessToken = null; + return false; + } + } +} diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java index 4390b2e9..605f4b08 100644 --- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java +++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/SecurityConfig.java 
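Review bot: The 401 retry branch in `intercept` neither closes the first `response` before calling `chain.proceed` again nor checks the return value of `obtainAccessToken()`, so a failed renewal re-sends the request with `Bearer null` and leaks the first connection. The synthetic 403 built when no token can be obtained has no body, so callers such as `DtrAdapterService` that do `response.body().string()` will hit a NullPointerException; give it an empty body. `jwtAccessToken` is a plain field shared by every call through the client, so concurrent 401s presumably race on renewal — a `volatile` field or synchronizing `obtainAccessToken()` would make the refresh deterministic. The retry path should also reuse `KEY_HEADER_AUTHORIZATION` instead of the literal `"Authorization"`.
```java
// … unchanged: request extraction …
if (jwtAccessToken == null) {
    if (!obtainAccessToken()) {
        return new Response.Builder()
            .request(request)
            .protocol(Protocol.HTTP_2)
            .code(403)
            .message("Access token could not be obtained.")
            .body(ResponseBody.create("", MediaType.get("text/plain")))
            .build();
    }
}
// … unchanged: first request with token …
if (response.code() == 401) {
    log.debug("Oauth2 Client token renewal needed.");
    if (!obtainAccessToken()) {
        return response; // hand the 401 back unchanged instead of retrying with a null token
    }
    response.close(); // release the first connection before re-sending
    requestWithToken = request.newBuilder()
        .header(KEY_HEADER_AUTHORIZATION, "Bearer " + jwtAccessToken)
        .build();
    response = chain.proceed(requestWithToken);
}
return response;
```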
@@ -20,6 +20,7 @@ package org.eclipse.tractusx.puris.backend.common.security; +import com.fasterxml.jackson.databind.ObjectMapper; import io.swagger.v3.oas.annotations.OpenAPIDefinition; import io.swagger.v3.oas.annotations.enums.SecuritySchemeIn; import io.swagger.v3.oas.annotations.enums.SecuritySchemeType; @@ -29,6 +30,7 @@ import jakarta.servlet.DispatcherType; import lombok.AllArgsConstructor; import org.eclipse.tractusx.puris.backend.common.security.logic.ApiKeyAuthenticationFilter; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.Customizer; @@ -55,6 +57,10 @@ public class SecurityConfig { private final ApiKeyAuthenticationFilter apiKeyAuthenticationFilter; + private final ObjectMapper objectMapper; + + private DtrSecurityConfiguration dtrSecurityConfiguration; + @Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); @@ -96,4 +102,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http.build(); } + @Bean + @ConditionalOnProperty(name = "puris.dtr.idp.enabled", havingValue = "true") + public OAuth2ClientInterceptor oAuth2ClientInterceptor() { + return new OAuth2ClientInterceptor(objectMapper, dtrSecurityConfiguration.getTokenUrl(), dtrSecurityConfiguration.getPurisClientId(), dtrSecurityConfiguration.getPurisClientSecret(), dtrSecurityConfiguration.getGrant_type()); + } + } diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties index afec35e0..7e5a5cbc 100755 --- a/backend/src/main/resources/application.properties +++ b/backend/src/main/resources/application.properties 
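Review bot: `dtrSecurityConfiguration` is declared non-final next to the `final` `objectMapper` and `apiKeyAuthenticationFilter`; `@AllArgsConstructor` still includes it in the constructor, so injection works, but `private final DtrSecurityConfiguration dtrSecurityConfiguration;` keeps the class consistent and prevents reassignment. The new `oAuth2ClientInterceptor()` bean packs five constructor arguments onto one line; put one argument per line and add a one-line Javadoc such as `/** Interceptor that authenticates PURIS' own DTR calls; created only when puris.dtr.idp.enabled is true. */`.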
@@ -14,7 +14,12 @@ puris.frameworkagreement.use=${PURIS_FRAMEWORKAGREEMENT_USE:false} puris.frameworkagreement.credential=${PURIS_FRAMEWORKAGREEMENT_CREDENTIAL:FrameworkAgreement.traceability} puris.api.key=${PURIS_API_KEY:test} puris.dtr.url=${PURIS_DTR_URL:http://localhost:4243} - +puris.dtr.idp.enabled=${PURIS_DTR_IDP_ENABLED:false} +puris.dtr.idp.tokenurl=${PURIS_DTR_IDP_TOKEN_URL:http://keycloak:8080/realms/Customer/protocol/openid-connect/token} +puris.dtr.idp.edc-client.id=${PURIS_DTR_IDP_EDC-CLIENT_ID:FOSS-DTR-CLIENT} +puris.dtr.idp.edc-client.secret.alias=${PURIS_DTR_IDP_EDC-CLIENT_SECRET_ALIAS} +puris.dtr.idp.puris-client.id=${PURIS_DTR_IDP_PURIS-CLIENT_ID:FOSS-DTR-CLIENT} +puris.dtr.idp.puris-client.secret=${PURIS_DTR_IDP_PURIS-CLIENT_SECRET} # Flag that decides whether the auto-generation feature of the puris backend is enabled. # Since all Material entities are required to have a CatenaX-Id, you must enter any pre-existing CatenaX-Id # via the materials-API of the backend, when you are inserting a new Material entity to the backend's diff --git a/backend/src/test/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptorTest.java b/backend/src/test/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptorTest.java new file mode 100644 index 00000000..d174fbf9 --- /dev/null +++ b/backend/src/test/java/org/eclipse/tractusx/puris/backend/common/security/OAuth2ClientInterceptorTest.java 
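Review bot: Both client ids default to the same value `FOSS-DTR-CLIENT`, while `DtrSecurityConfiguration` describes a PURIS client with write access and an EDC client with read access; with identical defaults the EDC presumably ends up using the write-capable client unless an operator overrides one of them, so the defaults should differ or be removed. `puris.dtr.idp.edc-client.secret.alias` and `puris.dtr.idp.puris-client.secret` have no fallback, unlike every other property in this file, and since the `@Value` fields read them unconditionally an environment that leaves the variables unset presumably fails placeholder resolution even with IDP disabled — `${PURIS_DTR_IDP_PURIS-CLIENT_SECRET:}` keeps the file's convention. Hyphens in the variable names (`PURIS_DTR_IDP_EDC-CLIENT_ID`) cannot be exported from a POSIX shell, so only container tooling can set them; underscores would be more portable. The default token URL is plain `http://`, which suits the local setup, but a comment such as `# token endpoint receives the client secret; production deployments must use https` would make the expectation explicit.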
@@ -0,0 +1,306 @@ +/* + * Copyright (c) 2024 Volkswagen AG + * Copyright (c) 2024 Contributors to the Eclipse Foundation + * + * See the NOTICE file(s) distributed with this work for additional + * information regarding copyright ownership. + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0. + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +package org.eclipse.tractusx.puris.backend.common.security; + +import com.fasterxml.jackson.databind.ObjectMapper; +import okhttp3.Interceptor; +import okhttp3.Protocol; +import okhttp3.Request; +import okhttp3.Response; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import okio.Buffer; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.ArgumentCaptor; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.springframework.http.MediaType; + +import java.io.IOException; +import java.lang.reflect.Field; +import java.util.Arrays; +import java.util.List; +import java.util.Map; +import java.util.stream.Collectors; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.*; + +public class OAuth2ClientInterceptorTest { + + public static final String VALUE_CLIENT_ID = "clientId"; + public static final String VALUE_CLIENT_SECRET = "clientSecret"; + public static final String VALUE_GRANT_TYPE = "client_credentials"; + public static 
final String VALUE_VALID_MOCK_BEARER_TOKEN = "mock-bearer-token"; + public static final String VALUE_INVALID_MOCK_BEARER_TOKEN = "initial-but-invalid-token"; + + /** + * Path to configure {@code tokenServer} url + **/ + private final String TOKEN_URL_PATH = "/mocked/token"; + /** + * Path to configure {@code actualRequestServer} url + **/ + private final String SERVICE_URL_PATH = "/actual/service"; + + private OAuth2ClientInterceptor oAuth2ClientInterceptor; + + /** + * Mock Server representing the OAuth2 Server + **/ + private MockWebServer tokenServer; + /** + * Mock Server representing the Server / Service that needs to be authenticated with the interceptor + **/ + private MockWebServer actualRequestServer; + + /** + * Interceptor chain to mock so that one can capture the request changes of the interceptor + **/ + @Mock + private Interceptor.Chain chain; + + @BeforeEach + public void setup() throws IOException { + tokenServer = new MockWebServer(); + tokenServer.start(); + + actualRequestServer = new MockWebServer(); + actualRequestServer.start(); + + MockitoAnnotations.openMocks(this); + + ObjectMapper objectMapper = new ObjectMapper(); + + oAuth2ClientInterceptor = new OAuth2ClientInterceptor(objectMapper, + tokenServer.url(TOKEN_URL_PATH).toString(), + VALUE_CLIENT_ID, + VALUE_CLIENT_SECRET, + VALUE_GRANT_TYPE + ); + } + + @AfterEach + public void teardown() throws IOException { + tokenServer.shutdown(); + actualRequestServer.shutdown(); + oAuth2ClientInterceptor = null; + } + + /** + * Checks that the JWT token is extracted correctly and + * inserted as BEARER token in intercepted request's auth header + *

+ * Verifies that the auth request against the OAauth2 server is correct. + */ + @Test + public void testInterceptor_obtainValidTokenSuccessfully() throws IOException, InterruptedException { + + // GIVEN + // Response of OAuth2 Server + MockResponse tokenResponse = new MockResponse() + .setResponseCode(200) + .setBody("{\"access_token\": \"" + VALUE_VALID_MOCK_BEARER_TOKEN + "\"}") + .addHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE); + + // Enqueue a mock response from the server + tokenServer.enqueue(tokenResponse); + + // Create a request against the intended service that needs authentication + Request request = new Request.Builder() + .url(actualRequestServer.url(SERVICE_URL_PATH)) + .build(); + + // needed as 401 might indicate outdated token + MockResponse mockResponse = new MockResponse() + .setResponseCode(200) + .setBody("OK") + .addHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE); + actualRequestServer.enqueue(mockResponse); + + // WHEN + // Mock the behavior of the chain + // return original request that needs token + when(chain.request()).thenReturn(request); + + // capture the requests sent via chain.proceed + ArgumentCaptor requestCaptor = ArgumentCaptor.forClass(Request.class); + when(chain.proceed(requestCaptor.capture())).thenReturn(mock(Response.class)); + + // DO -> trigger interceptor with request + oAuth2ClientInterceptor.intercept(chain); + + //THEN + verify(chain, times(1)).proceed(any(Request.class)); + + // Verify the request sent by the interceptor + RecordedRequest recordedRequest = tokenServer.takeRequest(); + + // Get the form body from the recorded request + Buffer requestBodyBuffer = recordedRequest.getBody(); + String requestBody = requestBodyBuffer.readUtf8(); + + // Split the form body string and convert to a map using streams + // form body like "key=value&key2=value2" + Map formFieldMap = Arrays.stream(requestBody.split("&")) + .map(formField -> formField.split("=")) + .filter(keyValue -> keyValue.length == 2) + 
.collect(Collectors.toMap(keyValue -> keyValue[0], keyValue -> keyValue[1])); + + // assert tokenRequest Values + assertEquals(TOKEN_URL_PATH, recordedRequest.getPath()); + assertEquals(VALUE_CLIENT_ID, formFieldMap.get(OAuth2ClientInterceptor.KEY_CLIENT_ID)); + assertEquals(VALUE_CLIENT_SECRET, formFieldMap.get(OAuth2ClientInterceptor.KEY_CLIENT_SECRET)); + assertEquals(VALUE_GRANT_TYPE, formFieldMap.get(OAuth2ClientInterceptor.KEY_GRANT_TYPE)); + + // Verify the intercepted request has the bearer token + Request interceptedRequest = requestCaptor.getValue(); + assertEquals("Bearer " + VALUE_VALID_MOCK_BEARER_TOKEN, + interceptedRequest.header(OAuth2ClientInterceptor.KEY_HEADER_AUTHORIZATION)); + } + + /** + * assumes that an invalid token has been set and needs to be renewed + */ + @Test + public void testInterceptor_refreshTokenSuccessfully() throws Exception { + + // GIVEN + // outdated Token already set + setJwtToken(VALUE_INVALID_MOCK_BEARER_TOKEN); + + MockResponse tokenResponse = new MockResponse() + .setResponseCode(200) + .setBody("{\"access_token\": \"" + VALUE_VALID_MOCK_BEARER_TOKEN + "\"}") + .addHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE); + + // Enqueue a mock response from the server + tokenServer.enqueue(tokenResponse); + + // Create a request against the server to be authenticated + Request request = new Request.Builder() + .url(actualRequestServer.url(SERVICE_URL_PATH)) + .build(); + + Response notAuthorizedMockResponse = new Response.Builder() + .request(request) + .protocol(Protocol.HTTP_2) + .message("Not Authorized.") + .code(401) + .build(); + + // Mock the behavior of the chain + // return original request that needs token + when(chain.request()).thenReturn(request); + + // First time request returns 401 due to invalid token + // Second is just OK + ArgumentCaptor requestCaptor = ArgumentCaptor.forClass(Request.class); + when(chain.proceed(requestCaptor.capture())) + .thenReturn(notAuthorizedMockResponse) + 
.thenReturn(mock(Response.class)); + + // DO + oAuth2ClientInterceptor.intercept(chain); + + // THEN + // proceed triggered first with outdated, then with updated token + verify(chain, times(2)).proceed(any(Request.class)); + + List interceptedRequests = requestCaptor.getAllValues(); + + // Verify the intercepted request has the outdated bearer token + Request interceptedRequestWithInvalidToken = interceptedRequests.get(0); + assertEquals("Bearer " + VALUE_INVALID_MOCK_BEARER_TOKEN, + interceptedRequestWithInvalidToken.header(OAuth2ClientInterceptor.KEY_HEADER_AUTHORIZATION)); + + // Verify the intercepted request has the updated bearer token + Request interceptedRequestWithValidToken = interceptedRequests.get(1); + assertEquals("Bearer " + VALUE_VALID_MOCK_BEARER_TOKEN, + interceptedRequestWithValidToken.header("Authorization")); + assertEquals(VALUE_VALID_MOCK_BEARER_TOKEN, getJwtToken()); + } + + /** + * chain is interrupted with 403 in case authentication does not work + */ + @Test + public void testInterceptor_failObtainToken() throws IOException { + + // GIVEN + // 401 response indicating invalid credentials + MockResponse tokenResponse = new MockResponse() + .setResponseCode(401) + .setBody(""" + { + "error": "invalid_client", + "error_description": "Invalid client or Invalid client credentials" + }""") + .addHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE); + + // Enqueue a mock response from the server + tokenServer.enqueue(tokenResponse); + + // Create a request against service to be authenticated + Request request = new Request.Builder() + .url(actualRequestServer.url(SERVICE_URL_PATH)) + .build(); + + // WHEN + // Mock the behavior of the chain + // return original request that needs token + when(chain.request()).thenReturn(request); + + //DO - trigger chain + Response response = oAuth2ClientInterceptor.intercept(chain); + + // THEN + // chain is aborted with 403 + verify(chain, times(0)).proceed(any(Request.class)); + assertEquals(403, 
response.code()); + } + + /** + * helper to get private field value of {@code oAuth2ClientInterceptor.jwtToken} + * + * @return value of the jwtToken field + * @throws Exception if field can not be accessed (illegal, not existing) + */ + private String getJwtToken() throws Exception { + Field jwtTokenField = oAuth2ClientInterceptor.getClass().getDeclaredField("jwtAccessToken"); + jwtTokenField.setAccessible(true); + return (String) jwtTokenField.get(oAuth2ClientInterceptor); + } + + /** + * helper to set private field value of {@code oAuth2ClientInterceptor.jwtToken} + * + * @throws Exception if field can not be accessed (illegal, not existing) + */ + private void setJwtToken(String jwtToken) throws Exception { + Field jwtTokenField = oAuth2ClientInterceptor.getClass().getDeclaredField("jwtAccessToken"); + jwtTokenField.setAccessible(true); + jwtTokenField.set(oAuth2ClientInterceptor, jwtToken); + } +} diff --git a/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialControllerTest.java b/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialControllerTest.java index 329ef766..dffae954 100644 --- a/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialControllerTest.java +++ b/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialControllerTest.java 
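Review bot: `testInterceptor_refreshTokenSuccessfully` only covers the happy retry; nothing pins that a second 401 after the token refresh ends the chain instead of fetching another token, so an interceptor that loops on 401 would pass this suite and could hammer the IdP with the client credentials. A test that enqueues one token response, returns `notAuthorizedMockResponse` from both `chain.proceed` calls and asserts `verify(chain, times(2)).proceed(any(Request.class));` together with `assertEquals(1, tokenServer.getRequestCount());` would pin that bound, and a `getRequestCount()` assertion in `testInterceptor_obtainValidTokenSuccessfully` after a second `intercept(chain)` would pin that a valid token is reused rather than re-requested. The form-body check splits on `&` and `=` without URL-decoding and uses credentials containing no reserved characters, so it cannot tell whether the interceptor form-encodes the secret; a `VALUE_CLIENT_SECRET` such as `"s3cr=t&/+x"` checked via `URLDecoder.decode(value, StandardCharsets.UTF_8)` before the `assertEquals` would. The 401 `Response` in the refresh test has no body, so the test also cannot observe whether the interceptor closes the first response before calling `chain.proceed` again, which OkHttp requires on real connections — presumably it does, but a `.body(ResponseBody.create(...))` on that response would at least exercise the path. `ArgumentCaptor requestCaptor`, `Map formFieldMap` and `List interceptedRequests` are raw types; `ArgumentCaptor<Request>`, `Map<String, String>` and `List<Request>` remove the unchecked warnings.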
@@ -20,10 +20,10 @@ package org.eclipse.tractusx.puris.backend.masterdata.controller; import com.fasterxml.jackson.databind.ObjectMapper; +import org.eclipse.tractusx.puris.backend.common.security.DtrSecurityConfiguration; import org.eclipse.tractusx.puris.backend.common.security.SecurityConfig; import org.eclipse.tractusx.puris.backend.common.security.annotation.WithMockApiKey; import org.eclipse.tractusx.puris.backend.common.security.logic.ApiKeyAuthenticationProvider; -import org.eclipse.tractusx.puris.backend.masterdata.controller.MaterialController; import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Material; import org.eclipse.tractusx.puris.backend.masterdata.logic.dto.MaterialEntityDto; import org.eclipse.tractusx.puris.backend.masterdata.logic.service.MaterialService; @@ -37,6 +37,7 @@ import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.result.MockMvcResultMatchers; + import java.util.Arrays; import java.util.List; import java.util.UUID; @@ -46,7 +47,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*; @WebMvcTest(MaterialController.class) -@Import({ SecurityConfig.class, ApiKeyAuthenticationProvider.class }) +@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class, DtrSecurityConfiguration.class}) public class MaterialControllerTest { @Autowired 
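Review bot: The `@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class, DtrSecurityConfiguration.class})` change is needed only because `SecurityConfig` now takes `DtrSecurityConfiguration` as a constructor argument, even though this `@WebMvcTest` slice never exercises the DTR interceptor, and the same edit is repeated in `MaterialPartnerRelationsControllerTest`, `PartnerControllerTest` and `StockViewControllerTest`. Moving the `@ConditionalOnProperty` `oAuth2ClientInterceptor` bean into `DtrSecurityConfiguration` itself (which presumably already holds the token URL, client id, secret and grant type the bean reads) would leave the web-security filter chain free of an outbound-client concern and let these slices keep `@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class})` unchanged.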
@@ -57,13 +58,13 @@ public class MaterialControllerTest { private final ModelMapper modelMapper = new ModelMapper(); private final String materialNumber = "MNR-7307-AU340474.001"; - private final MaterialEntityDto materialDto = new MaterialEntityDto(false, false, materialNumber, String.valueOf(UUID.randomUUID()),"TestMaterialDto"); + private final MaterialEntityDto materialDto = new MaterialEntityDto(false, false, materialNumber, String.valueOf(UUID.randomUUID()), "TestMaterialDto"); @Test @WithMockApiKey void createMaterialTest() throws Exception { // when - Material createdMaterial = modelMapper.map(materialDto,Material.class); + Material createdMaterial = modelMapper.map(materialDto, Material.class); when(materialService.findByOwnMaterialNumber(materialNumber)).thenReturn(null); when(materialService.create(createdMaterial)).thenReturn(createdMaterial); @@ -80,7 +81,7 @@ void createMaterialTest() throws Exception { @WithMockApiKey void updateMaterialTest() throws Exception { // when - Material existingMaterial = modelMapper.map(materialDto,Material.class); + Material existingMaterial = modelMapper.map(materialDto, Material.class); when(materialService.findByOwnMaterialNumber(materialNumber)).thenReturn(existingMaterial); when(materialService.update(existingMaterial)).thenReturn(existingMaterial); diff --git a/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialPartnerRelationsControllerTest.java b/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialPartnerRelationsControllerTest.java index 3bc87575..22b70b83 100644 --- a/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialPartnerRelationsControllerTest.java +++ b/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/MaterialPartnerRelationsControllerTest.java 
@@ -21,6 +21,7 @@ */ package org.eclipse.tractusx.puris.backend.masterdata.controller; +import org.eclipse.tractusx.puris.backend.common.security.DtrSecurityConfiguration; import org.eclipse.tractusx.puris.backend.common.security.SecurityConfig; import org.eclipse.tractusx.puris.backend.common.security.annotation.WithMockApiKey; import org.eclipse.tractusx.puris.backend.common.security.logic.ApiKeyAuthenticationProvider; @@ -49,7 +50,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; @WebMvcTest(MaterialPartnerRelationsController.class) -@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class}) +@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class, DtrSecurityConfiguration.class}) public class MaterialPartnerRelationsControllerTest { @Autowired @@ -87,7 +88,6 @@ public void createMaterialPartnerRelationTest() throws Exception { true, true); - // when when(materialService.findByOwnMaterialNumber(materialNumber)).thenReturn(material); when(partnerService.findByBpnl(bpnl)).thenReturn(partner); diff --git a/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/PartnerControllerTest.java b/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/PartnerControllerTest.java index 65ffbc7b..035cd384 100644 --- a/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/PartnerControllerTest.java +++ b/backend/src/test/java/org/eclipse/tractusx/puris/backend/masterdata/controller/PartnerControllerTest.java 
@@ -20,10 +20,10 @@ package org.eclipse.tractusx.puris.backend.masterdata.controller; import com.fasterxml.jackson.databind.ObjectMapper; +import org.eclipse.tractusx.puris.backend.common.security.DtrSecurityConfiguration; import org.eclipse.tractusx.puris.backend.common.security.SecurityConfig; import org.eclipse.tractusx.puris.backend.common.security.annotation.WithMockApiKey; import org.eclipse.tractusx.puris.backend.common.security.logic.ApiKeyAuthenticationProvider; -import org.eclipse.tractusx.puris.backend.masterdata.controller.PartnerController; import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Address; import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Partner; import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Site; @@ -31,7 +31,6 @@ import org.eclipse.tractusx.puris.backend.masterdata.logic.dto.PartnerDto; import org.eclipse.tractusx.puris.backend.masterdata.logic.dto.SiteDto; import org.eclipse.tractusx.puris.backend.masterdata.logic.service.PartnerService; -import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.modelmapper.ModelMapper; import org.springframework.beans.factory.annotation.Autowired; @@ -42,13 +41,16 @@ import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.result.MockMvcResultMatchers; -import java.util.*; +import java.util.Arrays; +import java.util.List; +import java.util.TreeSet; +import java.util.UUID; import static org.mockito.Mockito.*; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*; @WebMvcTest(PartnerController.class) -@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class}) +@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class, DtrSecurityConfiguration.class}) public class PartnerControllerTest { @Autowired 
diff --git a/backend/src/test/java/org/eclipse/tractusx/puris/backend/stock/controller/StockViewControllerTest.java b/backend/src/test/java/org/eclipse/tractusx/puris/backend/stock/controller/StockViewControllerTest.java index 008007d2..bc44137f 100644 --- a/backend/src/test/java/org/eclipse/tractusx/puris/backend/stock/controller/StockViewControllerTest.java +++ b/backend/src/test/java/org/eclipse/tractusx/puris/backend/stock/controller/StockViewControllerTest.java @@ -21,6 +21,7 @@ import com.fasterxml.jackson.core.type.TypeReference; import com.fasterxml.jackson.databind.ObjectMapper; +import org.eclipse.tractusx.puris.backend.common.security.DtrSecurityConfiguration; import org.eclipse.tractusx.puris.backend.common.security.SecurityConfig; import org.eclipse.tractusx.puris.backend.common.security.annotation.WithMockApiKey; import org.eclipse.tractusx.puris.backend.common.security.logic.ApiKeyAuthenticationProvider; @@ -50,7 +51,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; @WebMvcTest(StockViewController.class) -@Import({ SecurityConfig.class, ApiKeyAuthenticationProvider.class }) +@Import({SecurityConfig.class, ApiKeyAuthenticationProvider.class, DtrSecurityConfiguration.class}) class StockViewControllerTest { @Autowired @@ -85,7 +86,7 @@ class StockViewControllerTest { @Test @WithMockApiKey - void getMaterials_GivenTwoMaterials_ReturnsListOfMaterials() throws Exception{ + void getMaterials_GivenTwoMaterials_ReturnsListOfMaterials() throws Exception { // given Material material1 = Material.builder() diff --git a/backend/src/test/resources/application.properties b/backend/src/test/resources/application.properties index 91252480..144d46db 100755 --- a/backend/src/test/resources/application.properties +++ b/backend/src/test/resources/application.properties 
@@ -1,3 +1,4 @@ +logging.level.org.eclipse.tractusx.puris=DEBUG # Server Config server.port=${SERVER_PORT:8081} puris.demonstrator.role=${PURIS_DEMONSTRATOR_ROLE:customer} @@ -11,6 +12,12 @@ puris.frameworkagreement.use=${PURIS_FRAMEWORKAGREEMENT_USE:false} puris.frameworkagreement.credential=${PURIS_FRAMEWORKAGREEMENT_CREDENTIAL:FrameworkAgreement.traceability} puris.api.key=${PURIS_API_KEY:test} puris.dtr.url=${PURIS_DTR_URL:http://localhost:4243} +puris.dtr.idp.enabled=${PURIS_DTR_IDP_ENABLED:true} +puris.dtr.idp.tokenurl=${PURIS_DTR_IDP_TOKEN_URL:http://keycloak:8080/realms/Customer/protocol/openid-connect/token} +puris.dtr.idp.edc-client.id=${PURIS_DTR_IDP_EDC-CLIENT_ID:FOSS-DTR-CLIENT} +puris.dtr.idp.edc-client.secret.alias=${PURIS_DTR_IDP_EDC-CLIENT_SECRET_ALIAS:test-alias} +puris.dtr.idp.puris-client.id=${PURIS_DTR_IDP_PURIS-CLIENT_ID:FOSS-DTR-CLIENT} +puris.dtr.idp.puris-client.secret=${PURIS_DTR_IDP_PURIS-CLIENT_SECRET:test} puris.generatematerialcatenaxid=${PURIS_GENERATEMATERIALCATENAXID:true} # DB Configuration diff --git a/charts/puris/Chart.yaml b/charts/puris/Chart.yaml index a6ada138..06142577 100644 --- a/charts/puris/Chart.yaml +++ b/charts/puris/Chart.yaml @@ -35,7 +35,7 @@ dependencies: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.2.0 +version: 2.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/puris/README.md b/charts/puris/README.md index 1f6bb1d9..01a4cfd8 100644 --- a/charts/puris/README.md +++ b/charts/puris/README.md 
@@ -64,7 +64,15 @@ $ helm install puris --namespace puris --create-namespace . | backend.puris.datasource.password | string | `nil` | Password for the database user. Ignored if postgres.enabled is true. | | backend.puris.datasource.url | string | `"jdbc:postgresql://postgresql-name:5432/puris-database"` | URL of the database. Ignored if postgres.enabled is true. | | backend.puris.datasource.username | string | `"db-user"` | Username of the database. Ignored if postgres.enabled is true. | +| backend.puris.deliverysubmodel.apiassetid | string | `"deliverysubmodel-api-asset"` | Asset ID for DeliverySubmodel API | +| backend.puris.demandsubmodel.apiassetid | string | `"demandsubmodel-api-asset"` | Asset ID for DemandSubmodel API | | backend.puris.demonstrator.role | string | `nil` | Current role of the PURIS demonstrator. Default value should be empty. Can be set to "customer" or "supplier" to enable demonstration setup | +| backend.puris.dtr.idp.clients.edc.id | string | `"FOSS-EDC-CLIENT"` | id of the client that has a service account with roles to view the DTR. Used by the application to create DTR asset in the edc with read only access. See Admin Guide. Mandatory if backend.puris.dtr.idp.enabled = true. | +| backend.puris.dtr.idp.clients.edc.secret.alias | string | `"path/secret-name"` | alias for the vault used by the EDC in which the secret is stored. Mandatory if backend.puris.dtr.idp.enabled = true. | +| backend.puris.dtr.idp.clients.puris.id | string | `"FOSS-PURIS-CLIENT"` | id of the client that has a service account with roles to manage the DTR. Used by the application to create and update digital twins. See Admin Guide. Mandatory if backend.puris.dtr.idp.enabled = true. | +| backend.puris.dtr.idp.clients.puris.secret | string | `nil` | secret of the client with write access (no vault alias). No default value will be created if empty. Mandatory if backend.puris.dtr.idp.enabled = true. 
| +| backend.puris.dtr.idp.enabled | bool | `true` | enables the usage of the IDP for the DTR. | +| backend.puris.dtr.idp.tokenurl | string | `"https://keycloak-service.com/realms/your-realm/openid-connect/token"` | token url of the idp for your specific realm. May be different to other idp token url in this config. Mandatory if backend.puris.dtr.idp.enabled = true. | | backend.puris.dtr.url | string | `"http://localhost:4243"` | Endpoint for DTR | | backend.puris.edc.controlplane.host | string | `"172.17.0.2"` | | | backend.puris.edc.controlplane.key | string | `"password"` | Key for the EDC control plane | 
@@ -74,6 +82,7 @@ $ helm install puris --namespace puris --create-namespace . | backend.puris.edr.deletiontimer | int | `2` | Number of minutes before received authentication data of a consumer pull is removed from memory | | backend.puris.existingSecret | string | `"secret-backend-puris"` | Secret for backend passwords. For more information look into 'backend-secrets.yaml' file. | | backend.puris.frameworkagreement.credential | string | `"FrameworkAgreement.traceability"` | The name of the framework agreement | +| backend.puris.frameworkagreement.use | bool | `true` | enables the usage of the framework agreement | | backend.puris.generatematerialcatenaxid | bool | `true` | Flag that decides whether the auto-generation feature of the puris backend is enabled. Since all Material entities are required to have a CatenaX-Id, you must enter any pre-existing CatenaX-Id via the materials-API of the backend, when you are inserting a new Material entity to the backend's database. If a CatenaX-Id was not assigned to your Material so far, then this feature can auto-generate one randomly. In a real-world-scenario, you must then use this randomly generated CatenaX-Id for the lifetime of that Material entity. | | backend.puris.itemstocksubmodel.apiassetid | string | `"itemstocksubmodel-api-asset"` | Asset ID for ItemStockSubmodel API | | backend.puris.jpa.hibernate.ddl-auto | string | `"create"` | Initialises SQL database with Hibernate property "create" to allow Hibernate to first drop all tables and then create new ones | 
@@ -86,6 +95,7 @@ $ helm install puris --namespace puris --create-namespace . | backend.puris.own.site.name | string | `"YOUR-SITE-NAME"` | Own site name | | backend.puris.own.streetnumber | string | `"Musterstraße 110A"` | Own street and number | | backend.puris.own.zipcodeandcity | string | `"12345 Musterhausen"` | Own zipcode and city | +| backend.puris.productionsubmodel.apiassetid | string | `"productionsubmodel-api-asset"` | Asset ID for ProductionSubmodel API | | backend.readinessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":120,"periodSeconds":25,"successThreshold":1,"timeoutSeconds":1}` | Checks if the pod is fully ready to operate | | backend.readinessProbe.failureThreshold | int | `3` | Number of failures (threshold) for a readiness probe | | backend.readinessProbe.initialDelaySeconds | int | `120` | Delay in seconds after which an initial readiness probe is checked | @@ -185,3 +195,5 @@ $ helm install puris --namespace puris --create-namespace . | postgresql.fullnameOverride | string | `"backend-postgresql"` | Possibility to override the fullname | | postgresql.service.ports.postgresql | int | `5432` | Port of postgres database. | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) diff --git a/charts/puris/templates/backend-deployment.yaml b/charts/puris/templates/backend-deployment.yaml index 4fe0bfb2..eaaed38d 100644 --- a/charts/puris/templates/backend-deployment.yaml +++ b/charts/puris/templates/backend-deployment.yaml 
@@ -150,7 +150,22 @@ spec: - name: PURIS_FRAMEWORKAGREEMENT_CREDENTIAL value: "{{ .Values.backend.puris.frameworkagreement.credential }}" - name: PURIS_DTR_URL - value: "{{ .Values.backend.puris.dtr.url }}" + value: "{{ .Values.backend.puris.dtr.url }}" + - name: PURIS_DTR_IDP_ENABLED + value: "{{ .Values.backend.puris.dtr.idp.enabled }}" + - name: PURIS_DTR_IDP_TOKENURL + value: "{{ .Values.backend.puris.dtr.idp.tokenurl }}" + - name: PURIS_DTR_IDP_EDC-CLIENT_ID + value: "{{ .Values.backend.puris.dtr.idp.clients.edc.id }}" + - name: PURIS_DTR_IDP_EDC-CLIENT_SECRET_ALIAS + value: "{{ .Values.backend.puris.dtr.idp.clients.edc.secret.alias }}" + - name: PURIS_DTR_IDP_PURIS_CLIENT_ID + value: "{{ .Values.backend.puris.dtr.idp.clients.puris.id}}" + - name: PURIS_DTR_IDP_PURIS-CLIENT_SECRET + valueFrom: + secretKeyRef: + name: "{{ .Values.backend.puris.existingSecret }}" + key: "puris-dtr-idp-puris-client-secret" - name: PURIS_GENERATEMATERIALCATENAXID value: "{{ .Values.backend.puris.generatematerialcatenaxid | default true}}" ###################################### diff --git a/charts/puris/templates/backend-secrets.yaml b/charts/puris/templates/backend-secrets.yaml index df820dc5..7346cbf0 100644 --- a/charts/puris/templates/backend-secrets.yaml +++ b/charts/puris/templates/backend-secrets.yaml 
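Review bot: `- name: PURIS_DTR_IDP_TOKENURL` does not match the placeholder the backend reads, `${PURIS_DTR_IDP_TOKEN_URL:...}` in `backend/src/main/resources/application.properties` from this same change, and Spring's relaxed binding only bridges case, `.` and `-` differences, not a missing underscore, so the Helm-configured token URL would be ignored and the backend would fall back to the `http://keycloak:8080/realms/Customer/...` default; rename it to `PURIS_DTR_IDP_TOKEN_URL`. The remaining names mix styles (`PURIS_DTR_IDP_EDC-CLIENT_ID`, `PURIS_DTR_IDP_PURIS_CLIENT_ID`, `PURIS_DTR_IDP_PURIS-CLIENT_SECRET`) and only resolve through relaxed binding in some cases; underscore-only names throughout remove that dependency and match the other `PURIS_*` variables here. Sourcing the client secret from `secretKeyRef` rather than an inline `value:` is the right call; the client ids and the vault alias are not secrets and can stay inline. `{{ .Values.backend.puris.dtr.idp.clients.puris.id}}` is missing the space before `}}` that every other template expression in this block has.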
@@ -16,10 +16,13 @@ data: puris-api-key: {{ (.Values.backend.puris.api.key | b64enc) | default (index $secret.data "puris-api-key") | quote }} puris-datasource-password: {{ (.Values.backend.puris.datasource.password | b64enc) | default (index $secret.data "puris-datasource-password") | quote }} puris-edc-controlplane-key: {{ (.Values.backend.puris.edc.controlplane.key | b64enc) | default (index $secret.data "puris-edc-controlplane-key") | quote }} + puris-dtr-idp-puris-client-secret: {{ (.Values.backend.puris.dtr.idp.clients.puris.secret | b64enc) | default (index $secret.data "puris-dtr-idp-puris-client-secret") | quote }} {{ else -}} stringData: # if secret doesn't exist, use provided value from values file or generate a random one puris-api-key: {{ .Values.backend.puris.api.key | default ( randAlphaNum 32 ) | quote }} puris-datasource-password: {{ .Values.backend.puris.datasource.password | default ( randAlphaNum 32 ) | quote }} puris-edc-controlplane-key: {{ .Values.backend.puris.edc.controlplane.key | default ( randAlphaNum 32 ) | quote }} + # don't generate a random one as this is set in identity provider + puris-dtr-idp-puris-client-secret: {{ .Values.backend.puris.dtr.idp.clients.puris.secret | quote }} {{ end }} diff --git a/charts/puris/values.yaml b/charts/puris/values.yaml index 0785491f..54aa9eaf 100644 --- a/charts/puris/values.yaml +++ b/charts/puris/values.yaml @@ -424,6 +424,8 @@ backend: # -- Asset ID for DeliverySubmodel API apiassetid: deliverysubmodel-api-asset frameworkagreement: + # -- enables the usage of the framework agreement + use: true # -- The name of the framework agreement credential: FrameworkAgreement.traceability edr: 
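Review bot: In the `stringData` branch `puris-dtr-idp-puris-client-secret: {{ .Values.backend.puris.dtr.idp.clients.puris.secret | quote }}` silently renders `""` when the value is unset, and the chart README in this same change documents `backend.puris.dtr.idp.enabled` as defaulting to `true`, so a default install produces a Secret holding an empty client secret that the backend will present to the IdP. Guarding it with Helm's `required` when the integration is on, e.g. `{{ if .Values.backend.puris.dtr.idp.enabled }}{{ required "backend.puris.dtr.idp.clients.puris.secret is mandatory when backend.puris.dtr.idp.enabled=true" .Values.backend.puris.dtr.idp.clients.puris.secret | quote }}{{ else }}{{ .Values.backend.puris.dtr.idp.clients.puris.secret | quote }}{{ end }}`, makes that an install-time error instead. The `data` branch has the same gap on upgrade: a `secret-backend-puris` created by chart 2.2.0 has no `puris-dtr-idp-puris-client-secret` key, so `index $secret.data "puris-dtr-idp-puris-client-secret"` yields nothing and the key is written empty without any warning.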
@@ -432,6 +434,29 @@ backend: dtr: # --Endpoint for DTR url: http://localhost:4243 + idp: + # -- enables the usage of the IDP for the DTR. + enabled: true + # -- token url of the idp for your specific realm. May be different to other idp token url in this config. + # Mandatory if backend.puris.dtr.idp.enabled = true. + tokenurl: https://keycloak-service.com/realms/your-realm/openid-connect/token + clients: + edc: + # -- id of the client that has a service account with roles to view the DTR. Used by the application to create + # DTR asset in the edc with read only access. See Admin Guide. Mandatory if + # backend.puris.dtr.idp.enabled = true. + id: FOSS-EDC-CLIENT + secret: + # -- alias for the vault used by the EDC in which the secret is stored. Mandatory if + # backend.puris.dtr.idp.enabled = true. + alias: path/secret-name + puris: + # -- id of the client that has a service account with roles to manage the DTR. Used by the application to + # create and update digital twins. See Admin Guide. Mandatory if backend.puris.dtr.idp.enabled = true. + id: FOSS-PURIS-CLIENT + # -- secret of the client with write access (no vault alias). No default value will be created if empty. + # Mandatory if backend.puris.dtr.idp.enabled = true. + secret: # -- Flag that decides whether the auto-generation feature of the puris backend is enabled. # Since all Material entities are required to have a CatenaX-Id, you must enter any pre-existing CatenaX-Id # via the materials-API of the backend, when you are inserting a new Material entity to the backend's diff --git a/docs/DEVELOPMENT.md b/docs/DEVELOPMENT.md index 593eeb10..8f7ab850 100644 --- a/docs/DEVELOPMENT.md +++ b/docs/DEVELOPMENT.md 
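Review bot: `enabled: true` is the default while `secret:` is left bare (YAML null) and `tokenurl` points at the placeholder host `keycloak-service.com`, so `helm install` with unmodified values switches the DTR IdP integration on with no credential and, if that hostname resolves, the backend would presumably POST the placeholder client id to a host the operator does not control at its first DTR call; `enabled: false` is the safer default and matches `${PURIS_DTR_IDP_ENABLED:false}` in application.properties from this same change. The example `https://keycloak-service.com/realms/your-realm/openid-connect/token` is also missing the `/protocol/` segment that the application.properties default `.../realms/Customer/protocol/openid-connect/token` uses, so an operator who only swaps host and realm gets a 404 from Keycloak; use `https://keycloak-service.com/realms/your-realm/protocol/openid-connect/token`. Writing `secret: ""` instead of a bare `secret:` documents that a string is expected and keeps a null from reaching the secret template.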
@@ -1,6 +1,6 @@ ## Setup development database -For local development a postgresql database is needed. The file local/docker-compose-dev-postgres.yaml provides a +For local development a postgresql database is needed. The file local/docker-compose-dev-postgres.yaml provides a postgres that can be started freshly for development: ```shell @@ -14,21 +14,26 @@ docker compose -f docker-compose-dev-postgres.yaml down ``` _NOTE: For testing purposes HyperSql is still used but excluded for spring run._ +ll ## Keeping dependencies-files up to date + ### Backend -Navigate to the `./backend` folder and run: +Navigate to the `./backend` folder and run: + ``` mvn org.eclipse.dash:license-tool-plugin:license-check cp DEPENDENCIES ../DEPENDENCIES_BACKEND ``` -The first line runs the maven license tool with the parameters specified in the + +The first line runs the maven license tool with the parameters specified in the `./backend/pom.xml` and produces a DEPENDENCIES file in the .`/backend` folder. -Then this file gets copied to the PURIS-project root folder under the name `DEPENDENCIES_BACKEND`. -Both files should be updated prior to any pull request. +Then this file gets copied to the PURIS-project root folder under the name `DEPENDENCIES_BACKEND`. +Both files should be updated prior to any pull request. ### Frontend + ``` # move to a persistent folder. Could also be ~/jars. mv org.eclipse.dash.licenses-1.0.2.jar ~/coding/org.eclipse.dash.licenses-1.0.2.jar 
@@ -45,19 +50,25 @@ eclipseDashTool package-lock.json -project automotive.tractusx -summary ../DEPEN ## Frontend container building workaround to use environment variables for vue ### The mechanism for docker is the following: + - `.env` has vite variables -- `.env.dockerbuild` has the vite variable that maps on an environment variable (`VITE_BACKEND_BASE_URL=$BACKEND_BASE_URL`) +- `.env.dockerbuild` has the vite variable that maps on an environment + variable (`VITE_BACKEND_BASE_URL=$BACKEND_BASE_URL`) - `src/config.json` has the environment variable names and the environment variable to substring in a json format. ### When building the container: + 1. `.env.dockerbuild` is used 2. vite / vue builds the application into a dest folder, that will be served by nginx -> Result for the .env:
VITE_BACKEND_BASE_URL won't write a variable value BUT a placeholder into the built files ($BACKEND_BASE_URL) +> Result for the .env:
VITE_BACKEND_BASE_URL won't write a variable value BUT a placeholder into the built files ( +> $BACKEND_BASE_URL) ### When building the container, there is a "start-nginx.sh" file that does the following + 1. Collects the environment variables (set for the docker container / set via helm as `BACKEND_BASE_URL`) -2. Looks-up the "to replace string" from `config.json` (e.g., for `BACKEND_BASE_URL`, it will search for `$BACKEND_BASE-URL` in the built files) +2. Looks-up the "to replace string" from `config.json` (e.g., for `BACKEND_BASE_URL`, it will search + for `$BACKEND_BASE-URL` in the built files) 3. Does the replacement in the built files 4. Starts nginx @@ -66,8 +77,9 @@ eclipseDashTool package-lock.json -project automotive.tractusx -summary ../DEPEN When changing the helm charts due to changes of e.g. environment variables, one should test locally whether the changes work. -First thing one should check is whether the templates may be resolved / substituted correctly and if your changes are +First thing one should check is whether the templates may be resolved / substituted correctly and if your changes are defaulted correctly: + ```shell cd charts/puris helm template . 
@@ -75,17 +87,20 @@ helm template . ``` Now build your images as explained in the respective install.mds. + - [backend](../backend/INSTALL.md) - [frontend](../frontend/INSTALL.md) Now you need to update your Chart.yml and values.yml: + - Chart.yml: change `appVersion` to your build tag (e.g., `dev`) - values.yml: for both frontend and backend change the image - - `repository` should be set to the image name used during docker build (e.g., `puris-backend`, `puris-frontend`) - - `pullPolicy` should be set to `Never` + - `repository` should be set to the image name used during docker build (e.g., `puris-backend`, `puris-frontend`) + - `pullPolicy` should be set to `Never` -Now depending on your runtime environment you need to load the images into it (we assume, you built puris-backend:dev +Now depending on your runtime environment you need to load the images into it (we assume, you built puris-backend:dev and (puris-frontend:dev): + ```shell # minikube minikube image load puris-backend:dev @@ -96,6 +111,7 @@ docker image ls | grep puris-backend minikube image ls --format table | grep puris-frontend docker image ls | grep puris-frontend ``` + ```shell # kind kind load puris-backend:dev @@ -108,6 +124,7 @@ docker image ls | grep puris-backend docker exec -it {container-id} crictl images | grep puris-frontend docker image ls | grep puris-frontend ``` + **ATTENTION: MAKE SURE THAT THE IMAGE ID IN YOUR KUBERNETES ENVIRONMENT IS THE SAME AS IN YOUR LOCAL DOCKER.** Else you can delete images as follows: diff --git a/frontend/DEPENDENCIES b/frontend/DEPENDENCIES index dbc2562c..09e994b8 100644 --- a/frontend/DEPENDENCIES +++ b/frontend/DEPENDENCIES 
@@ -211,7 +211,7 @@ npm/npmjs/-/reusify/1.0.4, MIT, approved, clearlydefined npm/npmjs/-/rimraf/3.0.2, ISC, approved, clearlydefined npm/npmjs/-/rollup/4.9.5, MIT, approved, clearlydefined npm/npmjs/-/run-parallel/1.2.0, MIT, approved, clearlydefined -npm/npmjs/-/scheduler/0.23.0, MIT, approved, clearlydefined +npm/npmjs/-/scheduler/0.23.0, MIT, approved, #14589 npm/npmjs/-/semver/6.3.1, ISC, approved, clearlydefined npm/npmjs/-/semver/7.5.4, ISC, approved, clearlydefined npm/npmjs/-/shebang-command/2.0.0, MIT, approved, clearlydefined diff --git a/local/cleanup.sh b/local/cleanup.sh index c769c67d..681e70a9 100644 --- a/local/cleanup.sh +++ b/local/cleanup.sh @@ -22,6 +22,7 @@ docker compose down -v docker compose -f docker-compose-infrastructure.yaml down -v +docker compose -f docker-compose-idp.yaml down -v docker image rm local-vault rm .env rm ./vault/secrets -r diff --git a/local/docker-compose-infrastructure.yaml b/local/docker-compose-infrastructure.yaml index 9cf87ecc..6477990f 100644 --- a/local/docker-compose-infrastructure.yaml +++ b/local/docker-compose-infrastructure.yaml @@ -48,16 +48,21 @@ services: - miw-net keycloak: - image: quay.io/keycloak/keycloak:21.1 + image: quay.io/keycloak/keycloak:23.0.1 env_file: - - ./miw/infrastructure.properties + - ./miw/keycloak.properties environment: DB_SCHEMA: public command: + - --verbose - start-dev - --import-realm volumes: - ./miw/keycloak-setup.json:/opt/keycloak/data/import/miw_test_realm.json + - ./keycloak/supplier/Supplier-realm.json:/opt/keycloak/data/import/Supplier-realm.json + - ./keycloak/supplier/Supplier-users-0.json:/opt/keycloak/data/import/Supplier-users-0.json + - ./keycloak/customer/Customer-realm.json:/opt/keycloak/data/import/Customer-realm.json + - ./keycloak/customer/Customer-users-0.json:/opt/keycloak/data/import/Customer-users-0.json ports: - "127.0.0.1:8080:8080" depends_on: diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml index b0accbcd..79d3d890 100644 
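Review bot: `docker-compose-idp.yaml`, which the new `down -v` line tears down, is not in this patch's diffstat; if the file is absent `docker compose` exits non-zero and, depending on whether cleanup.sh runs under `set -e` (not visible in the hunk), the remaining steps (`docker image rm local-vault`, `rm .env`, `rm ./vault/secrets -r`) may be skipped, leaving generated secrets on disk. Either add the compose file in this commit or guard the call: `[ -f docker-compose-idp.yaml ] && docker compose -f docker-compose-idp.yaml down -v`. The rest of cleanup.sh is outside the hunk.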
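Review bot: The mounted realm exports contain `${KC_MANAGE_CLIENT_ID}`, `${KC_READ_CLIENT_ID}`, `${CUSTOMER_KC_REALM_NAME}` and `${CUSTOMER_KC_DTR_*_CLIENT_SECRET}` placeholders, which Keycloak substitutes from the container environment at `--import-realm` time, yet this hunk passes only `DB_SCHEMA` in `environment:` and the new `./miw/keycloak.properties` is not shown; if those variables are not in that file the clients are imported with the literal placeholder strings as clientId and secret and client_credentials against the DTR fails silently. Please make sure the env file carries every variable the realm files reference (the `.env` written by generate-keys.sh is used for compose interpolation, not for the container environment, unless it is also listed under `env_file`). Separately, the imported `${KC_MANAGE_CLIENT_ID}` client is a service-account client but is exported with `"standardFlowEnabled": true`, `"redirectUris": ["/*"]` and `"webOrigins": ["/*"]`; for a confidential client that never performs browser login these should be `false` and `[]` to remove the wildcard redirect/CORS surface. `--verbose` is fine for the local compose but should not be carried into any deployed Keycloak command line.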
--- a/local/docker-compose.yaml +++ b/local/docker-compose.yaml @@ -83,7 +83,7 @@ services: postgres-customer: condition: service_healthy healthcheck: - test: [ "CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors" ] + test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors"] interval: 4s timeout: 3s retries: 15 @@ -111,7 +111,7 @@ services: ports: - "127.0.0.1:5433:5432" healthcheck: - test: [ "CMD-SHELL", "pg_isready -d puris-customer -U ${PG_USER}" ] + test: ["CMD-SHELL", "pg_isready -d puris-customer -U ${PG_USER}"] interval: 4s timeout: 3s retries: 15 @@ -227,7 +227,7 @@ services: postgres-supplier: condition: service_healthy healthcheck: - test: [ "CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors" ] + test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors"] interval: 4s timeout: 3s retries: 15 @@ -238,8 +238,13 @@ services: SPRING_DATASOURCE_URL: jdbc:postgresql://supplier-postgres:5432/dtr_database SPRING_DATASOURCE_USERNAME: ${PG_USER} SPRING_DATASOURCE_PASSWORD: ${PG_PW} - SPRING_PROFILES_ACTIVE: local + REGISTRY_IDM_OWNING_TENANT_ID: ${SUPPLIER_BPNL} + REGISTRY_USE_GRANULAR_ACCESS_CONTROL: false JAVA_TOOL_OPTIONS: "-Xms512m -Xmx1024m" + # outcomment SPRING_PROFILES_ACTIVE if idp should be used + SPRING_PROFILES_ACTIVE: local + REGISTRY_IDM_PUBLIC_CLIENT_ID: ${KC_READ_CLIENT_ID} + SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "http://keycloak-supplier:10080/realms/Catena-X" networks: - miw-net extra_hosts: @@ -255,7 +260,7 @@ services: ports: - "127.0.0.1:5435:5432" healthcheck: - test: [ "CMD-SHELL", "pg_isready -d puris-supplier -U ${PG_USER}" ] + test: ["CMD-SHELL", "pg_isready -d puris-supplier -U ${PG_USER}"] interval: 4s timeout: 3s retries: 15 diff --git a/local/generate-keys.sh b/local/generate-keys.sh index 61c742f1..49194643 100644 --- a/local/generate-keys.sh +++ b/local/generate-keys.sh 
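Review bot: `SPRING_PROFILES_ACTIVE: local` stays active by default, so the newly added `REGISTRY_IDM_PUBLIC_CLIENT_ID` and `SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI` are inert and the supplier DTR still runs without token validation; if the local setup is meant to exercise the IdP path, invert the default (comment the profile out and document how to re-enable it) instead of shipping the unauthenticated mode. The issuer URI `http://keycloak-supplier:10080/realms/Catena-X` does not match the Keycloak service this patch defines in docker-compose-infrastructure.yaml (service `keycloak`, port 8080, realm name parameterised as `${CUSTOMER_KC_REALM_NAME}` in the customer export); unless a separate `keycloak-supplier` service exists in a compose file outside this patch, `iss` validation will reject every token. Only the supplier DTR service is changed here, so the customer DTR appears to receive no `REGISTRY_IDM_*` settings and the two sides will behave differently. `REGISTRY_USE_GRANULAR_ACCESS_CONTROL: false` should be written as `"false"` so the compose loader passes a string rather than a YAML boolean.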
@@ -25,6 +25,14 @@
 # create folders, if not existing
 mkdir -p ./vault/secrets
 
+CUSTOMER_KC_DTR_EDC_CLIENT_SECRET=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+SUPPLIER_KC_DTR_EDC_CLIENT_SECRET=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+
+CUSTOMER_KC_MIW_CLIENT_SECRET=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+SUPPLIER_KC_MIW_CLIENT_SECRET=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+
 # generate .env
 echo "Creating .env"
 cat << EOF > .env
@@ -34,12 +42,18 @@ PG_USER=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
 PG_PW=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
 VAULT_SECRETS_DIR=/vault/secrets/
 KC_MIW_ENC=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+
+CUSTOMER_BPNL=BPNL4444444444XX
 CUSTOMER_OAUTH_SECRET_ALIAS=customer.miw.secret
 CUSTOMER_OAUTH_CLIENT_ID=customer_private_client
 CUSTOMER_PRIVATE_KEY_ALIAS=customer-key
 CUSTOMER_PUBLIC_KEY_ALIAS=customer-cert
 CUSTOMER_ENCRYPTION_KEYS_ALIAS=customer-encryption-keys
 CUSTOMER_BACKEND_API_KEY=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
+CUSTOMER_KC_DTR_EDC_CLIENT_ALIAS=customer.dtr.edc-client.secret
+CUSTOMER_KC_DTR_PURIS_CLIENT_ALIAS=customer.dtr.puris-client.secret
+
+SUPPLIER_BPNL=BPNL1234567890ZZ
 SUPPLIER_OAUTH_SECRET_ALIAS=supplier.miw.secret
 SUPPLIER_OAUTH_CLIENT_ID=supplier_private_client
 SUPPLIER_PRIVATE_KEY_ALIAS=supplier-key
@@ -47,9 +61,21 @@ SUPPLIER_PUBLIC_KEY_ALIAS=supplier-cert
 SUPPLIER_ENCRYPTION_KEYS_ALIAS=supplier-encryption-keys
 SUPPLIER_BACKEND_API_KEY=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
 KEYCLOAK_MIW_PUBLIC_CLIENT=miw_public
+SUPPLIER_KC_DTR_EDC_CLIENT_ALIAS=supplier.dtr.edc-client.secret
+SUPPLIER_KC_DTR_PURIS_CLIENT_ALIAS=supplier.dtr.puris-client.secret
+
 KEYCLOAK_ADMIN=admin
 KEYCLOAK_ADMIN_PASSWORD=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32`
 KEYCLOAK_CLIENT_ID=miw_private_client
+SUPPLIER_KC_MIW_CLIENT_SECRET=$SUPPLIER_KC_MIW_CLIENT_SECRET
+CUSTOMER_KC_MIW_CLIENT_SECRET=$CUSTOMER_KC_MIW_CLIENT_SECRET
+
+KC_READ_CLIENT_ID=FOSS-EDC_CLIENT
+CUSTOMER_KC_DTR_EDC_CLIENT_SECRET=$CUSTOMER_KC_DTR_EDC_CLIENT_SECRET
+SUPPLIER_KC_DTR_EDC_CLIENT_SECRET=$SUPPLIER_KC_DTR_EDC_CLIENT_SECRET
+KC_MANAGE_CLIENT_ID=FOSS-DTR-CLIENT
+CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET=$CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET
+SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET=$SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET
 EOF
 
 echo "Creating customer key, cert, keys and SHA... "
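Review bot: `KC_READ_CLIENT_ID=FOSS-EDC_CLIENT` uses an underscore while its sibling `KC_MANAGE_CLIENT_ID=FOSS-DTR-CLIENT` and the Helm defaults added in this patch (`FOSS-EDC-CLIENT`, `FOSS-PURIS-CLIENT`) use hyphens and even a different name for the manage client; the realm export and the DTR's `REGISTRY_IDM_PUBLIC_CLIENT_ID` both read this variable so the local stack is self-consistent, but anyone pointing the chart defaults at this realm gets an unknown-client error, so settle on `KC_READ_CLIENT_ID=FOSS-EDC-CLIENT` and align the manage-client name with the chart. The generated `.env` now holds the plaintext Keycloak client secrets for both tenants in addition to the vault copies; that is acceptable for a throw-away local setup, but the script should `chmod 600 .env` after the heredoc (or set `umask 077` before it) and the docs should say the file is secret. The heredoc is intentionally unquoted so the `$..._SECRET` references expand at generation time, which also means the secrets show up verbatim in any `docker compose config` output.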
@@ -57,15 +83,19 @@ CUSTOMER_CERT="./vault/secrets/customer.cert" CUSTOMER_KEY="./vault/secrets/customer.key" CUSTOMER_ENCRYPTION_KEYS="./vault/secrets/customer-encryption.keys" CUSTOMER_MIW_CLIENT_SECRET="./vault/secrets/customer.miw.secret" + +CUSTOMER_KC_DTR_EDC_CLIENT_SECRET_FILE_PATH="./vault/secrets/customer.dtr.edc-client.secret" +echo -n $CUSTOMER_KC_DTR_EDC_CLIENT_SECRET >> $CUSTOMER_KC_DTR_EDC_CLIENT_SECRET_FILE_PATH +CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET_FILE_PATH="./vault/secrets/customer.dtr.puris-client.secret" +echo -n $CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET>> $CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET_FILE_PATH + openssl req -newkey rsa:2048 -new -batch -nodes -x509 -days 3650 -text -keyout $CUSTOMER_KEY -out $CUSTOMER_CERT # EDC token encryption keys for edc-extensions/data-encryption key=`openssl rand -base64 32` printf "${key}" > $CUSTOMER_ENCRYPTION_KEYS -# Generate new random password for customer in miw -miw_secret=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32` -printf "${miw_secret}" > $CUSTOMER_MIW_CLIENT_SECRET -jq ".clients[5].secret = \"$miw_secret\"" ./miw/keycloak-setup.json > ./miw/keycloak-setup-temp.json +# Save customer secret (miw) to file for vault put +printf "${CUSTOMER_KC_MIW_CLIENT_SECRET}" > $CUSTOMER_MIW_CLIENT_SECRET CUSTOMER_CERT_SHA="$(openssl x509 -in "$CUSTOMER_CERT" -noout -sha256 -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d : | sed 's/.*=//')" 
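Review bot: The two new `echo -n $... >> $..._FILE_PATH` lines append instead of overwrite, unlike every other secret write in this script (`printf "..." > FILE`); re-running generate-keys.sh without cleanup.sh leaves the previous secret concatenated in front of the new one, so the value pushed to vault no longer matches what Keycloak imports and the EDC/PURIS token requests fail in a way that is hard to diagnose. Use `printf '%s' "$CUSTOMER_KC_DTR_EDC_CLIENT_SECRET" > "$CUSTOMER_KC_DTR_EDC_CLIENT_SECRET_FILE_PATH"` (and the same for the PURIS client); quoting also keeps the value intact should the generator ever emit shell-special characters. The files under ./vault/secrets are created with the default umask — a `umask 077` near the top of the script (outside this hunk) would make every generated key and secret owner-readable only.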
@@ -74,18 +104,19 @@ SUPPLIER_CERT="./vault/secrets/supplier.cert" SUPPLIER_KEY="./vault/secrets/supplier.key" SUPPLIER_ENCRYPTION_KEYS="./vault/secrets/supplier-encryption.keys" SUPPLIER_MIW_CLIENT_SECRET="./vault/secrets/supplier.miw.secret" + +SUPPLIER_KC_DTR_EDC_CLIENT_SECRET_FILE_PATH="./vault/secrets/supplier.dtr.edc-client.secret" +echo -n $SUPPLIER_KC_DTR_EDC_CLIENT_SECRET >> $SUPPLIER_KC_DTR_EDC_CLIENT_SECRET_FILE_PATH +SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET_FILE_PATH="./vault/secrets/supplier.dtr.puris-client.secret" +echo -n $SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET >> $SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET_FILE_PATH + openssl req -newkey rsa:2048 -new -batch -nodes -x509 -days 3650 -text -keyout $SUPPLIER_KEY -out $SUPPLIER_CERT # EDC token encryption keys for edc-extensions/data-encryption key=`openssl rand -base64 32` printf "${key}" > $SUPPLIER_ENCRYPTION_KEYS -# Generate new random password for supplier in miw -miw_secret=`openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32` -printf "${miw_secret}" > $SUPPLIER_MIW_CLIENT_SECRET -jq ".clients[6].secret = \"$miw_secret\"" ./miw/keycloak-setup-temp.json > ./miw/keycloak-setup.json - -# remove temp file -rm ./miw/keycloak-setup-temp.json +# Save customer secret (miw) to file for vault put +printf "${SUPPLIER_KC_MIW_CLIENT_SECRET}" > $SUPPLIER_MIW_CLIENT_SECRET SUPPLIER_CERT_SHA="$(openssl x509 -in "$SUPPLIER_CERT" -noout -sha256 -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d : | sed 's/.*=//')" diff --git a/local/keycloak/INSTALL.md b/local/keycloak/INSTALL.md index fe6ed687..9df80f9a 100644 --- a/local/keycloak/INSTALL.md +++ b/local/keycloak/INSTALL.md 
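Review bot: Same append problem as on the customer side: `echo -n $SUPPLIER_KC_DTR_..._SECRET >> ...` should be `printf '%s' "$SUPPLIER_KC_DTR_EDC_CLIENT_SECRET" > "$SUPPLIER_KC_DTR_EDC_CLIENT_SECRET_FILE_PATH"` (likewise for the PURIS client) so a second run replaces the file rather than extending it. The new comment `# Save customer secret (miw) to file for vault put` was copied into the supplier section and should read `# Save supplier secret (miw) to file for vault put`. With the `jq` patching of keycloak-setup.json removed, the MIW client secrets must now reach Keycloak another way — presumably `${SUPPLIER_KC_MIW_CLIENT_SECRET}` placeholders in the rewritten keycloak-setup.json plus the new env file — but neither is visible here, so please confirm the regenerated realm file actually references those variables before merging.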
@@ -1,20 +1,21 @@ -# Running the Keyckloak with a Sample Realm +# Running the Keyckloak with a Sample Realm (Frontend) Runs a Keycloak with an `admin` user overall and a user `puris_user` with the role `PURIS_USER` and a user `puris_admin` -with the role `PURIS_ADMIN` in the client `Cl3-PURIS`. Username = Password. +with the role `PURIS_ADMIN` in the client `Cl3-PURIS`. Username = Password. ```sh cd local/keycloak docker run -p 10081:8080 --name keycloak \ -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \ -v ./puris-config/:/opt/keycloak/data/import \ -quay.io/keycloak/keycloak:23.0 \ +quay.io/keycloak/keycloak:23.0.1 \ start-dev --import-realm ``` ## Updating the data If you would like to update the keycloak data, you can do as follows: + ```shell # Create temporary keycloak data docker volume docker volume create kc-temp-data @@ -24,7 +25,7 @@ docker run -p 8081:8080 --name kc-temp \ -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \ -v ./puris-config/:/opt/keycloak/data/import \ -v kc-temp-data:/opt/keycloak/data \ -quay.io/keycloak/keycloak:23.0.0 \ +quay.io/keycloak/keycloak:23.0.1 \ start-dev # Open http://localhost:8181 and modify the realms 
@@ -52,3 +53,70 @@ docker volume rm kc-temp-data # make sure to remove the array "org.keycloak.keys.KeyProvider" (contains unneeded credentials) # from realm file ``` + +## Updating Data via compose (DTR) + +When running keycloak in the compose one may perform changes via the admin console. If these changes need to be applied +to the local setup in future, an export is needed. This export can be done as follows. + +1. Do the export in the docker container + +```shell +# create interactive shell in docker container of keycloak with changes +docker exec -it keycloak /bin/sh + +# change directory and create export folder +cd /opt/keycloak +mkdir exports + +# perform export (note: some things can't be exported when stil running - for us should be ok) +bin/kc.sh export --dir exports +``` + +2. Get the export to the import files + +```shell +# assume you opened the shell in local/keycloak/supplier +docker cp keycloak:/opt/keycloak/exports import +``` + +The import should already consider all files in the directory on container creation of the keycloak + +## Verify your DTR configuration + +The DTR supports the client_credentials grant_type. Thus, the following configuration needs to be done: + +- configure a client for the application in question (e.g. for the EDC) +- in the client enable authentication and service account roles +- save +- in the client, add roles following the dtr documentation +- in the client > service account tab -> add roles accordingly + +The PURIS applications needs two clients: + +- one for the EDC having read access for twins (used when discovering and reading twins as partner) +- one for the DTR having administrative privileges (used to create and update shell-descriptors) + +To verify your role and client configuration is working, you can do as follows using the local deployment: + +```shell +# open shell to any container e.g. 
dtr +docker exec -it keycloak /bin/sh + +CLIENT_ID=YOUR CLIENT ID +CLIENT_SECRET=YOUR CLIENT SECRET +REALM=YOUR REALM +DTR_ADDRESS=YOUR DTR address like http://dtr-supplier:4243/api/v3/shell-descriptors + +# Get token and save to BEARER_TOKEN +RESPONSE=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET" \ + --header="Content-Type: application/x-www-form-urlencoded" \ + http://keycloak:8080/realms/$REALM/protocol/openid-connect/token) + +BEARER_TOKEN=$(echo "$RESPONSE" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p') + +# Get all shell-descriptors (validates role view_digital_twin if no 400) +wget --header="Authorization: Bearer $BEARER_TOKEN" $DTR_ADDRESS +``` + +Note: verification using postman on host does not work because the iss claim uses the external port. diff --git a/local/keycloak/customer/Customer-realm.json b/local/keycloak/customer/Customer-realm.json new file mode 100644 index 00000000..9aef4181 --- /dev/null +++ b/local/keycloak/customer/Customer-realm.json 
@@ -0,0 +1,2505 @@ +{ + "id": "365008e7-9d93-4b0b-a2d5-4e1c5409f6e7", + "realm": "${CUSTOMER_KC_REALM_NAME}", + "displayName": "", + "displayNameHtml": "", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "cfe0a556-f5f6-4836-a9e0-4381eabb130d", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "365008e7-9d93-4b0b-a2d5-4e1c5409f6e7", + "attributes": {} + }, + { + "id": "62a99fe3-4fde-40b1-8907-4306d2e41990", + "name": "default-roles-cl-puris", + "description": "${role_default-roles}", + 
"composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "365008e7-9d93-4b0b-a2d5-4e1c5409f6e7", + "attributes": {} + }, + { + "id": "64edcaa3-a705-4004-a55c-6d0fe373c056", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "365008e7-9d93-4b0b-a2d5-4e1c5409f6e7", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "a44962cc-5872-4e7d-8215-6c34bfd8279b", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "028c790f-de13-439b-8a04-4060bd0a9117", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "c1948951-5d86-473b-b621-dfebecac3e24", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "7cc34c6f-358a-4bb7-bcd3-f300e8d6b49a", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "28d1790c-e98a-4759-8720-802a3b1f7e30", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "576c7302-1ec4-487a-bc0d-c024976adfd3", + "name": 
"view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "80d7561d-a4d0-4b8e-b627-c96414d099d2", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "b5fb1ece-6aec-4a61-8683-a8a34a3436a0", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "a86b3909-94d9-4f2e-819a-a11e4842f1ad", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "a2cbfabc-f12d-4802-a94a-ff08782794e2", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "4d913f36-aa55-4f01-8caf-5b5fe6f382a3", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "e0c5ba14-d46d-4a68-a4ed-de67e7aeb74d", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "031e3ff1-54b7-44b5-bd65-44cdc19506dc", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", 
+ "attributes": {} + }, + { + "id": "64fe0d74-edb2-47bf-ba37-a2bc08ad894b", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "8335ca6b-0a87-4400-8ec3-7d32256c4662", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "7a5105cf-274b-4bbd-bc86-8ef1e6d135a2", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "9b5c6f84-3add-4947-af12-24ab3379107f", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "d9140725-6f45-493b-812d-ae9c01229728", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + }, + { + "id": "7b9c09ae-6b82-4ef7-866e-e0158c21edc0", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "manage-events", + "impersonation", + "manage-authorization", + "view-users", + "view-authorization", + "view-clients", + "view-identity-providers", + "view-realm", + "manage-users", + "query-realms", + "manage-identity-providers", + "query-groups", + "manage-clients", + "query-clients", + "manage-realm", + "create-client", + "view-events", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "attributes": {} + } + ], + "${KC_MANAGE_CLIENT_ID}": [ + { + "id": 
"45691f0f-7b59-4dcb-974b-056357956ac4", + "name": "update_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "attributes": {} + }, + { + "id": "ea8d6774-71c6-4292-bfff-87c405bb3157", + "name": "write_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "attributes": {} + }, + { + "id": "8939ab48-ea27-492c-aa22-7335fe9ab446", + "name": "submodel_access_control", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "attributes": {} + }, + { + "id": "b53a17d8-a0a9-449e-a047-f42b40dbaa0e", + "name": "view_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "attributes": {} + }, + { + "id": "f34b960b-80bf-4c03-8d96-fc2ce37d6480", + "name": "delete_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "attributes": {} + }, + { + "id": "6c897bac-88a8-4a12-bd0a-0e273f766763", + "name": "read_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "attributes": {} + }, + { + "id": "7a92d49e-f165-4846-b3ad-6beaed0daec5", + "name": "add_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "attributes": {} + } + ], + "security-admin-console": [], + "${KC_READ_CLIENT_ID}": [ + { + "id": "72c7dfc2-b5eb-4fd1-b9cc-fb8a97cbd6bd", + "name": "add_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "b8cce906-802a-4930-b738-85338a6a1690", + "attributes": {} + }, + { + "id": "4cd92c0f-065d-4842-a2df-83728f357bf4", + "name": "delete_digital_twin", + "description": "", 
+ "composite": false, + "clientRole": true, + "containerId": "b8cce906-802a-4930-b738-85338a6a1690", + "attributes": {} + }, + { + "id": "a61914e8-4b6c-4973-ac44-737030de24d8", + "name": "update_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "b8cce906-802a-4930-b738-85338a6a1690", + "attributes": {} + }, + { + "id": "38a19192-206c-42a4-9d54-8ba896be6972", + "name": "write_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "b8cce906-802a-4930-b738-85338a6a1690", + "attributes": {} + }, + { + "id": "331c4082-f7c2-448d-b31e-e489b0daa595", + "name": "submodel_access_control", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "b8cce906-802a-4930-b738-85338a6a1690", + "attributes": {} + }, + { + "id": "b010354c-3cc1-4712-82c2-e34e1937ac7f", + "name": "read_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "b8cce906-802a-4930-b738-85338a6a1690", + "attributes": {} + }, + { + "id": "eef0d63d-0332-47bf-9eaa-967a8884e6f5", + "name": "view_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "b8cce906-802a-4930-b738-85338a6a1690", + "attributes": {} + } + ], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "46f5a90d-4109-48b5-bc38-ce9484e2fcf4", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "d5081d15-3637-4f54-9a94-1c256091e7b9", + "attributes": {} + } + ], + "account": [ + { + "id": "55d5e60e-6776-4c0b-acab-b572962d9f29", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + }, + { + "id": "5447ccc6-392e-4a7b-80dd-4c98bdd9a05f", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": 
true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + }, + { + "id": "0cff897b-b21a-465b-b951-d66376563d95", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + }, + { + "id": "da079c6b-ed22-4c45-988c-c12c8be4ccfd", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + }, + { + "id": "14804f1f-8f19-4897-a3c4-ca62b431f262", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + }, + { + "id": "35c441f9-5f01-41a8-9b54-785e008a0443", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + }, + { + "id": "563ed5f8-eccd-4309-a96f-526e58b80735", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + }, + { + "id": "c8297397-03a1-4a68-8418-3bd7595984b8", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "62a99fe3-4fde-40b1-8907-4306d2e41990", + "name": "default-roles-cl-puris", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": 
"365008e7-9d93-4b0b-a2d5-4e1c5409f6e7" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "localizationTexts": {}, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyExtraOrigins": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "webAuthnPolicyPasswordlessExtraOrigins": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "f700e632-de0c-4078-bce7-3b8c3e15296c", + "clientId": 
"${KC_MANAGE_CLIENT_ID}", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET}", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1712066409", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "5ce7e141-025a-4aed-9903-7cc55e1d75f7", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "dc557be3-ee62-45fb-b9b3-b728270b62e3", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "fb0c6b4c-deb4-483a-a130-472cb84f339e", + "name": "Client ID", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "b8cce906-802a-4930-b738-85338a6a1690", + "clientId": "${KC_READ_CLIENT_ID}", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${CUSTOMER_KC_DTR_EDC_CLIENT_SECRET}", + "redirectUris": [ + "" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1711643730", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "a9120597-e238-4215-a822-6f20357042a5", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + 
"id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "bbadb594-1939-4654-8da1-6a2cd75233e2", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "718c55a1-5736-484f-b953-02ef4faa2380", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "86aa6342-3cdd-4ebd-a806-4e5553ad0c17", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/${CUSTOMER_KC_REALM_NAME}/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/${CUSTOMER_KC_REALM_NAME}/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, 
+ "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "d9ba0910-9ee1-4a8f-9928-3592e9b97b9b", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/${CUSTOMER_KC_REALM_NAME}/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/${CUSTOMER_KC_REALM_NAME}/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "b1478b90-4b80-49e9-8175-3ffdb5c38fa0", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "444245ee-6c64-4ff5-b186-566314e75927", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": 
false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "d5081d15-3637-4f54-9a94-1c256091e7b9", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "6a31c337-00a4-4690-b5bb-bf02779c6bbd", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + 
"directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "ce624823-a823-48da-9bc2-9b1d8ba31298", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/${CUSTOMER_KC_REALM_NAME}/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/${CUSTOMER_KC_REALM_NAME}/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "ac013752-6074-441f-b4a9-2133f60fc7d8", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + 
"profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "00395b3b-68d7-43d0-876a-c29b43fa0ddb", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "17889067-e4be-40ba-9145-a1c21dfc5c8d", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "2379f21b-ddcb-4575-932a-347d87919920", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "e07c9818-746a-40c5-bc40-d9d447879423", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "3d347749-bced-4bf0-948b-05ec7b78393b", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + 
"user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "e5a2829f-3671-4fc4-b52e-6d48e81ee60b", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "e982ab6e-6d6c-4bad-81ef-8dfe8ecaeb99", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "d06844e2-2e57-4200-9dad-ecd1f936aac2", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "752aa847-74c3-4bfc-b095-d843d67d94a7", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "68415388-2546-4663-8bab-4e7b702c26e3", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "introspection.token.claim": "true", + "user.attribute.postal_code": 
"postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "46a73f01-76b7-45c2-bab2-ef16e43ac34f", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "5fbe7258-389b-4f7a-ae5b-9c06d33061a2", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String" + } + }, + { + "id": "5ee95187-d6fd-4b33-806b-8f7505119351", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + }, + { + "id": "387a7151-81fa-42a0-a53f-94c70eeafca6", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "ecea355e-fa63-4a7c-bf78-42e43693f9b7", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + 
"protocolMappers": [ + { + "id": "0951278f-be85-4336-ae43-ffa5f4e312cb", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + }, + { + "id": "a5755aea-5994-486c-9dae-b10f8931e9ce", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "1b168540-7f49-4282-8683-d0896167a2b5", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "dc50adca-e392-44eb-8126-dd18ce69d455", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "1b980a7e-9d9f-4160-8bbf-72f1a7a65d71", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "dc1916cd-ba28-44c9-bdb2-66af8034402d", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + 
"attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "2c7d03f6-3e34-408c-b6f1-a37eb425c013", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "b3a800f7-1324-4201-a4f7-318aa9575b2d", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "5ffdf1ad-6761-4110-947d-d6c8bbee2eb2", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "4cd24b1c-8003-41da-bb4b-653be7d98a81", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "ac758532-4f0e-4094-b7eb-e7097d264481", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": 
"ac4bf253-2123-4ac3-bc1e-e0a698e6a306", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "e66a1401-877b-4a25-b502-4eeb9aeb7c58", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "51050cee-1499-4d0b-9cd1-05167447b09d", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "b114f1c5-242a-4ec8-8156-57194d7b0866", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "96c88056-f75c-431b-ad57-63942cfe013c", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + 
"user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "ecef5135-6b74-4504-80c3-ae748944ff11", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "fb79ed73-a078-4ec8-a04d-4ce8ef852e9e", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "2331c50a-35bf-4a10-8fc6-f9e556fc41f4", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "d8b38b60-24ec-4ae5-8ef9-7b76086d4ca8", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "0c7cdf20-2c3f-4cfb-9e0c-1acb2f10517c", + "name": "updated at", + "protocol": "openid-connect", 
+ "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "a77f4a08-ecda-4a45-8f74-8d71c4c0db05", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "9a8c3a14-1780-4ab3-aa7b-2640d17a48b1", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + 
"oidc-usermodel-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "saml-user-attribute-mapper", + "oidc-address-mapper", + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-full-name-mapper" + ] + } + }, + { + "id": "61e1cbc2-d5c9-4b4e-823a-234b33d5f6d5", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "d8825c45-15c2-404d-a1d2-db63d9c5f0b7", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "60f2ebf4-4e51-4b32-828d-c4581398adf5", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "a86245c5-a367-486a-a7be-5c0359ee98aa", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "13ac135a-4426-46b3-ac21-9c216a8cc189", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "ab336f7e-ffe4-4908-ae06-800f13627dad", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-address-mapper", + "saml-user-property-mapper", + "saml-role-list-mapper", + "saml-user-attribute-mapper" + ] + } + }, + { + "id": "2ada6f3c-2bc9-4d27-9386-2842ed205362", + "name": "Allowed Client Scopes", + "providerId": 
"allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "df627e9f-3231-4bb8-b33b-84f5a40baea1", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "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" + ], + "keyUse": [ + "ENC" + ], + "certificate": [ + "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" + ], + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "d47b5ee4-91f6-4b01-9a58-9628b1785d6f", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "MIIEpAIBAAKCAQEAu7NeqY5ALx52kgQrJ2BJzB1r0hW4UDlgX1tG5/Er51/Qc+VyHKxETZuAX4KW1sHOnjwmPoGg0I6GoeVrRrCPlUDl8nlP0Rf05XwZiEqnUJHpiqHaKa5L/m+mnBFhM8dlPzQhZLgh7vI/uoyPqpDm5T7c9ZS6GyiKFeYgC5jUL6AAn23Gzv1sRv94GoUFLYknvITeAt1o6w/0i+BGDmlVqBsp1mfpNPzdrmRVpnweQcdWjFFiYhauh9ACIKqQaK1lzv0aAKwELNRc+l8/VhzgDiRGDQ93J8tV6mqFuDTByzTZv7tDCnKXk37XrYr62BXIMgT5KDW0q6ewqxgH+WYUDQIDAQABAoIBACTqgsgzR5Fc2vId6sTcTbdc4/tWNUFl/3vRrnDowHtJn2xj6J0WDnr7BfUC8Jq9VF9Psi/h+9h456bIweAN0reGo5McY+PaY9qMnVLuZ9jTUcznx0oiUyTwHaMdUfJGmbWkEZtHEbl2oK0Wfx0LUbYttnSAc1frEbl74LqXLMhOxya0Pmft8mvJFuZW3tEolCzAZqkbyH0EgEwLnrcNmiSeV0jy0SEV885iojm8h4SFtzWST3T+wcx16IauokmsZk2BRSLeREk2x18ymDJh4aaxivWAv7ZlZsmpJam/sVzJB7WxFIqySJ45NBudE8bC3F9r2DRhzDtX5nb8EkDRr1ECgYEA/LyVi7vtsQafFBP7cFpOlIgP93glGVadXTRsK8DV0fjJxyLSBhKNKzM8+bs8LLo9j3i+g/ddg6lnK2v373HjtOWq5RTMRchFMf91lepnQKhCVnvSZoGQpQYQDjI+lsRH78CFP+I4/Ji11bY+qBkLgQI1J7rLSLdttOkNA/kHTNkCgYEAvh/PetC34PQFLMDhC/EP8kiTD7lGi12mpp+zNNBvVV1DEU4LID08vuCs0tmWkponQwizCIlJC6miaAw7ha28IuV06UcMZf3G0Ssn9VSW7TZe8tp7dFlsjHcof/JMBohcz8481HpdOuGlALfoXUaekYqNjxEe+hjoSdquFzMMEFUCgYEAj9IJD8Fbm3d3IwfT97WMLf3XiC24ftjJJ/bi72sGwjvfJxDrj0UTTFgWBM7FiXZZ/cDqOVKUxo2qBg2kw3994r0nKMFTFQrIRZFnqm3/X83gIjLIIkjstNvkWw/Aii8b+JUHvrjPUP7dysWwlhvabgmBkiA7+h9Xs
LFGFNKrktECgYBIts/akAMTlSB5ildIAu1vY5RjOiAh4zJ+naujcmhyRJYHA0s8DE+0TSesCK4O6chEWgpnJGJ8hGdp1evZ56WBzzJUmejDBTlJ/HBu4uhKVzYfObJnwF/EpTonHRs4kGS20ZDwTtBjWbOKv8uuCPlSfqQ/aHPpgScuP+W/V7WwdQKBgQDotWhr2DhjD3rkMMnyMoLrRZnqf4fZYMlK3QK61OP3+HaDEuYKs2UEcj5IsFnv0l0kDzOC5Y6NpC2NP+QyvG0j4vqJ14K+OsMAsEcSzlwzzCs6kciEB4XoKlhPfrOQ4tq4LCJxylryzglH7I8Y5YweEavDU2H0hqccnYBEoUuT8g==" + ], + "keyUse": [ + "SIG" + ], + "certificate": [ + "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" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "69df03b4-19bf-4543-89ea-40b8e5d1bbb8", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "kid": [ + "cf82b862-cb7a-4e75-b173-c3ea6a36589f" + ], + "secret": [ + "gAnBN8ZzcOpWZduo-mGBBQ" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "849e2629-1370-47f9-aedc-bee024de5adb", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "b1e3f30a-17b0-4220-85c3-6a7f04a9931f" + ], + "secret": [ + "f8838BBD6L5fxbbqgE2XyFyUncffqXsJLU-uyCg194ArteHoUYxJDHzrTENhLmUAB7nKFUOdOJoWJxf_DUg8Zg" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "f220f718-49f8-4490-a30e-c6f2c057180d", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": 
"ad747103-29ff-4d9e-b010-b2c328fc3f42", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "b4128e0e-0b5b-4e81-977b-dca8b41fcb86", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "58277503-6f70-41b9-974b-3ab4c7be16e6", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + 
"id": "cd7d478f-4ab9-484a-9003-7667e408a516", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "5d420d4d-706b-4490-8e01-f758932c6789", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "074d5456-780a-4c2f-8a8e-fc9cfcf52409", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": 
"Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "e11e8927-1df2-43e1-aa5c-b805bb016676", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "5c0c9505-64e9-42a0-8faf-2ce2b60fa4a3", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "17a4621b-50b9-4945-b1c1-c6a6d655db4a", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + 
"requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "ce990642-5d1f-49b1-9f1b-31012e93b5ee", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "9d5cb9d4-0053-489d-8baa-6b2b31c7362b", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": 
"c8945edd-e46b-434b-82f0-bd583ac8a391", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "7def0726-041f-43a4-a877-cc2e74edaac7", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "99a78a9f-2aca-4ff1-9723-375598daad74", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "ef765c26-3ce4-45cb-9fb1-e243494aa310", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + 
"builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "a1b69423-a9c1-4647-9811-931f9d2767e9", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "7eb9caa4-352e-40a7-ae07-10d405e3e975", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + 
"requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "7955973a-53f3-4bbe-b88e-392f40bc50a7", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "0a394e01-8322-4172-b1a4-ef5083121981", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + 
{ + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaAuthRequestedUserHint": "login_hint", + "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5", + "realmReusableOtpCode": "false", + "cibaExpiresIn": "120", + "oauth2DeviceCodeLifespan": "600", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + "frontendUrl": "", + "acr.loa.map": "{}" + }, + "keycloakVersion": "23.0.1", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} \ No newline at end of file diff --git a/local/keycloak/customer/Customer-users-0.json b/local/keycloak/customer/Customer-users-0.json new file mode 100644 index 00000000..ec9e5d20 --- /dev/null +++ b/local/keycloak/customer/Customer-users-0.json 
@@ -0,0 +1,55 @@
+{
+ "realm": "${CUSTOMER_KC_REALM_NAME}",
+ "users": [
+ {
+ "id": "dbc2c61d-2bfd-4fa9-85bb-8b08b60c2934",
+ "createdTimestamp": 1712066409143,
+ "username": "service-account-${KC_MANAGE_CLIENT_ID}",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "${KC_MANAGE_CLIENT_ID}",
+ "credentials": [],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-cl-puris"
+ ],
+ "clientRoles": {
+ "${KC_MANAGE_CLIENT_ID}": [
+ "update_digital_twin",
+ "write_access_rules",
+ "submodel_access_control",
+ "view_digital_twin",
+ "delete_digital_twin",
+ "read_access_rules",
+ "add_digital_twin"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "04bd5491-d1c0-4ce1-8bf9-cf895700b2b7",
+ "createdTimestamp": 1711643730251,
+ "username": "service-account-${KC_READ_CLIENT_ID}",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "${KC_READ_CLIENT_ID}",
+ "credentials": [],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-cl-puris"
+ ],
+ "clientRoles": {
+ "${KC_READ_CLIENT_ID}": [
+ "view_digital_twin"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ }
+ ]
+}
diff --git a/local/keycloak/supplier/Supplier-realm.json b/local/keycloak/supplier/Supplier-realm.json
new file mode 100644
index 00000000..77fdc4de
--- /dev/null
+++ b/local/keycloak/supplier/Supplier-realm.json
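Review bot: Both service accounts in this hunk are granted the realm role `default-roles-cl-puris`, which in the Supplier realm export further down in this patch (and presumably identically in the Customer realm, whose definition is outside this view) is a composite of `offline_access`, `uma_authorization` and the account client's `manage-account`/`view-profile`. A client-credentials service account that only talks to the DTR needs none of these, and `offline_access` in particular is what the realm's scope mapping uses to allow minting long-lived offline tokens. Least privilege would be `"realmRoles": []` for both users so the issued token carries only the `clientRoles` listed under each client, with the read-only account keeping just `view_digital_twin` as it does now. Note also that the role name is hard-coded while the realm name is templated as `${CUSTOMER_KC_REALM_NAME}`; that only resolves because the realm JSON keeps `defaultRole.name` as `default-roles-cl-puris`, which is worth stating in local/keycloak/INSTALL.md so nobody renames one without the other.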
@@ -0,0 +1,2505 @@ +{ + "id": "abe25177-e0ce-4a98-aaef-c5b396a7177f", + "realm": "${SUPPLIER_KC_REALM_NAME}", + "displayName": "", + "displayNameHtml": "", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "3324d946-cd90-4093-975c-5ed30802f0b5", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "abe25177-e0ce-4a98-aaef-c5b396a7177f", + "attributes": {} + }, + { + "id": "b598aeff-b6b8-43ff-9a67-feeb678fba99", + "name": "default-roles-cl-puris", + "description": "${role_default-roles}", + 
"composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "abe25177-e0ce-4a98-aaef-c5b396a7177f", + "attributes": {} + }, + { + "id": "1c5a9dd1-56a7-4782-9b19-6cda15aab77b", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "abe25177-e0ce-4a98-aaef-c5b396a7177f", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "4a1c9768-d782-49da-b0c2-d84ca179e59c", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "fef0b514-e6bd-4bf5-a20e-76fdc6b61f32", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "20f04b64-8e71-435c-8150-2a1c1a0bb819", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "bef4b422-a150-4b33-ac02-c6d1d92ca5f5", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "4fd496f1-4d98-4579-8909-3b558ea9e729", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "2c1f4599-16e5-4bd5-97f0-7fa354a0af28", + "name": 
"view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "56cf6af3-5e7d-45c1-b2e8-7f932e90c4ad", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "023bc612-91d4-4c6a-a23b-16d4caca008a", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "4e6aae6e-e89f-4eed-8c13-7696eb3c51f1", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "6a56e194-7118-41ff-a6af-1946ce8616ba", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "b1d8a441-ef86-44bb-80ec-23e1ab3f22b8", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "ea18b5bc-58b5-4f99-ac1e-7dad04ca4c32", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "8c4e8c6b-6a0b-4e3b-8d2e-d9f98afcff8c", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", 
+ "attributes": {} + }, + { + "id": "4b39be3e-2cbe-4c7e-8509-5e8f1e10931d", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "03b98a8d-27a3-44b7-ba1f-23401f690bcb", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "d25cce1f-6dab-4cf8-8204-63d050fdefc0", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "3d078e2f-1475-43d8-94d5-b8b11fac779c", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "5ddff09d-d8b2-4ee1-8295-b5649c28d380", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + }, + { + "id": "5c837a39-2e40-4a65-a627-cb732eaed00e", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "manage-events", + "impersonation", + "manage-authorization", + "view-users", + "view-authorization", + "view-clients", + "view-identity-providers", + "view-realm", + "manage-users", + "query-realms", + "manage-identity-providers", + "query-groups", + "manage-clients", + "query-clients", + "manage-realm", + "create-client", + "view-events", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "432c383a-685c-434b-87a1-2bcc13106d9a", + "attributes": {} + } + ], + "${KC_MANAGE_CLIENT_ID}": [ + { + "id": 
"dea19d5b-0c86-4274-a34a-3294606961e0", + "name": "update_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "attributes": {} + }, + { + "id": "f546a4ee-d970-46cd-aa1b-3944edad309f", + "name": "write_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "attributes": {} + }, + { + "id": "3d7abf66-2c73-487f-9514-abb956e554be", + "name": "submodel_access_control", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "attributes": {} + }, + { + "id": "265ce066-6f35-4507-8a41-ab4631c9b180", + "name": "view_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "attributes": {} + }, + { + "id": "0592bd8e-66ba-4e3e-8eea-16a577ac6e3c", + "name": "delete_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "attributes": {} + }, + { + "id": "693bf3e4-f36a-4d2e-b288-abe4b98cf5ed", + "name": "read_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "attributes": {} + }, + { + "id": "27adab73-ddc4-4113-9d24-5f4ff167fd2a", + "name": "add_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "attributes": {} + } + ], + "security-admin-console": [], + "${KC_READ_CLIENT_ID}": [ + { + "id": "84a28a44-64c0-4ce7-9dd6-3a474078c30c", + "name": "add_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "attributes": {} + }, + { + "id": "57fb1dbc-cac8-4893-a61e-1c996f186660", + "name": "delete_digital_twin", + "description": "", 
+ "composite": false, + "clientRole": true, + "containerId": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "attributes": {} + }, + { + "id": "2d80725f-602d-42c4-9585-5c3889fc6b2b", + "name": "update_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "attributes": {} + }, + { + "id": "93a683de-0ff9-46db-ac24-d3e0da914fe4", + "name": "write_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "attributes": {} + }, + { + "id": "243bbcc9-d5cd-488a-a596-bd308c206894", + "name": "submodel_access_control", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "attributes": {} + }, + { + "id": "b12a2b2e-cbb1-40d9-adad-98d1730bba3a", + "name": "read_access_rules", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "attributes": {} + }, + { + "id": "247705cb-5f65-40f7-9cca-d2974390cfaf", + "name": "view_digital_twin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "attributes": {} + } + ], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "8a5772f4-e801-45ac-8f4e-77a079e8bc68", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "9ab90324-e37a-47c7-827e-06128bce2d1a", + "attributes": {} + } + ], + "account": [ + { + "id": "4ba7601d-8146-424a-8be7-979eb43fb57f", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + }, + { + "id": "cbdb8b01-a234-4403-b335-ecd0f2dc19d7", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": 
true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + }, + { + "id": "ff8ccce7-615e-45f4-9636-88dc1cf75ecd", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + }, + { + "id": "04bd2fe2-ce1f-4903-b0f7-62ef1e695789", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + }, + { + "id": "2c520f7f-9607-4881-a7a3-df838983cf3c", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + }, + { + "id": "9fb506e9-e43e-42da-b26c-86c12f83805b", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + }, + { + "id": "4f4cfa78-0dc5-4961-ad40-c6a36c781db9", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + }, + { + "id": "847de8f9-c56f-4e69-8318-4310c59e7b8c", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "8aa7c318-8350-46af-9839-9f114eeda538", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "b598aeff-b6b8-43ff-9a67-feeb678fba99", + "name": "default-roles-cl-puris", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": 
"abe25177-e0ce-4a98-aaef-c5b396a7177f" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "localizationTexts": {}, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyExtraOrigins": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "webAuthnPolicyPasswordlessExtraOrigins": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "fd7b8c2d-cd0a-4dad-81b0-4dfa872d9d18", + "clientId": 
"${KC_MANAGE_CLIENT_ID}", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET}", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1712066409", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "95bb5795-7a1d-473c-9104-e2eae209fe75", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "982f9797-d21f-474d-8729-2f20f0ffef3b", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "f70f867d-4ab8-4c94-81bf-f127163e18c8", + "name": "Client ID", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "e28c4c96-7b0b-4a1d-9abe-5474f9957ced", + "clientId": "${KC_READ_CLIENT_ID}", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${SUPPLIER_KC_DTR_EDC_CLIENT_SECRET}", + "redirectUris": [ + "" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1711643730", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "7592c693-8b24-4d1d-8de9-a4b18435a105", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + 
"id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "ded7e680-2e98-4d2c-855c-c58467ee2c80", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "8bead602-a54a-44e6-8cc3-98037345e436", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "8aa7c318-8350-46af-9839-9f114eeda538", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/${SUPPLIER_KC_REALM_NAME}/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/${SUPPLIER_KC_REALM_NAME}/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, 
+ "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "9463d712-e0c7-4414-849c-3afddcc8fcc8", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/${SUPPLIER_KC_REALM_NAME}/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/${SUPPLIER_KC_REALM_NAME}/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "5bdc7d15-977d-4486-a239-d4c47a381c11", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "9563558d-01d1-4ed0-bb92-c2ad62b41aa0", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": 
false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "9ab90324-e37a-47c7-827e-06128bce2d1a", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "432c383a-685c-434b-87a1-2bcc13106d9a", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + 
"directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "c078a058-772c-4ad9-84e7-6f3de8b9c7fc", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/${SUPPLIER_KC_REALM_NAME}/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/${SUPPLIER_KC_REALM_NAME}/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "1f49a925-58fa-4d5e-9b64-ba46797b0d95", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + 
"profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "dc6e11cf-dc45-4069-aa04-b7a865d44586", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "475a57cf-04a9-4104-a541-6a3155b384e5", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "608b5f52-be90-4834-b801-49c19721a6fb", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "999689df-2196-41b0-9817-a8f0b32029c5", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "59a2c33b-8408-43a3-9b61-3e571396519f", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + 
"user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "21efc6c6-5c7f-4bac-88cb-2ec67e2f499c", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "c6328d25-2326-4643-b018-6f625ad8ec7f", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "237e3f96-8442-47ed-9341-682a0ee07a5f", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "5ad9513d-7eee-4ebc-ab4f-93e017804939", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "79e94178-6a35-48f0-b32d-acc9a01c4b02", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "introspection.token.claim": "true", + "user.attribute.postal_code": 
"postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "8a680fbb-f69d-4cde-a59a-5db615dcce3c", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "574bc10a-8412-49cb-8c2e-03056067cd27", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String" + } + }, + { + "id": "02f4c34d-9ea8-4af7-9059-b8b211000156", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + }, + { + "id": "09b86703-a50b-452a-9e60-8182afcc2844", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "171b0ab3-7142-4b94-b81b-5ed521573e08", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + 
"protocolMappers": [ + { + "id": "ef83a677-5bea-4f8e-b916-7352776c209c", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + }, + { + "id": "19064f1c-9eab-4fff-a540-452e5f7a540e", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "1f002f72-04dd-4a07-bbeb-75989476731d", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "3770271d-b609-41b2-b4d9-8c8005395ac3", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "0b3bc83f-f595-4ee8-b350-8eedb4bdf3b0", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "d53efe96-5963-4d5e-bc35-6b94606c495d", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + 
"attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "1a6c751d-4714-4c3e-ae27-02c5b427c315", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "aee2b2a3-e1c2-4bd6-837f-941d15268763", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "44b95b9e-674a-44ee-8d65-423af83294a2", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "a67fae26-1f6f-457d-ad43-5721f8aa8ce2", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "1ab1ef52-00d0-4514-aae4-6bd42393ca53", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": 
"a22e330f-fc7f-4fe7-b62b-ce667fae3d7c", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "afdd4145-5498-4dd2-8985-bfa10b830ecf", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "89d670f6-08ab-4108-a932-6764537a513c", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "7afb69e7-186c-4803-8b0e-017579bd2945", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "87028996-43d7-4859-93e3-fd5df177fad9", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + 
"user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "59134c29-8b7f-4846-8d1a-c5a179e8a114", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "b7a9a918-9ac0-4094-91a4-2dac89d954ea", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "421a9554-ec48-4c24-ac97-a5d17f786adf", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "f8f10dc3-ea7c-4f3e-8d78-34fd9a57f70d", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "dd9b6265-757f-4455-9586-6db344818821", + "name": "updated at", + "protocol": "openid-connect", 
+ "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "41c0a93a-2905-4163-8d52-fb979ed7a5f2", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "0d42c99e-ebb4-45d4-a09a-291591480c6b", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + 
"oidc-usermodel-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "saml-user-attribute-mapper", + "oidc-address-mapper", + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-full-name-mapper" + ] + } + }, + { + "id": "58763965-8162-402d-a125-793435083496", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "7b8ae7dd-dae3-46af-80ba-4ee070f5bccc", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "11c41be8-aa8e-4b8a-8c3e-92144f35edea", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "206a649d-cb01-4fda-ad2d-bc7dfe66d755", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "7ea0f826-48c0-4bc6-a088-de3eb65b2ae2", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "0e200f90-1dca-4d6c-b477-21d1dc42e77f", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-address-mapper", + "saml-user-property-mapper", + "saml-role-list-mapper", + "saml-user-attribute-mapper" + ] + } + }, + { + "id": "bc2c7d86-1d50-4ac5-9a26-c1294c09dfcf", + "name": "Allowed Client Scopes", + "providerId": 
"allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "626be7e5-9810-490f-b889-ba81c791f7d4", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "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" + ], + "keyUse": [ + "ENC" + ], + "certificate": [ + "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" + ], + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "39eb05da-6682-49ea-a7d3-7149bfda1739", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "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" + ], + "keyUse": [ + "SIG" + ], + "certificate": [ + "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" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "c61709a4-b827-4de0-a352-257accee080a", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "kid": [ + "cf82b862-cb7a-4e75-b173-c3ea6a36589f" + ], + "secret": [ + "gAnBN8ZzcOpWZduo-mGBBQ" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "6a13a452-14f9-4134-aba0-45db31a9b5dc", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "b1e3f30a-17b0-4220-85c3-6a7f04a9931f" + ], + "secret": [ + "f8838BBD6L5fxbbqgE2XyFyUncffqXsJLU-uyCg194ArteHoUYxJDHzrTENhLmUAB7nKFUOdOJoWJxf_DUg8Zg" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "977fbba5-eab0-4715-8467-b6ecf3a6dbb3", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + 
"authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "6281183e-8e3f-4e8d-a56f-1bc1baf44b97", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "4ba64df4-3a9a-419c-b10e-ec389aee1d48", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "438f57c9-796d-4692-8994-6422ee01f69f", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": 
false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "612cbcfe-76eb-4d08-a698-bad0a6093955", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "6a249e6d-f117-4a9d-a1a0-c54dbbab6501", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "b9997819-85a0-4d69-9192-4a783c7616a9", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "90e9c634-8a56-418e-a825-81fd34c10d73", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "c1f9ea61-bfbf-408f-8390-4a74f3bdcd03", + "alias": "browser", + "description": "browser based 
authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "c9ffa4f3-ced3-4636-9dd2-5c428b9e7dd4", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "7edde2d0-68b2-4fe4-ad9b-94ecb40d7f27", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + 
"builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "2b560056-36ae-4f65-a310-b715a2ab892a", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "f5dcf7e5-663c-45ba-a15c-8f5f1f4d4b44", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "9868f4c9-1e9e-4a37-94b3-c611d678c0b0", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + 
"providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "43a55a73-2ec3-4ed9-8680-5a857e41706f", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "dcc32c67-e517-4b65-907f-169532c47450", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "b91dd90d-ed1d-4e88-9dee-2a22385f02e7", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + 
"authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "da6646bf-a81c-4573-938e-2fd095f8322b", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "3c2e34ac-6383-4675-bad1-4d1fb60daf44", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "41ee4237-89a7-4048-bc4d-628b32308818", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": 
"UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaAuthRequestedUserHint": "login_hint", + "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5", + "realmReusableOtpCode": "false", + "cibaExpiresIn": "120", + "oauth2DeviceCodeLifespan": "600", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + 
"frontendUrl": "",
+ "acr.loa.map": "{}"
+ },
+ "keycloakVersion": "23.0.1",
+ "userManagedAccessAllowed": false,
+ "clientProfiles": {
+ "profiles": []
+ },
+ "clientPolicies": {
+ "policies": []
+ }
+}
diff --git a/local/keycloak/supplier/Supplier-users-0.json b/local/keycloak/supplier/Supplier-users-0.json
new file mode 100644
index 00000000..2852580a
--- /dev/null
+++ b/local/keycloak/supplier/Supplier-users-0.json
@@ -0,0 +1,55 @@
+{
+ "realm": "${SUPPLIER_KC_REALM_NAME}",
+ "users": [
+ {
+ "id": "509f9b55-ea1b-4bc8-964d-9d47bafe3d55",
+ "createdTimestamp": 1712066409143,
+ "username": "service-account-${KC_MANAGE_CLIENT_ID}",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "${KC_MANAGE_CLIENT_ID}",
+ "credentials": [],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-cl-puris"
+ ],
+ "clientRoles": {
+ "${KC_MANAGE_CLIENT_ID}": [
+ "update_digital_twin",
+ "write_access_rules",
+ "submodel_access_control",
+ "view_digital_twin",
+ "delete_digital_twin",
+ "read_access_rules",
+ "add_digital_twin"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "12e82c52-1786-417b-8258-70a41ec3ec55",
+ "createdTimestamp": 1711643730251,
+ "username": "service-account-${KC_READ_CLIENT_ID}",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "${KC_READ_CLIENT_ID}",
+ "credentials": [],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-cl-puris"
+ ],
+ "clientRoles": {
+ "${KC_READ_CLIENT_ID}": [
+ "view_digital_twin"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ }
+ ]
+}
diff --git a/local/miw/infrastructure.properties b/local/miw/infrastructure.properties
index be43806d..fcad298c 100644
--- a/local/miw/infrastructure.properties
+++ b/local/miw/infrastructure.properties
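Review bot: Both service-account entries in Supplier-users-0.json hard-code `"default-roles-cl-puris"` under `realmRoles` while the realm itself is templated as `"${SUPPLIER_KC_REALM_NAME}"`; Keycloak names a realm's default role `default-roles-<realm>` (the `miw_test` realm later in this patch carries `default-roles-miw_test`), so a deployment that sets the variable to anything other than `cl-puris` imports users referencing a realm role that does not exist there. Since the file already relies on `${...}` substitution inside string values, the consistent fix is `"default-roles-${SUPPLIER_KC_REALM_NAME}"` on both lines, or alternatively pinning the realm name; mixing the two is what breaks. The split between `${KC_MANAGE_CLIENT_ID}` (full set incl. `delete_digital_twin` and `write_access_rules`) and `${KC_READ_CLIENT_ID}` (only `view_digital_twin`) does keep the read client least-privileged, and because JSON carries no comments it would help to state in the local setup documentation which backend component is meant to use which client so the manage credentials are not handed to a read-only consumer.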
@@ -1,11 +1,6 @@
 KEYCLOAK_MIW_PUBLIC_CLIENT=${KEYCLOAK_MIW_PUBLIC_CLIENT}
 DB_DATABASE=keycloak
-KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN}
-KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
-KC_HOSTNAME=keycloak
-
 ENFORCE_HTTPS_IN_DID_RESOLUTION=false
-
 KEYCLOAK_CLIENT_ID=${KEYCLOAK_CLIENT_ID}
 ENCRYPTION_KEY=${KC_MIW_ENC}
 AUTHORITY_WALLET_BPN=BPNL000000000000
@@ -16,7 +11,6 @@ VC_SCHEMA_LINK="https://www.w3.org/2018/credentials/v1, https://catenax-ng.githu
 VC_EXPIRY_DATE=01-01-2025
 SUPPORTED_FRAMEWORK_VC_TYPES="PcfCredential, SustainabilityCredential, QualityCredential, TraceabilityCredential, BehaviorTwinCredential, ResiliencyCredential"
 MIW_HOST_NAME=miw
-
 AUTH_SERVER_URL=http://keycloak:8080
 APPLICATION_PORT=80
 MANAGEMENT_PORT=8090
diff --git a/local/miw/keycloak-setup.json b/local/miw/keycloak-setup.json
index baa73ae2..6a9a913e 100644
--- a/local/miw/keycloak-setup.json
+++ b/local/miw/keycloak-setup.json
@@ -1,2763 +1,2763 @@ { - "id": "e980fcc5-9e29-485c-bd56-440783e32014", - "realm": "miw_test", - "notBefore": 0, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 28800, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 1800, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 28800, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "enabled": true, - "sslRequired": "external", - "registrationAllowed": false, - "registrationEmailAsUsername": false, - "rememberMe": false, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": false, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "roles": { - "realm": [ - { - "id": "ad36b1ad-a3cb-4594-853b-b5744b86fcdb", - "name": "uma_authorization", - "description": "${role_uma_authorization}", - "composite": false, - "clientRole": false, - "containerId": "e980fcc5-9e29-485c-bd56-440783e32014", - "attributes": {} - }, - { - "id": "3247ecc3-6884-4548-bfaa-0f47cce0cda6", - "name": "default-roles-miw_test", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - 
"offline_access", - "uma_authorization" - ], - "client": { + "id": "e980fcc5-9e29-485c-bd56-440783e32014", + "realm": "miw_test", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 28800, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 28800, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "ad36b1ad-a3cb-4594-853b-b5744b86fcdb", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "e980fcc5-9e29-485c-bd56-440783e32014", + "attributes": {} + }, + { + "id": "3247ecc3-6884-4548-bfaa-0f47cce0cda6", + "name": "default-roles-miw_test", + "description": "${role_default-roles}", + "composite": true, + 
"composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "realm-management": [ + "manage-users" + ], + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "containerId": "e980fcc5-9e29-485c-bd56-440783e32014", + "attributes": {} + }, + { + "id": "ce1ee2c7-517c-4cf0-a96f-3adac1d200a7", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "e980fcc5-9e29-485c-bd56-440783e32014", + "attributes": {} + } + ], + "client": { "realm-management": [ - "manage-users" + { + "id": "e9eb031a-9dc3-413f-be30-8a396cf9a783", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "b33997ba-a7cb-4f47-8272-d04c18e51416", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "c66b4177-f470-4164-851c-018fa4445d78", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "ac2965ec-c2f2-4e30-b8fd-e3a34afc0070", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "fc813275-05d3-408f-a0d5-6943a66ada3f", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "73d25c6c-ca63-414e-a908-22d2f2cb18f6", + "name": "view-realm", + "description": "${role_view-realm}", + 
"composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "2073b2f4-c5de-491f-a34d-ea0c687cae4e", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "3f5e2b33-5611-4289-a36d-236b81485938", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "9e9436f9-6f9a-4a86-adaa-da935522e551", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "272c47ae-68d9-459a-8d8c-39b95136681b", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "8d3984f8-408c-4c9f-8af5-dcdbbf76118c", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "9beee882-a768-42ed-b142-74e238928634", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "manage-identity-providers", + "manage-authorization", + "query-users", + "create-client", + "manage-events", + "view-realm", + "manage-users", + "view-identity-providers", + "impersonation", + "query-realms", + "view-users", + "view-clients", + "view-authorization", + "query-groups", + "query-clients", + "view-events", + 
"manage-clients", + "manage-realm" + ] + } + }, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "df03dd95-6720-4ec8-a21e-25f124b9be51", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "9f0a02be-2609-496c-82cc-c07b82d2b4cc", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "f2d938d7-835f-414b-af54-289c97fed144", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "6dea15cf-8398-442a-9df6-639c45cce53b", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "8f0da98f-988a-46cf-be03-44e12f1c3ad6", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "3f2173cd-352d-4928-9525-1fdbaf289309", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + }, + { + "id": "d0c8168f-9ac4-4ac8-a908-715fda68959c", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "f2604867-9227-4947-8d36-6abc754f9883", + "attributes": {} + } + ], + "security-admin-console": [], + 
"miw_private_client": [ + { + "id": "232e256b-81b3-4282-8198-2a4557a2687a", + "name": "view_wallets", + "description": "view_wallets", + "composite": false, + "clientRole": true, + "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", + "attributes": {} + }, + { + "id": "2a1f1417-4eed-4ff9-b569-7461f7ae0ead", + "name": "add_wallets", + "description": "add_wallets", + "composite": false, + "clientRole": true, + "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", + "attributes": {} + }, + { + "id": "737ec30a-c542-419a-8533-8caa7a267b68", + "name": "update_wallet", + "description": "update_wallet", + "composite": false, + "clientRole": true, + "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", + "attributes": {} + }, + { + "id": "b32143a1-23cc-4ea5-96b0-aec079958ca0", + "name": "view_wallet", + "description": "view_wallet", + "composite": false, + "clientRole": true, + "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", + "attributes": {} + }, + { + "id": "8ac5652e-103e-49a2-a7d0-4a9cdc958543", + "name": "update_wallets", + "description": "update_wallets", + "composite": false, + "clientRole": true, + "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", + "attributes": {} + } ], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "bd277caa-1e1f-474a-9fb9-a0f6ec21bfa5", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "f6dd02a1-9c2b-4af9-81bf-200efc0fcf22", + "attributes": {} + } + ], + "miw_public": [], "account": [ - "view-profile", - "manage-account" + { + "id": "cbe6b27b-83b2-4c40-ba6b-e776b32d919c", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + }, + { + "id": "2e9938b0-51ea-47f6-91d5-93020fbbe094", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": 
true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + }, + { + "id": "000f2103-4f84-4ab2-b2e9-72e006a7aa7a", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + }, + { + "id": "d0d1ec92-4928-4446-ab70-af4a5ec941f0", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + }, + { + "id": "be516b3c-47c9-4da9-b65a-c0269c066cd2", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + }, + { + "id": "f628b4e8-783f-4b2b-ad20-9ce7191ef39b", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + }, + { + "id": "465eff9a-73da-4fd3-ac96-e84db10cc263", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + }, + { + "id": "631c870f-24e9-4058-b506-993520d68d24", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "356d12b7-0894-474f-8701-c51c78182351", + "attributes": {} + } ] - } - }, - "clientRole": false, - "containerId": "e980fcc5-9e29-485c-bd56-440783e32014", - "attributes": {} - }, - { - "id": "ce1ee2c7-517c-4cf0-a96f-3adac1d200a7", - "name": "offline_access", - "description": "${role_offline-access}", - "composite": false, + } + }, 
+ "groups": [], + "defaultRole": { + "id": "3247ecc3-6884-4548-bfaa-0f47cce0cda6", + "name": "default-roles-miw_test", + "description": "${role_default-roles}", + "composite": true, "clientRole": false, - "containerId": "e980fcc5-9e29-485c-bd56-440783e32014", - "attributes": {} - } + "containerId": "e980fcc5-9e29-485c-bd56-440783e32014" + }, + "requiredCredentials": [ + "password" ], - "client": { - "realm-management": [ - { - "id": "e9eb031a-9dc3-413f-be30-8a396cf9a783", - "name": "manage-authorization", - "description": "${role_manage-authorization}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "b33997ba-a7cb-4f47-8272-d04c18e51416", - "name": "manage-identity-providers", - "description": "${role_manage-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "c66b4177-f470-4164-851c-018fa4445d78", - "name": "query-users", - "description": "${role_query-users}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "ac2965ec-c2f2-4e30-b8fd-e3a34afc0070", - "name": "create-client", - "description": "${role_create-client}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "fc813275-05d3-408f-a0d5-6943a66ada3f", - "name": "manage-events", - "description": "${role_manage-events}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "73d25c6c-ca63-414e-a908-22d2f2cb18f6", - "name": "view-realm", - "description": "${role_view-realm}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "2073b2f4-c5de-491f-a34d-ea0c687cae4e", - "name": 
"manage-users", - "description": "${role_manage-users}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "3f5e2b33-5611-4289-a36d-236b81485938", - "name": "view-identity-providers", - "description": "${role_view-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "9e9436f9-6f9a-4a86-adaa-da935522e551", - "name": "impersonation", - "description": "${role_impersonation}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "272c47ae-68d9-459a-8d8c-39b95136681b", - "name": "query-realms", - "description": "${role_query-realms}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "8d3984f8-408c-4c9f-8af5-dcdbbf76118c", - "name": "view-users", - "description": "${role_view-users}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-users", - "query-groups" - ] - } - }, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "9beee882-a768-42ed-b142-74e238928634", - "name": "realm-admin", - "description": "${role_realm-admin}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "manage-identity-providers", - "manage-authorization", - "query-users", - "create-client", - "manage-events", - "view-realm", - "manage-users", - "view-identity-providers", - "impersonation", - "query-realms", - "view-users", - "view-clients", - "view-authorization", - "query-groups", - "query-clients", - "view-events", - "manage-clients", - "manage-realm" - ] - } - }, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": 
"df03dd95-6720-4ec8-a21e-25f124b9be51", - "name": "view-authorization", - "description": "${role_view-authorization}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "9f0a02be-2609-496c-82cc-c07b82d2b4cc", - "name": "view-clients", - "description": "${role_view-clients}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-clients" - ] - } - }, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "f2d938d7-835f-414b-af54-289c97fed144", - "name": "query-groups", - "description": "${role_query-groups}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "6dea15cf-8398-442a-9df6-639c45cce53b", - "name": "query-clients", - "description": "${role_query-clients}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "8f0da98f-988a-46cf-be03-44e12f1c3ad6", - "name": "view-events", - "description": "${role_view-events}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "3f2173cd-352d-4928-9525-1fdbaf289309", - "name": "manage-clients", - "description": "${role_manage-clients}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - }, - { - "id": "d0c8168f-9ac4-4ac8-a908-715fda68959c", - "name": "manage-realm", - "description": "${role_manage-realm}", - "composite": false, - "clientRole": true, - "containerId": "f2604867-9227-4947-8d36-6abc754f9883", - "attributes": {} - } - ], - "security-admin-console": [], - "miw_private_client": [ - { - "id": "232e256b-81b3-4282-8198-2a4557a2687a", - "name": "view_wallets", - "description": "view_wallets", - "composite": false, - 
"clientRole": true, - "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", - "attributes": {} - }, - { - "id": "2a1f1417-4eed-4ff9-b569-7461f7ae0ead", - "name": "add_wallets", - "description": "add_wallets", - "composite": false, - "clientRole": true, - "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", - "attributes": {} - }, - { - "id": "737ec30a-c542-419a-8533-8caa7a267b68", - "name": "update_wallet", - "description": "update_wallet", - "composite": false, - "clientRole": true, - "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", - "attributes": {} - }, - { - "id": "b32143a1-23cc-4ea5-96b0-aec079958ca0", - "name": "view_wallet", - "description": "view_wallet", - "composite": false, - "clientRole": true, - "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", - "attributes": {} - }, - { - "id": "8ac5652e-103e-49a2-a7d0-4a9cdc958543", - "name": "update_wallets", - "description": "update_wallets", - "composite": false, - "clientRole": true, - "containerId": "774d507f-5aa3-4d16-be24-0e461f35d66a", - "attributes": {} + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppMicrosoftAuthenticatorName", + "totpAppGoogleName", + "totpAppFreeOTPName" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + 
"ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users": [ + { + "id": "7e5c957b-2f20-41e0-85fb-e84656caadfe", + "createdTimestamp": 1687957169104, + "username": "service-account-miw_private_client", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "miw_private_client", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-miw_test" + ], + "clientRoles": { + "miw_private_client": [ + "view_wallets", + "update_wallet", + "add_wallets", + "view_wallet", + "update_wallets" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "id": "44f821c3-823a-4271-9f7a-2fe026f9a41a", + "createdTimestamp": 1692873511927, + "username": "service-account-customer_private_client", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "customer_private_client", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-miw_test" + ], + "clientRoles": { + "miw_private_client": [ + "view_wallets", + "update_wallet", + "add_wallets", + "view_wallet", + "update_wallets" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "id": "c6d700e5-a61a-46a7-a097-ea130feb497c", + "createdTimestamp": 1687957169104, + "username": "service-account-supplier_private_client", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "supplier_private_client", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + 
"default-roles-miw_test" + ], + "clientRoles": { + "miw_private_client": [ + "view_wallets", + "update_wallet", + "add_wallets", + "view_wallet", + "update_wallets" + ] + }, + "notBefore": 0, + "groups": [] } - ], - "admin-cli": [], - "account-console": [], - "broker": [ + ], + "scopeMappings": [ { - "id": "bd277caa-1e1f-474a-9fb9-a0f6ec21bfa5", - "name": "read-token", - "description": "${role_read-token}", - "composite": false, - "clientRole": true, - "containerId": "f6dd02a1-9c2b-4af9-81bf-200efc0fcf22", - "attributes": {} + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] } - ], - "miw_public": [], - "account": [ - { - "id": "cbe6b27b-83b2-4c40-ba6b-e776b32d919c", - "name": "manage-account-links", - "description": "${role_manage-account-links}", - "composite": false, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} - }, - { - "id": "2e9938b0-51ea-47f6-91d5-93020fbbe094", - "name": "view-profile", - "description": "${role_view-profile}", - "composite": false, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} - }, - { - "id": "000f2103-4f84-4ab2-b2e9-72e006a7aa7a", - "name": "delete-account", - "description": "${role_delete-account}", - "composite": false, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} - }, - { - "id": "d0d1ec92-4928-4446-ab70-af4a5ec941f0", - "name": "manage-consent", - "description": "${role_manage-consent}", - "composite": true, - "composites": { - "client": { - "account": [ - "view-consent" - ] + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] } - }, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} + ] + }, + "clients": [ + { + "id": "356d12b7-0894-474f-8701-c51c78182351", + "clientId": "account", + "name": "${client_account}", + "rootUrl": 
"${authBaseUrl}", + "baseUrl": "/realms/miw_test/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/miw_test/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "be516b3c-47c9-4da9-b65a-c0269c066cd2", - "name": "view-consent", - "description": "${role_view-consent}", - "composite": false, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} + "id": "e33fa081-88ee-4443-955a-22b57d96bd9a", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/miw_test/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/miw_test/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + 
"fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "db8af579-9b62-4a5d-8f21-9113cacce594", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "f628b4e8-783f-4b2b-ad20-9ce7191ef39b", - "name": "manage-account", - "description": "${role_manage-account}", - "composite": true, - "composites": { - "client": { - "account": [ - "manage-account-links" - ] - } - }, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} + "id": "e6ecff04-23e9-4828-ae48-2eaf9cf21086", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "465eff9a-73da-4fd3-ac96-e84db10cc263", - "name": "view-applications", - "description": "${role_view-applications}", - "composite": false, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} 
+ "id": "f6dd02a1-9c2b-4af9-81bf-200efc0fcf22", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "631c870f-24e9-4058-b506-993520d68d24", - "name": "view-groups", - "description": "${role_view-groups}", - "composite": false, - "clientRole": true, - "containerId": "356d12b7-0894-474f-8701-c51c78182351", - "attributes": {} - } - ] - } - }, - "groups": [], - "defaultRole": { - "id": "3247ecc3-6884-4548-bfaa-0f47cce0cda6", - "name": "default-roles-miw_test", - "description": "${role_default-roles}", - "composite": true, - "clientRole": false, - "containerId": "e980fcc5-9e29-485c-bd56-440783e32014" - }, - "requiredCredentials": [ - "password" - ], - "otpPolicyType": "totp", - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyInitialCounter": 0, - "otpPolicyDigits": 6, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpPolicyCodeReusable": false, - "otpSupportedApplications": [ - "totpAppMicrosoftAuthenticatorName", - "totpAppGoogleName", - "totpAppFreeOTPName" - ], - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyRpId": "", - 
"webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "users": [ - { - "id": "7e5c957b-2f20-41e0-85fb-e84656caadfe", - "createdTimestamp": 1687957169104, - "username": "service-account-miw_private_client", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "miw_private_client", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "default-roles-miw_test" - ], - "clientRoles": { - "miw_private_client": [ - "view_wallets", - "update_wallet", - "add_wallets", - "view_wallet", - "update_wallets" - ] - }, - "notBefore": 0, - "groups": [] - }, - { - "id": "44f821c3-823a-4271-9f7a-2fe026f9a41a", - "createdTimestamp": 1692873511927, - "username": "service-account-customer_private_client", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "customer_private_client", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "default-roles-miw_test" - ], - "clientRoles": { - "miw_private_client": [ - 
"view_wallets", - "update_wallet", - "add_wallets", - "view_wallet", - "update_wallets" - ] - }, - "notBefore": 0, - "groups": [] - }, - { - "id": "c6d700e5-a61a-46a7-a097-ea130feb497c", - "createdTimestamp": 1687957169104, - "username": "service-account-supplier_private_client", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "supplier_private_client", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "default-roles-miw_test" - ], - "clientRoles": { - "miw_private_client": [ - "view_wallets", - "update_wallet", - "add_wallets", - "view_wallet", - "update_wallets" - ] - }, - "notBefore": 0, - "groups": [] - } - ], - "scopeMappings": [ - { - "clientScope": "offline_access", - "roles": [ - "offline_access" - ] - } - ], - "clientScopeMappings": { - "account": [ - { - "client": "account-console", - "roles": [ - "manage-account", - "view-groups" - ] - } - ] - }, - "clients": [ - { - "id": "356d12b7-0894-474f-8701-c51c78182351", - "clientId": "account", - "name": "${client_account}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/miw_test/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/miw_test/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, 
- { - "id": "e33fa081-88ee-4443-955a-22b57d96bd9a", - "clientId": "account-console", - "name": "${client_account-console}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/miw_test/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/miw_test/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+", - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "db8af579-9b62-4a5d-8f21-9113cacce594", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "e6ecff04-23e9-4828-ae48-2eaf9cf21086", - "clientId": "admin-cli", - "name": "${client_admin-cli}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+" - }, - 
"authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "f6dd02a1-9c2b-4af9-81bf-200efc0fcf22", - "clientId": "broker", - "name": "${client_broker}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "774d507f-5aa3-4d16-be24-0e461f35d66a", - "clientId": "miw_private_client", - "name": "miw_private_client", - "description": "miw_private_client", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "miw_private_client", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", 
- "client.secret.creation.time": "1684923648", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "767fc59d-4812-4147-a4c0-c1d36854a111", - "name": "User Client Role", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "usermodel.clientRoleMapping.clientId": "miw_private_client", - "multivalued": "true", - "userinfo.token.claim": "true" - } + "id": "774d507f-5aa3-4d16-be24-0e461f35d66a", + "clientId": "miw_private_client", + "name": "miw_private_client", + "description": "miw_private_client", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "miw_private_client", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1684923648", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { 
+ "id": "767fc59d-4812-4147-a4c0-c1d36854a111", + "name": "User Client Role", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "usermodel.clientRoleMapping.clientId": "miw_private_client", + "multivalued": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "c46e9cc6-3057-4640-a78b-e12fc3a714df", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "aggregate.attrs": "false", + "userinfo.token.claim": "true", + "multivalued": "false", + "user.attribute": "BPN", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "BPN" + } + }, + { + "id": "f446598c-1637-4585-b2b6-0204d2e6e92e", + "name": "client_bpn_mapper", + "protocol": "openid-connect", + "protocolMapper": "oidc-hardcoded-claim-mapper", + "consentRequired": false, + "config": { + "claim.value": "BPNL000000000000", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "BPN", + "access.tokenResponse.claim": "false" + } + }, + { + "id": "1340463e-a737-4507-8ecb-b01715a9fde4", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "9096587b-3781-4104-b1ec-458c7ca95e8d", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", 
+ "jsonType.label": "String" + } + }, + { + "id": "370515a5-370a-4b68-9704-9a67407c1390", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "c46e9cc6-3057-4640-a78b-e12fc3a714df", - "name": "BPN", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "aggregate.attrs": "false", - "userinfo.token.claim": "true", - "multivalued": "false", - "user.attribute": "BPN", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "BPN" - } + "id": "0375eb3d-9526-4b9d-a651-7dddda3d1b41", + "clientId": "customer_private_client", + "name": "customer_private_client", + "description": "customer_private_client", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${CUSTOMER_KC_MIW_CLIENT_SECRET}", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1692873511", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": 
"false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "767fc59d-4812-4147-a4c0-c1d36854a222", + "name": "User Client Role", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "usermodel.clientRoleMapping.clientId": "customer_private_client", + "multivalued": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "c46e9cc6-3057-4640-a78b-e12fc3a71333", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "aggregate.attrs": "false", + "userinfo.token.claim": "true", + "multivalued": "false", + "user.attribute": "BPN", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "BPN" + } + }, + { + "id": "f446598c-1637-4585-b2b6-0204d2e6e444", + "name": "client_bpn_mapper", + "protocol": "openid-connect", + "protocolMapper": "oidc-hardcoded-claim-mapper", + "consentRequired": false, + "config": { + "claim.value": "BPNL4444444444XX", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "BPN", + "access.tokenResponse.claim": "false" + } + }, + { + "id": "e807edbf-49c7-4104-bdb1-5369a4a88092", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "8f3c30da-f509-446a-a54d-b58c1eaa2cfa", + "name": "Client ID", + "protocol": 
"openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + }, + { + "id": "f377ce45-0016-43f9-86f4-b81cb5bc7fd9", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "f446598c-1637-4585-b2b6-0204d2e6e92e", - "name": "client_bpn_mapper", - "protocol": "openid-connect", - "protocolMapper": "oidc-hardcoded-claim-mapper", - "consentRequired": false, - "config": { - "claim.value": "BPNL000000000000", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "BPN", - "access.tokenResponse.claim": "false" - } + "id": "17d99f9a-22c7-4381-9a08-f843c36b64ac", + "clientId": "supplier_private_client", + "name": "supplier_private_client", + "description": "supplier_private_client", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${SUPPLIER_KC_MIW_CLIENT_SECRET}", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + 
"frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1684923648", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "97d1d2b2-f6cc-44b8-b21a-da97a85dc802", + "name": "User Client Role", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "usermodel.clientRoleMapping.clientId": "supplier_private_client", + "multivalued": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "88a5eb86-9660-4ae5-a333-31939392e74c", + "name": "BPN", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "aggregate.attrs": "false", + "userinfo.token.claim": "true", + "multivalued": "false", + "user.attribute": "BPN", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "BPN" + } + }, + { + "id": "fc48fb2e-e9a2-453a-b74a-c12dd1621a23", + "name": "client_bpn_mapper", + "protocol": "openid-connect", + "protocolMapper": "oidc-hardcoded-claim-mapper", + "consentRequired": false, + "config": { + "claim.value": "BPNL1234567890ZZ", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "BPN", + "access.tokenResponse.claim": "false" + } + }, + { + "id": "dc84e461-56b1-4bc1-9252-4a16f6cba69c", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": 
"clientAddress", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "f184e1cf-f226-40c9-aee4-7699926fa41c", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + }, + { + "id": "2c49f4ef-d427-49ac-8664-5c040271f381", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "1340463e-a737-4507-8ecb-b01715a9fde4", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } + "id": "7dbe3954-6da4-43f1-a1df-cf160fee58e2", + "clientId": "miw_public", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "http://localhost:8080/*", + "http://localhost/*", + "http://localhost:8087/*" + 
], + "webOrigins": [ + "http://localhost:8080", + "http://localhost", + "http://localhost:8087" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "1312c58c-7950-4e3f-b45d-a77b827a62d7", + "name": "BPN_user_attribute", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "aggregate.attrs": "false", + "userinfo.token.claim": "true", + "multivalued": "false", + "user.attribute": "BPN", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "BPN" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "9096587b-3781-4104-b1ec-458c7ca95e8d", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } + "id": "f2604867-9227-4947-8d36-6abc754f9883", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": 
true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] }, { - "id": "370515a5-370a-4b68-9704-9a67407c1390", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } + "id": "d966ce87-fa07-4c99-9ed1-899961993d88", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/miw_test/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/miw_test/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + 
"authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "088895dc-a6b7-4d7a-b8e8-70804dd7a4be", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "0375eb3d-9526-4b9d-a651-7dddda3d1b41", - "clientId": "customer_private_client", - "name": "customer_private_client", - "description": "customer_private_client", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1692873511", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - 
"authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "767fc59d-4812-4147-a4c0-c1d36854a222", - "name": "User Client Role", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "usermodel.clientRoleMapping.clientId": "customer_private_client", - "multivalued": "true", - "userinfo.token.claim": "true" - } - }, - { - "id": "c46e9cc6-3057-4640-a78b-e12fc3a71333", - "name": "BPN", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "aggregate.attrs": "false", - "userinfo.token.claim": "true", - "multivalued": "false", - "user.attribute": "BPN", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "BPN" - } + ], + "clientScopes": [ + { + "id": "e7addfcc-9187-43b2-9dd8-d883c3d7d4ce", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "7f56bfa8-3c9c-4ddb-ba03-bf3baee76b5e", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "7ae07240-7a54-4e77-a3ed-1cff45e70a6f", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + 
"access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] }, { - "id": "f446598c-1637-4585-b2b6-0204d2e6e444", - "name": "client_bpn_mapper", - "protocol": "openid-connect", - "protocolMapper": "oidc-hardcoded-claim-mapper", - "consentRequired": false, - "config": { - "claim.value": "BPNL4444444444XX", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "BPN", - "access.tokenResponse.claim": "false" - } + "id": "6447876f-32c7-42b7-864c-61b8c12f651f", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } }, { - "id": "e807edbf-49c7-4104-bdb1-5369a4a88092", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } + "id": "7b162106-cbc9-4c05-9043-6fbece4d7600", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "445b2b60-0bf1-4eb8-ab60-99351b616da6", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] }, { - "id": "8f3c30da-f509-446a-a54d-b58c1eaa2cfa", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": 
"clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } + "id": "ad308290-1c37-4d33-99f3-8d23e2f74501", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "7fbc621e-a6ad-48d4-b981-55be57bae980", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "3eacc647-eff9-48a4-a9ca-cdd8b1a02665", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] }, { - "id": "f377ce45-0016-43f9-86f4-b81cb5bc7fd9", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "17d99f9a-22c7-4381-9a08-f843c36b64ac", - "clientId": "supplier_private_client", - "name": "supplier_private_client", - 
"description": "supplier_private_client", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1684923648", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "97d1d2b2-f6cc-44b8-b21a-da97a85dc802", - "name": "User Client Role", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "usermodel.clientRoleMapping.clientId": "supplier_private_client", - "multivalued": "true", - "userinfo.token.claim": "true" - } + "id": "f6d808aa-019d-4f3f-951e-dda5a77f841c", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "d3204d28-9023-4cf6-b996-fd845180c8dd", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", 
+ "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] }, { - "id": "88a5eb86-9660-4ae5-a333-31939392e74c", - "name": "BPN", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "aggregate.attrs": "false", - "userinfo.token.claim": "true", - "multivalued": "false", - "user.attribute": "BPN", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "BPN" - } + "id": "fcfb1f12-dc72-4529-be32-51b16d4b7c58", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "7091a3bd-ffd1-40cf-82cf-636aa49728ce", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "27f9ab53-8807-4ef1-b9a0-12a8a76ab5ec", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "29402017-bf33-48c2-8e7c-9eae2c44e929", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { 
+ "id": "6e24f73b-8529-43ff-9815-2901cb1d5a91", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "a45c35be-f77d-4627-9bf9-a3414722e484", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "eba7c338-cce4-4cd6-8044-083273ddca3a", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "bfb08dad-0a9f-41fd-871b-1fbfb0d43594", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "b8f94365-aa92-44d7-9f96-84822aef4cad", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "b8849581-e158-4daf-98f0-b23f351b7362", + "name": "given name", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "7104be3f-1760-4fa7-9ad7-985959f852f2", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "c7a9ba7a-62bf-4846-9b2f-56a8c6b31901", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "1e5a4e39-1fbc-4245-bced-f1271c01cf28", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "20bca7ef-8879-4b77-85fc-e38dd86518da", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "679465a3-8205-404b-ac12-f0ce50194f71", + "name": "zoneinfo", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + } + ] }, { - "id": "fc48fb2e-e9a2-453a-b74a-c12dd1621a23", - "name": "client_bpn_mapper", - "protocol": "openid-connect", - "protocolMapper": "oidc-hardcoded-claim-mapper", - "consentRequired": false, - "config": { - "claim.value": "BPNL1234567890ZZ", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "BPN", - "access.tokenResponse.claim": "false" - } + "id": "fc9f5da4-557c-432f-87ec-128c07e09c79", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "bbe96ba8-010c-4798-83e5-38fa3c7e7d66", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "15f0c6ce-d7a5-4165-9ae2-978e3776d4a4", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] }, { - "id": "dc84e461-56b1-4bc1-9252-4a16f6cba69c", - "name": "Client IP Address", - "protocol": "openid-connect", - 
"protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } + "id": "96747a05-db5f-4289-bca2-8e3ebc0b244e", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "7db29b64-30f8-43df-99f7-73f16db774b4", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "1fa84511-e274-4ffb-8cb7-a426dd5ebe4a", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "8594b20e-3ade-4661-bea2-bf0b5d47ff1e", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] }, { - "id": "f184e1cf-f226-40c9-aee4-7699926fa41c", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - 
"jsonType.label": "String" - } + "id": "801527ae-e765-4d90-8d87-5547fc96d2be", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "5519fbcf-8042-4b00-9c2a-a79bf16b9d59", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] }, { - "id": "2c49f4ef-d427-49ac-8664-5c040271f381", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "7dbe3954-6da4-43f1-a1df-cf160fee58e2", - "clientId": "miw_public", - "name": "", - "description": "", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "http://localhost:8080/*", - "http://localhost/*", - "http://localhost:8087/*" - ], - "webOrigins": [ - "http://localhost:8080", - "http://localhost", - 
"http://localhost:8087" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "1312c58c-7950-4e3f-b45d-a77b827a62d7", - "name": "BPN_user_attribute", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "aggregate.attrs": "false", - "userinfo.token.claim": "true", - "multivalued": "false", - "user.attribute": "BPN", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "BPN" - } + "id": "99a7cadd-76c0-406f-88bf-24947fec442e", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "a57ca5de-7d7a-4695-b181-1099790ec07f", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] } - ], - "defaultClientScopes": [ - "web-origins", - "acr", + ], + "defaultDefaultClientScopes": [ + "role_list", "profile", + "email", "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": 
"f2604867-9227-4947-8d36-6abc754f9883", - "clientId": "realm-management", - "name": "${client_realm-management}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", + "acr" + ], + "defaultOptionalClientScopes": [ "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "d966ce87-fa07-4c99-9ed1-899961993d88", - "clientId": "security-admin-console", - "name": "${client_security-admin-console}", - "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/miw_test/console/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/admin/miw_test/console/*" - ], - "webOrigins": [ - "+" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+", - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "088895dc-a6b7-4d7a-b8e8-70804dd7a4be", - "name": 
"locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ "address", "phone", - "offline_access", "microprofile-jwt" - ] - } - ], - "clientScopes": [ - { - "id": "e7addfcc-9187-43b2-9dd8-d883c3d7d4ce", - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "7f56bfa8-3c9c-4ddb-ba03-bf3baee76b5e", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "7ae07240-7a54-4e77-a3ed-1cff45e70a6f", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "6447876f-32c7-42b7-864c-61b8c12f651f", - "name": "offline_access", - "description": "OpenID Connect built-in scope: offline_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - }, - { - "id": 
"7b162106-cbc9-4c05-9043-6fbece4d7600", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "445b2b60-0bf1-4eb8-ab60-99351b616da6", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "ad308290-1c37-4d33-99f3-8d23e2f74501", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "7fbc621e-a6ad-48d4-b981-55be57bae980", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - }, - { - "id": "3eacc647-eff9-48a4-a9ca-cdd8b1a02665", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "f6d808aa-019d-4f3f-951e-dda5a77f841c", - "name": "acr", - "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": 
"d3204d28-9023-4cf6-b996-fd845180c8dd", - "name": "acr loa level", - "protocol": "openid-connect", - "protocolMapper": "oidc-acr-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - } - ] - }, - { - "id": "fcfb1f12-dc72-4529-be32-51b16d4b7c58", - "name": "profile", - "description": "OpenID Connect built-in scope: profile", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${profileScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "7091a3bd-ffd1-40cf-82cf-636aa49728ce", - "name": "nickname", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "nickname", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "nickname", - "jsonType.label": "String" - } - }, - { - "id": "27f9ab53-8807-4ef1-b9a0-12a8a76ab5ec", - "name": "birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "birthdate", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "birthdate", - "jsonType.label": "String" - } - }, - { - "id": "29402017-bf33-48c2-8e7c-9eae2c44e929", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - }, - { - "id": "6e24f73b-8529-43ff-9815-2901cb1d5a91", - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": 
false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "long" - } - }, - { - "id": "a45c35be-f77d-4627-9bf9-a3414722e484", - "name": "picture", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String" - } - }, - { - "id": "eba7c338-cce4-4cd6-8044-083273ddca3a", - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": "oidc-full-name-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - }, - { - "id": "bfb08dad-0a9f-41fd-871b-1fbfb0d43594", - "name": "profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "profile", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "profile", - "jsonType.label": "String" - } - }, - { - "id": "b8f94365-aa92-44d7-9f96-84822aef4cad", - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "lastName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "family_name", - "jsonType.label": "String" - } - }, - { - "id": "b8849581-e158-4daf-98f0-b23f351b7362", - "name": "given name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "firstName", - "id.token.claim": "true", - 
"access.token.claim": "true", - "claim.name": "given_name", - "jsonType.label": "String" - } - }, - { - "id": "7104be3f-1760-4fa7-9ad7-985959f852f2", - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "website", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String" - } - }, - { - "id": "c7a9ba7a-62bf-4846-9b2f-56a8c6b31901", - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "gender", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "gender", - "jsonType.label": "String" - } - }, - { - "id": "1e5a4e39-1fbc-4245-bced-f1271c01cf28", - "name": "middle name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "middleName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String" - } - }, - { - "id": "20bca7ef-8879-4b77-85fc-e38dd86518da", - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String" - } - }, - { - "id": "679465a3-8205-404b-ac12-f0ce50194f71", - "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "zoneinfo", - "id.token.claim": "true", - 
"access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "fc9f5da4-557c-432f-87ec-128c07e09c79", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "bbe96ba8-010c-4798-83e5-38fa3c7e7d66", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - }, - { - "id": "15f0c6ce-d7a5-4165-9ae2-978e3776d4a4", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - } - ] - }, - { - "id": "96747a05-db5f-4289-bca2-8e3ebc0b244e", - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "7db29b64-30f8-43df-99f7-73f16db774b4", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - }, - { - "id": "1fa84511-e274-4ffb-8cb7-a426dd5ebe4a", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": 
"oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "id": "8594b20e-3ade-4661-bea2-bf0b5d47ff1e", - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" - } - } - ] - }, - { - "id": "801527ae-e765-4d90-8d87-5547fc96d2be", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "5519fbcf-8042-4b00-9c2a-a79bf16b9d59", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "id": "99a7cadd-76c0-406f-88bf-24947fec442e", - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "id": "a57ca5de-7d7a-4695-b181-1099790ec07f", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": 
"oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - } - ], - "defaultDefaultClientScopes": [ - "role_list", - "profile", - "email", - "roles", - "web-origins", - "acr" - ], - "defaultOptionalClientScopes": [ - "offline_access", - "address", - "phone", - "microprofile-jwt" - ], - "browserSecurityHeaders": { - "contentSecurityPolicyReportOnly": "", - "xContentTypeOptions": "nosniff", - "xRobotsTag": "none", - "xFrameOptions": "SAMEORIGIN", - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection": "1; mode=block", - "strictTransportSecurity": "max-age=31536000; includeSubDomains" - }, - "smtpServer": {}, - "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "enabledEventTypes": [], - "adminEventsEnabled": false, - "adminEventsDetailsEnabled": false, - "identityProviders": [], - "identityProviderMappers": [], - "components": { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "id": "bc6e125a-0c96-4a44-ac91-bf6ecc035cec", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "a9aceec7-3d4d-4fc7-9ee7-b0862b3f212a", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "476306a8-3346-430b-a6da-f3fc52910ce9", - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, - { - "id": "b3cc2af0-dc32-4a7d-9298-fdc664f3bb83", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - 
"oidc-sha256-pairwise-sub-mapper", - "saml-user-attribute-mapper", - "saml-user-property-mapper", - "oidc-full-name-mapper", - "oidc-usermodel-attribute-mapper", - "saml-role-list-mapper", - "oidc-address-mapper", - "oidc-usermodel-property-mapper" - ] - } - }, - { - "id": "7da42bd3-7368-4be2-bc0c-82067fc48463", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "oidc-full-name-mapper", - "saml-user-attribute-mapper", - "oidc-address-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-usermodel-property-mapper", - "saml-user-property-mapper", - "oidc-usermodel-attribute-mapper", - "saml-role-list-mapper" - ] - } - }, - { - "id": "706c9166-d41a-4d1e-872c-45c587b0ac6b", - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "bc67afe8-8f95-49eb-915c-18d11f4bbc2b", - "name": "Consent Required", - "providerId": "consent-required", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "c8570184-4c4c-460f-9d78-95d36838e89a", - "name": "Trusted Hosts", - "providerId": "trusted-hosts", - "subType": "anonymous", - "subComponents": {}, - "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] - } - } ], - "org.keycloak.userprofile.UserProfileProvider": [ - { - "id": "254a0e2b-b22b-4e1e-94ba-feb82f4e55f4", - "providerId": "declarative-user-profile", - "subComponents": {}, - "config": {} - } - ] - }, - "internationalizationEnabled": false, - "supportedLocales": [], - "authenticationFlows": [ - { - "id": "04cc2aa7-9e5b-4178-a1a2-dad58cf99367", - "alias": "Account verification options", - "description": "Method with which to verity the existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - 
"authenticator": "idp-email-verification", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false - } - ] - }, - { - "id": "fa4d6b27-5fac-4b3b-9cbc-badb7cfe90ed", - "alias": "Authentication Options", - "description": "Authentication options.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "basic-auth", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "basic-auth-otp", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" }, - { - "id": "266db702-5928-4149-b2bd-701d0722eb93", - "alias": "Browser - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false 
- }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "dd326252-8827-445d-a098-9ec953932387", - "alias": "Direct Grant - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "bc6e125a-0c96-4a44-ac91-bf6ecc035cec", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "a9aceec7-3d4d-4fc7-9ee7-b0862b3f212a", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "476306a8-3346-430b-a6da-f3fc52910ce9", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "b3cc2af0-dc32-4a7d-9298-fdc664f3bb83", + "name": "Allowed Protocol 
Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-sha256-pairwise-sub-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-attribute-mapper", + "saml-role-list-mapper", + "oidc-address-mapper", + "oidc-usermodel-property-mapper" + ] + } + }, + { + "id": "7da42bd3-7368-4be2-bc0c-82067fc48463", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-full-name-mapper", + "saml-user-attribute-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "saml-user-property-mapper", + "oidc-usermodel-attribute-mapper", + "saml-role-list-mapper" + ] + } + }, + { + "id": "706c9166-d41a-4d1e-872c-45c587b0ac6b", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "bc67afe8-8f95-49eb-915c-18d11f4bbc2b", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "c8570184-4c4c-460f-9d78-95d36838e89a", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + } + ], + "org.keycloak.userprofile.UserProfileProvider": [ + { + "id": "254a0e2b-b22b-4e1e-94ba-feb82f4e55f4", + "providerId": "declarative-user-profile", + "subComponents": {}, + "config": {} + } + ] }, - { - "id": "b8f5c247-b9ba-40c7-a14e-05a235bed46f", - "alias": "First broker login - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": 
"basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "04cc2aa7-9e5b-4178-a1a2-dad58cf99367", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] }, { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "f40cbe9a-ad2a-476c-b85d-ec426ce100b2", - "alias": "Handle Existing Account", - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "fa4d6b27-5fac-4b3b-9cbc-badb7cfe90ed", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + 
"authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Account verification options", - "userSetupAllowed": false - } - ] - }, - { - "id": "60ba180d-92f3-4195-abd4-a925121994e7", - "alias": "Reset - Conditional OTP", - "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "266db702-5928-4149-b2bd-701d0722eb93", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticator": "reset-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - 
] - }, - { - "id": "0b5f7bb3-59e5-4d0e-9e8e-6d0e52984ad2", - "alias": "User creation or linking", - "description": "Flow for the existing/non-existing user alternatives", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "create unique user config", - "authenticator": "idp-create-user-if-unique", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "dd326252-8827-445d-a098-9ec953932387", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Handle Existing Account", - "userSetupAllowed": false - } - ] - }, - { - "id": "37290b7b-23f8-4653-ad2c-2593db5760f3", - "alias": "Verify Existing Account by Re-authentication", - "description": "Reauthentication of existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "b8f5c247-b9ba-40c7-a14e-05a235bed46f", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the 
authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "First broker login - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "2e5ceac1-9c0d-4109-b8f2-22c9efb00f0b", - "alias": "browser", - "description": "browser based authentication", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "f40cbe9a-ad2a-476c-b85d-ec426ce100b2", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] }, { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": 
"60ba180d-92f3-4195-abd4-a925121994e7", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticator": "identity-provider-redirector", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 25, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "0b5f7bb3-59e5-4d0e-9e8e-6d0e52984ad2", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 30, - "autheticatorFlow": true, - "flowAlias": "forms", - "userSetupAllowed": false - } - ] - }, - { - "id": "c35579f7-cd70-4c66-9ee7-c21bf7ddd1e0", - "alias": "clients", - "description": "Base authentication for clients", - "providerId": "client-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "client-secret", - 
"authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "37290b7b-23f8-4653-ad2c-2593db5760f3", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] }, { - "authenticator": "client-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "2e5ceac1-9c0d-4109-b8f2-22c9efb00f0b", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] }, { - "authenticator": "client-secret-jwt", - "authenticatorFlow": false, - 
"requirement": "ALTERNATIVE", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "c35579f7-cd70-4c66-9ee7-c21bf7ddd1e0", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticator": "client-x509", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 40, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "c2487b50-dbf9-4536-be9d-940c8ac5eb21", - "alias": "direct grant", - "description": "OpenID Connect Resource Owner Grant", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "c2487b50-dbf9-4536-be9d-940c8ac5eb21", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + 
"requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] }, { - "authenticator": "direct-grant-validate-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "e98419d1-4cb4-469d-a866-2adc9fdb4c6a", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 30, - "autheticatorFlow": true, - "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "e98419d1-4cb4-469d-a866-2adc9fdb4c6a", - "alias": "docker auth", - "description": "Used by Docker clients to authenticate against the IDP", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "672acd89-be23-48ee-ac51-c5d846e77faf", - "alias": "first broker login", - "description": "Actions taken after first broker login with identity provider account, which is not yet linked 
to any Keycloak account", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "review profile config", - "authenticator": "idp-review-profile", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "672acd89-be23-48ee-ac51-c5d846e77faf", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "User creation or linking", - "userSetupAllowed": false - } - ] - }, - { - "id": "1099c284-d2f6-44de-b1b3-87d5cb0990c1", - "alias": "forms", - "description": "Username, password, otp and other auth forms.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "1099c284-d2f6-44de-b1b3-87d5cb0990c1", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": 
"auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "d02c9502-c51d-4968-ba5d-d3771054e85a", - "alias": "http challenge", - "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "no-cookie-redirect", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "d02c9502-c51d-4968-ba5d-d3771054e85a", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] }, { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Authentication Options", - "userSetupAllowed": false - } - ] - }, - { - "id": "18ee7c5d-3b4b-45c7-8d5a-761c2de30711", - "alias": "registration", - "description": "registration flow", - "providerId": 
"basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": true, - "flowAlias": "registration form", - "userSetupAllowed": false - } - ] - }, - { - "id": "41c9dfb7-686d-4679-b471-abd04c08519d", - "alias": "registration form", - "description": "registration form", - "providerId": "form-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-user-creation", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "18ee7c5d-3b4b-45c7-8d5a-761c2de30711", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] }, { - "authenticator": "registration-profile-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 40, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "41c9dfb7-686d-4679-b471-abd04c08519d", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": 
"registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] }, { - "authenticator": "registration-password-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 50, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "2d4c9ede-ca14-4454-bf7b-60e9c23b1951", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] }, { - "authenticator": "registration-recaptcha-action", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 60, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "d1fea7bd-8e31-4b67-9cb8-b720c2b5b49c", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + 
"authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] } - ] - }, - { - "id": "2d4c9ede-ca14-4454-bf7b-60e9c23b1951", - "alias": "reset credentials", - "description": "Reset credentials for a user if they forgot their password or something", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-credential-email", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, + ], + "authenticatorConfig": [ { - "authenticator": "reset-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false + "id": "519345fd-5f36-411f-ac29-9a28fea6e1f1", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } }, { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 40, - "autheticatorFlow": true, - "flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false + "id": "2ad5fe8b-f6aa-4608-bbc2-cbf2ff218b67", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } } - ] - }, - { - "id": "d1fea7bd-8e31-4b67-9cb8-b720c2b5b49c", - "alias": "saml ecp", - "description": "SAML ECP Profile Authentication Flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - 
"userSetupAllowed": false + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} } - ] - } - ], - "authenticatorConfig": [ - { - "id": "519345fd-5f36-411f-ac29-9a28fea6e1f1", - "alias": "create unique user config", - "config": { - "require.password.update.after.registration": "false" - } - }, - { - "id": 
"2ad5fe8b-f6aa-4608-bbc2-cbf2ff218b67", - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - } - } - ], - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "name": "Configure OTP", - "providerId": "CONFIGURE_TOTP", - "enabled": true, - "defaultAction": false, - "priority": 10, - "config": {} - }, - { - "alias": "TERMS_AND_CONDITIONS", - "name": "Terms and Conditions", - "providerId": "TERMS_AND_CONDITIONS", - "enabled": false, - "defaultAction": false, - "priority": 20, - "config": {} - }, - { - "alias": "UPDATE_PASSWORD", - "name": "Update Password", - "providerId": "UPDATE_PASSWORD", - "enabled": true, - "defaultAction": false, - "priority": 30, - "config": {} - }, - { - "alias": "UPDATE_PROFILE", - "name": "Update Profile", - "providerId": "UPDATE_PROFILE", - "enabled": true, - "defaultAction": false, - "priority": 40, - "config": {} - }, - { - "alias": "VERIFY_EMAIL", - "name": "Verify Email", - "providerId": "VERIFY_EMAIL", - "enabled": true, - "defaultAction": false, - "priority": 50, - "config": {} - }, - { - "alias": "delete_account", - "name": "Delete Account", - "providerId": "delete_account", - "enabled": false, - "defaultAction": false, - "priority": 60, - "config": {} - }, - { - "alias": "webauthn-register", - "name": "Webauthn Register", - "providerId": "webauthn-register", - "enabled": true, - "defaultAction": false, - "priority": 70, - "config": {} + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaAuthRequestedUserHint": "login_hint", + "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "actionTokenGeneratedByUserLifespan-execute-actions": "", + 
"actionTokenGeneratedByUserLifespan-verify-email": "", + "clientOfflineSessionIdleTimeout": "0", + "actionTokenGeneratedByUserLifespan-reset-credentials": "", + "cibaInterval": "5", + "realmReusableOtpCode": "false", + "cibaExpiresIn": "120", + "oauth2DeviceCodeLifespan": "600", + "actionTokenGeneratedByUserLifespan-idp-verify-account-via-email": "", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0" }, - { - "alias": "webauthn-register-passwordless", - "name": "Webauthn Register Passwordless", - "providerId": "webauthn-register-passwordless", - "enabled": true, - "defaultAction": false, - "priority": 80, - "config": {} + "keycloakVersion": "21.1", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] }, - { - "alias": "update_user_locale", - "name": "Update User Locale", - "providerId": "update_user_locale", - "enabled": true, - "defaultAction": false, - "priority": 1000, - "config": {} + "clientPolicies": { + "policies": [] } - ], - "browserFlow": "browser", - "registrationFlow": "registration", - "directGrantFlow": "direct grant", - "resetCredentialsFlow": "reset credentials", - "clientAuthenticationFlow": "clients", - "dockerAuthenticationFlow": "docker auth", - "attributes": { - "cibaBackchannelTokenDeliveryMode": "poll", - "cibaAuthRequestedUserHint": "login_hint", - "clientOfflineSessionMaxLifespan": "0", - "oauth2DevicePollingInterval": "5", - "clientSessionIdleTimeout": "0", - "actionTokenGeneratedByUserLifespan-execute-actions": "", - "actionTokenGeneratedByUserLifespan-verify-email": "", - "clientOfflineSessionIdleTimeout": "0", - "actionTokenGeneratedByUserLifespan-reset-credentials": "", - "cibaInterval": "5", - "realmReusableOtpCode": "false", - "cibaExpiresIn": "120", - "oauth2DeviceCodeLifespan": "600", - "actionTokenGeneratedByUserLifespan-idp-verify-account-via-email": "", - "parRequestUriLifespan": "60", - "clientSessionMaxLifespan": "0" - }, - "keycloakVersion": "21.1", - "userManagedAccessAllowed": false, - 
"clientProfiles": { - "profiles": [] - }, - "clientPolicies": { - "policies": [] - } } diff --git a/local/miw/keycloak.properties b/local/miw/keycloak.properties new file mode 100644 index 00000000..fdfc081a --- /dev/null +++ b/local/miw/keycloak.properties @@ -0,0 +1,17 @@ +KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN} +KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD} +KC_HOSTNAME=keycloak +KC_HTTP_PORT=8080 +# miw information +SUPPLIER_KC_MIW_CLIENT_SECRET=${SUPPLIER_KC_MIW_CLIENT_SECRET} +CUSTOMER_KC_MIW_CLIENT_SECRET=${CUSTOMER_KC_MIW_CLIENT_SECRET} +# clients have same name +KC_READ_CLIENT_ID=${KC_READ_CLIENT_ID} +KC_MANAGE_CLIENT_ID=${KC_MANAGE_CLIENT_ID} +# realm and secrets +CUSTOMER_KC_REALM_NAME=Customer +SUPPLIER_KC_REALM_NAME=Supplier +CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET=${CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET} +CUSTOMER_KC_DTR_EDC_CLIENT_SECRET=${CUSTOMER_KC_DTR_EDC_CLIENT_SECRET} +SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET=${SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET} +SUPPLIER_KC_DTR_EDC_CLIENT_SECRET=${SUPPLIER_KC_DTR_EDC_CLIENT_SECRET} diff --git a/local/tractus-x-edc/config/customer/puris-backend.properties b/local/tractus-x-edc/config/customer/puris-backend.properties index 8ed2802c..07f56a95 100644 --- a/local/tractus-x-edc/config/customer/puris-backend.properties +++ b/local/tractus-x-edc/config/customer/puris-backend.properties 
@@ -11,7 +11,14 @@ puris.frameworkagreement.credential=FrameworkAgreement.traceability
 puris.api.key=${CUSTOMER_BACKEND_API_KEY}
 puris.dtr.url=http://dtr-customer:4243
 puris.generatematerialcatenaxid=true
-
+# dtr client idp config
+puris.dtr.idp.enabled=true
+puris.dtr.idp.tokenurl=http://keycloak:8080/realms/Customer/protocol/openid-connect/token
+puris.dtr.idp.edc-client.id=${KC_READ_CLIENT_ID}
+puris.dtr.idp.edc-client.secret.alias=${CUSTOMER_KC_DTR_EDC_CLIENT_ALIAS}
+puris.dtr.idp.puris-client.id=${KC_MANAGE_CLIENT_ID}
+puris.dtr.idp.puris-client.secret=${CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET}
+#
 edc.controlplane.key=${EDC_API_PW}
 edc.controlplane.management.url=http://customer-control-plane:8181/management
 edc.controlplane.protocol.url=http://customer-control-plane:8184/api/v1/dsp
diff --git a/local/tractus-x-edc/config/supplier/puris-backend.properties b/local/tractus-x-edc/config/supplier/puris-backend.properties
index 4c704874..8ea5874d 100644
--- a/local/tractus-x-edc/config/supplier/puris-backend.properties
+++ b/local/tractus-x-edc/config/supplier/puris-backend.properties
@@ -11,7 +11,14 @@ puris.frameworkagreement.credential=FrameworkAgreement.traceability
 puris.api.key=${SUPPLIER_BACKEND_API_KEY}
 puris.dtr.url=http://dtr-supplier:4243
 puris.generatematerialcatenaxid=true
-
+# dtr client idp config
+puris.dtr.idp.enabled=true
+puris.dtr.idp.tokenurl=http://keycloak:8080/realms/Supplier/protocol/openid-connect/token
+puris.dtr.idp.edc-client.id=${KC_READ_CLIENT_ID}
+puris.dtr.idp.edc-client.secret.alias=${SUPPLIER_KC_DTR_EDC_CLIENT_ALIAS}
+puris.dtr.idp.puris-client.id=${KC_MANAGE_CLIENT_ID}
+puris.dtr.idp.puris-client.secret=${SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET}
+#
 edc.controlplane.key=${EDC_API_PW}
 edc.controlplane.management.url=http://supplier-control-plane:9181/management
 edc.controlplane.protocol.url=http://supplier-control-plane:9184/api/v1/dsp
diff --git a/local/vault/put-keys.sh b/local/vault/put-keys.sh
index 5acb9004..5c4a8e6b 100644
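Review bot: In `local/tractus-x-edc/config/customer/puris-backend.properties` the two DTR clients are wired differently and nothing in the hunk says why: `puris.dtr.idp.edc-client.secret.alias` names a vault entry, while `puris.dtr.idp.puris-client.secret` receives the raw client secret from `${CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET}`. Presumably the EDC resolves its secret from its own vault whereas the PURIS backend reads the value directly, so the alias must equal the path that `put-keys.sh` writes (`secret/customer.dtr.edc-client.secret`); `CUSTOMER_KC_DTR_EDC_CLIENT_ALIAS` is not defined in the new `keycloak.properties`, so confirm where it is set. I would replace the bare `# dtr client idp config` with `# DTR IdP clients: the edc-client secret is resolved by the EDC from its vault under the alias below (must match put-keys.sh); the puris-client secret is read directly by the backend` and add that the plain-HTTP token URL is acceptable only on the local compose network. The supplier file in the same commit has the identical layout and deserves the same comment.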
--- a/local/vault/put-keys.sh
+++ b/local/vault/put-keys.sh
@@ -40,12 +40,16 @@ cat $VAULT_PUT_SECRETS_DIR/customer.key | vault kv put secret/customer-key conte
 cat $VAULT_PUT_SECRETS_DIR/customer.cert | vault kv put secret/customer-cert content=-
 cat $VAULT_PUT_SECRETS_DIR/customer-encryption.keys | vault kv put secret/customer-encryption-keys content=-
 cat $VAULT_PUT_SECRETS_DIR/customer.miw.secret | vault kv put secret/customer.miw.secret content=-
+cat $VAULT_PUT_SECRETS_DIR/customer.dtr.edc-client.secret | vault kv put secret/customer.dtr.edc-client.secret content=-
+cat $VAULT_PUT_SECRETS_DIR/customer.dtr.puris-client.secret | vault kv put secret/customer.dtr.puris-client.secret content=-
 echo "Adding supplier certificates"
 cat $VAULT_PUT_SECRETS_DIR/supplier.key | vault kv put secret/supplier-key content=-
 cat $VAULT_PUT_SECRETS_DIR/supplier.cert | vault kv put secret/supplier-cert content=-
 cat $VAULT_PUT_SECRETS_DIR/supplier-encryption.keys | vault kv put secret/supplier-encryption-keys content=-
 cat $VAULT_PUT_SECRETS_DIR/supplier.miw.secret | vault kv put secret/supplier.miw.secret content=-
+cat $VAULT_PUT_SECRETS_DIR/supplier.dtr.edc-client.secret | vault kv put secret/supplier.dtr.edc-client.secret content=-
+cat $VAULT_PUT_SECRETS_DIR/supplier.dtr.puris-client.secret | vault kv put secret/supplier.dtr.puris-client.secret content=-
 # and get the actual server process back to the foreground
 fg %1
From b41f04135dce64933b0e9e5ae584f3af5d78c4a3 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Sun, 12 May 2024 08:55:33 -0700
Subject: [PATCH 02/11] ci(helm-test): set secret for edc client as not defaulted
---
 .github/workflows/helm-test.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
index 3300a7b7..2ff5f381 100644
--- a/.github/workflows/helm-test.yml
+++ b/.github/workflows/helm-test.yml
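Review bot: The four new `cat $VAULT_PUT_SECRETS_DIR/....secret | vault kv put ... content=-` lines inherit a silent-failure mode from the existing pattern: if the secret file is missing, `cat` fails but `vault kv put` still runs with empty stdin and stores an empty client secret, so a misconfigured checkout ends up with a vault entry that looks present but authenticates nothing. Guard each new file before piping, e.g. `[ -s "$VAULT_PUT_SECRETS_DIR/customer.dtr.edc-client.secret" ] || { echo "missing customer.dtr.edc-client.secret" >&2; exit 1; }`, or turn on `set -o pipefail` at the top of the script. The script header with any `set` options is outside the hunk, and the trailing `fg %1` shows it relies on job control, so check that a stricter mode does not interfere with that. The unquoted `$VAULT_PUT_SECRETS_DIR` is pre-existing style but would also break on a path containing spaces.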
@@ -112,18 +112,21 @@ jobs:
 ct install --charts charts/puris --helm-extra-set-args "--set backend.image.repository=${{ env.REGISTRY }}/${{ env.APP_BACKEND_NAME}} --set backend.image.tag=${{ env.TAG }} --set frontend.image.repository=${{ env.REGISTRY }}/${{ env.APP_FRONTEND_NAME }} --set frontend.image.tag=${{ env.TAG }}"
 if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
- - name: Generate random password (This password is only a placeholder for the next step and will not used). The postgresPassword/password will be set via postgres-init.yaml.
+ - name: Generate random password (This password is only a placeholder for the next step and will not used).
 id: generate-password
 run: |
 echo "PASSWORD=PLACEHOLDER_PW" >> $GITHUB_ENV
 # Upgrade the released chart version with the locally available chart
 # default value for event_name != workflow_dispatch
+ # Setting passwords during upgrade:
+ # - The postgresPassword/password will be set via postgres-init.yaml.
+ # - The dtr.idp.clients.edc.puris.secret is new and needs to be set during upgrade as not set in previous version
 - name: Run helm upgrade
 run: |
 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
 helm install puris tractusx-dev/puris --version ${{ github.event.inputs.upgrade_from || '1.0.0' }}
 helm dependency update charts/puris
- helm upgrade puris charts/puris --set backend.puris.datasource.password=$PASSWORD
+ helm upgrade puris charts/puris --set backend.puris.datasource.password=$PASSWORD --set backend.puris.dtr.idp.clients.puris.secret=$PASSWORD
 if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
From 11f9e0e939ce4290520b39a1de695864f1984d07 Mon Sep 17 00:00:00 2001
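Review bot: The new comment names `dtr.idp.clients.edc.puris.secret`, but the `--set` flag it describes sets `backend.puris.dtr.idp.clients.puris.secret` (and the commit title says "edc client"), so a reader cannot tell which chart value the upgrade test actually exercises. Align the comment with the flag, e.g. `# - backend.puris.dtr.idp.clients.puris.secret is new and has no default, so it must be passed explicitly when upgrading from a version that lacks it`, and fix `will not used` → `will not be used` in the step name while touching it. Reusing `$PASSWORD` (`PLACEHOLDER_PW`) as the client secret is fine for an install/upgrade smoke test, but one clause in the comment saying it is a throwaway value would stop it being copied into a real values file.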
From: --show-origin
Date: Fri, 17 May 2024 01:56:26 -0700
Subject: [PATCH 03/11] feat(local/docker-compose.yaml): updated local deployment to be activated by default
---
 local/docker-compose.yaml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml
index 79d3d890..c9cde9a0 100644
--- a/local/docker-compose.yaml
+++ b/local/docker-compose.yaml
@@ -83,7 +83,8 @@ services:
 postgres-customer:
 condition: service_healthy
 healthcheck:
- test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors"]
+ # as security is enabled by default and we don't provide a bearer accept auth issues
+ test: ["CMD-SHELL", "wget -q --spider http://dtr-customer:4243/actuator/health/readiness"]
 interval: 4s
 timeout: 3s
 retries: 15
@@ -94,8 +95,13 @@ services:
 SPRING_DATASOURCE_URL: jdbc:postgresql://customer-postgres:5432/dtr_database
 SPRING_DATASOURCE_USERNAME: ${PG_USER}
 SPRING_DATASOURCE_PASSWORD: ${PG_PW}
- SPRING_PROFILES_ACTIVE: local
+ REGISTRY_IDM_OWNING_TENANT_ID: ${CUSTOMER_BPNL}
+ REGISTRY_USE_GRANULAR_ACCESS_CONTROL: false
 JAVA_TOOL_OPTIONS: "-Xms512m -Xmx1024m"
+ # deactivate oauth idp by commenting out SPRING_PROFILES_ACTIVE
+ # SPRING_PROFILES_ACTIVE: local
+ REGISTRY_IDM_PUBLIC_CLIENT_ID: ${KC_MANAGE_CLIENT_ID}
+ SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "http://keycloak:8080/realms/Customer"
 networks:
 - miw-net
 extra_hosts:
@@ -227,7 +233,7 @@ services:
 postgres-supplier:
 condition: service_healthy
 healthcheck:
- test: ["CMD", "wget", "-q", "--spider", "http://localhost:4243/api/v3.0/shell-descriptors"]
+ test: ["CMD-SHELL", "wget -q --spider http://dtr-supplier:4243/actuator/health/readiness"]
 interval: 4s
 timeout: 3s
 retries: 15
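Review bot: The new comment in the `dtr-customer` healthcheck, `# as security is enabled by default and we don't provide a bearer accept auth issues`, is hard to parse and does not say why the probed URL changed. State the cause directly: `# /api/v3.0/shell-descriptors now requires a bearer token (OAuth is on by default), so probe the actuator readiness endpoint instead`. This presumes `/actuator/health/readiness` is reachable without a token in the DTR's security configuration; if it is not, `wget --spider` fails on the 401 and the container never becomes healthy, so verify that before relying on it. `CMD-SHELL` is not needed here either, since the command uses no shell features and the previous `CMD` array form avoids a shell in the probe.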
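Review bot: The comment `# deactivate oauth idp by commenting out SPRING_PROFILES_ACTIVE` in the `dtr-customer` environment is inverted: the line beneath it is already commented out, and that is what keeps the IdP active, so to deactivate it a user has to uncomment `SPRING_PROFILES_ACTIVE: local`. Rephrase to `# OAuth IdP is active; uncomment the next line (activates the "local" profile) to run the DTR without it`; the supplier hunk `@@ -241,10 +247,10 @@` carries the same comment and needs the same fix. Separately, `REGISTRY_USE_GRANULAR_ACCESS_CONTROL: false` is a bare YAML boolean inside an `environment` map, which some Compose versions reject as a non-string value; quote it as `"false"` like the issuer URI on the line below.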
@@ -241,10 +247,10 @@ services:
 REGISTRY_IDM_OWNING_TENANT_ID: ${SUPPLIER_BPNL}
 REGISTRY_USE_GRANULAR_ACCESS_CONTROL: false
 JAVA_TOOL_OPTIONS: "-Xms512m -Xmx1024m"
- # outcomment SPRING_PROFILES_ACTIVE if idp should be used
- SPRING_PROFILES_ACTIVE: local
- REGISTRY_IDM_PUBLIC_CLIENT_ID: ${KC_READ_CLIENT_ID}
- SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "http://keycloak-supplier:10080/realms/Catena-X"
+ # deactivate oauth idp by commenting out SPRING_PROFILES_ACTIVE
+ # SPRING_PROFILES_ACTIVE: local
+ REGISTRY_IDM_PUBLIC_CLIENT_ID: ${KC_MANAGE_CLIENT_ID}
+ SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "http://keycloak:8080/realms/Supplier"
 networks:
 - miw-net
 extra_hosts:
From e21e9ce0e4bc81f39312e924f89a5292dd11e321 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Fri, 17 May 2024 02:11:17 -0700
Subject: [PATCH 04/11] feat(local/docker-compose.yaml): updated deployment to just use one user with all permissions
---
 local/docker-compose.yaml | 6 ++++--
 .../tractus-x-edc/config/customer/puris-backend.properties | 6 +++---
 .../tractus-x-edc/config/supplier/puris-backend.properties | 6 +++---
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml
index c9cde9a0..ce5a417d 100644
--- a/local/docker-compose.yaml
+++ b/local/docker-compose.yaml
@@ -99,7 +99,8 @@ services:
 REGISTRY_USE_GRANULAR_ACCESS_CONTROL: false
 JAVA_TOOL_OPTIONS: "-Xms512m -Xmx1024m"
 # deactivate oauth idp by commenting out SPRING_PROFILES_ACTIVE
- # SPRING_PROFILES_ACTIVE: local
+ # SPRING_PROFILES_ACTIVE: local
+ # Note: Currently DTR only allows one client, thus manage client must be used for all.
 REGISTRY_IDM_PUBLIC_CLIENT_ID: ${KC_MANAGE_CLIENT_ID}
 SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "http://keycloak:8080/realms/Customer"
 networks:
@@ -248,7 +249,8 @@ services:
REGISTRY_USE_GRANULAR_ACCESS_CONTROL: false
JAVA_TOOL_OPTIONS: "-Xms512m -Xmx1024m"
# deactivate oauth idp by commenting out SPRING_PROFILES_ACTIVE
- # SPRING_PROFILES_ACTIVE: local
+ # SPRING_PROFILES_ACTIVE: local
+ # Note: Currently DTR only allows one client, thus manage client must be used for all.
REGISTRY_IDM_PUBLIC_CLIENT_ID: ${KC_MANAGE_CLIENT_ID}
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "http://keycloak:8080/realms/Supplier"
networks:
diff --git a/local/tractus-x-edc/config/customer/puris-backend.properties b/local/tractus-x-edc/config/customer/puris-backend.properties
index 07f56a95..ba16aeff 100644
--- a/local/tractus-x-edc/config/customer/puris-backend.properties
+++ b/local/tractus-x-edc/config/customer/puris-backend.properties
@@ -14,8 +14,9 @@ puris.generatematerialcatenaxid=true
# dtr client idp config
puris.dtr.idp.enabled=true
puris.dtr.idp.tokenurl=http://keycloak:8080/realms/Customer/protocol/openid-connect/token
-puris.dtr.idp.edc-client.id=${KC_READ_CLIENT_ID}
-puris.dtr.idp.edc-client.secret.alias=${CUSTOMER_KC_DTR_EDC_CLIENT_ALIAS}
+# Note: Currently DTR only allows one client, thus manage client must be used for all.
+puris.dtr.idp.edc-client.id=${KC_MANAGE_CLIENT_ID}
+puris.dtr.idp.edc-client.secret.alias=${CUSTOMER_KC_PURIS_EDC_CLIENT_ALIAS}
puris.dtr.idp.puris-client.id=${KC_MANAGE_CLIENT_ID}
puris.dtr.idp.puris-client.secret=${CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET}
#
@@ -23,7 +24,6 @@ edc.controlplane.key=${EDC_API_PW}
edc.controlplane.management.url=http://customer-control-plane:8181/management
edc.controlplane.protocol.url=http://customer-control-plane:8184/api/v1/dsp
edc.dataplane.public.url=http://customer-data-plane:8285/api/public/
-
own.bpnl=BPNL4444444444XX
own.name=Control Unit Creator Inc.
own.bpns=BPNS4444444444XX
diff --git a/local/tractus-x-edc/config/supplier/puris-backend.properties b/local/tractus-x-edc/config/supplier/puris-backend.properties
index 8ea5874d..bf9a7dd2 100644
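Review bot: After this hunk `puris.dtr.idp.edc-client.id` and `puris.dtr.idp.puris-client.id` both resolve to `${KC_MANAGE_CLIENT_ID}`, so the read-only client the EDC side used to present to the DTR is replaced by the write-capable manage client; the `# Note:` line records the reason (the DTR accepts only one client) but not that this is meant to be temporary. Suggest making that explicit so it is reverted rather than inherited: `# TODO: split edc-client (read) from puris-client (write) again once the DTR supports more than one client`. The EDC secret is still referenced through a vault alias while `puris.dtr.idp.puris-client.secret` is expanded inline; keeping the alias form for the shared secret is the right choice and worth preserving when the two are re-split. The supplier file's hunk at `@@ -14,8 +14,9` on the next line makes the same change.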
--- a/local/tractus-x-edc/config/supplier/puris-backend.properties
+++ b/local/tractus-x-edc/config/supplier/puris-backend.properties
@@ -14,8 +14,9 @@ puris.generatematerialcatenaxid=true
# dtr client idp config
puris.dtr.idp.enabled=true
puris.dtr.idp.tokenurl=http://keycloak:8080/realms/Supplier/protocol/openid-connect/token
-puris.dtr.idp.edc-client.id=${KC_READ_CLIENT_ID}
-puris.dtr.idp.edc-client.secret.alias=${SUPPLIER_KC_DTR_EDC_CLIENT_ALIAS}
+# Note: Currently DTR only allows one client, thus manage client must be used for all.
+puris.dtr.idp.edc-client.id=${KC_MANAGE_CLIENT_ID}
+puris.dtr.idp.edc-client.secret.alias=${SUPPLIER_KC_DTR_PURIS_CLIENT_ALIAS}
puris.dtr.idp.puris-client.id=${KC_MANAGE_CLIENT_ID}
puris.dtr.idp.puris-client.secret=${SUPPLIER_KC_DTR_PURIS_CLIENT_SECRET}
#
@@ -23,7 +24,6 @@ edc.controlplane.key=${EDC_API_PW}
edc.controlplane.management.url=http://supplier-control-plane:9181/management
edc.controlplane.protocol.url=http://supplier-control-plane:9184/api/v1/dsp
edc.dataplane.public.url=http://supplier-data-plane:9285/api/public/
-
own.bpnl=BPNL1234567890ZZ
own.name=Semiconductor Supplier Inc.
own.bpns=BPNS1234567890ZZ
From 17ae9b98585c62094ab8c86b6ff57774c844f903 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Fri, 17 May 2024 02:32:52 -0700
Subject: [PATCH 05/11] fix(local/docker-compose.yaml): use customer specific alias for dtr idp
---
local/tractus-x-edc/config/customer/puris-backend.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/local/tractus-x-edc/config/customer/puris-backend.properties b/local/tractus-x-edc/config/customer/puris-backend.properties
index ba16aeff..f42d6ed6 100644
--- a/local/tractus-x-edc/config/customer/puris-backend.properties
+++ b/local/tractus-x-edc/config/customer/puris-backend.properties
@@ -16,7 +16,7 @@ puris.dtr.idp.enabled=true
puris.dtr.idp.tokenurl=http://keycloak:8080/realms/Customer/protocol/openid-connect/token
# Note: Currently DTR only allows one client, thus manage client must be used for all.
puris.dtr.idp.edc-client.id=${KC_MANAGE_CLIENT_ID}
-puris.dtr.idp.edc-client.secret.alias=${CUSTOMER_KC_PURIS_EDC_CLIENT_ALIAS}
+puris.dtr.idp.edc-client.secret.alias=${CUSTOMER_KC_DTR_PURIS_CLIENT_ALIAS}
puris.dtr.idp.puris-client.id=${KC_MANAGE_CLIENT_ID}
puris.dtr.idp.puris-client.secret=${CUSTOMER_KC_DTR_PURIS_CLIENT_SECRET}
#
From 8102f13936946e3e10d6fd30be728e1f57c495d1 Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Fri, 17 May 2024 02:33:17 -0700
Subject: [PATCH 06/11] chore(helm): version bump after merge
---
charts/puris/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/puris/Chart.yaml b/charts/puris/Chart.yaml
index 06142577..694945f8 100644
--- a/charts/puris/Chart.yaml
+++ b/charts/puris/Chart.yaml
@@ -35,7 +35,7 @@ dependencies:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.3.0
+version: 2.4.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
From 8d605aae36d51ebc853fd282135c25dbdceb5f4a Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Fri, 17 May 2024 07:20:44 -0700
Subject: [PATCH 07/11] refactor: incorporated review
---
.../backend/common/ddtr/logic/DtrAdapterService.java | 2 +-
.../common/security/DtrSecurityConfiguration.java | 10 +++++-----
local/cleanup.sh | 1 -
local/docker-compose.yaml | 1 -
4 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java
index 26cf13ea..10348574 100644
--- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java
+++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/ddtr/logic/DtrAdapterService.java
@@ -21,6 +21,7 @@ package org.eclipse.tractusx.puris.backend.common.ddtr.logic;
import com.fasterxml.jackson.databind.JsonNode;
+import jakarta.annotation.Nullable;
import lombok.extern.slf4j.Slf4j;
import okhttp3.*;
import org.eclipse.tractusx.puris.backend.common.ddtr.logic.util.DtrRequestBodyBuilder;
@@ -29,7 +30,6 @@ import org.eclipse.tractusx.puris.backend.masterdata.domain.model.Material;
import org.eclipse.tractusx.puris.backend.masterdata.domain.model.MaterialPartnerRelation;
import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.lang.Nullable;
import org.springframework.stereotype.Service;
import java.io.IOException;
diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java
index 3fdd45a2..56691d22 100644
--- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java
+++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java
@@ -44,17 +44,17 @@ public class DtrSecurityConfiguration {
* token url of the OAuth2 identity provider
**/
@Value("${puris.dtr.idp.tokenurl}")
- String tokenUrl;
+ private String tokenUrl;
/**
* client id of the puris client with write access for DTR
**/
@Value("${puris.dtr.idp.puris-client.id}")
- String purisClientId;
+ private String purisClientId;
/**
* client secret of the puris client with write access for DTR
**/
@Value("${puris.dtr.idp.puris-client.secret}")
- String purisClientSecret;
+ private String purisClientSecret;
/**
* grant_type. Currently only client_credentials is supported
**/
@@ -64,10 +64,10 @@ public class DtrSecurityConfiguration {
* client id of the edc client with read access for DTR
**/
@Value("${puris.dtr.idp.edc-client.id}")
- String edcClientId;
+ private String edcClientId;
/**
* vault alias for the client secret of the edc client with read access for DTR
**/
@Value("${puris.dtr.idp.edc-client.secret.alias}")
- String edcClientSecretAlias;
+ private String edcClientSecretAlias;
}
diff --git a/local/cleanup.sh b/local/cleanup.sh
index 681e70a9..c769c67d 100644
--- a/local/cleanup.sh
+++ b/local/cleanup.sh
@@ -22,7 +22,6 @@ docker compose down -v
docker compose -f docker-compose-infrastructure.yaml down -v
-docker compose -f docker-compose-idp.yaml down -v
docker image rm local-vault
rm .env
rm ./vault/secrets -r
diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml
index 742a65e2..322b7337 100644
--- a/local/docker-compose.yaml
+++ b/local/docker-compose.yaml
@@ -84,7 +84,6 @@ services:
postgres-customer:
condition: service_healthy
healthcheck:
- # as security is enabled by default and we don't provide a bearer accept auth issues
test: ["CMD-SHELL", "wget -q --spider http://dtr-customer:4243/actuator/health/readiness"]
interval: 4s
timeout: 3s
From 131941a8110e540cbb7dff6ea552bbaa4b05d3ae Mon Sep 17 00:00:00 2001
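Review bot: The javadoc kept as context in the `@@ -44,17` and `@@ -64,10` hunks still describes `purisClientId` as the client "with write access" and `edcClientId` as the one "with read access", but PATCH 04 of this series points both `puris.dtr.idp.puris-client.id` and `puris.dtr.idp.edc-client.id` at the same manage client, so the separation these comments promise is a property of the deployment, not of this class. Suggest stating that, e.g. for the edc client: `* client id of the edc client; intended for read-only DTR access, but deployments may configure the same client as for puris-client`. `purisClientSecret` is also the one secret held here as a plain injected value while the edc secret is only a vault alias; if the class carries or later gains a Lombok `@ToString`/`@Data` (not visible in the hunk), that field should be excluded so it cannot reach logs. The class body continues outside both hunks.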
From: --show-origin
Date: Tue, 21 May 2024 00:03:09 -0700
Subject: [PATCH 08/11] refactor(DtrSecurityConfiguration): made grant_type a private field
---
.../puris/backend/common/security/DtrSecurityConfiguration.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java
index 56691d22..6dc4de20 100644
--- a/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java
+++ b/backend/src/main/java/org/eclipse/tractusx/puris/backend/common/security/DtrSecurityConfiguration.java
@@ -58,7 +58,7 @@ public class DtrSecurityConfiguration {
/**
* grant_type. Currently only client_credentials is supported
**/
- final String grant_type = "client_credentials";
+ private final String grant_type = "client_credentials";
/**
* client id of the edc client with read access for DTR
From e84f5005b30ada7004fb74b51f81d70b39abc17b Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Tue, 21 May 2024 01:58:00 -0700
Subject: [PATCH 09/11] feat(helm): removed framework credential use from backend deployment
---
charts/puris/README.md | 14 ++++++++++++--
charts/puris/templates/backend-deployment.yaml | 2 --
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/charts/puris/README.md b/charts/puris/README.md
index 45e2c4d3..779ff1aa 100644
--- a/charts/puris/README.md
+++ b/charts/puris/README.md
@@ -7,10 +7,12 @@ A helm chart for Kubernetes deployment of PURIS
**Homepage:**
## Prerequisites
+
- Kubernetes 1.19+
- Helm 3.2.0+
## TL;DR
+
```shell
$ helm install puris --namespace puris --create-namespace .
```
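Review bot: `private final String grant_type = "client_credentials";` is a fixed value stored per instance under a snake_case name; the conventional Java form is `private static final String GRANT_TYPE = "client_credentials";`, which also makes clear it is not a configurable property like the `@Value` fields around it. The javadoc could then describe the use rather than repeat the name, e.g. `* OAuth2 grant_type sent in the token request; only client_credentials is supported`. Any reads of `grant_type` elsewhere in the class, outside this hunk, would need the rename.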
@@ -21,8 +23,8 @@ $ helm install puris --namespace puris --create-namespace .
## Requirements
-| Repository | Name | Version |
-|------------|------|---------|
+| Repository | Name | Version |
+|------------------------------------|------------|---------|
| https://charts.bitnami.com/bitnami | postgresql | 12.12.x |
## Values
@@ -200,3 +202,11 @@ $ helm install puris --namespace puris --create-namespace .
| postgresql.enabled | bool | `true` | Enable postgres by default, set to false to use existing postgres. Make sure to set backend.puris.jpa.hibernate.ddl-auto accordingly (by default database is created using hibernate ddl from backend). |
| postgresql.fullnameOverride | string | `"backend-postgresql"` | Possibility to override the fullname |
| postgresql.service.ports.postgresql | int | `5432` | Port of postgres database. |
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2024 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/puris
diff --git a/charts/puris/templates/backend-deployment.yaml b/charts/puris/templates/backend-deployment.yaml
index 546b3f58..1082e98f 100644
--- a/charts/puris/templates/backend-deployment.yaml
+++ b/charts/puris/templates/backend-deployment.yaml
@@ -145,8 +145,6 @@ spec:
value: "{{ .Values.backend.puris.demandsubmodel.apiassetid }}"
- name: PURIS_DELIVERYSUBMODEL_APIASSETID
value: "{{ .Values.backend.puris.deliverysubmodel.apiassetid }}"
- - name: PURIS_FRAMEWORKAGREEMENT_USE
- value: "{{ .Values.backend.puris.frameworkagreement.use }}"
- name: PURIS_FRAMEWORKAGREEMENT_CREDENTIAL
value: "{{ .Values.backend.puris.frameworkagreement.credential }}"
- name: PURIS_FRAMEWORKAGREEMENT_VERSION
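Review bot: The hunk drops the `PURIS_FRAMEWORKAGREEMENT_USE` env var, but this commit touches only README.md and this template, so `backend.puris.frameworkagreement.use` presumably still exists in values.yaml and in the README values table as a setting that no longer does anything; if so, remove it there as well or mark it deprecated so chart users do not assume it still toggles the framework-agreement credential check. Whether the backend still reads `puris.frameworkagreement.use` with a built-in default is not visible here; if it does, the chart now silently falls back to that default, which is worth a line in the chart's changelog or README. The `env:` block continues outside the hunk.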
From: --show-origin
Date: Tue, 21 May 2024 02:08:07 -0700
Subject: [PATCH 10/11] fix(local/docker-compose): updated healthcheck to use correct database
---
local/docker-compose.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/local/docker-compose.yaml b/local/docker-compose.yaml
index 38e2cd6f..e681c6c7 100644
--- a/local/docker-compose.yaml
+++ b/local/docker-compose.yaml
@@ -118,7 +118,7 @@ services:
ports:
- "127.0.0.1:5433:5432"
healthcheck:
- test: ["CMD-SHELL", "pg_isready -d puris-customer -U ${PG_USER}"]
+ test: ["CMD-SHELL", "pg_isready -d puris_customer -U ${PG_USER}"]
interval: 4s
timeout: 3s
retries: 15
From d8b53ac1f14b105f59c31d3b0c011d1583b854cf Mon Sep 17 00:00:00 2001
From: --show-origin
Date: Tue, 21 May 2024 02:13:52 -0700
Subject: [PATCH 11/11] chore(helm): bump chart version
---
charts/puris/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/puris/Chart.yaml b/charts/puris/Chart.yaml
index 694945f8..d6ad5595 100644
--- a/charts/puris/Chart.yaml
+++ b/charts/puris/Chart.yaml
@@ -35,7 +35,7 @@ dependencies:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.4.0
+version: 2.5.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
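Review bot: Correcting the name in `pg_isready -d puris_customer -U ${PG_USER}` does not make the check verify that database: pg_isready only sends a connection-startup probe and reports whether the server accepts connections, it never authenticates or opens the named database, so the probe passed with the old spelling too (the wrong name only produced failed-connection entries in the server log). If the intent is to wait until `puris_customer` actually exists before dependants start, replace the command with a real query over the container's local socket, `psql -U ${PG_USER} -d puris_customer -c 'select 1'`; otherwise the `-d` argument can simply be dropped. The database name is also hard-coded here while the service's `POSTGRES_DB` setting is outside the hunk, so the two can drift again.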