diff --git a/stacks/keycloak-opa-poc/aas.yaml b/stacks/keycloak-opa-poc/aas.yaml new file mode 100644 index 00000000..6a251b58 --- /dev/null +++ b/stacks/keycloak-opa-poc/aas.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: auth-server + labels: + app: aas +spec: + ports: + - name: http + port: 9000 + targetPort: 9000 + selector: + app: aas + type: NodePort +--- +apiVersion: v1 +kind: Pod +metadata: + name: aas + labels: + app: aas +spec: + containers: + - name: aas + image: aas-service:current + ports: + - name: web + containerPort: 9000 + protocol: TCP + env: + - name: SPRING_PROFILES_ACTIVE + value: test + - name: SPRING_DATASOURCE_URL + value: jdbc:postgresql://postgresql-aas:5432/aas + - name: SPRING_DATASOURCE_USERNAME + value: aas + - name: SPRING_DATASOURCE_PASSWORD + value: aas + - name: AAS_IAM_BASEURI + value: http://key-server:8080 + # valueFrom: + # configMapKeyRef: + # name: keycloak + # key: KEYCLOAK_BASE_URI \ No newline at end of file diff --git a/stacks/keycloak-opa-poc/druid.yaml b/stacks/keycloak-opa-poc/druid.yaml index cedd9e35..775b07de 100644 --- a/stacks/keycloak-opa-poc/druid.yaml +++ b/stacks/keycloak-opa-poc/druid.yaml @@ -21,10 +21,6 @@ spec: user: druid password: druid zookeeperConfigMapName: druid-znode - authorization: - opa: - configMapName: opa - package: druid brokers: roleGroups: default: @@ -63,7 +59,6 @@ spec: "druid-datasketches", "prometheus-emitter", "druid-basic-security", - "druid-opa-authorizer", "druid-hdfs-storage", "druid-pac4j"] @@ -73,11 +68,9 @@ spec: druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword: '${env:DRUID_SYSTEM_USER_PASSWORD}' # Default password for internal 'druid_system' user druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure: "true" # for any non system user, skip to the pac4j authenticator - druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName: OpaAuthorizer # pac4j authenticator druid.auth.authenticator.pac4j.type: pac4j - druid.auth.authenticator.pac4j.authorizerName: OpaAuthorizer # pac4j common config druid.auth.pac4j.cookiePassphrase: '${env:DRUID_COOKIE_PASSPHRASE}' # OIDC common config @@ -87,11 +80,6 @@ spec: # druid.auth.pac4j.oidc.oidcClaim: preferred_username # setting doesn't work, but should? druid.auth.authenticatorChain: '["MyBasicMetadataAuthenticator","pac4j"]' - - druid.escalator.type: basic - druid.escalator.internalClientUsername: druid_system - druid.escalator.internalClientPassword: '{"type":"environment","variable":"DRUID_SYSTEM_USER_PASSWORD"}' - druid.escalator.authorizerName: OpaAuthorizer coordinators: roleGroups: default: diff --git a/stacks/keycloak-opa-poc/keycloak.yaml b/stacks/keycloak-opa-poc/keycloak.yaml index 7455803e..7027604c 100644 --- a/stacks/keycloak-opa-poc/keycloak.yaml +++ b/stacks/keycloak-opa-poc/keycloak.yaml @@ -15,13 +15,17 @@ spec: labels: app: keycloak spec: + volumes: + - name: keycloak-import-dir + configMap: + name: keycloak-gaia-x-realm containers: - name: keycloak image: quay.io/keycloak/keycloak:22.0.3 # Keycloak is running in development mode: https://www.keycloak.org/server/configuration#_starting_keycloak # production mode disables HTTP and requires a TLS configuration, which is currently very difficult to configure # given that we're running on a NodePort - args: ["start-dev"] + args: ["start-dev", "--import-realm", "--hostname-url=http://key-server:8080"] env: - name: KEYCLOAK_ADMIN value: admin @@ -30,6 +34,9 @@ spec: secretKeyRef: name: keycloak-admin-credentials key: admin + volumeMounts: + - name: keycloak-import-dir + mountPath: /opt/keycloak/data/import ports: - name: http containerPort: 8080 @@ -41,7 +48,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: keycloak + name: key-server labels: app: keycloak spec: @@ -79,11 +86,14 @@ spec: - -c - | echo "Determining Keycloak public reachable address" - KEYCLOAK_ADDRESS=$(kubectl get svc keycloak -o json | jq -r --argfile endpoints <(kubectl get endpoints keycloak -o json) --argfile nodes <(kubectl get nodes -o json) '($nodes.items[] | select(.metadata.name == $endpoints.subsets[].addresses[].nodeName) | .status.addresses | map(select(.type == "ExternalIP" or .type == "InternalIP")) | min_by(.type) | .address | tostring) + ":" + (.spec.ports[] | select(.name == "http") | .nodePort | tostring)') + KEYCLOAK_ADDRESS=$(kubectl get svc key-server -o json | jq -r --argfile endpoints <(kubectl get endpoints key-server -o json) --argfile nodes <(kubectl get nodes -o json) '($nodes.items[] | select(.metadata.name == $endpoints.subsets[].addresses[].nodeName) | .status.addresses | map(select(.type == "ExternalIP" or .type == "InternalIP")) | min_by(.type) | .address | tostring) + ":" + (.spec.ports[] | select(.name == "http") | .nodePort | tostring)') echo "Found Keycloak running at $KEYCLOAK_ADDRESS" echo "Writing Keycloak address to ConfigMap keycloak" - kubectl create configmap keycloak --from-literal="KEYCLOAK=$KEYCLOAK_ADDRESS" --from-literal="KEYCLOAK_DISCOVERY_URL=http://$KEYCLOAK_ADDRESS/realms/master/.well-known/openid-configuration" -o yaml --dry-run | kubectl apply -f - + kubectl create configmap keycloak --from-literal="KEYCLOAK=key-server:8080" --from-literal="KEYCLOAK_BASE_URI=http://key-server:8080" --from-literal="KEYCLOAK_DISCOVERY_URL=http://key-server:8080/realms/gaia-x/.well-known/openid-configuration" -o yaml --dry-run | kubectl apply -f - serviceAccountName: demo-serviceaccount restartPolicy: OnFailure backoffLimit: 20 # give some time for the Keycloak to be available + + + # kubectl create configmap keycloak --from-literal="KEYCLOAK=$KEYCLOAK_ADDRESS" --from-literal="KEYCLOAK_BASE_URI=http://$KEYCLOAK_ADDRESS" --from-literal="KEYCLOAK_DISCOVERY_URL=http://$KEYCLOAK_ADDRESS/realms/gaia-x/.well-known/openid-configuration" -o yaml --dry-run | kubectl apply -f - diff --git a/stacks/keycloak-opa-poc/postgres-aas.yaml b/stacks/keycloak-opa-poc/postgres-aas.yaml new file mode 100644 index 00000000..79864fb9 --- /dev/null +++ b/stacks/keycloak-opa-poc/postgres-aas.yaml @@ -0,0 +1,11 @@ +releaseName: postgresql-aas +name: postgresql +repo: + name: bitnami + url: https://charts.bitnami.com/bitnami/ +version: 12.6.6 +options: + auth: + username: aas + password: aas + database: aas diff --git a/stacks/keycloak-opa-poc/realm.yaml b/stacks/keycloak-opa-poc/realm.yaml new file mode 100644 index 00000000..48643d0f --- /dev/null +++ b/stacks/keycloak-opa-poc/realm.yaml @@ -0,0 +1,2596 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: keycloak-gaia-x-realm +data: + gaia-x-realm.json: |- + { + "id": "gaia-x", + "realm": "gaia-x", + "displayName": "GAIA-X", + "notBefore": 1654094377, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "none", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "114aff6f-9cd0-43e4-b253-ecc8051b78be", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "gaia-x", + "attributes": {} + }, + { + "id": "f43e5019-48a3-4f69-9867-2ab167a22c44", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "gaia-x", + "attributes": {} + }, + { + "id": "8ee7d6f7-f168-4b62-ae34-1c18ffbf631a", + "name": "default-roles-gaia-x", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ] + }, + "clientRole": false, + "containerId": "gaia-x", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "5b9f2d0f-42a7-4840-b0d3-1a721ce966a2", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "e7b13600-8203-4f4a-b9ae-bb1ef1b3ffd0", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "b907922d-e3a9-4d2e-bc0a-98658e807412", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "78cab9dd-0779-4c56-aa81-4a2afda2bf29", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "40904ff5-ed33-4c11-ad98-84eeb6e983f9", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "03ec9856-cc25-42f8-9c73-4a3bd2a7e361", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "e78ea104-4b06-4958-ad5d-218b123c5a7d", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "d8ec8ec3-1537-4612-8f23-c60fca6a2216", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "956c9acd-018e-4c70-b4a0-7204333b3bb8", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "b94967f5-7929-4d6f-ade7-ef2d7db43cd7", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "8071f8be-e915-465c-ba7f-a84feda1769e", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "6fd195b9-bd1e-4b17-b37b-3557b66ce2b7", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "68ca7431-d90d-482a-8901-4bc35cbe6179", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "1f5f2ec2-8d41-4d5d-8dd4-f5f17bf914e9", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "6ad820d9-8e67-4902-a91b-54a61d6204a9", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "7eaf080d-36ca-4c69-8f86-cb61b9bcbe5d", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "453d293d-ce02-42c8-9703-ed8a99c33214", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "create-client", + "impersonation", + "manage-realm", + "manage-events", + "view-clients", + "view-authorization", + "query-users", + "view-identity-providers", + "query-groups", + "manage-users", + "manage-authorization", + "view-realm", + "view-users", + "manage-clients", + "query-clients", + "query-realms", + "view-events", + "manage-identity-providers" + ] + } + }, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "2642b524-c1b7-4852-b37b-1a09678cb9bc", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + }, + { + "id": "74c6912a-b4d9-4897-9c66-c00f820791a2", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "aas-app": [ + { + "id": "dc9e6728-aceb-41a1-8088-132a9d792143", + "name": "uma_protection", + "composite": false, + "clientRole": true, + "containerId": "ed510a04-4e30-4ef5-baf3-30b42f0d58d5", + "attributes": {} + } + ], + "demo-app": [], + "account-console": [], + "cip-app": [ + { + "id": "8fa23743-5f3f-4cf1-865f-e7b732c6daca", + "name": "uma_protection", + "composite": false, + "clientRole": true, + "containerId": "e92a965c-9236-4ea7-953d-81d7bc021f9f", + "attributes": {} + } + ], + "broker": [], + "account": [ + { + "id": "26a2da99-679c-40e4-a29e-84dc0e87ce47", + "name": "manage-account", + "composite": false, + "clientRole": true, + "containerId": "98919336-c907-4361-9872-6466ca1bae7e", + "attributes": {} + }, + { + "id": "d4d32ec8-dff0-4a6c-8d77-2af81604a5d1", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "98919336-c907-4361-9872-6466ca1bae7e", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "8ee7d6f7-f168-4b62-ae34-1c18ffbf631a", + "name": "default-roles-gaia-x", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "gaia-x" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpSupportedApplications": [ + "FreeOTP", + "Google Authenticator" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users": [ + { + "id": "b98712d1-7fca-4b73-bf20-f6b08315431b", + "createdTimestamp": 1647375741271, + "username": "service-account-aas-app", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "aas-app", + "disableableCredentialTypes": [], + "requiredActions": [], + "clientRoles": { + "aas-app": [ + "uma_protection" + ] + }, + "notBefore": 0, + "groups": [] + }, + { + "id": "86d1f3f9-d9f8-45da-b50d-eb4c9cabe49a", + "createdTimestamp": 1654093531829, + "username": "service-account-cip-app", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "cip-app", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-gaia-x" + ], + "clientRoles": { + "cip-app": [ + "uma_protection" + ] + }, + "notBefore": 0, + "groups": [] + } + ], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account" + ] + } + ] + }, + "clients": [ + { + "id": "ed510a04-4e30-4ef5-baf3-30b42f0d58d5", + "clientId": "aas-app", + "name": "Authentication & Authorization Service", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature.keyinfo.ext": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "false", + "client_credentials.use_refresh_token": "false", + "require.pushed.authorization.requests": "false", + "saml.client.signature": "false", + "id.token.as.detached.signature": "false", + "saml.assertion.signature": "false", + "saml.encrypt": "false", + "saml.server.signature": "false", + "exclude.session.state.from.auth.response": "false", + "saml.artifact.binding": "false", + "saml_force_name_id_format": "false", + "acr.loa.map": "{}", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "59cbe9c0-83d8-4ac2-8607-b36c5164e214", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "431f91ae-519a-49e1-a4b2-9716af0be72b", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + }, + { + "id": "6b6e7198-4e9e-4dc7-a8f6-94af77d93652", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "98919336-c907-4361-9872-6466ca1bae7e", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/gaia-x/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/gaia-x/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "bd308877-0534-4ad0-a136-1e4a4bdaac6b", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/gaia-x/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/gaia-x/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "1ff4a2da-164b-4b21-9e10-f0600207f2e7", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "d0eb7727-06f1-491c-9d9a-aecabefdd4a9", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "096c1a58-a545-4089-8273-b320c016f076", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "e92a965c-9236-4ea7-953d-81d7bc021f9f", + "clientId": "cip-app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "http://test-server:8180/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "oauth2.device.authorization.grant.enabled": "true", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature.keyinfo.ext": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "false", + "client_credentials.use_refresh_token": "false", + "require.pushed.authorization.requests": "false", + "saml.client.signature": "false", + "id.token.as.detached.signature": "false", + "saml.assertion.signature": "false", + "saml.encrypt": "false", + "saml.server.signature": "false", + "exclude.session.state.from.auth.response": "false", + "saml.artifact.binding": "false", + "saml_force_name_id_format": "false", + "acr.loa.map": "{}", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "30569955-7c45-46cb-b072-b5fb58731e74", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "b123576c-0777-42e8-acd9-aedc14abbc38", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "fa468176-d583-4fb4-80a5-a24a0a4345cb", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "roles" + ], + "optionalClientScopes": [ + "address", + "phone", + "profile", + "offline_access", + "microprofile-jwt", + "email" + ], + "authorizationSettings": { + "allowRemoteResourceManagement": false, + "policyEnforcementMode": "ENFORCING", + "resources": [ + { + "name": "Read Resource", + "ownerManagedAccess": false, + "displayName": "Read Resource", + "attributes": {}, + "_id": "c8f3e615-b1d1-453f-bcb0-b77e33ad4985", + "uris": [ + "/demo/read" + ] + }, + { + "name": "Write Resource", + "ownerManagedAccess": false, + "displayName": "Write Resource", + "attributes": {}, + "_id": "ebbf51b3-36ba-4bde-8c22-1cde8f32cdd5", + "uris": [ + "/demo/write" + ] + }, + { + "name": "Demo Resource", + "ownerManagedAccess": false, + "displayName": "Demo Resource", + "attributes": {}, + "_id": "95d2d0f4-87d3-4c03-b5cb-1a52394551c9", + "uris": [ + "/demo" + ] + } + ], + "policies": [ + { + "id": "13986fff-5832-4456-9171-0fdb425a77e8", + "name": "Default Permission", + "description": "A permission that applies to the default resource type", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "defaultResourceType": "urn:cip-app:resources:default", + "applyPolicies": "[]" + } + }, + { + "id": "bd546d36-fa89-4eda-a837-d9d0608533cf", + "name": "Read Permission", + "type": "resource", + "logic": "POSITIVE", + "decisionStrategy": "UNANIMOUS", + "config": { + "resources": "[\"Read Resource\"]", + "applyPolicies": "[]" + } + } + ], + "scopes": [], + "decisionStrategy": "UNANIMOUS" + } + }, + { + "id": "52c9c697-c860-4edd-bde4-5e03904fdb44", + "clientId": "demo-app", + "name": "SSI Demo Application", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "http://test-server:8990/*", + "http://key-server:8080/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature.keyinfo.ext": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "false", + "client_credentials.use_refresh_token": "false", + "require.pushed.authorization.requests": "false", + "saml.client.signature": "false", + "id.token.as.detached.signature": "false", + "saml.assertion.signature": "false", + "saml.encrypt": "false", + "saml.server.signature": "false", + "exclude.session.state.from.auth.response": "false", + "saml.artifact.binding": "false", + "saml_force_name_id_format": "false", + "acr.loa.map": "{}", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "roles" + ], + "optionalClientScopes": [ + "address", + "phone", + "profile", + "offline_access", + "microprofile-jwt", + "email" + ] + }, + { + "id": "af3a57c9-da9c-47b6-81a0-f131b7637d08", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "12604a51-9ed5-4ec6-967d-373b185f15ec", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/gaia-x/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/gaia-x/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "7a55bf05-4bfa-4904-aa57-91e639f38e9b", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "8cdc0c1b-9349-4792-b8ec-f4d9bcf98d09", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "b0e96b4c-e790-43bb-bc4b-2bef7a9e1f6e", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "0eb18a29-bc6f-49ae-b83f-baa724db43b0", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "8fa06769-45df-4a8f-9826-28404e62bdf7", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "876ac006-7cde-4a7c-ab72-64e078c20b8b", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "ca02a41f-3128-41f5-9a53-b3b25b2adf7f", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "9a0da62f-6824-416e-8eb9-47afcc4fdda3", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "bb79af2b-a17d-4f11-8a94-dfeca9974d3e", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "e8ec0746-2d7f-4bc4-bec2-acf9eeda7493", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "af13725e-1468-4e72-a365-7f7c16f42fc7", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "b125d27b-4038-45d5-a40f-5c5c03507567", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "464f9c67-e95a-4136-ad93-22f5190e304d", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "752a4e76-b88b-4645-ac4e-1cc7133917a8", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "7872f01b-38e7-415a-874b-9004c71a3e88", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "853a6314-4305-4db4-94eb-22c994fe72e4", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "dc5d9dcd-0269-46e6-a289-615e8e9bd1e6", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "12de7cd4-1376-437d-9e6b-08d16c738f95", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "b4cdcbc2-f20b-42d6-923c-b438866d4403", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "8336ad4e-7183-4929-acec-ef1bfcbee46a", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "0aa713da-c832-47f4-bfa5-0395a9eed7e4", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "d653d614-21ea-43ec-bf52-7023064f02f6", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "0c83fef9-fc12-4c8d-912b-0c33705a5e51", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "8a765bf0-4b3c-4f3b-9dd9-7393c43302bb", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "f5dcdd7b-7855-4c8c-9552-43657eb39d49", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String" + } + }, + { + "id": "c17817a3-570f-4aa5-8e77-5efb2aa3cc28", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "b8602ae1-9446-4c5a-a22b-06451e0e279e", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "85f9fe13-2366-463f-a67c-28cc7fcb0fe3", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "6a73807f-99d2-4d80-a249-b5f29384bdc6", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "f7585dfa-94f5-4792-aedf-a9f33cd66d3a", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "a2839b81-af82-434d-9ccb-31bc7f716d4d", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "3a0829e0-9a56-4af8-8561-995bfc4eaba2", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "110f237a-c47a-4116-b040-114f66026672", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "e5520b36-30d4-4187-915e-4a4e9f40d5de", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "115b221c-e4ad-4039-89be-71a23f458fbe", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "0f0d05d6-d959-4123-9efa-8fd6493b0b47", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "roles", + "web-origins" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt", + "email", + "profile" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "loginTheme": "gaia-x", + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [ + { + "alias": "ssi-oidc", + "displayName": "SSI OIDC Broker", + "internalId": "532c5037-eb4b-4f73-99df-cbe236279bb2", + "providerId": "oidc", + "enabled": true, + "updateProfileFirstLoginMode": "on", + "trustEmail": true, + "storeToken": false, + "addReadTokenRoleOnCreate": false, + "authenticateByDefault": false, + "linkOnly": false, + "firstBrokerLoginFlowAlias": "first broker login", + "config": { + "userInfoUrl": "http://auth-server:9000/userinfo", + "clientId": "aas-app-oidc", + "tokenUrl": "http://auth-server:9000/oauth2/token", + "uiLocales": "false", + "issuer": "http://auth-server:9000", + "useJwksUrl": "true", + "loginHint": "false", + "authorizationUrl": "http://auth-server:9000/oauth2/authorize", + "clientAuthMethod": "client_secret_post", + "syncMode": "IMPORT", + "clientSecret": "secret", + "defaultScope": "openid profile email" + } + }, + { + "alias": "ssi-siop", + "displayName": "SSI SIOP Broker", + "internalId": "a6fc3365-616b-4432-8b9e-e8beb7a63324", + "providerId": "oidc", + "enabled": true, + "updateProfileFirstLoginMode": "on", + "trustEmail": true, + "storeToken": false, + "addReadTokenRoleOnCreate": false, + "authenticateByDefault": false, + "linkOnly": false, + "firstBrokerLoginFlowAlias": "first broker login", + "config": { + "loginHint": "false", + "userInfoUrl": "http://auth-server:9000/userinfo", + "clientId": "aas-app-siop", + "tokenUrl": "http://auth-server:9000/oauth2/token", + "authorizationUrl": "http://auth-server:9000/oauth2/authorize", + "clientAuthMethod": "client_secret_basic", + "syncMode": "IMPORT", + "clientSecret": "secret2", + "defaultScope": "openid profile email", + "issuer": "http://auth-server:9000", + "useJwksUrl": "true" + } + } + ], + "identityProviderMappers": [ + { + "id": "0a72e8ca-1fdb-4d48-8ca9-62f8e56a45e1", + "name": "last name", + "identityProviderAlias": "ssi-oidc", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "family_name", + "user.attribute": "lastName" + } + }, + { + "id": "8cdc7471-8a9f-4886-8618-af1034c37f70", + "name": "user name", + "identityProviderAlias": "ssi-siop", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "preferred_username", + "user.attribute": "username" + } + }, + { + "id": "9d6787c8-468c-4d17-b64b-9dad58289730", + "name": "email", + "identityProviderAlias": "ssi-oidc", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "email", + "user.attribute": "email" + } + }, + { + "id": "bc81f4b8-e19a-4ed0-b509-799f3f2bf138", + "name": "last name", + "identityProviderAlias": "ssi-siop", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "family_name", + "user.attribute": "lastName" + } + }, + { + "id": "17b28568-7b84-431d-b27e-acfc09ddcc87", + "name": "first name", + "identityProviderAlias": "ssi-oidc", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "name", + "user.attribute": "firstName" + } + }, + { + "id": "ef7007c4-a38f-4e2d-90da-c904961b1788", + "name": "first name", + "identityProviderAlias": "ssi-siop", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "name", + "user.attribute": "firstName" + } + }, + { + "id": "5f10f9a8-0ac4-4ef1-99f8-799f9ef11749", + "name": "user name", + "identityProviderAlias": "ssi-oidc", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "preferred_username", + "user.attribute": "username" + } + }, + { + "id": "5cc712cd-af22-45dc-b394-4188f3e745bf", + "name": "email", + "identityProviderAlias": "ssi-siop", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "INHERIT", + "claim": "email", + "user.attribute": "email" + } + } + ], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "b0d0db1f-6ae7-4856-8ce2-7b770d1bc61f", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "9329cb81-3e46-47d6-b350-5d8087e87cf5", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "ec1b1ee9-270a-498f-b9ef-feff690aba87", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-address-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper" + ] + } + }, + { + "id": "f78e90a8-7c92-4ddc-8c6b-4f2363ab1b1e", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "b5d35367-a334-43b3-94d4-6633861c12df", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-property-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "saml-user-attribute-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper" + ] + } + }, + { + "id": "b69bd178-95a4-488a-ab0b-df7e032b9666", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "2188e132-b7cc-41bc-b967-06b954761f2a", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "a8f92145-2d2e-43e4-9f12-963c0579cc8c", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + } + ], + "org.keycloak.userprofile.UserProfileProvider": [ + { + "id": "eccc20ef-ccc4-4e54-b385-245cd6239bc3", + "providerId": "declarative-user-profile", + "subComponents": {}, + "config": {} + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "4dbacd4a-e98d-4479-86d5-e17bcff5e14f", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "445b8478-0710-49b0-9462-b07a5844bbe6", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "8a29592d-3aaf-48d5-b520-5a9a7d5ae630", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "d9b0da75-ef91-4d12-ab9b-a5078b157865", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "f6df262e-b866-4b74-bde0-0dd2a8936cbf", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "1ddba671-9a1e-47ff-aea0-9dac2a4e4b68", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "52a63bb0-6747-4f22-8014-c7322be546ad", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "c7f1ca27-8e9f-425c-9c05-003416222cdd", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "a4e67553-8bed-49d1-a546-cbd901d56471", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "d376b86b-b1ee-4272-ad93-e66743bf7259", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "2b2131b4-2834-44c5-bd04-c426ddfda894", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "19a88868-3f6e-47ed-9a7c-e5199ae0e0c2", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "c10f1f1b-9548-4f38-afd3-3819561b38bc", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "3d2f1527-a794-4890-b8b7-8bcb31535b6b", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "86503421-8411-4cd0-a251-bbe4926d7a41", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "a1463c49-24b7-4fae-98d6-d9d2bd2d3a98", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "99ae0da5-f4ce-477a-a621-ca043ff32f8c", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "e170404d-8bd3-4153-bcd0-ae84e720fef1", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "67b18d58-6567-48ba-8994-aee92bbfb79b", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "6c8fb550-3983-4558-8998-65433730be96", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] + }, + { + "id": "756b055c-15e7-4e07-961c-352bf1db5cf0", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "003b074b-cc91-4aa5-b8d4-eba39940fb57", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "d9692df4-0f49-4d26-9dc0-a0dc0d3d4e1e", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "75864193-c008-4490-abcb-92b1189a396b", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "b2eb64da-3f09-4e63-826e-206aa807f19a", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "814e8014-03e6-4a52-83dd-e50caae6a78b", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "userProfileEnabled": "false", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5" + }, + "keycloakVersion": "17.0.0", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } + } diff --git a/stacks/keycloak-opa-poc/setup-keycloak.yaml b/stacks/keycloak-opa-poc/setup-keycloak.yaml index 09456d1d..8e1ae39e 100644 --- a/stacks/keycloak-opa-poc/setup-keycloak.yaml +++ b/stacks/keycloak-opa-poc/setup-keycloak.yaml @@ -71,17 +71,17 @@ spec: curl -LO https://github.com/keycloak/keycloak/releases/download/22.0.3/keycloak-22.0.3.zip unzip keycloak-22.0.3.zip cd keycloak-22.0.3/bin - ./kcadm.sh config credentials --config kcadm.conf --server http://keycloak:8080/ --realm master --user admin --password "$KEYCLOAK_ADMIN_PASSWORD" + ./kcadm.sh config credentials --config kcadm.conf --server http://key-server:8080/ --realm master --user admin --password "$KEYCLOAK_ADMIN_PASSWORD" ./kcadm.sh create users --config kcadm.conf -s username=alice -s enabled=true || true ./kcadm.sh create users --config kcadm.conf -s username=bob -s enabled=true || true ./kcadm.sh set-password --config kcadm.conf --username alice --new-password "$ALICE_PASSWORD" ./kcadm.sh set-password --config kcadm.conf --username bob --new-password "$BOB_PASSWORD" - ./kcadm.sh create clients --config kcadm.conf -f - << EOF || true + ./kcadm.sh create clients -r gaia-x --config kcadm.conf -f - << EOF || true { - "clientId": "superset", + "clientId": "trino", "enabled": true, "clientAuthenticatorType": "client-secret", - "secret": "$SUPERSET_CLIENT_SECRET", + "secret": "$TRINO_CLIENT_SECRET", "redirectUris": [ "*" ], @@ -92,12 +92,12 @@ spec: "protocol": "openid-connect" } EOF - ./kcadm.sh create clients --config kcadm.conf -f - << EOF || true + ./kcadm.sh create clients -r gaia-x --config kcadm.conf -f - << EOF || true { - "clientId": "trino", + "clientId": "superset", "enabled": true, "clientAuthenticatorType": "client-secret", - "secret": "$TRINO_CLIENT_SECRET", + "secret": "$SUPERSET_CLIENT_SECRET", "redirectUris": [ "*" ], @@ -108,7 +108,7 @@ spec: "protocol": "openid-connect" } EOF - ./kcadm.sh create clients --config kcadm.conf -f - << EOF || true + ./kcadm.sh create clients -r gaia-x --config kcadm.conf -f - << EOF || true { "clientId": "druid", "enabled": true, @@ -124,8 +124,8 @@ spec: "protocol": "openid-connect" } EOF - ADMIN_ID=$(./kcadm.sh get users --config kcadm.conf -r master -q username=admin | sed -ne 's/^ "id" : \(.*\),$/\1/p') - ALICE_ID=$(./kcadm.sh get users --config kcadm.conf -r master -q username=alice | sed -ne 's/^ "id" : \(.*\),$/\1/p') + ADMIN_ID=$(./kcadm.sh get users --config kcadm.conf -r gaia-x -q username=admin | sed -ne 's/^ "id" : \(.*\),$/\1/p') + ALICE_ID=$(./kcadm.sh get users --config kcadm.conf -r gaia-x -q username=alice | sed -ne 's/^ "id" : \(.*\),$/\1/p') echo "Writing Keycloak address to ConfigMap keycloak" kubectl create configmap opagroups --from-literal="data.json={\"admins\": [$ADMIN_ID, $ALICE_ID]}" -o yaml --dry-run | kubectl apply -f - kubectl label configmap opagroups opa.stackable.tech/bundle=true diff --git a/stacks/keycloak-opa-poc/superset.yaml b/stacks/keycloak-opa-poc/superset.yaml index 24ad482e..a047d40c 100644 --- a/stacks/keycloak-opa-poc/superset.yaml +++ b/stacks/keycloak-opa-poc/superset.yaml @@ -41,12 +41,12 @@ spec: 'remote_app': { 'client_id': 'superset', 'client_secret': f'{os.environ.get("SUPERSET_CLIENT_SECRET")}', - 'api_base_url': f'http://{os.environ.get("KEYCLOAK_ADDRESS")}/realms/master/protocol/openid-connect', + 'api_base_url': f'http://{os.environ.get("KEYCLOAK_ADDRESS")}/realms/gaia-x/protocol/openid-connect', 'client_kwargs': { 'scope': 'email profile openid' }, - 'access_token_url': f'http://{os.environ.get("KEYCLOAK_ADDRESS")}/realms/master/protocol/openid-connect/token', - 'authorize_url': f'http://{os.environ.get("KEYCLOAK_ADDRESS")}/realms/master/protocol/openid-connect/auth', + 'access_token_url': f'http://{os.environ.get("KEYCLOAK_ADDRESS")}/realms/gaia-x/protocol/openid-connect/token', + 'authorize_url': f'http://{os.environ.get("KEYCLOAK_ADDRESS")}/realms/gaia-x/protocol/openid-connect/auth', 'request_token_url': None, }, } diff --git a/stacks/keycloak-opa-poc/trino.yaml b/stacks/keycloak-opa-poc/trino.yaml index 5851bb9d..35b690f6 100644 --- a/stacks/keycloak-opa-poc/trino.yaml +++ b/stacks/keycloak-opa-poc/trino.yaml @@ -14,10 +14,6 @@ spec: catalogLabelSelector: matchLabels: trino: trino - authorization: - opa: - configMapName: opa - package: trino coordinators: podOverrides: spec: @@ -39,8 +35,8 @@ spec: http-server.authentication.type: oauth2 http-server.authentication.oauth2.client-id: trino http-server.authentication.oauth2.client-secret: ${ENV:TRINO_CLIENT_SECRET} - http-server.authentication.oauth2.issuer: http://${ENV:KEYCLOAK_ADDRESS}/realms/master - http-server.authentication.oauth2.principal-field: preferred_username + http-server.authentication.oauth2.issuer: http://${ENV:KEYCLOAK_ADDRESS}/realms/gaia-x + http-server.authentication.oauth2.principal-field: sub roleGroups: default: replicas: 1 diff --git a/stacks/stacks-v2.yaml b/stacks/stacks-v2.yaml index 48a2e1ff..72bcd18e 100644 --- a/stacks/stacks-v2.yaml +++ b/stacks/stacks-v2.yaml @@ -452,10 +452,12 @@ stacks: manifests: - helmChart: https://raw.githubusercontent.com/stackabletech/stackablectl/main/stacks/_templates/postgresql-superset.yaml - helmChart: https://raw.githubusercontent.com/stackabletech/stackablectl/main/stacks/_templates/postgresql-druid.yaml + - helmChart: stacks/keycloak-opa-poc/postgres-aas.yaml - plainYaml: stacks/keycloak-opa-poc/serviceaccount.yaml + - plainYaml: stacks/keycloak-opa-poc/realm.yaml - plainYaml: stacks/keycloak-opa-poc/keycloak.yaml - plainYaml: stacks/keycloak-opa-poc/setup-keycloak.yaml - - plainYaml: stacks/keycloak-opa-poc/opa.yaml + - plainYaml: stacks/keycloak-opa-poc/aas.yaml - plainYaml: stacks/keycloak-opa-poc/policies.yaml - plainYaml: stacks/keycloak-opa-poc/zookeeper.yaml - plainYaml: stacks/keycloak-opa-poc/hdfs.yaml