diff --git a/keycloak_oauth/__init__.py b/keycloak_oauth/__init__.py index cd90d7a..d423558 100644 --- a/keycloak_oauth/__init__.py +++ b/keycloak_oauth/__init__.py @@ -1,8 +1,11 @@ +from pathlib import Path +import ssl from typing import Any import pydantic from authlib.common.security import generate_token from authlib.integrations.starlette_client import OAuth, StarletteOAuth2App from authlib.jose import JWTClaims, JsonWebToken, JsonWebKey +from authlib.oauth2.rfc7523 import PrivateKeyJWT from starlette import status from starlette.datastructures import URL @@ -23,7 +26,7 @@ class KeycloakOAuth2: def __init__( self, client_id: str, - client_secret: str, + client_secret: str | bytes | None, server_metadata_url: str, client_kwargs: dict[str, Any], base_url: str = "/", @@ -32,7 +35,14 @@ def __init__( self.code_verifier = generate_token(48) self._base_url = base_url self._logout_page = logout_target + oauth = OAuth() + + # HACK: load custom certificate including default certifi cacert chain + if verify := client_kwargs.get("verify"): + ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23, verify=verify) + client_kwargs["verify"] = ssl_context + oauth.register( name="keycloak", # client_id and client_secret are created in keycloak @@ -42,9 +52,30 @@ def __init__( client_kwargs=client_kwargs, code_challenge_method="S256", ) + assert isinstance(oauth.keycloak, StarletteOAuth2App) self.keycloak = oauth.keycloak + async def setup_signed_jwt(self, keypair: Path, public_key: Path) -> None: + """Setup client authentication for signed JWT. + + :param keypair: Path to keypair.pem, generated via `openssl genrsa - out keypair.pem 2048` + :param public_key: Path to publickey.crt, generated via `openssl rsa -in keypair.pem -pubout -out publickey.crt` + """ + self.keycloak.client_secret = keypair.read_bytes() + self.pub = JsonWebKey.import_key( + public_key.read_text(), {"kty": "RSA", "use": "sig"} + ).as_dict() + + metadata = await self.keycloak.load_server_metadata() + auth_method = PrivateKeyJWT(metadata["token_endpoint"]) + self.keycloak.client_auth_methods = [auth_method] + self.keycloak.client_kwargs.update( + { + "token_endpoint_auth_method": auth_method.name, + } + ) + def setup_fastapi_routes(self) -> None: """Create FastAPI router and register API endpoints.""" import fastapi @@ -53,6 +84,10 @@ def setup_fastapi_routes(self) -> None: self.router.add_api_route("/login", self.login_page) self.router.add_api_route("/callback", self.auth) self.router.add_api_route("/logout", self.logout) + self.router.add_api_route("/certs", self.public_keys) + + async def public_keys(self, request: Request) -> dict[str, Any]: + return {"keys": [self.pub]} async def login_page( self, request: Request, redirect_target: str | None = None diff --git a/keycloak_oauth/starlette_admin.py b/keycloak_oauth/starlette_admin.py index eaf9fbb..a1b9c5f 100644 --- a/keycloak_oauth/starlette_admin.py +++ b/keycloak_oauth/starlette_admin.py @@ -1,7 +1,7 @@ from typing import Sequence from starlette.exceptions import HTTPException from starlette.requests import Request -from starlette.responses import RedirectResponse +from starlette.responses import JSONResponse, RedirectResponse from starlette.routing import Route from starlette_admin.auth import AdminUser, AuthProvider, login_not_required from starlette_admin.base import BaseAdmin @@ -50,6 +50,11 @@ async def render_logout( async def handle_auth_callback(self, request: Request) -> RedirectResponse: return await self.keycloak.auth(request) + @login_not_required + async def public_keys(self, request: Request) -> JSONResponse: + keys = await self.keycloak.public_keys(request) + return JSONResponse(keys) + def setup_admin(self, admin: BaseAdmin) -> None: super().setup_admin(admin) """add custom authentication callback route""" @@ -61,3 +66,10 @@ def setup_admin(self, admin: BaseAdmin) -> None: name="authorize_keycloak", ) ) + admin.routes.append( + Route( + "/auth/certs", + self.public_keys, + methods=["GET"], + ) + ) diff --git a/poetry.lock b/poetry.lock index cef82b2..80a6ef7 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.8.0 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand. [[package]] name = "annotated-types" @@ -1002,6 +1002,24 @@ tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} [package.extras] testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"] +[[package]] +name = "pytest-asyncio" +version = "0.23.5.post1" +description = "Pytest support for asyncio" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pytest-asyncio-0.23.5.post1.tar.gz", hash = "sha256:b9a8806bea78c21276bc34321bbf234ba1b2ea5b30d9f0ce0f2dea45e4685813"}, + {file = "pytest_asyncio-0.23.5.post1-py3-none-any.whl", hash = "sha256:30f54d27774e79ac409778889880242b0403d09cabd65b727ce90fe92dd5d80e"}, +] + +[package.dependencies] +pytest = ">=7.0.0,<9" + +[package.extras] +docs = ["sphinx (>=5.3)", "sphinx-rtd-theme (>=1.0)"] +testing = ["coverage (>=6.2)", "hypothesis (>=5.7.1)"] + [[package]] name = "pytest-mock" version = "3.12.0" @@ -1499,4 +1517,4 @@ starlette-admin = ["starlette-admin"] [metadata] lock-version = "2.0" python-versions = "^3.10" -content-hash = "7c9078dcd88df54bcfab651f7003db74ba1830b739b98673c3078b935edd4450" +content-hash = "630493c00273131e0cbd33e01f97707911612e1740b3de469941f35e3f2000c6" diff --git a/pyproject.toml b/pyproject.toml index 62ae914..77500b1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -30,6 +30,7 @@ pyright = "^1.1.351" [tool.poetry.group.test.dependencies] pytest = "^8.0.1" +pytest-asyncio = "^0.23.5.post1" pytest-mock = "^3.12.0" python-keycloak = "^3.9.0" testcontainers-keycloak = { git = "https://github.com/TheForgottened/testcontainers-python", subdirectory = "keycloak" } # updated Keycloak container: https://github.com/testcontainers/testcontainers-python/pull/369 diff --git a/tests/resources/keycloak/keypair.pem b/tests/resources/keycloak/keypair.pem new file mode 100644 index 0000000..30d57d8 --- /dev/null +++ b/tests/resources/keycloak/keypair.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCw0/V2NNevVeIY +Id+DPp+R9+yNRb3+gXuTSyrnt1Z8udvmJs5IBbjZvJNhPt3+tmp9u7ibkiKYSx/7 +CRr70po06pmNAYQCUmxIo5xbOivXcgMYOYzMLA94qX7UrYUjcWl7uda2i6f3V0Y2 +P4SRADSP6vYEKE4iSuOh9VlpuNY85q/pZPbn9ZtIyDWT5DqUr1Y8Ia2i6oiHWmCM +1f5czitGtwrid1EnEYWb4QXFhTws9y9MmbrAzE+7NnJFi3f3xzQXGP+xIdHKpnho +kCpHSNkI4s5gB/fU+MTyBCWdh6TdXD64mpBIV/egQ2ok/9k3o9C8MA4MSovvFFrk +jBL5bmkVAgMBAAECggEAEOw4EZf9DEqr2KNlQKo9mzqe6OZDyJebu/z1njdtj4I6 +CUytcTca+buSXzwlArtydZYBlOHnbavC48N7UZ5WI7pP966tc4tv0YPW8uQeTgAb +S7Y2Q1P0JxgRi0kP9NRlw/GFGvNCn+k6TvbFORtL7HoQEVXKJH4GSvmwFO4bkrhY +L1qPAIMMoNKcAuMf426t9e1YWHWYz8ELGBH/nx+UJX2LU0SS1AjdAlyvROsBPGWt +/E9hgXe/sbPZ002C9phhl66NXAwCqkW6yA/jT8G0dVJbDLc0PR9HtZyL1zlyWpDU +i4l/1HYM9qgejxxQgoF/lXIARGWtwKok30QyYiq2AQKBgQDrReufZtYCF/1G24Jn +TIEdVjRH3VrZar2OOA9E/ju6vN1fzoP9qv4SMz8PZZhfREehX7vAQkRPVhx32fAB ++ThGACzcW13Crx3zvDXsqsh1VRlXnNKcRKB2ljGuLJ4JeTG5Kf3HI7aVvw7hiIhX +A+Oo7b93t9vlMVSBIKp9LnZbqwKBgQDAZ+71vxSc82+iFnVNyjK8oOT6bsnBLdfO +saEvhxgvBoQVfmdSevIaIlwErThd6bWpRcp5znrklKFYK07MB+QlmOAtWfRwKEB5 +qU4FdmtRyGgkg8T9/9/yE8/LiDT4nYFqRtsEAHjVmx7FDQCqvXbtZonSzaivoAoS +2bcRnV+OPwKBgQC3j2nyiA1YvNbDPehUKABknylTGIUVNI6IM3zWW3TGkSw2361j +cNGh6ZG9tYpYabFpWoPl0M3zCEBV0hfLsmIRW3mkwzQ3/ODllWaNLAISaT7IeHZp +rbF0VGKWfgEfaws8aGKzyE1gMBywIhIdsc8hsby87xoFi6Ney9m4qVN22QKBgQCj +eetDq3WVIRURb+l9DbZsJHxI98a+NvgsqynbmvoGQpAJPxwErWd0owryAkdpK8Bo +sV6mfbRW8J3hrvJFUtMayrh2b/7LKLgXZq1e4M2wcAlkNP00HqqlIQYl1XXEYvbp +WIiP7uK8Aw9yt2iAqXgZn0ys6oZPqjfE6mysL71XuwKBgH/Lc/QzN0hqRLX/Qgy8 +l2//pC2zosOSd3tzXPEbzrRc/xbD9KJECnSeQ1lyrSAzV1fuIoZ5q314aSIgnsO0 +IVVBPewRz83rycTGmThDDYp0TcSv/gwzY2prRkWETDoBZ+LPyrDtfsjOYTMjm1YP +baxbfQ3LrLw7ilH6Vrj35a78 +-----END PRIVATE KEY----- diff --git a/tests/resources/keycloak/publickey.crt b/tests/resources/keycloak/publickey.crt new file mode 100644 index 0000000..bb4d19a --- /dev/null +++ b/tests/resources/keycloak/publickey.crt @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsNP1djTXr1XiGCHfgz6f +kffsjUW9/oF7k0sq57dWfLnb5ibOSAW42byTYT7d/rZqfbu4m5IimEsf+wka+9Ka +NOqZjQGEAlJsSKOcWzor13IDGDmMzCwPeKl+1K2FI3Fpe7nWtoun91dGNj+EkQA0 +j+r2BChOIkrjofVZabjWPOav6WT25/WbSMg1k+Q6lK9WPCGtouqIh1pgjNX+XM4r +RrcK4ndRJxGFm+EFxYU8LPcvTJm6wMxPuzZyRYt398c0Fxj/sSHRyqZ4aJAqR0jZ +COLOYAf31PjE8gQlnYek3Vw+uJqQSFf3oENqJP/ZN6PQvDAODEqL7xRa5IwS+W5p +FQIDAQAB +-----END PUBLIC KEY----- diff --git a/tests/resources/keycloak/realm.json b/tests/resources/keycloak/realm_client_secret.json similarity index 100% rename from tests/resources/keycloak/realm.json rename to tests/resources/keycloak/realm_client_secret.json diff --git a/tests/resources/keycloak/realm_signed_jwt.json b/tests/resources/keycloak/realm_signed_jwt.json new file mode 100644 index 0000000..e590622 --- /dev/null +++ b/tests/resources/keycloak/realm_signed_jwt.json @@ -0,0 +1,2172 @@ +{ + "id": "5fdbaaf4-3a3d-43ae-b5d9-58ea0a41de2b", + "realm": "bakdata", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "ca3a9ab1-14a3-4fec-b50d-ccc923d5ce09", + "name": "default-roles-bakdata", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ] + }, + "clientRole": false, + "containerId": "5fdbaaf4-3a3d-43ae-b5d9-58ea0a41de2b", + "attributes": {} + }, + { + "id": "072480a1-c8aa-48fb-b38c-804b08729588", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "5fdbaaf4-3a3d-43ae-b5d9-58ea0a41de2b", + "attributes": {} + }, + { + "id": "f7f0d405-4c48-469d-b446-811a76b788b6", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "5fdbaaf4-3a3d-43ae-b5d9-58ea0a41de2b", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "d4ffe87d-59b2-4b40-88b1-12a123c8ef29", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "cab2e10d-0166-47b2-937b-3ffeefedbe98", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "998fe3d6-9374-49ae-bcbe-ecc296d706e9", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "a2cc14fd-d8cc-4a36-9cb9-7cac0dedc21b", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "view-identity-providers", + "query-realms", + "view-clients", + "view-realm", + "query-clients", + "view-users", + "manage-realm", + "query-users", + "impersonation", + "create-client", + "query-groups", + "view-authorization", + "manage-clients", + "manage-identity-providers", + "manage-users", + "view-events", + "manage-events", + "manage-authorization" + ] + } + }, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "44d52503-2e2f-40e1-8ac1-525938e195e8", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "9946d6f2-854f-4db9-8844-6d85cdab6cb8", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "7c3c9bd8-833d-4bc5-8abf-d270f7751a22", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "5dc913e9-fd3c-41f1-af39-9cd61189bb22", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "de09c9f2-9605-4ae4-865c-6e97a2b974b0", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "b62fd8fa-fa7c-4a6b-a829-07a4020324e4", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "ad58ad68-6313-42b8-8160-119d1e180070", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "bb0eabfa-b8b5-437e-a006-a5179e2c81fb", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "f9083cd7-5eb5-4bd0-8047-f8f884ecbd85", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "af23e648-56d4-477c-b6ed-12fec09e7ea1", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "0378b344-4702-434c-92e3-e855de4a0c9d", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "d629249a-da78-48c0-a6bd-3f067434ab71", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "ddbd4dcb-73d4-4269-8b6a-82aadf192f4a", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "a9591ab9-2ab8-4889-b450-48630a71aa05", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + }, + { + "id": "75f83bd2-1310-42f3-92d6-7708b2a9c63a", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "test-client": [], + "account-console": [], + "broker": [], + "account": [ + { + "id": "f3aadb8a-f824-4055-8792-db0900ad2ec5", + "name": "manage-account", + "composite": false, + "clientRole": true, + "containerId": "7bd8ed16-dc97-41ce-814f-ff79cff69d80", + "attributes": {} + }, + { + "id": "120150e0-9ce0-4a14-a182-b522192c864a", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "7bd8ed16-dc97-41ce-814f-ff79cff69d80", + "attributes": {} + }, + { + "id": "e9ea7db7-322a-46ee-8be6-e380ef4551dd", + "name": "view-groups", + "composite": false, + "clientRole": true, + "containerId": "7bd8ed16-dc97-41ce-814f-ff79cff69d80", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "ca3a9ab1-14a3-4fec-b50d-ccc923d5ce09", + "name": "default-roles-bakdata", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "5fdbaaf4-3a3d-43ae-b5d9-58ea0a41de2b" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "localizationTexts": {}, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyExtraOrigins": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "webAuthnPolicyPasswordlessExtraOrigins": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "7bd8ed16-dc97-41ce-814f-ff79cff69d80", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/bakdata/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/bakdata/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "fb212a25-3e04-4412-854a-b262bd0d2b49", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/bakdata/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/bakdata/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "ce9c161e-c900-4cf5-9598-1935089775cd", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "d2d3be1d-9391-49c0-867e-cde0f9cdd09b", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "2dac6fe8-1dab-4c59-bfc3-6e24dd5f0917", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "f06b58d2-1f72-488e-8843-39abb4882ffd", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "ad82cd7d-ca62-419f-8d8a-294ef3519c32", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/bakdata/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/bakdata/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "953cc648-a29a-47fb-949c-5e4259ebb314", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "1d0b0e05-18f6-463f-bdd6-199b835d3db4", + "clientId": "test-client", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-jwt", + "secret": "**********", + "redirectUris": [ + "*", + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1708969439", + "backchannel.logout.session.required": "true", + "jwks.url": "http://testserver/auth/certs", + "jwt.credential.public.key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsNP1djTXr1XiGCHfgz6f\nkffsjUW9/oF7k0sq57dWfLnb5ibOSAW42byTYT7d/rZqfbu4m5IimEsf+wka+9Ka\nNOqZjQGEAlJsSKOcWzor13IDGDmMzCwPeKl+1K2FI3Fpe7nWtoun91dGNj+EkQA0\nj+r2BChOIkrjofVZabjWPOav6WT25/WbSMg1k+Q6lK9WPCGtouqIh1pgjNX+XM4r\nRrcK4ndRJxGFm+EFxYU8LPcvTJm6wMxPuzZyRYt398c0Fxj/sSHRyqZ4aJAqR0jZ\nCOLOYAf31PjE8gQlnYek3Vw+uJqQSFf3oENqJP/ZN6PQvDAODEqL7xRa5IwS+W5p\nFQIDAQAB\n-----END PUBLIC KEY-----\n", + "token.endpoint.auth.signing.alg": "RS256", + "post.logout.redirect.uris": "+", + "oauth2.device.authorization.grant.enabled": "true", + "display.on.consent.screen": "false", + "use.jwks.url": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "3a0bd62f-18c3-42c4-9858-e68c73f0f472", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "898d28b0-b4c8-477f-b8ad-b91e0fb58799", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "4690af13-c7b2-4a76-a773-c5b8cc852635", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "26ce3237-a102-4529-9a0d-09a5f17edc4a", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "ec274e48-8683-49c8-a556-df55b909f354", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String" + } + }, + { + "id": "ee0e6e08-4e24-4d05-be32-96ea2696d2b1", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String" + } + }, + { + "id": "d110b129-4a8f-4653-86e2-e595f80bc71e", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "0c83a92e-04ac-4fbb-828e-8c0eb319dfc5", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "c3477e32-c484-45a2-8032-1e70a2c9b8d0", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "62a0a95f-14df-4358-9549-bddfcf48f178", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "889b9e44-f0e4-4849-bf70-ea30f6152c26", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "9d73c822-3845-4210-a484-420687347d36", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "6e5127be-a370-46b4-81dc-187663461e94", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "24f4cd78-53ac-494c-a8d8-c08481d0cb81", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "13cfa3ab-8f79-4985-b5fe-7647335b407b", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "b22f83e9-703b-4ca1-ac64-0e9dc6f89916", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "57ea16d0-3181-4c41-b256-819a3bb52f1a", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "86ca969b-fd95-425a-9f02-234bc743c00c", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "e1b24bdd-1243-4533-b48b-5478f617a272", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "7a786f39-64cd-4592-8210-a0d0013ae92c", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "0e17303a-f107-4311-ae61-8dd9473215b2", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "a99f0fc2-c506-40bb-9c23-e750405f97fe", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "3a30b7ee-e030-4cf4-bc8f-ccd99de9634c", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "b4856630-d128-4c1f-9acd-0f8160543589", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "4221222c-4c6b-4693-b97d-cdc487c004aa", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "1fc46d56-7c11-47f5-8619-33bc192dd30e", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "4277c6d3-af36-42c1-91c4-811aab27c62b", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "324d0d68-7659-49d6-b596-0e96c8dd2632", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "4a00a0c1-38ff-44cc-a82f-fa7b0c7a922e", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "d07b5191-764c-4073-aec1-2ff3406c76b8", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "006ace3d-9595-4932-a734-bd1a29d29f63", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "4f623c9e-027b-4a20-bcf5-f49bba526562", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "dcf41f39-4f04-4637-bfbe-e8cd548354e1", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "9e94d686-bbc1-4cc6-913a-64fc4c6dafa5", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "7c725611-4ac9-47b8-a65a-de6955af6aa5", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "a0278be5-9d66-4aee-8443-c610f7e54481", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "944ca31c-0cf1-4cc1-b843-d8ca26a7fb70", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "41583c55-1288-4939-bbdf-389f9ed2fe08", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "5c63fb05-72e3-4c83-93dd-2f30f809fc0c", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "8b2dff1b-b2b8-4735-97fe-5200bd2d0148", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "introspection.token.claim": "true", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "e532cd76-0df2-4a6a-8224-5a244f258a32", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-attribute-mapper" + ] + } + }, + { + "id": "0879bc4e-b93b-457f-8111-5d47b64447da", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "a07a5f1e-3de3-440e-be0a-6d235cbf3f47", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "d8217bd8-7cd5-4f7f-adae-3205987cc3ed", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "041ba6de-421a-419e-8b4b-e6b8f95a3143", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "801bbe3d-99dc-4595-984b-fc9b10504718", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "f335c021-addc-429c-9ba2-b94b7966b621", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-usermodel-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "saml-role-list-mapper", + "oidc-address-mapper", + "saml-user-property-mapper", + "saml-user-attribute-mapper" + ] + } + }, + { + "id": "796cc6d5-f5df-443f-99ff-b8b216ea2231", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "224aad65-4a03-4fb7-8d29-c57840d95845", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "8cdcb4f0-a9c1-46f4-bba7-e1f91a591e9c", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "9e81936c-047f-4d1e-be88-009b01c02af8", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "973bb9ab-d86c-4c4d-87be-6e81e337d9ef", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "c22c62a8-38ef-49bc-b0e2-e09e7cc7d74d", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "7314091f-ce2d-4c4e-a334-dd2c4e6451d3", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "7f99f8db-6d61-4a95-bcc1-810409405db5", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "39c3e768-48b6-4398-a84b-5fbf96f79e70", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "a54ecda0-ecbf-45b7-99f4-676218c53004", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "6ad18145-2b52-4400-9b77-6f5bcda97912", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "33e28083-3234-467e-8d80-4c64141d9ba4", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "af942a72-fef0-4a44-9ef7-79a1d360c89a", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "3362199c-8912-483e-ab19-f93077edd0fa", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "ab094fd9-9b0c-4592-b4d4-c8e7b940dc34", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "8cdb0b83-5793-4187-a231-8ae32e5a8bbb", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "a12f7fd3-e8ed-4571-8a75-fbfda4beeaac", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "28e9432f-9adf-4515-aaed-9c25c8959ebc", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "0667ecc5-2c0f-49bf-96f3-4821916d5194", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "84c5fea5-76a8-4d59-b68e-eb8f6abf29d2", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "5ec466bf-ed28-4534-bff2-501c22b49659", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "b9dca3eb-26b6-4464-9e92-8f75e7af3407", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "76628cbe-9fec-4b8b-a767-053948e2c16d", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "9817df6f-0e9e-4327-963d-b3df99673dbe", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "9ff1c59f-0e63-47ed-9cbf-5ac5b44819f3", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "23.0.7", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} \ No newline at end of file diff --git a/tests/test_oauth.py b/tests/test_oauth_client_secret.py similarity index 97% rename from tests/test_oauth.py rename to tests/test_oauth_client_secret.py index adc172d..54480ae 100644 --- a/tests/test_oauth.py +++ b/tests/test_oauth_client_secret.py @@ -14,10 +14,10 @@ from twill.commands import form_value -class TestKeycloakOAuth2: +class TestKeycloakOAuth2ClientSecret: RESOURCES_PATH = Path(__file__).parent.absolute() / "resources/keycloak" - @pytest.fixture(scope="session") + @pytest.fixture(scope="class") def keycloak(self) -> Generator[KeycloakAdmin, None, None]: container = ( KeycloakContainer() @@ -36,7 +36,9 @@ def keycloak(self) -> Generator[KeycloakAdmin, None, None]: assert keycloak.connection.base_url == container.get_base_api_url() + "/" keycloak.import_realm( - json.loads(Path(self.RESOURCES_PATH / "realm.json").read_bytes()) + json.loads( + Path(self.RESOURCES_PATH / "realm_client_secret.json").read_bytes() + ) ) keycloak.change_current_realm("bakdata") diff --git a/tests/test_oauth_signed_jwt.py b/tests/test_oauth_signed_jwt.py new file mode 100644 index 0000000..f7c2a8d --- /dev/null +++ b/tests/test_oauth_signed_jwt.py @@ -0,0 +1,185 @@ +import json +from pathlib import Path +from typing import Annotated, Generator +from fastapi import Depends, FastAPI, Request, status +import httpx +import pytest_asyncio +from starlette.middleware.sessions import SessionMiddleware +from keycloak import KeycloakAdmin +import pytest +from testcontainers.core.waiting_utils import wait_for_logs +from keycloak_oauth import KeycloakOAuth2, User +from testcontainers.keycloak import KeycloakContainer +from fastapi.testclient import TestClient +from twill import browser +from twill.commands import form_value + + +class TestKeycloakOAuth2SignedJWT: + RESOURCES_PATH = Path(__file__).parent.absolute() / "resources/keycloak" + + @pytest.fixture(scope="class") + def keycloak(self) -> Generator[KeycloakAdmin, None, None]: + container = ( + KeycloakContainer() + .with_name("keycloak") + .with_volume_mapping( + str(self.RESOURCES_PATH), + "/opt/keycloak/data/import", + ) + ) + assert isinstance( + container, KeycloakContainer + ) # HACK: wrong type annotation in testcontainers `with_command` + container.with_bind_ports(container.port, container.port).start() + wait_for_logs(container, "Running the server in development mode.") + keycloak = container.get_client() + + assert keycloak.connection.base_url == container.get_base_api_url() + "/" + keycloak.import_realm( + json.loads(Path(self.RESOURCES_PATH / "realm_signed_jwt.json").read_bytes()) + ) + keycloak.change_current_realm("bakdata") + + user_id = keycloak.create_user({"username": keycloak.connection.username}) + keycloak.set_user_password( + user_id, keycloak.connection.password, temporary=False + ) + keycloak.enable_user(user_id) + + yield keycloak + + container.stop() + + @pytest.fixture() + def app(self) -> FastAPI: + return FastAPI() + + @pytest_asyncio.fixture() + async def client(self, app: FastAPI, keycloak: KeycloakAdmin) -> TestClient: + keycloak_oauth = KeycloakOAuth2( + client_id="test-client", + client_secret=None, + server_metadata_url=f"{keycloak.connection.base_url}/realms/bakdata/.well-known/openid-configuration", + client_kwargs={ + "scope": "openid profile email", + }, + ) + await keycloak_oauth.setup_signed_jwt( + self.RESOURCES_PATH / "keypair.pem", self.RESOURCES_PATH / "publickey.crt" + ) + keycloak_oauth.setup_fastapi_routes() + app.include_router(keycloak_oauth.router, prefix="/auth") + app.add_middleware(SessionMiddleware, secret_key="!secret") + + @app.get("/") + def root( + request: Request, user: Annotated[User, Depends(KeycloakOAuth2.get_user)] + ) -> str: + return f"Hello {user.name}" + + @app.get("/foo") + def foo( + request: Request, user: Annotated[User, Depends(KeycloakOAuth2.get_user)] + ) -> str: + return "foo" + + @app.get("/bar") + def bar( + request: Request, user: Annotated[User, Depends(KeycloakOAuth2.get_user)] + ) -> str: + return "bar" + + return TestClient(app) + + def test_keycloak_setup(self, keycloak: KeycloakAdmin): + assert keycloak.connection.realm_name == "bakdata" + + @pytest.mark.asyncio + async def test_public_keys_endpoint(self, client: TestClient): + assert client.get("/auth/certs").json()["keys"] + + @pytest.mark.asyncio + @pytest.mark.parametrize("endpoint", ["/", "/foo", "/bar"]) + async def test_protected_endpoint(self, client: TestClient, endpoint: str): + response = client.get(endpoint) + assert response.status_code == status.HTTP_401_UNAUTHORIZED + + @pytest.mark.asyncio + @pytest.mark.parametrize( + "query_params", + [ + None, + httpx.QueryParams({"next": "/foo"}), + httpx.QueryParams({"next": "/bar", "unrelated": "should be hidden"}), + ], + ) + async def test_login_redirect( + self, + client: TestClient, + keycloak: KeycloakAdmin, + query_params: httpx.QueryParams | None, + ): + response = client.get("/auth/login", params=query_params) + keycloak_base_url = httpx.URL(keycloak.connection.base_url) + assert response.url.host == keycloak_base_url.host + assert response.url.port == keycloak_base_url.port + assert response.url.path == "/realms/bakdata/protocol/openid-connect/auth" + assert response.url.params["client_id"] == "test-client" + redirect_uri = httpx.URL(response.url.params["redirect_uri"]) + assert redirect_uri.host == client.base_url.host + assert redirect_uri.path == "/auth/callback" + if query_params: + assert set(redirect_uri.params.keys()) == {"next"} + assert redirect_uri.params["next"] == query_params["next"] + else: + assert not redirect_uri.params + + @pytest.mark.asyncio + async def test_logout_redirect(self, client: TestClient): + response = client.get("/auth/logout", follow_redirects=False) + assert response.status_code == status.HTTP_307_TEMPORARY_REDIRECT + assert response.headers["location"] == "/" + + @pytest.mark.asyncio + async def test_auth_flow(self, client: TestClient, keycloak: KeycloakAdmin): + # try accessing protected endpoint + response = client.get("/", follow_redirects=False) + assert response.status_code == status.HTTP_401_UNAUTHORIZED + + # let's login, should redirect to Keycloak login page + response = client.get("/auth/login", follow_redirects=False) + assert response.is_redirect + redirect_target = response.headers["location"] + assert "/realms/bakdata/protocol/openid-connect/auth" in redirect_target + + # open Keycloak login form in browser and login + browser.go(redirect_target) + assert browser.title == "Sign in to bakdata" + browser.show_forms() + assert keycloak.connection.username # HACK: fix wrong type annotation + assert keycloak.connection.password + form_value("1", "username", keycloak.connection.username) + form_value("1", "password", keycloak.connection.password) + with pytest.raises(httpx.ConnectError) as exc: + browser.submit("0") + assert exc.value.request.url.host == client.base_url.host + assert exc.value.request.url.path == "/auth/callback" + + # first check the redirect + response = client.get(exc.value.request.url, follow_redirects=False) + assert response.is_redirect + assert response.headers["location"] == "/" + + # now follow the redirect + response = client.get(response.headers["location"]) + assert response.is_success + assert response.read() == b'"Hello test"' + + # logout user + response = client.get("/auth/logout", follow_redirects=False) + assert response.is_redirect + + # check that endpoint is inaccessible again + response = client.get("/") + assert response.status_code == status.HTTP_401_UNAUTHORIZED