diff --git a/app/pom.xml b/app/pom.xml
index 381c98af9e..43b137b899 100644
--- a/app/pom.xml
+++ b/app/pom.xml
@@ -293,6 +293,11 @@
strimzi-test-container
test
+
+ com.github.dasniko
+ testcontainers-keycloak
+ test
+
io.zonky.test
embedded-postgres
diff --git a/app/src/test/java/io/apicurio/registry/auth/AuthTestAnonymousCredentials.java b/app/src/test/java/io/apicurio/registry/auth/AuthTestAnonymousCredentials.java
index 7a4db92952..75301f982f 100644
--- a/app/src/test/java/io/apicurio/registry/auth/AuthTestAnonymousCredentials.java
+++ b/app/src/test/java/io/apicurio/registry/auth/AuthTestAnonymousCredentials.java
@@ -9,13 +9,14 @@
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfileAnonymousCredentials;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.junit.TestProfile;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
@@ -33,10 +34,15 @@ public class AuthTestAnonymousCredentials extends AbstractResourceTestBase {
final String groupId = getClass().getSimpleName() + "Group";
+ @BeforeEach
+ protected void beforeEach() throws Exception {
+ setupRestAssured();
+ }
+
@Test
public void testWrongCreds() throws Exception {
- var adapter = new VertXRequestAdapter(
- buildOIDCWebClient(vertx, authServerUrl, JWKSMockServer.WRONG_CREDS_CLIENT_ID, "test55"));
+ var adapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrl,
+ KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test55"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
@@ -44,7 +50,7 @@ public void testWrongCreds() throws Exception {
client.groups().byGroupId(groupId).artifacts().get();
});
- assertTrue(exception.getMessage().contains("Unauthorized"));
+ assertTrue(exception.getMessage().contains("unauthorized"));
}
@Test
diff --git a/app/src/test/java/io/apicurio/registry/auth/AuthTestAuthenticatedReadAccess.java b/app/src/test/java/io/apicurio/registry/auth/AuthTestAuthenticatedReadAccess.java
index ca6d52e50e..18943957ce 100644
--- a/app/src/test/java/io/apicurio/registry/auth/AuthTestAuthenticatedReadAccess.java
+++ b/app/src/test/java/io/apicurio/registry/auth/AuthTestAuthenticatedReadAccess.java
@@ -9,7 +9,7 @@
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfileAuthenticatedReadAccess;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
@@ -34,7 +34,7 @@ public class AuthTestAuthenticatedReadAccess extends AbstractResourceTestBase {
@Override
protected RegistryClient createRestClientV3(Vertx vertx) {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx, authServerUrl,
- JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
return new RegistryClient(adapter);
}
@@ -43,7 +43,7 @@ protected RegistryClient createRestClientV3(Vertx vertx) {
public void testReadOperationWithNoRole() throws Exception {
// Read-only operation should work with credentials but no role.
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx, authServerUrl,
- JWKSMockServer.NO_ROLE_CLIENT_ID, "test1"));
+ KeycloakTestContainerManager.NO_ROLE_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
var results = client.search().artifacts().get(config -> config.queryParameters.groupId = groupId);
diff --git a/app/src/test/java/io/apicurio/registry/auth/AuthTestLocalRoles.java b/app/src/test/java/io/apicurio/registry/auth/AuthTestLocalRoles.java
index 1bc323dace..78d4d9897a 100644
--- a/app/src/test/java/io/apicurio/registry/auth/AuthTestLocalRoles.java
+++ b/app/src/test/java/io/apicurio/registry/auth/AuthTestLocalRoles.java
@@ -16,7 +16,7 @@
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfileWithLocalRoles;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
@@ -49,8 +49,8 @@ public class AuthTestLocalRoles extends AbstractResourceTestBase {
@Override
protected RegistryClient createRestClientV3(Vertx vertx) {
- var adapter = new VertXRequestAdapter(
- buildOIDCWebClient(vertx, authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ var adapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrlConfigured,
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
return new RegistryClient(adapter);
}
@@ -68,12 +68,12 @@ protected RegistryClient createRestClientV3(Vertx vertx) {
@Test
public void testLocalRoles() throws Exception {
var adapterAdmin = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapterAdmin.setBaseUrl(registryV3ApiUrl);
RegistryClient clientAdmin = new RegistryClient(adapterAdmin);
var adapterAuth = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.NO_ROLE_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.NO_ROLE_CLIENT_ID, "test1"));
adapterAuth.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapterAuth);
@@ -95,7 +95,7 @@ public void testLocalRoles() throws Exception {
// Now let's grant read-only access to the user.
var roMapping = new RoleMapping();
- roMapping.setPrincipalId(JWKSMockServer.NO_ROLE_CLIENT_ID);
+ roMapping.setPrincipalId(KeycloakTestContainerManager.NO_ROLE_CLIENT_ID);
roMapping.setRole(RoleType.READ_ONLY);
clientAdmin.admin().roleMappings().post(roMapping);
@@ -116,7 +116,8 @@ public void testLocalRoles() throws Exception {
var devMapping = new UpdateRole();
devMapping.setRole(RoleType.DEVELOPER);
- clientAdmin.admin().roleMappings().byPrincipalId(JWKSMockServer.NO_ROLE_CLIENT_ID).put(devMapping);
+ clientAdmin.admin().roleMappings().byPrincipalId(KeycloakTestContainerManager.NO_ROLE_CLIENT_ID)
+ .put(devMapping);
// Now the user can read and write but not admin
client.groups().byGroupId(GroupId.DEFAULT.getRawGroupIdWithDefaultString()).artifacts().get();
@@ -132,7 +133,8 @@ public void testLocalRoles() throws Exception {
var adminMapping = new UpdateRole();
adminMapping.setRole(RoleType.ADMIN);
- clientAdmin.admin().roleMappings().byPrincipalId(JWKSMockServer.NO_ROLE_CLIENT_ID).put(adminMapping);
+ clientAdmin.admin().roleMappings().byPrincipalId(KeycloakTestContainerManager.NO_ROLE_CLIENT_ID)
+ .put(adminMapping);
// Now the user can do everything
client.groups().byGroupId(GroupId.DEFAULT.getRawGroupIdWithDefaultString()).artifacts().get();
@@ -140,7 +142,8 @@ public void testLocalRoles() throws Exception {
client.admin().rules().post(createRule);
// Now delete the role mapping
- clientAdmin.admin().roleMappings().byPrincipalId(JWKSMockServer.NO_ROLE_CLIENT_ID).delete();
+ clientAdmin.admin().roleMappings().byPrincipalId(KeycloakTestContainerManager.NO_ROLE_CLIENT_ID)
+ .delete();
}
}
diff --git a/app/src/test/java/io/apicurio/registry/auth/AuthTestNoRoles.java b/app/src/test/java/io/apicurio/registry/auth/AuthTestNoRoles.java
index c37702ba02..16ab2f4575 100644
--- a/app/src/test/java/io/apicurio/registry/auth/AuthTestNoRoles.java
+++ b/app/src/test/java/io/apicurio/registry/auth/AuthTestNoRoles.java
@@ -15,7 +15,7 @@
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfile;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
@@ -43,7 +43,7 @@ public class AuthTestNoRoles extends AbstractResourceTestBase {
@Override
protected RegistryClient createRestClientV3(Vertx vertx) {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
return new RegistryClient(adapter);
}
@@ -51,19 +51,19 @@ protected RegistryClient createRestClientV3(Vertx vertx) {
@Test
public void testWrongCreds() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.WRONG_CREDS_CLIENT_ID, "test55"));
+ authServerUrlConfigured, KeycloakTestContainerManager.WRONG_CREDS_CLIENT_ID, "test55"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
var exception = Assertions.assertThrows(Exception.class, () -> {
client.groups().byGroupId(groupId).artifacts().get();
});
- assertTrue(exception.getMessage().contains("Unauthorized"));
+ assertTrue(exception.getMessage().contains("unauthorized"));
}
@Test
public void testAdminRole() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
diff --git a/app/src/test/java/io/apicurio/registry/auth/AuthTestProfileBasicClientCredentials.java b/app/src/test/java/io/apicurio/registry/auth/AuthTestProfileBasicClientCredentials.java
index f035caf0cf..3c2b9689c3 100644
--- a/app/src/test/java/io/apicurio/registry/auth/AuthTestProfileBasicClientCredentials.java
+++ b/app/src/test/java/io/apicurio/registry/auth/AuthTestProfileBasicClientCredentials.java
@@ -14,7 +14,7 @@
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfile;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
@@ -42,16 +42,16 @@ public class AuthTestProfileBasicClientCredentials extends AbstractResourceTestB
@Override
protected RegistryClient createRestClientV3(Vertx vertx) {
- var adapter = new VertXRequestAdapter(
- buildOIDCWebClient(vertx, authServerUrl, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ var adapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrl,
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
return new RegistryClient(adapter);
}
@Test
public void testWrongCreds() throws Exception {
- var adapter = new VertXRequestAdapter(
- buildSimpleAuthWebClient(vertx, JWKSMockServer.WRONG_CREDS_CLIENT_ID, "test55"));
+ var adapter = new VertXRequestAdapter(buildSimpleAuthWebClient(vertx,
+ KeycloakTestContainerManager.WRONG_CREDS_CLIENT_ID, "test55"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
var exception = Assertions.assertThrows(Exception.class, () -> {
@@ -63,7 +63,7 @@ public void testWrongCreds() throws Exception {
@Test
public void testBasicAuthClientCredentials() throws Exception {
var adapter = new VertXRequestAdapter(
- buildSimpleAuthWebClient(vertx, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ buildSimpleAuthWebClient(vertx, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
diff --git a/app/src/test/java/io/apicurio/registry/auth/HeaderRoleSourceTest.java b/app/src/test/java/io/apicurio/registry/auth/HeaderRoleSourceTest.java
index 37b35dc2d3..5cfcf747a8 100644
--- a/app/src/test/java/io/apicurio/registry/auth/HeaderRoleSourceTest.java
+++ b/app/src/test/java/io/apicurio/registry/auth/HeaderRoleSourceTest.java
@@ -11,7 +11,7 @@
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfileWithHeaderRoles;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
@@ -41,8 +41,8 @@ public class HeaderRoleSourceTest extends AbstractResourceTestBase {
@Override
protected RegistryClient createRestClientV3(Vertx vertx) {
- var adapter = new VertXRequestAdapter(
- buildOIDCWebClient(vertx, authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ var adapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrlConfigured,
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
return new RegistryClient(adapter);
}
@@ -57,22 +57,22 @@ public void testLocalRoles() throws Exception {
rule.setRuleType(io.apicurio.registry.rest.client.models.RuleType.VALIDITY);
var noRoleAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.NO_ROLE_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.NO_ROLE_CLIENT_ID, "test1"));
noRoleAdapter.setBaseUrl(registryV3ApiUrl);
var noRoleClient = new RegistryClient(noRoleAdapter);
var readAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.READONLY_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.READONLY_CLIENT_ID, "test1"));
readAdapter.setBaseUrl(registryV3ApiUrl);
var readClient = new RegistryClient(readAdapter);
var devAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
devAdapter.setBaseUrl(registryV3ApiUrl);
var devClient = new RegistryClient(devAdapter);
var adminAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adminAdapter.setBaseUrl(registryV3ApiUrl);
var adminClient = new RegistryClient(adminAdapter);
diff --git a/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java b/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java
index 5a9c837156..5fc2da5911 100644
--- a/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java
+++ b/app/src/test/java/io/apicurio/registry/auth/MojoAuthTest.java
@@ -7,7 +7,7 @@
import io.apicurio.registry.rest.client.RegistryClient;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfile;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
@@ -36,15 +36,15 @@ public class MojoAuthTest extends RegistryMojoTestBase {
String clientSecret = "test1";
- String clientScope = "testScope";
+ String clientScope = "openid";
- String testUsername = "sr-test-user";
- String testPassword = "sr-test-password";
+ String testUsername = "developer-client";
+ String testPassword = clientSecret;
@Override
protected RegistryClient createRestClientV3(Vertx vertx) {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
return new RegistryClient(adapter);
}
@@ -56,7 +56,7 @@ public void testRegister() throws IOException, MojoFailureException, MojoExecuti
RegisterRegistryMojo registerRegistryMojo = new RegisterRegistryMojo();
registerRegistryMojo.setRegistryUrl(TestUtils.getRegistryV3ApiUrl(testPort));
registerRegistryMojo.setAuthServerUrl(authServerUrlConfigured);
- registerRegistryMojo.setClientId(JWKSMockServer.ADMIN_CLIENT_ID);
+ registerRegistryMojo.setClientId(KeycloakTestContainerManager.ADMIN_CLIENT_ID);
registerRegistryMojo.setClientSecret(clientSecret);
registerRegistryMojo.setClientScope(clientScope);
diff --git a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
index f20a071926..cdc80bf281 100644
--- a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
+++ b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
@@ -11,7 +11,7 @@
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.ApicurioTestTags;
import io.apicurio.registry.utils.tests.AuthTestProfile;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.kiota.http.vertx.VertXRequestAdapter;
import io.quarkus.test.junit.QuarkusTest;
@@ -24,6 +24,7 @@
import java.util.UUID;
+import static io.apicurio.registry.client.auth.VertXAuthFactory.buildOIDCWebClient;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -44,8 +45,10 @@ public class SimpleAuthTest extends AbstractResourceTestBase {
@Override
protected RegistryClient createRestClientV3(Vertx vertx) {
- var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ var auth = buildOIDCWebClient(vertx, authServerUrlConfigured,
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1");
+
+ var adapter = new VertXRequestAdapter(auth);
adapter.setBaseUrl(registryV3ApiUrl);
return new RegistryClient(adapter);
}
@@ -73,13 +76,13 @@ protected void assertArtifactNotFound(Exception exception) {
@Test
public void testWrongCreds() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.WRONG_CREDS_CLIENT_ID, "test55"));
+ authServerUrlConfigured, KeycloakTestContainerManager.WRONG_CREDS_CLIENT_ID, "test55"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
var exception = Assertions.assertThrows(Exception.class, () -> {
client.groups().byGroupId(groupId).artifacts().get();
});
- assertTrue(exception.getMessage().contains("Unauthorized"));
+ assertTrue(exception.getMessage().contains("unauthorized"));
}
@Test
@@ -95,7 +98,7 @@ public void testNoCreds() throws Exception {
@Test
public void testReadOnly() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.READONLY_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.READONLY_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -119,7 +122,7 @@ public void testReadOnly() throws Exception {
});
var devAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
devAdapter.setBaseUrl(registryV3ApiUrl);
RegistryClient devClient = new RegistryClient(devAdapter);
@@ -143,7 +146,7 @@ public void testReadOnly() throws Exception {
@Test
public void testDevRole() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -182,7 +185,7 @@ public void testDevRole() throws Exception {
@Test
public void testAdminRole() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -202,8 +205,6 @@ public void testAdminRole() throws Exception {
createRule.setConfig(ValidityLevel.NONE.name());
client.groups().byGroupId(groupId).artifacts().byArtifactId(artifactId).rules().post(createRule);
- client.admin().rules().post(createRule);
-
UserInfo userInfo = client.users().me().get();
assertNotNull(userInfo);
Assertions.assertEquals("admin-client", userInfo.getUsername());
@@ -218,7 +219,7 @@ public void testAdminRole() throws Exception {
@Test
public void testAdminRoleBasicAuth() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildSimpleAuthWebClient(vertx,
- JWKSMockServer.BASIC_USER, JWKSMockServer.BASIC_PASSWORD));
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -247,7 +248,7 @@ public void testAdminRoleBasicAuth() throws Exception {
@Test
public void testAdminRoleBasicAuthWrongCreds() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildSimpleAuthWebClient(vertx,
- JWKSMockServer.WRONG_CREDS_CLIENT_ID, UUID.randomUUID().toString()));
+ KeycloakTestContainerManager.WRONG_CREDS_CLIENT_ID, UUID.randomUUID().toString()));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -266,12 +267,12 @@ public void testAdminRoleBasicAuthWrongCreds() throws Exception {
@Test
public void testOwnerOnlyAuthorization() throws Exception {
var devAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
devAdapter.setBaseUrl(registryV3ApiUrl);
RegistryClient clientDev = new RegistryClient(devAdapter);
var adminAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adminAdapter.setBaseUrl(registryV3ApiUrl);
RegistryClient clientAdmin = new RegistryClient(adminAdapter);
@@ -319,7 +320,7 @@ public void testOwnerOnlyAuthorization() throws Exception {
@Test
public void testGetArtifactOwner() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
@@ -348,7 +349,7 @@ public void testGetArtifactOwner() throws Exception {
@Test
public void testUpdateArtifactOwner() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter.setBaseUrl(registryV3ApiUrl);
RegistryClient client = new RegistryClient(adapter);
@@ -392,11 +393,11 @@ public void testUpdateArtifactOwner() throws Exception {
@Test
public void testUpdateArtifactOwnerOnlyByOwner() throws Exception {
var adapter_dev1 = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter_dev1.setBaseUrl(registryV3ApiUrl);
RegistryClient client_dev1 = new RegistryClient(adapter_dev1);
var adapter_dev2 = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_2_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_2_CLIENT_ID, "test2"));
adapter_dev2.setBaseUrl(registryV3ApiUrl);
RegistryClient client_dev2 = new RegistryClient(adapter_dev2);
diff --git a/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java b/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java
index 483b0a5285..9a9ea28479 100644
--- a/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java
+++ b/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java
@@ -605,7 +605,8 @@ public Response artifactPostRequest(String artifactId, String contentType, Strin
protected void assertNotAuthorized(Exception exception) {
assertNotNull(exception);
Assertions.assertEquals(RuntimeException.class, exception.getClass());
- Assertions.assertTrue(exception.getMessage().contains("unauthorized_client: Invalid client secret"));
+ Assertions.assertTrue(exception.getMessage()
+ .contains("unauthorized_client: Invalid client or Invalid client credentials"));
}
protected void assertForbidden(Exception exception) {
diff --git a/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java b/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java
index 7342f76b29..7976a4dbce 100644
--- a/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java
+++ b/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java
@@ -8,7 +8,7 @@
import io.apicurio.registry.types.ArtifactType;
import io.apicurio.registry.types.ContentTypes;
import io.apicurio.registry.utils.tests.AuthTestProfile;
-import io.apicurio.registry.utils.tests.JWKSMockServer;
+import io.apicurio.registry.utils.tests.KeycloakTestContainerManager;
import io.apicurio.registry.utils.tests.TestUtils;
import io.apicurio.tests.ApicurioRegistryBaseIT;
import io.apicurio.tests.utils.Constants;
@@ -45,8 +45,8 @@ public class SimpleAuthIT extends ApicurioRegistryBaseIT {
@Override
protected RegistryClient createRegistryClient(Vertx vertx) {
- var auth = buildOIDCWebClient(vertx, authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID,
- "test1");
+ var auth = buildOIDCWebClient(vertx, authServerUrlConfigured,
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1");
return createClient(auth);
}
@@ -58,8 +58,8 @@ private RegistryClient createClient(WebClient auth) {
@Test
public void testWrongCreds() throws Exception {
- var auth = buildOIDCWebClient(vertx, authServerUrlConfigured, JWKSMockServer.WRONG_CREDS_CLIENT_ID,
- "test55");
+ var auth = buildOIDCWebClient(vertx, authServerUrlConfigured,
+ KeycloakTestContainerManager.WRONG_CREDS_CLIENT_ID, "test55");
RegistryClient client = createClient(auth);
var exception = Assertions.assertThrows(Exception.class, () -> {
client.groups().byGroupId("foo").artifacts().get();
@@ -70,7 +70,7 @@ public void testWrongCreds() throws Exception {
@Test
public void testReadOnly() throws Exception {
var adapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrlConfigured,
- JWKSMockServer.READONLY_CLIENT_ID, "test1"));
+ KeycloakTestContainerManager.READONLY_CLIENT_ID, "test1"));
adapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -90,7 +90,7 @@ public void testReadOnly() throws Exception {
assertForbidden(exception3);
var devAdapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrlConfigured,
- JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
devAdapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient devClient = new RegistryClient(devAdapter);
@@ -113,7 +113,7 @@ public void testReadOnly() throws Exception {
@Test
public void testDevRole() throws Exception {
var adapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrlConfigured,
- JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -152,8 +152,8 @@ public void testDevRole() throws Exception {
@Test
public void testAdminRole() throws Exception {
- var adapter = new VertXRequestAdapter(
- buildOIDCWebClient(vertx, authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ var adapter = new VertXRequestAdapter(buildOIDCWebClient(vertx, authServerUrlConfigured,
+ KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient client = new RegistryClient(adapter);
String artifactId = TestUtils.generateArtifactId();
@@ -190,12 +190,12 @@ public void testAdminRole() throws Exception {
@Test
public void testOwnerOnlyAuthorization() throws Exception {
var devAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
devAdapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient clientDev = new RegistryClient(devAdapter);
var adminAdapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.ADMIN_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.ADMIN_CLIENT_ID, "test1"));
adminAdapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient clientAdmin = new RegistryClient(adminAdapter);
@@ -243,7 +243,7 @@ public void testOwnerOnlyAuthorization() throws Exception {
@Test
public void testGetArtifactOwner() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient client = new RegistryClient(adapter);
@@ -272,7 +272,7 @@ public void testGetArtifactOwner() throws Exception {
@Test
public void testUpdateArtifactOwner() throws Exception {
var adapter = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient client = new RegistryClient(adapter);
@@ -316,11 +316,11 @@ public void testUpdateArtifactOwner() throws Exception {
@Test
public void testUpdateArtifactOwnerOnlyByOwner() throws Exception {
var adapter_dev1 = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_CLIENT_ID, "test1"));
adapter_dev1.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient client_dev1 = new RegistryClient(adapter_dev1);
var adapter_dev2 = new VertXRequestAdapter(VertXAuthFactory.buildOIDCWebClient(vertx,
- authServerUrlConfigured, JWKSMockServer.DEVELOPER_2_CLIENT_ID, "test1"));
+ authServerUrlConfigured, KeycloakTestContainerManager.DEVELOPER_2_CLIENT_ID, "test2"));
adapter_dev2.setBaseUrl(getRegistryV3ApiUrl());
RegistryClient client_dev2 = new RegistryClient(adapter_dev2);
diff --git a/integration-tests/src/test/resources/infra/auth/keycloak.yml b/integration-tests/src/test/resources/infra/auth/keycloak.yml
index d793a192b1..07b7fe5924 100644
--- a/integration-tests/src/test/resources/infra/auth/keycloak.yml
+++ b/integration-tests/src/test/resources/infra/auth/keycloak.yml
@@ -527,31 +527,31 @@ data:
"groups": []
},
{
- "id": "0f1d31e8-a358-4f05-90cc-3374453b7088",
- "createdTimestamp": 1608543288931,
- "username": "service-account-wrong-client",
- "enabled": true,
- "totp": false,
- "emailVerified": false,
- "serviceAccountClientId": "wrong-client",
- "disableableCredentialTypes": [],
- "requiredActions": [],
- "realmRoles": [
- "offline_access",
- "uma_authorization",
- "sr-developer",
- "User"
- ],
- "clientRoles": {
- "account": [
- "view-applications",
- "view-profile",
- "manage-account"
- ]
- },
- "notBefore": 0,
- "groups": []
- },
+ "id": "0f1d31e8-a358-4f05-90cc-3374453b7088",
+ "createdTimestamp": 1608543288931,
+ "username": "service-account-wrong-client",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "wrong-client",
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "offline_access",
+ "uma_authorization",
+ "sr-developer",
+ "User"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-applications",
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ },
{
"id": "06fec980-2e11-4c7f-a8fb-3d285f30b0b0",
"createdTimestamp": 1608543552621,
@@ -1084,124 +1084,358 @@ data:
]
},
{
- "id": "af889034-77c2-41le-a368-67d5789f4b87",
- "clientId": "wrong-client",
- "rootUrl": "",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "test1",
- "redirectUris": [
- "*"
- ],
- "webOrigins": [
- "*"
- ],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": true,
- "directAccessGrantsEnabled": true,
- "serviceAccountsEnabled": true,
- "publicClient": false,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {
- "saml.force.post.binding": "false",
- "saml.multivalued.roles": "false",
- "frontchannel.logout.session.required": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false",
- "saml.server.signature.keyinfo.ext": "false",
- "use.refresh.tokens": "true",
- "oidc.ciba.grant.enabled": "false",
- "backchannel.logout.session.required": "false",
- "client_credentials.use_refresh_token": "false",
- "require.pushed.authorization.requests": "false",
- "saml.client.signature": "false",
- "saml.allow.ecp.flow": "false",
- "id.token.as.detached.signature": "false",
- "saml.assertion.signature": "false",
- "saml.encrypt": "false",
- "login_theme": "keycloak",
- "saml.server.signature": "false",
- "exclude.session.state.from.auth.response": "false",
- "saml.artifact.binding": "false",
- "saml_force_name_id_format": "false",
- "acr.loa.map": "{}",
- "tls.client.certificate.bound.access.tokens": "false",
- "saml.authnstatement": "false",
- "display.on.consent.screen": "false",
- "token.response.type.bearer.lower-case": "false",
- "saml.onetimeuse.condition": "false"
- },
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": true,
- "nodeReRegistrationTimeout": -1,
- "protocolMappers": [
- {
- "id": "ytb67b03-0yyd-432c-a329-0a04363e974a",
- "name": "Client ID",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientId",
- "userinfo.token.claim": "true",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientId",
- "jsonType.label": "String"
- }
- },
- {
- "id": "4c29a235-d731-4b5b-84fe-d9cf9f6b7ba1",
- "name": "Client IP Address",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientAddress",
- "userinfo.token.claim": "true",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientAddress",
- "jsonType.label": "String"
- }
- },
- {
- "id": "d2bda3a3-e2cc-498e-838e-60a7840hhod5",
- "name": "Client Host",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientHost",
- "userinfo.token.claim": "true",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientHost",
- "jsonType.label": "String"
- }
- }
- ],
- "defaultClientScopes": [
- "web-origins",
- "roles",
- "profile",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
+ "id": "af779833-76c2-41ae-a368-67d5789f4b87",
+ "clientId": "developer-2-client",
+ "rootUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test2",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "aeb67a03-0bbd-432c-a329-0a04363e974a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7c28a433-d724-4b5b-86fe-d9cf9f6b7ba1",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bda474-e2cc-498e-838e-60a7840ccad9",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "af669833-76c2-41ae-a368-67d5789f4b87",
+ "clientId": "no-role-client",
+ "rootUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "aeb67c03-0bbd-432c-a329-0a04363e974a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7c27a433-d724-4b5b-86fe-d9cf9f6b7ba1",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bda374-e2cc-498e-838e-60a7840ccad9",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "af774034-77c2-41le-a368-67d5789f4b87",
+ "clientId": "wrong-client",
+ "rootUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "ytb67b03-0yyi-432c-a329-0a04363e974a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "4c29a234-d731-4b5b-84fe-d9cf9f6b7ba1",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bda9a3-e2cc-498e-838e-60a7840hhod5",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
{
- "id": "57e89899-9c1a-498d-96fd-c9bcbd3f3121",
+ "id": "57e9899-9c1a-498d-96fd-c9bcbd3f3121",
"clientId": "readonly-client",
"surrogateAuthRequired": false,
"enabled": true,
diff --git a/pom.xml b/pom.xml
index 616595788f..3d034a576e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -275,8 +275,7 @@
1.20.2
- 1.9.0
- 21.1.2
+ 3.4.0
2.0.7
0.105.0
2.35.2
@@ -824,11 +823,6 @@
testcontainers-keycloak
${keycloak.testcontainers.version}
-
- org.keycloak
- keycloak-admin-client-jakarta
- ${keycloak-admin-client.version}
-
com.github.tomakehurst
wiremock-jre8
diff --git a/utils/tests/pom.xml b/utils/tests/pom.xml
index f9c74f5089..110451a325 100644
--- a/utils/tests/pom.xml
+++ b/utils/tests/pom.xml
@@ -63,22 +63,14 @@
- com.github.dasniko
- testcontainers-keycloak
- provided
-
-
-
-
- org.keycloak
- keycloak-admin-client-jakarta
+ io.zonky.test
+ embedded-postgres
provided
- io.zonky.test
- embedded-postgres
- provided
+ com.github.dasniko
+ testcontainers-keycloak
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfile.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfile.java
index c5969c7cee..dea7a4752e 100644
--- a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfile.java
+++ b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfile.java
@@ -15,14 +15,13 @@ public Map getConfigOverrides() {
props.put("apicurio.rest.deletion.group.enabled", "true");
props.put("apicurio.rest.deletion.artifact.enabled", "true");
props.put("apicurio.rest.deletion.artifact-version.enabled", "true");
- props.put("smallrye.jwt.sign.key.location", "privateKey.jwk");
return props;
}
@Override
public List testResources() {
if (!Boolean.parseBoolean(System.getProperty("cluster.tests"))) {
- return List.of(new TestResourceEntry(JWKSMockServer.class));
+ return List.of(new TestResourceEntry(KeycloakTestContainerManager.class));
} else {
return Collections.emptyList();
}
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAnonymousCredentials.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAnonymousCredentials.java
index f56cc98543..9148a91619 100644
--- a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAnonymousCredentials.java
+++ b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAnonymousCredentials.java
@@ -10,12 +10,11 @@ public class AuthTestProfileAnonymousCredentials implements QuarkusTestProfile {
@Override
public Map getConfigOverrides() {
- return Map.of("apicurio.auth.anonymous-read-access.enabled", "true", "smallrye.jwt.sign.key.location",
- "privateKey.jwk");
+ return Map.of("apicurio.auth.anonymous-read-access.enabled", "true");
}
@Override
public List testResources() {
- return Collections.singletonList(new TestResourceEntry(JWKSMockServer.class));
+ return Collections.singletonList(new TestResourceEntry(KeycloakTestContainerManager.class));
}
}
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAuthenticatedReadAccess.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAuthenticatedReadAccess.java
index 7922d7306e..cc9f21b74f 100644
--- a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAuthenticatedReadAccess.java
+++ b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileAuthenticatedReadAccess.java
@@ -10,12 +10,11 @@ public class AuthTestProfileAuthenticatedReadAccess implements QuarkusTestProfil
@Override
public Map getConfigOverrides() {
- return Map.of("apicurio.auth.authenticated-read-access.enabled", "true",
- "smallrye.jwt.sign.key.location", "privateKey.jwk");
+ return Map.of("apicurio.auth.authenticated-read-access.enabled", "true");
}
@Override
public List testResources() {
- return Collections.singletonList(new TestResourceEntry(JWKSMockServer.class));
+ return Collections.singletonList(new TestResourceEntry(KeycloakTestContainerManager.class));
}
}
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithHeaderRoles.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithHeaderRoles.java
index 86c30f6d9b..9e948b605e 100644
--- a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithHeaderRoles.java
+++ b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithHeaderRoles.java
@@ -10,12 +10,12 @@ public class AuthTestProfileWithHeaderRoles implements QuarkusTestProfile {
@Override
public Map getConfigOverrides() {
- return Map.of("smallrye.jwt.sign.key.location", "privateKey.jwk", "apicurio.auth.role-source",
- "header");
+ return Map.of("apicurio.auth.role-source", "header");
}
@Override
public List testResources() {
- return Collections.singletonList(new QuarkusTestProfile.TestResourceEntry(JWKSMockServer.class));
+ return Collections
+ .singletonList(new QuarkusTestProfile.TestResourceEntry(KeycloakTestContainerManager.class));
}
}
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithLocalRoles.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithLocalRoles.java
index 7f0b95b597..d3985ed4df 100644
--- a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithLocalRoles.java
+++ b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/AuthTestProfileWithLocalRoles.java
@@ -10,12 +10,11 @@ public class AuthTestProfileWithLocalRoles implements QuarkusTestProfile {
@Override
public Map getConfigOverrides() {
- return Map.of("smallrye.jwt.sign.key.location", "privateKey.jwk", "apicurio.auth.role-source",
- "application");
+ return Map.of("apicurio.auth.role-source", "application");
}
@Override
public List testResources() {
- return Collections.singletonList(new TestResourceEntry(JWKSMockServer.class));
+ return Collections.singletonList(new TestResourceEntry(KeycloakTestContainerManager.class));
}
}
\ No newline at end of file
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/JWKSMockServer.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/JWKSMockServer.java
deleted file mode 100644
index f3aa435ab8..0000000000
--- a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/JWKSMockServer.java
+++ /dev/null
@@ -1,230 +0,0 @@
-package io.apicurio.registry.utils.tests;
-
-import com.github.tomakehurst.wiremock.WireMockServer;
-import com.github.tomakehurst.wiremock.client.ResponseDefinitionBuilder;
-import com.github.tomakehurst.wiremock.client.WireMock;
-import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
-import io.smallrye.jwt.build.Jwt;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
-import java.util.Map;
-
-import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
-import static com.github.tomakehurst.wiremock.client.WireMock.get;
-import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
-import static com.github.tomakehurst.wiremock.client.WireMock.urlMatching;
-import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
-import static io.vertx.ext.auth.impl.Codec.base64Encode;
-
-public class JWKSMockServer implements QuarkusTestResourceLifecycleManager {
-
- static final Logger LOGGER = LoggerFactory.getLogger(JWKSMockServer.class);
-
- private WireMockServer server;
-
- public String authServerUrl;
- public String realm = "registry";
- public String tokenEndpoint;
-
- public static String ADMIN_CLIENT_ID = "admin-client";
- public static String DEVELOPER_CLIENT_ID = "developer-client";
- public static String DEVELOPER_2_CLIENT_ID = "developer-2-client";
- public static String READONLY_CLIENT_ID = "readonly-client";
-
- public static String NO_ROLE_CLIENT_ID = "no-role-client";
- public static String WRONG_CREDS_CLIENT_ID = "wrong-client";
-
- public static String BASIC_USER = "sr-test-user";
- public static String BASIC_PASSWORD = "sr-test-password";
-
- public static String BASIC_USER_A = "sr-test-user-a";
- public static String BASIC_USER_B = "sr-test-user-b";
-
- @Override
- public Map start() {
-
- server = new WireMockServer(wireMockConfig().dynamicPort());
- server.start();
-
- server.stubFor(get(urlMatching("/auth/realms/" + realm + "/.well-known/uma2-configuration"))
- .willReturn(wellKnownResponse()));
- server.stubFor(get(urlMatching("/auth/realms/" + realm + "/.well-known/openid-configuration"))
- .willReturn(wellKnownResponse()));
-
- server.stubFor(get(urlEqualTo("/auth/realms/" + realm + "/protocol/openid-connect/certs")).willReturn(
- aResponse().withHeader("Content-Type", "application/json").withBody("{\n" + " \"keys\" : [\n"
- + " {\n" + " \"kid\": \"1\",\n" + " \"kty\":\"RSA\",\n"
- + " \"n\":\"iJw33l1eVAsGoRlSyo-FCimeOc-AaZbzQ2iESA3Nkuo3TFb1zIkmt0kzlnWVGt48dkaIl13Vdefh9hqw_r9yNF8xZqX1fp0PnCWc5M_TX_ht5fm9y0TpbiVmsjeRMWZn4jr3DsFouxQ9aBXUJiu26V0vd2vrECeeAreFT4mtoHY13D2WVeJvboc5mEJcp50JNhxRCJ5UkY8jR_wfUk2Tzz4-fAj5xQaBccXnqJMu_1C6MjoCEiB7G1d13bVPReIeAGRKVJIF6ogoCN8JbrOhc_48lT4uyjbgnd24beatuKWodmWYhactFobRGYo5551cgMe8BoxpVQ4to30cGA0qjQ\",\n"
- + " \"e\":\"AQAB\"\n" + " }\n" + " ]\n" + "}")));
-
- // Admin user stub
- stubForClient(ADMIN_CLIENT_ID);
- // Stub for clients with credentials as header
- stubForClient(ADMIN_CLIENT_ID, "test1");
- // Developer user stub
- stubForClient(DEVELOPER_CLIENT_ID, "test1");
- stubForClient(DEVELOPER_2_CLIENT_ID, "test1");
- stubForClient(DEVELOPER_CLIENT_ID, "test1");
- stubForClient(DEVELOPER_2_CLIENT_ID, "test1");
- // Read only user stub
- stubForClient(READONLY_CLIENT_ID, "test1");
- stubForClient(READONLY_CLIENT_ID, "test1");
-
- // Token without roles stub
- stubForClient(NO_ROLE_CLIENT_ID, "test1");
- stubForClient(NO_ROLE_CLIENT_ID, "test1");
-
- stubForClient(BASIC_USER, BASIC_PASSWORD);
- stubForBasicUser(BASIC_USER, BASIC_PASSWORD);
- stubForBasicUser(BASIC_USER_A, BASIC_PASSWORD);
- stubForBasicUser(BASIC_USER_B, BASIC_PASSWORD);
- stubForClientWithWrongCreds(WRONG_CREDS_CLIENT_ID, "test55");
-
- this.authServerUrl = server.baseUrl() + "/auth" + "/realms/" + realm;
- LOGGER.info("Keycloak started in mock mode: {}", authServerUrl);
- this.tokenEndpoint = server.baseUrl() + "/auth" + "/realms/" + realm
- + "/protocol/openid-connect/token/";
-
- Map props = new HashMap<>();
-
- // Set registry properties
- props.put("quarkus.oidc.auth-server-url", authServerUrl);
- props.put("quarkus.oidc.token-path", tokenEndpoint);
- props.put("quarkus.oidc.tenant-enabled", "true");
- props.put("apicurio.auth.role-based-authorization", "true");
- props.put("apicurio.auth.owner-only-authorization", "true");
- props.put("apicurio.auth.admin-override.enabled", "true");
- props.put("apicurio.authn.basic-client-credentials.enabled", "true");
-
- return props;
- }
-
- private ResponseDefinitionBuilder wellKnownResponse() {
- return aResponse().withHeader("Content-Type", "application/json")
- .withBody("{\n" + " \"jwks_uri\": \"" + server.baseUrl() + "/auth/realms/" + realm
- + "/protocol/openid-connect/certs\",\n" + " \"token_endpoint\": \"" + server.baseUrl()
- + "/auth/realms/" + realm + "/protocol/openid-connect/token/\" " + "}");
- }
-
- private String generateJwtToken(String userName, String orgId) {
- var b = Jwt.preferredUserName(userName);
-
- if (userName.equals(ADMIN_CLIENT_ID)) {
- b.claim("groups", "sr-admin");
- } else if (userName.equals(DEVELOPER_CLIENT_ID)) {
- b.claim("groups", "sr-developer");
- } else if (userName.equals(DEVELOPER_2_CLIENT_ID)) {
- b.claim("groups", "sr-developer");
- } else if (userName.equals(READONLY_CLIENT_ID)) {
- b.claim("groups", "sr-readonly");
- }
-
- if (orgId != null) {
- b.claim("rh-org-id", orgId);
- }
-
- return b.jws().keyId("1").sign();
- }
-
- private void stubForBasicUser(String username, String password) {
- // TODO:carnalca this will be revisited with the auth refactor
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withRequestBody(WireMock.containing("client_id=" + username))
- .withRequestBody(WireMock.containing("client_secret=" + password))
- .willReturn(WireMock.aResponse().withHeader("Content-Type", "application/json")
- .withBody("{\n" + " \"access_token\": \"" + generateJwtToken(ADMIN_CLIENT_ID, null)
- + "\",\n" + " \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n"
- + " \"token_type\": \"bearer\"\n" + "}")));
-
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token/")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withRequestBody(WireMock.containing("client_id=" + BASIC_USER))
- .withRequestBody(WireMock.containing("client_secret=" + BASIC_PASSWORD))
- .willReturn(WireMock.aResponse().withHeader("Content-Type", "application/json")
- .withBody("{\n" + " \"access_token\": \"" + generateJwtToken(ADMIN_CLIENT_ID, null)
- + "\",\n" + " \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n"
- + " \"token_type\": \"bearer\"\n" + "}")));
- }
-
- private void stubForClient(String client) {
- // TODO:carnalca this will be revisited with the auth refactor
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withRequestBody(WireMock.containing("client_id=" + client))
- .willReturn(WireMock.aResponse().withHeader("Content-Type", "application/json")
- .withBody("{\n" + " \"access_token\": \"" + generateJwtToken(client, null) + "\",\n"
- + " \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n"
- + " \"token_type\": \"bearer\"\n" + "}")));
-
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token/")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withRequestBody(WireMock.containing("client_id=" + client))
- .willReturn(WireMock.aResponse().withHeader("Content-Type", "application/json")
- .withBody("{\n" + " \"access_token\": \"" + generateJwtToken(client, null) + "\",\n"
- + " \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n"
- + " \"token_type\": \"bearer\"\n" + "}")));
- }
-
- private void stubForClient(String client, String clientSecret) {
- // TODO:carnalca this will be revisited with the auth refactor
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token")
- .withHeader("Authorization", WireMock.containing(buildBasicAuthHeader(client, clientSecret)))
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .willReturn(WireMock.aResponse().withHeader("Content-Type", "application/json")
- .withBody("{\n" + " \"access_token\": \"" + generateJwtToken(client, null) + "\",\n"
- + " \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n"
- + " \"token_type\": \"bearer\"\n" + "}")));
-
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token/")
- .withHeader("Authorization", WireMock.containing(buildBasicAuthHeader(client, clientSecret)))
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .willReturn(WireMock.aResponse().withHeader("Content-Type", "application/json")
- .withBody("{\n" + " \"access_token\": \"" + generateJwtToken(client, null) + "\",\n"
- + " \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n"
- + " \"token_type\": \"bearer\"\n" + "}")));
- }
-
- private void stubForClientWithWrongCreds(String client, String clientSecret) {
- // TODO:carnalca this will be revisited with the auth refactor
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withHeader("Authorization", WireMock.containing(buildBasicAuthHeader(client, clientSecret)))
- .willReturn(
- WireMock.aResponse().withHeader("Content-Type", "application/json").withStatus(401)));
-
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token/")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withHeader("Authorization", WireMock.containing(buildBasicAuthHeader(client, clientSecret)))
- .willReturn(
- WireMock.aResponse().withHeader("Content-Type", "application/json").withStatus(401)));
-
- // Wrong credentials stub
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withRequestBody(WireMock.containing("client_id=" + WRONG_CREDS_CLIENT_ID)).willReturn(
- WireMock.aResponse().withHeader("Content-Type", "application/json").withStatus(401)));
-
- // Wrong credentials stub
- server.stubFor(WireMock.post("/auth/realms/" + realm + "/protocol/openid-connect/token/")
- .withRequestBody(WireMock.containing("grant_type=client_credentials"))
- .withRequestBody(WireMock.containing("client_id=" + WRONG_CREDS_CLIENT_ID)).willReturn(
- WireMock.aResponse().withHeader("Content-Type", "application/json").withStatus(401)));
- }
-
- private String buildBasicAuthHeader(String username, String password) {
- String basic = username + ":" + password;
- return "Basic " + base64Encode(basic.getBytes(StandardCharsets.UTF_8));
- }
-
- public synchronized void stop() {
- if (server != null) {
- server.stop();
- LOGGER.info("Keycloak was shut down");
- server = null;
- }
- }
-}
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/KafkasqlAuthTestProfile.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/KafkasqlAuthTestProfile.java
index 65523b4750..03178014b1 100644
--- a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/KafkasqlAuthTestProfile.java
+++ b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/KafkasqlAuthTestProfile.java
@@ -12,15 +12,14 @@ public class KafkasqlAuthTestProfile implements QuarkusTestProfile {
public Map getConfigOverrides() {
return Map.of("apicurio.storage.kind", "kafkasql", "apicurio.rest.deletion.group.enabled", "true",
"apicurio.rest.deletion.artifact.enabled", "true",
- "apicurio.rest.deletion.artifact-version.enabled", "true", "smallrye.jwt.sign.key.location",
- "privateKey.jwk");
+ "apicurio.rest.deletion.artifact-version.enabled", "true");
}
@Override
public List testResources() {
if (!Boolean.parseBoolean(System.getProperty("cluster.tests"))) {
return List.of(new TestResourceEntry(KafkaTestContainerManager.class),
- new TestResourceEntry(JWKSMockServer.class));
+ new TestResourceEntry(KeycloakTestContainerManager.class));
} else {
return Collections.emptyList();
}
diff --git a/utils/tests/src/main/java/io/apicurio/registry/utils/tests/KeycloakTestContainerManager.java b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/KeycloakTestContainerManager.java
new file mode 100644
index 0000000000..7b9d384b92
--- /dev/null
+++ b/utils/tests/src/main/java/io/apicurio/registry/utils/tests/KeycloakTestContainerManager.java
@@ -0,0 +1,59 @@
+package io.apicurio.registry.utils.tests;
+
+import dasniko.testcontainers.keycloak.KeycloakContainer;
+import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.testcontainers.containers.Network;
+import org.testcontainers.containers.wait.strategy.Wait;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class KeycloakTestContainerManager implements QuarkusTestResourceLifecycleManager {
+
+ static final Logger LOGGER = LoggerFactory.getLogger(KeycloakTestContainerManager.class);
+ private KeycloakContainer server;
+ public static String ADMIN_CLIENT_ID = "admin-client";
+ public static String DEVELOPER_CLIENT_ID = "developer-client";
+ public static String DEVELOPER_2_CLIENT_ID = "developer-2-client";
+ public static String READONLY_CLIENT_ID = "readonly-client";
+
+ public static String NO_ROLE_CLIENT_ID = "no-role-client";
+ public static String WRONG_CREDS_CLIENT_ID = "wrong-client";
+
+ @Override
+ public Map start() {
+
+ server = new KeycloakContainer().withNetwork(Network.SHARED).withRealmImportFile("/realm.json");
+ server.start();
+
+ server.waitingFor(Wait.forLogMessage(
+ ".*[org.keycloak.quarkus.runtime.KeycloakMain] (main) Running the server in development mode.*",
+ 1));
+
+ Map props = new HashMap<>();
+
+ String authUrl = server.getAuthServerUrl() + "/realms/registry";
+ String tokenUrl = authUrl + "/protocol/openid-connect/token/";
+
+ props.put("quarkus.oidc.auth-server-url", authUrl);
+ props.put("quarkus.oidc.token-path", tokenUrl);
+ props.put("quarkus.oidc.tenant-enabled", "true");
+ props.put("apicurio.auth.role-based-authorization", "true");
+ props.put("apicurio.auth.owner-only-authorization", "true");
+ props.put("apicurio.auth.admin-override.enabled", "true");
+ props.put("apicurio.authn.basic-client-credentials.enabled", "true");
+
+ return props;
+ }
+
+ @Override
+ public synchronized void stop() {
+ if (server != null) {
+ server.stop();
+ LOGGER.info("Keycloak was shut down");
+ server = null;
+ }
+ }
+}
diff --git a/utils/tests/src/main/resources/privateKey.jwk b/utils/tests/src/main/resources/privateKey.jwk
deleted file mode 100644
index fd33492b39..0000000000
--- a/utils/tests/src/main/resources/privateKey.jwk
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "kty":"RSA",
- "n":"iJw33l1eVAsGoRlSyo-FCimeOc-AaZbzQ2iESA3Nkuo3TFb1zIkmt0kzlnWVGt48dkaIl13Vdefh9hqw_r9yNF8xZqX1fp0PnCWc5M_TX_ht5fm9y0TpbiVmsjeRMWZn4jr3DsFouxQ9aBXUJiu26V0vd2vrECeeAreFT4mtoHY13D2WVeJvboc5mEJcp50JNhxRCJ5UkY8jR_wfUk2Tzz4-fAj5xQaBccXnqJMu_1C6MjoCEiB7G1d13bVPReIeAGRKVJIF6ogoCN8JbrOhc_48lT4uyjbgnd24beatuKWodmWYhactFobRGYo5551cgMe8BoxpVQ4to30cGA0qjQ",
- "e":"AQAB",
- "d":"AvIDTlsK_priQLTwEQf5IVf2Xl638Q7dHdXyDC-oAAPmv1GcqRVH7Wm5oAPW_CZQfWhV55WRVaJzP8AhksyD5NcslH79hQZT4NT6xgApGYecrvmseuZ4dfR-e1cxXTRNBxaoXvwSiv4LuOPHmC8XGX712AhOoCGKiZp1WFqqkKwTpkgJEApJFVb-XRIKQa0YaRKpJsJ534pLMwTh7LoPLM4BCaBVbRfHzH2H5L3TSJP718kyCuxg3z2p9Y7zIOLTmgFdeR0_kd_xKUFZ2ByN3SKlC0IWlLUSiMPsGYExRpZTMZHKyD939gv-2_Z-bOYfKlYNIvAmQH_8CcX2I039LQ",
- "p":"104AjPaxZoi_BiMBODlChnZOvRJT071PdkeZ283uyrdW8qqKD9q8FTMgUXzKoboHtUiHbJbLOobPmPDh93839rq7dTdCNzNVOuLmE-V3_bmaShdzvxEIazwPf6AvjbEZAc-zu2RS4SNkp1LbzgSl9nINSlF7t6Lkl6T28PYULys",
- "q":"om5ooyzxa4ZJ-dU0ODsEb-Bmz6xwb27xF9aEhBYJprHeoNs2QM1D64_A39weD9MYwBux4-ivshCJ0dVKEbDujJRLnzf-ssrasA6CFyaaCT4DKtq1oWb9rcG-2LQd5Bm9PttrUrSUNqitr085IYikaLEz7UU6gtXPoC8UOcJ4cSc",
- "dp":"DeWE95Q8oweUfMrpmz1m49LjBiUWsAX6CQJaFevWy9LFk-gZ_Sf7F8sy_M93LLUbJkJGK2YYO_DTmWWC0Dyv2gb3bntglLuFdsWKYCJhekjugnW9DMoGpxU7Utt99kFGAe3sBd5V0x47sukQMt3t8FgwL2nO-G1VH8yP-8GGT_0",
- "dq":"TGBeE1wuqMCcSD1YMJiPnYuGzF_o_nzMIMldxj4Wi6tXY4uwFwhtx3Xw21JFUGuSV8KuAtyGwNPF-kSwb2Eiyjdw140c1jVMXzxzLy-XfoEKPDxa62niHrHba0pGQ9tWgRfrfxgqGQl3odc-peX6aL_qCsdim-KtnkSE3iPzPkE",
- "qi":"Jzp5KnT24y0wOoPUn_11S3ZcYl0i03dkaH4c5zR02G1MJG9K017juurx2aXVTctOzrj7O226EUiL1Qbq3QtnWFDDGY6vNZuqzJM7AMXsvp1djq_6fEVhxCIOgfJbmhb3mkG82rxn4et9o_TNr6mvEmHzG15sHbvZbAnn4GeqToY"
-}
\ No newline at end of file
diff --git a/utils/tests/src/main/resources/realm.json b/utils/tests/src/main/resources/realm.json
new file mode 100644
index 0000000000..10b44b2c90
--- /dev/null
+++ b/utils/tests/src/main/resources/realm.json
@@ -0,0 +1,3139 @@
+{
+ "id": "registry",
+ "realm": "registry",
+ "notBefore": 1600933598,
+ "defaultSignatureAlgorithm": "RS256",
+ "revokeRefreshToken": false,
+ "refreshTokenMaxReuse": 0,
+ "accessTokenLifespan": 300,
+ "accessTokenLifespanForImplicitFlow": 900,
+ "ssoSessionIdleTimeout": 1800,
+ "ssoSessionMaxLifespan": 36000,
+ "ssoSessionIdleTimeoutRememberMe": 0,
+ "ssoSessionMaxLifespanRememberMe": 0,
+ "offlineSessionIdleTimeout": 2592000,
+ "offlineSessionMaxLifespanEnabled": false,
+ "offlineSessionMaxLifespan": 5184000,
+ "clientSessionIdleTimeout": 0,
+ "clientSessionMaxLifespan": 0,
+ "clientOfflineSessionIdleTimeout": 0,
+ "clientOfflineSessionMaxLifespan": 0,
+ "accessCodeLifespan": 60,
+ "accessCodeLifespanUserAction": 300,
+ "accessCodeLifespanLogin": 1800,
+ "actionTokenGeneratedByAdminLifespan": 43200,
+ "actionTokenGeneratedByUserLifespan": 300,
+ "oauth2DeviceCodeLifespan": 600,
+ "oauth2DevicePollingInterval": 5,
+ "enabled": true,
+ "sslRequired": "external",
+ "registrationAllowed": true,
+ "registrationEmailAsUsername": false,
+ "rememberMe": true,
+ "verifyEmail": false,
+ "loginWithEmailAllowed": true,
+ "duplicateEmailsAllowed": false,
+ "resetPasswordAllowed": true,
+ "editUsernameAllowed": false,
+ "bruteForceProtected": false,
+ "permanentLockout": false,
+ "maxFailureWaitSeconds": 900,
+ "minimumQuickLoginWaitSeconds": 60,
+ "waitIncrementSeconds": 60,
+ "quickLoginCheckMilliSeconds": 1000,
+ "maxDeltaTimeSeconds": 43200,
+ "failureFactor": 30,
+ "roles": {
+ "realm": [
+ {
+ "id": "91363f21-2a57-4d65-954b-b3cd45d9f69c",
+ "name": "sr-admin",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "registry",
+ "attributes": {}
+ },
+ {
+ "id": "b2a0eee7-c761-49a1-9426-441d467f3f98",
+ "name": "offline_access",
+ "description": "${role_offline-access}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "registry",
+ "attributes": {}
+ },
+ {
+ "id": "2c0937ba-7b1f-424c-927c-33cd2ccfdc62",
+ "name": "sr-developer",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "registry",
+ "attributes": {}
+ },
+ {
+ "id": "1ffdda65-2476-4ad5-b1e8-9f8af44a897b",
+ "name": "uma_authorization",
+ "description": "${role_uma_authorization}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "registry",
+ "attributes": {}
+ },
+ {
+ "id": "a06b0184-e5bc-44c2-ae5b-4315754405f1",
+ "name": "sr-readonly",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "registry",
+ "attributes": {}
+ },
+ {
+ "id": "33a21208-808d-444f-9aa7-fdf3dc9536ce",
+ "name": "default-roles-registry",
+ "description": "${role_default-roles}",
+ "composite": true,
+ "composites": {
+ "realm": [
+ "User",
+ "offline_access",
+ "uma_authorization"
+ ],
+ "client": {
+ "account": [
+ "view-applications",
+ "view-profile",
+ "manage-account"
+ ]
+ }
+ },
+ "clientRole": false,
+ "containerId": "registry",
+ "attributes": {}
+ },
+ {
+ "id": "43dd3a54-4447-4703-ad0e-cd558f78c803",
+ "name": "User",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "registry",
+ "attributes": {}
+ }
+ ],
+ "client": {
+ "admin-client": [],
+ "realm-management": [
+ {
+ "id": "dcd9e6f5-3158-4e90-ba06-e5e80e0fa05c",
+ "name": "query-users",
+ "description": "${role_query-users}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "0b4d5891-c2d9-409d-b4bd-b5daa11e059e",
+ "name": "view-identity-providers",
+ "description": "${role_view-identity-providers}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "2fee03d5-f4da-418f-843e-0a70cba351c7",
+ "name": "view-clients",
+ "description": "${role_view-clients}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "realm-management": [
+ "query-clients"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "82e5542a-8ec4-4e76-aa2f-75c0eb707aad",
+ "name": "manage-realm",
+ "description": "${role_manage-realm}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "4d0d41a7-ac3f-47c6-a227-de0dc1c861de",
+ "name": "query-groups",
+ "description": "${role_query-groups}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "4d69772c-08d4-4735-954c-4115788cecbc",
+ "name": "view-events",
+ "description": "${role_view-events}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "8a79c5f9-2d14-44e4-b2bc-7e4cb955b721",
+ "name": "query-realms",
+ "description": "${role_query-realms}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "0b54c521-9672-49b5-89ab-603fe4da9693",
+ "name": "manage-events",
+ "description": "${role_manage-events}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "3fa4a674-d449-4576-b207-f89e556ba617",
+ "name": "manage-authorization",
+ "description": "${role_manage-authorization}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "7a9c60b9-f2e6-4fec-ac85-7b3633a0f116",
+ "name": "realm-admin",
+ "description": "${role_realm-admin}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "realm-management": [
+ "query-users",
+ "view-identity-providers",
+ "view-clients",
+ "manage-realm",
+ "query-groups",
+ "view-events",
+ "query-realms",
+ "manage-events",
+ "manage-authorization",
+ "view-users",
+ "view-authorization",
+ "manage-identity-providers",
+ "impersonation",
+ "query-clients",
+ "manage-clients",
+ "view-realm",
+ "create-client",
+ "manage-users"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "f7c5550f-8233-4347-967d-4905cbd36cec",
+ "name": "view-users",
+ "description": "${role_view-users}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "realm-management": [
+ "query-users",
+ "query-groups"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "05c8c44f-8554-4a91-b9cb-be6995144040",
+ "name": "view-authorization",
+ "description": "${role_view-authorization}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "e91f859e-d5c3-48d6-b0b0-5ff2710db3c9",
+ "name": "impersonation",
+ "description": "${role_impersonation}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "a0c6b281-3915-45c2-9af7-d7d4f669419a",
+ "name": "manage-identity-providers",
+ "description": "${role_manage-identity-providers}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "e6e6d63d-d161-444f-a58d-30875b076d16",
+ "name": "query-clients",
+ "description": "${role_query-clients}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "4c592e93-ba00-4661-af7d-bc50b800c060",
+ "name": "manage-clients",
+ "description": "${role_manage-clients}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "e50b557e-c79e-4e5a-92ee-a56b9c3925e1",
+ "name": "view-realm",
+ "description": "${role_view-realm}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "34b1cafe-ee16-42d0-9ec1-c6829e01f78c",
+ "name": "create-client",
+ "description": "${role_create-client}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ },
+ {
+ "id": "7d1d9c1e-6c1c-41eb-b8d9-6460e4d243f0",
+ "name": "manage-users",
+ "description": "${role_manage-users}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "attributes": {}
+ }
+ ],
+ "apicurio-registry": [],
+ "readonly-client": [],
+ "security-admin-console": [],
+ "admin-cli": [],
+ "account-console": [],
+ "developer-client": [],
+ "wrong-client": [],
+ "broker": [
+ {
+ "id": "1ec1b34a-682d-44e7-b1fb-1d235b27b9d0",
+ "name": "read-token",
+ "description": "${role_read-token}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "717c272b-ed48-4d5a-a3cb-da5d3d3ba528",
+ "attributes": {}
+ }
+ ],
+ "account": [
+ {
+ "id": "e81eb004-b1ac-49a7-84ab-d2b86228c89d",
+ "name": "delete-account",
+ "description": "${role_delete-account}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "attributes": {}
+ },
+ {
+ "id": "a49e7c09-b2df-4468-96f0-65b8591774ad",
+ "name": "manage-account-links",
+ "description": "${role_manage-account-links}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "attributes": {}
+ },
+ {
+ "id": "b6e07306-8781-4538-800b-32b2ffc5d57c",
+ "name": "view-applications",
+ "description": "${role_view-applications}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "attributes": {}
+ },
+ {
+ "id": "aa763dea-9699-4899-95bc-f2cef6692b1d",
+ "name": "manage-consent",
+ "description": "${role_manage-consent}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "account": [
+ "view-consent"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "attributes": {}
+ },
+ {
+ "id": "6b67af9e-5c96-4944-8189-7d6c7ecc1f80",
+ "name": "view-consent",
+ "description": "${role_view-consent}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "attributes": {}
+ },
+ {
+ "id": "aad246c6-eb26-4cfd-b840-e113021f5b9b",
+ "name": "view-profile",
+ "description": "${role_view-profile}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "attributes": {}
+ },
+ {
+ "id": "de065b56-c31c-41df-b110-186a798d7f17",
+ "name": "manage-account",
+ "description": "${role_manage-account}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "account": [
+ "manage-account-links"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "attributes": {}
+ }
+ ],
+ "registry-api": []
+ }
+ },
+ "groups": [],
+ "defaultRole": {
+ "id": "33a21208-808d-444f-9aa7-fdf3dc9536ce",
+ "name": "default-roles-registry",
+ "description": "${role_default-roles}",
+ "composite": true,
+ "clientRole": false,
+ "containerId": "registry"
+ },
+ "requiredCredentials": [
+ "password"
+ ],
+ "otpPolicyType": "totp",
+ "otpPolicyAlgorithm": "HmacSHA1",
+ "otpPolicyInitialCounter": 0,
+ "otpPolicyDigits": 6,
+ "otpPolicyLookAheadWindow": 1,
+ "otpPolicyPeriod": 30,
+ "otpSupportedApplications": [
+ "FreeOTP",
+ "Google Authenticator"
+ ],
+ "webAuthnPolicyRpEntityName": "keycloak",
+ "webAuthnPolicySignatureAlgorithms": [
+ "ES256"
+ ],
+ "webAuthnPolicyRpId": "",
+ "webAuthnPolicyAttestationConveyancePreference": "not specified",
+ "webAuthnPolicyAuthenticatorAttachment": "not specified",
+ "webAuthnPolicyRequireResidentKey": "not specified",
+ "webAuthnPolicyUserVerificationRequirement": "not specified",
+ "webAuthnPolicyCreateTimeout": 0,
+ "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
+ "webAuthnPolicyAcceptableAaguids": [],
+ "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
+ "webAuthnPolicyPasswordlessSignatureAlgorithms": [
+ "ES256"
+ ],
+ "webAuthnPolicyPasswordlessRpId": "",
+ "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
+ "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
+ "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+ "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
+ "webAuthnPolicyPasswordlessCreateTimeout": 0,
+ "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
+ "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+ "users": [
+ {
+ "id": "5d3833aa-2aba-4fc4-a546-00dfe1d56bb5",
+ "createdTimestamp": 1687335757025,
+ "username": "admin-client",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "admin-client",
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "sr-admin",
+ "default-roles-registry"
+ ],
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "0f1c31e8-a357-4f05-90cc-3374973b6088",
+ "createdTimestamp": 1608543288931,
+ "username": "developer-client",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "developer-client",
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "offline_access",
+ "uma_authorization",
+ "sr-developer",
+ "User"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-applications",
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "0f1d31e8-a358-4f05-90cc-3374453b7088",
+ "createdTimestamp": 1608543288931,
+ "username": "service-account-wrong-client",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "wrong-client",
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "offline_access",
+ "uma_authorization",
+ "sr-developer",
+ "User"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-applications",
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "06fec980-2e11-4c7f-a8fb-3d285f30b0b0",
+ "createdTimestamp": 1608543552621,
+ "username": "readonly-client",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "readonly-client",
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "offline_access",
+ "uma_authorization",
+ "sr-readonly",
+ "User"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-applications",
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "70dbaf4a-fcef-449c-9184-121b6cedb115",
+ "createdTimestamp": 1607594319706,
+ "username": "service-account-registry-api",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "registry-api",
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "sr-admin",
+ "offline_access",
+ "uma_authorization",
+ "User"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-applications",
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ "notBefore": 0,
+ "groups": []
+ }
+ ],
+ "scopeMappings": [
+ {
+ "clientScope": "offline_access",
+ "roles": [
+ "offline_access"
+ ]
+ }
+ ],
+ "clientScopeMappings": {
+ "account": [
+ {
+ "client": "account-console",
+ "roles": [
+ "manage-account"
+ ]
+ }
+ ]
+ },
+ "clients": [
+ {
+ "id": "d7c9d8ec-d826-4979-970e-4d5c4d9e358b",
+ "clientId": "account",
+ "name": "${client_account}",
+ "rootUrl": "${authBaseUrl}",
+ "baseUrl": "/realms/registry/account/",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "/realms/registry/account/*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "ae8d8aa5-5991-42a1-8ca8-eec12b6717f7",
+ "clientId": "account-console",
+ "name": "${client_account-console}",
+ "rootUrl": "${authBaseUrl}",
+ "baseUrl": "/realms/registry/account/",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "/realms/registry/account/*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "pkce.code.challenge.method": "S256"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "protocolMappers": [
+ {
+ "id": "b852b0a0-768e-4f42-badd-14cf7d2d227a",
+ "name": "audience resolve",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-resolve-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "80b79538-8665-4188-921d-f4d0ad1f3113",
+ "clientId": "admin-cli",
+ "name": "${client_admin-cli}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": false,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "21c5668a-4fba-46e9-8ac3-831e5d907eb6",
+ "clientId": "admin-client",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "client.secret.creation.time": "1687335786",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "ef8fe948-b172-4d59-bffe-4ba46d0c0b09",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7e443600-bf35-49df-b0ea-5b5c51f9c590",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "605d578d-5532-4f83-bd97-fe6bf72c5fee",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "1fa15256-6427-47fa-a144-b0b784e834c6",
+ "clientId": "apicurio-registry",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "717c272b-ed48-4d5a-a3cb-da5d3d3ba528",
+ "clientId": "broker",
+ "name": "${client_broker}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "af889033-76c2-41ae-a368-67d5789f4b87",
+ "clientId": "developer-client",
+ "rootUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "aeb67b03-0bbd-432c-a329-0a04363e974a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7c29a433-d724-4b5b-86fe-d9cf9f6b7ba1",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bda4a4-e2cc-498e-838e-60a7840ccad9",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "af779833-76c2-41ae-a368-67d5789f4b87",
+ "clientId": "developer-2-client",
+ "rootUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test2",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "aeb67a03-0bbd-432c-a329-0a04363e974a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7c28a433-d724-4b5b-86fe-d9cf9f6b7ba1",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bda474-e2cc-498e-838e-60a7840ccad9",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "af669833-76c2-41ae-a368-67d5789f4b87",
+ "clientId": "no-role-client",
+ "rootUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "aeb67c03-0bbd-432c-a329-0a04363e974a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7c27a433-d724-4b5b-86fe-d9cf9f6b7ba1",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bda374-e2cc-498e-838e-60a7840ccad9",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "af774034-77c2-41le-a368-67d5789f4b87",
+ "clientId": "wrong-client",
+ "rootUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "ytb67b03-0yyi-432c-a329-0a04363e974a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "4c29a234-d731-4b5b-84fe-d9cf9f6b7ba1",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bda9a3-e2cc-498e-838e-60a7840hhod5",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "57e9899-9c1a-498d-96fd-c9bcbd3f3121",
+ "clientId": "readonly-client",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "574cef06-3ccf-4ed0-9001-edd83606ff57",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "eae693c7-5b00-4c10-bf8c-c8959925659a",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "c1861851-a5ae-4da0-9110-469abc9bd64d",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "ff7205a6-6580-4cc3-9e97-7c4a39c7562e",
+ "clientId": "realm-management",
+ "name": "${client_realm-management}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": true,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "69afe60b-7329-440a-9b4c-0ebec33d8902",
+ "clientId": "registry-api",
+ "rootUrl": "",
+ "adminUrl": "http://localhost:8080",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "frontchannel.logout.session.required": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "false",
+ "client_credentials.use_refresh_token": "false",
+ "require.pushed.authorization.requests": "false",
+ "saml.client.signature": "false",
+ "saml.allow.ecp.flow": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.encrypt": "false",
+ "login_theme": "keycloak",
+ "saml.server.signature": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml.artifact.binding": "false",
+ "saml_force_name_id_format": "false",
+ "acr.loa.map": "{}",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "token.response.type.bearer.lower-case": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "83a4a269-207b-4818-bbbb-a04abebb2997",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "20241caf-ebb6-467f-acae-7543b143c289",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "eb3a14a2-5c4c-4dd7-99dc-e2734c8c5d98",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "f1beca1a-0756-4dc6-9719-9234cd9b779f",
+ "clientId": "security-admin-console",
+ "name": "${client_security-admin-console}",
+ "rootUrl": "${authAdminUrl}",
+ "baseUrl": "/admin/registry/console/",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "test1",
+ "redirectUris": [
+ "/admin/registry/console/*"
+ ],
+ "webOrigins": [
+ "+"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "pkce.code.challenge.method": "S256"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "protocolMappers": [
+ {
+ "id": "cb9b9e1a-63a0-460e-a42f-14d1ace49da3",
+ "name": "locale",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "locale",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "locale",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ }
+ ],
+ "clientScopes": [
+ {
+ "id": "db64f4f6-e562-4e43-9f17-255b8a21c5ca",
+ "name": "roles",
+ "description": "OpenID Connect scope for add user roles to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${rolesScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "bfdfc98c-59eb-4a05-9a74-dd1bb4dea691",
+ "name": "client roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "resource_access.${client_id}.roles",
+ "jsonType.label": "String",
+ "multivalued": "true"
+ }
+ },
+ {
+ "id": "e285b5a4-2854-46d8-bd06-6ca2911dde8a",
+ "name": "realm roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "realm_access.roles",
+ "jsonType.label": "String",
+ "multivalued": "true"
+ }
+ },
+ {
+ "id": "c6da4bb5-fc32-4e34-88ac-72ca671afd3f",
+ "name": "audience resolve",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-resolve-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ]
+ },
+ {
+ "id": "5539a2b5-6e75-4533-aaaa-800101d0df4d",
+ "name": "address",
+ "description": "OpenID Connect built-in scope: address",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${addressScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "f7c31e38-1dda-4dcc-82b6-c7d958416962",
+ "name": "address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-address-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute.formatted": "formatted",
+ "user.attribute.country": "country",
+ "user.attribute.postal_code": "postal_code",
+ "userinfo.token.claim": "true",
+ "user.attribute.street": "street",
+ "id.token.claim": "true",
+ "user.attribute.region": "region",
+ "access.token.claim": "true",
+ "user.attribute.locality": "locality"
+ }
+ }
+ ]
+ },
+ {
+ "id": "ab66a766-4d9d-40ac-bcc9-264cd5471b92",
+ "name": "web-origins",
+ "description": "OpenID Connect scope for add allowed web origins to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "false",
+ "consent.screen.text": ""
+ },
+ "protocolMappers": [
+ {
+ "id": "1b1867ba-1a17-412d-ab97-0ae88963d5b5",
+ "name": "allowed web origins",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-allowed-origins-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ]
+ },
+ {
+ "id": "a2766301-ac7f-42f4-bfbe-87d2fdcef382",
+ "name": "email",
+ "description": "OpenID Connect built-in scope: email",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${emailScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "35bbe3f0-d5a3-4785-b3dc-d187330b699d",
+ "name": "email",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "email",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d439a3d1-c6da-4138-87df-c1b851e7b9c8",
+ "name": "email verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "emailVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email_verified",
+ "jsonType.label": "boolean"
+ }
+ }
+ ]
+ },
+ {
+ "id": "90c61a9b-39ac-4dbd-af49-9123739f98f9",
+ "name": "phone",
+ "description": "OpenID Connect built-in scope: phone",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${phoneScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "9170cc7f-5624-4a15-b50d-cd1b9a0ffb6f",
+ "name": "phone number verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumberVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number_verified",
+ "jsonType.label": "boolean"
+ }
+ },
+ {
+ "id": "f2d44f21-de2f-47d8-b0d5-4e46f9de581b",
+ "name": "phone number",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumber",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "9f0f742e-6202-4543-80e3-80fb2fbfc042",
+ "name": "profile",
+ "description": "OpenID Connect built-in scope: profile",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${profileScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "033dab17-488c-400d-b603-f75ebe1949b7",
+ "name": "family name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "lastName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "family_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "c87aca2f-23dd-4fc7-b79f-a9b061c165e4",
+ "name": "nickname",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "nickname",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "nickname",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "4361eae6-7021-49e1-a387-3d8bc4f50247",
+ "name": "birthdate",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "birthdate",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "birthdate",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "35c03d95-ce9d-4fd2-823b-23e896dbb105",
+ "name": "gender",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "gender",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "gender",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "0ff4cd3c-6567-4935-bbe8-0191a9bcdd72",
+ "name": "locale",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "locale",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "locale",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "8e087dfd-2978-4ea5-9ed2-32efca9a98c5",
+ "name": "given name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "firstName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "given_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "31a3c477-3aab-46cd-81e3-2b76b2c8c21c",
+ "name": "profile",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "profile",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "profile",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "a3606512-379b-4bcb-999d-29cf17812012",
+ "name": "website",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "website",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "website",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "2f535da7-ea99-4f8d-acbe-988a3691034b",
+ "name": "username",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "preferred_username",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "2fbfe26c-b175-4b16-97ea-edea4072181a",
+ "name": "picture",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "picture",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "picture",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "17e5a7d4-2e77-4ff4-8c71-b93e41e4e1bb",
+ "name": "full name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-full-name-mapper",
+ "consentRequired": false,
+ "config": {
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true"
+ }
+ },
+ {
+ "id": "ca64060a-1d26-43ca-aae7-23c62ed805d4",
+ "name": "zoneinfo",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "zoneinfo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "zoneinfo",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "beaddf45-8040-42cd-9236-55fe2134f5df",
+ "name": "middle name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "middleName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "middle_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "043c162e-e0ba-418b-b965-157f6a52db46",
+ "name": "updated at",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "updatedAt",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "updated_at",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "5074f873-23f3-4d03-9b75-6c6af91fb7ed",
+ "name": "role_list",
+ "description": "SAML role list",
+ "protocol": "saml",
+ "attributes": {
+ "consent.screen.text": "${samlRoleListScopeConsentText}",
+ "display.on.consent.screen": "true"
+ },
+ "protocolMappers": [
+ {
+ "id": "ab3d0106-d086-4813-930b-5a27ddfe038b",
+ "name": "role list",
+ "protocol": "saml",
+ "protocolMapper": "saml-role-list-mapper",
+ "consentRequired": false,
+ "config": {
+ "single": "false",
+ "attribute.nameformat": "Basic",
+ "attribute.name": "Role"
+ }
+ }
+ ]
+ },
+ {
+ "id": "65eabc09-c5a1-4a0e-830c-44a430c129f0",
+ "name": "offline_access",
+ "description": "OpenID Connect built-in scope: offline_access",
+ "protocol": "openid-connect",
+ "attributes": {
+ "consent.screen.text": "${offlineAccessScopeConsentText}",
+ "display.on.consent.screen": "true"
+ }
+ },
+ {
+ "id": "f25b9036-55b3-4cc3-bc37-bc0be5405432",
+ "name": "acr",
+ "description": "OpenID Connect scope for add acr (authentication context class reference) to the token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "false"
+ },
+ "protocolMappers": [
+ {
+ "id": "e5051472-d2aa-4658-9d95-01064efcca13",
+ "name": "acr loa level",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-acr-mapper",
+ "consentRequired": false,
+ "config": {
+ "id.token.claim": "true",
+ "access.token.claim": "true"
+ }
+ }
+ ]
+ },
+ {
+ "id": "d6f896d6-b31b-487e-b4a8-af921d3d04eb",
+ "name": "microprofile-jwt",
+ "description": "Microprofile - JWT built-in scope",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "false"
+ },
+ "protocolMappers": [
+ {
+ "id": "c7831e59-070e-4d77-8382-d5ef4f60ddd4",
+ "name": "upn",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "upn",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "3456b5e1-4852-48ac-8420-79568ffd9a89",
+ "name": "groups",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "userinfo.token.claim": "true",
+ "user.attribute": "foo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ }
+ ],
+ "defaultDefaultClientScopes": [
+ "role_list",
+ "profile",
+ "email",
+ "web-origins",
+ "roles",
+ "acr"
+ ],
+ "defaultOptionalClientScopes": [
+ "address",
+ "offline_access",
+ "phone",
+ "microprofile-jwt"
+ ],
+ "browserSecurityHeaders": {
+ "contentSecurityPolicyReportOnly": "",
+ "xContentTypeOptions": "nosniff",
+ "xRobotsTag": "none",
+ "xFrameOptions": "SAMEORIGIN",
+ "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+ "xXSSProtection": "1; mode=block",
+ "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+ },
+ "smtpServer": {},
+ "loginTheme": "keycloak",
+ "accountTheme": "keycloak",
+ "adminTheme": "keycloak",
+ "emailTheme": "keycloak",
+ "eventsEnabled": false,
+ "eventsListeners": [
+ "jboss-logging"
+ ],
+ "enabledEventTypes": [],
+ "adminEventsEnabled": false,
+ "adminEventsDetailsEnabled": false,
+ "identityProviders": [],
+ "identityProviderMappers": [],
+ "components": {
+ "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
+ {
+ "id": "6b7d0997-665b-4567-b955-f41029b1f7c6",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "b2062994-7819-4b5b-bcaf-bd565e0261f7",
+ "name": "Trusted Hosts",
+ "providerId": "trusted-hosts",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "host-sending-registration-request-must-match": [
+ "true"
+ ],
+ "client-uris-must-match": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "e28102af-287e-40d3-a64d-636f9d0af6c0",
+ "name": "Consent Required",
+ "providerId": "consent-required",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ },
+ {
+ "id": "7ea991c6-db4b-4989-87c1-2cf0b2e2b371",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "c2aa0c17-6405-441a-96d8-7174001b1f6e",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "oidc-usermodel-property-mapper",
+ "oidc-address-mapper",
+ "oidc-full-name-mapper",
+ "saml-user-property-mapper",
+ "oidc-usermodel-attribute-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "saml-user-attribute-mapper",
+ "saml-role-list-mapper"
+ ]
+ }
+ },
+ {
+ "id": "f1d9cee9-fa10-451a-a96f-486c1abc9184",
+ "name": "Full Scope Disabled",
+ "providerId": "scope",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ },
+ {
+ "id": "398d86a9-4247-4923-b3bf-a94ef18974f2",
+ "name": "Max Clients Limit",
+ "providerId": "max-clients",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "max-clients": [
+ "200"
+ ]
+ }
+ },
+ {
+ "id": "fd8139d0-82ee-453e-a9aa-0bbd10538eff",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "oidc-sha256-pairwise-sub-mapper",
+ "saml-user-attribute-mapper",
+ "saml-user-property-mapper",
+ "oidc-usermodel-property-mapper",
+ "oidc-full-name-mapper",
+ "oidc-address-mapper",
+ "saml-role-list-mapper",
+ "oidc-usermodel-attribute-mapper"
+ ]
+ }
+ }
+ ],
+ "org.keycloak.keys.KeyProvider": [
+ {
+ "id": "9ec415cf-5494-4823-a83d-cc38441b088c",
+ "name": "aes-generated",
+ "providerId": "aes-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ]
+ }
+ },
+ {
+ "id": "cd2dc9b1-a252-4f70-93c0-5bdb51532236",
+ "name": "hmac-generated",
+ "providerId": "hmac-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ],
+ "algorithm": [
+ "HS256"
+ ]
+ }
+ },
+ {
+ "id": "2dc91aa5-3084-4ceb-973e-24d78e78777a",
+ "name": "rsa-generated",
+ "providerId": "rsa-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ]
+ }
+ }
+ ]
+ },
+ "internationalizationEnabled": false,
+ "supportedLocales": [
+ ""
+ ],
+ "authenticationFlows": [
+ {
+ "id": "e5691b91-7a97-482c-9ba4-fef8933be469",
+ "alias": "Account verification options",
+ "description": "Method with which to verity the existing account",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-email-verification",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Verify Existing Account by Re-authentication",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "c6f47ebc-143a-471b-9f93-0b7faf267717",
+ "alias": "Authentication Options",
+ "description": "Authentication options.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "basic-auth",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "basic-auth-otp",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 30,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "09cbd3e3-0784-4af0-a279-4fd95216a37f",
+ "alias": "Browser - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "016d5ed7-b797-4d0c-8a2a-da422a1c0b07",
+ "alias": "Direct Grant - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "direct-grant-validate-otp",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "2122d0ae-d429-43ca-82aa-b2a8ebf265f4",
+ "alias": "First broker login - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "7dcbbd10-cfcb-4146-a080-d829ed4bbda8",
+ "alias": "Handle Existing Account",
+ "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-confirm-link",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Account verification options",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "f575338f-7ff4-4f6c-9230-2d5a93c01d8e",
+ "alias": "Reset - Conditional OTP",
+ "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "reset-otp",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "8b96e8ee-9bd6-44a5-9ce6-e12bcb1fca11",
+ "alias": "User creation or linking",
+ "description": "Flow for the existing/non-existing user alternatives",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticatorConfig": "create unique user config",
+ "authenticator": "idp-create-user-if-unique",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Handle Existing Account",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "20339a98-7cbd-4a95-8d8f-f5b60f512524",
+ "alias": "Verify Existing Account by Re-authentication",
+ "description": "Reauthentication of existing account",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-username-password-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "First broker login - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "43e87d99-f6c4-495b-a175-35fec32291c4",
+ "alias": "browser",
+ "description": "browser based authentication",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-cookie",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "identity-provider-redirector",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 25,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "autheticatorFlow": true,
+ "flowAlias": "forms",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "09f61a35-e173-40a8-9bbf-4554586112f0",
+ "alias": "clients",
+ "description": "Base authentication for clients",
+ "providerId": "client-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "client-secret",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "client-jwt",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "client-secret-jwt",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "client-x509",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 40,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "30361549-be4b-4a06-ae79-b60cb3d6ac68",
+ "alias": "direct grant",
+ "description": "OpenID Connect Resource Owner Grant",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "direct-grant-validate-username",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "direct-grant-validate-password",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 30,
+ "autheticatorFlow": true,
+ "flowAlias": "Direct Grant - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "ba07e315-0671-4691-af1e-beed84da42ab",
+ "alias": "docker auth",
+ "description": "Used by Docker clients to authenticate against the IDP",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "docker-http-basic-authenticator",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "3ff3f29e-260a-43df-b71b-75a945b220b1",
+ "alias": "first broker login",
+ "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticatorConfig": "review profile config",
+ "authenticator": "idp-review-profile",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "User creation or linking",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "11efa214-3d69-470c-92e1-2ea6cd2f1133",
+ "alias": "forms",
+ "description": "Username, password, otp and other auth forms.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-username-password-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Browser - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "b1ee124e-1648-42c2-a268-2db3251b3e44",
+ "alias": "http challenge",
+ "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "no-cookie-redirect",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Authentication Options",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "e5c21eef-7736-42bf-83f7-219f11579be9",
+ "alias": "registration",
+ "description": "registration flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-page-form",
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": true,
+ "flowAlias": "registration form",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "51b02897-de8e-47d9-872b-ee06ff1ffd8f",
+ "alias": "registration form",
+ "description": "registration form",
+ "providerId": "form-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-user-creation",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "registration-profile-action",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 40,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "registration-password-action",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 50,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "registration-recaptcha-action",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 60,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "f3d3919d-e759-49c4-8eb9-e85c16f314a5",
+ "alias": "reset credentials",
+ "description": "Reset credentials for a user if they forgot their password or something",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "reset-credentials-choose-user",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "reset-credential-email",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "reset-password",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 30,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 40,
+ "autheticatorFlow": true,
+ "flowAlias": "Reset - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "84316c99-bba7-42d5-aeeb-2f56b4ce657d",
+ "alias": "saml ecp",
+ "description": "SAML ECP Profile Authentication Flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "http-basic-authenticator",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ }
+ ],
+ "authenticatorConfig": [
+ {
+ "id": "43cf7bce-acd0-4c1f-a08e-cac4a1f32a6c",
+ "alias": "create unique user config",
+ "config": {
+ "require.password.update.after.registration": "false"
+ }
+ },
+ {
+ "id": "6c176502-376d-46fc-835f-0e0352158326",
+ "alias": "review profile config",
+ "config": {
+ "update.profile.on.first.login": "missing"
+ }
+ }
+ ],
+ "requiredActions": [
+ {
+ "alias": "CONFIGURE_TOTP",
+ "name": "Configure OTP",
+ "providerId": "CONFIGURE_TOTP",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 10,
+ "config": {}
+ },
+ {
+ "alias": "terms_and_conditions",
+ "name": "Terms and Conditions",
+ "providerId": "terms_and_conditions",
+ "enabled": false,
+ "defaultAction": false,
+ "priority": 20,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PASSWORD",
+ "name": "Update Password",
+ "providerId": "UPDATE_PASSWORD",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 30,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PROFILE",
+ "name": "Update Profile",
+ "providerId": "UPDATE_PROFILE",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 40,
+ "config": {}
+ },
+ {
+ "alias": "VERIFY_EMAIL",
+ "name": "Verify Email",
+ "providerId": "VERIFY_EMAIL",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 50,
+ "config": {}
+ },
+ {
+ "alias": "delete_account",
+ "name": "Delete Account",
+ "providerId": "delete_account",
+ "enabled": false,
+ "defaultAction": false,
+ "priority": 60,
+ "config": {}
+ },
+ {
+ "alias": "update_user_locale",
+ "name": "Update User Locale",
+ "providerId": "update_user_locale",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 1000,
+ "config": {}
+ }
+ ],
+ "browserFlow": "browser",
+ "registrationFlow": "registration",
+ "directGrantFlow": "direct grant",
+ "resetCredentialsFlow": "reset credentials",
+ "clientAuthenticationFlow": "clients",
+ "dockerAuthenticationFlow": "docker auth",
+ "attributes": {
+ "cibaBackchannelTokenDeliveryMode": "poll",
+ "cibaExpiresIn": "120",
+ "cibaAuthRequestedUserHint": "login_hint",
+ "oauth2DeviceCodeLifespan": "600",
+ "oauth2DevicePollingInterval": "5",
+ "clientSessionIdleTimeout": "0",
+ "parRequestUriLifespan": "60",
+ "clientSessionMaxLifespan": "0",
+ "cibaInterval": "5"
+ },
+ "keycloakVersion": "18.0.1",
+ "userManagedAccessAllowed": true,
+ "clientProfiles": {
+ "profiles": []
+ },
+ "clientPolicies": {
+ "policies": []
+ }
+}
\ No newline at end of file