diff --git a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json index 13f4a76fa..424d26038 100644 --- a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json +++ b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json @@ -3,6 +3,7 @@ "realm": "oCIS", "displayName": "ownCloud Infinite Scale", "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", "revokeRefreshToken": false, "refreshTokenMaxReuse": 0, "accessTokenLifespan": 300, @@ -23,6 +24,8 @@ "accessCodeLifespanLogin": 1800, "actionTokenGeneratedByAdminLifespan": 43200, "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, "enabled": true, "sslRequired": "external", "registrationAllowed": false, @@ -60,6 +63,27 @@ "clientRole": false, "containerId": "ownCloud Infinite Scale Test", "attributes": {} + }, + { + "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", + "name": "default-roles-ocis", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test", + "attributes": {} } ], "client": { @@ -329,6 +353,15 @@ "containerId": "9850adad-7910-4b67-a790-da6444361618", "attributes": {} }, + { + "id": "2ffdf854-084b-467a-91c6-7f07844efc9a", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, { "id": "8c45ca71-32aa-4547-932d-412da5e371ed", "name": "view-profile", 
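Review bot: The new `default-roles-ocis` composite in hunk `@@ -60,6 +63,27 @@` grants `offline_access` to every realm user, so any account can request `scope=offline_access` and receive offline tokens that outlive `accessTokenLifespan` and, with `revokeRefreshToken` left at `false` in the first hunk, stay reusable. That mirrors Keycloak's stock default role and the old `defaultRoles` list, so it is not a regression, but an example realm that gets copied into real deployments is the place to tighten it. If none of the oCIS clients actually request `offline_access` (their configuration is outside this diff, so verify), drop it from `composites.realm` and leave only `"uma_authorization"`; a client that genuinely needs offline tokens can be granted the role explicitly.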
@@ -376,10 +409,14 @@ } }, "groups": [], - "defaultRoles": [ - "uma_authorization", - "offline_access" - ], + "defaultRole": { + "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", + "name": "default-roles-ocis", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test" + }, "requiredCredentials": [ "password" ], @@ -389,9 +426,10 @@ "otpPolicyDigits": 6, "otpPolicyLookAheadWindow": 1, "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, "otpSupportedApplications": [ - "FreeOTP", - "Google Authenticator" + "totpAppFreeOTPName", + "totpAppGoogleName" ], "webAuthnPolicyRpEntityName": "keycloak", "webAuthnPolicySignatureAlgorithms": [ @@ -602,7 +640,8 @@ { "client": "account-console", "roles": [ - "manage-account" + "manage-account", + "view-groups" ] } ] @@ -616,7 +655,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "bde4651e-faf6-4390-b58e-3e9e8e623d57", "redirectUris": [], "webOrigins": [], "notBefore": 0, @@ -629,13 +667,14 @@ "publicClient": false, "frontchannelLogout": false, "protocol": "openid-connect", - "attributes": {}, + "attributes": { + "post.logout.redirect.uris": "+" + }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "role_list", "profile", "roles", "email" @@ -657,11 +696,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "1f414d17-2751-4fde-af10-a7c2deb3261f", - "defaultRoles": [ - "manage-account", - "view-profile" - ], "redirectUris": [ "/realms/oCIS/account/*" ], @@ -676,7 +710,9 @@ "publicClient": false, "frontchannelLogout": false, "protocol": "openid-connect", - "attributes": {}, + "attributes": { + "post.logout.redirect.uris": "+" + }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, 
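Review bot: Dropping the literal `secret` values in hunks `@@ -616,7 +655,6 @@` and `@@ -657,11 +696,6 @@` is correct, but the removed values remain in git history and should be treated as burned. Keycloak generates a fresh secret for each confidential client (`publicClient: false`, `clientAuthenticatorType: client-secret`) at import time, so new deployments need nothing further, while any environment that was imported from the old file still holds the old values and should regenerate them from the admin console or `kcadm.sh`. The `clientId` of each affected client falls outside these hunks, so I cannot tell from here whether an oCIS service is configured with one of these secrets out-of-band; if it is, that configuration has to be updated together with this change.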
@@ -693,7 +729,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "f63c75e2-0902-4722-acd8-6a9e870be610", "redirectUris": [ "/realms/oCIS/account/*" ], @@ -709,6 +744,7 @@ "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { + "post.logout.redirect.uris": "+", "pkce.code.challenge.method": "S256" }, "authenticationFlowBindingOverrides": {}, @@ -735,7 +771,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "27a24954-b795-426e-ada4-96b1d5140997", "redirectUris": [], "webOrigins": [], "notBefore": 0, @@ -748,7 +783,9 @@ "publicClient": true, "frontchannelLogout": false, "protocol": "openid-connect", - "attributes": {}, + "attributes": { + "post.logout.redirect.uris": "+" + }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, @@ -763,7 +800,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "d989c5d2-0d2c-4284-a761-62c9228dbc31", "redirectUris": [], "webOrigins": [], "notBefore": 0, @@ -776,7 +812,9 @@ "publicClient": false, "frontchannelLogout": false, "protocol": "openid-connect", - "attributes": {}, + "attributes": { + "post.logout.redirect.uris": "+" + }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, @@ -811,6 +849,7 @@ "saml.force.post.binding": "false", "saml.multivalued.roles": "false", "saml.encrypt": "false", + "post.logout.redirect.uris": "+", "backchannel.logout.revoke.offline.tokens": "false", "saml.server.signature": "false", "saml.server.signature.keyinfo.ext": "false", @@ -829,7 +868,6 @@ "nodeReRegistrationTimeout": -1, "defaultClientScopes": [ "web-origins", - "role_list", "profile", "roles", "email" 
@@ -870,6 +908,7 @@ "saml.force.post.binding": "false", "saml.multivalued.roles": "false", "saml.encrypt": "false", + "post.logout.redirect.uris": "+", "backchannel.logout.revoke.offline.tokens": "false", "saml.server.signature": "false", "saml.server.signature.keyinfo.ext": "false", @@ -888,7 +927,6 @@ "nodeReRegistrationTimeout": -1, "defaultClientScopes": [ "web-origins", - "role_list", "profile", "roles", "email" @@ -908,7 +946,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "81a35a01-a005-4a8b-9ebc-4b0f4b874731", "redirectUris": [], "webOrigins": [], "notBefore": 0, @@ -921,7 +958,9 @@ "publicClient": false, "frontchannelLogout": false, "protocol": "openid-connect", - "attributes": {}, + "attributes": { + "post.logout.redirect.uris": "+" + }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, @@ -938,7 +977,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "27ccdbd6-c1de-4f13-90f3-0461132f467d", "redirectUris": [ "/admin/oCIS/console/*" ], @@ -956,6 +994,7 @@ "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { + "post.logout.redirect.uris": "+", "pkce.code.challenge.method": "S256" }, "authenticationFlowBindingOverrides": {}, @@ -991,7 +1030,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "9cbeb996-67a8-4ade-a86a-d2b2f3bc2568", "redirectUris": [ "https://ocis.owncloud.test/*" ], @@ -1013,6 +1051,7 @@ "saml.force.post.binding": "false", "saml.multivalued.roles": "false", "saml.encrypt": "false", + "post.logout.redirect.uris": "+", "backchannel.logout.revoke.offline.tokens": "false", "saml.server.signature": "false", "saml.server.signature.keyinfo.ext": "false", @@ -1031,7 +1070,6 @@ "nodeReRegistrationTimeout": -1, "defaultClientScopes": [ "web-origins", - "role_list", "profile", "roles", "email" 
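Review bot: `"post.logout.redirect.uris": "+"` in hunk `@@ -1013,6 +1051,7 @@` tells Keycloak to validate `post_logout_redirect_uri` against the client's `redirectUris`, and for what appears to be the same client the preceding hunk shows that list as the wildcard `https://ocis.owncloud.test/*`, so any path on that host becomes an accepted post-logout target. `+` is what Keycloak's migration writes for pre-existing clients, but the oCIS logout landing page is a fixed URL and can be pinned instead, e.g. `"post.logout.redirect.uris": "https://ocis.owncloud.test/"` (whichever exact URL oCIS sends). The wildcard in `redirectUris` itself predates this change; narrowing it to the exact callback path(s) oCIS uses is worth a follow-up.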
@@ -1072,6 +1110,7 @@ "saml.force.post.binding": "false", "saml.multivalued.roles": "false", "saml.encrypt": "false", + "post.logout.redirect.uris": "+", "backchannel.logout.revoke.offline.tokens": "false", "saml.server.signature": "false", "saml.server.signature.keyinfo.ext": "false", @@ -1090,7 +1129,6 @@ "nodeReRegistrationTimeout": -1, "defaultClientScopes": [ "web-origins", - "role_list", "profile", "roles", "email" 
@@ -1104,6 +1142,80 @@ } ], "clientScopes": [ + { + "id": "258e56a8-1eeb-49ea-957b-aff8df4656ba", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "068bcfb6-4a17-4c20-b083-ae542a7f76c8", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "c00d6c21-2fd1-435f-9ee9-87e011048cbe", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "b3e1e47e-3912-4b55-ba89-b0198e767682", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "876baab9-39d1-4845-abb4-561a58aa152d", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + 
"access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, { "id": "9cae7ced-e7d9-4f7b-8e54-7402125f6ead", "name": "offline_access", 
@@ -1358,80 +1470,6 @@ } ] }, - { - "id": "258e56a8-1eeb-49ea-957b-aff8df4656ba", - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "068bcfb6-4a17-4c20-b083-ae542a7f76c8", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "c00d6c21-2fd1-435f-9ee9-87e011048cbe", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "b3e1e47e-3912-4b55-ba89-b0198e767682", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "876baab9-39d1-4845-abb4-561a58aa152d", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - 
"user.attribute.locality": "locality" - } - } - ] - }, { "id": "79713daf-89ca-4ed4-ad97-a88b13ee9a18", "name": "phone", @@ -1545,6 +1583,29 @@ } ] }, + { + "id": "86883395-e439-4cab-9d8d-31d71389969c", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "b849b14b-7c9c-4b7b-9329-c56debefb47c", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, { "id": "bdb3e320-76c8-4ad7-9d0f-a08efc060101", "name": "microprofile-jwt", @@ -1594,7 +1655,8 @@ "profile", "email", "roles", - "web-origins" + "web-origins", + "acr" ], "defaultOptionalClientScopes": [ "offline_access", @@ -1651,14 +1713,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "saml-user-attribute-mapper", - "oidc-full-name-mapper", - "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", - "oidc-address-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper", "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", - "saml-user-property-mapper" + "saml-role-list-mapper" ] } }, @@ -1702,14 +1764,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-usermodel-attribute-mapper", - "oidc-address-mapper", - "saml-role-list-mapper", "saml-user-property-mapper", - "saml-user-attribute-mapper", + "oidc-address-mapper", + "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", - "oidc-full-name-mapper", - "oidc-usermodel-property-mapper" + "oidc-usermodel-attribute-mapper", + "saml-role-list-mapper", + "saml-user-attribute-mapper", + "oidc-full-name-mapper" ] } } 
@@ -1721,12 +1783,6 @@ "providerId": "rsa-generated", "subComponents": {}, "config": { - "privateKey": [ - "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" - ], - "certificate": [ - "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" - ], "priority": [ "100" ] @@ -1738,12 +1794,6 @@ "providerId": "hmac-generated", "subComponents": {}, "config": { - "kid": [ - "f1889839-fdb1-4c3a-98b6-13305f1b0f74" - ], - "secret": [ - "UVX0V-qlIGdVswACK-jwOsjn7EV5Uc12drTs7XCegEIlXkjtg_m2VGg2rJZgg12wxjCXm69kpTZ8lmfGxiuZdw" - ], "priority": [ "100" ], @@ -1758,12 +1808,6 @@ "providerId": "aes-generated", "subComponents": {}, "config": { - "kid": [ - "3fef4998-39b3-46d3-9803-c480f4105b0a" - ], - "secret": [ - "ZHHvfx76H3grDuKPGRtxCw" - ], "priority": [ "100" ] @@ -1775,7 +1819,7 @@ "supportedLocales": [], "authenticationFlows": [ { - "id": "1e83c21e-95cd-4690-96ca-b65bb5669658", + "id": "8964f931-b866-4a05-ab1c-89331a566887", "alias": "Account verification options", "description": "Method with which to verity the existing account", "providerId": "basic-flow", @@ -1784,22 +1828,24 @@ "authenticationExecutions": [ { "authenticator": "idp-email-verification", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 20, + "autheticatorFlow": true, "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "ad3efe78-b66b-4f53-afc1-082022a83ea5", + "id": "404d2769-f3ba-4b5e-b43f-1bca919334f2", "alias": "Authentication Options", "description": "Authentication options.", "providerId": "basic-flow", 
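Review bot: Removing the `privateKey`/`certificate` of the `rsa-generated` provider and the `secret` of the `hmac-generated` and `aes-generated` providers (hunks `@@ -1721,12 +1783,6 @@` through `@@ -1758,12 +1808,6 @@`) fixes a committed-signing-key problem, but the old material is still in git history and can mint valid tokens for any realm that was imported from it. Every environment imported from the previous file should rotate: add a new provider of each type with a `priority` above `100`, let the old keys go passive until existing tokens and sessions expire (offline tokens do not expire on their own), then delete the old providers. With only `priority` left in `config`, Keycloak generates fresh keys on first import, so new deployments are fine; a one-line note in the deployment README that these keys now live only in the Keycloak database and must be backed up with it would save someone a surprise.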
@@ -1808,29 +1854,32 @@ "authenticationExecutions": [ { "authenticator": "basic-auth", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "basic-auth-otp", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "auth-spnego", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 30, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "4efb4624-94a8-4eb6-b9cd-9eae0e355bc5", + "id": "123e5711-1ee5-4f7e-ac9c-64c644daaea9", "alias": "Browser - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1839,22 +1888,24 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "auth-otp-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "af0d79b5-adc0-4ef7-a8c2-c149f4cea9ec", + "id": "be73b7f5-9a66-487c-b7dd-80e0f7ac0c7c", "alias": "Direct Grant - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", 
@@ -1863,22 +1914,24 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "e0b5c8fb-cc71-4653-9e01-92e4731bf11c", + "id": "597ca917-91fc-4898-a279-cd592af286e3", "alias": "First broker login - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1887,22 +1940,24 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "auth-otp-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "e3705c4a-d92f-4f22-9693-a5232fe31f69", + "id": "3daadb6b-4d63-4be1-a89e-ec8e41e72afa", "alias": "Handle Existing Account", "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId": "basic-flow", 
@@ -1911,22 +1966,24 @@ "authenticationExecutions": [ { "authenticator": "idp-confirm-link", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, + "autheticatorFlow": true, "flowAlias": "Account verification options", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "794618ff-52f6-4fad-a5c6-4e8fab00dd17", + "id": "5942598c-d7e9-4941-b13e-4a8a75e2c2a3", "alias": "Reset - Conditional OTP", "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId": "basic-flow", @@ -1935,22 +1992,24 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "reset-otp", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "5ff78050-25cd-4895-8fef-7ec3631239c9", + "id": "6e4b336e-eb5f-423c-8d32-4ab94d1122e6", "alias": "User creation or linking", "description": "Flow for the existing/non-existing user alternatives", "providerId": "basic-flow", 
@@ -1960,22 +2019,24 @@ { "authenticatorConfig": "create unique user config", "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 20, + "autheticatorFlow": true, "flowAlias": "Handle Existing Account", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "5ddaf74c-25b8-4cc1-98fd-325219811525", + "id": "35ac1997-b6af-44ff-ab27-c34f9be32e56", "alias": "Verify Existing Account by Re-authentication", "description": "Reauthentication of existing account", "providerId": "basic-flow", @@ -1984,22 +2045,24 @@ "authenticationExecutions": [ { "authenticator": "idp-username-password-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 20, + "autheticatorFlow": true, "flowAlias": "First broker login - Conditional OTP", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "6b77b935-9cb8-4ae8-b23e-4fe8f4c1f93b", + "id": "a3473070-fe69-4de1-a0b2-dd54b8a769d5", "alias": "browser", "description": "browser based authentication", "providerId": "basic-flow", 
@@ -2008,36 +2071,40 @@ "authenticationExecutions": [ { "authenticator": "auth-cookie", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "auth-spnego", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 25, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 30, + "autheticatorFlow": true, "flowAlias": "forms", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "9dfc0dc9-da89-48f1-95ae-dd3dc5dcb60b", + "id": "cc714857-b114-4df6-9030-b464bbb3964d", "alias": "clients", "description": "Base authentication for clients", "providerId": "client-flow", 
@@ -2046,36 +2113,40 @@ "authenticationExecutions": [ { "authenticator": "client-secret", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "client-jwt", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "client-secret-jwt", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 30, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "client-x509", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 40, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "4f5c0c90-6a28-46bc-a4c2-b216b1a387ca", + "id": "0ebe891c-1a72-4842-bf29-a9abe9c2a4d2", "alias": "direct grant", "description": "OpenID Connect Resource Owner Grant", "providerId": "basic-flow", 
@@ -2084,29 +2155,32 @@ "authenticationExecutions": [ { "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 30, + "autheticatorFlow": true, "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "11bf67b6-6fa8-4b04-abc0-1fffe293e9fe", + "id": "d97d5579-b3d4-49c4-a60e-0e1e6b1c9d79", "alias": "docker auth", "description": "Used by Docker clients to authenticate against the IDP", "providerId": "basic-flow", @@ -2115,15 +2189,16 @@ "authenticationExecutions": [ { "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "06fe5c40-d285-432d-ba8f-16e64d5c192b", + "id": "009f7c28-0f41-4237-9911-9091c3d751b7", "alias": "first broker login", "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId": "basic-flow", 
@@ -2133,22 +2208,24 @@ { "authenticatorConfig": "review profile config", "authenticator": "idp-review-profile", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, + "autheticatorFlow": true, "flowAlias": "User creation or linking", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "38963f42-3cf9-467b-be8f-a23af94783fe", + "id": "f9911022-b3cf-4d96-9a96-51bc53c437eb", "alias": "forms", "description": "Username, password, otp and other auth forms.", "providerId": "basic-flow", @@ -2157,22 +2234,24 @@ "authenticationExecutions": [ { "authenticator": "auth-username-password-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 20, + "autheticatorFlow": true, "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "1ba1842f-5b89-41cd-a54e-9262f5fdb9be", + "id": "8f5fab27-9b06-444d-931b-d03be9e6d4af", "alias": "http challenge", "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId": "basic-flow", 
@@ -2181,22 +2260,24 @@ "authenticationExecutions": [ { "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, + "autheticatorFlow": true, "flowAlias": "Authentication Options", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "532769a0-01a2-472d-8a19-54ad730eb5cf", + "id": "c53eb19d-49e9-4252-8a10-4d5c6a12e61b", "alias": "registration", "description": "registration flow", "providerId": "basic-flow", @@ -2205,16 +2286,17 @@ "authenticationExecutions": [ { "authenticator": "registration-page-form", + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 10, + "autheticatorFlow": true, "flowAlias": "registration form", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "1fedf0a2-d9a9-4060-8907-17ea2338d6f8", + "id": "3b4f48d3-1706-4630-80e0-e0542780a1f7", "alias": "registration form", "description": "registration form", "providerId": "form-flow", 
@@ -2223,36 +2305,40 @@ "authenticationExecutions": [ { "authenticator": "registration-user-creation", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "registration-profile-action", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 40, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "registration-password-action", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 50, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 60, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] }, { - "id": "86180e38-fb76-45ce-8778-3559cdf7d5c7", + "id": "5520aa89-cd76-438a-abae-7ccd3a2d7615", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", 
@@ -2261,36 +2347,40 @@ "authenticationExecutions": [ { "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "reset-credential-email", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { "authenticator": "reset-password", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 30, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 40, + "autheticatorFlow": true, "flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false, - "authenticatorFlow": true + "userSetupAllowed": false } ] }, { - "id": "b2f6fc89-6970-464c-8854-e9d0c4187294", + "id": "cce548d6-9bef-4449-88ea-99b949488fe7", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", @@ -2299,24 +2389,25 @@ "authenticationExecutions": [ { "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "userSetupAllowed": false, - "authenticatorFlow": false + "autheticatorFlow": false, + "userSetupAllowed": false } ] } ], "authenticatorConfig": [ { - "id": "d85277e4-c918-46a7-8eee-0e831f2a1206", + "id": "0848606c-7510-4b09-ba0e-4dc2ef3d63f8", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { - "id": "db4882d3-772a-4855-ba52-8330d4052c01", + "id": "91a8dee7-c679-4202-866e-234eb4164cfd", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" 
@@ -2395,11 +2486,25 @@ "clientAuthenticationFlow": "clients", "dockerAuthenticationFlow": "docker auth", "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", "clientSessionIdleTimeout": "0", + "parRequestUriLifespan": "60", "clientSessionMaxLifespan": "0", - "clientOfflineSessionIdleTimeout": "0" + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5", + "realmReusableOtpCode": "false" }, - "keycloakVersion": "12.0.2", - "userManagedAccessAllowed": false + "keycloakVersion": "20.0.3", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } } diff --git a/deployments/examples/ocis_keycloak/keycloak-export.sh b/deployments/examples/ocis_keycloak/keycloak-export.sh deleted file mode 100644 index 28180c086..000000000 --- a/deployments/examples/ocis_keycloak/keycloak-export.sh +++ /dev/null @@ -1,10 +0,0 @@ -#! /bin/bash -docker-compose exec keycloak \ - sh -c "cd /opt/jboss/keycloak && \ - timeout 60 bin/standalone.sh \ - -Djboss.httin/standalone.sh \ - -Djboss.socket.binding.port-offset=100 \ - -Dkeycloak.migration.action=export \ - -Dkeycloak.migration.provider=singleFile \ - -Dkeycloak.migration.realmName=oCIS \ - -Dkeycloak.migration.file=ocis-realm.json" diff --git a/docs/ocis/deployment/continuous_deployment.md b/docs/ocis/deployment/continuous_deployment.md index ab5e66234..9b37cae0d 100644 --- a/docs/ocis/deployment/continuous_deployment.md +++ b/docs/ocis/deployment/continuous_deployment.md 
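Review bot: `clientPolicies.policies` and `clientProfiles.profiles` are added empty in hunk `@@ -2395,11 +2486,25 @@`, while the realm has at least one `publicClient: true` client and PKCE is only pinned per client via `pkce.code.challenge.method` on the console clients. Keycloak 20 can enforce PKCE for every public client through a client policy, which is worth adding here so a future public client cannot be created without it; the executor and condition ids below follow Keycloak's client-policies documentation and should be checked against the running version. The deletion of `keycloak-export.sh` is expected since the WildFly `standalone.sh` path no longer exists in the Quarkus distribution, but no replacement such as `kc.sh export --realm oCIS` is visible in this diff, so keeping `ocis-realm.dist.json` in sync with a running realm becomes a manual, undocumented step.
```json
"clientProfiles": {
  "profiles": [
    {
      "name": "public-clients-pkce",
      "description": "Force PKCE (S256) on every public client",
      "executors": [
        { "executor": "pkce-enforcer", "configuration": { "auto-configure": true } }
      ]
    }
  ]
},
"clientPolicies": {
  "policies": [
    {
      "name": "public-clients-require-pkce",
      "enabled": true,
      "conditions": [
        { "condition": "client-access-type", "configuration": { "type": ["public"] } }
      ],
      "profiles": ["public-clients-pkce"]
    }
  ]
}
```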
@@ -85,12 +85,14 @@ Credentials: ## Latest - oCIS: [ocis.ocis-keycloak.latest.owncloud.works](https://ocis.ocis-keycloak.latest.owncloud.works) -- Keycloak: [keycloak.ocis-keycloak.latest.owncloud.works](https://keycloak.ocis-keycloak.latest.owncloud.works) +- Keycloak admin access: [keycloak.ocis-keycloak.latest.owncloud.works](https://keycloak.ocis-keycloak.latest.owncloud.works) +- Keycloak account management: [keycloak.ocis-keycloak.latest.owncloud.works/realms/oCIS/account/#/](https://keycloak.ocis-keycloak.latest.owncloud.works/realms/oCIS/account/#/) ## Released - oCIS: [ocis.ocis-keycloak.released.owncloud.works](https://ocis.ocis-keycloak.released.owncloud.works) - Keycloak: [keycloak.ocis-keycloak.released.owncloud.works](https://keycloak.ocis-keycloak.released.owncloud.works) +- - Keycloak account management: [keycloak.ocis-keycloak.released.owncloud.works/realms/oCIS/account/#/](https://keycloak.ocis-keycloak.released.owncloud.works/realms/oCIS/account/#/) # Parallel deployment of oC10 and oCIS