From b57504696bd701511e48b481b651f3a0996b15f8 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 8 Mar 2023 12:11:21 +0100
Subject: [PATCH] ocis_keycloak: Add ocis roles as realm roles (#5750)
* ocis_keycloak: Add ocis roles as realm roles
This adds the roles ocisAdmin, ocisSpaceAdmin, ocisUser and ocisGuest as realm roles to the the oCIS realm. It also assigns those roles to the demo users. Additionally the missing demo user "Katherine Johnson" is added with the role of "ocisSpaceAdmin".
* Expose realm_roles in "roles" claim of id tokens and userinfo
---
 .../config/keycloak/ocis-realm.dist.json | 75 ++++++++++++++++++-
 1 file changed, 73 insertions(+), 2 deletions(-)
diff --git a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
index 3aff85b5e..180d243ab 100644
--- a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
+++ b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
@@ -46,6 +46,15 @@
 "failureFactor": 30,
 "roles": {
 "realm": [
+ {
+ "id": "0bb40fa2-4490-4687-9159-b1d27ec7423a",
+ "name": "ocisAdmin",
+ "description": "",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "ownCloud Infinite Scale Test",
+ "attributes": {}
+ },
 {
 "id": "2d576514-4aae-46aa-9d9c-075f55f4d988",
 "name": "uma_authorization",
@@ -55,6 +64,24 @@
 "containerId": "ownCloud Infinite Scale Test",
 "attributes": {}
 },
+ {
+ "id": "8c79ff81-c256-48fd-b0b9-795c7941eedf",
+ "name": "ocisUser",
+ "description": "",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "ownCloud Infinite Scale Test",
+ "attributes": {}
+ },
+ {
+ "id": "bd5f5012-48bb-4ea4-bfe6-0623e3ca0552",
+ "name": "ocisSpaceAdmin",
+ "description": "",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "ownCloud Infinite Scale Test",
+ "attributes": {}
+ },
 {
 "id": "e2145b30-bf6f-49fb-af3f-1b40168bfcef",
 "name": "offline_access",
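Review bot: The new realm roles `ocisAdmin`, `ocisUser` and `ocisSpaceAdmin` in the `@@ -46,6 +46,15 @@` and `@@ -55,6 +64,24 @@` hunks (and `ocisGuest` in the `@@ -84,6 +111,15 @@` hunk) are all added with `"description": ""`, so an operator browsing the realm in the Keycloak console gets no hint of what the role is for or that its name is what the `roles` claim mapper hands to oCIS. Fill the field with a one-liner per role, e.g. `"description": "oCIS administrator role; exposed to oCIS through the roles claim"`, and analogous text for the other three. The commit message could also state that `ocisGuest` is defined but, as far as this patch shows, assigned to no demo user, so readers do not look for a missing account.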
@@ -84,6 +111,15 @@
 "clientRole": false,
 "containerId": "ownCloud Infinite Scale Test",
 "attributes": {}
+ },
+ {
+ "id": "7eedfa6d-a2d9-4296-b6db-e75e4e9c0963",
+ "name": "ocisGuest",
+ "description": "",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "ownCloud Infinite Scale Test",
+ "attributes": {}
 }
 ],
 "client": {
@@ -479,6 +515,7 @@
 "requiredActions": [],
 "realmRoles": [
 "uma_authorization",
+ "ocisAdmin",
 "offline_access"
 ],
 "clientRoles": {
@@ -513,6 +550,7 @@
 "requiredActions": [],
 "realmRoles": [
 "uma_authorization",
+ "ocisUser",
 "offline_access"
 ],
 "clientRoles": {
@@ -524,6 +562,35 @@
 "notBefore": 0,
 "groups": []
 },
+ {
+ "id": "b44a81e2-e3ed-4241-a9ce-44604f7ac9eb",
+ "createdTimestamp": 1678101111607,
+ "username": "katherine",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": true,
+ "firstName": "Katherine",
+ "lastName": "Johnson",
+ "email": "katherine@example.org",
+ "credentials": [
+ {
+ "id": "be18ccc9-b80f-4895-bf06-8e8e4605c634",
+ "type": "password",
+ "userLabel": "My password",
+ "createdDate": 1678101159924,
+ "secretData": "{\"value\":\"/E/1yfcgM8deq6V544gEsTfsXZuUnzaofmM+AK+MpAsvRoNRtEyRN1pajhIpGDtEuPa/KVBDbcALE7WMbFhO1w==\",\"salt\":\"TXapvlOYBWqabQRo+fINFQ==\",\"additionalParameters\":{}}",
+ "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ }
+ ],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "ocisSpaceAdmin",
+ "default-roles-ocis"
+ ],
+ "notBefore": 0,
+ "groups": []
+ },
 {
 "id": "48016357-346a-443e-bf7a-945c9448a99b",
 "createdTimestamp": 1611912241951,
@@ -547,6 +614,7 @@
 "requiredActions": [],
 "realmRoles": [
 "uma_authorization",
+ "ocisUser",
 "offline_access"
 ],
 "clientRoles": {
@@ -581,6 +649,7 @@
 "requiredActions": [],
 "realmRoles": [
 "uma_authorization",
+ "ocisAdmin",
 "offline_access"
 ],
 "clientRoles": {
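Review bot: The new `katherine` user in the `@@ -524,6 +562,35 @@` hunk gets `"realmRoles": ["ocisSpaceAdmin", "default-roles-ocis"]`, whereas every other user touched by this patch is given `"uma_authorization"`, its ocis role and `"offline_access"` explicitly; unless the neighbouring users also carry `default-roles-ocis` outside the visible hunks, this one account alone depends on the default-roles composite, and the role names the realm-role mapper puts into the `roles` claim may differ between her and the other demo users. Align it with the neighbours: `"uma_authorization",` / `"ocisSpaceAdmin",` / `"offline_access"`. The account also ships a fixed `password` credential in a `.dist.json` that is meant to be copied as-is, and now holds `ocisSpaceAdmin`; the example's README should state that the demo accounts are to be removed or re-credentialed before the deployment is reachable beyond local testing.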
@@ -615,6 +684,7 @@
 "requiredActions": [],
 "realmRoles": [
 "uma_authorization",
+ "ocisUser",
 "offline_access"
 ],
 "clientRoles": {
@@ -1564,9 +1634,10 @@
 "protocolMapper": "oidc-usermodel-realm-role-mapper",
 "consentRequired": false,
 "config": {
- "user.attribute": "foo",
 "access.token.claim": "true",
- "claim.name": "realm_access.roles",
+ "claim.name": "roles",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
 "jsonType.label": "String",
 "multivalued": "true"
 }
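Review bot: The mapper in the `@@ -1564,9 +1634,10 @@` hunk is an `oidc-usermodel-realm-role-mapper` with no role filter in its `config`, so the `roles` claim it now writes into the access token, ID token and userinfo response carries every realm role the user holds — `uma_authorization`, `offline_access` and `default-roles-ocis` appear in this same patch — not only the four `ocis*` roles being introduced. That is acceptable only if the consuming side matches the known role names and ignores the rest; worth confirming, and worth a sentence in the commit message since this file is an example others copy. Renaming the claim from `realm_access.roles` to `roles` also changes the token contract for anything that read the old claim, which the description should mention. The mapper entry's enclosing object (its `name`/`protocol` keys) starts outside the hunk.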