diff --git a/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts b/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
index 35eeff6a..ed67d501 100644
--- a/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
+++ b/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
@@ -15,7 +15,6 @@ export type ParsedRealmJson = {
 id: string;
 email: string;
 username: string;
- attributes: Record;
 credentials: {
 type: string /* "password" or something else */;
 }[];
@@ -59,7 +58,6 @@ const zParsedRealmJson = (() => {
 id: z.string(),
 email: z.string(),
 username: z.string(),
- attributes: z.record(z.unknown()),
 credentials: z.array(
 z.object({
 type: z.string()
diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-18.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-18.json
index a438eb64..7b46daf1 100644
--- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-18.json
+++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-18.json
@@ -73,7 +73,7 @@
 "composites": {
 "realm": ["offline_access", "uma_authorization"],
 "client": {
- "account": ["delete-account", "view-profile", "manage-account"]
+ "account": ["view-profile", "manage-account", "delete-account"]
 }
 },
 "clientRole": false,
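Review bot: Dropping `attributes` from the zod schema in the second hunk does more than remove a type: `z.object` strips keys it does not declare, so if the parsed value is what gets written back, any user `attributes` present in a realm export are silently discarded rather than passed through. If the motivation is that some Keycloak exports omit the field, `attributes: z.record(z.unknown()).optional(),` in the schema and `attributes?: Record<string, unknown>;` in the type (first hunk) keep it typed where it exists. If attributes are genuinely unused downstream, a one-line comment on the schema saying the field is intentionally not modelled would stop the next maintainer from re-adding it. Both the `ParsedRealmJson` type and the `zParsedRealmJson` initializer continue past their hunks.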
@@ -398,6 +398,26 @@ "otpPolicyLookAheadWindow": 1, "otpPolicyPeriod": 30, "otpSupportedApplications": ["FreeOTP", "Google Authenticator"], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": ["ES256"], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], "users": [ { "id": "00a62e75-bcc1-419a-a292-63ee5d161ed3", 
@@ -422,30 +442,43 @@ "disableableCredentialTypes": [], "requiredActions": [], "realmRoles": ["default-roles-myrealm"], + "clientRoles": { + "realm-management": [ + "create-client", + "view-identity-providers", + "manage-realm", + "query-groups", + "manage-clients", + "query-users", + "realm-admin", + "view-authorization", + "view-events", + "view-clients", + "view-realm", + "manage-events", + "query-realms", + "query-clients", + "manage-identity-providers", + "manage-users", + "view-users", + "impersonation", + "manage-authorization" + ], + "broker": ["read-token"], + "account": [ + "view-profile", + "manage-account-links", + "view-applications", + "manage-consent", + "delete-account", + "manage-account", + "view-consent" + ] + }, "notBefore": 0, "groups": [] } ], - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": ["ES256"], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], "scopeMappings": [ { "clientScope": "offline_access", 
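Review bot: Nothing in the file or the commit marks this realm as development-only, yet the added `clientRoles` block makes the seeded user a full realm administrator (`realm-admin`, `impersonation`, `manage-users`, `manage-clients`, ...) on every instance that imports it, and the same block is added to realm-kc-19.json and realm-kc-20.json further down. Because the user's credentials are seeded in the same file, any instance built from this export starts with a known-credential realm admin. That is fine for the `start-keycloak` dev server this config appears to back, but the commit description or the config directory's README should state that these default realms are for local development only and must not be imported into a shared or production realm. The enclosing `users` entry begins outside the hunk.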
@@ -505,8 +538,12 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": ["/realms/myrealm/account/*"], - "webOrigins": [], + "redirectUris": [ + "http://localhost*", + "http://127.0.0.1*", + "/realms/myrealm/account/*" + ], + "webOrigins": ["*"], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -518,6 +555,7 @@ "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { + "post.logout.redirect.uris": "+", "pkce.code.challenge.method": "S256" }, "authenticationFlowBindingOverrides": {}, @@ -636,7 +674,7 @@ "attributes": { "oidc.ciba.grant.enabled": "false", "backchannel.logout.session.required": "true", - "login_theme": "keycloakify-starter", + "post.logout.redirect.uris": "+", "display.on.consent.screen": "false", "oauth2.device.authorization.grant.enabled": "false", "backchannel.logout.revoke.offline.tokens": "false" @@ -694,8 +732,12 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": ["/admin/myrealm/console/*"], - "webOrigins": ["+"], + "redirectUris": [ + "http://localhost*", + "http://127.0.0.1*", + "/admin/myrealm/console/*" + ], + "webOrigins": ["*"], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -707,6 +749,7 @@ "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { + "post.logout.redirect.uris": "+", "pkce.code.challenge.method": "S256" }, "authenticationFlowBindingOverrides": {}, @@ -757,7 +800,8 @@ "consentRequired": false, "config": { "id.token.claim": "true", - "access.token.claim": "true" + "access.token.claim": "true", + "userinfo.token.claim": "true" } } ] @@ -1205,6 +1249,7 @@ "consentRequired": false, "config": { "multivalued": "true", + "userinfo.token.claim": "true", "user.attribute": "foo", "id.token.claim": "true", "access.token.claim": "true", 
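Review bot: `"webOrigins": ["*"]` on the account console client in the first hunk (and on the admin console client in the `@@ -694` hunk, with the same change in the realm-kc-19 and realm-kc-20 files) removes CORS origin restriction entirely, where the previous `"+"` on the admin console meant "origins of the registered redirect URIs" and is the narrower option. The added `http://localhost*` and `http://127.0.0.1*` redirect patterns appear to be prefix matches, so a host that merely begins with `localhost` would also be accepted, and together with `"post.logout.redirect.uris": "+"` the redirect and post-logout allow-lists are effectively open. For a realm that only seeds a local dev server this is an understandable trade-off, but the permissiveness deserves a sentence in the commit description so the realm is not reused as a template; if the localhost entries stay, `"webOrigins": ["+"]` would keep CORS tied to them.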
@@ -1271,11 +1316,11 @@ }, "smtpServer": {}, "loginTheme": "keycloakify-starter", - "accountTheme": "keycloakify-starter", + "accountTheme": "", "adminTheme": "", "emailTheme": "", "eventsEnabled": false, - "eventsListeners": ["jboss-logging"], + "eventsListeners": ["keycloakify-logging", "jboss-logging"], "enabledEventTypes": [], "adminEventsEnabled": false, "adminEventsDetailsEnabled": false, @@ -1291,14 +1336,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", - "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", - "saml-role-list-mapper", - "oidc-usermodel-property-mapper" + "saml-role-list-mapper" ] } }, @@ -1347,14 +1392,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-usermodel-property-mapper", - "oidc-address-mapper", "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", "saml-user-property-mapper", - "saml-user-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", - "saml-role-list-mapper" + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper" ] } }, 
@@ -1394,6 +1439,12 @@ "providerId": "rsa-generated", "subComponents": {}, "config": { + "privateKey": [ + "MIIEpAIBAAKCAQEA+VQAcuaRivrzLVI8H/tt8PKbtRznTQKmmxOdLRR37leY/ph7sFnEmZt6K02Rvut7R0dxUFtTdiEHUKxhyM8CADMznGUjDYj/EXQzLfZ3LEwbwmR39zp+fZL/H24UDO03zt23Ov9C8Aly0ufXZ1Ic1c33KW6UtUEK/3M52pU8Y0daWdjx7nBj1eRlzWfVG+BYotTTWEnFJuEoZPFQMiXqeA5ob1zZdXjL5JDuGEiBsYjtiiaKbKL5545+FmEBnoCmWXqGu0qWxI2TzvV2dohxfl5KjNzRoKt40ydraiVk5rtBpoNDpeEApuphbokH5dJVwJ5cvWu1CSTnYPW2jXeG4wIDAQABAoIBAQDHV6AcPbhz8/xlafBkabQXBwHzJi7QZaQrLN1n44uX5jWOqP+LmdoULjjZUmWKzd98t+QjKUFrmzCsEYcE9G1XF5jWHA6Qjc3ReKRKxVm28wrmu0knQ39KizKrQGmLhEYwgRg0dU5heExzz6VrGD2xu8E3QRBocp6GauwAlXz4qcnTPHOl8OBPeDHAc0RUdaL5+jRLgKQzf9nnnKB19imBKP++zwrwFrkOZti2ZPs1I7j/ym27mHUbi8TDI2VepDX4QwjjC5a+v3vTsVAGE+1tUAZtqpxpIP9hiUkLH3ajyvp3typhnmZHklqsSZdwtRcK94WiMzL3TkiY70y8abMhAoGBAP8I4EQRXxcKfBn23eaRw8Cd4PFrOouz4zFbYLrBODsvXfku/jnQOMFD0If4IzT6y0FGgBd+t/yqnFJi98oZOKm3P8w+NZBXTbFLH8rgmsElXyS0+9LVMjVa7+UlqZB1eRZbUeLREp03Fsz1y2rflnoWgUnpDIlyhmJqGhCsJdebAoGBAPpFmJ9P42mUTeDWpCyCxgg0zpp6rlpAP8StqZkcvr7kYjhbWrJfJuxrTXtzTTA1zZ59L9EvEAxuug/gl9BkuZ11Uzg8ZLOr4gSuAJZlAORaxJlcoylmNMYIL1fP/K0dxhdO0eHZOpPVpBmGctgev2HBtWp9ZwzQ3DddKimZfNZZAoGAfNOOWSKbhT6HgXnYIHtl8YgUynUuYaR5ZfYQwTfDWwyTFVzP5+IndUjI71Qff1XlWBy2o0lNqmijPJveJlfz6PWdT01/kBd7GnTnqbgHZtPw3pmKzCW3fm/1DRZDCUbGLpAh4z9rufF1wnnnx3aKQ1VykId1sGySo+bEvTZVC1MCgYAlv6uWk/ksKpdYi2d14z+1aymieVClAj3cD4meM4y9xDrgXz8d2mZHkKO+NBT3aZYbCqzUs3GLPoRH8stTPm4UxuaHe+yAgTN1Gz2xcYih6OLwct2VV/oryH5Dk3Z8Mhp314amtxozxCydQP8/g9vABfS0HDgX4cTlgOLkJWeD+QKBgQDuRtsstQ4Q3yK44himPi1JQMMvbYAqyGgRxWH8G1Kr41DV2sQ4wt9CbYxeh6RwMsE+YYNMkTAw1kksUTugWdcDnYpcSVG7xHLJk8WMti0WTqI/7KlkoRehXXv18WJNEXaCr5mJTtJL9wuQcd8nhkEDrrCZubZiJzX9IDnEqZc4Mg==" + ], + "certificate": [ + "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" + ], "priority": ["100"] } }, 
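Review bot: The `privateKey` added under the `rsa-generated` component puts the realm's RSA signing key in the repository, and the hunks on the next line do the same for the `rsa-enc-generated` key pair and the `aes-generated` / `hmac-generated` `secret` values, with their `kid` values pinned as well. Every instance that imports this realm then signs and verifies tokens with key material anyone with read access to the repo can see, so such an instance will accept tokens minted outside it, and because the `kid` is fixed no rotation happens on import. The previous revision shipped these components with only `priority` (and `algorithm`) and let Keycloak generate the keys, which is the safer default if stable keys across restarts are not strictly required. If they are, the commit description should record that these are throw-away dev keys that must never be reused, and the realm should be marked as local-development only. The enclosing `components` entry starts outside the hunk.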
@@ -1403,6 +1454,12 @@ "providerId": "rsa-enc-generated", "subComponents": {}, "config": { + "privateKey": [ + "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" + ], + "certificate": [ + "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" + ], "priority": ["100"], "algorithm": ["RSA-OAEP"] } @@ -1413,6 +1470,8 @@ "providerId": "aes-generated", "subComponents": {}, "config": { + "kid": ["132fb843-59e9-4f36-ad55-5ce2d3a13fb3"], + "secret": ["ETyyqapnrkUsNXLQ-tBVKw"], "priority": ["100"] } }, @@ -1422,6 +1481,10 @@ "providerId": "hmac-generated", "subComponents": {}, "config": { + "kid": ["5110d380-c930-49d9-b91b-87f338f6170b"], + "secret": [ + "uCpQrJvP5OBuTxXfDb4JRL0bCKpXUgfGn5vb8UvL-Sfs_sZ9rtvBmd6vuFWARqyezjJQtpoNlMv7sXgxkN-yxQ" + ], "priority": ["100"], "algorithm": ["HS256"] } @@ -1454,7 +1517,7 @@ "defaultLocale": "en", "authenticationFlows": [ { - "id": "f7f2b89b-43cb-491d-8e7c-f1814024a6da", + "id": "223ce532-2038-4f24-a606-2a5c73f7bd65", "alias": "Account verification options", "description": "Method with which to verity the existing account", "providerId": "basic-flow", @@ -1480,7 +1543,7 @@ ] }, { - "id": "17cdac6f-d2a3-4907-8d44-a42827610b63", + "id": "57e47732-79cc-4d60-bee7-4f0b8fd44540", "alias": "Authentication Options", "description": "Authentication options.", "providerId": "basic-flow", @@ -1514,7 +1577,7 @@ ] }, { - "id": "53a3e43f-9468-401f-8051-40f982d12f85", + "id": "c2735d89-60c0-45a4-9b3c-ae5df17df395", "alias": "Browser - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1540,7 +1603,7 @@ ] }, { - "id": "26286808-3b7b-43df-b32e-af55a37af2e9", + "id": "11a5a507-2b9a-443f-961b-dffd66f4318d", "alias": "Direct Grant - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", 
@@ -1566,7 +1629,7 @@ ] }, { - "id": "8a6a752a-9a9a-4d38-b1f8-edf0a9433490", + "id": "963bd753-6ea7-4d93-ab56-30f9ab59d597", "alias": "First broker login - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1592,7 +1655,7 @@ ] }, { - "id": "a6f6804c-4160-4a84-8a1f-c2747a2d3f27", + "id": "1db6a489-a3b4-44c4-b480-1d1e8c123d20", "alias": "Handle Existing Account", "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId": "basic-flow", @@ -1618,7 +1681,7 @@ ] }, { - "id": "740baa9e-8328-4035-9e1a-8fc1616d1f0f", + "id": "7a38f32d-4f34-450f-8f03-64802d7cb8f1", "alias": "Reset - Conditional OTP", "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId": "basic-flow", @@ -1644,7 +1707,7 @@ ] }, { - "id": "e60187a8-3e16-4a0c-9daa-f3a4a1fcfdba", + "id": "0df88739-3739-4d70-8893-47c546f19003", "alias": "User creation or linking", "description": "Flow for the existing/non-existing user alternatives", "providerId": "basic-flow", @@ -1671,7 +1734,7 @@ ] }, { - "id": "d959d0c2-4004-4633-b280-f80d6423f574", + "id": "35025424-e291-4c54-8a29-70aadba549ce", "alias": "Verify Existing Account by Re-authentication", "description": "Reauthentication of existing account", "providerId": "basic-flow", @@ -1697,7 +1760,7 @@ ] }, { - "id": "ba02689d-b9e8-4a4b-8fdd-0d1386b198fc", + "id": "1813b7f2-c3c2-4b92-8ffc-9ff2d12186c6", "alias": "browser", "description": "browser based authentication", "providerId": "basic-flow", @@ -1739,7 +1802,7 @@ ] }, { - "id": "f09ac92a-e091-4e84-9cd1-cb905ca57b89", + "id": "954283ac-f1c2-40b6-a39f-bf23ff9f3ce8", "alias": "clients", "description": "Base authentication for clients", "providerId": "client-flow", 
@@ -1781,7 +1844,7 @@ ] }, { - "id": "aaf72b22-cec4-4714-93d6-f54d5a986ab8", + "id": "52a789ce-2cad-4f0f-93b2-295b7fd519f0", "alias": "direct grant", "description": "OpenID Connect Resource Owner Grant", "providerId": "basic-flow", @@ -1815,7 +1878,7 @@ ] }, { - "id": "c4a54bb3-f009-4231-a82b-376c2515e07e", + "id": "5a6a71e1-9105-45b6-b5f0-52538461357b", "alias": "docker auth", "description": "Used by Docker clients to authenticate against the IDP", "providerId": "basic-flow", @@ -1833,7 +1896,7 @@ ] }, { - "id": "f55ded54-683a-4f5a-a101-9cfbd7b96781", + "id": "8392b6e7-bdbf-4d7f-97b6-885761c200db", "alias": "first broker login", "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId": "basic-flow", @@ -1860,7 +1923,7 @@ ] }, { - "id": "931d5a82-378f-4533-8c69-2239a4acd047", + "id": "52136d70-8d08-42ea-b04b-cf40ea2807aa", "alias": "forms", "description": "Username, password, otp and other auth forms.", "providerId": "basic-flow", @@ -1886,7 +1949,7 @@ ] }, { - "id": "22b05374-f480-4ca8-aca8-9db8b6dd1729", + "id": "26bbc7e6-ef01-4cdb-9dba-520e2f3f8993", "alias": "http challenge", "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId": "basic-flow", @@ -1912,7 +1975,7 @@ ] }, { - "id": "c0371832-e4b7-485e-bf23-6babe4c6ac83", + "id": "f0887979-04eb-4033-8f19-0ffd8c8b7f6a", "alias": "registration", "description": "registration flow", "providerId": "basic-flow", @@ -1931,7 +1994,7 @@ ] }, { - "id": "4d0445da-073e-465e-b25b-af522915c73f", + "id": "a3b7b94b-bfbf-4760-a8c9-7d9cd98d262e", "alias": "registration form", "description": "registration form", "providerId": "form-flow", 
@@ -1973,7 +2036,7 @@ ] }, { - "id": "740d467f-4203-425b-8203-9bfd3eed25ae", + "id": "dc68a665-2e51-4a22-aaad-bd693ddc77cc", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", @@ -2015,7 +2078,7 @@ ] }, { - "id": "cf1a9af9-dadd-4cb9-a26e-fbbba216f8e1", + "id": "ae6b73aa-1318-4ae8-a3d9-d01b5e7d957e", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", @@ -2035,14 +2098,14 @@ ], "authenticatorConfig": [ { - "id": "4e65eb4b-9f0a-4ab8-98b2-6daf50cd1bf8", + "id": "0c18de7f-0714-41f4-9a3f-ed4edd53ae9c", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { - "id": "5e8dc1c5-1489-4d39-bb75-9c499583b91b", + "id": "65b3c8bb-34a4-4d19-b578-245dc8ff53ea", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" @@ -2132,8 +2195,8 @@ "attributes": { "cibaBackchannelTokenDeliveryMode": "poll", "cibaAuthRequestedUserHint": "login_hint", - "oauth2DevicePollingInterval": "5", "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", "clientSessionIdleTimeout": "0", "userProfileEnabled": "true", "clientOfflineSessionIdleTimeout": "0", diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-19.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-19.json index e71ef276..136f1321 100644 --- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-19.json +++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-19.json @@ -73,7 +73,7 @@ "composites": { "realm": ["offline_access", "uma_authorization"], "client": { - "account": ["delete-account", "view-profile", "manage-account"] + "account": ["view-profile", "manage-account", "delete-account"] } }, "clientRole": false, 
@@ -435,13 +435,46 @@ "type": "password", "userLabel": "My password", "createdDate": 1716214710762, - "secretData": "{\"value\":\"OaI4sKqQn+NZtS6N/bcqoZ8Q+ucpBby1n4XmzVmioKw=\",\"salt\":\"temixVCSbpA7Genml2KTAw==\",\"additionalParameters\":{}}", + "secretData": "{\"value\":\"QzJjOdXU0L9Pdxdx1V5xUs7BY9beGlmN8NpR2qiWxbkjrQ434Q1GwSiJKekZQ/zrLDtNZ7sAbVu+SS+XIe9Zaw==\",\"salt\":\"x8cABpa0Hk/nJ2BPKdFXTg==\",\"additionalParameters\":{}}", "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" } ], "disableableCredentialTypes": [], "requiredActions": [], "realmRoles": ["default-roles-myrealm"], + "clientRoles": { + "realm-management": [ + "create-client", + "view-identity-providers", + "manage-realm", + "query-groups", + "manage-clients", + "query-users", + "realm-admin", + "view-authorization", + "view-events", + "view-clients", + "view-realm", + "manage-events", + "query-realms", + "query-clients", + "manage-identity-providers", + "manage-users", + "view-users", + "impersonation", + "manage-authorization" + ], + "broker": ["read-token"], + "account": [ + "view-profile", + "manage-account-links", + "view-applications", + "manage-consent", + "delete-account", + "manage-account", + "view-consent" + ] + }, "notBefore": 0, "groups": [] } @@ -507,8 +540,12 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": ["/realms/myrealm/account/*"], - "webOrigins": [], + "redirectUris": [ + "http://localhost*", + "http://127.0.0.1*", + "/realms/myrealm/account/*" + ], + "webOrigins": ["*"], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -643,7 +680,6 @@ "attributes": { "oidc.ciba.grant.enabled": "false", "backchannel.logout.session.required": "true", - "login_theme": "keycloakify-starter", "post.logout.redirect.uris": "+", "display.on.consent.screen": "false", "oauth2.device.authorization.grant.enabled": "false", 
@@ -704,8 +740,12 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": ["/admin/myrealm/console/*"], - "webOrigins": ["+"], + "redirectUris": [ + "http://localhost*", + "http://127.0.0.1*", + "/admin/myrealm/console/*" + ], + "webOrigins": ["*"], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -1284,11 +1324,11 @@ }, "smtpServer": {}, "loginTheme": "keycloakify-starter", - "accountTheme": "keycloakify-starter", + "accountTheme": "", "adminTheme": "", "emailTheme": "", "eventsEnabled": false, - "eventsListeners": ["jboss-logging"], + "eventsListeners": ["keycloakify-logging", "jboss-logging"], "enabledEventTypes": [], "adminEventsEnabled": false, "adminEventsDetailsEnabled": false, @@ -1304,14 +1344,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-full-name-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-usermodel-property-mapper", - "oidc-address-mapper", "saml-user-property-mapper", - "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", - "saml-role-list-mapper" + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-address-mapper", + "saml-role-list-mapper", + "oidc-sha256-pairwise-sub-mapper" ] } }, @@ -1360,14 +1400,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "saml-user-property-mapper", - "saml-user-attribute-mapper", - "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", - "oidc-address-mapper", + "oidc-usermodel-property-mapper", "saml-role-list-mapper", - "oidc-usermodel-property-mapper" + "oidc-full-name-mapper", + "saml-user-property-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper" ] } }, 
@@ -1485,7 +1525,7 @@ "defaultLocale": "en", "authenticationFlows": [ { - "id": "e134634e-f219-4df4-867c-8110688d8e56", + "id": "1f4d4e13-1591-4751-8985-17886a8c98a9", "alias": "Account verification options", "description": "Method with which to verity the existing account", "providerId": "basic-flow", @@ -1511,7 +1551,7 @@ ] }, { - "id": "a611a8eb-9626-4aa4-8b54-ee565ea6e5dc", + "id": "126f07c3-1bcb-4a02-bf16-bb44674bf55d", "alias": "Authentication Options", "description": "Authentication options.", "providerId": "basic-flow", @@ -1545,7 +1585,7 @@ ] }, { - "id": "d87cbb31-5c69-45c8-888d-f9649ebbbf97", + "id": "eb3a08c8-5f99-49b6-b02b-16b62571f273", "alias": "Browser - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1571,7 +1611,7 @@ ] }, { - "id": "752ba282-a369-4592-92e8-b4287192dbbf", + "id": "3dc19838-5025-4bbb-b569-b574bd5a8d90", "alias": "Direct Grant - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1597,7 +1637,7 @@ ] }, { - "id": "2349282e-40ff-431a-984d-53911511e3d3", + "id": "70d6fd40-d740-4dae-b0e6-350f8e9d4a1c", "alias": "First broker login - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1623,7 +1663,7 @@ ] }, { - "id": "4ff5463d-26d9-4219-ba85-41464401098f", + "id": "6e24dcb3-5818-483c-8e44-883858171901", "alias": "Handle Existing Account", "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId": "basic-flow", @@ -1649,7 +1689,7 @@ ] }, { - "id": "87bb6c6d-cca8-4832-b5ab-67ecb9454a42", + "id": "ac6254cd-403b-457b-b308-22a2a0e4f99d", "alias": "Reset - Conditional OTP", "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId": "basic-flow", 
@@ -1675,7 +1715,7 @@ ] }, { - "id": "1fc3d028-0e0a-43a4-aaf9-ba7f7d60b409", + "id": "485e74e6-9b3e-4b2c-a9b9-927802dc4f06", "alias": "User creation or linking", "description": "Flow for the existing/non-existing user alternatives", "providerId": "basic-flow", @@ -1702,7 +1742,7 @@ ] }, { - "id": "036aae59-641f-4799-9124-c7e5034af6c1", + "id": "ff9bb879-1d6a-4d1c-9836-1e4fab6f8997", "alias": "Verify Existing Account by Re-authentication", "description": "Reauthentication of existing account", "providerId": "basic-flow", @@ -1728,7 +1768,7 @@ ] }, { - "id": "2e8b9f28-93b8-4368-84b0-1a8326daafe0", + "id": "af8b2470-d581-401c-9984-762b966ebcc2", "alias": "browser", "description": "browser based authentication", "providerId": "basic-flow", @@ -1770,7 +1810,7 @@ ] }, { - "id": "0b826105-8493-45ce-87b3-7d917d190b39", + "id": "414dbda4-eb3f-4baa-b23a-d3423af1eae6", "alias": "clients", "description": "Base authentication for clients", "providerId": "client-flow", @@ -1812,7 +1852,7 @@ ] }, { - "id": "bf6d9edd-48d8-4392-bbc8-4b17a6866074", + "id": "1cae0c4b-8dfb-4f5d-a781-e74d0a13c940", "alias": "direct grant", "description": "OpenID Connect Resource Owner Grant", "providerId": "basic-flow", @@ -1846,7 +1886,7 @@ ] }, { - "id": "97e31722-dd11-42be-aa99-88788fa2dde6", + "id": "e798b655-7d85-4b6b-aee7-1448a3e1e0ea", "alias": "docker auth", "description": "Used by Docker clients to authenticate against the IDP", "providerId": "basic-flow", @@ -1864,7 +1904,7 @@ ] }, { - "id": "3f45cf34-231f-4ea1-8e58-d636c451a76b", + "id": "eb94b723-1041-426a-87bf-f7b4bd2f485d", "alias": "first broker login", "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId": "basic-flow", 
@@ -1891,7 +1931,7 @@ ] }, { - "id": "9bef2f7c-f989-4871-aaa7-18e2cfa73f22", + "id": "452d1d5f-7632-44d7-bc89-77ff2b209b3e", "alias": "forms", "description": "Username, password, otp and other auth forms.", "providerId": "basic-flow", @@ -1917,7 +1957,7 @@ ] }, { - "id": "0bfaa325-acde-4443-8bd8-1dc2ae759c5f", + "id": "7c1b9e8f-6b57-49d1-a9a7-494862f93c0f", "alias": "http challenge", "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId": "basic-flow", @@ -1943,7 +1983,7 @@ ] }, { - "id": "37ddbe8c-abf3-4654-bd6d-ffabbeefbb98", + "id": "2b38f34a-1739-499e-bb24-1dff96f32009", "alias": "registration", "description": "registration flow", "providerId": "basic-flow", @@ -1962,7 +2002,7 @@ ] }, { - "id": "5d7b4bc9-e93b-40da-aeb6-ba0c38392f1a", + "id": "d26ae72b-a933-44dc-9927-1c82757004b2", "alias": "registration form", "description": "registration form", "providerId": "form-flow", @@ -2004,7 +2044,7 @@ ] }, { - "id": "ee7a56e4-c827-4f24-8b8b-8476050b0b64", + "id": "222ee8d6-1892-4768-9ada-720274b6bf9a", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", @@ -2046,7 +2086,7 @@ ] }, { - "id": "360f0031-4c3b-4272-84ca-2172d430b4bc", + "id": "e8b4d92c-27c1-4a9b-9b16-7ceb810fa230", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", @@ -2066,14 +2106,14 @@ ], "authenticatorConfig": [ { - "id": "53630acd-a33a-40e3-8786-cf85464c6f9e", + "id": "e5847a0b-855d-4d93-85fd-94714be3ed92", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { - "id": "c0d2b6a0-caad-4e90-b040-17cacdaf70bb", + "id": "a2a18aa4-bd4c-4c2a-9286-e9d6c64f4812", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" 
diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-20.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-20.json index 56d0c4c7..c30db8f6 100644 --- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-20.json +++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-20.json @@ -73,7 +73,7 @@ "composites": { "realm": ["offline_access", "uma_authorization"], "client": { - "account": ["delete-account", "view-profile", "manage-account"] + "account": ["view-profile", "manage-account", "delete-account"] } }, "clientRole": false, @@ -407,7 +407,7 @@ "otpPolicyLookAheadWindow": 1, "otpPolicyPeriod": 30, "otpPolicyCodeReusable": false, - "otpSupportedApplications": ["totpAppGoogleName", "totpAppFreeOTPName"], + "otpSupportedApplications": ["totpAppFreeOTPName", "totpAppGoogleName"], "webAuthnPolicyRpEntityName": "keycloak", "webAuthnPolicySignatureAlgorithms": ["ES256"], "webAuthnPolicyRpId": "", @@ -452,6 +452,40 @@ "disableableCredentialTypes": [], "requiredActions": [], "realmRoles": ["default-roles-myrealm"], + "clientRoles": { + "realm-management": [ + "create-client", + "view-identity-providers", + "manage-realm", + "query-groups", + "manage-clients", + "query-users", + "realm-admin", + "view-authorization", + "view-events", + "view-clients", + "view-realm", + "manage-events", + "query-realms", + "query-clients", + "manage-identity-providers", + "manage-users", + "view-users", + "impersonation", + "manage-authorization" + ], + "broker": ["read-token"], + "account": [ + "view-profile", + "manage-account-links", + "view-applications", + "manage-consent", + "delete-account", + "manage-account", + "view-groups", + "view-consent" + ] + }, "notBefore": 0, "groups": [] } 
@@ -517,8 +551,12 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": ["/realms/myrealm/account/*"], - "webOrigins": [], + "redirectUris": [ + "http://localhost*", + "http://127.0.0.1*", + "/realms/myrealm/account/*" + ], + "webOrigins": ["*"], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -653,7 +691,6 @@ "attributes": { "oidc.ciba.grant.enabled": "false", "backchannel.logout.session.required": "true", - "login_theme": "keycloakify-starter", "post.logout.redirect.uris": "+", "display.on.consent.screen": "false", "oauth2.device.authorization.grant.enabled": "false", @@ -714,8 +751,12 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": ["/admin/myrealm/console/*"], - "webOrigins": ["+"], + "redirectUris": [ + "http://localhost*", + "http://127.0.0.1*", + "/admin/myrealm/console/*" + ], + "webOrigins": ["*"], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -1294,11 +1335,11 @@ }, "smtpServer": {}, "loginTheme": "keycloakify-starter", - "accountTheme": "keycloakify-starter", + "accountTheme": "", "adminTheme": "", "emailTheme": "", "eventsEnabled": false, - "eventsListeners": ["jboss-logging"], + "eventsListeners": ["keycloakify-logging", "jboss-logging"], "enabledEventTypes": [], "adminEventsEnabled": false, "adminEventsDetailsEnabled": false, @@ -1314,14 +1355,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "saml-user-property-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-usermodel-attribute-mapper", - "saml-user-attribute-mapper", "oidc-address-mapper", - "saml-role-list-mapper", "oidc-full-name-mapper", - "oidc-usermodel-property-mapper" + "saml-role-list-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper", + "saml-user-attribute-mapper" ] } }, 
@@ -1370,14 +1411,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-sha256-pairwise-sub-mapper", - "oidc-address-mapper", - "saml-role-list-mapper", "saml-user-attribute-mapper", - "oidc-usermodel-attribute-mapper", + "saml-role-list-mapper", + "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", "saml-user-property-mapper", - "oidc-usermodel-property-mapper" + "oidc-usermodel-attribute-mapper" ] } }, @@ -1495,7 +1536,7 @@ "defaultLocale": "en", "authenticationFlows": [ { - "id": "19317acb-fe8e-4c79-82bc-90e159273075", + "id": "c40791b4-4d59-4df2-bebd-2b71e793704f", "alias": "Account verification options", "description": "Method with which to verity the existing account", "providerId": "basic-flow", @@ -1521,7 +1562,7 @@ ] }, { - "id": "122857d2-33da-4086-8acb-cb0e303aaf1b", + "id": "8813b6d1-8b88-4672-b29b-8420ce3f3975", "alias": "Authentication Options", "description": "Authentication options.", "providerId": "basic-flow", @@ -1555,7 +1596,7 @@ ] }, { - "id": "abf5dd35-4791-4268-a10c-5f4b6a06b84a", + "id": "a9937c40-a1ee-4c57-adf7-ede0a9983953", "alias": "Browser - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1581,7 +1622,7 @@ ] }, { - "id": "a18daeec-a33c-4a43-b014-10c84ec69b81", + "id": "2d494b5a-eb73-40d0-94d3-a8d8024a7db4", "alias": "Direct Grant - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1607,7 +1648,7 @@ ] }, { - "id": "e9f032a7-32f7-457c-becf-011a1a35cc6a", + "id": "2e977f5a-8110-412b-b704-3e15164dbb1b", "alias": "First broker login - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", 
@@ -1633,7 +1674,7 @@ ] }, { - "id": "9db65b7c-98ca-4003-beea-611038831ffe", + "id": "6f171b4b-8723-4e6d-bb1e-6b4293a7bb3f", "alias": "Handle Existing Account", "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId": "basic-flow", @@ -1659,7 +1700,7 @@ ] }, { - "id": "7bd0854c-d7ae-43d7-a1ae-7b759a34cb1d", + "id": "2dbb7f27-757d-4178-8217-4a24fdb0163c", "alias": "Reset - Conditional OTP", "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId": "basic-flow", @@ -1685,7 +1726,7 @@ ] }, { - "id": "2de1a450-fe98-443a-9c6c-d24d8a7ebcb3", + "id": "7295aaf7-acf4-4b78-8186-d2415ea4ede0", "alias": "User creation or linking", "description": "Flow for the existing/non-existing user alternatives", "providerId": "basic-flow", @@ -1712,7 +1753,7 @@ ] }, { - "id": "7b3efad5-4b7d-4385-a41c-fecc73afdcc4", + "id": "e0d34d7c-7bbb-4847-8864-fbd97a1f3e89", "alias": "Verify Existing Account by Re-authentication", "description": "Reauthentication of existing account", "providerId": "basic-flow", @@ -1738,7 +1779,7 @@ ] }, { - "id": "de93418e-8f28-4099-b15e-ad36ec194796", + "id": "5f3d0fb0-d95e-4841-89d3-a27d0cdbbcb4", "alias": "browser", "description": "browser based authentication", "providerId": "basic-flow", @@ -1780,7 +1821,7 @@ ] }, { - "id": "0dd3345c-6e82-4c3a-a39a-d49ae1f5c409", + "id": "c246380d-af25-4151-ab19-1f1e5b553008", "alias": "clients", "description": "Base authentication for clients", "providerId": "client-flow", @@ -1822,7 +1863,7 @@ ] }, { - "id": "87fb4dd0-5326-47a1-b670-982f4872ff89", + "id": "abacf398-0f1f-4f28-a310-8d306d588048", "alias": "direct grant", "description": "OpenID Connect Resource Owner Grant", "providerId": "basic-flow", 
@@ -1856,7 +1897,7 @@ ] }, { - "id": "344723b3-4ab1-4999-abdd-32398e82327b", + "id": "a0f87683-619a-44d4-8b4f-4b053bba2346", "alias": "docker auth", "description": "Used by Docker clients to authenticate against the IDP", "providerId": "basic-flow", @@ -1874,7 +1915,7 @@ ] }, { - "id": "f3341938-caf9-4c8a-9cd5-eb34609809ab", + "id": "e8820c7c-22a7-4618-beb7-3e09be72c00c", "alias": "first broker login", "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId": "basic-flow", @@ -1901,7 +1942,7 @@ ] }, { - "id": "ba7b7357-e324-4b71-9bda-f8512a760e02", + "id": "cac00c38-ee44-44c9-b95e-cc755bab36ef", "alias": "forms", "description": "Username, password, otp and other auth forms.", "providerId": "basic-flow", @@ -1927,7 +1968,7 @@ ] }, { - "id": "134971e6-bf63-432c-806e-74ca4fb09963", + "id": "688cde36-507e-4a68-afdf-18ec4ad626a7", "alias": "http challenge", "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId": "basic-flow", @@ -1953,7 +1994,7 @@ ] }, { - "id": "6ea9e2cf-5684-4c65-8c07-930d1cbb0b46", + "id": "e058697c-f450-4f14-ae64-04e9299fa24f", "alias": "registration", "description": "registration flow", "providerId": "basic-flow", @@ -1972,7 +2013,7 @@ ] }, { - "id": "67e3c8c7-1b5e-4119-84a2-e90876293150", + "id": "ad768088-32c9-4979-90dd-61bf111fd72e", "alias": "registration form", "description": "registration form", "providerId": "form-flow", @@ -2014,7 +2055,7 @@ ] }, { - "id": "fc6d48ec-a1f1-41b1-9310-54f58861d5aa", + "id": "47d4b090-f965-4588-b5bc-029ccb59876f", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", 
@@ -2056,7 +2097,7 @@ ] }, { - "id": "80b1d464-c2ec-4eb1-82e8-32cbede779a8", + "id": "1f68feec-7f99-4c49-afe6-45d46684ca21", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", @@ -2076,14 +2117,14 @@ ], "authenticatorConfig": [ { - "id": "86b1d5fa-450c-40d8-899c-725861ac39fc", + "id": "bd7365c7-842b-4bc6-a4ca-498cf025c210", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { - "id": "ea724f02-029a-493d-b4d3-08972be21cfb", + "id": "b929192d-f650-4a09-9701-3d3216547552", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-21.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-21.json index adfc1e78..a4e9f84b 100644 --- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-21.json +++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-21.json @@ -73,7 +73,7 @@ "composites": { "realm": ["offline_access", "uma_authorization"], "client": { - "account": ["delete-account", "view-profile", "manage-account"] + "account": ["view-profile", "manage-account", "delete-account"] } }, "clientRole": false, 
@@ -456,6 +456,40 @@
 "disableableCredentialTypes": [],
 "requiredActions": [],
 "realmRoles": ["default-roles-myrealm"],
+ "clientRoles": {
+ "realm-management": [
+ "create-client",
+ "view-identity-providers",
+ "manage-realm",
+ "query-groups",
+ "manage-clients",
+ "query-users",
+ "realm-admin",
+ "view-authorization",
+ "view-events",
+ "view-clients",
+ "view-realm",
+ "manage-events",
+ "query-realms",
+ "query-clients",
+ "manage-identity-providers",
+ "manage-users",
+ "view-users",
+ "impersonation",
+ "manage-authorization"
+ ],
+ "broker": ["read-token"],
+ "account": [
+ "view-profile",
+ "manage-account-links",
+ "view-applications",
+ "manage-consent",
+ "delete-account",
+ "manage-account",
+ "view-groups",
+ "view-consent"
+ ]
+ },
 "notBefore": 0,
 "groups": []
 }
@@ -521,8 +555,12 @@
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "redirectUris": ["/realms/myrealm/account/*"],
- "webOrigins": [],
+ "redirectUris": [
+ "http://localhost*",
+ "http://127.0.0.1*",
+ "/realms/myrealm/account/*"
+ ],
+ "webOrigins": ["*"],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
@@ -657,7 +695,6 @@
 "attributes": {
 "oidc.ciba.grant.enabled": "false",
 "backchannel.logout.session.required": "true",
- "login_theme": "keycloakify-starter",
 "post.logout.redirect.uris": "+",
 "display.on.consent.screen": "false",
 "oauth2.device.authorization.grant.enabled": "false",
@@ -718,8 +755,12 @@
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "redirectUris": ["/admin/myrealm/console/*"],
- "webOrigins": ["+"],
+ "redirectUris": [
+ "http://localhost*",
+ "http://127.0.0.1*",
+ "/admin/myrealm/console/*"
+ ],
+ "webOrigins": ["*"],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
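Review bot: The seeded user in this hunk receives every `realm-management` client role, including `realm-admin` and `impersonation`, so the local test account becomes a full realm administrator rather than an ordinary end user; the same grant is added to realm-kc-23.json at `@@ -459,6 +459,40 @@`. That is presumably intended so the test user can sign in to the admin console while `start-keycloak` runs, but nothing in the realm file says so, and realm JSON cannot carry a comment. It would be worth stating in the start-keycloak README or in the command's console output that the default realm's test user is a realm administrator and that these fixtures are not a template for a deployed realm.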
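Review bot: `"webOrigins": ["*"]` on the account-console client permits CORS from any origin, and the same value is set on the security-admin-console client in this file (`@@ -718,8 +755,12 @@`, where it replaces the previous `["+"]`) and in realm-kc-23.json (`@@ -532,8 +565,12 @@` and `@@ -725,8 +765,12 @@`). Keycloak's `"+"` only admits the exact origins of the valid redirect URIs and does not expand the trailing `*` of `http://localhost*`, so the wildcard is presumably needed to let a theme dev server on an arbitrary loopback port call these clients; if the port is known when the realm is imported, listing that one origin (for example `http://localhost:<dev-server-port>`, a placeholder) would keep the allow-list closed. Either way, this realm is imported by `start-keycloak` as a local development fixture, and the README or the command's output should say that these client settings (any-origin CORS, loopback redirect URIs) are not meant to be carried into a deployed realm.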
@@ -1298,11 +1339,11 @@ }, "smtpServer": {}, "loginTheme": "keycloakify-starter", - "accountTheme": "keycloakify-starter", + "accountTheme": "", "adminTheme": "", "emailTheme": "", "eventsEnabled": false, - "eventsListeners": ["jboss-logging"], + "eventsListeners": ["keycloakify-logging", "jboss-logging"], "enabledEventTypes": [], "adminEventsEnabled": false, "adminEventsDetailsEnabled": false, @@ -1318,13 +1359,13 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-usermodel-property-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", - "saml-user-property-mapper", - "saml-role-list-mapper", - "saml-user-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", "oidc-address-mapper" ] } @@ -1374,14 +1415,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", - "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", - "saml-user-attribute-mapper", + "oidc-full-name-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-property-mapper", "saml-role-list-mapper", - "saml-user-property-mapper" + "saml-user-attribute-mapper" ] } }, diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-23.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-23.json index 6b498de1..8e720d31 100644 --- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-23.json +++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-23.json @@ -55,7 +55,7 @@ "composites": { "realm": ["offline_access", "uma_authorization"], "client": { - "account": ["delete-account", "view-profile", "manage-account"] + "account": ["view-profile", "delete-account", "manage-account"] } }, "clientRole": false, 
@@ -459,6 +459,40 @@
 "disableableCredentialTypes": [],
 "requiredActions": [],
 "realmRoles": ["default-roles-myrealm"],
+ "clientRoles": {
+ "realm-management": [
+ "query-clients",
+ "manage-identity-providers",
+ "create-client",
+ "view-users",
+ "query-groups",
+ "view-realm",
+ "manage-authorization",
+ "view-authorization",
+ "query-users",
+ "impersonation",
+ "realm-admin",
+ "manage-users",
+ "view-identity-providers",
+ "manage-realm",
+ "manage-clients",
+ "query-realms",
+ "view-events",
+ "manage-events",
+ "view-clients"
+ ],
+ "broker": ["read-token"],
+ "account": [
+ "manage-account",
+ "view-consent",
+ "view-groups",
+ "delete-account",
+ "view-applications",
+ "manage-account-links",
+ "view-profile",
+ "manage-consent"
+ ]
+ },
 "notBefore": 0,
 "groups": []
 }
@@ -505,7 +539,6 @@
 "attributes": {
 "oidc.ciba.grant.enabled": "false",
 "backchannel.logout.session.required": "true",
- "login_theme": "keycloakify-starter",
 "post.logout.redirect.uris": "+",
 "oauth2.device.authorization.grant.enabled": "false",
 "display.on.consent.screen": "false",
@@ -532,8 +565,12 @@
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "redirectUris": ["/realms/myrealm/account/*"],
- "webOrigins": [],
+ "redirectUris": [
+ "http://localhost*",
+ "http://127.0.0.1*",
+ "/realms/myrealm/account/*"
+ ],
+ "webOrigins": ["*"],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
@@ -649,7 +686,11 @@
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "redirectUris": ["https://my-theme.keycloakify.dev/*", "http://localhost*"],
+ "redirectUris": [
+ "https://my-theme.keycloakify.dev/*",
+ "http://localhost*",
+ "http://127.0.0.1*"
+ ],
 "webOrigins": ["*"],
 "notBefore": 0,
 "bearerOnly": false,
@@ -664,8 +705,7 @@
 "attributes": {
 "oidc.ciba.grant.enabled": "false",
 "backchannel.logout.session.required": "true",
- "login_theme": "keycloakify-starter",
- "post.logout.redirect.uris": "https://my-theme.keycloakify.dev/*",
+ "post.logout.redirect.uris": "+",
 "oauth2.device.authorization.grant.enabled": "false",
 "display.on.consent.screen": "false",
 "backchannel.logout.revoke.offline.tokens": "false"
@@ -725,8 +765,12 @@
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "redirectUris": ["/admin/myrealm/console/*"],
- "webOrigins": ["+"],
+ "redirectUris": [
+ "http://localhost*",
+ "http://127.0.0.1*",
+ "/admin/myrealm/console/*"
+ ],
+ "webOrigins": ["*"],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
@@ -1336,12 +1380,12 @@
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
 "smtpServer": {},
- "loginTheme": "",
- "accountTheme": "keycloakify-starter",
+ "loginTheme": "keycloakify-starter",
+ "accountTheme": "",
 "adminTheme": "",
 "emailTheme": "",
 "eventsEnabled": false,
- "eventsListeners": ["jboss-logging"],
+ "eventsListeners": ["keycloakify-logging", "jboss-logging"],
 "enabledEventTypes": [],
 "adminEventsEnabled": false,
 "adminEventsDetailsEnabled": false,
@@ -1357,13 +1401,13 @@
 "subComponents": {},
 "config": {
 "allowed-protocol-mapper-types": [
- "oidc-sha256-pairwise-sub-mapper",
- "saml-user-property-mapper",
- "oidc-address-mapper",
- "oidc-full-name-mapper",
 "saml-role-list-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
 "oidc-usermodel-attribute-mapper",
 "saml-user-attribute-mapper",
+ "oidc-full-name-mapper",
+ "oidc-address-mapper",
+ "saml-user-property-mapper",
 "oidc-usermodel-property-mapper"
 ]
 }
@@ -1433,13 +1477,13 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "saml-role-list-mapper", - "oidc-full-name-mapper", - "oidc-address-mapper", "saml-user-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", + "oidc-address-mapper", "saml-user-property-mapper", + "oidc-full-name-mapper", + "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper" ] } diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-24.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-24.json index 9b1de90a..73793582 100644 --- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-24.json +++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-24.json @@ -1496,7 +1496,7 @@ }, "smtpServer": {}, "loginTheme": "keycloakify-starter", - "accountTheme": "keycloakify-starter", + "accountTheme": "", "adminTheme": "", "emailTheme": "", "eventsEnabled": false, diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-25.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-25.json index 9a4e83be..969f3bc9 100644 --- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-25.json +++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-25.json @@ -1588,7 +1588,7 @@ }, "smtpServer": {}, "loginTheme": "keycloakify-starter", - "accountTheme": "keycloakify-starter", + "accountTheme": "", "adminTheme": "", "emailTheme": "", "eventsEnabled": false, diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json index 10ca6d51..1ae0dcd7 100644 --- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json +++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json 
@@ -1614,99 +1614,7 @@
 "emailTheme": "",
 "eventsEnabled": false,
 "eventsListeners": ["keycloakify-logging", "jboss-logging"],
- "enabledEventTypes": [
- "SEND_RESET_PASSWORD",
- "UPDATE_CONSENT_ERROR",
- "GRANT_CONSENT",
- "VERIFY_PROFILE_ERROR",
- "REMOVE_TOTP",
- "REVOKE_GRANT",
- "UPDATE_TOTP",
- "LOGIN_ERROR",
- "CLIENT_LOGIN",
- "RESET_PASSWORD_ERROR",
- "UPDATE_CREDENTIAL",
- "IMPERSONATE_ERROR",
- "CODE_TO_TOKEN_ERROR",
- "CUSTOM_REQUIRED_ACTION",
- "OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR",
- "RESTART_AUTHENTICATION",
- "IMPERSONATE",
- "UPDATE_PROFILE_ERROR",
- "LOGIN",
- "OAUTH2_DEVICE_VERIFY_USER_CODE",
- "UPDATE_PASSWORD_ERROR",
- "CLIENT_INITIATED_ACCOUNT_LINKING",
- "OAUTH2_EXTENSION_GRANT",
- "USER_DISABLED_BY_PERMANENT_LOCKOUT",
- "REMOVE_CREDENTIAL_ERROR",
- "TOKEN_EXCHANGE",
- "AUTHREQID_TO_TOKEN",
- "LOGOUT",
- "REGISTER",
- "DELETE_ACCOUNT_ERROR",
- "CLIENT_REGISTER",
- "IDENTITY_PROVIDER_LINK_ACCOUNT",
- "USER_DISABLED_BY_TEMPORARY_LOCKOUT",
- "DELETE_ACCOUNT",
- "UPDATE_PASSWORD",
- "CLIENT_DELETE",
- "FEDERATED_IDENTITY_LINK_ERROR",
- "IDENTITY_PROVIDER_FIRST_LOGIN",
- "CLIENT_DELETE_ERROR",
- "VERIFY_EMAIL",
- "CLIENT_LOGIN_ERROR",
- "RESTART_AUTHENTICATION_ERROR",
- "EXECUTE_ACTIONS",
- "REMOVE_FEDERATED_IDENTITY_ERROR",
- "TOKEN_EXCHANGE_ERROR",
- "PERMISSION_TOKEN",
- "FEDERATED_IDENTITY_OVERRIDE_LINK",
- "SEND_IDENTITY_PROVIDER_LINK_ERROR",
- "UPDATE_CREDENTIAL_ERROR",
- "EXECUTE_ACTION_TOKEN_ERROR",
- "OAUTH2_EXTENSION_GRANT_ERROR",
- "SEND_VERIFY_EMAIL",
- "OAUTH2_DEVICE_AUTH",
- "EXECUTE_ACTIONS_ERROR",
- "REMOVE_FEDERATED_IDENTITY",
- "OAUTH2_DEVICE_CODE_TO_TOKEN",
- "IDENTITY_PROVIDER_POST_LOGIN",
- "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR",
- "FEDERATED_IDENTITY_OVERRIDE_LINK_ERROR",
- "OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR",
- "UPDATE_EMAIL",
- "REGISTER_ERROR",
- "REVOKE_GRANT_ERROR",
- "EXECUTE_ACTION_TOKEN",
- "LOGOUT_ERROR",
- "UPDATE_EMAIL_ERROR",
- "CLIENT_UPDATE_ERROR",
- "AUTHREQID_TO_TOKEN_ERROR",
- "INVITE_ORG_ERROR",
- "UPDATE_PROFILE",
- "CLIENT_REGISTER_ERROR",
- "FEDERATED_IDENTITY_LINK",
- "INVITE_ORG",
- "SEND_IDENTITY_PROVIDER_LINK",
- "SEND_VERIFY_EMAIL_ERROR",
- "RESET_PASSWORD",
- "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR",
- "OAUTH2_DEVICE_AUTH_ERROR",
- "REMOVE_CREDENTIAL",
- "UPDATE_CONSENT",
- "REMOVE_TOTP_ERROR",
- "VERIFY_EMAIL_ERROR",
- "SEND_RESET_PASSWORD_ERROR",
- "CLIENT_UPDATE",
- "CUSTOM_REQUIRED_ACTION_ERROR",
- "IDENTITY_PROVIDER_POST_LOGIN_ERROR",
- "UPDATE_TOTP_ERROR",
- "CODE_TO_TOKEN",
- "VERIFY_PROFILE",
- "GRANT_CONSENT_ERROR",
- "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR"
- ],
+ "enabledEventTypes": [],
 "adminEventsEnabled": false,
 "adminEventsDetailsEnabled": false,
 "identityProviders": [],
diff --git a/src/bin/start-keycloak/start-keycloak.ts b/src/bin/start-keycloak/start-keycloak.ts
index 5794e74f..a4b88a58 100644
--- a/src/bin/start-keycloak/start-keycloak.ts
+++ b/src/bin/start-keycloak/start-keycloak.ts
@@ -253,13 +253,22 @@ export async function command(params: {
 assert(jarFilePath !== undefined);
 
 const extensionJarFilePaths = [
- pathJoin(
- getThisCodebaseRootDirPath(),
- "src",
- "bin",
- "start-keycloak",
- KEYCLOAKIFY_LOGIN_JAR_BASENAME
- ),
+ ...(keycloakMajorVersionNumber <= 20
+ ? (console.log(
+ chalk.yellow(
+ "WARNING: With older version of keycloak your changes to the realm configuration are not persisted"
+ )
+ ),
+ [])
+ : [
+ pathJoin(
+ getThisCodebaseRootDirPath(),
+ "src",
+ "bin",
+ "start-keycloak",
+ KEYCLOAKIFY_LOGIN_JAR_BASENAME
+ )
+ ]),
 ...(await Promise.all(
 buildContext.startKeycloakOptions.extensionJars.map(async extensionJar => {
 switch (extensionJar.type) {