diff --git a/infrastructure/shared/docker-compose-tmp-keycloak.yml b/infrastructure/shared/docker-compose-tmp-keycloak.yml
index 8ac65e41d3..6b479e9120 100644
--- a/infrastructure/shared/docker-compose-tmp-keycloak.yml
+++ b/infrastructure/shared/docker-compose-tmp-keycloak.yml
@@ -156,8 +156,8 @@ services:
 KEYCLOAK_ADMIN_PASSWORD: admin
 KEYCLOAK_DATABASE_VENDOR: dev-mem
 KEYCLOAK_EXTRA_ARGS: --import-realm
+ KEYCLOAK_EXTRA_ARGS_PREPENDED: --verbose
 volumes:
- # - ./keycloak/init-script.sh:/docker-entrypoint-initdb.d/init-script.sh
 - ./keycloak/manage-realm.json:/opt/bitnami/keycloak/data/import/manage-realm.json
 volumes:
diff --git a/infrastructure/shared/keycloak/manage-realm.json b/infrastructure/shared/keycloak/manage-realm.json
index 7a2b5714ff..d187bb3e52 100644
--- a/infrastructure/shared/keycloak/manage-realm.json
+++ b/infrastructure/shared/keycloak/manage-realm.json
@@ -110,22 +110,22 @@
 "client": {
 "realm-management": [
 "query-clients",
- "query-realms",
 "view-events",
+ "query-realms",
 "create-client",
 "view-identity-providers",
 "manage-users",
 "manage-realm",
- "impersonation",
 "manage-identity-providers",
+ "impersonation",
 "view-realm",
- "manage-authorization",
 "query-groups",
+ "manage-authorization",
 "manage-events",
 "view-clients",
 "view-authorization",
- "manage-clients",
 "query-users",
+ "manage-clients",
 "view-users"
 ]
 }
@@ -301,6 +301,16 @@
 "security-admin-console": [],
 "admin-cli": [],
 "manage-frontend": [],
+ "prism-agent": [
+ {
+ "id": "e8e1b3d7-9284-4936-b4ce-3833f00a1f46",
+ "name": "uma_protection",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5b7289d4-0e9f-4048-afa6-d952a8345843",
+ "attributes": {}
+ }
+ ],
 "account-console": [],
 "broker": [
 {
@@ -418,8 +428,8 @@
 "otpPolicyPeriod": 30,
 "otpPolicyCodeReusable": false,
 "otpSupportedApplications": [
- "totpAppMicrosoftAuthenticatorName",
 "totpAppGoogleName",
+ "totpAppMicrosoftAuthenticatorName",
 "totpAppFreeOTPName"
 ],
 "webAuthnPolicyRpEntityName": "keycloak",
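Review bot: The new `KEYCLOAK_EXTRA_ARGS_PREPENDED: --verbose` line carries no comment explaining why verbose startup logging is wanted in this temporary compose file, so a later reader cannot tell whether it is safe to drop. Verbose output is noisier and, depending on what Keycloak logs at that level (not visible here), may leave request details in shared container logs longer than intended. Suggest a comment on the line: `# --verbose: troubleshooting the --import-realm step; remove once the realm import is stable`.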
@@ -442,6 +452,25 @@
 "webAuthnPolicyPasswordlessCreateTimeout": 0,
 "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
 "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+ "users": [
+ {
+ "id": "592c7f9a-427e-4e17-a552-460b25ee39c1",
+ "createdTimestamp": 1696250936139,
+ "username": "service-account-prism-agent",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": false,
+ "serviceAccountClientId": "prism-agent",
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": ["default-roles-manage"],
+ "clientRoles": {
+ "prism-agent": ["uma_protection"]
+ },
+ "notBefore": 0,
+ "groups": []
+ }
+ ],
 "scopeMappings": [
 {
 "clientScope": "offline_access",
@@ -731,6 +760,100 @@
 "microprofile-jwt"
 ]
 },
+ {
+ "id": "5b7289d4-0e9f-4048-afa6-d952a8345843",
+ "clientId": "prism-agent",
+ "name": "",
+ "description": "",
+ "rootUrl": "",
+ "adminUrl": "",
+ "baseUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": ["/*"],
+ "webOrigins": ["/*"],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "authorizationServicesEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": true,
+ "protocol": "openid-connect",
+ "attributes": {
+ "oidc.ciba.grant.enabled": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "client.secret.creation.time": "1696250936",
+ "backchannel.logout.session.required": "true",
+ "backchannel.logout.revoke.offline.tokens": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [
+ {
+ "id": "2be46b2c-0fff-4408-82c5-32124f75da51",
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "client_id",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "client_id",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "98ac64f2-e0bf-48ea-8dba-4d98e6d428c5",
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "11e191b0-9c9e-4a03-917f-b15c8a778f04",
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
 {
 "id": "60a61ba1-3a8b-4d8b-a7c0-59555b5cc67e",
 "clientId": "realm-management",
@@ -1482,14 +1605,14 @@
 "subComponents": {},
 "config": {
 "allowed-protocol-mapper-types": [
+ "oidc-address-mapper",
+ "saml-role-list-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
 "saml-user-attribute-mapper",
 "saml-user-property-mapper",
 "oidc-full-name-mapper",
 "oidc-usermodel-attribute-mapper",
- "oidc-address-mapper",
- "oidc-sha256-pairwise-sub-mapper",
- "oidc-usermodel-property-mapper",
- "saml-role-list-mapper"
+ "oidc-usermodel-property-mapper"
 ]
 }
 },
@@ -1520,14 +1643,14 @@
 "subComponents": {},
 "config": {
 "allowed-protocol-mapper-types": [
- "oidc-usermodel-attribute-mapper",
- "oidc-sha256-pairwise-sub-mapper",
+ "oidc-address-mapper",
+ "saml-user-property-mapper",
+ "saml-role-list-mapper",
 "saml-user-attribute-mapper",
+ "oidc-usermodel-attribute-mapper",
 "oidc-usermodel-property-mapper",
 "oidc-full-name-mapper",
- "oidc-address-mapper",
- "saml-role-list-mapper",
- "saml-user-property-mapper"
+ "oidc-sha256-pairwise-sub-mapper"
 ]
 }
 },
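Review bot: The new `prism-agent` client in the `@@ -731` hunk is a confidential client with `standardFlowEnabled: true`, `directAccessGrantsEnabled: true` and wildcard `redirectUris: ["/*"]` / `webOrigins: ["/*"]`, while the accompanying service-account user suggests it is consumed via client credentials; a wildcard redirect on a browser-flow-enabled client is the classic setup for redirect-based token leakage, so either disable the flows the agent does not use or pin the redirect URI to the agent's real callback, e.g. `"standardFlowEnabled": false,` and `"directAccessGrantsEnabled": false,`. The `secret` is the export mask `"**********"`; whether an import keeps that literal as the working secret or regenerates one depends on the Keycloak version (not verifiable here), so the file should say where the real secret comes from, e.g. a sibling comment in the compose file or README: `prism-agent client secret is provisioned out of band; the value in manage-realm.json is a placeholder`. `fullScopeAllowed: true` also grants the service account every realm role it holds into the token; confirm that is intended for a client that only needs `uma_protection`.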
@@ -2233,23 +2356,23 @@
 "clientOfflineSessionMaxLifespan": "0",
 "oauth2DevicePollingInterval": "5",
 "clientSessionIdleTimeout": "0",
+ "actionTokenGeneratedByUserLifespan-execute-actions": "",
 "userProfileEnabled": "true",
+ "actionTokenGeneratedByUserLifespan-verify-email": "",
 "clientOfflineSessionIdleTimeout": "0",
+ "actionTokenGeneratedByUserLifespan-reset-credentials": "",
 "cibaInterval": "5",
 "realmReusableOtpCode": "false",
 "cibaExpiresIn": "120",
 "oauth2DeviceCodeLifespan": "600",
+ "actionTokenGeneratedByUserLifespan-idp-verify-account-via-email": "",
 "parRequestUriLifespan": "60",
 "clientSessionMaxLifespan": "0",
 "frontendUrl": "",
 "acr.loa.map": "{}",
- "actionTokenGeneratedByUserLifespan-execute-actions": "",
- "actionTokenGeneratedByUserLifespan-verify-email": "",
- "actionTokenGeneratedByUserLifespan-reset-credentials": "",
- "actionTokenGeneratedByUserLifespan-idp-verify-account-via-email": "",
 "shortVerificationUri": ""
 },
- "keycloakVersion": "22.0.1",
+ "keycloakVersion": "22.0.3",
 "userManagedAccessAllowed": false,
 "clientProfiles": {
 "profiles": []