Ensure oidc clients with defaultClientScopes declare 'basic' scope

See: adorsys/keycloak-config-cli#1073
thomasdarimont · Jun 25, 2024 · b0e049c · b0e049c
1 parent 90be702
commit b0e049c
Show file tree

Hide file tree

Showing 11 changed files with 36 additions and 0 deletions.
diff --git a/config/stage/dev/realms/acme-api.yaml b/config/stage/dev/realms/acme-api.yaml
@@ -87,6 +87,7 @@ clients:
     # this secret would be individual for each customer
     secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
       - "roles"

diff --git a/config/stage/dev/realms/acme-apps.yaml b/config/stage/dev/realms/acme-apps.yaml
@@ -126,6 +126,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "roles"
       - "profile"
@@ -158,6 +159,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
     optionalClientScopes:
       - "phone"

diff --git a/config/stage/dev/realms/acme-client-examples.yaml b/config/stage/dev/realms/acme-client-examples.yaml
@@ -23,6 +23,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -41,6 +42,7 @@ clients:
     directAccessGrantsEnabled: true
     serviceAccountsEnabled: false
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -70,6 +72,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -89,6 +92,7 @@ clients:
     serviceAccountsEnabled: false
     secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -126,6 +130,7 @@ clients:
     serviceAccountsEnabled: true
     secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -148,6 +153,7 @@ clients:
       # Claimed URL
       - "https://mobile.acme.test/*"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -170,6 +176,7 @@ clients:
     redirectUris:
       - "http://localhost/*"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -194,6 +201,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -288,6 +296,7 @@ clients:
     serviceAccountsEnabled: true
     secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
       - "roles"

diff --git a/config/stage/dev/realms/acme-demo.yaml b/config/stage/dev/realms/acme-demo.yaml
@@ -32,6 +32,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "roles"
       - "profile"

diff --git a/config/stage/dev/realms/acme-internal.yaml b/config/stage/dev/realms/acme-internal.yaml
@@ -215,6 +215,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "roles"
       - "profile"
@@ -246,6 +247,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
     optionalClientScopes:
       - "phone"
@@ -278,6 +280,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
     optionalClientScopes:
       - "phone"
@@ -303,6 +306,7 @@ clients:
     redirectUris:
       - "acme://app/callback/*"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -325,6 +329,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -350,6 +355,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
       - "roles"
@@ -373,6 +379,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -391,6 +398,7 @@ clients:
     serviceAccountsEnabled: true
     secret: "$(env:ACME_APPS_INTERNAL_IDP_BROKER_SECRET:-secret)"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -419,6 +427,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -437,6 +446,7 @@ clients:
     serviceAccountsEnabled: true
     secret: "$(env:ACME_APPS_DEMO_SERVICE_SECRET:-secret)"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -464,6 +474,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -492,6 +503,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -513,6 +525,7 @@ clients:
       "jwt.credential.certificate": "MIIFLzCCAxegAwIBAgIUDYnNAzTFZ6FNHbRn4evtZFluiuAwDQYJKoZIhvcNAQELBQAwJzElMCMGA1UEAwwcYWNtZS1zZXJ2aWNlLWNsaWVudC1qd3QtYXV0aDAeFw0yMjA0MTAxMTU5MjdaFw0yMzA0MTAxMTU5MjdaMCcxJTAjBgNVBAMMHGFjbWUtc2VydmljZS1jbGllbnQtand0LWF1dGgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCu91jwgkO/ZJoeIzclL+x7oBxsgjxGDLdCYs4QKEhitB8FFOobxtA67Yh48Bprd9Qji9IHvdxVLPa+SkgMvF/5MhDKUW/wLBpDL0sgvLT56FV9gl/hqtUvVKVNTQuEBk0QpTJH4uSg5jNIZARVcOnPRvBtQ0vpQ/1FsEJkSLXq7OAUQTgguXltR+/u2hH4wpOIRzpjeN7i/OHkiZS0K5otAVr1kCoMeZXo0qUfzG6FngVQhqZ3haMf3C+MSjLagvFzYK6NlJJDp7WIFvzkCriZlIyrSbO4vpHjmKuo31boIAbwn1EimHWGG1ExcXWLeqLfJt43tQIwzPe6PhnQ+2kw7zb6O6SrJhnaYNTVclAuj3TRtF0bxM9B9kEpHyypxGKwF8UAyqQkMnG1tJzvafruDLHrHpOAnV4bncWjbIP5vsS+mEALIs+CpRujdNut1NrJT7rMkNcXdhOfiLVA5FY91c5WC1uoJPmyFscsj2WmBe5AVQFpOiS0V5dIm1Gc3ctebX7Nqa8rxnEPVQhRWyacadlti+VNHgUUZIbU67vHx64w+Gh3XlxG2fBqf1YHHOOUlFHUAcJoANqyk0lD6eqn8RSpI0xB/VdQNnCmDblx94W0iTCxgEC3vrUsHzC3r37BX6dHo3aF7xaT6wwRCM8/FHj1eH/JBq+1Xt4y1P3aNQIDAQABo1MwUTAdBgNVHQ4EFgQUt+sggUSV+8cCNAvMMlBH1SBRAA0wHwYDVR0jBBgwFoAUt+sggUSV+8cCNAvMMlBH1SBRAA0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAPsthqWnfJFEjh7BV/Vg8hAgLme/cVDr/O1Ff0WVX+Mmtsu+vZyRGNXL67PXYqar9b+fZr5mGhbiZS4mBk/5N9sGRpDh2Keyy9j/CTaYUpszqur5NfYBvmtbk+u4BCPkMMme+R2RnZ3GnzOoGKlZ2jCfBvm/Jr+Ta05VVGb41LZfb19m8uYnMzLTZd1VSZQ4+vHa6OrPn1zaAPobHWLysLkUH6ngteZjVu2bPcf1UYmYRyMs/a4cIgsC3A5PIFu9DN87o0q8LN3qITt70/3FgKLUuPmvCZSnNZ+oLsUDs3RM5qyJth91UAaJL3LXglkSCzwmSqimel+Ga3e4ltmsUMB2HKc81NXfMmAV3gRYyfwLQSA1HyuMGOBRLbmsXr6Y6C4l3Wfsbv/MLL/BgDev6A6Hkq2Zc0Q4VJUhBsm75GMAy5vA6Pn+TSp8MeWJMAXJwcY/3ESyodfn29m0mGiHwef/ByQcK/8M9fRFIvIsKF/NPziWHiIV3QXB2qDIZF595/De4siUtaSW6H9ywZpVfTBoc/AEHKY4QZ1Pr8xj+YRQar7qmuVsSug6RWgXplZWOn9vx25FPwAXcOv9z/gP7zA8IYMiEUZ0MKFLetQ6ietCNPlvqgFC59+hjsh/MyNTePitxNPN1+MYUb7Xr/Ul+BREnNCVJM/ZCEbIhsVKMiCk="
       "token.endpoint.auth.signing.alg": "RS256"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:

diff --git a/config/stage/dev/realms/acme-ldap.yaml b/config/stage/dev/realms/acme-ldap.yaml
@@ -61,6 +61,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -88,6 +89,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
@@ -108,6 +110,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:

diff --git a/config/stage/dev/realms/acme-ops.yaml b/config/stage/dev/realms/acme-ops.yaml
@@ -41,6 +41,8 @@ clients:
     secret: acme-ops-grafana-secret
     fullScopeAllowed: false
     defaultClientScopes:
+      - "basic"
+      - "email"
     rootUrl: "https://ops.acme.test:3000/grafana"
     baseUrl: "/"
     adminUrl: ""

diff --git a/config/stage/dev/realms/acme-passwordless.yaml b/config/stage/dev/realms/acme-passwordless.yaml
@@ -78,6 +78,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "roles"
       - "profile"
@@ -107,6 +108,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:

diff --git a/config/stage/dev/realms/acme-stepup.yaml b/config/stage/dev/realms/acme-stepup.yaml
@@ -29,6 +29,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "roles"
       - "profile"

diff --git a/config/stage/dev/realms/company-apps.yaml b/config/stage/dev/realms/company-apps.yaml
@@ -180,6 +180,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "roles"
       - "profile"

diff --git a/config/stage/dev/realms/company-users.yaml b/config/stage/dev/realms/company-users.yaml
@@ -96,6 +96,7 @@ clients:
     webOrigins:
       - "+"
     defaultClientScopes:
+      - "basic"
       - "email"
       - "profile"
     optionalClientScopes:
-Original file line number
+Diff line change
@@ Expand Up / @@ -32,6 +32,7 @@ clients: @@
         webOrigins:
           - "+"
         defaultClientScopes:
+          - "basic"
           - "email"
           - "roles"
           - "profile"
@@ Expand Down @@