From b0e049c7be599726a37e160e21cfb69849d9c6ce Mon Sep 17 00:00:00 2001
From: Thomas Darimont
Date: Tue, 25 Jun 2024 19:39:45 +0200
Subject: [PATCH] Ensure oidc clients with defaultClientScopes declare 'basic' scope

See: https://github.com/adorsys/keycloak-config-cli/issues/1073
---
 config/stage/dev/realms/acme-api.yaml | 1 +
 config/stage/dev/realms/acme-apps.yaml | 2 ++
 config/stage/dev/realms/acme-client-examples.yaml | 9 +++++++++
 config/stage/dev/realms/acme-demo.yaml | 1 +
 config/stage/dev/realms/acme-internal.yaml | 13 +++++++++++++
 config/stage/dev/realms/acme-ldap.yaml | 3 +++
 config/stage/dev/realms/acme-ops.yaml | 2 ++
 config/stage/dev/realms/acme-passwordless.yaml | 2 ++
 config/stage/dev/realms/acme-stepup.yaml | 1 +
 config/stage/dev/realms/company-apps.yaml | 1 +
 config/stage/dev/realms/company-users.yaml | 1 +
 11 files changed, 36 insertions(+)

diff --git a/config/stage/dev/realms/acme-api.yaml b/config/stage/dev/realms/acme-api.yaml
index bb3d04cb..58eb5a6a 100644
--- a/config/stage/dev/realms/acme-api.yaml
+++ b/config/stage/dev/realms/acme-api.yaml
@@ -87,6 +87,7 @@ clients:
 # this secret would be individual for each customer
 secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 - "roles"
diff --git a/config/stage/dev/realms/acme-apps.yaml b/config/stage/dev/realms/acme-apps.yaml
index 82149a9b..f97491a9 100644
--- a/config/stage/dev/realms/acme-apps.yaml
+++ b/config/stage/dev/realms/acme-apps.yaml
@@ -126,6 +126,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "roles"
 - "profile"
@@ -158,6 +159,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 optionalClientScopes:
 - "phone"
diff --git a/config/stage/dev/realms/acme-client-examples.yaml b/config/stage/dev/realms/acme-client-examples.yaml
index ac19c0b6..14c827e0 100644
--- a/config/stage/dev/realms/acme-client-examples.yaml
+++ b/config/stage/dev/realms/acme-client-examples.yaml
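Review bot: The added `- "basic"` entries carry no explanation of why a scope with that name must now be listed, and as far as I can tell the entry only resolves if each realm actually provides a client scope called `basic` — presumably the one newer Keycloak releases ship by default, which an explicitly set defaultClientScopes list otherwise leaves out. If any of these realm files declares `clientScopes:` explicitly, `basic` needs to be defined there too, or the import references a scope that does not exist. A one-line comment above the first occurrence in each file would keep the intent from being lost on the next edit, e.g. `# "basic" must be listed explicitly once defaultClientScopes is set; see keycloak-config-cli issue 1073`. The same applies to the hunks in acme-apps.yaml, acme-client-examples.yaml, acme-demo.yaml, acme-internal.yaml, acme-ldap.yaml, acme-passwordless.yaml, acme-stepup.yaml, company-apps.yaml and company-users.yaml.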
@@ -23,6 +23,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -41,6 +42,7 @@ clients:
 directAccessGrantsEnabled: true
 serviceAccountsEnabled: false
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -70,6 +72,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -89,6 +92,7 @@ clients:
 serviceAccountsEnabled: false
 secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -126,6 +130,7 @@ clients:
 serviceAccountsEnabled: true
 secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -148,6 +153,7 @@ clients:
 # Claimed URL
 - "https://mobile.acme.test/*"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -170,6 +176,7 @@ clients:
 redirectUris:
 - "http://localhost/*"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -194,6 +201,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -288,6 +296,7 @@ clients:
 serviceAccountsEnabled: true
 secret: "$(env:ACME_CLIENT_EXAMPLES_CLIENT_SECRET:-secret)"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 - "roles"
diff --git a/config/stage/dev/realms/acme-demo.yaml b/config/stage/dev/realms/acme-demo.yaml
index b15a7f64..def97c79 100644
--- a/config/stage/dev/realms/acme-demo.yaml
+++ b/config/stage/dev/realms/acme-demo.yaml
@@ -32,6 +32,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "roles"
 - "profile"
diff --git a/config/stage/dev/realms/acme-internal.yaml b/config/stage/dev/realms/acme-internal.yaml
index 8ff3e2a1..f93d8ce4 100644
--- a/config/stage/dev/realms/acme-internal.yaml
+++ b/config/stage/dev/realms/acme-internal.yaml
@@ -215,6 +215,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "roles"
 - "profile"
@@ -246,6 +247,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 optionalClientScopes:
 - "phone"
@@ -278,6 +280,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 optionalClientScopes:
 - "phone"
@@ -303,6 +306,7 @@ clients:
 redirectUris:
 - "acme://app/callback/*"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -325,6 +329,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -350,6 +355,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 - "roles"
@@ -373,6 +379,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -391,6 +398,7 @@ clients:
 serviceAccountsEnabled: true
 secret: "$(env:ACME_APPS_INTERNAL_IDP_BROKER_SECRET:-secret)"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -419,6 +427,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -437,6 +446,7 @@ clients:
 serviceAccountsEnabled: true
 secret: "$(env:ACME_APPS_DEMO_SERVICE_SECRET:-secret)"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -464,6 +474,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -492,6 +503,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -513,6 +525,7 @@ clients:
 "jwt.credential.certificate": "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"
 "token.endpoint.auth.signing.alg": "RS256"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
diff --git a/config/stage/dev/realms/acme-ldap.yaml b/config/stage/dev/realms/acme-ldap.yaml
index 8f405e33..e54bf2f3 100644
--- a/config/stage/dev/realms/acme-ldap.yaml
+++ b/config/stage/dev/realms/acme-ldap.yaml
@@ -61,6 +61,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -88,6 +89,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
@@ -108,6 +110,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
diff --git a/config/stage/dev/realms/acme-ops.yaml b/config/stage/dev/realms/acme-ops.yaml
index 9a02b620..e0a4ed4a 100644
--- a/config/stage/dev/realms/acme-ops.yaml
+++ b/config/stage/dev/realms/acme-ops.yaml
@@ -41,6 +41,8 @@ clients:
 secret: acme-ops-grafana-secret
 fullScopeAllowed: false
 defaultClientScopes:
+ - "basic"
+ - "email"
 rootUrl: "https://ops.acme.test:3000/grafana"
 baseUrl: "/"
 adminUrl: ""
diff --git a/config/stage/dev/realms/acme-passwordless.yaml b/config/stage/dev/realms/acme-passwordless.yaml
index ea7edc64..123fc06c 100644
--- a/config/stage/dev/realms/acme-passwordless.yaml
+++ b/config/stage/dev/realms/acme-passwordless.yaml
@@ -78,6 +78,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "roles"
 - "profile"
@@ -107,6 +108,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes:
diff --git a/config/stage/dev/realms/acme-stepup.yaml b/config/stage/dev/realms/acme-stepup.yaml
index fe7d08e5..5e2654da 100644
--- a/config/stage/dev/realms/acme-stepup.yaml
+++ b/config/stage/dev/realms/acme-stepup.yaml
@@ -29,6 +29,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "roles"
 - "profile"
diff --git a/config/stage/dev/realms/company-apps.yaml b/config/stage/dev/realms/company-apps.yaml
index b7bffe7b..92c1ef6a 100644
--- a/config/stage/dev/realms/company-apps.yaml
+++ b/config/stage/dev/realms/company-apps.yaml
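Review bot: The acme-ops.yaml hunk (`@@ -41,6 +41,8 @@`) adds `- "email"` next to `- "basic"`, which goes beyond the commit's stated purpose and, with `fullScopeAllowed: false` on the line above, presumably widens the claims issued to the grafana client from a previously empty default list. If that is intended, record it in the commit message or in a comment on the new line, e.g. `# email claim is needed by grafana for <reason — placeholder>`; otherwise keep this hunk to `basic` only like the other ten files. Note that the bare `defaultClientScopes:` key before this change parsed as null rather than an empty list, so the hunk also changes the key's type; worth confirming the importer treated both the same. Unrelated to this change but visible in the same hunk, `secret: acme-ops-grafana-secret` is a literal credential whereas the other realm files resolve secrets via `$(env:...:-secret)`; aligning it is a reasonable follow-up.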
@@ -180,6 +180,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "roles"
 - "profile"
diff --git a/config/stage/dev/realms/company-users.yaml b/config/stage/dev/realms/company-users.yaml
index 66a697a6..e501f3f4 100644
--- a/config/stage/dev/realms/company-users.yaml
+++ b/config/stage/dev/realms/company-users.yaml
@@ -96,6 +96,7 @@ clients:
 webOrigins:
 - "+"
 defaultClientScopes:
+ - "basic"
 - "email"
 - "profile"
 optionalClientScopes: