|
|
@@ -0,0 +1,1936 @@
|
|
|
+apiVersion: k8s.keycloak.org/v2alpha1
|
|
|
+kind: KeycloakRealmImport
|
|
|
+metadata:
|
|
|
+ name: {{ rhbk.name | default('sso') }}-{{ rhbk.realm | default('sample-realm') }}-import
|
|
|
+ namespace: {{ rhbk.namespace | default('keycloak') }}
|
|
|
+spec:
|
|
|
+ keycloakCRName: {{ rhbk.name | default('sso') }}
|
|
|
+ realm:
|
|
|
+ id: be41fdb1-be4d-431d-be3c-adb5ad3a071a
|
|
|
+ realm: {{ rhbk.realm | default('sample-realm') }}
|
|
|
+ notBefore: 0
|
|
|
+ defaultSignatureAlgorithm: RS256
|
|
|
+ revokeRefreshToken: false
|
|
|
+ refreshTokenMaxReuse: 0
|
|
|
+ accessTokenLifespan: 300
|
|
|
+ accessTokenLifespanForImplicitFlow: 900
|
|
|
+ ssoSessionIdleTimeout: 1800
|
|
|
+ ssoSessionMaxLifespan: 36000
|
|
|
+ ssoSessionIdleTimeoutRememberMe: 0
|
|
|
+ ssoSessionMaxLifespanRememberMe: 0
|
|
|
+ offlineSessionIdleTimeout: 2592000
|
|
|
+ offlineSessionMaxLifespanEnabled: false
|
|
|
+ offlineSessionMaxLifespan: 5184000
|
|
|
+ clientSessionIdleTimeout: 0
|
|
|
+ clientSessionMaxLifespan: 0
|
|
|
+ clientOfflineSessionIdleTimeout: 0
|
|
|
+ clientOfflineSessionMaxLifespan: 0
|
|
|
+ accessCodeLifespan: 60
|
|
|
+ accessCodeLifespanUserAction: 300
|
|
|
+ accessCodeLifespanLogin: 1800
|
|
|
+ actionTokenGeneratedByAdminLifespan: 43200
|
|
|
+ actionTokenGeneratedByUserLifespan: 300
|
|
|
+ oauth2DeviceCodeLifespan: 600
|
|
|
+ oauth2DevicePollingInterval: 5
|
|
|
+ enabled: true
|
|
|
+ sslRequired: external
|
|
|
+ registrationAllowed: false
|
|
|
+ registrationEmailAsUsername: false
|
|
|
+ rememberMe: false
|
|
|
+ verifyEmail: false
|
|
|
+ loginWithEmailAllowed: false
|
|
|
+ duplicateEmailsAllowed: false
|
|
|
+ resetPasswordAllowed: false
|
|
|
+ editUsernameAllowed: false
|
|
|
+ bruteForceProtected: false
|
|
|
+ permanentLockout: false
|
|
|
+ maxTemporaryLockouts: 0
|
|
|
+ bruteForceStrategy: MULTIPLE
|
|
|
+ maxFailureWaitSeconds: 900
|
|
|
+ minimumQuickLoginWaitSeconds: 60
|
|
|
+ waitIncrementSeconds: 60
|
|
|
+ quickLoginCheckMilliSeconds: 1000
|
|
|
+ maxDeltaTimeSeconds: 43200
|
|
|
+ failureFactor: 30
|
|
|
+ roles:
|
|
|
+ realm:
|
|
|
+ - id: e7d9d76c-bfa9-4aa3-b67c-652fe88b1a25
|
|
|
+ name: offline_access
|
|
|
+ description: ${role_offline-access}
|
|
|
+ composite: false
|
|
|
+ clientRole: false
|
|
|
+ containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
|
|
|
+ attributes: {}
|
|
|
+ - id: 07fabbc5-4576-4ccc-985e-c0e9ef48d5b9
|
|
|
+ name: default-roles-ichp
|
|
|
+ description: ${role_default-roles}
|
|
|
+ composite: true
|
|
|
+ composites:
|
|
|
+ realm:
|
|
|
+ - offline_access
|
|
|
+ - uma_authorization
|
|
|
+ client:
|
|
|
+ account:
|
|
|
+ - view-profile
|
|
|
+ - manage-account
|
|
|
+ clientRole: false
|
|
|
+ containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
|
|
|
+ attributes: {}
|
|
|
+ - id: 1e3afeb8-c039-4815-868c-33bbafed28f4
|
|
|
+ name: uma_authorization
|
|
|
+ description: ${role_uma_authorization}
|
|
|
+ composite: false
|
|
|
+ clientRole: false
|
|
|
+ containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
|
|
|
+ attributes: {}
|
|
|
+ client:
|
|
|
+ realm-management:
|
|
|
+ - id: 1f2346c9-4576-40ae-b1ab-0c7895d82776
|
|
|
+ name: create-client
|
|
|
+ description: ${role_create-client}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 72effb10-55aa-4ba6-9897-7b969878b4c2
|
|
|
+ name: query-clients
|
|
|
+ description: ${role_query-clients}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 5162b108-5ac3-43de-8a3c-b93ac6d833e1
|
|
|
+ name: view-identity-providers
|
|
|
+ description: ${role_view-identity-providers}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 4679477a-0e55-44b8-a795-f61c841dd7ea
|
|
|
+ name: impersonation
|
|
|
+ description: ${role_impersonation}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 158932a4-ec77-48ad-b967-15d3877b302b
|
|
|
+ name: view-authorization
|
|
|
+ description: ${role_view-authorization}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 4728cec2-0c01-45eb-9620-a71522ef9747
|
|
|
+ name: view-realm
|
|
|
+ description: ${role_view-realm}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: ce60989a-b977-4817-8add-06050e9e1539
|
|
|
+ name: manage-clients
|
|
|
+ description: ${role_manage-clients}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 837fe3ea-27b4-4167-a466-645e8f738f2e
|
|
|
+ name: manage-users
|
|
|
+ description: ${role_manage-users}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 574f9232-c48b-49fc-b24c-4f868f28ee49
|
|
|
+ name: query-realms
|
|
|
+ description: ${role_query-realms}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 952a7293-2733-4d64-a5ba-0b98d39f1a8c
|
|
|
+ name: view-users
|
|
|
+ description: ${role_view-users}
|
|
|
+ composite: true
|
|
|
+ composites:
|
|
|
+ client:
|
|
|
+ realm-management:
|
|
|
+ - query-groups
|
|
|
+ - query-users
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 58e37045-4a6a-4292-b849-b458fe15272e
|
|
|
+ name: realm-admin
|
|
|
+ description: ${role_realm-admin}
|
|
|
+ composite: true
|
|
|
+ composites:
|
|
|
+ client:
|
|
|
+ realm-management:
|
|
|
+ - create-client
|
|
|
+ - query-clients
|
|
|
+ - view-identity-providers
|
|
|
+ - impersonation
|
|
|
+ - view-authorization
|
|
|
+ - view-realm
|
|
|
+ - manage-users
|
|
|
+ - manage-clients
|
|
|
+ - query-realms
|
|
|
+ - view-users
|
|
|
+ - manage-realm
|
|
|
+ - manage-authorization
|
|
|
+ - query-groups
|
|
|
+ - manage-events
|
|
|
+ - manage-identity-providers
|
|
|
+ - view-clients
|
|
|
+ - view-events
|
|
|
+ - query-users
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 180792d6-17b5-4369-8d9f-5e9d7c1abecd
|
|
|
+ name: manage-realm
|
|
|
+ description: ${role_manage-realm}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 865608a3-b3c8-492d-a99f-35acbbc95df5
|
|
|
+ name: manage-authorization
|
|
|
+ description: ${role_manage-authorization}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: d67afc38-e298-48ae-883d-84b90e2acc87
|
|
|
+ name: query-groups
|
|
|
+ description: ${role_query-groups}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: aa372a48-8435-4923-b125-6bae2e735a75
|
|
|
+ name: manage-events
|
|
|
+ description: ${role_manage-events}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: ca44e368-d20a-445b-b5db-1a79f4551cf7
|
|
|
+ name: manage-identity-providers
|
|
|
+ description: ${role_manage-identity-providers}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: 58dfbd59-c730-46ad-a0ce-e4712b130133
|
|
|
+ name: view-clients
|
|
|
+ description: ${role_view-clients}
|
|
|
+ composite: true
|
|
|
+ composites:
|
|
|
+ client:
|
|
|
+ realm-management:
|
|
|
+ - query-clients
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: e67476ef-5630-42d2-9ec7-9cda35a6ff03
|
|
|
+ name: query-users
|
|
|
+ description: ${role_query-users}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ - id: edb64667-b054-4f32-80b3-19cb8dab52a4
|
|
|
+ name: view-events
|
|
|
+ description: ${role_view-events}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ attributes: {}
|
|
|
+ security-admin-console: []
|
|
|
+ openshift: []
|
|
|
+ admin-cli: []
|
|
|
+ account-console: []
|
|
|
+ broker:
|
|
|
+ - id: cfa9110f-d928-43e5-b71f-0970206dc7c7
|
|
|
+ name: read-token
|
|
|
+ description: ${role_read-token}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: a18de74b-25e5-4225-bbab-743752fc2f77
|
|
|
+ attributes: {}
|
|
|
+ account:
|
|
|
+ - id: 0a363300-38e4-4477-b0eb-b29f58506d81
|
|
|
+ name: delete-account
|
|
|
+ description: ${role_delete-account}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ - id: 2c2d6b40-bd69-4561-802d-97b8dcf08a9d
|
|
|
+ name: manage-consent
|
|
|
+ description: ${role_manage-consent}
|
|
|
+ composite: true
|
|
|
+ composites:
|
|
|
+ client:
|
|
|
+ account:
|
|
|
+ - view-consent
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ - id: 7b66ea32-a92c-4152-9435-b36d5c998bf4
|
|
|
+ name: view-profile
|
|
|
+ description: ${role_view-profile}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ - id: 26cc6356-b198-498a-8fd5-b6c55266044e
|
|
|
+ name: manage-account
|
|
|
+ description: ${role_manage-account}
|
|
|
+ composite: true
|
|
|
+ composites:
|
|
|
+ client:
|
|
|
+ account:
|
|
|
+ - manage-account-links
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ - id: 7d07a1ab-7994-47d8-88ad-5c91ea422722
|
|
|
+ name: manage-account-links
|
|
|
+ description: ${role_manage-account-links}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ - id: ecc23404-4281-4c90-aed4-375fd0fc0d37
|
|
|
+ name: view-applications
|
|
|
+ description: ${role_view-applications}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ - id: 1f3da55f-0458-496b-b9f2-f10496d28ab5
|
|
|
+ name: view-groups
|
|
|
+ description: ${role_view-groups}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ - id: 5aaab517-1ce9-465d-abc8-936cffca1bc3
|
|
|
+ name: view-consent
|
|
|
+ description: ${role_view-consent}
|
|
|
+ composite: false
|
|
|
+ clientRole: true
|
|
|
+ containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ attributes: {}
|
|
|
+ groups: []
|
|
|
+ defaultRole:
|
|
|
+ id: 07fabbc5-4576-4ccc-985e-c0e9ef48d5b9
|
|
|
+ name: default-roles-ichp
|
|
|
+ description: ${role_default-roles}
|
|
|
+ composite: true
|
|
|
+ clientRole: false
|
|
|
+ containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
|
|
|
+ requiredCredentials:
|
|
|
+ - password
|
|
|
+ otpPolicyType: totp
|
|
|
+ otpPolicyAlgorithm: HmacSHA1
|
|
|
+ otpPolicyInitialCounter: 0
|
|
|
+ otpPolicyDigits: 6
|
|
|
+ otpPolicyLookAheadWindow: 1
|
|
|
+ otpPolicyPeriod: 30
|
|
|
+ otpPolicyCodeReusable: false
|
|
|
+ otpSupportedApplications:
|
|
|
+ - totpAppFreeOTPName
|
|
|
+ - totpAppGoogleName
|
|
|
+ - totpAppMicrosoftAuthenticatorName
|
|
|
+ localizationTexts: {}
|
|
|
+ webAuthnPolicyRpEntityName: keycloak
|
|
|
+ webAuthnPolicySignatureAlgorithms:
|
|
|
+ - ES256
|
|
|
+ - RS256
|
|
|
+ webAuthnPolicyRpId: ""
|
|
|
+ webAuthnPolicyAttestationConveyancePreference: not specified
|
|
|
+ webAuthnPolicyAuthenticatorAttachment: not specified
|
|
|
+ webAuthnPolicyRequireResidentKey: not specified
|
|
|
+ webAuthnPolicyUserVerificationRequirement: not specified
|
|
|
+ webAuthnPolicyCreateTimeout: 0
|
|
|
+ webAuthnPolicyAvoidSameAuthenticatorRegister: false
|
|
|
+ webAuthnPolicyAcceptableAaguids: []
|
|
|
+ webAuthnPolicyExtraOrigins: []
|
|
|
+ webAuthnPolicyPasswordlessRpEntityName: keycloak
|
|
|
+ webAuthnPolicyPasswordlessSignatureAlgorithms:
|
|
|
+ - ES256
|
|
|
+ - RS256
|
|
|
+ webAuthnPolicyPasswordlessRpId: ""
|
|
|
+ webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified
|
|
|
+ webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified
|
|
|
+ webAuthnPolicyPasswordlessRequireResidentKey: not specified
|
|
|
+ webAuthnPolicyPasswordlessUserVerificationRequirement: not specified
|
|
|
+ webAuthnPolicyPasswordlessCreateTimeout: 0
|
|
|
+ webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false
|
|
|
+ webAuthnPolicyPasswordlessAcceptableAaguids: []
|
|
|
+ webAuthnPolicyPasswordlessExtraOrigins: []
|
|
|
+ scopeMappings:
|
|
|
+ - clientScope: offline_access
|
|
|
+ roles:
|
|
|
+ - offline_access
|
|
|
+ clientScopeMappings:
|
|
|
+ account:
|
|
|
+ - client: account-console
|
|
|
+ roles:
|
|
|
+ - manage-account
|
|
|
+ - view-groups
|
|
|
+ clients:
|
|
|
+ - id: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
|
|
|
+ clientId: account
|
|
|
+ name: ${client_account}
|
|
|
+ rootUrl: ${authBaseUrl}
|
|
|
+ baseUrl: /realms/ichp/account/
|
|
|
+ surrogateAuthRequired: false
|
|
|
+ enabled: true
|
|
|
+ alwaysDisplayInConsole: false
|
|
|
+ clientAuthenticatorType: client-secret
|
|
|
+ redirectUris:
|
|
|
+ - /realms/ichp/account/*
|
|
|
+ webOrigins: []
|
|
|
+ notBefore: 0
|
|
|
+ bearerOnly: false
|
|
|
+ consentRequired: false
|
|
|
+ standardFlowEnabled: true
|
|
|
+ implicitFlowEnabled: false
|
|
|
+ directAccessGrantsEnabled: false
|
|
|
+ serviceAccountsEnabled: false
|
|
|
+ publicClient: true
|
|
|
+ frontchannelLogout: false
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ realm_client: "false"
|
|
|
+ post.logout.redirect.uris: +
|
|
|
+ authenticationFlowBindingOverrides: {}
|
|
|
+ fullScopeAllowed: false
|
|
|
+ nodeReRegistrationTimeout: 0
|
|
|
+ defaultClientScopes:
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - roles
|
|
|
+ - profile
|
|
|
+ - basic
|
|
|
+ - email
|
|
|
+ optionalClientScopes:
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - organization
|
|
|
+ - offline_access
|
|
|
+ - microprofile-jwt
|
|
|
+ - id: 26ee53a2-3acc-4f86-bb03-8ef53f4c4619
|
|
|
+ clientId: account-console
|
|
|
+ name: ${client_account-console}
|
|
|
+ rootUrl: ${authBaseUrl}
|
|
|
+ baseUrl: /realms/ichp/account/
|
|
|
+ surrogateAuthRequired: false
|
|
|
+ enabled: true
|
|
|
+ alwaysDisplayInConsole: false
|
|
|
+ clientAuthenticatorType: client-secret
|
|
|
+ redirectUris:
|
|
|
+ - /realms/ichp/account/*
|
|
|
+ webOrigins: []
|
|
|
+ notBefore: 0
|
|
|
+ bearerOnly: false
|
|
|
+ consentRequired: false
|
|
|
+ standardFlowEnabled: true
|
|
|
+ implicitFlowEnabled: false
|
|
|
+ directAccessGrantsEnabled: false
|
|
|
+ serviceAccountsEnabled: false
|
|
|
+ publicClient: true
|
|
|
+ frontchannelLogout: false
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ realm_client: "false"
|
|
|
+ post.logout.redirect.uris: +
|
|
|
+ pkce.code.challenge.method: S256
|
|
|
+ authenticationFlowBindingOverrides: {}
|
|
|
+ fullScopeAllowed: false
|
|
|
+ nodeReRegistrationTimeout: 0
|
|
|
+ protocolMappers:
|
|
|
+ - id: d5f30f3a-684a-41ec-b423-70179bcb7550
|
|
|
+ name: audience resolve
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-audience-resolve-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config: {}
|
|
|
+ defaultClientScopes:
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - roles
|
|
|
+ - profile
|
|
|
+ - basic
|
|
|
+ - email
|
|
|
+ optionalClientScopes:
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - organization
|
|
|
+ - offline_access
|
|
|
+ - microprofile-jwt
|
|
|
+ - id: de8c83c0-f8d4-4ea4-9243-3c8eb8e3320b
|
|
|
+ clientId: admin-cli
|
|
|
+ name: ${client_admin-cli}
|
|
|
+ surrogateAuthRequired: false
|
|
|
+ enabled: true
|
|
|
+ alwaysDisplayInConsole: false
|
|
|
+ clientAuthenticatorType: client-secret
|
|
|
+ redirectUris: []
|
|
|
+ webOrigins: []
|
|
|
+ notBefore: 0
|
|
|
+ bearerOnly: false
|
|
|
+ consentRequired: false
|
|
|
+ standardFlowEnabled: false
|
|
|
+ implicitFlowEnabled: false
|
|
|
+ directAccessGrantsEnabled: true
|
|
|
+ serviceAccountsEnabled: false
|
|
|
+ publicClient: true
|
|
|
+ frontchannelLogout: false
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ realm_client: "false"
|
|
|
+ client.use.lightweight.access.token.enabled: "true"
|
|
|
+ authenticationFlowBindingOverrides: {}
|
|
|
+ fullScopeAllowed: true
|
|
|
+ nodeReRegistrationTimeout: 0
|
|
|
+ defaultClientScopes:
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - roles
|
|
|
+ - profile
|
|
|
+ - basic
|
|
|
+ - email
|
|
|
+ optionalClientScopes:
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - organization
|
|
|
+ - offline_access
|
|
|
+ - microprofile-jwt
|
|
|
+ - id: a18de74b-25e5-4225-bbab-743752fc2f77
|
|
|
+ clientId: broker
|
|
|
+ name: ${client_broker}
|
|
|
+ surrogateAuthRequired: false
|
|
|
+ enabled: true
|
|
|
+ alwaysDisplayInConsole: false
|
|
|
+ clientAuthenticatorType: client-secret
|
|
|
+ redirectUris: []
|
|
|
+ webOrigins: []
|
|
|
+ notBefore: 0
|
|
|
+ bearerOnly: true
|
|
|
+ consentRequired: false
|
|
|
+ standardFlowEnabled: true
|
|
|
+ implicitFlowEnabled: false
|
|
|
+ directAccessGrantsEnabled: false
|
|
|
+ serviceAccountsEnabled: false
|
|
|
+ publicClient: false
|
|
|
+ frontchannelLogout: false
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ realm_client: "true"
|
|
|
+ authenticationFlowBindingOverrides: {}
|
|
|
+ fullScopeAllowed: false
|
|
|
+ nodeReRegistrationTimeout: 0
|
|
|
+ defaultClientScopes:
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - roles
|
|
|
+ - profile
|
|
|
+ - basic
|
|
|
+ - email
|
|
|
+ optionalClientScopes:
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - organization
|
|
|
+ - offline_access
|
|
|
+ - microprofile-jwt
|
|
|
+ - id: 95b6c1c6-3787-4442-b512-527ff51d2670
|
|
|
+ clientId: openshift
|
|
|
+ name: "OpenShift OIDC Client"
|
|
|
+ description: ""
|
|
|
+ rootUrl: https://oauth-openshift.apps.ocp4.example.com
|
|
|
+ adminUrl: https://oauth-openshift.apps.ocp4.example.com
|
|
|
+ baseUrl: ""
|
|
|
+ surrogateAuthRequired: false
|
|
|
+ enabled: true
|
|
|
+ alwaysDisplayInConsole: false
|
|
|
+ clientAuthenticatorType: client-secret
|
|
|
+ secret: 'verysecret'
|
|
|
+ redirectUris:
|
|
|
+ - https://oauth-openshift.apps.ocp4.example.com/*
|
|
|
+ webOrigins:
|
|
|
+ - https://oauth-openshift.apps.ocp4.example.com
|
|
|
+ notBefore: 0
|
|
|
+ bearerOnly: false
|
|
|
+ consentRequired: false
|
|
|
+ standardFlowEnabled: true
|
|
|
+ implicitFlowEnabled: false
|
|
|
+ directAccessGrantsEnabled: true
|
|
|
+ serviceAccountsEnabled: false
|
|
|
+ publicClient: false
|
|
|
+ frontchannelLogout: true
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ client.secret.creation.time: "1755544217"
|
|
|
+ request.object.signature.alg: any
|
|
|
+ request.object.encryption.alg: any
|
|
|
+ client.introspection.response.allow.jwt.claim.enabled: "false"
|
|
|
+ standard.token.exchange.enabled: "false"
|
|
|
+ frontchannel.logout.session.required: "true"
|
|
|
+ oauth2.device.authorization.grant.enabled: "false"
|
|
|
+ use.jwks.url: "false"
|
|
|
+ backchannel.logout.revoke.offline.tokens: "false"
|
|
|
+ use.refresh.tokens: "true"
|
|
|
+ realm_client: "false"
|
|
|
+ oidc.ciba.grant.enabled: "false"
|
|
|
+ client.use.lightweight.access.token.enabled: "false"
|
|
|
+ backchannel.logout.session.required: "true"
|
|
|
+ client_credentials.use_refresh_token: "false"
|
|
|
+ request.object.required: not required
|
|
|
+ access.token.header.type.rfc9068: "false"
|
|
|
+ acr.loa.map: '{}'
|
|
|
+ require.pushed.authorization.requests: "false"
|
|
|
+ tls.client.certificate.bound.access.tokens: "false"
|
|
|
+ display.on.consent.screen: "false"
|
|
|
+ request.object.encryption.enc: any
|
|
|
+ token.response.type.bearer.lower-case: "false"
|
|
|
+ authenticationFlowBindingOverrides: {}
|
|
|
+ fullScopeAllowed: true
|
|
|
+ nodeReRegistrationTimeout: -1
|
|
|
+ defaultClientScopes:
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - roles
|
|
|
+ - profile
|
|
|
+ - basic
|
|
|
+ - email
|
|
|
+ optionalClientScopes:
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - organization
|
|
|
+ - offline_access
|
|
|
+ - microprofile-jwt
|
|
|
+ - id: 1544ec14-3f4a-4601-8f98-a3698afb78c9
|
|
|
+ clientId: realm-management
|
|
|
+ name: ${client_realm-management}
|
|
|
+ surrogateAuthRequired: false
|
|
|
+ enabled: true
|
|
|
+ alwaysDisplayInConsole: false
|
|
|
+ clientAuthenticatorType: client-secret
|
|
|
+ redirectUris: []
|
|
|
+ webOrigins: []
|
|
|
+ notBefore: 0
|
|
|
+ bearerOnly: true
|
|
|
+ consentRequired: false
|
|
|
+ standardFlowEnabled: true
|
|
|
+ implicitFlowEnabled: false
|
|
|
+ directAccessGrantsEnabled: false
|
|
|
+ serviceAccountsEnabled: false
|
|
|
+ publicClient: false
|
|
|
+ frontchannelLogout: false
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ realm_client: "true"
|
|
|
+ authenticationFlowBindingOverrides: {}
|
|
|
+ fullScopeAllowed: false
|
|
|
+ nodeReRegistrationTimeout: 0
|
|
|
+ defaultClientScopes:
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - roles
|
|
|
+ - profile
|
|
|
+ - basic
|
|
|
+ - email
|
|
|
+ optionalClientScopes:
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - organization
|
|
|
+ - offline_access
|
|
|
+ - microprofile-jwt
|
|
|
+ - id: 64228e4f-5e45-43e2-840d-3ea67fbb1356
|
|
|
+ clientId: security-admin-console
|
|
|
+ name: ${client_security-admin-console}
|
|
|
+ rootUrl: ${authAdminUrl}
|
|
|
+ baseUrl: /admin/ichp/console/
|
|
|
+ surrogateAuthRequired: false
|
|
|
+ enabled: true
|
|
|
+ alwaysDisplayInConsole: false
|
|
|
+ clientAuthenticatorType: client-secret
|
|
|
+ redirectUris:
|
|
|
+ - /admin/ichp/console/*
|
|
|
+ webOrigins:
|
|
|
+ - +
|
|
|
+ notBefore: 0
|
|
|
+ bearerOnly: false
|
|
|
+ consentRequired: false
|
|
|
+ standardFlowEnabled: true
|
|
|
+ implicitFlowEnabled: false
|
|
|
+ directAccessGrantsEnabled: false
|
|
|
+ serviceAccountsEnabled: false
|
|
|
+ publicClient: true
|
|
|
+ frontchannelLogout: false
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ realm_client: "false"
|
|
|
+ client.use.lightweight.access.token.enabled: "true"
|
|
|
+ post.logout.redirect.uris: +
|
|
|
+ pkce.code.challenge.method: S256
|
|
|
+ authenticationFlowBindingOverrides: {}
|
|
|
+ fullScopeAllowed: true
|
|
|
+ nodeReRegistrationTimeout: 0
|
|
|
+ protocolMappers:
|
|
|
+ - id: 05393481-79e3-4c5d-be72-b21fa1b2cf6f
|
|
|
+ name: locale
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: locale
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: locale
|
|
|
+ jsonType.label: String
|
|
|
+ defaultClientScopes:
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - roles
|
|
|
+ - profile
|
|
|
+ - basic
|
|
|
+ - email
|
|
|
+ optionalClientScopes:
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - organization
|
|
|
+ - offline_access
|
|
|
+ - microprofile-jwt
|
|
|
+ clientScopes:
|
|
|
+ - id: da242fab-a8d0-4aa0-9e10-8212440b4b3b
|
|
|
+ name: roles
|
|
|
+ description: OpenID Connect scope for add user roles to the access token
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "false"
|
|
|
+ consent.screen.text: ${rolesScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 8ae03c9d-7b0b-4c41-baaa-54327e15d4fe
|
|
|
+ name: client roles
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-client-role-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ user.attribute: foo
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: resource_access.${client_id}.roles
|
|
|
+ jsonType.label: String
|
|
|
+ multivalued: "true"
|
|
|
+ - id: 7ed4a8f3-73ef-4c76-a68c-2abdb7111505
|
|
|
+ name: realm roles
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-realm-role-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ user.attribute: foo
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: realm_access.roles
|
|
|
+ jsonType.label: String
|
|
|
+ multivalued: "true"
|
|
|
+ - id: a354f9c9-579d-44f3-9d90-6fbbe5739c50
|
|
|
+ name: audience resolve
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-audience-resolve-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ - id: 4a60daed-92f6-4646-80bc-78e8bb5097a5
|
|
|
+ name: service_account
|
|
|
+ description: Specific scope for a client enabled for service accounts
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "false"
|
|
|
+ display.on.consent.screen: "false"
|
|
|
+ protocolMappers:
|
|
|
+ - id: c6ba4bf2-70c9-429d-8f11-7e7a94b6072c
|
|
|
+ name: Client Host
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usersessionmodel-note-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ user.session.note: clientHost
|
|
|
+ id.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: clientHost
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 8afd36a6-b5e9-42a8-96be-d64cd70ecc1e
|
|
|
+ name: Client IP Address
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usersessionmodel-note-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ user.session.note: clientAddress
|
|
|
+ id.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: clientAddress
|
|
|
+ jsonType.label: String
|
|
|
+ - id: aba0ce6b-a46a-4beb-9f24-364fbc2d7f72
|
|
|
+ name: Client ID
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usersessionmodel-note-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ user.session.note: client_id
|
|
|
+ id.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: client_id
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 308782b7-ab41-49ff-9e1a-de9a22b252df
|
|
|
+ name: organization
|
|
|
+ description: Additional claims about the organization a subject belongs to
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "true"
|
|
|
+ consent.screen.text: ${organizationScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ protocolMappers:
|
|
|
+ - id: a49de63c-2c91-45b7-9f87-6646ee2a8560
|
|
|
+ name: organization
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-organization-membership-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ id.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: organization
|
|
|
+ jsonType.label: String
|
|
|
+ multivalued: "true"
|
|
|
+ - id: ddc162b7-ae46-469a-88da-8e6fd882fef2
|
|
|
+ name: microprofile-jwt
|
|
|
+ description: Microprofile - JWT built-in scope
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "true"
|
|
|
+ display.on.consent.screen: "false"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 0aceceda-de29-4dfd-b282-79c1a4b1f01e
|
|
|
+ name: upn
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: username
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: upn
|
|
|
+ jsonType.label: String
|
|
|
+ - id: bbacf398-7509-43c2-a6a2-f72b7a151dde
|
|
|
+ name: groups
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-realm-role-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ multivalued: "true"
|
|
|
+ user.attribute: foo
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: groups
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 52d6d297-de58-47a4-8272-858cb1957dc5
|
|
|
+ name: saml_organization
|
|
|
+ description: Organization Membership
|
|
|
+ protocol: saml
|
|
|
+ attributes:
|
|
|
+ display.on.consent.screen: "false"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 53757c9d-732c-4274-95ff-fb36bcb68612
|
|
|
+ name: organization
|
|
|
+ protocol: saml
|
|
|
+ protocolMapper: saml-organization-membership-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config: {}
|
|
|
+ - id: b0f1af41-d217-47e2-ad46-90d333fc933c
|
|
|
+ name: acr
|
|
|
+ description: OpenID Connect scope for add acr (authentication context class reference) to the token
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "false"
|
|
|
+ display.on.consent.screen: "false"
|
|
|
+ protocolMappers:
|
|
|
+ - id: f511c418-885e-4def-a61c-46a2036ea16d
|
|
|
+ name: acr loa level
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-acr-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ - id: 3d18a857-3e55-46f8-85e8-ff9757288d6a
|
|
|
+ name: email
|
|
|
+ description: 'OpenID Connect built-in scope: email'
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "true"
|
|
|
+ consent.screen.text: ${emailScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 30275ad3-3d25-4e8a-a5ed-696135bb4aa3
|
|
|
+ name: email verified
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-property-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: emailVerified
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: email_verified
|
|
|
+ jsonType.label: boolean
|
|
|
+ - id: b57b56af-774b-4529-880d-15cff8fc2d89
|
|
|
+ name: email
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: email
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: email
|
|
|
+ jsonType.label: String
|
|
|
+ - id: b368511f-a4c6-431b-a8f9-3c807fe5864c
|
|
|
+ name: role_list
|
|
|
+ description: SAML role list
|
|
|
+ protocol: saml
|
|
|
+ attributes:
|
|
|
+ consent.screen.text: ${samlRoleListScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 8acaaa00-bfce-43aa-b07b-35eb598c5c08
|
|
|
+ name: role list
|
|
|
+ protocol: saml
|
|
|
+ protocolMapper: saml-role-list-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ single: "false"
|
|
|
+ attribute.nameformat: Basic
|
|
|
+ attribute.name: Role
|
|
|
+ - id: 65b918f8-4285-4874-8887-55abd5e48815
|
|
|
+ name: phone
|
|
|
+ description: 'OpenID Connect built-in scope: phone'
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "true"
|
|
|
+ consent.screen.text: ${phoneScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 2817b50a-9e0a-4333-b9cb-8bd7347bde4c
|
|
|
+ name: phone number
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: phoneNumber
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: phone_number
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 51c1fe54-8aa6-40ef-9dcf-8296698aef28
|
|
|
+ name: phone number verified
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: phoneNumberVerified
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: phone_number_verified
|
|
|
+ jsonType.label: boolean
|
|
|
+ - id: cbeecdb8-59d2-4ef0-8f5b-b26485b61184
|
|
|
+ name: address
|
|
|
+ description: 'OpenID Connect built-in scope: address'
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "true"
|
|
|
+ consent.screen.text: ${addressScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ protocolMappers:
|
|
|
+ - id: a2ccf3d2-08f6-4874-b731-eb71c505d083
|
|
|
+ name: address
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-address-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ user.attribute.formatted: formatted
|
|
|
+ user.attribute.country: country
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ user.attribute.postal_code: postal_code
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute.street: street
|
|
|
+ id.token.claim: "true"
|
|
|
+ user.attribute.region: region
|
|
|
+ access.token.claim: "true"
|
|
|
+ user.attribute.locality: locality
|
|
|
+ - id: 2a6f8645-780c-4a18-b462-fb5ccab2c111
|
|
|
+ name: basic
|
|
|
+ description: OpenID Connect scope for add all basic claims to the token
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "false"
|
|
|
+ display.on.consent.screen: "false"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 68f5e45f-6ca8-465e-9a5c-f0964b464636
|
|
|
+ name: sub
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-sub-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ - id: e5b82ee8-7491-4a6c-b236-313f4f1b62f9
|
|
|
+ name: auth_time
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usersessionmodel-note-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ user.session.note: AUTH_TIME
|
|
|
+ id.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: auth_time
|
|
|
+ jsonType.label: long
|
|
|
+ - id: e6cbf632-eba3-4658-a241-d8caf53e1a8c
|
|
|
+ name: offline_access
|
|
|
+ description: 'OpenID Connect built-in scope: offline_access'
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ consent.screen.text: ${offlineAccessScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ - id: 8decc1d1-d9e0-4011-b4a4-24d0e82ca51f
|
|
|
+ name: web-origins
|
|
|
+ description: OpenID Connect scope for add allowed web origins to the access token
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "false"
|
|
|
+ consent.screen.text: ""
|
|
|
+ display.on.consent.screen: "false"
|
|
|
+ protocolMappers:
|
|
|
+ - id: 5bec22c6-4887-4332-8a1e-314a6d27e7da
|
|
|
+ name: allowed web origins
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-allowed-origins-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ access.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ - id: c43c0a6a-7f94-4e09-a953-3fa44ebe3040
|
|
|
+ name: profile
|
|
|
+ description: 'OpenID Connect built-in scope: profile'
|
|
|
+ protocol: openid-connect
|
|
|
+ attributes:
|
|
|
+ include.in.token.scope: "true"
|
|
|
+ consent.screen.text: ${profileScopeConsentText}
|
|
|
+ display.on.consent.screen: "true"
|
|
|
+ protocolMappers:
|
|
|
+ - id: b6bf723a-1ae6-45e4-a722-2f9d4e9e5903
|
|
|
+ name: website
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: website
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: website
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 8a16228a-05fd-4707-b5bb-0e25b64d8958
|
|
|
+ name: full name
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-full-name-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ id.token.claim: "true"
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ - id: 37a167d2-747d-4f5d-9f58-204028f56b7d
|
|
|
+ name: locale
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: locale
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: locale
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 8271c267-970e-4091-a010-45521b955c01
|
|
|
+ name: picture
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: picture
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: picture
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 723390b8-7670-43b5-84c9-b67c82703fce
|
|
|
+ name: given name
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: firstName
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: given_name
|
|
|
+ jsonType.label: String
|
|
|
+ - id: cdff8fc1-bc4a-47da-84a5-85fb12c53461
|
|
|
+ name: profile
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: profile
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: profile
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 312ee990-1e0c-4481-88f4-f85fb4ff15f4
|
|
|
+ name: birthdate
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: birthdate
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: birthdate
|
|
|
+ jsonType.label: String
|
|
|
+ - id: 745656de-2692-4e59-80fe-fb59479ea17e
|
|
|
+ name: zoneinfo
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: zoneinfo
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: zoneinfo
|
|
|
+ jsonType.label: String
|
|
|
+ - id: fb78c202-dade-4f93-a5f7-5e5f0d98ef9e
|
|
|
+ name: family name
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: lastName
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: family_name
|
|
|
+ jsonType.label: String
|
|
|
+ - id: a89512e1-d227-4286-86ed-f736bdbb1a4d
|
|
|
+ name: username
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: username
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: preferred_username
|
|
|
+ jsonType.label: String
|
|
|
+ - id: ab4ffdc5-6497-471a-b737-b6c3c712e168
|
|
|
+ name: nickname
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: nickname
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: nickname
|
|
|
+ jsonType.label: String
|
|
|
+ - id: fa71f97d-38b6-413d-898a-57db48cac373
|
|
|
+ name: middle name
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: middleName
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: middle_name
|
|
|
+ jsonType.label: String
|
|
|
+ - id: fb1dce92-54c9-4b16-bcd3-50a49e17264c
|
|
|
+ name: gender
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: gender
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: gender
|
|
|
+ jsonType.label: String
|
|
|
+ - id: aedd6129-df66-4a0b-bc6b-aa25ae7289f7
|
|
|
+ name: updated at
|
|
|
+ protocol: openid-connect
|
|
|
+ protocolMapper: oidc-usermodel-attribute-mapper
|
|
|
+ consentRequired: false
|
|
|
+ config:
|
|
|
+ introspection.token.claim: "true"
|
|
|
+ userinfo.token.claim: "true"
|
|
|
+ user.attribute: updatedAt
|
|
|
+ id.token.claim: "true"
|
|
|
+ access.token.claim: "true"
|
|
|
+ claim.name: updated_at
|
|
|
+ jsonType.label: long
|
|
|
+ defaultDefaultClientScopes:
|
|
|
+ - role_list
|
|
|
+ - saml_organization
|
|
|
+ - profile
|
|
|
+ - email
|
|
|
+ - roles
|
|
|
+ - web-origins
|
|
|
+ - acr
|
|
|
+ - basic
|
|
|
+ defaultOptionalClientScopes:
|
|
|
+ - offline_access
|
|
|
+ - address
|
|
|
+ - phone
|
|
|
+ - microprofile-jwt
|
|
|
+ - organization
|
|
|
+ browserSecurityHeaders:
|
|
|
+ contentSecurityPolicyReportOnly: ""
|
|
|
+ xContentTypeOptions: nosniff
|
|
|
+ referrerPolicy: no-referrer
|
|
|
+ xRobotsTag: none
|
|
|
+ xFrameOptions: SAMEORIGIN
|
|
|
+ contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
|
|
|
+ strictTransportSecurity: max-age=31536000; includeSubDomains
|
|
|
+ smtpServer: {}
|
|
|
+ eventsEnabled: false
|
|
|
+ eventsListeners:
|
|
|
+ - jboss-logging
|
|
|
+ enabledEventTypes: []
|
|
|
+ adminEventsEnabled: false
|
|
|
+ adminEventsDetailsEnabled: false
|
|
|
+ identityProviders: []
|
|
|
+ identityProviderMappers: []
|
|
|
+ components:
|
|
|
+ org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy:
|
|
|
+ - id: ba4ccc2d-b4af-4661-b02e-6730f779575f
|
|
|
+ name: Max Clients Limit
|
|
|
+ providerId: max-clients
|
|
|
+ subType: anonymous
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ max-clients:
|
|
|
+ - "200"
|
|
|
+ - id: b85a6a84-7340-424e-81dc-6f3547aa22e1
|
|
|
+ name: Full Scope Disabled
|
|
|
+ providerId: scope
|
|
|
+ subType: anonymous
|
|
|
+ subComponents: {}
|
|
|
+ config: {}
|
|
|
+ - id: 4c301a96-61e9-4786-89cb-4eaf2677028f
|
|
|
+ name: Allowed Protocol Mapper Types
|
|
|
+ providerId: allowed-protocol-mappers
|
|
|
+ subType: anonymous
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ allowed-protocol-mapper-types:
|
|
|
+ - oidc-sha256-pairwise-sub-mapper
|
|
|
+ - saml-user-attribute-mapper
|
|
|
+ - saml-user-property-mapper
|
|
|
+ - oidc-address-mapper
|
|
|
+ - oidc-usermodel-property-mapper
|
|
|
+ - oidc-full-name-mapper
|
|
|
+ - saml-role-list-mapper
|
|
|
+ - oidc-usermodel-attribute-mapper
|
|
|
+ - id: e3f990bf-5977-4b35-a3dd-b8ac9b26061c
|
|
|
+ name: Trusted Hosts
|
|
|
+ providerId: trusted-hosts
|
|
|
+ subType: anonymous
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ host-sending-registration-request-must-match:
|
|
|
+ - "true"
|
|
|
+ client-uris-must-match:
|
|
|
+ - "true"
|
|
|
+ - id: d2ebfe03-3f09-42b7-8c3c-1ca5caba76ff
|
|
|
+ name: Allowed Protocol Mapper Types
|
|
|
+ providerId: allowed-protocol-mappers
|
|
|
+ subType: authenticated
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ allowed-protocol-mapper-types:
|
|
|
+ - saml-user-attribute-mapper
|
|
|
+ - saml-user-property-mapper
|
|
|
+ - oidc-sha256-pairwise-sub-mapper
|
|
|
+ - saml-role-list-mapper
|
|
|
+ - oidc-address-mapper
|
|
|
+ - oidc-usermodel-attribute-mapper
|
|
|
+ - oidc-full-name-mapper
|
|
|
+ - oidc-usermodel-property-mapper
|
|
|
+ - id: f00c2333-6f60-4c51-8f31-2a1a14cc1a18
|
|
|
+ name: Consent Required
|
|
|
+ providerId: consent-required
|
|
|
+ subType: anonymous
|
|
|
+ subComponents: {}
|
|
|
+ config: {}
|
|
|
+ - id: a5188a3a-9351-4098-bb13-14b8b56c9370
|
|
|
+ name: Allowed Client Scopes
|
|
|
+ providerId: allowed-client-templates
|
|
|
+ subType: anonymous
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ allow-default-scopes:
|
|
|
+ - "true"
|
|
|
+ - id: 40489ce4-34f4-41ad-8dfd-6bd20eef0b3a
|
|
|
+ name: Allowed Client Scopes
|
|
|
+ providerId: allowed-client-templates
|
|
|
+ subType: authenticated
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ allow-default-scopes:
|
|
|
+ - "true"
|
|
|
+ org.keycloak.keys.KeyProvider:
|
|
|
+ - id: e75ab818-8af9-45e1-955d-858008455ee1
|
|
|
+ name: hmac-generated-hs512
|
|
|
+ providerId: hmac-generated
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ priority:
|
|
|
+ - "100"
|
|
|
+ algorithm:
|
|
|
+ - HS512
|
|
|
+ - id: a8107baf-ac14-4170-9f5f-d88e7e8641ac
|
|
|
+ name: aes-generated
|
|
|
+ providerId: aes-generated
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ priority:
|
|
|
+ - "100"
|
|
|
+ - id: 708c706a-6c14-4735-8ce0-184e4d45f20d
|
|
|
+ name: rsa-enc-generated
|
|
|
+ providerId: rsa-enc-generated
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ priority:
|
|
|
+ - "100"
|
|
|
+ algorithm:
|
|
|
+ - RSA-OAEP
|
|
|
+ - id: 0a770315-2818-4f3f-b6cf-2da39c98ea08
|
|
|
+ name: rsa-generated
|
|
|
+ providerId: rsa-generated
|
|
|
+ subComponents: {}
|
|
|
+ config:
|
|
|
+ priority:
|
|
|
+ - "100"
|
|
|
+ internationalizationEnabled: false
|
|
|
+ supportedLocales: []
|
|
|
+ authenticationFlows:
|
|
|
+ - id: fcd55c8d-af04-4f3a-8d95-f2b8822d9419
|
|
|
+ alias: Account verification options
|
|
|
+ description: Method with which to verity the existing account
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: idp-email-verification
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Verify Existing Account by Re-authentication
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: d9aa6da8-f0e1-4382-ae72-db059f0a0432
|
|
|
+ alias: Browser - Conditional OTP
|
|
|
+ description: Flow to determine if the OTP is required for the authentication
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: conditional-user-configured
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: auth-otp-form
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 45e1dbb4-03ea-4215-b0fc-1a3d4055735d
|
|
|
+ alias: Browser - Conditional Organization
|
|
|
+ description: Flow to determine if the organization identity-first login is to be used
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: conditional-user-configured
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: organization
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: a242ecf3-51cf-4ebc-bbca-09afa132ddb9
|
|
|
+ alias: Direct Grant - Conditional OTP
|
|
|
+ description: Flow to determine if the OTP is required for the authentication
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: conditional-user-configured
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: direct-grant-validate-otp
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 9d666bad-2193-49a8-a001-9fd24459368f
|
|
|
+ alias: First Broker Login - Conditional Organization
|
|
|
+ description: Flow to determine if the authenticator that adds organization members is to be used
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: conditional-user-configured
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: idp-add-organization-member
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 75bacb96-eff3-45e4-a730-bb787812c644
|
|
|
+ alias: First broker login - Conditional OTP
|
|
|
+ description: Flow to determine if the OTP is required for the authentication
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: conditional-user-configured
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: auth-otp-form
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 5c1a2783-f6d3-4411-a70b-aff534388222
|
|
|
+ alias: Handle Existing Account
|
|
|
+ description: Handle what to do if there is existing account with same email/username like authenticated identity provider
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: idp-confirm-link
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Account verification options
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 981a45fd-33b4-4e8b-b565-f0f0c21fce1a
|
|
|
+ alias: Organization
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: CONDITIONAL
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Browser - Conditional Organization
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: cc33ee5d-58d1-49f4-9084-67a443b9bddc
|
|
|
+ alias: Reset - Conditional OTP
|
|
|
+ description: Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: conditional-user-configured
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: reset-otp
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: f4b9279a-08f0-4b22-a2e1-abfafec02de6
|
|
|
+ alias: User creation or linking
|
|
|
+ description: Flow for the existing/non-existing user alternatives
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticatorConfig: create unique user config
|
|
|
+ authenticator: idp-create-user-if-unique
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Handle Existing Account
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 91cc2815-09c5-4f82-a1fc-62a2fc32327d
|
|
|
+ alias: Verify Existing Account by Re-authentication
|
|
|
+ description: Reauthentication of existing account
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: idp-username-password-form
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: CONDITIONAL
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: First broker login - Conditional OTP
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 0455fc78-3bd3-4fa1-a73a-f1c9a80e7293
|
|
|
+ alias: browser
|
|
|
+ description: Browser based authentication
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: auth-cookie
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: auth-spnego
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: DISABLED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: identity-provider-redirector
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 25
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 26
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Organization
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 30
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: forms
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 78bc6381-5d50-4220-a7b5-a0a2e697cd5e
|
|
|
+ alias: clients
|
|
|
+ description: Base authentication for clients
|
|
|
+ providerId: client-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: client-secret
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: client-jwt
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: client-secret-jwt
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 30
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: client-x509
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: ALTERNATIVE
|
|
|
+ priority: 40
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 0fd8e9bd-1616-4810-8a2c-2862ecc62312
|
|
|
+ alias: direct grant
|
|
|
+ description: OpenID Connect Resource Owner Grant
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: direct-grant-validate-username
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: direct-grant-validate-password
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: CONDITIONAL
|
|
|
+ priority: 30
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Direct Grant - Conditional OTP
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 03035827-7537-4b94-831f-3184d98d6d26
|
|
|
+ alias: docker auth
|
|
|
+ description: Used by Docker clients to authenticate against the IDP
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: docker-http-basic-authenticator
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 1a9fdcb1-591e-412b-a8ee-37de4ec78191
|
|
|
+ alias: first broker login
|
|
|
+ description: Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticatorConfig: review profile config
|
|
|
+ authenticator: idp-review-profile
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: User creation or linking
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: CONDITIONAL
|
|
|
+ priority: 50
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: First Broker Login - Conditional Organization
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 63b86089-a556-42cb-8e25-71913e1bd9cd
|
|
|
+ alias: forms
|
|
|
+ description: Username, password, otp and other auth forms.
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: auth-username-password-form
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: CONDITIONAL
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Browser - Conditional OTP
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 0b1d0824-a9f2-4819-8049-28dc559c66a0
|
|
|
+ alias: registration
|
|
|
+ description: Registration flow
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: registration-page-form
|
|
|
+ authenticatorFlow: true
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: registration form
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: a5fa008b-f069-404e-8767-a2ed5687262f
|
|
|
+ alias: registration form
|
|
|
+ description: Registration form
|
|
|
+ providerId: form-flow
|
|
|
+ topLevel: false
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: registration-user-creation
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: registration-password-action
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 50
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: registration-recaptcha-action
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: DISABLED
|
|
|
+ priority: 60
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: registration-terms-and-conditions
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: DISABLED
|
|
|
+ priority: 70
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: fef3d2a2-bbc2-4c5f-834f-f4014f6a699c
|
|
|
+ alias: reset credentials
|
|
|
+ description: Reset credentials for a user if they forgot their password or something
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: reset-credentials-choose-user
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: reset-credential-email
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 20
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticator: reset-password
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 30
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ - authenticatorFlow: true
|
|
|
+ requirement: CONDITIONAL
|
|
|
+ priority: 40
|
|
|
+ autheticatorFlow: true
|
|
|
+ flowAlias: Reset - Conditional OTP
|
|
|
+ userSetupAllowed: false
|
|
|
+ - id: 52cd82c9-fd89-44f3-9c2c-34b103872607
|
|
|
+ alias: saml ecp
|
|
|
+ description: SAML ECP Profile Authentication Flow
|
|
|
+ providerId: basic-flow
|
|
|
+ topLevel: true
|
|
|
+ builtIn: true
|
|
|
+ authenticationExecutions:
|
|
|
+ - authenticator: http-basic-authenticator
|
|
|
+ authenticatorFlow: false
|
|
|
+ requirement: REQUIRED
|
|
|
+ priority: 10
|
|
|
+ autheticatorFlow: false
|
|
|
+ userSetupAllowed: false
|
|
|
+ authenticatorConfig:
|
|
|
+ - id: 99ecab09-1a65-49e2-9e9a-61962bd969ee
|
|
|
+ alias: create unique user config
|
|
|
+ config:
|
|
|
+ require.password.update.after.registration: "false"
|
|
|
+ - id: 25245a79-e0b9-4038-9723-3a918dea2a9d
|
|
|
+ alias: review profile config
|
|
|
+ config:
|
|
|
+ update.profile.on.first.login: missing
|
|
|
+ requiredActions:
|
|
|
+ - alias: CONFIGURE_TOTP
|
|
|
+ name: Configure OTP
|
|
|
+ providerId: CONFIGURE_TOTP
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 10
|
|
|
+ config: {}
|
|
|
+ - alias: TERMS_AND_CONDITIONS
|
|
|
+ name: Terms and Conditions
|
|
|
+ providerId: TERMS_AND_CONDITIONS
|
|
|
+ enabled: false
|
|
|
+ defaultAction: false
|
|
|
+ priority: 20
|
|
|
+ config: {}
|
|
|
+ - alias: UPDATE_PASSWORD
|
|
|
+ name: Update Password
|
|
|
+ providerId: UPDATE_PASSWORD
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 30
|
|
|
+ config: {}
|
|
|
+ - alias: UPDATE_PROFILE
|
|
|
+ name: Update Profile
|
|
|
+ providerId: UPDATE_PROFILE
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 40
|
|
|
+ config: {}
|
|
|
+ - alias: VERIFY_EMAIL
|
|
|
+ name: Verify Email
|
|
|
+ providerId: VERIFY_EMAIL
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 50
|
|
|
+ config: {}
|
|
|
+ - alias: delete_account
|
|
|
+ name: Delete Account
|
|
|
+ providerId: delete_account
|
|
|
+ enabled: false
|
|
|
+ defaultAction: false
|
|
|
+ priority: 60
|
|
|
+ config: {}
|
|
|
+ - alias: webauthn-register
|
|
|
+ name: Webauthn Register
|
|
|
+ providerId: webauthn-register
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 70
|
|
|
+ config: {}
|
|
|
+ - alias: webauthn-register-passwordless
|
|
|
+ name: Webauthn Register Passwordless
|
|
|
+ providerId: webauthn-register-passwordless
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 80
|
|
|
+ config: {}
|
|
|
+ - alias: VERIFY_PROFILE
|
|
|
+ name: Verify Profile
|
|
|
+ providerId: VERIFY_PROFILE
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 90
|
|
|
+ config: {}
|
|
|
+ - alias: delete_credential
|
|
|
+ name: Delete Credential
|
|
|
+ providerId: delete_credential
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 100
|
|
|
+ config: {}
|
|
|
+ - alias: update_user_locale
|
|
|
+ name: Update User Locale
|
|
|
+ providerId: update_user_locale
|
|
|
+ enabled: true
|
|
|
+ defaultAction: false
|
|
|
+ priority: 1000
|
|
|
+ config: {}
|
|
|
+ browserFlow: browser
|
|
|
+ registrationFlow: registration
|
|
|
+ directGrantFlow: direct grant
|
|
|
+ resetCredentialsFlow: reset credentials
|
|
|
+ clientAuthenticationFlow: clients
|
|
|
+ dockerAuthenticationFlow: docker auth
|
|
|
+ firstBrokerLoginFlow: first broker login
|
|
|
+ attributes:
|
|
|
+ cibaBackchannelTokenDeliveryMode: poll
|
|
|
+ cibaExpiresIn: "120"
|
|
|
+ cibaAuthRequestedUserHint: login_hint
|
|
|
+ oauth2DeviceCodeLifespan: "600"
|
|
|
+ oauth2DevicePollingInterval: "5"
|
|
|
+ parRequestUriLifespan: "60"
|
|
|
+ cibaInterval: "5"
|
|
|
+ realmReusableOtpCode: "false"
|
|
|
+ keycloakVersion: 26.2.7.redhat-00001
|
|
|
+ userManagedAccessAllowed: false
|
|
|
+ organizationsEnabled: false
|
|
|
+ verifiableCredentialsEnabled: false
|
|
|
+ adminPermissionsEnabled: false
|
|
|
+ clientProfiles:
|
|
|
+ profiles: []
|
|
|
+ clientPolicies:
|
|
|
+ policies: []
|
