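---
# KeycloakRealmImport for the Keycloak / RHBK operator, rendered as a Jinja
# template. Every rhbk.* input is optional and falls back to the default given
# in its expression. The realm body is a Keycloak realm export (built-in roles,
# clients, client scopes, registration policies and key providers) plus one
# confidential "openshift" OIDC client.
#
# Templated inputs (all under rhbk.*):
#   name                     Keycloak CR this import targets (default: sso)
#   namespace                namespace of that CR (default: keycloak)
#   realm                    realm name (default: sample-realm); also used for
#                            the built-in account/admin console paths, which
#                            the export had pinned to a literal realm name
#   openshift_oauth_url      OpenShift OAuth server URL for the openshift client
#                            (default: the example.com placeholder below)
#   openshift_client_secret  secret of the openshift client; the default is a
#                            placeholder and must be overridden outside the repo
{% set realm_name = rhbk.realm | default('sample-realm') %}
{% set openshift_oauth_url = rhbk.openshift_oauth_url | default('https://oauth-openshift.apps.ocp4.example.com') %}
apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: "{{ rhbk.name | default('sso') }}-{{ realm_name }}-import"
  namespace: "{{ rhbk.namespace | default('keycloak') }}"
spec:
  keycloakCRName: "{{ rhbk.name | default('sso') }}"
  realm:
    id: be41fdb1-be4d-431d-be3c-adb5ad3a071a
    realm: "{{ realm_name }}"
    notBefore: 0
    defaultSignatureAlgorithm: RS256
    # Token / session lifetimes are in seconds.
    revokeRefreshToken: false
    refreshTokenMaxReuse: 0
    accessTokenLifespan: 300
    accessTokenLifespanForImplicitFlow: 900
    ssoSessionIdleTimeout: 1800
    ssoSessionMaxLifespan: 36000
    ssoSessionIdleTimeoutRememberMe: 0
    ssoSessionMaxLifespanRememberMe: 0
    offlineSessionIdleTimeout: 2592000
    offlineSessionMaxLifespanEnabled: false
    offlineSessionMaxLifespan: 5184000
    clientSessionIdleTimeout: 0
    clientSessionMaxLifespan: 0
    clientOfflineSessionIdleTimeout: 0
    clientOfflineSessionMaxLifespan: 0
    accessCodeLifespan: 60
    accessCodeLifespanUserAction: 300
    accessCodeLifespanLogin: 1800
    actionTokenGeneratedByAdminLifespan: 43200
    actionTokenGeneratedByUserLifespan: 300
    oauth2DeviceCodeLifespan: 600
    oauth2DevicePollingInterval: 5
    enabled: true
    # "external" enforces TLS only for requests from non-private addresses;
    # use "all" if cluster-internal clients must also be forced onto TLS.
    sslRequired: external
    registrationAllowed: false
    registrationEmailAsUsername: false
    rememberMe: false
    verifyEmail: false
    loginWithEmailAllowed: false
    duplicateEmailsAllowed: false
    resetPasswordAllowed: false
    editUsernameAllowed: false
    # Brute-force detection is off; the lockout parameters below only take
    # effect once bruteForceProtected is true.
    bruteForceProtected: false
    permanentLockout: false
    maxTemporaryLockouts: 0
    bruteForceStrategy: MULTIPLE
    maxFailureWaitSeconds: 900
    minimumQuickLoginWaitSeconds: 60
    waitIncrementSeconds: 60
    quickLoginCheckMilliSeconds: 1000
    maxDeltaTimeSeconds: 43200
    failureFactor: 30
    roles:
      realm:
        - id: e7d9d76c-bfa9-4aa3-b67c-652fe88b1a25
          name: offline_access
          description: ${role_offline-access}
          composite: false
          clientRole: false
          containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
          attributes: {}
        # Default role granted to every user; its name follows Keycloak's
        # default-roles-<realm> convention and must match defaultRole below.
        - id: 07fabbc5-4576-4ccc-985e-c0e9ef48d5b9
          name: "default-roles-{{ realm_name }}"
          description: ${role_default-roles}
          composite: true
          composites:
            realm:
              - offline_access
              - uma_authorization
            client:
              account:
                - view-profile
                - manage-account
          clientRole: false
          containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
          attributes: {}
        - id: 1e3afeb8-c039-4815-868c-33bbafed28f4
          name: uma_authorization
          description: ${role_uma_authorization}
          composite: false
          clientRole: false
          containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
          attributes: {}
      client:
        # Administrative roles of this realm (containerId is the
        # realm-management client).
        realm-management:
          - id: 1f2346c9-4576-40ae-b1ab-0c7895d82776
            name: create-client
            description: ${role_create-client}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 72effb10-55aa-4ba6-9897-7b969878b4c2
            name: query-clients
            description: ${role_query-clients}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 5162b108-5ac3-43de-8a3c-b93ac6d833e1
            name: view-identity-providers
            description: ${role_view-identity-providers}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 4679477a-0e55-44b8-a795-f61c841dd7ea
            name: impersonation
            description: ${role_impersonation}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 158932a4-ec77-48ad-b967-15d3877b302b
            name: view-authorization
            description: ${role_view-authorization}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 4728cec2-0c01-45eb-9620-a71522ef9747
            name: view-realm
            description: ${role_view-realm}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: ce60989a-b977-4817-8add-06050e9e1539
            name: manage-clients
            description: ${role_manage-clients}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 837fe3ea-27b4-4167-a466-645e8f738f2e
            name: manage-users
            description: ${role_manage-users}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 574f9232-c48b-49fc-b24c-4f868f28ee49
            name: query-realms
            description: ${role_query-realms}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 952a7293-2733-4d64-a5ba-0b98d39f1a8c
            name: view-users
            description: ${role_view-users}
            composite: true
            composites:
              client:
                realm-management:
                  - query-groups
                  - query-users
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          # realm-admin aggregates every other realm-management role.
          - id: 58e37045-4a6a-4292-b849-b458fe15272e
            name: realm-admin
            description: ${role_realm-admin}
            composite: true
            composites:
              client:
                realm-management:
                  - create-client
                  - query-clients
                  - view-identity-providers
                  - impersonation
                  - view-authorization
                  - view-realm
                  - manage-users
                  - manage-clients
                  - query-realms
                  - view-users
                  - manage-realm
                  - manage-authorization
                  - query-groups
                  - manage-events
                  - manage-identity-providers
                  - view-clients
                  - view-events
                  - query-users
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 180792d6-17b5-4369-8d9f-5e9d7c1abecd
            name: manage-realm
            description: ${role_manage-realm}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 865608a3-b3c8-492d-a99f-35acbbc95df5
            name: manage-authorization
            description: ${role_manage-authorization}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: d67afc38-e298-48ae-883d-84b90e2acc87
            name: query-groups
            description: ${role_query-groups}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: aa372a48-8435-4923-b125-6bae2e735a75
            name: manage-events
            description: ${role_manage-events}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: ca44e368-d20a-445b-b5db-1a79f4551cf7
            name: manage-identity-providers
            description: ${role_manage-identity-providers}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 58dfbd59-c730-46ad-a0ce-e4712b130133
            name: view-clients
            description: ${role_view-clients}
            composite: true
            composites:
              client:
                realm-management:
                  - query-clients
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: e67476ef-5630-42d2-9ec7-9cda35a6ff03
            name: query-users
            description: ${role_query-users}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: edb64667-b054-4f32-80b3-19cb8dab52a4
            name: view-events
            description: ${role_view-events}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
        security-admin-console: []
        openshift: []
        admin-cli: []
        account-console: []
        broker:
          - id: cfa9110f-d928-43e5-b71f-0970206dc7c7
            name: read-token
            description: ${role_read-token}
            composite: false
            clientRole: true
            containerId: a18de74b-25e5-4225-bbab-743752fc2f77
            attributes: {}
        # Self-service roles of the account console (containerId is the
        # account client).
        account:
          - id: 0a363300-38e4-4477-b0eb-b29f58506d81
            name: delete-account
            description: ${role_delete-account}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 2c2d6b40-bd69-4561-802d-97b8dcf08a9d
            name: manage-consent
            description: ${role_manage-consent}
            composite: true
            composites:
              client:
                account:
                  - view-consent
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 7b66ea32-a92c-4152-9435-b36d5c998bf4
            name: view-profile
            description: ${role_view-profile}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 26cc6356-b198-498a-8fd5-b6c55266044e
            name: manage-account
            description: ${role_manage-account}
            composite: true
            composites:
              client:
                account:
                  - manage-account-links
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 7d07a1ab-7994-47d8-88ad-5c91ea422722
            name: manage-account-links
            description: ${role_manage-account-links}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: ecc23404-4281-4c90-aed4-375fd0fc0d37
            name: view-applications
            description: ${role_view-applications}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 1f3da55f-0458-496b-b9f2-f10496d28ab5
            name: view-groups
            description: ${role_view-groups}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 5aaab517-1ce9-465d-abc8-936cffca1bc3
            name: view-consent
            description: ${role_view-consent}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
    groups: []
    # Must reference the default-roles realm role defined above (same id/name).
    defaultRole:
      id: 07fabbc5-4576-4ccc-985e-c0e9ef48d5b9
      name: "default-roles-{{ realm_name }}"
      description: ${role_default-roles}
      composite: true
      clientRole: false
      containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
    requiredCredentials:
      - password
    otpPolicyType: totp
    otpPolicyAlgorithm: HmacSHA1
    otpPolicyInitialCounter: 0
    otpPolicyDigits: 6
    otpPolicyLookAheadWindow: 1
    otpPolicyPeriod: 30
    otpPolicyCodeReusable: false
    otpSupportedApplications:
      - totpAppFreeOTPName
      - totpAppGoogleName
      - totpAppMicrosoftAuthenticatorName
    localizationTexts: {}
    # WebAuthn (two-factor) policy.
    webAuthnPolicyRpEntityName: keycloak
    webAuthnPolicySignatureAlgorithms:
      - ES256
      - RS256
    webAuthnPolicyRpId: ""
    webAuthnPolicyAttestationConveyancePreference: not specified
    webAuthnPolicyAuthenticatorAttachment: not specified
    webAuthnPolicyRequireResidentKey: not specified
    webAuthnPolicyUserVerificationRequirement: not specified
    webAuthnPolicyCreateTimeout: 0
    webAuthnPolicyAvoidSameAuthenticatorRegister: false
    webAuthnPolicyAcceptableAaguids: []
    webAuthnPolicyExtraOrigins: []
    # WebAuthn (passwordless) policy.
    webAuthnPolicyPasswordlessRpEntityName: keycloak
    webAuthnPolicyPasswordlessSignatureAlgorithms:
      - ES256
      - RS256
    webAuthnPolicyPasswordlessRpId: ""
    webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified
    webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified
    webAuthnPolicyPasswordlessRequireResidentKey: not specified
    webAuthnPolicyPasswordlessUserVerificationRequirement: not specified
    webAuthnPolicyPasswordlessCreateTimeout: 0
    webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false
    webAuthnPolicyPasswordlessAcceptableAaguids: []
    webAuthnPolicyPasswordlessExtraOrigins: []
    scopeMappings:
      - clientScope: offline_access
        roles:
          - offline_access
    clientScopeMappings:
      account:
        - client: account-console
          roles:
            - manage-account
            - view-groups
    clients:
      # Built-in account client; its paths are relative to rootUrl and must
      # carry the realm name of this import, not the one the export came from.
      - id: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
        clientId: account
        name: ${client_account}
        rootUrl: ${authBaseUrl}
        baseUrl: "/realms/{{ realm_name }}/account/"
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - "/realms/{{ realm_name }}/account/*"
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          # "+" means: allow every registered redirect URI.
          post.logout.redirect.uris: "+"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: 26ee53a2-3acc-4f86-bb03-8ef53f4c4619
        clientId: account-console
        name: ${client_account-console}
        rootUrl: ${authBaseUrl}
        baseUrl: "/realms/{{ realm_name }}/account/"
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - "/realms/{{ realm_name }}/account/*"
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          post.logout.redirect.uris: "+"
          pkce.code.challenge.method: S256
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        protocolMappers:
          - id: d5f30f3a-684a-41ec-b423-70179bcb7550
            name: audience resolve
            protocol: openid-connect
            protocolMapper: oidc-audience-resolve-mapper
            consentRequired: false
            config: {}
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: de8c83c0-f8d4-4ea4-9243-3c8eb8e3320b
        clientId: admin-cli
        name: ${client_admin-cli}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: false
        implicitFlowEnabled: false
        directAccessGrantsEnabled: true
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          client.use.lightweight.access.token.enabled: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: a18de74b-25e5-4225-bbab-743752fc2f77
        clientId: broker
        name: ${client_broker}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: true
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      # Confidential client used by the OpenShift OAuth server as an OIDC
      # identity provider. The only non-built-in client in this realm.
      - id: 95b6c1c6-3787-4442-b512-527ff51d2670
        clientId: openshift
        name: "OpenShift OIDC Client"
        description: ""
        rootUrl: "{{ openshift_oauth_url }}"
        adminUrl: "{{ openshift_oauth_url }}"
        baseUrl: ""
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        # The default is a placeholder committed with the sample; supply
        # rhbk.openshift_client_secret from a vault/secret store in real use.
        secret: "{{ rhbk.openshift_client_secret | default('verysecret') }}"
        redirectUris:
          - "{{ openshift_oauth_url }}/*"
        webOrigins:
          - "{{ openshift_oauth_url }}"
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        # Enables the resource-owner password grant for this client; the
        # OpenShift OAuth integration only needs the authorization-code flow.
        directAccessGrantsEnabled: true
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: true
        protocol: openid-connect
        attributes:
          client.secret.creation.time: "1755544217"
          request.object.signature.alg: any
          request.object.encryption.alg: any
          client.introspection.response.allow.jwt.claim.enabled: "false"
          standard.token.exchange.enabled: "false"
          frontchannel.logout.session.required: "true"
          oauth2.device.authorization.grant.enabled: "false"
          use.jwks.url: "false"
          backchannel.logout.revoke.offline.tokens: "false"
          use.refresh.tokens: "true"
          realm_client: "false"
          oidc.ciba.grant.enabled: "false"
          client.use.lightweight.access.token.enabled: "false"
          backchannel.logout.session.required: "true"
          client_credentials.use_refresh_token: "false"
          request.object.required: not required
          access.token.header.type.rfc9068: "false"
          acr.loa.map: '{}'
          require.pushed.authorization.requests: "false"
          tls.client.certificate.bound.access.tokens: "false"
          display.on.consent.screen: "false"
          request.object.encryption.enc: any
          token.response.type.bearer.lower-case: "false"
        authenticationFlowBindingOverrides: {}
        # Tokens for this client carry every realm/client role of the user
        # rather than only the scopes it is mapped to.
        fullScopeAllowed: true
        nodeReRegistrationTimeout: -1
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: 1544ec14-3f4a-4601-8f98-a3698afb78c9
        clientId: realm-management
        name: ${client_realm-management}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: true
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      # Built-in admin console client; same realm-name dependency as "account".
      - id: 64228e4f-5e45-43e2-840d-3ea67fbb1356
        clientId: security-admin-console
        name: ${client_security-admin-console}
        rootUrl: ${authAdminUrl}
        baseUrl: "/admin/{{ realm_name }}/console/"
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - "/admin/{{ realm_name }}/console/*"
        webOrigins:
          - "+"
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          client.use.lightweight.access.token.enabled: "true"
          post.logout.redirect.uris: "+"
          pkce.code.challenge.method: S256
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: 0
        protocolMappers:
          - id: 05393481-79e3-4c5d-be72-b21fa1b2cf6f
            name: locale
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: locale
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: locale
              jsonType.label: String
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
    # Built-in client scopes and their protocol mappers.
    clientScopes:
      - id: da242fab-a8d0-4aa0-9e10-8212440b4b3b
        name: roles
        description: OpenID Connect scope for add user roles to the access token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          consent.screen.text: ${rolesScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 8ae03c9d-7b0b-4c41-baaa-54327e15d4fe
            name: client roles
            protocol: openid-connect
            protocolMapper: oidc-usermodel-client-role-mapper
            consentRequired: false
            config:
              user.attribute: foo
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: resource_access.${client_id}.roles
              jsonType.label: String
              multivalued: "true"
          - id: 7ed4a8f3-73ef-4c76-a68c-2abdb7111505
            name: realm roles
            protocol: openid-connect
            protocolMapper: oidc-usermodel-realm-role-mapper
            consentRequired: false
            config:
              user.attribute: foo
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: realm_access.roles
              jsonType.label: String
              multivalued: "true"
          - id: a354f9c9-579d-44f3-9d90-6fbbe5739c50
            name: audience resolve
            protocol: openid-connect
            protocolMapper: oidc-audience-resolve-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              access.token.claim: "true"
      - id: 4a60daed-92f6-4646-80bc-78e8bb5097a5
        name: service_account
        description: Specific scope for a client enabled for service accounts
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: c6ba4bf2-70c9-429d-8f11-7e7a94b6072c
            name: Client Host
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: clientHost
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: clientHost
              jsonType.label: String
          - id: 8afd36a6-b5e9-42a8-96be-d64cd70ecc1e
            name: Client IP Address
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: clientAddress
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: clientAddress
              jsonType.label: String
          - id: aba0ce6b-a46a-4beb-9f24-364fbc2d7f72
            name: Client ID
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: client_id
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: client_id
              jsonType.label: String
      - id: 308782b7-ab41-49ff-9e1a-de9a22b252df
        name: organization
        description: Additional claims about the organization a subject belongs to
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${organizationScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: a49de63c-2c91-45b7-9f87-6646ee2a8560
            name: organization
            protocol: openid-connect
            protocolMapper: oidc-organization-membership-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: organization
              jsonType.label: String
              multivalued: "true"
      - id: ddc162b7-ae46-469a-88da-8e6fd882fef2
        name: microprofile-jwt
        description: Microprofile - JWT built-in scope
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 0aceceda-de29-4dfd-b282-79c1a4b1f01e
            name: upn
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: username
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: upn
              jsonType.label: String
          - id: bbacf398-7509-43c2-a6a2-f72b7a151dde
            name: groups
            protocol: openid-connect
            protocolMapper: oidc-usermodel-realm-role-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              multivalued: "true"
              user.attribute: foo
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: groups
              jsonType.label: String
      - id: 52d6d297-de58-47a4-8272-858cb1957dc5
        name: saml_organization
        description: Organization Membership
        protocol: saml
        attributes:
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 53757c9d-732c-4274-95ff-fb36bcb68612
            name: organization
            protocol: saml
            protocolMapper: saml-organization-membership-mapper
            consentRequired: false
            config: {}
      - id: b0f1af41-d217-47e2-ad46-90d333fc933c
        name: acr
        description: OpenID Connect scope for add acr (authentication context class reference) to the token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: f511c418-885e-4def-a61c-46a2036ea16d
            name: acr loa level
            protocol: openid-connect
            protocolMapper: oidc-acr-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              access.token.claim: "true"
              introspection.token.claim: "true"
      - id: 3d18a857-3e55-46f8-85e8-ff9757288d6a
        name: email
        description: 'OpenID Connect built-in scope: email'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${emailScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 30275ad3-3d25-4e8a-a5ed-696135bb4aa3
            name: email verified
            protocol: openid-connect
            protocolMapper: oidc-usermodel-property-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: emailVerified
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: email_verified
              jsonType.label: boolean
          - id: b57b56af-774b-4529-880d-15cff8fc2d89
            name: email
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: email
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: email
              jsonType.label: String
      - id: b368511f-a4c6-431b-a8f9-3c807fe5864c
        name: role_list
        description: SAML role list
        protocol: saml
        attributes:
          consent.screen.text: ${samlRoleListScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 8acaaa00-bfce-43aa-b07b-35eb598c5c08
            name: role list
            protocol: saml
            protocolMapper: saml-role-list-mapper
            consentRequired: false
            config:
              single: "false"
              attribute.nameformat: Basic
              attribute.name: Role
      - id: 65b918f8-4285-4874-8887-55abd5e48815
        name: phone
        description: 'OpenID Connect built-in scope: phone'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${phoneScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 2817b50a-9e0a-4333-b9cb-8bd7347bde4c
            name: phone number
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: phoneNumber
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: phone_number
              jsonType.label: String
          - id: 51c1fe54-8aa6-40ef-9dcf-8296698aef28
            name: phone number verified
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: phoneNumberVerified
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: phone_number_verified
              jsonType.label: boolean
      - id: cbeecdb8-59d2-4ef0-8f5b-b26485b61184
        name: address
        description: 'OpenID Connect built-in scope: address'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${addressScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: a2ccf3d2-08f6-4874-b731-eb71c505d083
            name: address
            protocol: openid-connect
            protocolMapper: oidc-address-mapper
            consentRequired: false
            config:
              user.attribute.formatted: formatted
              user.attribute.country: country
              introspection.token.claim: "true"
              user.attribute.postal_code: postal_code
              userinfo.token.claim: "true"
              user.attribute.street: street
              id.token.claim: "true"
              user.attribute.region: region
              access.token.claim: "true"
              user.attribute.locality: locality
      - id: 2a6f8645-780c-4a18-b462-fb5ccab2c111
        name: basic
        description: OpenID Connect scope for add all basic claims to the token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 68f5e45f-6ca8-465e-9a5c-f0964b464636
            name: sub
            protocol: openid-connect
            protocolMapper: oidc-sub-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              access.token.claim: "true"
          - id: e5b82ee8-7491-4a6c-b236-313f4f1b62f9
            name: auth_time
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: AUTH_TIME
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: auth_time
              jsonType.label: long
      - id: e6cbf632-eba3-4658-a241-d8caf53e1a8c
        name: offline_access
        description: 'OpenID Connect built-in scope: offline_access'
        protocol: openid-connect
        attributes:
          consent.screen.text: ${offlineAccessScopeConsentText}
          display.on.consent.screen: "true"
      - id: 8decc1d1-d9e0-4011-b4a4-24d0e82ca51f
        name: web-origins
        description: OpenID Connect scope for add allowed web origins to the access token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          consent.screen.text: ""
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 5bec22c6-4887-4332-8a1e-314a6d27e7da
            name: allowed web origins
            protocol: openid-connect
            protocolMapper: oidc-allowed-origins-mapper
            consentRequired: false
            config:
              access.token.claim: "true"
              introspection.token.claim: "true"
      - id: c43c0a6a-7f94-4e09-a953-3fa44ebe3040
        name: profile
        description: 'OpenID Connect built-in scope: profile'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${profileScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: b6bf723a-1ae6-45e4-a722-2f9d4e9e5903
            name: website
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: website
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: website
              jsonType.label: String
          - id: 8a16228a-05fd-4707-b5bb-0e25b64d8958
            name: full name
            protocol: openid-connect
            protocolMapper: oidc-full-name-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
          - id: 37a167d2-747d-4f5d-9f58-204028f56b7d
            name: locale
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: locale
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: locale
              jsonType.label: String
          - id: 8271c267-970e-4091-a010-45521b955c01
            name: picture
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: picture
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: picture
              jsonType.label: String
          - id: 723390b8-7670-43b5-84c9-b67c82703fce
            name: given name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: firstName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: given_name
              jsonType.label: String
          - id: cdff8fc1-bc4a-47da-84a5-85fb12c53461
            name: profile
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: profile
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: profile
              jsonType.label: String
          - id: 312ee990-1e0c-4481-88f4-f85fb4ff15f4
            name: birthdate
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: birthdate
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: birthdate
              jsonType.label: String
          - id: 745656de-2692-4e59-80fe-fb59479ea17e
            name: zoneinfo
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: zoneinfo
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: zoneinfo
              jsonType.label: String
          - id: fb78c202-dade-4f93-a5f7-5e5f0d98ef9e
            name: family name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: lastName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: family_name
              jsonType.label: String
          - id: a89512e1-d227-4286-86ed-f736bdbb1a4d
            name: username
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: username
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: preferred_username
              jsonType.label: String
          - id: ab4ffdc5-6497-471a-b737-b6c3c712e168
            name: nickname
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: nickname
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: nickname
              jsonType.label: String
          - id: fa71f97d-38b6-413d-898a-57db48cac373
            name: middle name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: middleName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: middle_name
              jsonType.label: String
          - id: fb1dce92-54c9-4b16-bcd3-50a49e17264c
            name: gender
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: gender
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: gender
              jsonType.label: String
          - id: aedd6129-df66-4a0b-bc6b-aa25ae7289f7
            name: updated at
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: updatedAt
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: updated_at
              jsonType.label: long
    defaultDefaultClientScopes:
      - role_list
      - saml_organization
      - profile
      - email
      - roles
      - web-origins
      - acr
      - basic
    defaultOptionalClientScopes:
      - offline_access
      - address
      - phone
      - microprofile-jwt
      - organization
    browserSecurityHeaders:
      contentSecurityPolicyReportOnly: ""
      xContentTypeOptions: nosniff
      referrerPolicy: no-referrer
      xRobotsTag: none
      xFrameOptions: SAMEORIGIN
      contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
      strictTransportSecurity: "max-age=31536000; includeSubDomains"
    smtpServer: {}
    # Login and admin event logging are both disabled, so the realm keeps no
    # audit trail of authentication attempts or configuration changes.
    eventsEnabled: false
    eventsListeners:
      - jboss-logging
    enabledEventTypes: []
    adminEventsEnabled: false
    adminEventsDetailsEnabled: false
    identityProviders: []
    identityProviderMappers: []
    components:
      # Policies applied to dynamic client registration, split by whether the
      # registering party is anonymous or authenticated.
      org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy:
        - id: ba4ccc2d-b4af-4661-b02e-6730f779575f
          name: Max Clients Limit
          providerId: max-clients
          subType: anonymous
          subComponents: {}
          config:
            max-clients:
              - "200"
        - id: b85a6a84-7340-424e-81dc-6f3547aa22e1
          name: Full Scope Disabled
          providerId: scope
          subType: anonymous
          subComponents: {}
          config: {}
        - id: 4c301a96-61e9-4786-89cb-4eaf2677028f
          name: Allowed Protocol Mapper Types
          providerId: allowed-protocol-mappers
          subType: anonymous
          subComponents: {}
          config:
            allowed-protocol-mapper-types:
              - oidc-sha256-pairwise-sub-mapper
              - saml-user-attribute-mapper
              - saml-user-property-mapper
              - oidc-address-mapper
              - oidc-usermodel-property-mapper
              - oidc-full-name-mapper
              - saml-role-list-mapper
              - oidc-usermodel-attribute-mapper
        - id: e3f990bf-5977-4b35-a3dd-b8ac9b26061c
          name: Trusted Hosts
          providerId: trusted-hosts
          subType: anonymous
          subComponents: {}
          config:
            host-sending-registration-request-must-match:
              - "true"
            client-uris-must-match:
              - "true"
        - id: d2ebfe03-3f09-42b7-8c3c-1ca5caba76ff
          name: Allowed Protocol Mapper Types
          providerId: allowed-protocol-mappers
          subType: authenticated
          subComponents: {}
          config:
            allowed-protocol-mapper-types:
              - saml-user-attribute-mapper
              - saml-user-property-mapper
              - oidc-sha256-pairwise-sub-mapper
              - saml-role-list-mapper
              - oidc-address-mapper
              - oidc-usermodel-attribute-mapper
              - oidc-full-name-mapper
              - oidc-usermodel-property-mapper
        - id: f00c2333-6f60-4c51-8f31-2a1a14cc1a18
          name: Consent Required
          providerId: consent-required
          subType: anonymous
          subComponents: {}
          config: {}
        - id: a5188a3a-9351-4098-bb13-14b8b56c9370
          name: Allowed Client Scopes
          providerId: allowed-client-templates
          subType: anonymous
          subComponents: {}
          config:
            allow-default-scopes:
              - "true"
        - id: 40489ce4-34f4-41ad-8dfd-6bd20eef0b3a
          name: Allowed Client Scopes
          providerId: allowed-client-templates
          subType: authenticated
          subComponents: {}
          config:
            allow-default-scopes:
              - "true"
      # Realm key providers; key material is generated on import, only the
      # provider definitions are carried here.
      org.keycloak.keys.KeyProvider:
        - id: e75ab818-8af9-45e1-955d-858008455ee1
          name: hmac-generated-hs512
          providerId: hmac-generated
          subComponents: {}
          config:
            priority:
              - "100"
            algorithm:
              - HS512
        - id: a8107baf-ac14-4170-9f5f-d88e7e8641ac
          name: aes-generated
          providerId: aes-generated
          subComponents: {}
          config:
            priority:
              - "100"
        - id: 708c706a-6c14-4735-8ce0-184e4d45f20d
          name: rsa-enc-generated
          providerId: rsa-enc-generated
          subComponents: {}
          config:
            priority:
              - "100"
            algorithm:
              - RSA-OAEP
        - id: 0a770315-2818-4f3f-b6cf-2da39c98ea08
          name: rsa-generated
          providerId: rsa-generated
          subComponents: {}
          config:
            priority:
              - "100"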
# Tail of the realm import (spec.realm): locale settings, authentication flows,
# authenticator configs, required actions, flow bindings and realm attributes.
# Every flow below carries builtIn: true, i.e. these are stock Keycloak flows
# with their default executions; nothing custom is defined in this section.
# The hard-coded `id:` UUIDs make the import idempotent across re-runs.
internationalizationEnabled: false
supportedLocales: []
# Execution `requirement` values are REQUIRED / ALTERNATIVE / CONDITIONAL /
# DISABLED. `autheticatorFlow` (sic) is the legacy spelling that Keycloak still
# exports next to `authenticatorFlow`; both fields are kept exactly as exported,
# do not "correct" the spelling or the importer will drop the field.
authenticationFlows:
  - id: fcd55c8d-af04-4f3a-8d95-f2b8822d9419
    alias: Account verification options
    # "verity" is a typo in the stock Keycloak description (builtIn: true);
    # left untouched here because it is only display text.
    description: Method with which to verity the existing account
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: idp-email-verification
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: ALTERNATIVE
        priority: 20
        autheticatorFlow: true
        flowAlias: Verify Existing Account by Re-authentication
        userSetupAllowed: false
  # OTP is only demanded from users who already have an OTP credential
  # (conditional-user-configured); there is no realm-wide MFA mandate here.
  # NOTE(review): confirm this matches the intended MFA policy for the realm.
  - id: d9aa6da8-f0e1-4382-ae72-db059f0a0432
    alias: Browser - Conditional OTP
    description: Flow to determine if the OTP is required for the authentication
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: conditional-user-configured
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: auth-otp-form
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
  # Organization-related subflows are imported but `organizationsEnabled` is
  # false further down, so they are presumably inert until that flag is set.
  - id: 45e1dbb4-03ea-4215-b0fc-1a3d4055735d
    alias: Browser - Conditional Organization
    description: Flow to determine if the organization identity-first login is to be used
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: conditional-user-configured
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: organization
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
  - id: a242ecf3-51cf-4ebc-bbca-09afa132ddb9
    alias: Direct Grant - Conditional OTP
    description: Flow to determine if the OTP is required for the authentication
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: conditional-user-configured
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: direct-grant-validate-otp
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
  - id: 9d666bad-2193-49a8-a001-9fd24459368f
    alias: First Broker Login - Conditional Organization
    description: Flow to determine if the authenticator that adds organization members is to be used
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: conditional-user-configured
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: idp-add-organization-member
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
  - id: 75bacb96-eff3-45e4-a730-bb787812c644
    alias: First broker login - Conditional OTP
    description: Flow to determine if the OTP is required for the authentication
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: conditional-user-configured
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: auth-otp-form
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
  # Account linking on first broker login: the user must confirm the link
  # (idp-confirm-link) and then verify ownership via "Account verification
  # options" (e-mail verification or re-authentication with the local password).
  - id: 5c1a2783-f6d3-4411-a70b-aff534388222
    alias: Handle Existing Account
    description: Handle what to do if there is existing account with same email/username like authenticated identity provider
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: idp-confirm-link
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: true
        flowAlias: Account verification options
        userSetupAllowed: false
  - id: 981a45fd-33b4-4e8b-b565-f0f0c21fce1a
    alias: Organization
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticatorFlow: true
        requirement: CONDITIONAL
        priority: 10
        autheticatorFlow: true
        flowAlias: Browser - Conditional Organization
        userSetupAllowed: false
  - id: cc33ee5d-58d1-49f4-9084-67a443b9bddc
    alias: Reset - Conditional OTP
    description: Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: conditional-user-configured
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: reset-otp
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
  - id: f4b9279a-08f0-4b22-a2e1-abfafec02de6
    alias: User creation or linking
    description: Flow for the existing/non-existing user alternatives
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      # `authenticatorConfig` references the alias defined under
      # authenticatorConfig: below (create unique user config).
      - authenticatorConfig: create unique user config
        authenticator: idp-create-user-if-unique
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: ALTERNATIVE
        priority: 20
        autheticatorFlow: true
        flowAlias: Handle Existing Account
        userSetupAllowed: false
  - id: 91cc2815-09c5-4f82-a1fc-62a2fc32327d
    alias: Verify Existing Account by Re-authentication
    description: Reauthentication of existing account
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: idp-username-password-form
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: CONDITIONAL
        priority: 20
        autheticatorFlow: true
        flowAlias: First broker login - Conditional OTP
        userSetupAllowed: false
  # Top-level browser flow (bound via browserFlow: below). Kerberos/SPNEGO is
  # DISABLED; cookie SSO, IdP redirect, the Organization subflow and the local
  # "forms" subflow are ALTERNATIVEs, so the first one that succeeds wins.
  - id: 0455fc78-3bd3-4fa1-a73a-f1c9a80e7293
    alias: browser
    description: Browser based authentication
    providerId: basic-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      - authenticator: auth-cookie
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: auth-spnego
        authenticatorFlow: false
        requirement: DISABLED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: identity-provider-redirector
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 25
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: ALTERNATIVE
        priority: 26
        autheticatorFlow: true
        flowAlias: Organization
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: ALTERNATIVE
        priority: 30
        autheticatorFlow: true
        flowAlias: forms
        userSetupAllowed: false
  # Client authentication (bound via clientAuthenticationFlow: below): all four
  # client credential types are accepted as ALTERNATIVEs; which one a given
  # client actually uses is decided per client, not here.
  - id: 78bc6381-5d50-4220-a7b5-a0a2e697cd5e
    alias: clients
    description: Base authentication for clients
    providerId: client-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      - authenticator: client-secret
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: client-jwt
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: client-secret-jwt
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 30
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: client-x509
        authenticatorFlow: false
        requirement: ALTERNATIVE
        priority: 40
        autheticatorFlow: false
        userSetupAllowed: false
  # Resource Owner Password Credentials grant (bound via directGrantFlow:).
  # NOTE(review): this legacy grant is enabled realm-wide by this binding;
  # whether individual clients may use it is a per-client setting, so confirm
  # it is switched off for clients that do not need it.
  - id: 0fd8e9bd-1616-4810-8a2c-2862ecc62312
    alias: direct grant
    description: OpenID Connect Resource Owner Grant
    providerId: basic-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      - authenticator: direct-grant-validate-username
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: direct-grant-validate-password
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: CONDITIONAL
        priority: 30
        autheticatorFlow: true
        flowAlias: Direct Grant - Conditional OTP
        userSetupAllowed: false
  - id: 03035827-7537-4b94-831f-3184d98d6d26
    alias: docker auth
    description: Used by Docker clients to authenticate against the IDP
    providerId: basic-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      - authenticator: docker-http-basic-authenticator
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
  - id: 1a9fdcb1-591e-412b-a8ee-37de4ec78191
    alias: first broker login
    description: Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account
    providerId: basic-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      # References the "review profile config" alias under authenticatorConfig:.
      - authenticatorConfig: review profile config
        authenticator: idp-review-profile
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: true
        flowAlias: User creation or linking
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: CONDITIONAL
        priority: 50
        autheticatorFlow: true
        flowAlias: First Broker Login - Conditional Organization
        userSetupAllowed: false
  - id: 63b86089-a556-42cb-8e25-71913e1bd9cd
    alias: forms
    description: Username, password, otp and other auth forms.
    providerId: basic-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: auth-username-password-form
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: CONDITIONAL
        priority: 20
        autheticatorFlow: true
        flowAlias: Browser - Conditional OTP
        userSetupAllowed: false
  - id: 0b1d0824-a9f2-4819-8049-28dc559c66a0
    alias: registration
    description: Registration flow
    providerId: basic-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      - authenticator: registration-page-form
        authenticatorFlow: true
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: true
        flowAlias: registration form
        userSetupAllowed: false
  # Self-registration form: reCAPTCHA and terms-and-conditions steps are
  # DISABLED. This only matters if self-registration is enabled for the realm;
  # if it is, consider whether an anti-automation step should be REQUIRED.
  - id: a5fa008b-f069-404e-8767-a2ed5687262f
    alias: registration form
    description: Registration form
    providerId: form-flow
    topLevel: false
    builtIn: true
    authenticationExecutions:
      - authenticator: registration-user-creation
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: registration-password-action
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 50
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: registration-recaptcha-action
        authenticatorFlow: false
        requirement: DISABLED
        priority: 60
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: registration-terms-and-conditions
        authenticatorFlow: false
        requirement: DISABLED
        priority: 70
        autheticatorFlow: false
        userSetupAllowed: false
  # Password reset (bound via resetCredentialsFlow:). The REQUIRED
  # reset-credential-email step sends mail; smtpServer is {} earlier in this
  # import, so NOTE(review): confirm SMTP is configured by some other means or
  # this flow (and VERIFY_EMAIL below) cannot complete.
  - id: fef3d2a2-bbc2-4c5f-834f-f4014f6a699c
    alias: reset credentials
    description: Reset credentials for a user if they forgot their password or something
    providerId: basic-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      - authenticator: reset-credentials-choose-user
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: reset-credential-email
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 20
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticator: reset-password
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 30
        autheticatorFlow: false
        userSetupAllowed: false
      - authenticatorFlow: true
        requirement: CONDITIONAL
        priority: 40
        autheticatorFlow: true
        flowAlias: Reset - Conditional OTP
        userSetupAllowed: false
  - id: 52cd82c9-fd89-44f3-9c2c-34b103872607
    alias: saml ecp
    description: SAML ECP Profile Authentication Flow
    providerId: basic-flow
    topLevel: true
    builtIn: true
    authenticationExecutions:
      - authenticator: http-basic-authenticator
        authenticatorFlow: false
        requirement: REQUIRED
        priority: 10
        autheticatorFlow: false
        userSetupAllowed: false
# Per-execution configs referenced by alias from the flows above. Keycloak
# stores these values as strings, hence the quoted "false": keep the quotes so
# YAML does not turn the value into a boolean.
authenticatorConfig:
  - id: 99ecab09-1a65-49e2-9e9a-61962bd969ee
    alias: create unique user config
    config:
      require.password.update.after.registration: "false"
  - id: 25245a79-e0b9-4038-9723-3a918dea2a9d
    alias: review profile config
    config:
      update.profile.on.first.login: missing
# Required actions a user can be asked to complete at login. Self-service
# account deletion (delete_account) and terms acceptance are disabled; none of
# the actions is a defaultAction, so nothing is forced on newly created users.
requiredActions:
  - alias: CONFIGURE_TOTP
    name: Configure OTP
    providerId: CONFIGURE_TOTP
    enabled: true
    defaultAction: false
    priority: 10
    config: {}
  - alias: TERMS_AND_CONDITIONS
    name: Terms and Conditions
    providerId: TERMS_AND_CONDITIONS
    enabled: false
    defaultAction: false
    priority: 20
    config: {}
  - alias: UPDATE_PASSWORD
    name: Update Password
    providerId: UPDATE_PASSWORD
    enabled: true
    defaultAction: false
    priority: 30
    config: {}
  - alias: UPDATE_PROFILE
    name: Update Profile
    providerId: UPDATE_PROFILE
    enabled: true
    defaultAction: false
    priority: 40
    config: {}
  - alias: VERIFY_EMAIL
    name: Verify Email
    providerId: VERIFY_EMAIL
    enabled: true
    defaultAction: false
    priority: 50
    config: {}
  - alias: delete_account
    name: Delete Account
    providerId: delete_account
    enabled: false
    defaultAction: false
    priority: 60
    config: {}
  - alias: webauthn-register
    name: Webauthn Register
    providerId: webauthn-register
    enabled: true
    defaultAction: false
    priority: 70
    config: {}
  - alias: webauthn-register-passwordless
    name: Webauthn Register Passwordless
    providerId: webauthn-register-passwordless
    enabled: true
    defaultAction: false
    priority: 80
    config: {}
  - alias: VERIFY_PROFILE
    name: Verify Profile
    providerId: VERIFY_PROFILE
    enabled: true
    defaultAction: false
    priority: 90
    config: {}
  - alias: delete_credential
    name: Delete Credential
    providerId: delete_credential
    enabled: true
    defaultAction: false
    priority: 100
    config: {}
  - alias: update_user_locale
    name: Update User Locale
    providerId: update_user_locale
    enabled: true
    defaultAction: false
    priority: 1000
    config: {}
# Flow bindings: each value must match a topLevel: true alias defined above.
browserFlow: browser
registrationFlow: registration
directGrantFlow: direct grant
resetCredentialsFlow: reset credentials
clientAuthenticationFlow: clients
dockerAuthenticationFlow: docker auth
firstBrokerLoginFlow: first broker login
# Realm attributes are a string map in Keycloak; the numeric/boolean-looking
# values are deliberately quoted so they stay strings after YAML parsing.
# realmReusableOtpCode "false" means a TOTP code cannot be replayed within its
# validity window.
attributes:
  cibaBackchannelTokenDeliveryMode: poll
  cibaExpiresIn: "120"
  cibaAuthRequestedUserHint: login_hint
  oauth2DeviceCodeLifespan: "600"
  oauth2DevicePollingInterval: "5"
  parRequestUriLifespan: "60"
  cibaInterval: "5"
  realmReusableOtpCode: "false"
# Version of the server this realm was exported from. Parses as a plain string
# today; quote it if it is ever edited to a purely numeric form such as 26.2.
keycloakVersion: 26.2.7.redhat-00001
userManagedAccessAllowed: false
organizationsEnabled: false
verifiableCredentialsEnabled: false
adminPermissionsEnabled: false
# No client profiles/policies are imported, so no realm-level client policy
# enforcement (e.g. mandatory PKCE or secure redirect URIs) applies from here.
clientProfiles:
  profiles: []
clientPolicies:
  policies: []