apiVersion: k8s.keycloak.org/v2alpha1 kind: KeycloakRealmImport metadata: name: {{ rhbk.name | default('sso') }}-{{ rhbk.realm | default('sample-realm') }}-import namespace: {{ rhbk.namespace | default('keycloak') }} spec: keycloakCRName: {{ rhbk.name | default('sso') }} realm: id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }} realm: {{ rhbk.realm | default('sample-realm') }} notBefore: 0 defaultSignatureAlgorithm: RS256 revokeRefreshToken: false refreshTokenMaxReuse: 0 accessTokenLifespan: 300 accessTokenLifespanForImplicitFlow: 900 ssoSessionIdleTimeout: 1800 ssoSessionMaxLifespan: 36000 ssoSessionIdleTimeoutRememberMe: 0 ssoSessionMaxLifespanRememberMe: 0 offlineSessionIdleTimeout: 2592000 offlineSessionMaxLifespanEnabled: false offlineSessionMaxLifespan: 5184000 clientSessionIdleTimeout: 0 clientSessionMaxLifespan: 0 clientOfflineSessionIdleTimeout: 0 clientOfflineSessionMaxLifespan: 0 accessCodeLifespan: 60 accessCodeLifespanUserAction: 300 accessCodeLifespanLogin: 1800 actionTokenGeneratedByAdminLifespan: 43200 actionTokenGeneratedByUserLifespan: 300 oauth2DeviceCodeLifespan: 600 oauth2DevicePollingInterval: 5 enabled: true sslRequired: external registrationAllowed: false registrationEmailAsUsername: false rememberMe: false verifyEmail: false loginWithEmailAllowed: false duplicateEmailsAllowed: false resetPasswordAllowed: false editUsernameAllowed: false bruteForceProtected: false permanentLockout: false maxTemporaryLockouts: 0 bruteForceStrategy: MULTIPLE maxFailureWaitSeconds: 900 minimumQuickLoginWaitSeconds: 60 waitIncrementSeconds: 60 quickLoginCheckMilliSeconds: 1000 maxDeltaTimeSeconds: 43200 failureFactor: 30 roles: realm: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-rr-offline_access') | ansible.builtin.to_uuid }} name: offline_access description: ${role_offline-access} composite: false clientRole: false containerId: {{ ((rhbk.name | 
default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-rr-default-roles-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }} name: default-roles-{{ rhbk.realm | default('sample-realm') }} description: ${role_default-roles} composite: true composites: realm: - offline_access - uma_authorization client: account: - view-profile - manage-account clientRole: false containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-rr-uma_authorization') | ansible.builtin.to_uuid }} name: uma_authorization description: ${role_uma_authorization} composite: false clientRole: false containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }} attributes: {} client: realm-management: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-create-client') | ansible.builtin.to_uuid }} name: create-client description: ${role_create-client} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-clients') | ansible.builtin.to_uuid }} name: query-clients description: ${role_query-clients} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-identity-providers') | ansible.builtin.to_uuid 
}} name: view-identity-providers description: ${role_view-identity-providers} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-impersonation') | ansible.builtin.to_uuid }} name: impersonation description: ${role_impersonation} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-authorization') | ansible.builtin.to_uuid }} name: view-authorization description: ${role_view-authorization} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-realm') | ansible.builtin.to_uuid }} name: view-realm description: ${role_view-realm} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-clients') | ansible.builtin.to_uuid }} name: manage-clients description: ${role_manage-clients} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-users') | ansible.builtin.to_uuid 
}} name: manage-users description: ${role_manage-users} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-realms') | ansible.builtin.to_uuid }} name: query-realms description: ${role_query-realms} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-users') | ansible.builtin.to_uuid }} name: view-users description: ${role_view-users} composite: true composites: client: realm-management: - query-groups - query-users clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-realm-admin') | ansible.builtin.to_uuid }} name: realm-admin description: ${role_realm-admin} composite: true composites: client: realm-management: - create-client - query-clients - view-identity-providers - impersonation - view-authorization - view-realm - manage-users - manage-clients - query-realms - view-users - manage-realm - manage-authorization - query-groups - manage-events - manage-identity-providers - view-clients - view-events - query-users clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-realm') | ansible.builtin.to_uuid }} name: manage-realm 
description: ${role_manage-realm} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-authorization') | ansible.builtin.to_uuid }} name: manage-authorization description: ${role_manage-authorization} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-groups') | ansible.builtin.to_uuid }} name: query-groups description: ${role_query-groups} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-events') | ansible.builtin.to_uuid }} name: manage-events description: ${role_manage-events} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-identity-providers') | ansible.builtin.to_uuid }} name: manage-identity-providers description: ${role_manage-identity-providers} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-clients') | ansible.builtin.to_uuid 
}} name: view-clients description: ${role_view-clients} composite: true composites: client: realm-management: - query-clients clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-users') | ansible.builtin.to_uuid }} name: query-users description: ${role_query-users} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-events') | ansible.builtin.to_uuid }} name: view-events description: ${role_view-events} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} attributes: {} security-admin-console: [] {% for client in rhbk.clients %} {{ client.id }}: [] {% endfor %} admin-cli: [] account-console: [] broker: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-br-read-token') | ansible.builtin.to_uuid }} name: read-token description: ${role_read-token} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-broker') | ansible.builtin.to_uuid }} attributes: {} account: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-delete-account') | ansible.builtin.to_uuid }} name: delete-account description: ${role_delete-account} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} attributes: {} - id: 
{{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-manage-consent') | ansible.builtin.to_uuid }} name: manage-consent description: ${role_manage-consent} composite: true composites: client: account: - view-consent clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-profile') | ansible.builtin.to_uuid }} name: view-profile description: ${role_view-profile} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-manage-account') | ansible.builtin.to_uuid }} name: manage-account description: ${role_manage-account} composite: true composites: client: account: - manage-account-links clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-manage-account-links') | ansible.builtin.to_uuid }} name: manage-account-links description: ${role_manage-account-links} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-applications') | ansible.builtin.to_uuid }} name: view-applications description: ${role_view-applications} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + 
'-client-account') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-groups') | ansible.builtin.to_uuid }} name: view-groups description: ${role_view-groups} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} attributes: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-consent') | ansible.builtin.to_uuid }} name: view-consent description: ${role_view-consent} composite: false clientRole: true containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} attributes: {} groups: [] defaultRole: id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-default-roles-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }} name: default-roles-{{ (rhbk.realm | default('sample-realm')) }} description: ${role_default-roles} composite: true clientRole: false containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }} requiredCredentials: - password otpPolicyType: totp otpPolicyAlgorithm: HmacSHA1 otpPolicyInitialCounter: 0 otpPolicyDigits: 6 otpPolicyLookAheadWindow: 1 otpPolicyPeriod: 30 otpPolicyCodeReusable: false otpSupportedApplications: - totpAppFreeOTPName - totpAppGoogleName - totpAppMicrosoftAuthenticatorName localizationTexts: {} webAuthnPolicyRpEntityName: keycloak webAuthnPolicySignatureAlgorithms: - ES256 - RS256 webAuthnPolicyRpId: "" webAuthnPolicyAttestationConveyancePreference: not specified webAuthnPolicyAuthenticatorAttachment: not specified webAuthnPolicyRequireResidentKey: not specified webAuthnPolicyUserVerificationRequirement: not specified webAuthnPolicyCreateTimeout: 0 
webAuthnPolicyAvoidSameAuthenticatorRegister: false webAuthnPolicyAcceptableAaguids: [] webAuthnPolicyExtraOrigins: [] webAuthnPolicyPasswordlessRpEntityName: keycloak webAuthnPolicyPasswordlessSignatureAlgorithms: - ES256 - RS256 webAuthnPolicyPasswordlessRpId: "" webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified webAuthnPolicyPasswordlessRequireResidentKey: not specified webAuthnPolicyPasswordlessUserVerificationRequirement: not specified webAuthnPolicyPasswordlessCreateTimeout: 0 webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false webAuthnPolicyPasswordlessAcceptableAaguids: [] webAuthnPolicyPasswordlessExtraOrigins: [] scopeMappings: - clientScope: offline_access roles: - offline_access clientScopeMappings: account: - client: account-console roles: - manage-account - view-groups clients: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }} clientId: account name: ${client_account} rootUrl: ${authBaseUrl} baseUrl: /realms/{{ rhbk.realm | default('sample-realm') }}/account/ surrogateAuthRequired: false enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: client-secret redirectUris: - /realms/{{ rhbk.realm | default('sample-realm') }}/account/* webOrigins: [] notBefore: 0 bearerOnly: false consentRequired: false standardFlowEnabled: true implicitFlowEnabled: false directAccessGrantsEnabled: false serviceAccountsEnabled: false publicClient: true frontchannelLogout: false protocol: openid-connect attributes: realm_client: "false" post.logout.redirect.uris: + authenticationFlowBindingOverrides: {} fullScopeAllowed: false nodeReRegistrationTimeout: 0 defaultClientScopes: - web-origins - acr - roles - profile - basic - email optionalClientScopes: - address - phone - organization - offline_access - microprofile-jwt - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | 
default('sample-realm')) + '-client-account-console') | ansible.builtin.to_uuid }} clientId: account-console name: ${client_account-console} rootUrl: ${authBaseUrl} baseUrl: /realms/{{ rhbk.realm | default('sample-realm') }}/account/ surrogateAuthRequired: false enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: client-secret redirectUris: - /realms/{{ rhbk.realm | default('sample-realm') }}/account/* webOrigins: [] notBefore: 0 bearerOnly: false consentRequired: false standardFlowEnabled: true implicitFlowEnabled: false directAccessGrantsEnabled: false serviceAccountsEnabled: false publicClient: true frontchannelLogout: false protocol: openid-connect attributes: realm_client: "false" post.logout.redirect.uris: + pkce.code.challenge.method: S256 authenticationFlowBindingOverrides: {} fullScopeAllowed: false nodeReRegistrationTimeout: 0 protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account-console-pm-audience-resolve') | ansible.builtin.to_uuid }} name: audience resolve protocol: openid-connect protocolMapper: oidc-audience-resolve-mapper consentRequired: false config: {} defaultClientScopes: - web-origins - acr - roles - profile - basic - email optionalClientScopes: - address - phone - organization - offline_access - microprofile-jwt - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-admin-cli') | ansible.builtin.to_uuid }} clientId: admin-cli name: ${client_admin-cli} surrogateAuthRequired: false enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: client-secret redirectUris: [] webOrigins: [] notBefore: 0 bearerOnly: false consentRequired: false standardFlowEnabled: false implicitFlowEnabled: false directAccessGrantsEnabled: true serviceAccountsEnabled: false publicClient: true frontchannelLogout: false protocol: openid-connect attributes: realm_client: "false" client.use.lightweight.access.token.enabled: "true" 
authenticationFlowBindingOverrides: {} fullScopeAllowed: true nodeReRegistrationTimeout: 0 defaultClientScopes: - web-origins - acr - roles - profile - basic - email optionalClientScopes: - address - phone - organization - offline_access - microprofile-jwt - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-broker') | ansible.builtin.to_uuid }} clientId: broker name: ${client_broker} surrogateAuthRequired: false enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: client-secret redirectUris: [] webOrigins: [] notBefore: 0 bearerOnly: true consentRequired: false standardFlowEnabled: true implicitFlowEnabled: false directAccessGrantsEnabled: false serviceAccountsEnabled: false publicClient: false frontchannelLogout: false protocol: openid-connect attributes: realm_client: "true" authenticationFlowBindingOverrides: {} fullScopeAllowed: false nodeReRegistrationTimeout: 0 defaultClientScopes: - web-origins - acr - roles - profile - basic - email optionalClientScopes: - address - phone - organization - offline_access - microprofile-jwt {% for client in rhbk.clients %} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-' + client.id) | ansible.builtin.to_uuid }} clientId: {{ client.id }} name: "{{ client.name | default(client.id) }}" description: "" rootUrl: {{ client.base_url }} adminUrl: {{ client.base_url }} baseUrl: "" surrogateAuthRequired: false enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: client-secret {% if client.secret is defined %} secret: '{{ client.secret }}' {% endif %} redirectUris: - {{ client.base_url }}/* webOrigins: - {{ client.base_url }} notBefore: 0 bearerOnly: false consentRequired: false standardFlowEnabled: true implicitFlowEnabled: false directAccessGrantsEnabled: {{ client.direct_grants | default(true) | bool }} serviceAccountsEnabled: false publicClient: false frontchannelLogout: true protocol: openid-connect 
attributes: client.secret.creation.time: "1755544217" request.object.signature.alg: any request.object.encryption.alg: any client.introspection.response.allow.jwt.claim.enabled: "false" standard.token.exchange.enabled: "false" frontchannel.logout.session.required: "true" oauth2.device.authorization.grant.enabled: "false" use.jwks.url: "false" backchannel.logout.revoke.offline.tokens: "false" use.refresh.tokens: "true" realm_client: "false" oidc.ciba.grant.enabled: "false" client.use.lightweight.access.token.enabled: "false" backchannel.logout.session.required: "true" client_credentials.use_refresh_token: "false" request.object.required: not required access.token.header.type.rfc9068: "false" acr.loa.map: '{}' require.pushed.authorization.requests: "false" tls.client.certificate.bound.access.tokens: "false" display.on.consent.screen: "false" request.object.encryption.enc: any token.response.type.bearer.lower-case: "false" authenticationFlowBindingOverrides: {} fullScopeAllowed: true nodeReRegistrationTimeout: -1 {% if client.map_groups | default(true) %} protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-openshift-pm-groups') | ansible.builtin.to_uuid }} name: groups protocol: openid-connect protocolMapper: oidc-group-membership-mapper consentRequired: false config: claim.name: groups full.path: "false" id.token.claim: "true" access.token.claim: "true" userinfo.token.claim: "true" introspection.token.claim: "true" lightweight.claim: "false" multivalued: "true" {% endif %} defaultClientScopes: - web-origins - acr - roles - profile - basic - email optionalClientScopes: - address - phone - organization - offline_access - microprofile-jwt {% endfor %} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }} clientId: realm-management name: ${client_realm-management} surrogateAuthRequired: false enabled: true 
alwaysDisplayInConsole: false clientAuthenticatorType: client-secret redirectUris: [] webOrigins: [] notBefore: 0 bearerOnly: true consentRequired: false standardFlowEnabled: true implicitFlowEnabled: false directAccessGrantsEnabled: false serviceAccountsEnabled: false publicClient: false frontchannelLogout: false protocol: openid-connect attributes: realm_client: "true" authenticationFlowBindingOverrides: {} fullScopeAllowed: false nodeReRegistrationTimeout: 0 defaultClientScopes: - web-origins - acr - roles - profile - basic - email optionalClientScopes: - address - phone - organization - offline_access - microprofile-jwt - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-security-admin-console') | ansible.builtin.to_uuid }} clientId: security-admin-console name: ${client_security-admin-console} rootUrl: ${authAdminUrl} baseUrl: /admin/{{ rhbk.realm | default('sample-realm') }}/console/ surrogateAuthRequired: false enabled: true alwaysDisplayInConsole: false clientAuthenticatorType: client-secret redirectUris: - /admin/{{ rhbk.realm | default('sample-realm') }}/console/* webOrigins: - + notBefore: 0 bearerOnly: false consentRequired: false standardFlowEnabled: true implicitFlowEnabled: false directAccessGrantsEnabled: false serviceAccountsEnabled: false publicClient: true frontchannelLogout: false protocol: openid-connect attributes: realm_client: "false" client.use.lightweight.access.token.enabled: "true" post.logout.redirect.uris: + pkce.code.challenge.method: S256 authenticationFlowBindingOverrides: {} fullScopeAllowed: true nodeReRegistrationTimeout: 0 protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-security-admin-console-pm-locale') | ansible.builtin.to_uuid }} name: locale protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" 
user.attribute: locale id.token.claim: "true" access.token.claim: "true" claim.name: locale jsonType.label: String defaultClientScopes: - web-origins - acr - roles - profile - basic - email optionalClientScopes: - address - phone - organization - offline_access - microprofile-jwt clientScopes: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles') | ansible.builtin.to_uuid }} name: roles description: OpenID Connect scope for add user roles to the access token protocol: openid-connect attributes: include.in.token.scope: "false" consent.screen.text: ${rolesScopeConsentText} display.on.consent.screen: "true" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles-pm-client-roles') | ansible.builtin.to_uuid }} name: client roles protocol: openid-connect protocolMapper: oidc-usermodel-client-role-mapper consentRequired: false config: user.attribute: foo introspection.token.claim: "true" access.token.claim: "true" claim.name: resource_access.${client_id}.roles jsonType.label: String multivalued: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles-pm-realm-roles') | ansible.builtin.to_uuid }} name: realm roles protocol: openid-connect protocolMapper: oidc-usermodel-realm-role-mapper consentRequired: false config: user.attribute: foo introspection.token.claim: "true" access.token.claim: "true" claim.name: realm_access.roles jsonType.label: String multivalued: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles-pm-audience-resolve') | ansible.builtin.to_uuid }} name: audience resolve protocol: openid-connect protocolMapper: oidc-audience-resolve-mapper consentRequired: false config: introspection.token.claim: "true" access.token.claim: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + 
'-cscope-service-account') | ansible.builtin.to_uuid }} name: service_account description: Specific scope for a client enabled for service accounts protocol: openid-connect attributes: include.in.token.scope: "false" display.on.consent.screen: "false" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-service-account-pm-client-host') | ansible.builtin.to_uuid }} name: Client Host protocol: openid-connect protocolMapper: oidc-usersessionmodel-note-mapper consentRequired: false config: user.session.note: clientHost id.token.claim: "true" introspection.token.claim: "true" access.token.claim: "true" claim.name: clientHost jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-service-account-pm-client-ip') | ansible.builtin.to_uuid }} name: Client IP Address protocol: openid-connect protocolMapper: oidc-usersessionmodel-note-mapper consentRequired: false config: user.session.note: clientAddress id.token.claim: "true" introspection.token.claim: "true" access.token.claim: "true" claim.name: clientAddress jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-service-account-pm-client-id') | ansible.builtin.to_uuid }} name: Client ID protocol: openid-connect protocolMapper: oidc-usersessionmodel-note-mapper consentRequired: false config: user.session.note: client_id id.token.claim: "true" introspection.token.claim: "true" access.token.claim: "true" claim.name: client_id jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-organization') | ansible.builtin.to_uuid }} name: organization description: Additional claims about the organization a subject belongs to protocol: openid-connect attributes: include.in.token.scope: "true" consent.screen.text: ${organizationScopeConsentText} display.on.consent.screen: "true" 
protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-organization-pm-organization') | ansible.builtin.to_uuid }} name: organization protocol: openid-connect protocolMapper: oidc-organization-membership-mapper consentRequired: false config: id.token.claim: "true" introspection.token.claim: "true" access.token.claim: "true" claim.name: organization jsonType.label: String multivalued: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-mprof-jwt') | ansible.builtin.to_uuid }} name: microprofile-jwt description: Microprofile - JWT built-in scope protocol: openid-connect attributes: include.in.token.scope: "true" display.on.consent.screen: "false" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-mprof-jwt-pm-upn') | ansible.builtin.to_uuid }} name: upn protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: username id.token.claim: "true" access.token.claim: "true" claim.name: upn jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-mprof-jwt-pm-groups') | ansible.builtin.to_uuid }} name: groups protocol: openid-connect protocolMapper: oidc-usermodel-realm-role-mapper consentRequired: false config: introspection.token.claim: "true" multivalued: "true" user.attribute: foo id.token.claim: "true" access.token.claim: "true" claim.name: groups jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-saml-org') | ansible.builtin.to_uuid }} name: saml_organization description: Organization Membership protocol: saml attributes: display.on.consent.screen: "false" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | 
default('sample-realm')) + '-cscope-saml-org-pm-organization') | ansible.builtin.to_uuid }} name: organization protocol: saml protocolMapper: saml-organization-membership-mapper consentRequired: false config: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-oidc') | ansible.builtin.to_uuid }} name: acr description: OpenID Connect scope for add acr (authentication context class reference) to the token protocol: openid-connect attributes: include.in.token.scope: "false" display.on.consent.screen: "false" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-oidc-pm-acr-loa-level') | ansible.builtin.to_uuid }} name: acr loa level protocol: openid-connect protocolMapper: oidc-acr-mapper consentRequired: false config: id.token.claim: "true" access.token.claim: "true" introspection.token.claim: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-email') | ansible.builtin.to_uuid }} name: email description: 'OpenID Connect built-in scope: email' protocol: openid-connect attributes: include.in.token.scope: "true" consent.screen.text: ${emailScopeConsentText} display.on.consent.screen: "true" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-email-pm-email-vrfd') | ansible.builtin.to_uuid }} name: email verified protocol: openid-connect protocolMapper: oidc-usermodel-property-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: emailVerified id.token.claim: "true" access.token.claim: "true" claim.name: email_verified jsonType.label: boolean - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-email-pm-email') | ansible.builtin.to_uuid }} name: email protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false 
config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: email id.token.claim: "true" access.token.claim: "true" claim.name: email jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-role-list') | ansible.builtin.to_uuid }} name: role_list description: SAML role list protocol: saml attributes: consent.screen.text: ${samlRoleListScopeConsentText} display.on.consent.screen: "true" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-role-list-pm-role-list') | ansible.builtin.to_uuid }} name: role list protocol: saml protocolMapper: saml-role-list-mapper consentRequired: false config: single: "false" attribute.nameformat: Basic attribute.name: Role - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-phone') | ansible.builtin.to_uuid }} name: phone description: 'OpenID Connect built-in scope: phone' protocol: openid-connect attributes: include.in.token.scope: "true" consent.screen.text: ${phoneScopeConsentText} display.on.consent.screen: "true" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-phone-pm-phnum') | ansible.builtin.to_uuid }} name: phone number protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: phoneNumber id.token.claim: "true" access.token.claim: "true" claim.name: phone_number jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-phone-pm-phnum-vrfd') | ansible.builtin.to_uuid }} name: phone number verified protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: 
phoneNumberVerified id.token.claim: "true" access.token.claim: "true" claim.name: phone_number_verified jsonType.label: boolean - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-address') | ansible.builtin.to_uuid }} name: address description: 'OpenID Connect built-in scope: address' protocol: openid-connect attributes: include.in.token.scope: "true" consent.screen.text: ${addressScopeConsentText} display.on.consent.screen: "true" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-address-pm-address') | ansible.builtin.to_uuid }} name: address protocol: openid-connect protocolMapper: oidc-address-mapper consentRequired: false config: user.attribute.formatted: formatted user.attribute.country: country introspection.token.claim: "true" user.attribute.postal_code: postal_code userinfo.token.claim: "true" user.attribute.street: street id.token.claim: "true" user.attribute.region: region access.token.claim: "true" user.attribute.locality: locality - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-basic') | ansible.builtin.to_uuid }} name: basic description: OpenID Connect scope for add all basic claims to the token protocol: openid-connect attributes: include.in.token.scope: "false" display.on.consent.screen: "false" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-basic-pm-sub') | ansible.builtin.to_uuid }} name: sub protocol: openid-connect protocolMapper: oidc-sub-mapper consentRequired: false config: introspection.token.claim: "true" access.token.claim: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-basic-pm-auth-time') | ansible.builtin.to_uuid }} name: auth_time protocol: openid-connect protocolMapper: oidc-usersessionmodel-note-mapper consentRequired: false config: user.session.note: 
AUTH_TIME id.token.claim: "true" introspection.token.claim: "true" access.token.claim: "true" claim.name: auth_time jsonType.label: long - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-offline') | ansible.builtin.to_uuid }} name: offline_access description: 'OpenID Connect built-in scope: offline_access' protocol: openid-connect attributes: consent.screen.text: ${offlineAccessScopeConsentText} display.on.consent.screen: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-web-origins') | ansible.builtin.to_uuid }} name: web-origins description: OpenID Connect scope for add allowed web origins to the access token protocol: openid-connect attributes: include.in.token.scope: "false" consent.screen.text: "" display.on.consent.screen: "false" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-web-origins-pm-allowed-origins') | ansible.builtin.to_uuid }} name: allowed web origins protocol: openid-connect protocolMapper: oidc-allowed-origins-mapper consentRequired: false config: access.token.claim: "true" introspection.token.claim: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile') | ansible.builtin.to_uuid }} name: profile description: 'OpenID Connect built-in scope: profile' protocol: openid-connect attributes: include.in.token.scope: "true" consent.screen.text: ${profileScopeConsentText} display.on.consent.screen: "true" protocolMappers: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-website') | ansible.builtin.to_uuid }} name: website protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: website id.token.claim: "true" access.token.claim: "true" claim.name: 
website jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-full-name') | ansible.builtin.to_uuid }} name: full name protocol: openid-connect protocolMapper: oidc-full-name-mapper consentRequired: false config: id.token.claim: "true" introspection.token.claim: "true" access.token.claim: "true" userinfo.token.claim: "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-locale') | ansible.builtin.to_uuid }} name: locale protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: locale id.token.claim: "true" access.token.claim: "true" claim.name: locale jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-picture') | ansible.builtin.to_uuid }} name: picture protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: picture id.token.claim: "true" access.token.claim: "true" claim.name: picture jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-given-name') | ansible.builtin.to_uuid }} name: given name protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: firstName id.token.claim: "true" access.token.claim: "true" claim.name: given_name jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-profile') | ansible.builtin.to_uuid }} name: profile protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false 
config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: profile id.token.claim: "true" access.token.claim: "true" claim.name: profile jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-birthdate') | ansible.builtin.to_uuid }} name: birthdate protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: birthdate id.token.claim: "true" access.token.claim: "true" claim.name: birthdate jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-zoneinfo') | ansible.builtin.to_uuid }} name: zoneinfo protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: zoneinfo id.token.claim: "true" access.token.claim: "true" claim.name: zoneinfo jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-family-name') | ansible.builtin.to_uuid }} name: family name protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: lastName id.token.claim: "true" access.token.claim: "true" claim.name: family_name jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-username') | ansible.builtin.to_uuid }} name: username protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: username id.token.claim: "true" access.token.claim: "true" claim.name: preferred_username jsonType.label: 
String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-nickname') | ansible.builtin.to_uuid }} name: nickname protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: nickname id.token.claim: "true" access.token.claim: "true" claim.name: nickname jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-middle-name') | ansible.builtin.to_uuid }} name: middle name protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: middleName id.token.claim: "true" access.token.claim: "true" claim.name: middle_name jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-gender') | ansible.builtin.to_uuid }} name: gender protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: gender id.token.claim: "true" access.token.claim: "true" claim.name: gender jsonType.label: String - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-updated-at') | ansible.builtin.to_uuid }} name: updated at protocol: openid-connect protocolMapper: oidc-usermodel-attribute-mapper consentRequired: false config: introspection.token.claim: "true" userinfo.token.claim: "true" user.attribute: updatedAt id.token.claim: "true" access.token.claim: "true" claim.name: updated_at jsonType.label: long defaultDefaultClientScopes: - role_list - saml_organization - profile - email - roles - web-origins - acr - basic defaultOptionalClientScopes: - offline_access - address - phone - 
microprofile-jwt - organization browserSecurityHeaders: contentSecurityPolicyReportOnly: "" xContentTypeOptions: nosniff referrerPolicy: no-referrer xRobotsTag: none xFrameOptions: SAMEORIGIN contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; strictTransportSecurity: max-age=31536000; includeSubDomains smtpServer: {} eventsEnabled: false eventsListeners: - jboss-logging enabledEventTypes: [] adminEventsEnabled: false adminEventsDetailsEnabled: false identityProviders: [] identityProviderMappers: [] components: org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-max-clients') | ansible.builtin.to_uuid }} name: Max Clients Limit providerId: max-clients subType: anonymous subComponents: {} config: max-clients: - "200" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-fullscope') | ansible.builtin.to_uuid }} name: Full Scope Disabled providerId: scope subType: anonymous subComponents: {} config: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-allowed-protomap-anon') | ansible.builtin.to_uuid }} name: Allowed Protocol Mapper Types providerId: allowed-protocol-mappers subType: anonymous subComponents: {} config: allowed-protocol-mapper-types: - oidc-sha256-pairwise-sub-mapper - saml-user-attribute-mapper - saml-user-property-mapper - oidc-address-mapper - oidc-usermodel-property-mapper - oidc-full-name-mapper - saml-role-list-mapper - oidc-usermodel-attribute-mapper - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-trusted-hosts') | ansible.builtin.to_uuid }} name: Trusted Hosts providerId: trusted-hosts subType: anonymous subComponents: {} config: host-sending-registration-request-must-match: - "true" client-uris-must-match: - "true" - id: {{ ((rhbk.name | default('sso')) + '-' 
+ (rhbk.realm | default('sample-realm')) + '-regpol-allowed-protomap-auth') | ansible.builtin.to_uuid }} name: Allowed Protocol Mapper Types providerId: allowed-protocol-mappers subType: authenticated subComponents: {} config: allowed-protocol-mapper-types: - saml-user-attribute-mapper - saml-user-property-mapper - oidc-sha256-pairwise-sub-mapper - saml-role-list-mapper - oidc-address-mapper - oidc-usermodel-attribute-mapper - oidc-full-name-mapper - oidc-usermodel-property-mapper - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-consentreq') | ansible.builtin.to_uuid }} name: Consent Required providerId: consent-required subType: anonymous subComponents: {} config: {} - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-allowed-cliscope-anon') | ansible.builtin.to_uuid }} name: Allowed Client Scopes providerId: allowed-client-templates subType: anonymous subComponents: {} config: allow-default-scopes: - "true" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-allowed-cliscope-auth') | ansible.builtin.to_uuid }} name: Allowed Client Scopes providerId: allowed-client-templates subType: authenticated subComponents: {} config: allow-default-scopes: - "true" org.keycloak.keys.KeyProvider: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-hs512') | ansible.builtin.to_uuid }} name: hmac-generated-hs512 providerId: hmac-generated subComponents: {} config: priority: - "100" algorithm: - HS512 - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-aesgen') | ansible.builtin.to_uuid }} name: aes-generated providerId: aes-generated subComponents: {} config: priority: - "100" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-rsaencgen') | ansible.builtin.to_uuid }} name: rsa-enc-generated providerId: 
rsa-enc-generated subComponents: {} config: priority: - "100" algorithm: - RSA-OAEP - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-rsagen') | ansible.builtin.to_uuid }} name: rsa-generated providerId: rsa-generated subComponents: {} config: priority: - "100" internationalizationEnabled: false supportedLocales: [] authenticationFlows: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-acct-vrfy-opt') | ansible.builtin.to_uuid }} alias: Account verification options description: Method with which to verify the existing account providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: idp-email-verification authenticatorFlow: false requirement: ALTERNATIVE priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: ALTERNATIVE priority: 20 autheticatorFlow: true flowAlias: Verify Existing Account by Re-authentication userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-brws-cond-otp') | ansible.builtin.to_uuid }} alias: Browser - Conditional OTP description: Flow to determine if the OTP is required for the authentication providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: conditional-user-configured authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: auth-otp-form authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-brws-cond-org') | ansible.builtin.to_uuid }} alias: Browser - Conditional Organization description: Flow to determine if the organization identity-first login is to be used providerId: basic-flow topLevel: false builtIn: true
authenticationExecutions: - authenticator: conditional-user-configured authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: organization authenticatorFlow: false requirement: ALTERNATIVE priority: 20 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-dg-cond-otp') | ansible.builtin.to_uuid }} alias: Direct Grant - Conditional OTP description: Flow to determine if the OTP is required for the authentication providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: conditional-user-configured authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: direct-grant-validate-otp authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-fbrok-login-cond-org') | ansible.builtin.to_uuid }} alias: First Broker Login - Conditional Organization description: Flow to determine if the authenticator that adds organization members is to be used providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: conditional-user-configured authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: idp-add-organization-member authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-fbrok-login-cond-otp') | ansible.builtin.to_uuid }} alias: First broker login - Conditional OTP description: Flow to determine if the OTP is required for the authentication providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - 
authenticator: conditional-user-configured authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: auth-otp-form authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-handle-existing') | ansible.builtin.to_uuid }} alias: Handle Existing Account description: Handle what to do if there is existing account with same email/username like authenticated identity provider providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: idp-confirm-link authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: REQUIRED priority: 20 autheticatorFlow: true flowAlias: Account verification options userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-org') | ansible.builtin.to_uuid }} alias: Organization providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticatorFlow: true requirement: CONDITIONAL priority: 10 autheticatorFlow: true flowAlias: Browser - Conditional Organization userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-cond-otp') | ansible.builtin.to_uuid }} alias: Reset - Conditional OTP description: Flow to determine if the OTP should be reset or not. Set to REQUIRED to force. 
providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: conditional-user-configured authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: reset-otp authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-ucreat-or-link') | ansible.builtin.to_uuid }} alias: User creation or linking description: Flow for the existing/non-existing user alternatives providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticatorConfig: create unique user config authenticator: idp-create-user-if-unique authenticatorFlow: false requirement: ALTERNATIVE priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: ALTERNATIVE priority: 20 autheticatorFlow: true flowAlias: Handle Existing Account userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-vrfy-existing-reauth') | ansible.builtin.to_uuid }} alias: Verify Existing Account by Re-authentication description: Reauthentication of existing account providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: idp-username-password-form authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: CONDITIONAL priority: 20 autheticatorFlow: true flowAlias: First broker login - Conditional OTP userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-brws-based-auth') | ansible.builtin.to_uuid }} alias: browser description: Browser based authentication providerId: basic-flow topLevel: true builtIn: true authenticationExecutions: - authenticator: auth-cookie 
authenticatorFlow: false requirement: ALTERNATIVE priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: auth-spnego authenticatorFlow: false requirement: DISABLED priority: 20 autheticatorFlow: false userSetupAllowed: false - authenticator: identity-provider-redirector authenticatorFlow: false requirement: ALTERNATIVE priority: 25 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: ALTERNATIVE priority: 26 autheticatorFlow: true flowAlias: Organization userSetupAllowed: false - authenticatorFlow: true requirement: ALTERNATIVE priority: 30 autheticatorFlow: true flowAlias: forms userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-base-client-auth') | ansible.builtin.to_uuid }} alias: clients description: Base authentication for clients providerId: client-flow topLevel: true builtIn: true authenticationExecutions: - authenticator: client-secret authenticatorFlow: false requirement: ALTERNATIVE priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: client-jwt authenticatorFlow: false requirement: ALTERNATIVE priority: 20 autheticatorFlow: false userSetupAllowed: false - authenticator: client-secret-jwt authenticatorFlow: false requirement: ALTERNATIVE priority: 30 autheticatorFlow: false userSetupAllowed: false - authenticator: client-x509 authenticatorFlow: false requirement: ALTERNATIVE priority: 40 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-dgrant-oidc-owner') | ansible.builtin.to_uuid }} alias: direct grant description: OpenID Connect Resource Owner Grant providerId: basic-flow topLevel: true builtIn: true authenticationExecutions: - authenticator: direct-grant-validate-username authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: 
direct-grant-validate-password authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: CONDITIONAL priority: 30 autheticatorFlow: true flowAlias: Direct Grant - Conditional OTP userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-docker-auth') | ansible.builtin.to_uuid }} alias: docker auth description: Used by Docker clients to authenticate against the IDP providerId: basic-flow topLevel: true builtIn: true authenticationExecutions: - authenticator: docker-http-basic-authenticator authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-fbrok-login') | ansible.builtin.to_uuid }} alias: first broker login description: Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account providerId: basic-flow topLevel: true builtIn: true authenticationExecutions: - authenticatorConfig: review profile config authenticator: idp-review-profile authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: REQUIRED priority: 20 autheticatorFlow: true flowAlias: User creation or linking userSetupAllowed: false - authenticatorFlow: true requirement: CONDITIONAL priority: 50 autheticatorFlow: true flowAlias: First Broker Login - Conditional Organization userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-forms') | ansible.builtin.to_uuid }} alias: forms description: Username, password, otp and other auth forms. 
providerId: basic-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: auth-username-password-form authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: CONDITIONAL priority: 20 autheticatorFlow: true flowAlias: Browser - Conditional OTP userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-reg-flow') | ansible.builtin.to_uuid }} alias: registration description: Registration flow providerId: basic-flow topLevel: true builtIn: true authenticationExecutions: - authenticator: registration-page-form authenticatorFlow: true requirement: REQUIRED priority: 10 autheticatorFlow: true flowAlias: registration form userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-reg-form') | ansible.builtin.to_uuid }} alias: registration form description: Registration form providerId: form-flow topLevel: false builtIn: true authenticationExecutions: - authenticator: registration-user-creation authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - authenticator: registration-password-action authenticatorFlow: false requirement: REQUIRED priority: 50 autheticatorFlow: false userSetupAllowed: false - authenticator: registration-recaptcha-action authenticatorFlow: false requirement: DISABLED priority: 60 autheticatorFlow: false userSetupAllowed: false - authenticator: registration-terms-and-conditions authenticatorFlow: false requirement: DISABLED priority: 70 autheticatorFlow: false userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-reset-creds') | ansible.builtin.to_uuid }} alias: reset credentials description: Reset credentials for a user if they forgot their password or something providerId: basic-flow 
topLevel: true builtIn: true authenticationExecutions: - authenticator: reset-credentials-choose-user authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false - authenticator: reset-credential-email authenticatorFlow: false requirement: REQUIRED priority: 20 autheticatorFlow: false userSetupAllowed: false - authenticator: reset-password authenticatorFlow: false requirement: REQUIRED priority: 30 autheticatorFlow: false userSetupAllowed: false - authenticatorFlow: true requirement: CONDITIONAL priority: 40 autheticatorFlow: true flowAlias: Reset - Conditional OTP userSetupAllowed: false - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-saml-ecp') | ansible.builtin.to_uuid }} alias: saml ecp description: SAML ECP Profile Authentication Flow providerId: basic-flow topLevel: true builtIn: true authenticationExecutions: - authenticator: http-basic-authenticator authenticatorFlow: false requirement: REQUIRED priority: 10 autheticatorFlow: false userSetupAllowed: false authenticatorConfig: - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authconfig-unique-user') | ansible.builtin.to_uuid }} alias: create unique user config config: require.password.update.after.registration: "false" - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authconfig-review-profile-') | ansible.builtin.to_uuid }} alias: review profile config config: update.profile.on.first.login: missing requiredActions: - alias: CONFIGURE_TOTP name: Configure OTP providerId: CONFIGURE_TOTP enabled: true defaultAction: false priority: 10 config: {} - alias: TERMS_AND_CONDITIONS name: Terms and Conditions providerId: TERMS_AND_CONDITIONS enabled: false defaultAction: false priority: 20 config: {} - alias: UPDATE_PASSWORD name: Update Password providerId: UPDATE_PASSWORD enabled: true defaultAction: false priority: 30 config: {} - alias: 
UPDATE_PROFILE name: Update Profile providerId: UPDATE_PROFILE enabled: true defaultAction: false priority: 40 config: {} - alias: VERIFY_EMAIL name: Verify Email providerId: VERIFY_EMAIL enabled: true defaultAction: false priority: 50 config: {} - alias: delete_account name: Delete Account providerId: delete_account enabled: false defaultAction: false priority: 60 config: {} - alias: webauthn-register name: Webauthn Register providerId: webauthn-register enabled: true defaultAction: false priority: 70 config: {} - alias: webauthn-register-passwordless name: Webauthn Register Passwordless providerId: webauthn-register-passwordless enabled: true defaultAction: false priority: 80 config: {} - alias: VERIFY_PROFILE name: Verify Profile providerId: VERIFY_PROFILE enabled: true defaultAction: false priority: 90 config: {} - alias: delete_credential name: Delete Credential providerId: delete_credential enabled: true defaultAction: false priority: 100 config: {} - alias: update_user_locale name: Update User Locale providerId: update_user_locale enabled: true defaultAction: false priority: 1000 config: {} browserFlow: browser registrationFlow: registration directGrantFlow: direct grant resetCredentialsFlow: reset credentials clientAuthenticationFlow: clients dockerAuthenticationFlow: docker auth firstBrokerLoginFlow: first broker login attributes: cibaBackchannelTokenDeliveryMode: poll cibaExpiresIn: "120" cibaAuthRequestedUserHint: login_hint oauth2DeviceCodeLifespan: "600" oauth2DevicePollingInterval: "5" parRequestUriLifespan: "60" cibaInterval: "5" realmReusableOtpCode: "false" keycloakVersion: 26.2.7.redhat-00001 userManagedAccessAllowed: false organizationsEnabled: false verifiableCredentialsEnabled: false adminPermissionsEnabled: false clientProfiles: profiles: [] clientPolicies: policies: []