ocp-ing-ichp-materials/playbooks/roles/deploy-rhbk/templates/realm-import-template.yaml.j2

apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: {{ rhbk.name | default('sso') }}-{{ rhbk.realm | default('sample-realm') }}-import
  namespace: {{ rhbk.namespace | default('keycloak') }}
spec:
  keycloakCRName: {{ rhbk.name | default('sso') }}
  realm:
    id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }}
    realm: {{ rhbk.realm | default('sample-realm') }}
    notBefore: 0
    defaultSignatureAlgorithm: RS256
    revokeRefreshToken: false
    refreshTokenMaxReuse: 0
    accessTokenLifespan: 300
    accessTokenLifespanForImplicitFlow: 900
    ssoSessionIdleTimeout: 1800
    ssoSessionMaxLifespan: 36000
    ssoSessionIdleTimeoutRememberMe: 0
    ssoSessionMaxLifespanRememberMe: 0
    offlineSessionIdleTimeout: 2592000
    offlineSessionMaxLifespanEnabled: false
    offlineSessionMaxLifespan: 5184000
    clientSessionIdleTimeout: 0
    clientSessionMaxLifespan: 0
    clientOfflineSessionIdleTimeout: 0
    clientOfflineSessionMaxLifespan: 0
    accessCodeLifespan: 60
    accessCodeLifespanUserAction: 300
    accessCodeLifespanLogin: 1800
    actionTokenGeneratedByAdminLifespan: 43200
    actionTokenGeneratedByUserLifespan: 300
    oauth2DeviceCodeLifespan: 600
    oauth2DevicePollingInterval: 5
    enabled: true
    sslRequired: external
    registrationAllowed: false
    registrationEmailAsUsername: false
    rememberMe: false
    verifyEmail: false
    loginWithEmailAllowed: false
    duplicateEmailsAllowed: false
    resetPasswordAllowed: false
    editUsernameAllowed: false
    bruteForceProtected: false
    permanentLockout: false
    maxTemporaryLockouts: 0
    bruteForceStrategy: MULTIPLE
    maxFailureWaitSeconds: 900
    minimumQuickLoginWaitSeconds: 60
    waitIncrementSeconds: 60
    quickLoginCheckMilliSeconds: 1000
    maxDeltaTimeSeconds: 43200
    failureFactor: 30
    roles:
      realm:
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-rr-offline_access') | ansible.builtin.to_uuid }}
          name: offline_access
          description: ${role_offline-access}
          composite: false
          clientRole: false
          containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }}
          attributes: {}
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-rr-default-roles-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }}
          name: default-roles-{{ rhbk.realm | default('sample-realm') }}
          description: ${role_default-roles}
          composite: true
          composites:
            realm:
              - offline_access
              - uma_authorization
            client:
              account:
                - view-profile
                - manage-account
          clientRole: false
          containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }}
          attributes: {}
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-rr-uma_authorization') | ansible.builtin.to_uuid }}
          name: uma_authorization
          description: ${role_uma_authorization}
          composite: false
          clientRole: false
          containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }}
          attributes: {}
      client:
        realm-management:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-create-client') | ansible.builtin.to_uuid }}
            name: create-client
            description: ${role_create-client}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-clients') | ansible.builtin.to_uuid }}
            name: query-clients
            description: ${role_query-clients}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-identity-providers') | ansible.builtin.to_uuid }}
            name: view-identity-providers
            description: ${role_view-identity-providers}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-impersonation') | ansible.builtin.to_uuid }}
            name: impersonation
            description: ${role_impersonation}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-authorization') | ansible.builtin.to_uuid }}
            name: view-authorization
            description: ${role_view-authorization}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-realm') | ansible.builtin.to_uuid }}
            name: view-realm
            description: ${role_view-realm}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-clients') | ansible.builtin.to_uuid }}
            name: manage-clients
            description: ${role_manage-clients}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-users') | ansible.builtin.to_uuid }}
            name: manage-users
            description: ${role_manage-users}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-realms') | ansible.builtin.to_uuid }}
            name: query-realms
            description: ${role_query-realms}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-users') | ansible.builtin.to_uuid }}
            name: view-users
            description: ${role_view-users}
            composite: true
            composites:
              client:
                realm-management:
                  - query-groups
                  - query-users
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-realm-admin') | ansible.builtin.to_uuid }}
            name: realm-admin
            description: ${role_realm-admin}
            composite: true
            composites:
              client:
                realm-management:
                  - create-client
                  - query-clients
                  - view-identity-providers
                  - impersonation
                  - view-authorization
                  - view-realm
                  - manage-users
                  - manage-clients
                  - query-realms
                  - view-users
                  - manage-realm
                  - manage-authorization
                  - query-groups
                  - manage-events
                  - manage-identity-providers
                  - view-clients
                  - view-events
                  - query-users
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-realm') | ansible.builtin.to_uuid }}
            name: manage-realm
            description: ${role_manage-realm}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-authorization') | ansible.builtin.to_uuid }}
            name: manage-authorization
            description: ${role_manage-authorization}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-groups') | ansible.builtin.to_uuid }}
            name: query-groups
            description: ${role_query-groups}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-events') | ansible.builtin.to_uuid }}
            name: manage-events
            description: ${role_manage-events}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-manage-identity-providers') | ansible.builtin.to_uuid }}
            name: manage-identity-providers
            description: ${role_manage-identity-providers}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-clients') | ansible.builtin.to_uuid }}
            name: view-clients
            description: ${role_view-clients}
            composite: true
            composites:
              client:
                realm-management:
                  - query-clients
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-query-users') | ansible.builtin.to_uuid }}
            name: query-users
            description: ${role_query-users}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cr-view-events') | ansible.builtin.to_uuid }}
            name: view-events
            description: ${role_view-events}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
            attributes: {}
        security-admin-console: []
{% for client in rhbk.clients %}
        {{ client.id }}: []
{% endfor %}
        admin-cli: []
        account-console: []
        broker:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-br-read-token') | ansible.builtin.to_uuid }}
            name: read-token
            description: ${role_read-token}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-broker') | ansible.builtin.to_uuid }}
            attributes: {}
        account:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-delete-account') | ansible.builtin.to_uuid }}
            name: delete-account
            description: ${role_delete-account}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-manage-consent') | ansible.builtin.to_uuid }}
            name: manage-consent
            description: ${role_manage-consent}
            composite: true
            composites:
              client:
                account:
                  - view-consent
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-profile') | ansible.builtin.to_uuid }}
            name: view-profile
            description: ${role_view-profile}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-manage-account') | ansible.builtin.to_uuid }}
            name: manage-account
            description: ${role_manage-account}
            composite: true
            composites:
              client:
                account:
                  - manage-account-links
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-manage-account-links') | ansible.builtin.to_uuid }}
            name: manage-account-links
            description: ${role_manage-account-links}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-applications') | ansible.builtin.to_uuid }}
            name: view-applications
            description: ${role_view-applications}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-groups') | ansible.builtin.to_uuid }}
            name: view-groups
            description: ${role_view-groups}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-ar-view-consent') | ansible.builtin.to_uuid }}
            name: view-consent
            description: ${role_view-consent}
            composite: false
            clientRole: true
            containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
            attributes: {}
    groups: []
    defaultRole:
      id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-default-roles-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }}
      name: default-roles-{{ (rhbk.realm | default('sample-realm')) }}
      description: ${role_default-roles}
      composite: true
      clientRole: false
      containerId: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm'))) | ansible.builtin.to_uuid }}
    requiredCredentials:
      - password
    otpPolicyType: totp
    otpPolicyAlgorithm: HmacSHA1
    otpPolicyInitialCounter: 0
    otpPolicyDigits: 6
    otpPolicyLookAheadWindow: 1
    otpPolicyPeriod: 30
    otpPolicyCodeReusable: false
    otpSupportedApplications:
      - totpAppFreeOTPName
      - totpAppGoogleName
      - totpAppMicrosoftAuthenticatorName
    localizationTexts: {}
    webAuthnPolicyRpEntityName: keycloak
    webAuthnPolicySignatureAlgorithms:
      - ES256
      - RS256
    webAuthnPolicyRpId: ""
    webAuthnPolicyAttestationConveyancePreference: not specified
    webAuthnPolicyAuthenticatorAttachment: not specified
    webAuthnPolicyRequireResidentKey: not specified
    webAuthnPolicyUserVerificationRequirement: not specified
    webAuthnPolicyCreateTimeout: 0
    webAuthnPolicyAvoidSameAuthenticatorRegister: false
    webAuthnPolicyAcceptableAaguids: []
    webAuthnPolicyExtraOrigins: []
    webAuthnPolicyPasswordlessRpEntityName: keycloak
    webAuthnPolicyPasswordlessSignatureAlgorithms:
      - ES256
      - RS256
    webAuthnPolicyPasswordlessRpId: ""
    webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified
    webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified
    webAuthnPolicyPasswordlessRequireResidentKey: not specified
    webAuthnPolicyPasswordlessUserVerificationRequirement: not specified
    webAuthnPolicyPasswordlessCreateTimeout: 0
    webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false
    webAuthnPolicyPasswordlessAcceptableAaguids: []
    webAuthnPolicyPasswordlessExtraOrigins: []
    scopeMappings:
      - clientScope: offline_access
        roles:
          - offline_access
    clientScopeMappings:
      account:
        - client: account-console
          roles:
            - manage-account
            - view-groups
    clients:
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account') | ansible.builtin.to_uuid }}
        clientId: account
        name: ${client_account}
        rootUrl: ${authBaseUrl}
        baseUrl: /realms/{{ rhbk.realm | default('sample-realm') }}/account/
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - /realms/{{ rhbk.realm | default('sample-realm') }}/account/*
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          post.logout.redirect.uris: +
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account-console') | ansible.builtin.to_uuid }}
        clientId: account-console
        name: ${client_account-console}
        rootUrl: ${authBaseUrl}
        baseUrl: /realms/{{ rhbk.realm | default('sample-realm') }}/account/
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - /realms/{{ rhbk.realm | default('sample-realm') }}/account/*
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          post.logout.redirect.uris: +
          pkce.code.challenge.method: S256
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-account-console-pm-audience-resolve') | ansible.builtin.to_uuid }}
            name: audience resolve
            protocol: openid-connect
            protocolMapper: oidc-audience-resolve-mapper
            consentRequired: false
            config: {}
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-admin-cli') | ansible.builtin.to_uuid }}
        clientId: admin-cli
        name: ${client_admin-cli}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: false
        implicitFlowEnabled: false
        directAccessGrantsEnabled: true
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          client.use.lightweight.access.token.enabled: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-broker') | ansible.builtin.to_uuid }}
        clientId: broker
        name: ${client_broker}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: true
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
{% for client in rhbk.clients %}
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-' + client.id) | ansible.builtin.to_uuid }}
        clientId: {{ client.id }}
        name: "{{ client.name | default(client.id) }}"
        description: ""
        rootUrl: {{ client.base_url }}
        adminUrl: {{ client.base_url }}
        baseUrl: ""
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
{% if client.secret is defined %}
        secret: '{{ client.secret }}'
{% endif %}
        redirectUris:
          - {{ client.base_url }}/*
        webOrigins:
          - {{ client.base_url }}
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: {{ client.direct_grants | default(true) | bool }}
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: true
        protocol: openid-connect
        attributes:
          client.secret.creation.time: "1755544217"
          request.object.signature.alg: any
          request.object.encryption.alg: any
          client.introspection.response.allow.jwt.claim.enabled: "false"
          standard.token.exchange.enabled: "false"
          frontchannel.logout.session.required: "true"
          oauth2.device.authorization.grant.enabled: "false"
          use.jwks.url: "false"
          backchannel.logout.revoke.offline.tokens: "false"
          use.refresh.tokens: "true"
          realm_client: "false"
          oidc.ciba.grant.enabled: "false"
          client.use.lightweight.access.token.enabled: "false"
          backchannel.logout.session.required: "true"
          client_credentials.use_refresh_token: "false"
          request.object.required: not required
          access.token.header.type.rfc9068: "false"
          acr.loa.map: '{}'
          require.pushed.authorization.requests: "false"
          tls.client.certificate.bound.access.tokens: "false"
          display.on.consent.screen: "false"
          request.object.encryption.enc: any
          token.response.type.bearer.lower-case: "false"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: -1
{% if client.map_groups | default(true) %}
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-openshift-pm-groups') | ansible.builtin.to_uuid }}
            name: groups
            protocol: openid-connect
            protocolMapper: oidc-group-membership-mapper
            consentRequired: false
            config:
              claim.name: groups
              full.path: "false"
              id.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
              introspection.token.claim: "true"
              lightweight.claim: "false"
              multivalued: "true"
{% endif %}
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
{% endfor %}
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-realm-management') | ansible.builtin.to_uuid }}
        clientId: realm-management
        name: ${client_realm-management}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: true
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-security-admin-console') | ansible.builtin.to_uuid }}
        clientId: security-admin-console
        name: ${client_security-admin-console}
        rootUrl: ${authAdminUrl}
        baseUrl: /admin/{{ rhbk.realm | default('sample-realm') }}/console/
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - /admin/{{ rhbk.realm | default('sample-realm') }}/console/*
        webOrigins:
          - +
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          client.use.lightweight.access.token.enabled: "true"
          post.logout.redirect.uris: +
          pkce.code.challenge.method: S256
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: 0
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-security-admin-console-pm-locale') | ansible.builtin.to_uuid }}
            name: locale
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: locale
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: locale
              jsonType.label: String
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
    clientScopes:
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles') | ansible.builtin.to_uuid }}
        name: roles
        description: OpenID Connect scope for add user roles to the access token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          consent.screen.text: ${rolesScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles-pm-client-roles') | ansible.builtin.to_uuid }}
            name: client roles
            protocol: openid-connect
            protocolMapper: oidc-usermodel-client-role-mapper
            consentRequired: false
            config:
              user.attribute: foo
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: resource_access.${client_id}.roles
              jsonType.label: String
              multivalued: "true"
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles-pm-realm-roles') | ansible.builtin.to_uuid }}
            name: realm roles
            protocol: openid-connect
            protocolMapper: oidc-usermodel-realm-role-mapper
            consentRequired: false
            config:
              user.attribute: foo
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: realm_access.roles
              jsonType.label: String
              multivalued: "true"
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-roles-pm-audience-resolve') | ansible.builtin.to_uuid }}
            name: audience resolve
            protocol: openid-connect
            protocolMapper: oidc-audience-resolve-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              access.token.claim: "true"
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-service-account') | ansible.builtin.to_uuid }}
        name: service_account
        description: Specific scope for a client enabled for service accounts
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-service-account-pm-client-host') | ansible.builtin.to_uuid }}
            name: Client Host
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: clientHost
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: clientHost
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-service-account-pm-client-ip') | ansible.builtin.to_uuid }}
            name: Client IP Address
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: clientAddress
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: clientAddress
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-service-account-pm-client-id') | ansible.builtin.to_uuid }}
            name: Client ID
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: client_id
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: client_id
              jsonType.label: String
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-organization') | ansible.builtin.to_uuid }}
        name: organization
        description: Additional claims about the organization a subject belongs to
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${organizationScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-organization-pm-organization') | ansible.builtin.to_uuid }}
            name: organization
            protocol: openid-connect
            protocolMapper: oidc-organization-membership-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: organization
              jsonType.label: String
              multivalued: "true"
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-mprof-jwt') | ansible.builtin.to_uuid }}
        name: microprofile-jwt
        description: Microprofile - JWT built-in scope
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-mprof-jwt-pm-upn') | ansible.builtin.to_uuid }}
            name: upn
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: username
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: upn
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-mprof-jwt-pm-groups') | ansible.builtin.to_uuid }}
            name: groups
            protocol: openid-connect
            protocolMapper: oidc-usermodel-realm-role-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              multivalued: "true"
              user.attribute: foo
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: groups
              jsonType.label: String
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-saml-org') | ansible.builtin.to_uuid }}
        name: saml_organization
        description: Organization Membership
        protocol: saml
        attributes:
          display.on.consent.screen: "false"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-saml-org-pm-organization') | ansible.builtin.to_uuid }}
            name: organization
            protocol: saml
            protocolMapper: saml-organization-membership-mapper
            consentRequired: false
            config: {}
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-oidc') | ansible.builtin.to_uuid }}
        name: acr
        description: OpenID Connect scope for add acr (authentication context class reference) to the token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-oidc-pm-acr-loa-level') | ansible.builtin.to_uuid }}
            name: acr loa level
            protocol: openid-connect
            protocolMapper: oidc-acr-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              access.token.claim: "true"
              introspection.token.claim: "true"
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-email') | ansible.builtin.to_uuid }}
        name: email
        description: 'OpenID Connect built-in scope: email'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${emailScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-email-pm-email-vrfd') | ansible.builtin.to_uuid }}
            name: email verified
            protocol: openid-connect
            protocolMapper: oidc-usermodel-property-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: emailVerified
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: email_verified
              jsonType.label: boolean
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-email-pm-email') | ansible.builtin.to_uuid }}
            name: email
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: email
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: email
              jsonType.label: String
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-role-list') | ansible.builtin.to_uuid }}
        name: role_list
        description: SAML role list
        protocol: saml
        attributes:
          consent.screen.text: ${samlRoleListScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-role-list-pm-role-list') | ansible.builtin.to_uuid }}
            name: role list
            protocol: saml
            protocolMapper: saml-role-list-mapper
            consentRequired: false
            config:
              single: "false"
              attribute.nameformat: Basic
              attribute.name: Role
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-phone') | ansible.builtin.to_uuid }}
        name: phone
        description: 'OpenID Connect built-in scope: phone'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${phoneScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-phone-pm-phnum') | ansible.builtin.to_uuid }}
            name: phone number
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: phoneNumber
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: phone_number
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-phone-pm-phnum-vrfd') | ansible.builtin.to_uuid }}
            name: phone number verified
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: phoneNumberVerified
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: phone_number_verified
              jsonType.label: boolean
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-address') | ansible.builtin.to_uuid }}
        name: address
        description: 'OpenID Connect built-in scope: address'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${addressScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-address-pm-address') | ansible.builtin.to_uuid }}
            name: address
            protocol: openid-connect
            protocolMapper: oidc-address-mapper
            consentRequired: false
            config:
              user.attribute.formatted: formatted
              user.attribute.country: country
              introspection.token.claim: "true"
              user.attribute.postal_code: postal_code
              userinfo.token.claim: "true"
              user.attribute.street: street
              id.token.claim: "true"
              user.attribute.region: region
              access.token.claim: "true"
              user.attribute.locality: locality
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-basic') | ansible.builtin.to_uuid }}
        name: basic
        description: OpenID Connect scope for add all basic claims to the token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-basic-pm-sub') | ansible.builtin.to_uuid }}
            name: sub
            protocol: openid-connect
            protocolMapper: oidc-sub-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              access.token.claim: "true"
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-basic-pm-auth-time') | ansible.builtin.to_uuid }}
            name: auth_time
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: AUTH_TIME
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: auth_time
              jsonType.label: long
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-offline') | ansible.builtin.to_uuid }}
        name: offline_access
        description: 'OpenID Connect built-in scope: offline_access'
        protocol: openid-connect
        attributes:
          consent.screen.text: ${offlineAccessScopeConsentText}
          display.on.consent.screen: "true"
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-web-origins') | ansible.builtin.to_uuid }}
        name: web-origins
        description: OpenID Connect scope for add allowed web origins to the access token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          consent.screen.text: ""
          display.on.consent.screen: "false"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-web-origins-pm-allowed-origins') | ansible.builtin.to_uuid }}
            name: allowed web origins
            protocol: openid-connect
            protocolMapper: oidc-allowed-origins-mapper
            consentRequired: false
            config:
              access.token.claim: "true"
              introspection.token.claim: "true"
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile') | ansible.builtin.to_uuid }}
        name: profile
        description: 'OpenID Connect built-in scope: profile'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${profileScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-website') | ansible.builtin.to_uuid }}
            name: website
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: website
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: website
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-full-name') | ansible.builtin.to_uuid }}
            name: full name
            protocol: openid-connect
            protocolMapper: oidc-full-name-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-locale') | ansible.builtin.to_uuid }}
            name: locale
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: locale
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: locale
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-picture') | ansible.builtin.to_uuid }}
            name: picture
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: picture
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: picture
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-given-name') | ansible.builtin.to_uuid }}
            name: given name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: firstName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: given_name
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-profile') | ansible.builtin.to_uuid }}
            name: profile
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: profile
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: profile
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-birthdate') | ansible.builtin.to_uuid }}
            name: birthdate
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: birthdate
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: birthdate
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-zoneinfo') | ansible.builtin.to_uuid }}
            name: zoneinfo
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: zoneinfo
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: zoneinfo
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-family-name') | ansible.builtin.to_uuid }}
            name: family name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: lastName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: family_name
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-username') | ansible.builtin.to_uuid }}
            name: username
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: username
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: preferred_username
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-nickname') | ansible.builtin.to_uuid }}
            name: nickname
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: nickname
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: nickname
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-middle-name') | ansible.builtin.to_uuid }}
            name: middle name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: middleName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: middle_name
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-gender') | ansible.builtin.to_uuid }}
            name: gender
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: gender
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: gender
              jsonType.label: String
          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-cscope-profile-pm-updated-at') | ansible.builtin.to_uuid }}
            name: updated at
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: updatedAt
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: updated_at
              jsonType.label: long
    defaultDefaultClientScopes:
      - role_list
      - saml_organization
      - profile
      - email
      - roles
      - web-origins
      - acr
      - basic
    defaultOptionalClientScopes:
      - offline_access
      - address
      - phone
      - microprofile-jwt
      - organization
    browserSecurityHeaders:
      contentSecurityPolicyReportOnly: ""
      xContentTypeOptions: nosniff
      referrerPolicy: no-referrer
      xRobotsTag: none
      xFrameOptions: SAMEORIGIN
      contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
      strictTransportSecurity: max-age=31536000; includeSubDomains
    smtpServer: {}
    eventsEnabled: false
    eventsListeners:
      - jboss-logging
    enabledEventTypes: []
    adminEventsEnabled: false
    adminEventsDetailsEnabled: false
    identityProviders: []
    identityProviderMappers: []
    components:
      org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy:
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-max-clients') | ansible.builtin.to_uuid }}
          name: Max Clients Limit
          providerId: max-clients
          subType: anonymous
          subComponents: {}
          config:
            max-clients:
              - "200"
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-fullscope') | ansible.builtin.to_uuid }}
          name: Full Scope Disabled
          providerId: scope
          subType: anonymous
          subComponents: {}
          config: {}
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-allowed-protomap-anon') | ansible.builtin.to_uuid }}
          name: Allowed Protocol Mapper Types
          providerId: allowed-protocol-mappers
          subType: anonymous
          subComponents: {}
          config:
            allowed-protocol-mapper-types:
              - oidc-sha256-pairwise-sub-mapper
              - saml-user-attribute-mapper
              - saml-user-property-mapper
              - oidc-address-mapper
              - oidc-usermodel-property-mapper
              - oidc-full-name-mapper
              - saml-role-list-mapper
              - oidc-usermodel-attribute-mapper
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-trusted-hosts') | ansible.builtin.to_uuid }}
          name: Trusted Hosts
          providerId: trusted-hosts
          subType: anonymous
          subComponents: {}
          config:
            host-sending-registration-request-must-match:
              - "true"
            client-uris-must-match:
              - "true"
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-allowed-protomap-auth') | ansible.builtin.to_uuid }}
          name: Allowed Protocol Mapper Types
          providerId: allowed-protocol-mappers
          subType: authenticated
          subComponents: {}
          config:
            allowed-protocol-mapper-types:
              - saml-user-attribute-mapper
              - saml-user-property-mapper
              - oidc-sha256-pairwise-sub-mapper
              - saml-role-list-mapper
              - oidc-address-mapper
              - oidc-usermodel-attribute-mapper
              - oidc-full-name-mapper
              - oidc-usermodel-property-mapper
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-consentreq') | ansible.builtin.to_uuid }}
          name: Consent Required
          providerId: consent-required
          subType: anonymous
          subComponents: {}
          config: {}
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-allowed-cliscope-anon') | ansible.builtin.to_uuid }}
          name: Allowed Client Scopes
          providerId: allowed-client-templates
          subType: anonymous
          subComponents: {}
          config:
            allow-default-scopes:
              - "true"
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-regpol-allowed-cliscope-auth') | ansible.builtin.to_uuid }}
          name: Allowed Client Scopes
          providerId: allowed-client-templates
          subType: authenticated
          subComponents: {}
          config:
            allow-default-scopes:
              - "true"
      org.keycloak.keys.KeyProvider:
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-hs512') | ansible.builtin.to_uuid }}
          name: hmac-generated-hs512
          providerId: hmac-generated
          subComponents: {}
          config:
            priority:
              - "100"
            algorithm:
              - HS512
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-aesgen') | ansible.builtin.to_uuid }}
          name: aes-generated
          providerId: aes-generated
          subComponents: {}
          config:
            priority:
              - "100"
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-rsaencgen') | ansible.builtin.to_uuid }}
          name: rsa-enc-generated
          providerId: rsa-enc-generated
          subComponents: {}
          config:
            priority:
              - "100"
            algorithm:
              - RSA-OAEP
        - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-keyprov-rsagen') | ansible.builtin.to_uuid }}
          name: rsa-generated
          providerId: rsa-generated
          subComponents: {}
          config:
            priority:
              - "100"
    internationalizationEnabled: false
    supportedLocales: []
    authenticationFlows:
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-acct-vrfy-opt') | ansible.builtin.to_uuid }}
        alias: Account verification options
        description: Method with which to verity the existing account
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: idp-email-verification
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: true
            flowAlias: Verify Existing Account by Re-authentication
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-brws-cond-otp') | ansible.builtin.to_uuid }}
        alias: Browser - Conditional OTP
        description: Flow to determine if the OTP is required for the authentication
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: auth-otp-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-brws-cond-org') | ansible.builtin.to_uuid }}
        alias: Browser - Conditional Organization
        description: Flow to determine if the organization identity-first login is to be used
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: organization
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-dg-cond-otp') | ansible.builtin.to_uuid }}
        alias: Direct Grant - Conditional OTP
        description: Flow to determine if the OTP is required for the authentication
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: direct-grant-validate-otp
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-fbrok-login-cond-org') | ansible.builtin.to_uuid }}
        alias: First Broker Login - Conditional Organization
        description: Flow to determine if the authenticator that adds organization members is to be used
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: idp-add-organization-member
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-fbrok-login-cond-otp') | ansible.builtin.to_uuid }}
        alias: First broker login - Conditional OTP
        description: Flow to determine if the OTP is required for the authentication
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: auth-otp-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-handle-existing') | ansible.builtin.to_uuid }}
        alias: Handle Existing Account
        description: Handle what to do if there is existing account with same email/username like authenticated identity provider
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: idp-confirm-link
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: true
            flowAlias: Account verification options
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-org') | ansible.builtin.to_uuid }}
        alias: Organization
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 10
            autheticatorFlow: true
            flowAlias: Browser - Conditional Organization
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-cond-otp') | ansible.builtin.to_uuid }}
        alias: Reset - Conditional OTP
        description: Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: reset-otp
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-ucreat-or-link') | ansible.builtin.to_uuid }}
        alias: User creation or linking
        description: Flow for the existing/non-existing user alternatives
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticatorConfig: create unique user config
            authenticator: idp-create-user-if-unique
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: true
            flowAlias: Handle Existing Account
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-vrfy-existing-reauth') | ansible.builtin.to_uuid }}
        alias: Verify Existing Account by Re-authentication
        description: Reauthentication of existing account
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: idp-username-password-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 20
            autheticatorFlow: true
            flowAlias: First broker login - Conditional OTP
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-brws-based-auth') | ansible.builtin.to_uuid }}
        alias: browser
        description: Browser based authentication
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: auth-cookie
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: auth-spnego
            authenticatorFlow: false
            requirement: DISABLED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: identity-provider-redirector
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 25
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 26
            autheticatorFlow: true
            flowAlias: Organization
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 30
            autheticatorFlow: true
            flowAlias: forms
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-base-client-auth') | ansible.builtin.to_uuid }}
        alias: clients
        description: Base authentication for clients
        providerId: client-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: client-secret
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: client-jwt
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: client-secret-jwt
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 30
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: client-x509
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 40
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-dgrant-oidc-owner') | ansible.builtin.to_uuid }}
        alias: direct grant
        description: OpenID Connect Resource Owner Grant
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: direct-grant-validate-username
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: direct-grant-validate-password
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 30
            autheticatorFlow: true
            flowAlias: Direct Grant - Conditional OTP
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-docker-auth') | ansible.builtin.to_uuid }}
        alias: docker auth
        description: Used by Docker clients to authenticate against the IDP
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: docker-http-basic-authenticator
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-fbrok-login') | ansible.builtin.to_uuid }}
        alias: first broker login
        description: Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticatorConfig: review profile config
            authenticator: idp-review-profile
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: true
            flowAlias: User creation or linking
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 50
            autheticatorFlow: true
            flowAlias: First Broker Login - Conditional Organization
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-forms') | ansible.builtin.to_uuid }}
        alias: forms
        description: Username, password, otp and other auth forms.
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: auth-username-password-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 20
            autheticatorFlow: true
            flowAlias: Browser - Conditional OTP
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-reg-flow') | ansible.builtin.to_uuid }}
        alias: registration
        description: Registration flow
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: registration-page-form
            authenticatorFlow: true
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: true
            flowAlias: registration form
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-reg-form') | ansible.builtin.to_uuid }}
        alias: registration form
        description: Registration form
        providerId: form-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: registration-user-creation
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: registration-password-action
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 50
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: registration-recaptcha-action
            authenticatorFlow: false
            requirement: DISABLED
            priority: 60
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: registration-terms-and-conditions
            authenticatorFlow: false
            requirement: DISABLED
            priority: 70
            autheticatorFlow: false
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-reset-creds') | ansible.builtin.to_uuid }}
        alias: reset credentials
        description: Reset credentials for a user if they forgot their password or something
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: reset-credentials-choose-user
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: reset-credential-email
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: reset-password
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 30
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 40
            autheticatorFlow: true
            flowAlias: Reset - Conditional OTP
            userSetupAllowed: false
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authflow-saml-ecp') | ansible.builtin.to_uuid }}
        alias: saml ecp
        description: SAML ECP Profile Authentication Flow
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: http-basic-authenticator
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
    authenticatorConfig:
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authconfig-unique-user') | ansible.builtin.to_uuid }}
        alias: create unique user config
        config:
          require.password.update.after.registration: "false"
      - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-authconfig-review-profile-') | ansible.builtin.to_uuid }}
        alias: review profile config
        config:
          update.profile.on.first.login: missing
    requiredActions:
      - alias: CONFIGURE_TOTP
        name: Configure OTP
        providerId: CONFIGURE_TOTP
        enabled: true
        defaultAction: false
        priority: 10
        config: {}
      - alias: TERMS_AND_CONDITIONS
        name: Terms and Conditions
        providerId: TERMS_AND_CONDITIONS
        enabled: false
        defaultAction: false
        priority: 20
        config: {}
      - alias: UPDATE_PASSWORD
        name: Update Password
        providerId: UPDATE_PASSWORD
        enabled: true
        defaultAction: false
        priority: 30
        config: {}
      - alias: UPDATE_PROFILE
        name: Update Profile
        providerId: UPDATE_PROFILE
        enabled: true
        defaultAction: false
        priority: 40
        config: {}
      - alias: VERIFY_EMAIL
        name: Verify Email
        providerId: VERIFY_EMAIL
        enabled: true
        defaultAction: false
        priority: 50
        config: {}
      - alias: delete_account
        name: Delete Account
        providerId: delete_account
        enabled: false
        defaultAction: false
        priority: 60
        config: {}
      - alias: webauthn-register
        name: Webauthn Register
        providerId: webauthn-register
        enabled: true
        defaultAction: false
        priority: 70
        config: {}
      - alias: webauthn-register-passwordless
        name: Webauthn Register Passwordless
        providerId: webauthn-register-passwordless
        enabled: true
        defaultAction: false
        priority: 80
        config: {}
      - alias: VERIFY_PROFILE
        name: Verify Profile
        providerId: VERIFY_PROFILE
        enabled: true
        defaultAction: false
        priority: 90
        config: {}
      - alias: delete_credential
        name: Delete Credential
        providerId: delete_credential
        enabled: true
        defaultAction: false
        priority: 100
        config: {}
      - alias: update_user_locale
        name: Update User Locale
        providerId: update_user_locale
        enabled: true
        defaultAction: false
        priority: 1000
        config: {}
    browserFlow: browser
    registrationFlow: registration
    directGrantFlow: direct grant
    resetCredentialsFlow: reset credentials
    clientAuthenticationFlow: clients
    dockerAuthenticationFlow: docker auth
    firstBrokerLoginFlow: first broker login
    attributes:
      cibaBackchannelTokenDeliveryMode: poll
      cibaExpiresIn: "120"
      cibaAuthRequestedUserHint: login_hint
      oauth2DeviceCodeLifespan: "600"
      oauth2DevicePollingInterval: "5"
      parRequestUriLifespan: "60"
      cibaInterval: "5"
      realmReusableOtpCode: "false"
    keycloakVersion: 26.2.7.redhat-00001
    userManagedAccessAllowed: false
    organizationsEnabled: false
    verifiableCredentialsEnabled: false
    adminPermissionsEnabled: false
    clientProfiles:
      profiles: []
    clientPolicies:
      policies: []