ocp-ing-ichp-materials/playbooks/roles/deploy-rhbk/templates/realm-import-template.yaml.j2

apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: {{ rhbk.name | default('sso') }}-{{ rhbk.realm | default('sample-realm') }}-import
  namespace: {{ rhbk.namespace | default('keycloak') }}
spec:
  keycloakCRName: {{ rhbk.name | default('sso') }}
  realm:
    id: be41fdb1-be4d-431d-be3c-adb5ad3a071a
    realm: {{ rhbk.realm | default('sample-realm') }}
    notBefore: 0
    defaultSignatureAlgorithm: RS256
    revokeRefreshToken: false
    refreshTokenMaxReuse: 0
    accessTokenLifespan: 300
    accessTokenLifespanForImplicitFlow: 900
    ssoSessionIdleTimeout: 1800
    ssoSessionMaxLifespan: 36000
    ssoSessionIdleTimeoutRememberMe: 0
    ssoSessionMaxLifespanRememberMe: 0
    offlineSessionIdleTimeout: 2592000
    offlineSessionMaxLifespanEnabled: false
    offlineSessionMaxLifespan: 5184000
    clientSessionIdleTimeout: 0
    clientSessionMaxLifespan: 0
    clientOfflineSessionIdleTimeout: 0
    clientOfflineSessionMaxLifespan: 0
    accessCodeLifespan: 60
    accessCodeLifespanUserAction: 300
    accessCodeLifespanLogin: 1800
    actionTokenGeneratedByAdminLifespan: 43200
    actionTokenGeneratedByUserLifespan: 300
    oauth2DeviceCodeLifespan: 600
    oauth2DevicePollingInterval: 5
    enabled: true
    sslRequired: external
    registrationAllowed: false
    registrationEmailAsUsername: false
    rememberMe: false
    verifyEmail: false
    loginWithEmailAllowed: false
    duplicateEmailsAllowed: false
    resetPasswordAllowed: false
    editUsernameAllowed: false
    bruteForceProtected: false
    permanentLockout: false
    maxTemporaryLockouts: 0
    bruteForceStrategy: MULTIPLE
    maxFailureWaitSeconds: 900
    minimumQuickLoginWaitSeconds: 60
    waitIncrementSeconds: 60
    quickLoginCheckMilliSeconds: 1000
    maxDeltaTimeSeconds: 43200
    failureFactor: 30
    roles:
      realm:
        - id: e7d9d76c-bfa9-4aa3-b67c-652fe88b1a25
          name: offline_access
          description: ${role_offline-access}
          composite: false
          clientRole: false
          containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
          attributes: {}
        - id: 07fabbc5-4576-4ccc-985e-c0e9ef48d5b9
          name: default-roles-ichp
          description: ${role_default-roles}
          composite: true
          composites:
            realm:
              - offline_access
              - uma_authorization
            client:
              account:
                - view-profile
                - manage-account
          clientRole: false
          containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
          attributes: {}
        - id: 1e3afeb8-c039-4815-868c-33bbafed28f4
          name: uma_authorization
          description: ${role_uma_authorization}
          composite: false
          clientRole: false
          containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
          attributes: {}
      client:
        realm-management:
          - id: 1f2346c9-4576-40ae-b1ab-0c7895d82776
            name: create-client
            description: ${role_create-client}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 72effb10-55aa-4ba6-9897-7b969878b4c2
            name: query-clients
            description: ${role_query-clients}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 5162b108-5ac3-43de-8a3c-b93ac6d833e1
            name: view-identity-providers
            description: ${role_view-identity-providers}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 4679477a-0e55-44b8-a795-f61c841dd7ea
            name: impersonation
            description: ${role_impersonation}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 158932a4-ec77-48ad-b967-15d3877b302b
            name: view-authorization
            description: ${role_view-authorization}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 4728cec2-0c01-45eb-9620-a71522ef9747
            name: view-realm
            description: ${role_view-realm}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: ce60989a-b977-4817-8add-06050e9e1539
            name: manage-clients
            description: ${role_manage-clients}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 837fe3ea-27b4-4167-a466-645e8f738f2e
            name: manage-users
            description: ${role_manage-users}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 574f9232-c48b-49fc-b24c-4f868f28ee49
            name: query-realms
            description: ${role_query-realms}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 952a7293-2733-4d64-a5ba-0b98d39f1a8c
            name: view-users
            description: ${role_view-users}
            composite: true
            composites:
              client:
                realm-management:
                  - query-groups
                  - query-users
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 58e37045-4a6a-4292-b849-b458fe15272e
            name: realm-admin
            description: ${role_realm-admin}
            composite: true
            composites:
              client:
                realm-management:
                  - create-client
                  - query-clients
                  - view-identity-providers
                  - impersonation
                  - view-authorization
                  - view-realm
                  - manage-users
                  - manage-clients
                  - query-realms
                  - view-users
                  - manage-realm
                  - manage-authorization
                  - query-groups
                  - manage-events
                  - manage-identity-providers
                  - view-clients
                  - view-events
                  - query-users
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 180792d6-17b5-4369-8d9f-5e9d7c1abecd
            name: manage-realm
            description: ${role_manage-realm}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 865608a3-b3c8-492d-a99f-35acbbc95df5
            name: manage-authorization
            description: ${role_manage-authorization}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: d67afc38-e298-48ae-883d-84b90e2acc87
            name: query-groups
            description: ${role_query-groups}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: aa372a48-8435-4923-b125-6bae2e735a75
            name: manage-events
            description: ${role_manage-events}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: ca44e368-d20a-445b-b5db-1a79f4551cf7
            name: manage-identity-providers
            description: ${role_manage-identity-providers}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: 58dfbd59-c730-46ad-a0ce-e4712b130133
            name: view-clients
            description: ${role_view-clients}
            composite: true
            composites:
              client:
                realm-management:
                  - query-clients
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: e67476ef-5630-42d2-9ec7-9cda35a6ff03
            name: query-users
            description: ${role_query-users}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
          - id: edb64667-b054-4f32-80b3-19cb8dab52a4
            name: view-events
            description: ${role_view-events}
            composite: false
            clientRole: true
            containerId: 1544ec14-3f4a-4601-8f98-a3698afb78c9
            attributes: {}
        security-admin-console: []
        openshift: []
        admin-cli: []
        account-console: []
        broker:
          - id: cfa9110f-d928-43e5-b71f-0970206dc7c7
            name: read-token
            description: ${role_read-token}
            composite: false
            clientRole: true
            containerId: a18de74b-25e5-4225-bbab-743752fc2f77
            attributes: {}
        account:
          - id: 0a363300-38e4-4477-b0eb-b29f58506d81
            name: delete-account
            description: ${role_delete-account}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 2c2d6b40-bd69-4561-802d-97b8dcf08a9d
            name: manage-consent
            description: ${role_manage-consent}
            composite: true
            composites:
              client:
                account:
                  - view-consent
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 7b66ea32-a92c-4152-9435-b36d5c998bf4
            name: view-profile
            description: ${role_view-profile}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 26cc6356-b198-498a-8fd5-b6c55266044e
            name: manage-account
            description: ${role_manage-account}
            composite: true
            composites:
              client:
                account:
                  - manage-account-links
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 7d07a1ab-7994-47d8-88ad-5c91ea422722
            name: manage-account-links
            description: ${role_manage-account-links}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: ecc23404-4281-4c90-aed4-375fd0fc0d37
            name: view-applications
            description: ${role_view-applications}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 1f3da55f-0458-496b-b9f2-f10496d28ab5
            name: view-groups
            description: ${role_view-groups}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
          - id: 5aaab517-1ce9-465d-abc8-936cffca1bc3
            name: view-consent
            description: ${role_view-consent}
            composite: false
            clientRole: true
            containerId: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
            attributes: {}
    groups: []
    defaultRole:
      id: 07fabbc5-4576-4ccc-985e-c0e9ef48d5b9
      name: default-roles-ichp
      description: ${role_default-roles}
      composite: true
      clientRole: false
      containerId: be41fdb1-be4d-431d-be3c-adb5ad3a071a
    requiredCredentials:
      - password
    otpPolicyType: totp
    otpPolicyAlgorithm: HmacSHA1
    otpPolicyInitialCounter: 0
    otpPolicyDigits: 6
    otpPolicyLookAheadWindow: 1
    otpPolicyPeriod: 30
    otpPolicyCodeReusable: false
    otpSupportedApplications:
      - totpAppFreeOTPName
      - totpAppGoogleName
      - totpAppMicrosoftAuthenticatorName
    localizationTexts: {}
    webAuthnPolicyRpEntityName: keycloak
    webAuthnPolicySignatureAlgorithms:
      - ES256
      - RS256
    webAuthnPolicyRpId: ""
    webAuthnPolicyAttestationConveyancePreference: not specified
    webAuthnPolicyAuthenticatorAttachment: not specified
    webAuthnPolicyRequireResidentKey: not specified
    webAuthnPolicyUserVerificationRequirement: not specified
    webAuthnPolicyCreateTimeout: 0
    webAuthnPolicyAvoidSameAuthenticatorRegister: false
    webAuthnPolicyAcceptableAaguids: []
    webAuthnPolicyExtraOrigins: []
    webAuthnPolicyPasswordlessRpEntityName: keycloak
    webAuthnPolicyPasswordlessSignatureAlgorithms:
      - ES256
      - RS256
    webAuthnPolicyPasswordlessRpId: ""
    webAuthnPolicyPasswordlessAttestationConveyancePreference: not specified
    webAuthnPolicyPasswordlessAuthenticatorAttachment: not specified
    webAuthnPolicyPasswordlessRequireResidentKey: not specified
    webAuthnPolicyPasswordlessUserVerificationRequirement: not specified
    webAuthnPolicyPasswordlessCreateTimeout: 0
    webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister: false
    webAuthnPolicyPasswordlessAcceptableAaguids: []
    webAuthnPolicyPasswordlessExtraOrigins: []
    scopeMappings:
      - clientScope: offline_access
        roles:
          - offline_access
    clientScopeMappings:
      account:
        - client: account-console
          roles:
            - manage-account
            - view-groups
    clients:
      - id: 310611db-29b6-4df6-806f-2ffb8ec6d1d0
        clientId: account
        name: ${client_account}
        rootUrl: ${authBaseUrl}
        baseUrl: /realms/ichp/account/
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - /realms/ichp/account/*
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          post.logout.redirect.uris: +
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: 26ee53a2-3acc-4f86-bb03-8ef53f4c4619
        clientId: account-console
        name: ${client_account-console}
        rootUrl: ${authBaseUrl}
        baseUrl: /realms/ichp/account/
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - /realms/ichp/account/*
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          post.logout.redirect.uris: +
          pkce.code.challenge.method: S256
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        protocolMappers:
          - id: d5f30f3a-684a-41ec-b423-70179bcb7550
            name: audience resolve
            protocol: openid-connect
            protocolMapper: oidc-audience-resolve-mapper
            consentRequired: false
            config: {}
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: de8c83c0-f8d4-4ea4-9243-3c8eb8e3320b
        clientId: admin-cli
        name: ${client_admin-cli}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: false
        implicitFlowEnabled: false
        directAccessGrantsEnabled: true
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          client.use.lightweight.access.token.enabled: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: a18de74b-25e5-4225-bbab-743752fc2f77
        clientId: broker
        name: ${client_broker}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: true
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: 95b6c1c6-3787-4442-b512-527ff51d2670
        clientId: openshift
        name: "OpenShift OIDC Client"
        description: ""
        rootUrl: https://oauth-openshift.apps.ocp4.example.com
        adminUrl: https://oauth-openshift.apps.ocp4.example.com
        baseUrl: ""
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        secret: 'verysecret'
        redirectUris:
          - https://oauth-openshift.apps.ocp4.example.com/*
        webOrigins:
          - https://oauth-openshift.apps.ocp4.example.com
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: true
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: true
        protocol: openid-connect
        attributes:
          client.secret.creation.time: "1755544217"
          request.object.signature.alg: any
          request.object.encryption.alg: any
          client.introspection.response.allow.jwt.claim.enabled: "false"
          standard.token.exchange.enabled: "false"
          frontchannel.logout.session.required: "true"
          oauth2.device.authorization.grant.enabled: "false"
          use.jwks.url: "false"
          backchannel.logout.revoke.offline.tokens: "false"
          use.refresh.tokens: "true"
          realm_client: "false"
          oidc.ciba.grant.enabled: "false"
          client.use.lightweight.access.token.enabled: "false"
          backchannel.logout.session.required: "true"
          client_credentials.use_refresh_token: "false"
          request.object.required: not required
          access.token.header.type.rfc9068: "false"
          acr.loa.map: '{}'
          require.pushed.authorization.requests: "false"
          tls.client.certificate.bound.access.tokens: "false"
          display.on.consent.screen: "false"
          request.object.encryption.enc: any
          token.response.type.bearer.lower-case: "false"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: -1
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: 1544ec14-3f4a-4601-8f98-a3698afb78c9
        clientId: realm-management
        name: ${client_realm-management}
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris: []
        webOrigins: []
        notBefore: 0
        bearerOnly: true
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: false
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "true"
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: false
        nodeReRegistrationTimeout: 0
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
      - id: 64228e4f-5e45-43e2-840d-3ea67fbb1356
        clientId: security-admin-console
        name: ${client_security-admin-console}
        rootUrl: ${authAdminUrl}
        baseUrl: /admin/ichp/console/
        surrogateAuthRequired: false
        enabled: true
        alwaysDisplayInConsole: false
        clientAuthenticatorType: client-secret
        redirectUris:
          - /admin/ichp/console/*
        webOrigins:
          - +
        notBefore: 0
        bearerOnly: false
        consentRequired: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        publicClient: true
        frontchannelLogout: false
        protocol: openid-connect
        attributes:
          realm_client: "false"
          client.use.lightweight.access.token.enabled: "true"
          post.logout.redirect.uris: +
          pkce.code.challenge.method: S256
        authenticationFlowBindingOverrides: {}
        fullScopeAllowed: true
        nodeReRegistrationTimeout: 0
        protocolMappers:
          - id: 05393481-79e3-4c5d-be72-b21fa1b2cf6f
            name: locale
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: locale
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: locale
              jsonType.label: String
        defaultClientScopes:
          - web-origins
          - acr
          - roles
          - profile
          - basic
          - email
        optionalClientScopes:
          - address
          - phone
          - organization
          - offline_access
          - microprofile-jwt
    clientScopes:
      - id: da242fab-a8d0-4aa0-9e10-8212440b4b3b
        name: roles
        description: OpenID Connect scope for add user roles to the access token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          consent.screen.text: ${rolesScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 8ae03c9d-7b0b-4c41-baaa-54327e15d4fe
            name: client roles
            protocol: openid-connect
            protocolMapper: oidc-usermodel-client-role-mapper
            consentRequired: false
            config:
              user.attribute: foo
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: resource_access.${client_id}.roles
              jsonType.label: String
              multivalued: "true"
          - id: 7ed4a8f3-73ef-4c76-a68c-2abdb7111505
            name: realm roles
            protocol: openid-connect
            protocolMapper: oidc-usermodel-realm-role-mapper
            consentRequired: false
            config:
              user.attribute: foo
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: realm_access.roles
              jsonType.label: String
              multivalued: "true"
          - id: a354f9c9-579d-44f3-9d90-6fbbe5739c50
            name: audience resolve
            protocol: openid-connect
            protocolMapper: oidc-audience-resolve-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              access.token.claim: "true"
      - id: 4a60daed-92f6-4646-80bc-78e8bb5097a5
        name: service_account
        description: Specific scope for a client enabled for service accounts
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: c6ba4bf2-70c9-429d-8f11-7e7a94b6072c
            name: Client Host
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: clientHost
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: clientHost
              jsonType.label: String
          - id: 8afd36a6-b5e9-42a8-96be-d64cd70ecc1e
            name: Client IP Address
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: clientAddress
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: clientAddress
              jsonType.label: String
          - id: aba0ce6b-a46a-4beb-9f24-364fbc2d7f72
            name: Client ID
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: client_id
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: client_id
              jsonType.label: String
      - id: 308782b7-ab41-49ff-9e1a-de9a22b252df
        name: organization
        description: Additional claims about the organization a subject belongs to
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${organizationScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: a49de63c-2c91-45b7-9f87-6646ee2a8560
            name: organization
            protocol: openid-connect
            protocolMapper: oidc-organization-membership-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: organization
              jsonType.label: String
              multivalued: "true"
      - id: ddc162b7-ae46-469a-88da-8e6fd882fef2
        name: microprofile-jwt
        description: Microprofile - JWT built-in scope
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 0aceceda-de29-4dfd-b282-79c1a4b1f01e
            name: upn
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: username
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: upn
              jsonType.label: String
          - id: bbacf398-7509-43c2-a6a2-f72b7a151dde
            name: groups
            protocol: openid-connect
            protocolMapper: oidc-usermodel-realm-role-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              multivalued: "true"
              user.attribute: foo
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: groups
              jsonType.label: String
      - id: 52d6d297-de58-47a4-8272-858cb1957dc5
        name: saml_organization
        description: Organization Membership
        protocol: saml
        attributes:
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 53757c9d-732c-4274-95ff-fb36bcb68612
            name: organization
            protocol: saml
            protocolMapper: saml-organization-membership-mapper
            consentRequired: false
            config: {}
      - id: b0f1af41-d217-47e2-ad46-90d333fc933c
        name: acr
        description: OpenID Connect scope for add acr (authentication context class reference) to the token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: f511c418-885e-4def-a61c-46a2036ea16d
            name: acr loa level
            protocol: openid-connect
            protocolMapper: oidc-acr-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              access.token.claim: "true"
              introspection.token.claim: "true"
      - id: 3d18a857-3e55-46f8-85e8-ff9757288d6a
        name: email
        description: 'OpenID Connect built-in scope: email'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${emailScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 30275ad3-3d25-4e8a-a5ed-696135bb4aa3
            name: email verified
            protocol: openid-connect
            protocolMapper: oidc-usermodel-property-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: emailVerified
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: email_verified
              jsonType.label: boolean
          - id: b57b56af-774b-4529-880d-15cff8fc2d89
            name: email
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: email
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: email
              jsonType.label: String
      - id: b368511f-a4c6-431b-a8f9-3c807fe5864c
        name: role_list
        description: SAML role list
        protocol: saml
        attributes:
          consent.screen.text: ${samlRoleListScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 8acaaa00-bfce-43aa-b07b-35eb598c5c08
            name: role list
            protocol: saml
            protocolMapper: saml-role-list-mapper
            consentRequired: false
            config:
              single: "false"
              attribute.nameformat: Basic
              attribute.name: Role
      - id: 65b918f8-4285-4874-8887-55abd5e48815
        name: phone
        description: 'OpenID Connect built-in scope: phone'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${phoneScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: 2817b50a-9e0a-4333-b9cb-8bd7347bde4c
            name: phone number
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: phoneNumber
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: phone_number
              jsonType.label: String
          - id: 51c1fe54-8aa6-40ef-9dcf-8296698aef28
            name: phone number verified
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: phoneNumberVerified
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: phone_number_verified
              jsonType.label: boolean
      - id: cbeecdb8-59d2-4ef0-8f5b-b26485b61184
        name: address
        description: 'OpenID Connect built-in scope: address'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${addressScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: a2ccf3d2-08f6-4874-b731-eb71c505d083
            name: address
            protocol: openid-connect
            protocolMapper: oidc-address-mapper
            consentRequired: false
            config:
              user.attribute.formatted: formatted
              user.attribute.country: country
              introspection.token.claim: "true"
              user.attribute.postal_code: postal_code
              userinfo.token.claim: "true"
              user.attribute.street: street
              id.token.claim: "true"
              user.attribute.region: region
              access.token.claim: "true"
              user.attribute.locality: locality
      - id: 2a6f8645-780c-4a18-b462-fb5ccab2c111
        name: basic
        description: OpenID Connect scope for add all basic claims to the token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 68f5e45f-6ca8-465e-9a5c-f0964b464636
            name: sub
            protocol: openid-connect
            protocolMapper: oidc-sub-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              access.token.claim: "true"
          - id: e5b82ee8-7491-4a6c-b236-313f4f1b62f9
            name: auth_time
            protocol: openid-connect
            protocolMapper: oidc-usersessionmodel-note-mapper
            consentRequired: false
            config:
              user.session.note: AUTH_TIME
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              claim.name: auth_time
              jsonType.label: long
      - id: e6cbf632-eba3-4658-a241-d8caf53e1a8c
        name: offline_access
        description: 'OpenID Connect built-in scope: offline_access'
        protocol: openid-connect
        attributes:
          consent.screen.text: ${offlineAccessScopeConsentText}
          display.on.consent.screen: "true"
      - id: 8decc1d1-d9e0-4011-b4a4-24d0e82ca51f
        name: web-origins
        description: OpenID Connect scope for add allowed web origins to the access token
        protocol: openid-connect
        attributes:
          include.in.token.scope: "false"
          consent.screen.text: ""
          display.on.consent.screen: "false"
        protocolMappers:
          - id: 5bec22c6-4887-4332-8a1e-314a6d27e7da
            name: allowed web origins
            protocol: openid-connect
            protocolMapper: oidc-allowed-origins-mapper
            consentRequired: false
            config:
              access.token.claim: "true"
              introspection.token.claim: "true"
      - id: c43c0a6a-7f94-4e09-a953-3fa44ebe3040
        name: profile
        description: 'OpenID Connect built-in scope: profile'
        protocol: openid-connect
        attributes:
          include.in.token.scope: "true"
          consent.screen.text: ${profileScopeConsentText}
          display.on.consent.screen: "true"
        protocolMappers:
          - id: b6bf723a-1ae6-45e4-a722-2f9d4e9e5903
            name: website
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: website
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: website
              jsonType.label: String
          - id: 8a16228a-05fd-4707-b5bb-0e25b64d8958
            name: full name
            protocol: openid-connect
            protocolMapper: oidc-full-name-mapper
            consentRequired: false
            config:
              id.token.claim: "true"
              introspection.token.claim: "true"
              access.token.claim: "true"
              userinfo.token.claim: "true"
          - id: 37a167d2-747d-4f5d-9f58-204028f56b7d
            name: locale
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: locale
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: locale
              jsonType.label: String
          - id: 8271c267-970e-4091-a010-45521b955c01
            name: picture
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: picture
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: picture
              jsonType.label: String
          - id: 723390b8-7670-43b5-84c9-b67c82703fce
            name: given name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: firstName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: given_name
              jsonType.label: String
          - id: cdff8fc1-bc4a-47da-84a5-85fb12c53461
            name: profile
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: profile
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: profile
              jsonType.label: String
          - id: 312ee990-1e0c-4481-88f4-f85fb4ff15f4
            name: birthdate
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: birthdate
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: birthdate
              jsonType.label: String
          - id: 745656de-2692-4e59-80fe-fb59479ea17e
            name: zoneinfo
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: zoneinfo
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: zoneinfo
              jsonType.label: String
          - id: fb78c202-dade-4f93-a5f7-5e5f0d98ef9e
            name: family name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: lastName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: family_name
              jsonType.label: String
          - id: a89512e1-d227-4286-86ed-f736bdbb1a4d
            name: username
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: username
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: preferred_username
              jsonType.label: String
          - id: ab4ffdc5-6497-471a-b737-b6c3c712e168
            name: nickname
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: nickname
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: nickname
              jsonType.label: String
          - id: fa71f97d-38b6-413d-898a-57db48cac373
            name: middle name
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: middleName
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: middle_name
              jsonType.label: String
          - id: fb1dce92-54c9-4b16-bcd3-50a49e17264c
            name: gender
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: gender
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: gender
              jsonType.label: String
          - id: aedd6129-df66-4a0b-bc6b-aa25ae7289f7
            name: updated at
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
            consentRequired: false
            config:
              introspection.token.claim: "true"
              userinfo.token.claim: "true"
              user.attribute: updatedAt
              id.token.claim: "true"
              access.token.claim: "true"
              claim.name: updated_at
              jsonType.label: long
    defaultDefaultClientScopes:
      - role_list
      - saml_organization
      - profile
      - email
      - roles
      - web-origins
      - acr
      - basic
    defaultOptionalClientScopes:
      - offline_access
      - address
      - phone
      - microprofile-jwt
      - organization
    browserSecurityHeaders:
      contentSecurityPolicyReportOnly: ""
      xContentTypeOptions: nosniff
      referrerPolicy: no-referrer
      xRobotsTag: none
      xFrameOptions: SAMEORIGIN
      contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
      strictTransportSecurity: max-age=31536000; includeSubDomains
    smtpServer: {}
    eventsEnabled: false
    eventsListeners:
      - jboss-logging
    enabledEventTypes: []
    adminEventsEnabled: false
    adminEventsDetailsEnabled: false
    identityProviders: []
    identityProviderMappers: []
    components:
      org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy:
        - id: ba4ccc2d-b4af-4661-b02e-6730f779575f
          name: Max Clients Limit
          providerId: max-clients
          subType: anonymous
          subComponents: {}
          config:
            max-clients:
              - "200"
        - id: b85a6a84-7340-424e-81dc-6f3547aa22e1
          name: Full Scope Disabled
          providerId: scope
          subType: anonymous
          subComponents: {}
          config: {}
        - id: 4c301a96-61e9-4786-89cb-4eaf2677028f
          name: Allowed Protocol Mapper Types
          providerId: allowed-protocol-mappers
          subType: anonymous
          subComponents: {}
          config:
            allowed-protocol-mapper-types:
              - oidc-sha256-pairwise-sub-mapper
              - saml-user-attribute-mapper
              - saml-user-property-mapper
              - oidc-address-mapper
              - oidc-usermodel-property-mapper
              - oidc-full-name-mapper
              - saml-role-list-mapper
              - oidc-usermodel-attribute-mapper
        - id: e3f990bf-5977-4b35-a3dd-b8ac9b26061c
          name: Trusted Hosts
          providerId: trusted-hosts
          subType: anonymous
          subComponents: {}
          config:
            host-sending-registration-request-must-match:
              - "true"
            client-uris-must-match:
              - "true"
        - id: d2ebfe03-3f09-42b7-8c3c-1ca5caba76ff
          name: Allowed Protocol Mapper Types
          providerId: allowed-protocol-mappers
          subType: authenticated
          subComponents: {}
          config:
            allowed-protocol-mapper-types:
              - saml-user-attribute-mapper
              - saml-user-property-mapper
              - oidc-sha256-pairwise-sub-mapper
              - saml-role-list-mapper
              - oidc-address-mapper
              - oidc-usermodel-attribute-mapper
              - oidc-full-name-mapper
              - oidc-usermodel-property-mapper
        - id: f00c2333-6f60-4c51-8f31-2a1a14cc1a18
          name: Consent Required
          providerId: consent-required
          subType: anonymous
          subComponents: {}
          config: {}
        - id: a5188a3a-9351-4098-bb13-14b8b56c9370
          name: Allowed Client Scopes
          providerId: allowed-client-templates
          subType: anonymous
          subComponents: {}
          config:
            allow-default-scopes:
              - "true"
        - id: 40489ce4-34f4-41ad-8dfd-6bd20eef0b3a
          name: Allowed Client Scopes
          providerId: allowed-client-templates
          subType: authenticated
          subComponents: {}
          config:
            allow-default-scopes:
              - "true"
      org.keycloak.keys.KeyProvider:
        - id: e75ab818-8af9-45e1-955d-858008455ee1
          name: hmac-generated-hs512
          providerId: hmac-generated
          subComponents: {}
          config:
            priority:
              - "100"
            algorithm:
              - HS512
        - id: a8107baf-ac14-4170-9f5f-d88e7e8641ac
          name: aes-generated
          providerId: aes-generated
          subComponents: {}
          config:
            priority:
              - "100"
        - id: 708c706a-6c14-4735-8ce0-184e4d45f20d
          name: rsa-enc-generated
          providerId: rsa-enc-generated
          subComponents: {}
          config:
            priority:
              - "100"
            algorithm:
              - RSA-OAEP
        - id: 0a770315-2818-4f3f-b6cf-2da39c98ea08
          name: rsa-generated
          providerId: rsa-generated
          subComponents: {}
          config:
            priority:
              - "100"
    internationalizationEnabled: false
    supportedLocales: []
    authenticationFlows:
      - id: fcd55c8d-af04-4f3a-8d95-f2b8822d9419
        alias: Account verification options
        description: Method with which to verity the existing account
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: idp-email-verification
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: true
            flowAlias: Verify Existing Account by Re-authentication
            userSetupAllowed: false
      - id: d9aa6da8-f0e1-4382-ae72-db059f0a0432
        alias: Browser - Conditional OTP
        description: Flow to determine if the OTP is required for the authentication
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: auth-otp-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: 45e1dbb4-03ea-4215-b0fc-1a3d4055735d
        alias: Browser - Conditional Organization
        description: Flow to determine if the organization identity-first login is to be used
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: organization
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: a242ecf3-51cf-4ebc-bbca-09afa132ddb9
        alias: Direct Grant - Conditional OTP
        description: Flow to determine if the OTP is required for the authentication
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: direct-grant-validate-otp
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: 9d666bad-2193-49a8-a001-9fd24459368f
        alias: First Broker Login - Conditional Organization
        description: Flow to determine if the authenticator that adds organization members is to be used
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: idp-add-organization-member
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: 75bacb96-eff3-45e4-a730-bb787812c644
        alias: First broker login - Conditional OTP
        description: Flow to determine if the OTP is required for the authentication
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: auth-otp-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: 5c1a2783-f6d3-4411-a70b-aff534388222
        alias: Handle Existing Account
        description: Handle what to do if there is existing account with same email/username like authenticated identity provider
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: idp-confirm-link
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: true
            flowAlias: Account verification options
            userSetupAllowed: false
      - id: 981a45fd-33b4-4e8b-b565-f0f0c21fce1a
        alias: Organization
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 10
            autheticatorFlow: true
            flowAlias: Browser - Conditional Organization
            userSetupAllowed: false
      - id: cc33ee5d-58d1-49f4-9084-67a443b9bddc
        alias: Reset - Conditional OTP
        description: Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: conditional-user-configured
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: reset-otp
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
      - id: f4b9279a-08f0-4b22-a2e1-abfafec02de6
        alias: User creation or linking
        description: Flow for the existing/non-existing user alternatives
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticatorConfig: create unique user config
            authenticator: idp-create-user-if-unique
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: true
            flowAlias: Handle Existing Account
            userSetupAllowed: false
      - id: 91cc2815-09c5-4f82-a1fc-62a2fc32327d
        alias: Verify Existing Account by Re-authentication
        description: Reauthentication of existing account
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: idp-username-password-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 20
            autheticatorFlow: true
            flowAlias: First broker login - Conditional OTP
            userSetupAllowed: false
      - id: 0455fc78-3bd3-4fa1-a73a-f1c9a80e7293
        alias: browser
        description: Browser based authentication
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: auth-cookie
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: auth-spnego
            authenticatorFlow: false
            requirement: DISABLED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: identity-provider-redirector
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 25
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 26
            autheticatorFlow: true
            flowAlias: Organization
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: ALTERNATIVE
            priority: 30
            autheticatorFlow: true
            flowAlias: forms
            userSetupAllowed: false
      - id: 78bc6381-5d50-4220-a7b5-a0a2e697cd5e
        alias: clients
        description: Base authentication for clients
        providerId: client-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: client-secret
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: client-jwt
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: client-secret-jwt
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 30
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: client-x509
            authenticatorFlow: false
            requirement: ALTERNATIVE
            priority: 40
            autheticatorFlow: false
            userSetupAllowed: false
      - id: 0fd8e9bd-1616-4810-8a2c-2862ecc62312
        alias: direct grant
        description: OpenID Connect Resource Owner Grant
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: direct-grant-validate-username
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: direct-grant-validate-password
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 30
            autheticatorFlow: true
            flowAlias: Direct Grant - Conditional OTP
            userSetupAllowed: false
      - id: 03035827-7537-4b94-831f-3184d98d6d26
        alias: docker auth
        description: Used by Docker clients to authenticate against the IDP
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: docker-http-basic-authenticator
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
      - id: 1a9fdcb1-591e-412b-a8ee-37de4ec78191
        alias: first broker login
        description: Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticatorConfig: review profile config
            authenticator: idp-review-profile
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: true
            flowAlias: User creation or linking
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 50
            autheticatorFlow: true
            flowAlias: First Broker Login - Conditional Organization
            userSetupAllowed: false
      - id: 63b86089-a556-42cb-8e25-71913e1bd9cd
        alias: forms
        description: Username, password, otp and other auth forms.
        providerId: basic-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: auth-username-password-form
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 20
            autheticatorFlow: true
            flowAlias: Browser - Conditional OTP
            userSetupAllowed: false
      - id: 0b1d0824-a9f2-4819-8049-28dc559c66a0
        alias: registration
        description: Registration flow
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: registration-page-form
            authenticatorFlow: true
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: true
            flowAlias: registration form
            userSetupAllowed: false
      - id: a5fa008b-f069-404e-8767-a2ed5687262f
        alias: registration form
        description: Registration form
        providerId: form-flow
        topLevel: false
        builtIn: true
        authenticationExecutions:
          - authenticator: registration-user-creation
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: registration-password-action
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 50
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: registration-recaptcha-action
            authenticatorFlow: false
            requirement: DISABLED
            priority: 60
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: registration-terms-and-conditions
            authenticatorFlow: false
            requirement: DISABLED
            priority: 70
            autheticatorFlow: false
            userSetupAllowed: false
      - id: fef3d2a2-bbc2-4c5f-834f-f4014f6a699c
        alias: reset credentials
        description: Reset credentials for a user if they forgot their password or something
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: reset-credentials-choose-user
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: reset-credential-email
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 20
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticator: reset-password
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 30
            autheticatorFlow: false
            userSetupAllowed: false
          - authenticatorFlow: true
            requirement: CONDITIONAL
            priority: 40
            autheticatorFlow: true
            flowAlias: Reset - Conditional OTP
            userSetupAllowed: false
      - id: 52cd82c9-fd89-44f3-9c2c-34b103872607
        alias: saml ecp
        description: SAML ECP Profile Authentication Flow
        providerId: basic-flow
        topLevel: true
        builtIn: true
        authenticationExecutions:
          - authenticator: http-basic-authenticator
            authenticatorFlow: false
            requirement: REQUIRED
            priority: 10
            autheticatorFlow: false
            userSetupAllowed: false
    authenticatorConfig:
      - id: 99ecab09-1a65-49e2-9e9a-61962bd969ee
        alias: create unique user config
        config:
          require.password.update.after.registration: "false"
      - id: 25245a79-e0b9-4038-9723-3a918dea2a9d
        alias: review profile config
        config:
          update.profile.on.first.login: missing
    requiredActions:
      - alias: CONFIGURE_TOTP
        name: Configure OTP
        providerId: CONFIGURE_TOTP
        enabled: true
        defaultAction: false
        priority: 10
        config: {}
      - alias: TERMS_AND_CONDITIONS
        name: Terms and Conditions
        providerId: TERMS_AND_CONDITIONS
        enabled: false
        defaultAction: false
        priority: 20
        config: {}
      - alias: UPDATE_PASSWORD
        name: Update Password
        providerId: UPDATE_PASSWORD
        enabled: true
        defaultAction: false
        priority: 30
        config: {}
      - alias: UPDATE_PROFILE
        name: Update Profile
        providerId: UPDATE_PROFILE
        enabled: true
        defaultAction: false
        priority: 40
        config: {}
      - alias: VERIFY_EMAIL
        name: Verify Email
        providerId: VERIFY_EMAIL
        enabled: true
        defaultAction: false
        priority: 50
        config: {}
      - alias: delete_account
        name: Delete Account
        providerId: delete_account
        enabled: false
        defaultAction: false
        priority: 60
        config: {}
      - alias: webauthn-register
        name: Webauthn Register
        providerId: webauthn-register
        enabled: true
        defaultAction: false
        priority: 70
        config: {}
      - alias: webauthn-register-passwordless
        name: Webauthn Register Passwordless
        providerId: webauthn-register-passwordless
        enabled: true
        defaultAction: false
        priority: 80
        config: {}
      - alias: VERIFY_PROFILE
        name: Verify Profile
        providerId: VERIFY_PROFILE
        enabled: true
        defaultAction: false
        priority: 90
        config: {}
      - alias: delete_credential
        name: Delete Credential
        providerId: delete_credential
        enabled: true
        defaultAction: false
        priority: 100
        config: {}
      - alias: update_user_locale
        name: Update User Locale
        providerId: update_user_locale
        enabled: true
        defaultAction: false
        priority: 1000
        config: {}
    browserFlow: browser
    registrationFlow: registration
    directGrantFlow: direct grant
    resetCredentialsFlow: reset credentials
    clientAuthenticationFlow: clients
    dockerAuthenticationFlow: docker auth
    firstBrokerLoginFlow: first broker login
    attributes:
      cibaBackchannelTokenDeliveryMode: poll
      cibaExpiresIn: "120"
      cibaAuthRequestedUserHint: login_hint
      oauth2DeviceCodeLifespan: "600"
      oauth2DevicePollingInterval: "5"
      parRequestUriLifespan: "60"
      cibaInterval: "5"
      realmReusableOtpCode: "false"
    keycloakVersion: 26.2.7.redhat-00001
    userManagedAccessAllowed: false
    organizationsEnabled: false
    verifiableCredentialsEnabled: false
    adminPermissionsEnabled: false
    clientProfiles:
      profiles: []
    clientPolicies:
      policies: []