
✨(keycloak) add ralph client for generating access tokens #27

Open
wants to merge 2 commits into
base: main

Conversation

wilbrdt
Contributor

@wilbrdt wilbrdt commented Oct 19, 2023

Add a ralph client to fun-mooc realm.

The ralph client has been configured with the specific audience http://localhost:8100 but it can be changed through the Keycloak interface.
Two users have been created for this client:

  • ralph_admin:funfunfun with the scope all
  • ralph_learner:moocmooc with the scope statements/read/mine

To get the access token, you can use the following command:

curl -X POST \
  -d "grant_type=password" \
  -d "client_id=ralph" \
  -d "client_secret=bcef3562-730d-4575-9e39-63e185f99bca" \
  -d "username=ralph_admin" \
  -d "password=funfunfun" \
  http://localhost:8080/auth/realms/fun-mooc/protocol/openid-connect/token

@wilbrdt wilbrdt self-assigned this Oct 19, 2023
@wilbrdt wilbrdt force-pushed the add-ralph-keycloak branch from 39761c0 to b669387 Compare November 2, 2023 17:31
@wilbrdt wilbrdt requested review from SergioSim, jmaupetit and quitterie-lcs and removed request for SergioSim November 2, 2023 17:32
Contributor

@quitterie-lcs quitterie-lcs left a comment


SGTM!

Collaborator

@SergioSim SergioSim left a comment


Nice!
Have only one question regarding the role-to-scope mapping.

client_uuid=$(kcadm.sh get clients -r fun-mooc --fields id -q clientId=ralph --format csv | sed 's/"//g')
kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=all
kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=all/read
kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=state
Collaborator


Do we want a one-to-one role to scope relationship?
If yes, and if we want to support all supported Ralph scopes - could we add the remaining roles?
state
state/write
state/read
define
profile/write
profile/read

Also, it seems that Keycloak doesn't automatically add scopes to the user access_token based on his assigned roles.
One (manual) approach might be to add something like:

# Create Client Scopes
kcadm.sh create client-scopes -r fun-mooc -s name=all -s protocol=openid-connect
kcadm.sh create client-scopes -r fun-mooc -s name=statements/read/mine -s protocol=openid-connect
# etc...

# Get Client Scope IDs
# Note: Unfortunately, it seems `get client-scopes` doesn't support the `-q/--query` option
# See https://github.com/keycloak/keycloak/issues/22609
ALL_SCOPE_ID=$(kcadm.sh get client-scopes -r fun-mooc --fields id,name --format csv | grep \"all\" | cut -d "," -f1 | sed 's/"//g')
STATEMENTS_READ_MINE_SCOPE_ID=$(kcadm.sh get client-scopes -r fun-mooc --fields id,name --format csv | grep \"statements/read/mine\" | cut -d "," -f1 | sed 's/"//g')

# Set Client Scopes as Default Client Scopes
# Note: this is useful if we want to set available scopes in the `access_token` by default.
# If omitted, the scopes are only added to the token if requested.
kcadm.sh update "clients/${client_uuid}/default-client-scopes/${ALL_SCOPE_ID}" -r fun-mooc
kcadm.sh update "clients/${client_uuid}/default-client-scopes/${STATEMENTS_READ_MINE_SCOPE_ID}" -r fun-mooc

# Create role to client-scope mappings
ROLES=$(kcadm.sh get "clients/${client_uuid}/roles" -r fun-mooc --fields=id,name --format csv)
ALL_ROLE_ID=$(echo "${ROLES}" | grep \"all\" | cut -d "," -f1 | sed 's/"//g')
STATEMENTS_READ_MINE_ROLE_ID=$(echo "${ROLES}" | grep \"statements/read/mine\" | cut -d "," -f1 | sed 's/"//g')
kcadm.sh create "client-scopes/${ALL_SCOPE_ID}/scope-mappings/clients/${client_uuid}" \
    -r fun-mooc \
    -f - << EOF
[
    {
        "id": "${ALL_ROLE_ID}",
        "name": "all",
        "composite": false,
        "clientRole": true,
        "containerId": "${client_uuid}"
    }
]
EOF

kcadm.sh create "client-scopes/${STATEMENTS_READ_MINE_SCOPE_ID}/scope-mappings/clients/${client_uuid}" \
    -r fun-mooc \
    -f - << EOF
[
    {
        "id": "${STATEMENTS_READ_MINE_ROLE_ID}",
        "name": "statements/read/mine",
        "composite": false,
        "clientRole": true,
        "containerId": "${client_uuid}"
    }
]
EOF

However, I'm new to Keycloak; thus, maybe there is a better/automatic solution to add the scopes to the access_token/map roles to scopes?
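A check for the question raised in this thread (whether the access token a user obtains with the password grant actually carries the Ralph scopes), as an added example that is not part of this PR or of the project's code: it decodes the token's claims and reports the audience, the values in the space-separated `scope` claim, and any `ralph` client roles that have no matching scope, which is exactly the symptom of a role that was assigned but never mapped to a client scope. The two sample tokens are constructed inline with a placeholder signature; the decoder does not verify signatures, so a real consumer must first validate the RS256 signature against the realm's JWKS before trusting any claim. The `kid`, the `exp` values, the `account` audience entry and the `NOW` timestamp are assumptions made for the example.

```python
import base64
import json
import time

# Constructed test data: what a fun-mooc access token could look like for the
# two users in the PR. The signature is a placeholder, not a Keycloak one, and
# "kid", "exp", "account" and NOW are assumptions made for this example.
NOW = 1_700_000_000
ISSUER = "http://localhost:8080/auth/realms/fun-mooc"
RALPH_AUD = "http://localhost:8100"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (test data only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}

    def encode(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return f"{encode(header)}.{encode(claims)}.{_b64url_encode(b'placeholder-signature')}"


def decode_claims(token: str) -> dict:
    """Parse the payload of a compact JWS. This does NOT verify the signature;
    a service must validate the RS256 signature against the realm JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_ralph_token(token, required_scopes, client_id="ralph",
                      expected_aud=RALPH_AUD, now=None) -> dict:
    """Report whether the token is usable by Ralph with the given scopes."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token expired or has no exp claim")

    # Keycloak emits "aud" as a string or a list depending on how many there are.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in aud:
        problems.append(f"aud {aud} does not contain {expected_aud}")

    # "scope" is space-separated; client roles live under resource_access.<client>.
    granted = set(claims.get("scope", "").split())
    roles = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append(f"missing scopes: {missing}")

    return {
        "ok": not problems,
        "problems": problems,
        "subject": claims.get("preferred_username"),
        "scopes": sorted(granted),
        "roles": sorted(roles),
        # Roles assigned in Keycloak that never reached the scope claim: the
        # symptom of a role with no client-scope mapping, which Ralph won't see.
        "roles_without_scope": sorted(roles - granted),
    }


# ralph_admin: role "all" is mapped to a client scope that is in the token.
ADMIN_TOKEN = make_test_token({
    "iss": ISSUER, "aud": [RALPH_AUD, "account"], "exp": NOW + 300,
    "preferred_username": "ralph_admin",
    "scope": "openid profile email all",
    "resource_access": {"ralph": {"roles": ["all"]}},
})

# ralph_learner: role assigned but no client scope mapped, so "scope" lacks it.
LEARNER_TOKEN = make_test_token({
    "iss": ISSUER, "aud": RALPH_AUD, "exp": NOW + 300,
    "preferred_username": "ralph_learner",
    "scope": "openid profile email",
    "resource_access": {"ralph": {"roles": ["statements/read/mine"]}},
})

if __name__ == "__main__":
    for label, token, need in (("admin", ADMIN_TOKEN, ["all"]),
                               ("learner", LEARNER_TOKEN, ["statements/read/mine"])):
        print(label, json.dumps(check_ralph_token(token, need, now=NOW), indent=2))
```

Running it against a real token from the curl command in the PR description (paste the `access_token` value into `check_ralph_token`) shows at a glance whether the role-to-scope mapping discussed above is in place: a non-empty `roles_without_scope` means the user has the role in Keycloak but Ralph will never see the corresponding scope.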

@wilbrdt wilbrdt force-pushed the add-ralph-keycloak branch from 475d264 to 82f13f4 Compare January 23, 2024 17:38
Add a `ralph` client to `fun-mooc` realm, with the creation of two users.
Bootstrapping the project should create non-existing external networks.
Adding a rule for that.
@wilbrdt wilbrdt force-pushed the add-ralph-keycloak branch from 82f13f4 to d1a18bd Compare August 23, 2024 13:58