From fa8363d4c1103f9a0f147fb7f997d7c380a42ac0 Mon Sep 17 00:00:00 2001
From: Mirko Mollik
Date: Sat, 27 Apr 2024 12:21:56 +0200
Subject: [PATCH] fix: improve keycloak realm

Signed-off-by: Mirko Mollik
---
 config/keycloak/realm-export.json | 332 +++++++++--------------------
 docs/development.md | 2 +-
 2 files changed, 98 insertions(+), 236 deletions(-)

diff --git a/config/keycloak/realm-export.json b/config/keycloak/realm-export.json
index 4baa0b77..fb247d43 100644
--- a/config/keycloak/realm-export.json
+++ b/config/keycloak/realm-export.json
@@ -1,7 +1,7 @@
 {
 "id": "7ac032fc-5768-4183-bf84-99485903808c",
 "realm": "wallet",
- "displayName": "",
+ "displayName": "Cloud wallet",
 "displayNameHtml": "",
 "notBefore": 0,
 "defaultSignatureAlgorithm": "RS256",
@@ -30,7 +30,7 @@
 "enabled": true,
 "sslRequired": "external",
 "registrationAllowed": true,
- "registrationEmailAsUsername": false,
+ "registrationEmailAsUsername": true,
 "rememberMe": true,
 "verifyEmail": false,
 "loginWithEmailAllowed": true,
@@ -54,9 +54,7 @@
 "clientRole": false,
 "containerId": "7ac032fc-5768-4183-bf84-99485903808c"
 },
- "requiredCredentials": [
- "password"
- ],
+ "requiredCredentials": ["password"],
 "otpPolicyType": "totp",
 "otpPolicyAlgorithm": "HmacSHA1",
 "otpPolicyInitialCounter": 0,
@@ -71,9 +69,7 @@
 ],
 "localizationTexts": {},
 "webAuthnPolicyRpEntityName": "keycloak",
- "webAuthnPolicySignatureAlgorithms": [
- "ES256"
- ],
+ "webAuthnPolicySignatureAlgorithms": ["ES256"],
 "webAuthnPolicyRpId": "",
 "webAuthnPolicyAttestationConveyancePreference": "not specified",
 "webAuthnPolicyAuthenticatorAttachment": "not specified",
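Review bot: With `registrationEmailAsUsername` now true, a self-registered account is identified by its email address, yet `"verifyEmail": false` two lines below means the realm never checks that the registrant controls that address, and `smtpServer` is still `{}` in hunk @@ -1065,9 so no verification mail could be sent anyway. If the email is meant to be the trusted identifier for the wallet, change that line to `"verifyEmail": true` and configure an SMTP server; otherwise record in docs/development.md that addresses are accepted unverified in this setup so deployers do not rely on them.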
@@ -84,9 +80,7 @@ "webAuthnPolicyAcceptableAaguids": [], "webAuthnPolicyExtraOrigins": [], "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], + "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"], "webAuthnPolicyPasswordlessRpId": "", "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", @@ -99,25 +93,20 @@ "scopeMappings": [ { "clientScope": "offline_access", - "roles": [ - "offline_access" - ] + "roles": ["offline_access"] } ], "clientScopeMappings": { "account": [ { "client": "account-console", - "roles": [ - "manage-account", - "view-groups" - ] + "roles": ["manage-account", "view-groups"] } ] }, "clients": [ { - "id": "85d3d35f-e814-4dcc-ad07-1d39caf89aa0", + "id": "c8458e33-5fb5-4abd-9353-0de7a5f0343f", "clientId": "account", "name": "${client_account}", "rootUrl": "${authBaseUrl}", @@ -126,9 +115,7 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/wallet/account/*" - ], + "redirectUris": ["/realms/wallet/account/*"], "webOrigins": [], "notBefore": 0, "bearerOnly": false, @@ -146,22 +133,11 @@ "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] + "defaultClientScopes": [], + "optionalClientScopes": [] }, { - "id": "64b5037d-482b-42d1-8239-0f5b60f153b8", + "id": "b7adf5da-c4d9-41a4-9440-6240928ee6cc", "clientId": "account-console", "name": "${client_account-console}", "rootUrl": "${authBaseUrl}", 
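Review bot: Emptying `defaultClientScopes` on the `account` and `account-console` clients (hunk @@ -146,22) drops the `roles`, `profile` and `email` scopes that, as far as I know, the Keycloak account console relies on to read user data and to receive the `manage-account` role granted through the `clientScopeMappings` block just above; I would expect the console to fail or render an empty profile after import, so please verify on a freshly imported realm. The same emptying is applied to `admin-cli` (@@ -235,26), `broker` (@@ -273,29), `realm-management` (@@ -364,26) and `security-admin-console` (@@ -433,72), where the admin console in particular depends on the `roles` scope carrying the realm-management roles. If the intent was only to tidy the wallet's own client, restore the removed list `"defaultClientScopes": ["web-origins", "acr", "roles", "profile", "email"]` on these built-in clients.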
@@ -170,9 +146,7 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/wallet/account/*" - ], + "redirectUris": ["/realms/wallet/account/*"], "webOrigins": [], "notBefore": 0, "bearerOnly": false, @@ -193,7 +167,7 @@ "nodeReRegistrationTimeout": 0, "protocolMappers": [ { - "id": "a26c3b69-e864-462f-a94c-8cab7847e7de", + "id": "b2ba445b-4ec2-49aa-9f48-3f12839971bf", "name": "audience resolve", "protocol": "openid-connect", "protocolMapper": "oidc-audience-resolve-mapper", @@ -201,22 +175,11 @@ "config": {} } ], - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] + "defaultClientScopes": [], + "optionalClientScopes": [] }, { - "id": "3a4d4f33-ab1d-4730-b962-a74da33b983a", + "id": "466983a1-c38d-4ec0-b291-89726dbddc46", "clientId": "admin-cli", "name": "${client_admin-cli}", "surrogateAuthRequired": false, @@ -235,26 +198,17 @@ "publicClient": true, "frontchannelLogout": false, "protocol": "openid-connect", - "attributes": {}, + "attributes": { + "post.logout.redirect.uris": "+" + }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": false, "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] + "defaultClientScopes": [], + "optionalClientScopes": [] }, { - "id": "5363189f-2e28-4f74-ba91-80d90b81d99d", + "id": "33ea3a24-a931-414f-aaff-9e79e034a2a3", "clientId": "broker", "name": "${client_broker}", "surrogateAuthRequired": false, 
@@ -273,29 +227,20 @@
 "publicClient": false,
 "frontchannelLogout": false,
 "protocol": "openid-connect",
- "attributes": {},
+ "attributes": {
+ "post.logout.redirect.uris": "+"
+ },
 "authenticationFlowBindingOverrides": {},
 "fullScopeAllowed": false,
 "nodeReRegistrationTimeout": 0,
- "defaultClientScopes": [
- "web-origins",
- "acr",
- "roles",
- "profile",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
+ "defaultClientScopes": [],
+ "optionalClientScopes": []
 },
 {
- "id": "febd37ea-7f53-4327-969a-d761836ef4c7",
+ "id": "4f4c9646-9c80-48c3-9164-71092d0a1a67",
 "clientId": "browser",
 "name": "",
- "description": "",
+ "description": "a client to connect to the cloud wallet",
 "rootUrl": "",
 "adminUrl": "",
 "baseUrl": "",
@@ -303,12 +248,8 @@
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
- "redirectUris": [
- "*"
- ],
- "webOrigins": [
- "*"
- ],
+ "redirectUris": ["*"],
+ "webOrigins": ["*"],
 "notBefore": 0,
 "bearerOnly": false,
 "consentRequired": false,
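Review bot: The `browser` client still carries `"redirectUris": ["*"]` and `"webOrigins": ["*"]` (hunk @@ -303,12), and the next hunk (@@ -320,12) keeps `"post.logout.redirect.uris": "*"`; this commit only reflows those lines, but a wildcard redirect URI means Keycloak will deliver the authorization response to whatever redirect_uri a login request names, and a wildcard web origin grants CORS access from every site. The `description` added here says the client serves the cloud wallet front-end, so the legitimate origin is known: restrict the lists to it, e.g. `"redirectUris": ["https://<wallet-host>/*"]` (placeholder for the deployed host) and `"webOrigins": ["+"]`, which Keycloak resolves to the origins of the registered redirect URIs, and narrow `post.logout.redirect.uris` the same way. The `swagger` client removed in @@ -433,72 had identical wildcards, so after this commit `browser` is the only client in the export that keeps them.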
@@ -320,12 +261,20 @@
 "frontchannelLogout": true,
 "protocol": "openid-connect",
 "attributes": {
+ "post.logout.redirect.uris": "*",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "use.refresh.tokens": "true",
 "oidc.ciba.grant.enabled": "false",
+ "client.use.lightweight.access.token.enabled": "false",
 "backchannel.logout.session.required": "true",
- "post.logout.redirect.uris": "*",
+ "client_credentials.use_refresh_token": "false",
+ "acr.loa.map": "{}",
+ "require.pushed.authorization.requests": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
 "display.on.consent.screen": "false",
- "oauth2.device.authorization.grant.enabled": "false",
- "backchannel.logout.revoke.offline.tokens": "false"
+ "token.response.type.bearer.lower-case": "false",
+ "dpop.bound.access.tokens": "false"
 },
 "authenticationFlowBindingOverrides": {},
 "fullScopeAllowed": true,
@@ -345,7 +294,7 @@
 ]
 },
 {
- "id": "d86ed0c5-097e-402d-afeb-9944e5919b00",
+ "id": "6ea21baf-3662-437d-a62f-59cef33fb2a4",
 "clientId": "realm-management",
 "name": "${client_realm-management}",
 "surrogateAuthRequired": false,
@@ -364,26 +313,17 @@
 "publicClient": false,
 "frontchannelLogout": false,
 "protocol": "openid-connect",
- "attributes": {},
+ "attributes": {
+ "post.logout.redirect.uris": "+"
+ },
 "authenticationFlowBindingOverrides": {},
 "fullScopeAllowed": false,
 "nodeReRegistrationTimeout": 0,
- "defaultClientScopes": [
- "web-origins",
- "acr",
- "roles",
- "profile",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
+ "defaultClientScopes": [],
+ "optionalClientScopes": []
 },
 {
- "id": "c36f2bf2-234b-413e-a9be-47cbb08e1ade",
+ "id": "66e15e63-a7fe-421f-a369-e917f0b9026a",
 "clientId": "security-admin-console",
 "name": "${client_security-admin-console}",
 "rootUrl": "${authAdminUrl}",
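Review bot: The `browser` client's `attributes` block now spells out a dozen values that look like Keycloak defaults (`"dpop.bound.access.tokens": "false"`, `"require.pushed.authorization.requests": "false"`, `"acr.loa.map": "{}"`, …) while the other clients in this export, such as `broker` and `realm-management` in the following hunk, carry only `post.logout.redirect.uris`; explicit `"false"` entries pin whatever the current version defaults to and will silently diverge from upstream on the next upgrade. Either trim this block to the values the wallet actually depends on (`use.refresh.tokens`, `post.logout.redirect.uris`) or apply the explicit style to every client so the export reads consistently. Note also that `"fullScopeAllowed": true` remains on this client, so every realm and client role the user holds ends up in its tokens; if that is intentional, a sentence in the `description` field saying so would save the next reader from questioning it.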
@@ -392,12 +332,8 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/admin/wallet/console/*" - ], - "webOrigins": [ - "+" - ], + "redirectUris": ["/admin/wallet/console/*"], + "webOrigins": ["+"], "notBefore": 0, "bearerOnly": false, "consentRequired": false, @@ -417,7 +353,7 @@ "nodeReRegistrationTimeout": 0, "protocolMappers": [ { - "id": "6fdbaf7d-8acc-4396-aa92-aa28001ecb65", + "id": "c28e3b23-993d-42de-93a7-8e446e05d7c1", "name": "locale", "protocol": "openid-connect", "protocolMapper": "oidc-usermodel-attribute-mapper", 
@@ -433,72 +369,8 @@ } } ], - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "17772908-1b4c-40e5-a0d5-f08417aa7a33", - "clientId": "swagger", - "name": "", - "description": "", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": true, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "*", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] + "defaultClientScopes": [], + "optionalClientScopes": [] } ], "clientScopes": [ @@ -520,8 +392,8 @@ "protocolMapper": "oidc-audience-resolve-mapper", "consentRequired": false, "config": { - "introspection.token.claim": "true", - "access.token.claim": "true" + "access.token.claim": "true", + "introspection.token.claim": "true" } }, { 
@@ -599,6 +471,7 @@ "config": { "introspection.token.claim": "true", "multivalued": "true", + "userinfo.token.claim": "true", "user.attribute": "foo", "id.token.claim": "true", "access.token.claim": "true", @@ -642,8 +515,9 @@ "consentRequired": false, "config": { "id.token.claim": "true", + "access.token.claim": "true", "introspection.token.claim": "true", - "access.token.claim": "true" + "userinfo.token.claim": "true" } } ] @@ -677,8 +551,8 @@ "consentRequired": false, "config": { "id.token.claim": "true", - "introspection.token.claim": "true", "access.token.claim": "true", + "introspection.token.claim": "true", "userinfo.token.claim": "true" } }, @@ -987,8 +861,8 @@ "protocolMapper": "oidc-allowed-origins-mapper", "consentRequired": false, "config": { - "introspection.token.claim": "true", - "access.token.claim": "true" + "access.token.claim": "true", + "introspection.token.claim": "true" } } ] @@ -1065,9 +939,7 @@ }, "smtpServer": {}, "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], + "eventsListeners": ["jboss-logging"], "enabledEventTypes": [], "adminEventsEnabled": false, "adminEventsDetailsEnabled": false, @@ -1092,12 +964,12 @@ "config": { "allowed-protocol-mapper-types": [ "oidc-address-mapper", - "saml-user-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", + "oidc-full-name-mapper", "saml-user-property-mapper", - "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", - "oidc-full-name-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-attribute-mapper", "saml-role-list-mapper" ] } @@ -1117,9 +989,7 @@ "subType": "anonymous", "subComponents": {}, "config": { - "max-clients": [ - "200" - ] + "max-clients": ["200"] } }, { 
@@ -1129,12 +999,8 @@ "subType": "anonymous", "subComponents": {}, "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] + "host-sending-registration-request-must-match": ["true"], + "client-uris-must-match": ["true"] } }, { @@ -1144,9 +1010,7 @@ "subType": "anonymous", "subComponents": {}, "config": { - "allow-default-scopes": [ - "true" - ] + "allow-default-scopes": ["true"] } }, { @@ -1157,14 +1021,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-full-name-mapper", - "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", - "oidc-usermodel-property-mapper", + "oidc-address-mapper", "oidc-usermodel-attribute-mapper", - "saml-user-property-mapper", + "saml-user-attribute-mapper", "saml-role-list-mapper", - "saml-user-attribute-mapper" + "oidc-usermodel-property-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper" ] } }, 
@@ -1175,8 +1039,18 @@ "subType": "authenticated", "subComponents": {}, "config": { - "allow-default-scopes": [ - "true" + "allow-default-scopes": ["true"] + } + } + ], + "org.keycloak.userprofile.UserProfileProvider": [ + { + "id": "fd4ae334-721b-491c-9804-d0611d017551", + "providerId": "declarative-user-profile", + "subComponents": {}, + "config": { + "kc.user.profile.config": [ + "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}" ] } } @@ -1188,9 +1062,7 @@ "providerId": "aes-generated", "subComponents": {}, "config": { - "priority": [ - "100" - ] + "priority": ["100"] } }, { @@ -1199,9 +1071,7 @@ "providerId": "rsa-generated", "subComponents": {}, "config": { - "priority": [ - "100" - ] + "priority": ["100"] } }, { @@ -1210,12 +1080,8 @@ "providerId": "hmac-generated", "subComponents": {}, "config": { - "priority": [ - "100" - ], - "algorithm": [ - "HS512" - ] + "priority": ["100"], + "algorithm": ["HS512"] } }, { @@ -1224,12 +1090,8 @@ "providerId": "rsa-enc-generated", "subComponents": {}, "config": { - "priority": [ - "100" - ], - "algorithm": [ - "RSA-OAEP" - ] + "priority": ["100"], + "algorithm": ["RSA-OAEP"] } } ] 
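Review bot: The new user-profile config grants the `user` role `edit` on the `email` attribute, and because `"verifyEmail": false` at the top of the realm (hunk @@ -30,7) and `registrationEmailAsUsername` is now true, a logged-in user can change the address that also serves as their username to any value without confirming it. If email is the identifier the wallet trusts, drop `"user"` from that attribute's `edit` list (`"edit":["admin"]`) or enable verification and check that your Keycloak version re-verifies on edit, since `verifyEmail` alone may only cover registration. The whole profile is one escaped JSON string inside `kc.user.profile.config`, which is Keycloak's export format but makes future diffs unreviewable; a short paragraph in docs/development.md listing the two attributes (`username`, `email`), their validations and the `user-metadata` group would let changes be checked against intent.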
@@ -1893,8 +1755,8 @@
 "attributes": {
 "cibaBackchannelTokenDeliveryMode": "poll",
 "cibaAuthRequestedUserHint": "login_hint",
- "oauth2DevicePollingInterval": "5",
 "clientOfflineSessionMaxLifespan": "0",
+ "oauth2DevicePollingInterval": "5",
 "clientSessionIdleTimeout": "0",
 "clientOfflineSessionIdleTimeout": "0",
 "cibaInterval": "5",
@@ -1914,4 +1776,4 @@
 "clientPolicies": {
 "policies": []
 }
-}
\ No newline at end of file
+}
diff --git a/docs/development.md b/docs/development.md
index 1c8e7544..07735a11 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -7,7 +7,7 @@
 ### Keycloak (OIDC provider)
-to manage the user accounts from the cloud wallet, an OIDC provider is required. This repository offers a self hosted keycloak instance that you can use. It's a basic setup without a customized registration flow, so the user needs to input information like his name or mail address.
+to manage the user accounts from the cloud wallet, an OIDC provider is required. This repository offers a self hosted keycloak instance that you can use. It's a basic setup without a customized registration flow, so the user registers only with an email and password.
 The realm is located in the `config/keycloak/realm-export.json` file. In case you want to use another keycloak instance, you can import the realm there. It should also be possible to use any other OIDC system.