diff --git a/.woodpecker.env b/.woodpecker.env
index 22a3033cde..20e7233ba8 100644
--- a/.woodpecker.env
+++ b/.woodpecker.env
@@ -1,3 +1,3 @@
 # The version of OpenCloud to use in pipelines
-OPENCLOUD_COMMITID=69e25b840174e88cb86c5c2b004167f4c05e9c3e
+OPENCLOUD_COMMITID=e62ff11a0ea114c3bd1aea42a704e683031a67a8
 OPENCLOUD_BRANCH=main
diff --git a/.woodpecker.star b/.woodpecker.star
index c1727ce1b4..81437b7896 100644
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -20,6 +20,7 @@
 PLUGINS_S3 = "plugins/s3:1.5"
 PLUGINS_S3_CACHE = "plugins/s3-cache:1"
 PLUGINS_SLACK = "plugins/slack:1"
 POSTGRES_ALPINE = "postgres:alpine3.18"
+OPENLDAP = "bitnami/openldap:2.6"
 READY_RELEASE_GO = "woodpeckerci/plugin-ready-release-go:latest"
 WEB_PUBLISH_NPM_PACKAGES = ["babel-preset", "design-system", "eslint-config", "extension-sdk", "prettier-config", "tsconfig", "web-client", "web-pkg", "web-test-helpers"]
@@ -1418,6 +1419,39 @@ def postgresService(): }, ] +def ldapService(): + return [ + { + "name": "ldap-server", + "image": OPENLDAP, + "detach": True, + "environment": { + "BITNAMI_DEBUG": "true", + "LDAP_TLS_VERIFY_CLIENT": "never", + "LDAP_ENABLE_TLS": "yes", + "LDAP_TLS_CA_FILE": "/opt/bitnami/openldap/share/openldap.crt", + "LDAP_TLS_CERT_FILE": "/opt/bitnami/openldap/share/openldap.crt", + "LDAP_TLS_KEY_FILE": "/opt/bitnami/openldap/share/openldap.key", + "LDAP_ROOT": "dc=opencloud,dc=eu", + "LDAP_ADMIN_PASSWORD": "admin", + }, + "commands": [ + "mkdir -p /opt/bitnami/openldap/share", + "mkdir -p /tmp/custom-scripts", + "mkdir -p /tmp/ldif-files", + "cp tests/woodpecker/ldap/*.ldif /tmp/ldif-files/", + "cp tests/woodpecker/ldap/docker-entrypoint-override.sh /tmp/custom-scripts/", + "chmod +x /tmp/custom-scripts/docker-entrypoint-override.sh", + "/tmp/custom-scripts/docker-entrypoint-override.sh /opt/bitnami/scripts/openldap/run.sh", + ], + "backend_options": { + "docker": { + "user": "0:0", + }, + }, + }, + ] + waitForServices("ldap", ["ldap-server:1636", "ldap-server:1389"]) + def keycloakService(): return [{ "name": "generate-keycloak-certs", @@ -1425,7 +1459,7 @@ def keycloakService(): "commands": [ "mkdir -p keycloak-certs", "openssl req -x509 -newkey rsa:2048 -keyout keycloak-certs/keycloakkey.pem -out keycloak-certs/keycloakcrt.pem -nodes -days 365 -subj '/CN=keycloak'", - "chmod -R 777 keycloak-certs", + "chmod -R 755 keycloak-certs", ], }] + waitForServices("postgres", ["postgres:5432"]) + \ [{ 
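Review bot: `waitForServices("ldap", ["ldap-server:1636", "ldap-server:1389"])` at the end of `ldapService()` only waits for the two listeners, but the override entrypoint the service runs (`docker-entrypoint-override.sh`) adds the `ou=users`, `uid=admin` and group entries after the server already answers on those ports, so a step released by this wait can still see an empty directory. Unless `waitForServices` can be given an LDAP query, consider having the override script write a marker file once its `ldapadd` calls have finished and waiting on that, or loading the fixtures through the image's own custom-LDIF mechanism so they exist before the listeners open. The hard-coded `"LDAP_ADMIN_PASSWORD": "admin"` and `"LDAP_TLS_VERIFY_CLIENT": "never"` are acceptable for a throwaway CI service, but a one-line comment saying so would keep them from being copied into a non-CI compose file, e.g. `# CI-only fixture credentials; the directory is recreated on every pipeline run`. The second hunk on this line edits `keycloakService()`, whose definition starts above it.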
@@ -1445,30 +1479,28 @@ def keycloakService(): "KEYCLOAK_ADMIN_PASSWORD": "admin", "KC_HTTPS_CERTIFICATE_FILE": "./keycloak-certs/keycloakcrt.pem", "KC_HTTPS_CERTIFICATE_KEY_FILE": "./keycloak-certs/keycloakkey.pem", + "LDAP_SERVER_URL": "ldaps://ldap-server:1636", + "LDAP_BIND_DN": "cn=admin,dc=opencloud,dc=eu", + "LDAP_BIND_PASSWORD": "admin", + "LDAP_USERS_DN": "ou=users,dc=opencloud,dc=eu", }, "commands": [ "mkdir -p /opt/keycloak/data/import", "cp tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json /opt/keycloak/data/import/opencloud-realm.json", "/opt/keycloak/bin/kc.sh start-dev --proxy-headers xforwarded --spi-connections-http-client-default-disable-trust-manager=true --import-realm --health-enabled=true", ], - }] + waitForServices("keycloack", ["keycloak:8443"]) + }] + waitForServices("keycloak", ["keycloak:8443"]) def e2eTestsOnKeycloak(ctx): e2e_Keycloak_tests = [ - "journeys", - "admin-settings/users.feature:20", - "admin-settings/users.feature:43", - "admin-settings/users.feature:106", - "admin-settings/users.feature:131", - "admin-settings/users.feature:185", - "admin-settings/spaces.feature", - "admin-settings/groups.feature", - "keycloak", + "admin-settings/spaces.feature:25", + "admin-settings/spaces.feature:60", ] steps = restoreBuildArtifactCache(ctx, "pnpm", ".pnpm-store") + \ installPnpm() + \ restoreBrowsersCache() + \ + ldapService() + \ keycloakService() + \ restoreBuildArtifactCache(ctx, "web-dist", "dist") if ctx.build.event == "cron": 
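Review bot: `e2e_Keycloak_tests` shrinks from the journeys, users, groups, spaces and keycloak suites to two scenarios pinned by line number (`"admin-settings/spaces.feature:25"`, `"admin-settings/spaces.feature:60"`) with nothing in the hunk explaining why; if the other suites are parked until the LDAP-backed users and groups cover them, say so next to the list, e.g. `# TODO: re-enable journeys/users/groups/keycloak once the LDAP fixtures provide the needed accounts`. Line-number selectors also stop matching silently when the feature file is edited, so tagging the two scenarios would be more robust. The new `LDAP_SERVER_URL`, `LDAP_BIND_DN`, `LDAP_BIND_PASSWORD` and `LDAP_USERS_DN` variables handed to the Keycloak container are only useful if something consumes them; none of the realm hunks in this diff shows a user-federation component, so either that part is outside the shown hunks or these are dead config and deserve a comment either way. `keycloakService()` starts above the hunk and `e2eTestsOnKeycloak()` continues past it.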
@@ -1476,20 +1508,39 @@ def e2eTestsOnKeycloak(ctx): else: steps += restoreOpenCloudCache() - # configs to setup opencloud with keycloak + # configs to setup opencloud with keycloak and ldap environment = { - "PROXY_AUTOPROVISION_ACCOUNTS": True, + "PROXY_AUTOPROVISION_ACCOUNTS": False, "PROXY_ROLE_ASSIGNMENT_DRIVER": "oidc", "OC_OIDC_ISSUER": "https://keycloak:8443/realms/openCloud", "PROXY_OIDC_REWRITE_WELLKNOWN": True, "WEB_OIDC_CLIENT_ID": "web", - "PROXY_USER_OIDC_CLAIM": "preferred_username", - "PROXY_USER_CS3_CLAIM": "username", + "PROXY_USER_OIDC_CLAIM": "uuid", + "PROXY_USER_CS3_CLAIM": "userid", "OC_ADMIN_USER_ID": "", - "OC_EXCLUDE_RUN_SERVICES": "idp", + "OC_EXCLUDE_RUN_SERVICES": "idp,idm", "GRAPH_ASSIGN_DEFAULT_USER_ROLE": False, + "SETTINGS_SETUP_DEFAULT_ASSIGNMENTS": False, "GRAPH_USERNAME_MATCH": "none", "KEYCLOAK_DOMAIN": "keycloak:8443", + "OC_LOG_LEVEL": "debug", + "OC_LDAP_URI": "ldaps://ldap-server:1636", + "OC_LDAP_INSECURE": True, + "OC_LDAP_BIND_DN": "cn=admin,dc=opencloud,dc=eu", + "OC_LDAP_BIND_PASSWORD": "admin", + + # LDAP configs + "OC_LDAP_GROUP_BASE_DN": "ou=groups,dc=opencloud,dc=eu", + "OC_LDAP_GROUP_SCHEMA_ID": "entryUUID", + "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu", + "GRAPH_LDAP_REFINT_ENABLED": True, + "OC_LDAP_USER_BASE_DN": "ou=users,dc=opencloud,dc=eu", + "OC_LDAP_USER_FILTER": "(objectclass=inetOrgPerson)", + "OC_LDAP_USER_SCHEMA_ID": "entryUUID", + "OC_LDAP_DISABLE_USER_MECHANISM": "none", + "GRAPH_LDAP_SERVER_UUID": "true", + "FRONTEND_READONLY_USER_ATTRIBUTES": "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments", + "OC_LDAP_SERVER_WRITE_ENABLED": False, } steps += openCloudService(environment) + \ diff --git a/tests/e2e/cucumber/environment/index.ts b/tests/e2e/cucumber/environment/index.ts index c13beb6767..8e20bd6757 100644 --- a/tests/e2e/cucumber/environment/index.ts +++ b/tests/e2e/cucumber/environment/index.ts 
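Review bot: the `# LDAP configs` comment sits below `OC_LDAP_URI`, `OC_LDAP_INSECURE`, `OC_LDAP_BIND_DN` and `OC_LDAP_BIND_PASSWORD`, which are themselves LDAP settings; move it above `"OC_LDAP_URI"` (and drop the stray blank line) so the grouping matches the keys. `"GRAPH_LDAP_SERVER_UUID": "true"` is a string while the neighbouring flags (`OC_LDAP_INSECURE`, `GRAPH_LDAP_REFINT_ENABLED`, `OC_LDAP_SERVER_WRITE_ENABLED`) are Starlark booleans; pick one form so the rendered environment is predictable. `GRAPH_LDAP_GROUP_CREATE_BASE_DN` and `GRAPH_LDAP_REFINT_ENABLED` only matter when the backend is writable, yet `"OC_LDAP_SERVER_WRITE_ENABLED": False` is set a few lines below — if read-only is intentional, a short comment would save the next reader from wondering which one is wrong. `"OC_LDAP_INSECURE": True` turns off certificate checking towards `ldaps://ldap-server:1636` even though the service generates a certificate the client could trust; acceptable for CI, but worth a `# self-signed CI cert` comment so it is not mistaken for a recommended setting. `e2eTestsOnKeycloak()` starts above this hunk and continues past it.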
@@ -67,7 +67,6 @@ Before(async function (this: World, { pickle }: ITestCaseHookParameter) { if (config.keycloak) { await api.keycloak.setAccessTokenForKeycloakOpenCloudUser(user) await api.keycloak.setAccessTokenForKeycloakUser(user) - await storeKeycloakGroups(user, this.usersEnvironment) } else { await api.token.setAccessAndRefreshToken(user) if (isOcm(pickle)) { @@ -245,17 +244,3 @@ const isOcm = (pickle): boolean => { } return false } - -/* - store group created from keycloak on store - */ -const storeKeycloakGroups = async (adminUser: User, usersEnvironment) => { - const groups = await api.graph.getGroups(adminUser) - - store.dummyKeycloakGroupStore.forEach((dummyGroup) => { - const matchingGroup = groups.find((group) => group.displayName === dummyGroup.displayName) - if (matchingGroup) { - usersEnvironment.storeCreatedGroup({ group: { ...dummyGroup, uuid: matchingGroup.id } }) - } - }) -} diff --git a/tests/e2e/cucumber/features/user-settings/pagination.feature b/tests/e2e/cucumber/features/user-settings/pagination.feature index 49be93ba03..ea26991e8d 100644 --- a/tests/e2e/cucumber/features/user-settings/pagination.feature +++ b/tests/e2e/cucumber/features/user-settings/pagination.feature @@ -51,7 +51,7 @@ Feature: check files pagination in personal and project spaces And following resources should not be displayed in the files list for user "Alice" | resource | | testfile1.txt | - And "Alice" should see the text "112 items with 48 kB in total (56 files, 56 folders)" at the footer of the page + And "Alice" should see the text "112 items with 12 kB in total (56 files, 56 folders)" at the footer of the page And "Alice" should see 12 resources in the project space files view When "Alice" disables the option to display the hidden file Then "Alice" should see 10 resources in the project space files view diff --git a/tests/e2e/support/api/graph/userManagement.ts b/tests/e2e/support/api/graph/userManagement.ts index 07d63a1d14..5ea1cc26a4 100644 
--- a/tests/e2e/support/api/graph/userManagement.ts +++ b/tests/e2e/support/api/graph/userManagement.ts @@ -66,11 +66,9 @@ export const getUserId = async ({ user, admin }: { user: User; admin: User }): P path: join('graph', 'v1.0', 'users', user.username), user: admin }) - if (response.ok) { - const resBody = (await response.json()) as User - userId = resBody.id - } - return userId + + const resBody = (await response.json()) as User + return resBody.id } export const createGroup = async ({ diff --git a/tests/woodpecker/ldap/10_base.ldif b/tests/woodpecker/ldap/10_base.ldif new file mode 100644 index 0000000000..e1ce3d0d56 --- /dev/null +++ b/tests/woodpecker/ldap/10_base.ldif @@ -0,0 +1,20 @@ +dn: dc=opencloud,dc=eu +objectClass: organization +objectClass: dcObject +dc: opencloud +o: openCloud + +dn: ou=users,dc=opencloud,dc=eu +objectClass: organizationalUnit +ou: users + +dn: cn=admin,dc=opencloud,dc=eu +objectClass: inetOrgPerson +objectClass: person +cn: admin +sn: admin +uid: ldapadmin + +dn: ou=groups,dc=opencloud,dc=eu +objectClass: organizationalUnit +ou: groups diff --git a/tests/woodpecker/ldap/20_admin_user.ldif b/tests/woodpecker/ldap/20_admin_user.ldif new file mode 100644 index 0000000000..68655df461 --- /dev/null +++ b/tests/woodpecker/ldap/20_admin_user.ldif @@ -0,0 +1,13 @@ +dn: uid=admin,ou=users,dc=opencloud,dc=eu +objectClass: inetOrgPerson +objectClass: organizationalPerson +objectClass: person +objectClass: top +uid: admin +givenName: Admin +sn: Administrator +cn: admin +displayName: OpenCloud Administrator +description: Administrator for OpenCloud instance +mail: admin@example.org +userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo== diff --git a/tests/woodpecker/ldap/30_admin_groups.ldif b/tests/woodpecker/ldap/30_admin_groups.ldif new file mode 100644 index 0000000000..69f84f149b --- /dev/null +++ b/tests/woodpecker/ldap/30_admin_groups.ldif 
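Review bot: dropping the `response.ok` check in `getUserId` means a non-2xx reply (for example an unknown username) is parsed as a `User` and its absent `id` is returned as `undefined`, so callers carry a bogus id forward instead of failing at the cause. Fail fast before parsing: `if (!response.ok) {` / `  throw new Error('getUserId failed for ' + user.username + ': ' + response.status)` / `}`. The function's signature and the `userId` variable the removed lines assigned are above the hunk; if that declaration is still there it is now unused and should be removed as well.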
@@ -0,0 +1,13 @@
+dn: cn=admins,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: admins
+description: System Administrators
+member: uid=admin,ou=users,dc=opencloud,dc=eu
+
+dn: cn=users,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: users
+description: All Users
+member: uid=admin,ou=users,dc=opencloud,dc=eu
diff --git a/tests/woodpecker/ldap/docker-entrypoint-override.sh b/tests/woodpecker/ldap/docker-entrypoint-override.sh
new file mode 100644
index 0000000000..c500593ed7
--- /dev/null
+++ b/tests/woodpecker/ldap/docker-entrypoint-override.sh
@@ -0,0 +1,42 @@ +#!/bin/bash +printenv + +if [ ! -f /opt/bitnami/openldap/share/openldap.key ] +then + openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes +fi + +mkdir -p /opt/bitnami/openldap/ldifs + +if [ -d "/tmp/ldif-files" ]; then + cp /tmp/ldif-files/*.ldif /opt/bitnami/openldap/ldifs/ +fi + +/opt/bitnami/scripts/openldap/entrypoint.sh "$@" & +ENTRYPOINT_PID=$! + +echo "Waiting for LDAP server to start..." +while ! ldapsearch -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -b "dc=opencloud,dc=eu" > /dev/null 2>&1; do + sleep 2 +done + +echo "LDAP server is running, importing LDIF files..." + +if [ -f "/opt/bitnami/openldap/ldifs/10_base.ldif" ]; then + echo "Importing 10_base.ldif..." + ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -f /opt/bitnami/openldap/ldifs/10_base.ldif +fi + +if [ -f "/opt/bitnami/openldap/ldifs/20_admin_user.ldif" ]; then + echo "Importing 20_admin_user.ldif..." + ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -f /opt/bitnami/openldap/ldifs/20_admin_user.ldif +fi + +if [ -f "/opt/bitnami/openldap/ldifs/30_admin_groups.ldif" ]; then + echo "Importing 30_admin_groups.ldif..." + ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w admin -f /opt/bitnami/openldap/ldifs/30_admin_groups.ldif +fi + +echo "LDIF import completed!" + +wait $ENTRYPOINT_PID \ No newline at end of file diff --git a/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json b/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json index f7546f9efb..0cd66cdadc 100644 --- a/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json +++ b/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json 
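Review bot: none of the three `ldapadd` calls checks its exit status, so a failed import is still followed by `LDIF import completed!` and the pipeline only notices much later when logins fail. This matters because `10_base.ldif` re-adds `dc=opencloud,dc=eu` and `cn=admin,dc=opencloud,dc=eu`, entries the Bitnami image may already have created from `LDAP_ROOT`/`LDAP_ADMIN_PASSWORD`; without `-c`, `ldapadd` aborts at the first `Already exists` and the `ou=users`/`ou=groups` entries later in that file are never created. `printenv` on the second line also writes the whole environment, including `LDAP_ADMIN_PASSWORD`, into the CI log, and the bind password is hard-coded as `-w admin` instead of taken from that variable. The rewrite below enables `set -euo pipefail`, drops `printenv`, imports every fixture in name order through one loop and uses the configured password; the certificate, copy and readiness sections are unchanged (the file also lacks a trailing newline). If the base entries do already exist, the script now fails loudly instead of continuing, which is the right signal that the LDIF needs adjusting.

```shell
#!/bin/bash
set -euo pipefail
# … unchanged: self-signed certificate generation, ldif copy, entrypoint start, readiness loop …

echo "LDAP server is running, importing LDIF files..."
for ldif in /opt/bitnami/openldap/ldifs/*.ldif; do
  [ -f "$ldif" ] || continue
  echo "Importing $(basename "$ldif")..."
  ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=opencloud,dc=eu" -w "$LDAP_ADMIN_PASSWORD" -f "$ldif"
done
echo "LDIF import completed!"

wait "$ENTRYPOINT_PID"
```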
@@ -1,12 +1,12 @@ { - "id": "OpenCloud Test", + "id": "openCloud", "realm": "openCloud", "displayName": "OpenCloud", "notBefore": 0, "defaultSignatureAlgorithm": "RS256", "revokeRefreshToken": false, "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 600, + "accessTokenLifespan": 300, "accessTokenLifespanForImplicitFlow": 900, "ssoSessionIdleTimeout": 1800, "ssoSessionMaxLifespan": 36000, @@ -20,21 +20,21 @@ "clientOfflineSessionIdleTimeout": 0, "clientOfflineSessionMaxLifespan": 0, "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 600, + "accessCodeLifespanUserAction": 300, "accessCodeLifespanLogin": 1800, "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 600, + "actionTokenGeneratedByUserLifespan": 300, "oauth2DeviceCodeLifespan": 600, "oauth2DevicePollingInterval": 5, "enabled": true, "sslRequired": "external", "registrationAllowed": false, "registrationEmailAsUsername": false, - "rememberMe": false, + "rememberMe": true, "verifyEmail": false, "loginWithEmailAllowed": true, "duplicateEmailsAllowed": false, - "resetPasswordAllowed": false, + "resetPasswordAllowed": true, "editUsernameAllowed": false, "bruteForceProtected": true, "permanentLockout": false, 
@@ -48,39 +48,39 @@ "roles": { "realm": [ { - "id": "0bb40fa2-4490-4687-9159-b1d27ec7423a", - "name": "opencloudAdmin", - "description": "", + "id": "2d576514-4aae-46aa-9d9c-075f55f4d988", + "name": "uma_authorization", + "description": "${role_uma_authorization}", "composite": false, "clientRole": false, - "containerId": "OpenCloud Test", + "containerId": "openCloud", "attributes": {} }, { - "id": "2d576514-4aae-46aa-9d9c-075f55f4d988", - "name": "uma_authorization", - "description": "${role_uma_authorization}", + "id": "2aadd357-682c-406b-8874-293091995fdd", + "name": "opencloudSpaceAdmin", + "description": "", "composite": false, "clientRole": false, - "containerId": "OpenCloud Test", + "containerId": "openCloud", "attributes": {} }, { - "id": "8c79ff81-c256-48fd-b0b9-795c7941eedf", - "name": "opencloudUser", + "id": "38071a68-456a-4553-846a-fa67bf5596cc", + "name": "opencloudGuest", "description": "", "composite": false, "clientRole": false, - "containerId": "OpenCloud Test", + "containerId": "openCloud", "attributes": {} }, { - "id": "bd5f5012-48bb-4ea4-bfe6-0623e3ca0552", - "name": "opencloudSpaceAdmin", + "id": "71881883-1768-46bd-a24d-a356a2afdf7f", + "name": "opencloudAdmin", "description": "", "composite": false, "clientRole": false, - "containerId": "OpenCloud Test", + "containerId": "openCloud", "attributes": {} }, { 
@@ -89,35 +89,36 @@ "description": "${role_offline-access}", "composite": false, "clientRole": false, - "containerId": "OpenCloud Test", + "containerId": "openCloud", "attributes": {} }, { "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", - "name": "default-roles-open-cloud", + "name": "default-roles-opencloud", "description": "${role_default-roles}", "composite": true, "composites": { - "realm": ["offline_access", "uma_authorization"], + "realm": ["opencloudGuest", "offline_access", "uma_authorization"], "client": { "account": ["manage-account", "view-profile"] } }, "clientRole": false, - "containerId": "OpenCloud Test", + "containerId": "openCloud", "attributes": {} }, { - "id": "7eedfa6d-a2d9-4296-b6db-e75e4e9c0963", - "name": "opencloudGuest", + "id": "d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11", + "name": "opencloudUser", "description": "", "composite": false, "clientRole": false, - "containerId": "OpenCloud Test", + "containerId": "openCloud", "attributes": {} } ], "client": { + "_system": [], "realm-management": [ { "id": "979ce053-a671-4b50-81d5-da4bdf7404c9", @@ -325,9 +326,12 @@ "attributes": {} } ], + "OpenCloudDesktop": [], "web": [], "security-admin-console": [], + "OpenCloudIOS": [], "admin-cli": [], + "OpenCloudAndroid": [], "account-console": [], "broker": [ { 
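Review bot: `default-roles-opencloud` now composes `opencloudGuest`, so every authenticated user carries that realm role in the `roles` claim on top of whatever the group mappings in the following `groups` hunk grant (`users` → `opencloudUser`, `unix-lovers` → `opencloudAdmin`, `apollos` → `opencloudSpaceAdmin`). A member of `users` therefore presents two OpenCloud roles at once; with `"PROXY_ROLE_ASSIGNMENT_DRIVER": "oidc"` in `.woodpecker.star`, how the proxy chooses between them is not visible in this diff, and if it takes the first one or rejects ambiguity those users could land as guests or fail to log in. If the proxy guarantees a precedence, a comment next to `PROXY_ROLE_ASSIGNMENT_DRIVER` in `.woodpecker.star` (e.g. `# every user also carries opencloudGuest via default-roles; proxy resolves to the highest role`) would document why the guest default is safe. The `realm` role array and the `client` role map continue outside the hunk.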
@@ -428,18 +432,81 @@ }, "groups": [ { - "id": "8520544b-eb76-8375-8498-fbe0e1e62a97", - "name": "keycloak sales department", - "path": "/keycloak sales department", + "id": "1bf1a677-302d-4c28-ac53-e83c87372a81", + "name": "apollos", + "path": "/apollos", + "subGroups": [], + "attributes": {}, + "realmRoles": ["opencloudSpaceAdmin"], + "clientRoles": {} + }, + { + "id": "12611514-517a-4fe6-a85d-41a018e98598", + "name": "basic-haters", + "path": "/basic-haters", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "7a56c37d-3b86-487e-abe5-144452678255", + "name": "bible-readers", + "path": "/bible-readers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "03a5d51c-5e55-40ab-b8c8-5b796f77ab34", + "name": "chess-lovers", + "path": "/chess-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "255c4aea-a3c6-41f5-bca5-0dec59cca3ee", + "name": "machine-lovers", + "path": "/machine-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "d1d0f574-6a8e-49da-981b-bd0f667ec650", + "name": "programmers", + "path": "/programmers", "subGroups": [], "attributes": {}, "realmRoles": [], "clientRoles": {} }, { - "id": "d0a10993-e532-8498-b2b4-009f9b31d43a", - "name": "keycloak finance department", - "path": "/keycloak finance department", + "id": "f8ab7ab3-e44b-445b-86a7-26d61259a6a6", + "name": "unix-lovers", + "path": "/unix-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": ["opencloudAdmin"], + "clientRoles": {} + }, + { + "id": "c3e5bec3-a125-4043-b872-5c38dc659a13", + "name": "users", + "path": "/users", + "subGroups": [], + "attributes": {}, + "realmRoles": ["opencloudUser"], + "clientRoles": {} + }, + { + "id": "ed1c5f92-4938-494f-83d3-a73be393a270", + "name": "vlsi-lovers", + "path": "/vlsi-lovers", "subGroups": [], "attributes": {}, "realmRoles": [], 
@@ -448,11 +515,11 @@ ], "defaultRole": { "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", - "name": "default-roles-open-cloud", + "name": "default-roles-opencloud", "description": "${role_default-roles}", "composite": true, "clientRole": false, - "containerId": "OpenCloud Test" + "containerId": "openCloud" }, "requiredCredentials": ["password"], "otpPolicyType": "totp", @@ -490,36 +557,6 @@ "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, "webAuthnPolicyPasswordlessAcceptableAaguids": [], "webAuthnPolicyPasswordlessExtraOrigins": [], - "users": [ - { - "id": "389845cd-65b9-47fc-b723-ba75940bcbd7", - "username": "admin", - "firstName": "Admin", - "lastName": "Admin", - "email": "admin@example.org", - "emailVerified": true, - "createdTimestamp": 1611912383386, - "enabled": true, - "totp": false, - "credentials": [ - { - "id": "499e0fbe-1c10-4588-9db4-e8a1012b9246", - "type": "password", - "createdDate": 1611912393787, - "secretData": "{\"value\":\"WUdGHYxGqrEBqg8Y3v+CKCzkzXkboMI6VmpWAYqvD7pIcP9z1zzDTqwlXrVFytoZMpcceT3Xm1hAGh7CZcSoHQ==\",\"salt\":\"pxP1MdkG//50Lv81WsQ5FA==\",\"additionalParameters\":{}}", - "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } - ], - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": ["uma_authorization", "opencloudAdmin", "offline_access"], - "clientRoles": { - "account": ["manage-account", "view-profile"] - }, - "notBefore": 0, - "groups": ["/keycloak finance department", "/keycloak sales department"] - } - ], "scopeMappings": [ { "clientScope": "offline_access", @@ -527,7 +564,7 @@ }, { "clientScope": "roles", - "roles": ["opencloudSpaceAdmin", "opencloudGuest", "opencloudUser", "opencloudAdmin"] + "roles": ["opencloudGuest", "opencloudAdmin", "opencloudSpaceAdmin", "opencloudUser"] } ], "clientScopeMappings": { 
@@ -539,6 +576,188 @@ ] }, "clients": [ + { + "id": "c8367556-1d13-4979-b4f6-5e2cff1f82ae", + "clientId": "OpenCloudAndroid", + "name": "OpenCloud Android App", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": ["oc://android.opencloud.eu"], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "oc://android.opencloud.eu", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": ["web-origins", "profile", "roles", "groups", "basic", "email"], + "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"] + }, + { + "id": "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f", + "clientId": "OpenCloudDesktop", + "name": "OpenCloud Desktop Client", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": 
["http://127.0.0.1", "http://localhost"], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "OpenCloudUnique_ID", + "basic", + "email" + ], + "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"] + }, + { + "id": "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9", + "clientId": "OpenCloudIOS", + "name": "OpenCloud iOS App", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": ["oc://ios.opencloud.eu"], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + 
"protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "oc://ios.opencloud.eu", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "OpenCloudUnique_ID", + "basic", + "email" + ], + "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"] + }, + { + "id": "294b6cf4-b646-4f6c-bab2-616546ec3167", + "clientId": "_system", + "name": "_system", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1718778122", + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": ["web-origins", "profile", "roles", "basic", 
"email"], + "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"] + }, { "id": "9850adad-7910-4b67-a790-da6444361618", "clientId": "account", @@ -549,6 +768,7 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", + "secret": "**********", "redirectUris": ["/realms/openCloud/account/*"], "webOrigins": [], "notBefore": 0, @@ -562,6 +782,7 @@ "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { + "client.secret.creation.time": "1718778122", "post.logout.redirect.uris": "+" }, "authenticationFlowBindingOverrides": {}, @@ -649,7 +870,7 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "3mksmxreyii6xcc6N2JRGLT4fehwE1HT", + "secret": "**********", "redirectUris": [], "webOrigins": [], "notBefore": 0, @@ -738,12 +959,12 @@ "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { - "userinfo.token.claim": "true", "user.attribute": "locale", "id.token.claim": "true", "access.token.claim": "true", "claim.name": "locale", - "jsonType.label": "String" + "jsonType.label": "String", + "userinfo.token.claim": "true" } } ], @@ -753,7 +974,7 @@ { "id": "54b18eca-cf79-4263-9db9-2d79f8a1c831", "clientId": "web", - "name": "", + "name": "OpenCloud Web App", "description": "", "rootUrl": "https://opencloud:9200", "adminUrl": "https://opencloud:9200", @@ -762,7 +983,11 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "redirectUris": ["https://opencloud:9200/*"], + "redirectUris": [ + "https://opencloud:9200/", + "https://opencloud:9200/oidc-silent-redirect.html", + "https://opencloud:9200/oidc-callback.html" + ], "webOrigins": ["https://opencloud:9200"], "notBefore": 0, "bearerOnly": false, 
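Review bot: the new `_system` client imports with `"secret": "**********"`, and the same masked literal is added to `account` (hunk `@@ -549,6 +768,7 @@`) and replaces the former `broker` secret (hunk `@@ -649,7 +870,7 @@`). That literal is what Keycloak writes when masking a secret on export; whether an import treats it as a placeholder or stores it verbatim depends on the Keycloak version, and in the latter case three confidential clients share one trivially guessable secret on every CI run. Removing the committed `broker` secret is the right move, but for clients that do not need a fixed secret leave `secret` out so Keycloak generates one at import, or state in the pipeline config that the mask is intentional for this disposable realm. The `clients` array and the realm object continue outside these hunks.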
@@ -786,8 +1011,8 @@ "saml.server.signature.keyinfo.ext": "false", "exclude.session.state.from.auth.response": "false", "oidc.ciba.grant.enabled": "false", - "backchannel.logout.url": "https://opencloud:9200/backchannel_logout", "backchannel.logout.session.required": "true", + "backchannel.logout.url": "https://opencloud:9200/backchannel_logout", "client_credentials.use_refresh_token": "false", "saml_force_name_id_format": "false", "saml.client.signature": "false", @@ -799,7 +1024,15 @@ "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": true, "nodeReRegistrationTimeout": -1, - "defaultClientScopes": ["web-origins", "profile", "roles", "groups", "basic", "email"], + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "OpenCloudUnique_ID", + "basic", + "email" + ], "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"] } ], @@ -811,8 +1044,8 @@ "protocol": "openid-connect", "attributes": { "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" + "consent.screen.text": "${emailScopeConsentText}", + "display.on.consent.screen": "true" }, "protocolMappers": [ { @@ -822,12 +1055,12 @@ "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { - "userinfo.token.claim": "true", "user.attribute": "emailVerified", "id.token.claim": "true", "access.token.claim": "true", "claim.name": "email_verified", - "jsonType.label": "boolean" + "jsonType.label": "boolean", + "userinfo.token.claim": "true" } }, { @@ -837,12 +1070,12 @@ "protocolMapper": "oidc-usermodel-property-mapper", "consentRequired": false, "config": { - "userinfo.token.claim": "true", "user.attribute": "email", "id.token.claim": "true", "access.token.claim": "true", "claim.name": "email", - "jsonType.label": "String" + "jsonType.label": "String", + "userinfo.token.claim": "true" } } ] 
@@ -854,8 +1087,8 @@ "protocol": "openid-connect", "attributes": { "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" + "consent.screen.text": "${addressScopeConsentText}", + "display.on.consent.screen": "true" }, "protocolMappers": [ { 
@@ -888,6 +1121,144 @@
 "display.on.consent.screen": "true"
 }
 },
+ {
+ "id": "79713daf-89ca-4ed4-ad97-a88b13ee9a18",
+ "name": "phone",
+ "description": "OpenID Connect built-in scope: phone",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "consent.screen.text": "${phoneScopeConsentText}",
+ "display.on.consent.screen": "true"
+ },
+ "protocolMappers": [
+ {
+ "id": "b5f4f5ed-1008-42ba-8b3b-7d8851a2a680",
+ "name": "phone number",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "phoneNumber",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number",
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
+ }
+ },
+ {
+ "id": "08a246f1-2b4c-4def-af5c-aefc31b4820d",
+ "name": "phone number verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "phoneNumberVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number_verified",
+ "jsonType.label": "boolean",
+ "userinfo.token.claim": "true"
+ }
+ }
+ ]
+ },
+ {
+ "id": "5ce87358-3bca-4874-a6f0-6dccae6209a8",
+ "name": "web-origins",
+ "description": "OpenID Connect scope for add allowed web origins to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "consent.screen.text": "",
+ "display.on.consent.screen": "false"
+ },
+ "protocolMappers": [
+ {
+ "id": "bbd23c51-918d-4ea6-9ac0-db68b512fb0a",
+ "name": "allowed web origins",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-allowed-origins-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ]
+ },
+ {
+ "id": "bdb3e320-76c8-4ad7-9d0f-a08efc060101",
+ "name": "microprofile-jwt",
+ "description": "Microprofile - JWT built-in scope",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "false"
+ },
+ "protocolMappers": [
+ {
+ "id": "1d08316c-493b-42ab-afa3-66f621860661",
+ "name": "groups",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "userinfo.token.claim": "true",
+ "user.attribute": "foo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "52061d2d-7a41-4f1d-ba1b-3c4a53e739e4",
+ "name": "upn",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "upn",
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
+ }
+ }
+ ]
+ },
+ {
+ "id": "d68b434c-c589-45d4-ada1-5370b7e65cae",
+ "name": "OpenCloudUnique_ID",
+ "description": "Id to be used in OpenCloud and Keycloak",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "false",
+ "gui.order": "",
+ "consent.screen.text": ""
+ },
+ "protocolMappers": [
+ {
+ "id": "d84f29ea-54d4-477e-9b36-cf5d7bec8f0c",
+ "name": "Unique ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "introspection.token.claim": "true",
+ "userinfo.token.claim": "true",
+ "user.attribute": "uuid",
+ "id.token.claim": "true",
+ "lightweight.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "uuid",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
 {
 "id": "8eb1f69b-b941-4185-bca1-f916953f7cf5",
 "name": "role_list",
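Review bot: The `OpenCloudUnique_ID` scope at the end of the hunk publishes the user attribute `uuid` as a `uuid` claim in ID, access, userinfo and introspection tokens, yet its `description` says only "Id to be used in OpenCloud and Keycloak" and does not record what makes the value trustworthy as an identifier. In the later hunks of this diff the attribute is fed by an LDAP mapper on `entryUUID` with `"read.only": ["true"]` and the user-profile config gives it an empty `edit` permission list; that pairing is the reason the claim cannot be set by the user, so it belongs in the description, e.g. `"description": "Stable per-user id for OpenCloud, sourced from LDAP entryUUID via the 'uuid' storage mapper; the profile attribute must stay read-only for users"`. The moved `groups` mapper under `microprofile-jwt` still carries `"user.attribute": "foo"`, a pre-existing value that a realm-role mapper does not appear to read but that looks like a misconfiguration to anyone auditing the scopes.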
@@ -919,8 +1290,8 @@
 "protocol": "openid-connect",
 "attributes": {
 "include.in.token.scope": "true",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${profileScopeConsentText}"
+ "consent.screen.text": "${profileScopeConsentText}",
+ "display.on.consent.screen": "true"
 },
 "protocolMappers": [
 {
@@ -930,12 +1301,12 @@
 "protocolMapper": "oidc-usermodel-property-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "lastName",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "family_name",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -945,12 +1316,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "middleName",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "middle_name",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -960,12 +1331,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "picture",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "picture",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -975,12 +1346,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "locale",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "locale",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -990,12 +1361,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "profile",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "profile",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -1005,12 +1376,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "website",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "website",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -1032,12 +1403,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "nickname",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "nickname",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -1047,12 +1418,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "updatedAt",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "updated_at",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -1062,12 +1433,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "gender",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "gender",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -1077,12 +1448,12 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "birthdate",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "birthdate",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
@@ -1092,85 +1463,42 @@
 "protocolMapper": "oidc-usermodel-attribute-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
 "user.attribute": "zoneinfo",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "zoneinfo",
- "jsonType.label": "String"
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
 "id": "ed10983b-8700-415e-933e-226ce3f397a6",
 "name": "given name",
 "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "firstName",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "given_name",
- "jsonType.label": "String"
- }
- },
- {
- "id": "8205ccd0-1266-4060-b5df-3a6eb229d91e",
- "name": "username",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "username",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "preferred_username",
- "jsonType.label": "String"
- }
- }
- ]
- },
- {
- "id": "79713daf-89ca-4ed4-ad97-a88b13ee9a18",
- "name": "phone",
- "description": "OpenID Connect built-in scope: phone",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${phoneScopeConsentText}"
- },
- "protocolMappers": [
- {
- "id": "b5f4f5ed-1008-42ba-8b3b-7d8851a2a680",
- "name": "phone number",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "protocolMapper": "oidc-usermodel-property-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "phoneNumber",
+ "user.attribute": "firstName",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "phone_number",
- "jsonType.label": "String"
+ "claim.name": "given_name",
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 },
 {
- "id": "08a246f1-2b4c-4def-af5c-aefc31b4820d",
- "name": "phone number verified",
+ "id": "8205ccd0-1266-4060-b5df-3a6eb229d91e",
+ "name": "username",
 "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "protocolMapper": "oidc-usermodel-property-mapper",
 "consentRequired": false,
 "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "phoneNumberVerified",
+ "user.attribute": "username",
 "id.token.claim": "true",
 "access.token.claim": "true",
- "claim.name": "phone_number_verified",
- "jsonType.label": "boolean"
+ "claim.name": "preferred_username",
+ "jsonType.label": "String",
+ "userinfo.token.claim": "true"
 }
 }
 ]
@@ -1221,8 +1549,8 @@
 "protocol": "openid-connect",
 "attributes": {
 "include.in.token.scope": "false",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${rolesScopeConsentText}"
+ "consent.screen.text": "${rolesScopeConsentText}",
+ "display.on.consent.screen": "true"
 },
 "protocolMappers": [
 {
@@ -1254,11 +1582,11 @@
 "protocolMapper": "oidc-usermodel-realm-role-mapper",
 "consentRequired": false,
 "config": {
+ "id.token.claim": "true",
 "access.token.claim": "true",
 "claim.name": "roles",
- "userinfo.token.claim": "true",
- "id.token.claim": "true",
 "jsonType.label": "String",
+ "userinfo.token.claim": "true",
 "multivalued": "true"
 }
 }
@@ -1285,6 +1613,7 @@
 "config": {
 "full.path": "false",
 "introspection.token.claim": "true",
+ "multivalued": "true",
 "userinfo.token.claim": "true",
 "id.token.claim": "true",
 "lightweight.claim": "false",
@@ -1294,27 +1623,6 @@
 }
 ]
 },
- {
- "id": "5ce87358-3bca-4874-a6f0-6dccae6209a8",
- "name": "web-origins",
- "description": "OpenID Connect scope for add allowed web origins to the access token",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "false",
- "display.on.consent.screen": "false",
- "consent.screen.text": ""
- },
- "protocolMappers": [
- {
- "id": "bbd23c51-918d-4ea6-9ac0-db68b512fb0a",
- "name": "allowed web origins",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-allowed-origins-mapper",
- "consentRequired": false,
- "config": {}
- }
- ]
- },
 {
 "id": "86883395-e439-4cab-9d8d-31d71389969c",
 "name": "acr",
@@ -1338,49 +1646,6 @@
 }
 }
 ]
- },
- {
- "id": "bdb3e320-76c8-4ad7-9d0f-a08efc060101",
- "name": "microprofile-jwt",
- "description": "Microprofile - JWT built-in scope",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "false"
- },
- "protocolMappers": [
- {
- "id": "1d08316c-493b-42ab-afa3-66f621860661",
- "name": "groups",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-realm-role-mapper",
- "consentRequired": false,
- "config": {
- "multivalued": "true",
- "userinfo.token.claim": "true",
- "user.attribute": "foo",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "groups",
- "jsonType.label": "String"
- }
- },
- {
- "id": "52061d2d-7a41-4f1d-ba1b-3c4a53e739e4",
- "name": "upn",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "username",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "upn",
- "jsonType.label": "String"
- }
- }
- ]
 }
 ],
 "defaultDefaultClientScopes": [
@@ -1391,7 +1656,8 @@
 "web-origins",
 "acr",
 "basic",
- "groups"
+ "groups",
+ "OpenCloudUnique_ID"
 ],
 "defaultOptionalClientScopes": ["offline_access", "address", "phone", "microprofile-jwt"],
 "browserSecurityHeaders": {
@@ -1407,7 +1673,95 @@
 "smtpServer": {},
 "eventsEnabled": false,
 "eventsListeners": ["jboss-logging"],
- "enabledEventTypes": [],
+ "enabledEventTypes": [
+ "SEND_RESET_PASSWORD",
+ "UPDATE_CONSENT_ERROR",
+ "GRANT_CONSENT",
+ "VERIFY_PROFILE_ERROR",
+ "REMOVE_TOTP",
+ "REVOKE_GRANT",
+ "UPDATE_TOTP",
+ "LOGIN_ERROR",
+ "CLIENT_LOGIN",
+ "RESET_PASSWORD_ERROR",
+ "IMPERSONATE_ERROR",
+ "CODE_TO_TOKEN_ERROR",
+ "CUSTOM_REQUIRED_ACTION",
+ "OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR",
+ "RESTART_AUTHENTICATION",
+ "IMPERSONATE",
+ "UPDATE_PROFILE_ERROR",
+ "LOGIN",
+ "OAUTH2_DEVICE_VERIFY_USER_CODE",
+ "UPDATE_PASSWORD_ERROR",
+ "CLIENT_INITIATED_ACCOUNT_LINKING",
+ "OAUTH2_EXTENSION_GRANT",
+ "USER_DISABLED_BY_PERMANENT_LOCKOUT",
+ "TOKEN_EXCHANGE",
+ "AUTHREQID_TO_TOKEN",
+ "LOGOUT",
+ "REGISTER",
+ "DELETE_ACCOUNT_ERROR",
+ "CLIENT_REGISTER",
+ "IDENTITY_PROVIDER_LINK_ACCOUNT",
+ "USER_DISABLED_BY_TEMPORARY_LOCKOUT",
+ "DELETE_ACCOUNT",
+ "UPDATE_PASSWORD",
+ "CLIENT_DELETE",
+ "FEDERATED_IDENTITY_LINK_ERROR",
+ "IDENTITY_PROVIDER_FIRST_LOGIN",
+ "CLIENT_DELETE_ERROR",
+ "VERIFY_EMAIL",
+ "CLIENT_LOGIN_ERROR",
+ "RESTART_AUTHENTICATION_ERROR",
+ "EXECUTE_ACTIONS",
+ "REMOVE_FEDERATED_IDENTITY_ERROR",
+ "TOKEN_EXCHANGE_ERROR",
+ "PERMISSION_TOKEN",
+ "FEDERATED_IDENTITY_OVERRIDE_LINK",
+ "SEND_IDENTITY_PROVIDER_LINK_ERROR",
+ "EXECUTE_ACTION_TOKEN_ERROR",
+ "OAUTH2_EXTENSION_GRANT_ERROR",
+ "SEND_VERIFY_EMAIL",
+ "OAUTH2_DEVICE_AUTH",
+ "EXECUTE_ACTIONS_ERROR",
+ "REMOVE_FEDERATED_IDENTITY",
+ "OAUTH2_DEVICE_CODE_TO_TOKEN",
+ "IDENTITY_PROVIDER_POST_LOGIN",
+ "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR",
+ "FEDERATED_IDENTITY_OVERRIDE_LINK_ERROR",
+ "OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR",
+ "UPDATE_EMAIL",
+ "REGISTER_ERROR",
+ "REVOKE_GRANT_ERROR",
+ "EXECUTE_ACTION_TOKEN",
+ "LOGOUT_ERROR",
+ "UPDATE_EMAIL_ERROR",
+ "CLIENT_UPDATE_ERROR",
+ "AUTHREQID_TO_TOKEN_ERROR",
+ "INVITE_ORG_ERROR",
+ "UPDATE_PROFILE",
+ "CLIENT_REGISTER_ERROR",
+ "FEDERATED_IDENTITY_LINK",
+ "INVITE_ORG",
+ "SEND_IDENTITY_PROVIDER_LINK",
+ "SEND_VERIFY_EMAIL_ERROR",
+ "RESET_PASSWORD",
+ "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR",
+ "OAUTH2_DEVICE_AUTH_ERROR",
+ "UPDATE_CONSENT",
+ "REMOVE_TOTP_ERROR",
+ "VERIFY_EMAIL_ERROR",
+ "SEND_RESET_PASSWORD_ERROR",
+ "CLIENT_UPDATE",
+ "CUSTOM_REQUIRED_ACTION_ERROR",
+ "IDENTITY_PROVIDER_POST_LOGIN_ERROR",
+ "UPDATE_TOTP_ERROR",
+ "CODE_TO_TOKEN",
+ "VERIFY_PROFILE",
+ "GRANT_CONSENT_ERROR",
+ "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR"
+ ],
 "adminEventsEnabled": false,
 "adminEventsDetailsEnabled": false,
 "identityProviders": [],
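Review bot: The `enabledEventTypes` list added here is inert, because the unchanged context line `"eventsEnabled": false,` two lines above keeps the event store switched off (and `"adminEventsEnabled": false` does the same for admin events). If the aim is to see LOGIN, LOGIN_ERROR, LOGOUT, CODE_TO_TOKEN and the IMPERSONATE/TOKEN_EXCHANGE events in the `jboss-logging` listener output while the pipeline runs, the hunk also needs `"eventsEnabled": true,`; if events are not wanted, the empty list the hunk removes described the real state more honestly. Whichever is intended, a reader of this export will otherwise assume the realm records these events.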
@@ -1415,22 +1769,51 @@
 "components": {
 "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
 {
- "id": "6fc7d765-7da8-4985-ba0b-e83827b04bd3",
- "name": "Allowed Client Scopes",
- "providerId": "allowed-client-templates",
+ "id": "4682fe74-f3a9-445a-a7ab-557fb532fe6b",
+ "name": "Consent Required",
+ "providerId": "consent-required",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ },
+ {
+ "id": "c46009e5-c8b5-4051-bf7f-7b1481a9aa86",
+ "name": "Max Clients Limit",
+ "providerId": "max-clients",
 "subType": "anonymous",
 "subComponents": {},
 "config": {
- "allow-default-scopes": ["true"]
+ "max-clients": ["200"]
 }
 },
 {
- "id": "4682fe74-f3a9-445a-a7ab-557fb532fe6b",
- "name": "Consent Required",
- "providerId": "consent-required",
+ "id": "43edf979-28d2-46c8-9f93-48b3de185570",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
 "subType": "anonymous",
 "subComponents": {},
- "config": {}
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "oidc-full-name-mapper",
+ "saml-user-attribute-mapper",
+ "oidc-usermodel-property-mapper",
+ "saml-role-list-mapper",
+ "oidc-usermodel-attribute-mapper",
+ "saml-user-property-mapper",
+ "oidc-address-mapper",
+ "oidc-sha256-pairwise-sub-mapper"
+ ]
+ }
+ },
+ {
+ "id": "6fc7d765-7da8-4985-ba0b-e83827b04bd3",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": ["true"]
+ }
 },
 {
 "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6",
@@ -1440,14 +1823,14 @@
 "subComponents": {},
 "config": {
 "allowed-protocol-mapper-types": [
- "oidc-sha256-pairwise-sub-mapper",
- "saml-user-property-mapper",
 "oidc-full-name-mapper",
- "oidc-usermodel-property-mapper",
+ "saml-user-property-mapper",
+ "saml-role-list-mapper",
 "oidc-address-mapper",
- "saml-user-attribute-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "oidc-usermodel-property-mapper",
 "oidc-usermodel-attribute-mapper",
- "saml-role-list-mapper"
+ "saml-user-attribute-mapper"
 ]
 }
 },
@@ -1461,16 +1844,6 @@
 "allow-default-scopes": ["true"]
 }
 },
- {
- "id": "c46009e5-c8b5-4051-bf7f-7b1481a9aa86",
- "name": "Max Clients Limit",
- "providerId": "max-clients",
- "subType": "anonymous",
- "subComponents": {},
- "config": {
- "max-clients": ["200"]
- }
- },
 {
 "id": "c788e6bf-2f57-4a82-b32e-ac8d48a4f676",
 "name": "Full Scope Disabled",
@@ -1478,24 +1851,176 @@
 "subType": "anonymous",
 "subComponents": {},
 "config": {}
- },
+ }
+ ],
+ "org.keycloak.userprofile.UserProfileProvider": [
 {
- "id": "43edf979-28d2-46c8-9f93-48b3de185570",
- "name": "Allowed Protocol Mapper Types",
- "providerId": "allowed-protocol-mappers",
- "subType": "anonymous",
+ "id": "28d6b4ce-33d4-40c0-adef-b27e35b7e122",
+ "providerId": "declarative-user-profile",
 "subComponents": {},
 "config": {
- "allowed-protocol-mapper-types": [
- "saml-user-property-mapper",
- "oidc-address-mapper",
- "oidc-usermodel-property-mapper",
- "oidc-sha256-pairwise-sub-mapper",
- "oidc-usermodel-attribute-mapper",
- "saml-role-list-mapper",
- "saml-user-attribute-mapper",
- "oidc-full-name-mapper"
+ "kc.user.profile.config": [
+ "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"uuid\",\"displayName\":\"Unique LDAP ID\",\"validations\":{},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"
+ ]
+ }
+ }
+ ],
+ "org.keycloak.storage.UserStorageProvider": [
+ {
+ "id": "91da1f3b-b9f4-4759-aed4-50124d9b9f3e",
+ "name": "ldap",
+ "providerId": "ldap",
+ "subComponents": {
+ "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
+ {
+ "id": "5ce17b39-efb7-45a2-b600-55c57d3a3021",
+ "name": "email",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": ["mail"],
+ "is.mandatory.in.ldap": ["false"],
+ "always.read.value.from.ldap": ["false"],
+ "read.only": ["false"],
+ "user.model.attribute": ["email"]
+ }
+ },
+ {
+ "id": "7bf4374a-10d6-4192-9fb5-119ebf87f9f6",
+ "name": "modify date",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": ["modifyTimestamp"],
+ "is.mandatory.in.ldap": ["false"],
+ "always.read.value.from.ldap": ["true"],
+ "read.only": ["true"],
+ "user.model.attribute": ["modifyTimestamp"]
+ }
+ },
+ {
+ "id": "9fe968b5-c338-4419-93c4-f339cbad5ef8",
+ "name": "username",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": ["uid"],
+ "is.mandatory.in.ldap": ["true"],
+ "read.only": ["false"],
+ "always.read.value.from.ldap": ["false"],
+ "user.model.attribute": ["username"]
+ }
+ },
+ {
+ "id": "330d06e9-3e12-492e-af5e-53b1b950a122",
+ "name": "uuid",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": ["entryUUID"],
+ "attribute.force.default": ["false"],
+ "is.mandatory.in.ldap": ["false"],
+ "is.binary.attribute": ["false"],
+ "always.read.value.from.ldap": ["true"],
+ "read.only": ["true"],
+ "user.model.attribute": ["uuid"]
+ }
+ },
+ {
+ "id": "79e83df0-9406-4609-b78f-b27de957bc41",
+ "name": "last name",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": ["sn"],
+ "is.mandatory.in.ldap": ["true"],
+ "read.only": ["false"],
+ "always.read.value.from.ldap": ["true"],
+ "user.model.attribute": ["lastName"]
+ }
+ },
+ {
+ "id": "f75541bb-4819-424f-bc81-b6dc600dd730",
+ "name": "ldap-groups",
+ "providerId": "group-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "mode": ["LDAP_ONLY"],
+ "membership.attribute.type": ["DN"],
+ "user.roles.retrieve.strategy": ["LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"],
+ "group.name.ldap.attribute": ["cn"],
+ "membership.ldap.attribute": ["member"],
+ "preserve.group.inheritance": ["true"],
+ "ignore.missing.groups": ["false"],
+ "membership.user.ldap.attribute": ["uid"],
+ "groups.dn": ["ou=groups,dc=opencloud,dc=eu"],
+ "memberof.ldap.attribute": ["memberOf"],
+ "group.object.classes": ["groupOfNames"],
+ "groups.path": ["/"],
+ "drop.non.existing.groups.during.sync": ["true"]
+ }
+ },
+ {
+ "id": "cab8b569-0f50-4e13-b2a5-d24ee513cd8b",
+ "name": "first name",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": ["cn"],
+ "is.mandatory.in.ldap": ["true"],
+ "read.only": ["false"],
+ "always.read.value.from.ldap": ["true"],
+ "user.model.attribute": ["firstName"]
+ }
+ },
+ {
+ "id": "30cec76e-539e-4ac4-9816-8a0ae4a49798",
+ "name": "creation date",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": ["createTimestamp"],
+ "is.mandatory.in.ldap": ["false"],
+ "read.only": ["true"],
+ "always.read.value.from.ldap": ["true"],
+ "user.model.attribute": ["createTimestamp"]
+ }
+ }
 ]
+ },
+ "config": {
+ "fullSyncPeriod": ["86400"],
+ "pagination": ["false"],
+ "startTls": ["false"],
+ "connectionPooling": ["false"],
+ "usersDn": ["ou=users,dc=opencloud,dc=eu"],
+ "cachePolicy": ["EVICT_DAILY"],
+ "evictionHour": ["0"],
+ "useKerberosForPasswordAuthentication": ["false"],
+ "importEnabled": ["true"],
+ "enabled": ["true"],
+ "bindCredential": ["admin"],
+ "bindDn": ["cn=admin,dc=opencloud,dc=eu"],
+ "usernameLDAPAttribute": ["uid"],
+ "changedSyncPeriod": ["3600"],
+ "lastSync": ["1745440869"],
+ "vendor": ["other"],
+ "uuidLDAPAttribute": ["entryUUID"],
+ "connectionUrl": ["ldap://ldap-server:1389"],
+ "allowKerberosAuthentication": ["false"],
+ "syncRegistrations": ["true"],
+ "authType": ["simple"],
+ "krbPrincipalAttribute": ["krb5PrincipalName"],
+ "customUserSearchFilter": ["(objectclass=inetOrgPerson)"],
+ "searchScope": ["1"],
+ "useTruststoreSpi": ["always"],
+ "usePasswordModifyExtendedOp": ["false"],
+ "trustEmail": ["false"],
+ "userObjectClasses": ["top,person,organizationalPerson,inetOrgPerson"],
+ "evictionMinute": ["0"],
+ "rdnLDAPAttribute": ["uid"],
+ "editMode": ["WRITABLE"],
+ "validatePasswordPolicy": ["false"]
 }
 }
 ],
@@ -1519,6 +2044,16 @@
 "algorithm": ["HS256"]
 }
 },
+ {
+ "id": "a137a686-5876-4faf-8d1e-e3a59f55095e",
+ "name": "hmac-generated-hs512",
+ "providerId": "hmac-generated",
+ "subComponents": {},
+ "config": {
+ "priority": ["100"],
+ "algorithm": ["HS512"]
+ }
+ },
 {
 "id": "992dcc80-dc41-4b00-bab8-6ec1c839f3a4",
 "name": "aes-generated",
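Review bot: The `ldap` user-storage provider binds as the directory root (`"bindDn": ["cn=admin,dc=opencloud,dc=eu"]`, `"bindCredential": ["admin"]`) over plain `ldap://ldap-server:1389` with `"startTls": ["false"]`, and `"editMode": ["WRITABLE"]` together with `"syncRegistrations": ["true"]` lets Keycloak create and modify directory entries under that identity. On an ephemeral CI network that is a defensible trade-off, but `"useTruststoreSpi": ["always"]` is then a no-op and the clear-text root credential is now committed; if the LDAP fixture also exposes a TLS listener, `"connectionUrl": ["ldaps://ldap-server:<TLS-PORT>"]` (port is a placeholder) would cover the encrypted path, otherwise `"startTls": ["true"]` is the smaller change. The `first name` mapper reads `cn`, which for inetOrgPerson usually holds the full name rather than the given name (Keycloak's usual choice is `givenName`), so it is worth checking against the LDIF fixtures, and `"lastSync": ["1745440869"]` is residue from the exporting instance that can be dropped. The user-profile config earlier in the same hunk gives the `uuid` attribute `\"edit\":[]` and the `uuid` LDAP mapper is `"read.only": ["true"]`; that pair is what keeps the `uuid` claim out of reach of self-service profile edits and should survive future edits.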
@@ -1559,40 +2094,6 @@
 }
 ]
 },
- {
- "id": "404d2769-f3ba-4b5e-b43f-1bca919334f2",
- "alias": "Authentication Options",
- "description": "Authentication options.",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "basic-auth",
- "authenticatorFlow": false,
- "requirement": "REQUIRED",
- "priority": 10,
- "autheticatorFlow": false,
- "userSetupAllowed": false
- },
- {
- "authenticator": "basic-auth-otp",
- "authenticatorFlow": false,
- "requirement": "DISABLED",
- "priority": 20,
- "autheticatorFlow": false,
- "userSetupAllowed": false
- },
- {
- "authenticator": "auth-spnego",
- "authenticatorFlow": false,
- "requirement": "DISABLED",
- "priority": 30,
- "autheticatorFlow": false,
- "userSetupAllowed": false
- }
- ]
- },
 {
 "id": "123e5711-1ee5-4f7e-ac9c-64c644daaea9",
 "alias": "Browser - Conditional OTP",
@@ -1965,32 +2466,6 @@
 }
 ]
 },
- {
- "id": "8f5fab27-9b06-444d-931b-d03be9e6d4af",
- "alias": "http challenge",
- "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "no-cookie-redirect",
- "authenticatorFlow": false,
- "requirement": "REQUIRED",
- "priority": 10,
- "autheticatorFlow": false,
- "userSetupAllowed": false
- },
- {
- "authenticatorFlow": true,
- "requirement": "REQUIRED",
- "priority": 20,
- "autheticatorFlow": true,
- "flowAlias": "Authentication Options",
- "userSetupAllowed": false
- }
- ]
- },
 {
 "id": "c53eb19d-49e9-4252-8a10-4d5c6a12e61b",
 "alias": "registration",
@@ -2026,14 +2501,6 @@
 "autheticatorFlow": false,
 "userSetupAllowed": false
 },
- {
- "authenticator": "registration-profile-action",
- "authenticatorFlow": false,
- "requirement": "REQUIRED",
- "priority": 40,
- "autheticatorFlow": false,
- "userSetupAllowed": false
- },
 {
 "authenticator": "registration-password-action",
 "authenticatorFlow": false,
@@ -2140,9 +2607,9 @@
 "config": {}
 },
 {
- "alias": "terms_and_conditions",
+ "alias": "TERMS_AND_CONDITIONS",
 "name": "Terms and Conditions",
- "providerId": "terms_and_conditions",
+ "providerId": "TERMS_AND_CONDITIONS",
 "enabled": false,
 "defaultAction": false,
 "priority": 20,
@@ -2184,6 +2651,15 @@
 "priority": 60,
 "config": {}
 },
+ {
+ "alias": "delete_credential",
+ "name": "Delete Credential",
+ "providerId": "delete_credential",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 100,
+ "config": {}
+ },
 {
 "alias": "update_user_locale",
 "name": "Update User Locale",
@@ -2200,19 +2676,21 @@
 "resetCredentialsFlow": "reset credentials",
 "clientAuthenticationFlow": "clients",
 "dockerAuthenticationFlow": "docker auth",
+ "firstBrokerLoginFlow": "first broker login",
 "attributes": {
 "cibaBackchannelTokenDeliveryMode": "poll",
- "cibaExpiresIn": "120",
 "cibaAuthRequestedUserHint": "login_hint",
- "oauth2DeviceCodeLifespan": "600",
 "clientOfflineSessionMaxLifespan": "0",
 "oauth2DevicePollingInterval": "5",
 "clientSessionIdleTimeout": "0",
- "parRequestUriLifespan": "60",
- "clientSessionMaxLifespan": "0",
 "clientOfflineSessionIdleTimeout": "0",
 "cibaInterval": "5",
- "realmReusableOtpCode": "false"
+ "realmReusableOtpCode": "false",
+ "cibaExpiresIn": "120",
+ "oauth2DeviceCodeLifespan": "600",
+ "parRequestUriLifespan": "60",
+ "clientSessionMaxLifespan": "0",
+ "organizationsEnabled": "false"
 },
 "keycloakVersion": "25.0.0",
 "userManagedAccessAllowed": false,