From 7810a9d6862a26abfca26db985b1e2380235982a Mon Sep 17 00:00:00 2001
From: Domenico Francesco Bruscino
Date: Sun, 26 Feb 2023 06:56:31 +0100
Subject: [PATCH] ARTEMIS-4179 Fix security-keycloak log errors
---
 .../jms/example/KeycloakSecurityExample.java | 19 +-
 .../artemis-keycloak-demo-realm.json | 1296 ++++++++++-------
 2 files changed, 795 insertions(+), 520 deletions(-)
diff --git a/examples/features/standard/security-keycloak/src/main/java/org/apache/activemq/artemis/jms/example/KeycloakSecurityExample.java b/examples/features/standard/security-keycloak/src/main/java/org/apache/activemq/artemis/jms/example/KeycloakSecurityExample.java
index 36ac0afe9c..2fef778f10 100644
--- a/examples/features/standard/security-keycloak/src/main/java/org/apache/activemq/artemis/jms/example/KeycloakSecurityExample.java
+++ b/examples/features/standard/security-keycloak/src/main/java/org/apache/activemq/artemis/jms/example/KeycloakSecurityExample.java
@@ -25,18 +25,35 @@ import javax.jms.Session;
 import javax.jms.Queue;
 import javax.naming.InitialContext;
+import java.net.HttpURLConnection;
+import java.net.URL;
 import java.util.concurrent.TimeUnit;
+import org.apache.activemq.artemis.utils.Waiter;
+
 public class KeycloakSecurityExample {
 public static void main(final String[] args) throws Exception {
- boolean result = true;
 Connection connection = null;
 InitialContext initialContext = null;
 try {
+ // Step 0. Wait for artemis-keycloak-demo
+ Waiter.waitFor(() -> {
+ int responseCode = 0;
+ try {
+ URL url = new URL("http://localhost:8080/realms/artemis-keycloak-demo/.well-known/openid-configuration");
+ HttpURLConnection con = (HttpURLConnection) url.openConnection();
+ responseCode = con.getResponseCode();
+ con.disconnect();
+ } catch (Exception expectedTillInfraStarted) {
+ System.out.println("---- expected error on startup till artemis-keycloak-demo starts: " + expectedTillInfraStarted + ", retry in 5s");
+ }
+ return responseCode == 200;
+ }, TimeUnit.SECONDS, 30, TimeUnit.SECONDS, 5);
+
 // Step 1. Create an initial context to perform the JNDI lookup.
 initialContext = new InitialContext();
diff --git a/examples/features/standard/security-keycloak/src/main/resources/artemis-keycloak-demo-realm.json b/examples/features/standard/security-keycloak/src/main/resources/artemis-keycloak-demo-realm.json
index d7b9ca1f8c..c0a04f5ff9 100644
--- a/examples/features/standard/security-keycloak/src/main/resources/artemis-keycloak-demo-realm.json
+++ b/examples/features/standard/security-keycloak/src/main/resources/artemis-keycloak-demo-realm.json
@@ -2,6 +2,7 @@
 "id" : "artemis-keycloak-demo",
 "realm" : "artemis-keycloak-demo",
 "notBefore" : 0,
+ "defaultSignatureAlgorithm" : "RS256",
 "revokeRefreshToken" : false,
 "refreshTokenMaxReuse" : 0,
 "accessTokenLifespan" : 300,
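Review bot: The readiness probe inside the new `Waiter.waitFor` lambda opens the `HttpURLConnection` without `setConnectTimeout`/`setReadTimeout`, so a listener that accepts the TCP connection but never answers (a half-started container, or something else bound to 8080) blocks `getResponseCode()` indefinitely and the 30-second Waiter budget never takes effect. `con.disconnect()` is also reached only on the success path; when `getResponseCode()` throws, which is the expected case during startup, the connection is left for the GC. Bounding both timeouts and moving the disconnect into a `finally` keeps each probe inside the 5-second retry cadence. If `waitFor` reports a timeout through its return value, that result is discarded here, so a Keycloak that never comes up is only surfaced later by the JNDI/JMS steps; consider failing fast when it returns `false`. The enclosing `main` continues past the end of the hunk.
```java
         Waiter.waitFor(() -> {
            int responseCode = 0;
            HttpURLConnection con = null;
            try {
               URL url = new URL("http://localhost:8080/realms/artemis-keycloak-demo/.well-known/openid-configuration");
               con = (HttpURLConnection) url.openConnection();
               // bound each probe so a half-open listener cannot stall past the Waiter budget
               con.setConnectTimeout(2000);
               con.setReadTimeout(2000);
               responseCode = con.getResponseCode();
            } catch (Exception expectedTillInfraStarted) {
               System.out.println("---- expected error on startup till artemis-keycloak-demo starts: " + expectedTillInfraStarted + ", retry in 5s");
            } finally {
               if (con != null) {
                  con.disconnect();
               }
            }
            return responseCode == 200;
         }, TimeUnit.SECONDS, 30, TimeUnit.SECONDS, 5);
```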
@@ -22,6 +23,8 @@ "accessCodeLifespanLogin" : 1800, "actionTokenGeneratedByAdminLifespan" : 43200, "actionTokenGeneratedByUserLifespan" : 300, + "oauth2DeviceCodeLifespan" : 600, + "oauth2DevicePollingInterval" : 5, "enabled" : true, "sslRequired" : "external", "registrationAllowed" : false, @@ -57,6 +60,22 @@ "clientRole" : false, "containerId" : "artemis-keycloak-demo", "attributes" : { } + }, { + "id" : "c9f774ad-de13-4727-b2f4-07db4e51be6d", + "name" : "default-roles-artemis-keycloak-demo", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { + "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "artemis-broker" : [ "guest" ], + "artemis-console" : [ "guest" ], + "account" : [ "manage-account", "view-profile" ] + } + }, + "clientRole" : false, + "containerId" : "artemis-keycloak-demo", + "attributes" : { } } ], "client" : { "realm-management" : [ { @@ -315,6 +334,14 @@ "clientRole" : true, "containerId" : "f4fade80-b020-4a8f-8ec0-a20dd83b75d5", "attributes" : { } + }, { + "id" : "946657c4-1c88-43a8-b72e-e2f6333d822c", + "name" : "view-groups", + "description" : "${role_view-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "f4fade80-b020-4a8f-8ec0-a20dd83b75d5", + "attributes" : { } }, { "id" : "858adc6d-4951-4b20-9a2b-d6e2e96ff844", "name" : "manage-consent", @@ -332,7 +359,14 @@ } }, "groups" : [ ], - "defaultRoles" : [ "offline_access", "uma_authorization" ], + "defaultRole" : { + "id" : "c9f774ad-de13-4727-b2f4-07db4e51be6d", + "name" : "default-roles-artemis-keycloak-demo", + "description" : "${role_default-roles}", + "composite" : true, + "clientRole" : false, + "containerId" : "artemis-keycloak-demo" + }, "requiredCredentials" : [ "password" ], "otpPolicyType" : "totp", "otpPolicyAlgorithm" : "HmacSHA1", 
@@ -340,7 +374,8 @@ "otpPolicyDigits" : 6, "otpPolicyLookAheadWindow" : 1, "otpPolicyPeriod" : 30, - "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], + "otpPolicyCodeReusable" : false, + "otpSupportedApplications" : [ "totpAppMicrosoftAuthenticatorName", "totpAppFreeOTPName", "totpAppGoogleName" ], "webAuthnPolicyRpEntityName" : "keycloak", "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], "webAuthnPolicyRpId" : "", @@ -400,7 +435,7 @@ "id" : "c19263d2-c2fc-4cf0-b539-92478b8b6c86", "type" : "password", "createdDate" : 1615203229695, - "secretData" : "{\"value\":\"rzNO+t2+yVp1y5p8bVeLY5o/0mZjqVqmeKRVnsTUwkOVPld3UnTkdBYDvD9zUtO7zpelwJNK46yoN1hQUDLESw==\",\"salt\":\"5+8HEGa5IDebJ5MxqRD+/A==\",\"additionalParameters\":{}}", + "secretData" : "{\"value\":\"KMO2OT3x4Qjh8FVeQckagXfg1DuktazFPLnPU1loEfg=\",\"salt\":\"cGjYhYoChS9e5hEw+5WuLw==\",\"additionalParameters\":{}}", "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" } ], "disableableCredentialTypes" : [ ], @@ -417,7 +452,7 @@ "clientScopeMappings" : { "account" : [ { "client" : "account-console", - "roles" : [ "manage-account" ] + "roles" : [ "manage-account", "view-groups" ] } ] }, "clients" : [ { @@ -431,7 +466,6 @@ "alwaysDisplayInConsole" : false, "clientAuthenticatorType" : "client-secret", "secret" : "**********", - "defaultRoles" : [ "manage-account", "view-profile" ], "redirectUris" : [ "/realms/artemis-keycloak-demo/account/*" ], "webOrigins" : [ ], "notBefore" : 0, 
@@ -444,11 +478,13 @@ "publicClient" : false, "frontchannelLogout" : false, "protocol" : "openid-connect", - "attributes" : { }, + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "f44cbfb0-8969-4dd7-b7b0-9a9a548ac5dd", @@ -474,6 +510,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, "authenticationFlowBindingOverrides" : { }, @@ -487,7 +524,7 @@ "consentRequired" : false, "config" : { } } ], - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "258eebbd-ff72-4d93-bd26-1f63e1b8853c", @@ -510,11 +547,13 @@ "publicClient" : true, "frontchannelLogout" : false, "protocol" : "openid-connect", - "attributes" : { }, + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "6874f01b-9f64-4f52-bd76-1cf0f66e4d7e", 
@@ -524,7 +563,6 @@ "alwaysDisplayInConsole" : false, "clientAuthenticatorType" : "client-secret", "secret" : "9699685c-8a30-45cf-bf19-0d38bbac5fdc", - "defaultRoles" : [ "guest" ], "redirectUris" : [ ], "webOrigins" : [ ], "notBefore" : 0, @@ -542,6 +580,7 @@ "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", + "post.logout.redirect.uris" : "+", "backchannel.logout.revoke.offline.tokens" : "false", "saml.server.signature" : "false", "saml.server.signature.keyinfo.ext" : "false", @@ -558,7 +597,7 @@ "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : -1, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "75f83af0-f4f8-4a25-b6e5-bd331a3306c2", @@ -569,7 +608,6 @@ "alwaysDisplayInConsole" : false, "clientAuthenticatorType" : "client-secret", "secret" : "**********", - "defaultRoles" : [ "guest" ], "redirectUris" : [ "http://localhost:8161/console/*" ], "webOrigins" : [ "+" ], "notBefore" : 0, @@ -587,6 +625,7 @@ "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", + "post.logout.redirect.uris" : "+", "backchannel.logout.revoke.offline.tokens" : "false", "saml.server.signature" : "false", "saml.server.signature.keyinfo.ext" : "false", @@ -603,7 +642,7 @@ "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : -1, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "faa915cf-c333-4211-b0e6-8d910143f440", 
@@ -626,11 +665,13 @@ "publicClient" : false, "frontchannelLogout" : false, "protocol" : "openid-connect", - "attributes" : { }, + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "8058e1ae-b137-4fc9-aec4-1a066723c146", @@ -653,11 +694,13 @@ "publicClient" : false, "frontchannelLogout" : false, "protocol" : "openid-connect", - "attributes" : { }, + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "c1d70871-976d-4bcf-940f-2d9bd1c84d78", @@ -683,6 +726,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, "authenticationFlowBindingOverrides" : { }, 
@@ -703,38 +747,10 @@ "jsonType.label" : "String" } } ], - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] } ], "clientScopes" : [ { - "id" : "740f094b-5d61-4590-a606-321af4d38628", - "name" : "address", - "description" : "OpenID Connect built-in scope: address", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${addressScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : "3dc49dd4-fff1-42bd-9c59-842c1abba650", - "name" : "address", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-address-mapper", - "consentRequired" : false, - "config" : { - "user.attribute.formatted" : "formatted", - "user.attribute.country" : "country", - "user.attribute.postal_code" : "postal_code", - "userinfo.token.claim" : "true", - "user.attribute.street" : "street", - "id.token.claim" : "true", - "user.attribute.region" : "region", - "access.token.claim" : "true", - "user.attribute.locality" : "locality" - } - } ] - }, { "id" : "40eb9ce1-0b52-4bce-88cb-2a7b78e48f2b", "name" : "email", "description" : "OpenID Connect built-in scope: email", 
@@ -773,54 +789,6 @@ "jsonType.label" : "String" } } ] - }, { - "id" : "912850d8-6d0e-4b4f-b68b-1b2c7b377ac7", - "name" : "microprofile-jwt", - "description" : "Microprofile - JWT built-in scope", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "false" - }, - "protocolMappers" : [ { - "id" : "46e28353-6e20-46b0-b4df-5339522e5612", - "name" : "upn", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "username", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "upn", - "jsonType.label" : "String" - } - }, { - "id" : "2c833b5a-8f08-46bd-b017-29a6483031c9", - "name" : "groups", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-realm-role-mapper", - "consentRequired" : false, - "config" : { - "multivalued" : "true", - "userinfo.token.claim" : "true", - "user.attribute" : "foo", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "groups", - "jsonType.label" : "String" - } - } ] - }, { - "id" : "9eb9e8f4-7a40-4b90-ad2d-7b1e6fdcdb5c", - "name" : "offline_access", - "description" : "OpenID Connect built-in scope: offline_access", - "protocol" : "openid-connect", - "attributes" : { - "consent.screen.text" : "${offlineAccessScopeConsentText}", - "display.on.consent.screen" : "true" - } }, { "id" : "7a0fdcf8-abaa-4ecb-827b-b3d05a303cf3", "name" : "phone", 
@@ -860,6 +828,34 @@ "jsonType.label" : "boolean" } } ] + }, { + "id" : "740f094b-5d61-4590-a606-321af4d38628", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "3dc49dd4-fff1-42bd-9c59-842c1abba650", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] }, { "id" : "7b2d5b88-9c68-4c55-9c03-1c3e53ec9b52", "name" : "profile", @@ -1064,6 +1060,24 @@ "jsonType.label" : "String" } } ] + }, { + "id" : "322674b4-1e3c-4941-b482-1bf593cfaff8", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "42eac5b2-f1b1-4f1b-bdaf-98b26ddb0545", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] }, { "id" : "458ca4d1-7a8f-4c49-b92e-e59eb2a385c1", "name" : "role_list", 
@@ -1085,6 +1099,74 @@ "attribute.name" : "Role" } } ] + }, { + "id" : "0fec63da-7f89-456d-ae3d-76eef8d9428f", + "name" : "acr", + "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "ddb6f869-75c3-4fd1-9bc1-ebac5a473075", + "name" : "acr loa level", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-acr-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true" + } + } ] + }, { + "id" : "912850d8-6d0e-4b4f-b68b-1b2c7b377ac7", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "46e28353-6e20-46b0-b4df-5339522e5612", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "2c833b5a-8f08-46bd-b017-29a6483031c9", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "9eb9e8f4-7a40-4b90-ad2d-7b1e6fdcdb5c", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + 
"consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } }, { "id" : "da5fd7af-acd4-4e69-b6ac-292109b1ed24", "name" : "roles", @@ -1129,26 +1211,8 @@ "multivalued" : "true" } } ] - }, { - "id" : "322674b4-1e3c-4941-b482-1bf593cfaff8", - "name" : "web-origins", - "description" : "OpenID Connect scope for add allowed web origins to the access token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "display.on.consent.screen" : "false", - "consent.screen.text" : "" - }, - "protocolMappers" : [ { - "id" : "42eac5b2-f1b1-4f1b-bdaf-98b26ddb0545", - "name" : "allowed web origins", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-allowed-origins-mapper", - "consentRequired" : false, - "config" : { } - } ] } ], - "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins" ], + "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr" ], "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], "browserSecurityHeaders" : { "contentSecurityPolicyReportOnly" : "", @@ -1200,7 +1264,7 @@ "subType" : "authenticated", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-address-mapper" ] + "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-user-property-mapper" ] } }, { "id" : "83883c14-513b-4757-a565-715f6d23d166", 
@@ -1235,7 +1299,7 @@ "subType" : "anonymous", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper" ] + "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper" ] } } ], "org.keycloak.keys.KeyProvider" : [ { @@ -1274,7 +1338,7 @@ "internationalizationEnabled" : false, "supportedLocales" : [ ], "authenticationFlows" : [ { - "id" : "b3fc0281-a54f-41bd-b744-d06f38496f90", + "id" : "202ab63c-93b3-4b11-a9d7-58130a624c5f", "alias" : "Account verification options", "description" : "Method with which to verity the existing account", "providerId" : "basic-flow", @@ -1282,19 +1346,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "idp-email-verification", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "ALTERNATIVE", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Verify Existing Account by Re-authentication", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "90489d0b-d9d7-450b-a3ea-b0d70ce7ff36", + "id" : "d1107d3e-cb25-4d68-b672-623cf76e2a89", "alias" : "Authentication Options", "description" : "Authentication options.", "providerId" : "basic-flow", 
@@ -1302,25 +1368,28 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "basic-auth", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "basic-auth-otp", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-spnego", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "8b42cb4d-a64d-410b-bba8-eb2f4f57d913", + "id" : "17d991e5-ecf1-49b1-a176-c9485b049efd", "alias" : "Browser - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -1328,19 +1397,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "88cfb2b3-eb8e-4160-8685-1e7daa552889", + "id" : "2be43b4b-111b-400c-9ad5-c918c53a7a53", "alias" : "Direct Grant - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", 
@@ -1348,19 +1419,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "direct-grant-validate-otp", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "af29d994-3b0e-4df0-8105-f4a25d48fae8", + "id" : "faf143c0-978e-49c1-a454-c3cd2d8e93fe", "alias" : "First broker login - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -1368,19 +1441,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "606ab046-8762-481e-8936-3e06ac1272cb", + "id" : "1fcff348-d9aa-4c6e-8238-047dad0c3a52", "alias" : "Handle Existing Account", "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId" : "basic-flow", 
@@ -1388,19 +1463,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "idp-confirm-link", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Account verification options", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "799a2cec-a354-472f-ab97-cd1fd36b7841", + "id" : "2853067d-3960-483a-9d6b-05d88fc8317c", "alias" : "Reset - Conditional OTP", "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId" : "basic-flow", @@ -1408,19 +1485,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "reset-otp", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "1b5bb69b-34a5-43c8-8b5f-21822222aadd", + "id" : "b380fbf7-be74-459b-accc-47ac0b9c7091", "alias" : "User creation or linking", "description" : "Flow for the existing/non-existing user alternatives", "providerId" : "basic-flow", 
@@ -1429,19 +1508,21 @@ "authenticationExecutions" : [ { "authenticatorConfig" : "create unique user config", "authenticator" : "idp-create-user-if-unique", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "ALTERNATIVE", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Handle Existing Account", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "8facb553-2771-49b0-b170-46037de5e566", + "id" : "def098f6-f65c-4adc-ae58-e01b1218333d", "alias" : "Verify Existing Account by Re-authentication", "description" : "Reauthentication of existing account", "providerId" : "basic-flow", @@ -1449,19 +1530,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "idp-username-password-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "First broker login - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "baae710a-592a-40ec-b44a-2be2918c3236", + "id" : "2f776c1b-3704-4fa5-a41a-0dfa6bb6ca39", "alias" : "browser", "description" : "browser based authentication", "providerId" : "basic-flow", 
@@ -1469,31 +1552,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "auth-cookie", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-spnego", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "identity-provider-redirector", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 25, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "ALTERNATIVE", "priority" : 30, + "autheticatorFlow" : true, "flowAlias" : "forms", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "d1f2484b-9939-4a90-8540-eb53d941b44d", + "id" : "c26e6180-18b0-493e-b202-bdd347e108e7", "alias" : "clients", "description" : "Base authentication for clients", "providerId" : "client-flow", 
@@ -1501,31 +1588,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "client-secret", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "client-jwt", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "client-secret-jwt", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "client-x509", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 40, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "d14461b0-cf44-4d35-97d5-889db738be83", + "id" : "ecb65f66-6ba1-4f5e-9299-40dcc8c37ebf", "alias" : "direct grant", "description" : "OpenID Connect Resource Owner Grant", "providerId" : "basic-flow", 
@@ -1533,25 +1624,28 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "direct-grant-validate-username", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "direct-grant-validate-password", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 30, + "autheticatorFlow" : true, "flowAlias" : "Direct Grant - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "44ac2d4b-7194-4661-8060-de9c0339c891", + "id" : "6fc3966f-77d1-4eea-a2cb-6fb46af47deb", "alias" : "docker auth", "description" : "Used by Docker clients to authenticate against the IDP", "providerId" : "basic-flow", @@ -1559,13 +1653,14 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "docker-http-basic-authenticator", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "28233fd4-c562-4c88-bf54-ad17aff4148d", + "id" : "36ac9643-6493-49e6-9841-7f43fcfba50e", "alias" : "first broker login", "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId" : "basic-flow", 
@@ -1574,19 +1669,21 @@ "authenticationExecutions" : [ { "authenticatorConfig" : "review profile config", "authenticator" : "idp-review-profile", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "User creation or linking", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "54f0795e-23c5-4cc9-87d7-45b57215cce4", + "id" : "98e32cc2-58ce-4c9a-8d16-d93e1a62cc30", "alias" : "forms", "description" : "Username, password, otp and other auth forms.", "providerId" : "basic-flow", @@ -1594,19 +1691,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "auth-username-password-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Browser - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "afd9b09a-015c-4f44-bd67-a23608e42215", + "id" : "90d40a53-c761-409b-8cf8-5c47a2127ca3", "alias" : "http challenge", "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId" : "basic-flow", 
@@ -1614,19 +1713,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "no-cookie-redirect", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Authentication Options", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "5d5ab8ab-bf87-48f9-9d4b-35cc43c12763", + "id" : "5ed32f7b-0ef6-4132-8ad4-ab5717cdcc32", "alias" : "registration", "description" : "registration flow", "providerId" : "basic-flow", @@ -1634,14 +1735,15 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "registration-page-form", + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 10, + "autheticatorFlow" : true, "flowAlias" : "registration form", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "de771f55-0d04-4bcd-b586-bfa234e09b8b", + "id" : "69cb8a4a-9066-479d-8a44-248896c00293", "alias" : "registration form", "description" : "registration form", "providerId" : "form-flow", 
@@ -1649,31 +1751,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "registration-user-creation", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "registration-profile-action", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 40, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "registration-password-action", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 50, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "registration-recaptcha-action", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 60, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "06d7f08e-ee5a-472d-98e0-f6d49d6bdbbe", + "id" : "d71d79e5-9443-427d-9157-c38e5dd6e2ac", "alias" : "reset credentials", "description" : "Reset credentials for a user if they forgot their password or something", "providerId" : "basic-flow", 
@@ -1681,31 +1787,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "reset-credentials-choose-user", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "reset-credential-email", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "reset-password", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 40, + "autheticatorFlow" : true, "flowAlias" : "Reset - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "e42b5356-bd45-47c9-998f-d64b82424d5c", + "id" : "f02d25cd-3d25-41b4-b167-09e05518e7dd", "alias" : "saml ecp", "description" : "SAML ECP Profile Authentication Flow", "providerId" : "basic-flow", 
@@ -1713,20 +1823,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "http-basic-authenticator", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] } ], "authenticatorConfig" : [ { - "id" : "bdf530ec-e51b-4c7b-9c85-7fd856d0acc8", + "id" : "3f77deec-7736-41e1-945c-b4d8b6a5e0c6", "alias" : "create unique user config", "config" : { "require.password.update.after.registration" : "false" } }, { - "id" : "936a360d-981a-4c1b-be9a-c81991a843f3", + "id" : "65b65c22-9324-4b67-b8bd-fcdf6a989b27", "alias" : "review profile config", "config" : { "update.profile.on.first.login" : "missing" @@ -1796,19 +1907,34 @@ "clientAuthenticationFlow" : "clients", "dockerAuthenticationFlow" : "docker auth", "attributes" : { + "cibaBackchannelTokenDeliveryMode" : "poll", + "cibaExpiresIn" : "120", + "cibaAuthRequestedUserHint" : "login_hint", + "oauth2DeviceCodeLifespan" : "600", "clientOfflineSessionMaxLifespan" : "0", + "oauth2DevicePollingInterval" : "5", "clientSessionIdleTimeout" : "0", + "parRequestUriLifespan" : "60", "clientSessionMaxLifespan" : "0", - "clientOfflineSessionIdleTimeout" : "0" + "clientOfflineSessionIdleTimeout" : "0", + "cibaInterval" : "5", + "realmReusableOtpCode" : "false" }, - "keycloakVersion" : "12.0.3", - "userManagedAccessAllowed" : false + "keycloakVersion" : "21.0.0", + "userManagedAccessAllowed" : false, + "clientProfiles" : { + "profiles" : [ ] + }, + "clientPolicies" : { + "policies" : [ ] + } }, { "id" : "master", "realm" : "master", "displayName" : "Keycloak", "displayNameHtml" : "
Keycloak
", "notBefore" : 0, + "defaultSignatureAlgorithm" : "RS256", "revokeRefreshToken" : false, "refreshTokenMaxReuse" : 0, "accessTokenLifespan" : 60, @@ -1829,6 +1955,8 @@ "accessCodeLifespanLogin" : 1800, "actionTokenGeneratedByAdminLifespan" : 43200, "actionTokenGeneratedByUserLifespan" : 300, + "oauth2DeviceCodeLifespan" : 600, + "oauth2DevicePollingInterval" : 5, "enabled" : true, "sslRequired" : "external", "registrationAllowed" : false, @@ -1887,6 +2015,20 @@ "clientRole" : false, "containerId" : "master", "attributes" : { } + }, { + "id" : "2b9dcd6f-de2c-4fe9-8c2b-0945e99c27b4", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { + "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "account" : [ "view-profile", "manage-account" ] + } + }, + "clientRole" : false, + "containerId" : "master", + "attributes" : { } } ], "client" : { "artemis-keycloak-demo-realm" : [ { @@ -2248,6 +2390,14 @@ "clientRole" : true, "containerId" : "01870061-242b-4b31-9ce1-42e586acda3e", "attributes" : { } + }, { + "id" : "7104a7de-b829-4758-99c3-8c1dab748bed", + "name" : "view-groups", + "description" : "${role_view-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "01870061-242b-4b31-9ce1-42e586acda3e", + "attributes" : { } }, { "id" : "fa876b15-3a0c-43f0-9df6-cc71da962c12", "name" : "view-applications", @@ -2281,7 +2431,14 @@ } }, "groups" : [ ], - "defaultRoles" : [ "uma_authorization", "offline_access" ], + "defaultRole" : { + "id" : "2b9dcd6f-de2c-4fe9-8c2b-0945e99c27b4", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "clientRole" : false, + "containerId" : "master" + }, "requiredCredentials" : [ "password" ], "otpPolicyType" : "totp", "otpPolicyAlgorithm" : "HmacSHA1", 
@@ -2289,7 +2446,8 @@ "otpPolicyDigits" : 6, "otpPolicyLookAheadWindow" : 1, "otpPolicyPeriod" : 30, - "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], + "otpPolicyCodeReusable" : false, + "otpSupportedApplications" : [ "totpAppMicrosoftAuthenticatorName", "totpAppFreeOTPName", "totpAppGoogleName" ], "webAuthnPolicyRpEntityName" : "keycloak", "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], "webAuthnPolicyRpId" : "", @@ -2340,7 +2498,7 @@ "clientScopeMappings" : { "account" : [ { "client" : "account-console", - "roles" : [ "manage-account" ] + "roles" : [ "manage-account", "view-groups" ] } ] }, "clients" : [ { @@ -2354,7 +2512,6 @@ "alwaysDisplayInConsole" : false, "clientAuthenticatorType" : "client-secret", "secret" : "dd4e0fbc-8d02-40d8-8c1e-6ee71f9baf89", - "defaultRoles" : [ "view-profile", "manage-account" ], "redirectUris" : [ "/realms/master/account/*" ], "webOrigins" : [ ], "notBefore" : 0, @@ -2367,11 +2524,13 @@ "publicClient" : false, "frontchannelLogout" : false, "protocol" : "openid-connect", - "attributes" : { }, + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "d007d156-5b9c-444d-8841-5ec020f03dbb", @@ -2397,6 +2556,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, "authenticationFlowBindingOverrides" : { }, 
@@ -2410,7 +2570,7 @@ "consentRequired" : false, "config" : { } } ], - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "9f6c3650-3994-4957-8808-b2154b8c71b5", @@ -2433,11 +2593,13 @@ "publicClient" : true, "frontchannelLogout" : false, "protocol" : "openid-connect", - "attributes" : { }, + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "6f7c1789-8d4c-4b8f-a01c-efcca754204b", @@ -2459,11 +2621,14 @@ "serviceAccountsEnabled" : false, "publicClient" : false, "frontchannelLogout" : false, - "attributes" : { }, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "ab7b25e3-cafe-4e28-bb86-0a5aa8336748", 
@@ -2486,11 +2651,13 @@ "publicClient" : false, "frontchannelLogout" : false, "protocol" : "openid-connect", - "attributes" : { }, + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "59dbb061-956f-49f5-922e-19660f29c608", @@ -2512,11 +2679,14 @@ "serviceAccountsEnabled" : false, "publicClient" : false, "frontchannelLogout" : false, - "attributes" : { }, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { "id" : "b4bba21a-4347-4625-8bda-567003ac2fe8", @@ -2542,6 +2712,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, "authenticationFlowBindingOverrides" : { }, 
@@ -2562,113 +2733,26 @@ "jsonType.label" : "String" } } ], - "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] } ], "clientScopes" : [ { - "id" : "0b32b7ca-77c7-439c-a488-50b210c99356", - "name" : "address", - "description" : "OpenID Connect built-in scope: address", + "id" : "959f7373-6350-4428-8b35-d0d5e85697ac", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", "protocol" : "openid-connect", "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${addressScopeConsentText}" + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" }, "protocolMappers" : [ { - "id" : "3fae9891-8756-4e6c-87e5-1aed666fdc63", - "name" : "address", + "id" : "50e19422-294d-4b66-963d-999d90695a49", + "name" : "allowed web origins", "protocol" : "openid-connect", - "protocolMapper" : "oidc-address-mapper", + "protocolMapper" : "oidc-allowed-origins-mapper", "consentRequired" : false, - "config" : { - "user.attribute.formatted" : "formatted", - "user.attribute.country" : "country", - "user.attribute.postal_code" : "postal_code", - "userinfo.token.claim" : "true", - "user.attribute.street" : "street", - "id.token.claim" : "true", - "user.attribute.region" : "region", - "access.token.claim" : "true", - "user.attribute.locality" : "locality" - } - } ] - }, { - "id" : "d9ee8146-9f43-4f32-be94-537e594edeee", - "name" : "email", - "description" : "OpenID Connect built-in scope: email", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${emailScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : 
"b73f8051-c286-4eef-9da7-fbdca988a267", - "name" : "email", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "email", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "email", - "jsonType.label" : "String" - } - }, { - "id" : "d494b4a5-3f95-4ad8-85fb-6ab14c2aba98", - "name" : "email verified", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "emailVerified", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "email_verified", - "jsonType.label" : "boolean" - } - } ] - }, { - "id" : "73d67ab8-8c2a-4877-bfab-e3f92ea70fc0", - "name" : "microprofile-jwt", - "description" : "Microprofile - JWT built-in scope", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "false" - }, - "protocolMappers" : [ { - "id" : "caab6c80-219e-49a7-b261-623c9dfc39b3", - "name" : "upn", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "username", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "upn", - "jsonType.label" : "String" - } - }, { - "id" : "2657b7c8-acf5-4a00-8f91-e4481e1a2ef9", - "name" : "groups", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-realm-role-mapper", - "consentRequired" : false, - "config" : { - "multivalued" : "true", - "user.attribute" : "foo", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "groups", - "jsonType.label" : "String" - } + "config" : { } } ] }, { "id" : "1b1ec0af-50de-4805-b92e-8517f8ae1ce2", 
@@ -2679,45 +2763,6 @@ "consent.screen.text" : "${offlineAccessScopeConsentText}", "display.on.consent.screen" : "true" } - }, { - "id" : "c0a3fa2d-cbfd-4aed-b784-b2f1d0082e3c", - "name" : "phone", - "description" : "OpenID Connect built-in scope: phone", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${phoneScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : "22bc4dae-8f6f-4f6b-9c89-122caf10d2d6", - "name" : "phone number verified", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "phoneNumberVerified", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "phone_number_verified", - "jsonType.label" : "boolean" - } - }, { - "id" : "c25dbd18-e59d-4e4a-a7df-7ee7dfe1508b", - "name" : "phone number", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "phoneNumber", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "phone_number", - "jsonType.label" : "String" - } - } ] }, { "id" : "ab056ba3-d42c-4344-bc44-b7b9f8923882", "name" : "profile", 
@@ -2922,6 +2967,45 @@ "jsonType.label" : "String" } } ] + }, { + "id" : "c0a3fa2d-cbfd-4aed-b784-b2f1d0082e3c", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "22bc4dae-8f6f-4f6b-9c89-122caf10d2d6", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "c25dbd18-e59d-4e4a-a7df-7ee7dfe1508b", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + } ] }, { "id" : "2d955805-8c91-4862-a799-9a35f18c121a", "name" : "role_list", 
@@ -2943,6 +3027,73 @@ "attribute.name" : "Role" } } ] + }, { + "id" : "d9ee8146-9f43-4f32-be94-537e594edeee", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "b73f8051-c286-4eef-9da7-fbdca988a267", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + }, { + "id" : "d494b4a5-3f95-4ad8-85fb-6ab14c2aba98", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + } ] + }, { + "id" : "0b32b7ca-77c7-439c-a488-50b210c99356", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "3fae9891-8756-4e6c-87e5-1aed666fdc63", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + 
"user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] }, { "id" : "c6bf08bb-081c-4d9a-9fb1-2fc97bcf37f9", "name" : "roles", 
@@ -2988,33 +3139,74 @@ } } ] }, { - "id" : "959f7373-6350-4428-8b35-d0d5e85697ac", - "name" : "web-origins", - "description" : "OpenID Connect scope for add allowed web origins to the access token", + "id" : "73d67ab8-8c2a-4877-bfab-e3f92ea70fc0", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "caab6c80-219e-49a7-b261-623c9dfc39b3", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "2657b7c8-acf5-4a00-8f91-e4481e1a2ef9", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "1e255b41-327e-4797-9a19-0806078a2469", + "name" : "acr", + "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", "protocol" : "openid-connect", "attributes" : { "include.in.token.scope" : "false", - "display.on.consent.screen" : "false", - "consent.screen.text" : "" + "display.on.consent.screen" : "false" }, "protocolMappers" : [ { - "id" : "50e19422-294d-4b66-963d-999d90695a49", - "name" : "allowed web origins", + "id" : "fadc519b-db6f-488c-8df2-7c310b69d581", + "name" : "acr loa level", "protocol" : "openid-connect", - "protocolMapper" : "oidc-allowed-origins-mapper", + "protocolMapper" : "oidc-acr-mapper", 
"consentRequired" : false, - "config" : { } + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true" + } } ] } ], - "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins" ], + "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr" ], "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], "browserSecurityHeaders" : { "contentSecurityPolicyReportOnly" : "", "xContentTypeOptions" : "nosniff", "xRobotsTag" : "none", "xFrameOptions" : "SAMEORIGIN", - "xXSSProtection" : "1; mode=block", "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection" : "1; mode=block", "strictTransportSecurity" : "max-age=31536000; includeSubDomains" }, "smtpServer" : { }, @@ -3051,7 +3243,7 @@ "subType" : "authenticated", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper" ] + "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper" ] } }, { "id" : "68af6607-ca19-4dd7-839b-705e073e218f", 
@@ -3067,7 +3259,7 @@ "subType" : "anonymous", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper" ] + "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper" ] } }, { "id" : "502222e9-8a6b-494d-95af-297ef1a02339", @@ -3123,7 +3315,7 @@ "internationalizationEnabled" : false, "supportedLocales" : [ ], "authenticationFlows" : [ { - "id" : "2feb4193-fb1c-472a-bd11-ed98747dfa0c", + "id" : "ec53cf3f-6bf9-4864-8c3b-d3b53a72e545", "alias" : "Account verification options", "description" : "Method with which to verity the existing account", "providerId" : "basic-flow", @@ -3131,19 +3323,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "idp-email-verification", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "ALTERNATIVE", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Verify Existing Account by Re-authentication", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "366c73d4-99bf-4db2-90ef-8d80829ff5a8", + "id" : "20078057-ea06-4868-aaca-f263414df6c6", "alias" : "Authentication Options", "description" : "Authentication options.", "providerId" : "basic-flow", 
@@ -3151,25 +3345,28 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "basic-auth", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "basic-auth-otp", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-spnego", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "03a9b720-5c0b-4f53-aa1f-985b3788213a", + "id" : "a3f45098-aaf2-4a57-8756-5575ae68e699", "alias" : "Browser - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -3177,19 +3374,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "71786079-7567-483d-b513-4c37b8b5e1f6", + "id" : "7479683d-ef8f-40ad-b0e2-6d9a3a29b422", "alias" : "Direct Grant - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", 
@@ -3197,19 +3396,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "direct-grant-validate-otp", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "7c590f5e-5d41-43d0-a69f-6b3f55086f0a", + "id" : "00083072-d0ed-473c-b716-99a62bfab165", "alias" : "First broker login - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -3217,19 +3418,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "18ea43be-bf8d-457d-a256-a857ab1cae0f", + "id" : "bb3fbf82-b962-41ba-aec7-b5468e3370a3", "alias" : "Handle Existing Account", "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId" : "basic-flow", 
@@ -3237,19 +3440,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "idp-confirm-link", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Account verification options", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "895a63f7-2f2b-4f69-b1a3-5e136480b4df", + "id" : "49d11517-9770-47dc-afa9-a7c77ef2d938", "alias" : "Reset - Conditional OTP", "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId" : "basic-flow", @@ -3257,19 +3462,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "reset-otp", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "5dd8e673-fa4d-49b7-884f-a2514049afaf", + "id" : "13f152b3-81cb-483a-a947-a058f0c8e4ea", "alias" : "User creation or linking", "description" : "Flow for the existing/non-existing user alternatives", "providerId" : "basic-flow", 
@@ -3278,19 +3485,21 @@ "authenticationExecutions" : [ { "authenticatorConfig" : "create unique user config", "authenticator" : "idp-create-user-if-unique", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "ALTERNATIVE", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Handle Existing Account", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "501763ae-f35f-47f1-9eac-a5ddbed60b89", + "id" : "5850251d-b590-4b05-9802-bde0b81d33c3", "alias" : "Verify Existing Account by Re-authentication", "description" : "Reauthentication of existing account", "providerId" : "basic-flow", @@ -3298,19 +3507,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "idp-username-password-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "First broker login - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "ef7d1a6b-c9c2-4f73-bb8a-0213ef0b0a2a", + "id" : "fb2043a4-6985-47f3-a996-c194f6c9e506", "alias" : "browser", "description" : "browser based authentication", "providerId" : "basic-flow", 
@@ -3318,31 +3529,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "auth-cookie", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "auth-spnego", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "identity-provider-redirector", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 25, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "ALTERNATIVE", "priority" : 30, + "autheticatorFlow" : true, "flowAlias" : "forms", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "8752635d-ddcc-46c7-a3bc-769dc507e620", + "id" : "65d9cbb3-ab2b-48f6-9743-8591cb7b7ada", "alias" : "clients", "description" : "Base authentication for clients", "providerId" : "client-flow", 
@@ -3350,31 +3565,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "client-secret", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "client-jwt", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "client-secret-jwt", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "client-x509", + "authenticatorFlow" : false, "requirement" : "ALTERNATIVE", "priority" : 40, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "8f425a62-e76e-48c8-a8ce-954aadc986f7", + "id" : "693be46d-26fa-4077-bdc0-6c954f15aab1", "alias" : "direct grant", "description" : "OpenID Connect Resource Owner Grant", "providerId" : "basic-flow", 
@@ -3382,25 +3601,28 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "direct-grant-validate-username", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "direct-grant-validate-password", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 30, + "autheticatorFlow" : true, "flowAlias" : "Direct Grant - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "edb4ef4f-5d5f-4055-b61c-fb5d4ad6a880", + "id" : "2e5a3d54-597c-4f63-adf4-8ba4378f293c", "alias" : "docker auth", "description" : "Used by Docker clients to authenticate against the IDP", "providerId" : "basic-flow", @@ -3408,13 +3630,14 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "docker-http-basic-authenticator", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "ca33f659-d4dd-49d8-b8e3-1267ef1c15a5", + "id" : "ab7f8c26-acd6-4943-948a-14b3b730eba4", "alias" : "first broker login", "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId" : "basic-flow", 
@@ -3423,19 +3646,21 @@ "authenticationExecutions" : [ { "authenticatorConfig" : "review profile config", "authenticator" : "idp-review-profile", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "User creation or linking", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "a9731fb0-7fcd-45fc-bbbe-66bf16981e59", + "id" : "28d0db1d-ccb0-4f9c-a23c-fb264d4ef78d", "alias" : "forms", "description" : "Username, password, otp and other auth forms.", "providerId" : "basic-flow", @@ -3443,19 +3668,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "auth-username-password-form", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Browser - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "de046637-9c0b-4e03-b7fa-4d39cd926787", + "id" : "d91cd2d5-9c80-437a-a26e-e4d14232a5e0", "alias" : "http challenge", "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId" : "basic-flow", 
@@ -3463,19 +3690,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "no-cookie-redirect", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 20, + "autheticatorFlow" : true, "flowAlias" : "Authentication Options", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "7507f444-e671-4e8e-a3df-d5414634452d", + "id" : "fe659681-a597-4225-8093-0a66a1c8bbb7", "alias" : "registration", "description" : "registration flow", "providerId" : "basic-flow", @@ -3483,14 +3712,15 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "registration-page-form", + "authenticatorFlow" : true, "requirement" : "REQUIRED", "priority" : 10, + "autheticatorFlow" : true, "flowAlias" : "registration form", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "767b0c27-0fed-4a56-b398-ca85a9358cfa", + "id" : "f9b8e0b9-0530-411d-95db-d2fef37bd6c2", "alias" : "registration form", "description" : "registration form", "providerId" : "form-flow", 
@@ -3498,31 +3728,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "registration-user-creation", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "registration-profile-action", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 40, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "registration-password-action", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 50, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "registration-recaptcha-action", + "authenticatorFlow" : false, "requirement" : "DISABLED", "priority" : 60, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] }, { - "id" : "02643bf6-ce97-4d66-80e3-fdc24609a709", + "id" : "46e4ab2c-d660-45e6-99f0-62001b73fe1a", "alias" : "reset credentials", "description" : "Reset credentials for a user if they forgot their password or something", "providerId" : "basic-flow", 
@@ -3530,31 +3764,35 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "reset-credentials-choose-user", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "reset-credential-email", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { "authenticator" : "reset-password", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false }, { + "authenticatorFlow" : true, "requirement" : "CONDITIONAL", "priority" : 40, + "autheticatorFlow" : true, "flowAlias" : "Reset - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true + "userSetupAllowed" : false } ] }, { - "id" : "c5344f6b-282f-4385-95c7-63a0e29a9bf3", + "id" : "1f2ce665-b5a5-4e99-a64f-b5506cc542da", "alias" : "saml ecp", "description" : "SAML ECP Profile Authentication Flow", "providerId" : "basic-flow", 
@@ -3562,20 +3800,21 @@ "builtIn" : true, "authenticationExecutions" : [ { "authenticator" : "http-basic-authenticator", + "authenticatorFlow" : false, "requirement" : "REQUIRED", "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false + "autheticatorFlow" : false, + "userSetupAllowed" : false } ] } ], "authenticatorConfig" : [ { - "id" : "c7f52758-50a8-45e5-8acf-ff8559f446b6", + "id" : "395afb8f-575b-45b8-a34c-23c0d3533848", "alias" : "create unique user config", "config" : { "require.password.update.after.registration" : "false" } }, { - "id" : "2037d5f1-7f3e-4cf6-b5b3-7c37a70d3956", + "id" : "efea6a5f-d66c-41e9-90fd-4aae49540245", "alias" : "review profile config", "config" : { "update.profile.on.first.login" : "missing" @@ -3644,7 +3883,26 @@ "resetCredentialsFlow" : "reset credentials", "clientAuthenticationFlow" : "clients", "dockerAuthenticationFlow" : "docker auth", - "attributes" : { }, - "keycloakVersion" : "12.0.3", - "userManagedAccessAllowed" : false + "attributes" : { + "cibaBackchannelTokenDeliveryMode" : "poll", + "cibaExpiresIn" : "120", + "cibaAuthRequestedUserHint" : "login_hint", + "oauth2DeviceCodeLifespan" : "600", + "clientOfflineSessionMaxLifespan" : "0", + "oauth2DevicePollingInterval" : "5", + "clientSessionIdleTimeout" : "0", + "parRequestUriLifespan" : "60", + "clientSessionMaxLifespan" : "0", + "clientOfflineSessionIdleTimeout" : "0", + "cibaInterval" : "5", + "realmReusableOtpCode" : "false" + }, + "keycloakVersion" : "21.0.0", + "userManagedAccessAllowed" : false, + "clientProfiles" : { + "profiles" : [ ] + }, + "clientPolicies" : { + "policies" : [ ] + } } ] \ No newline at end of file
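Review bot: The new realm `attributes` block together with `"keycloakVersion" : "21.0.0"` pins this export to Keycloak 21 semantics, but `clientProfiles` and `clientPolicies` are both empty, so the realm enforces no client policies at all; that is acceptable for a demo realm but should be stated so nobody copies the file into a deployment expecting hardened defaults. The `"0"` values for `clientSessionIdleTimeout`, `clientSessionMaxLifespan` and the offline-session counterparts appear to mean "inherit the realm SSO session settings" rather than "unlimited" — confirm against the Keycloak version actually used by the example. `"realmReusableOtpCode" : "false"` is the safer setting and should stay that way. Since the JSON file cannot carry comments, a sentence in the example README such as `This realm uses demo-only defaults with no client policies; do not reuse it outside the example` would cover the point.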