From c490ef90de6ab9c13a7d00c836e179a3ea215790 Mon Sep 17 00:00:00 2001 From: Jonas Plum Date: Mon, 3 Oct 2022 12:44:30 +0200 Subject: [PATCH] Add authelia dev deployment (#479) * Add authelia dev deployment --- .github/workflows/ci.yml | 30 +- dev/authelia/configuration.yml | 42 + dev/authelia/private.pem | 51 + dev/authelia/users_database.yml | 13 + dev/docker-compose-with-keycloak.yml | 52 - dev/docker-compose.yml | 16 +- dev/keycloak/realm.json | 1997 -------------------------- dev/nginx-with-keycloak.conf | 112 -- dev/nginx.conf | 23 + dev/start_dev.sh | 10 +- dev/start_dev_with_keycloak.sh | 20 - server.go | 14 +- test/test.go | 2 +- ui/cypress/support/e2e.js | 6 + ui/src/views/User.vue | 2 +- 15 files changed, 174 insertions(+), 2216 deletions(-) create mode 100644 dev/authelia/configuration.yml create mode 100644 dev/authelia/private.pem create mode 100644 dev/authelia/users_database.yml delete mode 100644 dev/docker-compose-with-keycloak.yml delete mode 100644 dev/keycloak/realm.json delete mode 100644 dev/nginx-with-keycloak.conf delete mode 100644 dev/start_dev_with_keycloak.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 91dece2..90f6ebb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: actions/setup-go@v3 - with: { go-version: '1.19', cache: true } + with: { go-version: '1.19' } - run: | mkdir -p ui/dist/img touch ui/dist/index.html ui/dist/favicon.ico ui/dist/manifest.json ui/dist/img/fake.png @@ -33,7 +33,7 @@ jobs: - run: | mkdir -p ui/dist/img touch ui/dist/index.html ui/dist/favicon.ico ui/dist/manifest.json ui/dist/img/fake.png - - run: docker compose -f docker-compose-with-keycloak.yml up --quiet-pull --detach + - run: docker compose up --quiet-pull --detach working-directory: dev - name: Install ArangoDB run: | @@ -49,7 +49,7 @@ jobs: strategy: matrix: test: [ tickets, templates, playbooks ] - auth: [ keycloak ] # simple + auth: [ authelia ] runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -64,17 +64,12 @@ jobs: working-directory: ui - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:8080 # run containers - - run: | - sed -i 's/host.docker.internal/172.17.0.1/g' dev/nginx.conf - sed -i 's/host.docker.internal/172.17.0.1/g' dev/nginx-with-keycloak.conf + - run: sed -i 's/host.docker.internal/172.17.0.1/g' dev/nginx.conf - run: docker compose up --quiet-pull --detach working-directory: dev - if: matrix.auth == 'simple' - - run: docker compose -f docker-compose-with-keycloak.yml up --quiet-pull --detach - working-directory: dev - if: matrix.auth == 'keycloak' - - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:9002/auth/realms/catalyst - if: matrix.auth == 'keycloak' + if: matrix.auth == 'authelia' + - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:8082 + if: matrix.auth == 'authelia' # run catalyst - run: | mkdir -p ui/dist/img @@ -82,10 +77,7 @@ jobs: - run: go mod download - run: bash start_dev.sh & working-directory: dev - if: matrix.auth == 'simple' - - run: bash start_dev_with_keycloak.sh & - working-directory: dev - if: matrix.auth == 'keycloak' + if: matrix.auth == 'authelia' - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:8000 # run cypress - uses: cypress-io/github-action@v4 @@ -95,12 +87,6 @@ jobs: with: browser: chrome working-directory: ui - - uses: actions/upload-artifact@v3 - if: always() && matrix.auth == 'simple' - with: - name: cypress-videos - path: ui/cypress/videos - retention-days: 1 build-npm: name: Build npm diff --git a/dev/authelia/configuration.yml b/dev/authelia/configuration.yml new file mode 100644 index 0000000..cafc7aa --- /dev/null +++ b/dev/authelia/configuration.yml @@ -0,0 +1,42 @@ +--- +server: + host: 0.0.0.0 + port: 8082 +default_redirection_url: "http://localhost/auth/callback" + +log: + format: text + +authentication_backend: + file: + path: /config/users_database.yml + +access_control: + default_policy: one_factor + +session: + domain: localhost + +storage: + local: + path: /config/db.sqlite3 + +notifier: + filesystem: + filename: /config/notification.txt + +identity_providers: + oidc: + cors: + # allowed_origins_from_client_redirect_uris: true + allowed_origins: [ "*" ] + clients: + - id: "catalyst" + description: API + secret: "secret" + public: false + authorization_policy: one_factor + scopes: [ openid, email, profile ] + redirect_uris: + - "http://localhost/auth/callback" + userinfo_signing_algorithm: none diff --git a/dev/authelia/private.pem b/dev/authelia/private.pem new file mode 100644 index 0000000..ea61ba2 --- /dev/null +++ b/dev/authelia/private.pem @@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEA0OYfHDBvLOMQHjGb2bZGZh6j+nfWihAVWAycCR5ZOGwaRQuW +Z0iFzkDlsj0ENG65H5DkRB1mu93LXi7yzLs7Iu4mNQDtLH2EPN1HzgmwxIevL+Ud +6H6wCZQrZxp9bah/BKjChfURDK7gmUzY0F/sbi1upI4uVuwUrMsYroKBS4R4crHm +mqH1ACY8pih/d/4tpsGTs0ruLkFd5dGh/Vopcx7U4iPBxTL8SvkcUQ3TYqTjcKaV +Zb8DoiKaGmVRUFEqYtiBPykC0MNRDK8DZTuIbwZPQM0c3OWCGm2JPR6qQfgCacyY +JirsuN9gCMxXVCjLcaxCgWiftvhnr9YpdOYkX4ROY9qo4JNGN6Pd8Q5qX5GvSwa9 +fdtMn0shCyv2MRgSq2SfZ5+DT3eUUrDQkNQoHOxxR9VPdYcPFDNLgAbydwnrlqwZ +X9rnaKuoRaJ6N4rOgJoaUR3LVXs8QrIGcJx9VRplm2NuElsDMm7fkAEEs2y/yAeW +qjkVnwITCKB9qoMSjpj8KpjHYdXWZqdTJWNLdKLK3iH/2lpp71utobSNLjdojifN +wmdQNzdVwAg56R7+YDDyCPEBsPO89s8b2E8SuYF2A9KRTD5Usd3k5aaMkaLrf4bu +igpW7MBWwE9HQjMSgX8HxHsBDl/TGhK/c/GsTBN9UlUD1MFi9yn5PmtL+lcCAwEA +AQKCAgBfm+NDOJu5lJbs6tGk3DruRDnSygRkHiZWrTbBKaW2ICwJy9rjnJq5IpS+ +dhS1lrOd0efXkQlTFJkemyg/MbZIL21HNwxWH4BlhvV1RJQl7t/scNW2cj1JtQoE +X2hmxwaTcFXPj7Fk96kOINDe1fhVGPAZ2oU0/UodJ7s9K7fXg2LJQ8kCnvuOPPHn +LoPgvHHSb6iVF8dZXkuGguK8HQb5jHPsqGboRYSZH9io9EX6UPNTvLqF3d3g2Ctl +x1dnBi77HJJTAQcr2yj+QB+ytoOkJOQjCX2bUGOyis2ULrPIC6W3HI/KcDz2BC5k ++HlDqIQsm6W4qtTmnlx+auuAeFDOnr2lpPt4hVlyq3jkkSUqrcYs9NBsPdXz+80K ++NzRnv9EytHsliZJd4hUxwyh6y0BEo9QqgrpjlTFxYmRTGzZUu9qtcSCcVg9saZy +vvJxFuzs5zDBqL44pMbNF/NB6fDYgkDEUOdAO6QVl6lPc3sYJcyQ0JNR2cWwlCq7 +EaamUJwTcCzUIT1ych/lYzVXqFF12urPavrqsaMbFHOQIRC9mjMgnm/eHZXB744e +nhe7YFL94fxvMD+Ekr+3tVFskVfYYUwuQnUOCwxprnZXQxSAiABhbANBg4LOzBqP +0yWSK7yrvjC0ktnt3q9NRtY8zRrZypric++zbhLddGdxydVCGQKCAQEA83f2WnZd +UdbP2XhDoY/hYoVm48mgn81neElxxwalom39BJ4meHGAeDq6XDOZtRn2tiiAh+HJ +JHU7twtHlHttkSjqP0a7zVCHbIostJZRLZRa1bAlu9hjynuHmMu3/7AcNJhYV1gH +cJTFo4w4EkFUT3zcuMrJpkWbJ+syDNa+x22Vx/YR0Wk7PPVE32lXzOYx4KYk8R8g +B7PvePJW3wPaWSC5sgPzmbpnbHTEP8pRN9N173IFF0S00wwV5Pea3ltOB5R2ALkZ +pkTo/ck5xmcEwEk8DZsybe/uE/gyBoSRhOEqCbgxb/qkq/guYaHo7lvjGRjhgF16 +3orwBStzjZCjNQKCAQEA26anyawLGKgIix2eQAXO7GxPmQToWdp5JGZr9u7bnGrp +Q5qJBe4gx26WgDa17zonAD9YgE7Fv5WV/zjqiI06wNSDostz6OayUsn5tttFWlVv +QlBWBspQu8alhCq4OgxMfhxXEGQtWrqc3TlJMebEsiTlrqP7bnvpGwADVGuhUyQ7 +t+L9oQ8SBgcJ+gGOc0P3GDPGni36itqxYNO/e1edkQAsdQh5TEsTsT1uNxPXOvv9 +PMK0QhP/jECBjjQ8MAuMnYalQl0y8WqqQPgGKUHlx20Aydy9IBUTWpG2t0Gxcike +WncXomBJSEXppp8uNiz5gqKqyq4ODFZa14FlbZ5s2wKCAQEA6zmdxGzTYHxgOEXf +Ybq3EQ6+B5oIHBzBuQ+MY7PiV3pYmBuMI5XVf1OONgKMoNJC8F9VPvM/+H9jgEff +km9lvnd/Sj82tvj0vkMJSjhomdbZo9cZvdElKL4Mle1NCjXGKnJ993VPStAR2x9g +FRMVN+70+XzDMmfRrdGoe4sGq3sO2TC+qko3N3/oWMlYUNiem+MpkeR2d7q6xWmt +0K3SSYY6ouj6dC4KOljeOptnuL4PFZZdoMt6wOTOSneHIwmn697d23j6dQ/i4z+F +GFDz4CthX+vv3xOOO7Dx9CYkyfMZQGa7LOtGKfgQJ7fcal5QnTDSvciTK2uk1fnT +HJT/eQKCAQABbl2Lf9Z2q6malm/QhPkrKy19lr2Y0EaXyR8M9dNyenPYn+oiosGN +6xeJ8FFRJLTaWI9QDrNVIzld91X328u1M+1Do0W3D8G7rls1KMqT4xidev6Efs71 +2j571PdsUWYyMCcVEUIGZE7fVh829wTzEDB66dCakK4dIevjoevkKclF0nHKmdmJ +NoSHH3l5IMk8XCIAJ9aJDxG2ysplmFWLe0/O12ZK6/ZN4lOUgkmVtcyZl78q6wxw +Mn9lmMuHmJuq7xSmkQri7cn8MGGB5U8E9J3bstd8nQaKQYbKPOBWGRR8jGgYA76W +fPYfwsu/SJ27jynDtkybIfjnjI1HoI+fAoIBAQCMrcRGmksweAgFs/fq24pYxV/K +oF98txTINrV7MJQamDfpzqlCML9Vo8WFk56BRGj9NqOU+kgvi3aTfRhN5kSeE6y/ +Kb/u89dVYhKpzr2zAy9/msup8yPKD9sT/c7S3DJRlNp5DXy48MSntz0+k710SaYe +1GXOwfch8WwkkVpgWY/08WRuNbRbD7Jmkqjz/PtcirkewljpWn+05kUSqAgEyBfy +kCahABRtdH0FAMQjzqb5kS/g0K4BEje9ie81wvtd3r2b89WSgBDFCno/Oq8hKEC0 +DP828OmbLWSiRvnYCcKxVaWnDvsgFTALySB89dQpTGEWFoHC1XbNJgnwg/9l +-----END RSA PRIVATE KEY----- diff --git a/dev/authelia/users_database.yml b/dev/authelia/users_database.yml new file mode 100644 index 0000000..9259941 --- /dev/null +++ b/dev/authelia/users_database.yml @@ -0,0 +1,13 @@ +users: + alice: + displayname: Alice + password: "$argon2id$v=19$m=65536,t=3,p=4$S3hTSS90U1QycjNEWURZTw$aJP1fI/byC/3A7NCz5lyrXR7NS+l+1YMnqj5qFopZRk" + email: alice@example.com + bob: + displayname: "Bob" + password: "$argon2id$v=19$m=65536,t=3,p=4$amxRcURFVUk4TlhPOXFmWg$sPRsvGg9rrqefRp0fFA7wQG3O8OcMnQhj4IckHYPEz8" + email: bob@example.com + admin: + displayname: "Admin" + password: "$argon2id$v=19$m=65536,t=3,p=4$SFBXa1BXblNZKytoZ1ZLYQ$JruWROu9opYmcPNw1cIiHms4k4466DqrKIPvJe94nfA" + email: admin@example.com \ No newline at end of file diff --git a/dev/docker-compose-with-keycloak.yml b/dev/docker-compose-with-keycloak.yml deleted file mode 100644 index c124d06..0000000 --- a/dev/docker-compose-with-keycloak.yml +++ /dev/null @@ -1,52 +0,0 @@ -version: '2.4' -services: - nginx: - image: nginx:1.23 - volumes: - - ./nginx-with-keycloak.conf:/etc/nginx/nginx.conf:ro - ports: [ "80:80", "8529:8529", "9000:9000", "9002:9002", "9003:9003" ] - networks: [ catalyst ] - - arangodb: - image: arangodb/arangodb:3.8.1 - environment: - ARANGO_ROOT_PASSWORD: foobar - networks: [ catalyst ] - - minio: - image: minio/minio:RELEASE.2021-12-10T23-03-39Z - environment: - MINIO_ROOT_USER: minio - MINIO_ROOT_PASSWORD: minio123 - command: server /data -console-address ":9003" - networks: [ catalyst ] - - postgres: - image: postgres:13 - environment: - POSTGRES_DB: keycloak - POSTGRES_USER: keycloak - POSTGRES_PASSWORD: password - networks: [ catalyst ] - - keycloak: - image: quay.io/keycloak/keycloak:14.0.0 - environment: - DB_VENDOR: POSTGRES - DB_ADDR: postgres - DB_DATABASE: keycloak - DB_USER: keycloak - DB_SCHEMA: public - DB_PASSWORD: password - KEYCLOAK_USER: admin - KEYCLOAK_PASSWORD: admin - KEYCLOAK_IMPORT: /tmp/realm.json - PROXY_ADDRESS_FORWARDING: "true" - volumes: - - ./keycloak/realm.json:/tmp/realm.json - depends_on: [ postgres ] - networks: [ catalyst ] - -networks: - catalyst: - name: catalyst diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml index 9b9292b..37dcbbd 100644 --- a/dev/docker-compose.yml +++ b/dev/docker-compose.yml @@ -4,7 +4,7 @@ services: image: nginx:1.23 volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro - ports: [ "80:80", "8529:8529", "9000:9000", "9003:9003" ] + ports: [ "80:80", "8529:8529", "9000:9000", "8082:8082", "9003:9003" ] networks: [ catalyst ] arangodb: @@ -21,6 +21,20 @@ services: command: server /data -console-address ":9003" networks: [ catalyst ] + authelia: + image: authelia/authelia:4 + environment: + AUTHELIA_JWT_SECRET: "AUTHELIA_JWT_SECRET" + AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: "/config/private.pem" + AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "AUTHELIA_HMAC_SECRET" + AUTHELIA_STORAGE_ENCRYPTION_KEY: "AUTHELIA_STORAGE_ENCRYPTION_KEY" + AUTHELIA_SESSION_SECRET: "AUTHELIA_SESSION_SECRET" + volumes: + - ./authelia/configuration.yml:/config/configuration.yml + - ./authelia/users_database.yml:/config/users_database.yml + - ./authelia/private.pem:/config/private.pem + networks: [ catalyst ] + networks: catalyst: name: catalyst diff --git a/dev/keycloak/realm.json b/dev/keycloak/realm.json deleted file mode 100644 index e601195..0000000 --- a/dev/keycloak/realm.json +++ /dev/null @@ -1,1997 +0,0 @@ -{ - "id": "catalyst", - "realm": "catalyst", - "notBefore": 0, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 1800, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "enabled": true, - "sslRequired": "external", - "registrationAllowed": false, - "registrationEmailAsUsername": false, - "rememberMe": false, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": false, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "defaultRole": { - "id": "43c7a86b-0423-4699-bc4f-94979c8995c6", - "name": "default-roles-catalyst", - "description": "${role_default-roles}", - "composite": true, - "clientRole": false, - "containerId": "catalyst" - }, - "requiredCredentials": [ - "password" - ], - "otpPolicyType": "totp", - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyInitialCounter": 0, - "otpPolicyDigits": 6, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpSupportedApplications": [ - "FreeOTP", - "Google Authenticator" - ], - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "users": [ - { - "id": "2da488d4-f934-4cfc-92fe-16bfbfd693e2", - "createdTimestamp": 1625168814915, - "username": "service-account-reader", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "reader", - "disableableCredentialTypes": [], - "requiredActions": [], - "notBefore": 0 - }, - { - "username" : "alice", - "enabled": true, - "email" : "alice@example.org", - "firstName": "Alice", - "lastName": "Alert Analyst", - "credentials" : [ - { "type" : "password", "value" : "alice" } - ] - }, - { - "username" : "bob", - "enabled": true, - "email" : "bob@example.org", - "firstName": "Bob", - "lastName": "Incident Handler", - "credentials" : [ - { "type" : "password", "value" : "bob" } - ] - }, - { - "username" : "carol", - "enabled": true, - "email" : "carol@example.org", - "firstName": "Carol", - "lastName": "Forensicator", - "credentials" : [ - { "type" : "password", "value" : "carol" } - ] - }, - { - "username" : "dave", - "enabled": true, - "email" : "dave@example.org", - "firstName": "Dave", - "lastName": "Admin", - "credentials" : [ - { "type" : "password", "value" : "dave" } - ] - }, - { - "username" : "eve", - "enabled": true, - "email" : "eve@example.org", - "firstName": "Eve", - "lastName": "Team Lead", - "credentials" : [ - { "type" : "password", "value" : "eve" } - ] - } - ], - "scopeMappings": [ - { - "clientScope": "offline_access", - "roles": [ - "offline_access" - ] - } - ], - "clientScopeMappings": { - "account": [ - { - "client": "account-console", - "roles": [ - "manage-account" - ] - } - ] - }, - "clients": [ - { - "id": "86c72872-e504-4a19-89d6-5c3843a107c6", - "clientId": "account", - "name": "${client_account}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/catalyst/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/catalyst/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "50acde65-ed47-42ed-9447-0b4b43983cf9", - "clientId": "account-console", - "name": "${client_account-console}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/catalyst/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/catalyst/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "8f05de9b-20b0-4cb0-9885-c1f08b16494d", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "ce10e93d-9e15-4420-a8fd-c8fb8d262596", - "clientId": "admin-cli", - "name": "${client_admin-cli}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "ff18f8fb-27be-47c2-9a76-3ceb17ccccd8", - "clientId": "broker", - "name": "${client_broker}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "43419de7-4beb-4401-9a7f-34aedf158305", - "clientId": "reader", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "id.token.as.detached.signature": "false", - "saml.multivalued.roles": "false", - "saml.force.post.binding": "false", - "saml.encrypt": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "saml.artifact.binding": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "8da9dcd5-8da3-4280-bdaa-24c4c61b46b2", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - }, - { - "id": "1e98ec8d-f131-4ef6-9363-a46930896cd3", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "id": "85483f67-1ed0-40d1-a67a-29817b99d2b9", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "groups", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "d2286137-1944-4a9b-b826-4d5a6f7cdf28", - "clientId": "catalyst", - "rootUrl": "http://catalyst.internal.com/", - "adminUrl": "http://catalyst.internal.com/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "d3ec0d91-b6ea-482d-8a4e-2f5a7ca0b4cb", - "redirectUris": [ - "http://catalyst.internal.com/*", - "http://localhost:8000/auth/callback", - "http://localhost/auth/callback" - ], - "webOrigins": [ - "http://catalyst.internal.com", - "http://localhost:8000", - "http://localhost", - "+" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "id.token.as.detached.signature": "false", - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "use.refresh.tokens": "true", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "saml.artifact.binding": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "6cd83d64-0384-4e16-890d-2fa470b144ab", - "clientId": "realm-management", - "name": "${client_realm-management}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "31f01a93-e892-4874-92be-62e1ba4c49b5", - "clientId": "security-admin-console", - "name": "${client_security-admin-console}", - "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/catalyst/console/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/admin/catalyst/console/*" - ], - "webOrigins": [ - "+" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "bff3e1b7-5125-419d-a97b-720622e79a81", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - } - ], - "clientScopes": [ - { - "id": "90b39bdb-75ff-4928-ba7a-085b2f735409", - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "8fbf5a86-4629-4b1a-b66d-d957c8158e77", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - }, - { - "id": "065c0856-09e2-4b2e-ae83-7ca0edc487ac", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "id": "2fca9b42-c6da-4d6a-94ee-c2c8b2731dfe", - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" - } - } - ] - }, - { - "id": "3b637bf5-80f8-4419-921f-334b2c4dd11f", - "name": "groups", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "0acdd906-0208-4afa-b33a-01e59b280fac", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "7afd7e91-0f50-42dc-bfd7-5898ee70b908", - "name": "profile", - "description": "OpenID Connect built-in scope: profile", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${profileScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "975e3e1f-daca-4c91-b0ba-69242bbe0945", - "name": "middle name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "middleName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String" - } - }, - { - "id": "fef97135-a66c-48d2-a942-6798e387be15", - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String" - } - }, - { - "id": "b3c5f39f-a126-4840-9103-2ae574344049", - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "gender", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "gender", - "jsonType.label": "String" - } - }, - { - "id": "04a542fe-c6b1-4880-a0a9-e9a6934bf1f3", - "name": "picture", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String" - } - }, - { - "id": "78d162f9-b23f-45ca-a671-f2f528229da2", - "name": "profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "profile", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "profile", - "jsonType.label": "String" - } - }, - { - "id": "30aecb8d-36fc-465e-a141-dc2b58ff675f", - "name": "birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "birthdate", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "birthdate", - "jsonType.label": "String" - } - }, - { - "id": "b20432db-d804-4821-989e-e48030d8b562", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - }, - { - "id": "842ee2fa-5ecb-47f6-a890-f8cbd1ee1eb0", - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": "oidc-full-name-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - }, - { - "id": "7ca293bf-c6ba-45cc-b49d-a824ae1284b8", - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "lastName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "family_name", - "jsonType.label": "String" - } - }, - { - "id": "4d7f731d-0133-4501-8fd6-3a9918b7d7df", - "name": "nickname", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "nickname", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "nickname", - "jsonType.label": "String" - } - }, - { - "id": "68c7909b-e46d-421e-943d-0fc30d1fa0ab", - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "String" - } - }, - { - "id": "9f041128-9b6e-4013-af57-e3599ea30465", - "name": "given name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "firstName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "given_name", - "jsonType.label": "String" - } - }, - { - "id": "6cfa184f-1163-4b6a-a4da-a96e4720cec6", - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "website", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String" - } - }, - { - "id": "8328b25a-9b10-4059-ac90-20ffa2d8d331", - "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "zoneinfo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "bcac8ddc-27db-4734-99db-ab9f892ea1a6", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "272bbae0-68d0-4466-a756-742a26ad9e7d", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - }, - { - "id": "df5f04b5-544c-4cd4-8ea6-6ce101a72216", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "cda6829b-af33-462c-99d1-198bcfe1a648", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "834b65c6-72ac-4884-9fc6-d81e68d00e2e", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "1d6d57b3-4500-4888-8473-c10b5c91dbb6", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "ed16c65e-eede-4dfa-a1c7-332cd0d3d2b0", - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "id": "f6507f62-0e6b-4e46-8124-216eed351d9a", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "id": "22de1ea1-162c-4bca-a864-ce1c41a98984", - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "5bb8438c-d485-4134-bc7c-006337364a8c", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - }, - { - "id": "3914a22d-f4f2-4278-8df6-17b3a2d79c11", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - } - ] - }, - { - "id": "44eb06c1-1f84-4f20-9fe5-af2dd2652883", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "377fcde9-859d-4022-81e1-b08c523e9eea", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "9b141075-26c2-45d9-b4be-fd3c3cbb3c51", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "7cec2511-c0ef-4f79-842f-3c68573dc5a7", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "id": "40730fee-dab9-408b-934d-bc6eeea12ff8", - "name": "offline_access", - "description": "OpenID Connect built-in scope: offline_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - } - ], - "defaultDefaultClientScopes": [ - "role_list", - "profile", - "email", - "roles", - "web-origins" - ], - "defaultOptionalClientScopes": [ - "offline_access", - "address", - "phone", - "microprofile-jwt" - ], - "browserSecurityHeaders": { - "contentSecurityPolicyReportOnly": "", - "xContentTypeOptions": "nosniff", - "xRobotsTag": "none", - "xFrameOptions": "SAMEORIGIN", - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection": "1; mode=block", - "strictTransportSecurity": "max-age=31536000; includeSubDomains" - }, - "smtpServer": {}, - "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "enabledEventTypes": [], - "adminEventsEnabled": false, - "adminEventsDetailsEnabled": false, - "identityProviders": [], - "identityProviderMappers": [], - "components": { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "id": "4b06a544-5815-47c4-8e21-e5e0c44af05b", - "name": "Trusted Hosts", - "providerId": "trusted-hosts", - "subType": "anonymous", - "subComponents": {}, - "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] - } - }, - { - "id": "b58228d2-64f7-4880-bdb4-b37902896176", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-address-mapper", - "oidc-full-name-mapper", - "saml-user-property-mapper", - "oidc-usermodel-property-mapper", - "saml-role-list-mapper", - "oidc-usermodel-attribute-mapper" - ] - } - }, - { - "id": "2122720d-ea69-4bfa-834e-f1dd12ad55df", - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, - { - "id": "e1a99694-7f99-416d-8e80-2ab92c53034a", - "name": "Consent Required", - "providerId": "consent-required", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "83ae6ccc-24c1-47d5-9bae-59879a90e2a4", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "15dcc7e3-13a1-45d2-b95c-f92cb7b86471", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "c9f2eefd-43dd-49fb-b143-f61135c4fc9d", - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "ef9fa331-eaed-4408-999f-5c2e86e883ea", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-attribute-mapper", - "oidc-usermodel-property-mapper", - "oidc-address-mapper", - "saml-user-property-mapper", - "oidc-full-name-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-role-list-mapper" - ] - } - } - ], - "org.keycloak.keys.KeyProvider": [ - { - "id": "9681f0d2-cf07-481a-b51b-755824f4c848", - "name": "hmac-generated", - "providerId": "hmac-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ], - "algorithm": [ - "HS256" - ] - } - }, - { - "id": "b7310fea-0031-46be-a62d-bcfc363a6b38", - "name": "rsa-generated", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - }, - { - "id": "e462b05b-9e22-403c-b715-582c2c7d9d31", - "name": "aes-generated", - "providerId": "aes-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - } - ] - }, - "internationalizationEnabled": false, - "supportedLocales": [], - "authenticationFlows": [ - { - "id": "25cc92da-3b9c-420f-aed4-47fc9a862cf1", - "alias": "Account verification options", - "description": "Method with which to verity the existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-email-verification", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "9a50d2e9-9b6c-43d4-9e96-5e0057b9989e", - "alias": "Authentication Options", - "description": "Authentication options.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "basic-auth", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "basic-auth-otp", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "9c08f7ff-0ae1-4917-acde-a86918c21392", - "alias": "Browser - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "cc263684-5287-48c3-b36f-cf0307e5866f", - "alias": "Direct Grant - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "direct-grant-validate-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "2d1b3b73-d844-48e6-9564-ebb612eb1ecd", - "alias": "First broker login - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "05ead699-855a-4a82-a040-93fccf6ddc91", - "alias": "Handle Existing Account", - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "Account verification options", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "2c0e2ddf-4de7-44ff-8e3c-7d547e6cc52b", - "alias": "Reset - Conditional OTP", - "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "9ce700a0-743c-42f9-be51-83e11beb1521", - "alias": "User creation or linking", - "description": "Flow for the existing/non-existing user alternatives", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "create unique user config", - "authenticator": "idp-create-user-if-unique", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "flowAlias": "Handle Existing Account", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "f2454788-daaa-4c04-ad4f-b3d686727665", - "alias": "Verify Existing Account by Re-authentication", - "description": "Reauthentication of existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "flowAlias": "First broker login - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "fd57d3fe-8353-4d51-ab6b-531f1b6484d0", - "alias": "browser", - "description": "browser based authentication", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "identity-provider-redirector", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 25, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 30, - "flowAlias": "forms", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "0895ae02-6132-41aa-8e2a-ae7ef8a1a090", - "alias": "clients", - "description": "Base authentication for clients", - "providerId": "client-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "client-secret", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-secret-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-x509", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 40, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "f1cd5fb9-4201-4645-a4f7-72e2404f9b5f", - "alias": "direct grant", - "description": "OpenID Connect Resource Owner Grant", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "direct-grant-validate-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 30, - "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "34571ce1-2cc9-4ee6-be67-88761c35fb1e", - "alias": "docker auth", - "description": "Used by Docker clients to authenticate against the IDP", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "708e0448-2e55-4e93-8d27-2bcb30fb484e", - "alias": "first broker login", - "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "review profile config", - "authenticator": "idp-review-profile", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "User creation or linking", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "4e1d40ab-f072-4deb-ba28-3938d306a5e2", - "alias": "forms", - "description": "Username, password, otp and other auth forms.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "fad42d83-0a6b-441a-a217-73ea14f7460d", - "alias": "http challenge", - "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "no-cookie-redirect", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "Authentication Options", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "f44f939f-75c5-4080-880b-00ccb4a7496e", - "alias": "registration", - "description": "registration flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 10, - "flowAlias": "registration form", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "e7350e5b-1f96-4b34-94ac-0fd465f1d7a9", - "alias": "registration form", - "description": "registration form", - "providerId": "form-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-user-creation", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-profile-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 40, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-password-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 50, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-recaptcha-action", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 60, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "id": "34cc3df0-1908-4a02-89df-08560e2a3e6c", - "alias": "reset credentials", - "description": "Reset credentials for a user if they forgot their password or something", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-credential-email", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 40, - "flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "id": "d92671ab-6873-4eac-863a-becb6cdaa9f4", - "alias": "saml ecp", - "description": "SAML ECP Profile Authentication Flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - } - ], - "authenticatorConfig": [ - { - "id": "d73bbeaf-a93d-4b97-8c6b-d01b015f2861", - "alias": "create unique user config", - "config": { - "require.password.update.after.registration": "false" - } - }, - { - "id": "a459ffde-e6fc-41d8-9ab8-c7b65b4384c3", - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - } - } - ], - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "name": "Configure OTP", - "providerId": "CONFIGURE_TOTP", - "enabled": true, - "defaultAction": false, - "priority": 10, - "config": {} - }, - { - "alias": "terms_and_conditions", - "name": "Terms and Conditions", - "providerId": "terms_and_conditions", - "enabled": false, - "defaultAction": false, - "priority": 20, - "config": {} - }, - { - "alias": "UPDATE_PASSWORD", - "name": "Update Password", - "providerId": "UPDATE_PASSWORD", - "enabled": true, - "defaultAction": false, - "priority": 30, - "config": {} - }, - { - "alias": "UPDATE_PROFILE", - "name": "Update Profile", - "providerId": "UPDATE_PROFILE", - "enabled": true, - "defaultAction": false, - "priority": 40, - "config": {} - }, - { - "alias": "VERIFY_EMAIL", - "name": "Verify Email", - "providerId": "VERIFY_EMAIL", - "enabled": true, - "defaultAction": false, - "priority": 50, - "config": {} - }, - { - "alias": "delete_account", - "name": "Delete Account", - "providerId": "delete_account", - "enabled": false, - "defaultAction": false, - "priority": 60, - "config": {} - }, - { - "alias": "update_user_locale", - "name": "Update User Locale", - "providerId": "update_user_locale", - "enabled": true, - "defaultAction": false, - "priority": 1000, - "config": {} - } - ], - "browserFlow": "browser", - "registrationFlow": "registration", - "directGrantFlow": "direct grant", - "resetCredentialsFlow": "reset credentials", - "clientAuthenticationFlow": "clients", - "dockerAuthenticationFlow": "docker auth", - "attributes": { - "cibaBackchannelTokenDeliveryMode": "poll", - "cibaExpiresIn": "120", - "cibaAuthRequestedUserHint": "login_hint", - "oauth2DeviceCodeLifespan": "600", - "clientOfflineSessionMaxLifespan": "0", - "oauth2DevicePollingInterval": "5", - "clientSessionIdleTimeout": "0", - "clientSessionMaxLifespan": "0", - "clientOfflineSessionIdleTimeout": "0", - "cibaInterval": "5" - }, - "keycloakVersion": "14.0.0", - "userManagedAccessAllowed": false, - "clientProfiles": { - "profiles": [] - }, - "clientPolicies": { - "policies": [] - } -} diff --git a/dev/nginx-with-keycloak.conf b/dev/nginx-with-keycloak.conf deleted file mode 100644 index 51d76c9..0000000 --- a/dev/nginx-with-keycloak.conf +++ /dev/null @@ -1,112 +0,0 @@ -user www-data; -worker_processes 5; -error_log /var/log/nginx/error.log; - -events { - worker_connections 4096; -} - -http { - include mime.types; - index index.html index.htm; - - log_format main '$remote_addr - $remote_user [$time_local] $status ' - '"$request" $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; - - server { - listen 80 default_server; - server_name _; - - location / { - resolver 127.0.0.11 valid=30s; - set $upstream_catalyst host.docker.internal; - proxy_pass http://$upstream_catalyst:8000; - } - - location /wss { - resolver 127.0.0.11 valid=30s; - set $upstream_catalyst host.docker.internal; - proxy_pass http://$upstream_catalyst:8000; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - } - - server { - listen 8529 default_server; - server_name _; - - location / { - resolver 127.0.0.11 valid=30s; - set $upstream_arangodb arangodb; - proxy_pass http://$upstream_arangodb:8529; - } - } - - server { - listen 9000 default_server; - server_name _; - - location / { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - - proxy_connect_timeout 300; - # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 - proxy_http_version 1.1; - proxy_set_header Connection ""; - chunked_transfer_encoding off; - - resolver 127.0.0.11 valid=30s; - set $upstream_minio minio; - proxy_pass http://$upstream_minio:9000; - } - } - - server { - listen 9002 default_server; - server_name _; - - location / { - resolver 127.0.0.11 valid=30s; - set $upstream_keycloak keycloak; - proxy_pass http://$upstream_keycloak:8080; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - } - } - - server { - listen 9003 default_server; - server_name _; - - location / { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - - proxy_connect_timeout 300; - # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 - proxy_http_version 1.1; - proxy_set_header Connection ""; - chunked_transfer_encoding off; - - resolver 127.0.0.11 valid=30s; - set $upstream_minio minio; - proxy_pass http://$upstream_minio:9003; - } - } -} diff --git a/dev/nginx.conf b/dev/nginx.conf index 3d7f930..e28e93c 100644 --- a/dev/nginx.conf +++ b/dev/nginx.conf @@ -70,6 +70,29 @@ http { } } + server { + listen 8082 default_server; + server_name _; + + location / { + resolver 127.0.0.11 valid=30s; + set $upstream_authelia authelia; + proxy_pass http://$upstream_authelia:8082; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + } + } + server { listen 9003 default_server; server_name _; diff --git a/dev/start_dev.sh b/dev/start_dev.sh index 15f3fae..4a09db6 100644 --- a/dev/start_dev.sh +++ b/dev/start_dev.sh @@ -1,8 +1,12 @@ +#!/bin/bash +set -e + export SECRET=4ef5b29539b70233dd40c02a1799d25079595565e05a193b09da2c3e60ada1cd -# export OIDC_ENABLE=true -export OIDC_ISSUER=http://localhost:9002/auth/realms/catalyst -export OIDC_CLIENT_SECRET=d3ec0d91-b6ea-482d-8a4e-2f5a7ca0b4cb +export SIMPLE_AUTH_ENABLE=false +export OIDC_ENABLE=true +export OIDC_ISSUER=http://localhost:8082 +export OIDC_CLIENT_SECRET=secret export ARANGO_DB_HOST=http://localhost:8529 export ARANGO_DB_PASSWORD=foobar diff --git a/dev/start_dev_with_keycloak.sh b/dev/start_dev_with_keycloak.sh deleted file mode 100644 index 659fd95..0000000 --- a/dev/start_dev_with_keycloak.sh +++ /dev/null @@ -1,20 +0,0 @@ -export SECRET=4ef5b29539b70233dd40c02a1799d25079595565e05a193b09da2c3e60ada1cd - -export SIMPLE_AUTH_ENABLE=false -export OIDC_ENABLE=true -export OIDC_ISSUER=http://localhost:9002/auth/realms/catalyst -export OIDC_CLIENT_SECRET=d3ec0d91-b6ea-482d-8a4e-2f5a7ca0b4cb - -export ARANGO_DB_HOST=http://localhost:8529 -export ARANGO_DB_PASSWORD=foobar -export S3_HOST=http://localhost:9000 -export S3_PASSWORD=minio123 - -export AUTH_BLOCK_NEW=false -export AUTH_DEFAULT_ROLES=analyst,admin - -export EXTERNAL_ADDRESS=http://localhost -export CATALYST_ADDRESS=http://host.docker.internal -export INITIAL_API_KEY=d0169af94c40981eb4452a42fae536b6caa9be3a - -go run ../cmd/catalyst-dev/*.go diff --git a/server.go b/server.go index 4c43e26..c5767f0 100644 --- a/server.go +++ b/server.go @@ -2,6 +2,7 @@ package catalyst import ( "context" + "fmt" "net/http" "time" @@ -46,36 +47,36 @@ func New(hooks *hooks.Hooks, config *Config) (*Server, error) { catalystStorage, err := storage.New(config.Storage) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create storage: %w", err) } catalystIndex, err := index.New(config.IndexPath) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create index: %w", err) } catalystBus := bus.New() catalystDatabase, err := database.New(ctx, catalystIndex, catalystBus, hooks, config.DB) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create database: %w", err) } busservice.New(config.InternalAddress+"/api", config.Auth.InitialAPIKey, config.Network, catalystBus, catalystDatabase) catalystService, err := service.New(catalystBus, catalystDatabase, catalystStorage, GetVersion()) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create service: %w", err) } authenticator, err := maut.NewAuthenticator(ctx, config.Auth, newCatalystResolver(catalystDatabase)) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create authenticator: %w", err) } apiServer, err := setupAPI(authenticator, catalystService, catalystStorage, catalystDatabase, config.DB, catalystBus, config) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create api server: %w", err) } return &Server{ @@ -132,7 +133,6 @@ func fileServer(authenticator *maut.Authenticator, catalystDatabase *database.Da func backupServer(authenticator *maut.Authenticator, catalystStorage *storage.Storage, catalystDatabase *database.Database, dbConfig *database.Config) *chi.Mux { server := chi.NewRouter() - // TODO: add test server.With(authenticator.AuthorizePermission("backup:create")).Get("/create", backupHandler(catalystStorage, dbConfig)) server.With(authenticator.AuthorizePermission("backup:restore")).Post("/restore", restoreHandler(catalystStorage, catalystDatabase, dbConfig)) diff --git a/test/test.go b/test/test.go index 8f901c0..f7913fc 100644 --- a/test/test.go +++ b/test/test.go @@ -50,7 +50,7 @@ func Config(ctx context.Context) (*catalyst.Config, error) { SimpleAuthEnable: true, APIKeyAuthEnable: true, OIDCAuthEnable: true, - OIDCIssuer: "http://localhost:9002/auth/realms/catalyst", + OIDCIssuer: "http://localhost:8082", OAuth2: &oauth2.Config{ ClientID: "catalyst", ClientSecret: "13d4a081-7395-4f71-a911-bc098d8d3c45", diff --git a/ui/cypress/support/e2e.js b/ui/cypress/support/e2e.js index f8ea1a3..3e98811 100644 --- a/ui/cypress/support/e2e.js +++ b/ui/cypress/support/e2e.js @@ -24,5 +24,11 @@ Cypress.Commands.add('login', (options = {}) => { cy.get("#username").type("bob"); cy.get("#password").type("bob"); cy.get("#kc-login").click(); + } else if (Cypress.env('AUTH') === 'authelia') { + cy.contains("Login with OIDC").should('be.visible').click(); + cy.get("#username-textfield").should('be.visible').type("bob"); + cy.get("#password-textfield").type("bob"); + cy.get("#sign-in-button").click(); + cy.get("#accept-button").should('be.visible').click(); } }) diff --git a/ui/src/views/User.vue b/ui/src/views/User.vue index 5e2b8e3..3296011 100644 --- a/ui/src/views/User.vue +++ b/ui/src/views/User.vue @@ -61,7 +61,7 @@ - +
{{ role }}