From 2733ba750d7a50dbff81e15d0eb0510dc18d69c0 Mon Sep 17 00:00:00 2001
From: Daniel Lorigan
Date: Fri, 5 Jul 2024 17:15:53 -0700
Subject: [PATCH 01/16] Initial import of shl component configurations from ltt-environments

---
 dev/deploy.sh | 31 +++++++++++++++++++++++++++++++
 dev/docker-compose.yaml | 37 +++++++++++++++++++++++++++++++++++++
 shl-creator.env.default | 5 +++++
 shl-server.env.default | 2 ++
 4 files changed, 75 insertions(+)
 create mode 100644 dev/deploy.sh
 create mode 100644 shl-creator.env.default
 create mode 100644 shl-server.env.default
diff --git a/dev/deploy.sh b/dev/deploy.sh
new file mode 100644
index 0000000..df4dbec
--- /dev/null
+++ b/dev/deploy.sh
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+repo_path="$(cd "$(dirname "$0")" && pwd)"
+cmdname="$(basename "$0")"
+
+usage() {
+ cat << USAGE >&2
+Usage:
+ $cmdname
+
+ Docker deployment script
+ Pull the latest docker image and recreate relevant containers
+
+USAGE
+ exit 1
+}
+
+if [ "$1" = -h ] || [ "$1" = --help ]; then
+ usage
+ exit 0
+fi
+
+
+# docker-compose commands must be run in the same directory as docker-compose.yaml
+cd "${repo_path}"
+
+echo "📦 Updating images..."
+docker-compose pull
+
+echo "🚀 Deploying containers..."
+docker-compose up --detach
diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml
index 3b572c2..eee23af 100644
--- a/dev/docker-compose.yaml
+++ b/dev/docker-compose.yaml
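Review bot: The `exit 0` after `usage` in the `-h`/`--help` branch of dev/deploy.sh is unreachable, because `usage` itself ends with `exit 1`, so asking for help exits non-zero and prints the text to stderr. Let the function take the status, `exit "${1:-1}"` as its last line, and call `usage 0` in the help branch (or drop the `exit` from `usage` and exit at the call sites). Separately, the `-e` on the `#!/bin/sh -e` shebang only applies when the script is executed directly; running it as `sh dev/deploy.sh` drops it, so `set -e` as the first statement is the robust form and keeps a failed `docker-compose pull` from proceeding to `up`.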
@@ -66,8 +66,45 @@ services: aliases: - fhir-internal + shl-creator: + image: ghcr.io/uwcirg/shl-creator:${SHL_CREATOR_IMAGE_TAG:-latest} + environment: + VITE_API_BASE: https://shl-server.${BASE_DOMAIN}/api + VITE_BACK_URL: https://${BASE_DOMAIN}/pro_reports/clinic_report_inform + VITE_SOF_ISS: https://fhir-auth.${BASE_DOMAIN}/fhir + VITE_OIDC_SERVER_BASE: https://keycloak.${BASE_DOMAIN} + VITE_OIDC_LOGOUT_ENDPOINT: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/logout + VITE_OIDC_CHECK_SESSION_IFRAME: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/login-status-iframe.html + VITE_POST_LOGOUT_REDIRECT_URI: https://${BASE_DOMAIN}/users + env_file: + shl-creator.env + labels: + - traefik.enable=true + - traefik.http.routers.shl-creator-${COMPOSE_PROJECT_NAME}.rule=Host(`shl-creator.${BASE_DOMAIN}`) + - traefik.http.routers.shl-creator-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.shl-creator-${COMPOSE_PROJECT_NAME}.tls=true + - traefik.http.routers.shl-creator-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + networks: + - ingress + + shl-server: + image: ghcr.io/uwcirg/shl-ltt-server:${SHL_SERVER_IMAGE_TAG:-latest} + environment: + PUBLIC_URL: https://shl-server.${BASE_DOMAIN} + labels: + - traefik.enable=true + - traefik.http.routers.shl-server-${COMPOSE_PROJECT_NAME}.rule=Host(`shl-server.${BASE_DOMAIN}`) + - traefik.http.routers.shl-server-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.shl-server-${COMPOSE_PROJECT_NAME}.tls=true + - traefik.http.routers.shl-server-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + volumes: + - shl-server-data:/app/db + networks: + - ingress + volumes: db-data: {} + shl-server-data: {} networks: diff --git a/shl-creator.env.default b/shl-creator.env.default new file mode 100644 index 0000000..cc22d9b --- /dev/null +++ b/shl-creator.env.default 
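Review bot: Both new services default to a mutable tag, `image: ghcr.io/uwcirg/shl-creator:${SHL_CREATOR_IMAGE_TAG:-latest}` and `image: ghcr.io/uwcirg/shl-ltt-server:${SHL_SERVER_IMAGE_TAG:-latest}`, and dev/deploy.sh in this same patch runs `docker-compose pull` before every `up`, so each deploy silently picks up whatever `latest` currently points to with no record of which build is running. This presumably follows the existing `FHIR_IMAGE_TAG` override pattern and may be intended for dev only, but a comment on the `image:` lines such as `# set SHL_CREATOR_IMAGE_TAG to a release tag (or @sha256 digest) outside dev` would make that expectation explicit. Also, `env_file: shl-creator.env` is required at compose time while only shl-creator.env.default is added by the patch; nothing in the hunk says the file must be copied first.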
@@ -0,0 +1,5 @@
+# Specific url of viewer to use, if not at the shl-creator domain
+# VITE_VIEWER_BASE=
+
+# Client ID for SoF authentication
+VITE_SOF_CLIENT_ID=
diff --git a/shl-server.env.default b/shl-server.env.default
new file mode 100644
index 0000000..2a4b129
--- /dev/null
+++ b/shl-server.env.default
@@ -0,0 +1,2 @@
+# The base url of the server
+PUBLIC_URL
\ No newline at end of file
From 18a63e49949ac09adb241714fc3ce2e3f29eaab9 Mon Sep 17 00:00:00 2001
From: Daniel Lorigan
Date: Mon, 16 Sep 2024 11:35:10 -0700
Subject: [PATCH 02/16] Initial port of shl components from Let's Talk Tech

---
 .gitignore => dev/.gitignore | 0
 dev/config/{hapi => fhir}/application.yaml | 0
 dev/default.env | 9 ++++++---
 dev/docker-compose.yaml | 7 +++----
 shl-creator.env.default => dev/shl-creator.env.default | 0
 shl-server.env.default => dev/shl-server.env.default | 0
 6 files changed, 9 insertions(+), 7 deletions(-)
 rename .gitignore => dev/.gitignore (100%)
 rename dev/config/{hapi => fhir}/application.yaml (100%)
 rename shl-creator.env.default => dev/shl-creator.env.default (100%)
 rename shl-server.env.default => dev/shl-server.env.default (100%)
diff --git a/.gitignore b/dev/.gitignore
similarity index 100%
rename from .gitignore
rename to dev/.gitignore
diff --git a/dev/config/hapi/application.yaml b/dev/config/fhir/application.yaml
similarity index 100%
rename from dev/config/hapi/application.yaml
rename to dev/config/fhir/application.yaml
diff --git a/dev/default.env b/dev/default.env
index e3f968b..287af58 100644
--- a/dev/default.env
+++ b/dev/default.env
@@ -3,7 +3,7 @@ # https://docs.docker.com/compose/environment-variables/#the-env-file # environmental variables for interpolation in docker-compose YAML files -# BASE_DOMAIN=localtest.me +BASE_DOMAIN=localtest.me # https://docs.docker.com/compose/reference/envvars/#compose_project_name # Containers started with the below value will have their names prefixed with it 
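Review bot: `PUBLIC_URL` on the last line of shl-server.env.default has no `=`, so it is not a KEY=VALUE entry; once copied to a real env file it will be rejected or treated as an unset variable depending on the loader, whereas the sibling shl-creator.env.default in this patch correctly writes `VITE_SOF_CLIENT_ID=`. Write it as `PUBLIC_URL=` and end the file with a newline (the hunk shows `\ No newline at end of file`). The docker-compose hunk in this same patch sets `PUBLIC_URL` directly under `environment:` for shl-server and declares no `env_file:` for that service, so it is not clear from the patch what consumes this file; a first-line comment naming where it is loaded would help.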
@@ -11,6 +11,9 @@ # Choose something unique to the docker host, eg ${INSTANCE_ID}-dev-${USER} COMPOSE_PROJECT_NAME= - # docker image tag overrides; override default image tag with given image tag -#FHIR_IMAGE_TAG= +# POSTGRES_IMAGE_TAG=override-tag-name + +# SHL_CREATOR_IMAGE_TAG= +# SHL_SERVER_IMAGE_TAG= +# PROXY_IMAGE_TAG= \ No newline at end of file diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index eee23af..060d70c 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml @@ -57,7 +57,7 @@ services: # Hapi does not EXPOSE the ports it listens on, requiring explicit traefik configuration - "traefik.http.services.fhir-${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=8080" volumes: - - "./config/hapi/application.yaml:/opt/application.yaml:ro" + - "./config/fhir/application.yaml:/opt/application.yaml:ro" depends_on: - db networks: @@ -67,10 +67,9 @@ services: - fhir-internal shl-creator: - image: ghcr.io/uwcirg/shl-creator:${SHL_CREATOR_IMAGE_TAG:-latest} + image: ghcr.io/uwcirg/shl-ips:${SHL_IPS_IMAGE_TAG:-latest} environment: VITE_API_BASE: https://shl-server.${BASE_DOMAIN}/api - VITE_BACK_URL: https://${BASE_DOMAIN}/pro_reports/clinic_report_inform VITE_SOF_ISS: https://fhir-auth.${BASE_DOMAIN}/fhir VITE_OIDC_SERVER_BASE: https://keycloak.${BASE_DOMAIN} VITE_OIDC_LOGOUT_ENDPOINT: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/logout @@ -88,7 +87,7 @@ services: - ingress shl-server: - image: ghcr.io/uwcirg/shl-ltt-server:${SHL_SERVER_IMAGE_TAG:-latest} + image: ghcr.io/uwcirg/shl-server:${SHL_SERVER_IMAGE_TAG:-latest} environment: PUBLIC_URL: https://shl-server.${BASE_DOMAIN} labels: diff --git a/shl-creator.env.default b/dev/shl-creator.env.default similarity index 100% rename from shl-creator.env.default rename to dev/shl-creator.env.default diff --git a/shl-server.env.default b/dev/shl-server.env.default similarity index 100% rename from shl-server.env.default rename to dev/shl-server.env.default 
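Review bot: The `# SHL_CREATOR_IMAGE_TAG=` override added to dev/default.env no longer matches the compose file: the dev/docker-compose.yaml hunk at `@@ -67,10 +67,9 @@` in this same patch changes the shl-creator image to `ghcr.io/uwcirg/shl-ips:${SHL_IPS_IMAGE_TAG:-latest}`, so setting SHL_CREATOR_IMAGE_TAG has no effect. Either document `# SHL_IPS_IMAGE_TAG=` here or keep the compose variable named SHL_CREATOR_IMAGE_TAG, and keep the two in step. The removed `#FHIR_IMAGE_TAG=` line is replaced by `# POSTGRES_IMAGE_TAG=override-tag-name`; whether the compose file still reads FHIR_IMAGE_TAG is not visible in this hunk, so restore that line if it does. The file also still ends without a trailing newline.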
From 7aa84d847864de8a17bcce30e241c3e2a95d0ab9 Mon Sep 17 00:00:00 2001 
From: Daniel Lorigan Date: Mon, 16 Sep 2024 11:46:16 -0700 Subject: [PATCH 03/16] Add LTT keycloak and fhir-proxy components --- dev/config/keycloak/import/ltt-realm.json | 1600 ++++++++++++++++ dev/config/keycloak/import/ltt-users-0.json | 63 + dev/config/keycloak/import/master-realm.json | 1700 +++++++++++++++++ .../ltt/email/messages/messages_en.properties | 54 + .../themes/ltt/email/theme.properties | 2 + .../ltt/login/login-config-totp-text.ftl | 31 + .../ltt/login/login-update-password.ftl | 45 + .../themes/ltt/login/login-update-profile.ftl | 61 + .../themes/ltt/login/login-username.ftl | 60 + .../login/login-verify-email-code-text.ftl | 2 + .../themes/ltt/login/login-verify-email.ftl | 13 + .../keycloak/themes/ltt/login/login.ftl | 107 ++ .../ltt/login/messages/messages_en.properties | 442 +++++ .../ltt/login/register-user-profile.ftl | 74 + .../keycloak/themes/ltt/login/register.ftl | 88 + .../themes/ltt/login/resources/css/styles.css | 384 ++++ .../ltt/login/resources/img/favicon.ico | Bin 0 -> 4286 bytes .../img/feedback-error-arrow-down.png | Bin 0 -> 513 bytes .../resources/img/feedback-error-sign.png | Bin 0 -> 343 bytes .../img/feedback-success-arrow-down.png | Bin 0 -> 678 bytes .../resources/img/feedback-success-sign.png | Bin 0 -> 410 bytes .../img/feedback-warning-arrow-down.png | Bin 0 -> 513 bytes .../resources/img/feedback-warning-sign.png | Bin 0 -> 646 bytes .../themes/ltt/login/resources/img/logo.svg | 12 + .../themes/ltt/login/select-authenticator.ftl | 42 + .../keycloak/themes/ltt/login/template.ftl | 159 ++ .../themes/ltt/login/theme.properties | 6 + dev/docker-compose.yaml | 84 + dev/fhir-auth.env.default | 8 + dev/keycloak.env.default | 11 + 30 files changed, 5048 insertions(+) create mode 100644 dev/config/keycloak/import/ltt-realm.json create mode 100644 dev/config/keycloak/import/ltt-users-0.json create mode 100644 dev/config/keycloak/import/master-realm.json create mode 100644 
dev/config/keycloak/themes/ltt/email/messages/messages_en.properties create mode 100644 dev/config/keycloak/themes/ltt/email/theme.properties create mode 100644 dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-update-password.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-update-profile.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-username.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-verify-email.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/messages/messages_en.properties create mode 100644 dev/config/keycloak/themes/ltt/login/register-user-profile.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/register.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/resources/css/styles.css create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-arrow-down.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/logo.svg create mode 100644 dev/config/keycloak/themes/ltt/login/select-authenticator.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/template.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/theme.properties create 
mode 100644 dev/fhir-auth.env.default create mode 100644 dev/keycloak.env.default diff --git a/dev/config/keycloak/import/ltt-realm.json b/dev/config/keycloak/import/ltt-realm.json new file mode 100644 index 0000000..b9bb5ac --- /dev/null +++ b/dev/config/keycloak/import/ltt-realm.json 
@@ -0,0 +1,1600 @@ +{ + "id": "25facb13-fdb5-46cd-b66d-fa9305652f1a", + "realm": "ltt", + "displayName": "Let's Talk Tech", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 14400, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": true, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": true, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "defaultRole": { + "id": "0f25599f-05d1-4859-895d-e097d2b8bc4d", + "name": "default-roles-ltt", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a" + }, + "roles": { + "realm": [ + { + "id": "5614c921-f5f1-44b8-a04a-fc3b06dec10f", + "name": "staff-realm-role", + "description": "realm-specific staff role", + "composite": false, + "clientRole": false, 
+ "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a", + "attributes": {} + }, + { + "id": "5614c921-f5f1-44b8-a04a-fc3b06dec10g", + "name": "patient-realm-role", + "description": "realm-specific patient role", + "composite": false, + "clientRole": false, + "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a", + "attributes": {} + } + ] + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "passwordPolicy": "length(8) and upperCase(1) and lowerCase(1) and digits(1) and passwordHistory(3)", + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "scopeMappings": [ + { + 
"clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clients": [ + { + "id": "a9925af1-4dcb-4791-bb2d-0087758b8f18", + "clientId": "shl_creator", + "name": "SMART Health Links Creator", + "description": "", + "rootUrl": "${KEYCLOAK_SHL_CREATOR_BASE}", + "adminUrl": "", + "baseUrl": "${KEYCLOAK_SHL_CREATOR_BASE}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "${KEYCLOAK_SHL_CREATOR_BASE}/share" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false", + "frontchannel.logout.url": "${KEYCLOAK_SHL_CREATOR_BASE}/logout", + "backchannel.logout.url": "", + "post.logout.redirect.uris": "${KEYCLOAK_CPRO_LANDING_PAGE}" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "launch", + "offline_access", + "online_access", + "patient/*.read", + "microprofile-jwt" + ] + }, + { + "clientId": "ltt_cpro", + "name": "cPRO Let's Talk Tech", + "description": "cPRO configured as inform project", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${KEYCLOAK_LTT_CPRO_CLIENT_SECRET}", + "redirectUris": [ + "*" + ], + "webOrigins": [ 
+ ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1703195110", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false", + "backchannel.logout.url": "${KEYCLOAK_CPRO_BACKCHANNEL_LOGOUT_URL}", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } + } + ], + "clientScopes": [ + { + "id": "a972497d-27bb-4896-9002-575a23aac264", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "784d5a9a-e4a4-4728-9ac5-473cee4e8f38", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "6233b1ca-1387-4c2b-ba15-08baca2e8526", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + 
"consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "9165efea-0c4c-4e59-a560-0ba79586acd3", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "54469bf3-8a4a-4d7f-ac15-567be2af871c", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "ffd6e8be-fa9c-45db-8c25-8286fa4d2c36", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "c65a2ce4-e983-4109-b9df-82f73552b737", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "b1a46bef-7912-4ea4-acd9-b06c07ee8b33", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "b1a46bef-7912-4ea4-acd9-b06c07ee8b34", + "name": "online_access", + "description": "OpenID Connect 
built-in scope: online_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${onlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "dbbeab4e-2685-4f20-bfba-c0472c46922b", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "d5d73b1e-bb7c-42f2-a3f4-de9f6893c974", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "4b636bf7-de44-44ac-99f2-5b29086cd7c1", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "18295a0a-daaf-448d-8793-cb39b36703cd", + "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", + "name": "patient/*.read", + "description": "SoF: Read all data for launch patient", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + } + }, + { + "id": "78ad99cd-c336-42ed-a55a-ddbe6119c928", + "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", + "name": "launch", + "description": "SoF: launch token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + } + }, + { + "id": "0e57bc1e-d2a9-4580-ad49-863c2ce868ac", + "name": 
"web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "df8de33c-3b45-461c-9f44-b59eff0d412d", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "d51c4fc8-1065-4f50-bfad-bfa5048077a2", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "88b4607d-87cf-41be-a66c-d34d20f4e12e", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "21cb6b13-08b7-4d36-b515-97c83d56ad96", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "76c736da-2c61-4444-b39f-349a64aee528", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "e0f6830b-794d-4166-a905-4e050cc8a4c1", + "name": 
"birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "dbecf4fa-47ac-49b4-b08f-a0794e40a5cc", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "7005f4a5-6e10-4591-af3d-9be8d22b692a", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "a45e6212-dbad-4e3e-845d-cff7d054b695", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "83fcc140-2b4b-4b1e-993e-4b088878bf94", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "3fed8da8-02ae-457f-9b98-95bc8ecc4497", + "name": 
"username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "85ba9aae-c581-4151-b22a-d71070937b31", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "6541f6c8-7719-4e05-b2ff-181548fda2cd", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "226be08d-3913-4b5e-89e6-d4a0ee0e57a4", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "da095466-4d1c-4fdf-a19c-8062a4e6081d", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "ea9b4c39-055d-494b-a6d2-2fa6d238ba94", + "name": "picture", + 
"protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "db9c2c49-23e3-4b34-af26-e92e6afd00fa", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "679636f1-dc0c-4d22-8da0-88982a3aebbb", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "85417b6b-d5ce-465b-ae88-deb8c1270889", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "b70b144d-acd9-4a74-a2a2-5180c9915347", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "c5b05448-c849-4f0a-ab39-76c2d556e6df", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + 
"attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "7529440e-912d-460e-9acc-5e6d4ec8535a", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "d4d27f0d-0a90-4071-8d89-c40fee4c4d25", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "a56c6a78-77b3-4f5e-9a88-8890f00f5084", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "108d221e-418e-41e3-82e7-8f84a2c96e6c", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "online_access", + "launch", + "patient/*.read", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + 
"xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": { + "replyToDisplayName": "CIRG Support", + "starttls": "true", + "auth": "true", + "envelopeFrom": "support@cirg.washington.edu", + "ssl": "false", + "port": "587", + "host": "mail.cirg.washington.edu", + "replyTo": "cirghelp@uw.edu", + "from": "noreply@cirg.washington.edu", + "fromDisplayName": "CIRG Support", + "user": "${KEYCLOAK_EMAIL_USER}", + "password": "${KEYCLOAK_EMAIL_PASSWORD}" + }, + "loginTheme": "ltt", + "emailTheme": "ltt", + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "82a34186-fa1a-47bf-b7b8-114e7b59669e", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "4ac932e4-863f-4f8e-b46f-e2b0b50f6b13", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "92671c84-f260-4618-b5f5-240433465e02", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "83202741-1122-4207-85b6-c2f6af40ae30", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-full-name-mapper", + "saml-user-property-mapper", + "oidc-address-mapper", + 
"oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper" + ] + } + }, + { + "id": "d636a75a-cdd0-4730-ae36-969ca632579c", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "58e0bbc1-8586-44f3-a29a-87d03272bbb8", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "6e5106ae-d399-41c7-ab1d-2b8aa411d6f5", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "1ce2a26b-d410-48eb-a23a-c571a2629b0f", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-attribute-mapper", + "oidc-full-name-mapper" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "6e11d956-96f6-4307-8ae5-818f43772fde", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "c7582004-92ce-467e-9434-6d78d453e673", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "bce684a7-4307-46d1-9066-e9e6a688e363", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + 
"config": { + "priority": [ + "100" + ] + } + }, + { + "id": "da6cf182-6241-4346-9747-85d31b2b71b5", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "299d32a1-8433-412c-a6cd-b2787543d2a5", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "requirement": "ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "4062c512-4b86-43e1-8d09-91fed41f5aa4", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "bfa3f5d0-3679-4035-acad-75eb79fd8f10", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, 
+ "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "574792e7-d619-4956-8273-a7ab11209c22", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "470d681a-0cd5-4d9b-914a-aa592fcebad5", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "1be37090-9ace-4f53-8821-834d8a3f7fa0", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "60ad8099-96de-49bc-abf7-68348b8e5cfd", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "requirement": "ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "e91991e7-4e77-42a0-a4e6-b381745e8465", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "CONDITIONAL", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "5dfa29dd-926e-45e5-9c04-a03fe7411bc9", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "requirement": 
"ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "requirement": "DISABLED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "requirement": "ALTERNATIVE", + "priority": 25, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 30, + "authenticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "f4ecdcf1-3bc2-4763-b1a1-ccff11b61b85", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "requirement": "ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "requirement": "ALTERNATIVE", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "requirement": "ALTERNATIVE", + "priority": 30, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "requirement": "ALTERNATIVE", + "priority": 40, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6ae32f11-e8af-4769-9da7-0121b714106b", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": 
"CONDITIONAL", + "priority": 30, + "authenticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "3cac0a9c-51aa-470f-bee4-97790cd8320a", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "0cd46511-9781-491f-85f4-a76509925d86", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "01656bb2-3871-41e3-bc71-b6b0060d4a60", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "CONDITIONAL", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "2335a0d6-3f6b-4584-b88b-b0aaeeea218d", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + 
"topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "4c69f335-8ed1-464a-8665-df946a6178c3", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "requirement": "REQUIRED", + "priority": 40, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "requirement": "REQUIRED", + "priority": 50, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "requirement": "DISABLED", + "priority": 60, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "4ec56626-57b5-42d2-9903-97f65feb24d7", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "requirement": "REQUIRED", + "priority": 30, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "CONDITIONAL", + "priority": 40, + "authenticatorFlow": true, + 
"flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "d3d0b313-b2de-4fba-88aa-8042681f7eb3", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "a7b3366e-488c-47a0-a6f4-0433e6ff820d", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "3033574d-ae62-456e-a325-aa6f7d026a1c", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": 
"Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "22.0.5", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} diff --git a/dev/config/keycloak/import/ltt-users-0.json b/dev/config/keycloak/import/ltt-users-0.json new file mode 100644 index 0000000..7a04804 --- /dev/null +++ b/dev/config/keycloak/import/ltt-users-0.json 
@@ -0,0 +1,63 @@
+{
+ "realm": "ltt",
+ "users": [
+ {
+ "id": "ltt-test-user",
+ "createdTimestamp": 1709134971000,
+ "username": "test",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": true,
+ "firstName": "FirstName",
+ "lastName": "LastName",
+ "email": "test@test.test",
+ "credentials": [
+ {
+ "id": "ltt-test-user-password",
+ "type": "password",
+ "createdDate": 1709134971000,
+ "secretData": "{\"value\":\"7Vmr6+Io+gJJrH+EOcmOJXshJ0tMI5x0rQ1wkCYgSCA=\",\"salt\":\"LR0DSOi5850zn9tNFYS1uw==\",\"additionalParameters\":{}}",
+ "userLabel": "test user password is set to \"test\"",
+ "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ }
+ ],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-ltt",
+ "patient-realm-role"
+ ],
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "ltt-staff-user",
+ "createdTimestamp": 1709134971000,
+ "username": "staff",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": true,
+ "firstName": "Test",
+ "lastName": "Staff",
+ "email": "stafftest@test.test",
+ "credentials": [
+ {
+ "id": "ltt-staff-user-password",
+ "type": "password",
+ "createdDate": 1709134971000,
+ "secretData" : "{\"value\":\"86AHPCF6rK9rndTfdST1Ijn4XQ6xC4/uoa3Q0S0O5nE=\",\"salt\":\"veo4rv2pmuiMhWcJgJmw7A==\",\"additionalParameters\":{}}",
+ "userLabel": "staff test user password is set to \"staff\"",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ }
+ ],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-ltt",
+ "staff-realm-role"
+ ],
+ "notBefore": 0,
+ "groups": []
+ }
+ ]
+}
diff --git a/dev/config/keycloak/import/master-realm.json b/dev/config/keycloak/import/master-realm.json
new file mode 100644
index 0000000..ca03b50
--- /dev/null
+++ b/dev/config/keycloak/import/master-realm.json
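Review bot: Both accounts in this import are created `"enabled": true` with `"emailVerified": true` and passwords that the `userLabel` fields spell out ("test" and "staff"), and the second one carries `staff-realm-role`; the PBKDF2 hashes in `secretData` therefore protect nothing, so the only control is that `dev/config/keycloak/import` is never fed to a Keycloak outside local development. How that directory is mounted is not visible in this hunk, so it should be confirmed against the Keycloak service in `dev/docker-compose.yaml` and kept out of any shared or production compose file. If the fixture is ever meant to seed a longer-lived environment, setting `"requiredActions": ["UPDATE_PASSWORD"]` on each user (the action is enabled in the realm export) forces a password change at first login instead of leaving the documented passwords live.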
@@ -0,0 +1,1700 @@ +{ + "id" : "bf148246-082e-43e8-9e3b-c1e399823627", + "realm" : "master", + "displayName" : "Keycloak", + "displayNameHtml" : "
Keycloak
", + "notBefore" : 0, + "defaultSignatureAlgorithm" : "RS256", + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 60, + "accessTokenLifespanForImplicitFlow" : 900, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "clientSessionIdleTimeout" : 0, + "clientSessionMaxLifespan" : 0, + "clientOfflineSessionIdleTimeout" : 0, + "clientOfflineSessionMaxLifespan" : 0, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "oauth2DeviceCodeLifespan" : 600, + "oauth2DevicePollingInterval" : 5, + "enabled" : true, + "sslRequired" : "external", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "bd1c59d9-0ef0-4714-81da-65c297b27585", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + }, { + "id" : "b2d199f9-585c-4349-98cf-74ff70b46c6f", + "name" : "create-realm", + "description" : "${role_create-realm}", + "composite" : false, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" 
: { } + }, { + "id" : "c246e22b-e14a-436b-a855-9117d65e4134", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + }, { + "id" : "34b5994b-00c2-4101-bceb-b8cd19cfb04c", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { + "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "account" : [ "view-profile", "manage-account" ] + } + }, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + }, { + "id" : "ca023182-507f-40ab-a485-c370f86915a1", + "name" : "admin", + "description" : "${role_admin}", + "composite" : true, + "composites" : { + "realm" : [ "create-realm" ], + "client" : { + "master-realm" : [ "view-authorization", "manage-identity-providers", "manage-clients", "impersonation", "manage-events", "query-users", "view-users", "manage-authorization", "create-client", "view-events", "query-realms", "query-groups", "manage-realm", "view-clients", "view-identity-providers", "query-clients", "view-realm", "manage-users" ] + } + }, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + } ], + "client" : { + "security-admin-console" : [ ], + "admin-cli" : [ ], + "account-console" : [ ], + "broker" : [ { + "id" : "c0e46245-6010-4c00-9b73-d7145a20c5f3", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "932417da-7a72-4bb8-8836-e1c9b64526ce", + "attributes" : { } + } ], + "master-realm" : [ { + "id" : "0c17c557-54b8-44ef-99d7-3b2cc1245dc1", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { 
+ "id" : "9ca1421f-434e-43f0-94fd-5da73bb0fa7f", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "1ce42525-c0a0-4dac-9bf0-3c947396b9aa", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "de99c1b3-1654-41e8-855f-33d94f593aaf", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "9c41db58-b380-4082-8dc7-14c3e3162073", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "68a54e9c-b03c-412e-8d24-9b82de3220fa", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "16df2f5c-9beb-42ed-ae98-b91ea739a492", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "878382c9-8ef1-4c76-a18a-89110574f193", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-users", "query-groups" ] + } + }, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "a12398cf-2b41-4eef-ac16-5c04a1a6c157", + "name" : "create-client", + "description" : "${role_create-client}", + 
"composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "da457643-aca5-492a-a878-05876ebc1032", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "a5b5a720-7e19-4378-b5ef-e60c67dea418", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "c9631788-9a30-4091-b19b-7b76ea1b588c", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "7daca9a3-ac85-4004-ba93-4c9477f54646", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "b53eea8b-f6b9-4a57-a81b-63ef2f8a5b0a", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "5f55e361-f85f-4e2f-afa7-d66c2545b6ac", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "d296966c-3d65-49b8-aec0-8b078c6695c9", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : 
"ac85b330-5453-429f-8b9c-81d57ceadd2e", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "99c14f45-e293-4692-9f95-96a5010f64b2", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + } ], + "account" : [ { + "id" : "35a871a2-1d72-4be0-988b-180a2bb22d56", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "3b34c792-84be-4343-ba37-e65dcf959f59", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "08fcbd38-57ff-447e-a285-c3e8e9c4bb5c", + "name" : "view-applications", + "description" : "${role_view-applications}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "34de8823-81de-4eca-a5d9-2540f171adc3", + "name" : "view-consent", + "description" : "${role_view-consent}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "e5c327d6-14fe-45c2-9f22-b16058112efe", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "1746f760-af52-48ba-9857-c2d5069428c3", + "name" : "delete-account", + "description" : "${role_delete-account}", + 
"composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "4f8f8bcf-a4d9-4a2d-94d9-c3da1776d467", + "name" : "manage-consent", + "description" : "${role_manage-consent}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "view-consent" ] + } + }, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "9bc08f66-0b30-44aa-8a67-f85b7efaf797", + "name" : "view-groups", + "description" : "${role_view-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + } ] + } + }, + "groups" : [ ], + "defaultRole" : { + "id" : "34b5994b-00c2-4101-bceb-b8cd19cfb04c", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627" + }, + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpPolicyCodeReusable" : false, + "otpSupportedApplications" : [ "totpAppMicrosoftAuthenticatorName", "totpAppFreeOTPName", "totpAppGoogleName" ], + "webAuthnPolicyRpEntityName" : "keycloak", + "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyRpId" : "", + "webAuthnPolicyAttestationConveyancePreference" : "not specified", + "webAuthnPolicyAuthenticatorAttachment" : "not specified", + "webAuthnPolicyRequireResidentKey" : "not specified", + "webAuthnPolicyUserVerificationRequirement" : "not specified", + "webAuthnPolicyCreateTimeout" : 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyAcceptableAaguids" : [ ], + "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" 
], + "webAuthnPolicyPasswordlessRpId" : "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", + "webAuthnPolicyPasswordlessCreateTimeout" : 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], + "scopeMappings" : [ { + "clientScope" : "offline_access", + "roles" : [ "offline_access" ] + } ], + "clientScopeMappings" : { + "account" : [ { + "client" : "account-console", + "roles" : [ "manage-account", "view-groups" ] + } ] + }, + "clients" : [ { + "id" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "clientId" : "account", + "name" : "${client_account}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/master/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/realms/master/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "4bb6740c-a942-4ddc-9b0f-f4c3a0fe30fc", + "clientId" : "account-console", + "name" : "${client_account-console}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : 
"/realms/master/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/realms/master/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "d5da2d64-c511-483d-9c73-95ead62d33fe", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "4a0396f1-4ae1-4307-82f8-de89cefe992f", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + 
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "932417da-7a72-4bb8-8836-e1c9b64526ce", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "clientId" : "master-realm", + "name" : "master Realm", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "bcd5bb30-f743-4eb8-894e-ee9e48415e55", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", 
+ "rootUrl" : "${authAdminUrl}", + "baseUrl" : "/admin/master/console/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/admin/master/console/*" ], + "webOrigins" : [ "+" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "017bd632-74b3-4dad-8c39-8184a45c61c9", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "0f4694e1-0798-428d-afef-66036648df97", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${profileScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "c99595b0-0d51-43dc-bb15-d42a77132f45", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + 
"userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "38a5ff62-8d59-4918-b619-dd7a50997220", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "4abe1937-3cb8-4b89-a83c-44919bfeedd2", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "cc879427-c108-4a83-b208-8d3226eabb72", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "6fdecd5b-4729-41d1-b51c-a28ebe70ec15", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + }, { + "id" : "4b0c2789-0bc1-4df5-af71-5f1563e588b7", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : 
"middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + }, { + "id" : "bc3b7c18-b5ba-4a89-97fa-4e33674557f2", + "name" : "birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "a373f791-6ab7-43f9-be30-bf190db98c6c", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + }, { + "id" : "efae57ce-94fc-41a2-bc41-17bff0435af3", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "long" + } + }, { + "id" : "a0e665eb-56d2-49a6-9e54-94569c4eb1a1", + "name" : "gender", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + "jsonType.label" : "String" + } + }, { + "id" : "409a253e-2696-49c1-91b0-bde8536b0ff4", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + 
"userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "0b93f4e5-688a-44d9-9a41-39f432b0f2e6", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "7b50a0ba-33bb-4424-98a3-43a8c6fa3eda", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + }, { + "id" : "572a7648-22f9-48e2-87bb-7deb122b8541", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "42d5d185-c3f5-4ac5-a0b6-7d750a6748f6", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "359f4715-b8d6-4771-880f-fe4249c013db", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + 
"user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "5f6f70c0-d39d-4adb-9879-7ba30b569ac1", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "f49323fd-8161-4cf0-9729-2286a6746a30", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "0534d240-5b53-4a51-940b-c2aeb885297f", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "3e7beeab-156f-4dbb-a963-5964fc73482f", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "1de13c31-90a5-4d4e-85eb-e93421eff2c9", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : 
"oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] + }, { + "id" : "ca05c3e1-8674-4ecd-9f66-5143ca6ef5f9", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "40545239-bcd8-4a1e-9a3c-0cd336f2ecfb", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + }, { + "id" : "602b1e0f-2a99-4517-a8fd-dc97111f6ef4", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + } ] + }, { + "id" : "23990f3e-6474-4984-9247-33bfd3fcbbea", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "eefb83d6-9b37-44a4-aeaf-ba855166e250", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + }, { + "id" : "939caa01-d09a-4083-ad39-c45707dea6a8", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in 
scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "d75a5924-d8fe-4b34-bca7-0d123f9c4ad6", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "16c55806-2c14-427a-b787-28ac1b116f43", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "1db9fd9f-be4c-4ba3-a3dc-bad72d358b6f", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${rolesScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "845e4fe8-df0c-42b1-bf0c-add007afc5e6", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "47ebed48-8bdf-4c77-904d-8ce027f12303", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + }, { + "id" : "f728e24a-9b2a-406e-9315-2ef978f3544f", + "name" : 
"realm roles",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "user.attribute" : "foo",
+ "access.token.claim" : "true",
+ "claim.name" : "realm_access.roles",
+ "jsonType.label" : "String",
+ "multivalued" : "true"
+ }
+ } ]
+ }, {
+ "id" : "e64f9146-80a9-41c6-a9db-a44772e658c6",
+ "name" : "acr",
+ "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "false",
+ "display.on.consent.screen" : "false"
+ },
+ "protocolMappers" : [ {
+ "id" : "e36e62ec-9378-441f-86a0-1f9430d239e0",
+ "name" : "acr loa level",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-acr-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "id.token.claim" : "true",
+ "access.token.claim" : "true"
+ }
+ } ]
+ }, {
+ "id" : "a6728259-d97f-4750-8710-0b9cdd134862",
+ "name" : "offline_access",
+ "description" : "OpenID Connect built-in scope: offline_access",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "consent.screen.text" : "${offlineAccessScopeConsentText}",
+ "display.on.consent.screen" : "true"
+ }
+ } ],
+ "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr" ],
+ "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ],
+ "browserSecurityHeaders" : {
+ "contentSecurityPolicyReportOnly" : "",
+ "xContentTypeOptions" : "nosniff",
+ "referrerPolicy" : "no-referrer",
+ "xRobotsTag" : "none",
+ "xFrameOptions" : "SAMEORIGIN",
+ "xXSSProtection" : "1; mode=block",
+ "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+ "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
+ },
+ "smtpServer" : { },
+ "eventsEnabled" : false,
+ "eventsListeners" : [ "jboss-logging" ],
+ "enabledEventTypes" : [ ],
+ "adminEventsEnabled" : false,
+ 
"adminEventsDetailsEnabled" : false,
+ "identityProviders" : [ ],
+ "identityProviderMappers" : [ ],
+ "components" : {
+ "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ {
+ "id" : "f831ad24-ba32-4212-bb42-dcf2aa4a061e",
+ "name" : "Max Clients Limit",
+ "providerId" : "max-clients",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "max-clients" : [ "200" ]
+ }
+ }, {
+ "id" : "6fc363c0-c537-4a97-b87e-0c5f17e29325",
+ "name" : "Allowed Client Scopes",
+ "providerId" : "allowed-client-templates",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "allow-default-scopes" : [ "true" ]
+ }
+ }, {
+ "id" : "e1254a51-a43f-433e-9c19-bee9b2c83e3b",
+ "name" : "Allowed Protocol Mapper Types",
+ "providerId" : "allowed-protocol-mappers",
+ "subType" : "authenticated",
+ "subComponents" : { },
+ "config" : {
+ "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper" ]
+ }
+ }, {
+ "id" : "475ffb69-9f5f-461b-8fd9-af11271bb894",
+ "name" : "Consent Required",
+ "providerId" : "consent-required",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : { }
+ }, {
+ "id" : "4ecdb43e-1b0c-40ec-870d-2aa6d7627902",
+ "name" : "Allowed Protocol Mapper Types",
+ "providerId" : "allowed-protocol-mappers",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper" ]
+ }
+ }, {
+ "id" : "213685a6-8c19-48e0-bc5c-7969a89b7c76",
+ "name" : "Full Scope Disabled",
+ "providerId" : "scope",
+ "subType" : "anonymous",
+ 
"subComponents" : { },
+ "config" : { }
+ }, {
+ "id" : "0517c5e9-123e-4e79-8d76-dbe6f0403d64",
+ "name" : "Allowed Client Scopes",
+ "providerId" : "allowed-client-templates",
+ "subType" : "authenticated",
+ "subComponents" : { },
+ "config" : {
+ "allow-default-scopes" : [ "true" ]
+ }
+ }, {
+ "id" : "a1659944-e504-4374-98df-d862ed413964",
+ "name" : "Trusted Hosts",
+ "providerId" : "trusted-hosts",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "host-sending-registration-request-must-match" : [ "true" ],
+ "client-uris-must-match" : [ "true" ]
+ }
+ } ]
+ },
+ "internationalizationEnabled" : false,
+ "supportedLocales" : [ ],
+ "authenticationFlows" : [ {
+ "id" : "0844f18b-e205-4cbf-a9b0-b944ab642922",
+ "alias" : "Account verification options",
+ "description" : "Method with which to verity the existing account",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "idp-email-verification",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Verify Existing Account by Re-authentication",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "c96aefb9-6b09-4e77-bcf1-b2b86859b24f",
+ "alias" : "Browser - Conditional OTP",
+ "description" : "Flow to determine if the OTP is required for the authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "auth-otp-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : 
false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "85b37736-ddca-4105-9426-97e28d6c279a",
+ "alias" : "Direct Grant - Conditional OTP",
+ "description" : "Flow to determine if the OTP is required for the authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "direct-grant-validate-otp",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "b0fd75ae-8058-424a-8ae6-257a218d70f8",
+ "alias" : "First broker login - Conditional OTP",
+ "description" : "Flow to determine if the OTP is required for the authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "auth-otp-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "a4c1a42b-f752-4c9a-b31a-ec0b2d5f88c9",
+ "alias" : "Handle Existing Account",
+ "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "idp-confirm-link",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "REQUIRED",
+ "priority" 
: 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Account verification options",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "1c30eba9-62e2-4391-9be7-91d8dfc93def",
+ "alias" : "Reset - Conditional OTP",
+ "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "reset-otp",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "440589ea-dfb5-4fea-9751-aef382c9dfb7",
+ "alias" : "User creation or linking",
+ "description" : "Flow for the existing/non-existing user alternatives",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticatorConfig" : "create unique user config",
+ "authenticator" : "idp-create-user-if-unique",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Handle Existing Account",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "8808520b-dd8f-4950-81f7-0b671ad21535",
+ "alias" : "Verify Existing Account by Re-authentication",
+ "description" : "Reauthentication of existing account",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "idp-username-password-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ 
"authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "First broker login - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "1de66108-8963-4be0-a231-cb9e2e4e0ff7",
+ "alias" : "browser",
+ "description" : "browser based authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "auth-cookie",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "auth-spnego",
+ "authenticatorFlow" : false,
+ "requirement" : "DISABLED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "identity-provider-redirector",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 25,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 30,
+ "autheticatorFlow" : true,
+ "flowAlias" : "forms",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "325e7aa5-92a0-4700-bef3-765c260ca712",
+ "alias" : "clients",
+ "description" : "Base authentication for clients",
+ "providerId" : "client-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "client-secret",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "client-jwt",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "client-secret-jwt",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 30,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : 
"client-x509",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 40,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "84eb8e43-4b56-4ea7-961e-a52b0adb0d18",
+ "alias" : "direct grant",
+ "description" : "OpenID Connect Resource Owner Grant",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "direct-grant-validate-username",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "direct-grant-validate-password",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 30,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Direct Grant - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "70756998-eb44-4793-8db5-56be066be5de",
+ "alias" : "docker auth",
+ "description" : "Used by Docker clients to authenticate against the IDP",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "docker-http-basic-authenticator",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "37af28b4-7de5-4e34-8def-cca8a88476a3",
+ "alias" : "first broker login",
+ "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticatorConfig" : "review profile config",
+ "authenticator" : "idp-review-profile",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ 
"autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "User creation or linking",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "96617d21-366f-4932-95e4-bffdb6109ddd",
+ "alias" : "forms",
+ "description" : "Username, password, otp and other auth forms.",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "auth-username-password-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Browser - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "b6a26b71-1b86-4829-b1b1-7d8252bdeebb",
+ "alias" : "registration",
+ "description" : "registration flow",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "registration-page-form",
+ "authenticatorFlow" : true,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : true,
+ "flowAlias" : "registration form",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "359fde7b-9820-4d06-b3aa-974aa631084d",
+ "alias" : "registration form",
+ "description" : "registration form",
+ "providerId" : "form-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "registration-user-creation",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "registration-profile-action",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 40,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : 
"registration-password-action",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 50,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "registration-recaptcha-action",
+ "authenticatorFlow" : false,
+ "requirement" : "DISABLED",
+ "priority" : 60,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "registration-terms-and-conditions",
+ "authenticatorFlow" : false,
+ "requirement" : "DISABLED",
+ "priority" : 70,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "007ce934-11d8-4696-b5da-50443fec2054",
+ "alias" : "reset credentials",
+ "description" : "Reset credentials for a user if they forgot their password or something",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "reset-credentials-choose-user",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "reset-credential-email",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "reset-password",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 30,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 40,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Reset - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "157740bf-f12e-4481-8b68-94fd4939d43f",
+ "alias" : "saml ecp",
+ "description" : "SAML ECP Profile Authentication Flow",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "http-basic-authenticator",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" 
: 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ } ],
+ "authenticatorConfig" : [ {
+ "id" : "9f47e62a-4411-4afc-a7c3-a2670816579d",
+ "alias" : "create unique user config",
+ "config" : {
+ "require.password.update.after.registration" : "false"
+ }
+ }, {
+ "id" : "afc21bd5-4c36-4739-b592-a6c2e8963059",
+ "alias" : "review profile config",
+ "config" : {
+ "update.profile.on.first.login" : "missing"
+ }
+ } ],
+ "requiredActions" : [ {
+ "alias" : "CONFIGURE_TOTP",
+ "name" : "Configure OTP",
+ "providerId" : "CONFIGURE_TOTP",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 10,
+ "config" : { }
+ }, {
+ "alias" : "TERMS_AND_CONDITIONS",
+ "name" : "Terms and Conditions",
+ "providerId" : "TERMS_AND_CONDITIONS",
+ "enabled" : false,
+ "defaultAction" : false,
+ "priority" : 20,
+ "config" : { }
+ }, {
+ "alias" : "UPDATE_PASSWORD",
+ "name" : "Update Password",
+ "providerId" : "UPDATE_PASSWORD",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 30,
+ "config" : { }
+ }, {
+ "alias" : "UPDATE_PROFILE",
+ "name" : "Update Profile",
+ "providerId" : "UPDATE_PROFILE",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 40,
+ "config" : { }
+ }, {
+ "alias" : "VERIFY_EMAIL",
+ "name" : "Verify Email",
+ "providerId" : "VERIFY_EMAIL",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 50,
+ "config" : { }
+ }, {
+ "alias" : "delete_account",
+ "name" : "Delete Account",
+ "providerId" : "delete_account",
+ "enabled" : false,
+ "defaultAction" : false,
+ "priority" : 60,
+ "config" : { }
+ }, {
+ "alias" : "webauthn-register",
+ "name" : "Webauthn Register",
+ "providerId" : "webauthn-register",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 70,
+ "config" : { }
+ }, {
+ "alias" : "webauthn-register-passwordless",
+ "name" : "Webauthn Register Passwordless",
+ "providerId" : "webauthn-register-passwordless",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 80,
+ "config" : 
{ }
+ }, {
+ "alias" : "update_user_locale",
+ "name" : "Update User Locale",
+ "providerId" : "update_user_locale",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 1000,
+ "config" : { }
+ } ],
+ "browserFlow" : "browser",
+ "registrationFlow" : "registration",
+ "directGrantFlow" : "direct grant",
+ "resetCredentialsFlow" : "reset credentials",
+ "clientAuthenticationFlow" : "clients",
+ "dockerAuthenticationFlow" : "docker auth",
+ "attributes" : {
+ "cibaBackchannelTokenDeliveryMode" : "poll",
+ "cibaExpiresIn" : "120",
+ "cibaAuthRequestedUserHint" : "login_hint",
+ "parRequestUriLifespan" : "60",
+ "cibaInterval" : "5",
+ "realmReusableOtpCode" : "false"
+ },
+ "keycloakVersion" : "22.0.5",
+ "userManagedAccessAllowed" : false,
+ "clientProfiles" : {
+ "profiles" : [ ]
+ },
+ "clientPolicies" : {
+ "policies" : [ ]
+ }
+}
\ No newline at end of file
diff --git a/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties b/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties
new file mode 100644
index 0000000..7a7dacc
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties
@@ -0,0 +1,54 @@
+emailVerificationSubject=Verify email
+emailVerificationBody=Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address\n\n{0}\n\nThis link will expire within {3}.\n\nIf you didn''t create this account, just ignore this message.
+emailVerificationBodyHtml=

Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address

Link to e-mail address verification

This link will expire within {3}.

If you didn''t create this account, just ignore this message.

+emailUpdateConfirmationSubject=Verify new email
+emailUpdateConfirmationBody=To update your {2} account with email address {1}, click the link below\n\n{0}\n\nThis link will expire within {3}.\n\nIf you don''t want to proceed with this modification, just ignore this message.
+emailUpdateConfirmationBodyHtml=

To update your {2} account with email address {1}, click the link below

{0}

This link will expire within {3}.

If you don''t want to proceed with this modification, just ignore this message.

+emailTestSubject=[KEYCLOAK] - SMTP test message
+emailTestBody=This is a test message. Test Only.
+emailTestBodyHtml=

This is a test message

+identityProviderLinkSubject=Link {0}
+identityProviderLinkBody=Someone wants to link your "{1}" account with "{0}" account of user {2} . If this was you, click the link below to link accounts\n\n{3}\n\nThis link will expire within {5}.\n\nIf you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}.
+identityProviderLinkBodyHtml=

Someone wants to link your {1} account with {0} account of user {2}. If this was you, click the link below to link accounts

Link to confirm account linking

This link will expire within {5}.

If you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}.

+passwordResetSubject=Reset password
+passwordResetBody=Someone just requested to change your {2} account''s password. If this was you, click on the link below to reset them.\n\n{0}\n\nThis link and code will expire within {3}.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed.
+passwordResetBodyHtml=

Someone just requested to change your {2} account''s password. If this was you, click on the link below to reset them.

Link to reset password

This link will expire within {3}.

If you don''t want to reset your password, just ignore this message and nothing will be changed.

+executeActionsSubject=Update Your Account
+executeActionsBody=Your administrator has just requested that you update your {2} account by performing the following action(s): {3}. Click on the link below to start this process.\n\n{0}\n\nThis link will expire within {4}.\n\nIf you are unaware that your administrator has requested this, just ignore this message and nothing will be changed.
+executeActionsBodyHtml=

Your administrator has just requested that you update your {2} account by performing the following action(s): {3}. Click on the link below to start this process.

Link to account update

This link will expire within {4}.

If you are unaware that your administrator has requested this, just ignore this message and nothing will be changed.

+eventLoginErrorSubject=Login error
+eventLoginErrorBody=A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an administrator.
+eventLoginErrorBodyHtml=

A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an administrator.

+eventRemoveTotpSubject=Remove OTP
+eventRemoveTotpBody=OTP was removed from your account on {0} from {1}. If this was not you, please contact an administrator.
+eventRemoveTotpBodyHtml=

OTP was removed from your account on {0} from {1}. If this was not you, please contact an administrator.

+eventUpdatePasswordSubject=Update password
+eventUpdatePasswordBody=Your password was changed on {0} from {1}. If this was not you, please contact an administrator.
+eventUpdatePasswordBodyHtml=

Your password was changed on {0} from {1}. If this was not you, please contact an administrator.

+eventUpdateTotpSubject=Update OTP
+eventUpdateTotpBody=OTP was updated for your account on {0} from {1}. If this was not you, please contact an administrator.
+eventUpdateTotpBodyHtml=

OTP was updated for your account on {0} from {1}. If this was not you, please contact an administrator.

+
+requiredAction.CONFIGURE_TOTP=Configure OTP
+requiredAction.TERMS_AND_CONDITIONS=Terms and Conditions
+requiredAction.UPDATE_PASSWORD=Update Password
+requiredAction.UPDATE_PROFILE=Update Profile
+requiredAction.VERIFY_EMAIL=Verify Email
+requiredAction.CONFIGURE_RECOVERY_AUTHN_CODES=Generate Recovery Codes
+
+# units for link expiration timeout formatting
+# for languages which have more unit plural forms depending on the value (eg. Czech and other Slavic langs) you can override unit text for some other values like described in the Java choice format which is documented here. For Czech, it would be '{0,choice,0#minut|1#minuta|2#minuty|2Please verify your email address by entering in the following code.

{0}

+
diff --git a/dev/config/keycloak/themes/ltt/email/theme.properties b/dev/config/keycloak/themes/ltt/email/theme.properties
new file mode 100644
index 0000000..93d3b28
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/email/theme.properties
@@ -0,0 +1,2 @@
+parent=keycloak
+
diff --git a/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl b/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl
new file mode 100644
index 0000000..d609182
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl
@@ -0,0 +1,31 @@
+<#ftl output_format="plainText">
+${msg("loginTotpIntro")}
+
+${msg("loginTotpStep1")}
+
+<#list totp.policy.supportedApplications as app>
+* ${app}
+
+
+${msg("loginTotpManualStep2")}
+
+ ${totp.totpSecretEncoded}
+
+
+${msg("loginTotpManualStep3")}
+
+- ${msg("loginTotpType")}: ${msg("loginTotp." + totp.policy.type)}
+- ${msg("loginTotpAlgorithm")}: ${totp.policy.getAlgorithmKey()}
+- ${msg("loginTotpDigits")}: ${totp.policy.digits}
+<#if totp.policy.type = "totp">
+- ${msg("loginTotpInterval")}: ${totp.policy.period}
+
+<#elseif totp.policy.type = "hotp">
+- ${msg("loginTotpCounter")}: ${totp.policy.initialCounter}
+
+
+
+Enter in your one time password so we can verify you have installed it correctly.
+
+
+
diff --git a/dev/config/keycloak/themes/ltt/login/login-update-password.ftl b/dev/config/keycloak/themes/ltt/login/login-update-password.ftl
new file mode 100644
index 0000000..5c70fe0
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/login-update-password.ftl
@@ -0,0 +1,45 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout displayInfo=true; section>
+ <#if section = "header">
+ ${msg("updatePasswordTitle")}
+ <#elseif section = "form">
+
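Review bot: Most of this email messages_en.properties looks like a verbatim copy of Keycloak's stock email message bundle, while the theme.properties added alongside it sets `parent=keycloak`; a child theme only needs to carry the keys it changes, and the verify-by-code text at the end of the hunk appears to be the only customisation. Keeping the full copy means upstream wording and security-notice fixes to these mails will not be inherited when the pinned Keycloak image is upgraded, and it hides which strings were deliberately changed. I would trim the file to the overridden keys, or, if the full copy is intentional, open it with a comment such as `# Copied from the Keycloak base email theme; only the verify-email code message at the end is custom`. The link-expiration units comment near the end of the hunk is cut off in this view, so I could not check the keys that follow it.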
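Review bot: The last instruction line of login-config-totp-text.ftl, `Enter in your one time password so we can verify you have installed it correctly.`, is a hard-coded English string while every other line of the template goes through `msg()`; the stock template uses `${msg("loginTotpStep3")}` at this point. Put the custom wording under that key in the theme's login messages_en.properties added later in this commit and replace the literal with `${msg("loginTotpStep3")}`, so the text is translatable and the plain-text and HTML variants of the page stay in sync.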
+ + + +
+
+ +
+
+ +
${kcSanitize(msg("passwordPolicy"))?no_esc}
+
+
+ +
+
+ +
+
+ +
+
+
+
+
+
+
+ +
+ <#if isAppInitiatedAction??> + + + <#else> + + +
+
+
+
+
diff --git a/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl b/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl
new file mode 100644
index 0000000..d87a90f
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl
@@ -0,0 +1,61 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout; section>
+ <#if section = "header">
+ ${msg("loginProfileTitle")}
+ <#elseif section = "form">
+
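Review bot: `${kcSanitize(msg("passwordPolicy"))?no_esc}` in login-update-password.ftl depends on a `passwordPolicy` message key that I do not recognise from Keycloak's stock login messages; if it is not defined in the theme's login messages_en.properties (that hunk is cut off in this view), the form will render the bare key name instead of the policy text. Worth confirming the key exists, and a short comment above the line such as `<#-- passwordPolicy is defined in this theme's login messages, not in the base theme -->` would save the next maintainer the same check. The surrounding form markup is not visible in this view, so I could not check the rest of the hunk.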
+ <#if user.editUsernameAllowed> +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+
+
+
+ +
+ <#if isAppInitiatedAction??> + + + <#else> + + +
+
+
+
+
diff --git a/dev/config/keycloak/themes/ltt/login/login-username.ftl b/dev/config/keycloak/themes/ltt/login/login-username.ftl
new file mode 100644
index 0000000..6d5737e
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/login-username.ftl
@@ -0,0 +1,60 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout displayInfo=social.displayInfo displayWide=(realm.password && social.providers??); section>
+ <#if section = "header">
+ ${msg("doLogIn")}
+ <#elseif section = "form">
+
class="${properties.kcContentWrapperClass!}"> +
class="${properties.kcFormSocialAccountContentClass!} ${properties.kcFormSocialAccountClass!}"> + <#if realm.password> +
+
+ + + <#if usernameEditDisabled??> + + <#else> + + +
+ +
+
+ <#if realm.rememberMe && !usernameEditDisabled??> +
+ +
+ +
+
+ +
+ +
+
+ +
+ <#if realm.password && social.providers??> +
+ +
+ +
+ <#elseif section = "info" > + <#if realm.password && realm.registrationAllowed && !usernameEditDisabled??> +
+ ${msg("noAccount")} ${msg("doRegister")} +
+
+
+
+
diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl b/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl
new file mode 100644
index 0000000..87abcd7
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl
@@ -0,0 +1,2 @@
+<#ftl output_format="plainText">
+${msg("console-verify-email",email, code)}
\ No newline at end of file
diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl b/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl
new file mode 100644
index 0000000..e69a9fe
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl
@@ -0,0 +1,13 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout; section>
+ <#if section = "header">
+ ${msg("emailVerifyTitle")}
+ <#elseif section = "form">
+

+ ${msg("emailVerifyInstruction1")} +

+

+ ${msg("emailVerifyInstruction2")} ${msg("doClickHere")} ${msg("emailVerifyInstruction3")} +

+
+
\ No newline at end of file
diff --git a/dev/config/keycloak/themes/ltt/login/login.ftl b/dev/config/keycloak/themes/ltt/login/login.ftl
new file mode 100644
index 0000000..c789a58
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/login.ftl
@@ -0,0 +1,107 @@
+<#import "template.ftl" as layout>
+<@layout.registrationLayout displayMessage=!messagesPerField.existsError('username','password') displayInfo=realm.password && realm.registrationAllowed && !registrationDisabled??; section>
+ <#if section = "header">
+ ${msg("loginAccountTitle")}
+ <#elseif section = "form">
+
+
+ <#if realm.password> +
+ <#if !usernameHidden??> +
+ + + + + <#if messagesPerField.existsError('username','password')> + + ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc} + + + +
+ + +
+ + + + + <#if usernameHidden?? && messagesPerField.existsError('username','password')> + + ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc} + + + +
+ +
+
+ <#if realm.rememberMe && !usernameHidden??> +
+ +
+ +
+
+ <#if realm.resetPasswordAllowed> + ${msg("doForgotPassword")} + +
+ +
+ +
+ value="${auth.selectedCredential}"/> + +
+
+ +
+ +
+ <#elseif section = "info" > + <#if realm.password && realm.registrationAllowed && !registrationDisabled??> +
+
+ ${msg("noAccount")} ${msg("doRegister")} +
+
+ + <#elseif section = "socialProviders" > + <#if realm.password && social.providers??> +
+
+

${msg("identity-provider-login-label")}

+ + +
+ + + + diff --git a/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties b/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties new file mode 100644 index 0000000..60405bb --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties 
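Review bot: login.ftl appears to be a full copy of the Keycloak base login theme's template rather than a minimal override, and nothing in the hunk records which upstream version it was taken from; the same applies to the messages_en.properties, register-user-profile.ftl, register.ftl, select-authenticator.ftl and template.ftl hunks below. Keycloak theme inheritance (`parent=` in theme.properties, which is not in this chunk) only requires the files that actually differ, so every wholesale copy is a file that stops receiving upstream template fixes, including security-relevant ones, on the next Keycloak upgrade. If the copies are needed, add a header such as `<#-- copied from keycloak base login theme <UPSTREAM_VERSION>; diff against upstream on every upgrade -->` and trim each file to the sections that were actually changed.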
@@ -0,0 +1,442 @@
+doLogIn=Sign In
+doRegister=Register
+doCancel=Cancel
+doSubmit=Submit
+doBack=Back
+doYes=Yes
+doNo=No
+doContinue=Continue
+doIgnore=Ignore
+doAccept=Accept
+doDecline=Decline
+doForgotPassword=First time using, or forgot password?
+doClickHere=Click here
+doImpersonate=Impersonate
+doTryAgain=Try again
+doTryAnotherWay=Try Another Way
+doConfirmDelete=Confirm deletion
+errorDeletingAccount=Error happened while deleting account
+deletingAccountForbidden=You do not have enough permissions to delete your own account, contact admin.
+kerberosNotConfigured=Kerberos Not Configured
+kerberosNotConfiguredTitle=Kerberos Not Configured
+bypassKerberosDetail=Either you are not logged in by Kerberos or your browser is not set up for Kerberos login. Please click continue to login in through other means
+kerberosNotSetUp=Kerberos is not set up. You cannot login.
+registerTitle=Register
+loginAccountTitle=Sign in to your account
+loginTitle=Sign in to {0}
+loginTitleHtml={0}
+impersonateTitle={0} Impersonate User
+impersonateTitleHtml={0} Impersonate User
+realmChoice=Realm
+unknownUser=Unknown user
+loginTotpTitle=Mobile Authenticator Setup
+loginProfileTitle=Update Account Information
+loginIdpReviewProfileTitle=Update Account Information
+loginTimeout=Your login attempt timed out. Login will start from the beginning.
+oauthGrantTitle=Grant Access to {0}
+oauthGrantTitleHtml={0}
+errorTitle=We are sorry...
+errorTitleHtml=We are sorry ...
+emailVerifyTitle=Email verification
+emailForgotTitle=First time using, or forgot password?
+updatePasswordTitle=Update password
+codeSuccessTitle=Success code
+codeErrorTitle=Error code\: {0}
+displayUnsupported=Requested display type unsupported
+browserRequired=Browser required to login
+browserContinue=Browser required to complete login
+browserContinuePrompt=Open browser and continue login? [y/n]:
+browserContinueAnswer=y
+
+
+termsTitle=Terms and Conditions
+termsText=

Terms and conditions to be defined

+termsPlainText=Terms and conditions to be defined. + +recaptchaFailed=Invalid Recaptcha +recaptchaNotConfigured=Recaptcha is required, but not configured +consentDenied=Consent denied. + +noAccount=New user? +username=Username +usernameOrEmail=Username or email +firstName=First name +givenName=Given name +fullName=Full name +lastName=Last name +familyName=Family name +email=Email +password=Password +passwordConfirm=Confirm password +passwordNew=New Password +passwordNewConfirm=New Password confirmation +passwordPolicy=

Password must:

  • Include at least one upper case letter, one lower case letter, and one number
  • Be at least 8 characters long
  • Have not been used recently
+rememberMe=Remember me +authenticatorCode=One-time code +address=Address +street=Street +locality=City or Locality +region=State, Province, or Region +postal_code=Zip or Postal code +country=Country +emailVerified=Email verified +website=Web page +phoneNumber=Phone number +phoneNumberVerified=Phone number verified +gender=Gender +birthday=Birthdate +zoneinfo=Time zone +gssDelegationCredential=GSS Delegation Credential +logoutOtherSessions=Sign out from other devices + +profileScopeConsentText=User profile +emailScopeConsentText=Email address +addressScopeConsentText=Address +phoneScopeConsentText=Phone number +offlineAccessScopeConsentText=Offline Access +samlRoleListScopeConsentText=My Roles +rolesScopeConsentText=User roles + +restartLoginTooltip=Restart login + +loginTotpIntro=You need to set up a One Time Password generator to access this account +loginTotpStep1=Install one of the following applications on your mobile: +loginTotpStep2=Open the application and scan the barcode: +loginTotpStep3=Enter the one-time code provided by the application and click Submit to finish the setup. +loginTotpStep3DeviceName=Provide a Device Name to help you manage your OTP devices. +loginTotpManualStep2=Open the application and enter the key: +loginTotpManualStep3=Use the following configuration values if the application allows setting them: +loginTotpUnableToScan=Unable to scan? +loginTotpScanBarcode=Scan barcode? +loginCredential=Credential +loginOtpOneTime=One-time code +loginTotpType=Type +loginTotpAlgorithm=Algorithm +loginTotpDigits=Digits +loginTotpInterval=Interval +loginTotpCounter=Counter +loginTotpDeviceName=Device Name + +loginTotp.totp=Time-based +loginTotp.hotp=Counter-based + +loginChooseAuthenticator=Select login method + +oauthGrantRequest=Do you grant these access privileges? 
+inResource=in + +oauth2DeviceVerificationTitle=Device Login +verifyOAuth2DeviceUserCode=Enter the code provided by your device and click Submit +oauth2DeviceInvalidUserCodeMessage=Invalid code, please try again. +oauth2DeviceExpiredUserCodeMessage=The code has expired. Please go back to your device and try connecting again. +oauth2DeviceVerificationCompleteHeader=Device Login Successful +oauth2DeviceVerificationCompleteMessage=You may close this browser window and go back to your device. +oauth2DeviceVerificationFailedHeader=Device Login Failed +oauth2DeviceVerificationFailedMessage=You may close this browser window and go back to your device and try connecting again. +oauth2DeviceConsentDeniedMessage=Consent denied for connecting the device. +oauth2DeviceAuthorizationGrantDisabledMessage=Client is not allowed to initiate OAuth 2.0 Device Authorization Grant. The flow is disabled for the client. + +emailVerifyInstruction1=An email with instructions to verify your email address has been sent to you. +emailVerifyInstruction2=Haven''t received a verification code in your email? +emailVerifyInstruction3=to re-send the email. + +emailLinkIdpTitle=Link {0} +emailLinkIdp1=An email with instructions to link {0} account {1} with your {2} account has been sent to you. +emailLinkIdp2=Haven''t received a verification code in your email? +emailLinkIdp3=to re-send the email. +emailLinkIdp4=If you already verified the email in different browser +emailLinkIdp5=to continue. + +backToLogin=« Back to Login + +emailInstruction=Enter your username or email address and we will send you instructions on how to create a new password. 
+ +copyCodeInstruction=Please copy this code and paste it into your application: + +pageExpiredTitle=Page has expired +pageExpiredMsg1=To restart the login process +pageExpiredMsg2=To continue the login process + +personalInfo=Personal Info: +role_admin=Admin +role_realm-admin=Realm Admin +role_create-realm=Create realm +role_create-client=Create client +role_view-realm=View realm +role_view-users=View users +role_view-applications=View applications +role_view-clients=View clients +role_view-events=View events +role_view-identity-providers=View identity providers +role_manage-realm=Manage realm +role_manage-users=Manage users +role_manage-applications=Manage applications +role_manage-identity-providers=Manage identity providers +role_manage-clients=Manage clients +role_manage-events=Manage events +role_view-profile=View profile +role_manage-account=Manage account +role_manage-account-links=Manage account links +role_read-token=Read token +role_offline-access=Offline access +client_account=Account +client_account-console=Account Console +client_security-admin-console=Security Admin Console +client_admin-cli=Admin CLI +client_realm-management=Realm Management +client_broker=Broker + +requiredFields=Required fields + +invalidUserMessage=Invalid username or password. +invalidUsernameMessage=Invalid username. +invalidUsernameOrEmailMessage=Invalid username or email. +invalidPasswordMessage=Invalid password. +invalidEmailMessage=Invalid email address. +accountDisabledMessage=Account is disabled, contact your administrator. +accountTemporarilyDisabledMessage=Account is temporarily disabled; contact your administrator or retry later. +expiredCodeMessage=Login timeout. Please sign in again. +expiredActionMessage=Action expired. Please continue with login now. +expiredActionTokenNoSessionMessage=Action expired. +expiredActionTokenSessionExistsMessage=Action expired. Please start again. + +missingFirstNameMessage=Please specify first name. 
+missingLastNameMessage=Please specify last name. +missingEmailMessage=Please specify email. +missingUsernameMessage=Please specify username. +missingPasswordMessage=Please specify password. +missingTotpMessage=Please specify authenticator code. +missingTotpDeviceNameMessage=Please specify device name. +notMatchPasswordMessage=Passwords don''t match. + +error-invalid-value=Invalid value. +error-invalid-blank=Please specify value. +error-empty=Please specify value. +error-invalid-length=Length must be between {1} and {2}. +error-invalid-length-too-short=Minimal length is {1}. +error-invalid-length-too-long=Maximal length is {2}. +error-invalid-email=Invalid email address. +error-invalid-number=Invalid number. +error-number-out-of-range=Number must be between {1} and {2}. +error-number-out-of-range-too-small=Number must have minimal value of {1}. +error-number-out-of-range-too-big=Number must have maximal value of {2}. +error-pattern-no-match=Invalid value. +error-invalid-uri=Invalid URL. +error-invalid-uri-scheme=Invalid URL scheme. +error-invalid-uri-fragment=Invalid URL fragment. +error-user-attribute-required=Please specify this field. +error-invalid-date=Invalid date. +error-user-attribute-read-only=This field is read only. +error-username-invalid-character=Value contains invalid character. +error-person-name-invalid-character=Value contains invalid character. + +invalidPasswordExistingMessage=Invalid existing password. +invalidPasswordBlacklistedMessage=Invalid password: password is blacklisted. +invalidPasswordConfirmMessage=Password confirmation doesn''t match. +invalidTotpMessage=Invalid authenticator code. + +usernameExistsMessage=Username already exists. +emailExistsMessage=Email already exists. + +federatedIdentityExistsMessage=User with {0} {1} already exists. Please login to account management to link the account. +federatedIdentityUnavailableMessage=User {0} authenticated with identity provider {1} does not exists. Please contact your administrator. 
+ +confirmLinkIdpTitle=Account already exists +federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How do you want to continue? +federatedIdentityConfirmReauthenticateMessage=Authenticate to link your account with {0} +nestedFirstBrokerFlowMessage=The {0} user {1} is not linked to any known user. +confirmLinkIdpReviewProfile=Review profile +confirmLinkIdpContinue=Add to existing account + +configureTotpMessage=You need to set up Mobile Authenticator to activate your account. +updateProfileMessage=You need to update your user profile to activate your account. +updatePasswordMessage=You need to change your password to activate your account. +resetPasswordMessage=You need to change your password. +verifyEmailMessage=You need to verify your email address to activate your account. +linkIdpMessage=You need to verify your email address to link your account with {0}. + +emailSentMessage=You should receive an email shortly with further instructions. +emailSendErrorMessage=Failed to send email, please try again later. + +accountUpdatedMessage=Your account has been updated. +accountPasswordUpdatedMessage=Your password has been updated. + +delegationCompleteHeader=Login Successful +delegationCompleteMessage=You may close this browser window and go back to your console application. +delegationFailedHeader=Login Failed +delegationFailedMessage=You may close this browser window and go back to your console application and try logging in again. + +noAccessMessage=No access + +invalidPasswordMinLengthMessage=Invalid password: minimum length {0}. +invalidPasswordMaxLengthMessage=Invalid password: maximum length {0}. +invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits. +invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters. +invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters. 
+invalidPasswordMinSpecialCharsMessage=Invalid password: must contain at least {0} special characters. +invalidPasswordNotUsernameMessage=Invalid password: must not be equal to the username. +invalidPasswordNotEmailMessage=Invalid password: must not be equal to the email. +invalidPasswordRegexPatternMessage=Invalid password: fails to match regex pattern(s). +invalidPasswordHistoryMessage=Invalid password: must not be equal to any of last {0} passwords. +invalidPasswordGenericMessage=Invalid password: new password doesn''t match password policies. + +failedToProcessResponseMessage=Failed to process response +httpsRequiredMessage=HTTPS required +realmNotEnabledMessage=Realm not enabled +invalidRequestMessage=Invalid Request +failedLogout=Logout failed +unknownLoginRequesterMessage=Unknown login requester +loginRequesterNotEnabledMessage=Login requester not enabled +bearerOnlyMessage=Bearer-only applications are not allowed to initiate browser login +standardFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client. +implicitFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client. +invalidRedirectUriMessage=Invalid redirect uri +unsupportedNameIdFormatMessage=Unsupported NameIDFormat +invalidRequesterMessage=Invalid requester +registrationNotAllowedMessage=Registration not allowed +resetCredentialNotAllowedMessage=Reset Credential not allowed + +permissionNotApprovedMessage=Permission not approved. +noRelayStateInResponseMessage=No relay state in response from identity provider. +insufficientPermissionMessage=Insufficient permissions to link identities. +couldNotProceedWithAuthenticationRequestMessage=Could not proceed with authentication request to identity provider. +couldNotObtainTokenMessage=Could not obtain token from identity provider. 
+unexpectedErrorRetrievingTokenMessage=Unexpected error when retrieving token from identity provider. +unexpectedErrorHandlingResponseMessage=Unexpected error when handling response from identity provider. +identityProviderAuthenticationFailedMessage=Authentication failed. Could not authenticate with identity provider. +couldNotSendAuthenticationRequestMessage=Could not send authentication request to identity provider. +unexpectedErrorHandlingRequestMessage=Unexpected error when handling authentication request to identity provider. +invalidAccessCodeMessage=Invalid access code. +sessionNotActiveMessage=Session not active. +invalidCodeMessage=An error occurred, please login again through your application. +identityProviderUnexpectedErrorMessage=Unexpected error when authenticating with identity provider +identityProviderMissingStateMessage=Missing state parameter in response from identity provider. +identityProviderNotFoundMessage=Could not find an identity provider with the identifier. +identityProviderLinkSuccess=You successfully verified your email. Please go back to your original browser and continue there with the login. +staleCodeMessage=This page is no longer valid, please go back to your application and sign in again +realmSupportsNoCredentialsMessage=Realm does not support any credential type. +credentialSetupRequired=Cannot login, credential setup required. +identityProviderNotUniqueMessage=Realm supports multiple identity providers. Could not determine which identity provider should be used to authenticate with. +emailVerifiedMessage=Your email address has been verified. +staleEmailVerificationLink=The link you clicked is an old stale link and is no longer valid. Maybe you have already verified your email. +identityProviderAlreadyLinkedMessage=Federated identity returned by {0} is already linked to another user. +confirmAccountLinking=Confirm linking the account {0} of identity provider {1} with your account. 
+confirmEmailAddressVerification=Confirm validity of e-mail address {0}. +confirmExecutionOfActions=Perform the following action(s) + +locale_ca=Catal\u00E0 +locale_cs=\u010Ce\u0161tina +locale_da=Dansk +locale_de=Deutsch +locale_en=English +locale_es=Espa\u00F1ol +locale_fr=Fran\u00E7ais +locale_hu=Magyar +locale_it=Italiano +locale_ja=\u65E5\u672C\u8A9E +locale_lt=Lietuvi\u0173 +locale_nl=Nederlands +locale_no=Norsk +locale_pl=Polski +locale_pt_BR=Portugu\u00EAs (Brasil) +locale_pt-BR=Portugu\u00EAs (Brasil) +locale_ru=\u0420\u0443\u0441\u0441\u043A\u0438\u0439 +locale_sk=Sloven\u010Dina +locale_sv=Svenska +locale_tr=T\u00FCrk\u00E7e +locale_zh-CN=\u4E2D\u6587\u7B80\u4F53 + +backToApplication=« Back to Application +missingParameterMessage=Missing parameters\: {0} +clientNotFoundMessage=Client not found. +clientDisabledMessage=Client disabled. +invalidParameterMessage=Invalid parameter\: {0} +alreadyLoggedIn=You are already logged in. +differentUserAuthenticated=You are already authenticated as different user ''{0}'' in this session. Please sign out first. +brokerLinkingSessionExpired=Requested broker account linking, but current session is no longer valid. +proceedWithAction=» Click here to proceed + +requiredAction.CONFIGURE_TOTP=Configure OTP +requiredAction.terms_and_conditions=Terms and Conditions +requiredAction.UPDATE_PASSWORD=Update Password +requiredAction.UPDATE_PROFILE=Update Profile +requiredAction.VERIFY_EMAIL=Verify Email + +doX509Login=You will be logged in as\: +clientCertificate=X509 client certificate\: +noCertificate=[No Certificate] + + +pageNotFound=Page not found +internalServerError=An internal server error has occurred + +console-username=Username: +console-password=Password: +console-otp=One Time Password: +console-new-password=New Password: +console-confirm-password=Confirm Password: +console-update-password=Update of your password is required. +console-verify-email=You need to verify your email address. 
We sent an email to {0} that contains a verification code. Please enter this code into the input below. +console-email-code=Email Code: +console-accept-terms=Accept Terms? [y/n]: +console-accept=y + +# Openshift messages +openshift.scope.user_info=User information +openshift.scope.user_check-access=User access information +openshift.scope.user_full=Full Access +openshift.scope.list-projects=List projects + +# SAML authentication +saml.post-form.title=Authentication Redirect +saml.post-form.message=Redirecting, please wait. +saml.post-form.js-disabled=JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue. +saml.artifactResolutionServiceInvalidResponse=Unable to resolve artifact. + +#authenticators +otp-display-name=Authenticator Application +otp-help-text=Enter a verification code from authenticator application. +password-display-name=Password +password-help-text=Sign in by entering your password. +auth-username-form-display-name=Username +auth-username-form-help-text=Start sign in by entering your username +auth-username-password-form-display-name=Username and password +auth-username-password-form-help-text=Sign in by entering your username and password. + +# WebAuthn +webauthn-display-name=Security Key +webauthn-help-text=Use your security key to sign in. +webauthn-passwordless-display-name=Security Key +webauthn-passwordless-help-text=Use your security key for passwordless sign in. +webauthn-login-title=Security Key login +webauthn-registration-title=Security Key Registration +webauthn-available-authenticators=Available authenticators +webauthn-unsupported-browser-text=WebAuthn is not supported by this browser. Try another one or contact your administrator. +webauthn-doAuthenticate=Sign in with Security Key + +# WebAuthn Error +webauthn-error-title=Security Key Error +webauthn-error-registration=Failed to register your Security key.
{0} +webauthn-error-api-get=Failed to authenticate by the Security key.
{0} +webauthn-error-different-user=First authenticated user is not the one authenticated by the Security key. +webauthn-error-auth-verification=Security key authentication result is invalid.
{0} +webauthn-error-register-verification=Security key registration result is invalid.
{0} +webauthn-error-user-not-found=Unknown user authenticated by the Security key. + +# Identity provider +identity-provider-redirector=Connect with another Identity Provider +identity-provider-login-label=Or sign in with + +finalDeletionConfirmation=If you delete your account, it cannot be restored. To keep your account, click Cancel. +irreversibleAction=This action is irreversible +deleteAccountConfirm=Delete account confirmation + +deletingImplies=Deleting your account implies: +errasingData=Erasing all your data +loggingOutImmediately=Logging you out immediately +accountUnusable=Any subsequent use of the application will not be possible with this account +userDeletedSuccessfully=User deleted successfully + +access-denied=Access denied + +systemType={0} System diff --git a/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl b/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl new file mode 100644 index 0000000..e0d533b --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl @@ -0,0 +1,74 @@ +<#import "template.ftl" as layout> +<#import "user-profile-commons.ftl" as userProfileCommons> +<@layout.registrationLayout displayMessage=messagesPerField.exists('global') displayRequiredFields=true; section> + <#if section = "header"> + ${msg("registerTitle")} + <#elseif section = "form"> +
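Review bot: `termsText=` and `termsPlainText=` ship the placeholder "Terms and conditions to be defined", so if the realm enables `requiredAction.terms_and_conditions` users would be asked to accept text that says nothing. Either track it with `# TODO: replace placeholder with approved terms before enabling the terms-and-conditions required action` next to the keys, or drop both keys so the parent theme's value applies. Separately, `passwordPolicy=` hard-codes concrete rules (mixed case plus a digit, at least 8 characters, not recently used) that are only enforced by the realm's configured password policy, so this text will silently drift from what Keycloak actually rejects; the `invalidPassword*Message` keys already receive the real limits via `{0}`, so keep this text generic or change it together with the realm policy. The markup inside multi-line values such as `termsText` and the `webauthn-error-*` messages is not legible in this hunk and was not checked.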
+ + <@userProfileCommons.userProfileFormFields; callback, attribute> + <#if callback = "afterField"> + <#-- render password fields just under the username or email (if used as username) --> + <#if passwordRequired?? && (attribute.name == 'username' || (attribute.name == 'email' && realm.registrationEmailAsUsername))> +
+
+ * +
+
+ + + <#if messagesPerField.existsError('password')> + + ${kcSanitize(messagesPerField.get('password'))?no_esc} + + +
+
+ +
+
+ * +
+
+ + + <#if messagesPerField.existsError('password-confirm')> + + ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc} + + +
+
+ + + + + <#if recaptchaRequired??> +
+
+
+
+
+ + + +
+ + \ No newline at end of file diff --git a/dev/config/keycloak/themes/ltt/login/register.ftl b/dev/config/keycloak/themes/ltt/login/register.ftl new file mode 100644 index 0000000..07829a0 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/register.ftl @@ -0,0 +1,88 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout; section> + <#if section = "header"> + ${msg("registerTitle")} + <#elseif section = "form"> +
+ <#-- +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ --> + +
+
+ +
+
+ +
+
+ + <#if !realm.registrationEmailAsUsername> +
+
+ +
+
+ +
+
+ + + <#if passwordRequired??> +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ + + <#if recaptchaRequired??> +
+
+
+
+
+ + + +
+ + diff --git a/dev/config/keycloak/themes/ltt/login/resources/css/styles.css b/dev/config/keycloak/themes/ltt/login/resources/css/styles.css new file mode 100644 index 0000000..7b94eb2 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/resources/css/styles.css 
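Review bot: The `<#--` … `-->` block near the top of the form (the commented-out field markup before the username field) is dead template code and should be deleted, or replaced with a one-line comment stating why those fields were removed from registration, e.g. `<#-- name/email fields intentionally omitted: <REASON> -->`. Keycloak serves either register.ftl or register-user-profile.ftl depending on whether the declarative user profile is enabled (verify against the target Keycloak version), so the two copies in this commit must be kept in step: the recaptcha and password sections appear in both, and a fix applied to one needs mirroring in the other. The form's HTML attributes are not legible in this hunk, so the inputs' `autocomplete` and `type` attributes were not checked.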
@@ -0,0 +1,384 @@ +:root { + --body-bg-color: #325c33; + --primary-color: #325c33; + --primary-hover-color: #254325; + --section-border-color: #dcdfdc; + --button-primary-color: #af4507; + --button-primary-hover-color: #883505; + --title-color: #325c33; + --label-color: #71757b; + --link-color: #1994d0; + --link-hover-color: #126994; + --highlight-bg-color: #f9e4d3; + --text-default-color: #444; + --default-body-font-size: 16px; +} +body { + font-family: "Roboto", "Helvetica", "Arial", sans-serif; + font-size: var(--default-body-font-size); +} +.pf-c-alert__title { + font-size: var(--default-body-font-size); + line-height: 1.4; +} + +html.login-pf { + background: var(--body-bg-color); +} + +#header { + position: fixed; + z-index: 10000; + left: 0; + top: 0; + width: 100%; + background-color: var(--body-bg-color); + color: #fff; + line-height: 3em; + box-shadow: 0 0 0.15em 0 rgba(0, 0, 0, 0.1); + margin-bottom: 1em; + display: flex; + align-items: center; + height: 4em; +} + +#header img { + height: 2em; + padding-left: 1em; +} + +#kc-header { + margin-top: 4em; +} + +.login-pf-page { + background-color: var(--body-bg-color); + height: 100%; + padding-top: 4em; + padding-bottom: 24px; + background-color: var(--body-bg-color); +} +@media (min-width: 768px) { + .login-pf-page { + padding-top: 3em; + } +} + +h1, +h2, +h3, +h4, +h5, +h6 { + font-weight: 600; + color: inherit; + /* letter-spacing: -0.0325em; */ +} + +html, +body, +div, +span, +applet, +object, +iframe, +h1, +h2, +h3, +h4, +h5, +h6, +p, +blockquote, +pre, +a, +abbr, +acronym, +address, +big, +cite, +code, +del, +dfn, +em, +img, +ins, +kbd, +q, +s, +samp, +small, +strike, +strong, +sub, +sup, +tt, +var, +b, +u, +i, +center, +dl, +dt, +dd, +ol, +ul, +li, +fieldset, +form, +label, +legend, +table, +caption, +tbody, +tfoot, +thead, +tr, +th, +td, +article, +aside, +canvas, +details, +embed, +figure, +figcaption, +footer, +header, +hgroup, +menu, +nav, +output, +ruby, +section, +summary, +time, +mark, +audio, 
+video { + margin: 0; + padding: 0; + border: 0; + font-size: 100%; + font: inherit; + vertical-align: baseline; +} + +ul, p { + line-height: 1.4; +} + +.alert { + padding-left: 16px; + padding-right: 16px; +} +.alert-error { + color: #9b0202; +} +input[type="text"], +input[type="password"] { + display: block; + width: 100%; + height: 32px; + padding: 2px 6px; + font-size: var(--default-body-font-size); + line-height: 1.66666667; + color: #363636; + background-color: #fff; + background-image: none; + border: 1px solid #bbb; + border-top-color: rgb(187, 187, 187); + border-right-color: rgb(187, 187, 187); + border-bottom-color: rgb(187, 187, 187); + border-left-color: rgb(187, 187, 187); + border-radius: 0; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + transition: border-color ease-in-out 0.15s, box-shadow ease-in-out 0.15s; + margin-bottom: 24px; + box-sizing: border-box; +} +input[type="submit"] { + background-image: none; + background-color: var(--primary-color); + padding: 16px; + width: 100%; + font-size: var(--default-body-font-size); + color: #fff; + box-sizing: border-box; + box-shadow: none; + border: 0; + display: block; +} +input[type="submit"]:hover { + background-color: var(--primary-hover-color); +} +a { + color: var(--link-color); + text-decoration: none; +} +a:hover { + color: var(--link-hover-color); +} +[class*="pf-c-"], +[class*="pf-c-"]::before, +[class*="pf-c-"]::after { + padding: 4px 0; +} +label { + font-weight: 500; + display: inline-block; + font-size: 14px; + margin-bottom: 4px; + color: var(--label-color); +} +.btn { + border-radius: 8px; +} +.btn-primary, +.pf-c-button.pf-m-primary { + background-image: none; + background-color: var(--button-primary-color); + border: 0; + border-radius: 8px; +} +.btn-primary:hover, +.btn-primary:focus, +.btn-primary:active, +.pf-c-button.pf-m-primary:hover, +.pf-c-button.pf-m-primary:focus, +.pf-c-button.pf-m-primary:active { + background-color: var(--button-primary-hover-color); +} + +.login-pf 
body { + font-family: "Roboto", "Helvetica", "Arial", sans-serif; + background-color: var(--body-bg-color); + background-image: none; + font-size: var(--default-body-font-size); +} +.login-pf-page .card-pf { + margin-bottom: 32px; +} +@media (min-width: 768px) { + .login-pf-page .card-pf { + padding: 16px 32px 48px 32px; + } +} +.login-pf-page .card-pf p { + font-size: var(--default-body-font-size); + line-height: 1.4; +} +@media (min-width: 768px) { + .login-pf-page .login-pf-header { + margin-bottom: 10px; + } +} +@media (max-width: 767px) { + .login-pf-page .card-pf { + max-width: 100%; + margin-left: 16px; + margin-right: 16px; + padding: 4px 16px 24px; + } +} +.login-pf-page .login-pf-header h1 { + font-size: 1.75em; +} +#kc-info-wrapper { + background-color: transparent; + padding: 0; + text-align: left; + font-size: var(--default-body-font-size); + line-height: 1.4; +} +#kc-header-wrapper { + font-weight: 500; + text-transform: capitalize; + line-height: 1.5; + font-weight: 500; + display: flex; + flex-direction: column; + gap: 16px; + align-items: center; + justify-content: center; +} +@media (max-width: 767px) { + #kc-header-wrapper { + color: #fff; + padding: 0; + } +} +#kc-site-name, +#kc-system-type { + color: #fff; + text-align: center; + text-transform: capitalize; + font-size: 1.8rem; +} +#kc-login-info-message { + max-width: 100%; + margin: auto; + line-height: 1.55; + background: var(--highlight-bg-color); + color: var(--text-default-color); + padding: 16px; + font-size: 1rem; + font-weight: 500; +} +@media (min-width: 768px) { + #kc-login-info-message { + max-width: 60%; + margin: auto; + } +} +#kc-content-wrapper { + display: flex; + justify-content: center; + flex-direction: column; +} +#kc-header { + margin-top: 0; + margin-bottom: 24px; +} +#kc-page-title { + text-align: center; + font-weight: 600; + color: var(--title-color); + padding-bottom: 4px; + font-size: 1.75em; +} +h1#kc-page-title { + margin-top: 24px; +} +#kc-form { + width: 100%; 
+} +#kc-form-buttons { + margin-top: 24px; + text-align: center; +} +#kc-form-options .checkbox { + display: none; +} +#kc-info { + margin-top: 0; + margin-bottom: 8px; + margin-left: 0; + margin-right: 0; + color: #777; +} +.card-pf { + background: #fff; + margin: 0 auto; + margin-bottom: 0px; + padding: 0 20px; + max-width: 420px; + border-top: 0; + box-shadow: 0 0 0; + padding: 0 40px 40px; + margin-top: 28px; + margin-bottom: 32px; +} +.card-pf form.form-actions .btn { + margin-bottom: 16px; +} diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico b/dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..62de3a266ec8c9991463b5d4bf230679a4ee71c3 GIT binary patch literal 4286 zcmeH~K~BOz6oy9^ZcL0yf(C(Nv=LbdmMG#vU3mhdCgN2*j^Yhmz`|3wGwwYBBz64% z!fOXZfdZCIAs^FDJM+EwW(q;6CA;Re0Z`lVj-~;epb8foYfNr+DJ`Fz@_X4(n@8$u|fd#%m*xby!Gva#K zIJ2KIyn=xka6XBjZq~(|Pp1woojKjpxpRB4|L=Xlxx}zdZ-o41O$I!h@Y7wnuSAWZ z3BOkd#sMras{Y~rx~;1XM;}WJhzWCzL+T(g%EYb(;Cn89)**TfW<0}={rtJ-g^i-6v;F<&=igrko=Y9% z{%P8NO+0_Pva7STeVskCd(>=gUzfafALjS=U^o`UUrI BO-%p* literal 0 HcmV?d00001 diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png new file mode 100644 index 0000000000000000000000000000000000000000..6f2d9d2aeb1c1461767988a042aae50492d454bc GIT binary patch literal 513 zcmV+c0{;DpP)pbFH`>7=NJimT8HPR1b>!7GRq%%D)H?|Wo% zC@Pq9$n!u*^5*>k`A#3+kZfF(`zJ152&b=J2><{9!0hZbO_;oR8NR%F9kLkE@5Z(} z|9X+Rqj^|(^f2UQ`B&qbstQ}zSHs@7Mx_7%0O*T*Sywa1;J+C|`oj73Q8;qyTvEs3fk{(-JWjQ|4!;N?Hk9Wu}T8~06?E)T~0nO z$|9aN^E2gq`rLgk&kqde>9h9ceYG2J7l(CKD-8eu0DaQs4ti*V_8>1|L40001@p8^a34>6V-IeVqb00000NkvXXu0mjf D@HyfE literal 0 HcmV?d00001 
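Review bot: Several rules carry duplicate or dead declarations that should be collapsed: `.login-pf-page` sets `background-color: var(--body-bg-color)` twice, `#kc-header-wrapper` sets `font-weight: 500` twice, `.card-pf` sets `margin-bottom` and `padding` twice each (only `margin-bottom: 32px` and `padding: 0 40px 40px` take effect), and the early `#kc-header { margin-top: 4em; }` is fully overridden by the later `#kc-header { margin-top: 0; margin-bottom: 24px; }`. In the `input[type="text"], input[type="password"]` rule the four `border-*-color: rgb(187, 187, 187)` lines repeat the colour already set by `border: 1px solid #bbb` and can be removed. `font-family: "Roboto"` is referenced but no `@font-face` or import appears in this file; if the font is fetched from a third-party host by the page template, that is an external request made from the login page and should be covered by the site's CSP and privacy review, or the font self-hosted under `resources/`.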
diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png new file mode 100644 index 0000000000000000000000000000000000000000..0dd500445d7249ddd1b1dea7dc79d5e2f75cf223 GIT binary patch literal 343 zcmV-d0jU0oP)Rb^f-HfiA|a#ZS&BN>m{U!Bf9XBlP=AUsPhep z0;u>nQCxb~G6c;4tOM)aDVebC2LF?__!*$Y%|S5$e;ZcIdR+o#XrlC>L#@3RFZO+y z4ac0_$8S?_3L#)o1cV>wsb|~_2qr}-{Xy0sk1ddFrS2NjYBy!#lv@hhf%T~P1a2ls zg9cR!$Y8{U0euD81vt(&PyxuVl0?xy+oT=qfZ( zU<;qzo;L~X{8Dl*OuQ;g6C?jcvTY4MH)UgY@3N+I%Y&B-aM#Gmz4*K9-@h9B>+j#Q z@1I{-{^;BJ=zrF!cK!}Pr!g=bh|HcT>Z=m}wDHmbyC0nDaV#gVm&uycGotW zpv;r|b9e9Fzj)!!_FHF``Wx|qb*+1{*5LE=)%xG0rlsBtdT?-dwR{mlor@ArQ!T)1>sQ|BRGRy6pUXk5Eq%Jj zt#hDSUl#1`1Hp4rtdp{v4HrVu6{1-oD!M}vd literal 0 HcmV?d00001 diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png new file mode 100644 index 0000000000000000000000000000000000000000..640bd71cab7bdfc7a8adcf28ffaf6db736a1c008 GIT binary patch literal 410 zcmeAS@N?(olHy`uVBq!ia0vp^f*{Pn1|+R>-G2comSQK*5Dp-y;YjHK@;M7UB8!3Q zuY)k7lg8`{prB-lYeY$Kep*R+Vo@qXd3m{BW?pu2a$-TMUVc&f>~}U&3=E9oo-U3d z7QI&|@AYC16lmSQ(|nzi6W2vA0hQiX{shsj9%4*QVx6m7=T11}S0g4pTOrBJ(L2zj zqqUbmAu&;Tnwis)`FE;yFXbH4TM_-V#F%}bS9C7N)nccy^_%s?ydQOE$UA=bQASGdP zUS5*^?Y}eFBd=Y%8?p303zx;a-hVOO%tz8T)jmnDmV3_E#n4nO@i}MX#=5_=rbOm! z*!s=OFZw-8%CQyiuZC^?Jc-4l;#4*gQu&X%Q~loCIB2_ BsrLW? literal 0 HcmV?d00001 
diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png new file mode 100644 index 0000000000000000000000000000000000000000..6f2d9d2aeb1c1461767988a042aae50492d454bc GIT binary patch literal 513 zcmV+c0{;DpP)pbFH`>7=NJimT8HPR1b>!7GRq%%D)H?|Wo% zC@Pq9$n!u*^5*>k`A#3+kZfF(`zJ152&b=J2><{9!0hZbO_;oR8NR%F9kLkE@5Z(} z|9X+Rqj^|(^f2UQ`B&qbstQ}zSHs@7Mx_7%0O*T*Sywa1;J+C|`oj73Q8;qyTvEs3fk{(-JWjQ|4!;N?Hk9Wu}T8~06?E)T~0nO z$|9aN^E2gq`rLgk&kqde>9h9ceYG2J7l(CKD-8eu0DaQs4ti*V_8>1|L40001@p8^a34>6V-IeVqb00000NkvXXu0mjf D@HyfE literal 0 HcmV?d00001 diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png new file mode 100644 index 0000000000000000000000000000000000000000..f9392a356fd3b383997c1ef289b48d02be96c351 GIT binary patch literal 646 zcmV;10(t$3P)5ebW)JIb`v2;&5sUEt7(pdR?_rqvF~(w z&wHPH?%{G}o6t%tD3-YcoIt#ZimsMn=fj5~SV}0ANdw)$JIs+vm8VEr5vY*RCc!0O zJeKiMnQmZjF~P}|ITC|_fPR3sChh|hh#}5v^?!j1No^OL5!{Yt{P|l#ojGW*>A`F% zG;=oe?E0{aNj(7$L<2hJOpDEg;c-0Uu3}QpfZdv9Yul(xOFAm{YCmuc7-<=Hz6#rb zwStWR%+Uk1dKH(KznaJbxtT_8h1rkY@F&AK;#}dXHiv>reL9ZVhZt;6c{&UPfawRU z3PX!QX+>?W8zy57-1{e1nf<%`Ip2$C{RJ2WP8EB!V*#i*Ll@AAxI)U6d9kg;Tft2N zvI|T#k_Ga${UDcC6K25hA)et;?S`pV)*0TbLbSFYPx%LC5OMf>LI(kYhG{MW?Gclt z?kz+j>;xV-pszlvScx&iWL1nHDUdjgc-@-yi~8Zf?-uKCu&$j zmGV@tHY^&3ufPQiVR|G&lMFKJqcV3b2BIPt0$RTQ1o3gEnU}InzE6h&(}7s>n+PkJ gT)C0w?I} + + + + + + + + + + + diff --git a/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl b/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl new file mode 100644 index 0000000..0225cf9 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl 
@@ -0,0 +1,42 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout displayInfo=true; section> + <#if section = "header" || section = "show-username"> + + <#if section = "header"> + ${msg("loginChooseAuthenticator")} + + <#elseif section = "form"> + +
+
+ <#list auth.authenticationSelections as authenticationSelection> +
+
+
+ +
+
+
+
+ ${msg('${authenticationSelection.displayName}')} +
+
+ ${msg('${authenticationSelection.helpText}')} +
+
+
+
+
+ + +
+
+ + + + diff --git a/dev/config/keycloak/themes/ltt/login/template.ftl b/dev/config/keycloak/themes/ltt/login/template.ftl new file mode 100644 index 0000000..042f887 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/template.ftl @@ -0,0 +1,159 @@ +<#macro registrationLayout bodyClass="" displayInfo=false displayMessage=true displayRequiredFields=false> + + lang="${locale.currentLanguageTag}"> + + + + + + + <#if properties.meta?has_content> + <#list properties.meta?split(' ') as meta> + + + + ${msg("loginTitle",(realm.displayName!''))} + + <#if properties.stylesCommon?has_content> + <#list properties.stylesCommon?split(' ') as style> + + + + <#if properties.styles?has_content> + <#list properties.styles?split(' ') as style> + + + + <#if properties.scripts?has_content> + <#list properties.scripts?split(' ') as script> + + + + <#if scripts??> + <#list scripts as script> + + + + + +
+ +
+
+ <#if properties.systemType?has_content> +
${kcSanitize(msg("systemType", properties.systemType))?no_esc}
+ + <#if properties.loginInfoMessage?has_content> +
${kcSanitize(properties.loginInfoMessage)?no_esc}
+ +
+
+
+ <#if realm.internationalizationEnabled && locale.supported?size gt 1> +
+
+
+ ${locale.current} +
    + <#list locale.supported as l> +
  • + ${l.label} +
  • + +
+
+
+
+ + <#if !(auth?has_content && auth.showUsername() && !auth.showResetCredentials())> + <#if displayRequiredFields> +
+
+ * ${msg("requiredFields")} +
+
+

<#nested "header">

+
+
+ <#else> +

<#nested "header">

+ + <#else> + <#if displayRequiredFields> +
+
+ * ${msg("requiredFields")} +
+
+ <#nested "show-username"> +
+ + + + +
+
+
+ <#else> + <#nested "show-username"> +
+ + + + +
+ + +
+
+ + <#-- App-initiated actions should not see warning messages about the need to complete the action --> + <#-- during login. --> + <#if displayMessage && message?has_content && (message.type != 'warning' || !isAppInitiatedAction??)> +
+
+ <#if message.type = 'success'> + <#if message.type = 'warning'> + <#if message.type = 'error'> + <#if message.type = 'info'> +
+ ${kcSanitize(message.summary)?no_esc} +
+ + + <#nested "form"> + + <#if auth?has_content && auth.showTryAnotherWayLink()> +
+ +
+ + + <#nested "socialProviders"> + + <#if displayInfo> +
+
+ <#nested "info"> +
+
+ +
+
+
+
+ + + diff --git a/dev/config/keycloak/themes/ltt/login/theme.properties b/dev/config/keycloak/themes/ltt/login/theme.properties new file mode 100644 index 0000000..00fe026 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/theme.properties @@ -0,0 +1,6 @@ +parent=keycloak +import=common/keycloak +systemType=${env.__KEYCLOAK_SYSTEM_TYPE:} +loginInfoMessage=${env.__KEYCLOAK_LOGIN_INFO_MESSAGE:} +styles=css/login.css css/styles.css + diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index 060d70c..0aff0d3 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml 
@@ -66,6 +66,90 @@ services: aliases: - fhir-internal + keycloak: + # use tini as init + init: true + image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG:-22.0} + labels: + - traefik.enable=true + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.rule=Host(`keycloak.${BASE_DOMAIN}`) + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.tls=true + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + command: + # https://www.keycloak.org/server/importExport#_importing_a_realm_during_startup + # recent Keycloak releases do not allow importing the master realm on startup; use old properties as workaround + # https://github.com/keycloak/keycloak/issues/12544#issuecomment-1191846726 + - -Dkeycloak.migration.action=import + - -Dkeycloak.migration.provider=dir + - -Dkeycloak.migration.dir=/opt/keycloak/data/import + - -Dkeycloak.migration.strategy=IGNORE_EXISTING + - -Dkeycloak.migration.replace-placeholders=true + - start + - --log-console-output=json + environment: + # https://www.keycloak.org/server/all-config + KC_DB: postgres + KC_DB_URL_HOST: db + KC_DB_USERNAME: postgres + KC_DB_PASSWORD: postgres + + # https://www.keycloak.org/server/reverseproxy + KC_PROXY: edge + # trust traefik Host header validation + KC_HOSTNAME_STRICT: "false" + + KEYCLOAK_ADMIN: admin + KEYCLOAK_ADMIN_PASSWORD: admin + + KEYCLOAK_CPRO_BACKCHANNEL_LOGOUT_URL: https://${BASE_DOMAIN}/auth/oidc/logoutCallback + KEYCLOAK_SHL_CREATOR_BASE: https://shl-creator.${BASE_DOMAIN} + KEYCLOAK_SHL_CREATOR_LOGOUT_REDIRECT_URL: https://${BASE_DOMAIN}/users + + env_file: + - keycloak.env + volumes: + - ./config/keycloak/import/:/opt/keycloak/data/import:ro + - ./config/keycloak/themes/:/opt/keycloak/themes:ro + depends_on: + - db + networks: + - ingress + - internal + + fhir-auth: + image: ghcr.io/uwcirg/jwt-proxy:${PROXY_IMAGE_TAG:-latest} + env_file: + fhir-auth.env + environment: + 
UPSTREAM_SERVER: http://fhir-internal:8080 + OIDC_AUTHORIZE_URL: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/auth + OIDC_TOKEN_URI: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/token + OIDC_TOKEN_INTROSPECTION_URI: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/token/introspect + JWKS_URL: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/certs + PATH_WHITELIST: /fhir/metadata,/fhir/.well-known/smart-configuration + labels: + - traefik.enable=true + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`fhir-auth.${BASE_DOMAIN}`) + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.tls=true + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + # TODO review if necessary for shl-creator service in same deploy + # add CORS middleware, configured to return `Access-Control-Allow-Origin: *` + # NB accessControlAllowOrigin is deprecated, but not noted in docs + # https://github.com/traefik/traefik/issues/8796 + - traefik.http.middlewares.fhir-auth-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowOriginList=* + # allow all verbs used by FHIR REST + - traefik.http.middlewares.fhir-auth-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowMethods=HEAD,GET,OPTIONS,PATCH,POST,PUT,DELETE + - traefik.http.middlewares.fhir-auth-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowHeaders=Authorization,Origin,Content-Type,Accept,Cache-Control + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.middlewares=fhir-auth-${COMPOSE_PROJECT_NAME}-cors + depends_on: + - fhir + networks: + - ingress + - internal + shl-creator: image: ghcr.io/uwcirg/shl-ips:${SHL_IPS_IMAGE_TAG:-latest} environment: diff --git a/dev/fhir-auth.env.default b/dev/fhir-auth.env.default new file mode 100644 index 0000000..c3602c3 --- /dev/null +++ b/dev/fhir-auth.env.default 
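Review bot: `KC_DB_PASSWORD: postgres` and `KEYCLOAK_ADMIN_PASSWORD: admin` are committed as literals in the keycloak service's `environment`, even though the same hunk wires `keycloak.env` in through `env_file` and the commit adds `keycloak.env.default` as the template for that file. Moving both into the template (`KC_DB_PASSWORD=` and `KEYCLOAK_ADMIN_PASSWORD=` next to `KEYCLOAK_LTT_CPRO_CLIENT_SECRET=`) keeps the real values out of the compose file, or the compose entries can require them at interpolation time with `KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?set in .env}` so a missing value stops `docker-compose up` instead of bringing the admin account up with a known default. `KC_HOSTNAME_STRICT: "false"` is justified only by `# trust traefik Host header validation`; since the Traefik rule already pins `keycloak.${BASE_DOMAIN}`, `KC_HOSTNAME: keycloak.${BASE_DOMAIN}` expresses the same intent without letting Keycloak derive issuer URLs from whatever Host header reaches it, assuming this image version honours that option. The fhir-auth CORS middleware allows origin `*` while also allowing the `Authorization` header; the TODO already questions whether it is needed, and if shl-creator is the only browser caller then `https://shl-creator.${BASE_DOMAIN}` is the narrower `accessControlAllowOriginList` value. `KEYCLOAK_IMAGE_TAG` is interpolated here but is not listed among the `#..._IMAGE_TAG=` overrides that `dev/default.env` documents for the other images.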
@@ -0,0 +1,8 @@
+# Example docker-compose environment file
+# Copy to fhir-auth.env and modify as necessary
+# https://docs.docker.com/compose/env-file/
+
+# Variables defined in this file will only be available to containers/images
+# ie not for interpolation in docker-compose YAML files
+
+SECRET_KEY=
diff --git a/dev/keycloak.env.default b/dev/keycloak.env.default
new file mode 100644
index 0000000..4bbffea
--- /dev/null
+++ b/dev/keycloak.env.default
@@ -0,0 +1,11 @@
+# Example docker-compose environment file
+# Copy to keycloak.env and modify as necessary
+# https://docs.docker.com/compose/env-file/
+
+# Variables defined in this file will only be available to containers/images
+# ie not for interpolation in docker-compose YAML files
+
+# KEYCLOAK_EMAIL_USER=
+# KEYCLOAK_EMAIL_PASSWORD=
+# must match OIDC_CLIENT_SECRET in cpro.env
+KEYCLOAK_LTT_CPRO_CLIENT_SECRET=
From 9203f3df325dd8294603bc029063ee48f305eb58 Mon Sep 17 00:00:00 2001
From: Daniel Lorigan
Date: Mon, 16 Sep 2024 11:35:10 -0700
Subject: [PATCH 04/16] Initial port of shl components from Let's Talk Tech
---
 .gitignore => dev/.gitignore | 0
 dev/config/{hapi => fhir}/application.yaml | 0
 dev/default.env | 9 +++++----
 dev/docker-compose.yaml | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)
 rename .gitignore => dev/.gitignore (100%)
 rename dev/config/{hapi => fhir}/application.yaml (100%)
diff --git a/.gitignore b/dev/.gitignore
similarity index 100%
rename from .gitignore
rename to dev/.gitignore
diff --git a/dev/config/hapi/application.yaml b/dev/config/fhir/application.yaml
similarity index 100%
rename from dev/config/hapi/application.yaml
rename to dev/config/fhir/application.yaml
diff --git a/dev/default.env b/dev/default.env
index 3fddcd1..868bf58 100644
--- a/dev/default.env
+++ b/dev/default.env
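Review bot: `SECRET_KEY=` in `fhir-auth.env.default` is the only non-comment line in that file and carries no hint that it must be filled, so a `cp fhir-auth.env.default fhir-auth.env` done as the header comment suggests starts the jwt-proxy with an empty `SECRET_KEY` unless the image itself refuses it, which this page does not show. A comment above it along the lines of `# required: set to a long random value before starting fhir-auth; do not leave empty` makes the expectation explicit, matching the `# must match OIDC_CLIENT_SECRET in cpro.env` note in the `keycloak.env.default` hunk. That keycloak note could in turn say where the value is consumed: the compose hunk starts Keycloak with `-Dkeycloak.migration.replace-placeholders=true`, which suggests the realm import substitutes `KEYCLOAK_LTT_CPRO_CLIENT_SECRET` at startup, so an empty value would presumably be imported as the client secret — worth a sentence such as `# substituted into the realm import on startup; an empty value is imported as-is`.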
@@ -3,17 +3,18 @@ # https://docs.docker.com/compose/environment-variables/#the-env-file # environmental variables for interpolation in docker-compose YAML files -# BASE_DOMAIN=localtest.me +BASE_DOMAIN=localtest.me # https://docs.docker.com/compose/reference/envvars/#compose_project_name # Containers started with the below value will have their names prefixed with it # Required on shared infrastructure # Choose something unique to the docker host, eg ${INSTANCE_ID}-dev-${USER} -COMPOSE_PROJECT_NAME= +COMPOSE_PROJECT_NAME= # docker image tag overrides; override default image tag with given image tag - #FHIR_IMAGE_TAG= - #POSTGRES_IMAGE_TAG= +#SHL_CREATOR_IMAGE_TAG= +#SHL_SERVER_IMAGE_TAG= +#PROXY_IMAGE_TAG= diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index a5e7cb7..43f7b29 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml @@ -57,7 +57,7 @@ services: # Hapi does not EXPOSE the ports it listens on, requiring explicit traefik configuration - "traefik.http.services.fhir-${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=8080" volumes: - - "./config/hapi/application.yaml:/opt/application.yaml:ro" + - "./config/fhir/application.yaml:/opt/application.yaml:ro" depends_on: - db networks: From b5695f7d1af98f600d9cc496bef0893732a312c0 Mon Sep 17 00:00:00 2001 
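Review bot: The override list drops `#FHIR_IMAGE_TAG=` and `#POSTGRES_IMAGE_TAG=` while the second hunk of this patch still edits the `fhir` service in `dev/docker-compose.yaml` (its volume path and Traefik labels), so if `fhir` and `db` still interpolate those tags the removed lines should stay so that every image-tag override is visible in one place. `BASE_DOMAIN=localtest.me` changes from a commented example to an active default and `COMPOSE_PROJECT_NAME=` is rewritten without a visible change, presumably whitespace; if the latter is intentional, a short commit-message mention would save the next reader from hunting for the difference.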
From: Daniel Lorigan Date: Mon, 16 Sep 2024 11:46:16 -0700 Subject: [PATCH 05/16] Add LTT keycloak and fhir-proxy components --- dev/config/keycloak/import/ltt-realm.json | 1600 ++++++++++++++++ dev/config/keycloak/import/ltt-users-0.json | 63 + dev/config/keycloak/import/master-realm.json | 1700 +++++++++++++++++ .../ltt/email/messages/messages_en.properties | 54 + .../themes/ltt/email/theme.properties | 2 + .../ltt/login/login-config-totp-text.ftl | 31 + .../ltt/login/login-update-password.ftl | 45 + .../themes/ltt/login/login-update-profile.ftl | 61 + .../themes/ltt/login/login-username.ftl | 60 + .../login/login-verify-email-code-text.ftl | 2 + .../themes/ltt/login/login-verify-email.ftl | 13 + .../keycloak/themes/ltt/login/login.ftl | 107 ++ .../ltt/login/messages/messages_en.properties | 442 +++++ .../ltt/login/register-user-profile.ftl | 74 + .../keycloak/themes/ltt/login/register.ftl | 88 + .../themes/ltt/login/resources/css/styles.css | 384 ++++ .../ltt/login/resources/img/favicon.ico | Bin 0 -> 4286 bytes .../img/feedback-error-arrow-down.png | Bin 0 -> 513 bytes .../resources/img/feedback-error-sign.png | Bin 0 -> 343 bytes .../img/feedback-success-arrow-down.png | Bin 0 -> 678 bytes .../resources/img/feedback-success-sign.png | Bin 0 -> 410 bytes .../img/feedback-warning-arrow-down.png | Bin 0 -> 513 bytes .../resources/img/feedback-warning-sign.png | Bin 0 -> 646 bytes .../themes/ltt/login/resources/img/logo.svg | 12 + .../themes/ltt/login/select-authenticator.ftl | 42 + .../keycloak/themes/ltt/login/template.ftl | 159 ++ .../themes/ltt/login/theme.properties | 6 + dev/docker-compose.yaml | 84 + dev/fhir-auth.env.default | 8 + dev/keycloak.env.default | 11 + 30 files changed, 5048 insertions(+) create mode 100644 dev/config/keycloak/import/ltt-realm.json create mode 100644 dev/config/keycloak/import/ltt-users-0.json create mode 100644 dev/config/keycloak/import/master-realm.json create mode 100644 
dev/config/keycloak/themes/ltt/email/messages/messages_en.properties create mode 100644 dev/config/keycloak/themes/ltt/email/theme.properties create mode 100644 dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-update-password.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-update-profile.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-username.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login-verify-email.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/login.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/messages/messages_en.properties create mode 100644 dev/config/keycloak/themes/ltt/login/register-user-profile.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/register.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/resources/css/styles.css create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-arrow-down.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png create mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/logo.svg create mode 100644 dev/config/keycloak/themes/ltt/login/select-authenticator.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/template.ftl create mode 100644 dev/config/keycloak/themes/ltt/login/theme.properties create 
mode 100644 dev/fhir-auth.env.default create mode 100644 dev/keycloak.env.default diff --git a/dev/config/keycloak/import/ltt-realm.json b/dev/config/keycloak/import/ltt-realm.json new file mode 100644 index 0000000..b9bb5ac --- /dev/null +++ b/dev/config/keycloak/import/ltt-realm.json 
@@ -0,0 +1,1600 @@ +{ + "id": "25facb13-fdb5-46cd-b66d-fa9305652f1a", + "realm": "ltt", + "displayName": "Let's Talk Tech", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 14400, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": true, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": true, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "defaultRole": { + "id": "0f25599f-05d1-4859-895d-e097d2b8bc4d", + "name": "default-roles-ltt", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a" + }, + "roles": { + "realm": [ + { + "id": "5614c921-f5f1-44b8-a04a-fc3b06dec10f", + "name": "staff-realm-role", + "description": "realm-specific staff role", + "composite": false, + "clientRole": false, 
+ "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a", + "attributes": {} + }, + { + "id": "5614c921-f5f1-44b8-a04a-fc3b06dec10g", + "name": "patient-realm-role", + "description": "realm-specific patient role", + "composite": false, + "clientRole": false, + "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a", + "attributes": {} + } + ] + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "passwordPolicy": "length(8) and upperCase(1) and lowerCase(1) and digits(1) and passwordHistory(3)", + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "scopeMappings": [ + { + 
"clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clients": [ + { + "id": "a9925af1-4dcb-4791-bb2d-0087758b8f18", + "clientId": "shl_creator", + "name": "SMART Health Links Creator", + "description": "", + "rootUrl": "${KEYCLOAK_SHL_CREATOR_BASE}", + "adminUrl": "", + "baseUrl": "${KEYCLOAK_SHL_CREATOR_BASE}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "${KEYCLOAK_SHL_CREATOR_BASE}/share" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false", + "frontchannel.logout.url": "${KEYCLOAK_SHL_CREATOR_BASE}/logout", + "backchannel.logout.url": "", + "post.logout.redirect.uris": "${KEYCLOAK_CPRO_LANDING_PAGE}" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "launch", + "offline_access", + "online_access", + "patient/*.read", + "microprofile-jwt" + ] + }, + { + "clientId": "ltt_cpro", + "name": "cPRO Let's Talk Tech", + "description": "cPRO configured as inform project", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "${KEYCLOAK_LTT_CPRO_CLIENT_SECRET}", + "redirectUris": [ + "*" + ], + "webOrigins": [ 
+ ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1703195110", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false", + "backchannel.logout.url": "${KEYCLOAK_CPRO_BACKCHANNEL_LOGOUT_URL}", + "post.logout.redirect.uris": "+", + "display.on.consent.screen": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } + } + ], + "clientScopes": [ + { + "id": "a972497d-27bb-4896-9002-575a23aac264", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "784d5a9a-e4a4-4728-9ac5-473cee4e8f38", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "6233b1ca-1387-4c2b-ba15-08baca2e8526", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + 
"consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "9165efea-0c4c-4e59-a560-0ba79586acd3", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "54469bf3-8a4a-4d7f-ac15-567be2af871c", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "ffd6e8be-fa9c-45db-8c25-8286fa4d2c36", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "c65a2ce4-e983-4109-b9df-82f73552b737", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "b1a46bef-7912-4ea4-acd9-b06c07ee8b33", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "b1a46bef-7912-4ea4-acd9-b06c07ee8b34", + "name": "online_access", + "description": "OpenID Connect 
built-in scope: online_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${onlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "dbbeab4e-2685-4f20-bfba-c0472c46922b", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "d5d73b1e-bb7c-42f2-a3f4-de9f6893c974", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "4b636bf7-de44-44ac-99f2-5b29086cd7c1", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "18295a0a-daaf-448d-8793-cb39b36703cd", + "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", + "name": "patient/*.read", + "description": "SoF: Read all data for launch patient", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + } + }, + { + "id": "78ad99cd-c336-42ed-a55a-ddbe6119c928", + "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", + "name": "launch", + "description": "SoF: launch token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + } + }, + { + "id": "0e57bc1e-d2a9-4580-ad49-863c2ce868ac", + "name": 
"web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "df8de33c-3b45-461c-9f44-b59eff0d412d", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "d51c4fc8-1065-4f50-bfad-bfa5048077a2", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "88b4607d-87cf-41be-a66c-d34d20f4e12e", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "21cb6b13-08b7-4d36-b515-97c83d56ad96", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "76c736da-2c61-4444-b39f-349a64aee528", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "e0f6830b-794d-4166-a905-4e050cc8a4c1", + "name": 
"birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "dbecf4fa-47ac-49b4-b08f-a0794e40a5cc", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "7005f4a5-6e10-4591-af3d-9be8d22b692a", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "a45e6212-dbad-4e3e-845d-cff7d054b695", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "83fcc140-2b4b-4b1e-993e-4b088878bf94", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "3fed8da8-02ae-457f-9b98-95bc8ecc4497", + "name": 
"username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "85ba9aae-c581-4151-b22a-d71070937b31", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "6541f6c8-7719-4e05-b2ff-181548fda2cd", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "226be08d-3913-4b5e-89e6-d4a0ee0e57a4", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "da095466-4d1c-4fdf-a19c-8062a4e6081d", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "ea9b4c39-055d-494b-a6d2-2fa6d238ba94", + "name": "picture", + 
"protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "db9c2c49-23e3-4b34-af26-e92e6afd00fa", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "679636f1-dc0c-4d22-8da0-88982a3aebbb", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "85417b6b-d5ce-465b-ae88-deb8c1270889", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "b70b144d-acd9-4a74-a2a2-5180c9915347", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "c5b05448-c849-4f0a-ab39-76c2d556e6df", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + 
"attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "7529440e-912d-460e-9acc-5e6d4ec8535a", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "d4d27f0d-0a90-4071-8d89-c40fee4c4d25", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "a56c6a78-77b3-4f5e-9a88-8890f00f5084", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "108d221e-418e-41e3-82e7-8f84a2c96e6c", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "online_access", + "launch", + "patient/*.read", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + 
"xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": { + "replyToDisplayName": "CIRG Support", + "starttls": "true", + "auth": "true", + "envelopeFrom": "support@cirg.washington.edu", + "ssl": "false", + "port": "587", + "host": "mail.cirg.washington.edu", + "replyTo": "cirghelp@uw.edu", + "from": "noreply@cirg.washington.edu", + "fromDisplayName": "CIRG Support", + "user": "${KEYCLOAK_EMAIL_USER}", + "password": "${KEYCLOAK_EMAIL_PASSWORD}" + }, + "loginTheme": "ltt", + "emailTheme": "ltt", + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "82a34186-fa1a-47bf-b7b8-114e7b59669e", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "4ac932e4-863f-4f8e-b46f-e2b0b50f6b13", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "92671c84-f260-4618-b5f5-240433465e02", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "83202741-1122-4207-85b6-c2f6af40ae30", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-full-name-mapper", + "saml-user-property-mapper", + "oidc-address-mapper", + 
"oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper" + ] + } + }, + { + "id": "d636a75a-cdd0-4730-ae36-969ca632579c", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "58e0bbc1-8586-44f3-a29a-87d03272bbb8", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "6e5106ae-d399-41c7-ab1d-2b8aa411d6f5", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "1ce2a26b-d410-48eb-a23a-c571a2629b0f", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-attribute-mapper", + "oidc-full-name-mapper" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "6e11d956-96f6-4307-8ae5-818f43772fde", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "c7582004-92ce-467e-9434-6d78d453e673", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "bce684a7-4307-46d1-9066-e9e6a688e363", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + 
"config": { + "priority": [ + "100" + ] + } + }, + { + "id": "da6cf182-6241-4346-9747-85d31b2b71b5", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "299d32a1-8433-412c-a6cd-b2787543d2a5", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "requirement": "ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "4062c512-4b86-43e1-8d09-91fed41f5aa4", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "bfa3f5d0-3679-4035-acad-75eb79fd8f10", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, 
+ "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "574792e7-d619-4956-8273-a7ab11209c22", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "470d681a-0cd5-4d9b-914a-aa592fcebad5", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "1be37090-9ace-4f53-8821-834d8a3f7fa0", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "60ad8099-96de-49bc-abf7-68348b8e5cfd", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "requirement": "ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "e91991e7-4e77-42a0-a4e6-b381745e8465", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "CONDITIONAL", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "5dfa29dd-926e-45e5-9c04-a03fe7411bc9", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "requirement": 
"ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "requirement": "DISABLED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "requirement": "ALTERNATIVE", + "priority": 25, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "ALTERNATIVE", + "priority": 30, + "authenticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "f4ecdcf1-3bc2-4763-b1a1-ccff11b61b85", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "requirement": "ALTERNATIVE", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "requirement": "ALTERNATIVE", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "requirement": "ALTERNATIVE", + "priority": 30, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "requirement": "ALTERNATIVE", + "priority": 40, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6ae32f11-e8af-4769-9da7-0121b714106b", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": 
"CONDITIONAL", + "priority": 30, + "authenticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "3cac0a9c-51aa-470f-bee4-97790cd8320a", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "0cd46511-9781-491f-85f4-a76509925d86", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "01656bb2-3871-41e3-bc71-b6b0060d4a60", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "CONDITIONAL", + "priority": 20, + "authenticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "2335a0d6-3f6b-4584-b88b-b0aaeeea218d", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + 
"topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "4c69f335-8ed1-464a-8665-df946a6178c3", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "requirement": "REQUIRED", + "priority": 40, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "requirement": "REQUIRED", + "priority": 50, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "requirement": "DISABLED", + "priority": 60, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "4ec56626-57b5-42d2-9903-97f65feb24d7", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "requirement": "REQUIRED", + "priority": 20, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "requirement": "REQUIRED", + "priority": 30, + "authenticatorFlow": false, + "userSetupAllowed": false + }, + { + "requirement": "CONDITIONAL", + "priority": 40, + "authenticatorFlow": true, + 
"flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "d3d0b313-b2de-4fba-88aa-8042681f7eb3", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "requirement": "REQUIRED", + "priority": 10, + "authenticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "a7b3366e-488c-47a0-a6f4-0433e6ff820d", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "3033574d-ae62-456e-a325-aa6f7d026a1c", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": 
"Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "22.0.5", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} diff --git a/dev/config/keycloak/import/ltt-users-0.json b/dev/config/keycloak/import/ltt-users-0.json new file mode 100644 index 0000000..7a04804 --- /dev/null +++ b/dev/config/keycloak/import/ltt-users-0.json 
@@ -0,0 +1,63 @@
+{
+ "realm": "ltt",
+ "users": [
+ {
+ "id": "ltt-test-user",
+ "createdTimestamp": 1709134971000,
+ "username": "test",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": true,
+ "firstName": "FirstName",
+ "lastName": "LastName",
+ "email": "test@test.test",
+ "credentials": [
+ {
+ "id": "ltt-test-user-password",
+ "type": "password",
+ "createdDate": 1709134971000,
+ "secretData": "{\"value\":\"7Vmr6+Io+gJJrH+EOcmOJXshJ0tMI5x0rQ1wkCYgSCA=\",\"salt\":\"LR0DSOi5850zn9tNFYS1uw==\",\"additionalParameters\":{}}",
+ "userLabel": "test user password is set to \"test\"",
+ "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ }
+ ],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-ltt",
+ "patient-realm-role"
+ ],
+ "notBefore": 0,
+ "groups": []
+ },
+ {
+ "id": "ltt-staff-user",
+ "createdTimestamp": 1709134971000,
+ "username": "staff",
+ "enabled": true,
+ "totp": false,
+ "emailVerified": true,
+ "firstName": "Test",
+ "lastName": "Staff",
+ "email": "stafftest@test.test",
+ "credentials": [
+ {
+ "id": "ltt-staff-user-password",
+ "type": "password",
+ "createdDate": 1709134971000,
+ "secretData" : "{\"value\":\"86AHPCF6rK9rndTfdST1Ijn4XQ6xC4/uoa3Q0S0O5nE=\",\"salt\":\"veo4rv2pmuiMhWcJgJmw7A==\",\"additionalParameters\":{}}",
+ "userLabel": "staff test user password is set to \"staff\"",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ }
+ ],
+ "disableableCredentialTypes": [],
+ "requiredActions": [],
+ "realmRoles": [
+ "default-roles-ltt",
+ "staff-realm-role"
+ ],
+ "notBefore": 0,
+ "groups": []
+ }
+ ]
+}
diff --git a/dev/config/keycloak/import/master-realm.json b/dev/config/keycloak/import/master-realm.json
new file mode 100644
index 0000000..ca03b50
--- /dev/null
+++ b/dev/config/keycloak/import/master-realm.json
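Review bot: The `test` and `staff` accounts are imported with their passwords spelled out in clear text in the `userLabel` fields and with `requiredActions` empty and `emailVerified` true, so anyone who can read this repository holds a working `staff-realm-role` login wherever this import directory is mounted. Nothing in the hunk itself limits the import to development; the `dev/config` path suggests that intent, but the Keycloak service that mounts the directory is outside this hunk, so I cannot confirm the guard. A cheap mitigation that still keeps the fixture usable is to force a password change on first use of the privileged account, `"requiredActions": ["UPDATE_PASSWORD"],`, and to state in the README that these users must never be imported into a shared realm. As a point of style, the second user writes `"secretData" : ` and `"credentialData" : ` while the first writes `"secretData": `; `"secretData": ` throughout keeps the file consistent.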
@@ -0,0 +1,1700 @@ +{ + "id" : "bf148246-082e-43e8-9e3b-c1e399823627", + "realm" : "master", + "displayName" : "Keycloak", + "displayNameHtml" : "
Keycloak
", + "notBefore" : 0, + "defaultSignatureAlgorithm" : "RS256", + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 60, + "accessTokenLifespanForImplicitFlow" : 900, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "clientSessionIdleTimeout" : 0, + "clientSessionMaxLifespan" : 0, + "clientOfflineSessionIdleTimeout" : 0, + "clientOfflineSessionMaxLifespan" : 0, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "oauth2DeviceCodeLifespan" : 600, + "oauth2DevicePollingInterval" : 5, + "enabled" : true, + "sslRequired" : "external", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "bd1c59d9-0ef0-4714-81da-65c297b27585", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + }, { + "id" : "b2d199f9-585c-4349-98cf-74ff70b46c6f", + "name" : "create-realm", + "description" : "${role_create-realm}", + "composite" : false, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" 
: { } + }, { + "id" : "c246e22b-e14a-436b-a855-9117d65e4134", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + }, { + "id" : "34b5994b-00c2-4101-bceb-b8cd19cfb04c", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { + "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "account" : [ "view-profile", "manage-account" ] + } + }, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + }, { + "id" : "ca023182-507f-40ab-a485-c370f86915a1", + "name" : "admin", + "description" : "${role_admin}", + "composite" : true, + "composites" : { + "realm" : [ "create-realm" ], + "client" : { + "master-realm" : [ "view-authorization", "manage-identity-providers", "manage-clients", "impersonation", "manage-events", "query-users", "view-users", "manage-authorization", "create-client", "view-events", "query-realms", "query-groups", "manage-realm", "view-clients", "view-identity-providers", "query-clients", "view-realm", "manage-users" ] + } + }, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627", + "attributes" : { } + } ], + "client" : { + "security-admin-console" : [ ], + "admin-cli" : [ ], + "account-console" : [ ], + "broker" : [ { + "id" : "c0e46245-6010-4c00-9b73-d7145a20c5f3", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "932417da-7a72-4bb8-8836-e1c9b64526ce", + "attributes" : { } + } ], + "master-realm" : [ { + "id" : "0c17c557-54b8-44ef-99d7-3b2cc1245dc1", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { 
+ "id" : "9ca1421f-434e-43f0-94fd-5da73bb0fa7f", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "1ce42525-c0a0-4dac-9bf0-3c947396b9aa", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "de99c1b3-1654-41e8-855f-33d94f593aaf", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "9c41db58-b380-4082-8dc7-14c3e3162073", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "68a54e9c-b03c-412e-8d24-9b82de3220fa", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "16df2f5c-9beb-42ed-ae98-b91ea739a492", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "878382c9-8ef1-4c76-a18a-89110574f193", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-users", "query-groups" ] + } + }, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "a12398cf-2b41-4eef-ac16-5c04a1a6c157", + "name" : "create-client", + "description" : "${role_create-client}", + 
"composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "da457643-aca5-492a-a878-05876ebc1032", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "a5b5a720-7e19-4378-b5ef-e60c67dea418", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "c9631788-9a30-4091-b19b-7b76ea1b588c", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "7daca9a3-ac85-4004-ba93-4c9477f54646", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "b53eea8b-f6b9-4a57-a81b-63ef2f8a5b0a", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "5f55e361-f85f-4e2f-afa7-d66c2545b6ac", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "d296966c-3d65-49b8-aec0-8b078c6695c9", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : 
"ac85b330-5453-429f-8b9c-81d57ceadd2e", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + }, { + "id" : "99c14f45-e293-4692-9f95-96a5010f64b2", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "attributes" : { } + } ], + "account" : [ { + "id" : "35a871a2-1d72-4be0-988b-180a2bb22d56", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "3b34c792-84be-4343-ba37-e65dcf959f59", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "08fcbd38-57ff-447e-a285-c3e8e9c4bb5c", + "name" : "view-applications", + "description" : "${role_view-applications}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "34de8823-81de-4eca-a5d9-2540f171adc3", + "name" : "view-consent", + "description" : "${role_view-consent}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "e5c327d6-14fe-45c2-9f22-b16058112efe", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "1746f760-af52-48ba-9857-c2d5069428c3", + "name" : "delete-account", + "description" : "${role_delete-account}", + 
"composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "4f8f8bcf-a4d9-4a2d-94d9-c3da1776d467", + "name" : "manage-consent", + "description" : "${role_manage-consent}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "view-consent" ] + } + }, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + }, { + "id" : "9bc08f66-0b30-44aa-8a67-f85b7efaf797", + "name" : "view-groups", + "description" : "${role_view-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "attributes" : { } + } ] + } + }, + "groups" : [ ], + "defaultRole" : { + "id" : "34b5994b-00c2-4101-bceb-b8cd19cfb04c", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "clientRole" : false, + "containerId" : "bf148246-082e-43e8-9e3b-c1e399823627" + }, + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpPolicyCodeReusable" : false, + "otpSupportedApplications" : [ "totpAppMicrosoftAuthenticatorName", "totpAppFreeOTPName", "totpAppGoogleName" ], + "webAuthnPolicyRpEntityName" : "keycloak", + "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyRpId" : "", + "webAuthnPolicyAttestationConveyancePreference" : "not specified", + "webAuthnPolicyAuthenticatorAttachment" : "not specified", + "webAuthnPolicyRequireResidentKey" : "not specified", + "webAuthnPolicyUserVerificationRequirement" : "not specified", + "webAuthnPolicyCreateTimeout" : 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyAcceptableAaguids" : [ ], + "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" 
], + "webAuthnPolicyPasswordlessRpId" : "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", + "webAuthnPolicyPasswordlessCreateTimeout" : 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], + "scopeMappings" : [ { + "clientScope" : "offline_access", + "roles" : [ "offline_access" ] + } ], + "clientScopeMappings" : { + "account" : [ { + "client" : "account-console", + "roles" : [ "manage-account", "view-groups" ] + } ] + }, + "clients" : [ { + "id" : "2ab02397-212e-4fda-b16e-64413f693fa5", + "clientId" : "account", + "name" : "${client_account}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/master/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/realms/master/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "4bb6740c-a942-4ddc-9b0f-f4c3a0fe30fc", + "clientId" : "account-console", + "name" : "${client_account-console}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : 
"/realms/master/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/realms/master/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "d5da2d64-c511-483d-9c73-95ead62d33fe", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "4a0396f1-4ae1-4307-82f8-de89cefe992f", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + 
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "932417da-7a72-4bb8-8836-e1c9b64526ce", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "e527914b-d8b4-48c8-81dc-d2182950495d", + "clientId" : "master-realm", + "name" : "master Realm", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "bcd5bb30-f743-4eb8-894e-ee9e48415e55", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", 
+ "rootUrl" : "${authAdminUrl}", + "baseUrl" : "/admin/master/console/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/admin/master/console/*" ], + "webOrigins" : [ "+" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "017bd632-74b3-4dad-8c39-8184a45c61c9", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "0f4694e1-0798-428d-afef-66036648df97", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${profileScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "c99595b0-0d51-43dc-bb15-d42a77132f45", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + 
"userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "38a5ff62-8d59-4918-b619-dd7a50997220", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "4abe1937-3cb8-4b89-a83c-44919bfeedd2", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "cc879427-c108-4a83-b208-8d3226eabb72", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "6fdecd5b-4729-41d1-b51c-a28ebe70ec15", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + }, { + "id" : "4b0c2789-0bc1-4df5-af71-5f1563e588b7", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : 
"middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + }, { + "id" : "bc3b7c18-b5ba-4a89-97fa-4e33674557f2", + "name" : "birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "a373f791-6ab7-43f9-be30-bf190db98c6c", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + }, { + "id" : "efae57ce-94fc-41a2-bc41-17bff0435af3", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "long" + } + }, { + "id" : "a0e665eb-56d2-49a6-9e54-94569c4eb1a1", + "name" : "gender", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + "jsonType.label" : "String" + } + }, { + "id" : "409a253e-2696-49c1-91b0-bde8536b0ff4", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + 
"userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "0b93f4e5-688a-44d9-9a41-39f432b0f2e6", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "7b50a0ba-33bb-4424-98a3-43a8c6fa3eda", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + }, { + "id" : "572a7648-22f9-48e2-87bb-7deb122b8541", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "42d5d185-c3f5-4ac5-a0b6-7d750a6748f6", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "359f4715-b8d6-4771-880f-fe4249c013db", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + 
"user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "5f6f70c0-d39d-4adb-9879-7ba30b569ac1", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "f49323fd-8161-4cf0-9729-2286a6746a30", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "0534d240-5b53-4a51-940b-c2aeb885297f", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "3e7beeab-156f-4dbb-a963-5964fc73482f", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "1de13c31-90a5-4d4e-85eb-e93421eff2c9", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : 
"oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] + }, { + "id" : "ca05c3e1-8674-4ecd-9f66-5143ca6ef5f9", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "40545239-bcd8-4a1e-9a3c-0cd336f2ecfb", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + }, { + "id" : "602b1e0f-2a99-4517-a8fd-dc97111f6ef4", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + } ] + }, { + "id" : "23990f3e-6474-4984-9247-33bfd3fcbbea", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "eefb83d6-9b37-44a4-aeaf-ba855166e250", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + }, { + "id" : "939caa01-d09a-4083-ad39-c45707dea6a8", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in 
scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "d75a5924-d8fe-4b34-bca7-0d123f9c4ad6", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "16c55806-2c14-427a-b787-28ac1b116f43", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "1db9fd9f-be4c-4ba3-a3dc-bad72d358b6f", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${rolesScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "845e4fe8-df0c-42b1-bf0c-add007afc5e6", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "47ebed48-8bdf-4c77-904d-8ce027f12303", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + }, { + "id" : "f728e24a-9b2a-406e-9315-2ef978f3544f", + "name" : 
"realm roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + } ] + }, { + "id" : "e64f9146-80a9-41c6-a9db-a44772e658c6", + "name" : "acr", + "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "e36e62ec-9378-441f-86a0-1f9430d239e0", + "name" : "acr loa level", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-acr-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true" + } + } ] + }, { + "id" : "a6728259-d97f-4750-8710-0b9cdd134862", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + "consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } + } ], + "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr" ], + "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], + "browserSecurityHeaders" : { + "contentSecurityPolicyReportOnly" : "", + "xContentTypeOptions" : "nosniff", + "referrerPolicy" : "no-referrer", + "xRobotsTag" : "none", + "xFrameOptions" : "SAMEORIGIN", + "xXSSProtection" : "1; mode=block", + "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + "smtpServer" : { }, + "eventsEnabled" : false, + "eventsListeners" : [ "jboss-logging" ], + "enabledEventTypes" : [ ], + "adminEventsEnabled" : false, + 
"adminEventsDetailsEnabled" : false, + "identityProviders" : [ ], + "identityProviderMappers" : [ ], + "components" : { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { + "id" : "f831ad24-ba32-4212-bb42-dcf2aa4a061e", + "name" : "Max Clients Limit", + "providerId" : "max-clients", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "max-clients" : [ "200" ] + } + }, { + "id" : "6fc363c0-c537-4a97-b87e-0c5f17e29325", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "e1254a51-a43f-433e-9c19-bee9b2c83e3b", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper" ] + } + }, { + "id" : "475ffb69-9f5f-461b-8fd9-af11271bb894", + "name" : "Consent Required", + "providerId" : "consent-required", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "4ecdb43e-1b0c-40ec-870d-2aa6d7627902", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper" ] + } + }, { + "id" : "213685a6-8c19-48e0-bc5c-7969a89b7c76", + "name" : "Full Scope Disabled", + "providerId" : "scope", + "subType" : "anonymous", + 
"subComponents" : { }, + "config" : { } + }, { + "id" : "0517c5e9-123e-4e79-8d76-dbe6f0403d64", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "a1659944-e504-4374-98df-d862ed413964", + "name" : "Trusted Hosts", + "providerId" : "trusted-hosts", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "host-sending-registration-request-must-match" : [ "true" ], + "client-uris-must-match" : [ "true" ] + } + } ] + }, + "internationalizationEnabled" : false, + "supportedLocales" : [ ], + "authenticationFlows" : [ { + "id" : "0844f18b-e205-4cbf-a9b0-b944ab642922", + "alias" : "Account verification options", + "description" : "Method with which to verity the existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-email-verification", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Verify Existing Account by Re-authentication", + "userSetupAllowed" : false + } ] + }, { + "id" : "c96aefb9-6b09-4e77-bcf1-b2b86859b24f", + "alias" : "Browser - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : 
false, + "userSetupAllowed" : false + } ] + }, { + "id" : "85b37736-ddca-4105-9426-97e28d6c279a", + "alias" : "Direct Grant - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "direct-grant-validate-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "b0fd75ae-8058-424a-8ae6-257a218d70f8", + "alias" : "First broker login - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "a4c1a42b-f752-4c9a-b31a-ec0b2d5f88c9", + "alias" : "Handle Existing Account", + "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-confirm-link", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" 
: 20, + "autheticatorFlow" : true, + "flowAlias" : "Account verification options", + "userSetupAllowed" : false + } ] + }, { + "id" : "1c30eba9-62e2-4391-9be7-91d8dfc93def", + "alias" : "Reset - Conditional OTP", + "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "440589ea-dfb5-4fea-9751-aef382c9dfb7", + "alias" : "User creation or linking", + "description" : "Flow for the existing/non-existing user alternatives", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "create unique user config", + "authenticator" : "idp-create-user-if-unique", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Handle Existing Account", + "userSetupAllowed" : false + } ] + }, { + "id" : "8808520b-dd8f-4950-81f7-0b671ad21535", + "alias" : "Verify Existing Account by Re-authentication", + "description" : "Reauthentication of existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + 
"authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "First broker login - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "1de66108-8963-4be0-a231-cb9e2e4e0ff7", + "alias" : "browser", + "description" : "browser based authentication", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-cookie", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-spnego", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "identity-provider-redirector", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 25, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "autheticatorFlow" : true, + "flowAlias" : "forms", + "userSetupAllowed" : false + } ] + }, { + "id" : "325e7aa5-92a0-4700-bef3-765c260ca712", + "alias" : "clients", + "description" : "Base authentication for clients", + "providerId" : "client-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "client-secret", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-secret-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : 
"client-x509", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 40, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "84eb8e43-4b56-4ea7-961e-a52b0adb0d18", + "alias" : "direct grant", + "description" : "OpenID Connect Resource Owner Grant", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "direct-grant-validate-username", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "direct-grant-validate-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 30, + "autheticatorFlow" : true, + "flowAlias" : "Direct Grant - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "70756998-eb44-4793-8db5-56be066be5de", + "alias" : "docker auth", + "description" : "Used by Docker clients to authenticate against the IDP", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "docker-http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "37af28b4-7de5-4e34-8def-cca8a88476a3", + "alias" : "first broker login", + "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "review profile config", + "authenticator" : "idp-review-profile", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + 
"autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "User creation or linking", + "userSetupAllowed" : false + } ] + }, { + "id" : "96617d21-366f-4932-95e4-bffdb6109ddd", + "alias" : "forms", + "description" : "Username, password, otp and other auth forms.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Browser - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "b6a26b71-1b86-4829-b1b1-7d8252bdeebb", + "alias" : "registration", + "description" : "registration flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-page-form", + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : true, + "flowAlias" : "registration form", + "userSetupAllowed" : false + } ] + }, { + "id" : "359fde7b-9820-4d06-b3aa-974aa631084d", + "alias" : "registration form", + "description" : "registration form", + "providerId" : "form-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-user-creation", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-profile-action", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 40, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : 
"registration-password-action", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 50, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-recaptcha-action", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 60, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-terms-and-conditions", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 70, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "007ce934-11d8-4696-b5da-50443fec2054", + "alias" : "reset credentials", + "description" : "Reset credentials for a user if they forgot their password or something", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "reset-credentials-choose-user", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-credential-email", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 30, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 40, + "autheticatorFlow" : true, + "flowAlias" : "Reset - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "157740bf-f12e-4481-8b68-94fd4939d43f", + "alias" : "saml ecp", + "description" : "SAML ECP Profile Authentication Flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" 
: 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + } ], + "authenticatorConfig" : [ { + "id" : "9f47e62a-4411-4afc-a7c3-a2670816579d", + "alias" : "create unique user config", + "config" : { + "require.password.update.after.registration" : "false" + } + }, { + "id" : "afc21bd5-4c36-4739-b592-a6c2e8963059", + "alias" : "review profile config", + "config" : { + "update.profile.on.first.login" : "missing" + } + } ], + "requiredActions" : [ { + "alias" : "CONFIGURE_TOTP", + "name" : "Configure OTP", + "providerId" : "CONFIGURE_TOTP", + "enabled" : true, + "defaultAction" : false, + "priority" : 10, + "config" : { } + }, { + "alias" : "TERMS_AND_CONDITIONS", + "name" : "Terms and Conditions", + "providerId" : "TERMS_AND_CONDITIONS", + "enabled" : false, + "defaultAction" : false, + "priority" : 20, + "config" : { } + }, { + "alias" : "UPDATE_PASSWORD", + "name" : "Update Password", + "providerId" : "UPDATE_PASSWORD", + "enabled" : true, + "defaultAction" : false, + "priority" : 30, + "config" : { } + }, { + "alias" : "UPDATE_PROFILE", + "name" : "Update Profile", + "providerId" : "UPDATE_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 40, + "config" : { } + }, { + "alias" : "VERIFY_EMAIL", + "name" : "Verify Email", + "providerId" : "VERIFY_EMAIL", + "enabled" : true, + "defaultAction" : false, + "priority" : 50, + "config" : { } + }, { + "alias" : "delete_account", + "name" : "Delete Account", + "providerId" : "delete_account", + "enabled" : false, + "defaultAction" : false, + "priority" : 60, + "config" : { } + }, { + "alias" : "webauthn-register", + "name" : "Webauthn Register", + "providerId" : "webauthn-register", + "enabled" : true, + "defaultAction" : false, + "priority" : 70, + "config" : { } + }, { + "alias" : "webauthn-register-passwordless", + "name" : "Webauthn Register Passwordless", + "providerId" : "webauthn-register-passwordless", + "enabled" : true, + "defaultAction" : false, + "priority" : 80, + "config" : 
{ }
+ }, {
+ "alias" : "update_user_locale",
+ "name" : "Update User Locale",
+ "providerId" : "update_user_locale",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 1000,
+ "config" : { }
+ } ],
+ "browserFlow" : "browser",
+ "registrationFlow" : "registration",
+ "directGrantFlow" : "direct grant",
+ "resetCredentialsFlow" : "reset credentials",
+ "clientAuthenticationFlow" : "clients",
+ "dockerAuthenticationFlow" : "docker auth",
+ "attributes" : {
+ "cibaBackchannelTokenDeliveryMode" : "poll",
+ "cibaExpiresIn" : "120",
+ "cibaAuthRequestedUserHint" : "login_hint",
+ "parRequestUriLifespan" : "60",
+ "cibaInterval" : "5",
+ "realmReusableOtpCode" : "false"
+ },
+ "keycloakVersion" : "22.0.5",
+ "userManagedAccessAllowed" : false,
+ "clientProfiles" : {
+ "profiles" : [ ]
+ },
+ "clientPolicies" : {
+ "policies" : [ ]
+ }
+}
\ No newline at end of file
diff --git a/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties b/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties
new file mode 100644
index 0000000..7a7dacc
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties
@@ -0,0 +1,54 @@
+emailVerificationSubject=Verify email
+emailVerificationBody=Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address\n\n{0}\n\nThis link will expire within {3}.\n\nIf you didn''t create this account, just ignore this message.
+emailVerificationBodyHtml=

Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address

Link to e-mail address verification

This link will expire within {3}.

If you didn''t create this account, just ignore this message.

+emailUpdateConfirmationSubject=Verify new email +emailUpdateConfirmationBody=To update your {2} account with email address {1}, click the link below\n\n{0}\n\nThis link will expire within {3}.\n\nIf you don''t want to proceed with this modification, just ignore this message. +emailUpdateConfirmationBodyHtml=

To update your {2} account with email address {1}, click the link below

{0}

This link will expire within {3}.

If you don''t want to proceed with this modification, just ignore this message.

+emailTestSubject=[KEYCLOAK] - SMTP test message +emailTestBody=This is a test message. Test Only. +emailTestBodyHtml=

This is a test message

+identityProviderLinkSubject=Link {0} +identityProviderLinkBody=Someone wants to link your "{1}" account with "{0}" account of user {2} . If this was you, click the link below to link accounts\n\n{3}\n\nThis link will expire within {5}.\n\nIf you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}. +identityProviderLinkBodyHtml=

Someone wants to link your {1} account with {0} account of user {2}. If this was you, click the link below to link accounts

Link to confirm account linking

This link will expire within {5}.

If you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}.

+passwordResetSubject=Reset password +passwordResetBody=Someone just requested to change your {2} account''s password. If this was you, click on the link below to reset them.\n\n{0}\n\nThis link and code will expire within {3}.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed. +passwordResetBodyHtml=

Someone just requested to change your {2} account''s password. If this was you, click on the link below to reset them.

Link to reset password

This link will expire within {3}.

If you don''t want to reset your password, just ignore this message and nothing will be changed.

+executeActionsSubject=Update Your Account +executeActionsBody=Your administrator has just requested that you update your {2} account by performing the following action(s): {3}. Click on the link below to start this process.\n\n{0}\n\nThis link will expire within {4}.\n\nIf you are unaware that your administrator has requested this, just ignore this message and nothing will be changed. +executeActionsBodyHtml=

Your administrator has just requested that you update your {2} account by performing the following action(s): {3}. Click on the link below to start this process.

Link to account update

This link will expire within {4}.

If you are unaware that your administrator has requested this, just ignore this message and nothing will be changed.

+eventLoginErrorSubject=Login error +eventLoginErrorBody=A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an administrator. +eventLoginErrorBodyHtml=

A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an administrator.

+eventRemoveTotpSubject=Remove OTP +eventRemoveTotpBody=OTP was removed from your account on {0} from {1}. If this was not you, please contact an administrator. +eventRemoveTotpBodyHtml=

OTP was removed from your account on {0} from {1}. If this was not you, please contact an administrator.

+eventUpdatePasswordSubject=Update password +eventUpdatePasswordBody=Your password was changed on {0} from {1}. If this was not you, please contact an administrator. +eventUpdatePasswordBodyHtml=

Your password was changed on {0} from {1}. If this was not you, please contact an administrator.

+eventUpdateTotpSubject=Update OTP +eventUpdateTotpBody=OTP was updated for your account on {0} from {1}. If this was not you, please contact an administrator. +eventUpdateTotpBodyHtml=

OTP was updated for your account on {0} from {1}. If this was not you, please contact an administrator.

+ +requiredAction.CONFIGURE_TOTP=Configure OTP +requiredAction.TERMS_AND_CONDITIONS=Terms and Conditions +requiredAction.UPDATE_PASSWORD=Update Password +requiredAction.UPDATE_PROFILE=Update Profile +requiredAction.VERIFY_EMAIL=Verify Email +requiredAction.CONFIGURE_RECOVERY_AUTHN_CODES=Generate Recovery Codes + +# units for link expiration timeout formatting +# for languages which have more unit plural forms depending on the value (eg. Czech and other Slavic langs) you can override unit text for some other values like described in the Java choice format which is documented here. For Czech, it would be '{0,choice,0#minut|1#minuta|2#minuty|2Please verify your email address by entering in the following code.

{0}

+ diff --git a/dev/config/keycloak/themes/ltt/email/theme.properties b/dev/config/keycloak/themes/ltt/email/theme.properties new file mode 100644 index 0000000..93d3b28 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/email/theme.properties @@ -0,0 +1,2 @@ +parent=keycloak + diff --git a/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl b/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl new file mode 100644 index 0000000..d609182 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl @@ -0,0 +1,31 @@ +<#ftl output_format="plainText"> +${msg("loginTotpIntro")} + +${msg("loginTotpStep1")} + +<#list totp.policy.supportedApplications as app> +* ${app} + + +${msg("loginTotpManualStep2")} + + ${totp.totpSecretEncoded} + + +${msg("loginTotpManualStep3")} + +- ${msg("loginTotpType")}: ${msg("loginTotp." + totp.policy.type)} +- ${msg("loginTotpAlgorithm")}: ${totp.policy.getAlgorithmKey()} +- ${msg("loginTotpDigits")}: ${totp.policy.digits} +<#if totp.policy.type = "totp"> +- ${msg("loginTotpInterval")}: ${totp.policy.period} + +<#elseif totp.policy.type = "hotp"> +- ${msg("loginTotpCounter")}: ${totp.policy.initialCounter} + + + +Enter in your one time password so we can verify you have installed it correctly. + + + diff --git a/dev/config/keycloak/themes/ltt/login/login-update-password.ftl b/dev/config/keycloak/themes/ltt/login/login-update-password.ftl new file mode 100644 index 0000000..5c70fe0 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/login-update-password.ftl @@ -0,0 +1,45 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout displayInfo=true; section> + <#if section = "header"> + ${msg("updatePasswordTitle")} + <#elseif section = "form"> +
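Review bot: The closing line of login-config-totp-text.ftl, `Enter in your one time password so we can verify you have installed it correctly.`, is hard-coded English while every other line of the template goes through `msg(...)`, so it will not localise and cannot be overridden from the theme's messages_en.properties. Replace it with a message lookup, `${msg("loginTotpStep3")}` if the base wording fits, or a new theme-specific key defined alongside the other login messages. The page rendering has stripped FreeMarker closing tags (`</#list>`, `</#if>`), so whether each block is properly closed could not be checked here.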
+ + + +
+
+ +
+
+ +
${kcSanitize(msg("passwordPolicy"))?no_esc}
+
+
+ +
+
+ +
+
+ +
+
+
+
+
+
+
+ +
+ <#if isAppInitiatedAction??> + + + <#else> + + +
+
+
+ + diff --git a/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl b/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl new file mode 100644 index 0000000..d87a90f --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl @@ -0,0 +1,61 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout; section> + <#if section = "header"> + ${msg("loginProfileTitle")} + <#elseif section = "form"> +
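Review bot: login-update-password.ftl (and likewise login-update-profile.ftl, login-username.ftl, login-verify-email.ftl and login.ftl in this commit) replaces a whole template of the base login theme rather than extending it, so later Keycloak fixes to those templates — input attributes, error-message sanitisation, the hidden credential field seen in login.ftl — will not reach this theme automatically. Record where the copies came from in a header comment such as `<#-- copied from the Keycloak 22.0.5 base login theme; re-diff against upstream on every Keycloak upgrade -->`; the realm export in this same commit pins `"keycloakVersion" : "22.0.5"`, which is presumably the source version. Most of the markup in these hunks is not visible on this page, so field-level details (autocomplete, name and type attributes) could not be reviewed here.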
+ <#if user.editUsernameAllowed> +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+
+
+
+ +
+ <#if isAppInitiatedAction??> + + + <#else> + + +
+
+
+ + diff --git a/dev/config/keycloak/themes/ltt/login/login-username.ftl b/dev/config/keycloak/themes/ltt/login/login-username.ftl new file mode 100644 index 0000000..6d5737e --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/login-username.ftl @@ -0,0 +1,60 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout displayInfo=social.displayInfo displayWide=(realm.password && social.providers??); section> + <#if section = "header"> + ${msg("doLogIn")} + <#elseif section = "form"> +
class="${properties.kcContentWrapperClass!}"> +
class="${properties.kcFormSocialAccountContentClass!} ${properties.kcFormSocialAccountClass!}"> + <#if realm.password> +
+
+ + + <#if usernameEditDisabled??> + + <#else> + + +
+ +
+
+ <#if realm.rememberMe && !usernameEditDisabled??> +
+ +
+ +
+
+ +
+ +
+
+ +
+ <#if realm.password && social.providers??> +
+ +
+ +
+ <#elseif section = "info" > + <#if realm.password && realm.registrationAllowed && !usernameEditDisabled??> +
+ ${msg("noAccount")} ${msg("doRegister")} +
+ + + + diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl b/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl new file mode 100644 index 0000000..87abcd7 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl @@ -0,0 +1,2 @@ +<#ftl output_format="plainText"> +${msg("console-verify-email",email, code)} \ No newline at end of file diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl b/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl new file mode 100644 index 0000000..e69a9fe --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl @@ -0,0 +1,13 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout; section> + <#if section = "header"> + ${msg("emailVerifyTitle")} + <#elseif section = "form"> +

+ ${msg("emailVerifyInstruction1")} +

+

+ ${msg("emailVerifyInstruction2")} ${msg("doClickHere")} ${msg("emailVerifyInstruction3")} +

+ + \ No newline at end of file diff --git a/dev/config/keycloak/themes/ltt/login/login.ftl b/dev/config/keycloak/themes/ltt/login/login.ftl new file mode 100644 index 0000000..c789a58 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/login.ftl @@ -0,0 +1,107 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout displayMessage=!messagesPerField.existsError('username','password') displayInfo=realm.password && realm.registrationAllowed && !registrationDisabled??; section> + <#if section = "header"> + ${msg("loginAccountTitle")} + <#elseif section = "form"> +
+
+ <#if realm.password> +
+ <#if !usernameHidden??> +
+ + + + + <#if messagesPerField.existsError('username','password')> + + ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc} + + + +
+ + +
+ + + + + <#if usernameHidden?? && messagesPerField.existsError('username','password')> + + ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc} + + + +
+ +
+
+ <#if realm.rememberMe && !usernameHidden??> +
+ +
+ +
+
+ <#if realm.resetPasswordAllowed> + ${msg("doForgotPassword")} + +
+ +
+ +
+ value="${auth.selectedCredential}"/> + +
+
+ +
+ +
+ <#elseif section = "info" > + <#if realm.password && realm.registrationAllowed && !registrationDisabled??> +
+
+ ${msg("noAccount")} ${msg("doRegister")} +
+
+ + <#elseif section = "socialProviders" > + <#if realm.password && social.providers??> +
+
+

${msg("identity-provider-login-label")}

+ + +
+
+
+
+
diff --git a/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties b/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties
new file mode 100644
index 0000000..60405bb
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties
@@ -0,0 +1,442 @@ +doLogIn=Sign In +doRegister=Register +doCancel=Cancel +doSubmit=Submit +doBack=Back +doYes=Yes +doNo=No +doContinue=Continue +doIgnore=Ignore +doAccept=Accept +doDecline=Decline +doForgotPassword=First time using, or forgot password? +doClickHere=Click here +doImpersonate=Impersonate +doTryAgain=Try again +doTryAnotherWay=Try Another Way +doConfirmDelete=Confirm deletion +errorDeletingAccount=Error happened while deleting account +deletingAccountForbidden=You do not have enough permissions to delete your own account, contact admin. +kerberosNotConfigured=Kerberos Not Configured +kerberosNotConfiguredTitle=Kerberos Not Configured +bypassKerberosDetail=Either you are not logged in by Kerberos or your browser is not set up for Kerberos login. Please click continue to login in through other means +kerberosNotSetUp=Kerberos is not set up. You cannot login. +registerTitle=Register +loginAccountTitle=Sign in to your account +loginTitle=Sign in to {0} +loginTitleHtml={0} +impersonateTitle={0} Impersonate User +impersonateTitleHtml={0} Impersonate User +realmChoice=Realm +unknownUser=Unknown user +loginTotpTitle=Mobile Authenticator Setup +loginProfileTitle=Update Account Information +loginIdpReviewProfileTitle=Update Account Information +loginTimeout=Your login attempt timed out. Login will start from the beginning. +oauthGrantTitle=Grant Access to {0} +oauthGrantTitleHtml={0} +errorTitle=We are sorry... +errorTitleHtml=We are sorry ... +emailVerifyTitle=Email verification +emailForgotTitle=First time using, or forgot password? +updatePasswordTitle=Update password +codeSuccessTitle=Success code +codeErrorTitle=Error code\: {0} +displayUnsupported=Requested display type unsupported +browserRequired=Browser required to login +browserContinue=Browser required to complete login +browserContinuePrompt=Open browser and continue login? [y/n]: +browserContinueAnswer=y + + +termsTitle=Terms and Conditions +termsText=

Terms and conditions to be defined

+termsPlainText=Terms and conditions to be defined. + +recaptchaFailed=Invalid Recaptcha +recaptchaNotConfigured=Recaptcha is required, but not configured +consentDenied=Consent denied. + +noAccount=New user? +username=Username +usernameOrEmail=Username or email +firstName=First name +givenName=Given name +fullName=Full name +lastName=Last name +familyName=Family name +email=Email +password=Password +passwordConfirm=Confirm password +passwordNew=New Password +passwordNewConfirm=New Password confirmation +passwordPolicy=

Password must:

  • Include at least one upper case letter, one lower case letter, and one number
  • Be at least 8 characters long
  • Have not been used recently
+rememberMe=Remember me +authenticatorCode=One-time code +address=Address +street=Street +locality=City or Locality +region=State, Province, or Region +postal_code=Zip or Postal code +country=Country +emailVerified=Email verified +website=Web page +phoneNumber=Phone number +phoneNumberVerified=Phone number verified +gender=Gender +birthday=Birthdate +zoneinfo=Time zone +gssDelegationCredential=GSS Delegation Credential +logoutOtherSessions=Sign out from other devices + +profileScopeConsentText=User profile +emailScopeConsentText=Email address +addressScopeConsentText=Address +phoneScopeConsentText=Phone number +offlineAccessScopeConsentText=Offline Access +samlRoleListScopeConsentText=My Roles +rolesScopeConsentText=User roles + +restartLoginTooltip=Restart login + +loginTotpIntro=You need to set up a One Time Password generator to access this account +loginTotpStep1=Install one of the following applications on your mobile: +loginTotpStep2=Open the application and scan the barcode: +loginTotpStep3=Enter the one-time code provided by the application and click Submit to finish the setup. +loginTotpStep3DeviceName=Provide a Device Name to help you manage your OTP devices. +loginTotpManualStep2=Open the application and enter the key: +loginTotpManualStep3=Use the following configuration values if the application allows setting them: +loginTotpUnableToScan=Unable to scan? +loginTotpScanBarcode=Scan barcode? +loginCredential=Credential +loginOtpOneTime=One-time code +loginTotpType=Type +loginTotpAlgorithm=Algorithm +loginTotpDigits=Digits +loginTotpInterval=Interval +loginTotpCounter=Counter +loginTotpDeviceName=Device Name + +loginTotp.totp=Time-based +loginTotp.hotp=Counter-based + +loginChooseAuthenticator=Select login method + +oauthGrantRequest=Do you grant these access privileges? 
+inResource=in + +oauth2DeviceVerificationTitle=Device Login +verifyOAuth2DeviceUserCode=Enter the code provided by your device and click Submit +oauth2DeviceInvalidUserCodeMessage=Invalid code, please try again. +oauth2DeviceExpiredUserCodeMessage=The code has expired. Please go back to your device and try connecting again. +oauth2DeviceVerificationCompleteHeader=Device Login Successful +oauth2DeviceVerificationCompleteMessage=You may close this browser window and go back to your device. +oauth2DeviceVerificationFailedHeader=Device Login Failed +oauth2DeviceVerificationFailedMessage=You may close this browser window and go back to your device and try connecting again. +oauth2DeviceConsentDeniedMessage=Consent denied for connecting the device. +oauth2DeviceAuthorizationGrantDisabledMessage=Client is not allowed to initiate OAuth 2.0 Device Authorization Grant. The flow is disabled for the client. + +emailVerifyInstruction1=An email with instructions to verify your email address has been sent to you. +emailVerifyInstruction2=Haven''t received a verification code in your email? +emailVerifyInstruction3=to re-send the email. + +emailLinkIdpTitle=Link {0} +emailLinkIdp1=An email with instructions to link {0} account {1} with your {2} account has been sent to you. +emailLinkIdp2=Haven''t received a verification code in your email? +emailLinkIdp3=to re-send the email. +emailLinkIdp4=If you already verified the email in different browser +emailLinkIdp5=to continue. + +backToLogin=« Back to Login + +emailInstruction=Enter your username or email address and we will send you instructions on how to create a new password. 
+ +copyCodeInstruction=Please copy this code and paste it into your application: + +pageExpiredTitle=Page has expired +pageExpiredMsg1=To restart the login process +pageExpiredMsg2=To continue the login process + +personalInfo=Personal Info: +role_admin=Admin +role_realm-admin=Realm Admin +role_create-realm=Create realm +role_create-client=Create client +role_view-realm=View realm +role_view-users=View users +role_view-applications=View applications +role_view-clients=View clients +role_view-events=View events +role_view-identity-providers=View identity providers +role_manage-realm=Manage realm +role_manage-users=Manage users +role_manage-applications=Manage applications +role_manage-identity-providers=Manage identity providers +role_manage-clients=Manage clients +role_manage-events=Manage events +role_view-profile=View profile +role_manage-account=Manage account +role_manage-account-links=Manage account links +role_read-token=Read token +role_offline-access=Offline access +client_account=Account +client_account-console=Account Console +client_security-admin-console=Security Admin Console +client_admin-cli=Admin CLI +client_realm-management=Realm Management +client_broker=Broker + +requiredFields=Required fields + +invalidUserMessage=Invalid username or password. +invalidUsernameMessage=Invalid username. +invalidUsernameOrEmailMessage=Invalid username or email. +invalidPasswordMessage=Invalid password. +invalidEmailMessage=Invalid email address. +accountDisabledMessage=Account is disabled, contact your administrator. +accountTemporarilyDisabledMessage=Account is temporarily disabled; contact your administrator or retry later. +expiredCodeMessage=Login timeout. Please sign in again. +expiredActionMessage=Action expired. Please continue with login now. +expiredActionTokenNoSessionMessage=Action expired. +expiredActionTokenSessionExistsMessage=Action expired. Please start again. + +missingFirstNameMessage=Please specify first name. 
+missingLastNameMessage=Please specify last name. +missingEmailMessage=Please specify email. +missingUsernameMessage=Please specify username. +missingPasswordMessage=Please specify password. +missingTotpMessage=Please specify authenticator code. +missingTotpDeviceNameMessage=Please specify device name. +notMatchPasswordMessage=Passwords don''t match. + +error-invalid-value=Invalid value. +error-invalid-blank=Please specify value. +error-empty=Please specify value. +error-invalid-length=Length must be between {1} and {2}. +error-invalid-length-too-short=Minimal length is {1}. +error-invalid-length-too-long=Maximal length is {2}. +error-invalid-email=Invalid email address. +error-invalid-number=Invalid number. +error-number-out-of-range=Number must be between {1} and {2}. +error-number-out-of-range-too-small=Number must have minimal value of {1}. +error-number-out-of-range-too-big=Number must have maximal value of {2}. +error-pattern-no-match=Invalid value. +error-invalid-uri=Invalid URL. +error-invalid-uri-scheme=Invalid URL scheme. +error-invalid-uri-fragment=Invalid URL fragment. +error-user-attribute-required=Please specify this field. +error-invalid-date=Invalid date. +error-user-attribute-read-only=This field is read only. +error-username-invalid-character=Value contains invalid character. +error-person-name-invalid-character=Value contains invalid character. + +invalidPasswordExistingMessage=Invalid existing password. +invalidPasswordBlacklistedMessage=Invalid password: password is blacklisted. +invalidPasswordConfirmMessage=Password confirmation doesn''t match. +invalidTotpMessage=Invalid authenticator code. + +usernameExistsMessage=Username already exists. +emailExistsMessage=Email already exists. + +federatedIdentityExistsMessage=User with {0} {1} already exists. Please login to account management to link the account. +federatedIdentityUnavailableMessage=User {0} authenticated with identity provider {1} does not exists. Please contact your administrator. 
+ +confirmLinkIdpTitle=Account already exists +federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How do you want to continue? +federatedIdentityConfirmReauthenticateMessage=Authenticate to link your account with {0} +nestedFirstBrokerFlowMessage=The {0} user {1} is not linked to any known user. +confirmLinkIdpReviewProfile=Review profile +confirmLinkIdpContinue=Add to existing account + +configureTotpMessage=You need to set up Mobile Authenticator to activate your account. +updateProfileMessage=You need to update your user profile to activate your account. +updatePasswordMessage=You need to change your password to activate your account. +resetPasswordMessage=You need to change your password. +verifyEmailMessage=You need to verify your email address to activate your account. +linkIdpMessage=You need to verify your email address to link your account with {0}. + +emailSentMessage=You should receive an email shortly with further instructions. +emailSendErrorMessage=Failed to send email, please try again later. + +accountUpdatedMessage=Your account has been updated. +accountPasswordUpdatedMessage=Your password has been updated. + +delegationCompleteHeader=Login Successful +delegationCompleteMessage=You may close this browser window and go back to your console application. +delegationFailedHeader=Login Failed +delegationFailedMessage=You may close this browser window and go back to your console application and try logging in again. + +noAccessMessage=No access + +invalidPasswordMinLengthMessage=Invalid password: minimum length {0}. +invalidPasswordMaxLengthMessage=Invalid password: maximum length {0}. +invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits. +invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters. +invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters. 
+invalidPasswordMinSpecialCharsMessage=Invalid password: must contain at least {0} special characters. +invalidPasswordNotUsernameMessage=Invalid password: must not be equal to the username. +invalidPasswordNotEmailMessage=Invalid password: must not be equal to the email. +invalidPasswordRegexPatternMessage=Invalid password: fails to match regex pattern(s). +invalidPasswordHistoryMessage=Invalid password: must not be equal to any of last {0} passwords. +invalidPasswordGenericMessage=Invalid password: new password doesn''t match password policies. + +failedToProcessResponseMessage=Failed to process response +httpsRequiredMessage=HTTPS required +realmNotEnabledMessage=Realm not enabled +invalidRequestMessage=Invalid Request +failedLogout=Logout failed +unknownLoginRequesterMessage=Unknown login requester +loginRequesterNotEnabledMessage=Login requester not enabled +bearerOnlyMessage=Bearer-only applications are not allowed to initiate browser login +standardFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client. +implicitFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client. +invalidRedirectUriMessage=Invalid redirect uri +unsupportedNameIdFormatMessage=Unsupported NameIDFormat +invalidRequesterMessage=Invalid requester +registrationNotAllowedMessage=Registration not allowed +resetCredentialNotAllowedMessage=Reset Credential not allowed + +permissionNotApprovedMessage=Permission not approved. +noRelayStateInResponseMessage=No relay state in response from identity provider. +insufficientPermissionMessage=Insufficient permissions to link identities. +couldNotProceedWithAuthenticationRequestMessage=Could not proceed with authentication request to identity provider. +couldNotObtainTokenMessage=Could not obtain token from identity provider. 
+unexpectedErrorRetrievingTokenMessage=Unexpected error when retrieving token from identity provider. +unexpectedErrorHandlingResponseMessage=Unexpected error when handling response from identity provider. +identityProviderAuthenticationFailedMessage=Authentication failed. Could not authenticate with identity provider. +couldNotSendAuthenticationRequestMessage=Could not send authentication request to identity provider. +unexpectedErrorHandlingRequestMessage=Unexpected error when handling authentication request to identity provider. +invalidAccessCodeMessage=Invalid access code. +sessionNotActiveMessage=Session not active. +invalidCodeMessage=An error occurred, please login again through your application. +identityProviderUnexpectedErrorMessage=Unexpected error when authenticating with identity provider +identityProviderMissingStateMessage=Missing state parameter in response from identity provider. +identityProviderNotFoundMessage=Could not find an identity provider with the identifier. +identityProviderLinkSuccess=You successfully verified your email. Please go back to your original browser and continue there with the login. +staleCodeMessage=This page is no longer valid, please go back to your application and sign in again +realmSupportsNoCredentialsMessage=Realm does not support any credential type. +credentialSetupRequired=Cannot login, credential setup required. +identityProviderNotUniqueMessage=Realm supports multiple identity providers. Could not determine which identity provider should be used to authenticate with. +emailVerifiedMessage=Your email address has been verified. +staleEmailVerificationLink=The link you clicked is an old stale link and is no longer valid. Maybe you have already verified your email. +identityProviderAlreadyLinkedMessage=Federated identity returned by {0} is already linked to another user. +confirmAccountLinking=Confirm linking the account {0} of identity provider {1} with your account. 
+confirmEmailAddressVerification=Confirm validity of e-mail address {0}. +confirmExecutionOfActions=Perform the following action(s) + +locale_ca=Catal\u00E0 +locale_cs=\u010Ce\u0161tina +locale_da=Dansk +locale_de=Deutsch +locale_en=English +locale_es=Espa\u00F1ol +locale_fr=Fran\u00E7ais +locale_hu=Magyar +locale_it=Italiano +locale_ja=\u65E5\u672C\u8A9E +locale_lt=Lietuvi\u0173 +locale_nl=Nederlands +locale_no=Norsk +locale_pl=Polski +locale_pt_BR=Portugu\u00EAs (Brasil) +locale_pt-BR=Portugu\u00EAs (Brasil) +locale_ru=\u0420\u0443\u0441\u0441\u043A\u0438\u0439 +locale_sk=Sloven\u010Dina +locale_sv=Svenska +locale_tr=T\u00FCrk\u00E7e +locale_zh-CN=\u4E2D\u6587\u7B80\u4F53 + +backToApplication=« Back to Application +missingParameterMessage=Missing parameters\: {0} +clientNotFoundMessage=Client not found. +clientDisabledMessage=Client disabled. +invalidParameterMessage=Invalid parameter\: {0} +alreadyLoggedIn=You are already logged in. +differentUserAuthenticated=You are already authenticated as different user ''{0}'' in this session. Please sign out first. +brokerLinkingSessionExpired=Requested broker account linking, but current session is no longer valid. +proceedWithAction=» Click here to proceed + +requiredAction.CONFIGURE_TOTP=Configure OTP +requiredAction.terms_and_conditions=Terms and Conditions +requiredAction.UPDATE_PASSWORD=Update Password +requiredAction.UPDATE_PROFILE=Update Profile +requiredAction.VERIFY_EMAIL=Verify Email + +doX509Login=You will be logged in as\: +clientCertificate=X509 client certificate\: +noCertificate=[No Certificate] + + +pageNotFound=Page not found +internalServerError=An internal server error has occurred + +console-username=Username: +console-password=Password: +console-otp=One Time Password: +console-new-password=New Password: +console-confirm-password=Confirm Password: +console-update-password=Update of your password is required. +console-verify-email=You need to verify your email address. 
We sent an email to {0} that contains a verification code. Please enter this code into the input below. +console-email-code=Email Code: +console-accept-terms=Accept Terms? [y/n]: +console-accept=y + +# Openshift messages +openshift.scope.user_info=User information +openshift.scope.user_check-access=User access information +openshift.scope.user_full=Full Access +openshift.scope.list-projects=List projects + +# SAML authentication +saml.post-form.title=Authentication Redirect +saml.post-form.message=Redirecting, please wait. +saml.post-form.js-disabled=JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue. +saml.artifactResolutionServiceInvalidResponse=Unable to resolve artifact. + +#authenticators +otp-display-name=Authenticator Application +otp-help-text=Enter a verification code from authenticator application. +password-display-name=Password +password-help-text=Sign in by entering your password. +auth-username-form-display-name=Username +auth-username-form-help-text=Start sign in by entering your username +auth-username-password-form-display-name=Username and password +auth-username-password-form-help-text=Sign in by entering your username and password. + +# WebAuthn +webauthn-display-name=Security Key +webauthn-help-text=Use your security key to sign in. +webauthn-passwordless-display-name=Security Key +webauthn-passwordless-help-text=Use your security key for passwordless sign in. +webauthn-login-title=Security Key login +webauthn-registration-title=Security Key Registration +webauthn-available-authenticators=Available authenticators +webauthn-unsupported-browser-text=WebAuthn is not supported by this browser. Try another one or contact your administrator. +webauthn-doAuthenticate=Sign in with Security Key + +# WebAuthn Error +webauthn-error-title=Security Key Error +webauthn-error-registration=Failed to register your Security key.
{0} +webauthn-error-api-get=Failed to authenticate by the Security key.
{0} +webauthn-error-different-user=First authenticated user is not the one authenticated by the Security key. +webauthn-error-auth-verification=Security key authentication result is invalid.
{0} +webauthn-error-register-verification=Security key registration result is invalid.
{0}
+webauthn-error-user-not-found=Unknown user authenticated by the Security key.
+
+# Identity provider
+identity-provider-redirector=Connect with another Identity Provider
+identity-provider-login-label=Or sign in with
+
+finalDeletionConfirmation=If you delete your account, it cannot be restored. To keep your account, click Cancel.
+irreversibleAction=This action is irreversible
+deleteAccountConfirm=Delete account confirmation
+
+deletingImplies=Deleting your account implies:
+errasingData=Erasing all your data
+loggingOutImmediately=Logging you out immediately
+accountUnusable=Any subsequent use of the application will not be possible with this account
+userDeletedSuccessfully=User deleted successfully
+
+access-denied=Access denied
+
+systemType={0} System
diff --git a/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl b/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl
new file mode 100644
index 0000000..e0d533b
--- /dev/null
+++ b/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl
@@ -0,0 +1,74 @@
+<#import "template.ftl" as layout>
+<#import "user-profile-commons.ftl" as userProfileCommons>
+<@layout.registrationLayout displayMessage=messagesPerField.exists('global') displayRequiredFields=true; section>
+ <#if section = "header">
+ ${msg("registerTitle")}
+ <#elseif section = "form">
+
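Review bot: `passwordPolicy=` (the HTML list "Include at least one upper case letter, one lower case letter, and one number", "Be at least 8 characters long", "Have not been used recently") is display-only text; the rules actually enforced come from the realm's password policy, and nothing in this bundle ties the two together, so the hint can silently drift from what the server rejects. A comment above it such as `# Display text only: keep in sync with the realm password policy (length, digits, upper/lower case, history)` would flag that dependency to whoever changes either side. `doForgotPassword` and `emailForgotTitle` relabel the reset-credentials flow as the first-time-user path ("First time using, or forgot password?"); a short comment noting that this flow doubles as onboarding, so changes to its authentication steps change how new users first obtain access, would help the next maintainer. `termsText=` and `termsPlainText=` still carry the "Terms and conditions to be defined" placeholder, which is worth a TODO comment so it is not shipped unnoticed.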
+ + <@userProfileCommons.userProfileFormFields; callback, attribute> + <#if callback = "afterField"> + <#-- render password fields just under the username or email (if used as username) --> + <#if passwordRequired?? && (attribute.name == 'username' || (attribute.name == 'email' && realm.registrationEmailAsUsername))> +
+
+ * +
+
+ + + <#if messagesPerField.existsError('password')> + + ${kcSanitize(messagesPerField.get('password'))?no_esc} + + +
+
+ +
+
+ * +
+
+ + + <#if messagesPerField.existsError('password-confirm')> + + ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc} + + +
+
+ + + + + <#if recaptchaRequired??> +
+
+
+
+
+ + + +
+ + \ No newline at end of file diff --git a/dev/config/keycloak/themes/ltt/login/register.ftl b/dev/config/keycloak/themes/ltt/login/register.ftl new file mode 100644 index 0000000..07829a0 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/register.ftl @@ -0,0 +1,88 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout; section> + <#if section = "header"> + ${msg("registerTitle")} + <#elseif section = "form"> +
+ <#-- +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ --> + +
+
+ +
+
+ +
+
+ + <#if !realm.registrationEmailAsUsername> +
+
+ +
+
+ +
+
+ + + <#if passwordRequired??> +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+ + + <#if recaptchaRequired??> +
+
+
+
+
+ + + +
+ + diff --git a/dev/config/keycloak/themes/ltt/login/resources/css/styles.css b/dev/config/keycloak/themes/ltt/login/resources/css/styles.css new file mode 100644 index 0000000..7b94eb2 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/resources/css/styles.css 
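Review bot: The `<#-- … -->` block at the top of the form in register.ftl is a sizeable run of commented-out markup shipped in the template with no explanation of what was disabled or why; it renders nothing but has to be read by everyone maintaining the file. Either delete it or replace it with a one-line note, e.g. `<#-- <REASON>: the registration fields that used to sit here are intentionally not rendered -->`. If I read the hunks correctly both register.ftl and register-user-profile.ftl are provided and which one Keycloak renders depends on the realm's user-profile setting; a comment in each cross-referencing the other would keep edits from landing in the file that is not in use.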
@@ -0,0 +1,384 @@ +:root { + --body-bg-color: #325c33; + --primary-color: #325c33; + --primary-hover-color: #254325; + --section-border-color: #dcdfdc; + --button-primary-color: #af4507; + --button-primary-hover-color: #883505; + --title-color: #325c33; + --label-color: #71757b; + --link-color: #1994d0; + --link-hover-color: #126994; + --highlight-bg-color: #f9e4d3; + --text-default-color: #444; + --default-body-font-size: 16px; +} +body { + font-family: "Roboto", "Helvetica", "Arial", sans-serif; + font-size: var(--default-body-font-size); +} +.pf-c-alert__title { + font-size: var(--default-body-font-size); + line-height: 1.4; +} + +html.login-pf { + background: var(--body-bg-color); +} + +#header { + position: fixed; + z-index: 10000; + left: 0; + top: 0; + width: 100%; + background-color: var(--body-bg-color); + color: #fff; + line-height: 3em; + box-shadow: 0 0 0.15em 0 rgba(0, 0, 0, 0.1); + margin-bottom: 1em; + display: flex; + align-items: center; + height: 4em; +} + +#header img { + height: 2em; + padding-left: 1em; +} + +#kc-header { + margin-top: 4em; +} + +.login-pf-page { + background-color: var(--body-bg-color); + height: 100%; + padding-top: 4em; + padding-bottom: 24px; + background-color: var(--body-bg-color); +} +@media (min-width: 768px) { + .login-pf-page { + padding-top: 3em; + } +} + +h1, +h2, +h3, +h4, +h5, +h6 { + font-weight: 600; + color: inherit; + /* letter-spacing: -0.0325em; */ +} + +html, +body, +div, +span, +applet, +object, +iframe, +h1, +h2, +h3, +h4, +h5, +h6, +p, +blockquote, +pre, +a, +abbr, +acronym, +address, +big, +cite, +code, +del, +dfn, +em, +img, +ins, +kbd, +q, +s, +samp, +small, +strike, +strong, +sub, +sup, +tt, +var, +b, +u, +i, +center, +dl, +dt, +dd, +ol, +ul, +li, +fieldset, +form, +label, +legend, +table, +caption, +tbody, +tfoot, +thead, +tr, +th, +td, +article, +aside, +canvas, +details, +embed, +figure, +figcaption, +footer, +header, +hgroup, +menu, +nav, +output, +ruby, +section, +summary, +time, +mark, +audio, 
+video { + margin: 0; + padding: 0; + border: 0; + font-size: 100%; + font: inherit; + vertical-align: baseline; +} + +ul, p { + line-height: 1.4; +} + +.alert { + padding-left: 16px; + padding-right: 16px; +} +.alert-error { + color: #9b0202; +} +input[type="text"], +input[type="password"] { + display: block; + width: 100%; + height: 32px; + padding: 2px 6px; + font-size: var(--default-body-font-size); + line-height: 1.66666667; + color: #363636; + background-color: #fff; + background-image: none; + border: 1px solid #bbb; + border-top-color: rgb(187, 187, 187); + border-right-color: rgb(187, 187, 187); + border-bottom-color: rgb(187, 187, 187); + border-left-color: rgb(187, 187, 187); + border-radius: 0; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + transition: border-color ease-in-out 0.15s, box-shadow ease-in-out 0.15s; + margin-bottom: 24px; + box-sizing: border-box; +} +input[type="submit"] { + background-image: none; + background-color: var(--primary-color); + padding: 16px; + width: 100%; + font-size: var(--default-body-font-size); + color: #fff; + box-sizing: border-box; + box-shadow: none; + border: 0; + display: block; +} +input[type="submit"]:hover { + background-color: var(--primary-hover-color); +} +a { + color: var(--link-color); + text-decoration: none; +} +a:hover { + color: var(--link-hover-color); +} +[class*="pf-c-"], +[class*="pf-c-"]::before, +[class*="pf-c-"]::after { + padding: 4px 0; +} +label { + font-weight: 500; + display: inline-block; + font-size: 14px; + margin-bottom: 4px; + color: var(--label-color); +} +.btn { + border-radius: 8px; +} +.btn-primary, +.pf-c-button.pf-m-primary { + background-image: none; + background-color: var(--button-primary-color); + border: 0; + border-radius: 8px; +} +.btn-primary:hover, +.btn-primary:focus, +.btn-primary:active, +.pf-c-button.pf-m-primary:hover, +.pf-c-button.pf-m-primary:focus, +.pf-c-button.pf-m-primary:active { + background-color: var(--button-primary-hover-color); +} + +.login-pf 
body { + font-family: "Roboto", "Helvetica", "Arial", sans-serif; + background-color: var(--body-bg-color); + background-image: none; + font-size: var(--default-body-font-size); +} +.login-pf-page .card-pf { + margin-bottom: 32px; +} +@media (min-width: 768px) { + .login-pf-page .card-pf { + padding: 16px 32px 48px 32px; + } +} +.login-pf-page .card-pf p { + font-size: var(--default-body-font-size); + line-height: 1.4; +} +@media (min-width: 768px) { + .login-pf-page .login-pf-header { + margin-bottom: 10px; + } +} +@media (max-width: 767px) { + .login-pf-page .card-pf { + max-width: 100%; + margin-left: 16px; + margin-right: 16px; + padding: 4px 16px 24px; + } +} +.login-pf-page .login-pf-header h1 { + font-size: 1.75em; +} +#kc-info-wrapper { + background-color: transparent; + padding: 0; + text-align: left; + font-size: var(--default-body-font-size); + line-height: 1.4; +} +#kc-header-wrapper { + font-weight: 500; + text-transform: capitalize; + line-height: 1.5; + font-weight: 500; + display: flex; + flex-direction: column; + gap: 16px; + align-items: center; + justify-content: center; +} +@media (max-width: 767px) { + #kc-header-wrapper { + color: #fff; + padding: 0; + } +} +#kc-site-name, +#kc-system-type { + color: #fff; + text-align: center; + text-transform: capitalize; + font-size: 1.8rem; +} +#kc-login-info-message { + max-width: 100%; + margin: auto; + line-height: 1.55; + background: var(--highlight-bg-color); + color: var(--text-default-color); + padding: 16px; + font-size: 1rem; + font-weight: 500; +} +@media (min-width: 768px) { + #kc-login-info-message { + max-width: 60%; + margin: auto; + } +} +#kc-content-wrapper { + display: flex; + justify-content: center; + flex-direction: column; +} +#kc-header { + margin-top: 0; + margin-bottom: 24px; +} +#kc-page-title { + text-align: center; + font-weight: 600; + color: var(--title-color); + padding-bottom: 4px; + font-size: 1.75em; +} +h1#kc-page-title { + margin-top: 24px; +} +#kc-form { + width: 100%; 
+} +#kc-form-buttons { + margin-top: 24px; + text-align: center; +} +#kc-form-options .checkbox { + display: none; +} +#kc-info { + margin-top: 0; + margin-bottom: 8px; + margin-left: 0; + margin-right: 0; + color: #777; +} +.card-pf { + background: #fff; + margin: 0 auto; + margin-bottom: 0px; + padding: 0 20px; + max-width: 420px; + border-top: 0; + box-shadow: 0 0 0; + padding: 0 40px 40px; + margin-top: 28px; + margin-bottom: 32px; +} +.card-pf form.form-actions .btn { + margin-bottom: 16px; +} diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico b/dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..62de3a266ec8c9991463b5d4bf230679a4ee71c3 GIT binary patch literal 4286 zcmeH~K~BOz6oy9^ZcL0yf(C(Nv=LbdmMG#vU3mhdCgN2*j^Yhmz`|3wGwwYBBz64% z!fOXZfdZCIAs^FDJM+EwW(q;6CA;Re0Z`lVj-~;epb8foYfNr+DJ`Fz@_X4(n@8$u|fd#%m*xby!Gva#K zIJ2KIyn=xka6XBjZq~(|Pp1woojKjpxpRB4|L=Xlxx}zdZ-o41O$I!h@Y7wnuSAWZ z3BOkd#sMras{Y~rx~;1XM;}WJhzWCzL+T(g%EYb(;Cn89)**TfW<0}={rtJ-g^i-6v;F<&=igrko=Y9% z{%P8NO+0_Pva7STeVskCd(>=gUzfafALjS=U^o`UUrI BO-%p* literal 0 HcmV?d00001 diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png new file mode 100644 index 0000000000000000000000000000000000000000..6f2d9d2aeb1c1461767988a042aae50492d454bc GIT binary patch literal 513 zcmV+c0{;DpP)pbFH`>7=NJimT8HPR1b>!7GRq%%D)H?|Wo% zC@Pq9$n!u*^5*>k`A#3+kZfF(`zJ152&b=J2><{9!0hZbO_;oR8NR%F9kLkE@5Z(} z|9X+Rqj^|(^f2UQ`B&qbstQ}zSHs@7Mx_7%0O*T*Sywa1;J+C|`oj73Q8;qyTvEs3fk{(-JWjQ|4!;N?Hk9Wu}T8~06?E)T~0nO z$|9aN^E2gq`rLgk&kqde>9h9ceYG2J7l(CKD-8eu0DaQs4ti*V_8>1|L40001@p8^a34>6V-IeVqb00000NkvXXu0mjf D@HyfE literal 0 HcmV?d00001 
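Review bot: Several rule sets carry duplicate or self-overriding declarations: `.login-pf-page` declares `background-color: var(--body-bg-color);` twice, `#kc-header-wrapper` declares `font-weight: 500;` twice, `.card-pf` sets `margin-bottom: 0px;` and `padding: 0 20px;` and then overrides both with `margin-bottom: 32px;` and `padding: 0 40px 40px;` in the same block, and the early `#kc-header { margin-top: 4em; }` is overridden by the later `#kc-header { margin-top: 0; … }` at equal specificity. Only the last declaration wins in each case, so the earlier ones are dead and misleading about the effective layout; drop them (and fold the two `#kc-header` rules into one) so the file states each value once.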
diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png new file mode 100644 index 0000000000000000000000000000000000000000..0dd500445d7249ddd1b1dea7dc79d5e2f75cf223 GIT binary patch literal 343 zcmV-d0jU0oP)Rb^f-HfiA|a#ZS&BN>m{U!Bf9XBlP=AUsPhep z0;u>nQCxb~G6c;4tOM)aDVebC2LF?__!*$Y%|S5$e;ZcIdR+o#XrlC>L#@3RFZO+y z4ac0_$8S?_3L#)o1cV>wsb|~_2qr}-{Xy0sk1ddFrS2NjYBy!#lv@hhf%T~P1a2ls zg9cR!$Y8{U0euD81vt(&PyxuVl0?xy+oT=qfZ( zU<;qzo;L~X{8Dl*OuQ;g6C?jcvTY4MH)UgY@3N+I%Y&B-aM#Gmz4*K9-@h9B>+j#Q z@1I{-{^;BJ=zrF!cK!}Pr!g=bh|HcT>Z=m}wDHmbyC0nDaV#gVm&uycGotW zpv;r|b9e9Fzj)!!_FHF``Wx|qb*+1{*5LE=)%xG0rlsBtdT?-dwR{mlor@ArQ!T)1>sQ|BRGRy6pUXk5Eq%Jj zt#hDSUl#1`1Hp4rtdp{v4HrVu6{1-oD!M}vd literal 0 HcmV?d00001 diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png new file mode 100644 index 0000000000000000000000000000000000000000..640bd71cab7bdfc7a8adcf28ffaf6db736a1c008 GIT binary patch literal 410 zcmeAS@N?(olHy`uVBq!ia0vp^f*{Pn1|+R>-G2comSQK*5Dp-y;YjHK@;M7UB8!3Q zuY)k7lg8`{prB-lYeY$Kep*R+Vo@qXd3m{BW?pu2a$-TMUVc&f>~}U&3=E9oo-U3d z7QI&|@AYC16lmSQ(|nzi6W2vA0hQiX{shsj9%4*QVx6m7=T11}S0g4pTOrBJ(L2zj zqqUbmAu&;Tnwis)`FE;yFXbH4TM_-V#F%}bS9C7N)nccy^_%s?ydQOE$UA=bQASGdP zUS5*^?Y}eFBd=Y%8?p303zx;a-hVOO%tz8T)jmnDmV3_E#n4nO@i}MX#=5_=rbOm! z*!s=OFZw-8%CQyiuZC^?Jc-4l;#4*gQu&X%Q~loCIB2_ BsrLW? literal 0 HcmV?d00001 
diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png new file mode 100644 index 0000000000000000000000000000000000000000..6f2d9d2aeb1c1461767988a042aae50492d454bc GIT binary patch literal 513 zcmV+c0{;DpP)pbFH`>7=NJimT8HPR1b>!7GRq%%D)H?|Wo% zC@Pq9$n!u*^5*>k`A#3+kZfF(`zJ152&b=J2><{9!0hZbO_;oR8NR%F9kLkE@5Z(} z|9X+Rqj^|(^f2UQ`B&qbstQ}zSHs@7Mx_7%0O*T*Sywa1;J+C|`oj73Q8;qyTvEs3fk{(-JWjQ|4!;N?Hk9Wu}T8~06?E)T~0nO z$|9aN^E2gq`rLgk&kqde>9h9ceYG2J7l(CKD-8eu0DaQs4ti*V_8>1|L40001@p8^a34>6V-IeVqb00000NkvXXu0mjf D@HyfE literal 0 HcmV?d00001 diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png new file mode 100644 index 0000000000000000000000000000000000000000..f9392a356fd3b383997c1ef289b48d02be96c351 GIT binary patch literal 646 zcmV;10(t$3P)5ebW)JIb`v2;&5sUEt7(pdR?_rqvF~(w z&wHPH?%{G}o6t%tD3-YcoIt#ZimsMn=fj5~SV}0ANdw)$JIs+vm8VEr5vY*RCc!0O zJeKiMnQmZjF~P}|ITC|_fPR3sChh|hh#}5v^?!j1No^OL5!{Yt{P|l#ojGW*>A`F% zG;=oe?E0{aNj(7$L<2hJOpDEg;c-0Uu3}QpfZdv9Yul(xOFAm{YCmuc7-<=Hz6#rb zwStWR%+Uk1dKH(KznaJbxtT_8h1rkY@F&AK;#}dXHiv>reL9ZVhZt;6c{&UPfawRU z3PX!QX+>?W8zy57-1{e1nf<%`Ip2$C{RJ2WP8EB!V*#i*Ll@AAxI)U6d9kg;Tft2N zvI|T#k_Ga${UDcC6K25hA)et;?S`pV)*0TbLbSFYPx%LC5OMf>LI(kYhG{MW?Gclt z?kz+j>;xV-pszlvScx&iWL1nHDUdjgc-@-yi~8Zf?-uKCu&$j zmGV@tHY^&3ufPQiVR|G&lMFKJqcV3b2BIPt0$RTQ1o3gEnU}InzE6h&(}7s>n+PkJ gT)C0w?I} + + + + + + + + + + + diff --git a/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl b/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl new file mode 100644 index 0000000..0225cf9 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl 
@@ -0,0 +1,42 @@ +<#import "template.ftl" as layout> +<@layout.registrationLayout displayInfo=true; section> + <#if section = "header" || section = "show-username"> + + <#if section = "header"> + ${msg("loginChooseAuthenticator")} + + <#elseif section = "form"> + +
+
+ <#list auth.authenticationSelections as authenticationSelection> +
+
+
+ +
+
+
+
+ ${msg('${authenticationSelection.displayName}')} +
+
+ ${msg('${authenticationSelection.helpText}')} +
+
+
+
+
+ + +
+
+ + + + diff --git a/dev/config/keycloak/themes/ltt/login/template.ftl b/dev/config/keycloak/themes/ltt/login/template.ftl new file mode 100644 index 0000000..042f887 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/template.ftl @@ -0,0 +1,159 @@ +<#macro registrationLayout bodyClass="" displayInfo=false displayMessage=true displayRequiredFields=false> + + lang="${locale.currentLanguageTag}"> + + + + + + + <#if properties.meta?has_content> + <#list properties.meta?split(' ') as meta> + + + + ${msg("loginTitle",(realm.displayName!''))} + + <#if properties.stylesCommon?has_content> + <#list properties.stylesCommon?split(' ') as style> + + + + <#if properties.styles?has_content> + <#list properties.styles?split(' ') as style> + + + + <#if properties.scripts?has_content> + <#list properties.scripts?split(' ') as script> + + + + <#if scripts??> + <#list scripts as script> + + + + + +
+ +
+
+ <#if properties.systemType?has_content> +
${kcSanitize(msg("systemType", properties.systemType))?no_esc}
+ + <#if properties.loginInfoMessage?has_content> +
${kcSanitize(properties.loginInfoMessage)?no_esc}
+ +
+
+
+ <#if realm.internationalizationEnabled && locale.supported?size gt 1> +
+
+
+ ${locale.current} +
    + <#list locale.supported as l> +
  • + ${l.label} +
  • + +
+
+
+
+ + <#if !(auth?has_content && auth.showUsername() && !auth.showResetCredentials())> + <#if displayRequiredFields> +
+
+ * ${msg("requiredFields")} +
+
+

<#nested "header">

+
+
+ <#else> +

<#nested "header">

+ + <#else> + <#if displayRequiredFields> +
+
+ * ${msg("requiredFields")} +
+
+ <#nested "show-username"> +
+ + + + +
+
+
+ <#else> + <#nested "show-username"> +
+ + + + +
+ + +
+
+ + <#-- App-initiated actions should not see warning messages about the need to complete the action --> + <#-- during login. --> + <#if displayMessage && message?has_content && (message.type != 'warning' || !isAppInitiatedAction??)> +
+
+ <#if message.type = 'success'> + <#if message.type = 'warning'> + <#if message.type = 'error'> + <#if message.type = 'info'> +
+ ${kcSanitize(message.summary)?no_esc} +
+ + + <#nested "form"> + + <#if auth?has_content && auth.showTryAnotherWayLink()> +
+ +
+ + + <#nested "socialProviders"> + + <#if displayInfo> +
+
+ <#nested "info"> +
+
+ +
+
+
+
+ + + diff --git a/dev/config/keycloak/themes/ltt/login/theme.properties b/dev/config/keycloak/themes/ltt/login/theme.properties new file mode 100644 index 0000000..00fe026 --- /dev/null +++ b/dev/config/keycloak/themes/ltt/login/theme.properties @@ -0,0 +1,6 @@ +parent=keycloak +import=common/keycloak +systemType=${env.__KEYCLOAK_SYSTEM_TYPE:} +loginInfoMessage=${env.__KEYCLOAK_LOGIN_INFO_MESSAGE:} +styles=css/login.css css/styles.css + diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index 43f7b29..8278ae9 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml 
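Review bot: `properties.loginInfoMessage` and `properties.systemType` are emitted with `?no_esc` after `kcSanitize`, and the `theme.properties` hunk on this same line feeds them straight from `__KEYCLOAK_LOGIN_INFO_MESSAGE` and `__KEYCLOAK_SYSTEM_TYPE`, which turns those two environment variables into operator-controlled HTML (kcSanitize keeps a subset of markup). That is acceptable for a deployment banner, but it should be stated where the values are defined; add to `theme.properties` a line such as `# rendered as sanitized HTML by template.ftl (?no_esc): set only from trusted deployment config, never from user input`. The 159-line `template.ftl` looks like a full copy of the base theme's template rather than an override of a few blocks, and a copied template does not receive upstream fixes, so a header comment naming the Keycloak version it was taken from would prompt a recheck on upgrades (a later patch in this series moves the default image from 22.0 to 26.0). The hunk text in this chunk has lost its HTML tags, so only the FreeMarker expressions were reviewed.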
@@ -66,6 +66,90 @@ services: aliases: - fhir-internal + keycloak: + # use tini as init + init: true + image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG:-22.0} + labels: + - traefik.enable=true + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.rule=Host(`keycloak.${BASE_DOMAIN}`) + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.tls=true + - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + command: + # https://www.keycloak.org/server/importExport#_importing_a_realm_during_startup + # recent Keycloak releases do not allow importing the master realm on startup; use old properties as workaround + # https://github.com/keycloak/keycloak/issues/12544#issuecomment-1191846726 + - -Dkeycloak.migration.action=import + - -Dkeycloak.migration.provider=dir + - -Dkeycloak.migration.dir=/opt/keycloak/data/import + - -Dkeycloak.migration.strategy=IGNORE_EXISTING + - -Dkeycloak.migration.replace-placeholders=true + - start + - --log-console-output=json + environment: + # https://www.keycloak.org/server/all-config + KC_DB: postgres + KC_DB_URL_HOST: db + KC_DB_USERNAME: postgres + KC_DB_PASSWORD: postgres + + # https://www.keycloak.org/server/reverseproxy + KC_PROXY: edge + # trust traefik Host header validation + KC_HOSTNAME_STRICT: "false" + + KEYCLOAK_ADMIN: admin + KEYCLOAK_ADMIN_PASSWORD: admin + + KEYCLOAK_CPRO_BACKCHANNEL_LOGOUT_URL: https://${BASE_DOMAIN}/auth/oidc/logoutCallback + KEYCLOAK_SHL_CREATOR_BASE: https://shl-creator.${BASE_DOMAIN} + KEYCLOAK_SHL_CREATOR_LOGOUT_REDIRECT_URL: https://${BASE_DOMAIN}/users + + env_file: + - keycloak.env + volumes: + - ./config/keycloak/import/:/opt/keycloak/data/import:ro + - ./config/keycloak/themes/:/opt/keycloak/themes:ro + depends_on: + - db + networks: + - ingress + - internal + + fhir-auth: + image: ghcr.io/uwcirg/jwt-proxy:${PROXY_IMAGE_TAG:-latest} + env_file: + fhir-auth.env + environment: + 
UPSTREAM_SERVER: http://fhir-internal:8080 + OIDC_AUTHORIZE_URL: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/auth + OIDC_TOKEN_URI: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/token + OIDC_TOKEN_INTROSPECTION_URI: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/token/introspect + JWKS_URL: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/certs + PATH_WHITELIST: /fhir/metadata,/fhir/.well-known/smart-configuration + labels: + - traefik.enable=true + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`fhir-auth.${BASE_DOMAIN}`) + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.tls=true + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + # TODO review if necessary for shl-creator service in same deploy + # add CORS middleware, configured to return `Access-Control-Allow-Origin: *` + # NB accessControlAllowOrigin is deprecated, but not noted in docs + # https://github.com/traefik/traefik/issues/8796 + - traefik.http.middlewares.fhir-auth-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowOriginList=* + # allow all verbs used by FHIR REST + - traefik.http.middlewares.fhir-auth-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowMethods=HEAD,GET,OPTIONS,PATCH,POST,PUT,DELETE + - traefik.http.middlewares.fhir-auth-${COMPOSE_PROJECT_NAME}-cors.headers.accessControlAllowHeaders=Authorization,Origin,Content-Type,Accept,Cache-Control + - traefik.http.routers.fhir-auth-${COMPOSE_PROJECT_NAME}.middlewares=fhir-auth-${COMPOSE_PROJECT_NAME}-cors + depends_on: + - fhir + networks: + - ingress + - internal + shl-creator: image: ghcr.io/uwcirg/shl-ips:${SHL_CREATOR_IMAGE_TAG:-latest} environment: diff --git a/dev/fhir-auth.env.default b/dev/fhir-auth.env.default new file mode 100644 index 0000000..c3602c3 --- /dev/null +++ b/dev/fhir-auth.env.default 
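Review bot: `KEYCLOAK_ADMIN_PASSWORD: admin` and `KC_DB_PASSWORD: postgres` are written into the keycloak service's `environment:` while the same service is published by Traefik at `keycloak.${BASE_DOMAIN}` with the letsencrypt resolver, so any deployment that reuses this file serves its admin console behind a fixed credential. The service already loads `keycloak.env`, so both passwords belong there, or can be demanded from the environment with `KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?set in .env}` so compose refuses to start without one. `KC_HOSTNAME_STRICT: "false"` with `KC_PROXY: edge` makes Keycloak accept whatever Host header reaches it; that is only safe while the service has no `ports:` entry of its own (it has none here), which the comment above it should say explicitly. A later patch in this series moves the default image to 26.0, and newer Keycloak releases deprecate `proxy` in favour of `proxy-headers`, so `KC_PROXY: edge` may need to become `KC_PROXY_HEADERS: xforwarded` — confirm against the 26.0 migration notes. The fhir-auth CORS labels pair `accessControlAllowOriginList=*` with `Authorization` in the allowed headers; the TODO already flags it, and since shl-creator appears to be the only browser client of fhir-auth in this file, `accessControlAllowOriginList=https://shl-creator.${BASE_DOMAIN}` is the natural narrowing.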
@@ -0,0 +1,8 @@ +# Example docker-compose environment file +# Copy to fhir-auth.env and modify as necessary +# https://docs.docker.com/compose/env-file/ + +# Variables defined in this file will only be available to containers/images +# ie not for interpolation in docker-compose YAML files + +SECRET_KEY= diff --git a/dev/keycloak.env.default b/dev/keycloak.env.default new file mode 100644 index 0000000..4bbffea --- /dev/null +++ b/dev/keycloak.env.default @@ -0,0 +1,11 @@ +# Example docker-compose environment file +# Copy to keycloak.env and modify as necessary +# https://docs.docker.com/compose/env-file/ + +# Variables defined in this file will only be available to containers/images +# ie not for interpolation in docker-compose YAML files + +# KEYCLOAK_EMAIL_USER= +# KEYCLOAK_EMAIL_PASSWORD= +# must match OIDC_CLIENT_SECRET in cpro.env +KEYCLOAK_LTT_CPRO_CLIENT_SECRET= From e1887f0bc340ba97d5d0e9e2f90486a19ced62cc Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Wed, 23 Oct 2024 15:22:49 -0700 Subject: [PATCH 06/16] Remove leftover cpro envvar --- dev/keycloak.env.default | 2 -- 1 file changed, 2 deletions(-) diff --git a/dev/keycloak.env.default b/dev/keycloak.env.default index 4bbffea..7838b0f 100644 --- a/dev/keycloak.env.default +++ b/dev/keycloak.env.default @@ -7,5 +7,3 @@ # KEYCLOAK_EMAIL_USER= # KEYCLOAK_EMAIL_PASSWORD= -# must match OIDC_CLIENT_SECRET in cpro.env -KEYCLOAK_LTT_CPRO_CLIENT_SECRET= From a466564416f2a4bf119b5963fe7f9cbfbf7b8287 Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Wed, 23 Oct 2024 15:23:10 -0700 Subject: [PATCH 07/16] Add keycloak image tag envvar --- dev/default.env | 1 + 1 file changed, 1 insertion(+) diff --git a/dev/default.env b/dev/default.env index 868bf58..5e987db 100644 --- a/dev/default.env +++ b/dev/default.env 
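Review bot: `SECRET_KEY=` in the new `fhir-auth.env.default` ships empty with no comment on what it is used for or whether jwt-proxy refuses to start when it is blank; neither is visible from this hunk. Replace the bare line with a short comment such as `# required: random, deployment-specific value for jwt-proxy (e.g. openssl rand -hex 32); do not start the proxy with it empty` so a copied file does not silently go live with an empty secret. Also worth confirming that `dev/fhir-auth.env` and `dev/keycloak.env`, which the `.default` headers ask users to create, are covered by the repository's ignore rules — this patch does not show them.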
@@ -14,6 +14,7 @@ COMPOSE_PROJECT_NAME= # docker image tag overrides; override default image tag with given image tag #FHIR_IMAGE_TAG= +#KEYCLOAK_IMAGE_TAG= #POSTGRES_IMAGE_TAG= #SHL_CREATOR_IMAGE_TAG= #SHL_SERVER_IMAGE_TAG= From 7e5bbf12c5b0ffc1715324598877f4ea34e90fe2 Mon Sep 17 00:00:00 2001 
From: Daniel Lorigan Date: Thu, 24 Oct 2024 13:33:56 -0700 Subject: [PATCH 08/16] Change "ltt" to "ips" and update default shl_creator redirect url in KC --- .../import/{ltt-realm.json => ips-realm.json} | 73 ++---------------- .../{ltt-users-0.json => ips-users-0.json} | 14 ++-- .../email/messages/messages_en.properties | 0 .../{ltt => ips}/email/theme.properties | 0 .../login/login-config-totp-text.ftl | 0 .../login/login-update-password.ftl | 0 .../login/login-update-profile.ftl | 0 .../{ltt => ips}/login/login-username.ftl | 0 .../login/login-verify-email-code-text.ftl | 0 .../{ltt => ips}/login/login-verify-email.ftl | 0 .../themes/{ltt => ips}/login/login.ftl | 0 .../login/messages/messages_en.properties | 0 .../login/register-user-profile.ftl | 0 .../themes/{ltt => ips}/login/register.ftl | 0 .../login/resources/css/styles.css | 0 .../login/resources/img/favicon.ico | Bin .../img/feedback-error-arrow-down.png | Bin .../resources/img/feedback-error-sign.png | Bin .../img/feedback-success-arrow-down.png | Bin .../resources/img/feedback-success-sign.png | Bin .../img/feedback-warning-arrow-down.png | Bin .../resources/img/feedback-warning-sign.png | Bin .../{ltt => ips}/login/resources/img/logo.svg | 0 .../login/select-authenticator.ftl | 0 .../themes/{ltt => ips}/login/template.ftl | 0 .../{ltt => ips}/login/theme.properties | 0 dev/docker-compose.yaml | 12 +-- 27 files changed, 20 insertions(+), 79 deletions(-) rename dev/config/keycloak/import/{ltt-realm.json => ips-realm.json} (95%) rename dev/config/keycloak/import/{ltt-users-0.json => ips-users-0.json} (88%) rename dev/config/keycloak/themes/{ltt => ips}/email/messages/messages_en.properties (100%) rename dev/config/keycloak/themes/{ltt => ips}/email/theme.properties (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/login-config-totp-text.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/login-update-password.ftl (100%) rename dev/config/keycloak/themes/{ltt => 
ips}/login/login-update-profile.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/login-username.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/login-verify-email-code-text.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/login-verify-email.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/login.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/messages/messages_en.properties (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/register-user-profile.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/register.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/css/styles.css (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/favicon.ico (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/feedback-error-arrow-down.png (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/feedback-error-sign.png (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/feedback-success-arrow-down.png (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/feedback-success-sign.png (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/feedback-warning-arrow-down.png (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/feedback-warning-sign.png (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/resources/img/logo.svg (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/select-authenticator.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/template.ftl (100%) rename dev/config/keycloak/themes/{ltt => ips}/login/theme.properties (100%) diff --git a/dev/config/keycloak/import/ltt-realm.json b/dev/config/keycloak/import/ips-realm.json similarity index 95% rename from dev/config/keycloak/import/ltt-realm.json rename to dev/config/keycloak/import/ips-realm.json index b9bb5ac..7bd319b 100644 
--- a/dev/config/keycloak/import/ltt-realm.json +++ b/dev/config/keycloak/import/ips-realm.json @@ -1,7 +1,7 @@ { "id": "25facb13-fdb5-46cd-b66d-fa9305652f1a", - "realm": "ltt", - "displayName": "Let's Talk Tech", + "realm": "ips", + "displayName": "International Patient Summary", "notBefore": 0, "defaultSignatureAlgorithm": "RS256", "revokeRefreshToken": false, @@ -46,7 +46,7 @@ "failureFactor": 30, "defaultRole": { "id": "0f25599f-05d1-4859-895d-e097d2b8bc4d", - "name": "default-roles-ltt", + "name": "default-roles-ips", "description": "${role_default-roles}", "composite": true, "clientRole": false, @@ -136,7 +136,7 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "${KEYCLOAK_SHL_CREATOR_BASE}/share" + "${KEYCLOAK_SHL_CREATOR_BASE}/create" ], "webOrigins": [ "*" @@ -158,7 +158,7 @@ "backchannel.logout.revoke.offline.tokens": "false", "frontchannel.logout.url": "${KEYCLOAK_SHL_CREATOR_BASE}/logout", "backchannel.logout.url": "", - "post.logout.redirect.uris": "${KEYCLOAK_CPRO_LANDING_PAGE}" + "post.logout.redirect.uris": "${KEYCLOAK_SHL_CREATOR_BASE}" }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": true, 
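Review bot: The `@@ -158` hunk switches the client's `post.logout.redirect.uris` to `${KEYCLOAK_SHL_CREATOR_BASE}`, while the compose file in this same patch still hands shl-creator `VITE_POST_LOGOUT_REDIRECT_URI: https://${BASE_DOMAIN}/users` and still defines `KEYCLOAK_SHL_CREATOR_LOGOUT_REDIRECT_URL` for keycloak, which no visible hunk consumes any more. If the app sends that Vite value as `post_logout_redirect_uri` (its name suggests so), Keycloak will reject the logout redirect; either keep the JSON as `"post.logout.redirect.uris": "${KEYCLOAK_SHL_CREATOR_LOGOUT_REDIRECT_URL}"` and point that variable at the URL the app uses, or update the Vite variable to the new base. In the `@@ -136` hunk the redirect URI is now pinned to `${KEYCLOAK_SHL_CREATOR_BASE}/create`, yet the adjacent `"webOrigins": [ "*" ]` still lets any browser origin use this client; Keycloak's `"+"` (origins of the registered redirect URIs) or an explicit `"${KEYCLOAK_SHL_CREATOR_BASE}"` closes that without touching the app. Both hunks appear to sit inside the same shl-creator client object, whose start and end lie outside them.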
@@ -179,65 +179,6 @@ "patient/*.read", "microprofile-jwt" ] - }, - { - "clientId": "ltt_cpro", - "name": "cPRO Let's Talk Tech", - "description": "cPRO configured as inform project", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "${KEYCLOAK_LTT_CPRO_CLIENT_SECRET}", - "redirectUris": [ - "*" - ], - "webOrigins": [ - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "client.secret.creation.time": "1703195110", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false", - "backchannel.logout.url": "${KEYCLOAK_CPRO_BACKCHANNEL_LOGOUT_URL}", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } } ], "clientScopes": [ @@ -821,8 +762,8 @@ "user": "${KEYCLOAK_EMAIL_USER}", "password": "${KEYCLOAK_EMAIL_PASSWORD}" }, - "loginTheme": "ltt", - "emailTheme": "ltt", + "loginTheme": "ips", + "emailTheme": "ips", "eventsEnabled": false, "eventsListeners": [ "jboss-logging" 
diff --git a/dev/config/keycloak/import/ltt-users-0.json b/dev/config/keycloak/import/ips-users-0.json similarity index 88% rename from dev/config/keycloak/import/ltt-users-0.json rename to dev/config/keycloak/import/ips-users-0.json index 7a04804..d92a3a2 100644 --- a/dev/config/keycloak/import/ltt-users-0.json +++ b/dev/config/keycloak/import/ips-users-0.json @@ -1,8 +1,8 @@ { - "realm": "ltt", + "realm": "ips", "users": [ { - "id": "ltt-test-user", + "id": "ips-test-user", "createdTimestamp": 1709134971000, "username": "test", "enabled": true, @@ -13,7 +13,7 @@ "email": "test@test.test", "credentials": [ { - "id": "ltt-test-user-password", + "id": "ips-test-user-password", "type": "password", "createdDate": 1709134971000, "secretData": "{\"value\":\"7Vmr6+Io+gJJrH+EOcmOJXshJ0tMI5x0rQ1wkCYgSCA=\",\"salt\":\"LR0DSOi5850zn9tNFYS1uw==\",\"additionalParameters\":{}}", @@ -24,14 +24,14 @@ "disableableCredentialTypes": [], "requiredActions": [], "realmRoles": [ - "default-roles-ltt", + "default-roles-ips", "patient-realm-role" ], "notBefore": 0, "groups": [] }, { - "id": "ltt-staff-user", + "id": "ips-staff-user", "createdTimestamp": 1709134971000, "username": "staff", "enabled": true, @@ -42,7 +42,7 @@ "email": "stafftest@test.test", "credentials": [ { - "id": "ltt-staff-user-password", + "id": "ips-staff-user-password", "type": "password", "createdDate": 1709134971000, "secretData" : "{\"value\":\"86AHPCF6rK9rndTfdST1Ijn4XQ6xC4/uoa3Q0S0O5nE=\",\"salt\":\"veo4rv2pmuiMhWcJgJmw7A==\",\"additionalParameters\":{}}", @@ -53,7 +53,7 @@ "disableableCredentialTypes": [], "requiredActions": [], "realmRoles": [ - "default-roles-ltt", + "default-roles-ips", "staff-realm-role" ], "notBefore": 0, 
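Review bot: The two fixture accounts `test` and `staff` (both `"enabled": true`) are only renamed here, and because the keycloak service imports the whole `config/keycloak/import/` directory with `IGNORE_EXISTING`, they are created in every deployment that uses this compose file, including one on a public `BASE_DOMAIN`. Their password hash and salt are committed alongside, so a simple fixture password offers little protection once the realm is reachable. Keep `ips-users-0.json` out of the import volume for anything but local development (a dev-only volume entry, or a separate directory selected via `keycloak.migration.dir`), or import the accounts with `"enabled": false`; since JSON carries no comments, record that intent in `keycloak.env.default` or the README.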
diff --git a/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties b/dev/config/keycloak/themes/ips/email/messages/messages_en.properties similarity index 100% rename from dev/config/keycloak/themes/ltt/email/messages/messages_en.properties rename to dev/config/keycloak/themes/ips/email/messages/messages_en.properties diff --git a/dev/config/keycloak/themes/ltt/email/theme.properties b/dev/config/keycloak/themes/ips/email/theme.properties similarity index 100% rename from dev/config/keycloak/themes/ltt/email/theme.properties rename to dev/config/keycloak/themes/ips/email/theme.properties diff --git a/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl b/dev/config/keycloak/themes/ips/login/login-config-totp-text.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl rename to dev/config/keycloak/themes/ips/login/login-config-totp-text.ftl diff --git a/dev/config/keycloak/themes/ltt/login/login-update-password.ftl b/dev/config/keycloak/themes/ips/login/login-update-password.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/login-update-password.ftl rename to dev/config/keycloak/themes/ips/login/login-update-password.ftl diff --git a/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl b/dev/config/keycloak/themes/ips/login/login-update-profile.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/login-update-profile.ftl rename to dev/config/keycloak/themes/ips/login/login-update-profile.ftl diff --git a/dev/config/keycloak/themes/ltt/login/login-username.ftl b/dev/config/keycloak/themes/ips/login/login-username.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/login-username.ftl rename to dev/config/keycloak/themes/ips/login/login-username.ftl 
diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl b/dev/config/keycloak/themes/ips/login/login-verify-email-code-text.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl rename to dev/config/keycloak/themes/ips/login/login-verify-email-code-text.ftl diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl b/dev/config/keycloak/themes/ips/login/login-verify-email.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/login-verify-email.ftl rename to dev/config/keycloak/themes/ips/login/login-verify-email.ftl diff --git a/dev/config/keycloak/themes/ltt/login/login.ftl b/dev/config/keycloak/themes/ips/login/login.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/login.ftl rename to dev/config/keycloak/themes/ips/login/login.ftl diff --git a/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties b/dev/config/keycloak/themes/ips/login/messages/messages_en.properties similarity index 100% rename from dev/config/keycloak/themes/ltt/login/messages/messages_en.properties rename to dev/config/keycloak/themes/ips/login/messages/messages_en.properties diff --git a/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl b/dev/config/keycloak/themes/ips/login/register-user-profile.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/register-user-profile.ftl rename to dev/config/keycloak/themes/ips/login/register-user-profile.ftl diff --git a/dev/config/keycloak/themes/ltt/login/register.ftl b/dev/config/keycloak/themes/ips/login/register.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/register.ftl rename to dev/config/keycloak/themes/ips/login/register.ftl 
diff --git a/dev/config/keycloak/themes/ltt/login/resources/css/styles.css b/dev/config/keycloak/themes/ips/login/resources/css/styles.css similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/css/styles.css rename to dev/config/keycloak/themes/ips/login/resources/css/styles.css diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico b/dev/config/keycloak/themes/ips/login/resources/img/favicon.ico similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico rename to dev/config/keycloak/themes/ips/login/resources/img/favicon.ico diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png b/dev/config/keycloak/themes/ips/login/resources/img/feedback-error-arrow-down.png similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png rename to dev/config/keycloak/themes/ips/login/resources/img/feedback-error-arrow-down.png diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png b/dev/config/keycloak/themes/ips/login/resources/img/feedback-error-sign.png similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png rename to dev/config/keycloak/themes/ips/login/resources/img/feedback-error-sign.png diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-arrow-down.png b/dev/config/keycloak/themes/ips/login/resources/img/feedback-success-arrow-down.png similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-arrow-down.png rename to dev/config/keycloak/themes/ips/login/resources/img/feedback-success-arrow-down.png 
diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png b/dev/config/keycloak/themes/ips/login/resources/img/feedback-success-sign.png similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png rename to dev/config/keycloak/themes/ips/login/resources/img/feedback-success-sign.png diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png b/dev/config/keycloak/themes/ips/login/resources/img/feedback-warning-arrow-down.png similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png rename to dev/config/keycloak/themes/ips/login/resources/img/feedback-warning-arrow-down.png diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png b/dev/config/keycloak/themes/ips/login/resources/img/feedback-warning-sign.png similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png rename to dev/config/keycloak/themes/ips/login/resources/img/feedback-warning-sign.png diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/logo.svg b/dev/config/keycloak/themes/ips/login/resources/img/logo.svg similarity index 100% rename from dev/config/keycloak/themes/ltt/login/resources/img/logo.svg rename to dev/config/keycloak/themes/ips/login/resources/img/logo.svg diff --git a/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl b/dev/config/keycloak/themes/ips/login/select-authenticator.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/select-authenticator.ftl rename to dev/config/keycloak/themes/ips/login/select-authenticator.ftl diff --git a/dev/config/keycloak/themes/ltt/login/template.ftl b/dev/config/keycloak/themes/ips/login/template.ftl similarity index 100% rename from dev/config/keycloak/themes/ltt/login/template.ftl rename to dev/config/keycloak/themes/ips/login/template.ftl 
diff --git a/dev/config/keycloak/themes/ltt/login/theme.properties b/dev/config/keycloak/themes/ips/login/theme.properties similarity index 100% rename from dev/config/keycloak/themes/ltt/login/theme.properties rename to dev/config/keycloak/themes/ips/login/theme.properties diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index 8278ae9..60e67ea 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml @@ -123,10 +123,10 @@ services: fhir-auth.env environment: UPSTREAM_SERVER: http://fhir-internal:8080 - OIDC_AUTHORIZE_URL: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/auth - OIDC_TOKEN_URI: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/token - OIDC_TOKEN_INTROSPECTION_URI: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/token/introspect - JWKS_URL: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/certs + OIDC_AUTHORIZE_URL: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/auth + OIDC_TOKEN_URI: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/token + OIDC_TOKEN_INTROSPECTION_URI: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/token/introspect + JWKS_URL: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/certs PATH_WHITELIST: /fhir/metadata,/fhir/.well-known/smart-configuration labels: - traefik.enable=true 
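Review bot: `/realms/ips/` is now spelled out in four URLs in this hunk and two more in the shl-creator block (the following hunk), with the realm name also fixed in `ips-realm.json`; a single variable such as `KEYCLOAK_REALM` in `default.env`, used as `/realms/${KEYCLOAK_REALM:-ips}/`, would make the next rename a one-line change and keep the compose file from drifting from the realm export. The `"realm": "ips"` value and the `ips-users-0.json` filename cannot follow a compose variable, so the default should match them and a comment next to the variable in `default.env` should say so.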
@@ -158,8 +158,8 @@ services: VITE_BACK_URL: https://${BASE_DOMAIN}/pro_reports/clinic_report_inform VITE_SOF_ISS: https://fhir-auth.${BASE_DOMAIN}/fhir VITE_OIDC_SERVER_BASE: https://keycloak.${BASE_DOMAIN} - VITE_OIDC_LOGOUT_ENDPOINT: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/logout - VITE_OIDC_CHECK_SESSION_IFRAME: https://keycloak.${BASE_DOMAIN}/realms/ltt/protocol/openid-connect/login-status-iframe.html + VITE_OIDC_LOGOUT_ENDPOINT: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/logout + VITE_OIDC_CHECK_SESSION_IFRAME: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/login-status-iframe.html VITE_POST_LOGOUT_REDIRECT_URI: https://${BASE_DOMAIN}/users env_file: shl-creator.env From 7fe736139f1ddc5d89c0c78c15b35350cd4b907b Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Thu, 12 Dec 2024 14:54:37 -0800 Subject: [PATCH 09/16] Bump keycloak image default to 26.0 --- dev/docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index 60e67ea..4d9aec8 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml @@ -69,7 +69,7 @@ services: keycloak: # use tini as init init: true - image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG:-22.0} + image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG:-26.0} labels: - traefik.enable=true - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.rule=Host(`keycloak.${BASE_DOMAIN}`) From 71bb9c987d4af90066bf35841f55dc1c656edeae Mon Sep 17 00:00:00 2001 
From: Daniel Lorigan Date: Tue, 17 Dec 2024 18:52:11 -0800 Subject: [PATCH 10/16] Remove ltt themse and realm configuration --- dev/config/keycloak/import/ltt-realm.json | 1600 ----------------- dev/config/keycloak/import/ltt-users-0.json | 63 - .../ltt/email/messages/messages_en.properties | 54 - .../themes/ltt/email/theme.properties | 2 - .../ltt/login/login-config-totp-text.ftl | 31 - .../ltt/login/login-update-password.ftl | 45 - .../themes/ltt/login/login-update-profile.ftl | 61 - .../themes/ltt/login/login-username.ftl | 60 - .../login/login-verify-email-code-text.ftl | 2 - .../themes/ltt/login/login-verify-email.ftl | 13 - .../keycloak/themes/ltt/login/login.ftl | 107 -- .../ltt/login/messages/messages_en.properties | 442 ----- .../ltt/login/register-user-profile.ftl | 74 - .../keycloak/themes/ltt/login/register.ftl | 88 - .../themes/ltt/login/resources/css/styles.css | 384 ---- .../ltt/login/resources/img/favicon.ico | Bin 4286 -> 0 bytes .../img/feedback-error-arrow-down.png | Bin 513 -> 0 bytes .../resources/img/feedback-error-sign.png | Bin 343 -> 0 bytes .../img/feedback-success-arrow-down.png | Bin 678 -> 0 bytes .../resources/img/feedback-success-sign.png | Bin 410 -> 0 bytes .../img/feedback-warning-arrow-down.png | Bin 513 -> 0 bytes .../resources/img/feedback-warning-sign.png | Bin 646 -> 0 bytes .../themes/ltt/login/resources/img/logo.svg | 12 - .../themes/ltt/login/select-authenticator.ftl | 42 - .../keycloak/themes/ltt/login/template.ftl | 159 -- .../themes/ltt/login/theme.properties | 6 - 26 files changed, 3245 deletions(-) delete mode 100644 dev/config/keycloak/import/ltt-realm.json delete mode 100644 dev/config/keycloak/import/ltt-users-0.json delete mode 100644 dev/config/keycloak/themes/ltt/email/messages/messages_en.properties delete mode 100644 dev/config/keycloak/themes/ltt/email/theme.properties delete mode 100644 dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl delete mode 100644 
dev/config/keycloak/themes/ltt/login/login-update-password.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/login-update-profile.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/login-username.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/login-verify-email.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/login.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/messages/messages_en.properties delete mode 100644 dev/config/keycloak/themes/ltt/login/register-user-profile.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/register.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/css/styles.css delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-arrow-down.png delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png delete mode 100644 dev/config/keycloak/themes/ltt/login/resources/img/logo.svg delete mode 100644 dev/config/keycloak/themes/ltt/login/select-authenticator.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/template.ftl delete mode 100644 dev/config/keycloak/themes/ltt/login/theme.properties diff --git a/dev/config/keycloak/import/ltt-realm.json b/dev/config/keycloak/import/ltt-realm.json deleted file mode 100644 index b9bb5ac..0000000 --- a/dev/config/keycloak/import/ltt-realm.json +++ /dev/null 
@@ -1,1600 +0,0 @@ -{ - "id": "25facb13-fdb5-46cd-b66d-fa9305652f1a", - "realm": "ltt", - "displayName": "Let's Talk Tech", - "notBefore": 0, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 14400, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "enabled": true, - "sslRequired": "external", - "registrationAllowed": false, - "registrationEmailAsUsername": true, - "rememberMe": false, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": true, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "defaultRole": { - "id": "0f25599f-05d1-4859-895d-e097d2b8bc4d", - "name": "default-roles-ltt", - "description": "${role_default-roles}", - "composite": true, - "clientRole": false, - "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a" - }, - "roles": { - "realm": [ - { - "id": "5614c921-f5f1-44b8-a04a-fc3b06dec10f", - "name": "staff-realm-role", - "description": "realm-specific staff role", - "composite": false, - "clientRole": false, 
- "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a", - "attributes": {} - }, - { - "id": "5614c921-f5f1-44b8-a04a-fc3b06dec10g", - "name": "patient-realm-role", - "description": "realm-specific patient role", - "composite": false, - "clientRole": false, - "containerId": "25facb13-fdb5-46cd-b66d-fa9305652f1a", - "attributes": {} - } - ] - }, - "requiredCredentials": [ - "password" - ], - "otpPolicyType": "totp", - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyInitialCounter": 0, - "otpPolicyDigits": 6, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpPolicyCodeReusable": false, - "otpSupportedApplications": [ - "totpAppFreeOTPName", - "totpAppGoogleName", - "totpAppMicrosoftAuthenticatorName" - ], - "passwordPolicy": "length(8) and upperCase(1) and lowerCase(1) and digits(1) and passwordHistory(3)", - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "scopeMappings": [ - { - 
"clientScope": "offline_access", - "roles": [ - "offline_access" - ] - } - ], - "clients": [ - { - "id": "a9925af1-4dcb-4791-bb2d-0087758b8f18", - "clientId": "shl_creator", - "name": "SMART Health Links Creator", - "description": "", - "rootUrl": "${KEYCLOAK_SHL_CREATOR_BASE}", - "adminUrl": "", - "baseUrl": "${KEYCLOAK_SHL_CREATOR_BASE}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "${KEYCLOAK_SHL_CREATOR_BASE}/share" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false", - "frontchannel.logout.url": "${KEYCLOAK_SHL_CREATOR_BASE}/logout", - "backchannel.logout.url": "", - "post.logout.redirect.uris": "${KEYCLOAK_CPRO_LANDING_PAGE}" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "launch", - "offline_access", - "online_access", - "patient/*.read", - "microprofile-jwt" - ] - }, - { - "clientId": "ltt_cpro", - "name": "cPRO Let's Talk Tech", - "description": "cPRO configured as inform project", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "${KEYCLOAK_LTT_CPRO_CLIENT_SECRET}", - "redirectUris": [ - "*" - ], - "webOrigins": [ 
- ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "oauth2.device.authorization.grant.enabled": "false", - "client.secret.creation.time": "1703195110", - "backchannel.logout.session.required": "true", - "backchannel.logout.revoke.offline.tokens": "false", - "backchannel.logout.url": "${KEYCLOAK_CPRO_BACKCHANNEL_LOGOUT_URL}", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } - } - ], - "clientScopes": [ - { - "id": "a972497d-27bb-4896-9002-575a23aac264", - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "784d5a9a-e4a4-4728-9ac5-473cee4e8f38", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - }, - { - "id": "6233b1ca-1387-4c2b-ba15-08baca2e8526", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - 
"consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - } - ] - }, - { - "id": "9165efea-0c4c-4e59-a560-0ba79586acd3", - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "54469bf3-8a4a-4d7f-ac15-567be2af871c", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - }, - { - "id": "ffd6e8be-fa9c-45db-8c25-8286fa4d2c36", - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "id": "c65a2ce4-e983-4109-b9df-82f73552b737", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" - } - } - ] - }, - { - "id": "b1a46bef-7912-4ea4-acd9-b06c07ee8b33", - "name": "offline_access", - "description": "OpenID Connect built-in scope: offline_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - }, - { - "id": "b1a46bef-7912-4ea4-acd9-b06c07ee8b34", - "name": "online_access", - "description": "OpenID Connect 
built-in scope: online_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${onlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - }, - { - "id": "dbbeab4e-2685-4f20-bfba-c0472c46922b", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "d5d73b1e-bb7c-42f2-a3f4-de9f6893c974", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - }, - { - "id": "4b636bf7-de44-44ac-99f2-5b29086cd7c1", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "18295a0a-daaf-448d-8793-cb39b36703cd", - "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", - "name": "patient/*.read", - "description": "SoF: Read all data for launch patient", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - } - }, - { - "id": "78ad99cd-c336-42ed-a55a-ddbe6119c928", - "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", - "name": "launch", - "description": "SoF: launch token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - } - }, - { - "id": "0e57bc1e-d2a9-4580-ad49-863c2ce868ac", - "name": 
"web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "id": "df8de33c-3b45-461c-9f44-b59eff0d412d", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "id": "d51c4fc8-1065-4f50-bfad-bfa5048077a2", - "name": "profile", - "description": "OpenID Connect built-in scope: profile", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${profileScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "88b4607d-87cf-41be-a66c-d34d20f4e12e", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - }, - { - "id": "21cb6b13-08b7-4d36-b515-97c83d56ad96", - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": "oidc-full-name-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - }, - { - "id": "76c736da-2c61-4444-b39f-349a64aee528", - "name": "given name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "firstName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "given_name", - "jsonType.label": "String" - } - }, - { - "id": "e0f6830b-794d-4166-a905-4e050cc8a4c1", - "name": 
"birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "birthdate", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "birthdate", - "jsonType.label": "String" - } - }, - { - "id": "dbecf4fa-47ac-49b4-b08f-a0794e40a5cc", - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "lastName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "family_name", - "jsonType.label": "String" - } - }, - { - "id": "7005f4a5-6e10-4591-af3d-9be8d22b692a", - "name": "profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "profile", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "profile", - "jsonType.label": "String" - } - }, - { - "id": "a45e6212-dbad-4e3e-845d-cff7d054b695", - "name": "nickname", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "nickname", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "nickname", - "jsonType.label": "String" - } - }, - { - "id": "83fcc140-2b4b-4b1e-993e-4b088878bf94", - "name": "middle name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "middleName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String" - } - }, - { - "id": "3fed8da8-02ae-457f-9b98-95bc8ecc4497", - "name": 
"username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String" - } - }, - { - "id": "85ba9aae-c581-4151-b22a-d71070937b31", - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "long" - } - }, - { - "id": "6541f6c8-7719-4e05-b2ff-181548fda2cd", - "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "zoneinfo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String" - } - }, - { - "id": "226be08d-3913-4b5e-89e6-d4a0ee0e57a4", - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "website", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String" - } - }, - { - "id": "da095466-4d1c-4fdf-a19c-8062a4e6081d", - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "gender", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "gender", - "jsonType.label": "String" - } - }, - { - "id": "ea9b4c39-055d-494b-a6d2-2fa6d238ba94", - "name": "picture", - 
"protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "db9c2c49-23e3-4b34-af26-e92e6afd00fa", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "679636f1-dc0c-4d22-8da0-88982a3aebbb", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "85417b6b-d5ce-465b-ae88-deb8c1270889", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "b70b144d-acd9-4a74-a2a2-5180c9915347", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "c5b05448-c849-4f0a-ab39-76c2d556e6df", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - 
"attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "7529440e-912d-460e-9acc-5e6d4ec8535a", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "d4d27f0d-0a90-4071-8d89-c40fee4c4d25", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "id": "a56c6a78-77b3-4f5e-9a88-8890f00f5084", - "name": "acr", - "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "108d221e-418e-41e3-82e7-8f84a2c96e6c", - "name": "acr loa level", - "protocol": "openid-connect", - "protocolMapper": "oidc-acr-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true" - } - } - ] - } - ], - "defaultDefaultClientScopes": [ - "role_list", - "profile", - "email", - "roles", - "web-origins", - "acr" - ], - "defaultOptionalClientScopes": [ - "offline_access", - "online_access", - "launch", - "patient/*.read", - "address", - "phone", - "microprofile-jwt" - ], - "browserSecurityHeaders": { - "contentSecurityPolicyReportOnly": "", - "xContentTypeOptions": "nosniff", - "referrerPolicy": "no-referrer", - "xRobotsTag": "none", - 
"xFrameOptions": "SAMEORIGIN", - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection": "1; mode=block", - "strictTransportSecurity": "max-age=31536000; includeSubDomains" - }, - "smtpServer": { - "replyToDisplayName": "CIRG Support", - "starttls": "true", - "auth": "true", - "envelopeFrom": "support@cirg.washington.edu", - "ssl": "false", - "port": "587", - "host": "mail.cirg.washington.edu", - "replyTo": "cirghelp@uw.edu", - "from": "noreply@cirg.washington.edu", - "fromDisplayName": "CIRG Support", - "user": "${KEYCLOAK_EMAIL_USER}", - "password": "${KEYCLOAK_EMAIL_PASSWORD}" - }, - "loginTheme": "ltt", - "emailTheme": "ltt", - "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "enabledEventTypes": [], - "adminEventsEnabled": false, - "adminEventsDetailsEnabled": false, - "identityProviders": [], - "identityProviderMappers": [], - "components": { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "id": "82a34186-fa1a-47bf-b7b8-114e7b59669e", - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "4ac932e4-863f-4f8e-b46f-e2b0b50f6b13", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "92671c84-f260-4618-b5f5-240433465e02", - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, - { - "id": "83202741-1122-4207-85b6-c2f6af40ae30", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "oidc-full-name-mapper", - "saml-user-property-mapper", - "oidc-address-mapper", - 
"oidc-usermodel-property-mapper", - "oidc-usermodel-attribute-mapper", - "saml-user-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-role-list-mapper" - ] - } - }, - { - "id": "d636a75a-cdd0-4730-ae36-969ca632579c", - "name": "Trusted Hosts", - "providerId": "trusted-hosts", - "subType": "anonymous", - "subComponents": {}, - "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] - } - }, - { - "id": "58e0bbc1-8586-44f3-a29a-87d03272bbb8", - "name": "Consent Required", - "providerId": "consent-required", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "6e5106ae-d399-41c7-ab1d-2b8aa411d6f5", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "1ce2a26b-d410-48eb-a23a-c571a2629b0f", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-property-mapper", - "saml-role-list-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-usermodel-property-mapper", - "oidc-address-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-user-attribute-mapper", - "oidc-full-name-mapper" - ] - } - } - ], - "org.keycloak.keys.KeyProvider": [ - { - "id": "6e11d956-96f6-4307-8ae5-818f43772fde", - "name": "rsa-enc-generated", - "providerId": "rsa-enc-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ], - "algorithm": [ - "RSA-OAEP" - ] - } - }, - { - "id": "c7582004-92ce-467e-9434-6d78d453e673", - "name": "rsa-generated", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - }, - { - "id": "bce684a7-4307-46d1-9066-e9e6a688e363", - "name": "aes-generated", - "providerId": "aes-generated", - "subComponents": {}, - 
"config": { - "priority": [ - "100" - ] - } - }, - { - "id": "da6cf182-6241-4346-9747-85d31b2b71b5", - "name": "hmac-generated", - "providerId": "hmac-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ], - "algorithm": [ - "HS256" - ] - } - } - ] - }, - "internationalizationEnabled": false, - "supportedLocales": [], - "authenticationFlows": [ - { - "id": "299d32a1-8433-412c-a6cd-b2787543d2a5", - "alias": "Account verification options", - "description": "Method with which to verity the existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-email-verification", - "requirement": "ALTERNATIVE", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "ALTERNATIVE", - "priority": 20, - "authenticatorFlow": true, - "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false - } - ] - }, - { - "id": "4062c512-4b86-43e1-8d09-91fed41f5aa4", - "alias": "Browser - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "bfa3f5d0-3679-4035-acad-75eb79fd8f10", - "alias": "Direct Grant - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, 
- "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-otp", - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "574792e7-d619-4956-8273-a7ab11209c22", - "alias": "First broker login - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "470d681a-0cd5-4d9b-914a-aa592fcebad5", - "alias": "Handle Existing Account", - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": true, - "flowAlias": "Account verification options", - "userSetupAllowed": false - } - ] - }, - { - "id": "1be37090-9ace-4f53-8821-834d8a3f7fa0", - "alias": "Reset - Conditional OTP", - "description": "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-otp", - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "60ad8099-96de-49bc-abf7-68348b8e5cfd", - "alias": "User creation or linking", - "description": "Flow for the existing/non-existing user alternatives", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "create unique user config", - "authenticator": "idp-create-user-if-unique", - "requirement": "ALTERNATIVE", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "ALTERNATIVE", - "priority": 20, - "authenticatorFlow": true, - "flowAlias": "Handle Existing Account", - "userSetupAllowed": false - } - ] - }, - { - "id": "e91991e7-4e77-42a0-a4e6-b381745e8465", - "alias": "Verify Existing Account by Re-authentication", - "description": "Reauthentication of existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "CONDITIONAL", - "priority": 20, - "authenticatorFlow": true, - "flowAlias": "First broker login - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "5dfa29dd-926e-45e5-9c04-a03fe7411bc9", - "alias": "browser", - "description": "browser based authentication", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "requirement": 
"ALTERNATIVE", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-spnego", - "requirement": "DISABLED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "identity-provider-redirector", - "requirement": "ALTERNATIVE", - "priority": 25, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "ALTERNATIVE", - "priority": 30, - "authenticatorFlow": true, - "flowAlias": "forms", - "userSetupAllowed": false - } - ] - }, - { - "id": "f4ecdcf1-3bc2-4763-b1a1-ccff11b61b85", - "alias": "clients", - "description": "Base authentication for clients", - "providerId": "client-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "client-secret", - "requirement": "ALTERNATIVE", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-jwt", - "requirement": "ALTERNATIVE", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-secret-jwt", - "requirement": "ALTERNATIVE", - "priority": 30, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-x509", - "requirement": "ALTERNATIVE", - "priority": 40, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "6ae32f11-e8af-4769-9da7-0121b714106b", - "alias": "direct grant", - "description": "OpenID Connect Resource Owner Grant", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-password", - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": 
"CONDITIONAL", - "priority": 30, - "authenticatorFlow": true, - "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "3cac0a9c-51aa-470f-bee4-97790cd8320a", - "alias": "docker auth", - "description": "Used by Docker clients to authenticate against the IDP", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "0cd46511-9781-491f-85f4-a76509925d86", - "alias": "first broker login", - "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "review profile config", - "authenticator": "idp-review-profile", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": true, - "flowAlias": "User creation or linking", - "userSetupAllowed": false - } - ] - }, - { - "id": "01656bb2-3871-41e3-bc71-b6b0060d4a60", - "alias": "forms", - "description": "Username, password, otp and other auth forms.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "CONDITIONAL", - "priority": 20, - "authenticatorFlow": true, - "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "2335a0d6-3f6b-4584-b88b-b0aaeeea218d", - "alias": "registration", - "description": "registration flow", - "providerId": "basic-flow", - 
"topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": true, - "flowAlias": "registration form", - "userSetupAllowed": false - } - ] - }, - { - "id": "4c69f335-8ed1-464a-8665-df946a6178c3", - "alias": "registration form", - "description": "registration form", - "providerId": "form-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-user-creation", - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-profile-action", - "requirement": "REQUIRED", - "priority": 40, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-password-action", - "requirement": "REQUIRED", - "priority": 50, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-recaptcha-action", - "requirement": "DISABLED", - "priority": 60, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "4ec56626-57b5-42d2-9903-97f65feb24d7", - "alias": "reset credentials", - "description": "Reset credentials for a user if they forgot their password or something", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-credential-email", - "requirement": "REQUIRED", - "priority": 20, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-password", - "requirement": "REQUIRED", - "priority": 30, - "authenticatorFlow": false, - "userSetupAllowed": false - }, - { - "requirement": "CONDITIONAL", - "priority": 40, - "authenticatorFlow": true, - 
"flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "d3d0b313-b2de-4fba-88aa-8042681f7eb3", - "alias": "saml ecp", - "description": "SAML ECP Profile Authentication Flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "requirement": "REQUIRED", - "priority": 10, - "authenticatorFlow": false, - "userSetupAllowed": false - } - ] - } - ], - "authenticatorConfig": [ - { - "id": "a7b3366e-488c-47a0-a6f4-0433e6ff820d", - "alias": "create unique user config", - "config": { - "require.password.update.after.registration": "false" - } - }, - { - "id": "3033574d-ae62-456e-a325-aa6f7d026a1c", - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - } - } - ], - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "name": "Configure OTP", - "providerId": "CONFIGURE_TOTP", - "enabled": true, - "defaultAction": false, - "priority": 10, - "config": {} - }, - { - "alias": "TERMS_AND_CONDITIONS", - "name": "Terms and Conditions", - "providerId": "TERMS_AND_CONDITIONS", - "enabled": false, - "defaultAction": false, - "priority": 20, - "config": {} - }, - { - "alias": "UPDATE_PASSWORD", - "name": "Update Password", - "providerId": "UPDATE_PASSWORD", - "enabled": true, - "defaultAction": false, - "priority": 30, - "config": {} - }, - { - "alias": "UPDATE_PROFILE", - "name": "Update Profile", - "providerId": "UPDATE_PROFILE", - "enabled": true, - "defaultAction": false, - "priority": 40, - "config": {} - }, - { - "alias": "VERIFY_EMAIL", - "name": "Verify Email", - "providerId": "VERIFY_EMAIL", - "enabled": true, - "defaultAction": false, - "priority": 50, - "config": {} - }, - { - "alias": "delete_account", - "name": "Delete Account", - "providerId": "delete_account", - "enabled": false, - "defaultAction": false, - "priority": 60, - "config": {} - }, - { - "alias": "webauthn-register", - "name": 
"Webauthn Register", - "providerId": "webauthn-register", - "enabled": true, - "defaultAction": false, - "priority": 70, - "config": {} - }, - { - "alias": "webauthn-register-passwordless", - "name": "Webauthn Register Passwordless", - "providerId": "webauthn-register-passwordless", - "enabled": true, - "defaultAction": false, - "priority": 80, - "config": {} - }, - { - "alias": "update_user_locale", - "name": "Update User Locale", - "providerId": "update_user_locale", - "enabled": true, - "defaultAction": false, - "priority": 1000, - "config": {} - } - ], - "browserFlow": "browser", - "registrationFlow": "registration", - "directGrantFlow": "direct grant", - "resetCredentialsFlow": "reset credentials", - "clientAuthenticationFlow": "clients", - "dockerAuthenticationFlow": "docker auth", - "attributes": { - "cibaBackchannelTokenDeliveryMode": "poll", - "cibaExpiresIn": "120", - "cibaAuthRequestedUserHint": "login_hint", - "oauth2DeviceCodeLifespan": "600", - "oauth2DevicePollingInterval": "5", - "parRequestUriLifespan": "60", - "cibaInterval": "5", - "realmReusableOtpCode": "false" - }, - "keycloakVersion": "22.0.5", - "userManagedAccessAllowed": false, - "clientProfiles": { - "profiles": [] - }, - "clientPolicies": { - "policies": [] - } -} diff --git a/dev/config/keycloak/import/ltt-users-0.json b/dev/config/keycloak/import/ltt-users-0.json deleted file mode 100644 index 7a04804..0000000 --- a/dev/config/keycloak/import/ltt-users-0.json +++ /dev/null 
@@ -1,63 +0,0 @@
-{
- "realm": "ltt",
- "users": [
- {
- "id": "ltt-test-user",
- "createdTimestamp": 1709134971000,
- "username": "test",
- "enabled": true,
- "totp": false,
- "emailVerified": true,
- "firstName": "FirstName",
- "lastName": "LastName",
- "email": "test@test.test",
- "credentials": [
- {
- "id": "ltt-test-user-password",
- "type": "password",
- "createdDate": 1709134971000,
- "secretData": "{\"value\":\"7Vmr6+Io+gJJrH+EOcmOJXshJ0tMI5x0rQ1wkCYgSCA=\",\"salt\":\"LR0DSOi5850zn9tNFYS1uw==\",\"additionalParameters\":{}}",
- "userLabel": "test user password is set to \"test\"",
- "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
- }
- ],
- "disableableCredentialTypes": [],
- "requiredActions": [],
- "realmRoles": [
- "default-roles-ltt",
- "patient-realm-role"
- ],
- "notBefore": 0,
- "groups": []
- },
- {
- "id": "ltt-staff-user",
- "createdTimestamp": 1709134971000,
- "username": "staff",
- "enabled": true,
- "totp": false,
- "emailVerified": true,
- "firstName": "Test",
- "lastName": "Staff",
- "email": "stafftest@test.test",
- "credentials": [
- {
- "id": "ltt-staff-user-password",
- "type": "password",
- "createdDate": 1709134971000,
- "secretData" : "{\"value\":\"86AHPCF6rK9rndTfdST1Ijn4XQ6xC4/uoa3Q0S0O5nE=\",\"salt\":\"veo4rv2pmuiMhWcJgJmw7A==\",\"additionalParameters\":{}}",
- "userLabel": "staff test user password is set to \"staff\"",
- "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
- }
- ],
- "disableableCredentialTypes": [],
- "requiredActions": [],
- "realmRoles": [
- "default-roles-ltt",
- "staff-realm-role"
- ],
- "notBefore": 0,
- "groups": []
- }
- ]
-}
diff --git a/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties b/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties
deleted file mode 100644
index 7a7dacc..0000000
--- a/dev/config/keycloak/themes/ltt/email/messages/messages_en.properties +++ /dev/null @@ -1,54 +0,0 @@ -emailVerificationSubject=Verify email -emailVerificationBody=Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address\n\n{0}\n\nThis link will expire within {3}.\n\nIf you didn''t create this account, just ignore this message. -emailVerificationBodyHtml=

Someone has created a {2} account with this email address. If this was you, click the link below to verify your email address

Link to e-mail address verification

This link will expire within {3}.

If you didn''t create this account, just ignore this message.

-emailUpdateConfirmationSubject=Verify new email -emailUpdateConfirmationBody=To update your {2} account with email address {1}, click the link below\n\n{0}\n\nThis link will expire within {3}.\n\nIf you don''t want to proceed with this modification, just ignore this message. -emailUpdateConfirmationBodyHtml=

To update your {2} account with email address {1}, click the link below

{0}

This link will expire within {3}.

If you don''t want to proceed with this modification, just ignore this message.

-emailTestSubject=[KEYCLOAK] - SMTP test message -emailTestBody=This is a test message. Test Only. -emailTestBodyHtml=

This is a test message

-identityProviderLinkSubject=Link {0} -identityProviderLinkBody=Someone wants to link your "{1}" account with "{0}" account of user {2} . If this was you, click the link below to link accounts\n\n{3}\n\nThis link will expire within {5}.\n\nIf you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}. -identityProviderLinkBodyHtml=

Someone wants to link your {1} account with {0} account of user {2}. If this was you, click the link below to link accounts

Link to confirm account linking

This link will expire within {5}.

If you don''t want to link account, just ignore this message. If you link accounts, you will be able to login to {1} through {0}.

-passwordResetSubject=Reset password -passwordResetBody=Someone just requested to change your {2} account''s password. If this was you, click on the link below to reset them.\n\n{0}\n\nThis link and code will expire within {3}.\n\nIf you don''t want to reset your password, just ignore this message and nothing will be changed. -passwordResetBodyHtml=

Someone just requested to change your {2} account''s password. If this was you, click on the link below to reset them.

Link to reset password

This link will expire within {3}.

If you don''t want to reset your password, just ignore this message and nothing will be changed.

-executeActionsSubject=Update Your Account -executeActionsBody=Your administrator has just requested that you update your {2} account by performing the following action(s): {3}. Click on the link below to start this process.\n\n{0}\n\nThis link will expire within {4}.\n\nIf you are unaware that your administrator has requested this, just ignore this message and nothing will be changed. -executeActionsBodyHtml=

Your administrator has just requested that you update your {2} account by performing the following action(s): {3}. Click on the link below to start this process.

Link to account update

This link will expire within {4}.

If you are unaware that your administrator has requested this, just ignore this message and nothing will be changed.

-eventLoginErrorSubject=Login error -eventLoginErrorBody=A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an administrator. -eventLoginErrorBodyHtml=

A failed login attempt was detected to your account on {0} from {1}. If this was not you, please contact an administrator.

-eventRemoveTotpSubject=Remove OTP -eventRemoveTotpBody=OTP was removed from your account on {0} from {1}. If this was not you, please contact an administrator. -eventRemoveTotpBodyHtml=

OTP was removed from your account on {0} from {1}. If this was not you, please contact an administrator.

-eventUpdatePasswordSubject=Update password -eventUpdatePasswordBody=Your password was changed on {0} from {1}. If this was not you, please contact an administrator. -eventUpdatePasswordBodyHtml=

Your password was changed on {0} from {1}. If this was not you, please contact an administrator.

-eventUpdateTotpSubject=Update OTP -eventUpdateTotpBody=OTP was updated for your account on {0} from {1}. If this was not you, please contact an administrator. -eventUpdateTotpBodyHtml=

OTP was updated for your account on {0} from {1}. If this was not you, please contact an administrator.

- -requiredAction.CONFIGURE_TOTP=Configure OTP -requiredAction.TERMS_AND_CONDITIONS=Terms and Conditions -requiredAction.UPDATE_PASSWORD=Update Password -requiredAction.UPDATE_PROFILE=Update Profile -requiredAction.VERIFY_EMAIL=Verify Email -requiredAction.CONFIGURE_RECOVERY_AUTHN_CODES=Generate Recovery Codes - -# units for link expiration timeout formatting -# for languages which have more unit plural forms depending on the value (eg. Czech and other Slavic langs) you can override unit text for some other values like described in the Java choice format which is documented here. For Czech, it would be '{0,choice,0#minut|1#minuta|2#minuty|2Please verify your email address by entering in the following code.

{0}

- diff --git a/dev/config/keycloak/themes/ltt/email/theme.properties b/dev/config/keycloak/themes/ltt/email/theme.properties deleted file mode 100644 index 93d3b28..0000000 --- a/dev/config/keycloak/themes/ltt/email/theme.properties +++ /dev/null @@ -1,2 +0,0 @@ -parent=keycloak - diff --git a/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl b/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl deleted file mode 100644 index d609182..0000000 --- a/dev/config/keycloak/themes/ltt/login/login-config-totp-text.ftl +++ /dev/null @@ -1,31 +0,0 @@ -<#ftl output_format="plainText"> -${msg("loginTotpIntro")} - -${msg("loginTotpStep1")} - -<#list totp.policy.supportedApplications as app> -* ${app} - - -${msg("loginTotpManualStep2")} - - ${totp.totpSecretEncoded} - - -${msg("loginTotpManualStep3")} - -- ${msg("loginTotpType")}: ${msg("loginTotp." + totp.policy.type)} -- ${msg("loginTotpAlgorithm")}: ${totp.policy.getAlgorithmKey()} -- ${msg("loginTotpDigits")}: ${totp.policy.digits} -<#if totp.policy.type = "totp"> -- ${msg("loginTotpInterval")}: ${totp.policy.period} - -<#elseif totp.policy.type = "hotp"> -- ${msg("loginTotpCounter")}: ${totp.policy.initialCounter} - - - -Enter in your one time password so we can verify you have installed it correctly. - - - diff --git a/dev/config/keycloak/themes/ltt/login/login-update-password.ftl b/dev/config/keycloak/themes/ltt/login/login-update-password.ftl deleted file mode 100644 index 5c70fe0..0000000 --- a/dev/config/keycloak/themes/ltt/login/login-update-password.ftl +++ /dev/null @@ -1,45 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout displayInfo=true; section> - <#if section = "header"> - ${msg("updatePasswordTitle")} - <#elseif section = "form"> -
- - - -
-
- -
-
- -
${kcSanitize(msg("passwordPolicy"))?no_esc}
-
-
- -
-
- -
-
- -
-
-
-
-
-
-
- -
- <#if isAppInitiatedAction??> - - - <#else> - - -
-
-
- - diff --git a/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl b/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl deleted file mode 100644 index d87a90f..0000000 --- a/dev/config/keycloak/themes/ltt/login/login-update-profile.ftl +++ /dev/null @@ -1,61 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout; section> - <#if section = "header"> - ${msg("loginProfileTitle")} - <#elseif section = "form"> -
- <#if user.editUsernameAllowed> -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
-
-
-
- -
- <#if isAppInitiatedAction??> - - - <#else> - - -
-
-
- - diff --git a/dev/config/keycloak/themes/ltt/login/login-username.ftl b/dev/config/keycloak/themes/ltt/login/login-username.ftl deleted file mode 100644 index 6d5737e..0000000 --- a/dev/config/keycloak/themes/ltt/login/login-username.ftl +++ /dev/null @@ -1,60 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout displayInfo=social.displayInfo displayWide=(realm.password && social.providers??); section> - <#if section = "header"> - ${msg("doLogIn")} - <#elseif section = "form"> -
class="${properties.kcContentWrapperClass!}"> -
class="${properties.kcFormSocialAccountContentClass!} ${properties.kcFormSocialAccountClass!}"> - <#if realm.password> -
-
- - - <#if usernameEditDisabled??> - - <#else> - - -
- -
-
- <#if realm.rememberMe && !usernameEditDisabled??> -
- -
- -
-
- -
- -
-
- -
- <#if realm.password && social.providers??> -
- -
- -
- <#elseif section = "info" > - <#if realm.password && realm.registrationAllowed && !usernameEditDisabled??> -
- ${msg("noAccount")} ${msg("doRegister")} -
- - - - diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl b/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl deleted file mode 100644 index 87abcd7..0000000 --- a/dev/config/keycloak/themes/ltt/login/login-verify-email-code-text.ftl +++ /dev/null @@ -1,2 +0,0 @@ -<#ftl output_format="plainText"> -${msg("console-verify-email",email, code)} \ No newline at end of file diff --git a/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl b/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl deleted file mode 100644 index e69a9fe..0000000 --- a/dev/config/keycloak/themes/ltt/login/login-verify-email.ftl +++ /dev/null @@ -1,13 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout; section> - <#if section = "header"> - ${msg("emailVerifyTitle")} - <#elseif section = "form"> -

- ${msg("emailVerifyInstruction1")} -

-

- ${msg("emailVerifyInstruction2")} ${msg("doClickHere")} ${msg("emailVerifyInstruction3")} -

- - \ No newline at end of file diff --git a/dev/config/keycloak/themes/ltt/login/login.ftl b/dev/config/keycloak/themes/ltt/login/login.ftl deleted file mode 100644 index c789a58..0000000 --- a/dev/config/keycloak/themes/ltt/login/login.ftl +++ /dev/null @@ -1,107 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout displayMessage=!messagesPerField.existsError('username','password') displayInfo=realm.password && realm.registrationAllowed && !registrationDisabled??; section> - <#if section = "header"> - ${msg("loginAccountTitle")} - <#elseif section = "form"> -
-
- <#if realm.password> -
- <#if !usernameHidden??> -
- - - - - <#if messagesPerField.existsError('username','password')> - - ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc} - - - -
- - -
- - - - - <#if usernameHidden?? && messagesPerField.existsError('username','password')> - - ${kcSanitize(messagesPerField.getFirstError('username','password'))?no_esc} - - - -
- -
-
- <#if realm.rememberMe && !usernameHidden??> -
- -
- -
-
- <#if realm.resetPasswordAllowed> - ${msg("doForgotPassword")} - -
- -
- -
- value="${auth.selectedCredential}"/> - -
-
- -
- -
- <#elseif section = "info" > - <#if realm.password && realm.registrationAllowed && !registrationDisabled??> -
-
- ${msg("noAccount")} ${msg("doRegister")} -
-
- - <#elseif section = "socialProviders" > - <#if realm.password && social.providers??> -
-
-

${msg("identity-provider-login-label")}

- - -
- - - - diff --git a/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties b/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties deleted file mode 100644 index 60405bb..0000000 --- a/dev/config/keycloak/themes/ltt/login/messages/messages_en.properties +++ /dev/null 
@@ -1,442 +0,0 @@ -doLogIn=Sign In -doRegister=Register -doCancel=Cancel -doSubmit=Submit -doBack=Back -doYes=Yes -doNo=No -doContinue=Continue -doIgnore=Ignore -doAccept=Accept -doDecline=Decline -doForgotPassword=First time using, or forgot password? -doClickHere=Click here -doImpersonate=Impersonate -doTryAgain=Try again -doTryAnotherWay=Try Another Way -doConfirmDelete=Confirm deletion -errorDeletingAccount=Error happened while deleting account -deletingAccountForbidden=You do not have enough permissions to delete your own account, contact admin. -kerberosNotConfigured=Kerberos Not Configured -kerberosNotConfiguredTitle=Kerberos Not Configured -bypassKerberosDetail=Either you are not logged in by Kerberos or your browser is not set up for Kerberos login. Please click continue to login in through other means -kerberosNotSetUp=Kerberos is not set up. You cannot login. -registerTitle=Register -loginAccountTitle=Sign in to your account -loginTitle=Sign in to {0} -loginTitleHtml={0} -impersonateTitle={0} Impersonate User -impersonateTitleHtml={0} Impersonate User -realmChoice=Realm -unknownUser=Unknown user -loginTotpTitle=Mobile Authenticator Setup -loginProfileTitle=Update Account Information -loginIdpReviewProfileTitle=Update Account Information -loginTimeout=Your login attempt timed out. Login will start from the beginning. -oauthGrantTitle=Grant Access to {0} -oauthGrantTitleHtml={0} -errorTitle=We are sorry... -errorTitleHtml=We are sorry ... -emailVerifyTitle=Email verification -emailForgotTitle=First time using, or forgot password? -updatePasswordTitle=Update password -codeSuccessTitle=Success code -codeErrorTitle=Error code\: {0} -displayUnsupported=Requested display type unsupported -browserRequired=Browser required to login -browserContinue=Browser required to complete login -browserContinuePrompt=Open browser and continue login? [y/n]: -browserContinueAnswer=y - - -termsTitle=Terms and Conditions -termsText=

Terms and conditions to be defined

-termsPlainText=Terms and conditions to be defined. - -recaptchaFailed=Invalid Recaptcha -recaptchaNotConfigured=Recaptcha is required, but not configured -consentDenied=Consent denied. - -noAccount=New user? -username=Username -usernameOrEmail=Username or email -firstName=First name -givenName=Given name -fullName=Full name -lastName=Last name -familyName=Family name -email=Email -password=Password -passwordConfirm=Confirm password -passwordNew=New Password -passwordNewConfirm=New Password confirmation -passwordPolicy=

Password must:

  • Include at least one upper case letter, one lower case letter, and one number
  • Be at least 8 characters long
  • Have not been used recently
-rememberMe=Remember me
-authenticatorCode=One-time code
-address=Address
-street=Street
-locality=City or Locality
-region=State, Province, or Region
-postal_code=Zip or Postal code
-country=Country
-emailVerified=Email verified
-website=Web page
-phoneNumber=Phone number
-phoneNumberVerified=Phone number verified
-gender=Gender
-birthday=Birthdate
-zoneinfo=Time zone
-gssDelegationCredential=GSS Delegation Credential
-logoutOtherSessions=Sign out from other devices
-
-profileScopeConsentText=User profile
-emailScopeConsentText=Email address
-addressScopeConsentText=Address
-phoneScopeConsentText=Phone number
-offlineAccessScopeConsentText=Offline Access
-samlRoleListScopeConsentText=My Roles
-rolesScopeConsentText=User roles
-
-restartLoginTooltip=Restart login
-
-loginTotpIntro=You need to set up a One Time Password generator to access this account
-loginTotpStep1=Install one of the following applications on your mobile:
-loginTotpStep2=Open the application and scan the barcode:
-loginTotpStep3=Enter the one-time code provided by the application and click Submit to finish the setup.
-loginTotpStep3DeviceName=Provide a Device Name to help you manage your OTP devices.
-loginTotpManualStep2=Open the application and enter the key:
-loginTotpManualStep3=Use the following configuration values if the application allows setting them:
-loginTotpUnableToScan=Unable to scan?
-loginTotpScanBarcode=Scan barcode?
-loginCredential=Credential
-loginOtpOneTime=One-time code
-loginTotpType=Type
-loginTotpAlgorithm=Algorithm
-loginTotpDigits=Digits
-loginTotpInterval=Interval
-loginTotpCounter=Counter
-loginTotpDeviceName=Device Name
-
-loginTotp.totp=Time-based
-loginTotp.hotp=Counter-based
-
-loginChooseAuthenticator=Select login method
-
-oauthGrantRequest=Do you grant these access privileges?
-inResource=in
-
-oauth2DeviceVerificationTitle=Device Login
-verifyOAuth2DeviceUserCode=Enter the code provided by your device and click Submit
-oauth2DeviceInvalidUserCodeMessage=Invalid code, please try again.
-oauth2DeviceExpiredUserCodeMessage=The code has expired. Please go back to your device and try connecting again.
-oauth2DeviceVerificationCompleteHeader=Device Login Successful
-oauth2DeviceVerificationCompleteMessage=You may close this browser window and go back to your device.
-oauth2DeviceVerificationFailedHeader=Device Login Failed
-oauth2DeviceVerificationFailedMessage=You may close this browser window and go back to your device and try connecting again.
-oauth2DeviceConsentDeniedMessage=Consent denied for connecting the device.
-oauth2DeviceAuthorizationGrantDisabledMessage=Client is not allowed to initiate OAuth 2.0 Device Authorization Grant. The flow is disabled for the client.
-
-emailVerifyInstruction1=An email with instructions to verify your email address has been sent to you.
-emailVerifyInstruction2=Haven''t received a verification code in your email?
-emailVerifyInstruction3=to re-send the email.
-
-emailLinkIdpTitle=Link {0}
-emailLinkIdp1=An email with instructions to link {0} account {1} with your {2} account has been sent to you.
-emailLinkIdp2=Haven''t received a verification code in your email?
-emailLinkIdp3=to re-send the email.
-emailLinkIdp4=If you already verified the email in different browser
-emailLinkIdp5=to continue.
-
-backToLogin=« Back to Login
-
-emailInstruction=Enter your username or email address and we will send you instructions on how to create a new password.
-
-copyCodeInstruction=Please copy this code and paste it into your application:
-
-pageExpiredTitle=Page has expired
-pageExpiredMsg1=To restart the login process
-pageExpiredMsg2=To continue the login process
-
-personalInfo=Personal Info:
-role_admin=Admin
-role_realm-admin=Realm Admin
-role_create-realm=Create realm
-role_create-client=Create client
-role_view-realm=View realm
-role_view-users=View users
-role_view-applications=View applications
-role_view-clients=View clients
-role_view-events=View events
-role_view-identity-providers=View identity providers
-role_manage-realm=Manage realm
-role_manage-users=Manage users
-role_manage-applications=Manage applications
-role_manage-identity-providers=Manage identity providers
-role_manage-clients=Manage clients
-role_manage-events=Manage events
-role_view-profile=View profile
-role_manage-account=Manage account
-role_manage-account-links=Manage account links
-role_read-token=Read token
-role_offline-access=Offline access
-client_account=Account
-client_account-console=Account Console
-client_security-admin-console=Security Admin Console
-client_admin-cli=Admin CLI
-client_realm-management=Realm Management
-client_broker=Broker
-
-requiredFields=Required fields
-
-invalidUserMessage=Invalid username or password.
-invalidUsernameMessage=Invalid username.
-invalidUsernameOrEmailMessage=Invalid username or email.
-invalidPasswordMessage=Invalid password.
-invalidEmailMessage=Invalid email address.
-accountDisabledMessage=Account is disabled, contact your administrator.
-accountTemporarilyDisabledMessage=Account is temporarily disabled; contact your administrator or retry later.
-expiredCodeMessage=Login timeout. Please sign in again.
-expiredActionMessage=Action expired. Please continue with login now.
-expiredActionTokenNoSessionMessage=Action expired.
-expiredActionTokenSessionExistsMessage=Action expired. Please start again.
-
-missingFirstNameMessage=Please specify first name.
-missingLastNameMessage=Please specify last name.
-missingEmailMessage=Please specify email.
-missingUsernameMessage=Please specify username.
-missingPasswordMessage=Please specify password.
-missingTotpMessage=Please specify authenticator code.
-missingTotpDeviceNameMessage=Please specify device name.
-notMatchPasswordMessage=Passwords don''t match.
-
-error-invalid-value=Invalid value.
-error-invalid-blank=Please specify value.
-error-empty=Please specify value.
-error-invalid-length=Length must be between {1} and {2}.
-error-invalid-length-too-short=Minimal length is {1}.
-error-invalid-length-too-long=Maximal length is {2}.
-error-invalid-email=Invalid email address.
-error-invalid-number=Invalid number.
-error-number-out-of-range=Number must be between {1} and {2}.
-error-number-out-of-range-too-small=Number must have minimal value of {1}.
-error-number-out-of-range-too-big=Number must have maximal value of {2}.
-error-pattern-no-match=Invalid value.
-error-invalid-uri=Invalid URL.
-error-invalid-uri-scheme=Invalid URL scheme.
-error-invalid-uri-fragment=Invalid URL fragment.
-error-user-attribute-required=Please specify this field.
-error-invalid-date=Invalid date.
-error-user-attribute-read-only=This field is read only.
-error-username-invalid-character=Value contains invalid character.
-error-person-name-invalid-character=Value contains invalid character.
-
-invalidPasswordExistingMessage=Invalid existing password.
-invalidPasswordBlacklistedMessage=Invalid password: password is blacklisted.
-invalidPasswordConfirmMessage=Password confirmation doesn''t match.
-invalidTotpMessage=Invalid authenticator code.
-
-usernameExistsMessage=Username already exists.
-emailExistsMessage=Email already exists.
-
-federatedIdentityExistsMessage=User with {0} {1} already exists. Please login to account management to link the account.
-federatedIdentityUnavailableMessage=User {0} authenticated with identity provider {1} does not exists. Please contact your administrator.
-
-confirmLinkIdpTitle=Account already exists
-federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How do you want to continue?
-federatedIdentityConfirmReauthenticateMessage=Authenticate to link your account with {0}
-nestedFirstBrokerFlowMessage=The {0} user {1} is not linked to any known user.
-confirmLinkIdpReviewProfile=Review profile
-confirmLinkIdpContinue=Add to existing account
-
-configureTotpMessage=You need to set up Mobile Authenticator to activate your account.
-updateProfileMessage=You need to update your user profile to activate your account.
-updatePasswordMessage=You need to change your password to activate your account.
-resetPasswordMessage=You need to change your password.
-verifyEmailMessage=You need to verify your email address to activate your account.
-linkIdpMessage=You need to verify your email address to link your account with {0}.
-
-emailSentMessage=You should receive an email shortly with further instructions.
-emailSendErrorMessage=Failed to send email, please try again later.
-
-accountUpdatedMessage=Your account has been updated.
-accountPasswordUpdatedMessage=Your password has been updated.
-
-delegationCompleteHeader=Login Successful
-delegationCompleteMessage=You may close this browser window and go back to your console application.
-delegationFailedHeader=Login Failed
-delegationFailedMessage=You may close this browser window and go back to your console application and try logging in again.
-
-noAccessMessage=No access
-
-invalidPasswordMinLengthMessage=Invalid password: minimum length {0}.
-invalidPasswordMaxLengthMessage=Invalid password: maximum length {0}.
-invalidPasswordMinDigitsMessage=Invalid password: must contain at least {0} numerical digits.
-invalidPasswordMinLowerCaseCharsMessage=Invalid password: must contain at least {0} lower case characters.
-invalidPasswordMinUpperCaseCharsMessage=Invalid password: must contain at least {0} upper case characters.
-invalidPasswordMinSpecialCharsMessage=Invalid password: must contain at least {0} special characters.
-invalidPasswordNotUsernameMessage=Invalid password: must not be equal to the username.
-invalidPasswordNotEmailMessage=Invalid password: must not be equal to the email.
-invalidPasswordRegexPatternMessage=Invalid password: fails to match regex pattern(s).
-invalidPasswordHistoryMessage=Invalid password: must not be equal to any of last {0} passwords.
-invalidPasswordGenericMessage=Invalid password: new password doesn''t match password policies.
-
-failedToProcessResponseMessage=Failed to process response
-httpsRequiredMessage=HTTPS required
-realmNotEnabledMessage=Realm not enabled
-invalidRequestMessage=Invalid Request
-failedLogout=Logout failed
-unknownLoginRequesterMessage=Unknown login requester
-loginRequesterNotEnabledMessage=Login requester not enabled
-bearerOnlyMessage=Bearer-only applications are not allowed to initiate browser login
-standardFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.
-implicitFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client.
-invalidRedirectUriMessage=Invalid redirect uri
-unsupportedNameIdFormatMessage=Unsupported NameIDFormat
-invalidRequesterMessage=Invalid requester
-registrationNotAllowedMessage=Registration not allowed
-resetCredentialNotAllowedMessage=Reset Credential not allowed
-
-permissionNotApprovedMessage=Permission not approved.
-noRelayStateInResponseMessage=No relay state in response from identity provider.
-insufficientPermissionMessage=Insufficient permissions to link identities.
-couldNotProceedWithAuthenticationRequestMessage=Could not proceed with authentication request to identity provider.
-couldNotObtainTokenMessage=Could not obtain token from identity provider.
-unexpectedErrorRetrievingTokenMessage=Unexpected error when retrieving token from identity provider.
-unexpectedErrorHandlingResponseMessage=Unexpected error when handling response from identity provider.
-identityProviderAuthenticationFailedMessage=Authentication failed. Could not authenticate with identity provider.
-couldNotSendAuthenticationRequestMessage=Could not send authentication request to identity provider.
-unexpectedErrorHandlingRequestMessage=Unexpected error when handling authentication request to identity provider.
-invalidAccessCodeMessage=Invalid access code.
-sessionNotActiveMessage=Session not active.
-invalidCodeMessage=An error occurred, please login again through your application.
-identityProviderUnexpectedErrorMessage=Unexpected error when authenticating with identity provider
-identityProviderMissingStateMessage=Missing state parameter in response from identity provider.
-identityProviderNotFoundMessage=Could not find an identity provider with the identifier.
-identityProviderLinkSuccess=You successfully verified your email. Please go back to your original browser and continue there with the login.
-staleCodeMessage=This page is no longer valid, please go back to your application and sign in again
-realmSupportsNoCredentialsMessage=Realm does not support any credential type.
-credentialSetupRequired=Cannot login, credential setup required.
-identityProviderNotUniqueMessage=Realm supports multiple identity providers. Could not determine which identity provider should be used to authenticate with.
-emailVerifiedMessage=Your email address has been verified.
-staleEmailVerificationLink=The link you clicked is an old stale link and is no longer valid. Maybe you have already verified your email.
-identityProviderAlreadyLinkedMessage=Federated identity returned by {0} is already linked to another user.
-confirmAccountLinking=Confirm linking the account {0} of identity provider {1} with your account.
-confirmEmailAddressVerification=Confirm validity of e-mail address {0}.
-confirmExecutionOfActions=Perform the following action(s)
-
-locale_ca=Catal\u00E0
-locale_cs=\u010Ce\u0161tina
-locale_da=Dansk
-locale_de=Deutsch
-locale_en=English
-locale_es=Espa\u00F1ol
-locale_fr=Fran\u00E7ais
-locale_hu=Magyar
-locale_it=Italiano
-locale_ja=\u65E5\u672C\u8A9E
-locale_lt=Lietuvi\u0173
-locale_nl=Nederlands
-locale_no=Norsk
-locale_pl=Polski
-locale_pt_BR=Portugu\u00EAs (Brasil)
-locale_pt-BR=Portugu\u00EAs (Brasil)
-locale_ru=\u0420\u0443\u0441\u0441\u043A\u0438\u0439
-locale_sk=Sloven\u010Dina
-locale_sv=Svenska
-locale_tr=T\u00FCrk\u00E7e
-locale_zh-CN=\u4E2D\u6587\u7B80\u4F53
-
-backToApplication=« Back to Application
-missingParameterMessage=Missing parameters\: {0}
-clientNotFoundMessage=Client not found.
-clientDisabledMessage=Client disabled.
-invalidParameterMessage=Invalid parameter\: {0}
-alreadyLoggedIn=You are already logged in.
-differentUserAuthenticated=You are already authenticated as different user ''{0}'' in this session. Please sign out first.
-brokerLinkingSessionExpired=Requested broker account linking, but current session is no longer valid.
-proceedWithAction=» Click here to proceed
-
-requiredAction.CONFIGURE_TOTP=Configure OTP
-requiredAction.terms_and_conditions=Terms and Conditions
-requiredAction.UPDATE_PASSWORD=Update Password
-requiredAction.UPDATE_PROFILE=Update Profile
-requiredAction.VERIFY_EMAIL=Verify Email
-
-doX509Login=You will be logged in as\:
-clientCertificate=X509 client certificate\:
-noCertificate=[No Certificate]
-
-
-pageNotFound=Page not found
-internalServerError=An internal server error has occurred
-
-console-username=Username:
-console-password=Password:
-console-otp=One Time Password:
-console-new-password=New Password:
-console-confirm-password=Confirm Password:
-console-update-password=Update of your password is required.
-console-verify-email=You need to verify your email address. 
We sent an email to {0} that contains a verification code. Please enter this code into the input below. -console-email-code=Email Code: -console-accept-terms=Accept Terms? [y/n]: -console-accept=y - -# Openshift messages -openshift.scope.user_info=User information -openshift.scope.user_check-access=User access information -openshift.scope.user_full=Full Access -openshift.scope.list-projects=List projects - -# SAML authentication -saml.post-form.title=Authentication Redirect -saml.post-form.message=Redirecting, please wait. -saml.post-form.js-disabled=JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue. -saml.artifactResolutionServiceInvalidResponse=Unable to resolve artifact. - -#authenticators -otp-display-name=Authenticator Application -otp-help-text=Enter a verification code from authenticator application. -password-display-name=Password -password-help-text=Sign in by entering your password. -auth-username-form-display-name=Username -auth-username-form-help-text=Start sign in by entering your username -auth-username-password-form-display-name=Username and password -auth-username-password-form-help-text=Sign in by entering your username and password. - -# WebAuthn -webauthn-display-name=Security Key -webauthn-help-text=Use your security key to sign in. -webauthn-passwordless-display-name=Security Key -webauthn-passwordless-help-text=Use your security key for passwordless sign in. -webauthn-login-title=Security Key login -webauthn-registration-title=Security Key Registration -webauthn-available-authenticators=Available authenticators -webauthn-unsupported-browser-text=WebAuthn is not supported by this browser. Try another one or contact your administrator. -webauthn-doAuthenticate=Sign in with Security Key - -# WebAuthn Error -webauthn-error-title=Security Key Error -webauthn-error-registration=Failed to register your Security key.
{0} -webauthn-error-api-get=Failed to authenticate by the Security key.
{0} -webauthn-error-different-user=First authenticated user is not the one authenticated by the Security key. -webauthn-error-auth-verification=Security key authentication result is invalid.
{0} -webauthn-error-register-verification=Security key registration result is invalid.
{0} -webauthn-error-user-not-found=Unknown user authenticated by the Security key. - -# Identity provider -identity-provider-redirector=Connect with another Identity Provider -identity-provider-login-label=Or sign in with - -finalDeletionConfirmation=If you delete your account, it cannot be restored. To keep your account, click Cancel. -irreversibleAction=This action is irreversible -deleteAccountConfirm=Delete account confirmation - -deletingImplies=Deleting your account implies: -errasingData=Erasing all your data -loggingOutImmediately=Logging you out immediately -accountUnusable=Any subsequent use of the application will not be possible with this account -userDeletedSuccessfully=User deleted successfully - -access-denied=Access denied - -systemType={0} System diff --git a/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl b/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl deleted file mode 100644 index e0d533b..0000000 --- a/dev/config/keycloak/themes/ltt/login/register-user-profile.ftl +++ /dev/null @@ -1,74 +0,0 @@ -<#import "template.ftl" as layout> -<#import "user-profile-commons.ftl" as userProfileCommons> -<@layout.registrationLayout displayMessage=messagesPerField.exists('global') displayRequiredFields=true; section> - <#if section = "header"> - ${msg("registerTitle")} - <#elseif section = "form"> -
- - <@userProfileCommons.userProfileFormFields; callback, attribute> - <#if callback = "afterField"> - <#-- render password fields just under the username or email (if used as username) --> - <#if passwordRequired?? && (attribute.name == 'username' || (attribute.name == 'email' && realm.registrationEmailAsUsername))> -
-
- * -
-
- - - <#if messagesPerField.existsError('password')> - - ${kcSanitize(messagesPerField.get('password'))?no_esc} - - -
-
- -
-
- * -
-
- - - <#if messagesPerField.existsError('password-confirm')> - - ${kcSanitize(messagesPerField.get('password-confirm'))?no_esc} - - -
-
- - - - - <#if recaptchaRequired??> -
-
-
-
-
- - - -
- - \ No newline at end of file diff --git a/dev/config/keycloak/themes/ltt/login/register.ftl b/dev/config/keycloak/themes/ltt/login/register.ftl deleted file mode 100644 index 07829a0..0000000 --- a/dev/config/keycloak/themes/ltt/login/register.ftl +++ /dev/null @@ -1,88 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout; section> - <#if section = "header"> - ${msg("registerTitle")} - <#elseif section = "form"> -
- <#-- -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- --> - -
-
- -
-
- -
-
- - <#if !realm.registrationEmailAsUsername> -
-
- -
-
- -
-
- - - <#if passwordRequired??> -
-
- -
-
- -
-
- -
-
- -
-
- -
-
- - - <#if recaptchaRequired??> -
-
-
-
-
- - - -
- - diff --git a/dev/config/keycloak/themes/ltt/login/resources/css/styles.css b/dev/config/keycloak/themes/ltt/login/resources/css/styles.css deleted file mode 100644 index 7b94eb2..0000000 --- a/dev/config/keycloak/themes/ltt/login/resources/css/styles.css +++ /dev/null 
@@ -1,384 +0,0 @@ -:root { - --body-bg-color: #325c33; - --primary-color: #325c33; - --primary-hover-color: #254325; - --section-border-color: #dcdfdc; - --button-primary-color: #af4507; - --button-primary-hover-color: #883505; - --title-color: #325c33; - --label-color: #71757b; - --link-color: #1994d0; - --link-hover-color: #126994; - --highlight-bg-color: #f9e4d3; - --text-default-color: #444; - --default-body-font-size: 16px; -} -body { - font-family: "Roboto", "Helvetica", "Arial", sans-serif; - font-size: var(--default-body-font-size); -} -.pf-c-alert__title { - font-size: var(--default-body-font-size); - line-height: 1.4; -} - -html.login-pf { - background: var(--body-bg-color); -} - -#header { - position: fixed; - z-index: 10000; - left: 0; - top: 0; - width: 100%; - background-color: var(--body-bg-color); - color: #fff; - line-height: 3em; - box-shadow: 0 0 0.15em 0 rgba(0, 0, 0, 0.1); - margin-bottom: 1em; - display: flex; - align-items: center; - height: 4em; -} - -#header img { - height: 2em; - padding-left: 1em; -} - -#kc-header { - margin-top: 4em; -} - -.login-pf-page { - background-color: var(--body-bg-color); - height: 100%; - padding-top: 4em; - padding-bottom: 24px; - background-color: var(--body-bg-color); -} -@media (min-width: 768px) { - .login-pf-page { - padding-top: 3em; - } -} - -h1, -h2, -h3, -h4, -h5, -h6 { - font-weight: 600; - color: inherit; - /* letter-spacing: -0.0325em; */ -} - -html, -body, -div, -span, -applet, -object, -iframe, -h1, -h2, -h3, -h4, -h5, -h6, -p, -blockquote, -pre, -a, -abbr, -acronym, -address, -big, -cite, -code, -del, -dfn, -em, -img, -ins, -kbd, -q, -s, -samp, -small, -strike, -strong, -sub, -sup, -tt, -var, -b, -u, -i, -center, -dl, -dt, -dd, -ol, -ul, -li, -fieldset, -form, -label, -legend, -table, -caption, -tbody, -tfoot, -thead, -tr, -th, -td, -article, -aside, -canvas, -details, -embed, -figure, -figcaption, -footer, -header, -hgroup, -menu, -nav, -output, -ruby, -section, -summary, -time, -mark, -audio, 
-video { - margin: 0; - padding: 0; - border: 0; - font-size: 100%; - font: inherit; - vertical-align: baseline; -} - -ul, p { - line-height: 1.4; -} - -.alert { - padding-left: 16px; - padding-right: 16px; -} -.alert-error { - color: #9b0202; -} -input[type="text"], -input[type="password"] { - display: block; - width: 100%; - height: 32px; - padding: 2px 6px; - font-size: var(--default-body-font-size); - line-height: 1.66666667; - color: #363636; - background-color: #fff; - background-image: none; - border: 1px solid #bbb; - border-top-color: rgb(187, 187, 187); - border-right-color: rgb(187, 187, 187); - border-bottom-color: rgb(187, 187, 187); - border-left-color: rgb(187, 187, 187); - border-radius: 0; - box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); - transition: border-color ease-in-out 0.15s, box-shadow ease-in-out 0.15s; - margin-bottom: 24px; - box-sizing: border-box; -} -input[type="submit"] { - background-image: none; - background-color: var(--primary-color); - padding: 16px; - width: 100%; - font-size: var(--default-body-font-size); - color: #fff; - box-sizing: border-box; - box-shadow: none; - border: 0; - display: block; -} -input[type="submit"]:hover { - background-color: var(--primary-hover-color); -} -a { - color: var(--link-color); - text-decoration: none; -} -a:hover { - color: var(--link-hover-color); -} -[class*="pf-c-"], -[class*="pf-c-"]::before, -[class*="pf-c-"]::after { - padding: 4px 0; -} -label { - font-weight: 500; - display: inline-block; - font-size: 14px; - margin-bottom: 4px; - color: var(--label-color); -} -.btn { - border-radius: 8px; -} -.btn-primary, -.pf-c-button.pf-m-primary { - background-image: none; - background-color: var(--button-primary-color); - border: 0; - border-radius: 8px; -} -.btn-primary:hover, -.btn-primary:focus, -.btn-primary:active, -.pf-c-button.pf-m-primary:hover, -.pf-c-button.pf-m-primary:focus, -.pf-c-button.pf-m-primary:active { - background-color: var(--button-primary-hover-color); -} - -.login-pf 
body { - font-family: "Roboto", "Helvetica", "Arial", sans-serif; - background-color: var(--body-bg-color); - background-image: none; - font-size: var(--default-body-font-size); -} -.login-pf-page .card-pf { - margin-bottom: 32px; -} -@media (min-width: 768px) { - .login-pf-page .card-pf { - padding: 16px 32px 48px 32px; - } -} -.login-pf-page .card-pf p { - font-size: var(--default-body-font-size); - line-height: 1.4; -} -@media (min-width: 768px) { - .login-pf-page .login-pf-header { - margin-bottom: 10px; - } -} -@media (max-width: 767px) { - .login-pf-page .card-pf { - max-width: 100%; - margin-left: 16px; - margin-right: 16px; - padding: 4px 16px 24px; - } -} -.login-pf-page .login-pf-header h1 { - font-size: 1.75em; -} -#kc-info-wrapper { - background-color: transparent; - padding: 0; - text-align: left; - font-size: var(--default-body-font-size); - line-height: 1.4; -} -#kc-header-wrapper { - font-weight: 500; - text-transform: capitalize; - line-height: 1.5; - font-weight: 500; - display: flex; - flex-direction: column; - gap: 16px; - align-items: center; - justify-content: center; -} -@media (max-width: 767px) { - #kc-header-wrapper { - color: #fff; - padding: 0; - } -} -#kc-site-name, -#kc-system-type { - color: #fff; - text-align: center; - text-transform: capitalize; - font-size: 1.8rem; -} -#kc-login-info-message { - max-width: 100%; - margin: auto; - line-height: 1.55; - background: var(--highlight-bg-color); - color: var(--text-default-color); - padding: 16px; - font-size: 1rem; - font-weight: 500; -} -@media (min-width: 768px) { - #kc-login-info-message { - max-width: 60%; - margin: auto; - } -} -#kc-content-wrapper { - display: flex; - justify-content: center; - flex-direction: column; -} -#kc-header { - margin-top: 0; - margin-bottom: 24px; -} -#kc-page-title { - text-align: center; - font-weight: 600; - color: var(--title-color); - padding-bottom: 4px; - font-size: 1.75em; -} -h1#kc-page-title { - margin-top: 24px; -} -#kc-form { - width: 100%; 
-} -#kc-form-buttons { - margin-top: 24px; - text-align: center; -} -#kc-form-options .checkbox { - display: none; -} -#kc-info { - margin-top: 0; - margin-bottom: 8px; - margin-left: 0; - margin-right: 0; - color: #777; -} -.card-pf { - background: #fff; - margin: 0 auto; - margin-bottom: 0px; - padding: 0 20px; - max-width: 420px; - border-top: 0; - box-shadow: 0 0 0; - padding: 0 40px 40px; - margin-top: 28px; - margin-bottom: 32px; -} -.card-pf form.form-actions .btn { - margin-bottom: 16px; -} diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico b/dev/config/keycloak/themes/ltt/login/resources/img/favicon.ico deleted file mode 100644 index 62de3a266ec8c9991463b5d4bf230679a4ee71c3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4286 zcmeH~K~BOz6oy9^ZcL0yf(C(Nv=LbdmMG#vU3mhdCgN2*j^Yhmz`|3wGwwYBBz64% z!fOXZfdZCIAs^FDJM+EwW(q;6CA;Re0Z`lVj-~;epb8foYfNr+DJ`Fz@_X4(n@8$u|fd#%m*xby!Gva#K zIJ2KIyn=xka6XBjZq~(|Pp1woojKjpxpRB4|L=Xlxx}zdZ-o41O$I!h@Y7wnuSAWZ z3BOkd#sMras{Y~rx~;1XM;}WJhzWCzL+T(g%EYb(;Cn89)**TfW<0}={rtJ-g^i-6v;F<&=igrko=Y9% z{%P8NO+0_Pva7STeVskCd(>=gUzfafALjS=U^o`UUrI BO-%p* diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-arrow-down.png deleted file mode 100644 index 6f2d9d2aeb1c1461767988a042aae50492d454bc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 513 zcmV+c0{;DpP)pbFH`>7=NJimT8HPR1b>!7GRq%%D)H?|Wo% zC@Pq9$n!u*^5*>k`A#3+kZfF(`zJ152&b=J2><{9!0hZbO_;oR8NR%F9kLkE@5Z(} z|9X+Rqj^|(^f2UQ`B&qbstQ}zSHs@7Mx_7%0O*T*Sywa1;J+C|`oj73Q8;qyTvEs3fk{(-JWjQ|4!;N?Hk9Wu}T8~06?E)T~0nO z$|9aN^E2gq`rLgk&kqde>9h9ceYG2J7l(CKD-8eu0DaQs4ti*V_8>1|L40001@p8^a34>6V-IeVqb00000NkvXXu0mjf D@HyfE 
diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-error-sign.png deleted file mode 100644 index 0dd500445d7249ddd1b1dea7dc79d5e2f75cf223..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 343 zcmV-d0jU0oP)Rb^f-HfiA|a#ZS&BN>m{U!Bf9XBlP=AUsPhep z0;u>nQCxb~G6c;4tOM)aDVebC2LF?__!*$Y%|S5$e;ZcIdR+o#XrlC>L#@3RFZO+y z4ac0_$8S?_3L#)o1cV>wsb|~_2qr}-{Xy0sk1ddFrS2NjYBy!#lv@hhf%T~P1a2ls zg9cR!$Y8{U0euD81vt(&PyxuVl0?xy+oT=qfZ( zU<;qzo;L~X{8Dl*OuQ;g6C?jcvTY4MH)UgY@3N+I%Y&B-aM#Gmz4*K9-@h9B>+j#Q z@1I{-{^;BJ=zrF!cK!}Pr!g=bh|HcT>Z=m}wDHmbyC0nDaV#gVm&uycGotW zpv;r|b9e9Fzj)!!_FHF``Wx|qb*+1{*5LE=)%xG0rlsBtdT?-dwR{mlor@ArQ!T)1>sQ|BRGRy6pUXk5Eq%Jj zt#hDSUl#1`1Hp4rtdp{v4HrVu6{1-oD!M}vd diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-success-sign.png deleted file mode 100644 index 640bd71cab7bdfc7a8adcf28ffaf6db736a1c008..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 410 zcmeAS@N?(olHy`uVBq!ia0vp^f*{Pn1|+R>-G2comSQK*5Dp-y;YjHK@;M7UB8!3Q zuY)k7lg8`{prB-lYeY$Kep*R+Vo@qXd3m{BW?pu2a$-TMUVc&f>~}U&3=E9oo-U3d z7QI&|@AYC16lmSQ(|nzi6W2vA0hQiX{shsj9%4*QVx6m7=T11}S0g4pTOrBJ(L2zj zqqUbmAu&;Tnwis)`FE;yFXbH4TM_-V#F%}bS9C7N)nccy^_%s?ydQOE$UA=bQASGdP zUS5*^?Y}eFBd=Y%8?p303zx;a-hVOO%tz8T)jmnDmV3_E#n4nO@i}MX#=5_=rbOm! z*!s=OFZw-8%CQyiuZC^?Jc-4l;#4*gQu&X%Q~loCIB2_ BsrLW? 
diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-arrow-down.png deleted file mode 100644 index 6f2d9d2aeb1c1461767988a042aae50492d454bc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 513 zcmV+c0{;DpP)pbFH`>7=NJimT8HPR1b>!7GRq%%D)H?|Wo% zC@Pq9$n!u*^5*>k`A#3+kZfF(`zJ152&b=J2><{9!0hZbO_;oR8NR%F9kLkE@5Z(} z|9X+Rqj^|(^f2UQ`B&qbstQ}zSHs@7Mx_7%0O*T*Sywa1;J+C|`oj73Q8;qyTvEs3fk{(-JWjQ|4!;N?Hk9Wu}T8~06?E)T~0nO z$|9aN^E2gq`rLgk&kqde>9h9ceYG2J7l(CKD-8eu0DaQs4ti*V_8>1|L40001@p8^a34>6V-IeVqb00000NkvXXu0mjf D@HyfE diff --git a/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png b/dev/config/keycloak/themes/ltt/login/resources/img/feedback-warning-sign.png deleted file mode 100644 index f9392a356fd3b383997c1ef289b48d02be96c351..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 646 zcmV;10(t$3P)5ebW)JIb`v2;&5sUEt7(pdR?_rqvF~(w z&wHPH?%{G}o6t%tD3-YcoIt#ZimsMn=fj5~SV}0ANdw)$JIs+vm8VEr5vY*RCc!0O zJeKiMnQmZjF~P}|ITC|_fPR3sChh|hh#}5v^?!j1No^OL5!{Yt{P|l#ojGW*>A`F% zG;=oe?E0{aNj(7$L<2hJOpDEg;c-0Uu3}QpfZdv9Yul(xOFAm{YCmuc7-<=Hz6#rb zwStWR%+Uk1dKH(KznaJbxtT_8h1rkY@F&AK;#}dXHiv>reL9ZVhZt;6c{&UPfawRU z3PX!QX+>?W8zy57-1{e1nf<%`Ip2$C{RJ2WP8EB!V*#i*Ll@AAxI)U6d9kg;Tft2N zvI|T#k_Ga${UDcC6K25hA)et;?S`pV)*0TbLbSFYPx%LC5OMf>LI(kYhG{MW?Gclt z?kz+j>;xV-pszlvScx&iWL1nHDUdjgc-@-yi~8Zf?-uKCu&$j zmGV@tHY^&3ufPQiVR|G&lMFKJqcV3b2BIPt0$RTQ1o3gEnU}InzE6h&(}7s>n+PkJ gT)C0w?I} - - - - - - - - - - - diff --git a/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl b/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl deleted file mode 100644 index 0225cf9..0000000 --- a/dev/config/keycloak/themes/ltt/login/select-authenticator.ftl +++ /dev/null 
@@ -1,42 +0,0 @@ -<#import "template.ftl" as layout> -<@layout.registrationLayout displayInfo=true; section> - <#if section = "header" || section = "show-username"> - - <#if section = "header"> - ${msg("loginChooseAuthenticator")} - - <#elseif section = "form"> - -
-
- <#list auth.authenticationSelections as authenticationSelection> -
-
-
- -
-
-
-
- ${msg('${authenticationSelection.displayName}')} -
-
- ${msg('${authenticationSelection.helpText}')} -
-
-
-
-
- - -
-
- - - - diff --git a/dev/config/keycloak/themes/ltt/login/template.ftl b/dev/config/keycloak/themes/ltt/login/template.ftl deleted file mode 100644 index 042f887..0000000 --- a/dev/config/keycloak/themes/ltt/login/template.ftl +++ /dev/null @@ -1,159 +0,0 @@ -<#macro registrationLayout bodyClass="" displayInfo=false displayMessage=true displayRequiredFields=false> - - lang="${locale.currentLanguageTag}"> - - - - - - - <#if properties.meta?has_content> - <#list properties.meta?split(' ') as meta> - - - - ${msg("loginTitle",(realm.displayName!''))} - - <#if properties.stylesCommon?has_content> - <#list properties.stylesCommon?split(' ') as style> - - - - <#if properties.styles?has_content> - <#list properties.styles?split(' ') as style> - - - - <#if properties.scripts?has_content> - <#list properties.scripts?split(' ') as script> - - - - <#if scripts??> - <#list scripts as script> - - - - - -
- -
-
- <#if properties.systemType?has_content> -
${kcSanitize(msg("systemType", properties.systemType))?no_esc}
- - <#if properties.loginInfoMessage?has_content> -
${kcSanitize(properties.loginInfoMessage)?no_esc}
- -
-
-
- <#if realm.internationalizationEnabled && locale.supported?size gt 1> -
-
-
- ${locale.current} -
    - <#list locale.supported as l> -
  • - ${l.label} -
  • - -
-
-
-
- - <#if !(auth?has_content && auth.showUsername() && !auth.showResetCredentials())> - <#if displayRequiredFields> -
-
- * ${msg("requiredFields")} -
-
-

<#nested "header">

-
-
- <#else> -

<#nested "header">

- - <#else> - <#if displayRequiredFields> -
-
- * ${msg("requiredFields")} -
-
- <#nested "show-username"> -
- - - - -
-
-
- <#else> - <#nested "show-username"> -
- - - - -
- - -
-
- - <#-- App-initiated actions should not see warning messages about the need to complete the action --> - <#-- during login. --> - <#if displayMessage && message?has_content && (message.type != 'warning' || !isAppInitiatedAction??)> -
-
- <#if message.type = 'success'> - <#if message.type = 'warning'> - <#if message.type = 'error'> - <#if message.type = 'info'> -
- ${kcSanitize(message.summary)?no_esc} -
- - - <#nested "form"> - - <#if auth?has_content && auth.showTryAnotherWayLink()> -
- -
- - - <#nested "socialProviders"> - - <#if displayInfo> -
-
- <#nested "info"> -
-
- -
-
-
-
- - - diff --git a/dev/config/keycloak/themes/ltt/login/theme.properties b/dev/config/keycloak/themes/ltt/login/theme.properties deleted file mode 100644 index 00fe026..0000000 --- a/dev/config/keycloak/themes/ltt/login/theme.properties +++ /dev/null @@ -1,6 +0,0 @@ -parent=keycloak -import=common/keycloak -systemType=${env.__KEYCLOAK_SYSTEM_TYPE:} -loginInfoMessage=${env.__KEYCLOAK_LOGIN_INFO_MESSAGE:} -styles=css/login.css css/styles.css - From 0f52a64e9de1aa6286e82320277181d9f2d1c1ac Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Mon, 6 Jan 2025 11:14:45 -0800 Subject: [PATCH 11/16] Revert keycloak version from 26.0 back to 22.0 --- dev/docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index 4d9aec8..60e67ea 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml @@ -69,7 +69,7 @@ services: keycloak: # use tini as init init: true - image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG:-26.0} + image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG:-22.0} labels: - traefik.enable=true - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME}.rule=Host(`keycloak.${BASE_DOMAIN}`) From a57a20c55ad80df234000ccd5c437a57c44dc7ea Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Mon, 6 Jan 2025 11:35:25 -0800 Subject: [PATCH 12/16] Update kc import with acct creation and google idp --- dev/config/keycloak/import/ips-realm.json | 386 ++++++++++-------- .../ips/login/messages/messages_en.properties | 6 +- 2 files changed, 208 insertions(+), 184 deletions(-) diff --git a/dev/config/keycloak/import/ips-realm.json b/dev/config/keycloak/import/ips-realm.json index 7bd319b..b2298d7 100644 --- a/dev/config/keycloak/import/ips-realm.json +++ b/dev/config/keycloak/import/ips-realm.json 
@@ -28,13 +28,13 @@
 "oauth2DevicePollingInterval": 5,
 "enabled": true,
 "sslRequired": "external",
- "registrationAllowed": false,
+ "registrationAllowed": true,
 "registrationEmailAsUsername": true,
- "rememberMe": false,
+ "rememberMe": true,
 "verifyEmail": false,
 "loginWithEmailAllowed": true,
 "duplicateEmailsAllowed": false,
- "resetPasswordAllowed": true,
+ "resetPasswordAllowed": false,
 "editUsernameAllowed": false,
 "bruteForceProtected": false,
 "permanentLockout": false,
@@ -77,6 +77,7 @@
 "requiredCredentials": [
 "password"
 ],
+ "passwordPolicy": "length(8) and upperCase(1) and lowerCase(1) and digits(1) and passwordHistory(3)",
 "otpPolicyType": "totp",
 "otpPolicyAlgorithm": "HmacSHA1",
 "otpPolicyInitialCounter": 0,
@@ -89,7 +90,6 @@
 "totpAppGoogleName",
 "totpAppMicrosoftAuthenticatorName"
 ],
- "passwordPolicy": "length(8) and upperCase(1) and lowerCase(1) and digits(1) and passwordHistory(3)",
 "webAuthnPolicyRpEntityName": "keycloak",
 "webAuthnPolicySignatureAlgorithms": [
 "ES256"
@@ -225,6 +225,17 @@
 }
 ]
 },
+ {
+ "id": "18295a0a-daaf-448d-8793-cb39b36703cd",
+ "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/",
+ "name": "patient/*.read",
+ "description": "SoF: Read all data for launch patient",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true"
+ }
+ },
 {
 "id": "9165efea-0c4c-4e59-a560-0ba79586acd3",
 "name": "roles",
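Review bot: Opening self-registration with `"registrationAllowed": true` lands next to two unchanged context lines in the same hunk, `"verifyEmail": false` and `"bruteForceProtected": false`, so anyone can create an account on an unverified address (which also becomes the username via `registrationEmailAsUsername`) and the password form has no lockout; for a realm that fronts patient-summary data these should be flipped together, `"verifyEmail": true,` and `"bruteForceProtected": true,`. The `registration-recaptcha-action` execution, visible later in this series as `DISABLED`, is the other control that normally pairs with open registration. Turning `"resetPasswordAllowed"` to `false` removes the only self-service recovery path, which is defensible if the Google broker added later in this series is meant to be the primary credential, but the commit message should say so. The `passwordPolicy` line is only moved within the file, not changed.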
@@ -294,6 +305,104 @@ "display.on.consent.screen": "true" } }, + { + "id": "db9c2c49-23e3-4b34-af26-e92e6afd00fa", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "679636f1-dc0c-4d22-8da0-88982a3aebbb", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "85417b6b-d5ce-465b-ae88-deb8c1270889", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "b70b144d-acd9-4a74-a2a2-5180c9915347", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "c5b05448-c849-4f0a-ab39-76c2d556e6df", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "7529440e-912d-460e-9acc-5e6d4ec8535a", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + 
"include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "d4d27f0d-0a90-4071-8d89-c40fee4c4d25", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, { "id": "dbbeab4e-2685-4f20-bfba-c0472c46922b", "name": "microprofile-jwt", @@ -312,6 +421,7 @@ "consentRequired": false, "config": { "multivalued": "true", + "userinfo.token.claim": "true", "user.attribute": "foo", "id.token.claim": "true", "access.token.claim": "true", @@ -336,28 +446,6 @@ } ] }, - { - "id": "18295a0a-daaf-448d-8793-cb39b36703cd", - "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", - "name": "patient/*.read", - "description": "SoF: Read all data for launch patient", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - } - }, - { - "id": "78ad99cd-c336-42ed-a55a-ddbe6119c928", - "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", - "name": "launch", - "description": "SoF: launch token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - } - }, { "id": "0e57bc1e-d2a9-4580-ad49-863c2ce868ac", "name": "web-origins", 
@@ -379,6 +467,17 @@ } ] }, + { + "id": "78ad99cd-c336-42ed-a55a-ddbe6119c928", + "_comment": "http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/", + "name": "launch", + "description": "SoF: launch token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + } + }, { "id": "d51c4fc8-1065-4f50-bfad-bfa5048077a2", "name": "profile", 
@@ -599,104 +698,6 @@ } ] }, - { - "id": "db9c2c49-23e3-4b34-af26-e92e6afd00fa", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "679636f1-dc0c-4d22-8da0-88982a3aebbb", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "85417b6b-d5ce-465b-ae88-deb8c1270889", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - } - ] - }, - { - "id": "b70b144d-acd9-4a74-a2a2-5180c9915347", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "c5b05448-c849-4f0a-ab39-76c2d556e6df", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "7529440e-912d-460e-9acc-5e6d4ec8535a", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - 
"display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "d4d27f0d-0a90-4071-8d89-c40fee4c4d25", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, { "id": "a56c6a78-77b3-4f5e-9a88-8890f00f5084", "name": "acr", @@ -715,7 +716,8 @@ "consentRequired": false, "config": { "id.token.claim": "true", - "access.token.claim": "true" + "access.token.claim": "true", + "userinfo.token.claim": "true" } } ] @@ -771,7 +773,25 @@ "enabledEventTypes": [], "adminEventsEnabled": false, "adminEventsDetailsEnabled": false, - "identityProviders": [], + "identityProviders": [ + { + "alias": "google", + "internalId": "c89e7660-1b6f-4596-bbef-090d4dd31f74", + "providerId": "google", + "enabled": true, + "updateProfileFirstLoginMode": "on", + "trustEmail": false, + "storeToken": false, + "addReadTokenRoleOnCreate": false, + "authenticateByDefault": false, + "linkOnly": false, + "firstBrokerLoginFlowAlias": "first broker login", + "config": { + "clientSecret": "**********", + "clientId": "694968866760-2s4l6qj4jtetdfd8l4e4g0aj0ef8qs02.apps.googleusercontent.com" + } + } + ], "identityProviderMappers": [], "components": { "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ 
@@ -815,14 +835,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ + "oidc-usermodel-property-mapper", + "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", - "saml-user-property-mapper", "oidc-address-mapper", - "oidc-usermodel-property-mapper", - "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-role-list-mapper" + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper" ] } }, @@ -869,14 +889,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "saml-user-property-mapper", "saml-role-list-mapper", - "oidc-usermodel-attribute-mapper", + "saml-user-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", - "saml-user-attribute-mapper", - "oidc-full-name-mapper" + "saml-user-property-mapper" ] } } @@ -947,15 +967,15 @@ "authenticationExecutions": [ { "authenticator": "idp-email-verification", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 20, - "authenticatorFlow": true, "flowAlias": "Verify Existing Account by Re-authentication", "userSetupAllowed": false } @@ -971,16 +991,16 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "auth-otp-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false } ] 
@@ -995,16 +1015,16 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false } ] @@ -1019,16 +1039,16 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "auth-otp-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false } ] @@ -1043,15 +1063,15 @@ "authenticationExecutions": [ { "authenticator": "idp-confirm-link", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": true, "flowAlias": "Account verification options", "userSetupAllowed": false } @@ -1067,16 +1087,16 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "reset-otp", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false } ] 
@@ -1092,15 +1112,15 @@ { "authenticatorConfig": "create unique user config", "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 20, - "authenticatorFlow": true, "flowAlias": "Handle Existing Account", "userSetupAllowed": false } @@ -1116,15 +1136,15 @@ "authenticationExecutions": [ { "authenticator": "idp-username-password-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 20, - "authenticatorFlow": true, "flowAlias": "First broker login - Conditional OTP", "userSetupAllowed": false } @@ -1140,29 +1160,29 @@ "authenticationExecutions": [ { "authenticator": "auth-cookie", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "auth-spnego", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 25, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 30, - "authenticatorFlow": true, "flowAlias": "forms", "userSetupAllowed": false } 
@@ -1178,30 +1198,30 @@ "authenticationExecutions": [ { "authenticator": "client-secret", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "client-jwt", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "client-secret-jwt", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 30, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "client-x509", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 40, - "authenticatorFlow": false, "userSetupAllowed": false } ] @@ -1216,22 +1236,22 @@ "authenticationExecutions": [ { "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 30, - "authenticatorFlow": true, "flowAlias": "Direct Grant - Conditional OTP", "userSetupAllowed": false } @@ -1247,9 +1267,9 @@ "authenticationExecutions": [ { "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false } ] @@ -1265,15 +1285,15 @@ { "authenticatorConfig": "review profile config", "authenticator": "idp-review-profile", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": true, "flowAlias": "User creation or linking", "userSetupAllowed": false } 
@@ -1289,15 +1309,15 @@ "authenticationExecutions": [ { "authenticator": "auth-username-password-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": false, "userSetupAllowed": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 20, - "authenticatorFlow": true, "flowAlias": "Browser - Conditional OTP", "userSetupAllowed": false } @@ -1313,9 +1333,9 @@ "authenticationExecutions": [ { "authenticator": "registration-page-form", + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 10, - "authenticatorFlow": true, "flowAlias": "registration form", "userSetupAllowed": false } @@ -1331,30 +1351,30 @@ "authenticationExecutions": [ { "authenticator": "registration-user-creation", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "registration-profile-action", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 40, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "registration-password-action", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 50, - "authenticatorFlow": false, "userSetupAllowed": false }, { "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 60, - "authenticatorFlow": false, "userSetupAllowed": false } ] 
@@ -1369,29 +1389,29 @@
 "authenticationExecutions": [
 {
 "authenticator": "reset-credentials-choose-user",
+ "authenticatorFlow": false,
 "requirement": "REQUIRED",
 "priority": 10,
- "authenticatorFlow": false,
 "userSetupAllowed": false
 },
 {
 "authenticator": "reset-credential-email",
+ "authenticatorFlow": false,
 "requirement": "REQUIRED",
 "priority": 20,
- "authenticatorFlow": false,
 "userSetupAllowed": false
 },
 {
 "authenticator": "reset-password",
+ "authenticatorFlow": false,
 "requirement": "REQUIRED",
 "priority": 30,
- "authenticatorFlow": false,
 "userSetupAllowed": false
 },
 {
+ "authenticatorFlow": true,
 "requirement": "CONDITIONAL",
 "priority": 40,
- "authenticatorFlow": true,
 "flowAlias": "Reset - Conditional OTP",
 "userSetupAllowed": false
 }
@@ -1407,9 +1427,9 @@
 "authenticationExecutions": [
 {
 "authenticator": "http-basic-authenticator",
+ "authenticatorFlow": false,
 "requirement": "REQUIRED",
 "priority": 10,
- "authenticatorFlow": false,
 "userSetupAllowed": false
 }
 ]
@@ -1436,7 +1456,7 @@
 "alias": "CONFIGURE_TOTP",
 "name": "Configure OTP",
 "providerId": "CONFIGURE_TOTP",
- "enabled": true,
+ "enabled": false,
 "defaultAction": false,
 "priority": 10,
 "config": {}
@@ -1454,7 +1474,7 @@
 "alias": "UPDATE_PASSWORD",
 "name": "Update Password",
 "providerId": "UPDATE_PASSWORD",
- "enabled": true,
+ "enabled": false,
 "defaultAction": false,
 "priority": 30,
 "config": {}
@@ -1463,7 +1483,7 @@
 "alias": "UPDATE_PROFILE",
 "name": "Update Profile",
 "providerId": "UPDATE_PROFILE",
- "enabled": true,
+ "enabled": false,
 "defaultAction": false,
 "priority": 40,
 "config": {}
@@ -1472,7 +1492,7 @@
 "alias": "VERIFY_EMAIL",
 "name": "Verify Email",
 "providerId": "VERIFY_EMAIL",
- "enabled": true,
+ "enabled": false,
 "defaultAction": false,
 "priority": 50,
 "config": {}
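Review bot: Disabling the `UPDATE_PASSWORD` and `CONFIGURE_TOTP` required actions (the `-1454` and `-1436` hunks) removes an administrator's ability to force a credential rotation or OTP enrollment on a specific user, and with `resetPasswordAllowed` set to `false` earlier in this series the only remaining way to replace a compromised password appears to be a manual admin reset. The `Reset - Conditional OTP` and browser OTP sub-flows kept in this file can never fire if no user is able to enroll an OTP, so either the OTP flows or this action change is dead configuration. Disabling `VERIFY_EMAIL` while self-registration is open means `registrationEmailAsUsername` accounts are never confirmed. Unless Google brokering is intended to be the only credential, keep at least `"enabled": true` for `UPDATE_PASSWORD` and `VERIFY_EMAIL`, or record in the commit message why they are off.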
@@ -1525,8 +1545,12 @@ "cibaExpiresIn": "120", "cibaAuthRequestedUserHint": "login_hint", "oauth2DeviceCodeLifespan": "600", + "clientOfflineSessionMaxLifespan": "0", "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + "clientOfflineSessionIdleTimeout": "0", "cibaInterval": "5", "realmReusableOtpCode": "false" }, diff --git a/dev/config/keycloak/themes/ips/login/messages/messages_en.properties b/dev/config/keycloak/themes/ips/login/messages/messages_en.properties index 60405bb..63a6500 100644 --- a/dev/config/keycloak/themes/ips/login/messages/messages_en.properties +++ b/dev/config/keycloak/themes/ips/login/messages/messages_en.properties @@ -9,7 +9,7 @@ doContinue=Continue doIgnore=Ignore doAccept=Accept doDecline=Decline -doForgotPassword=First time using, or forgot password? +doForgotPassword=Forgot password? doClickHere=Click here doImpersonate=Impersonate doTryAgain=Try again @@ -21,7 +21,7 @@ kerberosNotConfigured=Kerberos Not Configured kerberosNotConfiguredTitle=Kerberos Not Configured bypassKerberosDetail=Either you are not logged in by Kerberos or your browser is not set up for Kerberos login. Please click continue to login in through other means kerberosNotSetUp=Kerberos is not set up. You cannot login. -registerTitle=Register +registerTitle=Create new account loginAccountTitle=Sign in to your account loginTitle=Sign in to {0} loginTitleHtml={0} @@ -38,7 +38,7 @@ oauthGrantTitleHtml={0} errorTitle=We are sorry... errorTitleHtml=We are sorry ... emailVerifyTitle=Email verification -emailForgotTitle=First time using, or forgot password? +emailForgotTitle=Forgot email or password? updatePasswordTitle=Update password codeSuccessTitle=Success code codeErrorTitle=Error code\: {0} From 587c5db8008678f122ad184f9df6747ac461149c Mon Sep 17 00:00:00 2001 
From: Daniel Lorigan Date: Wed, 8 Jan 2025 13:31:37 -0800 Subject: [PATCH 13/16] Update login page styles --- .../themes/ips/login/resources/css/styles.css | 8 +- .../ips/login/resources/img/favicon.ico | Bin 4286 -> 1150 bytes .../themes/ips/login/resources/img/logo.svg | 649 +++++++++++++++++- 3 files changed, 641 insertions(+), 16 deletions(-)
diff --git a/dev/config/keycloak/themes/ips/login/resources/css/styles.css b/dev/config/keycloak/themes/ips/login/resources/css/styles.css
index 7b94eb2..b9d9ca1 100644
--- a/dev/config/keycloak/themes/ips/login/resources/css/styles.css
+++ b/dev/config/keycloak/themes/ips/login/resources/css/styles.css
@@ -1,11 +1,11 @@
 :root {
- --body-bg-color: #325c33;
- --primary-color: #325c33;
+ --body-bg-color: #e7f1ff;
+ --primary-color: #rgb(34, 72, 156);
 --primary-hover-color: #254325;
 --section-border-color: #dcdfdc;
 --button-primary-color: #af4507;
 --button-primary-hover-color: #883505;
- --title-color: #325c33;
+ --title-color: rgb(34, 72, 156);
 --label-color: #71757b;
 --link-color: #1994d0;
 --link-hover-color: #126994;
@@ -32,7 +32,7 @@ html.login-pf {
 left: 0;
 top: 0;
 width: 100%;
- background-color: var(--body-bg-color);
+ background-color: #fff;
 color: #fff;
 line-height: 3em;
 box-shadow: 0 0 0.15em 0 rgba(0, 0, 0, 0.1);
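Review bot: `--primary-color: #rgb(34, 72, 156);` is not a valid colour — the leading `#` makes it a hash token followed by a function, so any `color: var(--primary-color)` resolves to an invalid value at computed-value time and silently falls back to the inherited or initial colour. The sibling line in the same hunk, `--title-color: rgb(34, 72, 156);`, has the intended form; change the first to `--primary-color: rgb(34, 72, 156);`. In the second hunk `background-color: #fff;` replaces `var(--body-bg-color)`, which as far as this diff shows leaves the new `--body-bg-color: #e7f1ff` value unused; if that is intended it would be clearer to drop the variable rather than redefine it.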
diff --git a/dev/config/keycloak/themes/ips/login/resources/img/favicon.ico b/dev/config/keycloak/themes/ips/login/resources/img/favicon.ico index 62de3a266ec8c9991463b5d4bf230679a4ee71c3..37d183ad22209a2c8bbaa9a2d0e483015f48b2dd 100644 GIT binary patch literal 1150 zcmdUuzfHt26o(%IiK~z+S_0J-6gNUT+LVlds4{{#NP&bzl@U_VB4q^F;6`8pg!z6x zKjfS;0QmHsrFZ_`A17ya!Y2gdyRnBevr9AE0wE%YIGY*2{ioI6J_XpR=hw$=2NN`F zGrYarxFaChr ztoXBfuKeE~@IrCbe?Et=`QKpz&6E4ZpQ{|X2b{L@lj``oe~tlKp&0I1`RYNg-<|4< zhVvclAyu@T*FDN}X3h`Ab6@rP%JUpi^(r^#z*P=+wX3#rxaa$b8&>=dC(48TuHkBK z_k5qq9q3sqmuAWLqWJN`A7FwA>PdgcKerN3Tzub|eVm)c)55jc1}>Uq%NwTnx;i-W FegG1zHy{82 literal 4286 zcmeH~K~BOz6oy9^ZcL0yf(C(Nv=LbdmMG#vU3mhdCgN2*j^Yhmz`|3wGwwYBBz64% z!fOXZfdZCIAs^FDJM+EwW(q;6CA;Re0Z`lVj-~;epb8foYfNr+DJ`Fz@_X4(n@8$u|fd#%m*xby!Gva#K zIJ2KIyn=xka6XBjZq~(|Pp1woojKjpxpRB4|L=Xlxx}zdZ-o41O$I!h@Y7wnuSAWZ z3BOkd#sMras{Y~rx~;1XM;}WJhzWCzL+T(g%EYb(;Cn89)**TfW<0}={rtJ-g^i-6v;F<&=igrko=Y9% z{%P8NO+0_Pva7STeVskCd(>=gUzfafALjS=U^o`UUrI BO-%p* diff --git a/dev/config/keycloak/themes/ips/login/resources/img/logo.svg b/dev/config/keycloak/themes/ips/login/resources/img/logo.svg index e78ce21..7f4f05c 100644 --- a/dev/config/keycloak/themes/ips/login/resources/img/logo.svg +++ b/dev/config/keycloak/themes/ips/login/resources/img/logo.svg @@ -1,12 +1,637 @@ - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + \ No newline at end of file From 6823a5cc79a5e6db1f5fde7d304d37e34c01a312 Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Mon, 13 Jan 2025 13:13:50 -0800 Subject: [PATCH 14/16] Update shl-creator env vars --- dev/docker-compose.yaml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml index 60e67ea..aa7876e 100644 --- a/dev/docker-compose.yaml +++ b/dev/docker-compose.yaml 
@@ -154,13 +154,11 @@ services:
 image: ghcr.io/uwcirg/shl-ips:${SHL_CREATOR_IMAGE_TAG:-latest}
 environment:
 VITE_API_BASE: https://shl-server.${BASE_DOMAIN}/api
- VITE_INTERMEDIATE_FHIR_SERVER_BASE: https://fhir.${BASE_DOMAIN}/fhir/
- VITE_BACK_URL: https://${BASE_DOMAIN}/pro_reports/clinic_report_inform
- VITE_SOF_ISS: https://fhir-auth.${BASE_DOMAIN}/fhir
- VITE_OIDC_SERVER_BASE: https://keycloak.${BASE_DOMAIN}
- VITE_OIDC_LOGOUT_ENDPOINT: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/logout
- VITE_OIDC_CHECK_SESSION_IFRAME: https://keycloak.${BASE_DOMAIN}/realms/ips/protocol/openid-connect/login-status-iframe.html
- VITE_POST_LOGOUT_REDIRECT_URI: https://${BASE_DOMAIN}/users
+ VITE_INTERMEDIATE_FHIR_SERVER_BASE: https://fhir.${BASE_DOMAIN}/fhir
+ VITE_AUTH_URL: https://keycloak.${BASE_DOMAIN}/realms/ips
+ VITE_AUTH_CLIENT_ID: shl_creator
+ VITE_AUTH_REDIRECT_URI: https://shl-creator.${BASE_DOMAIN}/auth
+ VITE_AUTH_POST_LOGOUT_URI: https://shl-creator.${BASE_DOMAIN}/home
 env_file:
 shl-creator.env
 labels:
From a13dd5e65808da7563f562726ab1868ac9fd191a Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Mon, 13 Jan 2025 13:32:23 -0800 Subject: [PATCH 15/16] Update shl_creator client uris in keycloak import --- dev/config/keycloak/import/ips-realm.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dev/config/keycloak/import/ips-realm.json b/dev/config/keycloak/import/ips-realm.json
index b2298d7..402466e 100644
--- a/dev/config/keycloak/import/ips-realm.json
+++ b/dev/config/keycloak/import/ips-realm.json
@@ -136,7 +136,7 @@
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "redirectUris": [
- "${KEYCLOAK_SHL_CREATOR_BASE}/create"
+ "${KEYCLOAK_SHL_CREATOR_BASE}/auth"
 ],
 "webOrigins": [
 "*"
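Review bot: The `shl_creator` client whose redirect URI this hunk narrows to `${KEYCLOAK_SHL_CREATOR_BASE}/auth` still carries `"webOrigins": ["*"]` on the context lines directly below, so Keycloak will answer CORS preflights for this client from any origin even though the only legitimate origin is the creator itself; `"webOrigins": ["+"]` (Keycloak's shorthand for the origins of the registered redirect URIs) or the explicit `"${KEYCLOAK_SHL_CREATOR_BASE}"` would match the tightened redirect list. The compose hunk on this same line sets `VITE_AUTH_REDIRECT_URI: https://shl-creator.${BASE_DOMAIN}/auth`, which agrees with this change only if `KEYCLOAK_SHL_CREATOR_BASE` resolves to `https://shl-creator.${BASE_DOMAIN}`; that binding is not visible here and is worth a comment next to the variable. Note that `VITE_INTERMEDIATE_FHIR_SERVER_BASE` also loses its trailing slash in the same hunk, so any code that concatenated paths onto it should be checked.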
@@ -158,7 +158,7 @@
 "backchannel.logout.revoke.offline.tokens": "false",
 "frontchannel.logout.url": "${KEYCLOAK_SHL_CREATOR_BASE}/logout",
 "backchannel.logout.url": "",
- "post.logout.redirect.uris": "${KEYCLOAK_SHL_CREATOR_BASE}"
+ "post.logout.redirect.uris": "${KEYCLOAK_SHL_CREATOR_BASE}/home##${KEYCLOAK_SHL_CREATOR_BASE}"
 },
 "authenticationFlowBindingOverrides": {},
 "fullScopeAllowed": true,
From 80a7e9b96bb64b5d428b55cfc335686d6a3432b4 Mon Sep 17 00:00:00 2001 From: Daniel Lorigan Date: Mon, 13 Jan 2025 13:38:10 -0800 Subject: [PATCH 16/16] Update google idp config to use env variables --- dev/config/keycloak/import/ips-realm.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dev/config/keycloak/import/ips-realm.json b/dev/config/keycloak/import/ips-realm.json
index 402466e..bfb0cb8 100644
--- a/dev/config/keycloak/import/ips-realm.json
+++ b/dev/config/keycloak/import/ips-realm.json
@@ -778,7 +778,7 @@
 "alias": "google",
 "internalId": "c89e7660-1b6f-4596-bbef-090d4dd31f74",
 "providerId": "google",
- "enabled": true,
+ "enabled": "${KEYCLOAK_GOOGLE_IDP_ENABLED}",
 "updateProfileFirstLoginMode": "on",
 "trustEmail": false,
 "storeToken": false,
@@ -787,8 +787,8 @@
 "linkOnly": false,
 "firstBrokerLoginFlowAlias": "first broker login",
 "config": {
- "clientSecret": "**********",
- "clientId": "694968866760-2s4l6qj4jtetdfd8l4e4g0aj0ef8qs02.apps.googleusercontent.com"
+ "clientSecret": "${KEYCLOAK_GOOGLE_IDP_CLIENT_SECRET}",
+ "clientId": "${KEYCLOAK_GOOGLE_IDP_CLIENT_ID}"
 }
 }
 ],
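Review bot: `"enabled": "${KEYCLOAK_GOOGLE_IDP_ENABLED}"` places a placeholder in a boolean field, whereas every other placeholder in this file (`redirectUris`, `post.logout.redirect.uris`, `clientSecret`) sits in a string field; confirm that the realm importer coerces the substituted `"true"`/`"false"` rather than rejecting the realm, and quote the expected values in a comment. If any of the three variables is unset at import time the literal `${...}` text is what gets stored, which for `clientSecret` means a provider that is enabled but can never complete a login; a default such as `${KEYCLOAK_GOOGLE_IDP_ENABLED:false}` — the `${VAR:default}` form `theme.properties` already uses elsewhere in this series — would make it fail closed, provided the realm importer accepts that syntax. Moving the credentials out of the tracked file is the right change; the previous commit's real client id remains in history, which is not secret on its own but is worth knowing when the Google OAuth client is next rotated.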