diff --git a/SAS/TMSS/src/tmss/settings.py b/SAS/TMSS/src/tmss/settings.py
index 046f8de35906fd6d5c5753625ee5a4c04de7f1aa..2e90189375ce39a426016f832845165dbd8e55e2 100644
--- a/SAS/TMSS/src/tmss/settings.py
+++ b/SAS/TMSS/src/tmss/settings.py
@@ -18,8 +18,54 @@ from lofar.common import dbcredentials
# logger
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
-logger.setLevel(logging.INFO)
-
+logger.setLevel(logging.DEBUG)
+
+LOGGING = {
+ 'version': 1,
+ 'disable_existing_loggers': False,
+ 'filters': {
+ 'require_debug_false': {
+ '()': 'django.utils.log.RequireDebugFalse',
+ },
+ 'require_debug_true': {
+ '()': 'django.utils.log.RequireDebugTrue',
+ },
+ },
+ 'formatters': {
+ 'django.server': {
+ '()': 'django.utils.log.ServerFormatter',
+ 'format': '[%(server_time)s] %(message)s',
+ },
+ },
+ 'handlers': {
+ 'console': {
+ 'level': 'DEBUG',
+ 'filters': ['require_debug_true'],
+ 'class': 'logging.StreamHandler',
+ },
+ 'django.server': {
+ 'level': 'DEBUG',
+ 'class': 'logging.StreamHandler',
+ 'formatter': 'django.server',
+ },
+ 'mail_admins': {
+ 'level': 'ERROR',
+ 'filters': ['require_debug_false'],
+ 'class': 'django.utils.log.AdminEmailHandler'
+ },
+ },
+ 'loggers': {
+ 'django': {
+ 'handlers': ['console', 'mail_admins'],
+ 'level': 'DEBUG',
+ },
+ 'django.server': {
+ 'handlers': ['django.server'],
+ 'level': 'DEBUG',
+ 'propagate': False,
+ },
+ }
+}
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -55,6 +101,7 @@ INSTALLED_APPS = [
'jsoneditor',
'drf_yasg',
'django_filters',
+ 'mozilla_django_oidc', # Load after auth
]
MIDDLEWARE = [
@@ -129,6 +176,7 @@ REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
+ 'mozilla_django_oidc.contrib.drf.OIDCAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': [
#'rest_framework.permissions.AllowAny',
@@ -171,9 +219,18 @@ AUTH_LDAP_USER_ATTR_MAP = {
"email": "mail"
}
+# OPEN-ID CONNECT
+
+OIDC_RP_CLIENT_ID = os.environ.get('OIDC_RP_CLIENT_ID', 'id') # Secret, do not put real credentials on Git
+OIDC_RP_CLIENT_SECRET = os.environ.get('OIDC_RP_CLIENT_SECRET', 'secret') # Secret, do not put real credentials on Git
+OIDC_OP_AUTHORIZATION_ENDPOINT = "https://localhost:9090/authentication"
+OIDC_OP_TOKEN_ENDPOINT = "https://localhost:9090/token"
+OIDC_OP_USER_ENDPOINT = "https://localhost:9090/userinfo"
+
AUTHENTICATION_BACKENDS = (
- 'django_auth_ldap.backend.LDAPBackend',
- 'django.contrib.auth.backends.ModelBackend',
+ #'django_auth_ldap.backend.LDAPBackend',
+ #'django.contrib.auth.backends.ModelBackend',
+ 'mozilla_django_oidc.auth.OIDCAuthenticationBackend',
)
# Password validation
diff --git a/SAS/TMSS/src/tmss/urls.py b/SAS/TMSS/src/tmss/urls.py
index c96864991dd29a38fa6b9ed385f1288f6684a14d..1bc27fb4b0f72c2363dde05e6703670d7ea74b6d 100644
--- a/SAS/TMSS/src/tmss/urls.py
+++ b/SAS/TMSS/src/tmss/urls.py
@@ -145,4 +145,4 @@ router.register(r'task_blueprint_C', viewsets.TaskBlueprintViewSetJSONeditorOnli
urlpatterns.extend(router.urls)
# prefix everything for proxy
-urlpatterns = [url(r'^api/', include(urlpatterns))]
\ No newline at end of file
+urlpatterns = [url(r'^api/', include(urlpatterns)), url(r'^oidc/', include('mozilla_django_oidc.urls')),]
\ No newline at end of file
diff --git a/SAS/TMSS/test/oidc/create-keycloak-user.sh b/SAS/TMSS/test/oidc/create-keycloak-user.sh
new file mode 100644
index 0000000000000000000000000000000000000000..1ede32adf3d5e7ab72f078c46fa8c438ae1464d0
--- /dev/null
+++ b/SAS/TMSS/test/oidc/create-keycloak-user.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+cd keycloak/bin
+./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin
+
+USERID=$(./kcadm.sh create users -r demo -s username=monitoring-user -s enabled=true -o --fields id | jq '.id' | tr -d '"')
+echo $USERID
+./kcadm.sh update users/$USERID/reset-password -r demo -s type=password -s value=default -s temporary=false -n
+./kcadm.sh add-roles --uusername monitoring-user --rolename monitoring -r demo
+
diff --git a/SAS/TMSS/test/oidc/example/README.md b/SAS/TMSS/test/oidc/example/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..eaff811bdcd0e7e41fdf8d56691fa96a3981133e
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/README.md
@@ -0,0 +1,8 @@
+# pyOP example application
+To run the example application, execute the following commands:
+
+```bash
+cd example/
+pip install -r requirements.txt # install the dependencies
+gunicorn wsgi:app -b :9090 --certfile https.crt --keyfile https.key # run the application
+```
\ No newline at end of file
diff --git a/SAS/TMSS/test/oidc/example/__init__.py b/SAS/TMSS/test/oidc/example/__init__.py
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/SAS/TMSS/test/oidc/example/__pycache__/__init__.cpython-34.pyc b/SAS/TMSS/test/oidc/example/__pycache__/__init__.cpython-34.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..819d68a23dababb1257d69f3b39b35a9d08a0ef0
Binary files /dev/null and b/SAS/TMSS/test/oidc/example/__pycache__/__init__.cpython-34.pyc differ
diff --git a/SAS/TMSS/test/oidc/example/__pycache__/app.cpython-34.pyc b/SAS/TMSS/test/oidc/example/__pycache__/app.cpython-34.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..004bd471eec2552f614d26573477e473b8be185d
Binary files /dev/null and b/SAS/TMSS/test/oidc/example/__pycache__/app.cpython-34.pyc differ
diff --git a/SAS/TMSS/test/oidc/example/__pycache__/views.cpython-34.pyc b/SAS/TMSS/test/oidc/example/__pycache__/views.cpython-34.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..0f4d528467e3f5573f883a850f931ff5a4c697dc
Binary files /dev/null and b/SAS/TMSS/test/oidc/example/__pycache__/views.cpython-34.pyc differ
diff --git a/SAS/TMSS/test/oidc/example/__pycache__/wsgi.cpython-34.pyc b/SAS/TMSS/test/oidc/example/__pycache__/wsgi.cpython-34.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..4d49e3aecb16e15abd0ed70fdceb8eb407a468ec
Binary files /dev/null and b/SAS/TMSS/test/oidc/example/__pycache__/wsgi.cpython-34.pyc differ
diff --git a/SAS/TMSS/test/oidc/example/app.py b/SAS/TMSS/test/oidc/example/app.py
new file mode 100644
index 0000000000000000000000000000000000000000..806dc4cab84103ad5ab3396b4a59cbc7b7032d4d
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/app.py
@@ -0,0 +1,60 @@
+from flask.app import Flask
+from flask.helpers import url_for
+from jwkest.jwk import RSAKey, rsa_load
+
+from pyop.authz_state import AuthorizationState
+from pyop.provider import Provider
+from pyop.subject_identifier import HashBasedSubjectIdentifierFactory
+from pyop.userinfo import Userinfo
+
+
+def init_oidc_provider(app):
+ with app.app_context():
+ issuer = url_for('oidc_provider.index')[:-1]
+ authentication_endpoint = url_for('oidc_provider.authentication_endpoint')
+ jwks_uri = url_for('oidc_provider.jwks_uri')
+ token_endpoint = url_for('oidc_provider.token_endpoint')
+ userinfo_endpoint = url_for('oidc_provider.userinfo_endpoint')
+ registration_endpoint = url_for('oidc_provider.registration_endpoint')
+ end_session_endpoint = url_for('oidc_provider.end_session_endpoint')
+
+ configuration_information = {
+ 'issuer': issuer,
+ 'authorization_endpoint': authentication_endpoint,
+ 'jwks_uri': jwks_uri,
+ 'token_endpoint': token_endpoint,
+ 'userinfo_endpoint': userinfo_endpoint,
+ 'registration_endpoint': registration_endpoint,
+ 'end_session_endpoint': end_session_endpoint,
+ 'scopes_supported': ['openid', 'profile'],
+ 'response_types_supported': ['code', 'code id_token', 'code token', 'code id_token token'], # code and hybrid
+ 'response_modes_supported': ['query', 'fragment'],
+ 'grant_types_supported': ['authorization_code', 'implicit'],
+ 'subject_types_supported': ['pairwise'],
+ 'token_endpoint_auth_methods_supported': ['client_secret_basic'],
+ 'claims_parameter_supported': True
+ }
+
+ userinfo_db = Userinfo(app.users)
+ signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256')
+ provider = Provider(signing_key, configuration_information,
+ AuthorizationState(HashBasedSubjectIdentifierFactory(app.config['SUBJECT_ID_HASH_SALT'])),
+ {}, userinfo_db)
+
+ return provider
+
+
+def oidc_provider_init_app(name=None):
+ name = name or __name__
+ app = Flask(name)
+ app.config.from_pyfile('application.cfg')
+
+ app.users = {'test_user': {'name': 'Testing Name'}}
+
+ from .views import oidc_provider_views
+ app.register_blueprint(oidc_provider_views)
+
+ # Initialize the oidc_provider after views to be able to set correct urls
+ app.provider = init_oidc_provider(app)
+
+ return app
diff --git a/SAS/TMSS/test/oidc/example/application.cfg b/SAS/TMSS/test/oidc/example/application.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..36a1da6723269c362ec85862a1ef2c25f9aade8d
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/application.cfg
@@ -0,0 +1,5 @@
+SERVER_NAME = 'localhost:9090'
+SECRET_KEY = 'secret_key'
+SESSION_COOKIE_NAME='pyop_session'
+SUBJECT_ID_HASH_SALT = 'salt'
+PREFERRED_URL_SCHEME = 'https'
\ No newline at end of file
diff --git a/SAS/TMSS/test/oidc/example/https.crt b/SAS/TMSS/test/oidc/example/https.crt
new file mode 100644
index 0000000000000000000000000000000000000000..20a202d8992f026f63a09dea769fe8abadabafb8
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/https.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBjCCAu6gAwIBAgIJAIybVu7kfIK0MA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMTD2xva2kuaXRzLnVtdS5zZTAeFw0xNTEy
+MTAxNDQyMDFaFw0yNTEyMDcxNDQyMDFaMF8xCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+EwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+GDAWBgNVBAMTD2xva2kuaXRzLnVtdS5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALiLDBwIteIobC+7JHoNeQRrTIbws9BghN4UUzyLo7+xeP9YwHaS
+tq6HqYK4cVLyx8k06Siw/4PwqMPNj9/B4f/ZXhEkXgbBP5TP36UgKrUIk4zInRFb
+Rjy+DcqjSZdgW1CKBKWJstXjSYen5rPm+voM/0msi164NPcfDMQIZmcQWh0MmEfG
+qlvdwTvjdaAQt8p7CGsxIdu4gPfhubknbTQKu+BVq5/RCVP7VU830PSr1RYhthX8
+Gt8ir32jEdDdjIrfA/zFx6PChyLkQFXtg/9WymnIM1j2ngNreL2nppwnqMYRnI9i
+C/y7MY4al3WeL9IETrtgh1jzXUNpgpJ03B0CAwEAAaOBxDCBwTAdBgNVHQ4EFgQU
+cTNphzIIRpQBQ2VT0Vx9xQYzNN0wgZEGA1UdIwSBiTCBhoAUcTNphzIIRpQBQ2VT
+0Vx9xQYzNN2hY6RhMF8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRl
+MSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMTD2xv
+a2kuaXRzLnVtdS5zZYIJAIybVu7kfIK0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADggEBAJYJfUqOPTyZ+tflKoN4l+scIXpBxqtQbjX+MYli6VHpl+M8y163
+KsCglXPddL7Z58KBrUDx1m6f7dFQ3PMYn/S2dUcRrNOdfaDKZ5QgyYj/iVr8HSOh
+6i1OtMFaBqW5WyqA5YgvUz63hZ2kDOBHZcEfSn2+roylBUiueV9gFNKDWneNMLo2
+PMZxcGWZ3wIQbu9ahakbJUvTigFStKeLoY1A2ZSTH7W4elB5DDxYOKZSzd/KZpfn
+/o/Pc7YbbEUYgIyf3QNusdH+t2pw9ZkrlKMhiv9ZAmjAWMDY7O/i3r7u7AkODu7z
+OHbH3rJqkbaiS8/q0cMZG6AMUzPRglzsTc4=
+-----END CERTIFICATE-----
diff --git a/SAS/TMSS/test/oidc/example/https.key b/SAS/TMSS/test/oidc/example/https.key
new file mode 100644
index 0000000000000000000000000000000000000000..2abb725087feda493114a731026b866396c07797
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/https.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuIsMHAi14ihsL7skeg15BGtMhvCz0GCE3hRTPIujv7F4/1jA
+dpK2roepgrhxUvLHyTTpKLD/g/Cow82P38Hh/9leESReBsE/lM/fpSAqtQiTjMid
+EVtGPL4NyqNJl2BbUIoEpYmy1eNJh6fms+b6+gz/SayLXrg09x8MxAhmZxBaHQyY
+R8aqW93BO+N1oBC3ynsIazEh27iA9+G5uSdtNAq74FWrn9EJU/tVTzfQ9KvVFiG2
+Ffwa3yKvfaMR0N2Mit8D/MXHo8KHIuRAVe2D/1bKacgzWPaeA2t4vaemnCeoxhGc
+j2IL/LsxjhqXdZ4v0gROu2CHWPNdQ2mCknTcHQIDAQABAoIBAQCooAWUqDDqUl1o
+z+voyt7FtvXaZ58mzMsb0h6suDwMMTKKwKI8tprOp4+wrrB+RvFfXUWftPwFp6XO
+JMtOfm7vxcM6jqyMJ5DdfYSx8c6UVR3eCoHbFjf70P3xJ3tbIuTNlw/f4w7Sejj6
+B+W6hVjXm4C55TwEdPWQyYJ0rehESxITn7DDjDNXxxwDqwAv8yPTYf8m7mb7qh3V
+EBnvZPIWpgEIVqV2crQSfHJwg29KhS7cnExJBYEPppBQ4aoUGyMqJN0EyBL4DrRo
+Ds6hPttLaXEmB+ACm/OQzhEeFKduob5OIKRSyp9Z8t6/B9uHiIKCENRU4O4zux57
+jZ8MIypRAoGBAO0anHYHlniyP5f/8u4kvTnW3wbDtRJ3L3zVSKN8shQmQnjNWmsI
+LhLWLU2OTRsXlJB7oYqNBojUBdeGimYot9kmjx4XkxELB6XAaYDG6pDvM7axC5qH
+iuC4jVHdEsIfy9dP6wZ/b+A+JOWWpS1vdAizfvgWI32JLGDPkjjUlzNvAoGBAMdA
+F5KZZLZFYsZM470/bb20qFMURDRI+5yz0VUHTNUQEr/xhMcYFske6ox14A7gXzwd
+SHAvTDkV8DsGu/FzSWzZmVhNc1EtdM3Cbe3Y7WJoIQoupuxBDEvrBE9riyOjW61q
+dYIO2ymfJfc2Vx6d7LAK9itXdqa3RIo7ZPK7EbMzAoGAAR1C5vsaJe8QhXJafewG
+R6NO4QVCcJfGzVtjQAFyBM45OcAdUKt1K/l9tQOaMSpnNFagZ7pJ8ZKthFnJhLlk
+Q8z+lzGdK1NV8d15oXVN3OiC4bTrTQqeCHhVkbDsSaVEm/pwLFOk/vTLz5hpplED
+xpaxXhEckZZ3cu0GzuWQ4FkCgYAb34tspqjAFtTKiNcTElx3vV4OwTcJWWxZb45J
+JsxIwgbdcxvv/h6x4/FL1PGTIzAvaKlJiFRRaBBDMZ35GPeckpQxFiSbppBAeIKI
+U2Bh888rbXtMcY0W0bm4ooLEaYXZrJrjptBh8jGNc7ycO9twhRgK2CFxERI1hDmK
++0BuoQKBgHLRFdJYFkNKB+j56vTlB5AFTXcjs6x0dZ4j0SDAqVYgIHErpd2bhgOz
+s698rfdadwbYN4UEqvV/2NhDLx/jag4BvCermK71HaXvYnvqKw3UHGAG8K/dCCFR
+eSuZnxTSoWAPjMLi64hRzbWVT+oeZuy83lG6qDygbI1z1nlYWdo3
+-----END RSA PRIVATE KEY-----
diff --git a/SAS/TMSS/test/oidc/example/requirements.txt b/SAS/TMSS/test/oidc/example/requirements.txt
new file mode 100644
index 0000000000000000000000000000000000000000..e6b8e9f26cf02724603d4cdd5f621db2588e3b04
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/requirements.txt
@@ -0,0 +1,3 @@
+pyop
+Flask
+gunicorn
\ No newline at end of file
diff --git a/SAS/TMSS/test/oidc/example/signing_key.pem b/SAS/TMSS/test/oidc/example/signing_key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..74fe00d413e958c55ff2c8894c78ce47fc36ddcd
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/signing_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCi7nye2Ye1MrUD/sZAplfkpMkXHYduydvfvv/+Ihx1ClxKS/KG
+/1EhqyBVVvhHLRs9pimKMyLm2pBE51rGOt//XKhsoFAa37VID2iz7DQuV6DGgyBS
+FaKgaYBpinEQy2WcjU4eABnABV2r+K2UmGkqVJheqHqOqHUKasT4gy/6kQIDAQAB
+AoGAf7u+YX6ioNCvDwHHBVojn/H8YK3axmVkhiYkZWTysGM99VVTPridL2sMfzse
+jBZ1u8Av4tOyMg/5eLtz8+KmRjljpeAEFfsA1htWE8vESXnvDFwKldXD9Vi/kppb
+CYqASGCBUX3i1LPYffvjUxIgD+Tjx4k56c5EN5G331flDV0CQQDP8fWraegLJ+K1
+iXGNQzpaqG3EI3vf35Yb2bJpmD39QIXFIcJJ5MZHVW+1TyvgiavM4hS2+LGA8kGh
+OvMWfbYTAkEAyJWGBUmAW9mooo1Vw4tJjEWAHjHvzcQ4dqIju+WN8Xy5JTWkDD6Z
+VgKGtgLt2HfpSsgej14+Rh5mrjo4SbYxSwJAKG0syq9jOk/9xjc7STBJtvhJprkT
+SxnHsBBpnBfJ7WNO3l1KzVzZo2Kbvg7vQ87gBIvrZQsCT0RJuBOi0LuN2wJAAInm
+Qj1gSt7axRT8FfpZyDankW0w56yPOkJVNjv3lZ5wINl0B1RjtQdstTBs0xf/WGQR
+MPFf2XBbdjxRymDi4QJBAM3MUYPOlUk1UVCSQKyCkBwL3zMaPjBjD5LXkhGJzxsb
+T74NznwmCib/r0Rl/KmD7/bAq7R4aheOS/OMaZyhbkk=
+-----END RSA PRIVATE KEY-----
diff --git a/SAS/TMSS/test/oidc/example/templates/logout.jinja2 b/SAS/TMSS/test/oidc/example/templates/logout.jinja2
new file mode 100644
index 0000000000000000000000000000000000000000..4322588f2197e9b8579819a9084f7c95c17e1d27
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/templates/logout.jinja2
@@ -0,0 +1,8 @@
+<!doctype html>
+<title>Logout</title>
+
+Do you really want to logout?
+<form method="POST">
+ <button type="submit" name="logout" value="logout">Yes, logout</button>
+ <button type="submit" name="no_logout" value="no_logout">No, cancel logout</button>
+</form>
\ No newline at end of file
diff --git a/SAS/TMSS/test/oidc/example/views.py b/SAS/TMSS/test/oidc/example/views.py
new file mode 100644
index 0000000000000000000000000000000000000000..7d7335bb224c667973519d56203f73799d0af70c
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/views.py
@@ -0,0 +1,124 @@
+from urllib.parse import urlencode, parse_qs
+
+import flask
+from flask import Blueprint, redirect
+from flask import current_app
+from flask import jsonify
+from flask.helpers import make_response
+from flask.templating import render_template
+from oic.oic.message import TokenErrorResponse, UserInfoErrorResponse, EndSessionRequest
+
+from pyop.access_token import AccessToken, BearerTokenError
+from pyop.exceptions import InvalidAuthenticationRequest, InvalidAccessToken, InvalidClientAuthentication, OAuthError, \
+ InvalidSubjectIdentifier, InvalidClientRegistrationRequest
+from pyop.util import should_fragment_encode
+
+oidc_provider_views = Blueprint('oidc_provider', __name__, url_prefix='')
+
+
+@oidc_provider_views.route('/')
+def index():
+ return 'Hello world!'
+
+
+@oidc_provider_views.route('/registration', methods=['POST'])
+def registration_endpoint():
+ try:
+ response = current_app.provider.handle_client_registration_request(flask.request.get_data().decode('utf-8'))
+ return make_response(jsonify(response.to_dict()), 201)
+ except InvalidClientRegistrationRequest as e:
+ return make_response(jsonify(e.to_dict()), status=400)
+
+
+@oidc_provider_views.route('/authentication', methods=['GET'])
+def authentication_endpoint():
+ # parse authentication request
+ try:
+ auth_req = current_app.provider.parse_authentication_request(urlencode(flask.request.args),
+ flask.request.headers)
+ except InvalidAuthenticationRequest as e:
+ current_app.logger.debug('received invalid authn request', exc_info=True)
+ error_url = e.to_error_url()
+ if error_url:
+ return redirect(error_url, 303)
+ else:
+ # show error to user
+ return make_response('Something went wrong: {}'.format(str(e)), 400)
+
+ # automagic authentication
+ authn_response = current_app.provider.authorize(auth_req, 'test_user')
+ response_url = authn_response.request(auth_req['redirect_uri'], should_fragment_encode(auth_req))
+ return redirect(response_url, 303)
+
+
+@oidc_provider_views.route('/.well-known/openid-configuration')
+def provider_configuration():
+ return jsonify(current_app.provider.provider_configuration.to_dict())
+
+
+@oidc_provider_views.route('/jwks')
+def jwks_uri():
+ return jsonify(current_app.provider.jwks)
+
+
+@oidc_provider_views.route('/token', methods=['POST'])
+def token_endpoint():
+ try:
+ token_response = current_app.provider.handle_token_request(flask.request.get_data().decode('utf-8'),
+ flask.request.headers)
+ return jsonify(token_response.to_dict())
+ except InvalidClientAuthentication as e:
+ current_app.logger.debug('invalid client authentication at token endpoint', exc_info=True)
+ error_resp = TokenErrorResponse(error='invalid_client', error_description=str(e))
+ response = make_response(error_resp.to_json(), 401)
+ response.headers['Content-Type'] = 'application/json'
+ response.headers['WWW-Authenticate'] = 'Basic'
+ return response
+ except OAuthError as e:
+ current_app.logger.debug('invalid request: %s', str(e), exc_info=True)
+ error_resp = TokenErrorResponse(error=e.oauth_error, error_description=str(e))
+ response = make_response(error_resp.to_json(), 400)
+ response.headers['Content-Type'] = 'application/json'
+ return response
+
+
+@oidc_provider_views.route('/userinfo', methods=['GET', 'POST'])
+def userinfo_endpoint():
+ try:
+ response = current_app.provider.handle_userinfo_request(flask.request.get_data().decode('utf-8'),
+ flask.request.headers)
+ return jsonify(response.to_dict())
+ except (BearerTokenError, InvalidAccessToken) as e:
+ error_resp = UserInfoErrorResponse(error='invalid_token', error_description=str(e))
+ response = make_response(error_resp.to_json(), 401)
+ response.headers['WWW-Authenticate'] = AccessToken.BEARER_TOKEN_TYPE
+ response.headers['Content-Type'] = 'application/json'
+ return response
+
+
+def do_logout(end_session_request):
+ try:
+ current_app.provider.logout_user(end_session_request=end_session_request)
+ except InvalidSubjectIdentifier as e:
+ return make_response('Logout unsuccessful!', 400)
+
+ redirect_url = current_app.provider.do_post_logout_redirect(end_session_request)
+ if redirect_url:
+ return redirect(redirect_url, 303)
+
+ return make_response('Logout successful!')
+
+
+@oidc_provider_views.route('/logout', methods=['GET', 'POST'])
+def end_session_endpoint():
+ if flask.request.method == 'GET':
+ # redirect from RP
+ end_session_request = EndSessionRequest().deserialize(urlencode(flask.request.args))
+ flask.session['end_session_request'] = end_session_request.to_dict()
+ return render_template('logout.jinja2')
+ else:
+ form = parse_qs(flask.request.get_data().decode('utf-8'))
+ if 'logout' in form:
+ return do_logout(EndSessionRequest().from_dict(flask.session['end_session_request']))
+ else:
+ return make_response('You chose not to logout')
diff --git a/SAS/TMSS/test/oidc/example/wsgi.py b/SAS/TMSS/test/oidc/example/wsgi.py
new file mode 100644
index 0000000000000000000000000000000000000000..f98a0a821882982289dddc1606622dee3b0084b8
--- /dev/null
+++ b/SAS/TMSS/test/oidc/example/wsgi.py
@@ -0,0 +1,7 @@
+import logging
+
+from example.app import oidc_provider_init_app
+
+name = 'oidc_provider'
+app = oidc_provider_init_app(name)
+logging.basicConfig(level=logging.DEBUG)
diff --git a/SAS/TMSS/test/oidc/realm-export.json b/SAS/TMSS/test/oidc/realm-export.json
new file mode 100644
index 0000000000000000000000000000000000000000..5fa0d5bae6b1d0cf4faf618579693af9ce2c39e7
--- /dev/null
+++ b/SAS/TMSS/test/oidc/realm-export.json
@@ -0,0 +1,1808 @@
+
+ "id": "demo",
+ "realm": "demo",
+ "notBefore": 0,
+ "revokeRefreshToken": false,
+ "refreshTokenMaxReuse": 0,
+ "accessTokenLifespan": 300,
+ "accessTokenLifespanForImplicitFlow": 900,
+ "ssoSessionIdleTimeout": 1800,
+ "ssoSessionMaxLifespan": 36000,
+ "offlineSessionIdleTimeout": 2592000,
+ "offlineSessionMaxLifespanEnabled": false,
+ "offlineSessionMaxLifespan": 5184000,
+ "accessCodeLifespan": 60,
+ "accessCodeLifespanUserAction": 300,
+ "accessCodeLifespanLogin": 1800,
+ "actionTokenGeneratedByAdminLifespan": 43200,
+ "actionTokenGeneratedByUserLifespan": 300,
+ "enabled": true,
+ "sslRequired": "external",
+ "registrationAllowed": false,
+ "registrationEmailAsUsername": false,
+ "rememberMe": false,
+ "verifyEmail": false,
+ "loginWithEmailAllowed": true,
+ "duplicateEmailsAllowed": false,
+ "resetPasswordAllowed": false,
+ "editUsernameAllowed": false,
+ "bruteForceProtected": false,
+ "permanentLockout": false,
+ "maxFailureWaitSeconds": 900,
+ "minimumQuickLoginWaitSeconds": 60,
+ "waitIncrementSeconds": 60,
+ "quickLoginCheckMilliSeconds": 1000,
+ "maxDeltaTimeSeconds": 43200,
+ "failureFactor": 30,
+ "roles": {
+ "realm": [
+ {
+ "id": "9cdbfeb1-7dea-442b-a798-0845a15b3fef",
+ "name": "uma_authorization",
+ "description": "${role_uma_authorization}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "demo",
+ "attributes": {}
+ },
+ {
+ "id": "5c42617f-2d8c-422d-8d15-b7630067990e",
+ "name": "demo-administrator",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "demo",
+ "attributes": {}
+ },
+ {
+ "id": "46b3080a-2957-4bd6-9d06-da15dac503e4",
+ "name": "promoter",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "demo",
+ "attributes": {}
+ },
+ {
+ "id": "16a657ca-7a97-4d27-b1d1-8a65087a1f19",
+ "name": "offline_access",
+ "description": "${role_offline-access}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "demo",
+ "attributes": {}
+ },
+ {
+ "id": "cecacd7e-1775-4ac1-ba99-93d9020ead83",
+ "name": "monitoring",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "demo",
+ "attributes": {}
+ }
+ ],
+ "client": {
+ "realm-management": [
+ {
+ "id": "e441b81d-6ae3-4cf7-bfbf-ed4215eb2f47",
+ "name": "create-client",
+ "description": "${role_create-client}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "8c7cd27d-dfc5-4f83-80bf-373255b888d2",
+ "name": "manage-realm",
+ "description": "${role_manage-realm}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "ed027a01-9172-4e2c-a3c5-959de3d24c22",
+ "name": "view-users",
+ "description": "${role_view-users}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "realm-management": [
+ "query-users",
+ "query-groups"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "bf27552e-da67-4780-8d14-c795bc9f3407",
+ "name": "query-clients",
+ "description": "${role_query-clients}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "d6beb376-5920-411d-93fc-b90c091d3d2f",
+ "name": "manage-events",
+ "description": "${role_manage-events}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "3c5e7a53-7ead-4726-940f-d4190b0ec5c7",
+ "name": "manage-users",
+ "description": "${role_manage-users}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "031098a6-8e77-4e01-912b-e50a1f9e7749",
+ "name": "manage-authorization",
+ "description": "${role_manage-authorization}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "9fdf5253-30a4-4b3d-8ca7-2044396d9ccb",
+ "name": "query-groups",
+ "description": "${role_query-groups}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "d43dc9bd-5d06-4eae-9708-95f7e835fbfd",
+ "name": "view-clients",
+ "description": "${role_view-clients}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "realm-management": [
+ "query-clients"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "693555e2-14e1-461e-98a1-c8cab8137f8f",
+ "name": "view-realm",
+ "description": "${role_view-realm}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "6b90a2d2-f366-457d-9469-c5da38f990a6",
+ "name": "query-realms",
+ "description": "${role_query-realms}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "c073af53-414a-41f0-b093-0b68c0f1ecba",
+ "name": "impersonation",
+ "description": "${role_impersonation}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "1283a4ff-5217-449c-8c85-ddff72ed73fd",
+ "name": "query-users",
+ "description": "${role_query-users}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "57a640d0-f017-46f8-a23e-d3fc7f8e7de8",
+ "name": "realm-admin",
+ "description": "${role_realm-admin}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "realm-management": [
+ "manage-realm",
+ "create-client",
+ "view-users",
+ "query-clients",
+ "manage-events",
+ "manage-authorization",
+ "manage-users",
+ "query-groups",
+ "view-realm",
+ "view-clients",
+ "query-realms",
+ "impersonation",
+ "query-users",
+ "manage-clients",
+ "view-authorization",
+ "view-events",
+ "view-identity-providers",
+ "manage-identity-providers"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "5d4108b8-c2bc-44f2-9038-ea18bf3164ef",
+ "name": "manage-clients",
+ "description": "${role_manage-clients}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "7ee7d0f4-d61f-4e01-ac37-86a7d42e30a0",
+ "name": "view-authorization",
+ "description": "${role_view-authorization}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "9d6dd55e-2d70-4b35-9ae7-43b59ff84cd5",
+ "name": "view-events",
+ "description": "${role_view-events}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "e2b85d94-2efb-458f-ae69-84e04d0975e4",
+ "name": "view-identity-providers",
+ "description": "${role_view-identity-providers}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ },
+ {
+ "id": "466294e7-feb8-4d2f-ae45-6807160553ae",
+ "name": "manage-identity-providers",
+ "description": "${role_manage-identity-providers}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "attributes": {}
+ }
+ ],
+ "demo-frontend": [],
+ "security-admin-console": [],
+ "admin-cli": [],
+ "demo-api": [],
+ "broker": [
+ {
+ "id": "b375956d-b283-45b7-aa0b-76e19d3c9b2f",
+ "name": "read-token",
+ "description": "${role_read-token}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "d165281c-4c36-4185-bfbd-589c8a52945f",
+ "attributes": {}
+ }
+ ],
+ "account": [
+ {
+ "id": "aada5867-9268-4e37-b206-491041cd3360",
+ "name": "view-profile",
+ "description": "${role_view-profile}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "f5c24837-4fc7-4994-9c1e-bd70f2cbeed6",
+ "attributes": {}
+ },
+ {
+ "id": "39893eb7-65a6-4d5e-9704-f59952deaeab",
+ "name": "manage-account",
+ "description": "${role_manage-account}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "account": [
+ "manage-account-links"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "f5c24837-4fc7-4994-9c1e-bd70f2cbeed6",
+ "attributes": {}
+ },
+ {
+ "id": "193f4d1a-4c4a-4029-9092-1aa44df23b42",
+ "name": "manage-account-links",
+ "description": "${role_manage-account-links}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "f5c24837-4fc7-4994-9c1e-bd70f2cbeed6",
+ "attributes": {}
+ }
+ ]
+ }
+ },
+ "groups": [
+ {
+ "id": "62909b3a-eb39-4916-a640-f401d0592a47",
+ "name": "administrator",
+ "path": "/administrator",
+ "attributes": {},
+ "realmRoles": [
+ "demo-administrator"
+ ],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "3e007c9c-297e-4403-8ad0-1888e05211ad",
+ "name": "monitoring",
+ "path": "/monitoring",
+ "attributes": {},
+ "realmRoles": [
+ "monitoring"
+ ],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "9ca100d3-c97c-495e-9e28-828bfe7e2405",
+ "name": "promoter",
+ "path": "/promoter",
+ "attributes": {},
+ "realmRoles": [
+ "promoter"
+ ],
+ "clientRoles": {},
+ "subGroups": []
+ }
+ ],
+ "requiredCredentials": [
+ "password"
+ ],
+ "otpPolicyType": "totp",
+ "otpPolicyAlgorithm": "HmacSHA1",
+ "otpPolicyInitialCounter": 0,
+ "otpPolicyDigits": 6,
+ "otpPolicyLookAheadWindow": 1,
+ "otpPolicyPeriod": 30,
+ "otpSupportedApplications": [
+ "FreeOTP",
+ "Google Authenticator"
+ ],
+ "clients": [
+ {
+ "id": "1f279ab9-a6b9-4d19-b9f3-f881ff2257eb",
+ "clientId": "admin-cli",
+ "name": "${client_admin-cli}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": false,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access"
+ ]
+ },
+ {
+ "id": "f5c24837-4fc7-4994-9c1e-bd70f2cbeed6",
+ "clientId": "account",
+ "name": "${client_account}",
+ "baseUrl": "/auth/realms/demo/account",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [
+ "/auth/realms/demo/account/*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access"
+ ]
+ },
+ {
+ "id": "0c80e92e-024a-4324-b516-cf814f7e09df",
+ "clientId": "realm-management",
+ "name": "${client_realm-management}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": true,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access"
+ ]
+ },
+ {
+ "id": "3bcece73-8800-42d4-82fe-7c0012be3780",
+ "clientId": "security-admin-console",
+ "name": "${client_security-admin-console}",
+ "baseUrl": "/auth/admin/demo/console/index.html",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [
+ "/auth/admin/demo/console/*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "protocolMappers": [
+ {
+ "id": "e70c7d3c-dd18-4084-81c8-c57a31a31cb9",
+ "name": "locale",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "locale",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "locale",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access"
+ ]
+ },
+ {
+ "id": "2e0fa909-b029-4d69-ac0e-ff3e593d57e6",
+ "clientId": "demo-frontend",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [
+ "http://localhost:9002/*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access"
+ ]
+ },
+ {
+ "id": "d165281c-4c36-4185-bfbd-589c8a52945f",
+ "clientId": "broker",
+ "name": "${client_broker}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access"
+ ]
+ },
+ {
+ "id": "79e1f43b-283a-40d9-a953-c60e9686d329",
+ "clientId": "demo-api",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "secret": "**********",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": true,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access"
+ ]
+ }
+ ],
+ "clientScopes": [
+ {
+ "id": "90b602f0-d9a0-4781-9e9b-2dd5f7d28665",
+ "name": "address",
+ "description": "OpenID Connect built-in scope: address",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${addressScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "45f8b45d-72bb-47dc-ab28-2a5c83b81cf8",
+ "name": "address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-address-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute.formatted": "formatted",
+ "user.attribute.country": "country",
+ "user.attribute.postal_code": "postal_code",
+ "userinfo.token.claim": "true",
+ "user.attribute.street": "street",
+ "id.token.claim": "true",
+ "user.attribute.region": "region",
+ "access.token.claim": "true",
+ "user.attribute.locality": "locality"
+ }
+ }
+ ]
+ },
+ {
+ "id": "10c965ec-c1af-4f24-9945-9d94fb7ee037",
+ "name": "email",
+ "description": "OpenID Connect built-in scope: email",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${emailScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "c31c85b3-9641-4656-b19a-eb399567522e",
+ "name": "email",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "email",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "33354d4c-bb3b-4410-9238-f5e8448dc955",
+ "name": "email verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "emailVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email_verified",
+ "jsonType.label": "boolean"
+ }
+ }
+ ]
+ },
+ {
+ "id": "1338f8cd-1cc1-4446-9f54-4e7db3e319d1",
+ "name": "offline_access",
+ "description": "OpenID Connect built-in scope: offline_access",
+ "protocol": "openid-connect",
+ "attributes": {
+ "consent.screen.text": "${offlineAccessScopeConsentText}",
+ "display.on.consent.screen": "true"
+ }
+ },
+ {
+ "id": "0c36241e-ca1f-415d-b218-4da0ef9fc57b",
+ "name": "phone",
+ "description": "OpenID Connect built-in scope: phone",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${phoneScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "9b8380cc-5aaf-4bf7-89b4-f29c7dba6a0c",
+ "name": "phone number",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumber",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d2bdd3f1-3293-4c59-92c5-a64967a49ec7",
+ "name": "phone number verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumberVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number_verified",
+ "jsonType.label": "boolean"
+ }
+ }
+ ]
+ },
+ {
+ "id": "9ba88b22-dfd9-4544-966e-ab2e07e02283",
+ "name": "profile",
+ "description": "OpenID Connect built-in scope: profile",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${profileScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "abc6a671-5996-48ec-aac3-5d970b85e9a6",
+ "name": "family name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "lastName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "family_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "7a6e6867-8767-4782-8400-e8cba29588e2",
+ "name": "updated at",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "updatedAt",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "updated_at",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "a45c0185-4e57-4d73-a55c-de4e30886c84",
+ "name": "picture",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "picture",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "picture",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "8786b25f-17e7-4187-8d7d-d2aa61c6dcd8",
+ "name": "profile",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "profile",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "profile",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "95ece622-b3cc-49f5-b848-a9b8a5407ef4",
+ "name": "birthdate",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "birthdate",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "birthdate",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "59189670-aa93-4933-a796-53dab6a23e45",
+ "name": "locale",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "locale",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "locale",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "addccb2b-468f-404c-9e80-de9d344f6b94",
+ "name": "nickname",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "nickname",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "nickname",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "cd2fe8d9-f253-477f-94fd-29942d56849c",
+ "name": "website",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "website",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "website",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "450e97fc-e780-4262-8f26-0cf8ac903aa3",
+ "name": "username",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "preferred_username",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "4b40a0f9-44a1-4a01-b0c5-bfb8be5bccb6",
+ "name": "full name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-full-name-mapper",
+ "consentRequired": false,
+ "config": {
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true"
+ }
+ },
+ {
+ "id": "07343c50-155a-430c-8ebb-c68a931a0c80",
+ "name": "gender",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "gender",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "gender",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "8076d3ce-1d9f-4779-93c3-9b6a06e8bdac",
+ "name": "middle name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "middleName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "middle_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d26abee7-b8a7-4ca5-9755-38e18cc539d6",
+ "name": "given name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "firstName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "given_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "83344728-39e4-4600-9c5b-b9d69da3c4f0",
+ "name": "zoneinfo",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "zoneinfo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "zoneinfo",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "289f7853-fa6e-4f17-a01d-6c409bddc25a",
+ "name": "role_list",
+ "description": "SAML role list",
+ "protocol": "saml",
+ "attributes": {
+ "consent.screen.text": "${samlRoleListScopeConsentText}",
+ "display.on.consent.screen": "true"
+ },
+ "protocolMappers": [
+ {
+ "id": "c0d2acb4-d20f-48de-94c7-ec6ac1c964e1",
+ "name": "role list",
+ "protocol": "saml",
+ "protocolMapper": "saml-role-list-mapper",
+ "consentRequired": false,
+ "config": {
+ "single": "false",
+ "attribute.nameformat": "Basic",
+ "attribute.name": "Role"
+ }
+ }
+ ]
+ },
+ {
+ "id": "6820c5fc-b7db-4a1d-b71a-8dbd0c7cf98c",
+ "name": "roles",
+ "description": "OpenID Connect scope for add user roles to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${rolesScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "1cb77c0d-6397-4b3d-acef-8ae1d4089944",
+ "name": "client roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "resource_access.${client_id}.roles",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "0cf6603d-891d-4f42-8da0-d187f0816a6d",
+ "name": "audience resolve",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-resolve-mapper",
+ "consentRequired": false,
+ "config": {}
+ },
+ {
+ "id": "9e8111be-4598-4145-96da-a9a0fcda8169",
+ "name": "realm roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "realm_access.roles",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "ba84e265-6519-45db-88fc-f86ec057f28c",
+ "name": "web-origins",
+ "description": "OpenID Connect scope for add allowed web origins to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "false",
+ "consent.screen.text": ""
+ },
+ "protocolMappers": [
+ {
+ "id": "3d010883-cafc-4e4a-9246-3669d767f409",
+ "name": "allowed web origins",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-allowed-origins-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ]
+ }
+ ],
+ "defaultDefaultClientScopes": [
+ "role_list",
+ "profile",
+ "email",
+ "roles",
+ "web-origins"
+ ],
+ "defaultOptionalClientScopes": [
+ "offline_access",
+ "address",
+ "phone"
+ ],
+ "browserSecurityHeaders": {
+ "contentSecurityPolicyReportOnly": "",
+ "xContentTypeOptions": "nosniff",
+ "xRobotsTag": "none",
+ "xFrameOptions": "SAMEORIGIN",
+ "xXSSProtection": "1; mode=block",
+ "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+ "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+ },
+ "smtpServer": {},
+ "eventsEnabled": false,
+ "eventsListeners": [
+ "jboss-logging"
+ ],
+ "enabledEventTypes": [],
+ "adminEventsEnabled": false,
+ "adminEventsDetailsEnabled": false,
+ "components": {
+ "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
+ {
+ "id": "5d3fa6d3-b34b-4996-b19c-4b57c49968c0",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "eee392b9-35d5-4166-90b3-87b8e7fe7102",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "5d4439dc-fae2-41ff-b1a9-36f70dc0ca79",
+ "name": "Trusted Hosts",
+ "providerId": "trusted-hosts",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "host-sending-registration-request-must-match": [
+ "true"
+ ],
+ "client-uris-must-match": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "c1ba9983-f538-417e-8c7c-a4569946ac98",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "oidc-full-name-mapper",
+ "oidc-usermodel-attribute-mapper",
+ "oidc-usermodel-property-mapper",
+ "oidc-address-mapper",
+ "saml-user-attribute-mapper",
+ "saml-user-property-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "saml-role-list-mapper"
+ ]
+ }
+ },
+ {
+ "id": "506d7fe8-a747-4ad2-89be-6c467cd9820d",
+ "name": "Max Clients Limit",
+ "providerId": "max-clients",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "max-clients": [
+ "200"
+ ]
+ }
+ },
+ {
+ "id": "bdb7e39e-b1dd-4d19-826f-dcf0b1e8b505",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "saml-user-attribute-mapper",
+ "oidc-full-name-mapper",
+ "saml-role-list-mapper",
+ "saml-user-property-mapper",
+ "oidc-usermodel-attribute-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "oidc-usermodel-property-mapper",
+ "oidc-address-mapper"
+ ]
+ }
+ },
+ {
+ "id": "4d541fe3-f769-4457-817d-5ca7af5705a0",
+ "name": "Full Scope Disabled",
+ "providerId": "scope",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ },
+ {
+ "id": "d1b29f0d-4c6b-4c03-95bf-e27c23ef3a2c",
+ "name": "Consent Required",
+ "providerId": "consent-required",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ }
+ ],
+ "org.keycloak.keys.KeyProvider": [
+ {
+ "id": "5ca0e66f-c953-4088-842a-f65f1cfce006",
+ "name": "rsa-generated",
+ "providerId": "rsa-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ]
+ }
+ },
+ {
+ "id": "004fea62-f268-4580-aafd-0b59b82740f2",
+ "name": "aes-generated",
+ "providerId": "aes-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ]
+ }
+ },
+ {
+ "id": "b9531509-0e75-48dd-8860-7dbec1431d09",
+ "name": "hmac-generated",
+ "providerId": "hmac-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ],
+ "algorithm": [
+ "HS256"
+ ]
+ }
+ }
+ ]
+ },
+ "internationalizationEnabled": false,
+ "supportedLocales": [],
+ "authenticationFlows": [
+ {
+ "id": "e18853d2-04f1-4abd-a397-6d204a640c0d",
+ "alias": "Handle Existing Account",
+ "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-confirm-link",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "idp-email-verification",
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "flowAlias": "Verify Existing Account by Re-authentication",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "1fea2aeb-619c-41fc-b8cc-d5b4529a500d",
+ "alias": "Verify Existing Account by Re-authentication",
+ "description": "Reauthentication of existing account",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-username-password-form",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "requirement": "OPTIONAL",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "382ebfeb-0fd2-4612-890b-6351a44fe1c1",
+ "alias": "browser",
+ "description": "browser based authentication",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-cookie",
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "requirement": "DISABLED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "identity-provider-redirector",
+ "requirement": "ALTERNATIVE",
+ "priority": 25,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "flowAlias": "forms",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "34a5ff88-ffd5-4f60-9d65-99ddc6d9c41a",
+ "alias": "clients",
+ "description": "Base authentication for clients",
+ "providerId": "client-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "client-secret",
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "client-jwt",
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "client-secret-jwt",
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "client-x509",
+ "requirement": "ALTERNATIVE",
+ "priority": 40,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "3d8c95b8-49a5-416b-823b-5533e089e1a7",
+ "alias": "direct grant",
+ "description": "OpenID Connect Resource Owner Grant",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "direct-grant-validate-username",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "direct-grant-validate-password",
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "direct-grant-validate-otp",
+ "requirement": "OPTIONAL",
+ "priority": 30,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "0ae57c67-dfd8-4264-b6ce-6731f71c3237",
+ "alias": "docker auth",
+ "description": "Used by Docker clients to authenticate against the IDP",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "docker-http-basic-authenticator",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "272cb097-3372-45c6-b0cc-d920a1cc6bd6",
+ "alias": "first broker login",
+ "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticatorConfig": "review profile config",
+ "authenticator": "idp-review-profile",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticatorConfig": "create unique user config",
+ "authenticator": "idp-create-user-if-unique",
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "flowAlias": "Handle Existing Account",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "ab046190-a8d4-4d52-9503-35325498a15f",
+ "alias": "forms",
+ "description": "Username, password, otp and other auth forms.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-username-password-form",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "requirement": "OPTIONAL",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "21f7be44-8819-4ba0-95cb-01a336745cd0",
+ "alias": "http challenge",
+ "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "no-cookie-redirect",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "basic-auth",
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "basic-auth-otp",
+ "requirement": "DISABLED",
+ "priority": 30,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "requirement": "DISABLED",
+ "priority": 40,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "e2f99e58-44fb-4776-aaa4-ffc809294c15",
+ "alias": "registration",
+ "description": "registration flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-page-form",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "flowAlias": "registration form",
+ "userSetupAllowed": false,
+ "autheticatorFlow": true
+ }
+ ]
+ },
+ {
+ "id": "6b1f9993-fd6b-4cf5-b218-99914899154b",
+ "alias": "registration form",
+ "description": "registration form",
+ "providerId": "form-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-user-creation",
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "registration-profile-action",
+ "requirement": "REQUIRED",
+ "priority": 40,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "registration-password-action",
+ "requirement": "REQUIRED",
+ "priority": 50,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "registration-recaptcha-action",
+ "requirement": "DISABLED",
+ "priority": 60,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "2ac061c4-101e-453d-9b00-ecced9adf98a",
+ "alias": "reset credentials",
+ "description": "Reset credentials for a user if they forgot their password or something",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "reset-credentials-choose-user",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "reset-credential-email",
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "reset-password",
+ "requirement": "REQUIRED",
+ "priority": 30,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ },
+ {
+ "authenticator": "reset-otp",
+ "requirement": "OPTIONAL",
+ "priority": 40,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ },
+ {
+ "id": "d5cb10f4-333b-4b2e-85ef-533e16d25029",
+ "alias": "saml ecp",
+ "description": "SAML ECP Profile Authentication Flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "http-basic-authenticator",
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "userSetupAllowed": false,
+ "autheticatorFlow": false
+ }
+ ]
+ }
+ ],
+ "authenticatorConfig": [
+ {
+ "id": "9181f4be-676d-4639-8883-e8b3bd99dc9c",
+ "alias": "create unique user config",
+ "config": {
+ "require.password.update.after.registration": "false"
+ }
+ },
+ {
+ "id": "580e9d0d-3439-44cb-8be7-852cdf9de45a",
+ "alias": "review profile config",
+ "config": {
+ "update.profile.on.first.login": "missing"
+ }
+ }
+ ],
+ "requiredActions": [
+ {
+ "alias": "CONFIGURE_TOTP",
+ "name": "Configure OTP",
+ "providerId": "CONFIGURE_TOTP",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 10,
+ "config": {}
+ },
+ {
+ "alias": "terms_and_conditions",
+ "name": "Terms and Conditions",
+ "providerId": "terms_and_conditions",
+ "enabled": false,
+ "defaultAction": false,
+ "priority": 20,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PASSWORD",
+ "name": "Update Password",
+ "providerId": "UPDATE_PASSWORD",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 30,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PROFILE",
+ "name": "Update Profile",
+ "providerId": "UPDATE_PROFILE",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 40,
+ "config": {}
+ },
+ {
+ "alias": "VERIFY_EMAIL",
+ "name": "Verify Email",
+ "providerId": "VERIFY_EMAIL",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 50,
+ "config": {}
+ }
+ ],
+ "browserFlow": "browser",
+ "registrationFlow": "registration",
+ "directGrantFlow": "direct grant",
+ "resetCredentialsFlow": "reset credentials",
+ "clientAuthenticationFlow": "clients",
+ "dockerAuthenticationFlow": "docker auth",
+ "attributes": {
+ "_browser_header.xXSSProtection": "1; mode=block",
+ "_browser_header.xFrameOptions": "SAMEORIGIN",
+ "_browser_header.strictTransportSecurity": "max-age=31536000; includeSubDomains",
+ "permanentLockout": "false",
+ "quickLoginCheckMilliSeconds": "1000",
+ "_browser_header.xRobotsTag": "none",
+ "maxFailureWaitSeconds": "900",
+ "minimumQuickLoginWaitSeconds": "60",
+ "failureFactor": "30",
+ "actionTokenGeneratedByUserLifespan": "300",
+ "maxDeltaTimeSeconds": "43200",
+ "_browser_header.xContentTypeOptions": "nosniff",
+ "offlineSessionMaxLifespan": "5184000",
+ "actionTokenGeneratedByAdminLifespan": "43200",
+ "_browser_header.contentSecurityPolicyReportOnly": "",
+ "bruteForceProtected": "false",
+ "_browser_header.contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+ "waitIncrementSeconds": "60",
+ "offlineSessionMaxLifespanEnabled": "false"
+ },
+ "keycloakVersion": "4.6.0.Final",
+ "userManagedAccessAllowed": false
+}
diff --git a/SAS/TMSS/test/oidc/tmss_keycloak_Dockerfile b/SAS/TMSS/test/oidc/tmss_keycloak_Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..40af052fa688ac67a90b5fff8eb358237900aa19
--- /dev/null
+++ b/SAS/TMSS/test/oidc/tmss_keycloak_Dockerfile
@@ -0,0 +1,10 @@
+FROM jboss/keycloak:4.6.0.Final
+
+ENV KEYCLOAK_USER=admin
+ENV KEYCLOAK_PASSWORD=admin
+ENV KEYCLOAK_IMPORT=/tmp/realm-export.json
+
+ADD realm-export.json /tmp/realm-export.json
+ADD create-keycloak-user.sh /opt/jboss/create-keycloak-user.sh
+
+