KEYCLOAK-6146 realm import fails when password policy is specified

This commit is contained in:
vramik 2018-01-11 12:49:26 +01:00 committed by Stian Thorgersen
parent 77334af34e
commit 019c3c9ef9
7 changed files with 1370 additions and 1 deletions

View file

@ -79,6 +79,7 @@ import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider; import org.keycloak.models.UserProvider;
import org.keycloak.models.credential.PasswordUserCredentialModel; import org.keycloak.models.credential.PasswordUserCredentialModel;
import org.keycloak.policy.PasswordPolicyNotMetException;
import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.idm.ApplicationRepresentation; import org.keycloak.representations.idm.ApplicationRepresentation;
import org.keycloak.representations.idm.AuthenticationExecutionExportRepresentation; import org.keycloak.representations.idm.AuthenticationExecutionExportRepresentation;
@ -1534,7 +1535,17 @@ public class RepresentationToModel {
if (cred.getValue() != null) { if (cred.getValue() != null) {
PasswordUserCredentialModel plainTextCred = convertCredential(cred); PasswordUserCredentialModel plainTextCred = convertCredential(cred);
plainTextCred.setAdminRequest(adminRequest); plainTextCred.setAdminRequest(adminRequest);
session.userCredentialManager().updateCredential(realm, user, plainTextCred);
//if called from import we need to change realm in context to load password policies from the newly created realm
RealmModel origRealm = session.getContext().getRealm();
try {
session.getContext().setRealm(realm);
session.userCredentialManager().updateCredential(realm, user, plainTextCred);
} catch (ModelException ex) {
throw new PasswordPolicyNotMetException(ex.getMessage(), user.getUsername(), ex);
} finally {
session.getContext().setRealm(origRealm);
}
} else { } else {
CredentialModel hashedCred = new CredentialModel(); CredentialModel hashedCred = new CredentialModel();
hashedCred.setType(cred.getType()); hashedCred.setType(cred.getType());

View file

@ -0,0 +1,58 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.policy;
import org.keycloak.models.ModelException;
/**
* @author <a href="mailto:vramik@redhat.com">Vlastislav Ramik</a>
*/
public class PasswordPolicyNotMetException extends ModelException {
private String username;
public PasswordPolicyNotMetException() {
super();
}
public PasswordPolicyNotMetException(String message) {
super(message);
}
public PasswordPolicyNotMetException(String message, String username) {
super(message);
this.username = username;
}
public PasswordPolicyNotMetException(String message, String username, Throwable cause) {
super(message, cause);
this.username = username;
}
public PasswordPolicyNotMetException(String message, Throwable cause) {
super(message, cause);
}
public PasswordPolicyNotMetException(Throwable cause) {
super(cause);
}
public String getUsername() {
return username;
}
}

View file

@ -21,6 +21,7 @@ import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.NotFoundException; import org.jboss.resteasy.spi.NotFoundException;
import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.common.ClientConnection; import org.keycloak.common.ClientConnection;
import org.keycloak.policy.PasswordPolicyNotMetException;
import org.keycloak.models.AdminRoles; import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
@ -148,6 +149,10 @@ public class RealmsAdminResource {
} catch (ModelDuplicateException e) { } catch (ModelDuplicateException e) {
logger.error("Conflict detected", e); logger.error("Conflict detected", e);
return ErrorResponse.exists("Conflict detected. See logs for details"); return ErrorResponse.exists("Conflict detected. See logs for details");
} catch (PasswordPolicyNotMetException e) {
logger.error("Password policy not met for user " + e.getUsername(), e);
if (session.getTransactionManager().isActive()) session.getTransactionManager().setRollbackOnly();
return ErrorResponse.error("Password policy not met. See logs for details", Response.Status.BAD_REQUEST);
} }
} }

View file

@ -0,0 +1,43 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.updaters;
import java.io.Closeable;
import javax.ws.rs.NotFoundException;
import org.keycloak.admin.client.resource.RealmResource;
/**
*
* @author <a href="mailto:vramik@redhat.com">Vlastislav Ramik</a>
*/
public class RealmRemover {
private final RealmResource realmResource;
public RealmRemover(RealmResource realmResource) {
this.realmResource = realmResource;
}
public Closeable remove() {
return () -> {
try {
realmResource.remove();
} catch (NotFoundException e) {
}
};
}
}

View file

@ -23,8 +23,10 @@ import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.shrinkwrap.api.spec.WebArchive; import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak; import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.ServerInfoResource; import org.keycloak.admin.client.resource.ServerInfoResource;
import org.keycloak.common.util.Time; import org.keycloak.common.util.Time;
import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.OperationType;
@ -50,6 +52,7 @@ import org.keycloak.testsuite.auth.page.AuthRealm;
import org.keycloak.testsuite.client.KeycloakTestingClient; import org.keycloak.testsuite.client.KeycloakTestingClient;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment; import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import org.keycloak.testsuite.runonserver.RunHelpers; import org.keycloak.testsuite.runonserver.RunHelpers;
import org.keycloak.testsuite.updaters.RealmRemover;
import org.keycloak.testsuite.util.AdminEventPaths; import org.keycloak.testsuite.util.AdminEventPaths;
import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.CredentialBuilder; import org.keycloak.testsuite.util.CredentialBuilder;
@ -60,6 +63,7 @@ import org.keycloak.util.JsonSerialization;
import javax.ws.rs.NotFoundException; import javax.ws.rs.NotFoundException;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import java.io.Closeable;
import java.io.IOException; import java.io.IOException;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
@ -68,6 +72,7 @@ import java.util.HashSet;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.ws.rs.BadRequestException;
import static org.junit.Assert.*; import static org.junit.Assert.*;
@ -83,6 +88,8 @@ public class RealmTest extends AbstractAdminTest {
@Rule @Rule
public AssertEvents events = new AssertEvents(this); public AssertEvents events = new AssertEvents(this);
@Rule
public ExpectedException expectedException = ExpectedException.none();
@Test @Test
public void getRealms() { public void getRealms() {
@ -195,6 +202,40 @@ public class RealmTest extends AbstractAdminTest {
adminClient.realms().realm("admin-test-1").remove(); adminClient.realms().realm("admin-test-1").remove();
} }
//KEYCLOAK-6146
@Test
public void createRealmWithPasswordPolicyFromJsonWithInvalidPasswords() {
//try to create realm with password policies and users with plain-text passwords what doesn't met the policies
RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/import/testrealm-keycloak-6146-error.json"), RealmRepresentation.class);
expectedException.expect(NotFoundException.class);
expectedException.expectMessage(String.valueOf(Response.Status.NOT_FOUND.getStatusCode()));
try {
adminClient.realms().create(rep);
} catch (BadRequestException ex) {
//ensure the realm was not created
log.info("--Caught expected BadRequestException--");
adminClient.realms().realm("secure-app").toRepresentation();
}
//test will fail on AssertionError when both BadRequestException and NotFoundException is not thrown
}
//KEYCLOAK-6146
@Test
public void createRealmWithPasswordPolicyFromJsonWithValidPasswords() throws IOException {
//realm with password policies and users have passwords in correct state
RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/import/testrealm-keycloak-6146.json"), RealmRepresentation.class);
adminClient.realms().create(rep);
RealmResource secureApp = adminClient.realms().realm("secure-app");
RealmRepresentation created = secureApp.toRepresentation();
try (Closeable c = new RealmRemover(secureApp).remove()) {
assertRealm(rep, created);
}
}
@Test @Test
public void removeRealm() { public void removeRealm() {
realm.remove(); realm.remove();

View file

@ -0,0 +1,605 @@
{
"id":"secure-app",
"realm":"secure-app",
"enabled":true,
"sslRequired":"external",
"bruteForceProtected" : true,
"permanentLockout": true,
"maxFailureWaitSeconds" : 900,
"minimumQuickLoginWaitSeconds" : 60,
"waitIncrementSeconds" : 60,
"quickLoginCheckMilliSeconds" : 1000,
"maxDeltaTimeSeconds" : 43200,
"failureFactor" : 3,
"eventsEnabled" : true,
"eventsListeners" : [ "jboss-logging" ],
"enabledEventTypes" : [ "SEND_RESET_PASSWORD", "UPDATE_TOTP", "REMOVE_TOTP", "REVOKE_GRANT", "LOGIN_ERROR", "CLIENT_LOGIN", "RESET_PASSWORD_ERROR", "IMPERSONATE_ERROR", "CODE_TO_TOKEN_ERROR", "CUSTOM_REQUIRED_ACTION", "RESTART_AUTHENTICATION", "UPDATE_PROFILE_ERROR", "IMPERSONATE", "LOGIN", "UPDATE_PASSWORD_ERROR", "CLIENT_INITIATED_ACCOUNT_LINKING", "REGISTER", "LOGOUT", "CLIENT_REGISTER", "IDENTITY_PROVIDER_LINK_ACCOUNT", "UPDATE_PASSWORD", "FEDERATED_IDENTITY_LINK_ERROR", "CLIENT_DELETE", "IDENTITY_PROVIDER_FIRST_LOGIN", "VERIFY_EMAIL", "CLIENT_DELETE_ERROR", "CLIENT_LOGIN_ERROR", "RESTART_AUTHENTICATION_ERROR", "REMOVE_FEDERATED_IDENTITY_ERROR", "EXECUTE_ACTIONS", "SEND_IDENTITY_PROVIDER_LINK_ERROR", "EXECUTE_ACTION_TOKEN_ERROR", "SEND_VERIFY_EMAIL", "EXECUTE_ACTIONS_ERROR", "REMOVE_FEDERATED_IDENTITY", "IDENTITY_PROVIDER_POST_LOGIN", "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", "UPDATE_EMAIL", "REGISTER_ERROR", "REVOKE_GRANT_ERROR", "LOGOUT_ERROR", "UPDATE_EMAIL_ERROR", "EXECUTE_ACTION_TOKEN", "CLIENT_UPDATE_ERROR", "UPDATE_PROFILE", "FEDERATED_IDENTITY_LINK", "CLIENT_REGISTER_ERROR", "SEND_VERIFY_EMAIL_ERROR", "SEND_IDENTITY_PROVIDER_LINK", "RESET_PASSWORD", "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", "REMOVE_TOTP_ERROR", "VERIFY_EMAIL_ERROR", "SEND_RESET_PASSWORD_ERROR", "CLIENT_UPDATE", "IDENTITY_PROVIDER_POST_LOGIN_ERROR", "CUSTOM_REQUIRED_ACTION_ERROR", "UPDATE_TOTP_ERROR", "CODE_TO_TOKEN", "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR" ],
"adminEventsEnabled" : true,
"adminEventsDetailsEnabled" : true,
"requiredCredentials":[
"password"
],
"passwordPolicy": "length(10) and lowerCase(1) and upperCase(1) and passwordHistory(3) and digits(1) and specialChars(1) and hashAlgorithm(pbkdf2-sha256)",
"users":[
{
"username":"user1",
"firstName" : "User",
"lastName" : "1",
"email" : "user1@feedhenry.org",
"enabled":true,
"credentials":[
{
"type":"password",
"value":"123"
}
],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users" ]
},
{
"username":"user2",
"firstName" : "User",
"lastName" : "2",
"email" : "user2@feedhenry.org",
"enabled":true,
"credentials":[
{
"type":"password",
"value":"123"
}
],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users" ]
},
{
"username":"secure-user",
"enabled" : true,
"emailVerified" : true,
"firstName" : "Secure",
"lastName" : "User",
"email" : "secure-user@feedhenry.org",
"credentials":[
{
"type":"password",
"value":"123"
}
],
"requiredActions" : [ "CONFIGURE_TOTP" ],
"realmRoles" : [ ],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users", "/API Access" ]
},
{
"username":"secure-user2",
"enabled" : true,
"emailVerified" : true,
"firstName" : "Secure",
"lastName" : "User 2",
"email" : "secure-user2@feedhenry.org",
"credentials":[
{
"type":"password",
"value":"123"
}
],
"requiredActions" : [ "CONFIGURE_TOTP" ],
"realmRoles" : [ ],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users", "/API Access" ]
},
{
"username":"superuser",
"enabled" : true,
"emailVerified" : true,
"firstName" : "Super",
"lastName" : "User",
"email" : "superuser@feedhenry.org",
"credentials":[
{
"type":"password",
"value":"123"
}
],
"realmRoles" : [ ],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users", "/API Access", "Superuser" ]
}
],
"clients":[
{
"clientId":"api-server",
"enabled":true,
"bearerOnly":true,
"adminUrl":"http://localhost:8080"
},
{
"clientId":"client-app",
"enabled":true,
"publicClient":true,
"redirectUris":[
"com.feedhenry.securenativeandroidtemplate:/callback"
],
"webOrigins":[
"*"
]
}
],
"clientScopeMappings":{
"account":[
{
"client":"api-server",
"roles":[
"view-profile"
]
},
{
"client":"client-app",
"roles":[
"view-profile"
]
}
]
},
"groups" : [ {
"name" : "Mobile Users",
"path" : "/Mobile Users",
"attributes" : { },
"realmRoles" : [ "mobile-user" ],
"clientRoles" : { },
"subGroups" : [ ]
},
{
"name" : "API Access",
"path" : "/API Access",
"attributes" : { },
"realmRoles" : [ "mobile-user", "api-access" ],
"clientRoles" : { },
"subGroups" : [ ]
},
{
"name" : "Superuser",
"path" : "/Superusers",
"attributes" : { },
"realmRoles" : [ "mobile-user", "api-access", "superuser" ],
"clientRoles" : { },
"subGroups" : [ ]
} ],
"roles":{
"client":{
"api-server":[
],
"client-app":[
]
}
},
"authenticationFlows" : [ {
"alias" : "Handle Existing Account",
"description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "idp-confirm-link",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "idp-email-verification",
"requirement" : "ALTERNATIVE",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 30,
"flowAlias" : "Verify Existing Account by Re-authentication",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "Verify Existing Account by Re-authentication",
"description" : "Reauthentication of existing account",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "idp-username-password-form",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-otp-form",
"requirement" : "OPTIONAL",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "X.509 Browser",
"description" : "browser based authentication",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : false,
"authenticationExecutions" : [ {
"authenticator" : "auth-cookie",
"requirement" : "ALTERNATIVE",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-spnego",
"requirement" : "DISABLED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticatorConfig" : "authenticator config",
"authenticator" : "identity-provider-redirector",
"requirement" : "ALTERNATIVE",
"priority" : 25,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticatorConfig" : "x509 browser auth config",
"authenticator" : "auth-x509-client-username-form",
"requirement" : "ALTERNATIVE",
"priority" : 30,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 31,
"flowAlias" : "X.509 Browser forms",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "X.509 Browser forms",
"description" : "Username, password, otp and other auth forms.",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : false,
"authenticationExecutions" : [ {
"authenticator" : "auth-username-password-form",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-otp-form",
"requirement" : "OPTIONAL",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "X.509 Direct Grant",
"description" : "OpenID Connect Resource Owner Grant",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : false,
"authenticationExecutions" : [ {
"authenticatorConfig" : "x509 direct grant config",
"authenticator" : "direct-grant-auth-x509-username",
"requirement" : "REQUIRED",
"priority" : 0,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "browser",
"description" : "browser based authentication",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "auth-cookie",
"requirement" : "ALTERNATIVE",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-spnego",
"requirement" : "DISABLED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "identity-provider-redirector",
"requirement" : "ALTERNATIVE",
"priority" : 25,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 30,
"flowAlias" : "forms",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "clients",
"description" : "Base authentication for clients",
"providerId" : "client-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "client-secret",
"requirement" : "ALTERNATIVE",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "client-jwt",
"requirement" : "ALTERNATIVE",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "direct grant",
"description" : "OpenID Connect Resource Owner Grant",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "direct-grant-validate-username",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "direct-grant-validate-password",
"requirement" : "REQUIRED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "direct-grant-validate-otp",
"requirement" : "OPTIONAL",
"priority" : 30,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "docker auth",
"description" : "Used by Docker clients to authenticate against the IDP",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "docker-http-basic-authenticator",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "first broker login",
"description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticatorConfig" : "review profile config",
"authenticator" : "idp-review-profile",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticatorConfig" : "create unique user config",
"authenticator" : "idp-create-user-if-unique",
"requirement" : "ALTERNATIVE",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 30,
"flowAlias" : "Handle Existing Account",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "forms",
"description" : "Username, password, otp and other auth forms.",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "auth-username-password-form",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-otp-form",
"requirement" : "OPTIONAL",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "registration",
"description" : "registration flow",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "registration-page-form",
"requirement" : "REQUIRED",
"priority" : 10,
"flowAlias" : "registration form",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "registration form",
"description" : "registration form",
"providerId" : "form-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "registration-user-creation",
"requirement" : "REQUIRED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "registration-profile-action",
"requirement" : "REQUIRED",
"priority" : 40,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "registration-password-action",
"requirement" : "REQUIRED",
"priority" : 50,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "registration-recaptcha-action",
"requirement" : "DISABLED",
"priority" : 60,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "reset credentials",
"description" : "Reset credentials for a user if they forgot their password or something",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "reset-credentials-choose-user",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "reset-credential-email",
"requirement" : "REQUIRED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "reset-password",
"requirement" : "REQUIRED",
"priority" : 30,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "reset-otp",
"requirement" : "OPTIONAL",
"priority" : 40,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "saml ecp",
"description" : "SAML ECP Profile Authentication Flow",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "http-basic-authenticator",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
} ],
"authenticatorConfig" : [ {
"alias" : "authenticator config",
"config" : {
"defaultProvider" : ""
}
}, {
"alias" : "create unique user config",
"config" : {
"require.password.update.after.registration" : "false"
}
}, {
"alias" : "review profile config",
"config" : {
"update.profile.on.first.login" : "missing"
}
}, {
"alias" : "x509 browser auth config",
"config" : {
"x509-cert-auth.extendedkeyusage" : "",
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
"x509-cert-auth.ocsp-responder-uri" : "",
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
"x509-cert-auth.crl-checking-enabled" : "",
"x509-cert-auth.confirmation-page-disallowed" : "",
"x509-cert-auth.keyusage" : "",
"x509-cert-auth.mapper-selection" : "Username or Email",
"x509-cert-auth.crl-relative-path" : "crl.pem",
"x509-cert-auth.crldp-checking-enabled" : "false",
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
"x509-cert-auth.ocsp-checking-enabled" : ""
}
}, {
"alias" : "x509 direct grant config",
"config" : {
"x509-cert-auth.extendedkeyusage" : "",
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
"x509-cert-auth.ocsp-responder-uri" : "",
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
"x509-cert-auth.crl-checking-enabled" : "",
"x509-cert-auth.confirmation-page-disallowed" : "",
"x509-cert-auth.keyusage" : "",
"x509-cert-auth.mapper-selection" : "Username or Email",
"x509-cert-auth.crl-relative-path" : "crl.pem",
"x509-cert-auth.crldp-checking-enabled" : "false",
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
"x509-cert-auth.ocsp-checking-enabled" : ""
}
} ]
}

View file

@ -0,0 +1,606 @@
{
"id":"secure-app",
"realm":"secure-app",
"accessCodeLifespanUserAction" : 300,
"enabled":true,
"sslRequired":"external",
"bruteForceProtected" : true,
"permanentLockout": true,
"maxFailureWaitSeconds" : 900,
"minimumQuickLoginWaitSeconds" : 60,
"waitIncrementSeconds" : 60,
"quickLoginCheckMilliSeconds" : 1000,
"maxDeltaTimeSeconds" : 43200,
"failureFactor" : 3,
"eventsEnabled" : true,
"eventsListeners" : [ "jboss-logging" ],
"enabledEventTypes" : [ "SEND_RESET_PASSWORD", "UPDATE_TOTP", "REMOVE_TOTP", "REVOKE_GRANT", "LOGIN_ERROR", "CLIENT_LOGIN", "RESET_PASSWORD_ERROR", "IMPERSONATE_ERROR", "CODE_TO_TOKEN_ERROR", "CUSTOM_REQUIRED_ACTION", "RESTART_AUTHENTICATION", "UPDATE_PROFILE_ERROR", "IMPERSONATE", "LOGIN", "UPDATE_PASSWORD_ERROR", "CLIENT_INITIATED_ACCOUNT_LINKING", "REGISTER", "LOGOUT", "CLIENT_REGISTER", "IDENTITY_PROVIDER_LINK_ACCOUNT", "UPDATE_PASSWORD", "FEDERATED_IDENTITY_LINK_ERROR", "CLIENT_DELETE", "IDENTITY_PROVIDER_FIRST_LOGIN", "VERIFY_EMAIL", "CLIENT_DELETE_ERROR", "CLIENT_LOGIN_ERROR", "RESTART_AUTHENTICATION_ERROR", "REMOVE_FEDERATED_IDENTITY_ERROR", "EXECUTE_ACTIONS", "SEND_IDENTITY_PROVIDER_LINK_ERROR", "EXECUTE_ACTION_TOKEN_ERROR", "SEND_VERIFY_EMAIL", "EXECUTE_ACTIONS_ERROR", "REMOVE_FEDERATED_IDENTITY", "IDENTITY_PROVIDER_POST_LOGIN", "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", "UPDATE_EMAIL", "REGISTER_ERROR", "REVOKE_GRANT_ERROR", "LOGOUT_ERROR", "UPDATE_EMAIL_ERROR", "EXECUTE_ACTION_TOKEN", "CLIENT_UPDATE_ERROR", "UPDATE_PROFILE", "FEDERATED_IDENTITY_LINK", "CLIENT_REGISTER_ERROR", "SEND_VERIFY_EMAIL_ERROR", "SEND_IDENTITY_PROVIDER_LINK", "RESET_PASSWORD", "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", "REMOVE_TOTP_ERROR", "VERIFY_EMAIL_ERROR", "SEND_RESET_PASSWORD_ERROR", "CLIENT_UPDATE", "IDENTITY_PROVIDER_POST_LOGIN_ERROR", "CUSTOM_REQUIRED_ACTION_ERROR", "UPDATE_TOTP_ERROR", "CODE_TO_TOKEN", "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR" ],
"adminEventsEnabled" : true,
"adminEventsDetailsEnabled" : true,
"requiredCredentials":[
"password"
],
"passwordPolicy": "length(10) and lowerCase(1) and upperCase(1) and passwordHistory(3) and digits(1) and specialChars(1) and hashAlgorithm(pbkdf2-sha256)",
"users":[
{
"username":"user1",
"firstName" : "User",
"lastName" : "1",
"email" : "user1@feedhenry.org",
"enabled":true,
"credentials":[
{
"type":"password",
"value":"Password123!"
}
],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users" ]
},
{
"username":"user2",
"firstName" : "User",
"lastName" : "2",
"email" : "user2@feedhenry.org",
"enabled":true,
"credentials":[
{
"type":"password",
"value":"Password123!"
}
],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users" ]
},
{
"username":"secure-user",
"enabled" : true,
"emailVerified" : true,
"firstName" : "Secure",
"lastName" : "User",
"email" : "secure-user@feedhenry.org",
"credentials":[
{
"type":"password",
"value":"Password123!"
}
],
"requiredActions" : [ "CONFIGURE_TOTP" ],
"realmRoles" : [ ],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users", "/API Access" ]
},
{
"username":"secure-user2",
"enabled" : true,
"emailVerified" : true,
"firstName" : "Secure",
"lastName" : "User 2",
"email" : "secure-user2@feedhenry.org",
"credentials":[
{
"type":"password",
"value":"Password123!"
}
],
"requiredActions" : [ "CONFIGURE_TOTP" ],
"realmRoles" : [ ],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users", "/API Access" ]
},
{
"username":"superuser",
"enabled" : true,
"emailVerified" : true,
"firstName" : "Super",
"lastName" : "User",
"email" : "superuser@feedhenry.org",
"credentials":[
{
"type":"password",
"value":"Password123!"
}
],
"realmRoles" : [ ],
"clientRoles":{
"account":[
"view-profile",
"manage-account"
]
},
"attributes":{
},
"groups" : [ "/Mobile Users", "/API Access", "Superuser" ]
}
],
"clients":[
{
"clientId":"api-server",
"enabled":true,
"bearerOnly":true,
"adminUrl":"http://localhost:8080"
},
{
"clientId":"client-app",
"enabled":true,
"publicClient":true,
"redirectUris":[
"com.feedhenry.securenativeandroidtemplate:/callback"
],
"webOrigins":[
"*"
]
}
],
"clientScopeMappings":{
"account":[
{
"client":"api-server",
"roles":[
"view-profile"
]
},
{
"client":"client-app",
"roles":[
"view-profile"
]
}
]
},
"groups" : [ {
"name" : "Mobile Users",
"path" : "/Mobile Users",
"attributes" : { },
"realmRoles" : [ "mobile-user" ],
"clientRoles" : { },
"subGroups" : [ ]
},
{
"name" : "API Access",
"path" : "/API Access",
"attributes" : { },
"realmRoles" : [ "mobile-user", "api-access" ],
"clientRoles" : { },
"subGroups" : [ ]
},
{
"name" : "Superuser",
"path" : "/Superusers",
"attributes" : { },
"realmRoles" : [ "mobile-user", "api-access", "superuser" ],
"clientRoles" : { },
"subGroups" : [ ]
} ],
"roles":{
"client":{
"api-server":[
],
"client-app":[
]
}
},
"authenticationFlows" : [ {
"alias" : "Handle Existing Account",
"description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "idp-confirm-link",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "idp-email-verification",
"requirement" : "ALTERNATIVE",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 30,
"flowAlias" : "Verify Existing Account by Re-authentication",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "Verify Existing Account by Re-authentication",
"description" : "Reauthentication of existing account",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "idp-username-password-form",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-otp-form",
"requirement" : "OPTIONAL",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "X.509 Browser",
"description" : "browser based authentication",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : false,
"authenticationExecutions" : [ {
"authenticator" : "auth-cookie",
"requirement" : "ALTERNATIVE",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-spnego",
"requirement" : "DISABLED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticatorConfig" : "authenticator config",
"authenticator" : "identity-provider-redirector",
"requirement" : "ALTERNATIVE",
"priority" : 25,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticatorConfig" : "x509 browser auth config",
"authenticator" : "auth-x509-client-username-form",
"requirement" : "ALTERNATIVE",
"priority" : 30,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 31,
"flowAlias" : "X.509 Browser forms",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "X.509 Browser forms",
"description" : "Username, password, otp and other auth forms.",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : false,
"authenticationExecutions" : [ {
"authenticator" : "auth-username-password-form",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-otp-form",
"requirement" : "OPTIONAL",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "X.509 Direct Grant",
"description" : "OpenID Connect Resource Owner Grant",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : false,
"authenticationExecutions" : [ {
"authenticatorConfig" : "x509 direct grant config",
"authenticator" : "direct-grant-auth-x509-username",
"requirement" : "REQUIRED",
"priority" : 0,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "browser",
"description" : "browser based authentication",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "auth-cookie",
"requirement" : "ALTERNATIVE",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-spnego",
"requirement" : "DISABLED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "identity-provider-redirector",
"requirement" : "ALTERNATIVE",
"priority" : 25,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 30,
"flowAlias" : "forms",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "clients",
"description" : "Base authentication for clients",
"providerId" : "client-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "client-secret",
"requirement" : "ALTERNATIVE",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "client-jwt",
"requirement" : "ALTERNATIVE",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "direct grant",
"description" : "OpenID Connect Resource Owner Grant",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "direct-grant-validate-username",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "direct-grant-validate-password",
"requirement" : "REQUIRED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "direct-grant-validate-otp",
"requirement" : "OPTIONAL",
"priority" : 30,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "docker auth",
"description" : "Used by Docker clients to authenticate against the IDP",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "docker-http-basic-authenticator",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "first broker login",
"description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticatorConfig" : "review profile config",
"authenticator" : "idp-review-profile",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticatorConfig" : "create unique user config",
"authenticator" : "idp-create-user-if-unique",
"requirement" : "ALTERNATIVE",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"requirement" : "ALTERNATIVE",
"priority" : 30,
"flowAlias" : "Handle Existing Account",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "forms",
"description" : "Username, password, otp and other auth forms.",
"providerId" : "basic-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "auth-username-password-form",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "auth-otp-form",
"requirement" : "OPTIONAL",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "registration",
"description" : "registration flow",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "registration-page-form",
"requirement" : "REQUIRED",
"priority" : 10,
"flowAlias" : "registration form",
"userSetupAllowed" : false,
"autheticatorFlow" : true
} ]
}, {
"alias" : "registration form",
"description" : "registration form",
"providerId" : "form-flow",
"topLevel" : false,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "registration-user-creation",
"requirement" : "REQUIRED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "registration-profile-action",
"requirement" : "REQUIRED",
"priority" : 40,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "registration-password-action",
"requirement" : "REQUIRED",
"priority" : 50,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "registration-recaptcha-action",
"requirement" : "DISABLED",
"priority" : 60,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "reset credentials",
"description" : "Reset credentials for a user if they forgot their password or something",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "reset-credentials-choose-user",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "reset-credential-email",
"requirement" : "REQUIRED",
"priority" : 20,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "reset-password",
"requirement" : "REQUIRED",
"priority" : 30,
"userSetupAllowed" : false,
"autheticatorFlow" : false
}, {
"authenticator" : "reset-otp",
"requirement" : "OPTIONAL",
"priority" : 40,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
}, {
"alias" : "saml ecp",
"description" : "SAML ECP Profile Authentication Flow",
"providerId" : "basic-flow",
"topLevel" : true,
"builtIn" : true,
"authenticationExecutions" : [ {
"authenticator" : "http-basic-authenticator",
"requirement" : "REQUIRED",
"priority" : 10,
"userSetupAllowed" : false,
"autheticatorFlow" : false
} ]
} ],
"authenticatorConfig" : [ {
"alias" : "authenticator config",
"config" : {
"defaultProvider" : ""
}
}, {
"alias" : "create unique user config",
"config" : {
"require.password.update.after.registration" : "false"
}
}, {
"alias" : "review profile config",
"config" : {
"update.profile.on.first.login" : "missing"
}
}, {
"alias" : "x509 browser auth config",
"config" : {
"x509-cert-auth.extendedkeyusage" : "",
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
"x509-cert-auth.ocsp-responder-uri" : "",
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
"x509-cert-auth.crl-checking-enabled" : "",
"x509-cert-auth.confirmation-page-disallowed" : "",
"x509-cert-auth.keyusage" : "",
"x509-cert-auth.mapper-selection" : "Username or Email",
"x509-cert-auth.crl-relative-path" : "crl.pem",
"x509-cert-auth.crldp-checking-enabled" : "false",
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
"x509-cert-auth.ocsp-checking-enabled" : ""
}
}, {
"alias" : "x509 direct grant config",
"config" : {
"x509-cert-auth.extendedkeyusage" : "",
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
"x509-cert-auth.ocsp-responder-uri" : "",
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
"x509-cert-auth.crl-checking-enabled" : "",
"x509-cert-auth.confirmation-page-disallowed" : "",
"x509-cert-auth.keyusage" : "",
"x509-cert-auth.mapper-selection" : "Username or Email",
"x509-cert-auth.crl-relative-path" : "crl.pem",
"x509-cert-auth.crldp-checking-enabled" : "false",
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
"x509-cert-auth.ocsp-checking-enabled" : ""
}
} ]
}