KEYCLOAK-6146 realm import fails when password policy is specified
This commit is contained in:
parent
77334af34e
commit
019c3c9ef9
7 changed files with 1370 additions and 1 deletions
|
@ -79,6 +79,7 @@ import org.keycloak.models.UserCredentialModel;
|
|||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.UserProvider;
|
||||
import org.keycloak.models.credential.PasswordUserCredentialModel;
|
||||
import org.keycloak.policy.PasswordPolicyNotMetException;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
import org.keycloak.representations.idm.ApplicationRepresentation;
|
||||
import org.keycloak.representations.idm.AuthenticationExecutionExportRepresentation;
|
||||
|
@ -1534,7 +1535,17 @@ public class RepresentationToModel {
|
|||
if (cred.getValue() != null) {
|
||||
PasswordUserCredentialModel plainTextCred = convertCredential(cred);
|
||||
plainTextCred.setAdminRequest(adminRequest);
|
||||
|
||||
//if called from import we need to change realm in context to load password policies from the newly created realm
|
||||
RealmModel origRealm = session.getContext().getRealm();
|
||||
try {
|
||||
session.getContext().setRealm(realm);
|
||||
session.userCredentialManager().updateCredential(realm, user, plainTextCred);
|
||||
} catch (ModelException ex) {
|
||||
throw new PasswordPolicyNotMetException(ex.getMessage(), user.getUsername(), ex);
|
||||
} finally {
|
||||
session.getContext().setRealm(origRealm);
|
||||
}
|
||||
} else {
|
||||
CredentialModel hashedCred = new CredentialModel();
|
||||
hashedCred.setType(cred.getType());
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.policy;
|
||||
|
||||
import org.keycloak.models.ModelException;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:vramik@redhat.com">Vlastislav Ramik</a>
|
||||
*/
|
||||
public class PasswordPolicyNotMetException extends ModelException {
|
||||
|
||||
private String username;
|
||||
|
||||
public PasswordPolicyNotMetException() {
|
||||
super();
|
||||
}
|
||||
|
||||
public PasswordPolicyNotMetException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
public PasswordPolicyNotMetException(String message, String username) {
|
||||
super(message);
|
||||
this.username = username;
|
||||
}
|
||||
|
||||
public PasswordPolicyNotMetException(String message, String username, Throwable cause) {
|
||||
super(message, cause);
|
||||
this.username = username;
|
||||
}
|
||||
|
||||
public PasswordPolicyNotMetException(String message, Throwable cause) {
|
||||
super(message, cause);
|
||||
}
|
||||
|
||||
public PasswordPolicyNotMetException(Throwable cause) {
|
||||
super(cause);
|
||||
}
|
||||
|
||||
public String getUsername() {
|
||||
return username;
|
||||
}
|
||||
}
|
|
@ -21,6 +21,7 @@ import org.jboss.resteasy.annotations.cache.NoCache;
|
|||
import org.jboss.resteasy.spi.NotFoundException;
|
||||
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
||||
import org.keycloak.common.ClientConnection;
|
||||
import org.keycloak.policy.PasswordPolicyNotMetException;
|
||||
import org.keycloak.models.AdminRoles;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
|
@ -148,6 +149,10 @@ public class RealmsAdminResource {
|
|||
} catch (ModelDuplicateException e) {
|
||||
logger.error("Conflict detected", e);
|
||||
return ErrorResponse.exists("Conflict detected. See logs for details");
|
||||
} catch (PasswordPolicyNotMetException e) {
|
||||
logger.error("Password policy not met for user " + e.getUsername(), e);
|
||||
if (session.getTransactionManager().isActive()) session.getTransactionManager().setRollbackOnly();
|
||||
return ErrorResponse.error("Password policy not met. See logs for details", Response.Status.BAD_REQUEST);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.testsuite.updaters;
|
||||
|
||||
import java.io.Closeable;
|
||||
import javax.ws.rs.NotFoundException;
|
||||
import org.keycloak.admin.client.resource.RealmResource;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author <a href="mailto:vramik@redhat.com">Vlastislav Ramik</a>
|
||||
*/
|
||||
public class RealmRemover {
|
||||
|
||||
private final RealmResource realmResource;
|
||||
|
||||
public RealmRemover(RealmResource realmResource) {
|
||||
this.realmResource = realmResource;
|
||||
}
|
||||
|
||||
public Closeable remove() {
|
||||
return () -> {
|
||||
try {
|
||||
realmResource.remove();
|
||||
} catch (NotFoundException e) {
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
|
@ -23,8 +23,10 @@ import org.jboss.arquillian.container.test.api.Deployment;
|
|||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.ExpectedException;
|
||||
import org.keycloak.OAuth2Constants;
|
||||
import org.keycloak.admin.client.Keycloak;
|
||||
import org.keycloak.admin.client.resource.RealmResource;
|
||||
import org.keycloak.admin.client.resource.ServerInfoResource;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.events.admin.OperationType;
|
||||
|
@ -50,6 +52,7 @@ import org.keycloak.testsuite.auth.page.AuthRealm;
|
|||
import org.keycloak.testsuite.client.KeycloakTestingClient;
|
||||
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
|
||||
import org.keycloak.testsuite.runonserver.RunHelpers;
|
||||
import org.keycloak.testsuite.updaters.RealmRemover;
|
||||
import org.keycloak.testsuite.util.AdminEventPaths;
|
||||
import org.keycloak.testsuite.util.ClientBuilder;
|
||||
import org.keycloak.testsuite.util.CredentialBuilder;
|
||||
|
@ -60,6 +63,7 @@ import org.keycloak.util.JsonSerialization;
|
|||
|
||||
import javax.ws.rs.NotFoundException;
|
||||
import javax.ws.rs.core.Response;
|
||||
import java.io.Closeable;
|
||||
import java.io.IOException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
|
@ -68,6 +72,7 @@ import java.util.HashSet;
|
|||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import javax.ws.rs.BadRequestException;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
|
@ -83,6 +88,8 @@ public class RealmTest extends AbstractAdminTest {
|
|||
|
||||
@Rule
|
||||
public AssertEvents events = new AssertEvents(this);
|
||||
@Rule
|
||||
public ExpectedException expectedException = ExpectedException.none();
|
||||
|
||||
@Test
|
||||
public void getRealms() {
|
||||
|
@ -195,6 +202,40 @@ public class RealmTest extends AbstractAdminTest {
|
|||
adminClient.realms().realm("admin-test-1").remove();
|
||||
}
|
||||
|
||||
//KEYCLOAK-6146
|
||||
@Test
|
||||
public void createRealmWithPasswordPolicyFromJsonWithInvalidPasswords() {
|
||||
//try to create realm with password policies and users with plain-text passwords what doesn't met the policies
|
||||
RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/import/testrealm-keycloak-6146-error.json"), RealmRepresentation.class);
|
||||
|
||||
expectedException.expect(NotFoundException.class);
|
||||
expectedException.expectMessage(String.valueOf(Response.Status.NOT_FOUND.getStatusCode()));
|
||||
|
||||
try {
|
||||
adminClient.realms().create(rep);
|
||||
} catch (BadRequestException ex) {
|
||||
//ensure the realm was not created
|
||||
log.info("--Caught expected BadRequestException--");
|
||||
adminClient.realms().realm("secure-app").toRepresentation();
|
||||
}
|
||||
//test will fail on AssertionError when both BadRequestException and NotFoundException is not thrown
|
||||
}
|
||||
|
||||
//KEYCLOAK-6146
|
||||
@Test
|
||||
public void createRealmWithPasswordPolicyFromJsonWithValidPasswords() throws IOException {
|
||||
//realm with password policies and users have passwords in correct state
|
||||
RealmRepresentation rep = loadJson(getClass().getResourceAsStream("/import/testrealm-keycloak-6146.json"), RealmRepresentation.class);
|
||||
adminClient.realms().create(rep);
|
||||
|
||||
RealmResource secureApp = adminClient.realms().realm("secure-app");
|
||||
RealmRepresentation created = secureApp.toRepresentation();
|
||||
|
||||
try (Closeable c = new RealmRemover(secureApp).remove()) {
|
||||
assertRealm(rep, created);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void removeRealm() {
|
||||
realm.remove();
|
||||
|
|
|
@ -0,0 +1,605 @@
|
|||
{
|
||||
"id":"secure-app",
|
||||
"realm":"secure-app",
|
||||
"enabled":true,
|
||||
"sslRequired":"external",
|
||||
"bruteForceProtected" : true,
|
||||
"permanentLockout": true,
|
||||
"maxFailureWaitSeconds" : 900,
|
||||
"minimumQuickLoginWaitSeconds" : 60,
|
||||
"waitIncrementSeconds" : 60,
|
||||
"quickLoginCheckMilliSeconds" : 1000,
|
||||
"maxDeltaTimeSeconds" : 43200,
|
||||
"failureFactor" : 3,
|
||||
"eventsEnabled" : true,
|
||||
"eventsListeners" : [ "jboss-logging" ],
|
||||
"enabledEventTypes" : [ "SEND_RESET_PASSWORD", "UPDATE_TOTP", "REMOVE_TOTP", "REVOKE_GRANT", "LOGIN_ERROR", "CLIENT_LOGIN", "RESET_PASSWORD_ERROR", "IMPERSONATE_ERROR", "CODE_TO_TOKEN_ERROR", "CUSTOM_REQUIRED_ACTION", "RESTART_AUTHENTICATION", "UPDATE_PROFILE_ERROR", "IMPERSONATE", "LOGIN", "UPDATE_PASSWORD_ERROR", "CLIENT_INITIATED_ACCOUNT_LINKING", "REGISTER", "LOGOUT", "CLIENT_REGISTER", "IDENTITY_PROVIDER_LINK_ACCOUNT", "UPDATE_PASSWORD", "FEDERATED_IDENTITY_LINK_ERROR", "CLIENT_DELETE", "IDENTITY_PROVIDER_FIRST_LOGIN", "VERIFY_EMAIL", "CLIENT_DELETE_ERROR", "CLIENT_LOGIN_ERROR", "RESTART_AUTHENTICATION_ERROR", "REMOVE_FEDERATED_IDENTITY_ERROR", "EXECUTE_ACTIONS", "SEND_IDENTITY_PROVIDER_LINK_ERROR", "EXECUTE_ACTION_TOKEN_ERROR", "SEND_VERIFY_EMAIL", "EXECUTE_ACTIONS_ERROR", "REMOVE_FEDERATED_IDENTITY", "IDENTITY_PROVIDER_POST_LOGIN", "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", "UPDATE_EMAIL", "REGISTER_ERROR", "REVOKE_GRANT_ERROR", "LOGOUT_ERROR", "UPDATE_EMAIL_ERROR", "EXECUTE_ACTION_TOKEN", "CLIENT_UPDATE_ERROR", "UPDATE_PROFILE", "FEDERATED_IDENTITY_LINK", "CLIENT_REGISTER_ERROR", "SEND_VERIFY_EMAIL_ERROR", "SEND_IDENTITY_PROVIDER_LINK", "RESET_PASSWORD", "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", "REMOVE_TOTP_ERROR", "VERIFY_EMAIL_ERROR", "SEND_RESET_PASSWORD_ERROR", "CLIENT_UPDATE", "IDENTITY_PROVIDER_POST_LOGIN_ERROR", "CUSTOM_REQUIRED_ACTION_ERROR", "UPDATE_TOTP_ERROR", "CODE_TO_TOKEN", "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR" ],
|
||||
"adminEventsEnabled" : true,
|
||||
"adminEventsDetailsEnabled" : true,
|
||||
"requiredCredentials":[
|
||||
"password"
|
||||
],
|
||||
"passwordPolicy": "length(10) and lowerCase(1) and upperCase(1) and passwordHistory(3) and digits(1) and specialChars(1) and hashAlgorithm(pbkdf2-sha256)",
|
||||
"users":[
|
||||
{
|
||||
"username":"user1",
|
||||
"firstName" : "User",
|
||||
"lastName" : "1",
|
||||
"email" : "user1@feedhenry.org",
|
||||
"enabled":true,
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"123"
|
||||
}
|
||||
],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users" ]
|
||||
},
|
||||
{
|
||||
"username":"user2",
|
||||
"firstName" : "User",
|
||||
"lastName" : "2",
|
||||
"email" : "user2@feedhenry.org",
|
||||
"enabled":true,
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"123"
|
||||
}
|
||||
],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users" ]
|
||||
},
|
||||
{
|
||||
"username":"secure-user",
|
||||
"enabled" : true,
|
||||
"emailVerified" : true,
|
||||
"firstName" : "Secure",
|
||||
"lastName" : "User",
|
||||
"email" : "secure-user@feedhenry.org",
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"123"
|
||||
}
|
||||
],
|
||||
"requiredActions" : [ "CONFIGURE_TOTP" ],
|
||||
"realmRoles" : [ ],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users", "/API Access" ]
|
||||
},
|
||||
{
|
||||
"username":"secure-user2",
|
||||
"enabled" : true,
|
||||
"emailVerified" : true,
|
||||
"firstName" : "Secure",
|
||||
"lastName" : "User 2",
|
||||
"email" : "secure-user2@feedhenry.org",
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"123"
|
||||
}
|
||||
],
|
||||
"requiredActions" : [ "CONFIGURE_TOTP" ],
|
||||
"realmRoles" : [ ],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users", "/API Access" ]
|
||||
},
|
||||
{
|
||||
"username":"superuser",
|
||||
"enabled" : true,
|
||||
"emailVerified" : true,
|
||||
"firstName" : "Super",
|
||||
"lastName" : "User",
|
||||
"email" : "superuser@feedhenry.org",
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"123"
|
||||
}
|
||||
],
|
||||
"realmRoles" : [ ],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users", "/API Access", "Superuser" ]
|
||||
}
|
||||
],
|
||||
"clients":[
|
||||
{
|
||||
"clientId":"api-server",
|
||||
"enabled":true,
|
||||
"bearerOnly":true,
|
||||
"adminUrl":"http://localhost:8080"
|
||||
},
|
||||
{
|
||||
"clientId":"client-app",
|
||||
"enabled":true,
|
||||
"publicClient":true,
|
||||
"redirectUris":[
|
||||
"com.feedhenry.securenativeandroidtemplate:/callback"
|
||||
],
|
||||
"webOrigins":[
|
||||
"*"
|
||||
]
|
||||
}
|
||||
],
|
||||
"clientScopeMappings":{
|
||||
"account":[
|
||||
{
|
||||
"client":"api-server",
|
||||
"roles":[
|
||||
"view-profile"
|
||||
]
|
||||
},
|
||||
{
|
||||
"client":"client-app",
|
||||
"roles":[
|
||||
"view-profile"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"groups" : [ {
|
||||
"name" : "Mobile Users",
|
||||
"path" : "/Mobile Users",
|
||||
"attributes" : { },
|
||||
"realmRoles" : [ "mobile-user" ],
|
||||
"clientRoles" : { },
|
||||
"subGroups" : [ ]
|
||||
},
|
||||
{
|
||||
"name" : "API Access",
|
||||
"path" : "/API Access",
|
||||
"attributes" : { },
|
||||
"realmRoles" : [ "mobile-user", "api-access" ],
|
||||
"clientRoles" : { },
|
||||
"subGroups" : [ ]
|
||||
},
|
||||
{
|
||||
"name" : "Superuser",
|
||||
"path" : "/Superusers",
|
||||
"attributes" : { },
|
||||
"realmRoles" : [ "mobile-user", "api-access", "superuser" ],
|
||||
"clientRoles" : { },
|
||||
"subGroups" : [ ]
|
||||
} ],
|
||||
"roles":{
|
||||
"client":{
|
||||
"api-server":[
|
||||
|
||||
],
|
||||
"client-app":[
|
||||
|
||||
]
|
||||
}
|
||||
},
|
||||
"authenticationFlows" : [ {
|
||||
"alias" : "Handle Existing Account",
|
||||
"description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "idp-confirm-link",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "idp-email-verification",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"flowAlias" : "Verify Existing Account by Re-authentication",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "Verify Existing Account by Re-authentication",
|
||||
"description" : "Reauthentication of existing account",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "idp-username-password-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-otp-form",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "X.509 Browser",
|
||||
"description" : "browser based authentication",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : false,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-cookie",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-spnego",
|
||||
"requirement" : "DISABLED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticatorConfig" : "authenticator config",
|
||||
"authenticator" : "identity-provider-redirector",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 25,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticatorConfig" : "x509 browser auth config",
|
||||
"authenticator" : "auth-x509-client-username-form",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 31,
|
||||
"flowAlias" : "X.509 Browser forms",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "X.509 Browser forms",
|
||||
"description" : "Username, password, otp and other auth forms.",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : false,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-username-password-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-otp-form",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "X.509 Direct Grant",
|
||||
"description" : "OpenID Connect Resource Owner Grant",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : false,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticatorConfig" : "x509 direct grant config",
|
||||
"authenticator" : "direct-grant-auth-x509-username",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 0,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "browser",
|
||||
"description" : "browser based authentication",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-cookie",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-spnego",
|
||||
"requirement" : "DISABLED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "identity-provider-redirector",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 25,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"flowAlias" : "forms",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "clients",
|
||||
"description" : "Base authentication for clients",
|
||||
"providerId" : "client-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "client-secret",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "client-jwt",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "direct grant",
|
||||
"description" : "OpenID Connect Resource Owner Grant",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "direct-grant-validate-username",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "direct-grant-validate-password",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "direct-grant-validate-otp",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 30,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "docker auth",
|
||||
"description" : "Used by Docker clients to authenticate against the IDP",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "docker-http-basic-authenticator",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "first broker login",
|
||||
"description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticatorConfig" : "review profile config",
|
||||
"authenticator" : "idp-review-profile",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticatorConfig" : "create unique user config",
|
||||
"authenticator" : "idp-create-user-if-unique",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"flowAlias" : "Handle Existing Account",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "forms",
|
||||
"description" : "Username, password, otp and other auth forms.",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-username-password-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-otp-form",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "registration",
|
||||
"description" : "registration flow",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "registration-page-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"flowAlias" : "registration form",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "registration form",
|
||||
"description" : "registration form",
|
||||
"providerId" : "form-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "registration-user-creation",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "registration-profile-action",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 40,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "registration-password-action",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 50,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "registration-recaptcha-action",
|
||||
"requirement" : "DISABLED",
|
||||
"priority" : 60,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "reset credentials",
|
||||
"description" : "Reset credentials for a user if they forgot their password or something",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "reset-credentials-choose-user",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "reset-credential-email",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "reset-password",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 30,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "reset-otp",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 40,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "saml ecp",
|
||||
"description" : "SAML ECP Profile Authentication Flow",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "http-basic-authenticator",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
} ],
|
||||
"authenticatorConfig" : [ {
|
||||
"alias" : "authenticator config",
|
||||
"config" : {
|
||||
"defaultProvider" : ""
|
||||
}
|
||||
}, {
|
||||
"alias" : "create unique user config",
|
||||
"config" : {
|
||||
"require.password.update.after.registration" : "false"
|
||||
}
|
||||
}, {
|
||||
"alias" : "review profile config",
|
||||
"config" : {
|
||||
"update.profile.on.first.login" : "missing"
|
||||
}
|
||||
}, {
|
||||
"alias" : "x509 browser auth config",
|
||||
"config" : {
|
||||
"x509-cert-auth.extendedkeyusage" : "",
|
||||
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
|
||||
"x509-cert-auth.ocsp-responder-uri" : "",
|
||||
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
|
||||
"x509-cert-auth.crl-checking-enabled" : "",
|
||||
"x509-cert-auth.confirmation-page-disallowed" : "",
|
||||
"x509-cert-auth.keyusage" : "",
|
||||
"x509-cert-auth.mapper-selection" : "Username or Email",
|
||||
"x509-cert-auth.crl-relative-path" : "crl.pem",
|
||||
"x509-cert-auth.crldp-checking-enabled" : "false",
|
||||
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
|
||||
"x509-cert-auth.ocsp-checking-enabled" : ""
|
||||
}
|
||||
}, {
|
||||
"alias" : "x509 direct grant config",
|
||||
"config" : {
|
||||
"x509-cert-auth.extendedkeyusage" : "",
|
||||
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
|
||||
"x509-cert-auth.ocsp-responder-uri" : "",
|
||||
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
|
||||
"x509-cert-auth.crl-checking-enabled" : "",
|
||||
"x509-cert-auth.confirmation-page-disallowed" : "",
|
||||
"x509-cert-auth.keyusage" : "",
|
||||
"x509-cert-auth.mapper-selection" : "Username or Email",
|
||||
"x509-cert-auth.crl-relative-path" : "crl.pem",
|
||||
"x509-cert-auth.crldp-checking-enabled" : "false",
|
||||
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
|
||||
"x509-cert-auth.ocsp-checking-enabled" : ""
|
||||
}
|
||||
} ]
|
||||
}
|
|
@ -0,0 +1,606 @@
|
|||
{
|
||||
"id":"secure-app",
|
||||
"realm":"secure-app",
|
||||
"accessCodeLifespanUserAction" : 300,
|
||||
"enabled":true,
|
||||
"sslRequired":"external",
|
||||
"bruteForceProtected" : true,
|
||||
"permanentLockout": true,
|
||||
"maxFailureWaitSeconds" : 900,
|
||||
"minimumQuickLoginWaitSeconds" : 60,
|
||||
"waitIncrementSeconds" : 60,
|
||||
"quickLoginCheckMilliSeconds" : 1000,
|
||||
"maxDeltaTimeSeconds" : 43200,
|
||||
"failureFactor" : 3,
|
||||
"eventsEnabled" : true,
|
||||
"eventsListeners" : [ "jboss-logging" ],
|
||||
"enabledEventTypes" : [ "SEND_RESET_PASSWORD", "UPDATE_TOTP", "REMOVE_TOTP", "REVOKE_GRANT", "LOGIN_ERROR", "CLIENT_LOGIN", "RESET_PASSWORD_ERROR", "IMPERSONATE_ERROR", "CODE_TO_TOKEN_ERROR", "CUSTOM_REQUIRED_ACTION", "RESTART_AUTHENTICATION", "UPDATE_PROFILE_ERROR", "IMPERSONATE", "LOGIN", "UPDATE_PASSWORD_ERROR", "CLIENT_INITIATED_ACCOUNT_LINKING", "REGISTER", "LOGOUT", "CLIENT_REGISTER", "IDENTITY_PROVIDER_LINK_ACCOUNT", "UPDATE_PASSWORD", "FEDERATED_IDENTITY_LINK_ERROR", "CLIENT_DELETE", "IDENTITY_PROVIDER_FIRST_LOGIN", "VERIFY_EMAIL", "CLIENT_DELETE_ERROR", "CLIENT_LOGIN_ERROR", "RESTART_AUTHENTICATION_ERROR", "REMOVE_FEDERATED_IDENTITY_ERROR", "EXECUTE_ACTIONS", "SEND_IDENTITY_PROVIDER_LINK_ERROR", "EXECUTE_ACTION_TOKEN_ERROR", "SEND_VERIFY_EMAIL", "EXECUTE_ACTIONS_ERROR", "REMOVE_FEDERATED_IDENTITY", "IDENTITY_PROVIDER_POST_LOGIN", "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", "UPDATE_EMAIL", "REGISTER_ERROR", "REVOKE_GRANT_ERROR", "LOGOUT_ERROR", "UPDATE_EMAIL_ERROR", "EXECUTE_ACTION_TOKEN", "CLIENT_UPDATE_ERROR", "UPDATE_PROFILE", "FEDERATED_IDENTITY_LINK", "CLIENT_REGISTER_ERROR", "SEND_VERIFY_EMAIL_ERROR", "SEND_IDENTITY_PROVIDER_LINK", "RESET_PASSWORD", "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", "REMOVE_TOTP_ERROR", "VERIFY_EMAIL_ERROR", "SEND_RESET_PASSWORD_ERROR", "CLIENT_UPDATE", "IDENTITY_PROVIDER_POST_LOGIN_ERROR", "CUSTOM_REQUIRED_ACTION_ERROR", "UPDATE_TOTP_ERROR", "CODE_TO_TOKEN", "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR" ],
|
||||
"adminEventsEnabled" : true,
|
||||
"adminEventsDetailsEnabled" : true,
|
||||
"requiredCredentials":[
|
||||
"password"
|
||||
],
|
||||
"passwordPolicy": "length(10) and lowerCase(1) and upperCase(1) and passwordHistory(3) and digits(1) and specialChars(1) and hashAlgorithm(pbkdf2-sha256)",
|
||||
"users":[
|
||||
{
|
||||
"username":"user1",
|
||||
"firstName" : "User",
|
||||
"lastName" : "1",
|
||||
"email" : "user1@feedhenry.org",
|
||||
"enabled":true,
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"Password123!"
|
||||
}
|
||||
],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users" ]
|
||||
},
|
||||
{
|
||||
"username":"user2",
|
||||
"firstName" : "User",
|
||||
"lastName" : "2",
|
||||
"email" : "user2@feedhenry.org",
|
||||
"enabled":true,
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"Password123!"
|
||||
}
|
||||
],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users" ]
|
||||
},
|
||||
{
|
||||
"username":"secure-user",
|
||||
"enabled" : true,
|
||||
"emailVerified" : true,
|
||||
"firstName" : "Secure",
|
||||
"lastName" : "User",
|
||||
"email" : "secure-user@feedhenry.org",
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"Password123!"
|
||||
}
|
||||
],
|
||||
"requiredActions" : [ "CONFIGURE_TOTP" ],
|
||||
"realmRoles" : [ ],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users", "/API Access" ]
|
||||
},
|
||||
{
|
||||
"username":"secure-user2",
|
||||
"enabled" : true,
|
||||
"emailVerified" : true,
|
||||
"firstName" : "Secure",
|
||||
"lastName" : "User 2",
|
||||
"email" : "secure-user2@feedhenry.org",
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"Password123!"
|
||||
}
|
||||
],
|
||||
"requiredActions" : [ "CONFIGURE_TOTP" ],
|
||||
"realmRoles" : [ ],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users", "/API Access" ]
|
||||
},
|
||||
{
|
||||
"username":"superuser",
|
||||
"enabled" : true,
|
||||
"emailVerified" : true,
|
||||
"firstName" : "Super",
|
||||
"lastName" : "User",
|
||||
"email" : "superuser@feedhenry.org",
|
||||
"credentials":[
|
||||
{
|
||||
"type":"password",
|
||||
"value":"Password123!"
|
||||
}
|
||||
],
|
||||
"realmRoles" : [ ],
|
||||
"clientRoles":{
|
||||
"account":[
|
||||
"view-profile",
|
||||
"manage-account"
|
||||
]
|
||||
},
|
||||
"attributes":{
|
||||
|
||||
},
|
||||
"groups" : [ "/Mobile Users", "/API Access", "Superuser" ]
|
||||
}
|
||||
],
|
||||
"clients":[
|
||||
{
|
||||
"clientId":"api-server",
|
||||
"enabled":true,
|
||||
"bearerOnly":true,
|
||||
"adminUrl":"http://localhost:8080"
|
||||
},
|
||||
{
|
||||
"clientId":"client-app",
|
||||
"enabled":true,
|
||||
"publicClient":true,
|
||||
"redirectUris":[
|
||||
"com.feedhenry.securenativeandroidtemplate:/callback"
|
||||
],
|
||||
"webOrigins":[
|
||||
"*"
|
||||
]
|
||||
}
|
||||
],
|
||||
"clientScopeMappings":{
|
||||
"account":[
|
||||
{
|
||||
"client":"api-server",
|
||||
"roles":[
|
||||
"view-profile"
|
||||
]
|
||||
},
|
||||
{
|
||||
"client":"client-app",
|
||||
"roles":[
|
||||
"view-profile"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"groups" : [ {
|
||||
"name" : "Mobile Users",
|
||||
"path" : "/Mobile Users",
|
||||
"attributes" : { },
|
||||
"realmRoles" : [ "mobile-user" ],
|
||||
"clientRoles" : { },
|
||||
"subGroups" : [ ]
|
||||
},
|
||||
{
|
||||
"name" : "API Access",
|
||||
"path" : "/API Access",
|
||||
"attributes" : { },
|
||||
"realmRoles" : [ "mobile-user", "api-access" ],
|
||||
"clientRoles" : { },
|
||||
"subGroups" : [ ]
|
||||
},
|
||||
{
|
||||
"name" : "Superuser",
|
||||
"path" : "/Superusers",
|
||||
"attributes" : { },
|
||||
"realmRoles" : [ "mobile-user", "api-access", "superuser" ],
|
||||
"clientRoles" : { },
|
||||
"subGroups" : [ ]
|
||||
} ],
|
||||
"roles":{
|
||||
"client":{
|
||||
"api-server":[
|
||||
|
||||
],
|
||||
"client-app":[
|
||||
|
||||
]
|
||||
}
|
||||
},
|
||||
"authenticationFlows" : [ {
|
||||
"alias" : "Handle Existing Account",
|
||||
"description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "idp-confirm-link",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "idp-email-verification",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"flowAlias" : "Verify Existing Account by Re-authentication",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "Verify Existing Account by Re-authentication",
|
||||
"description" : "Reauthentication of existing account",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "idp-username-password-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-otp-form",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "X.509 Browser",
|
||||
"description" : "browser based authentication",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : false,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-cookie",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-spnego",
|
||||
"requirement" : "DISABLED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticatorConfig" : "authenticator config",
|
||||
"authenticator" : "identity-provider-redirector",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 25,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticatorConfig" : "x509 browser auth config",
|
||||
"authenticator" : "auth-x509-client-username-form",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 31,
|
||||
"flowAlias" : "X.509 Browser forms",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "X.509 Browser forms",
|
||||
"description" : "Username, password, otp and other auth forms.",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : false,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-username-password-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-otp-form",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "X.509 Direct Grant",
|
||||
"description" : "OpenID Connect Resource Owner Grant",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : false,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticatorConfig" : "x509 direct grant config",
|
||||
"authenticator" : "direct-grant-auth-x509-username",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 0,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "browser",
|
||||
"description" : "browser based authentication",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-cookie",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-spnego",
|
||||
"requirement" : "DISABLED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "identity-provider-redirector",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 25,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"flowAlias" : "forms",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "clients",
|
||||
"description" : "Base authentication for clients",
|
||||
"providerId" : "client-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "client-secret",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "client-jwt",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "direct grant",
|
||||
"description" : "OpenID Connect Resource Owner Grant",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "direct-grant-validate-username",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "direct-grant-validate-password",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "direct-grant-validate-otp",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 30,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "docker auth",
|
||||
"description" : "Used by Docker clients to authenticate against the IDP",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "docker-http-basic-authenticator",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "first broker login",
|
||||
"description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticatorConfig" : "review profile config",
|
||||
"authenticator" : "idp-review-profile",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticatorConfig" : "create unique user config",
|
||||
"authenticator" : "idp-create-user-if-unique",
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"requirement" : "ALTERNATIVE",
|
||||
"priority" : 30,
|
||||
"flowAlias" : "Handle Existing Account",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "forms",
|
||||
"description" : "Username, password, otp and other auth forms.",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "auth-username-password-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "auth-otp-form",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "registration",
|
||||
"description" : "registration flow",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "registration-page-form",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"flowAlias" : "registration form",
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : true
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "registration form",
|
||||
"description" : "registration form",
|
||||
"providerId" : "form-flow",
|
||||
"topLevel" : false,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "registration-user-creation",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "registration-profile-action",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 40,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "registration-password-action",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 50,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "registration-recaptcha-action",
|
||||
"requirement" : "DISABLED",
|
||||
"priority" : 60,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "reset credentials",
|
||||
"description" : "Reset credentials for a user if they forgot their password or something",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "reset-credentials-choose-user",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "reset-credential-email",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 20,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "reset-password",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 30,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
}, {
|
||||
"authenticator" : "reset-otp",
|
||||
"requirement" : "OPTIONAL",
|
||||
"priority" : 40,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
}, {
|
||||
"alias" : "saml ecp",
|
||||
"description" : "SAML ECP Profile Authentication Flow",
|
||||
"providerId" : "basic-flow",
|
||||
"topLevel" : true,
|
||||
"builtIn" : true,
|
||||
"authenticationExecutions" : [ {
|
||||
"authenticator" : "http-basic-authenticator",
|
||||
"requirement" : "REQUIRED",
|
||||
"priority" : 10,
|
||||
"userSetupAllowed" : false,
|
||||
"autheticatorFlow" : false
|
||||
} ]
|
||||
} ],
|
||||
"authenticatorConfig" : [ {
|
||||
"alias" : "authenticator config",
|
||||
"config" : {
|
||||
"defaultProvider" : ""
|
||||
}
|
||||
}, {
|
||||
"alias" : "create unique user config",
|
||||
"config" : {
|
||||
"require.password.update.after.registration" : "false"
|
||||
}
|
||||
}, {
|
||||
"alias" : "review profile config",
|
||||
"config" : {
|
||||
"update.profile.on.first.login" : "missing"
|
||||
}
|
||||
}, {
|
||||
"alias" : "x509 browser auth config",
|
||||
"config" : {
|
||||
"x509-cert-auth.extendedkeyusage" : "",
|
||||
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
|
||||
"x509-cert-auth.ocsp-responder-uri" : "",
|
||||
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
|
||||
"x509-cert-auth.crl-checking-enabled" : "",
|
||||
"x509-cert-auth.confirmation-page-disallowed" : "",
|
||||
"x509-cert-auth.keyusage" : "",
|
||||
"x509-cert-auth.mapper-selection" : "Username or Email",
|
||||
"x509-cert-auth.crl-relative-path" : "crl.pem",
|
||||
"x509-cert-auth.crldp-checking-enabled" : "false",
|
||||
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
|
||||
"x509-cert-auth.ocsp-checking-enabled" : ""
|
||||
}
|
||||
}, {
|
||||
"alias" : "x509 direct grant config",
|
||||
"config" : {
|
||||
"x509-cert-auth.extendedkeyusage" : "",
|
||||
"x509-cert-auth.mapper-selection.user-attribute-name" : "usercertificate",
|
||||
"x509-cert-auth.ocsp-responder-uri" : "",
|
||||
"x509-cert-auth.regular-expression" : "(.*?)(?:$)",
|
||||
"x509-cert-auth.crl-checking-enabled" : "",
|
||||
"x509-cert-auth.confirmation-page-disallowed" : "",
|
||||
"x509-cert-auth.keyusage" : "",
|
||||
"x509-cert-auth.mapper-selection" : "Username or Email",
|
||||
"x509-cert-auth.crl-relative-path" : "crl.pem",
|
||||
"x509-cert-auth.crldp-checking-enabled" : "false",
|
||||
"x509-cert-auth.mapping-source-selection" : "Subject's Common Name",
|
||||
"x509-cert-auth.ocsp-checking-enabled" : ""
|
||||
}
|
||||
} ]
|
||||
}
|
Loading…
Reference in a new issue