Revert the new welcome screen experience (#23446)

This reverts commit bcab75a7ef.
Jon Koops 2023-09-21 18:03:00 +02:00 committed by GitHub
parent 6543aa9a19
commit 47d9ae71c4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 1817 additions and 2949 deletions


@ -22,17 +22,6 @@ updates:
labels: labels:
- area/dependencies - area/dependencies
- team/ui - team/ui
- package-ecosystem: npm
directory: /themes/src/main/resources/theme/keycloak.v2/welcome
schedule:
interval: daily
time: "00:00"
timezone: Etc/GMT
open-pull-requests-limit: 999
rebase-strategy: disabled
labels:
- area/dependencies
- team/ui
- package-ecosystem: npm - package-ecosystem: npm
directory: js directory: js
open-pull-requests-limit: 999 open-pull-requests-limit: 999


@ -49,7 +49,7 @@ jobs:
- name: Build Keycloak - name: Build Keycloak
run: | run: |
./mvnw clean install --batch-mode --errors -DskipTests -DskipTestsuite -DskipExamples -DskipAccount2 -DskipWelcome2 -DskipCommon -Pdistribution ./mvnw clean install --batch-mode --errors -DskipTests -DskipTestsuite -DskipExamples -DskipAccount2 -DskipCommon -Pdistribution
mv ./quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz ./keycloak-999.0.0-SNAPSHOT.tar.gz mv ./quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz ./keycloak-999.0.0-SNAPSHOT.tar.gz
- name: Upload Keycloak dist - name: Upload Keycloak dist


@ -63,8 +63,6 @@ public class Profile {
WEB_AUTHN("W3C Web Authentication (WebAuthn)", Type.DEFAULT), WEB_AUTHN("W3C Web Authentication (WebAuthn)", Type.DEFAULT),
LEGACY_WELCOME("Disables the new 'welcome' theme, and restores the legacy version.", Type.DEPRECATED),
CLIENT_POLICIES("Client configuration policies", Type.DEFAULT), CLIENT_POLICIES("Client configuration policies", Type.DEFAULT),
CIBA("OpenID Connect Client Initiated Backchannel Authentication (CIBA)", Type.DEFAULT), CIBA("OpenID Connect Client Initiated Backchannel Authentication (CIBA)", Type.DEFAULT),
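Review bot: Removing `LEGACY_WELCOME` from `Profile.Feature` also removes `legacy-welcome` from the values listed for `--features` and `--features-disabled`, as the help snapshots in this commit show. Any deployment or pipeline that already passes that value will presumably be rejected as an unknown feature at startup, which for an identity server means an outage on upgrade. The commit message does not mention this, so it is worth an upgrade note such as `The 'legacy-welcome' feature flag has been removed; drop it from --features/--features-disabled before upgrading.` The enum body continues outside this hunk, so whether any alias handling exists elsewhere cannot be checked from here.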


@ -80,7 +80,6 @@ public class ProfileTest {
Profile.Feature.RECOVERY_CODES, Profile.Feature.RECOVERY_CODES,
Profile.Feature.SCRIPTS, Profile.Feature.SCRIPTS,
Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.TOKEN_EXCHANGE,
Profile.Feature.LEGACY_WELCOME,
Profile.Feature.MAP_STORAGE, Profile.Feature.MAP_STORAGE,
Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.DECLARATIVE_USER_PROFILE,
Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.CLIENT_SECRET_ROTATION,


@ -25,7 +25,6 @@ import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.DistributionTest; import org.keycloak.it.junit5.extension.DistributionTest;
import org.keycloak.it.junit5.extension.RawDistOnly; import org.keycloak.it.junit5.extension.RawDistOnly;
import org.keycloak.it.junit5.extension.WithEnvVars;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation; import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import org.keycloak.quarkus.runtime.services.resources.DebugHostnameSettingsResource; import org.keycloak.quarkus.runtime.services.resources.DebugHostnameSettingsResource;
@ -109,7 +108,6 @@ public class HostnameDistTest {
} }
@Test @Test
@WithEnvVars({ "KEYCLOAK_ADMIN", "admin", "KEYCLOAK_ADMIN_PASSWORD", "admin" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8543" }) @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8543" })
public void testWelcomePageAdminUrl() { public void testWelcomePageAdminUrl() {
when().get("http://mykeycloak.org:8080").then().body(Matchers.containsString("http://mykeycloak.org:8080/admin/")); when().get("http://mykeycloak.org:8080").then().body(Matchers.containsString("http://mykeycloak.org:8080/admin/"));
@ -170,7 +168,6 @@ public class HostnameDistTest {
} }
@Test @Test
@WithEnvVars({ "KEYCLOAK_ADMIN", "admin", "KEYCLOAK_ADMIN_PASSWORD", "admin" })
@Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.org:1234" }) @Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.org:1234" })
public void testAdminUrl() { public void testAdminUrl() {
when().get("https://mykeycloak.org:8443").then().body(Matchers.containsString("http://mykeycloakadmin.org:1234/admin/")); when().get("https://mykeycloak.org:8443").then().body(Matchers.containsString("http://mykeycloakadmin.org:1234/admin/"));


@ -26,7 +26,6 @@ import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.DistributionTest; import org.keycloak.it.junit5.extension.DistributionTest;
import org.keycloak.it.junit5.extension.RawDistOnly; import org.keycloak.it.junit5.extension.RawDistOnly;
import org.keycloak.it.junit5.extension.WithEnvVars;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation; import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import io.quarkus.test.junit.main.Launch; import io.quarkus.test.junit.main.Launch;
@ -57,7 +56,6 @@ public class ProxyDistTest {
} }
@Test @Test
@WithEnvVars({ "KEYCLOAK_ADMIN", "admin", "KEYCLOAK_ADMIN_PASSWORD", "admin" })
@Launch({ "start-dev", "--hostname=mykeycloak.org", "--proxy=edge" }) @Launch({ "start-dev", "--hostname=mykeycloak.org", "--proxy=edge" })
public void testForwardedHeadersWithEdge() { public void testForwardedHeadersWithEdge() {
given().header("Forwarded", "for=12.34.56.78;host=test:1234;proto=https, for=23.45.67.89").when().get("http://mykeycloak.org:8080").then().body(containsString("https://test:1234/admin")); given().header("Forwarded", "for=12.34.56.78;host=test:1234;proto=https, for=23.45.67.89").when().get("http://mykeycloak.org:8080").then().body(containsString("https://test:1234/admin"));
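Review bot: `testForwardedHeadersWithEdge` asserts that a client-supplied `Forwarded` host (`test:1234`) is reflected in the admin link of the welcome page, and nothing in the hunk says why that is acceptable. A short comment above the method would make the trust assumption explicit, for example `// --proxy=edge: the server trusts Forwarded/X-Forwarded-* from the fronting proxy, so the header host is expected in generated URLs`. If the class has no counterpart that launches without `--proxy` and asserts the header host is not reflected, that negative case is worth adding; the rest of the class is outside this hunk, so it may already exist.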


@ -48,16 +48,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
HTTP/TLS: HTTP/TLS:


@ -1,119 +1,119 @@
Creates a new and optimized server image. Creates a new and optimized server image.
Usage: Usage:
kc.bat build [OPTIONS] kc.bat build [OPTIONS]
Creates a new and optimized server image based on the configuration options Creates a new and optimized server image based on the configuration options
passed to this command. Once created, the configuration will be persisted and passed to this command. Once created, the configuration will be persisted and
read during startup without having to pass them over again. read during startup without having to pass them over again.
Consider running this command before running the server in production for an Consider running this command before running the server in production for an
optimal runtime. optimal runtime.
Options: Options:
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
Transaction: Transaction:
--transaction-xa-enabled <true|false> --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. not support XA transactions. Default: true.
Feature: Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api, --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
HTTP/TLS: HTTP/TLS:
--http-relative-path <path> --http-relative-path <path>
Set the path relative to '/' for serving resources. The path must start with a Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /. '/'. Default: /.
Health: Health:
--health-enabled <true|false> --health-enabled <true|false>
If the server should expose health check endpoints. If enabled, health checks If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live' are available at the '/health', '/health/ready' and '/health/live'
endpoints. Default: false. endpoints. Default: false.
Metrics: Metrics:
--metrics-enabled <true|false> --metrics-enabled <true|false>
If the server should expose metrics. If enabled, metrics are available at the If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false. '/metrics' endpoint. Default: false.
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file, keystore. --vault <provider> Enables a vault provider. Possible values are: file.
Security: Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on --fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled, mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips' which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default: feature is enabled. Possible values are: non-strict, strict. Default:
disabled. disabled.
Examples: Examples:
Change the database vendor: Change the database vendor:
$ kc.bat build --db=postgres $ kc.bat build --db=postgres
Enable a feature: Enable a feature:
$ kc.bat build --features=<feature_name> $ kc.bat build --features=<feature_name>
Or alternatively, enable all tech preview features: Or alternatively, enable all tech preview features:
$ kc.bat build --features=preview $ kc.bat build --features=preview
Enable health endpoints: Enable health endpoints:
$ kc.bat build --health-enabled=true $ kc.bat build --health-enabled=true
Enable metrics endpoints: Enable metrics endpoints:
$ kc.bat build --metrics-enabled=true $ kc.bat build --metrics-enabled=true
Change the relative path: Change the relative path:
$ kc.bat build --http-relative-path=/auth $ kc.bat build --http-relative-path=/auth
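Review bot: The `--vault` entry in this snapshot changes from `Possible values are: file, keystore.` to `Possible values are: file.`, which is unrelated to the welcome screen and is not mentioned in the commit message. If the keystore vault provider is still part of the build, this `kc.bat build` help snapshot is now stale and lists one fewer secret-storage option than the CLI offers; if the provider was meant to be removed, that belongs in its own commit. The `-1,119 +1,119` header rewrites every line of the file, apparently for whitespace or line-ending reasons, so this one content change is easy to miss. Regenerating the snapshot from current CLI output and confirming the `--vault` values would settle it.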


@ -1,53 +1,55 @@
Keycloak - Open Source Identity and Access Management Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest Find more information at: https://www.keycloak.org/docs/latest
Usage: Usage:
kc.bat [OPTIONS] [COMMAND] kc.bat [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster. Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
Options: "./kc.bat") to execute from the current folder.
-cf, --config-file <file> Options:
Set the path to a configuration file. By default, configuration properties are
read from the "keycloak.conf" file in the "conf" directory. -cf, --config-file <file>
-h, --help This help message. Set the path to a configuration file. By default, configuration properties are
-v, --verbose Print out error details when running this command. read from the "keycloak.conf" file in the "conf" directory.
-V, --version Show version information -h, --help This help message.
-v, --verbose Print out error details when running this command.
Commands: -V, --version Show version information
build Creates a new and optimized server image. Commands:
start Start the server.
start-dev Start the server in development mode. build Creates a new and optimized server image.
export Export data from realms to a file or directory. start Start the server.
import Import data from a directory or a file. start-dev Start the server in development mode.
show-config Print out the current configuration. export Export data from realms to a file or directory.
tools Utilities for use and interaction with the server. import Import data from a directory or a file.
completion Generate bash/zsh completion script for kc.bat. show-config Print out the current configuration.
tools Utilities for use and interaction with the server.
Examples: completion Generate bash/zsh completion script for kc.bat.
Start the server in development mode for local development or testing: Examples:
$ kc.bat start-dev Start the server in development mode for local development or testing:
Building an optimized server runtime: $ kc.bat start-dev
$ kc.bat build <OPTIONS> Building an optimized server runtime:
Start the server in production mode: $ kc.bat build <OPTIONS>
$ kc.bat start <OPTIONS> Start the server in production mode:
Enable auto-completion to bash/zsh: $ kc.bat start <OPTIONS>
$ source <(kc.bat tools completion) Enable auto-completion to bash/zsh:
Please, take a look at the documentation for more details before deploying in $ source <(kc.bat tools completion)
production.
Please, take a look at the documentation for more details before deploying in
Use "kc.bat start --help" for the available options when starting the server. production.
Use "kc.bat <command> --help" for more information about other commands.
Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.


@ -59,16 +59,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -142,4 +142,4 @@ Export:
--users-per-file <number> --users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing 'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50. export times. Default: 50.


@ -1,145 +0,0 @@
Export data from realms to a file or directory.
Usage:
kc.bat export [OPTIONS]
Export data from realms to a file or directory.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Export:
--dir <dir> Set the path to a directory where files will be created with the exported data.
--file <file> Set the path to a file that will be created with the exported data. To export
more than 500 users, export to a directory with different files instead.
--realm <realm> Set the name of the realm to export. If not set, all realms are going to be
exported.
--users <strategy> Set how users should be exported. Possible values are: skip, realm_file,
same_file, different_files. Default: different_files.
--users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50.


@ -122,16 +122,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -205,4 +205,4 @@ Export:
--users-per-file <number> --users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing 'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50. export times. Default: 50.


@ -1,208 +0,0 @@
Export data from realms to a file or directory.
Usage:
kc.bat export [OPTIONS]
Export data from realms to a file or directory.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file.
--storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file.
--storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file.
--storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file.
--storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file.
--storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file.
--storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod.
--storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file.
--storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Export:
--dir <dir> Set the path to a directory where files will be created with the exported data.
--file <file> Set the path to a file that will be created with the exported data. To export
more than 500 users, export to a directory with different files instead.
--realm <realm> Set the name of the realm to export. If not set, all realms are going to be
exported.
--users <strategy> Set how users should be exported. Possible values are: skip, realm_file,
same_file, different_files. Default: different_files.
--users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50.


@ -1,53 +1,55 @@
Keycloak - Open Source Identity and Access Management Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest Find more information at: https://www.keycloak.org/docs/latest
Usage: Usage:
kc.bat [OPTIONS] [COMMAND] kc.bat [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster. Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
Options: "./kc.bat") to execute from the current folder.
-cf, --config-file <file> Options:
Set the path to a configuration file. By default, configuration properties are
read from the "keycloak.conf" file in the "conf" directory. -cf, --config-file <file>
-h, --help This help message. Set the path to a configuration file. By default, configuration properties are
-v, --verbose Print out error details when running this command. read from the "keycloak.conf" file in the "conf" directory.
-V, --version Show version information -h, --help This help message.
-v, --verbose Print out error details when running this command.
Commands: -V, --version Show version information
build Creates a new and optimized server image. Commands:
start Start the server.
start-dev Start the server in development mode. build Creates a new and optimized server image.
export Export data from realms to a file or directory. start Start the server.
import Import data from a directory or a file. start-dev Start the server in development mode.
show-config Print out the current configuration. export Export data from realms to a file or directory.
tools Utilities for use and interaction with the server. import Import data from a directory or a file.
completion Generate bash/zsh completion script for kc.bat. show-config Print out the current configuration.
tools Utilities for use and interaction with the server.
Examples: completion Generate bash/zsh completion script for kc.bat.
Start the server in development mode for local development or testing: Examples:
$ kc.bat start-dev Start the server in development mode for local development or testing:
Building an optimized server runtime: $ kc.bat start-dev
$ kc.bat build <OPTIONS> Building an optimized server runtime:
Start the server in production mode: $ kc.bat build <OPTIONS>
$ kc.bat start <OPTIONS> Start the server in production mode:
Enable auto-completion to bash/zsh: $ kc.bat start <OPTIONS>
$ source <(kc.bat tools completion) Enable auto-completion to bash/zsh:
Please, take a look at the documentation for more details before deploying in $ source <(kc.bat tools completion)
production.
Please, take a look at the documentation for more details before deploying in
Use "kc.bat start --help" for the available options when starting the server. production.
Use "kc.bat <command> --help" for more information about other commands.
Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.


@ -1,53 +1,55 @@
Keycloak - Open Source Identity and Access Management Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest Find more information at: https://www.keycloak.org/docs/latest
Usage: Usage:
kc.bat [OPTIONS] [COMMAND] kc.bat [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster. Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
Options: "./kc.bat") to execute from the current folder.
-cf, --config-file <file> Options:
Set the path to a configuration file. By default, configuration properties are
read from the "keycloak.conf" file in the "conf" directory. -cf, --config-file <file>
-h, --help This help message. Set the path to a configuration file. By default, configuration properties are
-v, --verbose Print out error details when running this command. read from the "keycloak.conf" file in the "conf" directory.
-V, --version Show version information -h, --help This help message.
-v, --verbose Print out error details when running this command.
Commands: -V, --version Show version information
build Creates a new and optimized server image. Commands:
start Start the server.
start-dev Start the server in development mode. build Creates a new and optimized server image.
export Export data from realms to a file or directory. start Start the server.
import Import data from a directory or a file. start-dev Start the server in development mode.
show-config Print out the current configuration. export Export data from realms to a file or directory.
tools Utilities for use and interaction with the server. import Import data from a directory or a file.
completion Generate bash/zsh completion script for kc.bat. show-config Print out the current configuration.
tools Utilities for use and interaction with the server.
Examples: completion Generate bash/zsh completion script for kc.bat.
Start the server in development mode for local development or testing: Examples:
$ kc.bat start-dev Start the server in development mode for local development or testing:
Building an optimized server runtime: $ kc.bat start-dev
$ kc.bat build <OPTIONS> Building an optimized server runtime:
Start the server in production mode: $ kc.bat build <OPTIONS>
$ kc.bat start <OPTIONS> Start the server in production mode:
Enable auto-completion to bash/zsh: $ kc.bat start <OPTIONS>
$ source <(kc.bat tools completion) Enable auto-completion to bash/zsh:
Please, take a look at the documentation for more details before deploying in $ source <(kc.bat tools completion)
production.
Please, take a look at the documentation for more details before deploying in
Use "kc.bat start --help" for the available options when starting the server. production.
Use "kc.bat <command> --help" for more information about other commands.
Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.


@ -59,16 +59,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -136,4 +136,4 @@ Import:
--file <file> Set the path to a file that will be read. --file <file> Set the path to a file that will be read.
--override <true|false> --override <true|false>
Set if existing data should be overwritten. If set to false, data will be Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true. ignored. Default: true.


@ -1,139 +0,0 @@
Import data from a directory or a file.
Usage:
kc.bat import [OPTIONS]
Import data from a directory or a file.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Import:
--dir <dir> Set the path to a directory where files will be read from.
--file <file> Set the path to a file that will be read.
--override <true|false>
Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true.


@ -122,16 +122,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -199,4 +199,4 @@ Import:
--file <file> Set the path to a file that will be read. --file <file> Set the path to a file that will be read.
--override <true|false> --override <true|false>
Set if existing data should be overwritten. If set to false, data will be Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true. ignored. Default: true.


@ -1,202 +0,0 @@
Import data from a directory or a file.
Usage:
kc.bat import [OPTIONS]
Import data from a directory or a file.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file.
--storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file.
--storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file.
--storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file.
--storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file.
--storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file.
--storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod.
--storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file.
--storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Import:
--dir <dir> Set the path to a directory where files will be read from.
--file <file> Set the path to a file that will be read.
--override <true|false>
Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true.


@ -75,16 +75,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -254,4 +254,4 @@ Security:
Do NOT start the server using this command when deploying to production. Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build Use 'kc.sh start-dev --help-all' to list all available options, including build
options. options.


@ -1,257 +1,240 @@
Start the server in development mode. Start the server in development mode.
Usage: Usage:
kc.bat start-dev [OPTIONS] kc.bat start-dev [OPTIONS]
Use this command if you want to run the server locally for development or Use this command if you want to run the server locally for development or
testing purposes. testing purposes.
Options: Options:
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to Sets the properties of the default JDBC URL of the chosen vendor. If the
set the properties accordingly to the format expected by the database `db-url` option is set, this option is ignored.
vendor, as well as appending the right character at the beginning of this --db-username <username>
property value. If the `db-url` option is set, this option is ignored. The username of the database user.
--db-username <username>
The username of the database user. Transaction:
Transaction: --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
--transaction-xa-enabled <true|false> not support XA transactions. Default: true.
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. Feature:
Feature: --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
--features <feature> Enables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange, --features-disabled <feature>
update-email, web-authn. Disables a set of one or more features. Possible values are: account-api,
--features-disabled <feature> account2, account3, admin-api, admin-fine-grained-authz, admin2,
Disables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. Hostname:
Hostname: --hostname <hostname>
Hostname for the Keycloak server.
--hostname <hostname> --hostname-admin <hostname>
Hostname for the Keycloak server. The hostname for accessing the administration console. Use this option if you
--hostname-admin <hostname> are exposing the administration console using a hostname other than the
The hostname for accessing the administration console. Use this option if you value set to the 'hostname' option.
are exposing the administration console using a hostname other than the --hostname-admin-url <url>
value set to the 'hostname' option. Set the base URL for accessing the administration console, including scheme,
--hostname-admin-url <url> host, port and path
Set the base URL for accessing the administration console, including scheme, --hostname-path <path>
host, port and path This should be set if proxy uses a different context-path for Keycloak.
--hostname-debug <true|false> --hostname-port <port>
Toggle the hostname debug page that is accessible at The port used by the proxy when exposing the hostname. Set this option if the
/realms/master/hostname-debug Default: false. proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-path <path> --hostname-strict <true|false>
This should be set if proxy uses a different context-path for Keycloak. Disables dynamically resolving the hostname from request headers. Should
--hostname-port <port> always be set to true in production, unless proxy verifies the Host header.
The port used by the proxy when exposing the hostname. Set this option if the Default: true.
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. --hostname-strict-backchannel <true|false>
--hostname-strict <true|false> By default backchannel URLs are dynamically resolved from request headers to
Disables dynamically resolving the hostname from request headers. Should allow internal and external applications. If all applications use the public
always be set to true in production, unless proxy verifies the Host header. URL this option should be enabled. Default: false.
Default: true. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--hostname-strict-backchannel <true|false>
By default backchannel URLs are dynamically resolved from request headers to HTTP/TLS:
allow internal and external applications. If all applications use the public
URL this option should be enabled. Default: false. --http-enabled <true|false>
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Enables the HTTP listener. Default: false.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
HTTP/TLS: --http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path>
--http-enabled <true|false> Set the path relative to '/' for serving resources. The path must start with a
Enables the HTTP listener. Default: false. '/'. Default: /.
--http-host <host> The used HTTP Host. Default: 0.0.0.0. --https-certificate-file <file>
--http-port <port> The used HTTP port. Default: 8080. The file path to a server certificate or certificate chain in PEM format.
--http-relative-path <path> --https-certificate-key-file <file>
Set the path relative to '/' for serving resources. The path must start with a The file path to a private key in PEM format.
'/'. Default: /. --https-cipher-suites <ciphers>
--https-certificate-file <file> The cipher suites to use. If none is given, a reasonable default is selected.
The file path to a server certificate or certificate chain in PEM format. --https-client-auth <auth>
--https-certificate-key-file <file> Configures the server to require/request client authentication. Possible
The file path to a private key in PEM format. values are: none, request, required. Default: none.
--https-cipher-suites <ciphers> --https-key-store-file <file>
The cipher suites to use. If none is given, a reasonable default is selected. The key store which holds the certificate information instead of specifying
--https-client-auth <auth> separate files.
Configures the server to require/request client authentication. Possible --https-key-store-password <password>
values are: none, request, required. Default: none. The password of the key store file. Default: password.
--https-key-store-file <file> --https-key-store-type <type>
The key store which holds the certificate information instead of specifying The type of the key store file. If not given, the type is automatically
separate files. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-key-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the key store file. Default: password. --https-port <port> The used HTTPS port. Default: 8443.
--https-key-store-type <type> --https-protocols <protocols>
The type of the key store file. If not given, the type is automatically The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-trust-store-file <file>
value is set, it defaults to 'BCFKS'. The trust store which holds the certificate information of the certificates to
--https-port <port> The used HTTPS port. Default: 8443. trust.
--https-protocols <protocols> --https-trust-store-password <password>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The password of the trust store file.
--https-trust-store-file <file> --https-trust-store-type <type>
The trust store which holds the certificate information of the certificates to The type of the trust store file. If not given, the type is automatically
trust. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-trust-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the trust store file.
--https-trust-store-type <type> Health:
The type of the trust store file. If not given, the type is automatically
detected based on the file name. If 'fips-mode' is set to 'strict' and no --health-enabled <true|false>
value is set, it defaults to 'BCFKS'. If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live'
Health: endpoints. Default: false.
--health-enabled <true|false> Metrics:
If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live' --metrics-enabled <true|false>
endpoints. Default: false. If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--config-keystore-password <config-keystore-password> Possible values are: none, edge, reencrypt, passthrough. Default: none.
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type> Vault:
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
Metrics: --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
--metrics-enabled <true|false>
If the server should expose metrics. If enabled, metrics are available at the Logging:
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
Proxy: are: console, file, gelf. Default: console.
--log-console-color <true|false>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Enable or disable colors when logging to console. Default: false.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
Vault: it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--vault <provider> Enables a vault provider. Possible values are: file, keystore. --log-console-output <output>
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Set the log output to JSON or default (plain) unstructured logging. Possible
given directory. values are: default, json. Default: default.
--vault-file <file> Path to the keystore file. --log-file <file> Set the log file path and filename. Default: data/log/keycloak.log.
--vault-pass <pass> Password for the vault keystore. --log-file-format <format>
--vault-type <type> Specifies the type of the keystore file. Default: PKCS12. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
Logging: --log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values values are: default, json. Default: default.
are: console, file, gelf. Default: console. --log-gelf-facility <name>
--log-console-color <true|false> The facility (name of the process) that sends the message. Default: keycloak.
Enable or disable colors when logging to console. Default: false. --log-gelf-host <hostname>
--log-console-format <format> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The format of unstructured console log entries. If the format has spaces in host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % localhost.
-5p [%c] (%t) %s%e%n. --log-gelf-include-location <true|false>
--log-console-output <output> Include source code location. Default: true.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-include-message-parameters <true|false>
values are: default, json. Default: default. Include message parameters from the log event. Default: true.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log. --log-gelf-include-stack-trace <true|false>
--log-file-format <format> If set to true, occuring stack traces are included in the 'StackTrace' field
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, in the GELF output. Default: true.
SSS} %-5p [%c] (%t) %s%e%n. --log-gelf-level <level>
--log-file-output <output> The log level specifying which message levels will be logged by the GELF
Set the log output to JSON or default (plain) unstructured logging. Possible logger. Message levels lower than this value will be discarded. Default:
values are: default, json. Default: default. INFO.
--log-gelf-facility <name> --log-gelf-max-message-size <size>
The facility (name of the process) that sends the message. Default: keycloak. Maximum message size (in bytes). If the message size is exceeded, GELF will
--log-gelf-host <hostname> submit the message in multiple chunks. Default: 8192.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-gelf-port <port>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The port the Logstash or Graylog Host is called on. Default: 12201.
localhost. --log-gelf-timestamp-format <pattern>
--log-gelf-include-location <true|false> Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
Include source code location. Default: true. pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-gelf-include-message-parameters <true|false> --log-level <category:level>
Include message parameters from the log event. Default: true. The log level of the root category or a comma-separated list of individual
--log-gelf-include-stack-trace <true|false> categories and their levels. For the root category, you don't need to
If set to true, occuring stack traces are included in the 'StackTrace' field specify a category. Default: info.
in the GELF output. Default: true.
--log-gelf-level <level> Security:
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default: --fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
INFO. non-approved mode. For full FIPS compliance, set 'strict' to run on approved
--log-gelf-max-message-size <size> mode. This option defaults to 'disabled' when 'fips' feature is disabled,
Maximum message size (in bytes). If the message size is exceeded, GELF will which is by default. This option defaults to 'non-strict' when 'fips'
submit the message in multiple chunks. Default: 8192. feature is enabled. Possible values are: non-strict, strict. Default:
--log-gelf-port <port> disabled.
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern> Do NOT start the server using this command when deploying to production.
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Use 'kc.bat start-dev --help-all' to list all available options, including
--log-level <category:level> build options.
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.
Use 'kc.bat start-dev --help-all' to list all available options, including
build options.
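Review bot: The new side of what looks like the expected `kc.bat start-dev` help output drops far more than the `legacy-welcome` feature value. `--hostname-debug`, the whole `Config:` group (`--config-keystore`, `--config-keystore-password`, `--config-keystore-type`), `--vault-file`, `--vault-pass`, `--vault-type` and the `keystore` value of `--vault` are all gone. The `--db-url-properties` text is also shortened, and the `--log-file` default changes from `data\log\keycloak.log` to `data/log/keycloak.log`. None of this belongs to the welcome screen, and the kc.sh hunks on this page touch only the feature list, so the revert appears to restore a stale Windows file; the next section (`-1,320 +1,303`) shrinks by the same 17 lines and may share the problem. If this file is compared against real help output, it presumably no longer matches a server that offers the keystore-backed vault and config options, so I would keep the pre-revert content and remove only `legacy-welcome,` from the `--features` and `--features-disabled` value lists.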


@ -138,16 +138,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -317,4 +317,4 @@ Security:
Do NOT start the server using this command when deploying to production. Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build Use 'kc.sh start-dev --help-all' to list all available options, including build
options. options.


@ -1,320 +1,303 @@
Start the server in development mode. Start the server in development mode.
Usage: Usage:
kc.bat start-dev [OPTIONS] kc.bat start-dev [OPTIONS]
Use this command if you want to run the server locally for development or Use this command if you want to run the server locally for development or
testing purposes. testing purposes.
Options: Options:
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Storage (Experimental): Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible --storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type> --storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-authorization <type> --storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-client <type> --storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa, Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-client-scope <type> --storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are: Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-admin <type> --storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are: Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-auth <type> --storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file. events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type> --storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa, Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-login-failure <type> --storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-realm <type> --storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa, Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-role <type> --storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa, Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-single-use-object <type> --storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod.
--storage-area-user <type> --storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa, Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-user-session <type> --storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir> --storage-file-dir <dir>
Experimental: Root directory for file map store. Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user. Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port> --storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server. Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username> --storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user. Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type> --storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are: Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres. postgres, cockroach. Default: postgres.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to Sets the properties of the default JDBC URL of the chosen vendor. If the
set the properties accordingly to the format expected by the database `db-url` option is set, this option is ignored.
vendor, as well as appending the right character at the beginning of this --db-username <username>
property value. If the `db-url` option is set, this option is ignored. The username of the database user.
--db-username <username>
The username of the database user. Transaction:
Transaction: --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
--transaction-xa-enabled <true|false> not support XA transactions. Default: true.
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. Feature:
Feature: --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
--features <feature> Enables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange, --features-disabled <feature>
update-email, web-authn. Disables a set of one or more features. Possible values are: account-api,
--features-disabled <feature> account2, account3, admin-api, admin-fine-grained-authz, admin2,
Disables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. Hostname:
Hostname: --hostname <hostname>
Hostname for the Keycloak server.
--hostname <hostname> --hostname-admin <hostname>
Hostname for the Keycloak server. The hostname for accessing the administration console. Use this option if you
--hostname-admin <hostname> are exposing the administration console using a hostname other than the
The hostname for accessing the administration console. Use this option if you value set to the 'hostname' option.
are exposing the administration console using a hostname other than the --hostname-admin-url <url>
value set to the 'hostname' option. Set the base URL for accessing the administration console, including scheme,
--hostname-admin-url <url> host, port and path
Set the base URL for accessing the administration console, including scheme, --hostname-path <path>
host, port and path This should be set if proxy uses a different context-path for Keycloak.
--hostname-debug <true|false> --hostname-port <port>
Toggle the hostname debug page that is accessible at The port used by the proxy when exposing the hostname. Set this option if the
/realms/master/hostname-debug Default: false. proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-path <path> --hostname-strict <true|false>
This should be set if proxy uses a different context-path for Keycloak. Disables dynamically resolving the hostname from request headers. Should
--hostname-port <port> always be set to true in production, unless proxy verifies the Host header.
The port used by the proxy when exposing the hostname. Set this option if the Default: true.
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. --hostname-strict-backchannel <true|false>
--hostname-strict <true|false> By default backchannel URLs are dynamically resolved from request headers to
Disables dynamically resolving the hostname from request headers. Should allow internal and external applications. If all applications use the public
always be set to true in production, unless proxy verifies the Host header. URL this option should be enabled. Default: false.
Default: true. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--hostname-strict-backchannel <true|false>
By default backchannel URLs are dynamically resolved from request headers to HTTP/TLS:
allow internal and external applications. If all applications use the public
URL this option should be enabled. Default: false. --http-enabled <true|false>
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Enables the HTTP listener. Default: false.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
HTTP/TLS: --http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path>
--http-enabled <true|false> Set the path relative to '/' for serving resources. The path must start with a
Enables the HTTP listener. Default: false. '/'. Default: /.
--http-host <host> The used HTTP Host. Default: 0.0.0.0. --https-certificate-file <file>
--http-port <port> The used HTTP port. Default: 8080. The file path to a server certificate or certificate chain in PEM format.
--http-relative-path <path> --https-certificate-key-file <file>
Set the path relative to '/' for serving resources. The path must start with a The file path to a private key in PEM format.
'/'. Default: /. --https-cipher-suites <ciphers>
--https-certificate-file <file> The cipher suites to use. If none is given, a reasonable default is selected.
The file path to a server certificate or certificate chain in PEM format. --https-client-auth <auth>
--https-certificate-key-file <file> Configures the server to require/request client authentication. Possible
The file path to a private key in PEM format. values are: none, request, required. Default: none.
--https-cipher-suites <ciphers> --https-key-store-file <file>
The cipher suites to use. If none is given, a reasonable default is selected. The key store which holds the certificate information instead of specifying
--https-client-auth <auth> separate files.
Configures the server to require/request client authentication. Possible --https-key-store-password <password>
values are: none, request, required. Default: none. The password of the key store file. Default: password.
--https-key-store-file <file> --https-key-store-type <type>
The key store which holds the certificate information instead of specifying The type of the key store file. If not given, the type is automatically
separate files. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-key-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the key store file. Default: password. --https-port <port> The used HTTPS port. Default: 8443.
--https-key-store-type <type> --https-protocols <protocols>
The type of the key store file. If not given, the type is automatically The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-trust-store-file <file>
value is set, it defaults to 'BCFKS'. The trust store which holds the certificate information of the certificates to
--https-port <port> The used HTTPS port. Default: 8443. trust.
--https-protocols <protocols> --https-trust-store-password <password>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The password of the trust store file.
--https-trust-store-file <file> --https-trust-store-type <type>
The trust store which holds the certificate information of the certificates to The type of the trust store file. If not given, the type is automatically
trust. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-trust-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the trust store file.
--https-trust-store-type <type> Health:
The type of the trust store file. If not given, the type is automatically
detected based on the file name. If 'fips-mode' is set to 'strict' and no --health-enabled <true|false>
value is set, it defaults to 'BCFKS'. If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live'
Health: endpoints. Default: false.
--health-enabled <true|false> Metrics:
If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live' --metrics-enabled <true|false>
endpoints. Default: false. If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--config-keystore-password <config-keystore-password> Possible values are: none, edge, reencrypt, passthrough. Default: none.
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type> Vault:
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
Metrics: --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
--metrics-enabled <true|false>
If the server should expose metrics. If enabled, metrics are available at the Logging:
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
Proxy: are: console, file, gelf. Default: console.
--log-console-color <true|false>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Enable or disable colors when logging to console. Default: false.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
Vault: it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--vault <provider> Enables a vault provider. Possible values are: file, keystore. --log-console-output <output>
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Set the log output to JSON or default (plain) unstructured logging. Possible
given directory. values are: default, json. Default: default.
--vault-file <file> Path to the keystore file. --log-file <file> Set the log file path and filename. Default: data/log/keycloak.log.
--vault-pass <pass> Password for the vault keystore. --log-file-format <format>
--vault-type <type> Specifies the type of the keystore file. Default: PKCS12. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
Logging: --log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values values are: default, json. Default: default.
are: console, file, gelf. Default: console. --log-gelf-facility <name>
--log-console-color <true|false> The facility (name of the process) that sends the message. Default: keycloak.
Enable or disable colors when logging to console. Default: false. --log-gelf-host <hostname>
--log-console-format <format> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The format of unstructured console log entries. If the format has spaces in host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % localhost.
-5p [%c] (%t) %s%e%n. --log-gelf-include-location <true|false>
--log-console-output <output> Include source code location. Default: true.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-include-message-parameters <true|false>
values are: default, json. Default: default. Include message parameters from the log event. Default: true.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log. --log-gelf-include-stack-trace <true|false>
--log-file-format <format> If set to true, occuring stack traces are included in the 'StackTrace' field
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, in the GELF output. Default: true.
SSS} %-5p [%c] (%t) %s%e%n. --log-gelf-level <level>
--log-file-output <output> The log level specifying which message levels will be logged by the GELF
Set the log output to JSON or default (plain) unstructured logging. Possible logger. Message levels lower than this value will be discarded. Default:
values are: default, json. Default: default. INFO.
--log-gelf-facility <name> --log-gelf-max-message-size <size>
The facility (name of the process) that sends the message. Default: keycloak. Maximum message size (in bytes). If the message size is exceeded, GELF will
--log-gelf-host <hostname> submit the message in multiple chunks. Default: 8192.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-gelf-port <port>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The port the Logstash or Graylog Host is called on. Default: 12201.
localhost. --log-gelf-timestamp-format <pattern>
--log-gelf-include-location <true|false> Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
Include source code location. Default: true. pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-gelf-include-message-parameters <true|false> --log-level <category:level>
Include message parameters from the log event. Default: true. The log level of the root category or a comma-separated list of individual
--log-gelf-include-stack-trace <true|false> categories and their levels. For the root category, you don't need to
If set to true, occuring stack traces are included in the 'StackTrace' field specify a category. Default: info.
in the GELF output. Default: true.
--log-gelf-level <level> Security:
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default: --fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
INFO. non-approved mode. For full FIPS compliance, set 'strict' to run on approved
--log-gelf-max-message-size <size> mode. This option defaults to 'disabled' when 'fips' feature is disabled,
Maximum message size (in bytes). If the message size is exceeded, GELF will which is by default. This option defaults to 'non-strict' when 'fips'
submit the message in multiple chunks. Default: 8192. feature is enabled. Possible values are: non-strict, strict. Default:
--log-gelf-port <port> disabled.
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern> Do NOT start the server using this command when deploying to production.
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Use 'kc.bat start-dev --help-all' to list all available options, including
--log-level <category:level> build options.
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.
Use 'kc.bat start-dev --help-all' to list all available options, including
build options.
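Review bot: The new side of this kc.bat start-dev help snapshot appears to drop more than the `legacy-welcome` entry. `--hostname-debug <true|false>`, the whole `Config:` group (`--config-keystore`, `--config-keystore-password`, `--config-keystore-type`) and `--vault-file` / `--vault-pass` / `--vault-type` are gone, `--vault` lists only `file` instead of `file, keystore`, and the `--log-file` default changes from `data\log\keycloak.log` to `data/log/keycloak.log`. The kc.sh hunks visible on this page change only the feature list, so this looks like the revert restoring an older Windows snapshot rather than an intended removal; that is inferred from the page and should be confirmed. If those options still exist in the CLI, regenerate this file from current output so it keeps lines such as `--vault <provider> Enables a vault provider. Possible values are: file, keystore.` and loses only `legacy-welcome`. Otherwise the help text that operators read no longer documents the keystore-backed configuration and vault settings.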


@ -81,16 +81,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -264,4 +264,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized' $ kc.sh start '--optimized'
By doing that, the server should start faster based on any previous By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command. configuration you have set when manually running the 'build' command.


@ -1,267 +1,250 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to Sets the properties of the default JDBC URL of the chosen vendor. If the
set the properties accordingly to the format expected by the database `db-url` option is set, this option is ignored.
vendor, as well as appending the right character at the beginning of this --db-username <username>
property value. If the `db-url` option is set, this option is ignored. The username of the database user.
--db-username <username>
The username of the database user. Transaction:
Transaction: --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
--transaction-xa-enabled <true|false> not support XA transactions. Default: true.
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. Feature:
Feature: --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
--features <feature> Enables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange, --features-disabled <feature>
update-email, web-authn. Disables a set of one or more features. Possible values are: account-api,
--features-disabled <feature> account2, account3, admin-api, admin-fine-grained-authz, admin2,
Disables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. Hostname:
Hostname: --hostname <hostname>
Hostname for the Keycloak server.
--hostname <hostname> --hostname-admin <hostname>
Hostname for the Keycloak server. The hostname for accessing the administration console. Use this option if you
--hostname-admin <hostname> are exposing the administration console using a hostname other than the
The hostname for accessing the administration console. Use this option if you value set to the 'hostname' option.
are exposing the administration console using a hostname other than the --hostname-admin-url <url>
value set to the 'hostname' option. Set the base URL for accessing the administration console, including scheme,
--hostname-admin-url <url> host, port and path
Set the base URL for accessing the administration console, including scheme, --hostname-path <path>
host, port and path This should be set if proxy uses a different context-path for Keycloak.
--hostname-debug <true|false> --hostname-port <port>
Toggle the hostname debug page that is accessible at The port used by the proxy when exposing the hostname. Set this option if the
/realms/master/hostname-debug Default: false. proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-path <path> --hostname-strict <true|false>
This should be set if proxy uses a different context-path for Keycloak. Disables dynamically resolving the hostname from request headers. Should
--hostname-port <port> always be set to true in production, unless proxy verifies the Host header.
The port used by the proxy when exposing the hostname. Set this option if the Default: true.
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. --hostname-strict-backchannel <true|false>
--hostname-strict <true|false> By default backchannel URLs are dynamically resolved from request headers to
Disables dynamically resolving the hostname from request headers. Should allow internal and external applications. If all applications use the public
always be set to true in production, unless proxy verifies the Host header. URL this option should be enabled. Default: false.
Default: true. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--hostname-strict-backchannel <true|false>
By default backchannel URLs are dynamically resolved from request headers to HTTP/TLS:
allow internal and external applications. If all applications use the public
URL this option should be enabled. Default: false. --http-enabled <true|false>
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Enables the HTTP listener. Default: false.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
HTTP/TLS: --http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path>
--http-enabled <true|false> Set the path relative to '/' for serving resources. The path must start with a
Enables the HTTP listener. Default: false. '/'. Default: /.
--http-host <host> The used HTTP Host. Default: 0.0.0.0. --https-certificate-file <file>
--http-port <port> The used HTTP port. Default: 8080. The file path to a server certificate or certificate chain in PEM format.
--http-relative-path <path> --https-certificate-key-file <file>
Set the path relative to '/' for serving resources. The path must start with a The file path to a private key in PEM format.
'/'. Default: /. --https-cipher-suites <ciphers>
--https-certificate-file <file> The cipher suites to use. If none is given, a reasonable default is selected.
The file path to a server certificate or certificate chain in PEM format. --https-client-auth <auth>
--https-certificate-key-file <file> Configures the server to require/request client authentication. Possible
The file path to a private key in PEM format. values are: none, request, required. Default: none.
--https-cipher-suites <ciphers> --https-key-store-file <file>
The cipher suites to use. If none is given, a reasonable default is selected. The key store which holds the certificate information instead of specifying
--https-client-auth <auth> separate files.
Configures the server to require/request client authentication. Possible --https-key-store-password <password>
values are: none, request, required. Default: none. The password of the key store file. Default: password.
--https-key-store-file <file> --https-key-store-type <type>
The key store which holds the certificate information instead of specifying The type of the key store file. If not given, the type is automatically
separate files. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-key-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the key store file. Default: password. --https-port <port> The used HTTPS port. Default: 8443.
--https-key-store-type <type> --https-protocols <protocols>
The type of the key store file. If not given, the type is automatically The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-trust-store-file <file>
value is set, it defaults to 'BCFKS'. The trust store which holds the certificate information of the certificates to
--https-port <port> The used HTTPS port. Default: 8443. trust.
--https-protocols <protocols> --https-trust-store-password <password>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The password of the trust store file.
--https-trust-store-file <file> --https-trust-store-type <type>
The trust store which holds the certificate information of the certificates to The type of the trust store file. If not given, the type is automatically
trust. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-trust-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the trust store file.
--https-trust-store-type <type> Health:
The type of the trust store file. If not given, the type is automatically
detected based on the file name. If 'fips-mode' is set to 'strict' and no --health-enabled <true|false>
value is set, it defaults to 'BCFKS'. If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live'
Health: endpoints. Default: false.
--health-enabled <true|false> Metrics:
If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live' --metrics-enabled <true|false>
endpoints. Default: false. If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--config-keystore-password <config-keystore-password> Possible values are: none, edge, reencrypt, passthrough. Default: none.
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type> Vault:
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
Metrics: --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
--metrics-enabled <true|false>
If the server should expose metrics. If enabled, metrics are available at the Logging:
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
Proxy: are: console, file, gelf. Default: console.
--log-console-color <true|false>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Enable or disable colors when logging to console. Default: false.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
Vault: it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--vault <provider> Enables a vault provider. Possible values are: file, keystore. --log-console-output <output>
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Set the log output to JSON or default (plain) unstructured logging. Possible
given directory. values are: default, json. Default: default.
--vault-file <file> Path to the keystore file. --log-file <file> Set the log file path and filename. Default: data/log/keycloak.log.
--vault-pass <pass> Password for the vault keystore. --log-file-format <format>
--vault-type <type> Specifies the type of the keystore file. Default: PKCS12. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
Logging: --log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values values are: default, json. Default: default.
are: console, file, gelf. Default: console. --log-gelf-facility <name>
--log-console-color <true|false> The facility (name of the process) that sends the message. Default: keycloak.
Enable or disable colors when logging to console. Default: false. --log-gelf-host <hostname>
--log-console-format <format> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The format of unstructured console log entries. If the format has spaces in host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % localhost.
-5p [%c] (%t) %s%e%n. --log-gelf-include-location <true|false>
--log-console-output <output> Include source code location. Default: true.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-include-message-parameters <true|false>
values are: default, json. Default: default. Include message parameters from the log event. Default: true.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log. --log-gelf-include-stack-trace <true|false>
--log-file-format <format> If set to true, occuring stack traces are included in the 'StackTrace' field
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, in the GELF output. Default: true.
SSS} %-5p [%c] (%t) %s%e%n. --log-gelf-level <level>
--log-file-output <output> The log level specifying which message levels will be logged by the GELF
Set the log output to JSON or default (plain) unstructured logging. Possible logger. Message levels lower than this value will be discarded. Default:
values are: default, json. Default: default. INFO.
--log-gelf-facility <name> --log-gelf-max-message-size <size>
The facility (name of the process) that sends the message. Default: keycloak. Maximum message size (in bytes). If the message size is exceeded, GELF will
--log-gelf-host <hostname> submit the message in multiple chunks. Default: 8192.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-gelf-port <port>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The port the Logstash or Graylog Host is called on. Default: 12201.
localhost. --log-gelf-timestamp-format <pattern>
--log-gelf-include-location <true|false> Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
Include source code location. Default: true. pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-gelf-include-message-parameters <true|false> --log-level <category:level>
Include message parameters from the log event. Default: true. The log level of the root category or a comma-separated list of individual
--log-gelf-include-stack-trace <true|false> categories and their levels. For the root category, you don't need to
If set to true, occuring stack traces are included in the 'StackTrace' field specify a category. Default: info.
in the GELF output. Default: true.
--log-gelf-level <level> Security:
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default: --fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
INFO. non-approved mode. For full FIPS compliance, set 'strict' to run on approved
--log-gelf-max-message-size <size> mode. This option defaults to 'disabled' when 'fips' feature is disabled,
Maximum message size (in bytes). If the message size is exceeded, GELF will which is by default. This option defaults to 'non-strict' when 'fips'
submit the message in multiple chunks. Default: 8192. feature is enabled. Possible values are: non-strict, strict. Default:
--log-gelf-port <port> disabled.
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern> By default, this command tries to update the server configuration by running a
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat 'build' before starting the server. You can disable this behavior by using the
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. '--optimized' option:
--log-level <category:level>
The log level of the root category or a comma-separated list of individual $ kc.bat start '--optimized'
categories and their levels. For the root category, you don't need to
specify a category. Default: info. By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
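Review bot: Reading the left column as the old side, the new side of this kc.bat `start` help snapshot loses more than the `legacy-welcome` feature value: `--hostname-debug`, the whole `Config:` group (`--config-keystore`, `--config-keystore-password`, `--config-keystore-type`), `--vault-file`/`--vault-pass`/`--vault-type` and the `keystore` value of `--vault` are gone, and the `--log-file` default changes from `data\log\keycloak.log` to `data/log/keycloak.log`. The kc.sh snapshot hunks visible here only touch the feature lists and keep their length (`@ -327,4 +327,4`), so these options presumably still exist in the CLI, and the Windows snapshot would stop describing the keystore-backed configuration and vault settings. I would regenerate this file from the current help output and limit the change to dropping `legacy-welcome`, for example keeping `--vault <provider> Enables a vault provider. Possible values are: file, keystore.` as it was. The kc.bat `help-all` snapshot that follows (330 to 313 lines) appears to carry the same unrelated removals.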


@ -144,16 +144,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
preview, recovery-codes, scripts, step-up-authentication, token-exchange, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -327,4 +327,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized' $ kc.sh start '--optimized'
By doing that, the server should start faster based on any previous By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command. configuration you have set when manually running the 'build' command.


@ -1,330 +1,313 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Storage (Experimental): Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible --storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type> --storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-authorization <type> --storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-client <type> --storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa, Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-client-scope <type> --storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are: Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-admin <type> --storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are: Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-auth <type> --storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file. events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type> --storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa, Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-login-failure <type> --storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-realm <type> --storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa, Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-role <type> --storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa, Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-single-use-object <type> --storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod.
--storage-area-user <type> --storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa, Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-user-session <type> --storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir> --storage-file-dir <dir>
Experimental: Root directory for file map store. Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user. Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port> --storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server. Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username> --storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user. Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type> --storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are: Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres. postgres, cockroach. Default: postgres.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to Sets the properties of the default JDBC URL of the chosen vendor. If the
set the properties accordingly to the format expected by the database `db-url` option is set, this option is ignored.
vendor, as well as appending the right character at the beginning of this --db-username <username>
property value. If the `db-url` option is set, this option is ignored. The username of the database user.
--db-username <username>
The username of the database user. Transaction:
Transaction: --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
--transaction-xa-enabled <true|false> not support XA transactions. Default: true.
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. Feature:
Feature: --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
--features <feature> Enables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange, --features-disabled <feature>
update-email, web-authn. Disables a set of one or more features. Possible values are: account-api,
--features-disabled <feature> account2, account3, admin-api, admin-fine-grained-authz, admin2,
Disables a set of one or more features. Possible values are: account-api, authorization, ciba, client-policies, client-secret-rotation,
account2, account3, admin-api, admin-fine-grained-authz, admin2, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
authorization, ciba, client-policies, client-secret-rotation, js-adapter, kerberos, linkedin-oauth, map-storage, par, preview,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, recovery-codes, scripts, step-up-authentication, token-exchange,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par, update-email, web-authn.
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. Hostname:
Hostname: --hostname <hostname>
Hostname for the Keycloak server.
--hostname <hostname> --hostname-admin <hostname>
Hostname for the Keycloak server. The hostname for accessing the administration console. Use this option if you
--hostname-admin <hostname> are exposing the administration console using a hostname other than the
The hostname for accessing the administration console. Use this option if you value set to the 'hostname' option.
are exposing the administration console using a hostname other than the --hostname-admin-url <url>
value set to the 'hostname' option. Set the base URL for accessing the administration console, including scheme,
--hostname-admin-url <url> host, port and path
Set the base URL for accessing the administration console, including scheme, --hostname-path <path>
host, port and path This should be set if proxy uses a different context-path for Keycloak.
--hostname-debug <true|false> --hostname-port <port>
Toggle the hostname debug page that is accessible at The port used by the proxy when exposing the hostname. Set this option if the
/realms/master/hostname-debug Default: false. proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
--hostname-path <path> --hostname-strict <true|false>
This should be set if proxy uses a different context-path for Keycloak. Disables dynamically resolving the hostname from request headers. Should
--hostname-port <port> always be set to true in production, unless proxy verifies the Host header.
The port used by the proxy when exposing the hostname. Set this option if the Default: true.
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. --hostname-strict-backchannel <true|false>
--hostname-strict <true|false> By default backchannel URLs are dynamically resolved from request headers to
Disables dynamically resolving the hostname from request headers. Should allow internal and external applications. If all applications use the public
always be set to true in production, unless proxy verifies the Host header. URL this option should be enabled. Default: false.
Default: true. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--hostname-strict-backchannel <true|false>
By default backchannel URLs are dynamically resolved from request headers to HTTP/TLS:
allow internal and external applications. If all applications use the public
URL this option should be enabled. Default: false. --http-enabled <true|false>
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Enables the HTTP listener. Default: false.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
HTTP/TLS: --http-port <port> The used HTTP port. Default: 8080.
--http-relative-path <path>
--http-enabled <true|false> Set the path relative to '/' for serving resources. The path must start with a
Enables the HTTP listener. Default: false. '/'. Default: /.
--http-host <host> The used HTTP Host. Default: 0.0.0.0. --https-certificate-file <file>
--http-port <port> The used HTTP port. Default: 8080. The file path to a server certificate or certificate chain in PEM format.
--http-relative-path <path> --https-certificate-key-file <file>
Set the path relative to '/' for serving resources. The path must start with a The file path to a private key in PEM format.
'/'. Default: /. --https-cipher-suites <ciphers>
--https-certificate-file <file> The cipher suites to use. If none is given, a reasonable default is selected.
The file path to a server certificate or certificate chain in PEM format. --https-client-auth <auth>
--https-certificate-key-file <file> Configures the server to require/request client authentication. Possible
The file path to a private key in PEM format. values are: none, request, required. Default: none.
--https-cipher-suites <ciphers> --https-key-store-file <file>
The cipher suites to use. If none is given, a reasonable default is selected. The key store which holds the certificate information instead of specifying
--https-client-auth <auth> separate files.
Configures the server to require/request client authentication. Possible --https-key-store-password <password>
values are: none, request, required. Default: none. The password of the key store file. Default: password.
--https-key-store-file <file> --https-key-store-type <type>
The key store which holds the certificate information instead of specifying The type of the key store file. If not given, the type is automatically
separate files. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-key-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the key store file. Default: password. --https-port <port> The used HTTPS port. Default: 8443.
--https-key-store-type <type> --https-protocols <protocols>
The type of the key store file. If not given, the type is automatically The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-trust-store-file <file>
value is set, it defaults to 'BCFKS'. The trust store which holds the certificate information of the certificates to
--https-port <port> The used HTTPS port. Default: 8443. trust.
--https-protocols <protocols> --https-trust-store-password <password>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The password of the trust store file.
--https-trust-store-file <file> --https-trust-store-type <type>
The trust store which holds the certificate information of the certificates to The type of the trust store file. If not given, the type is automatically
trust. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-trust-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the trust store file.
--https-trust-store-type <type> Health:
The type of the trust store file. If not given, the type is automatically
detected based on the file name. If 'fips-mode' is set to 'strict' and no --health-enabled <true|false>
value is set, it defaults to 'BCFKS'. If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live'
Health: endpoints. Default: false.
--health-enabled <true|false> Metrics:
If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live' --metrics-enabled <true|false>
endpoints. Default: false. If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--config-keystore-password <config-keystore-password> Possible values are: none, edge, reencrypt, passthrough. Default: none.
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type> Vault:
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
Metrics: --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
--metrics-enabled <true|false>
If the server should expose metrics. If enabled, metrics are available at the Logging:
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
Proxy: are: console, file, gelf. Default: console.
--log-console-color <true|false>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Enable or disable colors when logging to console. Default: false.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
Vault: it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--vault <provider> Enables a vault provider. Possible values are: file, keystore. --log-console-output <output>
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Set the log output to JSON or default (plain) unstructured logging. Possible
given directory. values are: default, json. Default: default.
--vault-file <file> Path to the keystore file. --log-file <file> Set the log file path and filename. Default: data/log/keycloak.log.
--vault-pass <pass> Password for the vault keystore. --log-file-format <format>
--vault-type <type> Specifies the type of the keystore file. Default: PKCS12. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
Logging: --log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values values are: default, json. Default: default.
are: console, file, gelf. Default: console. --log-gelf-facility <name>
--log-console-color <true|false> The facility (name of the process) that sends the message. Default: keycloak.
Enable or disable colors when logging to console. Default: false. --log-gelf-host <hostname>
--log-console-format <format> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The format of unstructured console log entries. If the format has spaces in host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % localhost.
-5p [%c] (%t) %s%e%n. --log-gelf-include-location <true|false>
--log-console-output <output> Include source code location. Default: true.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-include-message-parameters <true|false>
values are: default, json. Default: default. Include message parameters from the log event. Default: true.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log. --log-gelf-include-stack-trace <true|false>
--log-file-format <format> If set to true, occuring stack traces are included in the 'StackTrace' field
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, in the GELF output. Default: true.
SSS} %-5p [%c] (%t) %s%e%n. --log-gelf-level <level>
--log-file-output <output> The log level specifying which message levels will be logged by the GELF
Set the log output to JSON or default (plain) unstructured logging. Possible logger. Message levels lower than this value will be discarded. Default:
values are: default, json. Default: default. INFO.
--log-gelf-facility <name> --log-gelf-max-message-size <size>
The facility (name of the process) that sends the message. Default: keycloak. Maximum message size (in bytes). If the message size is exceeded, GELF will
--log-gelf-host <hostname> submit the message in multiple chunks. Default: 8192.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-gelf-port <port>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The port the Logstash or Graylog Host is called on. Default: 12201.
localhost. --log-gelf-timestamp-format <pattern>
--log-gelf-include-location <true|false> Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
Include source code location. Default: true. pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-gelf-include-message-parameters <true|false> --log-level <category:level>
Include message parameters from the log event. Default: true. The log level of the root category or a comma-separated list of individual
--log-gelf-include-stack-trace <true|false> categories and their levels. For the root category, you don't need to
If set to true, occuring stack traces are included in the 'StackTrace' field specify a category. Default: info.
in the GELF output. Default: true.
--log-gelf-level <level> Security:
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default: --fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
INFO. non-approved mode. For full FIPS compliance, set 'strict' to run on approved
--log-gelf-max-message-size <size> mode. This option defaults to 'disabled' when 'fips' feature is disabled,
Maximum message size (in bytes). If the message size is exceeded, GELF will which is by default. This option defaults to 'non-strict' when 'fips'
submit the message in multiple chunks. Default: 8192. feature is enabled. Possible values are: non-strict, strict. Default:
--log-gelf-port <port> disabled.
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern> By default, this command tries to update the server configuration by running a
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat 'build' before starting the server. You can disable this behavior by using the
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. '--optimized' option:
--log-level <category:level>
The log level of the root category or a comma-separated list of individual $ kc.bat start '--optimized'
categories and their levels. For the root category, you don't need to
specify a category. Default: info. By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
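Review bot: The new side of this kc.bat help snapshot drops far more than the `legacy-welcome` feature value: `--hostname-debug`, the whole `Config:` group (`--config-keystore`, `--config-keystore-password`, `--config-keystore-type`), the `keystore` vault provider with `--vault-file`, `--vault-pass` and `--vault-type`, and the longer `--db-url-properties` description are all gone, and the `--log-file` default changes from `data\log\keycloak.log` to `data/log/keycloak.log`. None of that relates to the welcome screen, so the revert has probably restored an older copy of this expected output rather than undoing only the welcome change; whether the CLI still offers those options is not visible from this page. If it does, the expected output no longer covers the keystore-backed configuration and vault options or the hostname debug toggle, and the Windows help check would either fail or stop guarding them. I would regenerate this file from the current help output, or limit the change to removing `legacy-welcome` from the `--features` and `--features-disabled` value lists.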


@ -1,200 +1,181 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Database: Database:
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-password <password>
driver is set accordingly to the chosen database. The password of the database user.
--db-password <password> --db-pool-initial-size <size>
The password of the database user. The initial size of the connection pool.
--db-pool-initial-size <size> --db-pool-max-size <size>
The initial size of the connection pool. The maximum size of the connection pool. Default: 100.
--db-pool-max-size <size> --db-pool-min-size <size>
The maximum size of the connection pool. Default: 100. The minimal size of the connection pool.
--db-pool-min-size <size> --db-schema <schema> The database schema to be used.
The minimal size of the connection pool. --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
--db-schema <schema> The database schema to be used. selected database vendor. For instance, if using 'postgres', the default
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
selected database vendor. For instance, if using 'postgres', the default --db-url-database <dbname>
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. Sets the database name of the default JDBC URL of the chosen vendor. If the
--db-url-database <dbname> `db-url` option is set, this option is ignored.
Sets the database name of the default JDBC URL of the chosen vendor. If the --db-url-host <hostname>
`db-url` option is set, this option is ignored. Sets the hostname of the default JDBC URL of the chosen vendor. If the
--db-url-host <hostname> `db-url` option is set, this option is ignored.
Sets the hostname of the default JDBC URL of the chosen vendor. If the --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
`db-url` option is set, this option is ignored. option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-properties <properties>
option is set, this option is ignored. Sets the properties of the default JDBC URL of the chosen vendor. If the
--db-url-properties <properties> `db-url` option is set, this option is ignored.
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to --db-username <username>
set the properties accordingly to the format expected by the database The username of the database user.
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored. Hostname:
--db-username <username>
The username of the database user. --hostname <hostname>
Hostname for the Keycloak server.
Hostname: --hostname-admin <hostname>
The hostname for accessing the administration console. Use this option if you
--hostname <hostname> are exposing the administration console using a hostname other than the
Hostname for the Keycloak server. value set to the 'hostname' option.
--hostname-admin <hostname> --hostname-admin-url <url>
The hostname for accessing the administration console. Use this option if you Set the base URL for accessing the administration console, including scheme,
are exposing the administration console using a hostname other than the host, port and path
value set to the 'hostname' option. --hostname-path <path>
--hostname-admin-url <url> This should be set if proxy uses a different context-path for Keycloak.
Set the base URL for accessing the administration console, including scheme, --hostname-port <port>
host, port and path The port used by the proxy when exposing the hostname. Set this option if the
--hostname-debug <true|false> proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
Toggle the hostname debug page that is accessible at --hostname-strict <true|false>
/realms/master/hostname-debug Default: false. Disables dynamically resolving the hostname from request headers. Should
--hostname-path <path> always be set to true in production, unless proxy verifies the Host header.
This should be set if proxy uses a different context-path for Keycloak. Default: true.
--hostname-port <port> --hostname-strict-backchannel <true|false>
The port used by the proxy when exposing the hostname. Set this option if the By default backchannel URLs are dynamically resolved from request headers to
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. allow internal and external applications. If all applications use the public
--hostname-strict <true|false> URL this option should be enabled. Default: false.
Disables dynamically resolving the hostname from request headers. Should --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
always be set to true in production, unless proxy verifies the Host header.
Default: true. HTTP/TLS:
--hostname-strict-backchannel <true|false>
By default backchannel URLs are dynamically resolved from request headers to --http-enabled <true|false>
allow internal and external applications. If all applications use the public Enables the HTTP listener. Default: false.
URL this option should be enabled. Default: false. --http-host <host> The used HTTP Host. Default: 0.0.0.0.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. --http-port <port> The used HTTP port. Default: 8080.
--https-certificate-file <file>
HTTP/TLS: The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
--http-enabled <true|false> The file path to a private key in PEM format.
Enables the HTTP listener. Default: false. --https-cipher-suites <ciphers>
--http-host <host> The used HTTP Host. Default: 0.0.0.0. The cipher suites to use. If none is given, a reasonable default is selected.
--http-port <port> The used HTTP port. Default: 8080. --https-client-auth <auth>
--https-certificate-file <file> Configures the server to require/request client authentication. Possible
The file path to a server certificate or certificate chain in PEM format. values are: none, request, required. Default: none.
--https-certificate-key-file <file> --https-key-store-file <file>
The file path to a private key in PEM format. The key store which holds the certificate information instead of specifying
--https-cipher-suites <ciphers> separate files.
The cipher suites to use. If none is given, a reasonable default is selected. --https-key-store-password <password>
--https-client-auth <auth> The password of the key store file. Default: password.
Configures the server to require/request client authentication. Possible --https-key-store-type <type>
values are: none, request, required. Default: none. The type of the key store file. If not given, the type is automatically
--https-key-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The key store which holds the certificate information instead of specifying value is set, it defaults to 'BCFKS'.
separate files. --https-port <port> The used HTTPS port. Default: 8443.
--https-key-store-password <password> --https-protocols <protocols>
The password of the key store file. Default: password. The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-key-store-type <type> --https-trust-store-file <file>
The type of the key store file. If not given, the type is automatically The trust store which holds the certificate information of the certificates to
detected based on the file name. If 'fips-mode' is set to 'strict' and no trust.
value is set, it defaults to 'BCFKS'. --https-trust-store-password <password>
--https-port <port> The used HTTPS port. Default: 8443. The password of the trust store file.
--https-protocols <protocols> --https-trust-store-type <type>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The type of the trust store file. If not given, the type is automatically
--https-trust-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The trust store which holds the certificate information of the certificates to value is set, it defaults to 'BCFKS'.
trust.
--https-trust-store-password <password> Proxy:
The password of the trust store file.
--https-trust-store-type <type> --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
The type of the trust store file. If not given, the type is automatically Possible values are: none, edge, reencrypt, passthrough. Default: none.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'. Vault:
Config: --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source. Logging:
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--config-keystore-type <config-keystore-type> are: console, file, gelf. Default: console.
Specifies a type of the KeyStore Configuration Source. Default: PKCS12. --log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
Proxy: --log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
Possible values are: none, edge, reencrypt, passthrough. Default: none. -5p [%c] (%t) %s%e%n.
--log-console-output <output>
Vault: Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --log-file <file> Set the log file path and filename. Default: data/log/keycloak.log.
given directory. --log-file-format <format>
--vault-file <file> Path to the keystore file. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
--vault-pass <pass> Password for the vault keystore. SSS} %-5p [%c] (%t) %s%e%n.
--vault-type <type> Specifies the type of the keystore file. Default: PKCS12. --log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
Logging: values are: default, json. Default: default.
--log-gelf-facility <name>
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values The facility (name of the process) that sends the message. Default: keycloak.
are: console, file, gelf. Default: console. --log-gelf-host <hostname>
--log-console-color <true|false> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
Enable or disable colors when logging to console. Default: false. host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
--log-console-format <format> localhost.
The format of unstructured console log entries. If the format has spaces in --log-gelf-include-location <true|false>
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % Include source code location. Default: true.
-5p [%c] (%t) %s%e%n. --log-gelf-include-message-parameters <true|false>
--log-console-output <output> Include message parameters from the log event. Default: true.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-include-stack-trace <true|false>
values are: default, json. Default: default. If set to true, occuring stack traces are included in the 'StackTrace' field
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log. in the GELF output. Default: true.
--log-file-format <format> --log-gelf-level <level>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, The log level specifying which message levels will be logged by the GELF
SSS} %-5p [%c] (%t) %s%e%n. logger. Message levels lower than this value will be discarded. Default:
--log-file-output <output> INFO.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-max-message-size <size>
values are: default, json. Default: default. Maximum message size (in bytes). If the message size is exceeded, GELF will
--log-gelf-facility <name> submit the message in multiple chunks. Default: 8192.
The facility (name of the process) that sends the message. Default: keycloak. --log-gelf-port <port>
--log-gelf-host <hostname> The port the Logstash or Graylog Host is called on. Default: 12201.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-gelf-timestamp-format <pattern>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
localhost. pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-gelf-include-location <true|false> --log-level <category:level>
Include source code location. Default: true. The log level of the root category or a comma-separated list of individual
--log-gelf-include-message-parameters <true|false> categories and their levels. For the root category, you don't need to
Include message parameters from the log event. Default: true. specify a category. Default: info.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field By default, this command tries to update the server configuration by running a
in the GELF output. Default: true. 'build' before starting the server. You can disable this behavior by using the
--log-gelf-level <level> '--optimized' option:
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default: $ kc.bat start '--optimized'
INFO.
--log-gelf-max-message-size <size> By doing that, the server should start faster based on any previous
Maximum message size (in bytes). If the message size is exceeded, GELF will configuration you have set when manually running the 'build' command.
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.
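Review bot: The new side of this `kc.bat start` help listing drops the entries for `--db-driver`, `--hostname-debug`, `--config-keystore`, `--config-keystore-password`, `--config-keystore-type`, `--vault-file`, `--vault-pass` and `--vault-type`, and changes the `--log-file` default from `data\log\keycloak.log` to `data/log/keycloak.log`. None of this relates to the welcome theme. Going by the hunk header (200 lines before, 181 after), these look like entries rolled back along with the revert rather than options that were actually removed. If the CLI still exposes them, the listing is stale and no longer documents the keystore and vault settings. I would regenerate the listing from the current build instead of restoring the old text, keeping lines such as `--hostname-debug <true|false>` and `--vault-type <type>`. The next file section, the listing that also shows `Storage (Experimental):`, loses the same entries.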


@ -1,219 +1,200 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Storage (Experimental): Storage (Experimental):
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir> --storage-file-dir <dir>
Experimental: Root directory for file map store. Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user. Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port> --storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server. Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username> --storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user. Experimental: Sets the username of the Infinispan user.
Database: Database:
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-password <password>
driver is set accordingly to the chosen database. The password of the database user.
--db-password <password> --db-pool-initial-size <size>
The password of the database user. The initial size of the connection pool.
--db-pool-initial-size <size> --db-pool-max-size <size>
The initial size of the connection pool. The maximum size of the connection pool. Default: 100.
--db-pool-max-size <size> --db-pool-min-size <size>
The maximum size of the connection pool. Default: 100. The minimal size of the connection pool.
--db-pool-min-size <size> --db-schema <schema> The database schema to be used.
The minimal size of the connection pool. --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
--db-schema <schema> The database schema to be used. selected database vendor. For instance, if using 'postgres', the default
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
selected database vendor. For instance, if using 'postgres', the default --db-url-database <dbname>
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. Sets the database name of the default JDBC URL of the chosen vendor. If the
--db-url-database <dbname> `db-url` option is set, this option is ignored.
Sets the database name of the default JDBC URL of the chosen vendor. If the --db-url-host <hostname>
`db-url` option is set, this option is ignored. Sets the hostname of the default JDBC URL of the chosen vendor. If the
--db-url-host <hostname> `db-url` option is set, this option is ignored.
Sets the hostname of the default JDBC URL of the chosen vendor. If the --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
`db-url` option is set, this option is ignored. option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-properties <properties>
option is set, this option is ignored. Sets the properties of the default JDBC URL of the chosen vendor. If the
--db-url-properties <properties> `db-url` option is set, this option is ignored.
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to --db-username <username>
set the properties accordingly to the format expected by the database The username of the database user.
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored. Hostname:
--db-username <username>
The username of the database user. --hostname <hostname>
Hostname for the Keycloak server.
Hostname: --hostname-admin <hostname>
The hostname for accessing the administration console. Use this option if you
--hostname <hostname> are exposing the administration console using a hostname other than the
Hostname for the Keycloak server. value set to the 'hostname' option.
--hostname-admin <hostname> --hostname-admin-url <url>
The hostname for accessing the administration console. Use this option if you Set the base URL for accessing the administration console, including scheme,
are exposing the administration console using a hostname other than the host, port and path
value set to the 'hostname' option. --hostname-path <path>
--hostname-admin-url <url> This should be set if proxy uses a different context-path for Keycloak.
Set the base URL for accessing the administration console, including scheme, --hostname-port <port>
host, port and path The port used by the proxy when exposing the hostname. Set this option if the
--hostname-debug <true|false> proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
Toggle the hostname debug page that is accessible at --hostname-strict <true|false>
/realms/master/hostname-debug Default: false. Disables dynamically resolving the hostname from request headers. Should
--hostname-path <path> always be set to true in production, unless proxy verifies the Host header.
This should be set if proxy uses a different context-path for Keycloak. Default: true.
--hostname-port <port> --hostname-strict-backchannel <true|false>
The port used by the proxy when exposing the hostname. Set this option if the By default backchannel URLs are dynamically resolved from request headers to
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. allow internal and external applications. If all applications use the public
--hostname-strict <true|false> URL this option should be enabled. Default: false.
Disables dynamically resolving the hostname from request headers. Should --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
always be set to true in production, unless proxy verifies the Host header.
Default: true. HTTP/TLS:
--hostname-strict-backchannel <true|false>
By default backchannel URLs are dynamically resolved from request headers to --http-enabled <true|false>
allow internal and external applications. If all applications use the public Enables the HTTP listener. Default: false.
URL this option should be enabled. Default: false. --http-host <host> The used HTTP Host. Default: 0.0.0.0.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. --http-port <port> The used HTTP port. Default: 8080.
--https-certificate-file <file>
HTTP/TLS: The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
--http-enabled <true|false> The file path to a private key in PEM format.
Enables the HTTP listener. Default: false. --https-cipher-suites <ciphers>
--http-host <host> The used HTTP Host. Default: 0.0.0.0. The cipher suites to use. If none is given, a reasonable default is selected.
--http-port <port> The used HTTP port. Default: 8080. --https-client-auth <auth>
--https-certificate-file <file> Configures the server to require/request client authentication. Possible
The file path to a server certificate or certificate chain in PEM format. values are: none, request, required. Default: none.
--https-certificate-key-file <file> --https-key-store-file <file>
The file path to a private key in PEM format. The key store which holds the certificate information instead of specifying
--https-cipher-suites <ciphers> separate files.
The cipher suites to use. If none is given, a reasonable default is selected. --https-key-store-password <password>
--https-client-auth <auth> The password of the key store file. Default: password.
Configures the server to require/request client authentication. Possible --https-key-store-type <type>
values are: none, request, required. Default: none. The type of the key store file. If not given, the type is automatically
--https-key-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The key store which holds the certificate information instead of specifying value is set, it defaults to 'BCFKS'.
separate files. --https-port <port> The used HTTPS port. Default: 8443.
--https-key-store-password <password> --https-protocols <protocols>
The password of the key store file. Default: password. The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-key-store-type <type> --https-trust-store-file <file>
The type of the key store file. If not given, the type is automatically The trust store which holds the certificate information of the certificates to
detected based on the file name. If 'fips-mode' is set to 'strict' and no trust.
value is set, it defaults to 'BCFKS'. --https-trust-store-password <password>
--https-port <port> The used HTTPS port. Default: 8443. The password of the trust store file.
--https-protocols <protocols> --https-trust-store-type <type>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The type of the trust store file. If not given, the type is automatically
--https-trust-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The trust store which holds the certificate information of the certificates to value is set, it defaults to 'BCFKS'.
trust.
--https-trust-store-password <password> Proxy:
The password of the trust store file.
--https-trust-store-type <type> --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
The type of the trust store file. If not given, the type is automatically Possible values are: none, edge, reencrypt, passthrough. Default: none.
detected based on the file name. If 'fips-mode' is set to 'strict' and no
value is set, it defaults to 'BCFKS'. Vault:
Config: --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
given directory.
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source. Logging:
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--config-keystore-type <config-keystore-type> are: console, file, gelf. Default: console.
Specifies a type of the KeyStore Configuration Source. Default: PKCS12. --log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
Proxy: --log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
Possible values are: none, edge, reencrypt, passthrough. Default: none. -5p [%c] (%t) %s%e%n.
--log-console-output <output>
Vault: Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the --log-file <file> Set the log file path and filename. Default: data/log/keycloak.log.
given directory. --log-file-format <format>
--vault-file <file> Path to the keystore file. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
--vault-pass <pass> Password for the vault keystore. SSS} %-5p [%c] (%t) %s%e%n.
--vault-type <type> Specifies the type of the keystore file. Default: PKCS12. --log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
Logging: values are: default, json. Default: default.
--log-gelf-facility <name>
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values The facility (name of the process) that sends the message. Default: keycloak.
are: console, file, gelf. Default: console. --log-gelf-host <hostname>
--log-console-color <true|false> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
Enable or disable colors when logging to console. Default: false. host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
--log-console-format <format> localhost.
The format of unstructured console log entries. If the format has spaces in --log-gelf-include-location <true|false>
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % Include source code location. Default: true.
-5p [%c] (%t) %s%e%n. --log-gelf-include-message-parameters <true|false>
--log-console-output <output> Include message parameters from the log event. Default: true.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-include-stack-trace <true|false>
values are: default, json. Default: default. If set to true, occuring stack traces are included in the 'StackTrace' field
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log. in the GELF output. Default: true.
--log-file-format <format> --log-gelf-level <level>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, The log level specifying which message levels will be logged by the GELF
SSS} %-5p [%c] (%t) %s%e%n. logger. Message levels lower than this value will be discarded. Default:
--log-file-output <output> INFO.
Set the log output to JSON or default (plain) unstructured logging. Possible --log-gelf-max-message-size <size>
values are: default, json. Default: default. Maximum message size (in bytes). If the message size is exceeded, GELF will
--log-gelf-facility <name> submit the message in multiple chunks. Default: 8192.
The facility (name of the process) that sends the message. Default: keycloak. --log-gelf-port <port>
--log-gelf-host <hostname> The port the Logstash or Graylog Host is called on. Default: 12201.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-gelf-timestamp-format <pattern>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
localhost. pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-gelf-include-location <true|false> --log-level <category:level>
Include source code location. Default: true. The log level of the root category or a comma-separated list of individual
--log-gelf-include-message-parameters <true|false> categories and their levels. For the root category, you don't need to
Include message parameters from the log event. Default: true. specify a category. Default: info.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field By default, this command tries to update the server configuration by running a
in the GELF output. Default: true. 'build' before starting the server. You can disable this behavior by using the
--log-gelf-level <level> '--optimized' option:
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default: $ kc.bat start '--optimized'
INFO.
--log-gelf-max-message-size <size> By doing that, the server should start faster based on any previous
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command. configuration you have set when manually running the 'build' command.


@ -56,10 +56,6 @@ public interface ThemeSelectorProvider extends Provider {
return DEFAULT_V2; return DEFAULT_V2;
} }
if ((type == Theme.Type.WELCOME) && !Profile.isFeatureEnabled(Profile.Feature.LEGACY_WELCOME)) {
return DEFAULT_V2;
}
return DEFAULT; return DEFAULT;
} }


@ -61,7 +61,7 @@ public class ServerInfoTest extends AbstractKeycloakTest {
Assert.assertNames(info.getThemes().get("admin"), "base", "keycloak.v2"); Assert.assertNames(info.getThemes().get("admin"), "base", "keycloak.v2");
Assert.assertNames(info.getThemes().get("email"), "base", "keycloak"); Assert.assertNames(info.getThemes().get("email"), "base", "keycloak");
Assert.assertNames(info.getThemes().get("login"), "address", "base", "environment-agnostic", "keycloak"); Assert.assertNames(info.getThemes().get("login"), "address", "base", "environment-agnostic", "keycloak");
Assert.assertNames(info.getThemes().get("welcome"), "keycloak", "keycloak.v2"); Assert.assertNames(info.getThemes().get("welcome"), "keycloak");
assertNotNull(info.getEnums()); assertNotNull(info.getEnums());


@ -15,14 +15,12 @@
<properties> <properties>
<dir.common>src/main/resources/theme/keycloak/common/resources</dir.common> <dir.common>src/main/resources/theme/keycloak/common/resources</dir.common>
<dir.account2>src/main/resources/theme/keycloak.v2/account/src</dir.account2> <dir.account2>src/main/resources/theme/keycloak.v2/account/src</dir.account2>
<dir.welcome2>src/main/resources/theme/keycloak.v2/welcome</dir.welcome2>
<args.npm.install>ci --no-optional --ignore-scripts</args.npm.install> <args.npm.install>ci --no-optional --ignore-scripts</args.npm.install>
<!-- ignore folders for incremental builds by the maven build cache plugin --> <!-- ignore folders for incremental builds by the maven build cache plugin -->
<maven.build.cache.exclude.1>${project.basedir}/src/main/resources/theme/keycloak/common/resources/node_modules</maven.build.cache.exclude.1> <maven.build.cache.exclude.1>${project.basedir}/src/main/resources/theme/keycloak/common/resources/node_modules</maven.build.cache.exclude.1>
<maven.build.cache.exclude.2>${project.basedir}/src/main/resources/theme/keycloak/common/resources/web_modules</maven.build.cache.exclude.2> <maven.build.cache.exclude.2>${project.basedir}/src/main/resources/theme/keycloak/common/resources/web_modules</maven.build.cache.exclude.2>
<maven.build.cache.exclude.3>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/node_modules</maven.build.cache.exclude.3> <maven.build.cache.exclude.3>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/node_modules</maven.build.cache.exclude.3>
<maven.build.cache.exclude.4>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/web_modules</maven.build.cache.exclude.4> <maven.build.cache.exclude.4>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/web_modules</maven.build.cache.exclude.4>
<maven.build.cache.exclude.5>${project.basedir}/src/main/resources/theme/keycloak.v2/welcome/node_modules</maven.build.cache.exclude.5>
</properties> </properties>
<build> <build>
@ -168,83 +166,6 @@
</build> </build>
</profile> </profile>
<profile>
<id>welcome2</id>
<activation>
<property>
<name>!skipWelcome2</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<configuration>
<filesets>
<fileset>
<directory>${dir.welcome2}/node_modules</directory>
<directory>${dir.welcome2}/resources/vendor</directory>
</fileset>
</filesets>
</configuration>
</plugin>
<plugin>
<groupId>com.github.eirslett</groupId>
<artifactId>frontend-maven-plugin</artifactId>
<executions>
<execution>
<id>setup-node</id>
<goals>
<goal>install-node-and-npm</goal>
</goals>
<phase>initialize</phase>
</execution>
<execution>
<id>npm-install-welcome2</id>
<phase>initialize</phase>
<goals>
<goal>npm</goal>
</goals>
<configuration>
<workingDirectory>${dir.welcome2}</workingDirectory>
<arguments>${args.npm.install}</arguments>
</configuration>
</execution>
</executions>
<configuration>
<nodeVersion>${node.version}</nodeVersion>
<installDirectory>../</installDirectory>
</configuration>
</plugin>
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<executions>
<execution>
<id>copy-patternfly</id>
<phase>generate-resources</phase>
<goals>
<goal>copy-resources</goal>
</goals>
<configuration>
<outputDirectory>${dir.welcome2}/resources/vendor/patternfly</outputDirectory>
<resources>
<resource>
<directory>${dir.welcome2}/node_modules/@patternfly/patternfly</directory>
<includes>
<include>patternfly.css</include>
<include>patternfly-addons.css</include>
<include>assets/fonts/**/*</include>
</includes>
</resource>
</resources>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile> <profile>
<id>common</id> <id>common</id>
<activation> <activation>


@ -7,6 +7,6 @@
"types": [ "login", "common", "email", "welcome" ] "types": [ "login", "common", "email", "welcome" ]
}, { }, {
"name" : "keycloak.v2", "name" : "keycloak.v2",
"types": [ "account", "admin", "welcome" ] "types": [ "account", "admin" ]
}] }]
} }
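Review bot: Dropping `welcome` from the `keycloak.v2` entry leaves nothing in this commit that covers a server whose welcome theme was explicitly set to `keycloak.v2` while the new screen was available. The updated `ServerInfoTest` assertion only confirms that the welcome list now reads `"keycloak"`; nothing visible here shows whether such a configuration falls back to the default theme or fails to render the page on which the initial admin user is created. If that fallback is not already covered elsewhere, a line in the upgrade notes such as `The keycloak.v2 welcome theme has been removed; unset any explicit welcome theme setting that names it.` would spare operators a broken bootstrap page.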


@ -1 +0,0 @@
resources/vendor


@ -1,205 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Welcome to ${productName}</title>
<meta name="robots" content="noindex, nofollow">
<link rel="shortcut icon" href="${resourcesPath}/img/favicon.ico">
<#if properties.stylesCommon?has_content>
<#list properties.stylesCommon?split(' ') as style>
<link href="${resourcesCommonPath}/${style}" rel="stylesheet">
</#list>
</#if>
<#if properties.styles?has_content>
<#list properties.styles?split(' ') as style>
<link href="${resourcesPath}/${style}" rel="stylesheet">
</#list>
</#if>
</head>
<body>
<div class="pf-v5-c-page">
<main class="pf-v5-c-page__main">
<section class="pf-v5-c-page__main-section pf-m-limit-width pf-m-align-center">
<div class="pf-v5-c-page__main-body">
<div class="pf-v5-c-content">
<h1 class="pf-v5-c-title pf-m-2xl pf-v5-u-mb-lg">Welcome to <strong>${productName}</strong></h1>
</div>
<div class="pf-v5-l-grid pf-m-gutter pf-m-all-4-col-on-sm">
<#if adminConsoleEnabled>
<div class="pf-v5-l-grid__item">
<div class="pf-v5-c-card pf-m-full-height">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Administration Console</h2>
</div>
<div class="pf-v5-c-card__body">
<#if bootstrap>
<#if localUser>
<div class="pf-v5-c-content">
<p class="pf-v5-u-mb-sm">Please create an initial admin user to get started.</p>
</div>
<form id="create-user" class="pf-v5-c-form" method="post" novalidate>
<div class="pf-v5-c-form__group">
<div class="pf-v5-c-form__group-label">
<label class="pf-v5-c-form__label" for="username">
<span class="pf-v5-c-form__label-text">Username</span>&nbsp;<span class="pf-v5-c-form__label-required" aria-hidden="true">&#42;</span>
</label>
</div>
<div class="pf-v5-c-form__group-control">
<span class="pf-v5-c-form-control pf-m-required">
<input id="username" type="text" name="username" autocomplete="username" required>
</span>
</div>
</div>
<div class="pf-v5-c-form__group">
<div class="pf-v5-c-form__group-label">
<label class="pf-v5-c-form__label" for="password">
<span class="pf-v5-c-form__label-text">Password</span>&nbsp;<span class="pf-v5-c-form__label-required" aria-hidden="true">&#42;</span>
</label>
</div>
<div class="pf-v5-c-form__group-control">
<span class="pf-v5-c-form-control pf-m-required">
<input id="password" type="password" name="password" autocomplete="new-password" required>
</span>
</div>
</div>
<div class="pf-v5-c-form__group">
<div class="pf-v5-c-form__group-label">
<label class="pf-v5-c-form__label" for="password-confirmation">
<span class="pf-v5-c-form__label-text">Password confirmation</span>&nbsp;<span class="pf-v5-c-form__label-required" aria-hidden="true">&#42;</span>
</label>
</div>
<div class="pf-v5-c-form__group-control">
<span class="pf-v5-c-form-control pf-m-required">
<input id="password-confirmation" type="password" name="passwordConfirmation" autocomplete="new-password" required>
</span>
</div>
</div>
<input name="stateChecker" type="hidden" value="${stateChecker}">
<#if errorMessage?has_content>
<div class="pf-v5-c-alert pf-m-danger pf-m-plain pf-m-inline pf-v5-u-mb-sm">
<div class="pf-v5-c-alert__icon">
<i class="fas fa-fw fa-exclamation-circle" aria-hidden="true"></i>
</div>
<p class="pf-v5-c-alert__title">
${errorMessage}
</p>
</div>
</#if>
<div class="pf-v5-c-form__group pf-m-action">
<div class="pf-v5-c-form__actions">
<button class="pf-v5-c-button pf-m-primary" type="submit" form="create-user">Create user</button>
</div>
</div>
</form>
<#else>
<div class="pf-v5-c-content">
<p>
You will need local access to create the initial admin user.<br><br>
To create one open <a href="${localAdminUrl}">${localAdminUrl}</a>, or set the environment variables <code>KEYCLOAK_ADMIN</code> and <code>KEYCLOAK_ADMIN_PASSWORD</code> when starting the server.
</p>
</div>
</#if>
<#else>
<div class="pf-v5-c-content">
<p>Centrally manage all aspects of the ${productName} server.</p>
</div>
<#if successMessage?has_content>
<div class="pf-v5-c-alert pf-m-success pf-m-inline pf-v5-u-mt-lg">
<div class="pf-v5-c-alert__icon">
<i class="fas fa-fw fa-check-circle" aria-hidden="true"></i>
</div>
<p class="pf-v5-c-alert__title">
${successMessage}
</p>
</div>
</#if>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="${adminUrl}">
Visit the administration console
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</#if>
</div>
</div>
</div>
</#if>
<div class="pf-v5-l-grid__item">
<div class="pf-v5-c-card pf-m-full-height">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Documentation</h2>
</div>
<div class="pf-v5-c-card__body">User Guide, Admin REST API and Javadocs.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="${properties.documentationUrl}">
Read the documentation
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
<#if properties.displayCommunityLinks = "true">
<div class="pf-v5-l-grid__item">
<div class="pf-v5-l-grid pf-m-gutter">
<div class="pf-v5-l-grid__item pf-m-12-col">
<div class="pf-v5-c-card">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">${productName} Project</h2>
</div>
<div class="pf-v5-c-card__body">The home page of the ${productName} project.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="https://www.keycloak.org/">
Visit the ${productName} project
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
<div class="pf-v5-l-grid__item pf-m-12-col">
<div class="pf-v5-c-card">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Mailing List</h2>
</div>
<div class="pf-v5-c-card__body">Discussions about ${productName}.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="https://groups.google.com/g/keycloak-user">
Start a discussion
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
<div class="pf-v5-l-grid__item pf-m-12-col">
<div class="pf-v5-c-card">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Issue Tracker</h2>
</div>
<div class="pf-v5-c-card__body">Report issues with ${productName}.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="https://github.com/keycloak/keycloak/issues">
Report an issue
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
</div>
</div>
</#if>
</div>
</div>
</section>
</main>
</div>
</body>
</html>


@ -1,18 +0,0 @@
{
"name": "welcome-v2",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "welcome-v2",
"dependencies": {
"@patternfly/patternfly": "^5.0.2"
}
},
"node_modules/@patternfly/patternfly": {
"version": "5.0.2",
"resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-5.0.2.tgz",
"integrity": "sha512-PB8+MLdYVgF1hIOxGmnVsZG+YHUX3RePe5W1oMS4gS00EmSgw1cobr1Qbpy/BqqS8/R9DRN4hZ2FKDT0d5tkFQ=="
}
}
}


@ -1,6 +0,0 @@
{
"name": "welcome-v2",
"dependencies": {
"@patternfly/patternfly": "^5.0.2"
}
}


@ -1,6 +0,0 @@
import=common/keycloak
styles=vendor/patternfly/patternfly.css vendor/patternfly/patternfly-addons.css
documentationUrl=https://www.keycloak.org/documentation.html
displayCommunityLinks=true