libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Add new version of Welcome theme based on PatternFly 5 (#23008)

Browse source
This commit is contained in:
Jon Koops 2023-09-14 14:24:17 +02:00 committed by GitHub
parent 86c0e338d9
commit bcab75a7ef
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 2949 additions and 1817 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
.github/dependabot.yml vendored
View file

@ -22,6 +22,17 @@ updates:
labels: labels:
- area/dependencies - area/dependencies
- team/ui - team/ui
- package-ecosystem: npm
directory: /themes/src/main/resources/theme/keycloak.v2/welcome
schedule:
interval: daily
time: "00:00"
timezone: Etc/GMT
open-pull-requests-limit: 999
rebase-strategy: disabled
labels:
- area/dependencies
- team/ui
- package-ecosystem: npm - package-ecosystem: npm
directory: js directory: js
open-pull-requests-limit: 999 open-pull-requests-limit: 999

2
.github/workflows/js-ci.yml vendored
View file

@ -49,7 +49,7 @@ jobs:
- name: Build Keycloak - name: Build Keycloak
run: | run: |
./mvnw clean install --batch-mode --errors -DskipTests -DskipTestsuite -DskipExamples -DskipAccount2 -DskipCommon -Pdistribution ./mvnw clean install --batch-mode --errors -DskipTests -DskipTestsuite -DskipExamples -DskipAccount2 -DskipWelcome2 -DskipCommon -Pdistribution
mv ./quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz ./keycloak-999.0.0-SNAPSHOT.tar.gz mv ./quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz ./keycloak-999.0.0-SNAPSHOT.tar.gz
- name: Upload Keycloak dist - name: Upload Keycloak dist

2
common/src/main/java/org/keycloak/common/Profile.java
View file

@ -63,6 +63,8 @@ public class Profile {
WEB_AUTHN("W3C Web Authentication (WebAuthn)", Type.DEFAULT), WEB_AUTHN("W3C Web Authentication (WebAuthn)", Type.DEFAULT),
LEGACY_WELCOME("Disables the new 'welcome' theme, and restores the legacy version.", Type.DEPRECATED),
CLIENT_POLICIES("Client configuration policies", Type.DEFAULT), CLIENT_POLICIES("Client configuration policies", Type.DEFAULT),
CIBA("OpenID Connect Client Initiated Backchannel Authentication (CIBA)", Type.DEFAULT), CIBA("OpenID Connect Client Initiated Backchannel Authentication (CIBA)", Type.DEFAULT),

1
common/src/test/java/org/keycloak/common/ProfileTest.java
View file

@ -80,6 +80,7 @@ public class ProfileTest {
Profile.Feature.RECOVERY_CODES, Profile.Feature.RECOVERY_CODES,
Profile.Feature.SCRIPTS, Profile.Feature.SCRIPTS,
Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.TOKEN_EXCHANGE,
Profile.Feature.LEGACY_WELCOME,
Profile.Feature.MAP_STORAGE, Profile.Feature.MAP_STORAGE,
Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.DECLARATIVE_USER_PROFILE,
Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.CLIENT_SECRET_ROTATION,

3
quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/HostnameDistTest.java vendored
View file

@ -24,6 +24,7 @@ import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.DistributionTest; import org.keycloak.it.junit5.extension.DistributionTest;
import org.keycloak.it.junit5.extension.RawDistOnly; import org.keycloak.it.junit5.extension.RawDistOnly;
import org.keycloak.it.junit5.extension.WithEnvVars;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation; import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import org.keycloak.quarkus.runtime.services.resources.DebugHostnameSettingsResource; import org.keycloak.quarkus.runtime.services.resources.DebugHostnameSettingsResource;
@ -107,6 +108,7 @@ public class HostnameDistTest {
} }
@Test @Test
@WithEnvVars({ "KEYCLOAK_ADMIN", "admin", "KEYCLOAK_ADMIN_PASSWORD", "admin" })
@Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8543" }) @Launch({ "start", "--hostname=mykeycloak.org", "--hostname-port=8543" })
public void testWelcomePageAdminUrl() { public void testWelcomePageAdminUrl() {
Assert.assertTrue(when().get("http://mykeycloak.org:8080").asString().contains("http://mykeycloak.org:8080/admin/")); Assert.assertTrue(when().get("http://mykeycloak.org:8080").asString().contains("http://mykeycloak.org:8080/admin/"));
@ -172,6 +174,7 @@ public class HostnameDistTest {
} }
@Test @Test
@WithEnvVars({ "KEYCLOAK_ADMIN", "admin", "KEYCLOAK_ADMIN_PASSWORD", "admin" })
@Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.org:1234" }) @Launch({ "start", "--proxy=edge", "--hostname=mykeycloak.org", "--hostname-admin-url=http://mykeycloakadmin.org:1234" })
public void testAdminUrl() { public void testAdminUrl() {
Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("http://mykeycloakadmin.org:1234/admin/")); Assert.assertTrue(when().get("https://mykeycloak.org:8443").asString().contains("http://mykeycloakadmin.org:1234/admin/"));

2
quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/ProxyDistTest.java vendored
View file

@ -26,6 +26,7 @@ import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.DistributionTest; import org.keycloak.it.junit5.extension.DistributionTest;
import org.keycloak.it.junit5.extension.RawDistOnly; import org.keycloak.it.junit5.extension.RawDistOnly;
import org.keycloak.it.junit5.extension.WithEnvVars;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation; import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import io.quarkus.test.junit.main.Launch; import io.quarkus.test.junit.main.Launch;
@ -56,6 +57,7 @@ public class ProxyDistTest {
} }
@Test @Test
@WithEnvVars({ "KEYCLOAK_ADMIN", "admin", "KEYCLOAK_ADMIN_PASSWORD", "admin" })
@Launch({ "start-dev", "--hostname=mykeycloak.org", "--proxy=edge" }) @Launch({ "start-dev", "--hostname=mykeycloak.org", "--proxy=edge" })
public void testForwardedHeadersWithEdge() { public void testForwardedHeadersWithEdge() {
given().header("Forwarded", "for=12.34.56.78;host=test:1234;proto=https, for=23.45.67.89").when().get("http://mykeycloak.org:8080").then().body(containsString("https://test:1234/admin")); given().header("Forwarded", "for=12.34.56.78;host=test:1234;proto=https, for=23.45.67.89").when().get("http://mykeycloak.org:8080").then().body(containsString("https://test:1234/admin"));

8
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt vendored
View file

@ -48,16 +48,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
HTTP/TLS: HTTP/TLS:

238
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt vendored
View file

@ -1,119 +1,119 @@
Creates a new and optimized server image. Creates a new and optimized server image.
Usage: Usage:
kc.bat build [OPTIONS] kc.bat build [OPTIONS]
Creates a new and optimized server image based on the configuration options Creates a new and optimized server image based on the configuration options
passed to this command. Once created, the configuration will be persisted and passed to this command. Once created, the configuration will be persisted and
read during startup without having to pass them over again. read during startup without having to pass them over again.
Consider running this command before running the server in production for an Consider running this command before running the server in production for an
optimal runtime. optimal runtime.
Options: Options:
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
Transaction: Transaction:
--transaction-xa-enabled <true|false> --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. not support XA transactions. Default: true.
Feature: Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api, --features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
HTTP/TLS: HTTP/TLS:
--http-relative-path <path> --http-relative-path <path>
Set the path relative to '/' for serving resources. The path must start with a Set the path relative to '/' for serving resources. The path must start with a
'/'. Default: /. '/'. Default: /.
Health: Health:
--health-enabled <true|false> --health-enabled <true|false>
If the server should expose health check endpoints. If enabled, health checks If the server should expose health check endpoints. If enabled, health checks
are available at the '/health', '/health/ready' and '/health/live' are available at the '/health', '/health/ready' and '/health/live'
endpoints. Default: false. endpoints. Default: false.
Metrics: Metrics:
--metrics-enabled <true|false> --metrics-enabled <true|false>
If the server should expose metrics. If enabled, metrics are available at the If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false. '/metrics' endpoint. Default: false.
Vault: Vault:
--vault <provider> Enables a vault provider. Possible values are: file. --vault <provider> Enables a vault provider. Possible values are: file, keystore.
Security: Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on --fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled, mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips' which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default: feature is enabled. Possible values are: non-strict, strict. Default:
disabled. disabled.
Examples: Examples:
Change the database vendor: Change the database vendor:
$ kc.bat build --db=postgres $ kc.bat build --db=postgres
Enable a feature: Enable a feature:
$ kc.bat build --features=<feature_name> $ kc.bat build --features=<feature_name>
Or alternatively, enable all tech preview features: Or alternatively, enable all tech preview features:
$ kc.bat build --features=preview $ kc.bat build --features=preview
Enable health endpoints: Enable health endpoints:
$ kc.bat build --health-enabled=true $ kc.bat build --health-enabled=true
Enable metrics endpoints: Enable metrics endpoints:
$ kc.bat build --metrics-enabled=true $ kc.bat build --metrics-enabled=true
Change the relative path: Change the relative path:
$ kc.bat build --http-relative-path=/auth $ kc.bat build --http-relative-path=/auth

108
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testDefaultToHelp.windows.approved.txt vendored
View file

@ -1,55 +1,53 @@
Keycloak - Open Source Identity and Access Management Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest Find more information at: https://www.keycloak.org/docs/latest
Usage: Usage:
kc.bat [OPTIONS] [COMMAND] kc.bat [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster. Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.bat") to execute from the current folder. Options:
Options: -cf, --config-file <file>
Set the path to a configuration file. By default, configuration properties are
-cf, --config-file <file> read from the "keycloak.conf" file in the "conf" directory.
Set the path to a configuration file. By default, configuration properties are -h, --help This help message.
read from the "keycloak.conf" file in the "conf" directory. -v, --verbose Print out error details when running this command.
-h, --help This help message. -V, --version Show version information
-v, --verbose Print out error details when running this command.
-V, --version Show version information Commands:
Commands: build Creates a new and optimized server image.
start Start the server.
build Creates a new and optimized server image. start-dev Start the server in development mode.
start Start the server. export Export data from realms to a file or directory.
start-dev Start the server in development mode. import Import data from a directory or a file.
export Export data from realms to a file or directory. show-config Print out the current configuration.
import Import data from a directory or a file. tools Utilities for use and interaction with the server.
show-config Print out the current configuration. completion Generate bash/zsh completion script for kc.bat.
tools Utilities for use and interaction with the server.
completion Generate bash/zsh completion script for kc.bat. Examples:
Examples: Start the server in development mode for local development or testing:
Start the server in development mode for local development or testing: $ kc.bat start-dev
$ kc.bat start-dev Building an optimized server runtime:
Building an optimized server runtime: $ kc.bat build <OPTIONS>
$ kc.bat build <OPTIONS> Start the server in production mode:
Start the server in production mode: $ kc.bat start <OPTIONS>
$ kc.bat start <OPTIONS> Enable auto-completion to bash/zsh:
Enable auto-completion to bash/zsh: $ source <(kc.bat tools completion)
$ source <(kc.bat tools completion) Please, take a look at the documentation for more details before deploying in
production.
Please, take a look at the documentation for more details before deploying in
production. Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.
Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt vendored
View file

@ -59,16 +59,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -142,4 +142,4 @@ Export:
--users-per-file <number> --users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing 'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50. export times. Default: 50.

145
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.windows.approved.txt vendored Normal file
View file

@ -0,0 +1,145 @@
Export data from realms to a file or directory.
Usage:
kc.bat export [OPTIONS]
Export data from realms to a file or directory.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Export:
--dir <dir> Set the path to a directory where files will be created with the exported data.
--file <file> Set the path to a file that will be created with the exported data. To export
more than 500 users, export to a directory with different files instead.
--realm <realm> Set the name of the realm to export. If not set, all realms are going to be
exported.
--users <strategy> Set how users should be exported. Possible values are: skip, realm_file,
same_file, different_files. Default: different_files.
--users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt vendored
View file

@ -122,16 +122,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -205,4 +205,4 @@ Export:
--users-per-file <number> --users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing 'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50. export times. Default: 50.

208
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.windows.approved.txt vendored Normal file
View file

@ -0,0 +1,208 @@
Export data from realms to a file or directory.
Usage:
kc.bat export [OPTIONS]
Export data from realms to a file or directory.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file.
--storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file.
--storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file.
--storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file.
--storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file.
--storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file.
--storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod.
--storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file.
--storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Export:
--dir <dir> Set the path to a directory where files will be created with the exported data.
--file <file> Set the path to a file that will be created with the exported data. To export
more than 500 users, export to a directory with different files instead.
--realm <realm> Set the name of the realm to export. If not set, all realms are going to be
exported.
--users <strategy> Set how users should be exported. Possible values are: skip, realm_file,
same_file, different_files. Default: different_files.
--users-per-file <number>
Set the number of users per file. It is used only if 'users' is set to
'different_files'. Increasing this number leads to exponentially increasing
export times. Default: 50.

108
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testHelp.windows.approved.txt vendored
View file

@ -1,55 +1,53 @@
Keycloak - Open Source Identity and Access Management Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest Find more information at: https://www.keycloak.org/docs/latest
Usage: Usage:
kc.bat [OPTIONS] [COMMAND] kc.bat [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster. Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.bat") to execute from the current folder. Options:
Options: -cf, --config-file <file>
Set the path to a configuration file. By default, configuration properties are
-cf, --config-file <file> read from the "keycloak.conf" file in the "conf" directory.
Set the path to a configuration file. By default, configuration properties are -h, --help This help message.
read from the "keycloak.conf" file in the "conf" directory. -v, --verbose Print out error details when running this command.
-h, --help This help message. -V, --version Show version information
-v, --verbose Print out error details when running this command.
-V, --version Show version information Commands:
Commands: build Creates a new and optimized server image.
start Start the server.
build Creates a new and optimized server image. start-dev Start the server in development mode.
start Start the server. export Export data from realms to a file or directory.
start-dev Start the server in development mode. import Import data from a directory or a file.
export Export data from realms to a file or directory. show-config Print out the current configuration.
import Import data from a directory or a file. tools Utilities for use and interaction with the server.
show-config Print out the current configuration. completion Generate bash/zsh completion script for kc.bat.
tools Utilities for use and interaction with the server.
completion Generate bash/zsh completion script for kc.bat. Examples:
Examples: Start the server in development mode for local development or testing:
Start the server in development mode for local development or testing: $ kc.bat start-dev
$ kc.bat start-dev Building an optimized server runtime:
Building an optimized server runtime: $ kc.bat build <OPTIONS>
$ kc.bat build <OPTIONS> Start the server in production mode:
Start the server in production mode: $ kc.bat start <OPTIONS>
$ kc.bat start <OPTIONS> Enable auto-completion to bash/zsh:
Enable auto-completion to bash/zsh: $ source <(kc.bat tools completion)
$ source <(kc.bat tools completion) Please, take a look at the documentation for more details before deploying in
production.
Please, take a look at the documentation for more details before deploying in
production. Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.
Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.

108
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testHelpShort.windows.approved.txt vendored
View file

@ -1,55 +1,53 @@
Keycloak - Open Source Identity and Access Management Keycloak - Open Source Identity and Access Management
Find more information at: https://www.keycloak.org/docs/latest Find more information at: https://www.keycloak.org/docs/latest
Usage: Usage:
kc.bat [OPTIONS] [COMMAND] kc.bat [OPTIONS] [COMMAND]
Use this command-line tool to manage your Keycloak cluster. Use this command-line tool to manage your Keycloak cluster.
Make sure the command is available on your "PATH" or prefix it with "./" (e.g.:
"./kc.bat") to execute from the current folder. Options:
Options: -cf, --config-file <file>
Set the path to a configuration file. By default, configuration properties are
-cf, --config-file <file> read from the "keycloak.conf" file in the "conf" directory.
Set the path to a configuration file. By default, configuration properties are -h, --help This help message.
read from the "keycloak.conf" file in the "conf" directory. -v, --verbose Print out error details when running this command.
-h, --help This help message. -V, --version Show version information
-v, --verbose Print out error details when running this command.
-V, --version Show version information Commands:
Commands: build Creates a new and optimized server image.
start Start the server.
build Creates a new and optimized server image. start-dev Start the server in development mode.
start Start the server. export Export data from realms to a file or directory.
start-dev Start the server in development mode. import Import data from a directory or a file.
export Export data from realms to a file or directory. show-config Print out the current configuration.
import Import data from a directory or a file. tools Utilities for use and interaction with the server.
show-config Print out the current configuration. completion Generate bash/zsh completion script for kc.bat.
tools Utilities for use and interaction with the server.
completion Generate bash/zsh completion script for kc.bat. Examples:
Examples: Start the server in development mode for local development or testing:
Start the server in development mode for local development or testing: $ kc.bat start-dev
$ kc.bat start-dev Building an optimized server runtime:
Building an optimized server runtime: $ kc.bat build <OPTIONS>
$ kc.bat build <OPTIONS> Start the server in production mode:
Start the server in production mode: $ kc.bat start <OPTIONS>
$ kc.bat start <OPTIONS> Enable auto-completion to bash/zsh:
Enable auto-completion to bash/zsh: $ source <(kc.bat tools completion)
$ source <(kc.bat tools completion) Please, take a look at the documentation for more details before deploying in
production.
Please, take a look at the documentation for more details before deploying in
production. Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.
Use "kc.bat start --help" for the available options when starting the server.
Use "kc.bat <command> --help" for more information about other commands.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt vendored
View file

@ -59,16 +59,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -136,4 +136,4 @@ Import:
--file <file> Set the path to a file that will be read. --file <file> Set the path to a file that will be read.
--override <true|false> --override <true|false>
Set if existing data should be overwritten. If set to false, data will be Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true. ignored. Default: true.

139
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.windows.approved.txt vendored Normal file
View file

@ -0,0 +1,139 @@
Import data from a directory or a file.
Usage:
kc.bat import [OPTIONS]
Import data from a directory or a file.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Import:
--dir <dir> Set the path to a directory where files will be read from.
--file <file> Set the path to a file that will be read.
--override <true|false>
Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt vendored
View file

@ -122,16 +122,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Config: Config:
@ -199,4 +199,4 @@ Import:
--file <file> Set the path to a file that will be read. --file <file> Set the path to a file that will be read.
--override <true|false> --override <true|false>
Set if existing data should be overwritten. If set to false, data will be Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true. ignored. Default: true.

202
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.windows.approved.txt vendored Normal file
View file

@ -0,0 +1,202 @@
Import data from a directory or a file.
Usage:
kc.bat import [OPTIONS]
Import data from a directory or a file.
Options:
-h, --help This help message.
--help-all This same help message but with additional options.
--optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command.
Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file.
--storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file.
--storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file.
--storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file.
--storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file.
--storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file.
--storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file.
--storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod.
--storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file.
--storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted.
--storage-file-dir <dir>
Experimental: Root directory for file map store.
--storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres.
Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database.
--db-password <password>
The password of the database user.
--db-pool-initial-size <size>
The initial size of the connection pool.
--db-pool-max-size <size>
The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored.
--db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
The username of the database user.
Transaction:
--transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true.
Feature:
--features <feature> Enables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
--features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn.
Config:
--config-keystore <config-keystore>
Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Logging:
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console.
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
-5p [%c] (%t) %s%e%n.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-file-format <format>
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default.
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak.
--log-gelf-host <hostname>
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
localhost.
--log-gelf-include-location <true|false>
Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
--log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
logger. Message levels lower than this value will be discarded. Default:
INFO.
--log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Import:
--dir <dir> Set the path to a directory where files will be read from.
--file <file> Set the path to a file that will be read.
--override <true|false>
Set if existing data should be overwritten. If set to false, data will be
ignored. Default: true.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt vendored
View file

@ -75,16 +75,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -254,4 +254,4 @@ Security:
Do NOT start the server using this command when deploying to production. Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build Use 'kc.sh start-dev --help-all' to list all available options, including build
options. options.

497
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt vendored
View file

@ -1,240 +1,257 @@
Start the server in development mode. Start the server in development mode.
Usage: Usage:
kc.bat start-dev [OPTIONS] kc.bat start-dev [OPTIONS]
Use this command if you want to run the server locally for development or Use this command if you want to run the server locally for development or
testing purposes. testing purposes.
Options: Options:
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. If the Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
`db-url` option is set, this option is ignored. set the properties accordingly to the format expected by the database
--db-username <username> vendor, as well as appending the right character at the beginning of this
The username of the database user. property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
Transaction: The username of the database user.
--transaction-xa-enabled <true|false> Transaction:
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
Feature: not support XA transactions. Default: true.
--features <feature> Enables a set of one or more features. Possible values are: account-api, Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, --features <feature> Enables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
--features-disabled <feature> preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Disables a set of one or more features. Possible values are: account-api, update-email, web-authn.
account2, account3, admin-api, admin-fine-grained-authz, admin2, --features-disabled <feature>
authorization, ciba, client-policies, client-secret-rotation, Disables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Hostname: update-email, web-authn.
--hostname <hostname> Hostname:
Hostname for the Keycloak server.
--hostname-admin <hostname> --hostname <hostname>
The hostname for accessing the administration console. Use this option if you Hostname for the Keycloak server.
are exposing the administration console using a hostname other than the --hostname-admin <hostname>
value set to the 'hostname' option. The hostname for accessing the administration console. Use this option if you
--hostname-admin-url <url> are exposing the administration console using a hostname other than the
Set the base URL for accessing the administration console, including scheme, value set to the 'hostname' option.
host, port and path --hostname-admin-url <url>
--hostname-path <path> Set the base URL for accessing the administration console, including scheme,
This should be set if proxy uses a different context-path for Keycloak. host, port and path
--hostname-port <port> --hostname-debug <true|false>
The port used by the proxy when exposing the hostname. Set this option if the Toggle the hostname debug page that is accessible at
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. /realms/master/hostname-debug Default: false.
--hostname-strict <true|false> --hostname-path <path>
Disables dynamically resolving the hostname from request headers. Should This should be set if proxy uses a different context-path for Keycloak.
always be set to true in production, unless proxy verifies the Host header. --hostname-port <port>
Default: true. The port used by the proxy when exposing the hostname. Set this option if the
--hostname-strict-backchannel <true|false> proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
By default backchannel URLs are dynamically resolved from request headers to --hostname-strict <true|false>
allow internal and external applications. If all applications use the public Disables dynamically resolving the hostname from request headers. Should
URL this option should be enabled. Default: false. always be set to true in production, unless proxy verifies the Host header.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Default: true.
--hostname-strict-backchannel <true|false>
HTTP/TLS: By default backchannel URLs are dynamically resolved from request headers to
allow internal and external applications. If all applications use the public
--http-enabled <true|false> URL this option should be enabled. Default: false.
Enables the HTTP listener. Default: false. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080. HTTP/TLS:
--http-relative-path <path>
Set the path relative to '/' for serving resources. The path must start with a --http-enabled <true|false>
'/'. Default: /. Enables the HTTP listener. Default: false.
--https-certificate-file <file> --http-host <host> The used HTTP Host. Default: 0.0.0.0.
The file path to a server certificate or certificate chain in PEM format. --http-port <port> The used HTTP port. Default: 8080.
--https-certificate-key-file <file> --http-relative-path <path>
The file path to a private key in PEM format. Set the path relative to '/' for serving resources. The path must start with a
--https-cipher-suites <ciphers> '/'. Default: /.
The cipher suites to use. If none is given, a reasonable default is selected. --https-certificate-file <file>
--https-client-auth <auth> The file path to a server certificate or certificate chain in PEM format.
Configures the server to require/request client authentication. Possible --https-certificate-key-file <file>
values are: none, request, required. Default: none. The file path to a private key in PEM format.
--https-key-store-file <file> --https-cipher-suites <ciphers>
The key store which holds the certificate information instead of specifying The cipher suites to use. If none is given, a reasonable default is selected.
separate files. --https-client-auth <auth>
--https-key-store-password <password> Configures the server to require/request client authentication. Possible
The password of the key store file. Default: password. values are: none, request, required. Default: none.
--https-key-store-type <type> --https-key-store-file <file>
The type of the key store file. If not given, the type is automatically The key store which holds the certificate information instead of specifying
detected based on the file name. If 'fips-mode' is set to 'strict' and no separate files.
value is set, it defaults to 'BCFKS'. --https-key-store-password <password>
--https-port <port> The used HTTPS port. Default: 8443. The password of the key store file. Default: password.
--https-protocols <protocols> --https-key-store-type <type>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The type of the key store file. If not given, the type is automatically
--https-trust-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The trust store which holds the certificate information of the certificates to value is set, it defaults to 'BCFKS'.
trust. --https-port <port> The used HTTPS port. Default: 8443.
--https-trust-store-password <password> --https-protocols <protocols>
The password of the trust store file. The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-trust-store-type <type> --https-trust-store-file <file>
The type of the trust store file. If not given, the type is automatically The trust store which holds the certificate information of the certificates to
detected based on the file name. If 'fips-mode' is set to 'strict' and no trust.
value is set, it defaults to 'BCFKS'. --https-trust-store-password <password>
The password of the trust store file.
Health: --https-trust-store-type <type>
The type of the trust store file. If not given, the type is automatically
--health-enabled <true|false> detected based on the file name. If 'fips-mode' is set to 'strict' and no
If the server should expose health check endpoints. If enabled, health checks value is set, it defaults to 'BCFKS'.
are available at the '/health', '/health/ready' and '/health/live'
endpoints. Default: false. Health:
Metrics: --health-enabled <true|false>
If the server should expose health check endpoints. If enabled, health checks
--metrics-enabled <true|false> are available at the '/health', '/health/ready' and '/health/live'
If the server should expose metrics. If enabled, metrics are available at the endpoints. Default: false.
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Specifies a path to the KeyStore Configuration Source.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
Vault: --config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Metrics:
given directory.
--metrics-enabled <true|false>
Logging: If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console. Proxy:
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--log-console-format <format> Possible values are: none, edge, reencrypt, passthrough. Default: none.
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % Vault:
-5p [%c] (%t) %s%e%n.
--log-console-output <output> --vault <provider> Enables a vault provider. Possible values are: file, keystore.
Set the log output to JSON or default (plain) unstructured logging. Possible --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
values are: default, json. Default: default. given directory.
--log-file <file> Set the log file path and filename. Default: data/log/keycloak.log. --vault-file <file> Path to the keystore file.
--log-file-format <format> --vault-pass <pass> Password for the vault keystore.
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, --vault-type <type> Specifies the type of the keystore file. Default: PKCS12.
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output> Logging:
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--log-gelf-facility <name> are: console, file, gelf. Default: console.
The facility (name of the process) that sends the message. Default: keycloak. --log-console-color <true|false>
--log-gelf-host <hostname> Enable or disable colors when logging to console. Default: false.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-console-format <format>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The format of unstructured console log entries. If the format has spaces in
localhost. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
--log-gelf-include-location <true|false> -5p [%c] (%t) %s%e%n.
Include source code location. Default: true. --log-console-output <output>
--log-gelf-include-message-parameters <true|false> Set the log output to JSON or default (plain) unstructured logging. Possible
Include message parameters from the log event. Default: true. values are: default, json. Default: default.
--log-gelf-include-stack-trace <true|false> --log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
If set to true, occuring stack traces are included in the 'StackTrace' field --log-file-format <format>
in the GELF output. Default: true. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
--log-gelf-level <level> SSS} %-5p [%c] (%t) %s%e%n.
The log level specifying which message levels will be logged by the GELF --log-file-output <output>
logger. Message levels lower than this value will be discarded. Default: Set the log output to JSON or default (plain) unstructured logging. Possible
INFO. values are: default, json. Default: default.
--log-gelf-max-message-size <size> --log-gelf-facility <name>
Maximum message size (in bytes). If the message size is exceeded, GELF will The facility (name of the process) that sends the message. Default: keycloak.
submit the message in multiple chunks. Default: 8192. --log-gelf-host <hostname>
--log-gelf-port <port> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The port the Logstash or Graylog Host is called on. Default: 12201. host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
--log-gelf-timestamp-format <pattern> localhost.
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat --log-gelf-include-location <true|false>
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Include source code location. Default: true.
--log-level <category:level> --log-gelf-include-message-parameters <true|false>
The log level of the root category or a comma-separated list of individual Include message parameters from the log event. Default: true.
categories and their levels. For the root category, you don't need to --log-gelf-include-stack-trace <true|false>
specify a category. Default: info. If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
Security: --log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on logger. Message levels lower than this value will be discarded. Default:
non-approved mode. For full FIPS compliance, set 'strict' to run on approved INFO.
mode. This option defaults to 'disabled' when 'fips' feature is disabled, --log-gelf-max-message-size <size>
which is by default. This option defaults to 'non-strict' when 'fips' Maximum message size (in bytes). If the message size is exceeded, GELF will
feature is enabled. Possible values are: non-strict, strict. Default: submit the message in multiple chunks. Default: 8192.
disabled. --log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
Do NOT start the server using this command when deploying to production. --log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
Use 'kc.bat start-dev --help-all' to list all available options, including pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
build options. --log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.
Use 'kc.bat start-dev --help-all' to list all available options, including
build options.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt vendored
View file

@ -138,16 +138,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -317,4 +317,4 @@ Security:
Do NOT start the server using this command when deploying to production. Do NOT start the server using this command when deploying to production.
Use 'kc.sh start-dev --help-all' to list all available options, including build Use 'kc.sh start-dev --help-all' to list all available options, including build
options. options.

623
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt vendored
View file

@ -1,303 +1,320 @@
Start the server in development mode. Start the server in development mode.
Usage: Usage:
kc.bat start-dev [OPTIONS] kc.bat start-dev [OPTIONS]
Use this command if you want to run the server locally for development or Use this command if you want to run the server locally for development or
testing purposes. testing purposes.
Options: Options:
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Storage (Experimental): Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible --storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type> --storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-authorization <type> --storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-client <type> --storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa, Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-client-scope <type> --storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are: Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-admin <type> --storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are: Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-auth <type> --storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file. events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type> --storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa, Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-login-failure <type> --storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-realm <type> --storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa, Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-role <type> --storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa, Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-single-use-object <type> --storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod.
--storage-area-user <type> --storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa, Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-user-session <type> --storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir> --storage-file-dir <dir>
Experimental: Root directory for file map store. Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user. Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port> --storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server. Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username> --storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user. Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type> --storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are: Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres. postgres, cockroach. Default: postgres.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. If the Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
`db-url` option is set, this option is ignored. set the properties accordingly to the format expected by the database
--db-username <username> vendor, as well as appending the right character at the beginning of this
The username of the database user. property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
Transaction: The username of the database user.
--transaction-xa-enabled <true|false> Transaction:
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
Feature: not support XA transactions. Default: true.
--features <feature> Enables a set of one or more features. Possible values are: account-api, Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, --features <feature> Enables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
--features-disabled <feature> preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Disables a set of one or more features. Possible values are: account-api, update-email, web-authn.
account2, account3, admin-api, admin-fine-grained-authz, admin2, --features-disabled <feature>
authorization, ciba, client-policies, client-secret-rotation, Disables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Hostname: update-email, web-authn.
--hostname <hostname> Hostname:
Hostname for the Keycloak server.
--hostname-admin <hostname> --hostname <hostname>
The hostname for accessing the administration console. Use this option if you Hostname for the Keycloak server.
are exposing the administration console using a hostname other than the --hostname-admin <hostname>
value set to the 'hostname' option. The hostname for accessing the administration console. Use this option if you
--hostname-admin-url <url> are exposing the administration console using a hostname other than the
Set the base URL for accessing the administration console, including scheme, value set to the 'hostname' option.
host, port and path --hostname-admin-url <url>
--hostname-path <path> Set the base URL for accessing the administration console, including scheme,
This should be set if proxy uses a different context-path for Keycloak. host, port and path
--hostname-port <port> --hostname-debug <true|false>
The port used by the proxy when exposing the hostname. Set this option if the Toggle the hostname debug page that is accessible at
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. /realms/master/hostname-debug Default: false.
--hostname-strict <true|false> --hostname-path <path>
Disables dynamically resolving the hostname from request headers. Should This should be set if proxy uses a different context-path for Keycloak.
always be set to true in production, unless proxy verifies the Host header. --hostname-port <port>
Default: true. The port used by the proxy when exposing the hostname. Set this option if the
--hostname-strict-backchannel <true|false> proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
By default backchannel URLs are dynamically resolved from request headers to --hostname-strict <true|false>
allow internal and external applications. If all applications use the public Disables dynamically resolving the hostname from request headers. Should
URL this option should be enabled. Default: false. always be set to true in production, unless proxy verifies the Host header.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Default: true.
--hostname-strict-backchannel <true|false>
HTTP/TLS: By default backchannel URLs are dynamically resolved from request headers to
allow internal and external applications. If all applications use the public
--http-enabled <true|false> URL this option should be enabled. Default: false.
Enables the HTTP listener. Default: false. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080. HTTP/TLS:
--http-relative-path <path>
Set the path relative to '/' for serving resources. The path must start with a --http-enabled <true|false>
'/'. Default: /. Enables the HTTP listener. Default: false.
--https-certificate-file <file> --http-host <host> The used HTTP Host. Default: 0.0.0.0.
The file path to a server certificate or certificate chain in PEM format. --http-port <port> The used HTTP port. Default: 8080.
--https-certificate-key-file <file> --http-relative-path <path>
The file path to a private key in PEM format. Set the path relative to '/' for serving resources. The path must start with a
--https-cipher-suites <ciphers> '/'. Default: /.
The cipher suites to use. If none is given, a reasonable default is selected. --https-certificate-file <file>
--https-client-auth <auth> The file path to a server certificate or certificate chain in PEM format.
Configures the server to require/request client authentication. Possible --https-certificate-key-file <file>
values are: none, request, required. Default: none. The file path to a private key in PEM format.
--https-key-store-file <file> --https-cipher-suites <ciphers>
The key store which holds the certificate information instead of specifying The cipher suites to use. If none is given, a reasonable default is selected.
separate files. --https-client-auth <auth>
--https-key-store-password <password> Configures the server to require/request client authentication. Possible
The password of the key store file. Default: password. values are: none, request, required. Default: none.
--https-key-store-type <type> --https-key-store-file <file>
The type of the key store file. If not given, the type is automatically The key store which holds the certificate information instead of specifying
detected based on the file name. If 'fips-mode' is set to 'strict' and no separate files.
value is set, it defaults to 'BCFKS'. --https-key-store-password <password>
--https-port <port> The used HTTPS port. Default: 8443. The password of the key store file. Default: password.
--https-protocols <protocols> --https-key-store-type <type>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The type of the key store file. If not given, the type is automatically
--https-trust-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The trust store which holds the certificate information of the certificates to value is set, it defaults to 'BCFKS'.
trust. --https-port <port> The used HTTPS port. Default: 8443.
--https-trust-store-password <password> --https-protocols <protocols>
The password of the trust store file. The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-trust-store-type <type> --https-trust-store-file <file>
The type of the trust store file. If not given, the type is automatically The trust store which holds the certificate information of the certificates to
detected based on the file name. If 'fips-mode' is set to 'strict' and no trust.
value is set, it defaults to 'BCFKS'. --https-trust-store-password <password>
The password of the trust store file.
Health: --https-trust-store-type <type>
The type of the trust store file. If not given, the type is automatically
--health-enabled <true|false> detected based on the file name. If 'fips-mode' is set to 'strict' and no
If the server should expose health check endpoints. If enabled, health checks value is set, it defaults to 'BCFKS'.
are available at the '/health', '/health/ready' and '/health/live'
endpoints. Default: false. Health:
Metrics: --health-enabled <true|false>
If the server should expose health check endpoints. If enabled, health checks
--metrics-enabled <true|false> are available at the '/health', '/health/ready' and '/health/live'
If the server should expose metrics. If enabled, metrics are available at the endpoints. Default: false.
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Specifies a path to the KeyStore Configuration Source.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
Vault: --config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Metrics:
given directory.
--metrics-enabled <true|false>
Logging: If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console. Proxy:
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--log-console-format <format> Possible values are: none, edge, reencrypt, passthrough. Default: none.
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % Vault:
-5p [%c] (%t) %s%e%n.
--log-console-output <output> --vault <provider> Enables a vault provider. Possible values are: file, keystore.
Set the log output to JSON or default (plain) unstructured logging. Possible --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
values are: default, json. Default: default. given directory.
--log-file <file> Set the log file path and filename. Default: data/log/keycloak.log. --vault-file <file> Path to the keystore file.
--log-file-format <format> --vault-pass <pass> Password for the vault keystore.
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, --vault-type <type> Specifies the type of the keystore file. Default: PKCS12.
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output> Logging:
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--log-gelf-facility <name> are: console, file, gelf. Default: console.
The facility (name of the process) that sends the message. Default: keycloak. --log-console-color <true|false>
--log-gelf-host <hostname> Enable or disable colors when logging to console. Default: false.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-console-format <format>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The format of unstructured console log entries. If the format has spaces in
localhost. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
--log-gelf-include-location <true|false> -5p [%c] (%t) %s%e%n.
Include source code location. Default: true. --log-console-output <output>
--log-gelf-include-message-parameters <true|false> Set the log output to JSON or default (plain) unstructured logging. Possible
Include message parameters from the log event. Default: true. values are: default, json. Default: default.
--log-gelf-include-stack-trace <true|false> --log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
If set to true, occuring stack traces are included in the 'StackTrace' field --log-file-format <format>
in the GELF output. Default: true. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
--log-gelf-level <level> SSS} %-5p [%c] (%t) %s%e%n.
The log level specifying which message levels will be logged by the GELF --log-file-output <output>
logger. Message levels lower than this value will be discarded. Default: Set the log output to JSON or default (plain) unstructured logging. Possible
INFO. values are: default, json. Default: default.
--log-gelf-max-message-size <size> --log-gelf-facility <name>
Maximum message size (in bytes). If the message size is exceeded, GELF will The facility (name of the process) that sends the message. Default: keycloak.
submit the message in multiple chunks. Default: 8192. --log-gelf-host <hostname>
--log-gelf-port <port> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The port the Logstash or Graylog Host is called on. Default: 12201. host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
--log-gelf-timestamp-format <pattern> localhost.
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat --log-gelf-include-location <true|false>
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Include source code location. Default: true.
--log-level <category:level> --log-gelf-include-message-parameters <true|false>
The log level of the root category or a comma-separated list of individual Include message parameters from the log event. Default: true.
categories and their levels. For the root category, you don't need to --log-gelf-include-stack-trace <true|false>
specify a category. Default: info. If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
Security: --log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on logger. Message levels lower than this value will be discarded. Default:
non-approved mode. For full FIPS compliance, set 'strict' to run on approved INFO.
mode. This option defaults to 'disabled' when 'fips' feature is disabled, --log-gelf-max-message-size <size>
which is by default. This option defaults to 'non-strict' when 'fips' Maximum message size (in bytes). If the message size is exceeded, GELF will
feature is enabled. Possible values are: non-strict, strict. Default: submit the message in multiple chunks. Default: 8192.
disabled. --log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
Do NOT start the server using this command when deploying to production. --log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
Use 'kc.bat start-dev --help-all' to list all available options, including pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
build options. --log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
Do NOT start the server using this command when deploying to production.
Use 'kc.bat start-dev --help-all' to list all available options, including
build options.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt vendored
View file

@ -81,16 +81,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -264,4 +264,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized' $ kc.sh start '--optimized'
By doing that, the server should start faster based on any previous By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command. configuration you have set when manually running the 'build' command.

517
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt vendored
View file

@ -1,250 +1,267 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. If the Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
`db-url` option is set, this option is ignored. set the properties accordingly to the format expected by the database
--db-username <username> vendor, as well as appending the right character at the beginning of this
The username of the database user. property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
Transaction: The username of the database user.
--transaction-xa-enabled <true|false> Transaction:
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
Feature: not support XA transactions. Default: true.
--features <feature> Enables a set of one or more features. Possible values are: account-api, Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, --features <feature> Enables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
--features-disabled <feature> preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Disables a set of one or more features. Possible values are: account-api, update-email, web-authn.
account2, account3, admin-api, admin-fine-grained-authz, admin2, --features-disabled <feature>
authorization, ciba, client-policies, client-secret-rotation, Disables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Hostname: update-email, web-authn.
--hostname <hostname> Hostname:
Hostname for the Keycloak server.
--hostname-admin <hostname> --hostname <hostname>
The hostname for accessing the administration console. Use this option if you Hostname for the Keycloak server.
are exposing the administration console using a hostname other than the --hostname-admin <hostname>
value set to the 'hostname' option. The hostname for accessing the administration console. Use this option if you
--hostname-admin-url <url> are exposing the administration console using a hostname other than the
Set the base URL for accessing the administration console, including scheme, value set to the 'hostname' option.
host, port and path --hostname-admin-url <url>
--hostname-path <path> Set the base URL for accessing the administration console, including scheme,
This should be set if proxy uses a different context-path for Keycloak. host, port and path
--hostname-port <port> --hostname-debug <true|false>
The port used by the proxy when exposing the hostname. Set this option if the Toggle the hostname debug page that is accessible at
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. /realms/master/hostname-debug Default: false.
--hostname-strict <true|false> --hostname-path <path>
Disables dynamically resolving the hostname from request headers. Should This should be set if proxy uses a different context-path for Keycloak.
always be set to true in production, unless proxy verifies the Host header. --hostname-port <port>
Default: true. The port used by the proxy when exposing the hostname. Set this option if the
--hostname-strict-backchannel <true|false> proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
By default backchannel URLs are dynamically resolved from request headers to --hostname-strict <true|false>
allow internal and external applications. If all applications use the public Disables dynamically resolving the hostname from request headers. Should
URL this option should be enabled. Default: false. always be set to true in production, unless proxy verifies the Host header.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Default: true.
--hostname-strict-backchannel <true|false>
HTTP/TLS: By default backchannel URLs are dynamically resolved from request headers to
allow internal and external applications. If all applications use the public
--http-enabled <true|false> URL this option should be enabled. Default: false.
Enables the HTTP listener. Default: false. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080. HTTP/TLS:
--http-relative-path <path>
Set the path relative to '/' for serving resources. The path must start with a --http-enabled <true|false>
'/'. Default: /. Enables the HTTP listener. Default: false.
--https-certificate-file <file> --http-host <host> The used HTTP Host. Default: 0.0.0.0.
The file path to a server certificate or certificate chain in PEM format. --http-port <port> The used HTTP port. Default: 8080.
--https-certificate-key-file <file> --http-relative-path <path>
The file path to a private key in PEM format. Set the path relative to '/' for serving resources. The path must start with a
--https-cipher-suites <ciphers> '/'. Default: /.
The cipher suites to use. If none is given, a reasonable default is selected. --https-certificate-file <file>
--https-client-auth <auth> The file path to a server certificate or certificate chain in PEM format.
Configures the server to require/request client authentication. Possible --https-certificate-key-file <file>
values are: none, request, required. Default: none. The file path to a private key in PEM format.
--https-key-store-file <file> --https-cipher-suites <ciphers>
The key store which holds the certificate information instead of specifying The cipher suites to use. If none is given, a reasonable default is selected.
separate files. --https-client-auth <auth>
--https-key-store-password <password> Configures the server to require/request client authentication. Possible
The password of the key store file. Default: password. values are: none, request, required. Default: none.
--https-key-store-type <type> --https-key-store-file <file>
The type of the key store file. If not given, the type is automatically The key store which holds the certificate information instead of specifying
detected based on the file name. If 'fips-mode' is set to 'strict' and no separate files.
value is set, it defaults to 'BCFKS'. --https-key-store-password <password>
--https-port <port> The used HTTPS port. Default: 8443. The password of the key store file. Default: password.
--https-protocols <protocols> --https-key-store-type <type>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The type of the key store file. If not given, the type is automatically
--https-trust-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The trust store which holds the certificate information of the certificates to value is set, it defaults to 'BCFKS'.
trust. --https-port <port> The used HTTPS port. Default: 8443.
--https-trust-store-password <password> --https-protocols <protocols>
The password of the trust store file. The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-trust-store-type <type> --https-trust-store-file <file>
The type of the trust store file. If not given, the type is automatically The trust store which holds the certificate information of the certificates to
detected based on the file name. If 'fips-mode' is set to 'strict' and no trust.
value is set, it defaults to 'BCFKS'. --https-trust-store-password <password>
The password of the trust store file.
Health: --https-trust-store-type <type>
The type of the trust store file. If not given, the type is automatically
--health-enabled <true|false> detected based on the file name. If 'fips-mode' is set to 'strict' and no
If the server should expose health check endpoints. If enabled, health checks value is set, it defaults to 'BCFKS'.
are available at the '/health', '/health/ready' and '/health/live'
endpoints. Default: false. Health:
Metrics: --health-enabled <true|false>
If the server should expose health check endpoints. If enabled, health checks
--metrics-enabled <true|false> are available at the '/health', '/health/ready' and '/health/live'
If the server should expose metrics. If enabled, metrics are available at the endpoints. Default: false.
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Specifies a path to the KeyStore Configuration Source.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
Vault: --config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Metrics:
given directory.
--metrics-enabled <true|false>
Logging: If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console. Proxy:
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--log-console-format <format> Possible values are: none, edge, reencrypt, passthrough. Default: none.
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % Vault:
-5p [%c] (%t) %s%e%n.
--log-console-output <output> --vault <provider> Enables a vault provider. Possible values are: file, keystore.
Set the log output to JSON or default (plain) unstructured logging. Possible --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
values are: default, json. Default: default. given directory.
--log-file <file> Set the log file path and filename. Default: data/log/keycloak.log. --vault-file <file> Path to the keystore file.
--log-file-format <format> --vault-pass <pass> Password for the vault keystore.
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, --vault-type <type> Specifies the type of the keystore file. Default: PKCS12.
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output> Logging:
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--log-gelf-facility <name> are: console, file, gelf. Default: console.
The facility (name of the process) that sends the message. Default: keycloak. --log-console-color <true|false>
--log-gelf-host <hostname> Enable or disable colors when logging to console. Default: false.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-console-format <format>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The format of unstructured console log entries. If the format has spaces in
localhost. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
--log-gelf-include-location <true|false> -5p [%c] (%t) %s%e%n.
Include source code location. Default: true. --log-console-output <output>
--log-gelf-include-message-parameters <true|false> Set the log output to JSON or default (plain) unstructured logging. Possible
Include message parameters from the log event. Default: true. values are: default, json. Default: default.
--log-gelf-include-stack-trace <true|false> --log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
If set to true, occuring stack traces are included in the 'StackTrace' field --log-file-format <format>
in the GELF output. Default: true. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
--log-gelf-level <level> SSS} %-5p [%c] (%t) %s%e%n.
The log level specifying which message levels will be logged by the GELF --log-file-output <output>
logger. Message levels lower than this value will be discarded. Default: Set the log output to JSON or default (plain) unstructured logging. Possible
INFO. values are: default, json. Default: default.
--log-gelf-max-message-size <size> --log-gelf-facility <name>
Maximum message size (in bytes). If the message size is exceeded, GELF will The facility (name of the process) that sends the message. Default: keycloak.
submit the message in multiple chunks. Default: 8192. --log-gelf-host <hostname>
--log-gelf-port <port> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The port the Logstash or Graylog Host is called on. Default: 12201. host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
--log-gelf-timestamp-format <pattern> localhost.
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat --log-gelf-include-location <true|false>
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Include source code location. Default: true.
--log-level <category:level> --log-gelf-include-message-parameters <true|false>
The log level of the root category or a comma-separated list of individual Include message parameters from the log event. Default: true.
categories and their levels. For the root category, you don't need to --log-gelf-include-stack-trace <true|false>
specify a category. Default: info. If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
Security: --log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on logger. Message levels lower than this value will be discarded. Default:
non-approved mode. For full FIPS compliance, set 'strict' to run on approved INFO.
mode. This option defaults to 'disabled' when 'fips' feature is disabled, --log-gelf-max-message-size <size>
which is by default. This option defaults to 'non-strict' when 'fips' Maximum message size (in bytes). If the message size is exceeded, GELF will
feature is enabled. Possible values are: non-strict, strict. Default: submit the message in multiple chunks. Default: 8192.
disabled. --log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
By default, this command tries to update the server configuration by running a --log-gelf-timestamp-format <pattern>
'build' before starting the server. You can disable this behavior by using the Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
'--optimized' option: pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
$ kc.bat start '--optimized' The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
By doing that, the server should start faster based on any previous specify a category. Default: info.
configuration you have set when manually running the 'build' command.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.

10
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt vendored
View file

@ -144,16 +144,16 @@ Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
--features-disabled <feature> --features-disabled <feature>
Disables a set of one or more features. Possible values are: account-api, Disables a set of one or more features. Possible values are: account-api,
account2, account3, admin-api, admin-fine-grained-authz, admin2, account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, authorization, ciba, client-policies, client-secret-rotation,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
recovery-codes, scripts, step-up-authentication, token-exchange, preview, recovery-codes, scripts, step-up-authentication, token-exchange,
update-email, web-authn. update-email, web-authn.
Hostname: Hostname:
@ -327,4 +327,4 @@ By default, this command tries to update the server configuration by running a
$ kc.sh start '--optimized' $ kc.sh start '--optimized'
By doing that, the server should start faster based on any previous By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command. configuration you have set when manually running the 'build' command.

643
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt vendored
View file

@ -1,313 +1,330 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Cache: Cache:
--cache <type> Defines the cache mechanism for high-availability. By default in production --cache <type> Defines the cache mechanism for high-availability. By default in production
mode, a 'ispn' cache is used to create a cluster between multiple server mode, a 'ispn' cache is used to create a cluster between multiple server
nodes. By default in development mode, a 'local' cache disables clustering nodes. By default in development mode, a 'local' cache disables clustering
and is intended for development and testing purposes. Possible values are: and is intended for development and testing purposes. Possible values are:
ispn, local. Default: ispn. ispn, local. Default: ispn.
--cache-config-file <file> --cache-config-file <file>
Defines the file from which cache configuration should be loaded from. The Defines the file from which cache configuration should be loaded from. The
configuration file is relative to the 'conf/' directory. configuration file is relative to the 'conf/' directory.
--cache-stack <stack> --cache-stack <stack>
Define the default stack to use for cluster communication and node discovery. Define the default stack to use for cluster communication and node discovery.
This option only takes effect if 'cache' is set to 'ispn'. Default: udp. This option only takes effect if 'cache' is set to 'ispn'. Default: udp.
Possible values are: tcp, udp, kubernetes, ec2, azure, google. Possible values are: tcp, udp, kubernetes, ec2, azure, google.
Storage (Experimental): Storage (Experimental):
--storage <type> Experimental: Sets the default storage mechanism for all areas. Possible --storage <type> Experimental: Sets the default storage mechanism for all areas. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-auth-session <type> --storage-area-auth-session <type>
Experimental: Sets a storage mechanism for authentication sessions. Possible Experimental: Sets a storage mechanism for authentication sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-area-authorization <type> --storage-area-authorization <type>
Experimental: Sets a storage mechanism for authorizations. Possible values Experimental: Sets a storage mechanism for authorizations. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-client <type> --storage-area-client <type>
Experimental: Sets a storage mechanism for clients. Possible values are: jpa, Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-client-scope <type> --storage-area-client-scope <type>
Experimental: Sets a storage mechanism for client scopes. Possible values are: Experimental: Sets a storage mechanism for client scopes. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-admin <type> --storage-area-event-admin <type>
Experimental: Sets a storage mechanism for admin events. Possible values are: Experimental: Sets a storage mechanism for admin events. Possible values are:
jpa, chm, hotrod, file. jpa, chm, hotrod, file.
--storage-area-event-auth <type> --storage-area-event-auth <type>
Experimental: Sets a storage mechanism for authentication and authorization Experimental: Sets a storage mechanism for authentication and authorization
events. Possible values are: jpa, chm, hotrod, file. events. Possible values are: jpa, chm, hotrod, file.
--storage-area-group <type> --storage-area-group <type>
Experimental: Sets a storage mechanism for groups. Possible values are: jpa, Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-login-failure <type> --storage-area-login-failure <type>
Experimental: Sets a storage mechanism for login failures. Possible values Experimental: Sets a storage mechanism for login failures. Possible values
are: jpa, chm, hotrod, file. are: jpa, chm, hotrod, file.
--storage-area-realm <type> --storage-area-realm <type>
Experimental: Sets a storage mechanism for realms. Possible values are: jpa, Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-role <type> --storage-area-role <type>
Experimental: Sets a storage mechanism for roles. Possible values are: jpa, Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-single-use-object <type> --storage-area-single-use-object <type>
Experimental: Sets a storage mechanism for single use objects. Possible values Experimental: Sets a storage mechanism for single use objects. Possible values
are: jpa, chm, hotrod. are: jpa, chm, hotrod.
--storage-area-user <type> --storage-area-user <type>
Experimental: Sets a storage mechanism for users. Possible values are: jpa, Experimental: Sets a storage mechanism for users. Possible values are: jpa,
chm, hotrod, file. chm, hotrod, file.
--storage-area-user-session <type> --storage-area-user-session <type>
Experimental: Sets a storage mechanism for user and client sessions. Possible Experimental: Sets a storage mechanism for user and client sessions. Possible
values are: jpa, chm, hotrod, file. values are: jpa, chm, hotrod, file.
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir> --storage-file-dir <dir>
Experimental: Root directory for file map store. Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user. Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port> --storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server. Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username> --storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user. Experimental: Sets the username of the Infinispan user.
--storage-jpa-db <type> --storage-jpa-db <type>
Experimental: The database vendor for jpa map storage. Possible values are: Experimental: The database vendor for jpa map storage. Possible values are:
postgres, cockroach. Default: postgres. postgres, cockroach. Default: postgres.
Database: Database:
--db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql, --db <vendor> The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
mysql, oracle, postgres. Default: dev-file. mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
driver is set accordingly to the chosen database. driver is set accordingly to the chosen database.
--db-password <password> --db-password <password>
The password of the database user. The password of the database user.
--db-pool-initial-size <size> --db-pool-initial-size <size>
The initial size of the connection pool. The initial size of the connection pool.
--db-pool-max-size <size> --db-pool-max-size <size>
The maximum size of the connection pool. Default: 100. The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size> --db-pool-min-size <size>
The minimal size of the connection pool. The minimal size of the connection pool.
--db-schema <schema> The database schema to be used. --db-schema <schema> The database schema to be used.
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
selected database vendor. For instance, if using 'postgres', the default selected database vendor. For instance, if using 'postgres', the default
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname> --db-url-database <dbname>
Sets the database name of the default JDBC URL of the chosen vendor. If the Sets the database name of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-host <hostname> --db-url-host <hostname>
Sets the hostname of the default JDBC URL of the chosen vendor. If the Sets the hostname of the default JDBC URL of the chosen vendor. If the
`db-url` option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
option is set, this option is ignored. option is set, this option is ignored.
--db-url-properties <properties> --db-url-properties <properties>
Sets the properties of the default JDBC URL of the chosen vendor. If the Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
`db-url` option is set, this option is ignored. set the properties accordingly to the format expected by the database
--db-username <username> vendor, as well as appending the right character at the beginning of this
The username of the database user. property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
Transaction: The username of the database user.
--transaction-xa-enabled <true|false> Transaction:
If set to false, Keycloak uses a non-XA datasource in case the database does
not support XA transactions. Default: true. --transaction-xa-enabled <true|false>
If set to false, Keycloak uses a non-XA datasource in case the database does
Feature: not support XA transactions. Default: true.
--features <feature> Enables a set of one or more features. Possible values are: account-api, Feature:
account2, account3, admin-api, admin-fine-grained-authz, admin2,
authorization, ciba, client-policies, client-secret-rotation, --features <feature> Enables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
--features-disabled <feature> preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Disables a set of one or more features. Possible values are: account-api, update-email, web-authn.
account2, account3, admin-api, admin-fine-grained-authz, admin2, --features-disabled <feature>
authorization, ciba, client-policies, client-secret-rotation, Disables a set of one or more features. Possible values are: account-api,
declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation, account2, account3, admin-api, admin-fine-grained-authz, admin2,
js-adapter, kerberos, linkedin-oauth, map-storage, par, preview, authorization, ciba, client-policies, client-secret-rotation,
recovery-codes, scripts, step-up-authentication, token-exchange, declarative-user-profile, docker, dpop, dynamic-scopes, fips, impersonation,
update-email, web-authn. js-adapter, kerberos, legacy-welcome, linkedin-oauth, map-storage, par,
preview, recovery-codes, scripts, step-up-authentication, token-exchange,
Hostname: update-email, web-authn.
--hostname <hostname> Hostname:
Hostname for the Keycloak server.
--hostname-admin <hostname> --hostname <hostname>
The hostname for accessing the administration console. Use this option if you Hostname for the Keycloak server.
are exposing the administration console using a hostname other than the --hostname-admin <hostname>
value set to the 'hostname' option. The hostname for accessing the administration console. Use this option if you
--hostname-admin-url <url> are exposing the administration console using a hostname other than the
Set the base URL for accessing the administration console, including scheme, value set to the 'hostname' option.
host, port and path --hostname-admin-url <url>
--hostname-path <path> Set the base URL for accessing the administration console, including scheme,
This should be set if proxy uses a different context-path for Keycloak. host, port and path
--hostname-port <port> --hostname-debug <true|false>
The port used by the proxy when exposing the hostname. Set this option if the Toggle the hostname debug page that is accessible at
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. /realms/master/hostname-debug Default: false.
--hostname-strict <true|false> --hostname-path <path>
Disables dynamically resolving the hostname from request headers. Should This should be set if proxy uses a different context-path for Keycloak.
always be set to true in production, unless proxy verifies the Host header. --hostname-port <port>
Default: true. The port used by the proxy when exposing the hostname. Set this option if the
--hostname-strict-backchannel <true|false> proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
By default backchannel URLs are dynamically resolved from request headers to --hostname-strict <true|false>
allow internal and external applications. If all applications use the public Disables dynamically resolving the hostname from request headers. Should
URL this option should be enabled. Default: false. always be set to true in production, unless proxy verifies the Host header.
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Default: true.
--hostname-strict-backchannel <true|false>
HTTP/TLS: By default backchannel URLs are dynamically resolved from request headers to
allow internal and external applications. If all applications use the public
--http-enabled <true|false> URL this option should be enabled. Default: false.
Enables the HTTP listener. Default: false. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
--http-port <port> The used HTTP port. Default: 8080. HTTP/TLS:
--http-relative-path <path>
Set the path relative to '/' for serving resources. The path must start with a --http-enabled <true|false>
'/'. Default: /. Enables the HTTP listener. Default: false.
--https-certificate-file <file> --http-host <host> The used HTTP Host. Default: 0.0.0.0.
The file path to a server certificate or certificate chain in PEM format. --http-port <port> The used HTTP port. Default: 8080.
--https-certificate-key-file <file> --http-relative-path <path>
The file path to a private key in PEM format. Set the path relative to '/' for serving resources. The path must start with a
--https-cipher-suites <ciphers> '/'. Default: /.
The cipher suites to use. If none is given, a reasonable default is selected. --https-certificate-file <file>
--https-client-auth <auth> The file path to a server certificate or certificate chain in PEM format.
Configures the server to require/request client authentication. Possible --https-certificate-key-file <file>
values are: none, request, required. Default: none. The file path to a private key in PEM format.
--https-key-store-file <file> --https-cipher-suites <ciphers>
The key store which holds the certificate information instead of specifying The cipher suites to use. If none is given, a reasonable default is selected.
separate files. --https-client-auth <auth>
--https-key-store-password <password> Configures the server to require/request client authentication. Possible
The password of the key store file. Default: password. values are: none, request, required. Default: none.
--https-key-store-type <type> --https-key-store-file <file>
The type of the key store file. If not given, the type is automatically The key store which holds the certificate information instead of specifying
detected based on the file name. If 'fips-mode' is set to 'strict' and no separate files.
value is set, it defaults to 'BCFKS'. --https-key-store-password <password>
--https-port <port> The used HTTPS port. Default: 8443. The password of the key store file. Default: password.
--https-protocols <protocols> --https-key-store-type <type>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The type of the key store file. If not given, the type is automatically
--https-trust-store-file <file> detected based on the file name. If 'fips-mode' is set to 'strict' and no
The trust store which holds the certificate information of the certificates to value is set, it defaults to 'BCFKS'.
trust. --https-port <port> The used HTTPS port. Default: 8443.
--https-trust-store-password <password> --https-protocols <protocols>
The password of the trust store file. The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
--https-trust-store-type <type> --https-trust-store-file <file>
The type of the trust store file. If not given, the type is automatically The trust store which holds the certificate information of the certificates to
detected based on the file name. If 'fips-mode' is set to 'strict' and no trust.
value is set, it defaults to 'BCFKS'. --https-trust-store-password <password>
The password of the trust store file.
Health: --https-trust-store-type <type>
The type of the trust store file. If not given, the type is automatically
--health-enabled <true|false> detected based on the file name. If 'fips-mode' is set to 'strict' and no
If the server should expose health check endpoints. If enabled, health checks value is set, it defaults to 'BCFKS'.
are available at the '/health', '/health/ready' and '/health/live'
endpoints. Default: false. Health:
Metrics: --health-enabled <true|false>
If the server should expose health check endpoints. If enabled, health checks
--metrics-enabled <true|false> are available at the '/health', '/health/ready' and '/health/live'
If the server should expose metrics. If enabled, metrics are available at the endpoints. Default: false.
'/metrics' endpoint. Default: false.
Config:
Proxy:
--config-keystore <config-keystore>
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. Specifies a path to the KeyStore Configuration Source.
Possible values are: none, edge, reencrypt, passthrough. Default: none. --config-keystore-password <config-keystore-password>
Specifies a password to the KeyStore Configuration Source.
Vault: --config-keystore-type <config-keystore-type>
Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
--vault <provider> Enables a vault provider. Possible values are: file.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Metrics:
given directory.
--metrics-enabled <true|false>
Logging: If the server should expose metrics. If enabled, metrics are available at the
'/metrics' endpoint. Default: false.
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values
are: console, file, gelf. Default: console. Proxy:
--log-console-color <true|false>
Enable or disable colors when logging to console. Default: false. --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
--log-console-format <format> Possible values are: none, edge, reencrypt, passthrough. Default: none.
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % Vault:
-5p [%c] (%t) %s%e%n.
--log-console-output <output> --vault <provider> Enables a vault provider. Possible values are: file, keystore.
Set the log output to JSON or default (plain) unstructured logging. Possible --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
values are: default, json. Default: default. given directory.
--log-file <file> Set the log file path and filename. Default: data/log/keycloak.log. --vault-file <file> Path to the keystore file.
--log-file-format <format> --vault-pass <pass> Password for the vault keystore.
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, --vault-type <type> Specifies the type of the keystore file. Default: PKCS12.
SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output> Logging:
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--log-gelf-facility <name> are: console, file, gelf. Default: console.
The facility (name of the process) that sends the message. Default: keycloak. --log-console-color <true|false>
--log-gelf-host <hostname> Enable or disable colors when logging to console. Default: false.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-console-format <format>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: The format of unstructured console log entries. If the format has spaces in
localhost. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
--log-gelf-include-location <true|false> -5p [%c] (%t) %s%e%n.
Include source code location. Default: true. --log-console-output <output>
--log-gelf-include-message-parameters <true|false> Set the log output to JSON or default (plain) unstructured logging. Possible
Include message parameters from the log event. Default: true. values are: default, json. Default: default.
--log-gelf-include-stack-trace <true|false> --log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
If set to true, occuring stack traces are included in the 'StackTrace' field --log-file-format <format>
in the GELF output. Default: true. Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
--log-gelf-level <level> SSS} %-5p [%c] (%t) %s%e%n.
The log level specifying which message levels will be logged by the GELF --log-file-output <output>
logger. Message levels lower than this value will be discarded. Default: Set the log output to JSON or default (plain) unstructured logging. Possible
INFO. values are: default, json. Default: default.
--log-gelf-max-message-size <size> --log-gelf-facility <name>
Maximum message size (in bytes). If the message size is exceeded, GELF will The facility (name of the process) that sends the message. Default: keycloak.
submit the message in multiple chunks. Default: 8192. --log-gelf-host <hostname>
--log-gelf-port <port> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
The port the Logstash or Graylog Host is called on. Default: 12201. host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
--log-gelf-timestamp-format <pattern> localhost.
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat --log-gelf-include-location <true|false>
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. Include source code location. Default: true.
--log-level <category:level> --log-gelf-include-message-parameters <true|false>
The log level of the root category or a comma-separated list of individual Include message parameters from the log event. Default: true.
categories and their levels. For the root category, you don't need to --log-gelf-include-stack-trace <true|false>
specify a category. Default: info. If set to true, occuring stack traces are included in the 'StackTrace' field
in the GELF output. Default: true.
Security: --log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on logger. Message levels lower than this value will be discarded. Default:
non-approved mode. For full FIPS compliance, set 'strict' to run on approved INFO.
mode. This option defaults to 'disabled' when 'fips' feature is disabled, --log-gelf-max-message-size <size>
which is by default. This option defaults to 'non-strict' when 'fips' Maximum message size (in bytes). If the message size is exceeded, GELF will
feature is enabled. Possible values are: non-strict, strict. Default: submit the message in multiple chunks. Default: 8192.
disabled. --log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
By default, this command tries to update the server configuration by running a --log-gelf-timestamp-format <pattern>
'build' before starting the server. You can disable this behavior by using the Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
'--optimized' option: pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
$ kc.bat start '--optimized' The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
By doing that, the server should start faster based on any previous specify a category. Default: info.
configuration you have set when manually running the 'build' command.
Security:
--fips-mode <mode> Sets the FIPS mode. If 'non-strict' is set, FIPS is enabled but on
non-approved mode. For full FIPS compliance, set 'strict' to run on approved
mode. This option defaults to 'disabled' when 'fips' feature is disabled,
which is by default. This option defaults to 'non-strict' when 'fips'
feature is enabled. Possible values are: non-strict, strict. Default:
disabled.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.

381
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.windows.approved.txt vendored
View file

@ -1,181 +1,200 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Database: Database:
--db-password <password> --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
The password of the database user. driver is set accordingly to the chosen database.
--db-pool-initial-size <size> --db-password <password>
The initial size of the connection pool. The password of the database user.
--db-pool-max-size <size> --db-pool-initial-size <size>
The maximum size of the connection pool. Default: 100. The initial size of the connection pool.
--db-pool-min-size <size> --db-pool-max-size <size>
The minimal size of the connection pool. The maximum size of the connection pool. Default: 100.
--db-schema <schema> The database schema to be used. --db-pool-min-size <size>
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the The minimal size of the connection pool.
selected database vendor. For instance, if using 'postgres', the default --db-schema <schema> The database schema to be used.
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
--db-url-database <dbname> selected database vendor. For instance, if using 'postgres', the default
Sets the database name of the default JDBC URL of the chosen vendor. If the JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
`db-url` option is set, this option is ignored. --db-url-database <dbname>
--db-url-host <hostname> Sets the database name of the default JDBC URL of the chosen vendor. If the
Sets the hostname of the default JDBC URL of the chosen vendor. If the `db-url` option is set, this option is ignored.
`db-url` option is set, this option is ignored. --db-url-host <hostname>
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` Sets the hostname of the default JDBC URL of the chosen vendor. If the
option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-properties <properties> --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
Sets the properties of the default JDBC URL of the chosen vendor. If the option is set, this option is ignored.
`db-url` option is set, this option is ignored. --db-url-properties <properties>
--db-username <username> Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
The username of the database user. set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
Hostname: property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
--hostname <hostname> The username of the database user.
Hostname for the Keycloak server.
--hostname-admin <hostname> Hostname:
The hostname for accessing the administration console. Use this option if you
are exposing the administration console using a hostname other than the --hostname <hostname>
value set to the 'hostname' option. Hostname for the Keycloak server.
--hostname-admin-url <url> --hostname-admin <hostname>
Set the base URL for accessing the administration console, including scheme, The hostname for accessing the administration console. Use this option if you
host, port and path are exposing the administration console using a hostname other than the
--hostname-path <path> value set to the 'hostname' option.
This should be set if proxy uses a different context-path for Keycloak. --hostname-admin-url <url>
--hostname-port <port> Set the base URL for accessing the administration console, including scheme,
The port used by the proxy when exposing the hostname. Set this option if the host, port and path
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. --hostname-debug <true|false>
--hostname-strict <true|false> Toggle the hostname debug page that is accessible at
Disables dynamically resolving the hostname from request headers. Should /realms/master/hostname-debug Default: false.
always be set to true in production, unless proxy verifies the Host header. --hostname-path <path>
Default: true. This should be set if proxy uses a different context-path for Keycloak.
--hostname-strict-backchannel <true|false> --hostname-port <port>
By default backchannel URLs are dynamically resolved from request headers to The port used by the proxy when exposing the hostname. Set this option if the
allow internal and external applications. If all applications use the public proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
URL this option should be enabled. Default: false. --hostname-strict <true|false>
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Disables dynamically resolving the hostname from request headers. Should
always be set to true in production, unless proxy verifies the Host header.
HTTP/TLS: Default: true.
--hostname-strict-backchannel <true|false>
--http-enabled <true|false> By default backchannel URLs are dynamically resolved from request headers to
Enables the HTTP listener. Default: false. allow internal and external applications. If all applications use the public
--http-host <host> The used HTTP Host. Default: 0.0.0.0. URL this option should be enabled. Default: false.
--http-port <port> The used HTTP port. Default: 8080. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--https-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format. HTTP/TLS:
--https-certificate-key-file <file>
The file path to a private key in PEM format. --http-enabled <true|false>
--https-cipher-suites <ciphers> Enables the HTTP listener. Default: false.
The cipher suites to use. If none is given, a reasonable default is selected. --http-host <host> The used HTTP Host. Default: 0.0.0.0.
--https-client-auth <auth> --http-port <port> The used HTTP port. Default: 8080.
Configures the server to require/request client authentication. Possible --https-certificate-file <file>
values are: none, request, required. Default: none. The file path to a server certificate or certificate chain in PEM format.
--https-key-store-file <file> --https-certificate-key-file <file>
The key store which holds the certificate information instead of specifying The file path to a private key in PEM format.
separate files. --https-cipher-suites <ciphers>
--https-key-store-password <password> The cipher suites to use. If none is given, a reasonable default is selected.
The password of the key store file. Default: password. --https-client-auth <auth>
--https-key-store-type <type> Configures the server to require/request client authentication. Possible
The type of the key store file. If not given, the type is automatically values are: none, request, required. Default: none.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-key-store-file <file>
value is set, it defaults to 'BCFKS'. The key store which holds the certificate information instead of specifying
--https-port <port> The used HTTPS port. Default: 8443. separate files.
--https-protocols <protocols> --https-key-store-password <password>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The password of the key store file. Default: password.
--https-trust-store-file <file> --https-key-store-type <type>
The trust store which holds the certificate information of the certificates to The type of the key store file. If not given, the type is automatically
trust. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-trust-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the trust store file. --https-port <port> The used HTTPS port. Default: 8443.
--https-trust-store-type <type> --https-protocols <protocols>
The type of the trust store file. If not given, the type is automatically The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-trust-store-file <file>
value is set, it defaults to 'BCFKS'. The trust store which holds the certificate information of the certificates to
trust.
Proxy: --https-trust-store-password <password>
The password of the trust store file.
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. --https-trust-store-type <type>
Possible values are: none, edge, reencrypt, passthrough. Default: none. The type of the trust store file. If not given, the type is automatically
detected based on the file name. If 'fips-mode' is set to 'strict' and no
Vault: value is set, it defaults to 'BCFKS'.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Config:
given directory.
--config-keystore <config-keystore>
Logging: Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values Specifies a password to the KeyStore Configuration Source.
are: console, file, gelf. Default: console. --config-keystore-type <config-keystore-type>
--log-console-color <true|false> Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Enable or disable colors when logging to console. Default: false.
--log-console-format <format> Proxy:
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
-5p [%c] (%t) %s%e%n. Possible values are: none, edge, reencrypt, passthrough. Default: none.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible Vault:
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data/log/keycloak.log. --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
--log-file-format <format> given directory.
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, --vault-file <file> Path to the keystore file.
SSS} %-5p [%c] (%t) %s%e%n. --vault-pass <pass> Password for the vault keystore.
--log-file-output <output> --vault-type <type> Specifies the type of the keystore file. Default: PKCS12.
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default. Logging:
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--log-gelf-host <hostname> are: console, file, gelf. Default: console.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-console-color <true|false>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: Enable or disable colors when logging to console. Default: false.
localhost. --log-console-format <format>
--log-gelf-include-location <true|false> The format of unstructured console log entries. If the format has spaces in
Include source code location. Default: true. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
--log-gelf-include-message-parameters <true|false> -5p [%c] (%t) %s%e%n.
Include message parameters from the log event. Default: true. --log-console-output <output>
--log-gelf-include-stack-trace <true|false> Set the log output to JSON or default (plain) unstructured logging. Possible
If set to true, occuring stack traces are included in the 'StackTrace' field values are: default, json. Default: default.
in the GELF output. Default: true. --log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-gelf-level <level> --log-file-format <format>
The log level specifying which message levels will be logged by the GELF Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
logger. Message levels lower than this value will be discarded. Default: SSS} %-5p [%c] (%t) %s%e%n.
INFO. --log-file-output <output>
--log-gelf-max-message-size <size> Set the log output to JSON or default (plain) unstructured logging. Possible
Maximum message size (in bytes). If the message size is exceeded, GELF will values are: default, json. Default: default.
submit the message in multiple chunks. Default: 8192. --log-gelf-facility <name>
--log-gelf-port <port> The facility (name of the process) that sends the message. Default: keycloak.
The port the Logstash or Graylog Host is called on. Default: 12201. --log-gelf-host <hostname>
--log-gelf-timestamp-format <pattern> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. localhost.
--log-level <category:level> --log-gelf-include-location <true|false>
The log level of the root category or a comma-separated list of individual Include source code location. Default: true.
categories and their levels. For the root category, you don't need to --log-gelf-include-message-parameters <true|false>
specify a category. Default: info. Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
By default, this command tries to update the server configuration by running a If set to true, occuring stack traces are included in the 'StackTrace' field
'build' before starting the server. You can disable this behavior by using the in the GELF output. Default: true.
'--optimized' option: --log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
$ kc.bat start '--optimized' logger. Message levels lower than this value will be discarded. Default:
INFO.
By doing that, the server should start faster based on any previous --log-gelf-max-message-size <size>
configuration you have set when manually running the 'build' command. Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command.

417
quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.windows.approved.txt vendored
View file

@ -1,200 +1,219 @@
Start the server. Start the server.
Usage: Usage:
kc.bat start [OPTIONS] kc.bat start [OPTIONS]
Use this command to run the server in production. Use this command to run the server in production.
Options: Options:
-b, --auto-build (Deprecated) Automatically detects whether the server configuration changed -b, --auto-build (Deprecated) Automatically detects whether the server configuration changed
and a new server image must be built prior to starting the server. This and a new server image must be built prior to starting the server. This
option provides an alternative to manually running the 'build' prior to option provides an alternative to manually running the 'build' prior to
starting the server. Use this configuration carefully in production as it starting the server. Use this configuration carefully in production as it
might impact the startup time. might impact the startup time.
-h, --help This help message. -h, --help This help message.
--help-all This same help message but with additional options. --help-all This same help message but with additional options.
--import-realm Import realms during startup by reading any realm configuration file from the --import-realm Import realms during startup by reading any realm configuration file from the
'data/import' directory. 'data/import' directory.
--optimized Use this option to achieve an optimal startup time if you have previously --optimized Use this option to achieve an optimal startup time if you have previously
built a server image using the 'build' command. built a server image using the 'build' command.
Storage (Experimental): Storage (Experimental):
--storage-deployment-state-version-seed <type> --storage-deployment-state-version-seed <type>
Experimental: Secret that serves as a seed to mask the version number of Experimental: Secret that serves as a seed to mask the version number of
Keycloak in URLs. Need to be identical across all servers in the cluster. Keycloak in URLs. Need to be identical across all servers in the cluster.
Will default to a random number generated when starting the server which is Will default to a random number generated when starting the server which is
secure but will lead to problems when a loadbalancer without sticky sessions secure but will lead to problems when a loadbalancer without sticky sessions
is used or nodes are restarted. is used or nodes are restarted.
--storage-file-dir <dir> --storage-file-dir <dir>
Experimental: Root directory for file map store. Experimental: Root directory for file map store.
--storage-hotrod-host <host> --storage-hotrod-host <host>
Experimental: Sets the host of the Infinispan server. Experimental: Sets the host of the Infinispan server.
--storage-hotrod-password <password> --storage-hotrod-password <password>
Experimental: Sets the password of the Infinispan user. Experimental: Sets the password of the Infinispan user.
--storage-hotrod-port <port> --storage-hotrod-port <port>
Experimental: Sets the port of the Infinispan server. Experimental: Sets the port of the Infinispan server.
--storage-hotrod-username <username> --storage-hotrod-username <username>
Experimental: Sets the username of the Infinispan user. Experimental: Sets the username of the Infinispan user.
Database: Database:
--db-password <password> --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
The password of the database user. driver is set accordingly to the chosen database.
--db-pool-initial-size <size> --db-password <password>
The initial size of the connection pool. The password of the database user.
--db-pool-max-size <size> --db-pool-initial-size <size>
The maximum size of the connection pool. Default: 100. The initial size of the connection pool.
--db-pool-min-size <size> --db-pool-max-size <size>
The minimal size of the connection pool. The maximum size of the connection pool. Default: 100.
--db-schema <schema> The database schema to be used. --db-pool-min-size <size>
--db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the The minimal size of the connection pool.
selected database vendor. For instance, if using 'postgres', the default --db-schema <schema> The database schema to be used.
JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. --db-url <jdbc-url> The full database JDBC URL. If not provided, a default URL is set based on the
--db-url-database <dbname> selected database vendor. For instance, if using 'postgres', the default
Sets the database name of the default JDBC URL of the chosen vendor. If the JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
`db-url` option is set, this option is ignored. --db-url-database <dbname>
--db-url-host <hostname> Sets the database name of the default JDBC URL of the chosen vendor. If the
Sets the hostname of the default JDBC URL of the chosen vendor. If the `db-url` option is set, this option is ignored.
`db-url` option is set, this option is ignored. --db-url-host <hostname>
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url` Sets the hostname of the default JDBC URL of the chosen vendor. If the
option is set, this option is ignored. `db-url` option is set, this option is ignored.
--db-url-properties <properties> --db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
Sets the properties of the default JDBC URL of the chosen vendor. If the option is set, this option is ignored.
`db-url` option is set, this option is ignored. --db-url-properties <properties>
--db-username <username> Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
The username of the database user. set the properties accordingly to the format expected by the database
vendor, as well as appending the right character at the beginning of this
Hostname: property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
--hostname <hostname> The username of the database user.
Hostname for the Keycloak server.
--hostname-admin <hostname> Hostname:
The hostname for accessing the administration console. Use this option if you
are exposing the administration console using a hostname other than the --hostname <hostname>
value set to the 'hostname' option. Hostname for the Keycloak server.
--hostname-admin-url <url> --hostname-admin <hostname>
Set the base URL for accessing the administration console, including scheme, The hostname for accessing the administration console. Use this option if you
host, port and path are exposing the administration console using a hostname other than the
--hostname-path <path> value set to the 'hostname' option.
This should be set if proxy uses a different context-path for Keycloak. --hostname-admin-url <url>
--hostname-port <port> Set the base URL for accessing the administration console, including scheme,
The port used by the proxy when exposing the hostname. Set this option if the host, port and path
proxy uses a port other than the default HTTP and HTTPS ports. Default: -1. --hostname-debug <true|false>
--hostname-strict <true|false> Toggle the hostname debug page that is accessible at
Disables dynamically resolving the hostname from request headers. Should /realms/master/hostname-debug Default: false.
always be set to true in production, unless proxy verifies the Host header. --hostname-path <path>
Default: true. This should be set if proxy uses a different context-path for Keycloak.
--hostname-strict-backchannel <true|false> --hostname-port <port>
By default backchannel URLs are dynamically resolved from request headers to The port used by the proxy when exposing the hostname. Set this option if the
allow internal and external applications. If all applications use the public proxy uses a port other than the default HTTP and HTTPS ports. Default: -1.
URL this option should be enabled. Default: false. --hostname-strict <true|false>
--hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path. Disables dynamically resolving the hostname from request headers. Should
always be set to true in production, unless proxy verifies the Host header.
HTTP/TLS: Default: true.
--hostname-strict-backchannel <true|false>
--http-enabled <true|false> By default backchannel URLs are dynamically resolved from request headers to
Enables the HTTP listener. Default: false. allow internal and external applications. If all applications use the public
--http-host <host> The used HTTP Host. Default: 0.0.0.0. URL this option should be enabled. Default: false.
--http-port <port> The used HTTP port. Default: 8080. --hostname-url <url> Set the base URL for frontend URLs, including scheme, host, port and path.
--https-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format. HTTP/TLS:
--https-certificate-key-file <file>
The file path to a private key in PEM format. --http-enabled <true|false>
--https-cipher-suites <ciphers> Enables the HTTP listener. Default: false.
The cipher suites to use. If none is given, a reasonable default is selected. --http-host <host> The used HTTP Host. Default: 0.0.0.0.
--https-client-auth <auth> --http-port <port> The used HTTP port. Default: 8080.
Configures the server to require/request client authentication. Possible --https-certificate-file <file>
values are: none, request, required. Default: none. The file path to a server certificate or certificate chain in PEM format.
--https-key-store-file <file> --https-certificate-key-file <file>
The key store which holds the certificate information instead of specifying The file path to a private key in PEM format.
separate files. --https-cipher-suites <ciphers>
--https-key-store-password <password> The cipher suites to use. If none is given, a reasonable default is selected.
The password of the key store file. Default: password. --https-client-auth <auth>
--https-key-store-type <type> Configures the server to require/request client authentication. Possible
The type of the key store file. If not given, the type is automatically values are: none, request, required. Default: none.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-key-store-file <file>
value is set, it defaults to 'BCFKS'. The key store which holds the certificate information instead of specifying
--https-port <port> The used HTTPS port. Default: 8443. separate files.
--https-protocols <protocols> --https-key-store-password <password>
The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2. The password of the key store file. Default: password.
--https-trust-store-file <file> --https-key-store-type <type>
The trust store which holds the certificate information of the certificates to The type of the key store file. If not given, the type is automatically
trust. detected based on the file name. If 'fips-mode' is set to 'strict' and no
--https-trust-store-password <password> value is set, it defaults to 'BCFKS'.
The password of the trust store file. --https-port <port> The used HTTPS port. Default: 8443.
--https-trust-store-type <type> --https-protocols <protocols>
The type of the trust store file. If not given, the type is automatically The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
detected based on the file name. If 'fips-mode' is set to 'strict' and no --https-trust-store-file <file>
value is set, it defaults to 'BCFKS'. The trust store which holds the certificate information of the certificates to
trust.
Proxy: --https-trust-store-password <password>
The password of the trust store file.
--proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy. --https-trust-store-type <type>
Possible values are: none, edge, reencrypt, passthrough. Default: none. The type of the trust store file. If not given, the type is automatically
detected based on the file name. If 'fips-mode' is set to 'strict' and no
Vault: value is set, it defaults to 'BCFKS'.
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the Config:
given directory.
--config-keystore <config-keystore>
Logging: Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
--log <handler> Enable one or more log handlers in a comma-separated list. Possible values Specifies a password to the KeyStore Configuration Source.
are: console, file, gelf. Default: console. --config-keystore-type <config-keystore-type>
--log-console-color <true|false> Specifies a type of the KeyStore Configuration Source. Default: PKCS12.
Enable or disable colors when logging to console. Default: false.
--log-console-format <format> Proxy:
The format of unstructured console log entries. If the format has spaces in
it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} % --proxy <mode> The proxy address forwarding mode if the server is behind a reverse proxy.
-5p [%c] (%t) %s%e%n. Possible values are: none, edge, reencrypt, passthrough. Default: none.
--log-console-output <output>
Set the log output to JSON or default (plain) unstructured logging. Possible Vault:
values are: default, json. Default: default.
--log-file <file> Set the log file path and filename. Default: data/log/keycloak.log. --vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
--log-file-format <format> given directory.
Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss, --vault-file <file> Path to the keystore file.
SSS} %-5p [%c] (%t) %s%e%n. --vault-pass <pass> Password for the vault keystore.
--log-file-output <output> --vault-type <type> Specifies the type of the keystore file. Default: PKCS12.
Set the log output to JSON or default (plain) unstructured logging. Possible
values are: default, json. Default: default. Logging:
--log-gelf-facility <name>
The facility (name of the process) that sends the message. Default: keycloak. --log <handler> Enable one or more log handlers in a comma-separated list. Possible values
--log-gelf-host <hostname> are: console, file, gelf. Default: console.
Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the --log-console-color <true|false>
host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default: Enable or disable colors when logging to console. Default: false.
localhost. --log-console-format <format>
--log-gelf-include-location <true|false> The format of unstructured console log entries. If the format has spaces in
Include source code location. Default: true. it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
--log-gelf-include-message-parameters <true|false> -5p [%c] (%t) %s%e%n.
Include message parameters from the log event. Default: true. --log-console-output <output>
--log-gelf-include-stack-trace <true|false> Set the log output to JSON or default (plain) unstructured logging. Possible
If set to true, occuring stack traces are included in the 'StackTrace' field values are: default, json. Default: default.
in the GELF output. Default: true. --log-file <file> Set the log file path and filename. Default: data\log\keycloak.log.
--log-gelf-level <level> --log-file-format <format>
The log level specifying which message levels will be logged by the GELF Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
logger. Message levels lower than this value will be discarded. Default: SSS} %-5p [%c] (%t) %s%e%n.
INFO. --log-file-output <output>
--log-gelf-max-message-size <size> Set the log output to JSON or default (plain) unstructured logging. Possible
Maximum message size (in bytes). If the message size is exceeded, GELF will values are: default, json. Default: default.
submit the message in multiple chunks. Default: 8192. --log-gelf-facility <name>
--log-gelf-port <port> The facility (name of the process) that sends the message. Default: keycloak.
The port the Logstash or Graylog Host is called on. Default: 12201. --log-gelf-host <hostname>
--log-gelf-timestamp-format <pattern> Hostname of the Logstash or Graylog Host. By default UDP is used, prefix the
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat host with 'tcp:' to switch to TCP. Example: 'tcp:localhost' Default:
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS. localhost.
--log-level <category:level> --log-gelf-include-location <true|false>
The log level of the root category or a comma-separated list of individual Include source code location. Default: true.
categories and their levels. For the root category, you don't need to --log-gelf-include-message-parameters <true|false>
specify a category. Default: info. Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
By default, this command tries to update the server configuration by running a If set to true, occuring stack traces are included in the 'StackTrace' field
'build' before starting the server. You can disable this behavior by using the in the GELF output. Default: true.
'--optimized' option: --log-gelf-level <level>
The log level specifying which message levels will be logged by the GELF
$ kc.bat start '--optimized' logger. Message levels lower than this value will be discarded. Default:
INFO.
By doing that, the server should start faster based on any previous --log-gelf-max-message-size <size>
Maximum message size (in bytes). If the message size is exceeded, GELF will
submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
Set the format for the GELF timestamp field. Uses Java SimpleDateFormat
pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
The log level of the root category or a comma-separated list of individual
categories and their levels. For the root category, you don't need to
specify a category. Default: info.
By default, this command tries to update the server configuration by running a
'build' before starting the server. You can disable this behavior by using the
'--optimized' option:
$ kc.bat start '--optimized'
By doing that, the server should start faster based on any previous
configuration you have set when manually running the 'build' command. configuration you have set when manually running the 'build' command.

4
server-spi/src/main/java/org/keycloak/theme/ThemeSelectorProvider.java
View file

@ -56,6 +56,10 @@ public interface ThemeSelectorProvider extends Provider {
return DEFAULT_V2; return DEFAULT_V2;
} }
if ((type == Theme.Type.WELCOME) && !Profile.isFeatureEnabled(Profile.Feature.LEGACY_WELCOME)) {
return DEFAULT_V2;
}
return DEFAULT; return DEFAULT;
} }

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ServerInfoTest.java
View file

@ -61,7 +61,7 @@ public class ServerInfoTest extends AbstractKeycloakTest {
Assert.assertNames(info.getThemes().get("admin"), "base", "keycloak.v2"); Assert.assertNames(info.getThemes().get("admin"), "base", "keycloak.v2");
Assert.assertNames(info.getThemes().get("email"), "base", "keycloak"); Assert.assertNames(info.getThemes().get("email"), "base", "keycloak");
Assert.assertNames(info.getThemes().get("login"), "address", "base", "environment-agnostic", "keycloak"); Assert.assertNames(info.getThemes().get("login"), "address", "base", "environment-agnostic", "keycloak");
Assert.assertNames(info.getThemes().get("welcome"), "keycloak"); Assert.assertNames(info.getThemes().get("welcome"), "keycloak", "keycloak.v2");
assertNotNull(info.getEnums()); assertNotNull(info.getEnums());

79
themes/pom.xml
View file

@ -15,12 +15,14 @@
<properties> <properties>
<dir.common>src/main/resources/theme/keycloak/common/resources</dir.common> <dir.common>src/main/resources/theme/keycloak/common/resources</dir.common>
<dir.account2>src/main/resources/theme/keycloak.v2/account/src</dir.account2> <dir.account2>src/main/resources/theme/keycloak.v2/account/src</dir.account2>
<dir.welcome2>src/main/resources/theme/keycloak.v2/welcome</dir.welcome2>
<args.npm.install>ci --no-optional --ignore-scripts</args.npm.install> <args.npm.install>ci --no-optional --ignore-scripts</args.npm.install>
<!-- ignore folders for incremental builds by the maven build cache plugin --> <!-- ignore folders for incremental builds by the maven build cache plugin -->
<maven.build.cache.exclude.1>${project.basedir}/src/main/resources/theme/keycloak/common/resources/node_modules</maven.build.cache.exclude.1> <maven.build.cache.exclude.1>${project.basedir}/src/main/resources/theme/keycloak/common/resources/node_modules</maven.build.cache.exclude.1>
<maven.build.cache.exclude.2>${project.basedir}/src/main/resources/theme/keycloak/common/resources/web_modules</maven.build.cache.exclude.2> <maven.build.cache.exclude.2>${project.basedir}/src/main/resources/theme/keycloak/common/resources/web_modules</maven.build.cache.exclude.2>
<maven.build.cache.exclude.3>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/node_modules</maven.build.cache.exclude.3> <maven.build.cache.exclude.3>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/node_modules</maven.build.cache.exclude.3>
<maven.build.cache.exclude.4>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/web_modules</maven.build.cache.exclude.4> <maven.build.cache.exclude.4>${project.basedir}/src/main/resources/theme/keycloak.v2/account/src/web_modules</maven.build.cache.exclude.4>
<maven.build.cache.exclude.5>${project.basedir}/src/main/resources/theme/keycloak.v2/welcome/node_modules</maven.build.cache.exclude.5>
</properties> </properties>
<build> <build>
@ -166,6 +168,83 @@
</build> </build>
</profile> </profile>
<profile>
<id>welcome2</id>
<activation>
<property>
<name>!skipWelcome2</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<configuration>
<filesets>
<fileset>
<directory>${dir.welcome2}/node_modules</directory>
<directory>${dir.welcome2}/resources/vendor</directory>
</fileset>
</filesets>
</configuration>
</plugin>
<plugin>
<groupId>com.github.eirslett</groupId>
<artifactId>frontend-maven-plugin</artifactId>
<executions>
<execution>
<id>setup-node</id>
<goals>
<goal>install-node-and-npm</goal>
</goals>
<phase>initialize</phase>
</execution>
<execution>
<id>npm-install-welcome2</id>
<phase>initialize</phase>
<goals>
<goal>npm</goal>
</goals>
<configuration>
<workingDirectory>${dir.welcome2}</workingDirectory>
<arguments>${args.npm.install}</arguments>
</configuration>
</execution>
</executions>
<configuration>
<nodeVersion>${node.version}</nodeVersion>
<installDirectory>../</installDirectory>
</configuration>
</plugin>
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<executions>
<execution>
<id>copy-patternfly</id>
<phase>generate-resources</phase>
<goals>
<goal>copy-resources</goal>
</goals>
<configuration>
<outputDirectory>${dir.welcome2}/resources/vendor/patternfly</outputDirectory>
<resources>
<resource>
<directory>${dir.welcome2}/node_modules/@patternfly/patternfly</directory>
<includes>
<include>patternfly.css</include>
<include>patternfly-addons.css</include>
<include>assets/fonts/**/*</include>
</includes>
</resource>
</resources>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile> <profile>
<id>common</id> <id>common</id>
<activation> <activation>

2
themes/src/main/resources/META-INF/keycloak-themes.json
View file

@ -7,6 +7,6 @@
"types": [ "login", "common", "email", "welcome" ] "types": [ "login", "common", "email", "welcome" ]
}, { }, {
"name" : "keycloak.v2", "name" : "keycloak.v2",
"types": [ "account", "admin" ] "types": [ "account", "admin", "welcome" ]
}] }]
} }

1
themes/src/main/resources/theme/keycloak.v2/welcome/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
resources/vendor

205
themes/src/main/resources/theme/keycloak.v2/welcome/index.ftl Executable file
View file

@ -0,0 +1,205 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Welcome to ${productName}</title>
<meta name="robots" content="noindex, nofollow">
<link rel="shortcut icon" href="${resourcesPath}/img/favicon.ico">
<#if properties.stylesCommon?has_content>
<#list properties.stylesCommon?split(' ') as style>
<link href="${resourcesCommonPath}/${style}" rel="stylesheet">
</#list>
</#if>
<#if properties.styles?has_content>
<#list properties.styles?split(' ') as style>
<link href="${resourcesPath}/${style}" rel="stylesheet">
</#list>
</#if>
</head>
<body>
<div class="pf-v5-c-page">
<main class="pf-v5-c-page__main">
<section class="pf-v5-c-page__main-section pf-m-limit-width pf-m-align-center">
<div class="pf-v5-c-page__main-body">
<div class="pf-v5-c-content">
<h1 class="pf-v5-c-title pf-m-2xl pf-v5-u-mb-lg">Welcome to <strong>${productName}</strong></h1>
</div>
<div class="pf-v5-l-grid pf-m-gutter pf-m-all-4-col-on-sm">
<#if adminConsoleEnabled>
<div class="pf-v5-l-grid__item">
<div class="pf-v5-c-card pf-m-full-height">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Administration Console</h2>
</div>
<div class="pf-v5-c-card__body">
<#if bootstrap>
<#if localUser>
<div class="pf-v5-c-content">
<p class="pf-v5-u-mb-sm">Please create an initial admin user to get started.</p>
</div>
<form id="create-user" class="pf-v5-c-form" method="post" novalidate>
<div class="pf-v5-c-form__group">
<div class="pf-v5-c-form__group-label">
<label class="pf-v5-c-form__label" for="username">
<span class="pf-v5-c-form__label-text">Username</span>&nbsp;<span class="pf-v5-c-form__label-required" aria-hidden="true">&#42;</span>
</label>
</div>
<div class="pf-v5-c-form__group-control">
<span class="pf-v5-c-form-control pf-m-required">
<input id="username" type="text" name="username" autocomplete="username" required>
</span>
</div>
</div>
<div class="pf-v5-c-form__group">
<div class="pf-v5-c-form__group-label">
<label class="pf-v5-c-form__label" for="password">
<span class="pf-v5-c-form__label-text">Password</span>&nbsp;<span class="pf-v5-c-form__label-required" aria-hidden="true">&#42;</span>
</label>
</div>
<div class="pf-v5-c-form__group-control">
<span class="pf-v5-c-form-control pf-m-required">
<input id="password" type="password" name="password" autocomplete="new-password" required>
</span>
</div>
</div>
<div class="pf-v5-c-form__group">
<div class="pf-v5-c-form__group-label">
<label class="pf-v5-c-form__label" for="password-confirmation">
<span class="pf-v5-c-form__label-text">Password confirmation</span>&nbsp;<span class="pf-v5-c-form__label-required" aria-hidden="true">&#42;</span>
</label>
</div>
<div class="pf-v5-c-form__group-control">
<span class="pf-v5-c-form-control pf-m-required">
<input id="password-confirmation" type="password" name="passwordConfirmation" autocomplete="new-password" required>
</span>
</div>
</div>
<input name="stateChecker" type="hidden" value="${stateChecker}">
<#if errorMessage?has_content>
<div class="pf-v5-c-alert pf-m-danger pf-m-plain pf-m-inline pf-v5-u-mb-sm">
<div class="pf-v5-c-alert__icon">
<i class="fas fa-fw fa-exclamation-circle" aria-hidden="true"></i>
</div>
<p class="pf-v5-c-alert__title">
${errorMessage}
</p>
</div>
</#if>
<div class="pf-v5-c-form__group pf-m-action">
<div class="pf-v5-c-form__actions">
<button class="pf-v5-c-button pf-m-primary" type="submit" form="create-user">Create user</button>
</div>
</div>
</form>
<#else>
<div class="pf-v5-c-content">
<p>
You will need local access to create the initial admin user.<br><br>
To create one open <a href="${localAdminUrl}">${localAdminUrl}</a>, or set the environment variables <code>KEYCLOAK_ADMIN</code> and <code>KEYCLOAK_ADMIN_PASSWORD</code> when starting the server.
</p>
</div>
</#if>
<#else>
<div class="pf-v5-c-content">
<p>Centrally manage all aspects of the ${productName} server.</p>
</div>
<#if successMessage?has_content>
<div class="pf-v5-c-alert pf-m-success pf-m-inline pf-v5-u-mt-lg">
<div class="pf-v5-c-alert__icon">
<i class="fas fa-fw fa-check-circle" aria-hidden="true"></i>
</div>
<p class="pf-v5-c-alert__title">
${successMessage}
</p>
</div>
</#if>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="${adminUrl}">
Visit the administration console
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</#if>
</div>
</div>
</div>
</#if>
<div class="pf-v5-l-grid__item">
<div class="pf-v5-c-card pf-m-full-height">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Documentation</h2>
</div>
<div class="pf-v5-c-card__body">User Guide, Admin REST API and Javadocs.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="${properties.documentationUrl}">
Read the documentation
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
<#if properties.displayCommunityLinks = "true">
<div class="pf-v5-l-grid__item">
<div class="pf-v5-l-grid pf-m-gutter">
<div class="pf-v5-l-grid__item pf-m-12-col">
<div class="pf-v5-c-card">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">${productName} Project</h2>
</div>
<div class="pf-v5-c-card__body">The home page of the ${productName} project.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="https://www.keycloak.org/">
Visit the ${productName} project
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
<div class="pf-v5-l-grid__item pf-m-12-col">
<div class="pf-v5-c-card">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Mailing List</h2>
</div>
<div class="pf-v5-c-card__body">Discussions about ${productName}.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="https://groups.google.com/g/keycloak-user">
Start a discussion
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
<div class="pf-v5-l-grid__item pf-m-12-col">
<div class="pf-v5-c-card">
<div class="pf-v5-c-card__title">
<h2 class="pf-v5-c-card__title-text">Issue Tracker</h2>
</div>
<div class="pf-v5-c-card__body">Report issues with ${productName}.</div>
<div class="pf-v5-c-card__footer">
<a class="pf-v5-c-button pf-m-link pf-m-inline" href="https://github.com/keycloak/keycloak/issues">
Report an issue
<span class="pf-v5-c-button__icon pf-m-end">
<i class="fas fa-arrow-right" aria-hidden="true"></i>
</span>
</a>
</div>
</div>
</div>
</div>
</div>
</#if>
</div>
</div>
</section>
</main>
</div>
</body>
</html>

18
themes/src/main/resources/theme/keycloak.v2/welcome/package-lock.json generated Normal file
View file

@ -0,0 +1,18 @@
{
"name": "welcome-v2",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "welcome-v2",
"dependencies": {
"@patternfly/patternfly": "^5.0.2"
}
},
"node_modules/@patternfly/patternfly": {
"version": "5.0.2",
"resolved": "https://registry.npmjs.org/@patternfly/patternfly/-/patternfly-5.0.2.tgz",
"integrity": "sha512-PB8+MLdYVgF1hIOxGmnVsZG+YHUX3RePe5W1oMS4gS00EmSgw1cobr1Qbpy/BqqS8/R9DRN4hZ2FKDT0d5tkFQ=="
}
}
}

6
themes/src/main/resources/theme/keycloak.v2/welcome/package.json Normal file
View file

@ -0,0 +1,6 @@
{
"name": "welcome-v2",
"dependencies": {
"@patternfly/patternfly": "^5.0.2"
}
}

6
themes/src/main/resources/theme/keycloak.v2/welcome/theme.properties Normal file
View file

@ -0,0 +1,6 @@
import=common/keycloak
styles=vendor/patternfly/patternfly.css vendor/patternfly/patternfly-addons.css
documentationUrl=https://www.keycloak.org/documentation.html
displayCommunityLinks=true