diff --git a/src/components/dynamic/FileComponent.tsx b/src/components/dynamic/FileComponent.tsx
new file mode 100644
index 0000000000..ea5a083bc7
--- /dev/null
+++ b/src/components/dynamic/FileComponent.tsx
@@ -0,0 +1,47 @@
+import React, { useState } from "react";
+import { useTranslation } from "react-i18next";
+import { Controller, useFormContext } from "react-hook-form";
+import { FileUpload, FormGroup } from "@patternfly/react-core";
+
+import { HelpItem } from "../help-enabler/HelpItem";
+import type { ComponentProps } from "./components";
+
+export const FileComponent = ({
+ name,
+ label,
+ helpText,
+ defaultValue,
+ isDisabled = false,
+}: ComponentProps) => {
+ const { t } = useTranslation("dynamic");
+ const { control } = useFormContext();
+ const [filename, setFilename] = useState("");
+
+ return (
+ + } + fieldId={name!} + > + ( + { + onChange(value); + setFilename(filename); + }} + /> + )} + /> + + ); +};
diff --git a/src/components/dynamic/components.ts b/src/components/dynamic/components.ts
index ec51b7dd9d..849572a3de 100644
--- a/src/components/dynamic/components.ts
+++ b/src/components/dynamic/components.ts
@@ -11,6 +11,7 @@ import { ClientSelectComponent } from "./ClientSelectComponent";
 import { MultiValuedStringComponent } from "./MultivaluedStringComponent";
 import { MultiValuedListComponent } from "./MultivaluedListComponent";
 import { GroupComponent } from "./GroupComponent";
+import { FileComponent } from "./FileComponent";
 export type ComponentProps = Omit & {
 isDisabled?: boolean;
@@ -27,6 +28,7 @@ const ComponentTypes = [
 "MultivaluedList",
 "ClientList",
 "MultivaluedString",
+ "File",
 ] as const;
 export type Components = typeof ComponentTypes[number];
@@ -44,6 +46,7 @@ export const COMPONENTS: {
 ClientList: ClientSelectComponent,
 MultivaluedList: MultiValuedListComponent,
 MultivaluedString: MultiValuedStringComponent,
+ File: FileComponent,
 } as const;
 export const isValidComponentType = (value: string): value is Components => 
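Review bot: The `onChange` handler at the end of the FileComponent hunk pushes the whole file contents into the form field (`onChange(value)`) with nothing visible in the hunk bounding the size or kind of file an operator can pick, so a large or binary file is read into browser memory and then submitted to the server as a plain config string; the FileUpload props that would constrain this are lost in this extraction, so if none are set I would add `dropzoneProps={{ accept: ".pem,.crt,.txt", maxSize: 1024 * 1024 }}` (adjusted to what the server-side property actually expects) together with an `onDropRejected` handler that surfaces the rejection. The filename only reaches local state (`useState("")` then `setFilename(filename)`), so a field rendered with a non-empty `defaultValue` starts with an empty filename box even though a value is already stored; deriving an initial display name when `defaultValue` is set would avoid that. The callback parameter `filename` also shadows the state variable of the same name, and `(content, pickedName) => { onChange(content); setFilename(pickedName); }` reads better inside the two-line handler. A header comment such as `// Stores the raw file contents (not a path or handle) as the form value; the filename is display-only and never persisted.` would make the contract clear to users of the dynamic component registry.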
diff --git a/src/context/server-info/__tests__/mock.json b/src/context/server-info/__tests__/mock.json
index 0af56ee93a..ed0bf8449e 100644
--- a/src/context/server-info/__tests__/mock.json
+++ b/src/context/server-info/__tests__/mock.json
@@ -1,7272 +1,7143 @@ { - "systemInfo":{ - "version":"11.0.0", - "serverTime":"Thu Oct 08 13:29:49 CEST 2020", - "uptime":"5 days, 22 hours, 29 minutes, 46 seconds", - "uptimeMillis":512986356, - "javaVersion":"11.0.7", - "javaVendor":"Oracle Corporation", - "javaVm":"OpenJDK 64-Bit Server VM", - "javaVmVersion":"11.0.7+10", - "javaRuntime":"OpenJDK Runtime Environment", - "javaHome":"/home/edewit/.sdkman/candidates/java/11.0.7-open", - "osName":"Linux", - "osArchitecture":"amd64", - "osVersion":"5.8.11-200.fc32.x86_64", - "fileEncoding":"UTF-8", - "userName":"edewit", - "userDir":"/home/edewit/workspace/keycloak/keycloak-admin", - "userTimezone":"Europe/Zurich", - "userLocale":"us_EN" - }, - "memoryInfo":{ - "total":536870912, - "totalFormated":"512 MB", - "used":114736240, - "usedFormated":"109 MB", - "free":422134672, - "freePercentage":78, - "freeFormated":"402 MB" - }, - "profileInfo":{ - "name":"community", - "disabledFeatures":[ - "DOCKER", - "TOKEN_EXCHANGE", - "ACCOUNT_API", - "UPLOAD_SCRIPTS", - "SCRIPTS", - "OPENSHIFT_INTEGRATION", - "ADMIN_FINE_GRAINED_AUTHZ", - "CLIENT_POLICIES", - "ACCOUNT2" - ], - "previewFeatures":[ - "TOKEN_EXCHANGE", - "ACCOUNT_API", - "SCRIPTS", - "OPENSHIFT_INTEGRATION", - "ADMIN_FINE_GRAINED_AUTHZ", - "CLIENT_POLICIES", - "ACCOUNT2" - ], - "experimentalFeatures":[ - - ] - }, - "themes":{ - "common":[ - { - "name":"keycloak" - } - ], - "admin":[ - { - "name":"base", - "locales":[ - "ca", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sv", - "zh-CN" - ] - }, - { - "name":"keycloak", - "locales":[ - "ca", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sv", - "zh-CN" - ] - } - ], - "login":[ - { - "name":"base", - "locales":[ - "ca", - "cs", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sk", - "sv", - "tr", - "zh-CN" - ] - }, - { - "name":"keycloak", - "locales":[ - 
"ca", - "cs", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sk", - "sv", - "tr", - "zh-CN" - ] - } - ], - "welcome":[ - { - "name":"keycloak" - } - ], - "account":[ - { - "name":"base", - "locales":[ - "ca", - "cs", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sk", - "sv", - "tr", - "zh-CN" - ] - }, - { - "name":"keycloak", - "locales":[ - "ca", - "cs", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sk", - "sv", - "tr", - "zh-CN" - ] - } - ], - "email":[ - { - "name":"base", - "locales":[ - "ca", - "cs", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sk", - "sv", - "tr", - "zh-CN" - ] - }, - { - "name":"keycloak", - "locales":[ - "ca", - "cs", - "de", - "en", - "es", - "fr", - "it", - "ja", - "lt", - "nl", - "no", - "pl", - "pt-BR", - "ru", - "sk", - "sv", - "tr", - "zh-CN" - ] - } - ] - }, - "socialProviders":[ + "systemInfo": { + "version": "18.0.0-SNAPSHOT", + "serverTime": "Fri Mar 04 12:50:14 CET 2022", + "uptime": "0 days, 0 hours, 2 minutes, 38 seconds", + "uptimeMillis": 158820, + "javaVersion": "11.0.7", + "javaVendor": "Oracle Corporation", + "javaVm": "OpenJDK 64-Bit Server VM", + "javaVmVersion": "11.0.7+10", + "javaRuntime": "OpenJDK Runtime Environment", + "javaHome": "/home/edewit/.sdkman/candidates/java/11.0.7-open", + "osName": "Linux", + "osArchitecture": "amd64", + "osVersion": "5.16.9-200.fc35.x86_64", + "fileEncoding": "UTF-8", + "userName": "edewit", + "userDir": "/home/edewit/workspace/keycloak/keycloak/distribution/server-dist/target/keycloak-18.0.0-SNAPSHOT", + "userTimezone": "Europe/Zurich", + "userLocale": "gb_EN" + }, + "memoryInfo": { + "total": 536870912, + "totalFormated": "512 MB", + "used": 93852512, + "usedFormated": "89 MB", + "free": 443018400, + "freePercentage": 82, + "freeFormated": "422 MB" + }, + 
"profileInfo": { + "name": "community", + "disabledFeatures": [ + "DOCKER", + "MAP_STORAGE", + "UPLOAD_SCRIPTS", + "DECLARATIVE_USER_PROFILE", + "DYNAMIC_SCOPES", + "SCRIPTS", + "OPENSHIFT_INTEGRATION", + "ADMIN_FINE_GRAINED_AUTHZ", + "TOKEN_EXCHANGE" + ], + "previewFeatures": [ + "DECLARATIVE_USER_PROFILE", + "SCRIPTS", + "OPENSHIFT_INTEGRATION", + "ADMIN_FINE_GRAINED_AUTHZ", + "TOKEN_EXCHANGE" + ], + "experimentalFeatures": ["ADMIN2", "MAP_STORAGE", "DYNAMIC_SCOPES"] + }, + "themes": { + "common": [{ "name": "keycloak" }], + "admin": [ { - "groupName":"Social", - "name":"GitHub", - "id":"github" + "name": "base", + "locales": [ + "ca", + "de", + "en", + "es", + "fr", + "it", + "ja", + "lt", + "lv", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sv", + "zh-CN" + ] }, { - "groupName":"Social", - "name":"Facebook", - "id":"facebook" + "name": "keycloak", + "locales": [ + "ca", + "de", + "en", + "es", + "fr", + "it", + "ja", + "lt", + "lv", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sv", + "zh-CN" + ] + }, + { "name": "keycloak.v2" } + ], + "login": [ + { + "name": "base", + "locales": [ + "ca", + "cs", + "da", + "de", + "en", + "es", + "fr", + "hu", + "it", + "ja", + "lt", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sk", + "sv", + "tr", + "zh-CN" + ] }, { - "groupName":"Social", - "name":"Google", - "id":"google" - }, - { - "groupName":"Social", - "name":"LinkedIn", - "id":"linkedin" - }, - { - "groupName":"Social", - "name":"Instagram", - "id":"instagram" - }, - { - "groupName":"Social", - "name":"Microsoft", - "id":"microsoft" - }, - { - "groupName":"Social", - "name":"BitBucket", - "id":"bitbucket" - }, - { - "groupName":"Social", - "name":"Twitter", - "id":"twitter" - }, - { - "groupName":"Social", - "name":"Openshift v4", - "id":"openshift-v4" - }, - { - "groupName":"Social", - "name":"Openshift v3", - "id":"openshift-v3" - }, - { - "groupName":"Social", - "name":"GitLab", - "id":"gitlab" - }, - { - "groupName":"Social", - "name":"PayPal", - "id":"paypal" - 
}, - { - "groupName":"Social", - "name":"StackOverflow", - "id":"stackoverflow" + "name": "keycloak", + "locales": [ + "ca", + "cs", + "da", + "de", + "en", + "es", + "fr", + "hu", + "it", + "ja", + "lt", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sk", + "sv", + "tr", + "zh-CN" + ] } - ], - "identityProviders":[ + ], + "welcome": [{ "name": "keycloak" }], + "account": [ { - "groupName":"User-defined", - "name":"SAML v2.0", - "id":"saml" + "name": "base", + "locales": [ + "ca", + "cs", + "da", + "de", + "en", + "es", + "fr", + "hu", + "it", + "ja", + "lt", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sk", + "sv", + "tr", + "zh-CN" + ] }, { - "groupName":"User-defined", - "name":"OpenID Connect v1.0", - "id":"oidc" + "name": "keycloak", + "locales": [ + "ca", + "cs", + "da", + "de", + "en", + "es", + "fr", + "hu", + "it", + "ja", + "lt", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sk", + "sv", + "tr", + "zh-CN" + ] }, { - "groupName":"User-defined", - "name":"Keycloak OpenID Connect", - "id":"keycloak-oidc" - }, - { - "groupName":"Social", - "name":"GitHub", - "id":"github" - }, - { - "groupName":"Social", - "name":"Facebook", - "id":"facebook" - }, - { - "groupName":"Social", - "name":"Google", - "id":"google" - }, - { - "groupName":"Social", - "name":"LinkedIn", - "id":"linkedin" - }, - { - "groupName":"Social", - "name":"Instagram", - "id":"instagram" - }, - { - "groupName":"Social", - "name":"Microsoft", - "id":"microsoft" - }, - { - "groupName":"Social", - "name":"BitBucket", - "id":"bitbucket" - }, - { - "groupName":"Social", - "name":"Twitter", - "id":"twitter" - }, - { - "groupName":"Social", - "name":"Openshift v4", - "id":"openshift-v4" - }, - { - "groupName":"Social", - "name":"Openshift v3", - "id":"openshift-v3" - }, - { - "groupName":"Social", - "name":"GitLab", - "id":"gitlab" - }, - { - "groupName":"Social", - "name":"PayPal", - "id":"paypal" - }, - { - "groupName":"Social", - "name":"StackOverflow", - "id":"stackoverflow" + "name": 
"keycloak.v2", + "locales": [ + "ca", + "cs", + "da", + "de", + "en", + "es", + "fr", + "hu", + "it", + "ja", + "lt", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sk", + "sv", + "tr", + "zh-CN" + ] } - ], - "providers":{ - "account":{ - "internal":true, - "providers":{ - "freemarker":{ - "order":0 - } - } - }, - "actionToken":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "actionTokenHandler":{ - "internal":true, - "providers":{ - "verify-email":{ - "order":0 - }, - "execute-actions":{ - "order":0 - }, - "reset-credentials":{ - "order":0 - }, - "idp-verify-account-via-email":{ - "order":0 - } - } - }, - "authenticationSessions":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "authenticator":{ - "internal":true, - "providers":{ - "no-cookie-redirect":{ - "order":0 - }, - "auth-cookie":{ - "order":0 - }, - "console-username-password":{ - "order":0 - }, - "reset-credentials-choose-user":{ - "order":0 - }, - "direct-grant-validate-password":{ - "order":0 - }, - "webauthn-authenticator":{ - "order":0 - }, - "auth-spnego":{ - "order":0 - }, - "direct-grant-auth-x509-username":{ - "order":0 - }, - "reset-password":{ - "order":0 - }, - "auth-password-form":{ - "order":0 - }, - "docker-http-basic-authenticator":{ - "order":0 - }, - "idp-username-password-form":{ - "order":0 - }, - "auth-x509-client-username-form":{ - "order":0 - }, - "idp-auto-link":{ - "order":0 - }, - "idp-email-verification":{ - "order":0 - }, - "basic-auth":{ - "order":0 - }, - "conditional-user-role":{ - "order":0 - }, - "direct-grant-validate-username":{ - "order":0 - }, - "identity-provider-redirector":{ - "order":0 - }, - "reset-otp":{ - "order":0 - }, - "conditional-user-configured":{ - "order":0 - }, - "webauthn-authenticator-passwordless":{ - "order":0 - }, - "basic-auth-otp":{ - "order":0 - }, - "auth-conditional-otp-form":{ - "order":0 - }, - "idp-confirm-link":{ - "order":0 - }, - "idp-review-profile":{ - "order":0 - }, - 
"auth-username-password-form":{ - "order":0 - }, - "reset-credential-email":{ - "order":0 - }, - "auth-username-form":{ - "order":0 - }, - "http-basic-authenticator":{ - "order":0 - }, - "auth-otp-form":{ - "order":0 - }, - "direct-grant-validate-otp":{ - "order":0 - }, - "idp-create-user-if-unique":{ - "order":0 - } - } - }, - "authorization":{ - "internal":true, - "providers":{ - "authorization":{ - "order":0 - } - } - }, - "authorizationCache":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "authorizationPersister":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "bruteForceProtector":{ - "internal":true, - "providers":{ - "default-brute-force-detector":{ - "order":0 - } - } - }, - "cekmanagement":{ - "internal":true, - "providers":{ - "RSA-OAEP":{ - "order":0 - }, - "RSA1_5":{ - "order":0 - } - } - }, - "client":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "client-authenticator":{ - "internal":true, - "providers":{ - "client-jwt":{ - "order":0 - }, - "client-secret":{ - "order":0 - }, - "client-x509":{ - "order":0 - }, - "client-secret-jwt":{ - "order":0 - } - } - }, - "client-description-converter":{ - "internal":true, - "providers":{ - "keycloak":{ - "order":0 - }, - "saml2-entity-descriptor":{ - "order":0 - }, - "openid-connect":{ - "order":0 - } - } - }, - "client-installation":{ - "internal":true, - "providers":{ - "docker-v2-variable-override":{ - "order":0 - }, - "keycloak-oidc-jboss-subsystem":{ - "order":0 - }, - "keycloak-oidc-jboss-subsystem-cli":{ - "order":0 - }, - "keycloak-saml":{ - "order":0 - }, - "keycloak-saml-subsystem-cli":{ - "order":0 - }, - "docker-v2-registry-config-file":{ - "order":0 - }, - "saml-sp-descriptor":{ - "order":0 - }, - "keycloak-saml-subsystem":{ - "order":0 - }, - "keycloak-oidc-keycloak-json":{ - "order":0 - }, - "docker-v2-compose-yaml":{ - "order":0 - }, - "mod-auth-mellon":{ - "order":0 - } - } - }, - "client-policy":{ - 
"internal":true, - "providers":{ - "client-policy-provider":{ - "order":0 - } - } - }, - "client-policy-condition":{ - "internal":true, - "providers":{ - - } - }, - "client-policy-executor":{ - "internal":true, - "providers":{ - - } - }, - "client-registration":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - }, - "install":{ - "order":0 - }, - "saml2-entity-descriptor":{ - "order":0 - }, - "openid-connect":{ - "order":0 - } - } - }, - "client-registration-policy":{ - "internal":true, - "providers":{ - "allowed-client-templates":{ - "order":0 - }, - "client-disabled":{ - "order":0 - }, - "max-clients":{ - "order":0 - }, - "scope":{ - "order":0 - }, - "allowed-protocol-mappers":{ - "order":0 - }, - "trusted-hosts":{ - "order":0 - }, - "consent-required":{ - "order":0 - } - } - }, - "client-storage":{ - "internal":true, - "providers":{ - - } - }, - "clientSignature":{ - "internal":true, - "providers":{ - "PS384":{ - "order":0 - }, - "ES384":{ - "order":0 - }, - "RS384":{ - "order":0 - }, - "HS256":{ - "order":0 - }, - "HS512":{ - "order":0 - }, - "ES256":{ - "order":0 - }, - "RS256":{ - "order":0 - }, - "HS384":{ - "order":0 - }, - "ES512":{ - "order":0 - }, - "PS256":{ - "order":0 - }, - "PS512":{ - "order":0 - }, - "RS512":{ - "order":0 - } - } - }, - "clientValidation":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "cluster":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "codeToTokenStore":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "connectionsHttpClient":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "connectionsInfinispan":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "connectionsJpa":{ - "internal":true, - "providers":{ - "default":{ - "order":0, - "operationalInfo":{ - 
"databaseUrl":"jdbc:h2:/home/edewit/workspace/keycloak/keycloak-admin/server/keycloak-11.0.0/standalone/data/keycloak", - "databaseUser":"SA", - "databaseProduct":"H2 1.4.197 (2018-03-18)", - "databaseDriver":"H2 JDBC Driver 1.4.197 (2018-03-18)" - } - } - } - }, - "connectionsJpaUpdater":{ - "internal":true, - "providers":{ - "liquibase":{ - "order":0 - } - } - }, - "connectionsLiquibase":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "contentencryption":{ - "internal":true, - "providers":{ - "A256GCM":{ - "order":0 - }, - "A192GCM":{ - "order":0 - }, - "A128GCM":{ - "order":0 - }, - "A128CBC-HS256":{ - "order":0 - }, - "A192CBC-HS384":{ - "order":0 - }, - "A256CBC-HS512":{ - "order":0 - } - } - }, - "credential":{ - "internal":true, - "providers":{ - "keycloak-webauthn":{ - "order":0 - }, - "keycloak-otp":{ - "order":0 - }, - "keycloak-password":{ - "order":0 - }, - "keycloak-webauthn-passwordless":{ - "order":0 - } - } - }, - "dblock":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "emailSender":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "emailTemplate":{ - "internal":true, - "providers":{ - "freemarker":{ - "order":0 - } - } - }, - "eventsListener":{ - "internal":true, - "providers":{ - "jboss-logging":{ - "order":0 - }, - "email":{ - "order":0 - } - } - }, - "eventsStore":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "exception-converter":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "executors":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "export":{ - "internal":true, - "providers":{ - "singleFile":{ - "order":0 - }, - "dir":{ - "order":0 - } - } - }, - "form-action":{ - "internal":true, - "providers":{ - "registration-profile-action":{ - "order":0 - }, - "registration-recaptcha-action":{ - "order":0 - }, - "registration-password-action":{ - "order":0 - }, - 
"registration-user-creation":{ - "order":0 - } - } - }, - "form-authenticator":{ - "internal":true, - "providers":{ - "registration-page-form":{ - "order":0 - } - } - }, - "hash":{ - "internal":true, - "providers":{ - "SHA-384":{ - "order":0 - }, - "SHA-256":{ - "order":0 - }, - "SHA-512":{ - "order":0 - } - } - }, - "hostname":{ - "internal":false, - "providers":{ - "default":{ - "order":0 - } - } - }, - "identity-provider-mapper":{ - "internal":true, - "providers":{ - "saml-advanced-role-idp-mapper":{ - "order":0 - }, - "saml-username-idp-mapper":{ - "order":0 - }, - "github-user-attribute-mapper":{ - "order":0 - }, - "stackoverflow-user-attribute-mapper":{ - "order":0 - }, - "hardcoded-user-session-attribute-idp-mapper":{ - "order":0 - }, - "oidc-advanced-role-idp-mapper":{ - "order":0 - }, - "saml-user-attribute-idp-mapper":{ - "order":0 - }, - "paypal-user-attribute-mapper":{ - "order":0 - }, - "google-user-attribute-mapper":{ - "order":0 - }, - "linkedin-user-attribute-mapper":{ - "order":0 - }, - "oidc-role-idp-mapper":{ - "order":0 - }, - "saml-role-idp-mapper":{ - "order":0 - }, - "instagram-user-attribute-mapper":{ - "order":0 - }, - "microsoft-user-attribute-mapper":{ - "order":0 - }, - "keycloak-oidc-role-to-role-idp-mapper":{ - "order":0 - }, - "oidc-user-attribute-idp-mapper":{ - "order":0 - }, - "facebook-user-attribute-mapper":{ - "order":0 - }, - "oidc-hardcoded-role-idp-mapper":{ - "order":0 - }, - "hardcoded-attribute-idp-mapper":{ - "order":0 - }, - "oidc-username-idp-mapper":{ - "order":0 - } - } - }, - "identity_provider":{ - "internal":true, - "providers":{ - "saml":{ - "order":0 - }, - "oidc":{ - "order":0 - }, - "keycloak-oidc":{ - "order":0 - } - } - }, - "import":{ - "internal":true, - "providers":{ - "singleFile":{ - "order":0 - }, - "dir":{ - "order":0 - } - } - }, - "jpa-entity-provider":{ - "internal":true, - "providers":{ - - } - }, - "jta-lookup":{ - "internal":true, - "providers":{ - "jboss":{ - "order":0 - } - } - }, - "keys":{ - 
"internal":true, - "providers":{ - "rsa":{ - "order":0 - }, - "java-keystore":{ - "order":0 - }, - "rsa-generated":{ - "order":0 - }, - "aes-generated":{ - "order":0 - }, - "ecdsa-generated":{ - "order":0 - }, - "hmac-generated":{ - "order":0 - } - } - }, - "ldap-mapper":{ - "internal":true, - "providers":{ - "msad-lds-user-account-control-mapper":{ - "order":0 - }, - "msad-user-account-control-mapper":{ - "order":0 - }, - "group-ldap-mapper":{ - "order":0 - }, - "user-attribute-ldap-mapper":{ - "order":0 - }, - "role-ldap-mapper":{ - "order":0 - }, - "hardcoded-attribute-mapper":{ - "order":0 - }, - "hardcoded-ldap-role-mapper":{ - "order":0 - }, - "certificate-ldap-mapper":{ - "order":0 - }, - "full-name-ldap-mapper":{ - "order":0 - }, - "hardcoded-ldap-attribute-mapper":{ - "order":0 - }, - "hardcoded-ldap-group-mapper":{ - "order":0 - } - } - }, - "localeSelector":{ - "internal":false, - "providers":{ - "default":{ - "order":0 - } - } - }, - "localeUpdater":{ - "internal":false, - "providers":{ - "default":{ - "order":0 - } - } - }, - "login":{ - "internal":true, - "providers":{ - "freemarker":{ - "order":0 - } - } - }, - "login-protocol":{ - "internal":true, - "providers":{ - "saml":{ - "order":0 - }, - "openid-connect":{ - "order":0 - } - } - }, - "migration":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "oauth2-token-introspection":{ - "internal":true, - "providers":{ - "access_token":{ - "order":0 - }, - "refresh_token":{ - "order":0 - }, - "requesting_party_token":{ - "order":0 - } - } - }, - "openid-connect-ext":{ - "internal":true, - "providers":{ - - } - }, - "password-hashing":{ - "internal":true, - "providers":{ - "pbkdf2":{ - "order":0 - }, - "pbkdf2-sha512":{ - "order":0 - }, - "pbkdf2-sha256":{ - "order":0 - } - } - }, - "password-policy":{ - "internal":true, - "providers":{ - "forceExpiredPasswordChange":{ - "order":0 - }, - "hashIterations":{ - "order":0 - }, - "specialChars":{ - "order":0 - }, - 
"passwordHistory":{ - "order":0 - }, - "upperCase":{ - "order":0 - }, - "lowerCase":{ - "order":0 - }, - "passwordBlacklist":{ - "order":0 - }, - "length":{ - "order":0 - }, - "regexPattern":{ - "order":0 - }, - "digits":{ - "order":0 - }, - "notUsername":{ - "order":0 - }, - "hashAlgorithm":{ - "order":0 - } - } - }, - "password-policy-manager":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "policy":{ - "internal":true, - "providers":{ - "role":{ - "order":0 - }, - "resource":{ - "order":0 - }, - "scope":{ - "order":0 - }, - "uma":{ - "order":0 - }, - "client":{ - "order":0 - }, - "js":{ - "order":0 - }, - "time":{ - "order":0 - }, - "user":{ - "order":0 - }, - "aggregate":{ - "order":0 - }, - "group":{ - "order":0 - } - } - }, - "protocol-mapper":{ - "internal":true, - "providers":{ - "oidc-usermodel-realm-role-mapper":{ - "order":0 - }, - "saml-javascript-mapper":{ - "order":0 - }, - "oidc-usersessionmodel-note-mapper":{ - "order":0 - }, - "oidc-address-mapper":{ - "order":0 - }, - "saml-audience-resolve-mapper":{ - "order":0 - }, - "oidc-role-name-mapper":{ - "order":0 - }, - "oidc-usermodel-client-role-mapper":{ - "order":0 - }, - "saml-user-session-note-mapper":{ - "order":0 - }, - "oidc-usermodel-property-mapper":{ - "order":0 - }, - "saml-audience-mapper":{ - "order":0 - }, - "saml-group-membership-mapper":{ - "order":0 - }, - "docker-v2-allow-all-mapper":{ - "order":0 - }, - "oidc-hardcoded-role-mapper":{ - "order":0 - }, - "oidc-hardcoded-claim-mapper":{ - "order":0 - }, - "oidc-sha256-pairwise-sub-mapper":{ - "order":0 - }, - "saml-role-name-mapper":{ - "order":0 - }, - "saml-role-list-mapper":{ - "order":0 - }, - "saml-user-property-mapper":{ - "order":0 - }, - "oidc-full-name-mapper":{ - "order":0 - }, - "oidc-allowed-origins-mapper":{ - "order":0 - }, - "oidc-audience-mapper":{ - "order":0 - }, - "oidc-usermodel-attribute-mapper":{ - "order":0 - }, - "saml-hardcode-attribute-mapper":{ - "order":0 - }, - 
"oidc-group-membership-mapper":{ - "order":0 - }, - "saml-user-attribute-mapper":{ - "order":0 - }, - "saml-hardcode-role-mapper":{ - "order":0 - }, - "oidc-audience-resolve-mapper":{ - "order":0 - } - } - }, - "publicKeyStorage":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "realm":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "realm-restapi-extension":{ - "internal":true, - "providers":{ - - } - }, - "realmCache":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "required-action":{ - "internal":true, - "providers":{ - "terms_and_conditions":{ - "order":0 - }, - "update_user_locale":{ - "order":0 - }, - "CONFIGURE_TOTP":{ - "order":0 - }, - "VERIFY_EMAIL":{ - "order":0 - }, - "webauthn-register-passwordless":{ - "order":0 - }, - "webauthn-register":{ - "order":0 - }, - "UPDATE_PASSWORD":{ - "order":0 - }, - "UPDATE_PROFILE":{ - "order":0 - } - } - }, - "saml-authentication-preprocessor":{ - "internal":false, - "providers":{ - - } - }, - "scripting":{ - "internal":true, - "providers":{ - "script-based-auth":{ - "order":0 - } - } - }, - "security-headers":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "signature":{ - "internal":true, - "providers":{ - "PS384":{ - "order":0 - }, - "ES384":{ - "order":0 - }, - "RS384":{ - "order":0 - }, - "HS256":{ - "order":0 - }, - "HS512":{ - "order":0 - }, - "ES256":{ - "order":0 - }, - "RS256":{ - "order":0 - }, - "HS384":{ - "order":0 - }, - "ES512":{ - "order":0 - }, - "PS256":{ - "order":0 - }, - "PS512":{ - "order":0 - }, - "RS512":{ - "order":0 - } - } - }, - "singleUseTokenStore":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "social":{ - "internal":true, - "providers":{ - "github":{ - "order":0 - }, - "facebook":{ - "order":0 - }, - "google":{ - "order":0 - }, - "instagram":{ - "order":0 - }, - "linkedin":{ - "order":0 - }, - "bitbucket":{ - "order":0 - }, - 
"microsoft":{ - "order":0 - }, - "twitter":{ - "order":0 - }, - "openshift-v4":{ - "order":0 - }, - "openshift-v3":{ - "order":0 - }, - "gitlab":{ - "order":0 - }, - "paypal":{ - "order":0 - }, - "stackoverflow":{ - "order":0 - } - } - }, - "stickySessionEncoder":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "storage":{ - "internal":false, - "providers":{ - "ldap":{ - "order":0 - }, - "kerberos":{ - "order":0 - } - } - }, - "theme":{ - "internal":true, - "providers":{ - "folder":{ - "order":0 - }, - "module":{ - "order":0 - }, - "jar":{ - "order":0 - } - } - }, - "themeResource":{ - "internal":false, - "providers":{ - - } - }, - "themeSelector":{ - "internal":false, - "providers":{ - "default":{ - "order":0 - } - } - }, - "timer":{ - "internal":true, - "providers":{ - "basic":{ - "order":0 - } - } - }, - "truststore":{ - "internal":true, - "providers":{ - "file":{ - "order":0 - } - } - }, - "user":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "userCache":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } - }, - "userFederatedStorage":{ - "internal":true, - "providers":{ - "jpa":{ - "order":0 - } - } - }, - "userSessionPersister":{ - "internal":true, - "providers":{ - "jpa":{ - "order":100 - } - } - }, - "userSessions":{ - "internal":true, - "providers":{ - "infinispan":{ - "order":0 - } - } - }, - "vault":{ - "internal":true, - "providers":{ - "files-plaintext":{ - "order":0 - }, - "elytron-cs-keystore":{ - "order":0 - } - } - }, - "well-known":{ - "internal":true, - "providers":{ - "openid-configuration":{ - "order":0 - }, - "uma2-configuration":{ - "order":0 - } - } - }, - "x509cert-lookup":{ - "internal":true, - "providers":{ - "default":{ - "order":0 - } - } + ], + "email": [ + { + "name": "base", + "locales": [ + "ca", + "cs", + "da", + "de", + "en", + "es", + "fr", + "hu", + "it", + "ja", + "lt", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sk", + "sv", + "tr", + "zh-CN" + ] + 
}, + { + "name": "keycloak", + "locales": [ + "ca", + "cs", + "da", + "de", + "en", + "es", + "fr", + "hu", + "it", + "ja", + "lt", + "nl", + "no", + "pl", + "pt-BR", + "ru", + "sk", + "sv", + "tr", + "zh-CN" + ] } - }, - "protocolMapperTypes":{ - "saml":[ - { - "id":"saml-javascript-mapper", - "name":"Javascript Mapper", - "category":"AttributeStatement Mapper", - "helpText":"Evaluates a JavaScript function to produce an attribute value based on context information.", - "priority":0, - "properties":[ - { - "name":"Script", - "label":"Script", - "helpText":"Script to compute the attribute value. \n Available variables: \n 'user' - the current user.\n 'realm' - the current realm.\n 'clientSession' - the current clientSession.\n 'userSession' - the current userSession.\n 'keycloakSession' - the current keycloakSession.\n\nTo use: the last statement is the value returned to Java.\nThe result will be tested if it can be iterated upon (e.g. an array or a collection).\n - If it is not, toString() will be called on the object to get the value of the attribute\n - If it is, toString() will be called on all elements to return multiple attribute values.\n", - "type":"Script", - "defaultValue":"/**\n * Available variables: \n * user - the current user\n * realm - the current realm\n * clientSession - the current clientSession\n * userSession - the current userSession\n * keycloakSession - the current keycloakSession\n */\n\n\n//insert your code here...", - "secret":false - }, - { - "name":"single", - "label":"Single Value Attribute", - "helpText":"If true, all values will be stored under one attribute with multiple attribute values.", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. 
An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - } - ] - }, - { - "id":"saml-audience-resolve-mapper", - "name":"Audience Resolve", - "category":"Audience mapper", - "helpText":"Adds all client_ids of \"allowed\" clients to the audience conditions in the assertion. Allowed client means any SAML client for which user has at least one client role", - "priority":0, - "properties":[ - - ] - }, - { - "id":"saml-user-session-note-mapper", - "name":"User Session Note", - "category":"AttributeStatement Mapper", - "helpText":"Map a user session note to a SAML attribute.", - "priority":0, - "properties":[ - { - "name":"note", - "label":"User Session Note Attribute", - "helpText":"The user session note you want to grab the value from.", - "type":"String", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. 
Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - } - ] - }, - { - "id":"saml-group-membership-mapper", - "name":"Group list", - "category":"Group Mapper", - "helpText":"Group names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per group name depending on how you configure it. You can also specify the attribute name i.e. 'member' or 'memberOf' being examples.", - "priority":0, - "properties":[ - { - "name":"attribute.name", - "label":"Group attribute name", - "helpText":"Name of the SAML attribute you want to put your groups into. i.e. 'member', 'memberOf'.", - "type":"String", - "defaultValue":"member", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"single", - "label":"Single Group Attribute", - "helpText":"If true, all groups will be stored under one attribute with multiple attribute values.", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"full.path", - "label":"Full group path", - "helpText":"Include full path to group i.e. 
/top/level1/level2, false will just specify the group name", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"saml-audience-mapper", - "name":"Audience", - "category":"Audience mapper", - "helpText":"Add specified audience to the audience conditions in the assertion.", - "priority":0, - "properties":[ - { - "name":"included.client.audience", - "label":"included.client.audience.label", - "helpText":"included.client.audience.tooltip", - "type":"ClientList", - "secret":false - }, - { - "name":"included.custom.audience", - "label":"included.custom.audience.label", - "helpText":"included.custom.audience.tooltip", - "type":"String", - "secret":false - } - ] - }, - { - "id":"saml-role-name-mapper", - "name":"Role Name Mapper", - "category":"Role Mapper", - "helpText":"Map an assigned role to a new name", - "priority":0, - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - }, - { - "name":"new.role.name", - "label":"New Role Name", - "helpText":"The new role name.", - "type":"String", - "secret":false - } - ] - }, - { - "id":"saml-role-list-mapper", - "name":"Role list", - "category":"Role Mapper", - "helpText":"Role names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per role name depending on how you configure it. You can also specify the attribute name i.e. 'Role' or 'memberOf' being examples.", - "priority":0, - "properties":[ - { - "name":"attribute.name", - "label":"Role attribute name", - "helpText":"Name of the SAML attribute you want to put your roles into. i.e. 
'Role', 'memberOf'.", - "type":"String", - "defaultValue":"Role", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"single", - "label":"Single Role Attribute", - "helpText":"If true, all roles will be stored under one attribute with multiple attribute values.", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"saml-user-property-mapper", - "name":"User Property", - "category":"AttributeStatement Mapper", - "helpText":"Map a built in user property (email, firstName, lastName) to a SAML attribute type.", - "priority":0, - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.prop.label", - "helpText":"usermodel.prop.tooltip", - "type":"String", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. 
Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - } - ] - }, - { - "id":"saml-hardcode-attribute-mapper", - "name":"Hardcoded attribute", - "category":"AttributeStatement Mapper", - "helpText":"Hardcode an attribute into the SAML Assertion.", - "priority":0, - "properties":[ - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"attribute.value", - "label":"Attribute value", - "helpText":"Value of the attribute you want to hard code.", - "type":"String", - "secret":false - } - ] - }, - { - "id":"saml-user-attribute-mapper", - "name":"User Attribute", - "category":"AttributeStatement Mapper", - "helpText":"Map a custom user attribute to a to a SAML attribute.", - "priority":0, - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.attr.label", - "helpText":"usermodel.attr.tooltip", - "type":"String", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. 
An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"aggregate.attrs", - "label":"aggregate.attrs.label", - "helpText":"aggregate.attrs.tooltip", - "type":"boolean", - "secret":false - } - ] - }, - { - "id":"saml-hardcode-role-mapper", - "name":"Hardcoded role", - "category":"AttributeStatement Mapper", - "helpText":"Hardcode role into SAML Assertion.", - "priority":0, - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Arbitrary role name you want to hardcode. 
This role does not have to exist in current realm and can be just any string you need", - "type":"Role", - "secret":false - } - ] - } - ], - "docker-v2":[ - { - "id":"docker-v2-allow-all-mapper", - "name":"Allow All", - "category":"Docker Auth Mapper", - "helpText":"Allows all grants, returning the full set of requested access attributes as permitted attributes.", - "priority":0, - "properties":[ - - ] - } - ], - "openid-connect":[ - { - "id":"oidc-usermodel-realm-role-mapper", - "name":"User Realm Role", - "category":"Token mapper", - "helpText":"Map a user realm role to a token claim.", - "priority":40, - "properties":[ - { - "name":"usermodel.realmRoleMapping.rolePrefix", - "label":"usermodel.realmRoleMapping.rolePrefix.label", - "helpText":"usermodel.realmRoleMapping.rolePrefix.tooltip", - "type":"String", - "secret":false - }, - { - "name":"multivalued", - "label":"multivalued.label", - "helpText":"multivalued.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-usersessionmodel-note-mapper", - "name":"User Session Note", - 
"category":"Token mapper", - "helpText":"Map a custom user session note to a token claim.", - "priority":0, - "properties":[ - { - "name":"user.session.note", - "label":"userSession.modelNote.label", - "helpText":"userSession.modelNote.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-address-mapper", - "name":"User Address", - "category":"Token mapper", - "helpText":"Maps user address attributes (street, locality, region, postal_code, and country) to the OpenID Connect 'address' claim.", - "priority":0, - "properties":[ - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"user.attribute.street", - "label":"addressClaim.street.label", - "helpText":"addressClaim.street.tooltip", - "type":"String", - "defaultValue":"street", - "secret":false - }, - { - 
"name":"user.attribute.locality", - "label":"addressClaim.locality.label", - "helpText":"addressClaim.locality.tooltip", - "type":"String", - "defaultValue":"locality", - "secret":false - }, - { - "name":"user.attribute.region", - "label":"addressClaim.region.label", - "helpText":"addressClaim.region.tooltip", - "type":"String", - "defaultValue":"region", - "secret":false - }, - { - "name":"user.attribute.postal_code", - "label":"addressClaim.postal_code.label", - "helpText":"addressClaim.postal_code.tooltip", - "type":"String", - "defaultValue":"postal_code", - "secret":false - }, - { - "name":"user.attribute.country", - "label":"addressClaim.country.label", - "helpText":"addressClaim.country.tooltip", - "type":"String", - "defaultValue":"country", - "secret":false - }, - { - "name":"user.attribute.formatted", - "label":"addressClaim.formatted.label", - "helpText":"addressClaim.formatted.tooltip", - "type":"String", - "defaultValue":"formatted", - "secret":false - } - ] - }, - { - "id":"oidc-role-name-mapper", - "name":"Role Name Mapper", - "category":"Token mapper", - "helpText":"Map an assigned role to a new name or position in the token.", - "priority":10, - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - }, - { - "name":"new.role.name", - "label":"New Role Name", - "helpText":"The new role name. The new name format corresponds to where in the access token the role will be mapped to. So, a new name of 'myapp.newname' will map the role to that position in the access token. 
A new name of 'newname' will map the role to the realm roles in the token.", - "type":"String", - "secret":false - } - ] - }, - { - "id":"oidc-usermodel-client-role-mapper", - "name":"User Client Role", - "category":"Token mapper", - "helpText":"Map a user client role to a token claim.", - "priority":40, - "properties":[ - { - "name":"usermodel.clientRoleMapping.clientId", - "label":"usermodel.clientRoleMapping.clientId.label", - "helpText":"usermodel.clientRoleMapping.clientId.tooltip", - "type":"ClientList", - "secret":false - }, - { - "name":"usermodel.clientRoleMapping.rolePrefix", - "label":"usermodel.clientRoleMapping.rolePrefix.label", - "helpText":"usermodel.clientRoleMapping.rolePrefix.tooltip", - "type":"String", - "secret":false - }, - { - "name":"multivalued", - "label":"multivalued.label", - "helpText":"multivalued.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"usermodel.clientRoleMapping.tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-usermodel-property-mapper", - "name":"User Property", - "category":"Token mapper", - "helpText":"Map a built in user property (email, 
firstName, lastName) to a token claim.", - "priority":0, - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.prop.label", - "helpText":"usermodel.prop.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-hardcoded-role-mapper", - "name":"Hardcoded Role", - "category":"Token mapper", - "helpText":"Hardcode a role into the access token.", - "priority":20, - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role you want added to the token. Click 'Select Role' button to browse roles, or just type it in the textbox. To specify an application role the syntax is appname.approle, i.e. 
myapp.myrole", - "type":"Role", - "secret":false - } - ] - }, - { - "id":"oidc-hardcoded-claim-mapper", - "name":"Hardcoded claim", - "category":"Token mapper", - "helpText":"Hardcode a claim into the token.", - "priority":0, - "properties":[ - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.value", - "label":"Claim value", - "helpText":"Value of the claim you want to hard code. 'true' and 'false can be used for boolean values.", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-sha256-pairwise-sub-mapper", - "name":"Pairwise subject identifier", - "category":"Token mapper", - "helpText":"Calculates a pairwise subject identifier using a salted sha-256 hash. 
See OpenID Connect specification for more info about pairwise subject identifiers.", - "priority":0, - "properties":[ - { - "name":"sectorIdentifierUri", - "label":"sectorIdentifierUri.label", - "helpText":"sectorIdentifierUri.tooltip", - "type":"String", - "secret":false - }, - { - "name":"pairwiseSubAlgorithmSalt", - "label":"pairwiseSubAlgorithmSalt.label", - "helpText":"pairwiseSubAlgorithmSalt.tooltip", - "type":"String", - "secret":false - } - ] - }, - { - "id":"oidc-full-name-mapper", - "name":"User's full name", - "category":"Token mapper", - "helpText":"Maps the user's first and last name to the OpenID Connect 'name' claim. Format is + ' ' + ", - "priority":0, - "properties":[ - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-allowed-origins-mapper", - "name":"Allowed Web Origins", - "category":"Token mapper", - "helpText":"Adds all allowed web origins to the 'allowed-origins' claim in the token", - "priority":0, - "properties":[ - - ] - }, - { - "id":"oidc-audience-mapper", - "name":"Audience", - "category":"Token mapper", - "helpText":"Add specified audience to the audience (aud) field of token", - "priority":0, - "properties":[ - { - "name":"included.client.audience", - "label":"included.client.audience.label", - "helpText":"included.client.audience.tooltip", - "type":"ClientList", - "secret":false - }, - { - "name":"included.custom.audience", - "label":"included.custom.audience.label", - "helpText":"included.custom.audience.tooltip", - 
"type":"String", - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-usermodel-attribute-mapper", - "name":"User Attribute", - "category":"Token mapper", - "helpText":"Map a custom user attribute to a token claim.", - "priority":0, - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.attr.label", - "helpText":"usermodel.attr.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"multivalued", - "label":"multivalued.label", - "helpText":"multivalued.tooltip", - "type":"boolean", - "secret":false - }, - { - "name":"aggregate.attrs", - "label":"aggregate.attrs.label", - "helpText":"aggregate.attrs.tooltip", - "type":"boolean", - "secret":false - } - ] - }, - { - "id":"oidc-group-membership-mapper", - "name":"Group 
Membership", - "category":"Token mapper", - "helpText":"Map user group membership", - "priority":0, - "properties":[ - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"full.path", - "label":"Full group path", - "helpText":"Include full path to group i.e. /top/level1/level2, false will just specify the group name", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ] - }, - { - "id":"oidc-audience-resolve-mapper", - "name":"Audience Resolve", - "category":"Token mapper", - "helpText":"Adds all client_ids of \"allowed\" clients to the audience field of the token. 
Allowed client means the client\n for which user has at least one client role", - "priority":30, - "properties":[ - - ] - } - ] - }, - "builtinProtocolMappers":{ - "saml":[ - { - "name":"X500 email", - "protocol":"saml", - "protocolMapper":"saml-user-property-mapper", - "consentRequired":false, - "config":{ - "attribute.nameformat":"urn:oasis:names:tc:SAML:2.0:attrname-format:uri", - "user.attribute":"email", - "friendly.name":"email", - "attribute.name":"urn:oid:1.2.840.113549.1.9.1" - } - }, - { - "name":"role list", - "protocol":"saml", - "protocolMapper":"saml-role-list-mapper", - "consentRequired":false, - "config":{ - "single":"false", - "attribute.nameformat":"Basic", - "attribute.name":"Role" - } - }, - { - "name":"X500 givenName", - "protocol":"saml", - "protocolMapper":"saml-user-property-mapper", - "consentRequired":false, - "config":{ - "attribute.nameformat":"urn:oasis:names:tc:SAML:2.0:attrname-format:uri", - "user.attribute":"firstName", - "friendly.name":"givenName", - "attribute.name":"urn:oid:2.5.4.42" - } - }, - { - "name":"X500 surname", - "protocol":"saml", - "protocolMapper":"saml-user-property-mapper", - "consentRequired":false, - "config":{ - "attribute.nameformat":"urn:oasis:names:tc:SAML:2.0:attrname-format:uri", - "user.attribute":"lastName", - "friendly.name":"surname", - "attribute.name":"urn:oid:2.5.4.4" - } - } - ], - "openid-connect":[ - { - "name":"zoneinfo", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"zoneinfo", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"zoneinfo", - "jsonType.label":"String" - } - }, - { - "name":"birthdate", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"birthdate", - "id.token.claim":"true", - "access.token.claim":"true", 
- "claim.name":"birthdate", - "jsonType.label":"String" - } - }, - { - "name":"family name", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-property-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"lastName", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"family_name", - "jsonType.label":"String" - } - }, - { - "name":"gender", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"gender", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"gender", - "jsonType.label":"String" - } - }, - { - "name":"Impersonator Username", - "protocol":"openid-connect", - "protocolMapper":"oidc-usersessionmodel-note-mapper", - "consentRequired":false, - "config":{ - "user.session.note":"IMPERSONATOR_USERNAME", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"impersonator.username", - "jsonType.label":"String" - } - }, - { - "name":"phone number verified", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"phoneNumberVerified", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"phone_number_verified", - "jsonType.label":"boolean" - } - }, - { - "name":"locale", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"locale", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"locale", - "jsonType.label":"String" - } - }, - { - "name":"gss delegation credential", - "protocol":"openid-connect", - "protocolMapper":"oidc-usersessionmodel-note-mapper", - "consentRequired":false, - "config":{ - 
"user.session.note":"gss_delegation_credential", - "access.token.claim":"true", - "claim.name":"gss_delegation_credential", - "jsonType.label":"String" - } - }, - { - "name":"allowed web origins", - "protocol":"openid-connect", - "protocolMapper":"oidc-allowed-origins-mapper", - "consentRequired":false, - "config":{ - - } - }, - { - "name":"middle name", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"middleName", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"middle_name", - "jsonType.label":"String" - } - }, - { - "name":"nickname", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"nickname", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"nickname", - "jsonType.label":"String" - } - }, - { - "name":"updated at", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"updatedAt", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"updated_at", - "jsonType.label":"String" - } - }, - { - "name":"email verified", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-property-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"emailVerified", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"email_verified", - "jsonType.label":"boolean" - } - }, - { - "name":"email", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-property-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"email", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"email", - 
"jsonType.label":"String" - } - }, - { - "name":"client roles", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-client-role-mapper", - "consentRequired":false, - "config":{ - "multivalued":"true", - "user.attribute":"foo", - "access.token.claim":"true", - "claim.name":"resource_access.${client_id}.roles", - "jsonType.label":"String" - } - }, - { - "name":"Impersonator User ID", - "protocol":"openid-connect", - "protocolMapper":"oidc-usersessionmodel-note-mapper", - "consentRequired":false, - "config":{ - "user.session.note":"IMPERSONATOR_ID", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"impersonator.id", - "jsonType.label":"String" - } - }, - { - "name":"website", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"website", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"website", - "jsonType.label":"String" - } - }, - { - "name":"address", - "protocol":"openid-connect", - "protocolMapper":"oidc-address-mapper", - "consentRequired":false, - "config":{ - "user.attribute.formatted":"formatted", - "user.attribute.country":"country", - "user.attribute.postal_code":"postal_code", - "userinfo.token.claim":"true", - "user.attribute.street":"street", - "id.token.claim":"true", - "user.attribute.region":"region", - "access.token.claim":"true", - "user.attribute.locality":"locality" - } - }, - { - "name":"given name", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-property-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"firstName", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"given_name", - "jsonType.label":"String" - } - }, - { - "name":"profile", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - 
"userinfo.token.claim":"true", - "user.attribute":"profile", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"profile", - "jsonType.label":"String" - } - }, - { - "name":"groups", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-realm-role-mapper", - "consentRequired":false, - "config":{ - "multivalued":"true", - "user.attribute":"foo", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"groups", - "jsonType.label":"String" - } - }, - { - "name":"phone number", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"phoneNumber", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"phone_number", - "jsonType.label":"String" - } - }, - { - "name":"full name", - "protocol":"openid-connect", - "protocolMapper":"oidc-full-name-mapper", - "consentRequired":false, - "config":{ - "id.token.claim":"true", - "access.token.claim":"true", - "userinfo.token.claim":"true" - } - }, - { - "name":"audience resolve", - "protocol":"openid-connect", - "protocolMapper":"oidc-audience-resolve-mapper", - "consentRequired":false, - "config":{ - - } - }, - { - "name":"picture", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-attribute-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"picture", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"picture", - "jsonType.label":"String" - } - }, - { - "name":"upn", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-property-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"username", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"upn", - "jsonType.label":"String" - } - }, - { - "name":"realm roles", - "protocol":"openid-connect", - 
"protocolMapper":"oidc-usermodel-realm-role-mapper", - "consentRequired":false, - "config":{ - "multivalued":"true", - "user.attribute":"foo", - "access.token.claim":"true", - "claim.name":"realm_access.roles", - "jsonType.label":"String" - } - }, - { - "name":"username", - "protocol":"openid-connect", - "protocolMapper":"oidc-usermodel-property-mapper", - "consentRequired":false, - "config":{ - "userinfo.token.claim":"true", - "user.attribute":"username", - "id.token.claim":"true", - "access.token.claim":"true", - "claim.name":"preferred_username", - "jsonType.label":"String" - } - } - ] - }, - "clientInstallations":{ - "docker-v2":[ - { - "id":"docker-v2-variable-override", - "protocol":"docker-v2", - "downloadOnly":false, - "displayType":"Variable Override", - "helpText":"Configures environment variable overrides, typically used with a docker-compose.yaml configuration for a docker registry", - "filename":"docker-env.txt", - "mediaType":"text/plain" - }, - { - "id":"docker-v2-registry-config-file", - "protocol":"docker-v2", - "downloadOnly":false, - "displayType":"Registry Config File", - "helpText":"Provides a registry configuration file snippet for use with this client", - "filename":"config.yml", - "mediaType":"text/plain" - }, - { - "id":"docker-v2-compose-yaml", - "protocol":"docker-v2", - "downloadOnly":true, - "displayType":"Docker Compose YAML", - "helpText":"Produces a zip file that can be used to stand up a development registry on localhost", - "filename":"keycloak-docker-compose-yaml.zip", - "mediaType":"application/zip" - } - ], - "saml":[ - { - "id":"keycloak-saml", - "protocol":"saml", - "downloadOnly":false, - "displayType":"Keycloak SAML Adapter keycloak-saml.xml", - "helpText":"Keycloak SAML adapter configuration file you must edit. 
Put this in WEB-INF directory of your WAR.", - "filename":"keycloak-saml.xml", - "mediaType":"application/xml" - }, - { - "id":"keycloak-saml-subsystem-cli", - "protocol":"saml", - "downloadOnly":false, - "displayType":"Keycloak SAML JBoss Subsystem CLI", - "helpText":"CLI script you must edit and apply to your client app server. This type of configuration is useful when you can't or don't want to crack open your WAR file.", - "filename":"keycloak-saml-subsystem.cli", - "mediaType":"text/plain" - }, - { - "id":"saml-sp-descriptor", - "protocol":"saml", - "downloadOnly":false, - "displayType":"SAML Metadata SPSSODescriptor", - "helpText":"SAML SP Metadata EntityDescriptor or rather SPSSODescriptor. This is an XML file.", - "filename":"saml-sp-metadata.xml", - "mediaType":"application/xml" - }, - { - "id":"keycloak-saml-subsystem", - "protocol":"saml", - "downloadOnly":false, - "displayType":"Keycloak SAML JBoss Subsystem XML", - "helpText":"Keycloak SAML adapter JBoss subsystem xml you must edit. Put this into element of your standalone.xml file.", - "filename":"keycloak-saml-subsystem.xml", - "mediaType":"application/xml" - }, - { - "id":"mod-auth-mellon", - "protocol":"saml", - "downloadOnly":true, - "displayType":"Mod Auth Mellon files", - "helpText":"This is a zip file. It contains a SAML SP descriptor, SAML IDP descriptor, private key pem, and certificate pem that you will use to configure mod_auth_mellon for Apache. You'll use these files when crafting the main Apache configuration file. See mod_auth_mellon website for more details.", - "filename":"keycloak-mod-auth-mellon-sp-config.zip", - "mediaType":"application/zip" - } - ], - "openid-connect":[ - { - "id":"keycloak-oidc-jboss-subsystem-cli", - "protocol":"openid-connect", - "downloadOnly":false, - "displayType":"Keycloak OIDC JBoss Subsystem CLI", - "helpText":"CLI script you must edit and apply to your client app server. 
This type of configuration is useful when you can't or don't want to crack open your WAR file.", - "filename":"keycloak-oidc-subsystem.cli", - "mediaType":"text/plain" - }, - { - "id":"keycloak-oidc-jboss-subsystem", - "protocol":"openid-connect", - "downloadOnly":false, - "displayType":"Keycloak OIDC JBoss Subsystem XML", - "helpText":"XML snippet you must edit and add to the Keycloak OIDC subsystem on your client app server. This type of configuration is useful when you can't or don't want to crack open your WAR file.", - "filename":"keycloak-oidc-subsystem.xml", - "mediaType":"application/xml" - }, - { - "id":"keycloak-oidc-keycloak-json", - "protocol":"openid-connect", - "downloadOnly":false, - "displayType":"Keycloak OIDC JSON", - "helpText":"keycloak.json file used by the Keycloak OIDC client adapter to configure clients. This must be saved to a keycloak.json file and put in your WEB-INF directory of your WAR file. You may also want to tweak this file after you download it.", - "filename":"keycloak.json", - "mediaType":"application/json" - } - ] - }, - "componentTypes":{ - "org.keycloak.authentication.ClientAuthenticator":[ - { - "id":"client-jwt", - "helpText":"Validates client based on signed JWT issued by client and signed with the Client private key", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"client-secret", - "helpText":"Validates client based on 'client_id' and 'client_secret' sent either in request parameters or in 'Authorization: Basic' header", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"client-secret-jwt", - "helpText":"Validates client based on signed JWT issued by client and signed with the Client Secret", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"client-x509", - "helpText":"Validates client based on a X509 Certificate", - "properties":[ - - ], - "metadata":{ - - } - } - ], - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy":[ - { - "id":"allowed-client-templates", 
- "helpText":"When present, it allows to specify whitelist of client scopes, which will be allowed in representation of registered (or updated) client", - "properties":[ - { - "name":"allowed-client-scopes", - "label":"allowed-client-scopes.label", - "helpText":"allowed-client-scopes.tooltip", - "type":"MultivaluedList", - "secret":false - }, - { - "name":"allow-default-scopes", - "label":"allow-default-scopes.label", - "helpText":"allow-default-scopes.tooltip", - "type":"boolean", - "defaultValue":true, - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"allowed-protocol-mappers", - "helpText":"When present, it allows to specify whitelist of protocol mapper types, which will be allowed in representation of registered (or updated) client", - "properties":[ - { - "name":"allowed-protocol-mapper-types", - "label":"allowed-protocol-mappers.label", - "helpText":"allowed-protocol-mappers.tooltip", - "type":"MultivaluedList", - "options":[ - "saml-javascript-mapper", - "oidc-usermodel-realm-role-mapper", - "oidc-usersessionmodel-note-mapper", - "oidc-address-mapper", - "saml-audience-resolve-mapper", - "oidc-role-name-mapper", - "saml-user-session-note-mapper", - "oidc-usermodel-client-role-mapper", - "oidc-usermodel-property-mapper", - "saml-group-membership-mapper", - "saml-audience-mapper", - "docker-v2-allow-all-mapper", - "oidc-hardcoded-role-mapper", - "oidc-hardcoded-claim-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-role-name-mapper", - "saml-role-list-mapper", - "saml-user-property-mapper", - "oidc-full-name-mapper", - "oidc-allowed-origins-mapper", - "oidc-audience-mapper", - "oidc-usermodel-attribute-mapper", - "saml-hardcode-attribute-mapper", - "oidc-group-membership-mapper", - "saml-user-attribute-mapper", - "saml-hardcode-role-mapper", - "oidc-audience-resolve-mapper" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"client-disabled", - "helpText":"When present, then newly registered client will be disabled and admin 
needs to manually enable them", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"consent-required", - "helpText":"When present, then newly registered client will always have 'consentRequired' switch enabled", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"max-clients", - "helpText":"When present, then it won't be allowed to register new client if count of existing clients in realm is same or bigger than configured limit", - "properties":[ - { - "name":"max-clients", - "label":"max-clients.label", - "helpText":"max-clients.tooltip", - "type":"String", - "defaultValue":"200", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"scope", - "helpText":"When present, then newly registered client won't have full scope allowed", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"trusted-hosts", - "helpText":"Allows to specify from which hosts is user able to register and which redirect URIs can client use in it's configuration", - "properties":[ - { - "name":"trusted-hosts", - "label":"trusted-hosts.label", - "helpText":"trusted-hosts.tooltip", - "type":"MultivaluedString", - "secret":false - }, - { - "name":"host-sending-registration-request-must-match", - "label":"host-sending-registration-request-must-match.label", - "helpText":"host-sending-registration-request-must-match.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"client-uris-must-match", - "label":"client-uris-must-match.label", - "helpText":"client-uris-must-match.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - } - ], - "org.keycloak.authentication.FormAction":[ - { - "id":"registration-password-action", - "helpText":"Validates that password matches password confirmation field. 
It also will store password in user's credential store.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"registration-profile-action", - "helpText":"Validates email, first name, and last name attributes and stores them in user data.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"registration-recaptcha-action", - "helpText":"Adds Google Recaptcha button. Recaptchas verify that the entity that is registering is a human. This can only be used on the internet and must be configured after you add it.", - "properties":[ - { - "name":"site.key", - "label":"Recaptcha Site Key", - "helpText":"Google Recaptcha Site Key", - "type":"String", - "secret":false - }, - { - "name":"secret", - "label":"Recaptcha Secret", - "helpText":"Google Recaptcha Secret", - "type":"String", - "secret":false - }, - { - "name":"useRecaptchaNet", - "label":"use recaptcha.net", - "helpText":"Use recaptcha.net? (or else google.com)", - "type":"boolean", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"registration-user-creation", - "helpText":"This action must always be first! Validates the username of the user in validation phase. In success phase, this will create the user in the database.", - "properties":[ - - ], - "metadata":{ - - } - } - ], - "org.keycloak.authentication.Authenticator":[ - { - "id":"auth-conditional-otp-form", - "helpText":"Validates a OTP on a separate OTP form. Only shown if required based on the configured conditions.", - "properties":[ - { - "name":"otpControlAttribute", - "label":"OTP control User Attribute", - "helpText":"The name of the user attribute to explicitly control OTP auth. If attribute value is 'force' then OTP is always required. If value is 'skip' the OTP auth is skipped. 
Otherwise this check is ignored.", - "type":"String", - "secret":false - }, - { - "name":"skipOtpRole", - "label":"Skip OTP for Role", - "helpText":"OTP is always skipped if user has the given Role.", - "type":"Role", - "secret":false - }, - { - "name":"forceOtpRole", - "label":"Force OTP for Role", - "helpText":"OTP is always required if user has the given Role.", - "type":"Role", - "secret":false - }, - { - "name":"noOtpRequiredForHeaderPattern", - "label":"Skip OTP for Header", - "helpText":"OTP is skipped if a HTTP request header does matches the given pattern.Can be used to specify trusted networks via: X-Forwarded-Host: (1.2.3.4|1.2.3.5).In this case requests from 1.2.3.4 and 1.2.3.5 come from a trusted source.", - "type":"String", - "defaultValue":"", - "secret":false - }, - { - "name":"forceOtpForHeaderPattern", - "label":"Force OTP for Header", - "helpText":"OTP required if a HTTP request header matches the given pattern.", - "type":"String", - "defaultValue":"", - "secret":false - }, - { - "name":"defaultOtpOutcome", - "label":"Fallback OTP handling", - "helpText":"What to do in case of every check abstains. Defaults to force OTP authentication.", - "type":"List", - "options":[ - "skip", - "force" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"auth-cookie", - "helpText":"Validates the SSO cookie set by the auth server.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"auth-otp-form", - "helpText":"Validates a OTP on a separate OTP form.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"auth-password-form", - "helpText":"Validates a password from login form.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"auth-spnego", - "helpText":"Initiates the SPNEGO protocol. 
Most often used with Kerberos.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"auth-username-form", - "helpText":"Selects a user from his username.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"auth-username-password-form", - "helpText":"Validates a username and password from login form.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"auth-x509-client-username-form", - "helpText":"Validates username and password from X509 client certificate received as a part of mutual SSL handshake.", - "properties":[ - { - "name":"x509-cert-auth.mapping-source-selection", - "label":"User Identity Source", - "helpText":"Choose how to extract user identity from X509 certificate or the certificate fields. For example, SubjectDN will match the custom regular expression specified below to the value of certificate's SubjectDN field.", - "type":"List", - "defaultValue":"Match SubjectDN using regular expression", - "options":[ - "Match SubjectDN using regular expression", - "Subject's e-mail", - "Subject's Alternative Name E-mail", - "Subject's Alternative Name otherName (UPN)", - "Subject's Common Name", - "Match IssuerDN using regular expression", - "Certificate Serial Number", - "Certificate Serial Number and IssuerDN", - "SHA-256 Thumbprint", - "Full Certificate in PEM format" - ], - "secret":false - }, - { - "name":"x509-cert-auth.canonical-dn-enabled", - "label":"Canonical DN representation enabled", - "helpText":"Use the canonical format to determine the distinguished name. This option is relevant for authenticators using a distinguished name.", - "type":"boolean", - "defaultValue":false, - "secret":false - }, - { - "name":"x509-cert-auth.serialnumber-hex-enabled", - "label":"Enable Serial Number hexadecimal representation", - "helpText":"Use the hex representation of the serial number. 
This option is relevant for authenticators using serial number.", - "type":"boolean", - "defaultValue":false, - "secret":false - }, - { - "name":"x509-cert-auth.regular-expression", - "label":"A regular expression to extract user identity", - "helpText":"The regular expression to extract a user identity. The expression must contain a single group. For example, 'uniqueId=(.*?)(?:,|$)' will match 'uniqueId=somebody@company.org, CN=somebody' and give somebody@company.org", - "type":"String", - "defaultValue":"(.*?)(?:$)", - "secret":false - }, - { - "name":"x509-cert-auth.mapper-selection", - "label":"User mapping method", - "helpText":"Choose how to map extracted user identities to users", - "type":"List", - "defaultValue":"Custom Attribute Mapper", - "options":[ - "Custom Attribute Mapper", - "Username or Email" - ], - "secret":false - }, - { - "name":"x509-cert-auth.mapper-selection.user-attribute-name", - "label":"A name of user attribute", - "helpText":"A name of user attribute to map the extracted user identity to existing user. The name must be a valid, existing user attribute if User Mapping Method is set to Custom Attribute Mapper. Multiple values are relevant when attribute mapping is related to multiple values, e.g. 
'Certificate Serial Number and IssuerDN'", - "type":"MultivaluedString", - "defaultValue":"usercertificate", - "secret":false - }, - { - "name":"x509-cert-auth.timestamp-validation-enabled", - "label":"Check certificate validity", - "helpText":"Will verify that the certificate has not expired yet and is already valid by checking the attributes 'notBefore' and 'notAfter'.", - "type":"boolean", - "defaultValue":true, - "secret":false - }, - { - "name":"x509-cert-auth.crl-checking-enabled", - "label":"CRL Checking Enabled", - "helpText":"Enable Certificate Revocation Checking using CRL", - "type":"boolean", - "secret":false - }, - { - "name":"x509-cert-auth.crldp-checking-enabled", - "label":"Enable CRL Distribution Point to check certificate revocation status", - "helpText":"CRL Distribution Point is a starting point for CRL. If this is ON, then CRL checking will be done based on the CRL distribution points included in the checked certificates. CDP is optional, but most PKI authorities include CDP in their certificates.", - "type":"boolean", - "defaultValue":false, - "secret":false - }, - { - "name":"x509-cert-auth.crl-relative-path", - "label":"CRL Path", - "helpText":"Applied just if CRL checking is ON and CRL Distribution point is OFF. It contains the URL (typically 'http' or 'ldap') where the CRL is available. Alternatively it can contain the path to a CRL file that contains a list of revoked certificates. Paths are assumed to be relative to $jboss.server.config.dir. 
Multiple CRLs can be included, however it can affect performance as the certificate will be checked against all listed CRLs.", - "type":"MultivaluedString", - "defaultValue":"crl.pem", - "secret":false - }, - { - "name":"x509-cert-auth.ocsp-checking-enabled", - "label":"OCSP Checking Enabled", - "helpText":"Enable Certificate Revocation Checking using OCSP", - "type":"boolean", - "secret":false - }, - { - "name":"x509-cert-auth.ocsp-responder-uri", - "label":"OCSP Responder Uri", - "helpText":"Clients use OCSP Responder Uri to check certificate revocation status.", - "type":"String", - "secret":false - }, - { - "name":"x509-cert-auth.ocsp-responder-certificate", - "label":"OCSP Responder Certificate", - "helpText":"Optional certificate used by the responder to sign the responses. The certificate should be in PEM format without BEGIN and END tags. It is only used if the OCSP Responder URI is set. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated or one with the OCSPSigning extension and also issued by the same CA. This option identifies the certificate of the OCSP responder when the defaults do not apply.", - "type":"Text", - "secret":false - }, - { - "name":"x509-cert-auth.keyusage", - "label":"Validate Key Usage", - "helpText":"Validates that the purpose of the key contained in the certificate (encipherment, signature, etc.) matches its intended purpose. Leaving the field blank will disable Key Usage validation. For example, 'digitalSignature, keyEncipherment' will check if the digitalSignature and keyEncipherment bits (bit 0 and bit 2 respectively) are set in certificate's X509 Key Usage extension. 
See RFC 5280 for a detailed definition of X509 Key Usage extension.", - "type":"String", - "secret":false - }, - { - "name":"x509-cert-auth.extendedkeyusage", - "label":"Validate Extended Key Usage", - "helpText":"Validates the extended purposes of the certificate's key using certificate's Extended Key Usage extension. Leaving the field blank will disable Extended Key Usage validation. See RFC 5280 for a detailed definition of X509 Extended Key Usage extension.", - "type":"String", - "secret":false - }, - { - "name":"x509-cert-auth.confirmation-page-disallowed", - "label":"Bypass identity confirmation", - "helpText":"By default, the users are prompted to confirm their identity extracted from X509 client certificate. The identity confirmation prompt is skipped if the option is switched on.", - "type":"boolean", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"basic-auth", - "helpText":"Challenge-response authentication using HTTP BASIC scheme.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"basic-auth-otp", - "helpText":"Challenge-response authentication using HTTP BASIC scheme. Password param should contain a combination of password + otp. Realm's OTP policy is used to determine how to parse this. This SHOULD NOT BE USED in conjection with regular basic auth provider.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"conditional-user-configured", - "helpText":"Executes the current flow only if authenticators are configured", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"conditional-user-role", - "helpText":"Flow is executed only if user has the given role.", - "properties":[ - { - "name":"condUserRole", - "label":"User role", - "helpText":"Role the user should have to execute this flow. Click 'Select Role' button to browse roles, or just type it in the textbox. To specify an application role the syntax is appname.approle, i.e. 
myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"console-username-password", - "helpText":"Proprietary challenge protocol for CLI clients that queries for username password", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"direct-grant-auth-x509-username", - "helpText":"Validates username and password from X509 client certificate received as a part of mutual SSL handshake.", - "properties":[ - { - "name":"x509-cert-auth.mapping-source-selection", - "label":"User Identity Source", - "helpText":"Choose how to extract user identity from X509 certificate or the certificate fields. For example, SubjectDN will match the custom regular expression specified below to the value of certificate's SubjectDN field.", - "type":"List", - "defaultValue":"Match SubjectDN using regular expression", - "options":[ - "Match SubjectDN using regular expression", - "Subject's e-mail", - "Subject's Alternative Name E-mail", - "Subject's Alternative Name otherName (UPN)", - "Subject's Common Name", - "Match IssuerDN using regular expression", - "Certificate Serial Number", - "Certificate Serial Number and IssuerDN", - "SHA-256 Thumbprint", - "Full Certificate in PEM format" - ], - "secret":false - }, - { - "name":"x509-cert-auth.canonical-dn-enabled", - "label":"Canonical DN representation enabled", - "helpText":"Use the canonical format to determine the distinguished name. This option is relevant for authenticators using a distinguished name.", - "type":"boolean", - "defaultValue":false, - "secret":false - }, - { - "name":"x509-cert-auth.serialnumber-hex-enabled", - "label":"Enable Serial Number hexadecimal representation", - "helpText":"Use the hex representation of the serial number. 
This option is relevant for authenticators using serial number.", - "type":"boolean", - "defaultValue":false, - "secret":false - }, - { - "name":"x509-cert-auth.regular-expression", - "label":"A regular expression to extract user identity", - "helpText":"The regular expression to extract a user identity. The expression must contain a single group. For example, 'uniqueId=(.*?)(?:,|$)' will match 'uniqueId=somebody@company.org, CN=somebody' and give somebody@company.org", - "type":"String", - "defaultValue":"(.*?)(?:$)", - "secret":false - }, - { - "name":"x509-cert-auth.mapper-selection", - "label":"User mapping method", - "helpText":"Choose how to map extracted user identities to users", - "type":"List", - "defaultValue":"Custom Attribute Mapper", - "options":[ - "Custom Attribute Mapper", - "Username or Email" - ], - "secret":false - }, - { - "name":"x509-cert-auth.mapper-selection.user-attribute-name", - "label":"A name of user attribute", - "helpText":"A name of user attribute to map the extracted user identity to existing user. The name must be a valid, existing user attribute if User Mapping Method is set to Custom Attribute Mapper. Multiple values are relevant when attribute mapping is related to multiple values, e.g. 
'Certificate Serial Number and IssuerDN'", - "type":"MultivaluedString", - "defaultValue":"usercertificate", - "secret":false - }, - { - "name":"x509-cert-auth.timestamp-validation-enabled", - "label":"Check certificate validity", - "helpText":"Will verify that the certificate has not expired yet and is already valid by checking the attributes 'notBefore' and 'notAfter'.", - "type":"boolean", - "defaultValue":true, - "secret":false - }, - { - "name":"x509-cert-auth.crl-checking-enabled", - "label":"CRL Checking Enabled", - "helpText":"Enable Certificate Revocation Checking using CRL", - "type":"boolean", - "secret":false - }, - { - "name":"x509-cert-auth.crldp-checking-enabled", - "label":"Enable CRL Distribution Point to check certificate revocation status", - "helpText":"CRL Distribution Point is a starting point for CRL. If this is ON, then CRL checking will be done based on the CRL distribution points included in the checked certificates. CDP is optional, but most PKI authorities include CDP in their certificates.", - "type":"boolean", - "defaultValue":false, - "secret":false - }, - { - "name":"x509-cert-auth.crl-relative-path", - "label":"CRL Path", - "helpText":"Applied just if CRL checking is ON and CRL Distribution point is OFF. It contains the URL (typically 'http' or 'ldap') where the CRL is available. Alternatively it can contain the path to a CRL file that contains a list of revoked certificates. Paths are assumed to be relative to $jboss.server.config.dir. 
Multiple CRLs can be included, however it can affect performance as the certificate will be checked against all listed CRLs.", - "type":"MultivaluedString", - "defaultValue":"crl.pem", - "secret":false - }, - { - "name":"x509-cert-auth.ocsp-checking-enabled", - "label":"OCSP Checking Enabled", - "helpText":"Enable Certificate Revocation Checking using OCSP", - "type":"boolean", - "secret":false - }, - { - "name":"x509-cert-auth.ocsp-responder-uri", - "label":"OCSP Responder Uri", - "helpText":"Clients use OCSP Responder Uri to check certificate revocation status.", - "type":"String", - "secret":false - }, - { - "name":"x509-cert-auth.ocsp-responder-certificate", - "label":"OCSP Responder Certificate", - "helpText":"Optional certificate used by the responder to sign the responses. The certificate should be in PEM format without BEGIN and END tags. It is only used if the OCSP Responder URI is set. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated or one with the OCSPSigning extension and also issued by the same CA. This option identifies the certificate of the OCSP responder when the defaults do not apply.", - "type":"Text", - "secret":false - }, - { - "name":"x509-cert-auth.keyusage", - "label":"Validate Key Usage", - "helpText":"Validates that the purpose of the key contained in the certificate (encipherment, signature, etc.) matches its intended purpose. Leaving the field blank will disable Key Usage validation. For example, 'digitalSignature, keyEncipherment' will check if the digitalSignature and keyEncipherment bits (bit 0 and bit 2 respectively) are set in certificate's X509 Key Usage extension. 
See RFC 5280 for a detailed definition of X509 Key Usage extension.", - "type":"String", - "secret":false - }, - { - "name":"x509-cert-auth.extendedkeyusage", - "label":"Validate Extended Key Usage", - "helpText":"Validates the extended purposes of the certificate's key using certificate's Extended Key Usage extension. Leaving the field blank will disable Extended Key Usage validation. See RFC 5280 for a detailed definition of X509 Extended Key Usage extension.", - "type":"String", - "secret":false - }, - { - "name":"x509-cert-auth.confirmation-page-disallowed", - "label":"Bypass identity confirmation", - "helpText":"By default, the users are prompted to confirm their identity extracted from X509 client certificate. The identity confirmation prompt is skipped if the option is switched on.", - "type":"boolean", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"direct-grant-validate-otp", - "helpText":"Validates the one time password supplied as a 'totp' form parameter in direct grant request", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"direct-grant-validate-password", - "helpText":"Validates the password supplied as a 'password' form parameter in direct grant request", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"direct-grant-validate-username", - "helpText":"Validates the username supplied as a 'username' form parameter in direct grant request", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"docker-http-basic-authenticator", - "helpText":"Uses HTTP Basic authentication to validate docker users, returning a docker error token on auth failure", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"http-basic-authenticator", - "helpText":"Validates username and password from Authorization HTTP header", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"identity-provider-redirector", - "helpText":"Redirects to default Identity Provider or Identity Provider specified with kc_idp_hint 
query parameter", - "properties":[ - { - "name":"defaultProvider", - "label":"Default Identity Provider", - "helpText":"To automatically redirect to an identity provider set to the alias of the identity provider", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"idp-auto-link", - "helpText":"Automatically set existing user to authentication context without any verification", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"idp-confirm-link", - "helpText":"Show the form where user confirms if he wants to link identity provider with existing account or rather edit user profile data retrieved from identity provider to avoid conflict", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"idp-create-user-if-unique", - "helpText":"Detect if there is existing Keycloak account with same email like identity provider. If no, create new user", - "properties":[ - { - "name":"require.password.update.after.registration", - "label":"Require Password Update After Registration", - "helpText":"If this option is true and new user is successfully imported from Identity Provider to Keycloak (there is no duplicated email or username detected in Keycloak DB), then this user is required to update his password", - "type":"boolean", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"idp-email-verification", - "helpText":"Email verification of existing Keycloak user, that wants to link his user account with identity provider", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"idp-review-profile", - "helpText":"User reviews and updates profile data retrieved from Identity Provider in the displayed form", - "properties":[ - { - "name":"update.profile.on.first.login", - "label":"{{:: 'update-profile-on-first-login' | translate}}", - "helpText":"Define conditions under which a user has to review and update his profile after first-time login. 
Value 'On' means that page for reviewing profile will be displayed and user can review and update his profile. Value 'off' means that page won't be displayed. Value 'missing' means that page is displayed just when some required attribute is missing (wasn't downloaded from identity provider). Value 'missing' is the default one. WARN: In case that user clicks 'Review profile info' on link duplications page, the update page will be always displayed. You would need to disable this authenticator to never display the page.", - "type":"List", - "defaultValue":"missing", - "options":[ - "on", - "missing", - "off" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"idp-username-password-form", - "helpText":"Validates a password from login form. Username may be already known from identity provider authentication", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"no-cookie-redirect", - "helpText":"Perform a 302 redirect to get user agent's current URI on authenticate path with an auth_session_id query parameter. This is for client's that do not support cookies.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"reset-credential-email", - "helpText":"Send email to user and wait for response.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"reset-credentials-choose-user", - "helpText":"Choose a user to reset credentials for", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"reset-otp", - "helpText":"Sets the Configure OTP required action.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"reset-password", - "helpText":"Sets the Update Password required action if execution is REQUIRED. Will also set it if execution is OPTIONAL and the password is currently configured for it.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"webauthn-authenticator", - "helpText":"Authenticator for WebAuthn. 
Usually used for WebAuthn two-factor authentication", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"webauthn-authenticator-passwordless", - "helpText":"Authenticator for Passwordless WebAuthn authentication", - "properties":[ - - ], - "metadata":{ - - } - } - ], - "org.keycloak.storage.UserStorageProvider":[ - { - "id":"kerberos", - "helpText":"", - "properties":[ - { - "name":"kerberosRealm", - "label":"kerberos-realm", - "helpText":"kerberos-realm.tooltip", - "type":"String", - "secret":false - }, - { - "name":"serverPrincipal", - "label":"server-principal", - "helpText":"server-principal.tooltip", - "type":"String", - "secret":false - }, - { - "name":"keyTab", - "label":"keytab", - "helpText":"keytab.tooltip", - "type":"String", - "secret":false - }, - { - "name":"debug", - "label":"debug", - "helpText":"debug.tooltip", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"allowPasswordAuthentication", - "label":"allow-password-authentication", - "helpText":"allow-password-authentication.tooltip", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"editMode", - "label":"edit-mode", - "helpText":"edit-mode.tooltip", - "type":"List", - "options":[ - "READ_ONLY", - "UNSYNCED" - ], - "secret":false - }, - { - "name":"updateProfileFirstLogin", - "label":"update-profile-first-login", - "helpText":"update-profile-first-login.tooltip", - "type":"boolean", - "defaultValue":"false", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"ldap", - "helpText":"", - "properties":[ - { - "name":"editMode", - "type":"String", - "secret":false - }, - { - "name":"importEnabled", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"syncRegistrations", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"vendor", - "type":"String", - "secret":false - }, - { - "name":"usePasswordModifyExtendedOp", - "type":"boolean", - "secret":false - }, - { - 
"name":"usernameLDAPAttribute", - "type":"String", - "secret":false - }, - { - "name":"rdnLDAPAttribute", - "type":"String", - "secret":false - }, - { - "name":"uuidLDAPAttribute", - "type":"String", - "secret":false - }, - { - "name":"userObjectClasses", - "type":"String", - "secret":false - }, - { - "name":"connectionUrl", - "type":"String", - "secret":false - }, - { - "name":"usersDn", - "type":"String", - "secret":false - }, - { - "name":"authType", - "type":"String", - "defaultValue":"simple", - "secret":false - }, - { - "name":"startTls", - "type":"boolean", - "secret":false - }, - { - "name":"bindDn", - "type":"String", - "secret":false - }, - { - "name":"bindCredential", - "type":"Password", - "secret":true - }, - { - "name":"customUserSearchFilter", - "type":"String", - "secret":false - }, - { - "name":"searchScope", - "type":"String", - "defaultValue":"1", - "secret":false - }, - { - "name":"validatePasswordPolicy", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"trustEmail", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"useTruststoreSpi", - "type":"String", - "defaultValue":"ldapsOnly", - "secret":false - }, - { - "name":"connectionPooling", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"connectionPoolingAuthentication", - "type":"String", - "secret":false - }, - { - "name":"connectionPoolingDebug", - "type":"String", - "secret":false - }, - { - "name":"connectionPoolingInitSize", - "type":"String", - "secret":false - }, - { - "name":"connectionPoolingMaxSize", - "type":"String", - "secret":false - }, - { - "name":"connectionPoolingPrefSize", - "type":"String", - "secret":false - }, - { - "name":"connectionPoolingProtocol", - "type":"String", - "secret":false - }, - { - "name":"connectionPoolingTimeout", - "type":"String", - "secret":false - }, - { - "name":"connectionTimeout", - "type":"String", - "secret":false - }, - { - "name":"readTimeout", - 
"type":"String", - "secret":false - }, - { - "name":"pagination", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"allowKerberosAuthentication", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"serverPrincipal", - "type":"String", - "secret":false - }, - { - "name":"keyTab", - "type":"String", - "secret":false - }, - { - "name":"kerberosRealm", - "type":"String", - "secret":false - }, - { - "name":"debug", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"useKerberosForPasswordAuthentication", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"serverPrincipal", - "type":"String", - "secret":false - } - ], - "metadata":{ - "synchronizable":true - } - } - ], - "org.keycloak.keys.KeyProvider":[ - { - "id":"aes-generated", - "helpText":"Generates AES secret key", - "properties":[ - { - "name":"priority", - "label":"Priority", - "helpText":"Priority for the provider", - "type":"String", - "defaultValue":"0", - "secret":false - }, - { - "name":"enabled", - "label":"Enabled", - "helpText":"Set if the keys are enabled", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"active", - "label":"Active", - "helpText":"Set if the keys can be used for signing", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"secretSize", - "label":"AES Key size", - "helpText":"Size in bytes for the generated AES Key. Size 16 is for AES-128, Size 24 for AES-192 and Size 32 for AES-256. 
WARN: Bigger keys then 128 bits are not allowed on some JDK implementations", - "type":"List", - "defaultValue":"16", - "options":[ - "16", - "24", - "32" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"ecdsa-generated", - "helpText":"Generates ECDSA keys", - "properties":[ - { - "name":"priority", - "label":"Priority", - "helpText":"Priority for the provider", - "type":"String", - "defaultValue":"0", - "secret":false - }, - { - "name":"enabled", - "label":"Enabled", - "helpText":"Set if the keys are enabled", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"active", - "label":"Active", - "helpText":"Set if the keys can be used for signing", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"ecdsaEllipticCurveKey", - "label":"Elliptic Curve", - "helpText":"Elliptic Curve used in ECDSA", - "type":"List", - "defaultValue":"P-256", - "options":[ - "P-256", - "P-384", - "P-521" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"hmac-generated", - "helpText":"Generates HMAC secret key", - "properties":[ - { - "name":"priority", - "label":"Priority", - "helpText":"Priority for the provider", - "type":"String", - "defaultValue":"0", - "secret":false - }, - { - "name":"enabled", - "label":"Enabled", - "helpText":"Set if the keys are enabled", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"active", - "label":"Active", - "helpText":"Set if the keys can be used for signing", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"secretSize", - "label":"Secret size", - "helpText":"Size in bytes for the generated secret", - "type":"List", - "defaultValue":"64", - "options":[ - "16", - "24", - "32", - "64", - "128", - "256", - "512" - ], - "secret":false - }, - { - "name":"algorithm", - "label":"Algorithm", - "helpText":"Intended algorithm for the key", - "type":"List", - "defaultValue":"HS256", - "options":[ - "HS256", 
- "HS384", - "HS512" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"java-keystore", - "helpText":"Loads keys from a Java keys file", - "properties":[ - { - "name":"priority", - "label":"Priority", - "helpText":"Priority for the provider", - "type":"String", - "defaultValue":"0", - "secret":false - }, - { - "name":"enabled", - "label":"Enabled", - "helpText":"Set if the keys are enabled", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"active", - "label":"Active", - "helpText":"Set if the keys can be used for signing", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"algorithm", - "label":"Algorithm", - "helpText":"Intended algorithm for the key", - "type":"List", - "defaultValue":"RS256", - "options":[ - "RS256", - "RS384", - "RS512", - "PS256", - "PS384", - "PS512" - ], - "secret":false - }, - { - "name":"keystore", - "label":"Keystore", - "helpText":"Path to keys file", - "type":"String", - "secret":false - }, - { - "name":"keystorePassword", - "label":"Keystore Password", - "helpText":"Password for the keys", - "type":"String", - "secret":true - }, - { - "name":"keyAlias", - "label":"Key Alias", - "helpText":"Alias for the private key", - "type":"String", - "secret":false - }, - { - "name":"keyPassword", - "label":"Key Password", - "helpText":"Password for the private key", - "type":"String", - "secret":true - } - ], - "metadata":{ - - } - }, - { - "id":"rsa", - "helpText":"RSA key provider that can optionally generated a self-signed certificate", - "properties":[ - { - "name":"priority", - "label":"Priority", - "helpText":"Priority for the provider", - "type":"String", - "defaultValue":"0", - "secret":false - }, - { - "name":"enabled", - "label":"Enabled", - "helpText":"Set if the keys are enabled", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"active", - "label":"Active", - "helpText":"Set if the keys can be used for signing", - 
"type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"algorithm", - "label":"Algorithm", - "helpText":"Intended algorithm for the key", - "type":"List", - "defaultValue":"RS256", - "options":[ - "RS256", - "RS384", - "RS512", - "PS256", - "PS384", - "PS512" - ], - "secret":false - }, - { - "name":"privateKey", - "label":"Private RSA Key", - "helpText":"Private RSA Key encoded in PEM format", - "type":"File", - "secret":true - }, - { - "name":"certificate", - "label":"X509 Certificate", - "helpText":"X509 Certificate encoded in PEM format", - "type":"File", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"rsa-generated", - "helpText":"Generates RSA keys and creates a self-signed certificate", - "properties":[ - { - "name":"priority", - "label":"Priority", - "helpText":"Priority for the provider", - "type":"String", - "defaultValue":"0", - "secret":false - }, - { - "name":"enabled", - "label":"Enabled", - "helpText":"Set if the keys are enabled", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"active", - "label":"Active", - "helpText":"Set if the keys can be used for signing", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"algorithm", - "label":"Algorithm", - "helpText":"Intended algorithm for the key", - "type":"List", - "defaultValue":"RS256", - "options":[ - "RS256", - "RS384", - "RS512", - "PS256", - "PS384", - "PS512" - ], - "secret":false - }, - { - "name":"keySize", - "label":"Key size", - "helpText":"Size for the generated keys", - "type":"List", - "defaultValue":"2048", - "options":[ - "1024", - "2048", - "4096" - ], - "secret":false - } - ], - "metadata":{ - - } - } - ], - "org.keycloak.storage.ldap.mappers.LDAPStorageMapper":[ - { - "id":"certificate-ldap-mapper", - "helpText":"Used to map single attribute which contains a certificate from LDAP user to attribute of UserModel in Keycloak DB", - "properties":[ - { - "name":"user.model.attribute", - 
"label":"User Model Attribute", - "helpText":"Name of the UserModel property or attribute you want to map the LDAP attribute into. For example 'firstName', 'lastName, 'email', 'street' etc.", - "type":"String", - "secret":false - }, - { - "name":"ldap.attribute", - "label":"LDAP Attribute", - "helpText":"Name of mapped attribute on LDAP object. For example 'cn', 'sn, 'mail', 'street' etc.", - "type":"String", - "secret":false - }, - { - "name":"read.only", - "label":"Read Only", - "helpText":"Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when user is updated in Keycloak.", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"always.read.value.from.ldap", - "label":"Always Read Value From LDAP", - "helpText":"If on, then during reading of the LDAP attribute value will always used instead of the value from Keycloak DB", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"is.mandatory.in.ldap", - "label":"Is Mandatory In LDAP", - "helpText":"If true, attribute is mandatory in LDAP. 
Hence if there is no value in Keycloak DB, the empty value will be set to be propagated to LDAP", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"is.binary.attribute", - "label":"Is Binary Attribute", - "helpText":"Should be true for binary LDAP attributes", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"is.der.formatted", - "label":"DER Formatted", - "helpText":"Activate this if the certificate is DER formatted in LDAP and not PEM formatted.", - "type":"boolean", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"full-name-ldap-mapper", - "helpText":"Used to map full-name of user from single attribute in LDAP (usually 'cn' attribute) to firstName and lastName attributes of UserModel in Keycloak DB", - "properties":[ - { - "name":"ldap.full.name.attribute", - "label":"LDAP Full Name Attribute", - "helpText":"Name of LDAP attribute, which contains fullName of user. Usually it will be 'cn' ", - "type":"String", - "defaultValue":"cn", - "secret":false - }, - { - "name":"read.only", - "label":"Read Only", - "helpText":"For Read-only is data imported from LDAP to Keycloak DB, but it's not saved back to LDAP when user is updated in Keycloak.", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"write.only", - "label":"Write Only", - "helpText":"For Write-only is data propagated to LDAP when user is created or updated in Keycloak. But this mapper is not used to propagate data from LDAP back into Keycloak. 
This setting is useful if you configured separate firstName and lastName attribute mappers and you want to use those to read attribute from LDAP into Keycloak", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"group-ldap-mapper", - "helpText":"Used to map group mappings of groups from some LDAP DN to Keycloak group mappings", - "properties":[ - { - "name":"groups.dn", - "label":"LDAP Groups DN", - "helpText":"LDAP DN where are groups of this tree saved. For example 'ou=groups,dc=example,dc=org' ", - "type":"String", - "secret":false - }, - { - "name":"group.name.ldap.attribute", - "label":"Group Name LDAP Attribute", - "helpText":"Name of LDAP attribute, which is used in group objects for name and RDN of group. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=Group1,ou=groups,dc=example,dc=org' ", - "type":"String", - "defaultValue":"cn", - "secret":false - }, - { - "name":"group.object.classes", - "label":"Group Object Classes", - "helpText":"Object class (or classes) of the group object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ", - "type":"String", - "defaultValue":"groupOfNames", - "secret":false - }, - { - "name":"preserve.group.inheritance", - "label":"Preserve Group Inheritance", - "helpText":"Flag whether group inheritance from LDAP should be propagated to Keycloak. If false, then all LDAP groups will be mapped as flat top-level groups in Keycloak. 
Otherwise group inheritance is preserved into Keycloak, but the group sync might fail if LDAP structure contains recursions or multiple parent groups per child groups", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"ignore.missing.groups", - "label":"Ignore Missing Groups", - "helpText":"Ignore missing groups in the group hierarchy", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"membership.ldap.attribute", - "label":"Membership LDAP Attribute", - "helpText":"Name of LDAP attribute on group, which is used for membership mappings. Usually it will be 'member' .However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .", - "type":"String", - "defaultValue":"member", - "secret":false - }, - { - "name":"membership.attribute.type", - "label":"Membership Attribute Type", - "helpText":"DN means that LDAP group has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . UID means that LDAP group has it's members declared in form of pure user uids. For example 'memberUid: john' .", - "type":"List", - "defaultValue":"DN", - "options":[ - "DN", - "UID" - ], - "secret":false - }, - { - "name":"membership.user.ldap.attribute", - "label":"Membership User LDAP Attribute", - "helpText":"Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . For example if value of 'Membership User LDAP Attribute' is 'uid' and LDAP group has 'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .", - "type":"String", - "defaultValue":"uid", - "secret":false - }, - { - "name":"groups.ldap.filter", - "label":"LDAP Filter", - "helpText":"LDAP Filter adds additional custom filter to the whole query for retrieve LDAP groups. 
Leave this empty if no additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'", - "type":"String", - "secret":false - }, - { - "name":"mode", - "label":"Mode", - "helpText":"LDAP_ONLY means that all group mappings of users are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where group mappings are retrieved from both LDAP and DB and merged together. New group joins are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where group mappings are retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB.", - "type":"List", - "defaultValue":"LDAP_ONLY", - "options":[ - "LDAP_ONLY", - "IMPORT", - "READ_ONLY" - ], - "secret":false - }, - { - "name":"user.roles.retrieve.strategy", - "label":"User Groups Retrieve Strategy", - "helpText":"Specify how to retrieve groups of user. LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all groups where 'member' is our user. GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . ", - "type":"List", - "defaultValue":"LOAD_GROUPS_BY_MEMBER_ATTRIBUTE", - "options":[ - "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE", - "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE" - ], - "secret":false - }, - { - "name":"memberof.ldap.attribute", - "label":"Member-Of LDAP Attribute", - "helpText":"Used just when 'User Roles Retrieve Strategy' is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE . It specifies the name of the LDAP attribute on the LDAP user, which contains the groups, which the user is member of. 
Usually it will be 'memberOf' and that's also the default value.", - "type":"String", - "defaultValue":"memberOf", - "secret":false - }, - { - "name":"mapped.group.attributes", - "label":"Mapped Group Attributes", - "helpText":"List of names of attributes divided by comma. This points to the list of attributes on LDAP group, which will be mapped as attributes of Group in Keycloak. Leave this empty if no additional group attributes are required to be mapped in Keycloak. ", - "type":"String", - "secret":false - }, - { - "name":"drop.non.existing.groups.during.sync", - "label":"Drop non-existing groups during sync", - "helpText":"If this flag is true, then during sync of groups from LDAP to Keycloak, we will keep just those Keycloak groups, which still exists in LDAP. Rest will be deleted", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"groups.path", - "label":"Groups Path", - "helpText":"Keycloak group path the LDAP groups are added to. For example if value '/Applications/App1' is used, then LDAP groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'. The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level. 
The configured group path must already exists in the Keycloak when creating this mapper.", - "type":"String", - "defaultValue":"/", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":true, - "keycloakToFedSyncSupported":true, - "fedToKeycloakSyncMessage":"sync-ldap-groups-to-keycloak", - "keycloakToFedSyncMessage":"sync-keycloak-groups-to-ldap" - } - }, - { - "id":"hardcoded-attribute-mapper", - "helpText":"This mapper will hardcode any model user attribute and some property (like emailVerified or enabled) when importing user from ldap.", - "properties":[ - { - "name":"user.model.attribute", - "label":"User Model Attribute Name", - "helpText":"Name of the model attribute, which will be added when importing user from ldap", - "type":"String", - "secret":false - }, - { - "name":"attribute.value", - "label":"Attribute Value", - "helpText":"Value of the model attribute, which will be added when importing user from ldap.", - "type":"String", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"hardcoded-ldap-attribute-mapper", - "helpText":"This mapper is supported just if syncRegistrations is enabled. When new user is registered in Keycloak, he will be written to the LDAP with the hardcoded value of some specified attribute.", - "properties":[ - { - "name":"ldap.attribute.name", - "label":"LDAP Attribute Name", - "helpText":"Name of the LDAP attribute, which will be added to the new user during registration", - "type":"String", - "secret":false - }, - { - "name":"ldap.attribute.value", - "label":"LDAP Attribute Value", - "helpText":"Value of the LDAP attribute, which will be added to the new user during registration. You can either hardcode any value like 'foo' but you can also use some special tokens. 
Only supported token right now is '${RANDOM}' , which will be replaced with some randomly generated String.", - "type":"String", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"hardcoded-ldap-group-mapper", - "helpText":"When user is imported from LDAP, he will be automatically added into this configured group.", - "properties":[ - { - "name":"group", - "label":"Group", - "helpText":"Group to add the user in. Fill the full path of the group including path. For example '/root-group/child-group'", - "type":"String", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"hardcoded-ldap-role-mapper", - "helpText":"When user is imported from LDAP, he will be automatically added into this configured role.", - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"msad-lds-user-account-control-mapper", - "helpText":"Mapper specific to MSAD LDS. It's able to integrate the MSAD LDS user account state into Keycloak account state (account enabled, password is expired etc). It's using msDS-UserAccountDisabled and pwdLastSet MSAD attributes for that. For example if pwdLastSet is 0, the Keycloak user is required to update password, if msDS-UserAccountDisabled is 'TRUE' the Keycloak user is disabled as well etc. 
Mapper is also able to handle exception code from LDAP user authentication.", - "properties":[ - - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"msad-user-account-control-mapper", - "helpText":"Mapper specific to MSAD. It's able to integrate the MSAD user account state into Keycloak account state (account enabled, password is expired etc). It's using userAccountControl and pwdLastSet MSAD attributes for that. For example if pwdLastSet is 0, the Keycloak user is required to update password, if userAccountControl is 514 (disabled account) the Keycloak user is disabled as well etc. Mapper is also able to handle exception code from LDAP user authentication.", - "properties":[ - { - "name":"ldap.password.policy.hints.enabled", - "label":"Password Policy Hints Enabled", - "helpText":"Applicable just for writable MSAD. If on, then updating password of MSAD user will use LDAP_SERVER_POLICY_HINTS_OID extension, which means that advanced MSAD password policies like 'password history' or 'minimal password age' will be applied. This extension works just for MSAD 2008 R2 or newer.", - "type":"boolean", - "defaultValue":"false", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - }, - { - "id":"role-ldap-mapper", - "helpText":"Used to map role mappings of roles from some LDAP DN to Keycloak role mappings of either realm roles or client roles of particular client", - "properties":[ - { - "name":"roles.dn", - "label":"LDAP Roles DN", - "helpText":"LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org' ", - "type":"String", - "secret":false - }, - { - "name":"role.name.ldap.attribute", - "label":"Role Name LDAP Attribute", - "helpText":"Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn' . 
In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org' ", - "type":"String", - "defaultValue":"cn", - "secret":false - }, - { - "name":"role.object.classes", - "label":"Role Object Classes", - "helpText":"Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ", - "type":"String", - "defaultValue":"groupOfNames", - "secret":false - }, - { - "name":"membership.ldap.attribute", - "label":"Membership LDAP Attribute", - "helpText":"Name of LDAP attribute on role, which is used for membership mappings. Usually it will be 'member' .However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .", - "type":"String", - "defaultValue":"member", - "secret":false - }, - { - "name":"membership.attribute.type", - "label":"Membership Attribute Type", - "helpText":"DN means that LDAP role has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . UID means that LDAP role has it's members declared in form of pure user uids. For example 'memberUid: john' .", - "type":"List", - "defaultValue":"DN", - "options":[ - "DN", - "UID" - ], - "secret":false - }, - { - "name":"membership.user.ldap.attribute", - "label":"Membership User LDAP Attribute", - "helpText":"Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . For example if value of 'Membership User LDAP Attribute' is 'uid' and LDAP group has 'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .", - "type":"String", - "defaultValue":"uid", - "secret":false - }, - { - "name":"roles.ldap.filter", - "label":"LDAP Filter", - "helpText":"LDAP Filter adds additional custom filter to the whole query for retrieve LDAP roles. 
Leave this empty if no additional filtering is needed and you want to retrieve all roles from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'", - "type":"String", - "secret":false - }, - { - "name":"mode", - "label":"Mode", - "helpText":"LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where role mappings are retrieved from both LDAP and DB and merged together. New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB.", - "type":"List", - "defaultValue":"LDAP_ONLY", - "options":[ - "LDAP_ONLY", - "IMPORT", - "READ_ONLY" - ], - "secret":false - }, - { - "name":"user.roles.retrieve.strategy", - "label":"User Roles Retrieve Strategy", - "helpText":"Specify how to retrieve roles of user. LOAD_ROLES_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all roles where 'member' is our user. GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE means that roles of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . ", - "type":"List", - "defaultValue":"LOAD_ROLES_BY_MEMBER_ATTRIBUTE", - "options":[ - "LOAD_ROLES_BY_MEMBER_ATTRIBUTE", - "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE" - ], - "secret":false - }, - { - "name":"memberof.ldap.attribute", - "label":"Member-Of LDAP Attribute", - "helpText":"Used just when 'User Roles Retrieve Strategy' is GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE . It specifies the name of the LDAP attribute on the LDAP user, which contains the roles (LDAP Groups), which the user is member of. 
Usually it will be 'memberOf' and that's also the default value.", - "type":"String", - "defaultValue":"memberOf", - "secret":false - }, - { - "name":"use.realm.roles.mapping", - "label":"Use Realm Roles Mapping", - "helpText":"If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"client.id", - "label":"Client ID", - "helpText":"Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false", - "type":"ClientList", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":true, - "keycloakToFedSyncSupported":true, - "fedToKeycloakSyncMessage":"sync-ldap-roles-to-keycloak", - "keycloakToFedSyncMessage":"sync-keycloak-roles-to-ldap" - } - }, - { - "id":"user-attribute-ldap-mapper", - "helpText":"Used to map single attribute from LDAP user to attribute of UserModel in Keycloak DB", - "properties":[ - { - "name":"user.model.attribute", - "label":"User Model Attribute", - "helpText":"Name of the UserModel property or attribute you want to map the LDAP attribute into. For example 'firstName', 'lastName, 'email', 'street' etc.", - "type":"String", - "secret":false - }, - { - "name":"ldap.attribute", - "label":"LDAP Attribute", - "helpText":"Name of mapped attribute on LDAP object. 
For example 'cn', 'sn, 'mail', 'street' etc.", - "type":"String", - "secret":false - }, - { - "name":"read.only", - "label":"Read Only", - "helpText":"Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when user is updated in Keycloak.", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"always.read.value.from.ldap", - "label":"Always Read Value From LDAP", - "helpText":"If on, then during reading of the LDAP attribute value will always used instead of the value from Keycloak DB", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"is.mandatory.in.ldap", - "label":"Is Mandatory In LDAP", - "helpText":"If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB, the empty value will be set to be propagated to LDAP", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"is.binary.attribute", - "label":"Is Binary Attribute", - "helpText":"Should be true for binary LDAP attributes", - "type":"boolean", - "defaultValue":"false", - "secret":false - } - ], - "metadata":{ - "fedToKeycloakSyncSupported":false, - "keycloakToFedSyncSupported":false - } - } - ], - "org.keycloak.authentication.FormAuthenticator":[ - { - "id":"registration-page-form", - "helpText":"This is the controller for the registration page", - "properties":[ - - ], - "metadata":{ - - } - } - ], - "org.keycloak.services.clientpolicy.ClientPolicyProvider":[ - { - "id":"client-policy-provider", - "properties":[ - { - "name":"client-policy-condition-ids", - "type":"List", - "secret":false - }, - { - "name":"client-policy-executor-ids", - "type":"List", - "secret":false - } - ], - "metadata":{ - - } - } - ], - "org.keycloak.protocol.ProtocolMapper":[ - { - "id":"docker-v2-allow-all-mapper", - "helpText":"Allows all grants, returning the full set of requested access attributes as permitted attributes.", - "properties":[ - - ], - "metadata":{ - - } - }, - { - 
"id":"oidc-address-mapper", - "helpText":"Maps user address attributes (street, locality, region, postal_code, and country) to the OpenID Connect 'address' claim.", - "properties":[ - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"user.attribute.street", - "label":"addressClaim.street.label", - "helpText":"addressClaim.street.tooltip", - "type":"String", - "defaultValue":"street", - "secret":false - }, - { - "name":"user.attribute.locality", - "label":"addressClaim.locality.label", - "helpText":"addressClaim.locality.tooltip", - "type":"String", - "defaultValue":"locality", - "secret":false - }, - { - "name":"user.attribute.region", - "label":"addressClaim.region.label", - "helpText":"addressClaim.region.tooltip", - "type":"String", - "defaultValue":"region", - "secret":false - }, - { - "name":"user.attribute.postal_code", - "label":"addressClaim.postal_code.label", - "helpText":"addressClaim.postal_code.tooltip", - "type":"String", - "defaultValue":"postal_code", - "secret":false - }, - { - "name":"user.attribute.country", - "label":"addressClaim.country.label", - "helpText":"addressClaim.country.tooltip", - "type":"String", - "defaultValue":"country", - "secret":false - }, - { - "name":"user.attribute.formatted", - "label":"addressClaim.formatted.label", - "helpText":"addressClaim.formatted.tooltip", - "type":"String", - "defaultValue":"formatted", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-allowed-origins-mapper", - "helpText":"Adds all 
allowed web origins to the 'allowed-origins' claim in the token", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"oidc-audience-mapper", - "helpText":"Add specified audience to the audience (aud) field of token", - "properties":[ - { - "name":"included.client.audience", - "label":"included.client.audience.label", - "helpText":"included.client.audience.tooltip", - "type":"ClientList", - "secret":false - }, - { - "name":"included.custom.audience", - "label":"included.custom.audience.label", - "helpText":"included.custom.audience.tooltip", - "type":"String", - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"false", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-audience-resolve-mapper", - "helpText":"Adds all client_ids of \"allowed\" clients to the audience field of the token. Allowed client means the client\n for which user has at least one client role", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"oidc-full-name-mapper", - "helpText":"Maps the user's first and last name to the OpenID Connect 'name' claim. 
Format is + ' ' + ", - "properties":[ - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-group-membership-mapper", - "helpText":"Map user group membership", - "properties":[ - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"full.path", - "label":"Full group path", - "helpText":"Include full path to group i.e. /top/level1/level2, false will just specify the group name", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-hardcoded-claim-mapper", - "helpText":"Hardcode a claim into the token.", - "properties":[ - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.value", - "label":"Claim value", - "helpText":"Value of the claim you 
want to hard code. 'true' and 'false can be used for boolean values.", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-hardcoded-role-mapper", - "helpText":"Hardcode a role into the access token.", - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role you want added to the token. Click 'Select Role' button to browse roles, or just type it in the textbox. To specify an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-role-name-mapper", - "helpText":"Map an assigned role to a new name or position in the token.", - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - }, - { - "name":"new.role.name", - "label":"New Role Name", - "helpText":"The new role name. The new name format corresponds to where in the access token the role will be mapped to. So, a new name of 'myapp.newname' will map the role to that position in the access token. 
A new name of 'newname' will map the role to the realm roles in the token.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-sha256-pairwise-sub-mapper", - "helpText":"Calculates a pairwise subject identifier using a salted sha-256 hash. See OpenID Connect specification for more info about pairwise subject identifiers.", - "properties":[ - { - "name":"sectorIdentifierUri", - "label":"sectorIdentifierUri.label", - "helpText":"sectorIdentifierUri.tooltip", - "type":"String", - "secret":false - }, - { - "name":"pairwiseSubAlgorithmSalt", - "label":"pairwiseSubAlgorithmSalt.label", - "helpText":"pairwiseSubAlgorithmSalt.tooltip", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-usermodel-attribute-mapper", - "helpText":"Map a custom user attribute to a token claim.", - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.attr.label", - "helpText":"usermodel.attr.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"multivalued", - "label":"multivalued.label", - "helpText":"multivalued.tooltip", 
- "type":"boolean", - "secret":false - }, - { - "name":"aggregate.attrs", - "label":"aggregate.attrs.label", - "helpText":"aggregate.attrs.tooltip", - "type":"boolean", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-usermodel-client-role-mapper", - "helpText":"Map a user client role to a token claim.", - "properties":[ - { - "name":"usermodel.clientRoleMapping.clientId", - "label":"usermodel.clientRoleMapping.clientId.label", - "helpText":"usermodel.clientRoleMapping.clientId.tooltip", - "type":"ClientList", - "secret":false - }, - { - "name":"usermodel.clientRoleMapping.rolePrefix", - "label":"usermodel.clientRoleMapping.rolePrefix.label", - "helpText":"usermodel.clientRoleMapping.rolePrefix.tooltip", - "type":"String", - "secret":false - }, - { - "name":"multivalued", - "label":"multivalued.label", - "helpText":"multivalued.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"usermodel.clientRoleMapping.tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-usermodel-property-mapper", - "helpText":"Map a built in user property (email, firstName, 
lastName) to a token claim.", - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.prop.label", - "helpText":"usermodel.prop.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-usermodel-realm-role-mapper", - "helpText":"Map a user realm role to a token claim.", - "properties":[ - { - "name":"usermodel.realmRoleMapping.rolePrefix", - "label":"usermodel.realmRoleMapping.rolePrefix.label", - "helpText":"usermodel.realmRoleMapping.rolePrefix.tooltip", - "type":"String", - "secret":false - }, - { - "name":"multivalued", - "label":"multivalued.label", - "helpText":"multivalued.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - 
"label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"userinfo.token.claim", - "label":"includeInUserInfo.label", - "helpText":"includeInUserInfo.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-usersessionmodel-note-mapper", - "helpText":"Map a custom user session note to a token claim.", - "properties":[ - { - "name":"user.session.note", - "label":"userSession.modelNote.label", - "helpText":"userSession.modelNote.tooltip", - "type":"String", - "secret":false - }, - { - "name":"claim.name", - "label":"tokenClaimName.label", - "helpText":"tokenClaimName.tooltip", - "type":"String", - "secret":false - }, - { - "name":"jsonType.label", - "label":"jsonType.label", - "helpText":"jsonType.tooltip", - "type":"List", - "options":[ - "String", - "long", - "int", - "boolean", - "JSON" - ], - "secret":false - }, - { - "name":"id.token.claim", - "label":"includeInIdToken.label", - "helpText":"includeInIdToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"access.token.claim", - "label":"includeInAccessToken.label", - "helpText":"includeInAccessToken.tooltip", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-audience-mapper", - "helpText":"Add specified audience to the audience conditions in the assertion.", - "properties":[ - { - "name":"included.client.audience", - "label":"included.client.audience.label", - "helpText":"included.client.audience.tooltip", - "type":"ClientList", - "secret":false - }, - { - "name":"included.custom.audience", - "label":"included.custom.audience.label", - 
"helpText":"included.custom.audience.tooltip", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-audience-resolve-mapper", - "helpText":"Adds all client_ids of \"allowed\" clients to the audience conditions in the assertion. Allowed client means any SAML client for which user has at least one client role", - "properties":[ - - ], - "metadata":{ - - } - }, - { - "id":"saml-group-membership-mapper", - "helpText":"Group names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per group name depending on how you configure it. You can also specify the attribute name i.e. 'member' or 'memberOf' being examples.", - "properties":[ - { - "name":"attribute.name", - "label":"Group attribute name", - "helpText":"Name of the SAML attribute you want to put your groups into. i.e. 'member', 'memberOf'.", - "type":"String", - "defaultValue":"member", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"single", - "label":"Single Group Attribute", - "helpText":"If true, all groups will be stored under one attribute with multiple attribute values.", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"full.path", - "label":"Full group path", - "helpText":"Include full path to group i.e. 
/top/level1/level2, false will just specify the group name", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-hardcode-attribute-mapper", - "helpText":"Hardcode an attribute into the SAML Assertion.", - "properties":[ - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"attribute.value", - "label":"Attribute value", - "helpText":"Value of the attribute you want to hard code.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-hardcode-role-mapper", - "helpText":"Hardcode role into SAML Assertion.", - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Arbitrary role name you want to hardcode. This role does not have to exist in current realm and can be just any string you need", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-javascript-mapper", - "helpText":"Evaluates a JavaScript function to produce an attribute value based on context information.", - "properties":[ - { - "name":"Script", - "label":"Script", - "helpText":"Script to compute the attribute value. 
\n Available variables: \n 'user' - the current user.\n 'realm' - the current realm.\n 'clientSession' - the current clientSession.\n 'userSession' - the current userSession.\n 'keycloakSession' - the current keycloakSession.\n\nTo use: the last statement is the value returned to Java.\nThe result will be tested if it can be iterated upon (e.g. an array or a collection).\n - If it is not, toString() will be called on the object to get the value of the attribute\n - If it is, toString() will be called on all elements to return multiple attribute values.\n", - "type":"Script", - "defaultValue":"/**\n * Available variables: \n * user - the current user\n * realm - the current realm\n * clientSession - the current clientSession\n * userSession - the current userSession\n * keycloakSession - the current keycloakSession\n */\n\n\n//insert your code here...", - "secret":false - }, - { - "name":"single", - "label":"Single Value Attribute", - "helpText":"If true, all values will be stored under one attribute with multiple attribute values.", - "type":"boolean", - "defaultValue":"true", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-role-list-mapper", - "helpText":"Role names are stored in an attribute value. 
There is either one attribute with multiple attribute values, or an attribute per role name depending on how you configure it. You can also specify the attribute name i.e. 'Role' or 'memberOf' being examples.", - "properties":[ - { - "name":"attribute.name", - "label":"Role attribute name", - "helpText":"Name of the SAML attribute you want to put your roles into. i.e. 'Role', 'memberOf'.", - "type":"String", - "defaultValue":"Role", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"single", - "label":"Single Role Attribute", - "helpText":"If true, all roles will be stored under one attribute with multiple attribute values.", - "type":"boolean", - "defaultValue":"true", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-role-name-mapper", - "helpText":"Map an assigned role to a new name", - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. 
myapp.myrole", - "type":"Role", - "secret":false - }, - { - "name":"new.role.name", - "label":"New Role Name", - "helpText":"The new role name.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-user-attribute-mapper", - "helpText":"Map a custom user attribute to a to a SAML attribute.", - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.attr.label", - "helpText":"usermodel.attr.tooltip", - "type":"String", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - }, - { - "name":"aggregate.attrs", - "label":"aggregate.attrs.label", - "helpText":"aggregate.attrs.tooltip", - "type":"boolean", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-user-property-mapper", - "helpText":"Map a built in user property (email, firstName, lastName) to a SAML attribute type.", - "properties":[ - { - "name":"user.attribute", - "label":"usermodel.prop.label", - "helpText":"usermodel.prop.tooltip", - "type":"String", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. 
An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-user-session-note-mapper", - "helpText":"Map a user session note to a SAML attribute.", - "properties":[ - { - "name":"note", - "label":"User Session Note Attribute", - "helpText":"The user session note you want to grab the value from.", - "type":"String", - "secret":false - }, - { - "name":"friendly.name", - "label":"Friendly Name", - "helpText":"Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", - "type":"String", - "secret":false - }, - { - "name":"attribute.name", - "label":"SAML Attribute Name", - "helpText":"SAML Attribute Name", - "type":"String", - "secret":false - }, - { - "name":"attribute.nameformat", - "label":"SAML Attribute NameFormat", - "helpText":"SAML Attribute NameFormat. 
Can be basic, URI reference, or unspecified.", - "type":"List", - "options":[ - "Basic", - "URI Reference", - "Unspecified" - ], - "secret":false - } - ], - "metadata":{ - - } - } - ], - "org.keycloak.broker.provider.IdentityProviderMapper":[ - { - "id":"facebook-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"github-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"google-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. 
You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"hardcoded-attribute-idp-mapper", - "helpText":"When user is imported from provider, hardcode a value to a specific user attribute.", - "properties":[ - { - "name":"attribute", - "label":"User Attribute", - "helpText":"Name of user attribute you want to hardcode", - "type":"String", - "secret":false - }, - { - "name":"attribute.value", - "label":"User Attribute Value", - "helpText":"Value you want to hardcode", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"hardcoded-user-session-attribute-idp-mapper", - "helpText":"When user is imported from provider, hardcode a value to a specific user session attribute.", - "properties":[ - { - "name":"attribute", - "label":"User Session Attribute", - "helpText":"Name of user session attribute you want to hardcode", - "type":"String", - "secret":false - }, - { - "name":"attribute.value", - "label":"User Session Attribute Value", - "helpText":"Value you want to hardcode", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"instagram-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"keycloak-oidc-role-to-role-idp-mapper", - "helpText":"Looks for an external role in a keycloak access token. If external role exists, grant the user the specified realm or application role.", - "properties":[ - { - "name":"external.role", - "label":"External role", - "helpText":"External role to check for. To reference an application role the syntax is appname.approle, i.e. myapp.myrole.", - "type":"String", - "secret":false - }, - { - "name":"role", - "label":"Role", - "helpText":"Role to grant to user if external role is present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"linkedin-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"microsoft-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-advanced-role-idp-mapper", - "helpText":"If all claims exists, grant the user the specified realm or application role.", - "properties":[ - { - "name":"claims", - "label":"Claims", - "helpText":"Name and value of the claims to search for in token. You can reference nested claims using a '.', i.e. 'address.locality'. To use dot (.) literally, escape it with backslash (\\.)", - "type":"Map", - "secret":false - }, - { - "name":"are.claim.values.regex", - "label":"Regex Claim Values", - "helpText":"If enabled claim values are interpreted as regular expressions.", - "type":"boolean", - "secret":false - }, - { - "name":"role", - "label":"Role", - "helpText":"Role to grant to user if claim is present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. 
myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-hardcoded-role-idp-mapper", - "helpText":"When user is imported from provider, hardcode a role mapping for it.", - "properties":[ - { - "name":"role", - "label":"Role", - "helpText":"Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-role-idp-mapper", - "helpText":"If a claim exists, grant the user the specified realm or application role.", - "properties":[ - { - "name":"claim", - "label":"Claim", - "helpText":"Name of claim to search for in token. You can reference nested claims using a '.', i.e. 'address.locality'. To use dot (.) literally, escape it with backslash (\\.)", - "type":"String", - "secret":false - }, - { - "name":"claim.value", - "label":"Claim Value", - "helpText":"Value the claim must have. If the claim is an array, then the value must be contained in the array.", - "type":"String", - "secret":false - }, - { - "name":"role", - "label":"Role", - "helpText":"Role to grant to user if claim is present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-user-attribute-idp-mapper", - "helpText":"Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute.", - "properties":[ - { - "name":"claim", - "label":"Claim", - "helpText":"Name of claim to search for in token. You can reference nested claims using a '.', i.e. 'address.locality'. To use dot (.) 
literally, escape it with backslash (\\.)", - "type":"String", - "secret":false - }, - { - "name":"user.attribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store claim. Use email, lastName, and firstName to map to those predefined user properties.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"oidc-username-idp-mapper", - "helpText":"Format the username to import.", - "properties":[ - { - "name":"template", - "label":"Template", - "helpText":"Template to use to format the username to import. Substitutions are enclosed in ${}. For example: '${ALIAS}.${CLAIM.sub}'. ALIAS is the provider alias. CLAIM. references an ID or Access token claim.", - "type":"String", - "defaultValue":"${ALIAS}.${CLAIM.preferred_username}", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"paypal-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-advanced-role-idp-mapper", - "helpText":"If the set of attributes exists and can be matched, grant the user the specified realm or application role.", - "properties":[ - { - "name":"attributes", - "label":"Attributes", - "helpText":"Name and (regex) value of the attributes to search for in token. The configured name of an attribute is searched in SAML attribute name and attribute friendly name fields. 
Every given attribute description must be met to set the role. If the attribute is an array, then the value must be contained in the array. If an attribute can be found several times, then one match is sufficient.", - "type":"Map", - "secret":false - }, - { - "name":"are.attribute.values.regex", - "label":"Regex Attribute Values", - "helpText":"If enabled attribute values are interpreted as regular expressions.", - "type":"boolean", - "secret":false - }, - { - "name":"role", - "label":"Role", - "helpText":"Role to grant to user if all attributes are present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-role-idp-mapper", - "helpText":"If an attribute exists, grant the user the specified realm or application role.", - "properties":[ - { - "name":"attribute.name", - "label":"Attribute Name", - "helpText":"Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead.", - "type":"String", - "secret":false - }, - { - "name":"attribute.friendly.name", - "label":"Friendly Name", - "helpText":"Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.", - "type":"String", - "secret":false - }, - { - "name":"attribute.value", - "label":"Attribute Value", - "helpText":"Value the attribute must have. If the attribute is a list, then the value must be contained in the list.", - "type":"String", - "secret":false - }, - { - "name":"role", - "label":"Role", - "helpText":"Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. 
myapp.myrole", - "type":"Role", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-user-attribute-idp-mapper", - "helpText":"Import declared saml attribute if it exists in assertion into the specified user property or attribute.", - "properties":[ - { - "name":"attribute.name", - "label":"Attribute Name", - "helpText":"Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead.", - "type":"String", - "secret":false - }, - { - "name":"attribute.friendly.name", - "label":"Friendly Name", - "helpText":"Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.", - "type":"String", - "secret":false - }, - { - "name":"user.attribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store saml attribute. Use email, lastName, and firstName to map to those predefined user properties.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"saml-username-idp-mapper", - "helpText":"Format the username to import.", - "properties":[ - { - "name":"template", - "label":"Template", - "helpText":"Template to use to format the username to import. Substitutions are enclosed in ${}. For example: '${ALIAS}.${NAMEID}'. ALIAS is the provider alias. NAMEID is that SAML name id assertion. ATTRIBUTE. references a SAML attribute where name is the attribute name or friendly name.", - "type":"String", - "defaultValue":"${ALIAS}.${NAMEID}", - "secret":false - } - ], - "metadata":{ - - } - }, - { - "id":"stackoverflow-user-attribute-mapper", - "helpText":"Import user profile information if it exists in Social provider JSON data into the specified user attribute.", - "properties":[ - { - "name":"jsonField", - "label":"Social Profile JSON Field Path", - "helpText":"Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", - "type":"String", - "secret":false - }, - { - "name":"userAttribute", - "label":"User Attribute Name", - "helpText":"User attribute name to store information into.", - "type":"String", - "secret":false - } - ], - "metadata":{ - - } - } - ] - }, - "passwordPolicies":[ - { - "id":"forceExpiredPasswordChange", - "displayName":"Expire Password", - "configType":"String", - "defaultValue":"365", - "multipleSupported":false - }, - { - "id":"hashIterations", - "displayName":"Hashing Iterations", - "configType":"int", - "defaultValue":"27500", - "multipleSupported":false - }, - { - "id":"specialChars", - "displayName":"Special Characters", - "configType":"int", - "defaultValue":"1", - "multipleSupported":false - }, - { - "id":"passwordHistory", - "displayName":"Not Recently Used", - "configType":"int", - "defaultValue":"3", - "multipleSupported":false - }, - { - "id":"upperCase", - "displayName":"Uppercase Characters", - "configType":"int", - "defaultValue":"1", - "multipleSupported":false - }, - { - "id":"lowerCase", - "displayName":"Lowercase Characters", - "configType":"int", - "defaultValue":"1", - "multipleSupported":false - }, - { - "id":"passwordBlacklist", - "displayName":"Password Blacklist", - "configType":"String", - "defaultValue":"", - "multipleSupported":false - }, - { - "id":"length", - "displayName":"Minimum Length", - "configType":"int", - "defaultValue":"8", - "multipleSupported":false - }, - { - "id":"regexPattern", - "displayName":"Regular Expression", - "configType":"String", - "defaultValue":"", - "multipleSupported":true - }, - { - "id":"digits", - "displayName":"Digits", - "configType":"int", - "defaultValue":"1", - "multipleSupported":false - }, - { - "id":"notUsername", - "displayName":"Not Username", - "multipleSupported":false - }, - { - "id":"hashAlgorithm", - "displayName":"Hashing Algorithm", - "configType":"String", - "defaultValue":"pbkdf2-sha256", - "multipleSupported":false + ] + }, + "socialProviders": [ + 
{ "groupName": "Social", "name": "GitHub", "id": "github" }, + { "groupName": "Social", "name": "Facebook", "id": "facebook" }, + { "groupName": "Social", "name": "Google", "id": "google" }, + { "groupName": "Social", "name": "LinkedIn", "id": "linkedin" }, + { "groupName": "Social", "name": "Instagram", "id": "instagram" }, + { "groupName": "Social", "name": "Microsoft", "id": "microsoft" }, + { "groupName": "Social", "name": "BitBucket", "id": "bitbucket" }, + { "groupName": "Social", "name": "Twitter", "id": "twitter" }, + { "groupName": "Social", "name": "Openshift v4", "id": "openshift-v4" }, + { "groupName": "Social", "name": "Openshift v3", "id": "openshift-v3" }, + { "groupName": "Social", "name": "GitLab", "id": "gitlab" }, + { "groupName": "Social", "name": "PayPal", "id": "paypal" }, + { "groupName": "Social", "name": "StackOverflow", "id": "stackoverflow" } + ], + "identityProviders": [ + { "groupName": "User-defined", "name": "SAML v2.0", "id": "saml" }, + { + "groupName": "User-defined", + "name": "OpenID Connect v1.0", + "id": "oidc" + }, + { + "groupName": "User-defined", + "name": "Keycloak OpenID Connect", + "id": "keycloak-oidc" + }, + { "groupName": "Social", "name": "GitHub", "id": "github" }, + { "groupName": "Social", "name": "Facebook", "id": "facebook" }, + { "groupName": "Social", "name": "Google", "id": "google" }, + { "groupName": "Social", "name": "LinkedIn", "id": "linkedin" }, + { "groupName": "Social", "name": "Instagram", "id": "instagram" }, + { "groupName": "Social", "name": "Microsoft", "id": "microsoft" }, + { "groupName": "Social", "name": "BitBucket", "id": "bitbucket" }, + { "groupName": "Social", "name": "Twitter", "id": "twitter" }, + { "groupName": "Social", "name": "Openshift v4", "id": "openshift-v4" }, + { "groupName": "Social", "name": "Openshift v3", "id": "openshift-v3" }, + { "groupName": "Social", "name": "GitLab", "id": "gitlab" }, + { "groupName": "Social", "name": "PayPal", "id": "paypal" }, + { "groupName": 
"Social", "name": "StackOverflow", "id": "stackoverflow" } + ], + "providers": { + "account": { + "internal": true, + "providers": { "freemarker": { "order": 0 } } + }, + "actionToken": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "actionTokenHandler": { + "internal": true, + "providers": { + "verify-email": { "order": 0 }, + "execute-actions": { "order": 0 }, + "reset-credentials": { "order": 0 }, + "idp-verify-account-via-email": { "order": 0 } } - ], - "enums":{ - "operationType":[ - "ACTION", - "CREATE", - "DELETE", - "UPDATE" - ], - "eventType":[ - "CLIENT_DELETE", - "CLIENT_DELETE_ERROR", - "CLIENT_INFO", - "CLIENT_INFO_ERROR", - "CLIENT_INITIATED_ACCOUNT_LINKING", - "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", - "CLIENT_LOGIN", - "CLIENT_LOGIN_ERROR", - "CLIENT_REGISTER", - "CLIENT_REGISTER_ERROR", - "CLIENT_UPDATE", - "CLIENT_UPDATE_ERROR", - "CODE_TO_TOKEN", - "CODE_TO_TOKEN_ERROR", - "CUSTOM_REQUIRED_ACTION", - "CUSTOM_REQUIRED_ACTION_ERROR", - "EXECUTE_ACTIONS", - "EXECUTE_ACTIONS_ERROR", - "EXECUTE_ACTION_TOKEN", - "EXECUTE_ACTION_TOKEN_ERROR", - "FEDERATED_IDENTITY_LINK", - "FEDERATED_IDENTITY_LINK_ERROR", - "GRANT_CONSENT", - "GRANT_CONSENT_ERROR", - "IDENTITY_PROVIDER_FIRST_LOGIN", - "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR", - "IDENTITY_PROVIDER_LINK_ACCOUNT", - "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", - "IDENTITY_PROVIDER_LOGIN", - "IDENTITY_PROVIDER_LOGIN_ERROR", - "IDENTITY_PROVIDER_POST_LOGIN", - "IDENTITY_PROVIDER_POST_LOGIN_ERROR", - "IDENTITY_PROVIDER_RESPONSE", - "IDENTITY_PROVIDER_RESPONSE_ERROR", - "IDENTITY_PROVIDER_RETRIEVE_TOKEN", - "IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR", - "IMPERSONATE", - "IMPERSONATE_ERROR", - "INTROSPECT_TOKEN", - "INTROSPECT_TOKEN_ERROR", - "INVALID_SIGNATURE", - "INVALID_SIGNATURE_ERROR", - "LOGIN", - "LOGIN_ERROR", - "LOGOUT", - "LOGOUT_ERROR", - "PERMISSION_TOKEN", - "PERMISSION_TOKEN_ERROR", - "REFRESH_TOKEN", - "REFRESH_TOKEN_ERROR", - "REGISTER", - "REGISTER_ERROR", - 
"REGISTER_NODE", - "REGISTER_NODE_ERROR", - "REMOVE_FEDERATED_IDENTITY", - "REMOVE_FEDERATED_IDENTITY_ERROR", - "REMOVE_TOTP", - "REMOVE_TOTP_ERROR", - "RESET_PASSWORD", - "RESET_PASSWORD_ERROR", - "RESTART_AUTHENTICATION", - "RESTART_AUTHENTICATION_ERROR", - "REVOKE_GRANT", - "REVOKE_GRANT_ERROR", - "SEND_IDENTITY_PROVIDER_LINK", - "SEND_IDENTITY_PROVIDER_LINK_ERROR", - "SEND_RESET_PASSWORD", - "SEND_RESET_PASSWORD_ERROR", - "SEND_VERIFY_EMAIL", - "SEND_VERIFY_EMAIL_ERROR", - "TOKEN_EXCHANGE", - "TOKEN_EXCHANGE_ERROR", - "UNREGISTER_NODE", - "UNREGISTER_NODE_ERROR", - "UPDATE_CONSENT", - "UPDATE_CONSENT_ERROR", - "UPDATE_EMAIL", - "UPDATE_EMAIL_ERROR", - "UPDATE_PASSWORD", - "UPDATE_PASSWORD_ERROR", - "UPDATE_PROFILE", - "UPDATE_PROFILE_ERROR", - "UPDATE_TOTP", - "UPDATE_TOTP_ERROR", - "USER_INFO_REQUEST", - "USER_INFO_REQUEST_ERROR", - "VALIDATE_ACCESS_TOKEN", - "VALIDATE_ACCESS_TOKEN_ERROR", - "VERIFY_EMAIL", - "VERIFY_EMAIL_ERROR" - ], - "resourceType":[ - "AUTHENTICATOR_CONFIG", - "AUTHORIZATION_POLICY", - "AUTHORIZATION_RESOURCE", - "AUTHORIZATION_RESOURCE_SERVER", - "AUTHORIZATION_SCOPE", - "AUTH_EXECUTION", - "AUTH_EXECUTION_FLOW", - "AUTH_FLOW", - "CLIENT", - "CLIENT_INITIAL_ACCESS_MODEL", - "CLIENT_ROLE", - "CLIENT_ROLE_MAPPING", - "CLIENT_SCOPE", - "CLIENT_SCOPE_MAPPING", - "CLUSTER_NODE", - "COMPONENT", - "CUSTOM", - "GROUP", - "GROUP_MEMBERSHIP", - "IDENTITY_PROVIDER", - "IDENTITY_PROVIDER_MAPPER", - "PROTOCOL_MAPPER", - "REALM", - "REALM_ROLE", - "REALM_ROLE_MAPPING", - "REALM_SCOPE_MAPPING", - "REQUIRED_ACTION", - "USER", - "USER_FEDERATION_MAPPER", - "USER_FEDERATION_PROVIDER", - "USER_LOGIN_FAILURE", - "USER_SESSION" - ] - } -} \ No newline at end of file + }, + "authenticationSessions": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "authenticator": { + "internal": true, + "providers": { + "no-cookie-redirect": { "order": 0 }, + "auth-cookie": { "order": 0 }, + "console-username-password": { "order": 0 }, + 
"reset-credentials-choose-user": { "order": 0 }, + "direct-grant-validate-password": { "order": 0 }, + "webauthn-authenticator": { "order": 0 }, + "auth-spnego": { "order": 0 }, + "direct-grant-auth-x509-username": { "order": 0 }, + "reset-password": { "order": 0 }, + "auth-password-form": { "order": 0 }, + "docker-http-basic-authenticator": { "order": 0 }, + "allow-access-authenticator": { "order": 0 }, + "idp-username-password-form": { "order": 0 }, + "auth-x509-client-username-form": { "order": 0 }, + "idp-auto-link": { "order": 0 }, + "idp-email-verification": { "order": 0 }, + "basic-auth": { "order": 0 }, + "conditional-user-role": { "order": 0 }, + "deny-access-authenticator": { "order": 0 }, + "direct-grant-validate-username": { "order": 0 }, + "identity-provider-redirector": { "order": 0 }, + "reset-otp": { "order": 0 }, + "conditional-user-configured": { "order": 0 }, + "webauthn-authenticator-passwordless": { "order": 0 }, + "basic-auth-otp": { "order": 0 }, + "auth-conditional-otp-form": { "order": 0 }, + "idp-confirm-link": { "order": 0 }, + "idp-review-profile": { "order": 0 }, + "auth-username-password-form": { "order": 0 }, + "user-session-limits": { "order": 0 }, + "reset-credential-email": { "order": 0 }, + "auth-username-form": { "order": 0 }, + "idp-detect-existing-broker-user": { "order": 0 }, + "http-basic-authenticator": { "order": 0 }, + "conditional-level-of-authentication": { "order": 0 }, + "auth-otp-form": { "order": 0 }, + "direct-grant-validate-otp": { "order": 0 }, + "idp-create-user-if-unique": { "order": 0 } + } + }, + "authorization": { + "internal": true, + "providers": { "authorization": { "order": 0 } } + }, + "authorization-request-parser": { + "internal": true, + "providers": { "client-scope": { "order": 0 } } + }, + "authorizationCache": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "authorizationPersister": { + "internal": true, + "providers": { "jpa": { "order": 1 } } + }, + 
"bruteForceProtector": { + "internal": true, + "providers": { "default-brute-force-detector": { "order": 0 } } + }, + "cekmanagement": { + "internal": true, + "providers": { + "RSA-OAEP": { "order": 0 }, + "RSA-OAEP-256": { "order": 0 }, + "RSA1_5": { "order": 0 } + } + }, + "ciba-auth-channel": { + "internal": true, + "providers": { "ciba-http-auth-channel": { "order": 0 } } + }, + "ciba-login-user-resolver": { + "internal": true, + "providers": { "default-ciba-login-user-resolver": { "order": 0 } } + }, + "client": { "internal": true, "providers": { "jpa": { "order": 1 } } }, + "client-authenticator": { + "internal": true, + "providers": { + "client-jwt": { "order": 0 }, + "client-secret": { "order": 0 }, + "client-x509": { "order": 0 }, + "client-secret-jwt": { "order": 0 } + } + }, + "client-description-converter": { + "internal": true, + "providers": { + "keycloak": { "order": 0 }, + "saml2-entity-descriptor": { "order": 0 }, + "openid-connect": { "order": 0 } + } + }, + "client-installation": { + "internal": true, + "providers": { + "docker-v2-variable-override": { "order": 0 }, + "keycloak-oidc-jboss-subsystem": { "order": 0 }, + "keycloak-oidc-jboss-subsystem-cli": { "order": 0 }, + "keycloak-saml": { "order": 0 }, + "keycloak-saml-subsystem-cli": { "order": 0 }, + "docker-v2-registry-config-file": { "order": 0 }, + "saml-sp-descriptor": { "order": 0 }, + "keycloak-saml-subsystem": { "order": 0 }, + "keycloak-oidc-keycloak-json": { "order": 0 }, + "docker-v2-compose-yaml": { "order": 0 }, + "mod-auth-mellon": { "order": 0 } + } + }, + "client-policy-condition": { + "internal": true, + "providers": { + "client-scopes": { "order": 0 }, + "client-updater-source-roles": { "order": 0 }, + "client-updater-source-groups": { "order": 0 }, + "client-access-type": { "order": 0 }, + "any-client": { "order": 0 }, + "client-updater-context": { "order": 0 }, + "client-updater-source-host": { "order": 0 }, + "client-roles": { "order": 0 } + } + }, + 
"client-policy-executor": { + "internal": true, + "providers": { + "secure-client-uris": { "order": 0 }, + "secure-signature-algorithm": { "order": 0 }, + "secure-signature-algorithm-signed-jwt": { "order": 0 }, + "secure-session": { "order": 0 }, + "secure-ciba-session": { "order": 0 }, + "pkce-enforcer": { "order": 0 }, + "secure-ciba-signed-authn-req": { "order": 0 }, + "holder-of-key-enforcer": { "order": 0 }, + "secure-ciba-req-sig-algorithm": { "order": 0 }, + "reject-ropc-grant": { "order": 0 }, + "full-scope-disabled": { "order": 0 }, + "confidential-client": { "order": 0 }, + "secure-request-object": { "order": 0 }, + "secure-logout": { "order": 0 }, + "secure-client-authenticator": { "order": 0 }, + "secure-response-type": { "order": 0 }, + "consent-required": { "order": 0 } + } + }, + "client-policy-manager": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "client-registration": { + "internal": true, + "providers": { + "default": { "order": 0 }, + "install": { "order": 0 }, + "saml2-entity-descriptor": { "order": 0 }, + "openid-connect": { "order": 0 } + } + }, + "client-registration-policy": { + "internal": true, + "providers": { + "allowed-client-templates": { "order": 0 }, + "client-disabled": { "order": 0 }, + "max-clients": { "order": 0 }, + "scope": { "order": 0 }, + "allowed-protocol-mappers": { "order": 0 }, + "trusted-hosts": { "order": 0 }, + "consent-required": { "order": 0 } + } + }, + "client-storage": { "internal": true, "providers": {} }, + "clientScope": { "internal": true, "providers": { "jpa": { "order": 1 } } }, + "clientSignature": { + "internal": true, + "providers": { + "PS384": { "order": 0 }, + "ES384": { "order": 0 }, + "RS384": { "order": 0 }, + "HS256": { "order": 0 }, + "HS512": { "order": 0 }, + "ES256": { "order": 0 }, + "RS256": { "order": 0 }, + "HS384": { "order": 0 }, + "ES512": { "order": 0 }, + "PS256": { "order": 0 }, + "PS512": { "order": 0 }, + "RS512": { "order": 0 } + } + }, + 
"clientValidation": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "clientscope-storage": { "internal": true, "providers": {} }, + "cluster": { + "internal": true, + "providers": { "infinispan": { "order": 0 } } + }, + "codeToTokenStore": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "componentFactory": { + "internal": false, + "providers": { "default": { "order": 0 } } + }, + "connectionsHttpClient": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "connectionsInfinispan": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "connectionsJpa": { + "internal": true, + "providers": { + "default": { + "order": 0, + "operationalInfo": { + "databaseUrl": "jdbc:h2:/home/edewit/workspace/keycloak/keycloak/distribution/server-dist/target/keycloak-18.0.0-SNAPSHOT/standalone/data/keycloak", + "databaseUser": "SA", + "databaseProduct": "H2 1.4.197 (2018-03-18)", + "databaseDriver": "H2 JDBC Driver 1.4.197 (2018-03-18)" + } + } + } + }, + "connectionsJpaUpdater": { + "internal": true, + "providers": { "liquibase": { "order": 0 } } + }, + "connectionsLiquibase": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "contentencryption": { + "internal": true, + "providers": { + "A256GCM": { "order": 0 }, + "A192GCM": { "order": 0 }, + "A128GCM": { "order": 0 }, + "A128CBC-HS256": { "order": 0 }, + "A192CBC-HS384": { "order": 0 }, + "A256CBC-HS512": { "order": 0 } + } + }, + "credential": { + "internal": true, + "providers": { + "keycloak-webauthn": { "order": 0 }, + "keycloak-otp": { "order": 0 }, + "keycloak-password": { "order": 0 }, + "keycloak-webauthn-passwordless": { "order": 0 } + } + }, + "dblock": { "internal": true, "providers": { "jpa": { "order": 1 } } }, + "deploymentState": { + "internal": true, + "providers": { "jpa": { "order": 1 } } + }, + "emailSender": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + 
"emailTemplate": { + "internal": true, + "providers": { "freemarker": { "order": 0 } } + }, + "eventsListener": { + "internal": true, + "providers": { "jboss-logging": { "order": 0 }, "email": { "order": 0 } } + }, + "eventsStore": { "internal": true, "providers": { "jpa": { "order": 0 } } }, + "exception-converter": { + "internal": true, + "providers": { "jpa": { "order": 0 } } + }, + "executors": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "export": { + "internal": true, + "providers": { "singleFile": { "order": 0 }, "dir": { "order": 0 } } + }, + "form-action": { + "internal": true, + "providers": { + "registration-profile-action": { "order": 0 }, + "registration-recaptcha-action": { "order": 0 }, + "registration-password-action": { "order": 0 }, + "registration-user-creation": { "order": 0 } + } + }, + "form-authenticator": { + "internal": true, + "providers": { "registration-page-form": { "order": 0 } } + }, + "group": { "internal": true, "providers": { "jpa": { "order": 1 } } }, + "group-storage": { "internal": true, "providers": {} }, + "hash": { + "internal": true, + "providers": { + "SHA-384": { "order": 0 }, + "SHA-256": { "order": 0 }, + "SHA-512": { "order": 0 } + } + }, + "hostname": { + "internal": false, + "providers": { "default": { "order": 0 } } + }, + "identity-provider-mapper": { + "internal": true, + "providers": { + "saml-advanced-role-idp-mapper": { "order": 0 }, + "saml-username-idp-mapper": { "order": 0 }, + "github-user-attribute-mapper": { "order": 0 }, + "stackoverflow-user-attribute-mapper": { "order": 0 }, + "hardcoded-user-session-attribute-idp-mapper": { "order": 0 }, + "oidc-advanced-role-idp-mapper": { "order": 0 }, + "saml-user-attribute-idp-mapper": { "order": 0 }, + "openshift-v4-user-attribute-mapper": { "order": 0 }, + "paypal-user-attribute-mapper": { "order": 0 }, + "google-user-attribute-mapper": { "order": 0 }, + "linkedin-user-attribute-mapper": { "order": 0 }, + "oidc-role-idp-mapper": { 
"order": 0 }, + "saml-role-idp-mapper": { "order": 0 }, + "instagram-user-attribute-mapper": { "order": 0 }, + "microsoft-user-attribute-mapper": { "order": 0 }, + "oidc-advanced-group-idp-mapper": { "order": 0 }, + "keycloak-oidc-role-to-role-idp-mapper": { "order": 0 }, + "oidc-user-attribute-idp-mapper": { "order": 0 }, + "facebook-user-attribute-mapper": { "order": 0 }, + "oidc-hardcoded-role-idp-mapper": { "order": 0 }, + "hardcoded-attribute-idp-mapper": { "order": 0 }, + "oidc-username-idp-mapper": { "order": 0 } + } + }, + "identity_provider": { + "internal": true, + "providers": { + "saml": { "order": 0 }, + "oidc": { "order": 0 }, + "keycloak-oidc": { "order": 0 } + } + }, + "import": { + "internal": true, + "providers": { "singleFile": { "order": 0 }, "dir": { "order": 0 } } + }, + "jpa-entity-provider": { "internal": true, "providers": {} }, + "jta-lookup": { + "internal": true, + "providers": { "jboss": { "order": 0 } } + }, + "keys": { + "internal": true, + "providers": { + "rsa": { "order": 0 }, + "java-keystore": { "order": 0 }, + "rsa-generated": { "order": 0 }, + "rsa-enc-generated": { "order": 0 }, + "aes-generated": { "order": 0 }, + "ecdsa-generated": { "order": 0 }, + "rsa-enc": { "order": 0 }, + "hmac-generated": { "order": 0 } + } + }, + "ldap-mapper": { + "internal": true, + "providers": { + "msad-lds-user-account-control-mapper": { "order": 0 }, + "msad-user-account-control-mapper": { "order": 0 }, + "group-ldap-mapper": { "order": 0 }, + "user-attribute-ldap-mapper": { "order": 0 }, + "role-ldap-mapper": { "order": 0 }, + "hardcoded-attribute-mapper": { "order": 0 }, + "hardcoded-ldap-role-mapper": { "order": 0 }, + "certificate-ldap-mapper": { "order": 0 }, + "full-name-ldap-mapper": { "order": 0 }, + "hardcoded-ldap-attribute-mapper": { "order": 0 }, + "hardcoded-ldap-group-mapper": { "order": 0 } + } + }, + "localeSelector": { + "internal": false, + "providers": { "default": { "order": 0 } } + }, + "localeUpdater": { + "internal": 
false, + "providers": { "default": { "order": 0 } } + }, + "login": { + "internal": true, + "providers": { "freemarker": { "order": 0 } } + }, + "login-protocol": { + "internal": true, + "providers": { "saml": { "order": 0 }, "openid-connect": { "order": 0 } } + }, + "loginFailure": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "mapStorage": { "internal": false, "providers": {} }, + "migration": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "oauth2-token-exchange": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "oauth2-token-introspection": { + "internal": true, + "providers": { + "access_token": { "order": 0 }, + "refresh_token": { "order": 0 }, + "requesting_party_token": { "order": 0 } + } + }, + "oauth2DeviceTokenStore": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "oauth2DeviceUserCode": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "openid-connect-ext": { + "internal": true, + "providers": { "par": { "order": 0 }, "ciba": { "order": 0 } } + }, + "password-hashing": { + "internal": true, + "providers": { + "pbkdf2": { "order": 0 }, + "pbkdf2-sha512": { "order": 0 }, + "pbkdf2-sha256": { "order": 0 } + } + }, + "password-policy": { + "internal": true, + "providers": { + "forceExpiredPasswordChange": { "order": 0 }, + "hashIterations": { "order": 0 }, + "passwordHistory": { "order": 0 }, + "passwordBlacklist": { "order": 0 }, + "length": { "order": 0 }, + "regexPattern": { "order": 0 }, + "notUsername": { "order": 0 }, + "notEmail": { "order": 0 }, + "specialChars": { "order": 0 }, + "upperCase": { "order": 0 }, + "lowerCase": { "order": 0 }, + "digits": { "order": 0 }, + "hashAlgorithm": { "order": 0 }, + "maxLength": { "order": 0 } + } + }, + "password-policy-manager": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "policy": { + "internal": true, + "providers": { + "regex": { "order": 0 }, 
+ "role": { "order": 0 }, + "resource": { "order": 0 }, + "scope": { "order": 0 }, + "uma": { "order": 0 }, + "client": { "order": 0 }, + "js": { "order": 0 }, + "time": { "order": 0 }, + "client-scope": { "order": 0 }, + "user": { "order": 0 }, + "aggregate": { "order": 0 }, + "group": { "order": 0 } + } + }, + "protocol-mapper": { + "internal": true, + "providers": { + "oidc-claims-param-token-mapper": { "order": 0 }, + "oidc-usermodel-realm-role-mapper": { "order": 0 }, + "saml-javascript-mapper": { "order": 0 }, + "saml-user-attribute-nameid-mapper": { "order": 0 }, + "oidc-usersessionmodel-note-mapper": { "order": 0 }, + "oidc-address-mapper": { "order": 0 }, + "saml-audience-resolve-mapper": { "order": 0 }, + "oidc-role-name-mapper": { "order": 0 }, + "oidc-usermodel-client-role-mapper": { "order": 0 }, + "saml-user-session-note-mapper": { "order": 0 }, + "oidc-usermodel-property-mapper": { "order": 0 }, + "saml-audience-mapper": { "order": 0 }, + "saml-group-membership-mapper": { "order": 0 }, + "docker-v2-allow-all-mapper": { "order": 0 }, + "oidc-hardcoded-role-mapper": { "order": 0 }, + "oidc-hardcoded-claim-mapper": { "order": 0 }, + "oidc-sha256-pairwise-sub-mapper": { "order": 0 }, + "saml-role-name-mapper": { "order": 0 }, + "saml-role-list-mapper": { "order": 0 }, + "saml-user-property-mapper": { "order": 0 }, + "oidc-full-name-mapper": { "order": 0 }, + "oidc-allowed-origins-mapper": { "order": 0 }, + "oidc-audience-mapper": { "order": 0 }, + "oidc-usermodel-attribute-mapper": { "order": 0 }, + "saml-hardcode-attribute-mapper": { "order": 0 }, + "oidc-group-membership-mapper": { "order": 0 }, + "saml-user-attribute-mapper": { "order": 0 }, + "saml-hardcode-role-mapper": { "order": 0 }, + "oidc-audience-resolve-mapper": { "order": 0 } + } + }, + "publicKeyStorage": { + "internal": true, + "providers": { "infinispan": { "order": 0 } } + }, + "pushedAuthzRequestStore": { + "internal": true, + "providers": { "infinispan": { "order": 0 } } + }, + 
"realm": { "internal": true, "providers": { "jpa": { "order": 1 } } }, + "realm-restapi-extension": { + "internal": true, + "providers": { "device": { "order": 0 } } + }, + "realmCache": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "required-action": { + "internal": true, + "providers": { + "terms_and_conditions": { "order": 0 }, + "update_user_locale": { "order": 0 }, + "CONFIGURE_TOTP": { "order": 0 }, + "VERIFY_EMAIL": { "order": 0 }, + "delete_account": { "order": 0 }, + "webauthn-register-passwordless": { "order": 0 }, + "webauthn-register": { "order": 0 }, + "VERIFY_PROFILE": { "order": 0 }, + "UPDATE_PASSWORD": { "order": 0 }, + "UPDATE_PROFILE": { "order": 0 } + } + }, + "resource-encoding": { + "internal": true, + "providers": { "gzip": { "order": 0 } } + }, + "role": { "internal": true, "providers": { "jpa": { "order": 1 } } }, + "role-storage": { "internal": true, "providers": {} }, + "saml-artifact-resolver": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "saml-authentication-preprocessor": { "internal": false, "providers": {} }, + "samlArtifactSessionMappingStore": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "scripting": { + "internal": true, + "providers": { "script-based-auth": { "order": 0 } } + }, + "security-headers": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "signature": { + "internal": true, + "providers": { + "PS384": { "order": 0 }, + "ES384": { "order": 0 }, + "RS384": { "order": 0 }, + "HS256": { "order": 0 }, + "HS512": { "order": 0 }, + "ES256": { "order": 0 }, + "RS256": { "order": 0 }, + "HS384": { "order": 0 }, + "ES512": { "order": 0 }, + "PS256": { "order": 0 }, + "PS512": { "order": 0 }, + "RS512": { "order": 0 } + } + }, + "singleUseTokenStore": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "social": { + "internal": true, + "providers": { + "github": { "order": 0 }, + "facebook": { 
"order": 0 }, + "google": { "order": 0 }, + "instagram": { "order": 0 }, + "linkedin": { "order": 0 }, + "bitbucket": { "order": 0 }, + "microsoft": { "order": 0 }, + "twitter": { "order": 0 }, + "openshift-v4": { "order": 0 }, + "openshift-v3": { "order": 0 }, + "gitlab": { "order": 0 }, + "paypal": { "order": 0 }, + "stackoverflow": { "order": 0 } + } + }, + "stickySessionEncoder": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "storage": { + "internal": false, + "providers": { "ldap": { "order": 0 }, "kerberos": { "order": 0 } } + }, + "theme": { + "internal": true, + "providers": { + "folder": { "order": 0 }, + "module": { "order": 0 }, + "jar": { "order": 0 } + } + }, + "themeResource": { "internal": false, "providers": {} }, + "themeSelector": { + "internal": false, + "providers": { "default": { "order": 0 } } + }, + "timer": { "internal": true, "providers": { "basic": { "order": 0 } } }, + "tokenRevocationStore": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "truststore": { "internal": true, "providers": { "file": { "order": 0 } } }, + "user": { "internal": true, "providers": { "jpa": { "order": 1 } } }, + "userCache": { + "internal": true, + "providers": { "default": { "order": 0 } } + }, + "userFederatedStorage": { + "internal": true, + "providers": { "jpa": { "order": 0 } } + }, + "userProfile": { + "internal": true, + "providers": { "declarative-user-profile": { "order": 1 } } + }, + "userSessionPersister": { + "internal": true, + "providers": { "jpa": { "order": 100 } } + }, + "userSessions": { + "internal": true, + "providers": { "infinispan": { "order": 1 } } + }, + "validator": { + "internal": true, + "providers": { + "pattern": { "order": 0 }, + "up-readonly-attribute-unchanged": { "order": 0 }, + "integer": { "order": 0 }, + "up-brokering-federated-username-has-value": { "order": 0 }, + "up-attribute-required-by-metadata-value": { "order": 0 }, + 
"up-registration-email-as-username-email-value": { "order": 0 }, + "username-prohibited-characters": { "order": 0 }, + "up-blank-attribute-value": { "order": 0 }, + "options": { "order": 0 }, + "up-email-exists-as-username": { "order": 0 }, + "up-username-has-value": { "order": 0 }, + "email": { "order": 0 }, + "up-registration-email-as-username-username-value": { "order": 0 }, + "person-name-prohibited-characters": { "order": 0 }, + "up-duplicate-username": { "order": 0 }, + "not-blank": { "order": 0 }, + "double": { "order": 0 }, + "length": { "order": 0 }, + "up-immutable-attribute": { "order": 0 }, + "up-registration-username-exists": { "order": 0 }, + "up-duplicate-email": { "order": 0 }, + "uri": { "order": 0 }, + "up-username-mutation": { "order": 0 }, + "not-empty": { "order": 0 }, + "local-date": { "order": 0 } + } + }, + "vault": { + "internal": true, + "providers": { + "files-plaintext": { "order": 0 }, + "elytron-cs-keystore": { "order": 0 } + } + }, + "well-known": { + "internal": true, + "providers": { + "openid-configuration": { "order": 0 }, + "uma2-configuration": { "order": 0 } + } + }, + "x509cert-lookup": { + "internal": true, + "providers": { "default": { "order": 0 } } + } + }, + "protocolMapperTypes": { + "docker-v2": [ + { + "id": "docker-v2-allow-all-mapper", + "name": "Allow All", + "category": "Docker Auth Mapper", + "helpText": "Allows all grants, returning the full set of requested access attributes as permitted attributes.", + "priority": 0, + "properties": [] + } + ], + "saml": [ + { + "id": "saml-javascript-mapper", + "name": "Javascript Mapper", + "category": "AttributeStatement Mapper", + "helpText": "Evaluates a JavaScript function to produce an attribute value based on context information.", + "priority": 0, + "properties": [ + { + "name": "Script", + "label": "Script", + "helpText": "Script to compute the attribute value. 
\n Available variables: \n 'user' - the current user.\n 'realm' - the current realm.\n 'clientSession' - the current clientSession.\n 'userSession' - the current userSession.\n 'keycloakSession' - the current keycloakSession.\n\nTo use: the last statement is the value returned to Java.\nThe result will be tested if it can be iterated upon (e.g. an array or a collection).\n - If it is not, toString() will be called on the object to get the value of the attribute\n - If it is, toString() will be called on all elements to return multiple attribute values.\n", + "type": "Script", + "defaultValue": "/**\n * Available variables: \n * user - the current user\n * realm - the current realm\n * clientSession - the current clientSession\n * userSession - the current userSession\n * keycloakSession - the current keycloakSession\n */\n\n\n//insert your code here...", + "secret": false + }, + { + "name": "single", + "label": "Single Value Attribute", + "helpText": "If true, all values will be stored under one attribute with multiple attribute values.", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "friendly.name", + "label": "Friendly Name", + "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", + "type": "String", + "secret": false + }, + { + "name": "attribute.name", + "label": "SAML Attribute Name", + "helpText": "SAML Attribute Name", + "type": "String", + "secret": false + }, + { + "name": "attribute.nameformat", + "label": "SAML Attribute NameFormat", + "helpText": "SAML Attribute NameFormat. 
Can be basic, URI reference, or unspecified.", + "type": "List", + "options": ["Basic", "URI Reference", "Unspecified"], + "secret": false + } + ] + }, + { + "id": "saml-user-attribute-nameid-mapper", + "name": "User Attribute Mapper For NameID", + "category": "NameID Mapper", + "helpText": "Map user attribute to SAML NameID value.", + "priority": 0, + "properties": [ + { + "name": "mapper.nameid.format", + "label": "name-id-format", + "helpText": "mapper.nameid.format.tooltip", + "type": "List", + "options": [ + "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", + "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", + "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", + "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", + "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", + "urn:oasis:names:tc:SAML:2.0:nameid-format:entity", + "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", + "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" + ], + "secret": false + }, + { + "name": "user.attribute", + "label": "usermodel.attr.label", + "helpText": "usermodel.attr.tooltip", + "type": "String", + "secret": false + } + ] + }, + { + "id": "saml-audience-resolve-mapper", + "name": "Audience Resolve", + "category": "Audience mapper", + "helpText": "Adds all client_ids of \"allowed\" clients to the audience conditions in the assertion. 
Allowed client means any SAML client for which user has at least one client role", + "priority": 0, + "properties": [] + }, + { + "id": "saml-user-session-note-mapper", + "name": "User Session Note", + "category": "AttributeStatement Mapper", + "helpText": "Map a user session note to a SAML attribute.", + "priority": 0, + "properties": [ + { + "name": "note", + "label": "User Session Note Attribute", + "helpText": "The user session note you want to grab the value from.", + "type": "String", + "secret": false + }, + { + "name": "friendly.name", + "label": "Friendly Name", + "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", + "type": "String", + "secret": false + }, + { + "name": "attribute.name", + "label": "SAML Attribute Name", + "helpText": "SAML Attribute Name", + "type": "String", + "secret": false + }, + { + "name": "attribute.nameformat", + "label": "SAML Attribute NameFormat", + "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", + "type": "List", + "options": ["Basic", "URI Reference", "Unspecified"], + "secret": false + } + ] + }, + { + "id": "saml-group-membership-mapper", + "name": "Group list", + "category": "Group Mapper", + "helpText": "Group names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per group name depending on how you configure it. You can also specify the attribute name i.e. 'member' or 'memberOf' being examples.", + "priority": 0, + "properties": [ + { + "name": "attribute.name", + "label": "Group attribute name", + "helpText": "Name of the SAML attribute you want to put your groups into. i.e. 'member', 'memberOf'.", + "type": "String", + "defaultValue": "member", + "secret": false + }, + { + "name": "friendly.name", + "label": "Friendly Name", + "helpText": "Standard SAML attribute setting. 
An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", + "type": "String", + "secret": false + }, + { + "name": "attribute.nameformat", + "label": "SAML Attribute NameFormat", + "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", + "type": "List", + "options": ["Basic", "URI Reference", "Unspecified"], + "secret": false + }, + { + "name": "single", + "label": "Single Group Attribute", + "helpText": "If true, all groups will be stored under one attribute with multiple attribute values.", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "full.path", + "label": "Full group path", + "helpText": "Include full path to group i.e. /top/level1/level2, false will just specify the group name", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "saml-audience-mapper", + "name": "Audience", + "category": "Audience mapper", + "helpText": "Add specified audience to the audience conditions in the assertion.", + "priority": 0, + "properties": [ + { + "name": "included.client.audience", + "label": "included.client.audience.label", + "helpText": "included.client.audience.tooltip", + "type": "ClientList", + "secret": false + }, + { + "name": "included.custom.audience", + "label": "included.custom.audience.label", + "helpText": "included.custom.audience.tooltip", + "type": "String", + "secret": false + } + ] + }, + { + "id": "saml-role-name-mapper", + "name": "Role Name Mapper", + "category": "Role Mapper", + "helpText": "Map an assigned role to a new name", + "priority": 0, + "properties": [ + { + "name": "role", + "label": "Role", + "helpText": "Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. 
myclient.myrole", + "type": "Role", + "secret": false + }, + { + "name": "new.role.name", + "label": "New Role Name", + "helpText": "The new role name.", + "type": "String", + "secret": false + } + ] + }, + { + "id": "saml-role-list-mapper", + "name": "Role list", + "category": "Role Mapper", + "helpText": "Role names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per role name depending on how you configure it. You can also specify the attribute name i.e. 'Role' or 'memberOf' being examples.", + "priority": 0, + "properties": [ + { + "name": "attribute.name", + "label": "Role attribute name", + "helpText": "Name of the SAML attribute you want to put your roles into. i.e. 'Role', 'memberOf'.", + "type": "String", + "defaultValue": "Role", + "secret": false + }, + { + "name": "friendly.name", + "label": "Friendly Name", + "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", + "type": "String", + "secret": false + }, + { + "name": "attribute.nameformat", + "label": "SAML Attribute NameFormat", + "helpText": "SAML Attribute NameFormat. 
Can be basic, URI reference, or unspecified.", + "type": "List", + "options": ["Basic", "URI Reference", "Unspecified"], + "secret": false + }, + { + "name": "single", + "label": "Single Role Attribute", + "helpText": "If true, all roles will be stored under one attribute with multiple attribute values.", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "saml-user-property-mapper", + "name": "User Property", + "category": "AttributeStatement Mapper", + "helpText": "Map a built in user property (email, firstName, lastName) to a SAML attribute type.", + "priority": 0, + "properties": [ + { + "name": "user.attribute", + "label": "usermodel.prop.label", + "helpText": "usermodel.prop.tooltip", + "type": "String", + "secret": false + }, + { + "name": "friendly.name", + "label": "Friendly Name", + "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", + "type": "String", + "secret": false + }, + { + "name": "attribute.name", + "label": "SAML Attribute Name", + "helpText": "SAML Attribute Name", + "type": "String", + "secret": false + }, + { + "name": "attribute.nameformat", + "label": "SAML Attribute NameFormat", + "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", + "type": "List", + "options": ["Basic", "URI Reference", "Unspecified"], + "secret": false + } + ] + }, + { + "id": "saml-hardcode-attribute-mapper", + "name": "Hardcoded attribute", + "category": "AttributeStatement Mapper", + "helpText": "Hardcode an attribute into the SAML Assertion.", + "priority": 0, + "properties": [ + { + "name": "friendly.name", + "label": "Friendly Name", + "helpText": "Standard SAML attribute setting. 
An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", + "type": "String", + "secret": false + }, + { + "name": "attribute.name", + "label": "SAML Attribute Name", + "helpText": "SAML Attribute Name", + "type": "String", + "secret": false + }, + { + "name": "attribute.nameformat", + "label": "SAML Attribute NameFormat", + "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.", + "type": "List", + "options": ["Basic", "URI Reference", "Unspecified"], + "secret": false + }, + { + "name": "attribute.value", + "label": "Attribute value", + "helpText": "Value of the attribute you want to hard code.", + "type": "String", + "secret": false + } + ] + }, + { + "id": "saml-user-attribute-mapper", + "name": "User Attribute", + "category": "AttributeStatement Mapper", + "helpText": "Map a custom user attribute to a to a SAML attribute.", + "priority": 0, + "properties": [ + { + "name": "user.attribute", + "label": "usermodel.attr.label", + "helpText": "usermodel.attr.tooltip", + "type": "String", + "secret": false + }, + { + "name": "friendly.name", + "label": "Friendly Name", + "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.", + "type": "String", + "secret": false + }, + { + "name": "attribute.name", + "label": "SAML Attribute Name", + "helpText": "SAML Attribute Name", + "type": "String", + "secret": false + }, + { + "name": "attribute.nameformat", + "label": "SAML Attribute NameFormat", + "helpText": "SAML Attribute NameFormat. 
Can be basic, URI reference, or unspecified.", + "type": "List", + "options": ["Basic", "URI Reference", "Unspecified"], + "secret": false + }, + { + "name": "aggregate.attrs", + "label": "aggregate.attrs.label", + "helpText": "aggregate.attrs.tooltip", + "type": "boolean", + "secret": false + } + ] + }, + { + "id": "saml-hardcode-role-mapper", + "name": "Hardcoded role", + "category": "AttributeStatement Mapper", + "helpText": "Hardcode role into SAML Assertion.", + "priority": 0, + "properties": [ + { + "name": "role", + "label": "Role", + "helpText": "Arbitrary role name you want to hardcode. This role does not have to exist in current realm and can be just any string you need", + "type": "Role", + "secret": false + } + ] + } + ], + "openid-connect": [ + { + "id": "oidc-claims-param-token-mapper", + "name": "Claims parameter Token", + "category": "Token mapper", + "helpText": "Claims specified by Claims parameter are put into tokens.", + "priority": 0, + "properties": [ + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "oidc-usermodel-realm-role-mapper", + "name": "User Realm Role", + "category": "Token mapper", + "helpText": "Map a user realm role to a token claim.", + "priority": 40, + "properties": [ + { + "name": "usermodel.realmRoleMapping.rolePrefix", + "label": "usermodel.realmRoleMapping.rolePrefix.label", + "helpText": "usermodel.realmRoleMapping.rolePrefix.tooltip", + "type": "String", + "secret": false + }, + { + "name": "multivalued", + "label": "multivalued.label", + "helpText": "multivalued.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "claim.name", + "label": 
"tokenClaimName.label", + "helpText": "tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "jsonType.label", + "label": "jsonType.label", + "helpText": "jsonType.tooltip", + "type": "List", + "options": ["String", "long", "int", "boolean", "JSON"], + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "oidc-usersessionmodel-note-mapper", + "name": "User Session Note", + "category": "Token mapper", + "helpText": "Map a custom user session note to a token claim.", + "priority": 0, + "properties": [ + { + "name": "user.session.note", + "label": "userSession.modelNote.label", + "helpText": "userSession.modelNote.tooltip", + "type": "String", + "secret": false + }, + { + "name": "claim.name", + "label": "tokenClaimName.label", + "helpText": "tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "jsonType.label", + "label": "jsonType.label", + "helpText": "jsonType.tooltip", + "type": "List", + "options": ["String", "long", "int", "boolean", "JSON"], + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": 
"access.tokenResponse.claim", + "label": "includeInAccessTokenResponse.label", + "helpText": "includeInAccessTokenResponse.tooltip", + "type": "boolean", + "defaultValue": "false", + "secret": false + } + ] + }, + { + "id": "oidc-address-mapper", + "name": "User Address", + "category": "Token mapper", + "helpText": "Maps user address attributes (street, locality, region, postal_code, and country) to the OpenID Connect 'address' claim.", + "priority": 0, + "properties": [ + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "user.attribute.street", + "label": "addressClaim.street.label", + "helpText": "addressClaim.street.tooltip", + "type": "String", + "defaultValue": "street", + "secret": false + }, + { + "name": "user.attribute.locality", + "label": "addressClaim.locality.label", + "helpText": "addressClaim.locality.tooltip", + "type": "String", + "defaultValue": "locality", + "secret": false + }, + { + "name": "user.attribute.region", + "label": "addressClaim.region.label", + "helpText": "addressClaim.region.tooltip", + "type": "String", + "defaultValue": "region", + "secret": false + }, + { + "name": "user.attribute.postal_code", + "label": "addressClaim.postal_code.label", + "helpText": "addressClaim.postal_code.tooltip", + "type": "String", + "defaultValue": "postal_code", + "secret": false + }, + { + "name": "user.attribute.country", + "label": "addressClaim.country.label", + "helpText": "addressClaim.country.tooltip", + "type": "String", + 
"defaultValue": "country", + "secret": false + }, + { + "name": "user.attribute.formatted", + "label": "addressClaim.formatted.label", + "helpText": "addressClaim.formatted.tooltip", + "type": "String", + "defaultValue": "formatted", + "secret": false + } + ] + }, + { + "id": "oidc-role-name-mapper", + "name": "Role Name Mapper", + "category": "Token mapper", + "helpText": "Map an assigned role to a new name or position in the token.", + "priority": 10, + "properties": [ + { + "name": "role", + "label": "Role", + "helpText": "Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + }, + { + "name": "new.role.name", + "label": "New Role Name", + "helpText": "The new role name. The new name format corresponds to where in the access token the role will be mapped to. So, a new name of 'myapp.newname' will map the role to that position in the access token. 
A new name of 'newname' will map the role to the realm roles in the token.", + "type": "String", + "secret": false + } + ] + }, + { + "id": "oidc-usermodel-client-role-mapper", + "name": "User Client Role", + "category": "Token mapper", + "helpText": "Map a user client role to a token claim.", + "priority": 40, + "properties": [ + { + "name": "usermodel.clientRoleMapping.clientId", + "label": "usermodel.clientRoleMapping.clientId.label", + "helpText": "usermodel.clientRoleMapping.clientId.tooltip", + "type": "ClientList", + "secret": false + }, + { + "name": "usermodel.clientRoleMapping.rolePrefix", + "label": "usermodel.clientRoleMapping.rolePrefix.label", + "helpText": "usermodel.clientRoleMapping.rolePrefix.tooltip", + "type": "String", + "secret": false + }, + { + "name": "multivalued", + "label": "multivalued.label", + "helpText": "multivalued.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "claim.name", + "label": "tokenClaimName.label", + "helpText": "usermodel.clientRoleMapping.tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "jsonType.label", + "label": "jsonType.label", + "helpText": "jsonType.tooltip", + "type": "List", + "options": ["String", "long", "int", "boolean", "JSON"], + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "oidc-usermodel-property-mapper", + "name": "User Property", + "category": "Token mapper", + "helpText": 
"Map a built in user property (email, firstName, lastName) to a token claim.", + "priority": 0, + "properties": [ + { + "name": "user.attribute", + "label": "usermodel.prop.label", + "helpText": "usermodel.prop.tooltip", + "type": "String", + "secret": false + }, + { + "name": "claim.name", + "label": "tokenClaimName.label", + "helpText": "tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "jsonType.label", + "label": "jsonType.label", + "helpText": "jsonType.tooltip", + "type": "List", + "options": ["String", "long", "int", "boolean", "JSON"], + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "oidc-hardcoded-role-mapper", + "name": "Hardcoded Role", + "category": "Token mapper", + "helpText": "Hardcode a role into the access token.", + "priority": 20, + "properties": [ + { + "name": "role", + "label": "Role", + "helpText": "Role you want added to the token. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. 
myclient.myrole", + "type": "Role", + "secret": false + } + ] + }, + { + "id": "oidc-hardcoded-claim-mapper", + "name": "Hardcoded claim", + "category": "Token mapper", + "helpText": "Hardcode a claim into the token.", + "priority": 0, + "properties": [ + { + "name": "claim.name", + "label": "tokenClaimName.label", + "helpText": "tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "claim.value", + "label": "Claim value", + "helpText": "Value of the claim you want to hard code. 'true' and 'false can be used for boolean values.", + "type": "String", + "secret": false + }, + { + "name": "jsonType.label", + "label": "jsonType.label", + "helpText": "jsonType.tooltip", + "type": "List", + "options": ["String", "long", "int", "boolean", "JSON"], + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.tokenResponse.claim", + "label": "includeInAccessTokenResponse.label", + "helpText": "includeInAccessTokenResponse.tooltip", + "type": "boolean", + "defaultValue": "false", + "secret": false + } + ] + }, + { + "id": "oidc-sha256-pairwise-sub-mapper", + "name": "Pairwise subject identifier", + "category": "Token mapper", + "helpText": "Calculates a pairwise subject identifier using a salted sha-256 hash. 
See OpenID Connect specification for more info about pairwise subject identifiers.", + "priority": 0, + "properties": [ + { + "name": "sectorIdentifierUri", + "label": "sectorIdentifierUri.label", + "helpText": "sectorIdentifierUri.tooltip", + "type": "String", + "secret": false + }, + { + "name": "pairwiseSubAlgorithmSalt", + "label": "pairwiseSubAlgorithmSalt.label", + "helpText": "pairwiseSubAlgorithmSalt.tooltip", + "type": "String", + "secret": false + } + ] + }, + { + "id": "oidc-full-name-mapper", + "name": "User's full name", + "category": "Token mapper", + "helpText": "Maps the user's first and last name to the OpenID Connect 'name' claim. Format is + ' ' + ", + "priority": 0, + "properties": [ + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "oidc-allowed-origins-mapper", + "name": "Allowed Web Origins", + "category": "Token mapper", + "helpText": "Adds all allowed web origins to the 'allowed-origins' claim in the token", + "priority": 0, + "properties": [] + }, + { + "id": "oidc-audience-mapper", + "name": "Audience", + "category": "Token mapper", + "helpText": "Add specified audience to the audience (aud) field of token", + "priority": 0, + "properties": [ + { + "name": "included.client.audience", + "label": "included.client.audience.label", + "helpText": "included.client.audience.tooltip", + "type": "ClientList", + "secret": false + }, + { + "name": "included.custom.audience", + "label": "included.custom.audience.label", + 
"helpText": "included.custom.audience.tooltip", + "type": "String", + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "oidc-usermodel-attribute-mapper", + "name": "User Attribute", + "category": "Token mapper", + "helpText": "Map a custom user attribute to a token claim.", + "priority": 0, + "properties": [ + { + "name": "user.attribute", + "label": "usermodel.attr.label", + "helpText": "usermodel.attr.tooltip", + "type": "String", + "secret": false + }, + { + "name": "claim.name", + "label": "tokenClaimName.label", + "helpText": "tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "jsonType.label", + "label": "jsonType.label", + "helpText": "jsonType.tooltip", + "type": "List", + "options": ["String", "long", "int", "boolean", "JSON"], + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "multivalued", + "label": "multivalued.label", + "helpText": "multivalued.tooltip", + "type": "boolean", + "secret": false + }, + { + "name": "aggregate.attrs", + "label": "aggregate.attrs.label", + "helpText": "aggregate.attrs.tooltip", + "type": 
"boolean", + "secret": false + } + ] + }, + { + "id": "oidc-group-membership-mapper", + "name": "Group Membership", + "category": "Token mapper", + "helpText": "Map user group membership", + "priority": 0, + "properties": [ + { + "name": "claim.name", + "label": "tokenClaimName.label", + "helpText": "tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "full.path", + "label": "Full group path", + "helpText": "Include full path to group i.e. /top/level1/level2, false will just specify the group name", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ] + }, + { + "id": "oidc-audience-resolve-mapper", + "name": "Audience Resolve", + "category": "Token mapper", + "helpText": "Adds all client_ids of \"allowed\" clients to the audience field of the token. 
Allowed client means the client\n for which user has at least one client role", + "priority": 30, + "properties": [] + } + ] + }, + "builtinProtocolMappers": { + "saml": [ + { + "name": "X500 email", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": false, + "config": { + "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", + "user.attribute": "email", + "friendly.name": "email", + "attribute.name": "urn:oid:1.2.840.113549.1.9.1" + } + }, + { + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + }, + { + "name": "X500 givenName", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": false, + "config": { + "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", + "user.attribute": "firstName", + "friendly.name": "givenName", + "attribute.name": "urn:oid:2.5.4.42" + } + }, + { + "name": "X500 surname", + "protocol": "saml", + "protocolMapper": "saml-user-property-mapper", + "consentRequired": false, + "config": { + "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", + "user.attribute": "lastName", + "friendly.name": "surname", + "attribute.name": "urn:oid:2.5.4.4" + } + } + ], + "openid-connect": [ + { + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + 
"id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "name": "Impersonator Username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "IMPERSONATOR_USERNAME", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "impersonator.username", + "jsonType.label": "String" + } + }, + { + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "name": "gss delegation credential", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "gss_delegation_credential", + "access.token.claim": "true", + "claim.name": "gss_delegation_credential", + "jsonType.label": "String" + } + }, + { + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + }, + { + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String" + } + }, + { + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + 
"userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String" + } + }, + { + "name": "Impersonator User ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "IMPERSONATOR_ID", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "impersonator.id", + "jsonType.label": "String" + } + }, + { + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + }, + { + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": 
"given_name", + "jsonType.label": "String" + } + }, + { + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + 
"userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + }, + { + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String" + } + }, + { + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + } + ] + }, + "clientInstallations": { + "saml": [ + { + "id": "keycloak-saml", + "protocol": "saml", + "downloadOnly": false, + "displayType": "Keycloak SAML Adapter keycloak-saml.xml", + "helpText": "Keycloak SAML adapter configuration file you must edit. Put this in WEB-INF directory of your WAR.", + "filename": "keycloak-saml.xml", + "mediaType": "application/xml" + }, + { + "id": "keycloak-saml-subsystem-cli", + "protocol": "saml", + "downloadOnly": false, + "displayType": "Keycloak SAML JBoss Subsystem CLI", + "helpText": "CLI script you must edit and apply to your client app server. This type of configuration is useful when you can't or don't want to crack open your WAR file.", + "filename": "keycloak-saml-subsystem.cli", + "mediaType": "text/plain" + }, + { + "id": "saml-sp-descriptor", + "protocol": "saml", + "downloadOnly": false, + "displayType": "SAML Metadata SPSSODescriptor", + "helpText": "SAML SP Metadata EntityDescriptor or rather SPSSODescriptor. 
This is an XML file.", + "filename": "saml-sp-metadata.xml", + "mediaType": "application/xml" + }, + { + "id": "keycloak-saml-subsystem", + "protocol": "saml", + "downloadOnly": false, + "displayType": "Keycloak SAML JBoss Subsystem XML", + "helpText": "Keycloak SAML adapter JBoss subsystem xml you must edit. Put this into element of your standalone.xml file.", + "filename": "keycloak-saml-subsystem.xml", + "mediaType": "application/xml" + }, + { + "id": "mod-auth-mellon", + "protocol": "saml", + "downloadOnly": true, + "displayType": "Mod Auth Mellon files", + "helpText": "This is a zip file. It contains a SAML SP descriptor, SAML IDP descriptor, private key pem, and certificate pem that you will use to configure mod_auth_mellon for Apache. You'll use these files when crafting the main Apache configuration file. See mod_auth_mellon website for more details.", + "filename": "keycloak-mod-auth-mellon-sp-config.zip", + "mediaType": "application/zip" + } + ], + "docker-v2": [ + { + "id": "docker-v2-variable-override", + "protocol": "docker-v2", + "downloadOnly": false, + "displayType": "Variable Override", + "helpText": "Configures environment variable overrides, typically used with a docker-compose.yaml configuration for a docker registry", + "filename": "docker-env.txt", + "mediaType": "text/plain" + }, + { + "id": "docker-v2-registry-config-file", + "protocol": "docker-v2", + "downloadOnly": false, + "displayType": "Registry Config File", + "helpText": "Provides a registry configuration file snippet for use with this client", + "filename": "config.yml", + "mediaType": "text/plain" + }, + { + "id": "docker-v2-compose-yaml", + "protocol": "docker-v2", + "downloadOnly": true, + "displayType": "Docker Compose YAML", + "helpText": "Produces a zip file that can be used to stand up a development registry on localhost", + "filename": "keycloak-docker-compose-yaml.zip", + "mediaType": "application/zip" + } + ], + "openid-connect": [ + { + "id": 
"keycloak-oidc-jboss-subsystem-cli", + "protocol": "openid-connect", + "downloadOnly": false, + "displayType": "Keycloak OIDC JBoss Subsystem CLI", + "helpText": "CLI script you must edit and apply to your client app server. This type of configuration is useful when you can't or don't want to crack open your WAR file.", + "filename": "keycloak-oidc-subsystem.cli", + "mediaType": "text/plain" + }, + { + "id": "keycloak-oidc-jboss-subsystem", + "protocol": "openid-connect", + "downloadOnly": false, + "displayType": "Keycloak OIDC JBoss Subsystem XML", + "helpText": "XML snippet you must edit and add to the Keycloak OIDC subsystem on your client app server. This type of configuration is useful when you can't or don't want to crack open your WAR file.", + "filename": "keycloak-oidc-subsystem.xml", + "mediaType": "application/xml" + }, + { + "id": "keycloak-oidc-keycloak-json", + "protocol": "openid-connect", + "downloadOnly": false, + "displayType": "Keycloak OIDC JSON", + "helpText": "keycloak.json file used by the Keycloak OIDC client adapter to configure clients. This must be saved to a keycloak.json file and put in your WEB-INF directory of your WAR file. You may also want to tweak this file after you download it.", + "filename": "keycloak.json", + "mediaType": "application/json" + } + ] + }, + "componentTypes": { + "org.keycloak.authentication.FormAction": [ + { + "id": "registration-password-action", + "helpText": "Validates that password matches password confirmation field. It also will store password in user's credential store.", + "properties": [], + "metadata": {} + }, + { + "id": "registration-profile-action", + "helpText": "Validates email, first name, and last name attributes and stores them in user data.", + "properties": [], + "metadata": {} + }, + { + "id": "registration-recaptcha-action", + "helpText": "Adds Google Recaptcha button. Recaptchas verify that the entity that is registering is a human. 
This can only be used on the internet and must be configured after you add it.", + "properties": [ + { + "name": "site.key", + "label": "Recaptcha Site Key", + "helpText": "Google Recaptcha Site Key", + "type": "String", + "secret": false + }, + { + "name": "secret", + "label": "Recaptcha Secret", + "helpText": "Google Recaptcha Secret", + "type": "String", + "secret": false + }, + { + "name": "useRecaptchaNet", + "label": "use recaptcha.net", + "helpText": "Use recaptcha.net? (or else google.com)", + "type": "boolean", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "registration-user-creation", + "helpText": "This action must always be first! Validates the username of the user in validation phase. In success phase, this will create the user in the database.", + "properties": [], + "metadata": {} + } + ], + "org.keycloak.authentication.Authenticator": [ + { + "id": "allow-access-authenticator", + "helpText": "Authenticator will always successfully authenticate. Useful for example in the conditional flows to be used after satisfying the previous conditions", + "properties": [], + "metadata": {} + }, + { + "id": "auth-conditional-otp-form", + "helpText": "Validates a OTP on a separate OTP form. Only shown if required based on the configured conditions.", + "properties": [ + { + "name": "otpControlAttribute", + "label": "OTP control User Attribute", + "helpText": "The name of the user attribute to explicitly control OTP auth. If attribute value is 'force' then OTP is always required. If value is 'skip' the OTP auth is skipped. 
Otherwise this check is ignored.", + "type": "String", + "secret": false + }, + { + "name": "skipOtpRole", + "label": "Skip OTP for Role", + "helpText": "OTP is always skipped if user has the given Role.", + "type": "Role", + "secret": false + }, + { + "name": "forceOtpRole", + "label": "Force OTP for Role", + "helpText": "OTP is always required if user has the given Role.", + "type": "Role", + "secret": false + }, + { + "name": "noOtpRequiredForHeaderPattern", + "label": "Skip OTP for Header", + "helpText": "OTP is skipped if a HTTP request header does matches the given pattern.Can be used to specify trusted networks via: X-Forwarded-Host: (1.2.3.4|1.2.3.5).In this case requests from 1.2.3.4 and 1.2.3.5 come from a trusted source.", + "type": "String", + "defaultValue": "", + "secret": false + }, + { + "name": "forceOtpForHeaderPattern", + "label": "Force OTP for Header", + "helpText": "OTP required if a HTTP request header matches the given pattern.", + "type": "String", + "defaultValue": "", + "secret": false + }, + { + "name": "defaultOtpOutcome", + "label": "Fallback OTP handling", + "helpText": "What to do in case of every check abstains. Defaults to force OTP authentication.", + "type": "List", + "options": ["skip", "force"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "auth-cookie", + "helpText": "Validates the SSO cookie set by the auth server.", + "properties": [], + "metadata": {} + }, + { + "id": "auth-otp-form", + "helpText": "Validates a OTP on a separate OTP form.", + "properties": [], + "metadata": {} + }, + { + "id": "auth-password-form", + "helpText": "Validates a password from login form.", + "properties": [], + "metadata": {} + }, + { + "id": "auth-spnego", + "helpText": "Initiates the SPNEGO protocol. 
Most often used with Kerberos.", + "properties": [], + "metadata": {} + }, + { + "id": "auth-username-form", + "helpText": "Selects a user from his username.", + "properties": [], + "metadata": {} + }, + { + "id": "auth-username-password-form", + "helpText": "Validates a username and password from login form.", + "properties": [], + "metadata": {} + }, + { + "id": "auth-x509-client-username-form", + "helpText": "Validates username and password from X509 client certificate received as a part of mutual SSL handshake.", + "properties": [ + { + "name": "x509-cert-auth.mapping-source-selection", + "label": "User Identity Source", + "helpText": "Choose how to extract user identity from X509 certificate or the certificate fields. For example, SubjectDN will match the custom regular expression specified below to the value of certificate's SubjectDN field.", + "type": "List", + "defaultValue": "Match SubjectDN using regular expression", + "options": [ + "Match SubjectDN using regular expression", + "Subject's e-mail", + "Subject's Alternative Name E-mail", + "Subject's Alternative Name otherName (UPN)", + "Subject's Common Name", + "Match IssuerDN using regular expression", + "Certificate Serial Number", + "Certificate Serial Number and IssuerDN", + "SHA-256 Thumbprint", + "Full Certificate in PEM format" + ], + "secret": false + }, + { + "name": "x509-cert-auth.canonical-dn-enabled", + "label": "Canonical DN representation enabled", + "helpText": "Use the canonical format to determine the distinguished name. This option is relevant for authenticators using a distinguished name.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.serialnumber-hex-enabled", + "label": "Enable Serial Number hexadecimal representation", + "helpText": "Use the hex representation of the serial number. 
This option is relevant for authenticators using serial number.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.regular-expression", + "label": "A regular expression to extract user identity", + "helpText": "The regular expression to extract a user identity. The expression must contain a single group. For example, 'uniqueId=(.*?)(?:,|$)' will match 'uniqueId=somebody@company.org, CN=somebody' and give somebody@company.org", + "type": "String", + "defaultValue": "(.*?)(?:$)", + "secret": false + }, + { + "name": "x509-cert-auth.mapper-selection", + "label": "User mapping method", + "helpText": "Choose how to map extracted user identities to users", + "type": "List", + "defaultValue": "Custom Attribute Mapper", + "options": ["Custom Attribute Mapper", "Username or Email"], + "secret": false + }, + { + "name": "x509-cert-auth.mapper-selection.user-attribute-name", + "label": "A name of user attribute", + "helpText": "A name of user attribute to map the extracted user identity to existing user. The name must be a valid, existing user attribute if User Mapping Method is set to Custom Attribute Mapper. Multiple values are relevant when attribute mapping is related to multiple values, e.g. 
'Certificate Serial Number and IssuerDN'", + "type": "MultivaluedString", + "defaultValue": "usercertificate", + "secret": false + }, + { + "name": "x509-cert-auth.timestamp-validation-enabled", + "label": "Check certificate validity", + "helpText": "Will verify that the certificate has not expired yet and is already valid by checking the attributes 'notBefore' and 'notAfter'.", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "x509-cert-auth.crl-checking-enabled", + "label": "CRL Checking Enabled", + "helpText": "Enable Certificate Revocation Checking using CRL", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.crldp-checking-enabled", + "label": "Enable CRL Distribution Point to check certificate revocation status", + "helpText": "CRL Distribution Point is a starting point for CRL. If this is ON, then CRL checking will be done based on the CRL distribution points included in the checked certificates. CDP is optional, but most PKI authorities include CDP in their certificates.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.crl-relative-path", + "label": "CRL Path", + "helpText": "Applied just if CRL checking is ON and CRL Distribution point is OFF. It contains the URL (typically 'http' or 'ldap') where the CRL is available. Alternatively it can contain the path to a CRL file that contains a list of revoked certificates. Paths are assumed to be relative to $jboss.server.config.dir. 
Multiple CRLs can be included, however it can affect performance as the certificate will be checked against all listed CRLs.", + "type": "MultivaluedString", + "defaultValue": "crl.pem", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-checking-enabled", + "label": "OCSP Checking Enabled", + "helpText": "Enable Certificate Revocation Checking using OCSP", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-fail-open", + "label": "OCSP Fail-Open Behavior", + "helpText": "Whether to allow or deny authentication for client certificates that have missing/invalid/inconclusive OCSP endpoints. By default a successful OCSP response is required.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-responder-uri", + "label": "OCSP Responder Uri", + "helpText": "Clients use OCSP Responder Uri to check certificate revocation status.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-responder-certificate", + "label": "OCSP Responder Certificate", + "helpText": "Optional certificate used by the responder to sign the responses. The certificate should be in PEM format without BEGIN and END tags. It is only used if the OCSP Responder URI is set. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated or one with the OCSPSigning extension and also issued by the same CA. This option identifies the certificate of the OCSP responder when the defaults do not apply.", + "type": "Text", + "secret": false + }, + { + "name": "x509-cert-auth.keyusage", + "label": "Validate Key Usage", + "helpText": "Validates that the purpose of the key contained in the certificate (encipherment, signature, etc.) matches its intended purpose. Leaving the field blank will disable Key Usage validation. 
For example, 'digitalSignature, keyEncipherment' will check if the digitalSignature and keyEncipherment bits (bit 0 and bit 2 respectively) are set in certificate's X509 Key Usage extension. See RFC 5280 for a detailed definition of X509 Key Usage extension.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.extendedkeyusage", + "label": "Validate Extended Key Usage", + "helpText": "Validates the extended purposes of the certificate's key using certificate's Extended Key Usage extension. Leaving the field blank will disable Extended Key Usage validation. See RFC 5280 for a detailed definition of X509 Extended Key Usage extension.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.confirmation-page-disallowed", + "label": "Bypass identity confirmation", + "helpText": "By default, the users are prompted to confirm their identity extracted from X509 client certificate. The identity confirmation prompt is skipped if the option is switched on.", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.revalidate-certificate-enabled", + "label": "Revalidate Client Certificate", + "helpText": "Forces revalidation of the client certificate according to the certificates defined in the truststore. This is useful when behind a non-validating proxy or when the number of allowed certificate chains would be too large for mutual SSL negotiation.", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.certificate-policy", + "label": "Validate Certificate Policy", + "helpText": "Validates the certificate policies of the certificate's key using certificate's Policy extension. Leaving the field blank will disable Certificate Policies validation. Multiple policies should be separated using a comma. 
See RFC 5280 for a detailed definition of X509 Certificate Policy extension.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.certificate-policy-mode", + "label": "Certificate Policy Validation Mode", + "helpText": "If Certificate Policy validation is specified, indicates whether it should match all or at least one of the specified policies.", + "type": "List", + "defaultValue": "All", + "options": ["All", "Any"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "basic-auth", + "helpText": "Challenge-response authentication using HTTP BASIC scheme.", + "properties": [], + "metadata": {} + }, + { + "id": "basic-auth-otp", + "helpText": "Challenge-response authentication using HTTP BASIC scheme. Password param should contain a combination of password + otp. Realm's OTP policy is used to determine how to parse this. This SHOULD NOT BE USED in conjection with regular basic auth provider.", + "properties": [], + "metadata": {} + }, + { + "id": "conditional-level-of-authentication", + "helpText": "Flow is executed only if the configured LOA or a higher one has been requested but not yet satisfied. 
After the flow is successfully finished, the LOA in the session will be updated to value prescribed by this condition.", + "properties": [ + { + "name": "loa-condition-level", + "label": "loa-condition-level", + "helpText": "loa-condition-level.tooltip", + "type": "String", + "secret": false + }, + { + "name": "loa-store-in-user-session", + "label": "loa-store-in-user-session", + "helpText": "loa-store-in-user-session.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "conditional-user-configured", + "helpText": "Executes the current flow only if authenticators are configured", + "properties": [], + "metadata": {} + }, + { + "id": "conditional-user-role", + "helpText": "Flow is executed only if user has the given role.", + "properties": [ + { + "name": "condUserRole", + "label": "User role", + "helpText": "Role the user should have to execute this flow. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + }, + { + "name": "negate", + "label": "Negate output", + "helpText": "Apply a NOT to the check result. When this is true, then the condition will evaluate to true just if user does NOT have the specified role. When this is false, the condition will evaluate to true just if user has the specified role", + "type": "boolean", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "console-username-password", + "helpText": "Proprietary challenge protocol for CLI clients that queries for username password", + "properties": [], + "metadata": {} + }, + { + "id": "deny-access-authenticator", + "helpText": "Access will be always denied. 
Useful for example in the conditional flows to be used after satisfying the previous conditions", + "properties": [ + { + "name": "denyErrorMessage", + "label": "Error message", + "helpText": "Error message which will be shown to the user. You can directly define particular message or property, which will be used for mapping the error message f.e `deny-access-role1`. If the field is blank, default property 'access-denied' is used.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "direct-grant-auth-x509-username", + "helpText": "Validates username and password from X509 client certificate received as a part of mutual SSL handshake.", + "properties": [ + { + "name": "x509-cert-auth.mapping-source-selection", + "label": "User Identity Source", + "helpText": "Choose how to extract user identity from X509 certificate or the certificate fields. For example, SubjectDN will match the custom regular expression specified below to the value of certificate's SubjectDN field.", + "type": "List", + "defaultValue": "Match SubjectDN using regular expression", + "options": [ + "Match SubjectDN using regular expression", + "Subject's e-mail", + "Subject's Alternative Name E-mail", + "Subject's Alternative Name otherName (UPN)", + "Subject's Common Name", + "Match IssuerDN using regular expression", + "Certificate Serial Number", + "Certificate Serial Number and IssuerDN", + "SHA-256 Thumbprint", + "Full Certificate in PEM format" + ], + "secret": false + }, + { + "name": "x509-cert-auth.canonical-dn-enabled", + "label": "Canonical DN representation enabled", + "helpText": "Use the canonical format to determine the distinguished name. 
This option is relevant for authenticators using a distinguished name.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.serialnumber-hex-enabled", + "label": "Enable Serial Number hexadecimal representation", + "helpText": "Use the hex representation of the serial number. This option is relevant for authenticators using serial number.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.regular-expression", + "label": "A regular expression to extract user identity", + "helpText": "The regular expression to extract a user identity. The expression must contain a single group. For example, 'uniqueId=(.*?)(?:,|$)' will match 'uniqueId=somebody@company.org, CN=somebody' and give somebody@company.org", + "type": "String", + "defaultValue": "(.*?)(?:$)", + "secret": false + }, + { + "name": "x509-cert-auth.mapper-selection", + "label": "User mapping method", + "helpText": "Choose how to map extracted user identities to users", + "type": "List", + "defaultValue": "Custom Attribute Mapper", + "options": ["Custom Attribute Mapper", "Username or Email"], + "secret": false + }, + { + "name": "x509-cert-auth.mapper-selection.user-attribute-name", + "label": "A name of user attribute", + "helpText": "A name of user attribute to map the extracted user identity to existing user. The name must be a valid, existing user attribute if User Mapping Method is set to Custom Attribute Mapper. Multiple values are relevant when attribute mapping is related to multiple values, e.g. 
'Certificate Serial Number and IssuerDN'", + "type": "MultivaluedString", + "defaultValue": "usercertificate", + "secret": false + }, + { + "name": "x509-cert-auth.timestamp-validation-enabled", + "label": "Check certificate validity", + "helpText": "Will verify that the certificate has not expired yet and is already valid by checking the attributes 'notBefore' and 'notAfter'.", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "x509-cert-auth.crl-checking-enabled", + "label": "CRL Checking Enabled", + "helpText": "Enable Certificate Revocation Checking using CRL", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.crldp-checking-enabled", + "label": "Enable CRL Distribution Point to check certificate revocation status", + "helpText": "CRL Distribution Point is a starting point for CRL. If this is ON, then CRL checking will be done based on the CRL distribution points included in the checked certificates. CDP is optional, but most PKI authorities include CDP in their certificates.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.crl-relative-path", + "label": "CRL Path", + "helpText": "Applied just if CRL checking is ON and CRL Distribution point is OFF. It contains the URL (typically 'http' or 'ldap') where the CRL is available. Alternatively it can contain the path to a CRL file that contains a list of revoked certificates. Paths are assumed to be relative to $jboss.server.config.dir. 
Multiple CRLs can be included, however it can affect performance as the certificate will be checked against all listed CRLs.", + "type": "MultivaluedString", + "defaultValue": "crl.pem", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-checking-enabled", + "label": "OCSP Checking Enabled", + "helpText": "Enable Certificate Revocation Checking using OCSP", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-fail-open", + "label": "OCSP Fail-Open Behavior", + "helpText": "Whether to allow or deny authentication for client certificates that have missing/invalid/inconclusive OCSP endpoints. By default a successful OCSP response is required.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-responder-uri", + "label": "OCSP Responder Uri", + "helpText": "Clients use OCSP Responder Uri to check certificate revocation status.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.ocsp-responder-certificate", + "label": "OCSP Responder Certificate", + "helpText": "Optional certificate used by the responder to sign the responses. The certificate should be in PEM format without BEGIN and END tags. It is only used if the OCSP Responder URI is set. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated or one with the OCSPSigning extension and also issued by the same CA. This option identifies the certificate of the OCSP responder when the defaults do not apply.", + "type": "Text", + "secret": false + }, + { + "name": "x509-cert-auth.keyusage", + "label": "Validate Key Usage", + "helpText": "Validates that the purpose of the key contained in the certificate (encipherment, signature, etc.) matches its intended purpose. Leaving the field blank will disable Key Usage validation. 
For example, 'digitalSignature, keyEncipherment' will check if the digitalSignature and keyEncipherment bits (bit 0 and bit 2 respectively) are set in certificate's X509 Key Usage extension. See RFC 5280 for a detailed definition of X509 Key Usage extension.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.extendedkeyusage", + "label": "Validate Extended Key Usage", + "helpText": "Validates the extended purposes of the certificate's key using certificate's Extended Key Usage extension. Leaving the field blank will disable Extended Key Usage validation. See RFC 5280 for a detailed definition of X509 Extended Key Usage extension.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.confirmation-page-disallowed", + "label": "Bypass identity confirmation", + "helpText": "By default, the users are prompted to confirm their identity extracted from X509 client certificate. The identity confirmation prompt is skipped if the option is switched on.", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.revalidate-certificate-enabled", + "label": "Revalidate Client Certificate", + "helpText": "Forces revalidation of the client certificate according to the certificates defined in the truststore. This is useful when behind a non-validating proxy or when the number of allowed certificate chains would be too large for mutual SSL negotiation.", + "type": "boolean", + "secret": false + }, + { + "name": "x509-cert-auth.certificate-policy", + "label": "Validate Certificate Policy", + "helpText": "Validates the certificate policies of the certificate's key using certificate's Policy extension. Leaving the field blank will disable Certificate Policies validation. Multiple policies should be separated using a comma. 
See RFC 5280 for a detailed definition of X509 Certificate Policy extension.", + "type": "String", + "secret": false + }, + { + "name": "x509-cert-auth.certificate-policy-mode", + "label": "Certificate Policy Validation Mode", + "helpText": "If Certificate Policy validation is specified, indicates whether it should match all or at least one of the specified policies.", + "type": "List", + "defaultValue": "All", + "options": ["All", "Any"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "direct-grant-validate-otp", + "helpText": "Validates the one time password supplied as a 'totp' form parameter in direct grant request", + "properties": [], + "metadata": {} + }, + { + "id": "direct-grant-validate-password", + "helpText": "Validates the password supplied as a 'password' form parameter in direct grant request", + "properties": [], + "metadata": {} + }, + { + "id": "direct-grant-validate-username", + "helpText": "Validates the username supplied as a 'username' form parameter in direct grant request", + "properties": [], + "metadata": {} + }, + { + "id": "docker-http-basic-authenticator", + "helpText": "Uses HTTP Basic authentication to validate docker users, returning a docker error token on auth failure", + "properties": [], + "metadata": {} + }, + { + "id": "http-basic-authenticator", + "helpText": "Validates username and password from Authorization HTTP header", + "properties": [], + "metadata": {} + }, + { + "id": "identity-provider-redirector", + "helpText": "Redirects to default Identity Provider or Identity Provider specified with kc_idp_hint query parameter", + "properties": [ + { + "name": "defaultProvider", + "label": "Default Identity Provider", + "helpText": "To automatically redirect to an identity provider set to the alias of the identity provider", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "idp-auto-link", + "helpText": "Automatically set existing user to authentication context without any 
verification", + "properties": [], + "metadata": {} + }, + { + "id": "idp-confirm-link", + "helpText": "Show the form where user confirms if he wants to link identity provider with existing account or rather edit user profile data retrieved from identity provider to avoid conflict", + "properties": [], + "metadata": {} + }, + { + "id": "idp-create-user-if-unique", + "helpText": "Detect if there is existing Keycloak account with same email like identity provider. If no, create new user", + "properties": [ + { + "name": "require.password.update.after.registration", + "label": "Require Password Update After Registration", + "helpText": "If this option is true and new user is successfully imported from Identity Provider to Keycloak (there is no duplicated email or username detected in Keycloak DB), then this user is required to update his password", + "type": "boolean", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "idp-detect-existing-broker-user", + "helpText": "Detect if there is an existing Keycloak account with same email like identity provider. If no, throw an error.", + "properties": [], + "metadata": {} + }, + { + "id": "idp-email-verification", + "helpText": "Email verification of existing Keycloak user, that wants to link his user account with identity provider", + "properties": [], + "metadata": {} + }, + { + "id": "idp-review-profile", + "helpText": "User reviews and updates profile data retrieved from Identity Provider in the displayed form", + "properties": [ + { + "name": "update.profile.on.first.login", + "label": "{{:: 'update-profile-on-first-login' | translate}}", + "helpText": "Define conditions under which a user has to review and update his profile after first-time login. Value 'On' means that page for reviewing profile will be displayed and user can review and update his profile. Value 'off' means that page won't be displayed. 
Value 'missing' means that page is displayed just when some required attribute is missing (wasn't downloaded from identity provider). Value 'missing' is the default one. WARN: In case that user clicks 'Review profile info' on link duplications page, the update page will be always displayed. You would need to disable this authenticator to never display the page.", + "type": "List", + "defaultValue": "missing", + "options": ["on", "missing", "off"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "idp-username-password-form", + "helpText": "Validates a password from login form. Username may be already known from identity provider authentication", + "properties": [], + "metadata": {} + }, + { + "id": "no-cookie-redirect", + "helpText": "Perform a 302 redirect to get user agent's current URI on authenticate path with an auth_session_id query parameter. This is for client's that do not support cookies.", + "properties": [], + "metadata": {} + }, + { + "id": "reset-credential-email", + "helpText": "Send email to user and wait for response.", + "properties": [], + "metadata": {} + }, + { + "id": "reset-credentials-choose-user", + "helpText": "Choose a user to reset credentials for", + "properties": [], + "metadata": {} + }, + { + "id": "reset-otp", + "helpText": "Sets the Configure OTP required action.", + "properties": [], + "metadata": {} + }, + { + "id": "reset-password", + "helpText": "Sets the Update Password required action if execution is REQUIRED. 
Will also set it if execution is OPTIONAL and the password is currently configured for it.", + "properties": [], + "metadata": {} + }, + { + "id": "user-session-limits", + "helpText": "Configures how many concurrent sessions a single user is allowed to create for this realm and/or client", + "properties": [ + { + "name": "userRealmLimit", + "label": "Maximum concurrent sessions for each user within this realm.", + "helpText": "Provide a zero or negative value to disable this limit.", + "type": "String", + "defaultValue": "3", + "secret": false + }, + { + "name": "userClientLimit", + "label": "Maximum concurrent sessions for each user per keycloak client.", + "helpText": "Provide a zero or negative value to disable this limit. In case a limit for the realm is enabled, specify this value below the total realm limit.", + "type": "String", + "defaultValue": "0", + "secret": false + }, + { + "name": "behavior", + "label": "Behavior when user session limit is exceeded", + "type": "List", + "defaultValue": "Deny new session", + "options": ["Deny new session", "Terminate oldest session"], + "secret": false + }, + { + "name": "errorMessage", + "label": "Optional custom error message", + "helpText": "If left empty a default error message is shown", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "webauthn-authenticator", + "helpText": "Authenticator for WebAuthn. 
Usually used for WebAuthn two-factor authentication", + "properties": [], + "metadata": {} + }, + { + "id": "webauthn-authenticator-passwordless", + "helpText": "Authenticator for Passwordless WebAuthn authentication", + "properties": [], + "metadata": {} + } + ], + "org.keycloak.storage.UserStorageProvider": [ + { + "id": "kerberos", + "helpText": "", + "properties": [ + { + "name": "kerberosRealm", + "label": "kerberos-realm", + "helpText": "kerberos-realm.tooltip", + "type": "String", + "secret": false + }, + { + "name": "serverPrincipal", + "label": "server-principal", + "helpText": "server-principal.tooltip", + "type": "String", + "secret": false + }, + { + "name": "keyTab", + "label": "keytab", + "helpText": "keytab.tooltip", + "type": "String", + "secret": false + }, + { + "name": "debug", + "label": "debug", + "helpText": "debug.tooltip", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "allowPasswordAuthentication", + "label": "allow-password-authentication", + "helpText": "allow-password-authentication.tooltip", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "editMode", + "label": "edit-mode", + "helpText": "edit-mode.tooltip", + "type": "List", + "options": ["READ_ONLY", "UNSYNCED"], + "secret": false + }, + { + "name": "updateProfileFirstLogin", + "label": "update-profile-first-login", + "helpText": "update-profile-first-login.tooltip", + "type": "boolean", + "defaultValue": "false", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "ldap", + "helpText": "", + "properties": [ + { "name": "editMode", "type": "String", "secret": false }, + { + "name": "importEnabled", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "syncRegistrations", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { "name": "vendor", "type": "String", "secret": false }, + { + "name": "usePasswordModifyExtendedOp", + "type": "boolean", + 
"secret": false + }, + { + "name": "usernameLDAPAttribute", + "type": "String", + "secret": false + }, + { "name": "rdnLDAPAttribute", "type": "String", "secret": false }, + { "name": "uuidLDAPAttribute", "type": "String", "secret": false }, + { "name": "userObjectClasses", "type": "String", "secret": false }, + { "name": "connectionUrl", "type": "String", "secret": false }, + { "name": "usersDn", "type": "String", "secret": false }, + { + "name": "authType", + "type": "String", + "defaultValue": "simple", + "secret": false + }, + { "name": "startTls", "type": "boolean", "secret": false }, + { "name": "bindDn", "type": "String", "secret": false }, + { "name": "bindCredential", "type": "Password", "secret": true }, + { + "name": "customUserSearchFilter", + "type": "String", + "secret": false + }, + { + "name": "searchScope", + "type": "String", + "defaultValue": "1", + "secret": false + }, + { + "name": "validatePasswordPolicy", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "trustEmail", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "useTruststoreSpi", + "type": "String", + "defaultValue": "ldapsOnly", + "secret": false + }, + { + "name": "connectionPooling", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "connectionPoolingAuthentication", + "type": "String", + "secret": false + }, + { + "name": "connectionPoolingDebug", + "type": "String", + "secret": false + }, + { + "name": "connectionPoolingInitSize", + "type": "String", + "secret": false + }, + { + "name": "connectionPoolingMaxSize", + "type": "String", + "secret": false + }, + { + "name": "connectionPoolingPrefSize", + "type": "String", + "secret": false + }, + { + "name": "connectionPoolingProtocol", + "type": "String", + "secret": false + }, + { + "name": "connectionPoolingTimeout", + "type": "String", + "secret": false + }, + { "name": "connectionTimeout", "type": "String", "secret": false }, + 
{ "name": "readTimeout", "type": "String", "secret": false }, + { + "name": "pagination", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "allowKerberosAuthentication", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { "name": "serverPrincipal", "type": "String", "secret": false }, + { "name": "keyTab", "type": "String", "secret": false }, + { "name": "kerberosRealm", "type": "String", "secret": false }, + { + "name": "debug", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "useKerberosForPasswordAuthentication", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { "name": "serverPrincipal", "type": "String", "secret": false } + ], + "metadata": { "synchronizable": true } + } + ], + "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [ + { + "id": "certificate-ldap-mapper", + "helpText": "Used to map single attribute which contains a certificate from LDAP user to attribute of UserModel in Keycloak DB", + "properties": [ + { + "name": "user.model.attribute", + "label": "User Model Attribute", + "helpText": "Name of the UserModel property or attribute you want to map the LDAP attribute into. For example 'firstName', 'lastName, 'email', 'street' etc.", + "type": "String", + "secret": false + }, + { + "name": "ldap.attribute", + "label": "LDAP Attribute", + "helpText": "Name of mapped attribute on LDAP object. 
For example 'cn', 'sn, 'mail', 'street' etc.", + "type": "String", + "secret": false + }, + { + "name": "read.only", + "label": "Read Only", + "helpText": "Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when user is updated in Keycloak.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "always.read.value.from.ldap", + "label": "Always Read Value From LDAP", + "helpText": "If on, then during reading of the LDAP attribute value will always used instead of the value from Keycloak DB", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "is.mandatory.in.ldap", + "label": "Is Mandatory In LDAP", + "helpText": "If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB, the default or empty value will be set to be propagated to LDAP", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "attribute.default.value", + "label": "Attribute default value", + "helpText": "If there is no value in Keycloak DB and attribute is mandatory in LDAP, this value will be propagated to LDAP", + "type": "String", + "defaultValue": "", + "secret": false + }, + { + "name": "is.binary.attribute", + "label": "Is Binary Attribute", + "helpText": "Should be true for binary LDAP attributes", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "is.der.formatted", + "label": "DER Formatted", + "helpText": "Activate this if the certificate is DER formatted in LDAP and not PEM formatted.", + "type": "boolean", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "full-name-ldap-mapper", + "helpText": "Used to map full-name of user from single attribute in LDAP (usually 'cn' attribute) to firstName and lastName attributes of UserModel in Keycloak DB", + "properties": [ + { + "name": "ldap.full.name.attribute", + 
"label": "LDAP Full Name Attribute", + "helpText": "Name of LDAP attribute, which contains fullName of user. Usually it will be 'cn' ", + "type": "String", + "defaultValue": "cn", + "secret": false + }, + { + "name": "read.only", + "label": "Read Only", + "helpText": "For Read-only is data imported from LDAP to Keycloak DB, but it's not saved back to LDAP when user is updated in Keycloak.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "write.only", + "label": "Write Only", + "helpText": "For Write-only is data propagated to LDAP when user is created or updated in Keycloak. But this mapper is not used to propagate data from LDAP back into Keycloak. This setting is useful if you configured separate firstName and lastName attribute mappers and you want to use those to read attribute from LDAP into Keycloak", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "group-ldap-mapper", + "helpText": "Used to map group mappings of groups from some LDAP DN to Keycloak group mappings", + "properties": [ + { + "name": "groups.dn", + "label": "LDAP Groups DN", + "helpText": "LDAP DN where are groups of this tree saved. For example 'ou=groups,dc=example,dc=org' ", + "type": "String", + "secret": false + }, + { + "name": "group.name.ldap.attribute", + "label": "Group Name LDAP Attribute", + "helpText": "Name of LDAP attribute, which is used in group objects for name and RDN of group. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=Group1,ou=groups,dc=example,dc=org' ", + "type": "String", + "defaultValue": "cn", + "secret": false + }, + { + "name": "group.object.classes", + "label": "Group Object Classes", + "helpText": "Object class (or classes) of the group object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . 
In Active Directory it's usually 'group' ", + "type": "String", + "defaultValue": "groupOfNames", + "secret": false + }, + { + "name": "preserve.group.inheritance", + "label": "Preserve Group Inheritance", + "helpText": "Flag whether group inheritance from LDAP should be propagated to Keycloak. If false, then all LDAP groups will be mapped as flat top-level groups in Keycloak. Otherwise group inheritance is preserved into Keycloak, but the group sync might fail if LDAP structure contains recursions or multiple parent groups per child groups", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "ignore.missing.groups", + "label": "Ignore Missing Groups", + "helpText": "Ignore missing groups in the group hierarchy", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "membership.ldap.attribute", + "label": "Membership LDAP Attribute", + "helpText": "Name of LDAP attribute on group, which is used for membership mappings. Usually it will be 'member' .However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .", + "type": "String", + "defaultValue": "member", + "secret": false + }, + { + "name": "membership.attribute.type", + "label": "Membership Attribute Type", + "helpText": "DN means that LDAP group has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . UID means that LDAP group has it's members declared in form of pure user uids. For example 'memberUid: john' .", + "type": "List", + "defaultValue": "DN", + "options": ["DN", "UID"], + "secret": false + }, + { + "name": "membership.user.ldap.attribute", + "label": "Membership User LDAP Attribute", + "helpText": "Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . 
For example if value of 'Membership User LDAP Attribute' is 'uid' and LDAP group has 'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .", + "type": "String", + "defaultValue": "uid", + "secret": false + }, + { + "name": "groups.ldap.filter", + "label": "LDAP Filter", + "helpText": "LDAP Filter adds additional custom filter to the whole query for retrieve LDAP groups. Leave this empty if no additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'", + "type": "String", + "secret": false + }, + { + "name": "mode", + "label": "Mode", + "helpText": "LDAP_ONLY means that all group mappings of users are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where group mappings are retrieved from both LDAP and DB and merged together. New group joins are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where group mappings are retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB.", + "type": "List", + "defaultValue": "LDAP_ONLY", + "options": ["LDAP_ONLY", "IMPORT", "READ_ONLY"], + "secret": false + }, + { + "name": "user.roles.retrieve.strategy", + "label": "User Groups Retrieve Strategy", + "helpText": "Specify how to retrieve groups of user. LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all groups where 'member' is our user. GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . 
", + "type": "List", + "defaultValue": "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE", + "options": [ + "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE", + "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE" + ], + "secret": false + }, + { + "name": "memberof.ldap.attribute", + "label": "Member-Of LDAP Attribute", + "helpText": "Used just when 'User Roles Retrieve Strategy' is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE . It specifies the name of the LDAP attribute on the LDAP user, which contains the groups, which the user is member of. Usually it will be 'memberOf' and that's also the default value.", + "type": "String", + "defaultValue": "memberOf", + "secret": false + }, + { + "name": "mapped.group.attributes", + "label": "Mapped Group Attributes", + "helpText": "List of names of attributes divided by comma. This points to the list of attributes on LDAP group, which will be mapped as attributes of Group in Keycloak. Leave this empty if no additional group attributes are required to be mapped in Keycloak. ", + "type": "String", + "secret": false + }, + { + "name": "drop.non.existing.groups.during.sync", + "label": "Drop non-existing groups during sync", + "helpText": "If this flag is true, then during sync of groups from LDAP to Keycloak, we will keep just those Keycloak groups, which still exists in LDAP. Rest will be deleted", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "groups.path", + "label": "Groups Path", + "helpText": "Keycloak group path the LDAP groups are added to. For example if value '/Applications/App1' is used, then LDAP groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'. The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level. 
The configured group path must already exists in the Keycloak when creating this mapper.", + "type": "String", + "defaultValue": "/", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": true, + "keycloakToFedSyncSupported": true, + "fedToKeycloakSyncMessage": "sync-ldap-groups-to-keycloak", + "keycloakToFedSyncMessage": "sync-keycloak-groups-to-ldap" + } + }, + { + "id": "hardcoded-attribute-mapper", + "helpText": "This mapper will hardcode any model user attribute and some property (like emailVerified or enabled) when importing user from ldap.", + "properties": [ + { + "name": "user.model.attribute", + "label": "User Model Attribute Name", + "helpText": "Name of the model attribute, which will be added when importing user from ldap", + "type": "String", + "secret": false + }, + { + "name": "attribute.value", + "label": "Attribute Value", + "helpText": "Value of the model attribute, which will be added when importing user from ldap.", + "type": "String", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "hardcoded-ldap-attribute-mapper", + "helpText": "This mapper is supported just if syncRegistrations is enabled. When new user is registered in Keycloak, he will be written to the LDAP with the hardcoded value of some specified attribute.", + "properties": [ + { + "name": "ldap.attribute.name", + "label": "LDAP Attribute Name", + "helpText": "Name of the LDAP attribute, which will be added to the new user during registration", + "type": "String", + "secret": false + }, + { + "name": "ldap.attribute.value", + "label": "LDAP Attribute Value", + "helpText": "Value of the LDAP attribute, which will be added to the new user during registration. You can either hardcode any value like 'foo' but you can also use some special tokens. 
Only supported token right now is '${RANDOM}' , which will be replaced with some randomly generated String.", + "type": "String", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "hardcoded-ldap-group-mapper", + "helpText": "When user is imported from LDAP, he will be automatically added into this configured group.", + "properties": [ + { + "name": "group", + "label": "Group", + "helpText": "Group to add the user in. Fill the full path of the group including path. For example '/root-group/child-group'", + "type": "String", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "hardcoded-ldap-role-mapper", + "helpText": "When user is imported from LDAP, he will be automatically added into this configured role.", + "properties": [ + { + "name": "role", + "label": "Role", + "helpText": "Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "msad-lds-user-account-control-mapper", + "helpText": "Mapper specific to MSAD LDS. It's able to integrate the MSAD LDS user account state into Keycloak account state (account enabled, password is expired etc). It's using msDS-UserAccountDisabled and pwdLastSet MSAD attributes for that. For example if pwdLastSet is 0, the Keycloak user is required to update password, if msDS-UserAccountDisabled is 'TRUE' the Keycloak user is disabled as well etc. 
Mapper is also able to handle exception code from LDAP user authentication.", + "properties": [], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "msad-user-account-control-mapper", + "helpText": "Mapper specific to MSAD. It's able to integrate the MSAD user account state into Keycloak account state (account enabled, password is expired etc). It's using userAccountControl and pwdLastSet MSAD attributes for that. For example if pwdLastSet is 0, the Keycloak user is required to update password, if userAccountControl is 514 (disabled account) the Keycloak user is disabled as well etc. Mapper is also able to handle exception code from LDAP user authentication.", + "properties": [ + { + "name": "ldap.password.policy.hints.enabled", + "label": "Password Policy Hints Enabled", + "helpText": "Applicable just for writable MSAD. If on, then updating password of MSAD user will use LDAP_SERVER_POLICY_HINTS_OID extension, which means that advanced MSAD password policies like 'password history' or 'minimal password age' will be applied. This extension works just for MSAD 2008 R2 or newer.", + "type": "boolean", + "defaultValue": "false", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + }, + { + "id": "role-ldap-mapper", + "helpText": "Used to map role mappings of roles from some LDAP DN to Keycloak role mappings of either realm roles or client roles of particular client", + "properties": [ + { + "name": "roles.dn", + "label": "LDAP Roles DN", + "helpText": "LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org' ", + "type": "String", + "secret": false + }, + { + "name": "role.name.ldap.attribute", + "label": "Role Name LDAP Attribute", + "helpText": "Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn' . 
In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org' ", + "type": "String", + "defaultValue": "cn", + "secret": false + }, + { + "name": "role.object.classes", + "label": "Role Object Classes", + "helpText": "Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ", + "type": "String", + "defaultValue": "groupOfNames", + "secret": false + }, + { + "name": "membership.ldap.attribute", + "label": "Membership LDAP Attribute", + "helpText": "Name of LDAP attribute on role, which is used for membership mappings. Usually it will be 'member' .However when 'Membership Attribute Type' is 'UID' then 'Membership LDAP Attribute' could be typically 'memberUid' .", + "type": "String", + "defaultValue": "member", + "secret": false + }, + { + "name": "membership.attribute.type", + "label": "Membership Attribute Type", + "helpText": "DN means that LDAP role has it's members declared in form of their full DN. For example 'member: uid=john,ou=users,dc=example,dc=com' . UID means that LDAP role has it's members declared in form of pure user uids. For example 'memberUid: john' .", + "type": "List", + "defaultValue": "DN", + "options": ["DN", "UID"], + "secret": false + }, + { + "name": "membership.user.ldap.attribute", + "label": "Membership User LDAP Attribute", + "helpText": "Used just if Membership Attribute Type is UID. It is name of LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid' . 
For example if value of 'Membership User LDAP Attribute' is 'uid' and LDAP group has 'memberUid: john', then it is expected that particular LDAP user will have attribute 'uid: john' .", + "type": "String", + "defaultValue": "uid", + "secret": false + }, + { + "name": "roles.ldap.filter", + "label": "LDAP Filter", + "helpText": "LDAP Filter adds additional custom filter to the whole query for retrieve LDAP roles. Leave this empty if no additional filtering is needed and you want to retrieve all roles from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'", + "type": "String", + "secret": false + }, + { + "name": "mode", + "label": "Mode", + "helpText": "LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where role mappings are retrieved from both LDAP and DB and merged together. New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB.", + "type": "List", + "defaultValue": "LDAP_ONLY", + "options": ["LDAP_ONLY", "IMPORT", "READ_ONLY"], + "secret": false + }, + { + "name": "user.roles.retrieve.strategy", + "label": "User Roles Retrieve Strategy", + "helpText": "Specify how to retrieve roles of user. LOAD_ROLES_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all roles where 'member' is our user. GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE means that roles of user will be retrieved from 'memberOf' attribute of our user. Or from the other attribute specified by 'Member-Of LDAP Attribute' . 
", + "type": "List", + "defaultValue": "LOAD_ROLES_BY_MEMBER_ATTRIBUTE", + "options": [ + "LOAD_ROLES_BY_MEMBER_ATTRIBUTE", + "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE" + ], + "secret": false + }, + { + "name": "memberof.ldap.attribute", + "label": "Member-Of LDAP Attribute", + "helpText": "Used just when 'User Roles Retrieve Strategy' is GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE . It specifies the name of the LDAP attribute on the LDAP user, which contains the roles (LDAP Groups), which the user is member of. Usually it will be 'memberOf' and that's also the default value.", + "type": "String", + "defaultValue": "memberOf", + "secret": false + }, + { + "name": "use.realm.roles.mapping", + "label": "Use Realm Roles Mapping", + "helpText": "If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "client.id", + "label": "Client ID", + "helpText": "Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false", + "type": "ClientList", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": true, + "keycloakToFedSyncSupported": true, + "fedToKeycloakSyncMessage": "sync-ldap-roles-to-keycloak", + "keycloakToFedSyncMessage": "sync-keycloak-roles-to-ldap" + } + }, + { + "id": "user-attribute-ldap-mapper", + "helpText": "Used to map single attribute from LDAP user to attribute of UserModel in Keycloak DB", + "properties": [ + { + "name": "user.model.attribute", + "label": "User Model Attribute", + "helpText": "Name of the UserModel property or attribute you want to map the LDAP attribute into. For example 'firstName', 'lastName, 'email', 'street' etc.", + "type": "String", + "secret": false + }, + { + "name": "ldap.attribute", + "label": "LDAP Attribute", + "helpText": "Name of mapped attribute on LDAP object. 
For example 'cn', 'sn, 'mail', 'street' etc.", + "type": "String", + "secret": false + }, + { + "name": "read.only", + "label": "Read Only", + "helpText": "Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when user is updated in Keycloak.", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "always.read.value.from.ldap", + "label": "Always Read Value From LDAP", + "helpText": "If on, then during reading of the LDAP attribute value will always used instead of the value from Keycloak DB", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "is.mandatory.in.ldap", + "label": "Is Mandatory In LDAP", + "helpText": "If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB, the default or empty value will be set to be propagated to LDAP", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "attribute.default.value", + "label": "Attribute default value", + "helpText": "If there is no value in Keycloak DB and attribute is mandatory in LDAP, this value will be propagated to LDAP", + "type": "String", + "defaultValue": "", + "secret": false + }, + { + "name": "is.binary.attribute", + "label": "Is Binary Attribute", + "helpText": "Should be true for binary LDAP attributes", + "type": "boolean", + "defaultValue": "false", + "secret": false + } + ], + "metadata": { + "fedToKeycloakSyncSupported": false, + "keycloakToFedSyncSupported": false + } + } + ], + "org.keycloak.authentication.ClientAuthenticator": [ + { + "id": "client-jwt", + "helpText": "Validates client based on signed JWT issued by client and signed with the Client private key", + "properties": [], + "metadata": {} + }, + { + "id": "client-secret", + "helpText": "Validates client based on 'client_id' and 'client_secret' sent either in request parameters or in 'Authorization: Basic' header", + "properties": [], + "metadata": {} + }, + { + "id": 
"client-secret-jwt", + "helpText": "Validates client based on signed JWT issued by client and signed with the Client Secret", + "properties": [], + "metadata": {} + }, + { + "id": "client-x509", + "helpText": "Validates client based on a X509 Certificate", + "properties": [], + "metadata": {} + } + ], + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "allowed-client-templates", + "helpText": "When present, it allows to specify whitelist of client scopes, which will be allowed in representation of registered (or updated) client", + "properties": [ + { + "name": "allowed-client-scopes", + "label": "allowed-client-scopes.label", + "helpText": "allowed-client-scopes.tooltip", + "type": "MultivaluedList", + "secret": false + }, + { + "name": "allow-default-scopes", + "label": "allow-default-scopes.label", + "helpText": "allow-default-scopes.tooltip", + "type": "boolean", + "defaultValue": true, + "secret": false + } + ], + "metadata": {} + }, + { + "id": "allowed-protocol-mappers", + "helpText": "When present, it allows to specify whitelist of protocol mapper types, which will be allowed in representation of registered (or updated) client", + "properties": [ + { + "name": "allowed-protocol-mapper-types", + "label": "allowed-protocol-mappers.label", + "helpText": "allowed-protocol-mappers.tooltip", + "type": "MultivaluedList", + "options": [ + "oidc-claims-param-token-mapper", + "saml-javascript-mapper", + "oidc-usermodel-realm-role-mapper", + "saml-user-attribute-nameid-mapper", + "oidc-usersessionmodel-note-mapper", + "oidc-address-mapper", + "saml-audience-resolve-mapper", + "oidc-role-name-mapper", + "saml-user-session-note-mapper", + "oidc-usermodel-client-role-mapper", + "oidc-usermodel-property-mapper", + "saml-group-membership-mapper", + "saml-audience-mapper", + "docker-v2-allow-all-mapper", + "oidc-hardcoded-role-mapper", + "oidc-hardcoded-claim-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-name-mapper", + 
"saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper", + "oidc-allowed-origins-mapper", + "oidc-audience-mapper", + "oidc-usermodel-attribute-mapper", + "saml-hardcode-attribute-mapper", + "oidc-group-membership-mapper", + "saml-user-attribute-mapper", + "saml-hardcode-role-mapper", + "oidc-audience-resolve-mapper" + ], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "client-disabled", + "helpText": "When present, then newly registered client will be disabled and admin needs to manually enable them", + "properties": [], + "metadata": {} + }, + { + "id": "consent-required", + "helpText": "When present, then newly registered client will always have 'consentRequired' switch enabled", + "properties": [], + "metadata": {} + }, + { + "id": "max-clients", + "helpText": "When present, then it won't be allowed to register new client if count of existing clients in realm is same or bigger than configured limit", + "properties": [ + { + "name": "max-clients", + "label": "max-clients.label", + "helpText": "max-clients.tooltip", + "type": "String", + "defaultValue": "200", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "scope", + "helpText": "When present, then newly registered client won't have full scope allowed", + "properties": [], + "metadata": {} + }, + { + "id": "trusted-hosts", + "helpText": "Allows to specify from which hosts is user able to register and which redirect URIs can client use in it's configuration", + "properties": [ + { + "name": "trusted-hosts", + "label": "trusted-hosts.label", + "helpText": "trusted-hosts.tooltip", + "type": "MultivaluedString", + "secret": false + }, + { + "name": "host-sending-registration-request-must-match", + "label": "host-sending-registration-request-must-match.label", + "helpText": "host-sending-registration-request-must-match.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "client-uris-must-match", + "label": 
"client-uris-must-match.label", + "helpText": "client-uris-must-match.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ], + "metadata": {} + } + ], + "org.keycloak.validate.Validator": [ + { + "id": "double", + "helpText": "Validator to check Double number format and optionally min and max values", + "properties": [ + { + "name": "min", + "label": "Minimum", + "helpText": "The minimal allowed value - this config is optional.", + "type": "String", + "secret": false + }, + { + "name": "max", + "label": "Maximum", + "helpText": "The maximal allowed value - this config is optional.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "email", + "helpText": "Email format validator", + "properties": [], + "metadata": {} + }, + { + "id": "integer", + "helpText": "Validator to check Integer number format and optionally min and max values", + "properties": [ + { + "name": "min", + "label": "Minimum", + "helpText": "The minimal allowed value - this config is optional.", + "type": "String", + "secret": false + }, + { + "name": "max", + "label": "Maximum", + "helpText": "The maximal allowed value - this config is optional.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "length", + "helpText": "Length validator", + "properties": [ + { + "name": "min", + "label": "Minimum length", + "helpText": "The minimum length", + "type": "String", + "secret": false + }, + { + "name": "max", + "label": "Maximum length", + "helpText": "The maximum length", + "type": "String", + "secret": false + }, + { + "name": "trim-disabled", + "label": "Trimming disabled", + "helpText": "Disable trimming of the String value before the length check", + "type": "boolean", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "local-date", + "helpText": "Validates date formats based on the realm or user locale.", + "properties": [], + "metadata": {} + }, + { + "id": "options", + "helpText": "Options 
validator", + "properties": [ + { + "name": "options", + "label": "Options", + "helpText": "List of allowed options", + "type": "MultivaluedString", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "pattern", + "helpText": "RegExp Pattern validator", + "properties": [ + { + "name": "pattern", + "label": "RegExp pattern", + "helpText": "RegExp pattern the value must match. Java Pattern syntax is used.", + "type": "String", + "secret": false + }, + { + "name": "error-message", + "label": "Error message key", + "helpText": "Key of the error message in i18n bundle. Dafault message key is error-pattern-no-match", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "person-name-prohibited-characters", + "helpText": "Basic person name (First, Middle, Last name) validator disallowing bunch of characters we really do not expect in names.", + "properties": [ + { + "name": "error-message", + "label": "Error message key", + "helpText": "Key of the error message in i18n bundle. Dafault message key is error-person-name-invalid-character", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "uri", + "helpText": "Uri Validator", + "properties": [], + "metadata": {} + }, + { + "id": "username-prohibited-characters", + "helpText": "Basic Username validator disallowing bunch of characters we really do not expect in username.", + "properties": [ + { + "name": "error-message", + "label": "Error message key", + "helpText": "Key of the error message in i18n bundle. 
Dafault message key is error-username-invalid-character", + "type": "String", + "secret": false + } + ], + "metadata": {} + } + ], + "org.keycloak.userprofile.UserProfileProvider": [ + { "id": "declarative-user-profile", "properties": [], "metadata": {} } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "aes-generated", + "helpText": "Generates AES secret key", + "properties": [ + { + "name": "priority", + "label": "Priority", + "helpText": "Priority for the provider", + "type": "String", + "defaultValue": "0", + "secret": false + }, + { + "name": "enabled", + "label": "Enabled", + "helpText": "Set if the keys are enabled", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "active", + "label": "Active", + "helpText": "Set if the keys can be used for signing", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "secretSize", + "label": "AES Key size", + "helpText": "Size in bytes for the generated AES Key. Size 16 is for AES-128, Size 24 for AES-192 and Size 32 for AES-256. 
WARN: Bigger keys then 128 bits are not allowed on some JDK implementations", + "type": "List", + "defaultValue": "16", + "options": ["16", "24", "32"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "ecdsa-generated", + "helpText": "Generates ECDSA keys", + "properties": [ + { + "name": "priority", + "label": "Priority", + "helpText": "Priority for the provider", + "type": "String", + "defaultValue": "0", + "secret": false + }, + { + "name": "enabled", + "label": "Enabled", + "helpText": "Set if the keys are enabled", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "active", + "label": "Active", + "helpText": "Set if the keys can be used for signing", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "ecdsaEllipticCurveKey", + "label": "Elliptic Curve", + "helpText": "Elliptic Curve used in ECDSA", + "type": "List", + "defaultValue": "P-256", + "options": ["P-256", "P-384", "P-521"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "hmac-generated", + "helpText": "Generates HMAC secret key", + "properties": [ + { + "name": "priority", + "label": "Priority", + "helpText": "Priority for the provider", + "type": "String", + "defaultValue": "0", + "secret": false + }, + { + "name": "enabled", + "label": "Enabled", + "helpText": "Set if the keys are enabled", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "active", + "label": "Active", + "helpText": "Set if the keys can be used for signing", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "secretSize", + "label": "Secret size", + "helpText": "Size in bytes for the generated secret", + "type": "List", + "defaultValue": "64", + "options": ["16", "24", "32", "64", "128", "256", "512"], + "secret": false + }, + { + "name": "algorithm", + "label": "Algorithm", + "helpText": "Intended algorithm for the key", + "type": "List", + "defaultValue": "HS256", + 
"options": ["HS256", "HS384", "HS512"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "java-keystore", + "helpText": "Loads keys from a Java keys file", + "properties": [ + { + "name": "priority", + "label": "Priority", + "helpText": "Priority for the provider", + "type": "String", + "defaultValue": "0", + "secret": false + }, + { + "name": "enabled", + "label": "Enabled", + "helpText": "Set if the keys are enabled", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "active", + "label": "Active", + "helpText": "Set if the keys can be used for signing", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "algorithm", + "label": "Algorithm", + "helpText": "Intended algorithm for the key", + "type": "List", + "defaultValue": "RS256", + "options": ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"], + "secret": false + }, + { + "name": "keystore", + "label": "Keystore", + "helpText": "Path to keys file", + "type": "String", + "secret": false + }, + { + "name": "keystorePassword", + "label": "Keystore Password", + "helpText": "Password for the keys", + "type": "String", + "secret": true + }, + { + "name": "keyAlias", + "label": "Key Alias", + "helpText": "Alias for the private key", + "type": "String", + "secret": false + }, + { + "name": "keyPassword", + "label": "Key Password", + "helpText": "Password for the private key", + "type": "String", + "secret": true + }, + { + "name": "keyUse", + "label": "Key use", + "helpText": "Whether the key should be used for signing or encryption.", + "type": "List", + "defaultValue": "sig", + "options": ["sig", "enc"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "rsa", + "helpText": "RSA signature key provider that can optionally generated a self-signed certificate", + "properties": [ + { + "name": "priority", + "label": "Priority", + "helpText": "Priority for the provider", + "type": "String", + "defaultValue": "0", + "secret": false 
+ },
+ {
+ "name": "enabled",
+ "label": "Enabled",
+ "helpText": "Set if the keys are enabled",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "active",
+ "label": "Active",
+ "helpText": "Set if the keys can be used for signing",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "privateKey",
+ "label": "Private RSA Key",
+ "helpText": "Private RSA Key encoded in PEM format",
+ "type": "File",
+ "secret": true
+ },
+ {
+ "name": "certificate",
+ "label": "X509 Certificate",
+ "helpText": "X509 Certificate encoded in PEM format",
+ "type": "File",
+ "secret": false
+ },
+ {
+ "name": "algorithm",
+ "label": "Algorithm",
+ "helpText": "Intended algorithm for the key",
+ "type": "List",
+ "defaultValue": "RS256",
+ "options": ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"],
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "rsa-enc",
+ "helpText": "RSA for key encryption provider that can optionally generated a self-signed certificate",
+ "properties": [
+ {
+ "name": "priority",
+ "label": "Priority",
+ "helpText": "Priority for the provider",
+ "type": "String",
+ "defaultValue": "0",
+ "secret": false
+ },
+ {
+ "name": "enabled",
+ "label": "Enabled",
+ "helpText": "Set if the keys are enabled",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "active",
+ "label": "Active",
+ "helpText": "Set if the keys can be used for signing",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "privateKey",
+ "label": "Private RSA Key",
+ "helpText": "Private RSA Key encoded in PEM format",
+ "type": "File",
+ "secret": true
+ },
+ {
+ "name": "certificate",
+ "label": "X509 Certificate",
+ "helpText": "X509 Certificate encoded in PEM format",
+ "type": "File",
+ "secret": false
+ },
+ {
+ "name": "algorithm",
+ "label": "Algorithm",
+ "helpText": "Intended algorithm for the key encryption",
+ "type": "List",
+ 
"defaultValue": "RSA-OAEP", + "options": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "rsa-enc-generated", + "helpText": "Generates RSA keys for key encryption and creates a self-signed certificate", + "properties": [ + { + "name": "priority", + "label": "Priority", + "helpText": "Priority for the provider", + "type": "String", + "defaultValue": "0", + "secret": false + }, + { + "name": "enabled", + "label": "Enabled", + "helpText": "Set if the keys are enabled", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "active", + "label": "Active", + "helpText": "Set if the keys can be used for signing", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "keySize", + "label": "Key size", + "helpText": "Size for the generated keys", + "type": "List", + "defaultValue": "2048", + "options": ["1024", "2048", "4096"], + "secret": false + }, + { + "name": "algorithm", + "label": "Algorithm", + "helpText": "Intended algorithm for the key encryption", + "type": "List", + "defaultValue": "RSA-OAEP", + "options": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "rsa-generated", + "helpText": "Generates RSA signature keys and creates a self-signed certificate", + "properties": [ + { + "name": "priority", + "label": "Priority", + "helpText": "Priority for the provider", + "type": "String", + "defaultValue": "0", + "secret": false + }, + { + "name": "enabled", + "label": "Enabled", + "helpText": "Set if the keys are enabled", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "active", + "label": "Active", + "helpText": "Set if the keys can be used for signing", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "keySize", + "label": "Key size", + "helpText": "Size for the generated keys", + "type": "List", + "defaultValue": "2048", + "options": 
["1024", "2048", "4096"], + "secret": false + }, + { + "name": "algorithm", + "label": "Algorithm", + "helpText": "Intended algorithm for the key", + "type": "List", + "defaultValue": "RS256", + "options": ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"], + "secret": false + } + ], + "metadata": {} + } + ], + "org.keycloak.authentication.FormAuthenticator": [ + { + "id": "registration-page-form", + "helpText": "This is the controller for the registration page", + "properties": [], + "metadata": {} + } + ], + "org.keycloak.protocol.ProtocolMapper": [ + { + "id": "docker-v2-allow-all-mapper", + "helpText": "Allows all grants, returning the full set of requested access attributes as permitted attributes.", + "properties": [], + "metadata": {} + }, + { + "id": "oidc-address-mapper", + "helpText": "Maps user address attributes (street, locality, region, postal_code, and country) to the OpenID Connect 'address' claim.", + "properties": [ + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "user.attribute.street", + "label": "addressClaim.street.label", + "helpText": "addressClaim.street.tooltip", + "type": "String", + "defaultValue": "street", + "secret": false + }, + { + "name": "user.attribute.locality", + "label": "addressClaim.locality.label", + "helpText": "addressClaim.locality.tooltip", + "type": "String", + "defaultValue": "locality", + "secret": false + }, + { + "name": "user.attribute.region", + "label": "addressClaim.region.label", + 
"helpText": "addressClaim.region.tooltip", + "type": "String", + "defaultValue": "region", + "secret": false + }, + { + "name": "user.attribute.postal_code", + "label": "addressClaim.postal_code.label", + "helpText": "addressClaim.postal_code.tooltip", + "type": "String", + "defaultValue": "postal_code", + "secret": false + }, + { + "name": "user.attribute.country", + "label": "addressClaim.country.label", + "helpText": "addressClaim.country.tooltip", + "type": "String", + "defaultValue": "country", + "secret": false + }, + { + "name": "user.attribute.formatted", + "label": "addressClaim.formatted.label", + "helpText": "addressClaim.formatted.tooltip", + "type": "String", + "defaultValue": "formatted", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-allowed-origins-mapper", + "helpText": "Adds all allowed web origins to the 'allowed-origins' claim in the token", + "properties": [], + "metadata": {} + }, + { + "id": "oidc-audience-mapper", + "helpText": "Add specified audience to the audience (aud) field of token", + "properties": [ + { + "name": "included.client.audience", + "label": "included.client.audience.label", + "helpText": "included.client.audience.tooltip", + "type": "ClientList", + "secret": false + }, + { + "name": "included.custom.audience", + "label": "included.custom.audience.label", + "helpText": "included.custom.audience.tooltip", + "type": "String", + "secret": false + }, + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "false", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-audience-resolve-mapper", + "helpText": "Adds all client_ids of \"allowed\" clients to the audience field of the token. 
Allowed client means the client\n for which user has at least one client role", + "properties": [], + "metadata": {} + }, + { + "id": "oidc-claims-param-token-mapper", + "helpText": "Claims specified by Claims parameter are put into tokens.", + "properties": [ + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-full-name-mapper", + "helpText": "Maps the user's first and last name to the OpenID Connect 'name' claim. Format is + ' ' + ", + "properties": [ + { + "name": "id.token.claim", + "label": "includeInIdToken.label", + "helpText": "includeInIdToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "access.token.claim", + "label": "includeInAccessToken.label", + "helpText": "includeInAccessToken.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + }, + { + "name": "userinfo.token.claim", + "label": "includeInUserInfo.label", + "helpText": "includeInUserInfo.tooltip", + "type": "boolean", + "defaultValue": "true", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-group-membership-mapper", + "helpText": "Map user group membership", + "properties": [ + { + "name": "claim.name", + "label": "tokenClaimName.label", + "helpText": "tokenClaimName.tooltip", + "type": "String", + "secret": false + }, + { + "name": "full.path", + "label": "Full group path", + "helpText": "Include full path to group i.e. 
/top/level1/level2, false will just specify the group name",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "id.token.claim",
+ "label": "includeInIdToken.label",
+ "helpText": "includeInIdToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.token.claim",
+ "label": "includeInAccessToken.label",
+ "helpText": "includeInAccessToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "userinfo.token.claim",
+ "label": "includeInUserInfo.label",
+ "helpText": "includeInUserInfo.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-hardcoded-claim-mapper",
+ "helpText": "Hardcode a claim into the token.",
+ "properties": [
+ {
+ "name": "claim.name",
+ "label": "tokenClaimName.label",
+ "helpText": "tokenClaimName.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "claim.value",
+ "label": "Claim value",
+ "helpText": "Value of the claim you want to hard code. 'true' and 'false can be used for boolean values.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "jsonType.label",
+ "label": "jsonType.label",
+ "helpText": "jsonType.tooltip",
+ "type": "List",
+ "options": ["String", "long", "int", "boolean", "JSON"],
+ "secret": false
+ },
+ {
+ "name": "id.token.claim",
+ "label": "includeInIdToken.label",
+ "helpText": "includeInIdToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.token.claim",
+ "label": "includeInAccessToken.label",
+ "helpText": "includeInAccessToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "userinfo.token.claim",
+ "label": "includeInUserInfo.label",
+ "helpText": "includeInUserInfo.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.tokenResponse.claim",
+ "label": "includeInAccessTokenResponse.label",
+ "helpText": "includeInAccessTokenResponse.tooltip",
+ "type": "boolean",
+ "defaultValue": "false",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-hardcoded-role-mapper",
+ "helpText": "Hardcode a role into the access token.",
+ "properties": [
+ {
+ "name": "role",
+ "label": "Role",
+ "helpText": "Role you want added to the token. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole",
+ "type": "Role",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-role-name-mapper",
+ "helpText": "Map an assigned role to a new name or position in the token.",
+ "properties": [
+ {
+ "name": "role",
+ "label": "Role",
+ "helpText": "Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole",
+ "type": "Role",
+ "secret": false
+ },
+ {
+ "name": "new.role.name",
+ "label": "New Role Name",
+ "helpText": "The new role name. The new name format corresponds to where in the access token the role will be mapped to. So, a new name of 'myapp.newname' will map the role to that position in the access token. A new name of 'newname' will map the role to the realm roles in the token.",
+ "type": "String",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-sha256-pairwise-sub-mapper",
+ "helpText": "Calculates a pairwise subject identifier using a salted sha-256 hash. See OpenID Connect specification for more info about pairwise subject identifiers.",
+ "properties": [
+ {
+ "name": "sectorIdentifierUri",
+ "label": "sectorIdentifierUri.label",
+ "helpText": "sectorIdentifierUri.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "pairwiseSubAlgorithmSalt",
+ "label": "pairwiseSubAlgorithmSalt.label",
+ "helpText": "pairwiseSubAlgorithmSalt.tooltip",
+ "type": "String",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-usermodel-attribute-mapper",
+ "helpText": "Map a custom user attribute to a token claim.",
+ "properties": [
+ {
+ "name": "user.attribute",
+ "label": "usermodel.attr.label",
+ "helpText": "usermodel.attr.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "claim.name",
+ "label": "tokenClaimName.label",
+ "helpText": "tokenClaimName.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "jsonType.label",
+ "label": "jsonType.label",
+ "helpText": "jsonType.tooltip",
+ "type": "List",
+ "options": ["String", "long", "int", "boolean", "JSON"],
+ "secret": false
+ },
+ {
+ "name": "id.token.claim",
+ "label": "includeInIdToken.label",
+ "helpText": "includeInIdToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.token.claim",
+ "label": "includeInAccessToken.label",
+ "helpText": "includeInAccessToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "userinfo.token.claim",
+ "label": "includeInUserInfo.label",
+ "helpText": "includeInUserInfo.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "multivalued",
+ "label": "multivalued.label",
+ "helpText": "multivalued.tooltip",
+ "type": "boolean",
+ "secret": false
+ },
+ {
+ "name": "aggregate.attrs",
+ "label": "aggregate.attrs.label",
+ "helpText": "aggregate.attrs.tooltip",
+ "type": "boolean",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-usermodel-client-role-mapper",
+ "helpText": "Map a user client role to a token claim.",
+ "properties": [
+ {
+ "name": "usermodel.clientRoleMapping.clientId",
+ "label": "usermodel.clientRoleMapping.clientId.label",
+ "helpText": "usermodel.clientRoleMapping.clientId.tooltip",
+ "type": "ClientList",
+ "secret": false
+ },
+ {
+ "name": "usermodel.clientRoleMapping.rolePrefix",
+ "label": "usermodel.clientRoleMapping.rolePrefix.label",
+ "helpText": "usermodel.clientRoleMapping.rolePrefix.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "multivalued",
+ "label": "multivalued.label",
+ "helpText": "multivalued.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "claim.name",
+ "label": "tokenClaimName.label",
+ "helpText": "usermodel.clientRoleMapping.tokenClaimName.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "jsonType.label",
+ "label": "jsonType.label",
+ "helpText": "jsonType.tooltip",
+ "type": "List",
+ "options": ["String", "long", "int", "boolean", "JSON"],
+ "secret": false
+ },
+ {
+ "name": "id.token.claim",
+ "label": "includeInIdToken.label",
+ "helpText": "includeInIdToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.token.claim",
+ "label": "includeInAccessToken.label",
+ "helpText": "includeInAccessToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "userinfo.token.claim",
+ "label": "includeInUserInfo.label",
+ "helpText": "includeInUserInfo.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-usermodel-property-mapper",
+ "helpText": "Map a built in user property (email, firstName, lastName) to a token claim.",
+ "properties": [
+ {
+ "name": "user.attribute",
+ "label": "usermodel.prop.label",
+ "helpText": "usermodel.prop.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "claim.name",
+ "label": "tokenClaimName.label",
+ "helpText": "tokenClaimName.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "jsonType.label",
+ "label": "jsonType.label",
+ "helpText": "jsonType.tooltip",
+ "type": "List",
+ "options": ["String", "long", "int", "boolean", "JSON"],
+ "secret": false
+ },
+ {
+ "name": "id.token.claim",
+ "label": "includeInIdToken.label",
+ "helpText": "includeInIdToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.token.claim",
+ "label": "includeInAccessToken.label",
+ "helpText": "includeInAccessToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "userinfo.token.claim",
+ "label": "includeInUserInfo.label",
+ "helpText": "includeInUserInfo.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-usermodel-realm-role-mapper",
+ "helpText": "Map a user realm role to a token claim.",
+ "properties": [
+ {
+ "name": "usermodel.realmRoleMapping.rolePrefix",
+ "label": "usermodel.realmRoleMapping.rolePrefix.label",
+ "helpText": "usermodel.realmRoleMapping.rolePrefix.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "multivalued",
+ "label": "multivalued.label",
+ "helpText": "multivalued.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "claim.name",
+ "label": "tokenClaimName.label",
+ "helpText": "tokenClaimName.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "jsonType.label",
+ "label": "jsonType.label",
+ "helpText": "jsonType.tooltip",
+ "type": "List",
+ "options": ["String", "long", "int", "boolean", "JSON"],
+ "secret": false
+ },
+ {
+ "name": "id.token.claim",
+ "label": "includeInIdToken.label",
+ "helpText": "includeInIdToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.token.claim",
+ "label": "includeInAccessToken.label",
+ "helpText": "includeInAccessToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "userinfo.token.claim",
+ "label": "includeInUserInfo.label",
+ "helpText": "includeInUserInfo.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "oidc-usersessionmodel-note-mapper",
+ "helpText": "Map a custom user session note to a token claim.",
+ "properties": [
+ {
+ "name": "user.session.note",
+ "label": "userSession.modelNote.label",
+ "helpText": "userSession.modelNote.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "claim.name",
+ "label": "tokenClaimName.label",
+ "helpText": "tokenClaimName.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "jsonType.label",
+ "label": "jsonType.label",
+ "helpText": "jsonType.tooltip",
+ "type": "List",
+ "options": ["String", "long", "int", "boolean", "JSON"],
+ "secret": false
+ },
+ {
+ "name": "id.token.claim",
+ "label": "includeInIdToken.label",
+ "helpText": "includeInIdToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.token.claim",
+ "label": "includeInAccessToken.label",
+ "helpText": "includeInAccessToken.tooltip",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "access.tokenResponse.claim",
+ "label": "includeInAccessTokenResponse.label",
+ "helpText": "includeInAccessTokenResponse.tooltip",
+ "type": "boolean",
+ "defaultValue": "false",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-audience-mapper",
+ "helpText": "Add specified audience to the audience conditions in the assertion.",
+ "properties": [
+ {
+ "name": "included.client.audience",
+ "label": "included.client.audience.label",
+ "helpText": "included.client.audience.tooltip",
+ "type": "ClientList",
+ "secret": false
+ },
+ {
+ "name": "included.custom.audience",
+ "label": "included.custom.audience.label",
+ "helpText": "included.custom.audience.tooltip",
+ "type": "String",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-audience-resolve-mapper",
+ "helpText": "Adds all client_ids of \"allowed\" clients to the audience conditions in the assertion. Allowed client means any SAML client for which user has at least one client role",
+ "properties": [],
+ "metadata": {}
+ },
+ {
+ "id": "saml-group-membership-mapper",
+ "helpText": "Group names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per group name depending on how you configure it. You can also specify the attribute name i.e. 'member' or 'memberOf' being examples.",
+ "properties": [
+ {
+ "name": "attribute.name",
+ "label": "Group attribute name",
+ "helpText": "Name of the SAML attribute you want to put your groups into. i.e. 'member', 'memberOf'.",
+ "type": "String",
+ "defaultValue": "member",
+ "secret": false
+ },
+ {
+ "name": "friendly.name",
+ "label": "Friendly Name",
+ "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.nameformat",
+ "label": "SAML Attribute NameFormat",
+ "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.",
+ "type": "List",
+ "options": ["Basic", "URI Reference", "Unspecified"],
+ "secret": false
+ },
+ {
+ "name": "single",
+ "label": "Single Group Attribute",
+ "helpText": "If true, all groups will be stored under one attribute with multiple attribute values.",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "full.path",
+ "label": "Full group path",
+ "helpText": "Include full path to group i.e. /top/level1/level2, false will just specify the group name",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-hardcode-attribute-mapper",
+ "helpText": "Hardcode an attribute into the SAML Assertion.",
+ "properties": [
+ {
+ "name": "friendly.name",
+ "label": "Friendly Name",
+ "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.name",
+ "label": "SAML Attribute Name",
+ "helpText": "SAML Attribute Name",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.nameformat",
+ "label": "SAML Attribute NameFormat",
+ "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.",
+ "type": "List",
+ "options": ["Basic", "URI Reference", "Unspecified"],
+ "secret": false
+ },
+ {
+ "name": "attribute.value",
+ "label": "Attribute value",
+ "helpText": "Value of the attribute you want to hard code.",
+ "type": "String",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-hardcode-role-mapper",
+ "helpText": "Hardcode role into SAML Assertion.",
+ "properties": [
+ {
+ "name": "role",
+ "label": "Role",
+ "helpText": "Arbitrary role name you want to hardcode. This role does not have to exist in current realm and can be just any string you need",
+ "type": "Role",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-javascript-mapper",
+ "helpText": "Evaluates a JavaScript function to produce an attribute value based on context information.",
+ "properties": [
+ {
+ "name": "Script",
+ "label": "Script",
+ "helpText": "Script to compute the attribute value. \n Available variables: \n 'user' - the current user.\n 'realm' - the current realm.\n 'clientSession' - the current clientSession.\n 'userSession' - the current userSession.\n 'keycloakSession' - the current keycloakSession.\n\nTo use: the last statement is the value returned to Java.\nThe result will be tested if it can be iterated upon (e.g. an array or a collection).\n - If it is not, toString() will be called on the object to get the value of the attribute\n - If it is, toString() will be called on all elements to return multiple attribute values.\n",
+ "type": "Script",
+ "defaultValue": "/**\n * Available variables: \n * user - the current user\n * realm - the current realm\n * clientSession - the current clientSession\n * userSession - the current userSession\n * keycloakSession - the current keycloakSession\n */\n\n\n//insert your code here...",
+ "secret": false
+ },
+ {
+ "name": "single",
+ "label": "Single Value Attribute",
+ "helpText": "If true, all values will be stored under one attribute with multiple attribute values.",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ },
+ {
+ "name": "friendly.name",
+ "label": "Friendly Name",
+ "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.name",
+ "label": "SAML Attribute Name",
+ "helpText": "SAML Attribute Name",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.nameformat",
+ "label": "SAML Attribute NameFormat",
+ "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.",
+ "type": "List",
+ "options": ["Basic", "URI Reference", "Unspecified"],
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-role-list-mapper",
+ "helpText": "Role names are stored in an attribute value. There is either one attribute with multiple attribute values, or an attribute per role name depending on how you configure it. You can also specify the attribute name i.e. 'Role' or 'memberOf' being examples.",
+ "properties": [
+ {
+ "name": "attribute.name",
+ "label": "Role attribute name",
+ "helpText": "Name of the SAML attribute you want to put your roles into. i.e. 'Role', 'memberOf'.",
+ "type": "String",
+ "defaultValue": "Role",
+ "secret": false
+ },
+ {
+ "name": "friendly.name",
+ "label": "Friendly Name",
+ "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.nameformat",
+ "label": "SAML Attribute NameFormat",
+ "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.",
+ "type": "List",
+ "options": ["Basic", "URI Reference", "Unspecified"],
+ "secret": false
+ },
+ {
+ "name": "single",
+ "label": "Single Role Attribute",
+ "helpText": "If true, all roles will be stored under one attribute with multiple attribute values.",
+ "type": "boolean",
+ "defaultValue": "true",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-role-name-mapper",
+ "helpText": "Map an assigned role to a new name",
+ "properties": [
+ {
+ "name": "role",
+ "label": "Role",
+ "helpText": "Role name you want changed. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole",
+ "type": "Role",
+ "secret": false
+ },
+ {
+ "name": "new.role.name",
+ "label": "New Role Name",
+ "helpText": "The new role name.",
+ "type": "String",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-user-attribute-mapper",
+ "helpText": "Map a custom user attribute to a to a SAML attribute.",
+ "properties": [
+ {
+ "name": "user.attribute",
+ "label": "usermodel.attr.label",
+ "helpText": "usermodel.attr.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "friendly.name",
+ "label": "Friendly Name",
+ "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.name",
+ "label": "SAML Attribute Name",
+ "helpText": "SAML Attribute Name",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.nameformat",
+ "label": "SAML Attribute NameFormat",
+ "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.",
+ "type": "List",
+ "options": ["Basic", "URI Reference", "Unspecified"],
+ "secret": false
+ },
+ {
+ "name": "aggregate.attrs",
+ "label": "aggregate.attrs.label",
+ "helpText": "aggregate.attrs.tooltip",
+ "type": "boolean",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-user-attribute-nameid-mapper",
+ "helpText": "Map user attribute to SAML NameID value.",
+ "properties": [
+ {
+ "name": "mapper.nameid.format",
+ "label": "name-id-format",
+ "helpText": "mapper.nameid.format.tooltip",
+ "type": "List",
+ "options": [
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
+ "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
+ "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
+ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+ "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+ ],
+ "secret": false
+ },
+ {
+ "name": "user.attribute",
+ "label": "usermodel.attr.label",
+ "helpText": "usermodel.attr.tooltip",
+ "type": "String",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-user-property-mapper",
+ "helpText": "Map a built in user property (email, firstName, lastName) to a SAML attribute type.",
+ "properties": [
+ {
+ "name": "user.attribute",
+ "label": "usermodel.prop.label",
+ "helpText": "usermodel.prop.tooltip",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "friendly.name",
+ "label": "Friendly Name",
+ "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.name",
+ "label": "SAML Attribute Name",
+ "helpText": "SAML Attribute Name",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.nameformat",
+ "label": "SAML Attribute NameFormat",
+ "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.",
+ "type": "List",
+ "options": ["Basic", "URI Reference", "Unspecified"],
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "saml-user-session-note-mapper",
+ "helpText": "Map a user session note to a SAML attribute.",
+ "properties": [
+ {
+ "name": "note",
+ "label": "User Session Note Attribute",
+ "helpText": "The user session note you want to grab the value from.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "friendly.name",
+ "label": "Friendly Name",
+ "helpText": "Standard SAML attribute setting. An optional, more human-readable form of the attribute's name that can be provided if the actual attribute name is cryptic.",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.name",
+ "label": "SAML Attribute Name",
+ "helpText": "SAML Attribute Name",
+ "type": "String",
+ "secret": false
+ },
+ {
+ "name": "attribute.nameformat",
+ "label": "SAML Attribute NameFormat",
+ "helpText": "SAML Attribute NameFormat. Can be basic, URI reference, or unspecified.",
+ "type": "List",
+ "options": ["Basic", "URI Reference", "Unspecified"],
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ }
+ ],
+ "org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider": [
+ {
+ "id": "any-client",
+ "helpText": "The condition is satisfied by any client on any event.",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "client-access-type",
+ "helpText": "It uses the client's access type (confidential, public, bearer-only) to determine whether the policy is applied. Condition is checked during most of OpenID Connect requests (Authorization request, token requests, introspection endpoint request etc).",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ },
+ {
+ "name": "type",
+ "label": "client-accesstype.label",
+ "helpText": "client-accesstype.tooltip",
+ "type": "MultivaluedList",
+ "defaultValue": "confidential",
+ "options": ["confidential", "public", "bearer-only"],
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "client-roles",
+ "helpText": "The condition checks whether one of the specified client roles exists on the client to determine whether the policy is applied. This effectively allows client administrator to create client role of specified name on the client to make sure that particular client policy will be applied on requests of this client. Condition is checked during most of OpenID Connect requests (Authorization request, token requests, introspection endpoint request etc).",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ },
+ {
+ "name": "roles",
+ "label": "client-roles.label",
+ "helpText": "client-roles-condition.tooltip",
+ "type": "MultivaluedString",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "client-scopes",
+ "helpText": "It uses the scopes requested or assigned in advance to the client to determine whether the policy is applied to this client. Condition is evaluated during OpenID Connect authorization request and/or token request.",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ },
+ {
+ "name": "scopes",
+ "label": "client-scopes-condition.label",
+ "helpText": "client-scopes-condition.tooltip",
+ "type": "MultivaluedString",
+ "defaultValue": "offline_access",
+ "secret": false
+ },
+ {
+ "name": "type",
+ "label": "Scope Type",
+ "helpText": "If set to 'Default', condition evaluates to true if client has some default scopes of the values specified by the 'Expected Scopes' property. If set to 'Optional', condition evaluates to true if client has some optional scopes of the values specified by the 'Expected Scopes' property and at the same time, the scope were used as a value of 'scope' parameter in the request",
+ "type": "List",
+ "defaultValue": "Optional",
+ "options": ["Default", "Optional"],
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "client-updater-context",
+ "helpText": "The condition checks the context how is client created/updated to determine whether the policy is applied. For example it checks if client is created with admin REST API or OIDC dynamic client registration. And for the letter case if it is ANONYMOUS client registration or AUTHENTICATED client registration with Initial access token or Registration access token and so on.",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ },
+ {
+ "name": "update-client-source",
+ "label": "Update Client Context",
+ "helpText": "Specifies the context how is client created or updated. ByInitialAccessToken is usually OpenID Connect client registration with the initial access token. ByRegistrationAccessToken is usually OpenID Connect client update request with the registration access token. ByAuthenticatedUser is usually Admin REST request with the token on behalf of authenticated user or client (service account). ByAnonymous is usually anonymous OpenID Client registration request.",
+ "type": "MultivaluedList",
+ "defaultValue": "ByAuthenticatedUser",
+ "options": [
+ "ByAuthenticatedUser",
+ "ByAnonymous",
+ "ByInitialAccessToken",
+ "ByRegistrationAccessToken"
+ ],
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "client-updater-source-groups",
+ "helpText": "The condition checks the group of the entity who tries to create/update the client to determine whether the policy is applied.",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ },
+ {
+ "name": "groups",
+ "label": "client-updater-source-groups.label",
+ "helpText": "client-updater-source-groups.tooltip",
+ "type": "MultivaluedString",
+ "defaultValue": "topGroup",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "client-updater-source-host",
+ "helpText": "The condition checks the host/domain of the entity who tries to create/update the client to determine whether the policy is applied.",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ },
+ {
+ "name": "trusted-hosts",
+ "label": "client-updater-trusted-hosts.label",
+ "helpText": "client-updater-trusted-hosts.tooltip",
+ "type": "MultivaluedString",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "client-updater-source-roles",
+ "helpText": "The condition checks the role of the entity who tries to create/update the client to determine whether the policy is applied.",
+ "properties": [
+ {
+ "name": "is-negative-logic",
+ "label": "Negative Logic",
+ "helpText": "If On, the result of condition's evaluation is reverted from true to false and vice versa.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ },
+ {
+ "name": "roles",
+ "label": "client-updater-source-roles.label",
+ "helpText": "client-updater-source-roles.tooltip",
+ "type": "MultivaluedString",
+ "defaultValue": "admin",
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ }
+ ],
+ "org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider": [
+ {
+ "id": "confidential-client",
+ "helpText": "On authorization endpoint and token endpoint, this executor checks whether the client is confidential client. If not, it denies its request.",
+ "properties": [],
+ "metadata": {}
+ },
+ {
+ "id": "consent-required",
+ "helpText": "When present, then registered/updated clients will be verified to have 'consentRequired' switch enabled and eventually will be auto-configured for 'consentRequired' switch to be enabled",
+ "properties": [
+ {
+ "name": "auto-configure",
+ "label": "Auto-configure",
+ "helpText": "If On, the configuration of the client will be auto-configured to enable consentRequired during client creation or update.If Off, the clients are validated to have consentRequired enabled during create/update client",
+ "type": "boolean",
+ "defaultValue": true,
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "full-scope-disabled",
+ "helpText": "When present, then registered/updated clients will be verified to have 'fullScopeAllowed' switch disabled and eventually will be auto-configured for 'fullScopeAllowed' switch to be disabled",
+ "properties": [
+ {
+ "name": "auto-configure",
+ "label": "Auto-configure",
+ "helpText": "If On, the configuration of the client will be auto-configured to disable fullScopeAllowed during client creation or update.If off, the clients are validated to not have fullScopeAllowed enabled during create/update client",
+ "type": "boolean",
+ "defaultValue": true,
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "holder-of-key-enforcer",
+ "helpText": "It prohibits the client whose MTLS certificate does not match with the certificate thumbprint from the tokens.",
+ "properties": [
+ {
+ "name": "auto-configure",
+ "label": "Auto-configure",
+ "helpText": "If On, then the during client creation or update, the configuration of the client will be auto-configured to use MTLS HoK token",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "pkce-enforcer",
+ "helpText": "It makes the client enforce Proof Key for Code Exchange operation with secure algorithm like S256.",
+ "properties": [
+ {
+ "name": "auto-configure",
+ "label": "Auto-configure",
+ "helpText": "If On, then the during client creation or update, the configuration of the client will be auto-configured to enforce usage of PKCE with secure algorithm S256",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "reject-ropc-grant",
+ "helpText": "It makes keycloak to reject a resource owner password credentials grant.",
+ "properties": [
+ {
+ "name": "auto-configure",
+ "label": "Auto-configure",
+ "helpText": "If On, then the during client creation or update, the configuration of the client will be auto-configured to reject a resource owner password credentials grant.",
+ "type": "boolean",
+ "defaultValue": false,
+ "secret": false
+ }
+ ],
+ "metadata": {}
+ },
+ {
+ "id": "secure-ciba-req-sig-algorithm",
+ "helpText": "It refuses the client whose signature algorithms are considered not to be secure. This is applied by server for CIBA backchannel signed authentication request. 
It accepts ES256, ES384, ES512, PS256, PS384 and PS512.", + "properties": [ + { + "name": "default-algorithm", + "label": "Default Algorithm", + "helpText": "Default signature algorithm, which will be set to clients during client registration/update in case that client does not specify any algorithm", + "type": "List", + "defaultValue": "PS256", + "options": ["PS256", "PS384", "PS512", "ES256", "ES384", "ES512"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "secure-ciba-session", + "helpText": "To distinguish which authentication belongs to which CIBA flow, it refuses backchannel authentication request which lacks 'binding_message' parameter.", + "properties": [], + "metadata": {} + }, + { + "id": "secure-ciba-signed-authn-req", + "helpText": "The executor checks whether the client treats the signed authentication request in its CIBA backchannel authentication request by following Financial-grade API CIBA Security Profile.", + "properties": [ + { + "name": "available-period", + "label": "Available Period", + "helpText": "The maximum period in seconds for which the 'request' signed authentication request used in CIBA backchannel authentication request is considered valid.", + "type": "String", + "defaultValue": "3600", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "secure-client-authenticator", + "helpText": "It makes the client enforce registering/updating secure client authentication.", + "properties": [ + { + "name": "allowed-client-authenticators", + "label": "Allowed Client Authenticators", + "helpText": "List of available client authentication methods, which are allowed for clients to use. 
Other client authentication methods will not be allowed.", + "type": "MultivaluedList", + "options": [ + "client-jwt", + "client-secret", + "client-x509", + "client-secret-jwt" + ], + "secret": false + }, + { + "name": "default-client-authenticator", + "label": "Default Client Authenticator", + "helpText": "This client authentication method will be set as the authentication method to new clients during register/update request of the client in case that client does not have explicitly set other client authenticator method. If it is not set, then the client authenticator won't be set on new clients. Regardless the value of this option, client is still always validated to match with any of the allowed client authentication methods", + "type": "List", + "defaultValue": "client-jwt", + "options": [ + "client-jwt", + "client-secret", + "client-x509", + "client-secret-jwt" + ], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "secure-client-uris", + "helpText": "It prohibits the client registering/specifying http scheme URI.", + "properties": [], + "metadata": {} + }, + { + "id": "secure-logout", + "helpText": "Enforces certain constraints on how clients should support logout.", + "properties": [ + { + "name": "allow-front-channel-logout", + "label": "Allow Front-Channel Logout", + "helpText": "If On, then front-channel logout should be allowed. 
Otherwise, clients should favor other logout mechanisms such as back-channel logout.", + "type": "boolean", + "defaultValue": false, + "secret": false + } + ], + "metadata": {} + }, + { + "id": "secure-request-object", + "helpText": "The executor checks whether the client treats the request object in its authorization request by following Financial-grade API Security Profile : Read and Write API Security Profile.", + "properties": [ + { + "name": "verify-nbf", + "label": "Verify Not-Before", + "helpText": "If ON, then it will be verified if 'request' object used in OIDC authorization request contains not-before claim and this claim will be validated", + "type": "boolean", + "defaultValue": true, + "secret": false + }, + { + "name": "available-period", + "label": "Available Period", + "helpText": "The maximum period in seconds for which the 'request' object used in OIDC authorization request is considered valid. It is used if 'Verify Not-Before' is ON.", + "type": "String", + "defaultValue": "3600", + "secret": false + }, + { + "name": "encryption-required", + "label": "Encryption Required", + "helpText": "Whether request object encryption is required. If enabled, request objects must be encrypted. 
Otherwise, encryption is optional.", + "type": "boolean", + "defaultValue": false, + "secret": false + } + ], + "metadata": {} + }, + { + "id": "secure-response-type", + "helpText": "The executor checks whether the client sent its authorization request with code id_token or code id_token token in its response type depending on its setting.", + "properties": [ + { + "name": "auto-configure", + "label": "Auto-configure", + "helpText": "If On, then the during client creation or update, the configuration of the client will be auto-configured to use ID token returned from authorization endpoint as detached signature.", + "type": "boolean", + "defaultValue": false, + "secret": false + }, + { + "name": "allow-token-response-type", + "label": "Allow-token-response-type", + "helpText": "If On, then it allows an access token returned from authorization endpoint in hybrid flow.", + "type": "boolean", + "defaultValue": false, + "secret": false + } + ], + "metadata": {} + }, + { + "id": "secure-session", + "helpText": "To prevent CSRF, it refuses the client's authorization request which lacks 'nonce' parameter in OIDC flow or 'state' parameter in OAuth2 grant.", + "properties": [], + "metadata": {} + }, + { + "id": "secure-signature-algorithm", + "helpText": "It refuses the client whose signature algorithms are considered not to be secure. This is applied by server for signing ID Token, UserInfo and Access Token. Also it is used by client for Token Endpoint Authentication signature algorithm (for JWT client authenticators) and OIDC Request object. 
It accepts ES256, ES384, ES512, PS256, PS384 and PS512.", + "properties": [ + { + "name": "default-algorithm", + "label": "Default Algorithm", + "helpText": "Default signature algorithm, which will be set to clients during client registration/update in case that client does not specify any algorithm", + "type": "List", + "defaultValue": "PS256", + "options": ["PS256", "PS384", "PS512", "ES256", "ES384", "ES512"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "secure-signature-algorithm-signed-jwt", + "helpText": "It refuses the client whose JWT token signature algorithms are considered not to be secure. It accepts ES256, ES384, ES512, PS256, PS384 and PS512.", + "properties": [ + { + "name": "require-client-assertion", + "label": "Require Client Assertion", + "helpText": "If this is ON, then parameter 'client_assertion' will be required in the requests and request will fail if it is not present. If false, then parameter 'client_assertion' is not required in the requests, which is convenient for example for clients authenticating with MTLS. When 'client_assertion' parameter is present in the request, then the algorithm on the JWT from specified client assertion is always checked regardless of the value of this switch", + "type": "boolean", + "defaultValue": false, + "secret": false + } + ], + "metadata": {} + } + ], + "org.keycloak.broker.provider.IdentityProviderMapper": [ + { + "id": "facebook-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "github-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "google-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "hardcoded-attribute-idp-mapper", + "helpText": "When user is imported from provider, hardcode a value to a specific user attribute.", + "properties": [ + { + "name": "attribute", + "label": "User Attribute", + "helpText": "Name of user attribute you want to hardcode", + "type": "String", + "secret": false + }, + { + "name": "attribute.value", + "label": "User Attribute Value", + "helpText": "Value you want to hardcode", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "hardcoded-user-session-attribute-idp-mapper", + "helpText": "When user is imported from provider, hardcode a value to a specific user session attribute.", + "properties": [ + { + "name": "attribute", + "label": "User Session Attribute", + "helpText": "Name of user session attribute you want to hardcode", + "type": "String", + "secret": false + }, + { + "name": "attribute.value", + "label": "User Session Attribute Value", + "helpText": "Value you want to hardcode", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "instagram-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "keycloak-oidc-role-to-role-idp-mapper", + "helpText": "Looks for an external role in a keycloak access token. If external role exists, grant the user the specified realm or client role.", + "properties": [ + { + "name": "external.role", + "label": "External role", + "helpText": "External role to check for. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "String", + "secret": false + }, + { + "name": "role", + "label": "Role", + "helpText": "Role to grant to user if external role is present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "linkedin-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "microsoft-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-advanced-group-idp-mapper", + "helpText": "If all claims exists, assign the user to the specified group.", + "properties": [ + { + "name": "claims", + "label": "Claims", + "helpText": "Name and value of the claims to search for in token. You can reference nested claims using a '.', i.e. 'address.locality'. To use dot (.) 
literally, escape it with backslash (\\.)", + "type": "Map", + "secret": false + }, + { + "name": "are.claim.values.regex", + "label": "Regex Claim Values", + "helpText": "If enabled claim values are interpreted as regular expressions.", + "type": "boolean", + "secret": false + }, + { + "name": "group", + "label": "Group", + "helpText": "Group to assign the user to if claim is present.", + "type": "Group", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-advanced-role-idp-mapper", + "helpText": "If all claims exists, grant the user the specified realm or client role.", + "properties": [ + { + "name": "claims", + "label": "Claims", + "helpText": "Name and value of the claims to search for in token. You can reference nested claims using a '.', i.e. 'address.locality'. To use dot (.) literally, escape it with backslash (\\.)", + "type": "Map", + "secret": false + }, + { + "name": "are.claim.values.regex", + "label": "Regex Claim Values", + "helpText": "If enabled claim values are interpreted as regular expressions.", + "type": "boolean", + "secret": false + }, + { + "name": "role", + "label": "Role", + "helpText": "Role to grant to user if claim is present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-hardcoded-role-idp-mapper", + "helpText": "When user is imported from provider, hardcode a role mapping for it.", + "properties": [ + { + "name": "role", + "label": "Role", + "helpText": "Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. 
myclient.myrole", + "type": "Role", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-role-idp-mapper", + "helpText": "If a claim exists, grant the user the specified realm or client role.", + "properties": [ + { + "name": "claim", + "label": "Claim", + "helpText": "Name of claim to search for in token. You can reference nested claims using a '.', i.e. 'address.locality'. To use dot (.) literally, escape it with backslash (\\.)", + "type": "String", + "secret": false + }, + { + "name": "claim.value", + "label": "Claim Value", + "helpText": "Value the claim must have. If the claim is an array, then the value must be contained in the array.", + "type": "String", + "secret": false + }, + { + "name": "role", + "label": "Role", + "helpText": "Role to grant to user if claim is present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-user-attribute-idp-mapper", + "helpText": "Import declared claim if it exists in ID, access token or the claim set returned by the user profile endpoint into the specified user property or attribute.", + "properties": [ + { + "name": "claim", + "label": "Claim", + "helpText": "Name of claim to search for in token. You can reference nested claims using a '.', i.e. 'address.locality'. To use dot (.) literally, escape it with backslash (\\.)", + "type": "String", + "secret": false + }, + { + "name": "user.attribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store claim. 
Use email, lastName, and firstName to map to those predefined user properties.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "oidc-username-idp-mapper", + "helpText": "Format the username to import.", + "properties": [ + { + "name": "template", + "label": "Template", + "helpText": "Template to use to format the username to import. Substitutions are enclosed in ${}. For example: '${ALIAS}.${CLAIM.sub}'. ALIAS is the provider alias. CLAIM. references an ID or Access token claim. \nThe substitution can be converted to upper or lower case by appending |uppercase or |lowercase to the substituted value, e.g. '${CLAIM.sub | lowercase}", + "type": "String", + "defaultValue": "${ALIAS}.${CLAIM.preferred_username}", + "secret": false + }, + { + "name": "target", + "label": "Target", + "helpText": "Destination field for the mapper. LOCAL (default) means that the changes are applied to the username stored in local database upon user import. BROKER_ID and BROKER_USERNAME means that the changes are stored into the ID or username used for federation user lookup, respectively.", + "type": "List", + "defaultValue": "LOCAL", + "options": ["LOCAL", "BROKER_ID", "BROKER_USERNAME"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "openshift-v4-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 
'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "paypal-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "saml-advanced-role-idp-mapper", + "helpText": "If the set of attributes exists and can be matched, grant the user the specified realm or client role.", + "properties": [ + { + "name": "attributes", + "label": "Attributes", + "helpText": "Name and (regex) value of the attributes to search for in token. The configured name of an attribute is searched in SAML attribute name and attribute friendly name fields. Every given attribute description must be met to set the role. If the attribute is an array, then the value must be contained in the array. If an attribute can be found several times, then one match is sufficient.", + "type": "Map", + "secret": false + }, + { + "name": "are.attribute.values.regex", + "label": "Regex Attribute Values", + "helpText": "If enabled attribute values are interpreted as regular expressions.", + "type": "boolean", + "secret": false + }, + { + "name": "role", + "label": "Role", + "helpText": "Role to grant to user if all attributes are present. 
Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "saml-role-idp-mapper", + "helpText": "If an attribute exists, grant the user the specified realm or client role.", + "properties": [ + { + "name": "attribute.name", + "label": "Attribute Name", + "helpText": "Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead.", + "type": "String", + "secret": false + }, + { + "name": "attribute.friendly.name", + "label": "Friendly Name", + "helpText": "Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.", + "type": "String", + "secret": false + }, + { + "name": "attribute.value", + "label": "Attribute Value", + "helpText": "Value the attribute must have. If the attribute is a list, then the value must be contained in the list.", + "type": "String", + "secret": false + }, + { + "name": "role", + "label": "Role", + "helpText": "Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole", + "type": "Role", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "saml-user-attribute-idp-mapper", + "helpText": "Import declared saml attribute if it exists in assertion into the specified user property or attribute.", + "properties": [ + { + "name": "attribute.name", + "label": "Attribute Name", + "helpText": "Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead.", + "type": "String", + "secret": false + }, + { + "name": "attribute.friendly.name", + "label": "Friendly Name", + "helpText": "Friendly name of attribute to search for in assertion. 
You can leave this blank and specify a name instead.", + "type": "String", + "secret": false + }, + { + "name": "user.attribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store saml attribute. Use email, lastName, and firstName to map to those predefined user properties.", + "type": "String", + "secret": false + } + ], + "metadata": {} + }, + { + "id": "saml-username-idp-mapper", + "helpText": "Format the username to import.", + "properties": [ + { + "name": "template", + "label": "Template", + "helpText": "Template to use to format the username to import. Substitutions are enclosed in ${}. For example: '${ALIAS}.${NAMEID}'. ALIAS is the provider alias. NAMEID is that SAML name id assertion. ATTRIBUTE. references a SAML attribute where name is the attribute name or friendly name. \nThe substitution can be converted to upper or lower case by appending |uppercase or |lowercase to the substituted value, e.g. '${NAMEID | lowercase} \nLocal part of email can be extracted by appending |localpart to the substituted value, e.g. ${CLAIM.email | localpart}. If \"@\" is not part of the string, this conversion leaves the substitution untouched.", + "type": "String", + "defaultValue": "${ALIAS}.${NAMEID}", + "secret": false + }, + { + "name": "target", + "label": "Target", + "helpText": "Destination field for the mapper. LOCAL (default) means that the changes are applied to the username stored in local database upon user import. 
BROKER_ID and BROKER_USERNAME means that the changes are stored into the ID or username used for federation user lookup, respectively.", + "type": "List", + "defaultValue": "LOCAL", + "options": ["LOCAL", "BROKER_ID", "BROKER_USERNAME"], + "secret": false + } + ], + "metadata": {} + }, + { + "id": "stackoverflow-user-attribute-mapper", + "helpText": "Import user profile information if it exists in Social provider JSON data into the specified user attribute.", + "properties": [ + { + "name": "jsonField", + "label": "Social Profile JSON Field Path", + "helpText": "Path of field in Social provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. Eg. 'contact.address[0].country'.", + "type": "String", + "secret": false + }, + { + "name": "userAttribute", + "label": "User Attribute Name", + "helpText": "User attribute name to store information into.", + "type": "String", + "secret": false + } + ], + "metadata": {} + } + ] + }, + "passwordPolicies": [ + { + "id": "forceExpiredPasswordChange", + "displayName": "Expire Password", + "configType": "String", + "defaultValue": "365", + "multipleSupported": false + }, + { + "id": "hashIterations", + "displayName": "Hashing Iterations", + "configType": "int", + "defaultValue": "27500", + "multipleSupported": false + }, + { + "id": "passwordHistory", + "displayName": "Not Recently Used", + "configType": "int", + "defaultValue": "3", + "multipleSupported": false + }, + { + "id": "passwordBlacklist", + "displayName": "Password Blacklist", + "configType": "String", + "defaultValue": "", + "multipleSupported": false + }, + { + "id": "length", + "displayName": "Minimum Length", + "configType": "int", + "defaultValue": "8", + "multipleSupported": false + }, + { + "id": "regexPattern", + "displayName": "Regular Expression", + "configType": "String", + "defaultValue": "", + "multipleSupported": true + }, + { + "id": "notUsername", + "displayName": "Not Username", + 
"multipleSupported": false + }, + { + "id": "notEmail", + "displayName": "Not Email", + "multipleSupported": false + }, + { + "id": "specialChars", + "displayName": "Special Characters", + "configType": "int", + "defaultValue": "1", + "multipleSupported": false + }, + { + "id": "upperCase", + "displayName": "Uppercase Characters", + "configType": "int", + "defaultValue": "1", + "multipleSupported": false + }, + { + "id": "lowerCase", + "displayName": "Lowercase Characters", + "configType": "int", + "defaultValue": "1", + "multipleSupported": false + }, + { + "id": "digits", + "displayName": "Digits", + "configType": "int", + "defaultValue": "1", + "multipleSupported": false + }, + { + "id": "hashAlgorithm", + "displayName": "Hashing Algorithm", + "configType": "String", + "defaultValue": "pbkdf2-sha256", + "multipleSupported": false + }, + { + "id": "maxLength", + "displayName": "Maximum Length", + "configType": "int", + "defaultValue": "64", + "multipleSupported": false + } + ], + "enums": { + "operationType": ["ACTION", "CREATE", "DELETE", "UPDATE"], + "eventType": [ + "AUTHREQID_TO_TOKEN", + "AUTHREQID_TO_TOKEN_ERROR", + "CLIENT_DELETE", + "CLIENT_DELETE_ERROR", + "CLIENT_INFO", + "CLIENT_INFO_ERROR", + "CLIENT_INITIATED_ACCOUNT_LINKING", + "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", + "CLIENT_LOGIN", + "CLIENT_LOGIN_ERROR", + "CLIENT_REGISTER", + "CLIENT_REGISTER_ERROR", + "CLIENT_UPDATE", + "CLIENT_UPDATE_ERROR", + "CODE_TO_TOKEN", + "CODE_TO_TOKEN_ERROR", + "CUSTOM_REQUIRED_ACTION", + "CUSTOM_REQUIRED_ACTION_ERROR", + "DELETE_ACCOUNT", + "DELETE_ACCOUNT_ERROR", + "EXECUTE_ACTIONS", + "EXECUTE_ACTIONS_ERROR", + "EXECUTE_ACTION_TOKEN", + "EXECUTE_ACTION_TOKEN_ERROR", + "FEDERATED_IDENTITY_LINK", + "FEDERATED_IDENTITY_LINK_ERROR", + "GRANT_CONSENT", + "GRANT_CONSENT_ERROR", + "IDENTITY_PROVIDER_FIRST_LOGIN", + "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR", + "IDENTITY_PROVIDER_LINK_ACCOUNT", + "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", + "IDENTITY_PROVIDER_LOGIN", + 
"IDENTITY_PROVIDER_LOGIN_ERROR", + "IDENTITY_PROVIDER_POST_LOGIN", + "IDENTITY_PROVIDER_POST_LOGIN_ERROR", + "IDENTITY_PROVIDER_RESPONSE", + "IDENTITY_PROVIDER_RESPONSE_ERROR", + "IDENTITY_PROVIDER_RETRIEVE_TOKEN", + "IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR", + "IMPERSONATE", + "IMPERSONATE_ERROR", + "INTROSPECT_TOKEN", + "INTROSPECT_TOKEN_ERROR", + "INVALID_SIGNATURE", + "INVALID_SIGNATURE_ERROR", + "LOGIN", + "LOGIN_ERROR", + "LOGOUT", + "LOGOUT_ERROR", + "OAUTH2_DEVICE_AUTH", + "OAUTH2_DEVICE_AUTH_ERROR", + "OAUTH2_DEVICE_CODE_TO_TOKEN", + "OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR", + "OAUTH2_DEVICE_VERIFY_USER_CODE", + "OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR", + "PERMISSION_TOKEN", + "PERMISSION_TOKEN_ERROR", + "PUSHED_AUTHORIZATION_REQUEST", + "PUSHED_AUTHORIZATION_REQUEST_ERROR", + "REFRESH_TOKEN", + "REFRESH_TOKEN_ERROR", + "REGISTER", + "REGISTER_ERROR", + "REGISTER_NODE", + "REGISTER_NODE_ERROR", + "REMOVE_FEDERATED_IDENTITY", + "REMOVE_FEDERATED_IDENTITY_ERROR", + "REMOVE_TOTP", + "REMOVE_TOTP_ERROR", + "RESET_PASSWORD", + "RESET_PASSWORD_ERROR", + "RESTART_AUTHENTICATION", + "RESTART_AUTHENTICATION_ERROR", + "REVOKE_GRANT", + "REVOKE_GRANT_ERROR", + "SEND_IDENTITY_PROVIDER_LINK", + "SEND_IDENTITY_PROVIDER_LINK_ERROR", + "SEND_RESET_PASSWORD", + "SEND_RESET_PASSWORD_ERROR", + "SEND_VERIFY_EMAIL", + "SEND_VERIFY_EMAIL_ERROR", + "TOKEN_EXCHANGE", + "TOKEN_EXCHANGE_ERROR", + "UNREGISTER_NODE", + "UNREGISTER_NODE_ERROR", + "UPDATE_CONSENT", + "UPDATE_CONSENT_ERROR", + "UPDATE_EMAIL", + "UPDATE_EMAIL_ERROR", + "UPDATE_PASSWORD", + "UPDATE_PASSWORD_ERROR", + "UPDATE_PROFILE", + "UPDATE_PROFILE_ERROR", + "UPDATE_TOTP", + "UPDATE_TOTP_ERROR", + "USER_INFO_REQUEST", + "USER_INFO_REQUEST_ERROR", + "VALIDATE_ACCESS_TOKEN", + "VALIDATE_ACCESS_TOKEN_ERROR", + "VERIFY_EMAIL", + "VERIFY_EMAIL_ERROR", + "VERIFY_PROFILE", + "VERIFY_PROFILE_ERROR" + ], + "resourceType": [ + "AUTHENTICATOR_CONFIG", + "AUTHORIZATION_POLICY", + "AUTHORIZATION_RESOURCE", + 
"AUTHORIZATION_RESOURCE_SERVER",
+ "AUTHORIZATION_SCOPE",
+ "AUTH_EXECUTION",
+ "AUTH_EXECUTION_FLOW",
+ "AUTH_FLOW",
+ "CLIENT",
+ "CLIENT_INITIAL_ACCESS_MODEL",
+ "CLIENT_ROLE",
+ "CLIENT_ROLE_MAPPING",
+ "CLIENT_SCOPE",
+ "CLIENT_SCOPE_CLIENT_MAPPING",
+ "CLIENT_SCOPE_MAPPING",
+ "CLUSTER_NODE",
+ "COMPONENT",
+ "CUSTOM",
+ "GROUP",
+ "GROUP_MEMBERSHIP",
+ "IDENTITY_PROVIDER",
+ "IDENTITY_PROVIDER_MAPPER",
+ "PROTOCOL_MAPPER",
+ "REALM",
+ "REALM_ROLE",
+ "REALM_ROLE_MAPPING",
+ "REALM_SCOPE_MAPPING",
+ "REQUIRED_ACTION",
+ "USER",
+ "USER_FEDERATION_MAPPER",
+ "USER_FEDERATION_PROVIDER",
+ "USER_LOGIN_FAILURE",
+ "USER_SESSION"
+ ]
+ }
+}
diff --git a/src/realm-settings/keys/key-providers/KeyProviderForm.tsx b/src/realm-settings/keys/key-providers/KeyProviderForm.tsx
index 5fedc0e3d2..3c9120eb94 100644
--- a/src/realm-settings/keys/key-providers/KeyProviderForm.tsx
+++ b/src/realm-settings/keys/key-providers/KeyProviderForm.tsx
@@ -6,7 +6,6 @@ import {
 AlertVariant,
 FormGroup,
 ValidatedOptions,
- Switch,
 TextInput,
 PageSection,
 ActionGroup,
@@ -21,12 +20,8 @@ import { FormAccess } from "../../../components/form-access/FormAccess";
 import { HelpItem } from "../../../components/help-enabler/HelpItem";
 import { KEY_PROVIDER_TYPE } from "../../../util";
 import { ViewHeader } from "../../../components/view-header/ViewHeader";
-import AesView from "./aes-generated/View";
-import EcdsaView from "./ecdsa-generated/View";
-import HmacView from "./hmac-generated/View";
-import JavaKeystoreView from "./java-keystore/View";
-import RsaView from "./rsa/View";
-import RsaGeneratedView from "./rsa-generated/View";
+import { DynamicComponents } from "../../../components/dynamic/DynamicComponents";
+import { useServerInfo } from "../../../context/server-info/ServerInfoProvider";
 
 type KeyProviderFormProps = {
 id?: string;
@@ -34,30 +29,6 @@ type KeyProviderFormProps = { onClose?: () => void; }; -const SubView = ({ providerType }: { providerType: ProviderType }) => { - switch (providerType) { - case "aes-generated": - return ; - case "ecdsa-generated": - return ; - case "hmac-generated": - return ; - case "java-keystore": - return ; - case "rsa": - return ; - case "rsa-enc": - return ; - case "rsa-enc-generated": - return ; - case "rsa-generated": - return ; - - default: - return <>invalid view type; - } -}; - export const KeyProviderForm = ({ providerType, onClose, @@ -67,6 +38,10 @@ export const KeyProviderForm = ({ const adminClient = useAdminClient(); const { addAlert, addError } = useAlerts(); + const serverInfo = useServerInfo(); + const allComponentTypes = + serverInfo.componentTypes?.[KEY_PROVIDER_TYPE] ?? []; + const form = useForm({ shouldUnregister: false, mode: "onChange", @@ -74,6 +49,11 @@ export const KeyProviderForm = ({ const { register, control, handleSubmit, errors, reset } = form; const save = async (component: ComponentRepresentation) => { + if (component.config) + Object.entries(component.config).forEach( + ([key, value]) => + (component.config![key] = Array.isArray(value) ? value : [value]) + ); try { if (id) { await adminClient.components.update( @@ -168,66 +148,13 @@ export const KeyProviderForm = ({ )} /> - - } - > - ( - { - onChange([value.toString()]); - }} - /> - )} - /> - - - } - > - { - return ( - { - onChange([value.toString()]); - }} - /> - ); - }} - /> - - + type.id === providerType) + ?.properties || [] + } + />
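Review bot: The normalization added at the top of `save` wraps whatever the dynamic form holds, so a property the user left unset becomes `[undefined]` (serialized as `[null]`) and is sent to the server instead of being omitted, and a boolean stays a boolean inside the array, whereas the Switch controllers removed further down in this commit sent `[value.toString()]`. Unless the server is known to coerce both cases, drop nullish entries and stringify scalars, e.g. `const config = component.config ?? {};` then `config[key] = value == null ? [] : Array.isArray(value) ? value : [String(value)];` inside the loop, which also removes the `component.config!` non-null assertion inside the closure. The loop mutates the `component` object handed over by the form in place; normalizing a copy would keep the form state untouched if the request that follows fails. The body of `save` continues outside the hunk.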