-rw-r--r-- doc/source/developer/specs/index.rst 1
-rw-r--r-- doc/source/developer/specs/tracing.rst 323
-rw-r--r-- doc/source/examples/keycloak/docker-compose.yaml 18
-rw-r--r-- doc/source/examples/keycloak/etc_zuul/zuul.conf 2
-rw-r--r-- doc/source/examples/keycloak/keycloak/zuul-demo-data.json 4083
-rw-r--r-- doc/source/howtos/openid-with-keycloak.rst 13
-rw-r--r-- doc/source/tutorials/keycloak.rst 15
-rw-r--r-- playbooks/zuul-stream/fixtures/test-stream.yaml 25
-rw-r--r-- playbooks/zuul-stream/functional.yaml 113
-rw-r--r-- playbooks/zuul-stream/post.yaml 12
-rw-r--r-- playbooks/zuul-stream/validate.yaml 38
-rw-r--r-- tests/remote/test_remote_zuul_stream.py 2
-rw-r--r-- tests/unit/test_scheduler.py 12
-rw-r--r-- web/public/openapi.yaml 8
-rw-r--r-- zuul/ansible/base/callback/zuul_stream.py 103
-rwxr-xr-x zuul/ansible/base/library/zuul_console.py 50
-rw-r--r-- zuul/driver/smtp/smtpreporter.py 2
-rw-r--r-- zuul/executor/server.py 4
-rw-r--r-- zuul/scheduler.py 4
19 files changed, 2538 insertions, 2290 deletions
diff --git a/doc/source/developer/specs/index.rst b/doc/source/developer/specs/index.rst
index d96df0c26..78c11bbb8 100644
--- a/doc/source/developer/specs/index.rst
+++ b/doc/source/developer/specs/index.rst
@@ -23,3 +23,4 @@ documentation instead.
enhanced-regional-executors
tenant-resource-quota
community-matrix
+ tracing
diff --git a/doc/source/developer/specs/tracing.rst b/doc/source/developer/specs/tracing.rst
new file mode 100644
index 000000000..5e0e9e4d1
--- /dev/null
+++ b/doc/source/developer/specs/tracing.rst
@@ -0,0 +1,323 @@
+Tracing
+=======
+
+.. warning:: This is not authoritative documentation. These features
+ are not currently available in Zuul. They may change significantly
+ before final implementation, or may never be fully completed.
+
+It can be difficult for a user to understand what steps were involved
+between a trigger event (such as a patchset upload or recheck comment)
+and a buildset report. If it took an unusually long time it can be
+difficult to determine why. At present, an operator would need to
+examine logs to determine what steps were involved and the sources of
+any potential delays. Even experienced operators and developers can
+take quite some time to first collect and then analyze logs to answer
+these questions.
+
+Sometimes these answers may point to routine system operation (such as
+a delay caused by many gate resets, or preparing a large number of
+repositories). Other times they may point to deficiencies in the
+system (insufficient mergers) or bugs in the code.
+
+Being able to visualize the activities of a Zuul system can help
+operators (and potentially users) triage and diagnose issues more
+quickly and accurately. Even if examining logs is ultimately required
+in order to fully diagnose an issue, being able to narrow down the
+scope using analsys tools can greatly simplify the process.
+
+Proposed Solution
+-----------------
+
+Implementing distributed tracing in Zuul can help improve the
+observability of the system and aid operators and potentially users in
+understanding the sequence of events.
+
+By exporting information about the processing Zuul performs using the
+OpenTelemetry API, information about Zuul operations can be collected
+in any of several tools for analysis.
+
+OpenTelemetry is an Open Source protocol for exchanging observability
+data, an SDK implementing that protocol, as well as an implementation
+of a collector for distributing information to multiple backends.
+
+It supports three kinds of observability data: `traces`, `metrics`,
+and `logs`. Since Zuul already has support for metrics and logs, this
+specification proposes that we use only the support in OpenTelemtry
+for `traces`.
+
+Usage Scenarios
+~~~~~~~~~~~~~~~
+
+Usage of OpenTelemetry should be entirely optional and supplementary
+for any Zuul deployment. Log messages alone should continue to be
+sufficient to analyze any potential problem.
+
+Should a deployer wish to use OpenTelemetry tracing data, a very
+simple deployment for smaller sites may be constructed by running only
+Jaeger. Jaeger is a service that can receive, store, and display
+tracing information. The project distributes an all-in-one container
+image which can store data in local filesystem storage.
+
+https://www.jaegertracing.io/
+
+Larger sites may wish to run multiple collectors and feed data to
+larger, distributed storage backends (such as Cassandra,
+Elasticsearch, etc).
+
+Suitability to Zuul
+~~~~~~~~~~~~~~~~~~~
+
+OpenTelemetry tracing, at a high level, is designed to record
+information about events, their timing, and their relation to other
+events. At first this seems like a natural fit for Zuul, which reacts
+to events, processes events, and generates more events. However,
+OpenTelemetry's bias toward small and simple web applications is
+evident throughout its documentation and the SDK implementation.
+
+ Traces give us the big picture of what happens when a request is
+ made by user or an application.
+
+Zuul is not driven by user or application requests, and a system
+designed to record several millisecond-long events which make up the
+internal response to a user request of a web app is not necessarily
+the obvious right choice for recording sequences and combinations of
+events which frequently take hours (and sometimes days) to play out
+across multiple systems.
+
+Fortunately, the concepts and protocol implementation of OpenTelemtry
+are sufficiently well-designed for the general case to be able to
+accomodate a system like Zuul, even if the SDK makes incompatible
+assumptions that make integration difficult. There are some
+challenges to implementation, but because the concepts appear to be
+well matched, we should proceed with using the OpenTelemetry protocol
+and SDK.
+
+Spans
+~~~~~
+
+The key tracing concepts in OpenTelemety are `traces` and `spans`.
+From a data model perspective, the unit of data storage is a `span`.
+A trace itself is really just a unique ID that is common to multiple
+spans.
+
+Spans can relate to other spans as either children or links. A trace
+is generally considered to have a single 'root' span, and within the
+time period represented by that span, it may have any number of child
+spans (which may further have their own child spans).
+
+OpenTelemetry anticipates that a span on one system may spawn a child
+span on another system and includes facilities for transferring enough
+information about the parent span to a child system that the child
+system alone can emit traces for its span and any children that it
+spawns in turn.
+
+For a concrete example in Zuul, we might have a Zuul scheduler start a
+span for a buildset, and then a merger might emit a child span for
+performing the initial merge, and an executor might emit a child span
+for executing a build.
+
+Spans can relate to other spans (including spans in other traces), so
+sequences of events can be chained together without necessitating that
+they all be part of the same span or trace.
+
+Because Zuul processes series of events which may stretch for long
+periods of time, we should specify what events and actions should
+correspond to spans and traces. Spans can have arbitrary metadat
+associated with them, so we will be able to search by event or job
+ids.
+
+The following sections describe traces and their child spans.
+
+Event Ingestion
++++++++++++++++
+
+A trace will begin when Zuul receives an event and end when that event
+has been enqueued into scheduler queues (or discarded). A driver
+completing processing of an event is a definitive point in time so it
+is easy to know when to close the root span for that event's trace
+(whereas if we kept the trace open to include scheduler processing, we
+would need to know when the last trigger event spawned by the
+connection event was complete).
+
+This may include processing in internal queues by a given driver, and
+these processing steps/queues should appear as their own child spans.
+The spans should include event IDs (and potentially other information
+about the event such as change or pull request numbers) as metadata.
+
+Tenant Event Processing
++++++++++++++++++++++++
+
+A trace will begin when a scheduler begins processing a tenant event
+and ends when it has forwarded the event to all pipelines within a
+tenant. It will link to the event ingestion trace as a follow-on
+span.
+
+Queue Item
+++++++++++
+
+A trace will begin when an item is enqueued and end when it is
+dequeued. This will be quite a long trace (hours or days). It is
+expected to be the primary benefit of this telemetry effort as it will
+show the entire lifetime of a queue item. It will link to the tenant
+event processing trace as a follow-on span.
+
+Within the root span, there will be a span for each buildset (so that
+if a gate reset happens and a new buildset is created, users will see
+a series of buildset spans). Within a buildset, there will be spans
+for all of the major processing steps, such as merge operations,
+layout calculating, freezing the job graph, and freezing jobs. Each
+build will also merit a span (retried builds will get their own spans
+as well), and within a job span, there will be child spans for git
+repo prep, job setup, individual playbooks, and cleanup.
+
+SDK Challenges
+~~~~~~~~~~~~~~
+
+As a high-level concept, the idea of spans for each of these
+operations makes sense. In practice, the SDK makes implementation
+challenging.
+
+The OpenTelemtry SDK makes no provision for beginning a span on one
+system and ending it on another, so the fact that one Zuul scheduler
+might start a buildset span while another ends it is problematic.
+
+Fortunately, the OpenTelemetry API only reports spans when they end,
+not when they start. This means that we don't need to coordinate a
+"start" API call on one scheduler with an "end" API call on another.
+We can simply emit the trace with its root span at the end. However,
+any child spans emitted during that time need to know the trace ID
+they should use, which means that we at least need to store a trace ID
+and start timestamp on our starting scheduler for use by any child
+spans as well as the "end span" API call.
+
+The SDK does not support creating a span with a specific trace ID or
+start timestamp (most timestamps are automatic), but it has
+well-defined interfaces for spans and we can subclass the
+implementation to allow us to specify trace IDs and timestamps. With
+this approach, we can "virtually" start a span on one host, store its
+information in ZooKeeper with whatever long-lived object it is
+associated with (such as a QueueItem) and then make it concrete on
+another host when we end it.
+
+Alternatives
+++++++++++++
+
+This section describes some alternative ideas for dealing with the
+SDK's mismatch with Zuul concepts as well as why they weren't
+selected.
+
+* Multiple root spans with the same trace ID
+
+ Jaeger handles this relatively well, and the timeline view appears
+ as expected (multiple events with whitespace between them). The
+ graph view in Jaeger may have some trouble displaying this.
+
+ It is not clear that OpenTelemetry anticipates having multiple
+ "root" spans, so it may be best to avoid this in order to avoid
+ potential problems with other tools.
+
+* Child spans without a parent
+
+ If we emit spans that specify a parent which does not exist, Jaeger
+ will display these traces but show a warning that the parent is
+ invalid. This may occur naturally while the system is operating
+ (builds complete while a buildset is running), but should be
+ eventually corrected once an item is dequeued. In case of a serious
+ error, we may never close a parent span, which would cause this to
+ persist. We should accept that this may happen, but try to avoid it
+ happening intentionally.
+
+Links
+~~~~~
+
+Links between spans are fairly primitive in Jaeger. While the
+OpenTelemetry API includes attributes for links (so that when we link
+a queue item to an event, we could specify that it was a forwarded
+event), Jaeger does not store or render them. Instead, we are only
+left with a reference to a ``< span in another trace >`` with a
+reference type of ``FOLLOWS_FROM``. Clicking on that link will
+immediately navigate to the other trace where metadata about the trace
+will be visible, but before clicking on it, users will have little
+idea of what awaits on the other side.
+
+For this reason, we should use span links sparingly so that when they
+are encountered, users are likely to intuit what they are for and are
+not overwhelmed by multiple indistinguishable links.
+
+Events and Exceptions
+~~~~~~~~~~~~~~~~~~~~~
+
+OpenTelemetry allows events to be added to spans. Events have their
+own timestamp and attributes. These can be used to add additional
+context to spans (representing single points in time rather than
+events with duration that should be child spans). Examples might
+include receiving a request to cancel a job or dequeue an item.
+
+Events should not be used as an alternative to logs, nor should all
+log messages be copied as events. Events should be used sparingly to
+avoid overwhelming the tracing storage with data and the user with
+information.
+
+Exceptions may also be included in spans. This happens automatically
+and by default when using the context managers supplied by the SDK.
+Because many spans in Zuul will be unable to use the SDK context
+managers and any exception information would need to be explicitly
+handled and stored in ZooKeeper, we will disable inclusion of
+exception information in spans. This will provide a more consistent
+experience (so that users don't see the absence of an exception in
+tracing information to indicate the absence of an error in logs) and
+reduce the cost of supporting traces (extra storage in ZooKeeper and
+in the telemetry storage).
+
+If we decide that exception information is worth including in the
+future, this decision will be easy to revisit and reverse.
+
+Sensitive Information
+~~~~~~~~~~~~~~~~~~~~~
+
+No sensitive information (secrets, passwords, job variables, etc)
+should be included in tracing output. All output should be suitable
+for an audience of Zuul users (that is, if someone has access to the
+Zuul dashboard, then tracing data should not have any more sensitive
+information than they already have access to). For public-facing Zuul
+systems (such as OpenDev), the information should be suitable for
+public use.
+
+Protobuf and gRPC
+~~~~~~~~~~~~~~~~~
+
+The most efficient and straightforward method of transmitting data
+from Zuul to a collector (including Jaeger) is using OTLP with gRPC
+(OpenTelemetry Protocol + gRPC Remote Procedure Calls). Because
+Protobuf applications include automatically generated code, we may
+encounter the occasional version inconsistency. We may need to
+navigate package requirements more than normal due to this (especially
+if we have multiple packages that depend on protobuf).
+
+For a contemporary example, the OpenTelemetry project is in the
+process of pinning to an older version of protobuf:
+
+https://github.com/open-telemetry/opentelemetry-python/issues/2717
+
+There is an HTTP+JSON exporter as well, so in the case that something
+goes very wrong with protobuf+gRPC, that may be available as a fallback.
+
+Work Items
+----------
+
+* Add OpenTelemetry SDK and support for configuring an exporter to
+ zuul.conf
+* Implement SDK subclasses to support opening and closing spans on
+ different hosts
+* Instrument event processing in each driver
+* Instrument event processing in scheduler
+* Instrument queue items and related spans
+* Document a simple Jaeger setup as a quickstart add-on (similar to
+ authz)
+* Optional: work with OpenDev to run a public Jaeger server for
+ OpenDev
+
+The last item is not required for this specification (and not our
+choice as Zuul developers to make) but it would be nice if there were
+one available so that all Zuul users and developers have a reference
+implementation available for community collaboration.
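Review bot: The "Sensitive Information" section requires that no secrets, passwords or job variables appear in tracing output, but nothing under "Work Items" implements or tests that rule. Suggest adding a work item for an explicit allowlist of span attribute keys (the event IDs, change or pull request numbers and job ids the spec already names) with a unit test that fails when an unlisted attribute is set, since the spec has span information stored in ZooKeeper and exported to a collector that may be public for OpenDev. The exporter work item should also say whether the OTLP connection to the collector can be configured with TLS. Spelling to fix before merge: "analsys", "OpenTelemtry" (three places), "OpenTelemety", "accomodate", "metadat".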
diff --git a/doc/source/examples/keycloak/docker-compose.yaml b/doc/source/examples/keycloak/docker-compose.yaml
index 917c50231..9e70fec5f 100644
--- a/doc/source/examples/keycloak/docker-compose.yaml
+++ b/doc/source/examples/keycloak/docker-compose.yaml
@@ -7,21 +7,19 @@ version: '2.1'
services:
keycloak:
- image: docker.io/jboss/keycloak
+ image: quay.io/keycloak/keycloak:18.0
environment:
- - KEYCLOAK_USER=admin
- - KEYCLOAK_PASSWORD=kcadmin
+ - KEYCLOAK_ADMIN=admin
+ - KEYCLOAK_ADMIN_PASSWORD=kcadmin
- DB_VENDOR=h2
- - KEYCLOAK_IMPORT=/var/keycloak_import/zuul-demo-data.json
- - JAVA_OPTS_APPEND="-Djboss.socket.binding.port-offset=2"
+ - KC_HTTP_PORT=8082
ports:
- "8082:8082"
volumes:
- - "./keycloak/:/var/keycloak_import/:z"
- entrypoint: |
- /bin/sh -c '\
- /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0'
- command: []
+ - "./keycloak/:/opt/keycloak/data/import/:z"
+ command:
+ - start-dev
+ - --import-realm
networks:
- zuul
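Review bot: The unchanged context line "- DB_VENDOR=h2" is left over from the docker.io/jboss/keycloak image; the Quarkus-based quay.io/keycloak/keycloak image takes its database setting from KC_DB, and start-dev already defaults to a local H2 file, so the line can be dropped. Separately, the service now runs start-dev with the fixed admin/kcadmin credentials while "8082:8082" publishes the port on every host interface; consider "127.0.0.1:8082:8082", or have the tutorial state that this compose file is for local demonstration only.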
diff --git a/doc/source/examples/keycloak/etc_zuul/zuul.conf b/doc/source/examples/keycloak/etc_zuul/zuul.conf
index 35cabe807..f2401cc90 100644
--- a/doc/source/examples/keycloak/etc_zuul/zuul.conf
+++ b/doc/source/examples/keycloak/etc_zuul/zuul.conf
@@ -14,7 +14,7 @@ tenant_config=/etc/zuul/main.yaml
default=true
driver=OpenIDConnect
realm=zuul-demo
-issuer_id=http://keycloak:8082/auth/realms/zuul-demo
+issuer_id=http://keycloak:8082/realms/zuul-demo
client_id=zuul
[connection "gerrit"]
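Review bot: The new issuer_id value without the /auth prefix is only correct together with the move to quay.io/keycloak/keycloak:18.0 in this same commit, because issuer_id has to match the issuer URL that Keycloak actually serves and places in its tokens. A comment above issuer_id, or a sentence in the how-to, noting that older Keycloak images still serve realms under /auth/realms/ would spare readers on those versions an authentication failure that is hard to diagnose.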
diff --git a/doc/source/examples/keycloak/keycloak/zuul-demo-data.json b/doc/source/examples/keycloak/keycloak/zuul-demo-data.json
index 448267eed..194814e1b 100644
--- a/doc/source/examples/keycloak/keycloak/zuul-demo-data.json
+++ b/doc/source/examples/keycloak/keycloak/zuul-demo-data.json
@@ -1,2224 +1,1927 @@
{
- "id": "zuul-demo",
- "realm": "zuul-demo",
- "notBefore": 0,
- "revokeRefreshToken": false,
- "refreshTokenMaxReuse": 0,
- "accessTokenLifespan": 300,
- "accessTokenLifespanForImplicitFlow": 900,
- "ssoSessionIdleTimeout": 1800,
- "ssoSessionMaxLifespan": 36000,
- "ssoSessionIdleTimeoutRememberMe": 0,
- "ssoSessionMaxLifespanRememberMe": 0,
- "offlineSessionIdleTimeout": 2592000,
- "offlineSessionMaxLifespanEnabled": false,
- "offlineSessionMaxLifespan": 5184000,
- "clientSessionIdleTimeout": 0,
- "clientSessionMaxLifespan": 0,
- "clientOfflineSessionIdleTimeout": 0,
- "clientOfflineSessionMaxLifespan": 0,
- "accessCodeLifespan": 60,
- "accessCodeLifespanUserAction": 300,
- "accessCodeLifespanLogin": 1800,
- "actionTokenGeneratedByAdminLifespan": 43200,
- "actionTokenGeneratedByUserLifespan": 300,
- "enabled": true,
- "sslRequired": "external",
- "registrationAllowed": true,
- "registrationEmailAsUsername": false,
- "rememberMe": false,
- "verifyEmail": false,
- "loginWithEmailAllowed": true,
- "duplicateEmailsAllowed": false,
- "resetPasswordAllowed": false,
- "editUsernameAllowed": false,
- "bruteForceProtected": false,
- "permanentLockout": false,
- "maxFailureWaitSeconds": 900,
- "minimumQuickLoginWaitSeconds": 60,
- "waitIncrementSeconds": 60,
- "quickLoginCheckMilliSeconds": 1000,
- "maxDeltaTimeSeconds": 43200,
- "failureFactor": 30,
- "roles": {
- "realm": [
- {
- "id": "b295f2e1-c823-4f30-84b4-c534676c3ded",
- "name": "uma_authorization",
- "composite": false,
- "clientRole": false,
- "containerId": "zuul-demo",
- "attributes": {}
- },
- {
- "id": "047a5001-b3fe-452a-8fd3-985d82f7df31",
- "name": "offline_access",
- "description": "${role_offline-access}",
- "composite": false,
- "clientRole": false,
- "containerId": "zuul-demo",
- "attributes": {}
- }
- ],
- "client": {
- "realm-management": [
- {
- "id": "7e18128e-7a99-4403-8107-5a90ac0b952c",
- "name": "view-identity-providers",
- "description": "${role_view-identity-providers}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "95f5f229-415e-48ba-8bfc-ff0a750f119e",
- "name": "view-users",
- "description": "${role_view-users}",
- "composite": true,
- "composites": {
- "client": {
- "realm-management": [
- "query-groups",
- "query-users"
- ]
- }
- },
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "7cffdbb0-ced3-4fb0-98de-6b1d8506dbe4",
- "name": "manage-identity-providers",
- "description": "${role_manage-identity-providers}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "08729d50-a31e-42fd-ad81-120cdee3b1b9",
- "name": "query-clients",
- "description": "${role_query-clients}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "69ffc663-32cb-4f4e-a9af-669bd23b4edc",
- "name": "query-groups",
- "description": "${role_query-groups}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "2a9f4d72-35bb-4072-b8aa-3fe7f1ab7f26",
- "name": "view-clients",
- "description": "${role_view-clients}",
- "composite": true,
- "composites": {
- "client": {
- "realm-management": [
- "query-clients"
- ]
- }
- },
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "16c74fae-7feb-446d-9d42-08b31583ddf5",
- "name": "manage-events",
- "description": "${role_manage-events}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "30cc0071-f914-446a-9aa3-a3372d9f45c0",
- "name": "manage-authorization",
- "description": "${role_manage-authorization}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "d3d32a6d-f1da-410f-8c52-62d1b2ac7abc",
- "name": "query-realms",
- "description": "${role_query-realms}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "1f7afd46-36a8-46e8-abc1-8949836ec532",
- "name": "view-authorization",
- "description": "${role_view-authorization}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "6384baeb-1ec0-4e69-a5c2-7b632c3bfda5",
- "name": "impersonation",
- "description": "${role_impersonation}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "eefc7ff0-e2f2-4381-b034-c96d0bae3769",
- "name": "realm-admin",
- "description": "${role_realm-admin}",
- "composite": true,
- "composites": {
- "client": {
- "realm-management": [
- "view-identity-providers",
- "view-users",
- "manage-identity-providers",
- "query-clients",
- "query-groups",
- "view-clients",
- "manage-events",
- "view-authorization",
- "manage-authorization",
- "query-realms",
- "impersonation",
- "create-client",
- "manage-clients",
- "manage-users",
- "manage-realm",
- "view-events",
- "view-realm",
- "query-users"
- ]
- }
- },
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "1c104476-dc65-4df5-9f0e-3f9086a75813",
- "name": "create-client",
- "description": "${role_create-client}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "f0893b2a-770e-4b21-a430-1a9974ecc01a",
- "name": "manage-clients",
- "description": "${role_manage-clients}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "dfddee2e-682a-47ea-924c-59699f338e0c",
- "name": "manage-users",
- "description": "${role_manage-users}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "a8198df9-d3cd-460f-a48f-ccede56e08a9",
- "name": "manage-realm",
- "description": "${role_manage-realm}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "657b4b26-98c5-4963-a353-db26453f5dd2",
- "name": "view-events",
- "description": "${role_view-events}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "693093ae-6004-48be-bb22-8804f61af1c0",
- "name": "view-realm",
- "description": "${role_view-realm}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- },
- {
- "id": "418abb16-fdc3-402e-8125-52800990445b",
- "name": "query-users",
- "description": "${role_query-users}",
- "composite": false,
- "clientRole": true,
- "containerId": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "attributes": {}
- }
- ],
- "security-admin-console": [],
- "admin-cli": [],
- "account-console": [],
- "zuul": [],
- "broker": [],
- "account": [
- {
- "id": "b839cd34-f23d-4c14-8060-ed635e708b87",
- "name": "view-consent",
- "description": "${role_view-consent}",
- "composite": false,
- "clientRole": true,
- "containerId": "6fd2abe1-4aeb-4834-8a9e-e3f499d64a03",
- "attributes": {}
- },
- {
- "id": "a98bcb3b-1584-45ab-afa8-e431ddfed5e7",
- "name": "view-applications",
- "description": "${role_view-applications}",
- "composite": false,
- "clientRole": true,
- "containerId": "6fd2abe1-4aeb-4834-8a9e-e3f499d64a03",
- "attributes": {}
- },
- {
- "id": "471d721c-872c-4004-bb76-e6399f5e1fd0",
- "name": "delete-account",
- "description": "${role_delete-account}",
- "composite": false,
- "clientRole": true,
- "containerId": "6fd2abe1-4aeb-4834-8a9e-e3f499d64a03",
- "attributes": {}
- },
- {
- "id": "e5a0f953-bdcb-4136-bfbf-0c311797e57f",
- "name": "manage-account",
- "composite": false,
- "clientRole": true,
- "containerId": "6fd2abe1-4aeb-4834-8a9e-e3f499d64a03",
- "attributes": {}
- },
- {
- "id": "c8726cd0-6447-4131-9731-717897ff167a",
- "name": "manage-consent",
- "description": "${role_manage-consent}",
- "composite": true,
- "composites": {
- "client": {
- "account": [
- "view-consent"
- ]
- }
- },
- "clientRole": true,
- "containerId": "6fd2abe1-4aeb-4834-8a9e-e3f499d64a03",
- "attributes": {}
- },
- {
- "id": "eb6c2340-cecf-4095-bdc7-d14f38a9aee6",
- "name": "view-profile",
- "composite": false,
- "clientRole": true,
- "containerId": "6fd2abe1-4aeb-4834-8a9e-e3f499d64a03",
- "attributes": {}
- }
- ],
- }
- },
- "groups": [
- {
- "id": "d372cb0e-f3c8-40be-8527-73775d1f7e47",
- "name": "example-tenant-admin",
- "path": "/example-tenant-admin",
- "attributes": {},
- "realmRoles": [],
- "clientRoles": {},
- "subGroups": []
- }
- ],
- "defaultRoles": [
- "uma_authorization",
- "offline_access"
- ],
- "requiredCredentials": [
- "password"
- ],
- "otpPolicyType": "totp",
- "otpPolicyAlgorithm": "HmacSHA1",
- "otpPolicyInitialCounter": 0,
- "otpPolicyDigits": 6,
- "otpPolicyLookAheadWindow": 1,
- "otpPolicyPeriod": 30,
- "otpSupportedApplications": [
- "FreeOTP",
- "Google Authenticator"
- ],
- "webAuthnPolicyRpEntityName": "keycloak",
- "webAuthnPolicySignatureAlgorithms": [
- "ES256"
- ],
- "webAuthnPolicyRpId": "",
- "webAuthnPolicyAttestationConveyancePreference": "not specified",
- "webAuthnPolicyAuthenticatorAttachment": "not specified",
- "webAuthnPolicyRequireResidentKey": "not specified",
- "webAuthnPolicyUserVerificationRequirement": "not specified",
- "webAuthnPolicyCreateTimeout": 0,
- "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
- "webAuthnPolicyAcceptableAaguids": [],
- "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
- "webAuthnPolicyPasswordlessSignatureAlgorithms": [
- "ES256"
- ],
- "webAuthnPolicyPasswordlessRpId": "",
- "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
- "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
- "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
- "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
- "webAuthnPolicyPasswordlessCreateTimeout": 0,
- "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
- "webAuthnPolicyPasswordlessAcceptableAaguids": [],
- "users": [
- {
- "id": "3defcf9c-a89d-496e-9769-526bc65b6db6",
- "createdTimestamp": 1609929909934,
- "username": "admin",
- "enabled": true,
- "totp": false,
- "emailVerified": false,
- "firstName": "Zuul",
- "lastName": "Administrator",
- "email": "admin@example.com",
- "credentials": [
- {
- "id": "1a05a791-be4d-4060-ae6b-e117c6c8de70",
- "type": "password",
- "createdDate": 1609929922393,
- "secretData": "{\"value\":\"BtE429Fzy8ygtLLD+eEHHY5DzJr3pzDf5wBwR8ZD4HFRPPn6NldxGTy+0AEJBGAQt+dZ0eEqVV8edytNR8PwMw==\",\"salt\":\"jL8euyHG4ZQy2BUMY/LpIg==\",\"additionalParameters\":{}}",
- "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ "id" : "zuul-demo",
+ "realm" : "zuul-demo",
+ "notBefore" : 0,
+ "defaultSignatureAlgorithm" : "RS256",
+ "revokeRefreshToken" : false,
+ "refreshTokenMaxReuse" : 0,
+ "accessTokenLifespan" : 300,
+ "accessTokenLifespanForImplicitFlow" : 900,
+ "ssoSessionIdleTimeout" : 1800,
+ "ssoSessionMaxLifespan" : 36000,
+ "ssoSessionIdleTimeoutRememberMe" : 0,
+ "ssoSessionMaxLifespanRememberMe" : 0,
+ "offlineSessionIdleTimeout" : 2592000,
+ "offlineSessionMaxLifespanEnabled" : false,
+ "offlineSessionMaxLifespan" : 5184000,
+ "clientSessionIdleTimeout" : 0,
+ "clientSessionMaxLifespan" : 0,
+ "clientOfflineSessionIdleTimeout" : 0,
+ "clientOfflineSessionMaxLifespan" : 0,
+ "accessCodeLifespan" : 60,
+ "accessCodeLifespanUserAction" : 300,
+ "accessCodeLifespanLogin" : 1800,
+ "actionTokenGeneratedByAdminLifespan" : 43200,
+ "actionTokenGeneratedByUserLifespan" : 300,
+ "oauth2DeviceCodeLifespan" : 600,
+ "oauth2DevicePollingInterval" : 5,
+ "enabled" : true,
+ "sslRequired" : "external",
+ "registrationAllowed" : false,
+ "registrationEmailAsUsername" : false,
+ "rememberMe" : false,
+ "verifyEmail" : false,
+ "loginWithEmailAllowed" : true,
+ "duplicateEmailsAllowed" : false,
+ "resetPasswordAllowed" : false,
+ "editUsernameAllowed" : false,
+ "bruteForceProtected" : false,
+ "permanentLockout" : false,
+ "maxFailureWaitSeconds" : 900,
+ "minimumQuickLoginWaitSeconds" : 60,
+ "waitIncrementSeconds" : 60,
+ "quickLoginCheckMilliSeconds" : 1000,
+ "maxDeltaTimeSeconds" : 43200,
+ "failureFactor" : 30,
+ "roles" : {
+ "realm" : [ {
+ "id" : "56408c69-b6fb-4845-be59-db262fe21dea",
+ "name" : "offline_access",
+ "description" : "${role_offline-access}",
+ "composite" : false,
+ "clientRole" : false,
+ "containerId" : "zuul-demo",
+ "attributes" : { }
+ }, {
+ "id" : "156d7b5b-65fb-4c89-b3d8-c2f82e9ecdd4",
+ "name" : "default-roles-zuul-demo",
+ "description" : "${role_default-roles}",
+ "composite" : true,
+ "composites" : {
+ "realm" : [ "offline_access", "uma_authorization" ],
+ "client" : {
+ "account" : [ "view-profile", "manage-account" ]
}
- ],
- "disableableCredentialTypes": [],
- "requiredActions": [],
- "realmRoles": [
- "uma_authorization",
- "offline_access"
- ],
- "clientRoles": {
- "account": [
- "manage-account",
- "view-profile"
- ]
- },
- "notBefore": 0,
- "groups": []
- },
- {
- "id": "091fbeb0-ac10-47eb-a113-88fbb0a7988f",
- "createdTimestamp": 1609929807691,
- "username": "user1",
- "enabled": true,
- "totp": false,
- "emailVerified": false,
- "firstName": "User",
- "lastName": "One",
- "email": "user1@example.com",
- "credentials": [
- {
- "id": "caec7277-9620-4232-b07f-10076ae32e17",
- "type": "password",
- "createdDate": 1609929824753,
- "secretData": "{\"value\":\"XbD+O1HUVhvqMg2xP36il/haxbzS65GjV2YYwqJWGfJuztQCn2G5ArmeWcqMxEd6BEBnPjZCjM3tpaBSFluLvg==\",\"salt\":\"8dXWJvuUtbqZuBw3ZUL4zA==\",\"additionalParameters\":{}}",
- "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
- }
- ],
- "disableableCredentialTypes": [],
- "requiredActions": [],
- "realmRoles": [
- "uma_authorization",
- "offline_access"
- ],
- "clientRoles": {
- "account": [
- "manage-account",
- "view-profile"
- ]
- },
- "notBefore": 0,
- "groups": [
- "/example-tenant-admin"
- ]
- },
- {
- "id": "633cbfcd-43d9-4588-9c74-7af4ea007dda",
- "createdTimestamp": 1609929870956,
- "username": "user2",
- "enabled": true,
- "totp": false,
- "emailVerified": false,
- "firstName": "User",
- "lastName": "Two",
- "email": "user2@example.com",
- "credentials": [
- {
- "id": "1975173e-f07c-4223-9bf6-fa44dcd27cf0",
- "type": "password",
- "createdDate": 1609929881586,
- "secretData": "{\"value\":\"SZ0ESXObiHfCOo4m9afbnpNaZ52H0k0VVuHe2PecmUZ4FxpAXbCsUimNNsz5VVRdqhAqWJi2AcExCoKFSJzeug==\",\"salt\":\"+pc2TGNg/CjypsBPjH0YJg==\",\"additionalParameters\":{}}",
- "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
- }
- ],
- "disableableCredentialTypes": [],
- "requiredActions": [],
- "realmRoles": [
- "uma_authorization",
- "offline_access"
- ],
- "clientRoles": {
- "account": [
- "manage-account",
- "view-profile"
- ]
- },
- "notBefore": 0,
- "groups": []
- }
- ],
- "scopeMappings": [
- {
- "clientScope": "offline_access",
- "roles": [
- "offline_access"
- ]
- }
- ],
- "clientScopeMappings": {
- "account": [
- {
- "client": "account-console",
- "roles": [
- "manage-account"
- ]
- }
- ]
- },
- "clients": [
- {
- "id": "6fd2abe1-4aeb-4834-8a9e-e3f499d64a03",
- "clientId": "account",
- "name": "${client_account}",
- "rootUrl": "${authBaseUrl}",
- "baseUrl": "/realms/zuul-demo/account/",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "**********",
- "defaultRoles": [
- "manage-account",
- "view-profile"
- ],
- "redirectUris": [
- "/realms/zuul-demo/account/*"
- ],
- "webOrigins": [],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": false,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {},
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": 0,
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "id": "1958e9b1-c3ce-4bec-89bd-3b0050a4dacf",
- "clientId": "account-console",
- "name": "${client_account-console}",
- "rootUrl": "${authBaseUrl}",
- "baseUrl": "/realms/zuul-demo/account/",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "e555a236-3a76-4ac9-a55a-48f81a00535f",
- "redirectUris": [
- "/realms/zuul-demo/account/*"
- ],
- "webOrigins": [],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": true,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {
- "pkce.code.challenge.method": "S256"
- },
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": 0,
- "protocolMappers": [
- {
- "id": "5a075254-4849-43dc-b036-53c606571988",
- "name": "audience resolve",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-audience-resolve-mapper",
- "consentRequired": false,
- "config": {}
- }
- ],
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "id": "3e59f406-d6b9-45bd-b072-ef1650233625",
- "clientId": "admin-cli",
- "name": "${client_admin-cli}",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "**********",
- "redirectUris": [],
- "webOrigins": [],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": false,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": true,
- "serviceAccountsEnabled": false,
- "publicClient": true,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {},
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": 0,
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "id": "b607307d-dde7-4563-9e70-a7fa9223c229",
- "clientId": "broker",
- "name": "${client_broker}",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "**********",
- "redirectUris": [],
- "webOrigins": [],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": false,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {},
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": 0,
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "id": "63ae0908-5213-436d-b3d6-5a611eb24216",
- "clientId": "realm-management",
- "name": "${client_realm-management}",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "**********",
- "redirectUris": [],
- "webOrigins": [],
- "notBefore": 0,
- "bearerOnly": true,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": false,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {},
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": 0,
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "id": "26cb8208-4182-478b-903e-6abe9b555680",
- "clientId": "security-admin-console",
- "name": "${client_security-admin-console}",
- "rootUrl": "${authAdminUrl}",
- "baseUrl": "/admin/zuul-demo/console/",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "**********",
- "redirectUris": [
- "/admin/zuul-demo/console/*"
- ],
- "webOrigins": [
- "+"
- ],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": true,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {
- "pkce.code.challenge.method": "S256"
- },
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": 0,
- "protocolMappers": [
- {
- "id": "9077bfa3-32f2-4690-a1f4-fdb2726a6ef2",
- "name": "locale",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "locale",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "locale",
- "jsonType.label": "String"
- }
- }
- ],
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- },
- {
- "id": "118b61cd-e410-414a-a4ee-64e5722725b7",
- "clientId": "zuul",
- "description": "zuul oauth client",
- "rootUrl": "http://localhost:9000",
- "adminUrl": "http://localhost:9000",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "**********",
- "redirectUris": [
- "http://127.0.0.1:9000/*",
- "http://localhost:9000/*",
- "http://127.0.0.1:3000/*",
- "http://localhost:3000/*"
- ],
- "webOrigins": [
- "http://localhost:9000",
- "http://localhost:3000"
- ],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": true,
- "directAccessGrantsEnabled": false,
- "serviceAccountsEnabled": false,
- "publicClient": true,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {
- "saml.assertion.signature": "false",
- "saml.force.post.binding": "false",
- "saml.multivalued.roles": "false",
- "saml.encrypt": "false",
- "saml.server.signature": "false",
- "saml.server.signature.keyinfo.ext": "false",
- "exclude.session.state.from.auth.response": "true",
- "saml_force_name_id_format": "false",
- "saml.client.signature": "false",
- "tls.client.certificate.bound.access.tokens": "false",
- "saml.authnstatement": "false",
- "display.on.consent.screen": "false",
- "saml.onetimeuse.condition": "false"
- },
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": true,
- "nodeReRegistrationTimeout": -1,
- "protocolMappers": [
- {
- "id": "2389430c-5b5e-4185-a116-a89fe9b2cbe0",
- "name": "groups",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-group-membership-mapper",
- "consentRequired": false,
- "config": {
- "full.path": "false",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "groups",
- "userinfo.token.claim": "true"
- }
- }
- ],
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email",
- "zuul_audience"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- }
- ],
- "clientScopes": [
- {
- "id": "a8ff8d15-7e18-46a7-afe9-cb4b51317f21",
- "name": "address",
- "description": "OpenID Connect built-in scope: address",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${addressScopeConsentText}"
- },
- "protocolMappers": [
- {
- "id": "2fb91b25-bf0f-4d30-8c32-8da4d6e2e14a",
- "name": "address",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-address-mapper",
- "consentRequired": false,
- "config": {
- "user.attribute.formatted": "formatted",
- "user.attribute.country": "country",
- "user.attribute.postal_code": "postal_code",
- "userinfo.token.claim": "true",
- "user.attribute.street": "street",
- "id.token.claim": "true",
- "user.attribute.region": "region",
- "access.token.claim": "true",
- "user.attribute.locality": "locality"
- }
- }
- ]
- },
- {
- "id": "2491f163-0678-4222-974b-42851cb8bbea",
- "name": "email",
- "description": "OpenID Connect built-in scope: email",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${emailScopeConsentText}"
},
- "protocolMappers": [
- {
- "id": "247ada79-fd01-4e62-9231-46e09f2de990",
- "name": "email",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "email",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "email",
- "jsonType.label": "String"
+ "clientRole" : false,
+ "containerId" : "zuul-demo",
+ "attributes" : { }
+ }, {
+ "id" : "a52bd4e0-3f93-4eaf-9792-b5a2b4f564b1",
+ "name" : "uma_authorization",
+ "description" : "${role_uma_authorization}",
+ "composite" : false,
+ "clientRole" : false,
+ "containerId" : "zuul-demo",
+ "attributes" : { }
+ } ],
+ "client" : {
+ "realm-management" : [ {
+ "id" : "76b84ff6-843c-4fbc-903e-56f82324726a",
+ "name" : "query-groups",
+ "description" : "${role_query-groups}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "e95f28d5-0a2c-42e5-ac27-ba8c1e49ca9e",
+ "name" : "manage-users",
+ "description" : "${role_manage-users}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "c57c009d-8cda-40a2-9f94-9faec21684d1",
+ "name" : "view-clients",
+ "description" : "${role_view-clients}",
+ "composite" : true,
+ "composites" : {
+ "client" : {
+ "realm-management" : [ "query-clients" ]
}
},
- {
- "id": "6a89efdc-4a19-4059-943f-fbf4b0c80fbc",
- "name": "email verified",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "emailVerified",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "email_verified",
- "jsonType.label": "boolean"
- }
- }
- ]
- },
- {
- "id": "77dc1544-6890-4714-acb5-bce0d34c15d5",
- "name": "microprofile-jwt",
- "description": "Microprofile - JWT built-in scope",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "false"
- },
- "protocolMappers": [
- {
- "id": "f1cc4b3b-6f0d-4564-b157-8e7790764643",
- "name": "groups",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-realm-role-mapper",
- "consentRequired": false,
- "config": {
- "multivalued": "true",
- "userinfo.token.claim": "true",
- "user.attribute": "foo",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "groups",
- "jsonType.label": "String"
- }
- },
- {
- "id": "e9382111-9f81-455b-805a-9252c4c3db24",
- "name": "upn",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "username",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "upn",
- "jsonType.label": "String"
- }
- }
- ]
- },
- {
- "id": "7652d555-2c47-4312-85bb-b33e3f6d53ac",
- "name": "offline_access",
- "description": "OpenID Connect built-in scope: offline_access",
- "protocol": "openid-connect",
- "attributes": {
- "consent.screen.text": "${offlineAccessScopeConsentText}",
- "display.on.consent.screen": "true"
- }
- },
- {
- "id": "e0d29ae8-b246-4d7c-bb0e-9b1f3b2fb95c",
- "name": "phone",
- "description": "OpenID Connect built-in scope: phone",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${phoneScopeConsentText}"
- },
- "protocolMappers": [
- {
- "id": "b68bd653-6780-4cd7-a588-31073e2cc88b",
- "name": "phone number verified",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "phoneNumberVerified",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "phone_number_verified",
- "jsonType.label": "boolean"
- }
- },
- {
- "id": "08a83a89-6029-4c5d-9fe1-3aaaed3a1579",
- "name": "phone number",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "phoneNumber",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "phone_number",
- "jsonType.label": "String"
- }
- }
- ]
- },
- {
- "id": "2890097c-f60f-4690-a964-005272790b26",
- "name": "profile",
- "description": "OpenID Connect built-in scope: profile",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${profileScopeConsentText}"
- },
- "protocolMappers": [
- {
- "id": "c7fa5831-9380-42d8-929a-a31e89b0dca5",
- "name": "given name",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "firstName",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "given_name",
- "jsonType.label": "String"
- }
- },
- {
- "id": "fcb6f43b-0dfd-42c4-8f96-2b25078be8cf",
- "name": "middle name",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "middleName",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "middle_name",
- "jsonType.label": "String"
- }
- },
- {
- "id": "15cc1330-fc07-4852-bd72-746ea7c70fc1",
- "name": "locale",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "locale",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "locale",
- "jsonType.label": "String"
- }
- },
- {
- "id": "59e8530c-0630-46e3-b1db-629bd8bafa78",
- "name": "birthdate",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "birthdate",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "birthdate",
- "jsonType.label": "String"
- }
- },
- {
- "id": "42a077a7-5a55-4838-b952-33f049fb5fc3",
- "name": "family name",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "lastName",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "family_name",
- "jsonType.label": "String"
- }
- },
- {
- "id": "bdc4888d-48ae-4d56-b1cd-d256c50d9b64",
- "name": "nickname",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "nickname",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "nickname",
- "jsonType.label": "String"
- }
- },
- {
- "id": "97fb10c8-ff6e-4ccc-a25a-cfae87e783ef",
- "name": "profile",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "profile",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "profile",
- "jsonType.label": "String"
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "8eee1534-e312-4469-803e-ef89a2c4e02b",
+ "name" : "manage-identity-providers",
+ "description" : "${role_manage-identity-providers}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "f9b1241a-c8ba-4842-841c-7c9f6126d13e",
+ "name" : "realm-admin",
+ "description" : "${role_realm-admin}",
+ "composite" : true,
+ "composites" : {
+ "client" : {
+ "realm-management" : [ "query-groups", "view-clients", "manage-users", "view-identity-providers", "manage-identity-providers", "manage-clients", "query-realms", "manage-realm", "view-events", "create-client", "query-clients", "view-users", "view-realm", "manage-authorization", "impersonation", "query-users", "manage-events", "view-authorization" ]
}
},
- {
- "id": "adb8eb09-943b-4e6f-a7ee-bc531a55e359",
- "name": "gender",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "gender",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "gender",
- "jsonType.label": "String"
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "12782ab5-4041-4c49-962a-08d0560fd5ed",
+ "name" : "view-identity-providers",
+ "description" : "${role_view-identity-providers}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "1d33026a-2968-4b14-931a-4d855bb82bbc",
+ "name" : "manage-clients",
+ "description" : "${role_manage-clients}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "74152341-86df-4741-ad3d-2a4cc4037137",
+ "name" : "manage-realm",
+ "description" : "${role_manage-realm}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "56ac5037-efe9-4b66-a8c9-41d6c573227a",
+ "name" : "query-realms",
+ "description" : "${role_query-realms}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "9a648218-df86-4203-bc91-29825d91f802",
+ "name" : "view-events",
+ "description" : "${role_view-events}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "e6b054ff-8f2b-43e2-8d4a-f7003b893203",
+ "name" : "create-client",
+ "description" : "${role_create-client}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "3201e1fc-57b4-4531-a142-adda7c9a132a",
+ "name" : "query-clients",
+ "description" : "${role_query-clients}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "e5e6855e-215a-4741-970c-269d201a7e9c",
+ "name" : "view-realm",
+ "description" : "${role_view-realm}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "c7599b5a-5374-4867-a6f1-5f4608da8196",
+ "name" : "view-users",
+ "description" : "${role_view-users}",
+ "composite" : true,
+ "composites" : {
+ "client" : {
+ "realm-management" : [ "query-groups", "query-users" ]
}
},
- {
- "id": "c2260f1f-eb68-4186-b86c-74c23a450151",
- "name": "zoneinfo",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "zoneinfo",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "zoneinfo",
- "jsonType.label": "String"
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "36aecf8f-3265-41c1-b585-307005ee02af",
+ "name" : "manage-authorization",
+ "description" : "${role_manage-authorization}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "775ac110-9dc8-4dd5-93e7-45b61e9dd29a",
+ "name" : "impersonation",
+ "description" : "${role_impersonation}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "f00e65f4-2e53-4684-9eb4-b55c1c0ef4a3",
+ "name" : "query-users",
+ "description" : "${role_query-users}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "888e5d3f-1cb5-48f6-b3de-90acad8472f1",
+ "name" : "manage-events",
+ "description" : "${role_manage-events}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ }, {
+ "id" : "125b0c77-45a3-4772-ab9d-cf45803cb3ef",
+ "name" : "view-authorization",
+ "description" : "${role_view-authorization}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "attributes" : { }
+ } ],
+ "security-admin-console" : [ ],
+ "admin-cli" : [ ],
+ "account-console" : [ ],
+ "zuul" : [ ],
+ "broker" : [ {
+ "id" : "ec4aeaa2-8d80-47b3-a863-928f93b0157f",
+ "name" : "read-token",
+ "description" : "${role_read-token}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "1f0c06e8-299d-4818-aada-4c59e326cbf8",
+ "attributes" : { }
+ } ],
+ "account" : [ {
+ "id" : "2c559af2-6553-42bd-a98b-de61ba35901a",
+ "name" : "view-applications",
+ "description" : "${role_view-applications}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "attributes" : { }
+ }, {
+ "id" : "976602d1-7350-4204-b8a1-00fd5349c7a6",
+ "name" : "view-consent",
+ "description" : "${role_view-consent}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "attributes" : { }
+ }, {
+ "id" : "edfc8de7-a5b8-4e33-8ca8-c577c40bb3e2",
+ "name" : "view-profile",
+ "description" : "${role_view-profile}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "attributes" : { }
+ }, {
+ "id" : "307ea046-f4ae-4cd4-b170-7f583682537b",
+ "name" : "delete-account",
+ "description" : "${role_delete-account}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "attributes" : { }
+ }, {
+ "id" : "0b943331-83af-4fac-b7c9-0ac6f4b73384",
+ "name" : "manage-account",
+ "description" : "${role_manage-account}",
+ "composite" : true,
+ "composites" : {
+ "client" : {
+ "account" : [ "manage-account-links" ]
}
},
- {
- "id": "e618b191-1c20-466d-a412-9b59a221d587",
- "name": "updated at",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "updatedAt",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "updated_at",
- "jsonType.label": "String"
+ "clientRole" : true,
+ "containerId" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "attributes" : { }
+ }, {
+ "id" : "4b64f538-1336-44eb-ba18-c26859d7291a",
+ "name" : "manage-account-links",
+ "description" : "${role_manage-account-links}",
+ "composite" : false,
+ "clientRole" : true,
+ "containerId" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "attributes" : { }
+ }, {
+ "id" : "12a120c6-1df6-47f6-b0ff-a3196cef8885",
+ "name" : "manage-consent",
+ "description" : "${role_manage-consent}",
+ "composite" : true,
+ "composites" : {
+ "client" : {
+ "account" : [ "view-consent" ]
}
},
- {
- "id": "bf72e820-32b2-41ff-a812-7349dbc97dc1",
- "name": "website",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "website",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "website",
- "jsonType.label": "String"
- }
- },
- {
- "id": "00ec085d-5cdc-4009-968a-bc03843e0418",
- "name": "username",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-property-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "username",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "preferred_username",
- "jsonType.label": "String"
- }
- },
- {
- "id": "e7f8706d-04b2-4ceb-97e0-d6c50f268653",
- "name": "picture",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-attribute-mapper",
- "consentRequired": false,
- "config": {
- "userinfo.token.claim": "true",
- "user.attribute": "picture",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "picture",
- "jsonType.label": "String"
- }
- },
- {
- "id": "dc881508-6029-4af0-9ab4-bc84613d0bfe",
- "name": "full name",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-full-name-mapper",
- "consentRequired": false,
- "config": {
- "id.token.claim": "true",
- "access.token.claim": "true",
- "userinfo.token.claim": "true"
- }
- }
- ]
- },
- {
- "id": "a45a99e9-3413-4dbe-a1bf-da76d82c6887",
- "name": "role_list",
- "description": "SAML role list",
- "protocol": "saml",
- "attributes": {
- "consent.screen.text": "${samlRoleListScopeConsentText}",
- "display.on.consent.screen": "true"
- },
- "protocolMappers": [
- {
- "id": "8fdf3fb9-4eeb-4e14-986e-7c9711838ca5",
- "name": "role list",
- "protocol": "saml",
- "protocolMapper": "saml-role-list-mapper",
- "consentRequired": false,
- "config": {
- "single": "false",
- "attribute.nameformat": "Basic",
- "attribute.name": "Role"
- }
- }
- ]
- },
- {
- "id": "cf8edb74-1db4-4cc0-89fa-ec2a9ef19565",
- "name": "roles",
- "description": "OpenID Connect scope for add user roles to the access token",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "false",
- "display.on.consent.screen": "true",
- "consent.screen.text": "${rolesScopeConsentText}"
- },
- "protocolMappers": [
- {
- "id": "67629d5f-39aa-4521-b936-91964357e630",
- "name": "audience resolve",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-audience-resolve-mapper",
- "consentRequired": false,
- "config": {}
- },
- {
- "id": "75458c67-6f8c-4646-a851-c3a5f6c9c6e1",
- "name": "client roles",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-client-role-mapper",
- "consentRequired": false,
- "config": {
- "user.attribute": "foo",
- "access.token.claim": "true",
- "claim.name": "resource_access.${client_id}.roles",
- "jsonType.label": "String",
- "multivalued": "true"
- }
- },
- {
- "id": "059aa66a-7d91-4116-8b4e-51f5ab57424c",
- "name": "realm roles",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usermodel-realm-role-mapper",
- "consentRequired": false,
- "config": {
- "user.attribute": "foo",
- "access.token.claim": "true",
- "claim.name": "realm_access.roles",
- "jsonType.label": "String",
- "multivalued": "true"
- }
- }
- ]
- },
- {
- "id": "2637f0c2-5d96-4057-a032-ce8f11477048",
- "name": "web-origins",
- "description": "OpenID Connect scope for add allowed web origins to the access token",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "false",
- "display.on.consent.screen": "false",
- "consent.screen.text": ""
- },
- "protocolMappers": [
- {
- "id": "33cbf353-644c-4801-91c1-b6ca677f65d2",
- "name": "allowed web origins",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-allowed-origins-mapper",
- "consentRequired": false,
- "config": {}
- }
- ]
- },
- {
- "id": "ace09ede-6cf1-4e36-9557-91beb58ce557",
- "name": "zuul_audience",
- "description": "fix audience claim for Zuul",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "true",
- "display.on.consent.screen": "true"
- },
- "protocolMappers": [
- {
- "id": "9a1029e7-f142-4ff1-ba47-50ca6bb24073",
- "name": "zuul_audience_mapper",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-audience-mapper",
- "consentRequired": false,
- "config": {
- "included.client.audience": "zuul",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "userinfo.token.claim": "true"
- }
- }
- ]
+ "clientRole" : true,
+ "containerId" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "attributes" : { }
+ } ]
}
- ],
- "defaultDefaultClientScopes": [
- "email",
- "web-origins",
- "profile",
- "role_list",
- "roles"
- ],
- "defaultOptionalClientScopes": [
- "offline_access",
- "microprofile-jwt",
- "address",
- "phone"
- ],
- "browserSecurityHeaders": {
- "contentSecurityPolicyReportOnly": "",
- "xContentTypeOptions": "nosniff",
- "xRobotsTag": "none",
- "xFrameOptions": "SAMEORIGIN",
- "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
- "xXSSProtection": "1; mode=block",
- "strictTransportSecurity": "max-age=31536000; includeSubDomains"
},
- "smtpServer": {},
- "eventsEnabled": false,
- "eventsListeners": [
- "jboss-logging"
- ],
- "enabledEventTypes": [],
- "adminEventsEnabled": false,
- "adminEventsDetailsEnabled": false,
- "identityProviders": [],
- "identityProviderMappers": [],
- "components": {
- "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
- {
- "id": "909674c7-fb40-458b-af37-8372300725b1",
- "name": "Max Clients Limit",
- "providerId": "max-clients",
- "subType": "anonymous",
- "subComponents": {},
- "config": {
- "max-clients": [
- "200"
- ]
- }
- },
- {
- "id": "b350d08d-4298-4d76-bd94-e120b1aadd28",
- "name": "Allowed Client Scopes",
- "providerId": "allowed-client-templates",
- "subType": "anonymous",
- "subComponents": {},
- "config": {
- "allow-default-scopes": [
- "true"
- ]
- }
- },
- {
- "id": "4c1d186e-250d-497b-ac28-b7dffd021c19",
- "name": "Allowed Protocol Mapper Types",
- "providerId": "allowed-protocol-mappers",
- "subType": "anonymous",
- "subComponents": {},
- "config": {
- "allowed-protocol-mapper-types": [
- "oidc-address-mapper",
- "oidc-sha256-pairwise-sub-mapper",
- "saml-user-attribute-mapper",
- "oidc-full-name-mapper",
- "oidc-usermodel-attribute-mapper",
- "saml-user-property-mapper",
- "oidc-usermodel-property-mapper",
- "saml-role-list-mapper"
- ]
- }
- },
- {
- "id": "74a38dd7-41bf-414e-9858-f4f287c8caf3",
- "name": "Full Scope Disabled",
- "providerId": "scope",
- "subType": "anonymous",
- "subComponents": {},
- "config": {}
- },
- {
- "id": "19082549-290b-4e93-bd77-6ce5cc386b63",
- "name": "Allowed Protocol Mapper Types",
- "providerId": "allowed-protocol-mappers",
- "subType": "authenticated",
- "subComponents": {},
- "config": {
- "allowed-protocol-mapper-types": [
- "saml-user-property-mapper",
- "oidc-usermodel-attribute-mapper",
- "oidc-address-mapper",
- "oidc-usermodel-property-mapper",
- "saml-role-list-mapper",
- "saml-user-attribute-mapper",
- "oidc-full-name-mapper",
- "oidc-sha256-pairwise-sub-mapper"
- ]
- }
- },
- {
- "id": "62c50eea-fc15-40f1-a3c0-9923dcb8a8c7",
- "name": "Trusted Hosts",
- "providerId": "trusted-hosts",
- "subType": "anonymous",
- "subComponents": {},
- "config": {
- "host-sending-registration-request-must-match": [
- "true"
- ],
- "client-uris-must-match": [
- "true"
- ]
- }
- },
- {
- "id": "21095085-2c9b-45ea-99d3-9ce962ab2020",
- "name": "Allowed Client Scopes",
- "providerId": "allowed-client-templates",
- "subType": "authenticated",
- "subComponents": {},
- "config": {
- "allow-default-scopes": [
- "true"
- ]
- }
- },
- {
- "id": "36577457-a002-4b44-8029-9a599f2395a5",
- "name": "Consent Required",
- "providerId": "consent-required",
- "subType": "anonymous",
- "subComponents": {},
- "config": {}
- }
- ],
- "org.keycloak.keys.KeyProvider": [
- {
- "id": "0a6a397a-6eb1-46ab-8c6d-a3d4ea47f085",
- "name": "rsa-generated",
- "providerId": "rsa-generated",
- "subComponents": {},
- "config": {
- "privateKey": [
- "MIIEpQIBAAKCAQEA3q7PYMrX38XUpUScjbEn/4oyv5AI5TsyoFEPhgCFHzGEkeXWop3PNhh3OgFpz2Tn6qEqs9vRWi/8VDVC73lOZJWn70qfCDlr9Acmm1eKhrWkyHH6ONyg7qPj/PSsjapSsto5rVp1tdaOfObgWaLvg9dsOmbF+P6vUT6ggUD1p73KHySdDKiKHUTbaxaOVgDVTzeptDRg2iFaz+E0ETBsFKcJgXuPVd4IlxaXogDFLTKo6j2ITtnU8hw4wlqY3pkLI5OHP9EKmkV94fzmfYIoMxv4vLkwWRdz24hB459OCeDH0su25+JNnA0WA5SPRTUepeAsuZIFletYw2Mq/BFN5QIDAQABAoIBAQCX9e043VOxtjwlyAuZueJUxUdaaH1ZiStEMe0JAgPWRKF2OsVc1ZpZDRsXr204hWCqQe91K7XS+NoV0P7rkvmHNIWUi3S5VQ4xSkvzSCsVQJHB493gvdbo41iq/4Fdb3Td7oPbo9aeD1vPKnLBWKpgazrFI+tHvu1+4OEBM4YwP9KPXK4QOlxKFjzwGIeSgyMd3KnHbC6b9C8rlrf7b9Uj4UPVpGtNuPqTJyOeBTHh8CNJzYWYN0BPHk8DCMPaFkMXx42gSLsAAVOO1Kczby31Ac2IUIVDn/Z5kBmgxd6BWoVDSh1NpAlAYhK2A+LNUzveetE60CC80k387/N0JdlFAoGBAPr1v/e3rlD2pS3YA8UNQTcJjTJAvAuUw9kPXxYQd6G3UtuGwYNRw9DgZSA2E3eojzs6hLuS4W0mIVkmGwa/6SXD5TVbdaWbGO8C+x/Kxz0doRoM2AhA64uMy6zUNMwqIjroNuVn9vj8n5lMND4qqhMifYYuv9CQvyYOlXOSaFZTAoGBAOMnriWZQJqnLcd9zjr3DLxbrp/XCSLVvYRRVEleLkB+tahIFMNez50JHdTJb/TctDRfAFlZT2o0XI+FrHSqFI81UZes/cH2uqaIo+CgwRS4WY7f+Sp/ao6y+WZl2+Ip+Ao/QwjOvQ6u2jL+rCmZrPzoKoQHJaT+7WlHV2zZh9PnAoGBAOfquyCdakX/6N3YxoMPoLjP5uAN2rmJHQQ2pFSrmyKjW7rraWGF6kPZWxrNXmgyKUs+5PLC5fgMSL0t7cPrDfaMdgE9KBeGoSAfzRqwNjdQblS4kdvuwr4PuxlYcgJK3Z86gaC21xF5w7PTLGRW4R0VvpKGGVUQrtTonUxUfH9pAoGBALezd1pgvaZUXOlgDFATSvFpE6egN3s8b696Nje/Ophd4HrfECuPmUbeAIn8/dWARxuzWIzpdRfmkJRg/j667TWDYSDQfcdGyVu0VRNr7bnb/FFXQCHmOT597sOozFHyru1ai9OrnakqLrveyUw7Q3KkLv3m6cKth0IEt+cHZJkxAoGAHIGs8zI/Bp2U4Z4yHedyQ/tGF8Vk+ZehIsaHhOGEp3Cps4af5LBA5bstkArFsz+NJ7oDrxVBMUUNNypyUX4UF6EDcyZ+2vwBeill9fZqKR7BBBdC2AS6mT52gcCbFqBiGMHd+tYQj0tYnsann5e2a0ssqdXTYUn9YJO6iWh8EGY="
- ],
- "certificate": [
- "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"
- ],
- "priority": [
- "100"
- ]
- }
- },
- {
- "id": "78880d4c-8ff2-4619-82b4-02a8fbd4a624",
- "name": "hmac-generated",
- "providerId": "hmac-generated",
- "subComponents": {},
- "config": {
- "kid": [
- "a23a2cdc-8d85-4754-b885-fc14a9e1a7bc"
- ],
- "secret": [
- "k5rhshjW9QaQvYnfC4nZUzQRkLZHKJlW524t125u63s9nza8ptFhPkLl7C3AGYSS6vD3tKSfOvkGuxubsRIJKg"
- ],
- "priority": [
- "100"
- ],
- "algorithm": [
- "HS256"
- ]
- }
- },
- {
- "id": "96281deb-af4d-49f8-a35c-10993007c7df",
- "name": "aes-generated",
- "providerId": "aes-generated",
- "subComponents": {},
- "config": {
- "kid": [
- "074f1951-9f97-40ff-8f0a-4219353d6f3d"
- ],
- "secret": [
- "Csz6nXZD0tf117pBKkJ7qw"
- ],
- "priority": [
- "100"
- ]
- }
- }
- ]
+ "groups" : [ {
+ "id" : "33a7bf20-adbe-47d9-b18c-77aa9ae9f045",
+ "name" : "example-tenant-admin",
+ "path" : "/example-tenant-admin",
+ "attributes" : { },
+ "realmRoles" : [ ],
+ "clientRoles" : { },
+ "subGroups" : [ ]
+ } ],
+ "defaultRole" : {
+ "id" : "156d7b5b-65fb-4c89-b3d8-c2f82e9ecdd4",
+ "name" : "default-roles-zuul-demo",
+ "description" : "${role_default-roles}",
+ "composite" : true,
+ "clientRole" : false,
+ "containerId" : "zuul-demo"
},
- "internationalizationEnabled": false,
- "supportedLocales": [],
- "authenticationFlows": [
- {
- "id": "3e95c1d5-2e16-40ad-89d3-cc13bd514fee",
- "alias": "Account verification options",
- "description": "Method with which to verity the existing account",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "idp-email-verification",
- "requirement": "ALTERNATIVE",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "ALTERNATIVE",
- "priority": 20,
- "flowAlias": "Verify Existing Account by Re-authentication",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
- },
- {
- "id": "7143f715-1076-4c59-a039-34c5ec30d7e8",
- "alias": "Authentication Options",
- "description": "Authentication options.",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "basic-auth",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "basic-auth-otp",
- "requirement": "DISABLED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "auth-spnego",
- "requirement": "DISABLED",
- "priority": 30,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
- },
- {
- "id": "e3804922-4ffa-4e53-aa28-e982730f96a5",
- "alias": "Browser - Conditional OTP",
- "description": "Flow to determine if the OTP is required for the authentication",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "conditional-user-configured",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "auth-otp-form",
- "requirement": "REQUIRED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
- },
- {
- "id": "e5ba2a92-70f1-4559-b31a-968363222c72",
- "alias": "Direct Grant - Conditional OTP",
- "description": "Flow to determine if the OTP is required for the authentication",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "conditional-user-configured",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "direct-grant-validate-otp",
- "requirement": "REQUIRED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
- },
- {
- "id": "617c8570-c7aa-4b4a-8b52-3bb94dc7ba04",
- "alias": "First broker login - Conditional OTP",
- "description": "Flow to determine if the OTP is required for the authentication",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "conditional-user-configured",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "auth-otp-form",
- "requirement": "REQUIRED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
- },
- {
- "id": "7bf3d19b-f551-4c1f-9188-850923a403b1",
- "alias": "Handle Existing Account",
- "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "idp-confirm-link",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "REQUIRED",
- "priority": 20,
- "flowAlias": "Account verification options",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
- },
- {
- "id": "ff1dd822-547c-4e25-8c9e-5b7a3dd30504",
- "alias": "Reset - Conditional OTP",
- "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "conditional-user-configured",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "reset-otp",
- "requirement": "REQUIRED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
- },
- {
- "id": "3b586469-9250-4bbf-9af0-f3ad81ce2eaa",
- "alias": "User creation or linking",
- "description": "Flow for the existing/non-existing user alternatives",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticatorConfig": "create unique user config",
- "authenticator": "idp-create-user-if-unique",
- "requirement": "ALTERNATIVE",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "ALTERNATIVE",
- "priority": 20,
- "flowAlias": "Handle Existing Account",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
- },
- {
- "id": "80831f25-c4ab-4ad8-ad6c-f1d7b570d919",
- "alias": "Verify Existing Account by Re-authentication",
- "description": "Reauthentication of existing account",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "idp-username-password-form",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "CONDITIONAL",
- "priority": 20,
- "flowAlias": "First broker login - Conditional OTP",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
- },
- {
- "id": "dec78792-6cf8-4752-9833-18c1386423df",
- "alias": "browser",
- "description": "browser based authentication",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "auth-cookie",
- "requirement": "ALTERNATIVE",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "auth-spnego",
- "requirement": "DISABLED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "identity-provider-redirector",
- "requirement": "ALTERNATIVE",
- "priority": 25,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "ALTERNATIVE",
- "priority": 30,
- "flowAlias": "forms",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
- },
- {
- "id": "14c06286-51e3-4abc-af50-8554c57c9f8f",
- "alias": "clients",
- "description": "Base authentication for clients",
- "providerId": "client-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "client-secret",
- "requirement": "ALTERNATIVE",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "client-jwt",
- "requirement": "ALTERNATIVE",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "client-secret-jwt",
- "requirement": "ALTERNATIVE",
- "priority": 30,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "client-x509",
- "requirement": "ALTERNATIVE",
- "priority": 40,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
+ "requiredCredentials" : [ "password" ],
+ "otpPolicyType" : "totp",
+ "otpPolicyAlgorithm" : "HmacSHA1",
+ "otpPolicyInitialCounter" : 0,
+ "otpPolicyDigits" : 6,
+ "otpPolicyLookAheadWindow" : 1,
+ "otpPolicyPeriod" : 30,
+ "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ],
+ "webAuthnPolicyRpEntityName" : "keycloak",
+ "webAuthnPolicySignatureAlgorithms" : [ "ES256" ],
+ "webAuthnPolicyRpId" : "",
+ "webAuthnPolicyAttestationConveyancePreference" : "not specified",
+ "webAuthnPolicyAuthenticatorAttachment" : "not specified",
+ "webAuthnPolicyRequireResidentKey" : "not specified",
+ "webAuthnPolicyUserVerificationRequirement" : "not specified",
+ "webAuthnPolicyCreateTimeout" : 0,
+ "webAuthnPolicyAvoidSameAuthenticatorRegister" : false,
+ "webAuthnPolicyAcceptableAaguids" : [ ],
+ "webAuthnPolicyPasswordlessRpEntityName" : "keycloak",
+ "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ],
+ "webAuthnPolicyPasswordlessRpId" : "",
+ "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified",
+ "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified",
+ "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified",
+ "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified",
+ "webAuthnPolicyPasswordlessCreateTimeout" : 0,
+ "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false,
+ "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ],
+ "users" : [ {
+ "id" : "b19092bd-b767-4175-9d9a-e8749b15012b",
+ "createdTimestamp" : 1658485873780,
+ "username" : "admin",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Zuul",
+ "lastName" : "Administrator",
+ "email" : "admin@example.com",
+ "credentials" : [ {
+ "id" : "77e16b56-2d90-43f9-8064-ec1330dc9d60",
+ "type" : "password",
+ "createdDate" : 1658485888588,
+ "secretData" : "{\"value\":\"3mxFAhY4UWLcnbooTrxgKZEH3dp5H78VlxVPU0KRFveg6YtIm+onPncXU8qx3PYDcfZjCbKuPghhFSJhaXxVnw==\",\"salt\":\"PomCTIfrYWl4leXhqAkUsQ==\",\"additionalParameters\":{}}",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ } ],
+ "disableableCredentialTypes" : [ ],
+ "requiredActions" : [ ],
+ "realmRoles" : [ "default-roles-zuul-demo" ],
+ "notBefore" : 0,
+ "groups" : [ ]
+ }, {
+ "id" : "2c3b0f44-0488-42fe-acac-2d5e483b9806",
+ "createdTimestamp" : 1658485982882,
+ "username" : "user1",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "User",
+ "lastName" : "One",
+ "email" : "user1@example.com",
+ "credentials" : [ {
+ "id" : "52b67f84-8383-4684-8d45-ab9838ebda07",
+ "type" : "password",
+ "createdDate" : 1658485994760,
+ "secretData" : "{\"value\":\"RII4dJdPibGBeya28QKmZaZkumVXj0GltwHlUdv7w7IR7X+1JtlPke2Z7UfZYeb09CkHSj4xk3EaCMaQl4uUoA==\",\"salt\":\"C68vc47R5kfemCeGAbOKIQ==\",\"additionalParameters\":{}}",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ } ],
+ "disableableCredentialTypes" : [ ],
+ "requiredActions" : [ ],
+ "realmRoles" : [ "default-roles-zuul-demo" ],
+ "notBefore" : 0,
+ "groups" : [ "/example-tenant-admin" ]
+ }, {
+ "id" : "832d027d-5ef8-4968-b950-e57944dde6d6",
+ "createdTimestamp" : 1658486020309,
+ "username" : "user2",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "User",
+ "lastName" : "Two",
+ "email" : "user2@example.com",
+ "credentials" : [ {
+ "id" : "304178ea-219a-4495-bca1-76361e841ce0",
+ "type" : "password",
+ "createdDate" : 1658486030056,
+ "secretData" : "{\"value\":\"uDqEwwwGuxSMttycSI+YMRkRxHGozlWxGJ4h2YZ21CXNSpx3BN/i4xAJ47nhhZzDoZKYPVqiTpWXFgVpaYb2jA==\",\"salt\":\"ADhTsq7HIlBEZ0KmurA9/Q==\",\"additionalParameters\":{}}",
+ "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+ } ],
+ "disableableCredentialTypes" : [ ],
+ "requiredActions" : [ ],
+ "realmRoles" : [ "default-roles-zuul-demo" ],
+ "notBefore" : 0,
+ "groups" : [ ]
+ } ],
+ "scopeMappings" : [ {
+ "clientScope" : "offline_access",
+ "roles" : [ "offline_access" ]
+ } ],
+ "clientScopeMappings" : {
+ "account" : [ {
+ "client" : "account-console",
+ "roles" : [ "manage-account" ]
+ } ]
+ },
+ "clients" : [ {
+ "id" : "38f83427-736e-4570-9f68-25a8b53f0b51",
+ "clientId" : "account",
+ "name" : "${client_account}",
+ "rootUrl" : "${authBaseUrl}",
+ "baseUrl" : "/realms/zuul-demo/account/",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ "/realms/zuul-demo/account/*" ],
+ "webOrigins" : [ ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : true,
+ "frontchannelLogout" : false,
+ "protocol" : "openid-connect",
+ "attributes" : { },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : false,
+ "nodeReRegistrationTimeout" : 0,
+ "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+ }, {
+ "id" : "a124c422-d35d-4ad9-bb85-4df87ae56fb3",
+ "clientId" : "account-console",
+ "name" : "${client_account-console}",
+ "rootUrl" : "${authBaseUrl}",
+ "baseUrl" : "/realms/zuul-demo/account/",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ "/realms/zuul-demo/account/*" ],
+ "webOrigins" : [ ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : true,
+ "frontchannelLogout" : false,
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "pkce.code.challenge.method" : "S256"
},
- {
- "id": "54d29594-0183-486f-abb2-c1998d4e45c5",
- "alias": "direct grant",
- "description": "OpenID Connect Resource Owner Grant",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "direct-grant-validate-username",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "direct-grant-validate-password",
- "requirement": "REQUIRED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "CONDITIONAL",
- "priority": 30,
- "flowAlias": "Direct Grant - Conditional OTP",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : false,
+ "nodeReRegistrationTimeout" : 0,
+ "protocolMappers" : [ {
+ "id" : "849fdec6-5827-4e3e-b9bb-25fe91a8c3af",
+ "name" : "audience resolve",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-audience-resolve-mapper",
+ "consentRequired" : false,
+ "config" : { }
+ } ],
+ "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+ }, {
+ "id" : "24514749-6257-4d58-bc00-e68592d4f8ee",
+ "clientId" : "admin-cli",
+ "name" : "${client_admin-cli}",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ ],
+ "webOrigins" : [ ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : false,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : true,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : true,
+ "frontchannelLogout" : false,
+ "protocol" : "openid-connect",
+ "attributes" : { },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : false,
+ "nodeReRegistrationTimeout" : 0,
+ "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+ }, {
+ "id" : "1f0c06e8-299d-4818-aada-4c59e326cbf8",
+ "clientId" : "broker",
+ "name" : "${client_broker}",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ ],
+ "webOrigins" : [ ],
+ "notBefore" : 0,
+ "bearerOnly" : true,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : false,
+ "frontchannelLogout" : false,
+ "protocol" : "openid-connect",
+ "attributes" : { },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : false,
+ "nodeReRegistrationTimeout" : 0,
+ "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+ }, {
+ "id" : "a9986aaf-a807-43db-b27e-bfcb4a6ed680",
+ "clientId" : "realm-management",
+ "name" : "${client_realm-management}",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ ],
+ "webOrigins" : [ ],
+ "notBefore" : 0,
+ "bearerOnly" : true,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : false,
+ "frontchannelLogout" : false,
+ "protocol" : "openid-connect",
+ "attributes" : { },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : false,
+ "nodeReRegistrationTimeout" : 0,
+ "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+ }, {
+ "id" : "952f56db-5191-41fd-ac39-572ba28d9ee5",
+ "clientId" : "security-admin-console",
+ "name" : "${client_security-admin-console}",
+ "rootUrl" : "${authAdminUrl}",
+ "baseUrl" : "/admin/zuul-demo/console/",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ "/admin/zuul-demo/console/*" ],
+ "webOrigins" : [ "+" ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : true,
+ "frontchannelLogout" : false,
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "pkce.code.challenge.method" : "S256"
},
- {
- "id": "e6734c68-8029-4b27-bf56-7eccb2202903",
- "alias": "docker auth",
- "description": "Used by Docker clients to authenticate against the IDP",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "docker-http-basic-authenticator",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : false,
+ "nodeReRegistrationTimeout" : 0,
+ "protocolMappers" : [ {
+ "id" : "661a797e-0734-46b8-8c4b-17b1a58cf05a",
+ "name" : "locale",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "locale",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "locale",
+ "jsonType.label" : "String"
+ }
+ } ],
+ "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+ }, {
+ "id" : "99377c87-2fb8-4d8b-a628-6281350e7e9b",
+ "clientId" : "zuul",
+ "rootUrl" : "http://localhost:9000",
+ "adminUrl" : "http://localhost:9000",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ "http://localhost:3000/*", "http://localhost:9000/*" ],
+ "webOrigins" : [ "*" ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : true,
+ "directAccessGrantsEnabled" : true,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : true,
+ "frontchannelLogout" : false,
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "saml.force.post.binding" : "false",
+ "saml.multivalued.roles" : "false",
+ "frontchannel.logout.session.required" : "false",
+ "oauth2.device.authorization.grant.enabled" : "false",
+ "backchannel.logout.revoke.offline.tokens" : "false",
+ "saml.server.signature.keyinfo.ext" : "false",
+ "use.refresh.tokens" : "true",
+ "oidc.ciba.grant.enabled" : "false",
+ "backchannel.logout.session.required" : "true",
+ "client_credentials.use_refresh_token" : "false",
+ "require.pushed.authorization.requests" : "false",
+ "saml.client.signature" : "false",
+ "saml.allow.ecp.flow" : "false",
+ "id.token.as.detached.signature" : "false",
+ "saml.assertion.signature" : "false",
+ "saml.encrypt" : "false",
+ "saml.server.signature" : "false",
+ "exclude.session.state.from.auth.response" : "false",
+ "saml.artifact.binding" : "false",
+ "saml_force_name_id_format" : "false",
+ "acr.loa.map" : "{}",
+ "tls.client.certificate.bound.access.tokens" : "false",
+ "saml.authnstatement" : "false",
+ "display.on.consent.screen" : "false",
+ "token.response.type.bearer.lower-case" : "false",
+ "saml.onetimeuse.condition" : "false"
},
- {
- "id": "0e26f9c0-bc34-4d38-b3fe-472580bff946",
- "alias": "first broker login",
- "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticatorConfig": "review profile config",
- "authenticator": "idp-review-profile",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "REQUIRED",
- "priority": 20,
- "flowAlias": "User creation or linking",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : true,
+ "nodeReRegistrationTimeout" : -1,
+ "protocolMappers" : [ {
+ "id" : "ab67e3ef-562f-4cfa-96ad-02d9e29ed483",
+ "name" : "groups",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "multivalued" : "true",
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "foo",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "groups",
+ "jsonType.label" : "String"
+ }
+ } ],
+ "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "zuul_aud", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+ } ],
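Review bot: the added `zuul` client entry combines `"webOrigins" : [ "*" ]`, `"implicitFlowEnabled" : true` and `"directAccessGrantsEnabled" : true` on a public client with full scope allowed, whereas the regenerated `account-console` and `security-admin-console` clients in this same hunk leave the implicit flow off and set `pkce.code.challenge.method` to `S256`. If the Zuul web client can work with the authorization code flow alone, suggest limiting `webOrigins` to the two localhost origins already listed in `redirectUris`, disabling the implicit and direct-access grants, and adding the `S256` PKCE attribute. If the demo depends on these grants, a sentence in the accompanying tutorial saying the values are for the local demo only would keep them from being copied into a production realm.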
+ "clientScopes" : [ {
+ "id" : "f9da357f-356a-45a7-8ad8-b0e47413c30e",
+ "name" : "web-origins",
+ "description" : "OpenID Connect scope for add allowed web origins to the access token",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "false",
+ "display.on.consent.screen" : "false",
+ "consent.screen.text" : ""
},
- {
- "id": "6f56d749-5f06-4e2a-a043-cd4103383899",
- "alias": "forms",
- "description": "Username, password, otp and other auth forms.",
- "providerId": "basic-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "auth-username-password-form",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "CONDITIONAL",
- "priority": 20,
- "flowAlias": "Browser - Conditional OTP",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
+ "protocolMappers" : [ {
+ "id" : "2f31c90f-8237-4a54-b852-a2df857c6fc8",
+ "name" : "allowed web origins",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-allowed-origins-mapper",
+ "consentRequired" : false,
+ "config" : { }
+ } ]
+ }, {
+ "id" : "554bde36-edad-4c3b-a2f8-1461ad4181c8",
+ "name" : "role_list",
+ "description" : "SAML role list",
+ "protocol" : "saml",
+ "attributes" : {
+ "consent.screen.text" : "${samlRoleListScopeConsentText}",
+ "display.on.consent.screen" : "true"
},
- {
- "id": "4a95b320-312e-468a-978e-215747302385",
- "alias": "http challenge",
- "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "no-cookie-redirect",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "REQUIRED",
- "priority": 20,
- "flowAlias": "Authentication Options",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
+ "protocolMappers" : [ {
+ "id" : "ab8dfb24-9c7e-4018-bafe-ef3fc2dd10c6",
+ "name" : "role list",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-role-list-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "single" : "false",
+ "attribute.nameformat" : "Basic",
+ "attribute.name" : "Role"
+ }
+ } ]
+ }, {
+ "id" : "c68d1141-1188-4adb-9c88-033ea1bff03a",
+ "name" : "address",
+ "description" : "OpenID Connect built-in scope: address",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "true",
+ "display.on.consent.screen" : "true",
+ "consent.screen.text" : "${addressScopeConsentText}"
},
- {
- "id": "17678e79-9819-47f8-bbfe-3b68efb92f3d",
- "alias": "registration",
- "description": "registration flow",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "registration-page-form",
- "requirement": "REQUIRED",
- "priority": 10,
- "flowAlias": "registration form",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
+ "protocolMappers" : [ {
+ "id" : "e97f7b55-12d6-40cb-9e60-b0cee354ae8f",
+ "name" : "address",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-address-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "user.attribute.formatted" : "formatted",
+ "user.attribute.country" : "country",
+ "user.attribute.postal_code" : "postal_code",
+ "userinfo.token.claim" : "true",
+ "user.attribute.street" : "street",
+ "id.token.claim" : "true",
+ "user.attribute.region" : "region",
+ "access.token.claim" : "true",
+ "user.attribute.locality" : "locality"
+ }
+ } ]
+ }, {
+ "id" : "18ceed25-cdb0-4911-8419-b8228d5947a2",
+ "name" : "zuul_aud",
+ "description" : "zuul audience mapper",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "true",
+ "display.on.consent.screen" : "true"
},
- {
- "id": "7c23bfaa-420a-4975-a547-254bb0873457",
- "alias": "registration form",
- "description": "registration form",
- "providerId": "form-flow",
- "topLevel": false,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "registration-user-creation",
- "requirement": "REQUIRED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "registration-profile-action",
- "requirement": "REQUIRED",
- "priority": 40,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "registration-password-action",
- "requirement": "REQUIRED",
- "priority": 50,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "registration-recaptcha-action",
- "requirement": "DISABLED",
- "priority": 60,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
+ "protocolMappers" : [ {
+ "id" : "e54ce7f5-fb11-425f-ad3a-628db83c1ef2",
+ "name" : "zuul_aud_mapper",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-audience-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "included.client.audience" : "zuul",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "userinfo.token.claim" : "true"
+ }
+ } ]
+ }, {
+ "id" : "1f3ab062-a2bd-4929-9a49-434fa94b7f55",
+ "name" : "microprofile-jwt",
+ "description" : "Microprofile - JWT built-in scope",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "true",
+ "display.on.consent.screen" : "false"
},
- {
- "id": "ef21d1d8-4afd-4baf-a44d-34d657f673a4",
- "alias": "reset credentials",
- "description": "Reset credentials for a user if they forgot their password or something",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "reset-credentials-choose-user",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "reset-credential-email",
- "requirement": "REQUIRED",
- "priority": 20,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "authenticator": "reset-password",
- "requirement": "REQUIRED",
- "priority": 30,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- },
- {
- "requirement": "CONDITIONAL",
- "priority": 40,
- "flowAlias": "Reset - Conditional OTP",
- "userSetupAllowed": false,
- "autheticatorFlow": true
- }
- ]
+ "protocolMappers" : [ {
+ "id" : "80212ba7-8894-4b23-b73c-b29fb6157c41",
+ "name" : "groups",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "multivalued" : "true",
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "foo",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "groups",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "1abd1cea-5b14-41ef-b865-bb81af679932",
+ "name" : "upn",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "username",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "upn",
+ "jsonType.label" : "String"
+ }
+ } ]
+ }, {
+ "id" : "220b27ee-6e55-49c0-86a7-e2f915166bc7",
+ "name" : "phone",
+ "description" : "OpenID Connect built-in scope: phone",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "true",
+ "display.on.consent.screen" : "true",
+ "consent.screen.text" : "${phoneScopeConsentText}"
},
- {
- "id": "21fea2f5-c4e3-46af-a573-54f36aa25b4b",
- "alias": "saml ecp",
- "description": "SAML ECP Profile Authentication Flow",
- "providerId": "basic-flow",
- "topLevel": true,
- "builtIn": true,
- "authenticationExecutions": [
- {
- "authenticator": "http-basic-authenticator",
- "requirement": "REQUIRED",
- "priority": 10,
- "userSetupAllowed": false,
- "autheticatorFlow": false
- }
- ]
- }
- ],
- "authenticatorConfig": [
- {
- "id": "d093ee16-2996-4916-ba26-827877401a45",
- "alias": "create unique user config",
- "config": {
- "require.password.update.after.registration": "false"
+ "protocolMappers" : [ {
+ "id" : "82f49e59-01d9-4435-9d57-8b51ba068f95",
+ "name" : "phone number",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "phoneNumber",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "phone_number",
+ "jsonType.label" : "String"
}
+ }, {
+ "id" : "4b7d2541-a139-4f35-8b0a-7f786abf8e25",
+ "name" : "phone number verified",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "phoneNumberVerified",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "phone_number_verified",
+ "jsonType.label" : "boolean"
+ }
+ } ]
+ }, {
+ "id" : "f862a715-e18d-491f-ad37-0c77253e1519",
+ "name" : "email",
+ "description" : "OpenID Connect built-in scope: email",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "true",
+ "display.on.consent.screen" : "true",
+ "consent.screen.text" : "${emailScopeConsentText}"
},
- {
- "id": "9cf393f2-4659-473a-a1d8-2318e107fcfe",
- "alias": "review profile config",
- "config": {
- "update.profile.on.first.login": "missing"
+ "protocolMappers" : [ {
+ "id" : "195a1039-aeca-4e57-888b-1a1e802fa64d",
+ "name" : "email",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "email",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "email",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "4ccb27c0-2574-48b7-92bd-ec246306a944",
+ "name" : "email verified",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "emailVerified",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "email_verified",
+ "jsonType.label" : "boolean"
}
+ } ]
+ }, {
+ "id" : "a03e0161-18f1-4d82-8482-4c6b1b6803bf",
+ "name" : "offline_access",
+ "description" : "OpenID Connect built-in scope: offline_access",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "consent.screen.text" : "${offlineAccessScopeConsentText}",
+ "display.on.consent.screen" : "true"
}
- ],
- "requiredActions": [
- {
- "alias": "CONFIGURE_TOTP",
- "name": "Configure OTP",
- "providerId": "CONFIGURE_TOTP",
- "enabled": true,
- "defaultAction": false,
- "priority": 10,
- "config": {}
- },
- {
- "alias": "terms_and_conditions",
- "name": "Terms and Conditions",
- "providerId": "terms_and_conditions",
- "enabled": false,
- "defaultAction": false,
- "priority": 20,
- "config": {}
- },
- {
- "alias": "UPDATE_PASSWORD",
- "name": "Update Password",
- "providerId": "UPDATE_PASSWORD",
- "enabled": true,
- "defaultAction": false,
- "priority": 30,
- "config": {}
+ }, {
+ "id" : "3bc63b52-838d-48bc-b0b6-b0805901c4b0",
+ "name" : "roles",
+ "description" : "OpenID Connect scope for add user roles to the access token",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "false",
+ "display.on.consent.screen" : "true",
+ "consent.screen.text" : "${rolesScopeConsentText}"
},
- {
- "alias": "UPDATE_PROFILE",
- "name": "Update Profile",
- "providerId": "UPDATE_PROFILE",
- "enabled": true,
- "defaultAction": false,
- "priority": 40,
- "config": {}
- },
- {
- "alias": "VERIFY_EMAIL",
- "name": "Verify Email",
- "providerId": "VERIFY_EMAIL",
- "enabled": true,
- "defaultAction": false,
- "priority": 50,
- "config": {}
+ "protocolMappers" : [ {
+ "id" : "f654cdcf-ad35-483d-bc9a-36e27cf2d459",
+ "name" : "client roles",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-client-role-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "user.attribute" : "foo",
+ "access.token.claim" : "true",
+ "claim.name" : "resource_access.${client_id}.roles",
+ "jsonType.label" : "String",
+ "multivalued" : "true"
+ }
+ }, {
+ "id" : "f6b687b6-94d6-4cfd-b167-eac16d07d1ff",
+ "name" : "audience resolve",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-audience-resolve-mapper",
+ "consentRequired" : false,
+ "config" : { }
+ }, {
+ "id" : "f59d4345-6702-43ca-82d9-dc2d60c9b66e",
+ "name" : "realm roles",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "user.attribute" : "foo",
+ "access.token.claim" : "true",
+ "claim.name" : "realm_access.roles",
+ "jsonType.label" : "String",
+ "multivalued" : "true"
+ }
+ } ]
+ }, {
+ "id" : "6cdcdd5e-8a80-4366-b38f-49005db03f27",
+ "name" : "acr",
+ "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "false",
+ "display.on.consent.screen" : "false"
},
- {
- "alias": "delete_account",
- "name": "Delete Account",
- "providerId": "delete_account",
- "enabled": false,
- "defaultAction": false,
- "priority": 60,
- "config": {}
+ "protocolMappers" : [ {
+ "id" : "941b04f7-0f19-49b5-a11b-0790dcf83e3a",
+ "name" : "acr loa level",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-acr-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "userinfo.token.claim" : "true"
+ }
+ } ]
+ }, {
+ "id" : "197b457a-28ff-48c2-a879-be4eceeeaed6",
+ "name" : "profile",
+ "description" : "OpenID Connect built-in scope: profile",
+ "protocol" : "openid-connect",
+ "attributes" : {
+ "include.in.token.scope" : "true",
+ "display.on.consent.screen" : "true",
+ "consent.screen.text" : "${profileScopeConsentText}"
},
- {
- "alias": "update_user_locale",
- "name": "Update User Locale",
- "providerId": "update_user_locale",
- "enabled": true,
- "defaultAction": false,
- "priority": 1000,
- "config": {}
+ "protocolMappers" : [ {
+ "id" : "8247fb9a-2a89-4491-ae97-9a3ef846a32d",
+ "name" : "family name",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "lastName",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "family_name",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "7b71b659-4929-454d-a2f1-9e84c3ebd970",
+ "name" : "middle name",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "middleName",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "middle_name",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "58bbcd2b-77a8-4a98-b51e-b9802b0d300c",
+ "name" : "zoneinfo",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "zoneinfo",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "zoneinfo",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "2bdf1469-3ce1-408d-a6db-616a687efd20",
+ "name" : "picture",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "picture",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "picture",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "ee34f510-aa37-47f0-81b6-eee4d0bd2073",
+ "name" : "given name",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "firstName",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "given_name",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "a7e5ad5f-afe7-4e10-833a-db4ca4502083",
+ "name" : "nickname",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "nickname",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "nickname",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "6731543a-4fd5-4064-8cd6-438d59f07d98",
+ "name" : "birthdate",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "birthdate",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "birthdate",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "dfbc8ef9-be5e-476b-a4cb-8a4130b00ad7",
+ "name" : "website",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "website",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "website",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "3c2b96fc-fcff-4847-b7a5-6c915adad250",
+ "name" : "updated at",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "updatedAt",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "updated_at",
+ "jsonType.label" : "long"
+ }
+ }, {
+ "id" : "6487b361-8548-4131-9636-f5e6c1db962d",
+ "name" : "gender",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "gender",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "gender",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "4e93de0c-7f96-499e-8014-fc260fd82960",
+ "name" : "full name",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-full-name-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "userinfo.token.claim" : "true"
+ }
+ }, {
+ "id" : "7e202343-ae40-4149-985b-3f4cbf9b1588",
+ "name" : "username",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "username",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "preferred_username",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "e9175df7-260b-4fe7-8655-db30ccc9c424",
+ "name" : "locale",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "locale",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "locale",
+ "jsonType.label" : "String"
+ }
+ }, {
+ "id" : "59663d46-72dd-4ea6-b106-7a264d01ebcb",
+ "name" : "profile",
+ "protocol" : "openid-connect",
+ "protocolMapper" : "oidc-usermodel-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "userinfo.token.claim" : "true",
+ "user.attribute" : "profile",
+ "id.token.claim" : "true",
+ "access.token.claim" : "true",
+ "claim.name" : "profile",
+ "jsonType.label" : "String"
+ }
+ } ]
+ } ],
+ "defaultDefaultClientScopes" : [ "profile", "roles", "role_list", "acr", "email", "web-origins" ],
+ "defaultOptionalClientScopes" : [ "microprofile-jwt", "phone", "offline_access", "address" ],
+ "browserSecurityHeaders" : {
+ "contentSecurityPolicyReportOnly" : "",
+ "xContentTypeOptions" : "nosniff",
+ "xRobotsTag" : "none",
+ "xFrameOptions" : "SAMEORIGIN",
+ "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+ "xXSSProtection" : "1; mode=block",
+ "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
+ },
+ "smtpServer" : { },
+ "eventsEnabled" : false,
+ "eventsListeners" : [ "jboss-logging" ],
+ "enabledEventTypes" : [ ],
+ "adminEventsEnabled" : false,
+ "adminEventsDetailsEnabled" : false,
+ "identityProviders" : [ ],
+ "identityProviderMappers" : [ ],
+ "components" : {
+ "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ {
+ "id" : "c6df0a44-af38-4795-8990-ffc359a2b62b",
+ "name" : "Consent Required",
+ "providerId" : "consent-required",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : { }
+ }, {
+ "id" : "fa50952d-682b-4bf3-936c-2e35abfd810a",
+ "name" : "Allowed Client Scopes",
+ "providerId" : "allowed-client-templates",
+ "subType" : "authenticated",
+ "subComponents" : { },
+ "config" : {
+ "allow-default-scopes" : [ "true" ]
+ }
+ }, {
+ "id" : "adb59412-5ad2-4531-bcde-cdd3048e8698",
+ "name" : "Max Clients Limit",
+ "providerId" : "max-clients",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "max-clients" : [ "200" ]
+ }
+ }, {
+ "id" : "270f6a69-5b86-4a4b-b54c-1900ea3d325d",
+ "name" : "Allowed Protocol Mapper Types",
+ "providerId" : "allowed-protocol-mappers",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-address-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper" ]
+ }
+ }, {
+ "id" : "a107bb7f-7b95-4c80-bf36-0793913507b9",
+ "name" : "Trusted Hosts",
+ "providerId" : "trusted-hosts",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "host-sending-registration-request-must-match" : [ "true" ],
+ "client-uris-must-match" : [ "true" ]
+ }
+ }, {
+ "id" : "5e3c37e6-455a-4cab-9058-59d7ba1e6a91",
+ "name" : "Full Scope Disabled",
+ "providerId" : "scope",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : { }
+ }, {
+ "id" : "829ff854-352f-453e-ae71-b3ed893167e5",
+ "name" : "Allowed Protocol Mapper Types",
+ "providerId" : "allowed-protocol-mappers",
+ "subType" : "authenticated",
+ "subComponents" : { },
+ "config" : {
+ "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper" ]
+ }
+ }, {
+ "id" : "eb1f66db-d2a2-435f-958d-f385db20740e",
+ "name" : "Allowed Client Scopes",
+ "providerId" : "allowed-client-templates",
+ "subType" : "anonymous",
+ "subComponents" : { },
+ "config" : {
+ "allow-default-scopes" : [ "true" ]
+ }
+ } ],
+ "org.keycloak.keys.KeyProvider" : [ {
+ "id" : "34336282-9f58-471a-9794-440b180296aa",
+ "name" : "rsa-generated",
+ "providerId" : "rsa-generated",
+ "subComponents" : { },
+ "config" : {
+ "privateKey" : [ "MIIEowIBAAKCAQEA0fI5OZ/LCxI/TNxVpWi9q6EeaOv/yshrPOFevhg5eJ52G2uzvv7XWN4FNWMg3ln97qmZPm6PvB6utCSM776WZ5O3t1zy6KXc5LKRSF9WW/RdoLlrIAvo9R2XRpdClfc4906Dl8q8NlxC6klVkP5OwTzuH9fh36qf2BAb39F6AhosY8lfWiE7+QpF7CEvYkZTdp02PtqbV2R7DMjzhPs3aLLbJybu9BVfsdNbHdsk6owauJMtvJhIvcigk5azUk6leVp27010zv+DuWVtbMhzX+qnYy4+SnkyfKPPX1lYtQzw6pDTJuWTjcpSKgZ/68xKyVQWzNqsrSZyGWXEtmsTvwIDAQABAoIBABZMpRliyJ0/bevLB2nPSz4cme9JCd1PFlzcD0Ufq5MNObxF30ytItB0nJcEFWyooFkmOHmyIqA3nhTSQQoB81XDEeNvAvoFDAZalSXbwn934C3/I8q+mRrX7sZ3sIHfRXS3KTEJPp6DhDQAYA9Lg6/wudY2Bu7L37iCVYOba1snnUFaqSGzBqkx68SisYUpjj9LpBHwgoAO4UwTzijN6UUS0MwpxJ1Y10A3c5v3XfzAYTm9FhzT5TyrO6NgXCQIbfC5tbTdSPXbsrYiNucmqlqB/Ym/f1KSM8peBQSFt8h0yjjeVRYe2/oVfiWeDeBHdYZCCpY20RJtSKjScOcwFNkCgYEA8G3xS8DfTZonCx4mR/SU+9Yjx8KU+g/erRHhwUHATY0zV+usz/ZTBz7wfVSBLQ7MDzpbpjOVF0CjFeNgI3kS4ju0smEylwZ8ghlDa578ITArV5Wb9uECdu86ZzNzugeoGx5pZYEkqEvO1MfS3tecX8h02eCwvUCZ26WJTDu1ev0CgYEA34rmzlXqDyrBENvwKNvfL/NfTpQ6lLfAAirRov8UvKjtcRo131PDIfGzsFDMrN3640rKyY1HOiW2SDYK0NrLOmPxzitcXxVjBtqcI879qAQeMWYLdFA3R7kJE1hn8aNoC+hzjpUYjaoBXZFqQrw+HvEl0UTRErhn2FCpnnuhHGsCgYB4zqVp7PXHJmfr3DBcA3dAuy6rVwhIReUbjVqkIoef8A0WZmMk855wi52HPAjUPRUnqakXb9/AGUhY3TEXYeStLFb1MoWbATVaoZsQ3ofNnUiJ77C4cgMtA7OS23WQyfwb9EH9MNDch4rbu7QnKKt4LV8Zgx8LWQR2K007stzTeQKBgEv7ZqBTy48ENUOJvoPk2GPwEUEgWRkbrAQQkdkZYu8NbEe5ZP5X9kefZDhV/nvzp8eCMJN5lfBJyT+aPurms5VRS2uMiYU4O8SkodX6EXX+kFSyHsqWSXPzjQYqUoprxH3nsP+R5hqg4n3vY3LzkRnrVbNf9MCsNX/tSvo3g3epAoGBAM50hFFzEo6V+Tk+grZfGI47vTmQ0w+oTtImHsu6kD8fMbfP/+eq28n5BnI7yBK0kmP5Z2pOByHQfc0Dn90O7J1kwaxi4URwNUIFmWfofL11fRFtRHALH/U/LiFprkDwnmjp8qt8MutlyElcpyuDCKFWidq8lx4CfqnINzFfdWh7" ],
+ "keyUse" : [ "SIG" ],
+ "certificate" : [ "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" ],
+ "priority" : [ "100" ]
+ }
+ }, {
+ "id" : "558fe888-18c5-48e2-9c45-a072532315f7",
+ "name" : "hmac-generated",
+ "providerId" : "hmac-generated",
+ "subComponents" : { },
+ "config" : {
+ "kid" : [ "bed016a0-d455-4ef2-827a-e5deb8569f3e" ],
+ "secret" : [ "0Aph42iALP396xPal2boz2dTNi9j8gculw6H_g6ohYO1vdJdwjBUsH-GD-GCBQk49Rtxa1yNZDWrr1f-2inGfw" ],
+ "priority" : [ "100" ],
+ "algorithm" : [ "HS256" ]
+ }
+ }, {
+ "id" : "67d8a3df-b709-4726-a929-e592530f7889",
+ "name" : "rsa-enc-generated",
+ "providerId" : "rsa-enc-generated",
+ "subComponents" : { },
+ "config" : {
+ "privateKey" : [ "MIIEpAIBAAKCAQEAjXU8U4JzDj2z5+L/kAuBZGayBnqwbsRaafkQcDf2OztpEaqPZt9KbQtK7x9eev4VkXepRl6FhNgfqTfwlLWd9CQZl5dXgKXC/9kZo4WhNiKfRpFdfcFZTULKJWROgPddx8pz3tw9yU4wZDrAA5wGo6qC9v7QMu4A/ARTpGjl5gRnEFDswM9OuHGqd7oAxCskn0XPVbOVcAbs2KPB7jNopyuGsUpox3uxv79sAjEMY64Y/Da9lkBZBpCkh8v3hZtGAQTvGf4VZLx8e00U1BrKomuJuBMvaCBrnyFHGGpVxF/f4oFBcVVceJOxIamuW7ZEpWP3uLMqZhs5N02jKEHsMwIDAQABAoIBADxYhRHDFr4+iF8mMYwLvHlObifhcx7t2PxYajDVTs/Z+mq07lQecauvI5p7MV0aw6y49Ze1fxQ69tbDrHhkOiwKsng+8e9Jx7RJs2xU938Wqgf6v32EXEpfcckdz3epD3LJ5UBviFQ2bOJ1RbDEgPiVJyWjcsInUngwiFYdAeZr2oWbdTovPI5bvJFi2uAjbqgMXz4FyVrQshZFpSHNVEeuRowjfmnMVjRD2KFNG4rvF7Cs6yp4/NZ0z4FtyRp+Nw0n7tb1uri2/RSPeSt0pXKRbVtiIVd6NwX4e403SSK2orF01WWSVBbw7BnDZBgwtiY38QkYy9PJp1KlwDGC8bECgYEA2gW//RAIA6+vWktD2ru4LYPZ0237W5C8nWRrGZG+jqlSQIxW5t14NTCte/Mlz1Ixyolj0n4Vqe3p3PYp5kgrpQ/2WcS4St3LQgr+apLO8LNLQpn2/CfbAYRq5MfOyXvC0fTyC39t0Zx/rz4CPbl9NEjRLYGW0+G+EkDeSD3VGM8CgYEAphlA5mi2PJttOL2nWovOhh6ZUM0spg+eSU9qDcQtmBwdhnApvv68viIDvJ/1Yhjg1xEndBUkxm6wppWrIKOJzWlrpqYxgMaesVBPIBeGjhs8CpEadCzFjBeHzLeckf9Tg5uOq/zud8i2O/2gdsW+O/mgXebPFaDKarNJ/RFBx10CgYAbqjceaXZa4WQi1QIbM06/l8eAKKiIieklH6TnbbL8b0fcoPI2AUxLk42v+L6HfCqNRLnB7/XXxjSysRnH+shu/YOJCIlKFrLAAp0d8NsJd/bI0Liibnw/yQm3VhNLRcUG10oPY3AP9QfOuNOX+X2FsOe6GoOFB1QTBOAv0ojDyQKBgQChViJOLCPnlululfl64BYI/KvbapAV9VHAz9yp5oaLG7QqI8TI+tMGtC+BBrbpRFURUl5KSUdhX59DEFoa5/8wgVfJleC7vzHh9aoF+BQA8L9PXEaf1eVFAI4t8aOpxKKwUWcx9AsGWvV4LBGzjLwNsZlt3IYF8hrrrZ8Oq7aDGQKBgQDMDce7sMLGSI2rZcPmn15DqBxKr9fmtHH1/DGGvXlYNcI2UvzI5Lq7bOK4uu87NnHoKhSjd9EsENmFc0iYxf1F9r+3BGtYYLOWClLBhM7GXiQeGFKFGpXso7I2HVZUMpUDJaTmlmF3xlAb+VchOHvfCyFvTO4xMm7wnemDQ/ZJ+g==" ],
+ "keySize" : [ "2048" ],
+ "keyUse" : [ "ENC" ],
+ "certificate" : [ "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" ],
+ "active" : [ "false" ],
+ "priority" : [ "100" ],
+ "enabled" : [ "false" ],
+ "algorithm" : [ "RSA-OAEP" ]
+ }
+ }, {
+ "id" : "18071daa-3312-45d7-9687-80f4b713b351",
+ "name" : "aes-generated",
+ "providerId" : "aes-generated",
+ "subComponents" : { },
+ "config" : {
+ "kid" : [ "ebdbe2a3-cac0-4ceb-a691-349f9a857a4a" ],
+ "secret" : [ "G77Dlvi7V6exa6LZZjv0Aw" ],
+ "priority" : [ "100" ]
+ }
+ } ]
+ },
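Review bot: the `org.keycloak.keys.KeyProvider` entries added in this part of `zuul-demo-data.json` commit live key material in clear text: the `privateKey` values of `rsa-generated` (`keyUse` `SIG`) and `rsa-enc-generated`, and the `secret` values of `hmac-generated` (`HS256`) and `aes-generated`. Anyone who imports this realm unchanged ends up with a token-signing key that is public in the repository, so tokens for that realm can be minted by anyone who has read the file. Either remove the four key provider components from the export so that each deployment of the example gets its own keys (worth confirming that the Keycloak version used by the tutorial generates them on import), or state next to the import step in `doc/source/tutorials/keycloak.rst` and `doc/source/howtos/openid-with-keycloak.rst` that these keys are demo-only and must be rotated before the realm is used for anything beyond the tutorial.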
+ "internationalizationEnabled" : false,
+ "supportedLocales" : [ ],
+ "authenticationFlows" : [ {
+ "id" : "905f0ff4-552b-41cd-a293-54615e1cca5e",
+ "alias" : "Account verification options",
+ "description" : "Method with which to verity the existing account",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "idp-email-verification",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Verify Existing Account by Re-authentication",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "56aefed5-e44b-418b-9acf-5c8ad5a99b38",
+ "alias" : "Authentication Options",
+ "description" : "Authentication options.",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "basic-auth",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "basic-auth-otp",
+ "authenticatorFlow" : false,
+ "requirement" : "DISABLED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "auth-spnego",
+ "authenticatorFlow" : false,
+ "requirement" : "DISABLED",
+ "priority" : 30,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "ee2217ce-1a43-45da-9e42-53e967301b68",
+ "alias" : "Browser - Conditional OTP",
+ "description" : "Flow to determine if the OTP is required for the authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "auth-otp-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "a2675999-6a95-4eda-b46b-b6c23f897bb7",
+ "alias" : "Direct Grant - Conditional OTP",
+ "description" : "Flow to determine if the OTP is required for the authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "direct-grant-validate-otp",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "7088d6ca-06a0-48bb-a2bb-dc0ecd21bae2",
+ "alias" : "First broker login - Conditional OTP",
+ "description" : "Flow to determine if the OTP is required for the authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "auth-otp-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "d5a6c5aa-aa28-4d8a-b5a1-2d0df85a9979",
+ "alias" : "Handle Existing Account",
+ "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "idp-confirm-link",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Account verification options",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "940b59eb-3977-4354-8ad0-a60a513a91ca",
+ "alias" : "Reset - Conditional OTP",
+ "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "conditional-user-configured",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "reset-otp",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "653228d9-a3a7-41b1-b6c1-eaea8b2f4e87",
+ "alias" : "User creation or linking",
+ "description" : "Flow for the existing/non-existing user alternatives",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticatorConfig" : "create unique user config",
+ "authenticator" : "idp-create-user-if-unique",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Handle Existing Account",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "9c6a2dff-b711-4bbd-8606-d8939ba4d9ca",
+ "alias" : "Verify Existing Account by Re-authentication",
+ "description" : "Reauthentication of existing account",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "idp-username-password-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "First broker login - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "5c564dc9-1ea5-4977-ad52-eb6a1213b88e",
+ "alias" : "browser",
+ "description" : "browser based authentication",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "auth-cookie",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "auth-spnego",
+ "authenticatorFlow" : false,
+ "requirement" : "DISABLED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "identity-provider-redirector",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 25,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 30,
+ "autheticatorFlow" : true,
+ "flowAlias" : "forms",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "28f28120-2107-4cd5-a2bf-a139653db782",
+ "alias" : "clients",
+ "description" : "Base authentication for clients",
+ "providerId" : "client-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "client-secret",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "client-jwt",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "client-secret-jwt",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 30,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "client-x509",
+ "authenticatorFlow" : false,
+ "requirement" : "ALTERNATIVE",
+ "priority" : 40,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "c7ccf556-1270-4adb-8c9a-d50d0370acda",
+ "alias" : "direct grant",
+ "description" : "OpenID Connect Resource Owner Grant",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "direct-grant-validate-username",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "direct-grant-validate-password",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 30,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Direct Grant - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "2dd78821-8a10-4701-8131-22f02eeca193",
+ "alias" : "docker auth",
+ "description" : "Used by Docker clients to authenticate against the IDP",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "docker-http-basic-authenticator",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "3d5aad69-76b9-4859-8500-9ded3a096e22",
+ "alias" : "first broker login",
+ "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticatorConfig" : "review profile config",
+ "authenticator" : "idp-review-profile",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "User creation or linking",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "ffd3082c-2a68-425c-a248-95fc076b211c",
+ "alias" : "forms",
+ "description" : "Username, password, otp and other auth forms.",
+ "providerId" : "basic-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "auth-username-password-form",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Browser - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "1fcb0e73-4ec2-4605-9e49-cc7588a6c818",
+ "alias" : "http challenge",
+ "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "no-cookie-redirect",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Authentication Options",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "39102862-55f7-4134-be4f-918b2cbfa169",
+ "alias" : "registration",
+ "description" : "registration flow",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "registration-page-form",
+ "authenticatorFlow" : true,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : true,
+ "flowAlias" : "registration form",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "27a49f8e-4a94-4818-991e-eefddf680431",
+ "alias" : "registration form",
+ "description" : "registration form",
+ "providerId" : "form-flow",
+ "topLevel" : false,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "registration-user-creation",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "registration-profile-action",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 40,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "registration-password-action",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 50,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "registration-recaptcha-action",
+ "authenticatorFlow" : false,
+ "requirement" : "DISABLED",
+ "priority" : 60,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "c3056f11-5d2d-4e77-9a17-94168854f540",
+ "alias" : "reset credentials",
+ "description" : "Reset credentials for a user if they forgot their password or something",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "reset-credentials-choose-user",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "reset-credential-email",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 20,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticator" : "reset-password",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 30,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ }, {
+ "authenticatorFlow" : true,
+ "requirement" : "CONDITIONAL",
+ "priority" : 40,
+ "autheticatorFlow" : true,
+ "flowAlias" : "Reset - Conditional OTP",
+ "userSetupAllowed" : false
+ } ]
+ }, {
+ "id" : "a91298df-ebf0-4c98-8587-6c680a2c4ccd",
+ "alias" : "saml ecp",
+ "description" : "SAML ECP Profile Authentication Flow",
+ "providerId" : "basic-flow",
+ "topLevel" : true,
+ "builtIn" : true,
+ "authenticationExecutions" : [ {
+ "authenticator" : "http-basic-authenticator",
+ "authenticatorFlow" : false,
+ "requirement" : "REQUIRED",
+ "priority" : 10,
+ "autheticatorFlow" : false,
+ "userSetupAllowed" : false
+ } ]
+ } ],
+ "authenticatorConfig" : [ {
+ "id" : "e1a83662-2baf-4955-bf07-6c3d50bc1196",
+ "alias" : "create unique user config",
+ "config" : {
+ "require.password.update.after.registration" : "false"
+ }
+ }, {
+ "id" : "d683f0f4-7685-40e1-9521-5761fdd9e111",
+ "alias" : "review profile config",
+ "config" : {
+ "update.profile.on.first.login" : "missing"
}
- ],
- "browserFlow": "browser",
- "registrationFlow": "registration",
- "directGrantFlow": "direct grant",
- "resetCredentialsFlow": "reset credentials",
- "clientAuthenticationFlow": "clients",
- "dockerAuthenticationFlow": "docker auth",
- "attributes": {
- "clientOfflineSessionMaxLifespan": "0",
- "clientSessionIdleTimeout": "0",
- "clientSessionMaxLifespan": "0",
- "clientOfflineSessionIdleTimeout": "0"
+ } ],
+ "requiredActions" : [ {
+ "alias" : "CONFIGURE_TOTP",
+ "name" : "Configure OTP",
+ "providerId" : "CONFIGURE_TOTP",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 10,
+ "config" : { }
+ }, {
+ "alias" : "terms_and_conditions",
+ "name" : "Terms and Conditions",
+ "providerId" : "terms_and_conditions",
+ "enabled" : false,
+ "defaultAction" : false,
+ "priority" : 20,
+ "config" : { }
+ }, {
+ "alias" : "UPDATE_PASSWORD",
+ "name" : "Update Password",
+ "providerId" : "UPDATE_PASSWORD",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 30,
+ "config" : { }
+ }, {
+ "alias" : "UPDATE_PROFILE",
+ "name" : "Update Profile",
+ "providerId" : "UPDATE_PROFILE",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 40,
+ "config" : { }
+ }, {
+ "alias" : "VERIFY_EMAIL",
+ "name" : "Verify Email",
+ "providerId" : "VERIFY_EMAIL",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 50,
+ "config" : { }
+ }, {
+ "alias" : "delete_account",
+ "name" : "Delete Account",
+ "providerId" : "delete_account",
+ "enabled" : false,
+ "defaultAction" : false,
+ "priority" : 60,
+ "config" : { }
+ }, {
+ "alias" : "update_user_locale",
+ "name" : "Update User Locale",
+ "providerId" : "update_user_locale",
+ "enabled" : true,
+ "defaultAction" : false,
+ "priority" : 1000,
+ "config" : { }
+ } ],
+ "browserFlow" : "browser",
+ "registrationFlow" : "registration",
+ "directGrantFlow" : "direct grant",
+ "resetCredentialsFlow" : "reset credentials",
+ "clientAuthenticationFlow" : "clients",
+ "dockerAuthenticationFlow" : "docker auth",
+ "attributes" : {
+ "cibaBackchannelTokenDeliveryMode" : "poll",
+ "cibaExpiresIn" : "120",
+ "cibaAuthRequestedUserHint" : "login_hint",
+ "oauth2DeviceCodeLifespan" : "600",
+ "clientOfflineSessionMaxLifespan" : "0",
+ "oauth2DevicePollingInterval" : "5",
+ "clientSessionIdleTimeout" : "0",
+ "parRequestUriLifespan" : "60",
+ "clientSessionMaxLifespan" : "0",
+ "clientOfflineSessionIdleTimeout" : "0",
+ "cibaInterval" : "5"
+ },
+ "keycloakVersion" : "18.0.2",
+ "userManagedAccessAllowed" : false,
+ "clientProfiles" : {
+ "profiles" : [ ]
},
- "keycloakVersion": "12.0.1",
- "userManagedAccessAllowed": false
-}
+ "clientPolicies" : {
+ "policies" : [ ]
+ }
+} \ No newline at end of file
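Review bot: the realm export is regenerated wholesale (old `"keycloakVersion": "12.0.1"`, new `"keycloakVersion" : "18.0.2"`, and the key style changes from `"key": value` to `"key" : value`), so the intended realm changes cannot be told apart from export noise. The new file also ends without a trailing newline. Suggest describing in the commit message how the export was produced and which settings were changed on purpose, and adding the final newline.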
diff --git a/doc/source/howtos/openid-with-keycloak.rst b/doc/source/howtos/openid-with-keycloak.rst
index 74d3a27c0..7fb258fea 100644
--- a/doc/source/howtos/openid-with-keycloak.rst
+++ b/doc/source/howtos/openid-with-keycloak.rst
@@ -73,6 +73,19 @@ Finally, go back to the clients list and pick the ``zuul`` client again. Click
on ``Client Scopes``, and add the ``zuul_aud`` scope to the ``Assigned Default
Client Scopes``.
+Configuring JWT signing algorithms
+..................................
+
+.. note::
+
+ Skip this step if you are using a keycloak version prior to 18.0.
+
+Due to current limitations with the pyJWT library, Zuul does not support every default
+signing algorithm used by Keycloak.
+
+Go to `my_realm->Settings->Keys`, then choose `rsa-enc-generated` (this should be mapped
+to "RSA-OAEP") if available. Then set `enabled` to false and save your changes.
+
(Optional) Set up a social identity provider
............................................
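Review bot: the new heading "Configuring JWT signing algorithms" and the sentence about unsupported signing algorithms do not match the step itself, which disables `rsa-enc-generated` / "RSA-OAEP". RSA-OAEP is a key-encryption algorithm, not a signing one. Suggest wording this as disabling the realm's generated encryption key because of the pyJWT limitation. The added text also uses single backticks where the surrounding context uses double-backtick literals (``zuul``, ``Client Scopes``), and "keycloak" in the note should be capitalised.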
diff --git a/doc/source/tutorials/keycloak.rst b/doc/source/tutorials/keycloak.rst
index a6c011eed..5242a4f05 100644
--- a/doc/source/tutorials/keycloak.rst
+++ b/doc/source/tutorials/keycloak.rst
@@ -28,6 +28,15 @@ to `/etc/hosts`. Make sure you have a line that looks like this:
127.0.0.1 localhost keycloak
+If you are using podman, you need to add the following option in $HOME/.config/containers/containers.conf:
+
+.. code-block::
+
+ [containers]
+ no_hosts=true
+
+This way your /etc/hosts settings will not interfere with podman's networking.
+
Restart Zuul Containers
-----------------------
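Review bot: the added `.. code-block::` has no language argument, unlike the `.. code-block:: shell` blocks elsewhere in this file, and older Sphinx versions require one. Suggest `.. code-block:: ini`. It would also help to say that `no_hosts=true` under `[containers]` in `$HOME/.config/containers/containers.conf` applies to every container that user runs, not only the tutorial's.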
@@ -37,14 +46,14 @@ that we can update Zuul's configuration to add authentication.
.. code-block:: shell
cd zuul/doc/source/examples
- sudo -E docker-compose -p zuul-tutorial down
+ sudo -E docker-compose-compose -p zuul-tutorial down
Restart the containers with a new Zuul configuration.
.. code-block:: shell
cd zuul/doc/source/examples
- ZUUL_TUTORIAL_CONFIG="./keycloak/etc_zuul/" sudo -E docker-compose -p zuul-tutorial up -d
+ ZUUL_TUTORIAL_CONFIG="./keycloak/etc_zuul/" sudo -E docker-compose-compose -p zuul-tutorial up -d
This tells docker-compose to use these Zuul `config files
<https://opendev.org/zuul/zuul/src/branch/master/doc/source/examples/keycloak>`_.
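Review bot: `docker-compose-compose` in both changed commands looks like a search-and-replace slip; the removed lines used `docker-compose`, and the unchanged sentence below still says "This tells docker-compose to use these Zuul config files". As written the tutorial commands will fail with command not found. Suggest reverting both to `docker-compose`.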
@@ -58,7 +67,7 @@ with this command:
.. code-block:: shell
cd zuul/doc/source/examples/keycloak
- sudo -E docker-compose -p zuul-tutorial-keycloak up -d
+ sudo -E docker-compose-compose -p zuul-tutorial-keycloak up -d
Once Keycloak is running, you can visit the web interface at
http://localhost:8082/
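Review bot: same `docker-compose-compose` slip in the Keycloak `up -d` command here; it should stay `sudo -E docker-compose -p zuul-tutorial-keycloak up -d`.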
diff --git a/playbooks/zuul-stream/fixtures/test-stream.yaml b/playbooks/zuul-stream/fixtures/test-stream.yaml
index 05b75daf9..0326ae54e 100644
--- a/playbooks/zuul-stream/fixtures/test-stream.yaml
+++ b/playbooks/zuul-stream/fixtures/test-stream.yaml
@@ -1,3 +1,16 @@
+- name: Start zuul stream daemon
+ hosts: node
+ tasks:
+
+ # NOTE : when new_console is set, this playbook runs with
+ # ZUUL_CONSOLE_PORT=19887 so that we test with the zuul_console
+ # from the Zuul checkout, and not the one started by test
+ # infrastructure.
+ - name: Start zuul_console on non-default port
+ zuul_console:
+ port: 19887
+ when: new_console | default(false)
+
- name: Run some commands to show that logging works
hosts: node
tasks:
@@ -51,3 +64,15 @@
- name: Print binary data
command: echo -e '\x80abc'
+
+ - name: Find any console log files
+ find:
+ paths: /tmp
+ patterns: 'console-*.log'
+ register: _tmp_files
+
+ # We check this list in zuul-stream/functional.yaml to make sure
+ # we're cleaning up console log files.
+ - name: Dump tmp files
+ debug:
+ var: _tmp_files
diff --git a/playbooks/zuul-stream/functional.yaml b/playbooks/zuul-stream/functional.yaml
index ee1643fbc..7ae4704a9 100644
--- a/playbooks/zuul-stream/functional.yaml
+++ b/playbooks/zuul-stream/functional.yaml
@@ -7,71 +7,104 @@
# the python version of the platform is changed.
python_path: "/usr/local/lib/python3.10/dist-packages"
- - name: Run ansible that should succeed
+ - name: Run ansible that should succeed against testing console
command: >
/usr/lib/zuul/ansible/{{ zuul_ansible_version }}/bin/ansible-playbook
+ -e "new_console=true"
src/opendev.org/zuul/zuul/playbooks/zuul-stream/fixtures/test-stream.yaml
environment:
+ # Setup by test-stream.yaml so we start a new zuul_console
+ # from this checkout.
+ ZUUL_CONSOLE_PORT: 19887
ZUUL_JOB_LOG_CONFIG: "{{ ansible_user_dir}}/logging.json"
ZUUL_JOBDIR: "{{ ansible_user_dir}}"
PYTHONPATH: "{{ python_path }}"
+ register: _success_output
- - name: Run ansible playbook that should fail
+ - name: Save raw output to file
+ copy:
+ content: '{{ _success_output.stdout }}'
+ dest: 'console-job-output-success-19887.txt'
+
+ - name: Save output
+ shell: |
+ mv job-output.txt job-output-success-19887.txt
+ mv job-output.json job-output-success-19887.json
+
+ - name: Check protocol version
+ assert:
+ that:
+ - "'[node1] Reports streaming version: 1' in _success_output.stdout"
+
+ # Streamer puts out a line like
+ # [node1] Starting to log 916b2084-4bbb-80e5-248e-000000000016-1-node1 for task TASK: Print binary data
+ # One of the tasks in job-output shows find: results;
+ # the console file for this task should not be there.
+ - name: Validate temporary files removed
+ shell: |
+ for f in $(grep 'Starting to log' console-job-output-success-19887.txt | awk '{print $5}'); do
+ echo "Checking ${f}"
+ if grep -q '"path": "/tmp/console-'${f}'.log"' job-output-success-19887.txt; then
+ echo "*** /tmp/${f}.log still exists"
+ exit 1
+ fi
+ done
+
+ # NOTE(ianw) 2022-07 : we deliberatly have this second step to run
+ # against the console setup by the infrastructure executor in the
+ # job pre playbooks as a backwards compatability sanity check.
+ - name: Run ansible that should succeed against extant console
command: >
/usr/lib/zuul/ansible/{{ zuul_ansible_version }}/bin/ansible-playbook
- src/opendev.org/zuul/zuul/playbooks/zuul-stream/fixtures/test-stream-failure.yaml
- register: failed_results
- failed_when: "failed_results.rc != 2"
+ -e "new_console=false"
+ src/opendev.org/zuul/zuul/playbooks/zuul-stream/fixtures/test-stream.yaml
environment:
ZUUL_JOB_LOG_CONFIG: "{{ ansible_user_dir}}/logging.json"
ZUUL_JOBDIR: "{{ ansible_user_dir}}"
PYTHONPATH: "{{ python_path }}"
+ register: _success_output
- - name: Validate output - setupvar
- shell: |
- egrep "^.*\| node1 \|\s+\"setupvar\": {" job-output.txt
- egrep "^.*\| node2 \|\s+\"setupvar\": {" job-output.txt
+ - name: Save raw output to file
+ copy:
+ content: '{{ _success_output.stdout }}'
+ dest: 'console-job-output-success-19885.txt'
- - name: Validate output - shell task
+ - name: Save output
shell: |
- egrep "^.*\| node1 \| 1: lo:" job-output.txt
- egrep "^.*\| node2 \| 1: lo:" job-output.txt
+ mv job-output.txt job-output-success-19885.txt
+ mv job-output.json job-output-success-19885.json
- - name: Validate output - loop with items
- shell: |
- egrep "^.+\| node1 \| ok: Item: item1" job-output.txt
- egrep "^.+\| node1 \| ok: Item: item2" job-output.txt
- egrep "^.+\| node1 \| ok: Item: item3" job-output.txt
- egrep "^.+\| node2 \| ok: Item: item1" job-output.txt
- egrep "^.+\| node2 \| ok: Item: item2" job-output.txt
- egrep "^.+\| node2 \| ok: Item: item3" job-output.txt
+ - name: Validate outputs
+ include_tasks: validate.yaml
+ loop:
+ - job-output-success-19887.txt
+ - job-output-success-19885.txt
- - name: Validate output - loop with complex items
- shell: |
- egrep "^.+\| node1 \| ok: Item: Runtime" job-output.txt
- egrep "^.+\| node2 \| ok: Item: Runtime" job-output.txt
+ # failure case
- - name: Validate output - failed shell task
- shell: |
- egrep "^.+\| node1 \| Exception: Test module failure exception task" job-output.txt
- egrep "^.+\| node2 \| Exception: Test module failure exception task" job-output.txt
+ - name: Run ansible playbook that should fail
+ command: >
+ /usr/lib/zuul/ansible/{{ zuul_ansible_version }}/bin/ansible-playbook
+ src/opendev.org/zuul/zuul/playbooks/zuul-stream/fixtures/test-stream-failure.yaml
+ register: failed_results
+ failed_when: "failed_results.rc != 2"
+ environment:
+ ZUUL_CONSOLE_PORT: 19887
+ ZUUL_JOB_LOG_CONFIG: "{{ ansible_user_dir}}/logging.json"
+ ZUUL_JOBDIR: "{{ ansible_user_dir}}"
+ PYTHONPATH: "{{ python_path }}"
- - name: Validate output - item loop with exception
+ - name: Save output
shell: |
- egrep "^.+\| node1 \| Exception: Test module failure exception loop" job-output.txt
- egrep "^.+\| node2 \| Exception: Test module failure exception loop" job-output.txt
+ mv job-output.txt job-output-failure.txt
+ mv job-output.json job-output-failure.json
- name: Validate output - failure shell task with exception
shell: |
- egrep "^.+\| node1 \| Exception: Test module failure exception fail-task" job-output.txt
- egrep "^.+\| node2 \| Exception: Test module failure exception fail-task" job-output.txt
+ egrep "^.+\| node1 \| Exception: Test module failure exception fail-task" job-output-failure.txt
+ egrep "^.+\| node2 \| Exception: Test module failure exception fail-task" job-output-failure.txt
- name: Validate output - failure item loop with exception
shell: |
- egrep "^.+\| node1 \| Exception: Test module failure exception fail-loop" job-output.txt
- egrep "^.+\| node2 \| Exception: Test module failure exception fail-loop" job-output.txt
-
- - name: Validate output - binary data
- shell: |
- egrep "^.*\| node1 \| \\\\x80abc" job-output.txt
- egrep "^.*\| node2 \| \\\\x80abc" job-output.txt
+ egrep "^.+\| node1 \| Exception: Test module failure exception fail-loop" job-output-failure.txt
+ egrep "^.+\| node2 \| Exception: Test module failure exception fail-loop" job-output-failure.txt
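Review bot: in "Validate temporary files removed" the grep checks for `/tmp/console-'${f}'.log` but the failure message prints `/tmp/${f}.log`, which drops the `console-` prefix and points at a path that never existed; the message should name the file actually checked. The loop also depends on the UUID being the fifth whitespace-separated field of the "Starting to log" line (`awk '{print $5}'`), so a short comment tying it to that log format would help if the format changes. Minor: "deliberatly" and "compatability" in the NOTE(ianw) comment.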
diff --git a/playbooks/zuul-stream/post.yaml b/playbooks/zuul-stream/post.yaml
index 2c717a82e..4beb8d1f9 100644
--- a/playbooks/zuul-stream/post.yaml
+++ b/playbooks/zuul-stream/post.yaml
@@ -10,9 +10,6 @@
state: directory
delegate_to: localhost
- - name: Rename job-output.txt
- command: mv job-output.txt stream-job-output.txt
-
- name: Fetch files
synchronize:
src: "{{ ansible_user_dir }}/{{ item }}"
@@ -21,5 +18,10 @@
with_items:
- logging.json
- ansible.cfg
- - stream-job-output.txt
- - job-output.json
+ - console-job-output-success-19887.txt
+ - job-output-success-19887.txt
+ - job-output-success-19887.json
+ - job-output-success-19885.txt
+ - job-output-success-19885.json
+ - job-output-failure.txt
+ - job-output-failure.json
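Review bot: the fetch list includes `console-job-output-success-19887.txt` but not `console-job-output-success-19885.txt`, although functional.yaml in this change writes both raw-output files. If the 19885 run against the extant console fails, its raw callback output will not be collected. Suggest adding it to `with_items`.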
diff --git a/playbooks/zuul-stream/validate.yaml b/playbooks/zuul-stream/validate.yaml
new file mode 100644
index 000000000..73ccd873a
--- /dev/null
+++ b/playbooks/zuul-stream/validate.yaml
@@ -0,0 +1,38 @@
+- name: Validate output - setupvar
+ shell: |
+ egrep "^.*\| node1 \|\s+\"setupvar\": {" {{ item }}
+ egrep "^.*\| node2 \|\s+\"setupvar\": {" {{ item }}
+
+- name: Validate output - shell task
+ shell: |
+ egrep "^.*\| node1 \| 1: lo:" {{ item }}
+ egrep "^.*\| node2 \| 1: lo:" {{ item }}
+
+- name: Validate output - loop with items
+ shell: |
+ egrep "^.+\| node1 \| ok: Item: item1" {{ item }}
+ egrep "^.+\| node1 \| ok: Item: item2" {{ item }}
+ egrep "^.+\| node1 \| ok: Item: item3" {{ item }}
+ egrep "^.+\| node2 \| ok: Item: item1" {{ item }}
+ egrep "^.+\| node2 \| ok: Item: item2" {{ item }}
+ egrep "^.+\| node2 \| ok: Item: item3" {{ item }}
+
+- name: Validate output - loop with complex items
+ shell: |
+ egrep "^.+\| node1 \| ok: Item: Runtime" {{ item }}
+ egrep "^.+\| node2 \| ok: Item: Runtime" {{ item }}
+
+- name: Validate output - failed shell task
+ shell: |
+ egrep "^.+\| node1 \| Exception: Test module failure exception task" {{ item }}
+ egrep "^.+\| node2 \| Exception: Test module failure exception task" {{ item }}
+
+- name: Validate output - item loop with exception
+ shell: |
+ egrep "^.+\| node1 \| Exception: Test module failure exception loop" {{ item }}
+ egrep "^.+\| node2 \| Exception: Test module failure exception loop" {{ item }}
+
+- name: Validate output - binary data
+ shell: |
+ egrep "^.*\| node1 \| \\\\x80abc" {{ item }}
+ egrep "^.*\| node2 \| \\\\x80abc" {{ item }}
diff --git a/tests/remote/test_remote_zuul_stream.py b/tests/remote/test_remote_zuul_stream.py
index 1f6b7fff7..1c705127e 100644
--- a/tests/remote/test_remote_zuul_stream.py
+++ b/tests/remote/test_remote_zuul_stream.py
@@ -29,7 +29,7 @@ class FunctionalZuulStreamMixIn:
self.log_console_port = 19000 + int(
self.ansible_core_version.split('.')[1])
self.executor_server.log_console_port = self.log_console_port
- self.wait_timeout = 120
+ self.wait_timeout = 180
self.fake_nodepool.remote_ansible = True
ansible_remote = os.environ.get('ZUUL_REMOTE_IPV4')
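Review bot: `self.wait_timeout` goes from 120 to 180 with no comment saying why. If this is to cover the extra reconnects introduced by the version handshake and cleanup in zuul_stream, say so next to the value so a later reader knows whether it can be lowered again.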
diff --git a/tests/unit/test_scheduler.py b/tests/unit/test_scheduler.py
index 5e0385be3..66c508fea 100644
--- a/tests/unit/test_scheduler.py
+++ b/tests/unit/test_scheduler.py
@@ -226,6 +226,18 @@ class TestSchedulerZoneFallback(ZuulTestCase):
def test_jobs_executed(self):
"Test that jobs are executed and a change is merged per zone"
self.hold_jobs_in_queue = True
+
+ # Validate that the reported executor stats are correct. Since
+ # the executor accepts zoned and unzoned job it should be counted
+ # in both metrics.
+ self.assertReportedStat(
+ 'zuul.executors.online', value='1', kind='g')
+ self.assertReportedStat(
+ 'zuul.executors.unzoned.online', value='1', kind='g')
+ self.assertReportedStat(
+ 'zuul.executors.zone.test-provider_vpn.online',
+ value='1', kind='g')
+
A = self.fake_gerrit.addFakeChange('org/project', 'master', 'A')
A.addApproval('Code-Review', 2)
self.fake_gerrit.addEvent(A.addApproval('Approved', 1))
diff --git a/web/public/openapi.yaml b/web/public/openapi.yaml
index 312a1907e..b101c66e0 100644
--- a/web/public/openapi.yaml
+++ b/web/public/openapi.yaml
@@ -474,11 +474,9 @@ components:
description: The event id
type: string
item_ahead:
- description: The list of events ahead
- items:
- type: string
- type: array
- item_behind:
+ description: The event ahead
+ type: string
+ items_behind:
description: The list of events behind
items:
type: string
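Review bot: renaming `item_behind` to `items_behind` and changing `item_ahead` from an array of strings to a single string alters the published response schema, and nothing in this change shows the API code it describes. Please confirm in the commit message that this corrects the spec to match what the API already returns, rather than changing behaviour that clients depend on.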
diff --git a/zuul/ansible/base/callback/zuul_stream.py b/zuul/ansible/base/callback/zuul_stream.py
index 720261cb2..f31983ed6 100644
--- a/zuul/ansible/base/callback/zuul_stream.py
+++ b/zuul/ansible/base/callback/zuul_stream.py
@@ -48,6 +48,7 @@ from zuul.ansible import paths
from zuul.ansible import logconfig
LOG_STREAM_PORT = int(os.environ.get("ZUUL_CONSOLE_PORT", 19885))
+LOG_STREAM_VERSION = 0
def zuul_filter_result(result):
@@ -103,6 +104,7 @@ class CallbackModule(default.CallbackModule):
self._items_done = False
self._deferred_result = None
self._playbook_name = None
+ self._zuul_console_version = 0
def configure_logger(self):
# ansible appends timestamp, user and pid to the log lines emitted
@@ -129,9 +131,7 @@ class CallbackModule(default.CallbackModule):
else:
self._display.display(msg)
- def _read_log(self, host, ip, port, log_id, task_name, hosts):
- self._log("[%s] Starting to log %s for task %s"
- % (host, log_id, task_name), job=False, executor=True)
+ def _read_log_connect(self, host, ip, port):
logger_retries = 0
while True:
try:
@@ -141,6 +141,7 @@ class CallbackModule(default.CallbackModule):
# logs continously. Without this we can easily trip the 5
# second timeout.
s.settimeout(None)
+ return s
except socket.timeout:
self._log(
"Timeout exception waiting for the logger. "
@@ -151,7 +152,7 @@ class CallbackModule(default.CallbackModule):
"Timeout exception waiting for the logger. "
"Please check connectivity to [%s:%s]"
% (ip, port))
- return
+ return None
except Exception:
if logger_retries % 10 == 0:
self._log("[%s] Waiting on logger" % host,
@@ -159,31 +160,77 @@ class CallbackModule(default.CallbackModule):
logger_retries += 1
time.sleep(0.1)
continue
- msg = "%s\n" % log_id
- s.send(msg.encode("utf-8"))
- buff = s.recv(4096)
- buffering = True
- while buffering:
- if b'\n' in buff:
- (line, buff) = buff.split(b'\n', 1)
- # We can potentially get binary data here. In order to
- # being able to handle that use the backslashreplace
- # error handling method. This decodes unknown utf-8
- # code points to escape sequences which exactly represent
- # the correct data without throwing a decoding exception.
- done = self._log_streamline(
- host, line.decode("utf-8", "backslashreplace"))
- if done:
- return
+
+ def _read_log(self, host, ip, port, log_id, task_name, hosts):
+ self._log("[%s] Starting to log %s for task %s"
+ % (host, log_id, task_name), job=False, executor=True)
+
+ s = self._read_log_connect(host, ip, port)
+ if s is None:
+ # Can't connect; _read_log_connect() already logged an
+ # error for us, just bail
+ return
+
+ # Find out what version we are running against
+ s.send(f'v:{LOG_STREAM_VERSION}\n'.encode('utf-8'))
+ buff = s.recv(1024).decode('utf-8').strip()
+
+ # NOTE(ianw) 2022-07-21 : zuul_console from < 6.3.0 do not
+ # understand this protocol. They will assume the send
+ # above is a log request and send back the not found
+ # message in a loop. So to handle this we disconnect and
+ # reconnect. When we decide to remove this, we can remove
+ # anything in the "version 0" path.
+ if buff == '[Zuul] Log not found':
+ s.close()
+ s = self._read_log_connect(host, ip, port)
+ if s is None:
+ return
+ else:
+ self._zuul_console_version = int(buff)
+ self._log('[%s] Reports streaming version: %d' %
+ (host, self._zuul_console_version),
+ job=False, executor=True)
+
+ if self._zuul_console_version >= 1:
+ msg = 's:%s\n' % log_id
+ else:
+ msg = '%s\n' % log_id
+
+ s.send(msg.encode("utf-8"))
+ buff = s.recv(4096)
+ buffering = True
+ while buffering:
+ if b'\n' in buff:
+ (line, buff) = buff.split(b'\n', 1)
+ # We can potentially get binary data here. In order to
+ # being able to handle that use the backslashreplace
+ # error handling method. This decodes unknown utf-8
+ # code points to escape sequences which exactly represent
+ # the correct data without throwing a decoding exception.
+ done = self._log_streamline(
+ host, line.decode("utf-8", "backslashreplace"))
+ if done:
+ if self._zuul_console_version > 0:
+ try:
+ # reestablish connection and tell console to
+ # clean up
+ s = self._read_log_connect(host, ip, port)
+ s.send(f'f:{log_id}\n'.encode('utf-8'))
+ s.close()
+ except Exception:
+ # Don't worry if this fails
+ pass
+ return
+ else:
+ more = s.recv(4096)
+ if not more:
+ buffering = False
else:
- more = s.recv(4096)
- if not more:
- buffering = False
- else:
- buff += more
- if buff:
- self._log_streamline(
- host, buff.decode("utf-8", "backslashreplace"))
+ buff += more
+ if buff:
+ self._log_streamline(
+ host, buff.decode("utf-8", "backslashreplace"))
def _log_streamline(self, host, line):
if "[Zuul] Task exit code" in line:
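Review bot: the version handshake in `_read_log` assumes one `s.recv(1024)` returns exactly one complete reply. The comment says an old console sends the not-found message in a loop, so the read can contain it more than once; then `buff == '[Zuul] Log not found'` is false and `int(buff)` raises ValueError with nothing catching it. Suggest matching with `startswith` and treating anything that does not parse as an integer as version 0. Also, `self._zuul_console_version` is not reset in the not-found branch, so a version learned from one host carries over to an older console on another host; a local variable per call would avoid that. In the cleanup path `s` is rebound to the new connection without closing the streaming socket first.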
diff --git a/zuul/ansible/base/library/zuul_console.py b/zuul/ansible/base/library/zuul_console.py
index 9dffbbc3a..aa999cac1 100755
--- a/zuul/ansible/base/library/zuul_console.py
+++ b/zuul/ansible/base/library/zuul_console.py
@@ -24,6 +24,14 @@ import subprocess
import threading
import time
+# This is the version we report to the zuul_stream callback. It is
+# expected that this (zuul_console) process can be long-lived, so if
+# there are updates this ensures a later streaming callback can still
+# talk to us.
+ZUUL_CONSOLE_PROTO_VERSION = 1
+# This is the template for the file name of the log-file written out
+# by the command.py override command in the executor's Ansible
+# install.
LOG_STREAM_FILE = '/tmp/console-{log_uuid}.log'
LOG_STREAM_PORT = 19885
@@ -162,15 +170,49 @@ class Server(object):
ret = buffer.decode('utf-8')
x = ret.find('\n')
if x > 0:
- return ret[:x]
+ return ret[:x].strip()
except UnicodeDecodeError:
pass
- def handleOneConnection(self, conn):
- log_uuid = self.get_command(conn)
+ def _clean_uuid(self, log_uuid):
# use path split to make use the input isn't trying to be clever
# and construct some path like /tmp/console-/../../something
- log_uuid = os.path.split(log_uuid.rstrip())[-1]
+ return os.path.split(log_uuid)[-1]
+
+ def handleOneConnection(self, conn):
+ # V1 protocol
+ # -----------
+ # v:<ver> get version number, <ver> is remote version
+ # s:<uuid> send logs for <uuid>
+ # f:<uuid> finalise/cleanup <uuid>
+ while True:
+ command = self.get_command(conn)
+ if command.startswith('v:'):
+ # NOTE(ianw) : remote sends its version. We currently
+ # don't have anything to do with this value, so ignore
+ # for now.
+ cmd = '%s\n' % (ZUUL_CONSOLE_PROTO_VERSION)
+ conn.send(cmd.encode('utf-8'))
+ continue
+ elif command.startswith('f:'):
+ log_uuid = self._clean_uuid(command[2:])
+ try:
+ os.unlink(self.path.format(log_uuid=log_uuid))
+ except Exception:
+ # something might have cleaned /tmp
+ pass
+ continue
+ elif command.startswith('s:'):
+ log_uuid = self._clean_uuid(command[2:])
+ break
+ else:
+ # NOTE(ianw): 2022-07-21 In releases < 6.3.0 the streaming
+ # side would just send a raw uuid and nothing else; so by
+ # default assume that is what is coming in here. We can
+ # remove this fallback when we decide it is no longer
+ # necessary.
+ log_uuid = self._clean_uuid(command)
+ break
# FIXME: this won't notice disconnects until it tries to send
console = None
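Review bot: the new `while True` loop in `handleOneConnection` calls `command.startswith('v:')` without checking what `get_command` returned. The visible `except UnicodeDecodeError: pass` path means it may not always hand back a string, and after `f:` the callback side closes its socket (`s.send(...)` then `s.close()`) while this loop goes back to wait for another command. Suggest returning from the handler when no command is read and directly after handling `f:`. Separately, `f:` lets any peer that can reach the port unlink a file; `_clean_uuid` limits that to `/tmp/console-<basename>.log`, which is worth stating in the protocol comment and covering with a test that includes inputs with path separators and a trailing slash (empty basename).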
diff --git a/zuul/driver/smtp/smtpreporter.py b/zuul/driver/smtp/smtpreporter.py
index 4815026ab..a5d8938c1 100644
--- a/zuul/driver/smtp/smtpreporter.py
+++ b/zuul/driver/smtp/smtpreporter.py
@@ -42,7 +42,7 @@ class SMTPReporter(BaseReporter):
if 'subject' in self.config:
subject = self.config['subject'].format(
- change=item.change)
+ change=item.change, pipeline=item.pipeline.getSafeAttributes())
else:
subject = "Report for change {change} against {ref}".format(
change=item.change, ref=item.change.ref)
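Review bot: the configured `subject` template now receives `pipeline=item.pipeline.getSafeAttributes()`, but no documentation or test for the new variable is visible in this change. Suggest documenting `{pipeline}` and the attributes the safe view exposes in the SMTP reporter docs, and adding a test that formats a subject using it.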
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index eac7fa7e5..e00612e9e 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -3157,6 +3157,10 @@ class ExecutorServer(BaseMergeServer):
self.allow_unzoned = get_default(self.config, 'executor',
'allow_unzoned', False)
+ # If this executor has no zone configured it is implicitly unzoned
+ if self.zone is None:
+ self.allow_unzoned = True
+
# Those attributes won't change, so it's enough to set them once on the
# component info.
self.component_info.zone = self.zone
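Review bot: forcing `self.allow_unzoned = True` when `self.zone is None` only takes effect on executors running this code, while the scheduler hunk in this same change drops its own `not executor_component.zone` check and relies on the flag alone. During a rolling upgrade, an executor still on the old code with no zone and `allow_unzoned` False would be counted in neither the unzoned gauges nor a zone gauge. Consider keeping the scheduler-side fallback for a release, or stating the required upgrade order in a release note.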
diff --git a/zuul/scheduler.py b/zuul/scheduler.py
index 272235757..dfc922cf1 100644
--- a/zuul/scheduler.py
+++ b/zuul/scheduler.py
@@ -438,12 +438,12 @@ class Scheduler(threading.Thread):
mergers_online = 0
for executor_component in self.component_registry.all("executor"):
- if executor_component.allow_unzoned or not executor_component.zone:
+ if executor_component.allow_unzoned:
if executor_component.state == BaseComponent.RUNNING:
executors_unzoned_online += 1
if executor_component.accepting_work:
executors_unzoned_accepting += 1
- else:
+ if executor_component.zone:
zone_stats = zoned_executor_stats.setdefault(
executor_component.zone,
executor_stats_default.copy())