From 21748fb39d841a83b62835c7f735889fe2c13784 Mon Sep 17 00:00:00 2001 From: Vijay Date: Fri, 23 Feb 2024 00:29:01 +0530 Subject: [PATCH] fix: logout --- .env | 8 +- .nvmrc | 1 + README.md | 27 + docker-compose.yaml | 132 +- docker/keycloak/realm-export.json | 1854 +++++++++++++++++++++++ docker/kratos/identity.schema.json | 48 - docker/kratos/kratos.yml | 101 -- docker/kratos/oidc/identity.schema.json | 26 + docker/kratos/oidc/kratos.yml | 85 ++ docker/kratos/oidc/oidc.github.jsonnet | 17 + src/Auth/sagas.ts | 11 +- src/Config/build.ts | 8 +- src/bootstrap.tsx | 1 + webpack.config.js | 4 +- 14 files changed, 2096 insertions(+), 227 deletions(-) create mode 100644 .nvmrc create mode 100644 docker/keycloak/realm-export.json delete mode 100644 docker/kratos/identity.schema.json delete mode 100644 docker/kratos/kratos.yml create mode 100644 docker/kratos/oidc/identity.schema.json create mode 100644 docker/kratos/oidc/kratos.yml create mode 100644 docker/kratos/oidc/oidc.github.jsonnet diff --git a/.env b/.env index c360494..32a025d 100644 --- a/.env +++ b/.env @@ -5,7 +5,7 @@ DEV_PORT=3010 # Change to `true` if testing out oathkeeper otherwise just leave this false # for development of other parts of the shell -REACT_APP_AUTH_ENABLED=false +REACT_APP_AUTH_ENABLED=true # When locally testing leave these endpoints as is. # Webpack uses proxies found in `webpack.config.js` to proxy @@ -14,10 +14,14 @@ REACT_APP_AUTH_ENABLED=false # You can also point the proxy to directly kratos to bypass oathkeeper for testing. # Oathkeeper endpoint REACT_APP_AUTH_API_BASE_URL=/kratos +REACT_APP_LOGIN_URL=/kratos/self-service/login/browser +REACT_APP_LOGOUT_URL=/kratos/self-service/logout/browser +REACT_APP_AUTH_TOKEN_URL=/sessions/whoami +REACT_APP_LOGIN_PROVIDER=keycloak # If you have `REACT_APP_AUTH_ENABLED` set to `true` and you need a mock # user to develop auth UI you can enable this. -REACT_APP_AUTH_MOCK_API=true +REACT_APP_AUTH_MOCK_API=false # This is a variable made in anticipation for a api that returns information # about where remote microfrontends live. diff --git a/.nvmrc b/.nvmrc new file mode 100644 index 0000000..21cff1f --- /dev/null +++ b/.nvmrc @@ -0,0 +1 @@ +14.18.1 \ No newline at end of file diff --git a/README.md b/README.md index f63bd50..0c723c2 100644 --- a/README.md +++ b/README.md @@ -73,3 +73,30 @@ For more details read [configuring the tools](./docs/configuring-the-tools.md). - [Configuring the tools](./docs/configuring-the-tools.md) - [Environment variables](./docs/environment-variables.md) - [External API](./docs/external-api.md) + +## Local testing with Ory and Keycloak + +- Run dependencies with the following command +``` +docker compose --profile ory up -d +``` +- Wait for all the containers become healthy. +- Set a host recording in `/etc/hosts` file for keycloak +``` +127.0.0.1 keycloak +``` +- Add a user in keycloak using admin console + - Open the URL http://127.0.0.1:8080/ (Administration Console) + - Login with `admin` and `admin` + - Select realm `test-realm` on top left + - Go to users and create a new user by entering the following details + - Username + - Email + - First name + - Last name + - Password in credentials +- Run application using `yarn run start` +- Open browser on `http://127.0.0.1:3010/` (Note: do not use localhost due to some issues with redirection and cookies) +- It redirects to the keycloak login page +- Login with the new user created +- Then it should return back to the portal diff --git a/docker-compose.yaml b/docker-compose.yaml index 075cce8..23a55b4 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -3,6 +3,8 @@ version: '3.7' networks: mojaloop-net: name: mojaloop-net +volumes: + kratos-sqlite: services: reporting-hub-bop-shell: @@ -35,32 +37,21 @@ services: timeout: 20s retries: 30 interval: 15s - psql: - profiles: ["ory"] - image: 'postgres:13.2' - restart: unless-stopped - environment: - POSTGRES_USER: ory-user - POSTGRES_PASSWORD: ory-pass - POSTGRES_DB: ory-data - ports: - - '5432:5432' - networks: - - mojaloop-net + kratos-migrate: profiles: ["ory"] - depends_on: - - psql - image: 'oryd/kratos:v0.7.1-alpha.1' + image: oryd/kratos:v1.1.0 restart: on-failure - command: migrate -c /etc/config/kratos/kratos.yml sql -e --yes + command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes environment: - DSN: >- - postgres://ory-user:ory-pass@psql:5432/ory-data?sslmode=disable&max_conns=20&max_idle_conns=4 - LOG_LEVEL: debug + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false - type: bind - source: ./docker/kratos + source: ./docker/kratos/oidc target: /etc/config/kratos networks: - mojaloop-net @@ -68,37 +59,27 @@ services: profiles: ["ory"] depends_on: - kratos-migrate - image: 'oryd/kratos:v0.7.1-alpha.1' + image: oryd/kratos:v1.1.0 restart: unless-stopped - command: serve -c /etc/config/kratos/kratos.yml --dev + command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier environment: - DSN: >- - postgres://ory-user:ory-pass@psql:5432/ory-data?sslmode=disable&max_conns=20&max_idle_conns=4 - LOG_LEVEL: trace - SERVE_PUBLIC_BASE_URL: 'http://127.0.0.1:4455/.ory/kratos/public/' + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true + - LOG_LEVEL=trace + # - SERVE_PUBLIC_BASE_URL='http://127.0.0.1:4455/.ory/kratos/public/' volumes: + - type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false - type: bind - source: ./docker/kratos + source: ./docker/kratos/oidc target: /etc/config/kratos ports: - - '4433:4433' - - '4434:4434' - networks: - - mojaloop-net - kratos-selfservice-ui-node: - profiles: ["ory"] - depends_on: - - kratos - image: 'oryd/kratos-selfservice-ui-node:v0.7.1-alpha.1' - environment: - - 'JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json' - - 'KRATOS_PUBLIC_URL=http://kratos:4433/' - - 'KRATOS_ADMIN_URL=http://kratos:4434/' - - 'KRATOS_BROWSER_URL=http://127.0.0.1:4455/.ory/kratos/public' - - PORT=4435 - - SECURITY_MODE=jwks + - '4433:4433' # public + - '4434:4434' # admin networks: - mojaloop-net + mailslurper: profiles: ["ory"] image: 'oryd/mailslurper:latest-smtps' @@ -107,35 +88,48 @@ services: - '4437:4437' networks: - mojaloop-net - oathkeeper: - profiles: ["ory"] + + keycloak: + image: quay.io/keycloak/keycloak:21.1.0 + user: root + container_name: keycloak + command: ['start-dev --import-realm'] + ports: + - "8080:8080" depends_on: - - psql - image: 'oryd/oathkeeper:v0.38.14-beta.1' - restart: unless-stopped - command: serve --config=/etc/config/oathkeeper/oathkeeper.yml - environment: - LOG_LEVEL: debug - LOG_LEAK_SENSITIVE_VALUES: 'true' - TRACING_PROVIDER: jaeger - TRACING_SERVICE_NAME: Oathkeeper - TRACING_PROVIDER_JAEGER_SAMPLING_SERVER_URL: 'http://jaeger:5778/sampling' - TRACING_PROVIDER_JAEGER_LOCAL_AGENT_ADDRESS: 'jaeger:6831' - TRACING_PROVIDER_JAEGER_SAMPLING_TYPE: const - TRACING_PROVIDER_JAEGER_SAMPLING_VALUE: 1 + mysql-keycloak: + condition: service_healthy volumes: - - type: bind - source: ./docker/oathkeeper - target: /etc/config/oathkeeper - ports: - - '4455:4455' - - '4456:4456' + - ./docker/keycloak/realm-export.json:/opt/keycloak/data/import/realm.json + environment: + - KEYCLOAK_ADMIN=admin + - KEYCLOAK_ADMIN_PASSWORD=admin + - KC_DB=mysql + - KC_DB_URL_HOST=mysql-keycloak + - KC_DB_URL_DATABASE=keycloak + - KC_DB_USERNAME=keycloak + - KC_DB_PASSWORD=password + - KC_HEALTH_ENABLED=true networks: - mojaloop-net - jaeger: - profiles: ["ory"] - image: jaegertracing/all-in-one:1.22 + healthcheck: + test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8080;echo -e \"GET /health/ready HTTP/1.1\r\nhost: http://localhost\r\nConnection: close\r\n\r\n\" >&3;grep \"HTTP/1.1 200 OK\" <&3"] + timeout: 20s + retries: 10 + start_period: 40s + interval: 30s + + mysql-keycloak: + image: mysql:8.3.0 + container_name: mysql-keycloak ports: - - 16686:16686 + - "3306:3306" + environment: + - MYSQL_DATABASE=keycloak + - MYSQL_USER=keycloak + - MYSQL_PASSWORD=password + - MYSQL_ROOT_PASSWORD=root_password + healthcheck: + test: "mysqladmin ping -u root -p$${MYSQL_ROOT_PASSWORD}" networks: - - mojaloop-net + - mojaloop-net \ No newline at end of file diff --git a/docker/keycloak/realm-export.json b/docker/keycloak/realm-export.json new file mode 100644 index 0000000..9e44a3c --- /dev/null +++ b/docker/keycloak/realm-export.json @@ -0,0 +1,1854 @@ +{ + "id": "c930b00c-d40f-475e-a0bb-9c6339ce04ee", + "realm": "test-realm", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "defaultRole": { + "id": "72f24ddc-ee43-4d6e-afd1-7f9e5d539267", + "name": "default-roles-test-realm", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "c930b00c-d40f-475e-a0bb-9c6339ce04ee" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppMicrosoftAuthenticatorName", + "totpAppGoogleName", + "totpAppFreeOTPName" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "8ff86129-4073-463b-9bdc-5c614e49431f", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/test-realm/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/test-realm/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "94fbd8ec-25b1-4ec7-a486-ec87beb8b1e6", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/test-realm/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/test-realm/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "990cdbe0-d287-4bdf-8256-d8079fb3617e", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "2789a634-4fab-4133-863a-7ba448f20d65", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "52db40b9-1dcd-4319-9209-f59cdf22d9fb", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "e8251baf-28c3-4493-93f0-587d281bed0c", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "89f6cbd1-7c0d-4776-a9f9-343b16fddc99", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/test-realm/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/test-realm/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "17485c64-d7aa-4170-b668-2ddce2d3ad2e", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "23c4aa79-f93f-4304-9818-5846cab685e7", + "clientId": "test-client", + "secret": "test123", + "name": "", + "description": "", + "rootUrl": "http://localhost:5173", + "adminUrl": "http://localhost:5173", + "baseUrl": "http://localhost:5173", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "*" + ], + "webOrigins": [ + "http://localhost:5173" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": true, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "post.logout.redirect.uris": "http://localhost:5173", + "display.on.consent.screen": "true", + "consent.screen.text": "Your privacy is a big deal to us. By clicking 'Agree,' you're giving us the green light to provide you with our awesome services while respecting your privacy.", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "7ff8a8c8-da6b-44ce-8f6a-1c45bc625b82", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "5b5e9953-c29a-41bf-9649-a4ed702a6117", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "b53a90ca-9b53-47f9-8c6f-d39e682d4c99", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "7c2e6041-f3c6-4344-8860-628ac0ac95aa", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "1c967c40-9d85-4c25-ac7c-be7a2a4ce059", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "0acb3980-138d-467c-9bc5-5ff8dc85ff29", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "732220e3-3ae3-4bbd-ba22-d4e96a311905", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "e845d760-64aa-497e-913a-54410b314031", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "2fc56bc2-a3c6-42ec-a082-b2dbf63771a3", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "4a2c8e4d-df2b-47d4-bfb1-887206844e16", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "fd1c68ae-1314-48ff-a460-157508b6ff25", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "4de9e299-d19b-4d17-a202-d1236d7820af", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "9acab6f2-2ddf-495f-a7e0-9fd633e49900", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "99ecc3ee-ffcb-4ae8-a186-d86be9089f48", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "2cc533ce-23a7-4bb0-beed-f17d64331321", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "dc2db320-aed2-4870-ba31-c0448606faf4", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "80671011-4986-4e5a-a9c0-ba49028d7084", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "00339e8e-61fb-4eed-b065-34c104de14f6", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "37081c97-e56d-40fc-b00d-c8f3fa5984fa", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "e73bfa6e-c4bd-43c6-b69f-aad4574e23c8", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "98ffa273-2499-455c-a81b-952e001f8143", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "ecced0a3-7ae5-4a0a-bfa0-63e6e67ad70c", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "4b2ee5ce-f824-4320-931d-e855d96cb91b", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "6dd6ac1d-4095-414e-8504-df1d3c8f0388", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "da8c6eec-d935-4cf9-8ab4-36a82d7ee221", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "a01b2f30-8d22-4dde-b05c-e87c21626d5d", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "8bb28ee8-81f4-4540-8a52-58a7e3078ac3", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "dc6c2614-d7a8-4279-8148-81fd0947f47c", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "81f9b3b6-648a-4faa-9dd0-d1ac6a7004bd", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "fad1bcb4-8773-4acc-92e5-b9efba8428ef", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "6678fe31-5d19-422d-9700-73a72d2164d5", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "55ecdb84-0020-4fff-9bbb-ec1a6133c853", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "c781fecf-014a-4e2b-a3b0-e7cdc2af8e24", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "6b8dd150-3675-4e4f-81b5-713cde18c1f9", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "0465c8e8-8f62-466e-9bd3-faa03609f619", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "9c7bee73-777a-4aac-bb57-5805188908d1", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "faf1ee47-2a79-4a01-b749-16b22c1b8018", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ] + } + ], + "defaultDefaultClientScopes": [ + "profile", + "role_list", + "roles", + "web-origins", + "email", + "acr" + ], + "defaultOptionalClientScopes": [ + "microprofile-jwt", + "address", + "phone", + "offline_access" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "6b8b8b91-79c0-4310-aac2-027818b90453", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "saml-role-list-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper" + ] + } + }, + { + "id": "3f45773e-efbb-4bc6-91ec-f96c060eb0ec", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "1b4cd63c-b5d3-44d3-b6cd-60061a41204d", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "7f5c899d-28c0-46d0-92f6-2e91313257fe", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "eed699ad-1bd2-40ce-b4ab-5fac1cd45899", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "f7999b3e-b48f-4a61-ab11-bba403f5f239", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "oidc-full-name-mapper", + "oidc-address-mapper", + "oidc-usermodel-property-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper", + "oidc-usermodel-attribute-mapper" + ] + } + }, + { + "id": "a087e3e4-a4bb-4591-b128-47ba13195a02", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "1b02a74d-2b17-474b-a223-bae037c6c591", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "032ff2c7-1cc9-4fc7-84bf-228ca0cb9419", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "a5e38e27-902d-46cc-b563-28a6917d2104", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "cf7a23eb-b0ea-443e-8c91-785612ab2ecd", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "da8b2407-4b97-4fc3-82f6-07fbecb951e5", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "a2a377bc-ddef-4dd5-b321-e4299fc14d70", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "7068d070-e20a-45f5-9cf7-be1c3d6c9331", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "ed052b3b-51ee-4e3a-aca4-c4653346c6bc", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "2baa3ba6-6ca6-4d96-87f9-7bc209278902", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6a3b9f29-0b4c-4a5d-aea9-27de1b583d80", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "5da6a5b3-9787-4e6f-a578-061ded48b252", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "bca2c184-4e98-4e34-9844-88766bdd5386", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "9fe083ef-1d47-4b40-a2cb-ac89851b043f", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "c1ecff77-b1af-412a-91a8-27391c8f00fa", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "39710f75-42ab-4521-8138-57ddfa024b76", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "06bd0499-24a6-4144-a136-cc3a5b078219", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "fe6aaa46-7dd2-482f-8f25-47980c23fab6", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "2e537cfe-59ba-40cd-b975-51a91948b39e", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "c2362d6e-1c66-40fa-89fe-973aa3940ed4", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "c6a0746c-34e4-422a-b640-15886aeff5c2", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "497b3c65-773f-4bd2-a631-20ea07af2d4c", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] + }, + { + "id": "084447cd-52e0-425c-ab15-edff815e53df", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "e225659c-d1e3-4cb8-9f2e-0807e8e6d16a", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6df98ddd-5d29-4665-9bab-313f4c538e73", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "ec7bdcc0-73a2-4cf4-8e18-e69939e0382f", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "cb17fe65-15ad-4ed9-bbf0-47c75dcb0828", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "cfdbf306-6840-423a-8612-bb1953a526c9", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "21.1.0", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} diff --git a/docker/kratos/identity.schema.json b/docker/kratos/identity.schema.json deleted file mode 100644 index 3efc158..0000000 --- a/docker/kratos/identity.schema.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { - "email": { - "type": "string", - "format": "email", - "title": "E-Mail", - "minLength": 3, - "ory.sh/kratos": { - "credentials": { - "password": { - "identifier": true - } - }, - "verification": { - "via": "email" - }, - "recovery": { - "via": "email" - } - } - }, - "name": { - "type": "object", - "properties": { - "first": { - "type": "string" - }, - "last": { - "type": "string" - } - } - } - }, - "required": [ - "email" - ], - "additionalProperties": false - } - } - } - \ No newline at end of file diff --git a/docker/kratos/kratos.yml b/docker/kratos/kratos.yml deleted file mode 100644 index a85b849..0000000 --- a/docker/kratos/kratos.yml +++ /dev/null @@ -1,101 +0,0 @@ -courier: - smtp: - connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true - -hashers: - algorithm: bcrypt - bcrypt: - cost: 12 - -identity: - default_schema_url: file:///etc/config/kratos/identity.schema.json - -log: - level: debug - format: text - leak_sensitive_values: true - -secrets: - cookie: - - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE - -selfservice: - default_browser_return_url: http://127.0.0.1:4455/ - # Important to configure! - whitelisted_return_urls: - - http://127.0.0.1:4455 - - http://127.0.0.1:3010 - - http://localhost:3010 - - http://127.0.0.1:8080 - - http://localhost:8080 - methods: - password: - enabled: true - flows: - error: - ui_url: http://127.0.0.1:4455/error - settings: - ui_url: http://127.0.0.1:4455/settings - privileged_session_max_age: 15m - recovery: - enabled: true - ui_url: http://127.0.0.1:4455/recovery - verification: - enabled: true - ui_url: http://127.0.0.1:4455/verify - after: - default_browser_return_url: http://127.0.0.1:4455/ - logout: - after: - default_browser_return_url: http://127.0.0.1:4455/auth/login - login: - ui_url: http://127.0.0.1:4455/auth/login - after: - # Important to configure! - default_browser_return_url: http://127.0.0.1:8080 - lifespan: 10m - registration: - lifespan: 10m - ui_url: http://127.0.0.1:4455/auth/registration - after: - password: - hooks: - - hook: session - -serve: - public: - base_url: http://127.0.0.1:4433/ - cors: - # Important to configure! - allowed_origins: - - http://127.0.0.1:3010 - - http://localhost:3010 - - http://127.0.0.1:8080 - - http://localhost:8080 - - http://127.0.0.1:4455 - allowed_methods: - - POST - - GET - - PUT - - PATCH - - DELETE - allowed_headers: - - Authorization - - Cookie - - Content-Type - - X-Session-Token - exposed_headers: - - Content-Type - - Set-Cookie - allow_credentials: true - options_passthrough: false - debug: true - enabled: true - host: "0.0.0.0" - port: 4433 - admin: - base_url: http://kratos:4434/ - host: "0.0.0.0" - port: 4434 - -sqa-opt-out: false diff --git a/docker/kratos/oidc/identity.schema.json b/docker/kratos/oidc/identity.schema.json new file mode 100644 index 0000000..0c1b464 --- /dev/null +++ b/docker/kratos/oidc/identity.schema.json @@ -0,0 +1,26 @@ +{ + "$id": "https://mojaloop.io/kratos-schema/identity.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { + "email": { + "title": "E-Mail", + "type": "string", + "format": "email" + }, + "subject": { + "title": "Subject", + "type": "string" + }, + "name": { + "title": "Name", + "type": "string" + } + } + } + } +} diff --git a/docker/kratos/oidc/kratos.yml b/docker/kratos/oidc/kratos.yml new file mode 100644 index 0000000..1adf9ef --- /dev/null +++ b/docker/kratos/oidc/kratos.yml @@ -0,0 +1,85 @@ +version: v0.13.0 + +dsn: memory + +serve: + public: + base_url: http://127.0.0.1:4433/ + cors: + enabled: true + admin: + base_url: http://kratos:4434/ + +selfservice: + default_browser_return_url: http://127.0.0.1:4455/ + allowed_return_urls: + - http://127.0.0.1:4455 + - http://localhost:3010 + - http://127.0.0.1:3010 + - http://localhost:19006/Callback + - exp://localhost:8081/--/Callback + + methods: + password: + enabled: false + oidc: + enabled: true + config: + providers: + - id: keycloak + provider: generic + client_id: test-client + client_secret: test123 + mapper_url: base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICBlbWFpbDogY2xhaW1zLmVtYWlsLAogICAgICBuYW1lOiBjbGFpbXMuZW1haWwsCiAgICAgIHN1YmplY3Q6IGNsYWltcy5zdWIKICAgIH0sCiAgfSwKfQ== + issuer_url: http://keycloak:8080/realms/test-realm + scope: + - openid + - profile + - email + + flows: + error: + ui_url: http://127.0.0.1:4455/error + + logout: + after: + default_browser_return_url: http://localhost:8080/oidc/logout + + login: + ui_url: http://127.0.0.1:4455/login + lifespan: 10m + after: + oidc: + default_browser_return_url: http://localhost:3010 + +log: + level: debug + format: text + leak_sensitive_values: true + +secrets: + cookie: + - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE + cipher: + - 32-LONG-SECRET-NOT-SECURE-AT-ALL + +ciphers: + algorithm: xchacha20-poly1305 + +hashers: + algorithm: bcrypt + bcrypt: + cost: 8 + +identity: + default_schema_id: default + schemas: + - id: default + url: file:///etc/config/kratos/identity.schema.json + +courier: + smtp: + connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true + +feature_flags: + use_continue_with_transitions: true diff --git a/docker/kratos/oidc/oidc.github.jsonnet b/docker/kratos/oidc/oidc.github.jsonnet new file mode 100644 index 0000000..06b92bf --- /dev/null +++ b/docker/kratos/oidc/oidc.github.jsonnet @@ -0,0 +1,17 @@ +local claims = { + email_verified: false +} + std.extVar('claims'); + +{ + identity: { + traits: { + // Allowing unverified email addresses enables account + // enumeration attacks, especially if the value is used for + // e.g. verification or as a password login identifier. + // + // Therefore we only return the email if it (a) exists and (b) is marked verified + // by GitHub. + [if "email" in claims && claims.email_verified then "email" else null]: claims.email, + }, + }, +} diff --git a/src/Auth/sagas.ts b/src/Auth/sagas.ts index c94173e..825d0c7 100644 --- a/src/Auth/sagas.ts +++ b/src/Auth/sagas.ts @@ -86,7 +86,16 @@ function* doAuth() { function* logout() { const logoutEndpoint: string = yield select(selectors.getLogoutEndpoint); - window.location.href = logoutEndpoint; + const loginProvider: string = yield select(selectors.getLoginProvider); + if (loginProvider) { + fetch(logoutEndpoint, { headers: { accept: 'application/json' } }) + .then((response) => response.json()) + .then((jsonResponse) => { + window.location.assign(`${jsonResponse.logout_url}&return_to=${window.location.href}`); + }); + } else { + window.location.assign(`${logoutEndpoint}?return_to=${window.location.href}`); + } } function* doAuthSaga() { diff --git a/src/Config/build.ts b/src/Config/build.ts index ef2764b..6f808c2 100644 --- a/src/Config/build.ts +++ b/src/Config/build.ts @@ -5,10 +5,10 @@ export default async (): Promise => { const baseUrl = `${protocol}//${host}`; // Using the same protocol as we've been loaded from to avoid Mixed Content error. const defaults = { - loginEndpoint: `${process.env.REACT_APP_AUTH_API_BASE_URL}/self-service/login`, - loginProvider: '', - logoutEndpoint: `${process.env.REACT_APP_AUTH_API_BASE_URL}/self-service/logout/browser`, - authTokenEndpoint: `${process.env.REACT_APP_AUTH_API_BASE_URL}/sessions/whoami`, + loginEndpoint: `${process.env.REACT_APP_LOGIN_URL}`, + loginProvider: `${process.env.REACT_APP_LOGIN_PROVIDER}`, + logoutEndpoint: `${process.env.REACT_APP_LOGOUT_URL}`, + authTokenEndpoint: `${process.env.REACT_APP_AUTH_TOKEN_URL}`, isAuthEnabled: process.env.REACT_APP_AUTH_ENABLED !== 'false', basename: baseUrl, authApiBaseUrl: `${process.env.REACT_APP_AUTH_API_BASE_URL}`, diff --git a/src/bootstrap.tsx b/src/bootstrap.tsx index c7b5161..2f05154 100644 --- a/src/bootstrap.tsx +++ b/src/bootstrap.tsx @@ -28,6 +28,7 @@ async function boot() { remoteMockApi: config.remoteMockApi, }, auth: { + loginProvider: config.loginProvider, loginEndpoint: config.loginEndpoint, logoutEndpoint: config.logoutEndpoint, authTokenEndpoint: config.authTokenEndpoint, diff --git a/webpack.config.js b/webpack.config.js index ee44d11..9852b26 100644 --- a/webpack.config.js +++ b/webpack.config.js @@ -18,7 +18,7 @@ const config = { module.exports = { entry: './src/index', - devtool: 'cheap-module-source-map', + devtool: 'eval-cheap-module-source-map', devServer: { disableHostCheck: true, // Enable gzip compression of generated files. @@ -86,7 +86,7 @@ module.exports = { '/kratos': { // For local testing update `target` to point to your // locally hosted or port-forwarded `@ory/oathkeeper` or `@ory/kratos` service - target: 'http://localhost:port/.ory/kratos/public', + target: 'http://localhost:4433', pathRewrite: { '^/kratos': '' }, secure: false, },