From 3427f6aa7f89b6f0d0d46abd31ce384e4129b877 Mon Sep 17 00:00:00 2001 From: Eneko Date: Mon, 10 Jan 2022 22:59:24 +0100 Subject: [PATCH] Updated Readme. Public client in Keycloak --- docker/README.md | 16 +- .../keycloak/okupamicoche-realm-export.json | 543 ++++++++++-------- docker/synapse/homeserver.yaml | 4 +- 3 files changed, 325 insertions(+), 238 deletions(-) diff --git a/docker/README.md b/docker/README.md index 4984de8..01389d3 100644 --- a/docker/README.md +++ b/docker/README.md @@ -16,17 +16,14 @@ docker network create okupamicoche cd docker/keycloak docker run --name okupamicoche-keycloak -p 8443:8443 -v $(pwd)/https:/etc/x509/https \ -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin --network=okupamicoche \ --e KEYCLOAK_IMPORT=/tmp/realm.json -v $(pwd)/okupamicoche-realm-export.json:/tmp/realm.json quay.io/keycloak/keycloak:12.0.4 +-e KEYCLOAK_IMPORT=/tmp/realm.json -v $(pwd)/okupamicoche-realm-export.json:/tmp/realm.json quay.io/keycloak/keycloak:16.1.0 ``` -4. Go to https://localhost:8443/auth/admin/master/console and login with user=admin pass=admin -5. In Clients -> synapse -> Credentials push Regenerate Secret and copy the secret -6. Open docker/synapse/homeserver.yaml and paste the secret to client_secret variable (inside oidc_providers section) -7. Build Synapse container +4. Build Synapse container ``` cd docker/synape docker build -t okupamicoche-synapse . ``` -8. Generate data folder for Synapse +5. Generate data folder for Synapse ``` docker run -it --rm \ --mount type=volume,src=synapse-data,dst=/data \ 
@@ -34,14 +31,14 @@ docker run -it --rm \ -e SYNAPSE_REPORT_STATS=no \ okupamicoche-synapse generate ``` -9. Run dockerized Synapse +6. Run dockerized Synapse ``` docker run --name okupamicoche-synapse -p 8008:8008 --mount type=volume,src=synapse-data,dst=/data \ -e SYNAPSE_CONFIG_PATH=/homeserver.yaml \ -v $(pwd)/homeserver.yaml:/homeserver.yaml -v $(pwd)/okupamicoche-appservice.yaml:/okupamicoche-appservice.yaml \ --network=okupamicoche okupamicoche-synapse ``` -10. (Optional) Add keycloak certificate to local machine +7. (Optional) Add keycloak certificate to local machine Some clients (Quaternion, Nheko) fail with self-signed certificates. You can install the root certificate (docker/synape/keycloak-root.crt) in you local machine. For example, in Linux: ``` @@ -56,6 +53,9 @@ sudo update-ca-certificates ## Inspect containter `docker exec -t -i okupamicoche-synapse /bin/bash` +## Manage Keycloak +Go to https://localhost:8443/auth/admin and login with user=admin pass=admin + # Renew/create SSL certificates for development 1. Install mkcert from https://github.com/FiloSottile/mkcert 2. Create and install CA root certificate diff --git a/docker/keycloak/okupamicoche-realm-export.json b/docker/keycloak/okupamicoche-realm-export.json index afea9cb..0653085 100644 --- a/docker/keycloak/okupamicoche-realm-export.json +++ b/docker/keycloak/okupamicoche-realm-export.json @@ -2,6 +2,7 @@ "id": "okupamicoche", "realm": "okupamicoche", "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", "revokeRefreshToken": false, "refreshTokenMaxReuse": 0, "accessTokenLifespan": 300, @@ -22,6 +23,8 @@ "accessCodeLifespanLogin": 1800, "actionTokenGeneratedByAdminLifespan": 43200, "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, "enabled": true, "sslRequired": "external", "registrationAllowed": true, 
@@ -30,7 +33,7 @@ "verifyEmail": false, "loginWithEmailAllowed": true, "duplicateEmailsAllowed": false, - "resetPasswordAllowed": true, + "resetPasswordAllowed": false, "editUsernameAllowed": false, "bruteForceProtected": false, "permanentLockout": false, @@ -59,6 +62,26 @@ "clientRole": false, "containerId": "okupamicoche", "attributes": {} + }, + { + "id": "2732ebf9-a66f-424b-be11-4628daa9c935", + "name": "default-roles-okupamicoche", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "okupamicoche", + "attributes": {} } ], "client": { @@ -372,9 +395,14 @@ } }, "groups": [], - "defaultRoles": [ - "offline_access" - ], + "defaultRole": { + "id": "2732ebf9-a66f-424b-be11-4628daa9c935", + "name": "default-roles-okupamicoche", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "okupamicoche" + }, "requiredCredentials": [ "password" ], @@ -424,10 +452,6 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "secret": "**********", - "defaultRoles": [ - "manage-account", - "view-profile" - ], "redirectUris": [ "/realms/okupamicoche/account/*" ], @@ -448,7 +472,6 @@ "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" @@ -503,7 +526,6 @@ ], "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" @@ -542,7 +564,6 @@ "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" @@ -581,7 +602,6 @@ "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" @@ -628,7 +648,6 @@ "nodeReRegistrationTimeout": -1, "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" 
@@ -667,7 +686,6 @@ "nodeReRegistrationTimeout": 0, "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" @@ -731,7 +749,6 @@ ], "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" @@ -752,7 +769,6 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "**********", "redirectUris": [ "http://okupamicoche-synapse:8008/_synapse/client/oidc/callback" ], @@ -766,21 +782,27 @@ "implicitFlowEnabled": false, "directAccessGrantsEnabled": true, "serviceAccountsEnabled": false, - "publicClient": false, + "publicClient": true, "frontchannelLogout": false, "protocol": "openid-connect", "attributes": { + "id.token.as.detached.signature": "false", "saml.assertion.signature": "false", "saml.force.post.binding": "false", "saml.multivalued.roles": "false", "saml.encrypt": "false", + "oauth2.device.authorization.grant.enabled": "false", "backchannel.logout.revoke.offline.tokens": "false", "saml.server.signature": "false", "saml.server.signature.keyinfo.ext": "false", + "use.refresh.tokens": "true", "exclude.session.state.from.auth.response": "false", + "oidc.ciba.grant.enabled": "false", + "saml.artifact.binding": "false", "backchannel.logout.session.required": "true", "client_credentials.use_refresh_token": "false", "saml_force_name_id_format": "false", + "require.pushed.authorization.requests": "false", "saml.client.signature": "false", "tls.client.certificate.bound.access.tokens": "false", "saml.authnstatement": "false", @@ -792,7 +814,6 @@ "nodeReRegistrationTimeout": -1, "defaultClientScopes": [ "web-origins", - "role_list", "roles", "profile", "email" 
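Review bot: Flipping `"publicClient": false` to `true` while `"directAccessGrantsEnabled": true` stays in the same hunk means anyone who can reach the realm's token endpoint can obtain tokens for this client with nothing but a username and password, since a public client presents no credential of its own; together with `"bruteForceProtected": false` visible earlier in this export, that is an unauthenticated password-guessing oracle. Synapse redeems the authorization code server-side, so it is a confidential relying party and the secret-bearing client this commit removes (the `"secret"` line dropped in the preceding hunk) is the appropriate model; if the motivation was only to stop committing the secret, keep `"publicClient": false` and inject the secret at deploy time instead. If the client must remain public, at minimum set `"directAccessGrantsEnabled": false` and add `"pkce.code.challenge.method": "S256"` to `attributes` so an intercepted code cannot be redeemed by a third party. Note also that the registered redirect URI in the preceding hunk is plain `http://`, which is presumably acceptable only because it stays on the internal Docker network.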
@@ -807,32 +828,181 @@ ], "clientScopes": [ { - "id": "e2ad2ff0-e48a-474b-a9f4-1601392e9a94", - "name": "address", - "description": "OpenID Connect built-in scope: address", + "id": "28bd517a-5240-40ed-a0a3-ca3a3a7ae253", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "64ffe8a0-eb82-4077-a57f-d86881db9085", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "5fe9e223-61c8-4f68-b6fa-dd233ebfe9b1", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "3eb67f8d-5a39-495f-9be4-0c950e4b1b60", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "b5141917-98d9-4785-aee0-423e25d29fb7", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "05e581a7-84b2-439e-9413-6b9d4cb38ed8", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", "protocol": "openid-connect", 
"attributes": { "include.in.token.scope": "true", "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" + "consent.screen.text": "${phoneScopeConsentText}" }, "protocolMappers": [ { - "id": "53b8cf2b-0184-4237-9e09-78b9ec47123f", - "name": "address", + "id": "fa51bd52-bb5a-41bb-86d2-0f150d24816c", + "name": "phone number verified", "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", + "protocolMapper": "oidc-usermodel-attribute-mapper", "consentRequired": false, "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", "userinfo.token.claim": "true", - "user.attribute.street": "street", + "user.attribute": "phoneNumberVerified", "id.token.claim": "true", - "user.attribute.region": "region", "access.token.claim": "true", - "user.attribute.locality": "locality" + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "7beb070d-94c5-42e5-a0f0-285b5da87f57", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "27512f6a-3b5c-4e68-84f1-04613450a919", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "05e18193-6686-4d7e-83f0-5263dbf8d9f0", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + 
"access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "52bab46c-889e-4e00-bd5d-87231dd9d1d5", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "4c02cc0b-e315-4b47-b82d-0bfe40bd1fce", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "ba092484-318b-4cc4-8437-72c427c99d0e", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "1b3c5027-10af-49e7-956b-5d3fa3fdeb44", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" } } ] 
@@ -880,49 +1050,6 @@ } ] }, - { - "id": "5fe9e223-61c8-4f68-b6fa-dd233ebfe9b1", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "3eb67f8d-5a39-495f-9be4-0c950e4b1b60", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - }, - { - "id": "b5141917-98d9-4785-aee0-423e25d29fb7", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - } - ] - }, { "id": "2ebaa60b-d4df-4b20-b23c-bb3aa7e15cc3", "name": "offline_access", 
@@ -933,49 +1060,6 @@ "display.on.consent.screen": "true" } }, - { - "id": "05e581a7-84b2-439e-9413-6b9d4cb38ed8", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "fa51bd52-bb5a-41bb-86d2-0f150d24816c", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "7beb070d-94c5-42e5-a0f0-285b5da87f57", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - } - ] - }, { "id": "e74a02c5-050a-4538-b3e4-9a2549a1ddf6", "name": "profile", 
@@ -1197,96 +1281,33 @@ ] }, { - "id": "ba092484-318b-4cc4-8437-72c427c99d0e", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "1b3c5027-10af-49e7-956b-5d3fa3fdeb44", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "27512f6a-3b5c-4e68-84f1-04613450a919", - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", + "id": "e2ad2ff0-e48a-474b-a9f4-1601392e9a94", + "name": "address", + "description": "OpenID Connect built-in scope: address", "protocol": "openid-connect", "attributes": { - "include.in.token.scope": "false", + "include.in.token.scope": "true", "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" + "consent.screen.text": "${addressScopeConsentText}" }, "protocolMappers": [ { - "id": "05e18193-6686-4d7e-83f0-5263dbf8d9f0", - "name": "client roles", + "id": "53b8cf2b-0184-4237-9e09-78b9ec47123f", + "name": "address", "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", + "protocolMapper": "oidc-address-mapper", "consentRequired": false, "config": { - "user.attribute": "foo", + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" + "user.attribute.locality": "locality" } - }, - { - "id": "52bab46c-889e-4e00-bd5d-87231dd9d1d5", - 
"name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - }, - { - "id": "4c02cc0b-e315-4b47-b82d-0bfe40bd1fce", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" - } - } - ] - }, - { - "id": "28bd517a-5240-40ed-a0a3-ca3a3a7ae253", - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "id": "64ffe8a0-eb82-4077-a57f-d86881db9085", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} } ] } @@ -1333,14 +1354,14 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "oidc-address-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper", + "saml-user-attribute-mapper", + "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", - "oidc-full-name-mapper", - "saml-user-attribute-mapper" + "oidc-address-mapper" ] } }, @@ -1380,13 +1401,13 @@ "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ - "saml-role-list-mapper", - "oidc-usermodel-property-mapper", "saml-user-property-mapper", - "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", + "saml-role-list-mapper", + "oidc-full-name-mapper", "oidc-usermodel-attribute-mapper" ] } 
@@ -1431,6 +1452,14 @@ } } ], + "org.keycloak.userprofile.UserProfileProvider": [ + { + "id": "5df33c15-1073-4049-a516-01995375568e", + "providerId": "declarative-user-profile", + "subComponents": {}, + "config": {} + } + ], "org.keycloak.keys.KeyProvider": [ { "id": "8585d227-9fb6-4d2e-830f-debea055c39b", @@ -1474,7 +1503,7 @@ "supportedLocales": [], "authenticationFlows": [ { - "id": "2c7b19fc-a948-46c1-891f-922c9dfd64e0", + "id": "cb85d6a7-d037-4e20-ad57-69ad33a1bb35", "alias": "Account verification options", "description": "Method with which to verity the existing account", "providerId": "basic-flow", @@ -1483,12 +1512,14 @@ "authenticationExecutions": [ { "authenticator": "idp-email-verification", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 20, "flowAlias": "Verify Existing Account by Re-authentication", @@ -1498,7 +1529,7 @@ ] }, { - "id": "2ca7ea17-5f85-4dc1-99ea-6e84db2d39fe", + "id": "224a176d-619c-4289-a5c2-e48f74d8830c", "alias": "Authentication Options", "description": "Authentication options.", "providerId": "basic-flow", @@ -1507,6 +1538,7 @@ "authenticationExecutions": [ { "authenticator": "basic-auth", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1514,6 +1546,7 @@ }, { "authenticator": "basic-auth-otp", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 20, "userSetupAllowed": false, @@ -1521,6 +1554,7 @@ }, { "authenticator": "auth-spnego", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 30, "userSetupAllowed": false, @@ -1529,7 +1563,7 @@ ] }, { - "id": "c247ec35-e6e6-48e7-9f44-6bc2a795d3a8", + "id": "2bd2d846-4df3-4383-8233-99202dc72cda", "alias": "Browser - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", 
@@ -1538,6 +1572,7 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1545,6 +1580,7 @@ }, { "authenticator": "auth-otp-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, @@ -1553,7 +1589,7 @@ ] }, { - "id": "69775aac-fb56-4c37-b1e6-37460e1a5e07", + "id": "efee3a08-24fa-4aff-bd60-15b46c3c03e9", "alias": "Direct Grant - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1562,6 +1598,7 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1569,6 +1606,7 @@ }, { "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, @@ -1577,7 +1615,7 @@ ] }, { - "id": "f8dec0f7-9b88-40a3-89aa-484f3e497a31", + "id": "7962a626-a464-48fe-9d9a-baebf2ee1bd3", "alias": "First broker login - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1586,6 +1624,7 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1593,6 +1632,7 @@ }, { "authenticator": "auth-otp-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, @@ -1601,7 +1641,7 @@ ] }, { - "id": "9051d7c8-0eaa-4823-8f3a-3bb2f8622c6d", + "id": "097e3c21-a54d-4ced-a010-626381a5812a", "alias": "Handle Existing Account", "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId": "basic-flow", 
@@ -1610,12 +1650,14 @@ "authenticationExecutions": [ { "authenticator": "idp-confirm-link", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, "flowAlias": "Account verification options", @@ -1625,7 +1667,7 @@ ] }, { - "id": "11189a08-8540-4bc6-9d50-9c2754425ebd", + "id": "62c82456-7da8-4bc1-9add-9ea94c1bafe5", "alias": "Reset - Conditional OTP", "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId": "basic-flow", @@ -1634,6 +1676,7 @@ "authenticationExecutions": [ { "authenticator": "conditional-user-configured", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1641,6 +1684,7 @@ }, { "authenticator": "reset-otp", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, @@ -1649,7 +1693,7 @@ ] }, { - "id": "3be2e84c-d981-416b-aab6-ea3124b680e5", + "id": "2ecd89f2-5eff-47c9-b273-e604fbee05a6", "alias": "User creation or linking", "description": "Flow for the existing/non-existing user alternatives", "providerId": "basic-flow", @@ -1659,12 +1703,14 @@ { "authenticatorConfig": "create unique user config", "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 20, "flowAlias": "Handle Existing Account", @@ -1674,7 +1720,7 @@ ] }, { - "id": "1c5c4840-e883-433f-9f1f-3e9cc28a6460", + "id": "caa930c8-5148-4cd8-80fb-b86e278956c0", "alias": "Verify Existing Account by Re-authentication", "description": "Reauthentication of existing account", "providerId": "basic-flow", 
@@ -1683,12 +1729,14 @@ "authenticationExecutions": [ { "authenticator": "idp-username-password-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 20, "flowAlias": "First broker login - Conditional OTP", @@ -1698,7 +1746,7 @@ ] }, { - "id": "522d282b-647e-41b6-8a04-21ec6c4a9c09", + "id": "d3e94b4f-18fa-468b-b9ca-9dfc2b8bdf12", "alias": "browser", "description": "browser based authentication", "providerId": "basic-flow", @@ -1707,6 +1755,7 @@ "authenticationExecutions": [ { "authenticator": "auth-cookie", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, "userSetupAllowed": false, @@ -1714,6 +1763,7 @@ }, { "authenticator": "auth-spnego", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 20, "userSetupAllowed": false, @@ -1721,12 +1771,14 @@ }, { "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 25, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 30, "flowAlias": "forms", @@ -1736,7 +1788,7 @@ ] }, { - "id": "06edd8d5-2e4b-4f0d-a4e6-118661b357ed", + "id": "ae0c485f-1a3e-4b1e-a631-44ab0a1e9631", "alias": "clients", "description": "Base authentication for clients", "providerId": "client-flow", @@ -1745,6 +1797,7 @@ "authenticationExecutions": [ { "authenticator": "client-secret", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 10, "userSetupAllowed": false, @@ -1752,6 +1805,7 @@ }, { "authenticator": "client-jwt", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 20, "userSetupAllowed": false, @@ -1759,6 +1813,7 @@ }, { "authenticator": "client-secret-jwt", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 30, "userSetupAllowed": false, 
@@ -1766,6 +1821,7 @@ }, { "authenticator": "client-x509", + "authenticatorFlow": false, "requirement": "ALTERNATIVE", "priority": 40, "userSetupAllowed": false, @@ -1774,7 +1830,7 @@ ] }, { - "id": "11bfafda-d435-451e-8c80-ff2769415284", + "id": "7cd997d6-cca0-4492-b7b0-e62aa0765f54", "alias": "direct grant", "description": "OpenID Connect Resource Owner Grant", "providerId": "basic-flow", @@ -1783,6 +1839,7 @@ "authenticationExecutions": [ { "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1790,12 +1847,14 @@ }, { "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 30, "flowAlias": "Direct Grant - Conditional OTP", @@ -1805,7 +1864,7 @@ ] }, { - "id": "0317377f-2841-4fa4-8893-2430d1bcde21", + "id": "c18843f3-b2db-4339-b9d6-4b5925bfbe17", "alias": "docker auth", "description": "Used by Docker clients to authenticate against the IDP", "providerId": "basic-flow", @@ -1814,6 +1873,7 @@ "authenticationExecutions": [ { "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1822,7 +1882,7 @@ ] }, { - "id": "d393fac0-2c0e-4b0f-98e8-64d2014939fa", + "id": "2bfbfe79-e2a0-47fd-b727-0a56cefe3270", "alias": "first broker login", "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId": "basic-flow", 
@@ -1832,12 +1892,14 @@ { "authenticatorConfig": "review profile config", "authenticator": "idp-review-profile", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, "flowAlias": "User creation or linking", @@ -1847,7 +1909,7 @@ ] }, { - "id": "59a0d530-5706-46fb-8051-541545f18485", + "id": "fd1f9061-6001-4040-9f69-7445e690c68e", "alias": "forms", "description": "Username, password, otp and other auth forms.", "providerId": "basic-flow", @@ -1856,12 +1918,14 @@ "authenticationExecutions": [ { "authenticator": "auth-username-password-form", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 20, "flowAlias": "Browser - Conditional OTP", @@ -1871,7 +1935,7 @@ ] }, { - "id": "5490ab9e-90a2-4957-a528-65729951e4ed", + "id": "18e1f892-6b90-41e3-89c1-3ef55c8496dc", "alias": "http challenge", "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId": "basic-flow", @@ -1880,12 +1944,14 @@ "authenticationExecutions": [ { "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 20, "flowAlias": "Authentication Options", @@ -1895,7 +1961,7 @@ ] }, { - "id": "5c291b1f-5aec-4517-9ab9-6684a1b0cd43", + "id": "63926211-474b-4e11-b2b8-9b2da2851606", "alias": "registration", "description": "registration flow", "providerId": "basic-flow", @@ -1904,6 +1970,7 @@ "authenticationExecutions": [ { "authenticator": "registration-page-form", + "authenticatorFlow": true, "requirement": "REQUIRED", "priority": 10, "flowAlias": "registration form", 
@@ -1913,7 +1980,7 @@ ] }, { - "id": "cffff895-e0e1-4336-b1d5-a28ebed6a746", + "id": "429f7a06-ac0b-47a6-955f-b7b11b5e5471", "alias": "registration form", "description": "registration form", "providerId": "form-flow", @@ -1922,6 +1989,7 @@ "authenticationExecutions": [ { "authenticator": "registration-user-creation", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, @@ -1929,6 +1997,7 @@ }, { "authenticator": "registration-profile-action", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 40, "userSetupAllowed": false, @@ -1936,6 +2005,7 @@ }, { "authenticator": "registration-password-action", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 50, "userSetupAllowed": false, @@ -1943,6 +2013,7 @@ }, { "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, "requirement": "DISABLED", "priority": 60, "userSetupAllowed": false, @@ -1951,7 +2022,7 @@ ] }, { - "id": "4bb6f0cf-185b-464e-a601-a2dcb8ad0c2f", + "id": "791e9182-bdda-49e9-9998-90b5a5aa4a8b", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", @@ -1960,6 +2031,7 @@ "authenticationExecutions": [ { "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -1967,6 +2039,7 @@ }, { "authenticator": "reset-credential-email", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, @@ -1974,12 +2047,14 @@ }, { "authenticator": "reset-password", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 30, "userSetupAllowed": false, "autheticatorFlow": false }, { + "authenticatorFlow": true, "requirement": "CONDITIONAL", "priority": 40, "flowAlias": "Reset - Conditional OTP", 
@@ -1989,7 +2064,7 @@ ] }, { - "id": "11a546d9-ecfe-451b-991b-cf48388ce9c2", + "id": "3f38b0e8-a01e-429d-a790-667e74369ef4", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", @@ -1998,6 +2073,7 @@ "authenticationExecutions": [ { "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, @@ -2008,14 +2084,14 @@ ], "authenticatorConfig": [ { - "id": "d524c689-b060-4dae-8c9c-a8c46e3b657a", + "id": "79e94af4-ad5b-46fb-b832-d8307215657b", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { - "id": "51bd306d-4ec7-4c28-9d62-1bc47b16030c", + "id": "abd786e3-1893-4a79-8c15-a06ec69b1fec", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" @@ -2094,11 +2170,24 @@ "clientAuthenticationFlow": "clients", "dockerAuthenticationFlow": "docker auth", "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", "clientSessionIdleTimeout": "0", + "parRequestUriLifespan": "60", "clientSessionMaxLifespan": "0", - "clientOfflineSessionIdleTimeout": "0" + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5" }, - "keycloakVersion": "12.0.4", - "userManagedAccessAllowed": false + "keycloakVersion": "16.1.0", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } } \ No newline at end of file diff --git a/docker/synapse/homeserver.yaml b/docker/synapse/homeserver.yaml index b2d83c1..72c2553 100644 --- a/docker/synapse/homeserver.yaml +++ b/docker/synapse/homeserver.yaml 
@@ -26,10 +26,8 @@ oidc_providers:
 - idp_id: keycloak
 idp_name: Keycloak
 issuer: "https://okupamicoche-keycloak:8443/auth/realms/okupamicoche"
-# client_id: "okupamicoche-frontend-angular"
-# client_secret: "PUBLIC-CLIENT-WITH-NO-PASSWORD"
 client_id: "synapse"
- client_secret: "c2900355-e9b0-421d-a328-7de04cdd0f1a"
+# client_secret: "PUBLIC-CLIENT-WITH-NO-PASSWORD"
 scopes: [ "openid", "profile" ]
 user_mapping_provider:
 config:
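Review bot: Commenting out `client_secret` without also setting `client_auth_method: "none"` on this provider leaves a config that, as far as I recall, Synapse rejects at startup, because its default token-endpoint authentication (client_secret_basic) requires a secret; please confirm against the Synapse version baked into the image. More importantly, Synapse exchanges the authorization code server-side and should stay a confidential client, so the better way to keep the secret out of the repository is to retain `client_secret` and populate it at deploy time from an untracked file or environment substitution rather than turning the Keycloak client public. The value removed here (`c2900355-e9b0-421d-a328-7de04cdd0f1a`) remains in git history, so if the client is ever switched back to confidential, regenerate the secret in Keycloak instead of reusing it.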