diff --git a/docker-compose-parts/keycloak.yml b/docker-compose-parts/keycloak.yml
index 99339b8..c27195b 100644
--- a/docker-compose-parts/keycloak.yml
+++ b/docker-compose-parts/keycloak.yml
@@ -6,7 +6,7 @@ services:
 #hostname: sso.${DOMAIN}
 volumes:
 - /etc/localtime:/etc/localtime:ro
- - ${BUILD_ROOT_PATH}/init/keycloak/jsons:/opt/jboss/keycloak/imports
+ - ${BUILD_ROOT_PATH}/init/keycloak/jsons:/opt/jboss/keycloak/imports # Uses the environment var!
 - ${BUILD_ROOT_PATH}/init/keycloak/scripts/:/opt/jboss/startup-scripts/
 - ${CUSTOM_PATH}/custom/system/keycloak/themes:/opt/jboss/keycloak/themes/
 #- ${BUILD_ROOT_PATH}/docker/keycloak/extensions/keycloak-avatar-minio-extension/:/opt/custom/deployments
@@ -14,7 +14,7 @@ services:
 - ${BUILD_ROOT_PATH}/docker/keycloak/extensions/keycloak-avatar-minio-extension/avatar-minio-extension-bundle/target/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear:/opt/jboss/keycloak/standalone/deployments/avatar-minio-extension-bundle-1.0.1.0-SNAPSHOT.ear
 #- /opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json
 environment:
- #- KEYCLOAK_IMPORT=/opt/jboss/keycloak/imports/realm-export.json
+ - KEYCLOAK_IMPORT=/opt/jboss/keycloak/imports/realm.json
 - DB_VENDOR=POSTGRES
 - DB_ADDR=${KEYCLOAK_DB_ADDR}
 - DB_DATABASE=${KEYCLOAK_DB_DATABASE}
diff --git a/init/keycloak/jsons/clients.json b/init/keycloak/jsons/clients.json
new file mode 100644
index 0000000..841e07e
--- /dev/null
+++ b/init/keycloak/jsons/clients.json
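Review bot: The newly enabled `KEYCLOAK_IMPORT` points at `realm.json`, which (from the start of that file further down this diff) targets the `master` realm, and as far as I recall the WildFly image's `keycloak.import` skips a realm that already exists — master always does once the server has booted — so this import is unlikely to re-apply on later starts and may not apply on the first one either unless the scripts mounted at `/opt/jboss/startup-scripts/` take care of it; I'd confirm which mechanism actually performs the import and document it next to the variable, e.g. `# Applied only while the realm does not exist yet; edits to realm.json need a realm re-create or a migration strategy`. Keycloak's own guidance is to keep application clients out of the master realm, so importing the SAML clients into a dedicated realm would also bound what a compromised SP integration can reach. The `[[DOMAIN]]` and `[[SIGNING_CERTIFICATE]]` placeholders in the imported files suggest templating happens before import, in which case the mount should point at the rendered output rather than the template directory — hard to tell from this hunk alone.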
@@ -0,0 +1,286 @@
+[ {
+ "id" : "a92d5417-92b6-4678-9cb9-51bc0edcee8c",
+ "clientId" : "https://moodle.[[DOMAIN]]/auth/saml2/sp/metadata.php",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ "https://moodle.[[DOMAIN]]/auth/saml2/sp/saml2-acs.php/moodle.[[DOMAIN]]" ],
+ "webOrigins" : [ "https://moodle.[[DOMAIN]]" ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : false,
+ "frontchannelLogout" : true,
+ "protocol" : "saml",
+ "attributes" : {
+ "saml.force.post.binding" : "true",
+ "saml.encrypt" : "true",
+ "saml_assertion_consumer_url_post" : "https://moodle.[[DOMAIN]]/auth/saml2/sp/saml2-acs.php/moodle.[[DOMAIN]]",
+ "saml.server.signature" : "true",
+ "saml.server.signature.keyinfo.ext" : "false",
+ "saml.signing.certificate" : "[[SIGNING_CERTIFICATE]]",
+ "saml_single_logout_service_url_redirect" : "https://moodle.[[DOMAIN]]/auth/saml2/sp/saml2-logout.php/moodle.[[DOMAIN]]",
+ "saml.signature.algorithm" : "RSA_SHA256",
+ "saml_force_name_id_format" : "false",
+ "saml.client.signature" : "true",
+ "saml.encryption.certificate" : "[[ENCRYPTION_CERTIFICATE]]",
+ "saml.authnstatement" : "true",
+ "saml_name_id_format" : "username",
+ "saml_signature_canonicalization_method" : "http://www.w3.org/2001/10/xml-exc-c14n#"
+ },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : true,
+ "nodeReRegistrationTimeout" : -1,
+ "protocolMappers" : [ {
+ "id" : "9296daa3-4fc4-4b80-b007-5070f546ae13",
+ "name" : "X500 surname",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+ "user.attribute" : "lastName",
+ "friendly.name" : "surname",
+ "attribute.name" : "urn:oid:2.5.4.4"
+ }
+ }, {
+ "id" : "ccecf6e4-d20a-4211-b67c-40200a6b2c5d",
+ "name" : "username",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "Basic",
+ "user.attribute" : "username",
+ "friendly.name" : "username",
+ "attribute.name" : "username"
+ }
+ }, {
+ "id" : "53858403-eba2-4f6d-81d0-cced700b5719",
+ "name" : "X500 givenName",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+ "user.attribute" : "firstName",
+ "friendly.name" : "givenName",
+ "attribute.name" : "urn:oid:2.5.4.42"
+ }
+ }, {
+ "id" : "20034db5-1d0e-4e66-b815-fb0440c6d1e2",
+ "name" : "X500 email",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+ "user.attribute" : "email",
+ "friendly.name" : "email",
+ "attribute.name" : "urn:oid:1.2.840.113549.1.9.1"
+ }
+ } ],
+ "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ],
+ "access" : {
+ "view" : true,
+ "configure" : true,
+ "manage" : true
+ }
+}, {
+ "id" : "bef873f0-2079-4876-8657-067de27d01b7",
+ "clientId" : "https://nextcloud.[[DOMAIN]]/apps/user_saml/saml/metadata",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ "https://nextcloud.[[DOMAIN]]/apps/user_saml/saml/acs" ],
+ "webOrigins" : [ "https://nextcloud.[[DOMAIN]]" ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : false,
+ "frontchannelLogout" : true,
+ "protocol" : "saml",
+ "attributes" : {
+ "saml.assertion.signature" : "true",
+ "saml.force.post.binding" : "true",
+ "saml_assertion_consumer_url_post" : "https://nextcloud.[[DOMAIN]]/apps/user_saml/saml/acs",
+ "saml.server.signature" : "true",
+ "saml.server.signature.keyinfo.ext" : "false",
+ "saml.signing.certificate" : "[[SIGNING_CERTIFICATE]]",
+ "saml_single_logout_service_url_redirect" : "https://nextcloud.[[DOMAIN]]/apps/user_saml/saml/sls",
+ "saml.signature.algorithm" : "RSA_SHA256",
+ "saml_force_name_id_format" : "false",
+ "saml.client.signature" : "true",
+ "saml.authnstatement" : "true",
+ "saml_name_id_format" : "username",
+ "saml_signature_canonicalization_method" : "http://www.w3.org/2001/10/xml-exc-c14n#"
+ },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : true,
+ "nodeReRegistrationTimeout" : -1,
+ "protocolMappers" : [ {
+ "id" : "e8e4acff-da2b-46aa-8bdb-ba42171671d6",
+ "name" : "username",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "Basic",
+ "user.attribute" : "username",
+ "friendly.name" : "username",
+ "attribute.name" : "username"
+ }
+ }, {
+ "id" : "28206b59-757b-4e3c-81cb-0b6053b1fd3d",
+ "name" : "email",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "Basic",
+ "user.attribute" : "email",
+ "friendly.name" : "email",
+ "attribute.name" : "email"
+ }
+ }, {
+ "id" : "e51e04b9-f71a-42de-819e-dd9285246ada",
+ "name" : "Roles",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-role-list-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "single" : "true",
+ "attribute.nameformat" : "Basic",
+ "friendly.name" : "Roles",
+ "attribute.name" : "Roles"
+ }
+ } ],
+ "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ],
+ "access" : {
+ "view" : true,
+ "configure" : true,
+ "manage" : true
+ }
+}, {
+ "id" : "78a85fd1-869d-4ba4-8391-5708f7d1abe6",
+ "clientId" : "master-realm",
+ "name" : "master Realm",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ ],
+ "webOrigins" : [ ],
+ "notBefore" : 0,
+ "bearerOnly" : true,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : false,
+ "frontchannelLogout" : false,
+ "attributes" : { },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : true,
+ "nodeReRegistrationTimeout" : 0,
+ "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ],
+ "access" : {
+ "view" : true,
+ "configure" : true,
+ "manage" : true
+ }
+}, {
+ "id" : "630601f8-25d1-4822-8741-c93affd2cd84",
+ "clientId" : "php-saml",
+ "surrogateAuthRequired" : false,
+ "enabled" : true,
+ "alwaysDisplayInConsole" : false,
+ "clientAuthenticatorType" : "client-secret",
+ "redirectUris" : [ "https://wp.[[DOMAIN]]/wp-login.php?saml_acs" ],
+ "webOrigins" : [ "https://wp.[[DOMAIN]]" ],
+ "notBefore" : 0,
+ "bearerOnly" : false,
+ "consentRequired" : false,
+ "standardFlowEnabled" : true,
+ "implicitFlowEnabled" : false,
+ "directAccessGrantsEnabled" : false,
+ "serviceAccountsEnabled" : false,
+ "publicClient" : false,
+ "frontchannelLogout" : true,
+ "protocol" : "saml",
+ "attributes" : {
+ "saml.force.post.binding" : "true",
+ "saml_assertion_consumer_url_post" : "https://wp.[[DOMAIN]]/wp-login.php?saml_acs",
+ "saml.server.signature" : "true",
+ "saml.server.signature.keyinfo.ext" : "false",
+ "saml.signing.certificate" : "[[SIGNING_CERTIFICATE]]",
+ "saml_single_logout_service_url_redirect" : "https://wp.[[DOMAIN]]/wp-login.php?saml_sls",
+ "saml.signature.algorithm" : "RSA_SHA256",
+ "saml_force_name_id_format" : "false",
+ "saml.client.signature" : "true",
+ "saml.authnstatement" : "true",
+ "saml_name_id_format" : "username",
+ "saml_signature_canonicalization_method" : "http://www.w3.org/2001/10/xml-exc-c14n#"
+ },
+ "authenticationFlowBindingOverrides" : { },
+ "fullScopeAllowed" : true,
+ "nodeReRegistrationTimeout" : -1,
+ "protocolMappers" : [ {
+ "id" : "72c6175e-bd07-4c27-abd6-4e4ae38d834b",
+ "name" : "username",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-attribute-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "Basic",
+ "user.attribute" : "username",
+ "friendly.name" : "username",
+ "attribute.name" : "username"
+ }
+ }, {
+ "id" : "abd6562f-4732-4da9-987f-b1a6ad6605fa",
+ "name" : "roles",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-role-list-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "single" : "true",
+ "attribute.nameformat" : "Basic",
+ "friendly.name" : "Roles",
+ "attribute.name" : "Role"
+ }
+ }, {
+ "id" : "50aafb71-d91c-4bc7-bb60-e1ae0222aab3",
+ "name" : "email",
+ "protocol" : "saml",
+ "protocolMapper" : "saml-user-property-mapper",
+ "consentRequired" : false,
+ "config" : {
+ "attribute.nameformat" : "Basic",
+ "user.attribute" : "email",
+ "friendly.name" : "email",
+ "attribute.name" : "email"
+ }
+ } ],
+ "defaultClientScopes" : [ "web-origins", "role_list", "roles", "profile", "email" ],
+ "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ],
+ "access" : {
+ "view" : true,
+ "configure" : true,
+ "manage" : true
+ }
+} ]
\ No newline at end of file
diff --git a/init/keycloak/jsons/realm.json b/init/keycloak/jsons/realm.json
new file mode 100644
index 0000000..30b336c
--- /dev/null
+++ b/init/keycloak/jsons/realm.json
@@ -0,0 +1,108 @@
+{
+ "id" : "master",
+ "realm" : "master",
+ "displayName" : "Keycloak",
+ "displayNameHtml" : "
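Review bot: Every SAML client here is imported with `"fullScopeAllowed" : true`, and the nextcloud and wp clients add a `saml-role-list-mapper`, so a user's complete realm role set — including the Keycloak admin roles that live in this realm (the `master-realm` client entry shows these clients land in master) — is sent to each SP and handed to whatever role mapping the Nextcloud/WordPress SAML plugins apply; I'd set `"fullScopeAllowed" : false` on each SAML client and grant only the roles each application needs via scope mappings. The nextcloud and wp `username` mappers use `saml-user-attribute-mapper` while the moodle client uses `saml-user-property-mapper` for the same field; whether the attribute mapper resolves the built-in username is version-dependent, so `"protocolMapper" : "saml-user-property-mapper"` is the safer and consistent choice. Only the moodle client sets `"saml.encrypt" : "true"`; the nextcloud and wp assertions carry username, email and roles signed but unencrypted through the user's browser, which may be intentional but deserves a comment or a matching `saml.encrypt`/`saml.encryption.certificate` pair. All three clients share the single `[[SIGNING_CERTIFICATE]]` placeholder; if the templating fills them with one SP key pair, compromise of any one SP lets AuthnRequests be signed on behalf of all of them — presumably each SP gets its own certificate, worth confirming.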