diff --git a/mii-process-feasibility-docker-test-setup/dic-1/bpe/plugin/README.md b/mii-process-feasibility-docker-test-setup/dic-1/bpe/plugin/README.md
deleted file mode 100644
index 777e443..0000000
--- a/mii-process-feasibility-docker-test-setup/dic-1/bpe/plugin/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Empty folder for plugin jars
\ No newline at end of file
diff --git a/mii-process-feasibility-docker-test-setup/dic-2/bpe/log/README.md b/mii-process-feasibility-docker-test-setup/dic-2/bpe/log/README.md
deleted file mode 100644
index 2fd366f..0000000
--- a/mii-process-feasibility-docker-test-setup/dic-2/bpe/log/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Empty folder for log files
\ No newline at end of file
diff --git a/mii-process-feasibility-docker-test-setup/dic-2/bpe/plugin/README.md b/mii-process-feasibility-docker-test-setup/dic-2/bpe/plugin/README.md
deleted file mode 100644
index 777e443..0000000
--- a/mii-process-feasibility-docker-test-setup/dic-2/bpe/plugin/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Empty folder for plugin jars
\ No newline at end of file
diff --git a/mii-process-feasibility-docker-test-setup/dic-3/bpe/plugin/README.md b/mii-process-feasibility-docker-test-setup/dic-3/bpe/plugin/README.md
deleted file mode 100644
index 777e443..0000000
--- a/mii-process-feasibility-docker-test-setup/dic-3/bpe/plugin/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Empty folder for plugin jars
\ No newline at end of file
diff --git a/mii-process-feasibility-docker-test-setup/dic-3/keycloak/realm-test.json b/mii-process-feasibility-docker-test-setup/dic-3/keycloak/realm-test.json
new file mode 100644
index 0000000..7331910
--- /dev/null
+++ b/mii-process-feasibility-docker-test-setup/dic-3/keycloak/realm-test.json
@@ -0,0 +1,2056 @@
+{
+ "id" : "test",
+ "realm" : "test",
+ "displayName" : "Keycloak",
+ "displayNameHtml" : "
Keycloak
", + "notBefore" : 0, + "defaultSignatureAlgorithm" : "RS256", + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 3600, + "accessTokenLifespanForImplicitFlow" : 900, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "clientSessionIdleTimeout" : 0, + "clientSessionMaxLifespan" : 0, + "clientOfflineSessionIdleTimeout" : 0, + "clientOfflineSessionMaxLifespan" : 0, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "oauth2DeviceCodeLifespan" : 600, + "oauth2DevicePollingInterval" : 5, + "enabled" : true, + "sslRequired" : "external", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxTemporaryLockouts" : 0, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "cfab484f-be62-43ac-ac58-4a3ca0b76895", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "test", + "attributes" : { } + }, { + "id" : "a405bd09-e663-4e3c-9d77-a9d965d1250a", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "test", + "attributes" : { } + }, { + "id" : 
"76043e61-4a56-4b14-b70a-54f411d73f70", + "name" : "default-roles-test", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { + "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "account" : [ "view-profile", "manage-account" ] + } + }, + "clientRole" : false, + "containerId" : "test", + "attributes" : { } + }, { + "id" : "ddf3601e-7689-4e9a-8dce-69a964a14d8c", + "name" : "admin", + "description" : "${role_admin}", + "composite" : true, + "composites" : { + "realm" : [ "create-realm" ], + "client" : { + "test-realm" : [ "view-users", "manage-events", "view-realm", "view-clients", "view-events", "query-realms", "query-users", "impersonation", "view-authorization", "manage-clients", "manage-identity-providers", "query-groups", "query-clients", "create-client", "manage-authorization", "view-identity-providers", "manage-users", "manage-realm" ] + } + }, + "clientRole" : false, + "containerId" : "test", + "attributes" : { } + }, { + "id" : "319558ae-0ae5-4110-b688-5f30f94f652e", + "name" : "create-realm", + "description" : "${role_create-realm}", + "composite" : false, + "clientRole" : false, + "containerId" : "test", + "attributes" : { } + } ], + "client" : { + "realm-management" : [ { + "id" : "62e4743e-a905-42a8-96d6-a8d5fdd844ea", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "6c73cf21-93e7-453d-8ba2-b3c7154c4367", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "d232c025-2d26-40ee-8196-cf52f171097b", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : 
"b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "6d7f5457-8f9a-4ffa-825a-fde1a755e09e", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "e6841db6-8b7e-4884-b2b4-65d950eaf8ac", + "name" : "realm-admin", + "description" : "${role_realm-admin}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "manage-events", "view-identity-providers", "manage-identity-providers", "query-realms", "view-users", "manage-authorization", "view-clients", "view-realm", "create-client", "query-groups", "query-clients", "view-events", "manage-realm", "query-users", "view-authorization", "manage-clients", "manage-users", "impersonation" ] + } + }, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "b4a8f2f3-eed6-4957-b2c0-3f0eda65ccac", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-groups", "query-users" ] + } + }, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "cf664a6f-60d6-4603-8242-f7c8aa7aabb4", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "4912268a-99a5-4d06-bac1-49153e9e6330", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "0660daed-6bb8-432c-8d65-4b7ccf3938e7", + "name" : "view-realm", + "description" : 
"${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "22510f81-7b5d-4ab4-b31f-a168a6d04f1d", + "name" : "create-client", + "description" : "${role_create-client}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "9d4ba117-e4ac-4dda-80cd-5753f1443247", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "0ac7902c-0cfe-4ece-b694-a2e56b1a436a", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "2f91a5d6-4d8b-4e86-bc2b-98dafa5897a4", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "518da31b-1771-4fa0-ac0c-5bd9420776e9", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "bb608a9a-af7e-49d5-9306-c4925525129d", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "89e04b7d-dda2-47a5-8610-951601c52048", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "1e319aff-9893-482d-945d-d428ee73c014", + "name" : "view-authorization", + 
"description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "9f68e090-fc30-43e9-8a6a-2e0f08c8b6a2", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + }, { + "id" : "6b633c77-15e4-4788-8920-9b3ea1f803a0", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "attributes" : { } + } ], + "security-admin-console" : [ ], + "admin-cli" : [ ], + "account-console" : [ ], + "broker" : [ { + "id" : "77f7ce3c-d305-45ff-810a-06fffe9285dd", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "738bfb28-835b-4707-b3fa-e8d620c4a2ad", + "attributes" : { } + } ], + "account" : [ { + "id" : "4cb842f2-27bd-4368-b99c-f505aa8b3247", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + }, { + "id" : "6f3de551-2a00-4a4f-a304-0b8b5ddb7bcb", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + }, { + "id" : "47a5291d-d89e-4c93-9a56-3b33b5944ace", + "name" : "view-consent", + "description" : "${role_view-consent}", + "composite" : false, + "clientRole" : true, + "containerId" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + }, { + "id" : "92c23878-9e1d-4bd2-a73b-01d35c3a4a57", + "name" : "view-groups", + "description" : "${role_view-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : 
"a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + }, { + "id" : "7ae6416a-3d1c-4fa5-8f6c-199672eb696b", + "name" : "manage-consent", + "description" : "${role_manage-consent}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "view-consent" ] + } + }, + "clientRole" : true, + "containerId" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + }, { + "id" : "4ac84e04-1a77-4121-bb6e-18ed6948ad93", + "name" : "delete-account", + "description" : "${role_delete-account}", + "composite" : false, + "clientRole" : true, + "containerId" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + }, { + "id" : "54be8eec-70da-44f4-95a0-b4eb62800c8a", + "name" : "view-applications", + "description" : "${role_view-applications}", + "composite" : false, + "clientRole" : true, + "containerId" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + }, { + "id" : "8de14797-ac52-4001-8bad-ac66f326485e", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "attributes" : { } + } ], + "test-realm" : [ { + "id" : "154e52c7-8957-475e-9e32-193daf180c5a", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "test-realm" : [ "query-groups", "query-users" ] + } + }, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "51de37c7-d9e9-44dc-8264-a5c34731101b", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "c6952b26-9c30-4ae4-96ad-bd8fc8803cde", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, 
+ "composites" : { + "client" : { + "test-realm" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "11eef5a3-1b86-4f4b-81d2-73c21dee786a", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "c3a9ac36-2296-4c3c-9cad-4b2d3b2a8c92", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "e8d45b32-ee65-4d35-bb29-f49022dde86c", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "13a73a25-f362-4ff5-a8d2-97f1f451d8c7", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "25a98a91-87b0-42dc-9e25-18a0fb9a4f63", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "7c7d7e5b-a9a9-4b5e-a2b9-0efbfc205da0", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "d10d7200-2fa0-4ff9-81d2-0e6f1d1bcc19", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "ca756c34-6506-4461-a5ec-6ffabf008074", + 
"name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "701964cd-ea25-4df7-87fe-090de21d2495", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "4526b5eb-206a-4843-a7c1-8cb59745c042", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "b70afed2-5c61-400e-867b-036bcdec58e3", + "name" : "create-client", + "description" : "${role_create-client}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "06557d0f-4267-429d-96d8-92ccdaea9c22", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "3822acc8-a18d-41f7-ba08-f6fe287cd1d7", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "c6b461b5-a5c6-41f5-ab8f-742bfcf11cdd", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "attributes" : { } + }, { + "id" : "8b022167-a28f-4642-8e9b-b11fdf8e9b9c", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + 
"attributes" : { } + } ] + } + }, + "groups" : [ ], + "defaultRole" : { + "id" : "76043e61-4a56-4b14-b70a-54f411d73f70", + "name" : "default-roles-test", + "description" : "${role_default-roles}", + "composite" : true, + "clientRole" : false, + "containerId" : "test" + }, + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpPolicyCodeReusable" : false, + "otpSupportedApplications" : [ "totpAppFreeOTPName", "totpAppGoogleName", "totpAppMicrosoftAuthenticatorName" ], + "localizationTexts" : { }, + "webAuthnPolicyRpEntityName" : "keycloak", + "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyRpId" : "", + "webAuthnPolicyAttestationConveyancePreference" : "not specified", + "webAuthnPolicyAuthenticatorAttachment" : "not specified", + "webAuthnPolicyRequireResidentKey" : "not specified", + "webAuthnPolicyUserVerificationRequirement" : "not specified", + "webAuthnPolicyCreateTimeout" : 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyAcceptableAaguids" : [ ], + "webAuthnPolicyExtraOrigins" : [ ], + "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyPasswordlessRpId" : "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", + "webAuthnPolicyPasswordlessCreateTimeout" : 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], + "webAuthnPolicyPasswordlessExtraOrigins" : [ ], + "users" : [ { + "id" : "b0ef6edd-d503-4c74-a5ac-587fc56ea8ec", + "username" : 
"admin", + "emailVerified" : false, + "createdTimestamp" : 1619179992044, + "enabled" : true, + "totp" : false, + "credentials" : [ { + "id" : "a364bc10-e50d-46e7-9a4b-a2e81cfb97ef", + "type" : "password", + "createdDate" : 1619179992264, + "secretData" : "{\"value\":\"HFaSOho+7v2/pNE05AzCJs+MGKga2UuZFpCJwrEwyRWXq8xhYI+QZlsrsvkXbg8yye0ajxvKMhoQ8StOIw92hQ==\",\"salt\":\"0FxKxt+bGWwoWSZptMOXlw==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "offline_access", "uma_authorization", "admin" ], + "clientRoles" : { + "account" : [ "view-profile", "manage-account" ] + }, + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "18fb5db1-ebae-4824-ba72-a412330fe026", + "username" : "john", + "firstName" : "John", + "lastName" : "Doe", + "emailVerified" : false, + "createdTimestamp" : 1710947689953, + "enabled" : true, + "totp" : false, + "credentials" : [ { + "id" : "beee2f20-4a46-41e3-ace8-c56dca1e351f", + "type" : "password", + "createdDate" : 1710947723777, + "secretData" : "{\"value\":\"XmSnkmkJIk2SiZmdURejFJeEV+Jrvwqfi4NIKBwvcHXpRKtyaUFRSZb+cLuy4YyhhGXK/jn7sIbY3lNg/OwJNA==\",\"salt\":\"Fe3FD77W0p8xSfIckS7BpQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":210000,\"algorithm\":\"pbkdf2-sha512\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-test" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "72a7f37e-b33f-4908-9ad9-33be0d4c1620", + "username" : "service-account-account", + "emailVerified" : false, + "createdTimestamp" : 1619180273352, + "enabled" : true, + "totp" : false, + "serviceAccountClientId" : "account", + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "offline_access", "uma_authorization" ], + 
"clientRoles" : { + "account" : [ "view-profile", "manage-account" ] + }, + "notBefore" : 0, + "groups" : [ ] + } ], + "scopeMappings" : [ { + "clientScope" : "offline_access", + "roles" : [ "offline_access" ] + } ], + "clientScopeMappings" : { + "account" : [ { + "client" : "account-console", + "roles" : [ "manage-account", "view-groups" ] + } ] + }, + "clients" : [ { + "id" : "a0f23909-cbba-4950-95c5-1a166b4b3c54", + "clientId" : "account", + "name" : "${client_account}", + "description" : "", + "rootUrl" : "${authBaseUrl}", + "adminUrl" : "", + "baseUrl" : "/realms/test/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "test", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : true, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + "post.logout.redirect.uris" : "+", + "oauth2.device.authorization.grant.enabled" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "exclude.session.state.from.auth.response" : "false", + "oidc.ciba.grant.enabled" : "false", + "backchannel.logout.session.required" : "false", + "client_credentials.use_refresh_token" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, 
+ "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "df9007ce-cdcc-4cd3-be23-74cc3a81e518", + "name" : "Client IP Address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientAddress", + "userinfo.token.claim" : "true", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientAddress", + "jsonType.label" : "String" + } + }, { + "id" : "49dfb8da-2cf1-4348-a587-e11c8a2dd5e3", + "name" : "Client ID", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientId", + "userinfo.token.claim" : "true", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientId", + "jsonType.label" : "String" + } + }, { + "id" : "facf237e-6601-4712-a854-e52134dd5122", + "name" : "Client Host", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientHost", + "userinfo.token.claim" : "true", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientHost", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "a13c25c1-0378-466f-98eb-48006045968f", + "clientId" : "account-console", + "name" : "${client_account-console}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/test/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "102c2a26-30b5-4dfe-a540-6bd925ceaa67", + "redirectUris" : [ "/realms/test/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + 
"bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "ccf3fe06-0eb7-4e2b-8323-7f53649d40d4", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + } ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "502c9394-9181-4ddc-b573-f0b545b2ca9c", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "2fe5724f-0328-4fe7-a4b7-37a0badf610f", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "ed0e9e16-d955-44d4-ab4c-0c6e8480bf12", + "clientId" : "test-realm", + "name" : "test Realm", 
+ "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "test", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "738bfb28-835b-4707-b3fa-e8d620c4a2ad", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "b2569a8e-0483-44aa-aa82-c2b3ee9462fc", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "b9e2f2c2-46ba-4d57-9f93-f336ad52a3bf", + "clientId" : "realm-management", + "name" : "${client_realm-management}", + "surrogateAuthRequired" : false, + 
"enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ ], + "optionalClientScopes" : [ ] + }, { + "id" : "9f6340e7-176f-44f0-ae0f-a04cc5c54921", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", + "rootUrl" : "${authAdminUrl}", + "baseUrl" : "/admin/test/console/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "50f03c48-3691-4c39-a3c3-3d02219525dc", + "redirectUris" : [ "/admin/test/console/*" ], + "webOrigins" : [ "+" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "69d66f56-d567-451f-b979-7be216edd68a", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + 
"claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "9809d86e-9b9d-4c77-96d9-483f79bbadf7", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "5cb5d135-4ec0-48ee-b8f3-1d2eea8972a5", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "cd8a5107-e52c-4642-942e-d05bff239e3c", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "f3bb04c6-97c8-47e0-b383-8e7e586d2ab8", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + "consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } + }, { + "id" : "f3f3fa4a-0e7e-4ffa-a994-6297c23f908d", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + 
"display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "91fa2894-4e7e-404b-864e-c917f90ac77b", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] + }, { + "id" : "3b1fce21-ed51-4f05-942c-93cecb81025c", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${profileScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "351876fb-061f-4c8d-838c-082928bd80f7", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "a4d2a8c3-36d2-4f5a-91eb-a570e7cc0d3c", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "String" + } + }, { + "id" : "7492477a-d4c6-4a9e-89b2-6335a5f89ada", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + }, { + "id" : "fe14acb2-1948-49d6-9b2c-ba20b64cf017", + "name" : "gender", + "protocol" : 
"openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + "jsonType.label" : "String" + } + }, { + "id" : "28db7700-4226-4307-a22a-0deb6f857513", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + }, { + "id" : "ec4bdc29-7979-45f0-9071-4b680fda049a", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "84d327bb-bd09-4428-b6e3-e5ba4d896074", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + }, { + "id" : "6258fd50-c687-4a42-8b7c-964b75581042", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + }, { + "id" : "9db28236-3a1a-4e8d-b5cd-13f689f180a0", + "name" : 
"birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "ae46ed2c-2154-45ef-90a7-fa50e80dc935", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "9a4a3bd9-b8ee-4ebc-94b4-b4da3881ae18", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "ebc6c1fe-d2cb-441f-8803-c4ec8506168c", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "cb2a2a4d-a3d2-4660-9438-714f64c4f831", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "7e28b8ae-83b8-4f06-9184-932a06b5e619", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : 
"oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "8dc47e1e-202a-4aa4-945d-1e4a80763482", + "name" : "acr", + "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "7ac4dd59-25b7-42cc-a8c9-68301983dce9", + "name" : "acr loa level", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-acr-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "introspection.token.claim" : "true", + "access.token.claim" : "true" + } + } ] + }, { + "id" : "bd5a5fc6-85c8-4e4b-b147-0dbbfd5add27", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "94fa890b-976e-48ce-8640-6b6781e7bf6c", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + }, { + "id" : "deb58ea8-1660-43ac-9097-34d38b3c9126", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + 
"id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + } ] + }, { + "id" : "06ee6c91-072f-461f-be27-791a6556324f", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "efccbda2-dd10-426b-809a-f46cb921c7a9", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "73bccc6d-2d3f-4c85-8d25-c6868f2b70b8", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "f4cb8558-578a-41bb-815a-91f2514b71cb", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${rolesScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "63a2ee31-2194-49cc-9724-ccb9c57d8fa2", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + 
"multivalued" : "true" + } + }, { + "id" : "da083c4e-081c-4f8f-8526-5fa49d71a111", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + }, { + "id" : "8d7c0a1a-42cc-4efe-a322-3c56ded3424e", + "name" : "realm roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + } ] + }, { + "id" : "992bf614-54e3-414a-8d56-e47d7e37fc11", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "a1999995-852d-4c55-b2bc-e096aba293f2", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "f0cb84ff-70eb-42ee-8439-da9cfd3c62ca", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "dba527ed-7819-4a95-8102-0c9032f25067", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" 
: { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + } ], + "defaultDefaultClientScopes" : [ "profile", "email", "role_list", "web-origins", "roles", "acr" ], + "defaultOptionalClientScopes" : [ "microprofile-jwt", "address", "phone", "offline_access" ], + "browserSecurityHeaders" : { + "contentSecurityPolicyReportOnly" : "", + "xContentTypeOptions" : "nosniff", + "referrerPolicy" : "no-referrer", + "xRobotsTag" : "none", + "xFrameOptions" : "SAMEORIGIN", + "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection" : "1; mode=block", + "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + "smtpServer" : { }, + "eventsEnabled" : false, + "eventsListeners" : [ "jboss-logging" ], + "enabledEventTypes" : [ ], + "adminEventsEnabled" : false, + "adminEventsDetailsEnabled" : false, + "identityProviders" : [ ], + "identityProviderMappers" : [ ], + "components" : { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { + "id" : "da2969b9-5e9b-448c-86ea-36cc860a3927", + "name" : "Max Clients Limit", + "providerId" : "max-clients", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "max-clients" : [ "200" ] + } + }, { + "id" : "c2436a16-6e52-4161-949c-5747d4819497", + "name" : "Consent Required", + "providerId" : "consent-required", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "3a935ca4-e98e-4ec1-ad6e-91023fc1eb4e", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "86ea8008-be05-4317-9ca9-b711ea4a8c13", + "name" : "Trusted Hosts", + "providerId" : "trusted-hosts", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "host-sending-registration-request-must-match" : [ "true" ], + "client-uris-must-match" : [ 
"true" ] + } + }, { + "id" : "8b7ad61a-9124-4a0d-aa25-57d99eaaba1b", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "4c31d0d7-6787-4c0f-8b41-799ff1e4b1e3", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "saml-user-property-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper" ] + } + }, { + "id" : "fe477953-0991-4166-9239-8d020e9bb8f6", + "name" : "Full Scope Disabled", + "providerId" : "scope", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "c3d4ebb9-7e9d-4cc8-97e2-3c3ce73da642", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper" ] + } + } ], + "org.keycloak.userprofile.UserProfileProvider" : [ { + "id" : "27ee9f9c-a76b-4ed5-9dea-52a5108b85d8", + "providerId" : "declarative-user-profile", + "subComponents" : { }, + "config" : { + "kc.user.profile.config" : [ 
"{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}],\"unmanagedAttributePolicy\":\"ENABLED\"}" ] + } + } ], + "org.keycloak.keys.KeyProvider" : [ { + "id" : "16e1431e-e111-4466-a89e-3eaba25f9419", + "name" : "hmac-generated-hs512", + "providerId" : "hmac-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "d352b3e0-4ad7-4698-8831-63fa4cc5e6b7" ], + "secret" : [ "njkg8Vd2htEmKQdm9nntcgvQEuY8Tegl0d0LaB7hSpkQz0tpfbkAip1Myzs8ULQ8Y4ZMb7ddb5dgLQXJFFILh9ji1RbM3W3ZkD4m9CU14-O7tjwL0mNk_ER99393X9f6jUDMmll2lqEmFkxBUJr5G0Sqi1MyhSaXjaQfFlWpfrY" ], + "priority" : [ "100" ], + "algorithm" : [ "HS512" ] + } + }, { + "id" : "185b5cbc-c208-4b30-8ea4-e26d46827d8a", + "name" : "fallback-RS256", + "providerId" : "rsa-generated", + "subComponents" : { }, + "config" : { + "privateKey" : [ 
"MIIEpAIBAAKCAQEAsRMbt+R+Fkym/pDoprcMQG+QuaHI0IheBXUoSl160A2TIeF6vJzbpRex1sNbTBUcfpeYesrWoevpzmk43uDWcMtLSo2cDr6pt8Gfa97V5LH1tVF+RcdwebirKdzH0kh6t8RTxN81cnl564LWz5VJvHCCPJcSvegUM6gprHVIwtlpEMzsoC2lFQNjCjfEl2aY5LPuvD9bWjeeDK/J4s5wKgr2Y9A12zjTvGKJkKDEam/4cKVapi+sGNNafrAX0DcrEM0G2S1S+FefjIOqF50mOKhRJbNkUcbK/g/VKDBCdowzmvvR6MZx0rBi7RrHhaq8KToXoYcOIvMOKAvpDc1gjwIDAQABAoIBAB9AvyCqzHJFHyhJDTb3kcsBpeqNmnLrzqRp9C2D6Dw2WSSetln52W5/Cx1bp457H2dcfEYX7N/xUnfi7G2yA0cvKl/DNKsJjczn+KpCT0ApBLP26TGJrNle9Z7S39XGgxpSJXLW7okA1brygdVrhPMkbGgjReSMxJwFby2IGcqB53oAeCgZEKkW4ZqOh/cwKjJkLCgLRT9pgh875wniKDFeKnEx5sbNZ9dWPoqmy55TfjqjTGA3cdnWThnGNgGxiN3fG2ZAPFxNAUpaBnlHPiaPGZJwv2lDisAKzP+MnA5+wz1Wx0ncEs08Aw5ngtFpljC5zktNhkmCRGlJOFLGmQkCgYEA5rpd4rg5uwtN7OKCksATRRjkLWEVgqoggW4ejnJ6LSQ+VY6OdV77nC1ftOEeddYouYtfcRAfhxhKtHPJI14IRzhGevvQcN65jnUhaoYk5N6bKHK349l0jhK5UmZAyCdQpY7N+iNAQLOrIqSL87I0B+jd8QGFu8IssR+gnEw0f40CgYEAxHhL+mxc+tUn2JxAZJiIyh+M8vLvTRCGRMW9gxtQ6w8K47rYiY93veIMU/2gk9PLYhUcU4Uz14MQfuldiuamydTw1wn3e7pgLD1EQ29Ck2vcr+nLz5G6z55wfiV4rqvb1xSnu0u5Y/k5Kopo9G2U20kDfWyNbQvXpnRSCKgJW4sCgYEAt0ji3gCUs7Y2L/B741G7vQ8Z68aMjODSs56jnWrpDUUWU2bMWgaa/6S3u3t9dAQtE7/YkHtLYEj2x0SXSoYfM1xL+NRi79auNrFrWzC2zCzdupLu64xJ37aWCxP5cEZy9SFtFMC+AOf5Ear/FhbA6GufKx2Xe+CzGf1S2/ZZWd0CgYEAlaiVJ8NX6HJqkeQkYPyYZm82LPLFOsz1mnmObMpoD0Y8I1D3FYJF0kzY2zn+Ed1pteMi2rRC002xSRt2+BHOxzv/4a5j6MoF7G0XDM85xZaKWy4a5Ji71t94DX95uISNR/8h7dg29mKoGzGn1VmL5KZvlCEWchRtRwygWJu31RUCgYBbKIVikkdS1ZxexPmXAISKZ+cO+RUffLjs6RLgE/Bt1LZLCK4gA3y3HaBfkcF4LSoXjwF35mDAQ32ZP24afasHjTwcREv1vBzhvKEppWpsaZC7pr9IJfYHhPxhHbkHD2BdxKRMg/jQ5N7cLjuqenR0DY1C4mTcYSA1W1DqezrmrQ==" ], + "certificate" : [ "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" ], + "priority" : [ "-100" ], + "algorithm" : [ "RS256" ] + } + }, { + "id" : "5769f531-07cd-4e4e-a565-3d8731daafdd", + "name" : "fallback-HS256", + "providerId" : "hmac-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "73170ee0-e952-4573-8d9c-d6a9fb2c193e" ], + "secret" : [ 
"jlNrWr4_mB4AOXdLF7izVHaOT7rmfssy0_5hXWWVBN1G3vosStn_mO27HwdRBiALb-Ri24X83sBj_JjwJ_s3QpyJQqejTDm61_H6zCFcmD1c89-iNZc_45hSbDj38wX4rfmB7F67r254cHh5q2TcdJvqDJfuViGPS1TiRGoxWb4" ], + "priority" : [ "-100" ], + "algorithm" : [ "HS256" ] + } + } ] + }, + "internationalizationEnabled" : false, + "supportedLocales" : [ ], + "authenticationFlows" : [ { + "id" : "f9e9054d-fedc-43b1-b0ff-8fbf84d665f9", + "alias" : "Account verification options", + "description" : "Method with which to verity the existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-email-verification", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Verify Existing Account by Re-authentication", + "userSetupAllowed" : false + } ] + }, { + "id" : "67760bda-4d3f-462d-a81d-5b99fdbd9057", + "alias" : "Browser - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "ad30bc5a-daeb-4e39-b11c-4d209227378e", + "alias" : "Direct Grant - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + 
"authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "direct-grant-validate-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "d66d7cc2-f395-4e6f-b1f2-f3c650cc1223", + "alias" : "First broker login - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "985ffbbb-267f-4cb6-a09b-454ebb9e5b60", + "alias" : "Handle Existing Account", + "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-confirm-link", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Account verification options", + "userSetupAllowed" : false + } ] + }, { + "id" : "5bdd0a60-8aeb-4e11-9455-ae01eed15bda", + "alias" : "Reset - Conditional OTP", + "description" : "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "7793fa6d-5be1-498b-9337-170426960cb6", + "alias" : "User creation or linking", + "description" : "Flow for the existing/non-existing user alternatives", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "create unique user config", + "authenticator" : "idp-create-user-if-unique", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Handle Existing Account", + "userSetupAllowed" : false + } ] + }, { + "id" : "38468f69-d630-4b00-ab5b-169e7a413b44", + "alias" : "Verify Existing Account by Re-authentication", + "description" : "Reauthentication of existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "First broker login - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "c7324105-a924-4689-8f04-c7ea0f8effd2", + "alias" : "browser", + 
"description" : "browser based authentication", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-cookie", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-spnego", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "identity-provider-redirector", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 25, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "autheticatorFlow" : true, + "flowAlias" : "forms", + "userSetupAllowed" : false + } ] + }, { + "id" : "88e04d13-4d71-4ff6-b521-7bbebb3329f5", + "alias" : "clients", + "description" : "Base authentication for clients", + "providerId" : "client-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "client-secret", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-secret-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-x509", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 40, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "c5c23ac7-c748-48d2-8090-7c21197238af", + "alias" : "direct grant", + "description" : "OpenID Connect Resource 
Owner Grant", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "direct-grant-validate-username", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "direct-grant-validate-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 30, + "autheticatorFlow" : true, + "flowAlias" : "Direct Grant - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "a3201f31-10e7-4b6c-85a7-169851b5e3b4", + "alias" : "docker auth", + "description" : "Used by Docker clients to authenticate against the IDP", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "docker-http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "fa162a5a-0fb5-404f-8aa3-893fec90e1c9", + "alias" : "first broker login", + "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "review profile config", + "authenticator" : "idp-review-profile", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "User creation or linking", + "userSetupAllowed" : false + } ] + }, { + "id" : 
"784b94b0-b050-406a-83fb-e83eea2e282b", + "alias" : "forms", + "description" : "Username, password, otp and other auth forms.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Browser - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "9b62475b-9803-48ef-8c37-4786889773a4", + "alias" : "registration", + "description" : "registration flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-page-form", + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : true, + "flowAlias" : "registration form", + "userSetupAllowed" : false + } ] + }, { + "id" : "8c4579e2-0870-48c3-9b7b-faf6e1e7cb58", + "alias" : "registration form", + "description" : "registration form", + "providerId" : "form-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-user-creation", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-password-action", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 50, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-recaptcha-action", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 60, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "d8526a3d-2a46-429d-95b1-e0eec86a0130", + "alias" : "reset credentials", + 
"description" : "Reset credentials for a user if they forgot their password or something", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "reset-credentials-choose-user", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-credential-email", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 30, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 40, + "autheticatorFlow" : true, + "flowAlias" : "Reset - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "1cd0d9f7-bef8-4cfc-b1fe-bedb4aad0a7a", + "alias" : "saml ecp", + "description" : "SAML ECP Profile Authentication Flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + } ], + "authenticatorConfig" : [ { + "id" : "fdc6ae68-fe17-43fe-b7b8-0fcc04d822ce", + "alias" : "create unique user config", + "config" : { + "require.password.update.after.registration" : "false" + } + }, { + "id" : "c84572ec-5ca1-4730-817a-b7a4ca89bf79", + "alias" : "review profile config", + "config" : { + "update.profile.on.first.login" : "missing" + } + } ], + "requiredActions" : [ { + "alias" : "CONFIGURE_TOTP", + "name" : "Configure OTP", + "providerId" : "CONFIGURE_TOTP", + "enabled" : true, + "defaultAction" : false, + "priority" : 10, + "config" : { } + }, { + "alias" : 
"TERMS_AND_CONDITIONS", + "name" : "Terms and Conditions", + "providerId" : "TERMS_AND_CONDITIONS", + "enabled" : false, + "defaultAction" : false, + "priority" : 20, + "config" : { } + }, { + "alias" : "UPDATE_PASSWORD", + "name" : "Update Password", + "providerId" : "UPDATE_PASSWORD", + "enabled" : true, + "defaultAction" : false, + "priority" : 30, + "config" : { } + }, { + "alias" : "UPDATE_PROFILE", + "name" : "Update Profile", + "providerId" : "UPDATE_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 40, + "config" : { } + }, { + "alias" : "VERIFY_EMAIL", + "name" : "Verify Email", + "providerId" : "VERIFY_EMAIL", + "enabled" : true, + "defaultAction" : false, + "priority" : 50, + "config" : { } + }, { + "alias" : "delete_account", + "name" : "Delete Account", + "providerId" : "delete_account", + "enabled" : false, + "defaultAction" : false, + "priority" : 60, + "config" : { } + }, { + "alias" : "update_user_locale", + "name" : "Update User Locale", + "providerId" : "update_user_locale", + "enabled" : true, + "defaultAction" : false, + "priority" : 1000, + "config" : { } + } ], + "browserFlow" : "browser", + "registrationFlow" : "registration", + "directGrantFlow" : "direct grant", + "resetCredentialsFlow" : "reset credentials", + "clientAuthenticationFlow" : "clients", + "dockerAuthenticationFlow" : "docker auth", + "firstBrokerLoginFlow" : "first broker login", + "attributes" : { + "cibaBackchannelTokenDeliveryMode" : "poll", + "cibaExpiresIn" : "120", + "cibaAuthRequestedUserHint" : "login_hint", + "oauth2DeviceCodeLifespan" : "600", + "clientOfflineSessionMaxLifespan" : "0", + "oauth2DevicePollingInterval" : "5", + "clientSessionIdleTimeout" : "0", + "parRequestUriLifespan" : "60", + "clientSessionMaxLifespan" : "0", + "clientOfflineSessionIdleTimeout" : "0", + "cibaInterval" : "5", + "realmReusableOtpCode" : "false" + }, + "keycloakVersion" : "24.0.1", + "userManagedAccessAllowed" : false, + "clientProfiles" : { + "profiles" : [ ] + 
}, + "clientPolicies" : { + "policies" : [ ] + } +} diff --git a/mii-process-feasibility-docker-test-setup/dic-3-store-proxy/nginx.conf b/mii-process-feasibility-docker-test-setup/dic-3/proxy/nginx.conf similarity index 63% rename from mii-process-feasibility-docker-test-setup/dic-3-store-proxy/nginx.conf rename to mii-process-feasibility-docker-test-setup/dic-3/proxy/nginx.conf index 504f9ca..dbf6bff 100644 --- a/mii-process-feasibility-docker-test-setup/dic-3-store-proxy/nginx.conf +++ b/mii-process-feasibility-docker-test-setup/dic-3/proxy/nginx.conf @@ -27,18 +27,35 @@ http { ssl_prefer_server_ciphers off; add_header Strict-Transport-Security "max-age=63072000" always; + # DNS resolver needed for Docker + resolver 127.0.0.11 valid=10s; + server { listen 443 ssl; listen [::]:443 ssl; http2 on; + server_name dic-3-store-proxy; location / { - auth_basic "dic_3_store_auth"; - auth_basic_user_file /run/secrets/dic_3_store_proxy.htpasswd; + set $store_upstream dic-3-store:8080; + proxy_pass http://$store_upstream; - proxy_set_header X-ClientCert $ssl_client_escaped_cert; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 43200s; + } + } - proxy_pass http://172.10.0.117:8080; + server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + server_name dic-3-keycloak-proxy; + + location / { + set $keycloak_upstream dic-3-keycloak:8080; + proxy_pass http://$keycloak_upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; diff --git a/mii-process-feasibility-docker-test-setup/dic-4/bpe/plugin/README.md b/mii-process-feasibility-docker-test-setup/dic-4/bpe/plugin/README.md deleted file mode 100644 index 777e443..0000000 --- a/mii-process-feasibility-docker-test-setup/dic-4/bpe/plugin/README.md +++ /dev/null @@ -1 +0,0 @@ -Empty folder for plugin jars \ No newline at end of file 
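Review bot: The `dic-3-keycloak-proxy` server block forwards to a Keycloak configured with `KC_PROXY_HEADERS: xforwarded`, yet none of the lines visible in this hunk set an `X-Forwarded-*` header for it, and the lines that close the location are outside the hunk. If those lines do not set them either, `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` belong beside the `Upgrade` header so Keycloak sees the original scheme and client address (the fixed `KC_HOSTNAME` covers the issuer URL, but not per-client data such as event logging and lockout counters). A second, smaller point: with two `server` blocks on one listener, nginx routes any Host/SNI that matches neither `server_name` to the first block, i.e. to the store; a comment such as `# first server block is nginx's implicit default for unmatched Host values` or an explicit catch-all `default_server` that returns 444 would make that choice deliberate. Both location blocks continue outside the hunk.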
diff --git a/mii-process-feasibility-docker-test-setup/docker-compose.yml b/mii-process-feasibility-docker-test-setup/docker-compose.yml index 88f35a7..297f11e 100755 --- a/mii-process-feasibility-docker-test-setup/docker-compose.yml +++ b/mii-process-feasibility-docker-test-setup/docker-compose.yml @@ -1,9 +1,8 @@ -version: '3.8' services: # ---- Static cURL binary for health check in HAPI container hapi-curl-download: - image: alpine:3.18 + image: alpine:3.20 command: > sh -c "wget https://github.com/moparisthebest/static-curl/releases/download/v8.1.2/curl-amd64 -O /opt/bin/curl && chmod +x /opt/bin/curl" @@ -38,15 +37,10 @@ services: read_only: true networks: zars-fhir-frontend: - ipv4_address: 172.10.0.66 dic-1-fhir-frontend: - ipv4_address: 172.10.0.82 dic-2-fhir-frontend: - ipv4_address: 172.10.0.98 dic-3-fhir-frontend: - ipv4_address: 172.10.0.114 dic-4-fhir-frontend: - ipv4_address: 172.10.0.130 internet: aliases: - zars @@ -94,7 +88,7 @@ services: # ---- ZARS - FHIR Inbox ---------------------------------------------------- zars-fhir-app: - image: ghcr.io/datasharingframework/fhir:1.3.1 + image: ghcr.io/datasharingframework/fhir:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -151,7 +145,6 @@ services: - http://dsf.dev/fhir/CodeSystem/practitioner-role|DSF_ADMIN networks: zars-fhir-frontend: - ipv4_address: 172.10.0.69 zars-fhir-backend: internet: depends_on: @@ -163,7 +156,7 @@ services: # ---- ZARS - BPE ----------------------------------------------------------- zars-bpe-app: - image: ghcr.io/datasharingframework/bpe:1.3.1 + image: ghcr.io/datasharingframework/bpe:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] 
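Review bot: The `hapi-curl-download` service still pulls its curl binary with a bare `wget` from a GitHub release and never checks a hash, so the `alpine:3.20` bump leaves the one unverified artifact in this file unverified (the `wget` line is context, not changed by the commit). A `sha256sum -c` against a pinned digest after the download, or at least a comment `# TODO(review): verify the curl-amd64 download against a pinned sha256`, would close that gap. The same applies to the image bumps in this and the later docker-compose hunks: tags such as `ghcr.io/datasharingframework/fhir:1.5.2` are mutable, and `image@sha256:<digest>` pinning would make the test setup reproducible. The `hapi-curl-download` command continues outside the hunk.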
@@ -209,6 +202,7 @@ services: DEV_DSF_BPE_DB_USER_CAMUNDA_GROUP: zars_camunda_users DEV_DSF_BPE_DB_USER_CAMUNDA_USERNAME: zars_camunda_server_user DEV_DSF_BPE_FHIR_SERVER_BASE_URL: https://zars/fhir + DEV_DSF_BPE_PROCESS_EXCLUDED: medizininformatik-initiativede_feasibilityExecute|0.0 networks: zars-bpe-frontend: zars-bpe-backend: @@ -223,7 +217,7 @@ services: # ---- DIC-1 - FHIR --------------------------------------------------------- dic-1-fhir-app: - image: ghcr.io/datasharingframework/fhir:1.3.1 + image: ghcr.io/datasharingframework/fhir:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -277,7 +271,6 @@ services: - PERMANENT_DELETE networks: dic-1-fhir-frontend: - ipv4_address: 172.10.0.83 dic-1-fhir-backend: internet: depends_on: @@ -289,7 +282,7 @@ services: # ---- DIC-1 - BPE ---------------------------------------------------------- dic-1-bpe-app: - image: ghcr.io/datasharingframework/bpe:1.3.1 + image: ghcr.io/datasharingframework/bpe:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -305,10 +298,6 @@ services: - app_dic_1_client_certificate_private_key.pem - app_client_certificate_private_key.pem.password volumes: - - type: bind - source: ./dic-1/bpe/plugin - target: /opt/bpe/plugin - read_only: true - type: bind source: ./dic-1/bpe/process target: /opt/bpe/process @@ -335,6 +324,7 @@ services: DEV_DSF_BPE_DB_USER_CAMUNDA_GROUP: dic_1_camunda_users DEV_DSF_BPE_DB_USER_CAMUNDA_USERNAME: dic_1_camunda_server_user DEV_DSF_BPE_FHIR_SERVER_BASE_URL: https://dic-1/fhir + DEV_DSF_BPE_PROCESS_EXCLUDED: medizininformatik-initiativede_feasibilityRequest|0.0 DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_FLARE_BASE_URL: http://dic-1-store:8080/ DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_FLARE_TIMEOUT_CONNECT: 2000 DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_EVALUATION_STRATEGY: structured-query 
@@ -419,7 +409,7 @@ services: # ---- DIC-2 - FHIR --------------------------------------------------------- dic-2-fhir-app: - image: ghcr.io/datasharingframework/fhir:1.3.1 + image: ghcr.io/datasharingframework/fhir:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -473,7 +463,6 @@ services: - PERMANENT_DELETE networks: dic-2-fhir-frontend: - ipv4_address: 172.10.0.99 dic-2-fhir-backend: internet: depends_on: @@ -485,7 +474,7 @@ services: # ---- DIC-2 - BPE ---------------------------------------------------------- dic-2-bpe-app: - image: ghcr.io/datasharingframework/bpe:1.3.1 + image: ghcr.io/datasharingframework/bpe:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -501,10 +490,6 @@ services: - app_dic_2_client_certificate_private_key.pem - app_client_certificate_private_key.pem.password volumes: - - type: bind - source: ./dic-2/bpe/plugin - target: /opt/bpe/plugin - read_only: true - type: bind source: ./dic-2/bpe/process target: /opt/bpe/process @@ -531,6 +516,7 @@ services: DEV_DSF_BPE_DB_USER_CAMUNDA_GROUP: dic_2_camunda_users DEV_DSF_BPE_DB_USER_CAMUNDA_USERNAME: dic_2_camunda_server_user DEV_DSF_BPE_FHIR_SERVER_BASE_URL: https://dic-2/fhir + DEV_DSF_BPE_PROCESS_EXCLUDED: medizininformatik-initiativede_feasibilityRequest|0.0 DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_BASE_URL: http://dic-2-store:8080/fhir DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_EVALUATION_STRATEGY: cql DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_EVALUATION_OBFUSCATE: "true" @@ -574,7 +560,7 @@ services: # ---- DIC-3 - FHIR --------------------------------------------------------- dic-3-fhir-app: - image: ghcr.io/datasharingframework/fhir:1.3.1 + image: ghcr.io/datasharingframework/fhir:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] 
@@ -628,7 +614,6 @@ services: - PERMANENT_DELETE networks: dic-3-fhir-frontend: - ipv4_address: 172.10.0.115 dic-3-fhir-backend: internet: depends_on: @@ -637,7 +622,7 @@ services: # ---- DIC-3 - BPE ---------------------------------------------------------- dic-3-bpe-app: - image: ghcr.io/datasharingframework/bpe:1.3.1 + image: ghcr.io/datasharingframework/bpe:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -654,10 +639,6 @@ services: - app_dic_3_client_certificate_private_key.pem - app_client_certificate_private_key.pem.password volumes: - - type: bind - source: ./dic-3/bpe/plugin - target: /opt/bpe/plugin - read_only: true - type: bind source: ./dic-3/bpe/process target: /opt/bpe/process @@ -668,7 +649,10 @@ services: - type: bind source: ./dic-3/bpe/cache target: /opt/bpe/cache + ports: + - 5005:5005 environment: + EXTRA_JVM_ARGS: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 TZ: Europe/Berlin DEV_DSF_SERVER_AUTH_TRUST_CLIENT_CERTIFICATE_CAS: /run/secrets/app_client_trust_certificates.pem DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD_FILE: /run/secrets/db_liquibase.password 
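Review bot: The added `5005:5005` mapping publishes the JDWP agent enabled by `EXTRA_JVM_ARGS` on all host interfaces, and JDWP has no authentication, so anyone who can reach the host on port 5005 gets code execution inside `dic-3-bpe-app`. Binding the mapping to loopback, `- "127.0.0.1:5005:5005"`, keeps the debugger usable from the developer machine without exposing it to the host's network. A short comment above `ports:`, such as `# remote-debug port for the dic-3 BPE; loopback only, never expose on shared hosts`, would record that this is a development aid rather than part of the setup. The `environment` map of `dic-3-bpe-app` continues outside the hunk.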
@@ -684,10 +668,12 @@ services: DEV_DSF_BPE_DB_USER_CAMUNDA_GROUP: dic_3_camunda_users DEV_DSF_BPE_DB_USER_CAMUNDA_USERNAME: dic_3_camunda_server_user DEV_DSF_BPE_FHIR_SERVER_BASE_URL: https://dic-3/fhir + DEV_DSF_BPE_PROCESS_EXCLUDED: medizininformatik-initiativede_feasibilityRequest|0.0 DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_TRUST_STORE_PATH: /run/secrets/dic_3_store_proxy_self_signed_ca.p12 DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_TRUST_STORE_PASSWORD: "testpw" - DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_AUTH_BASIC_USERNAME: test - DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_AUTH_BASIC_PASSWORD: PF4Q4pEpXFkYToPSDre5tFr9P9MkqeDc + DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_AUTH_OAUTH_ISSUER_URL: "https://dic-3-keycloak-proxy/realms/test" + DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_AUTH_OAUTH_CLIENT_ID: "account" + DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_AUTH_OAUTH_CLIENT_PASSWORD: "test" DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_BASE_URL: https://dic-3-store-proxy/fhir DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_EVALUATION_STRATEGY: cql DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_EVALUATION_OBFUSCATE: "false" 
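Review bot: `DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_AUTH_OAUTH_CLIENT_PASSWORD: "test"` puts the OAuth client secret into the compose file as a plain environment variable, while the other credentials of this service are handed in as files under `/run/secrets` (see `DEV_DSF_BPE_DB_LIQUIBASE_PASSWORD_FILE` in the previous hunk). If the process offers a `_FILE` variant of this setting, the secret should go through the compose `secrets:` mechanism like the trust store does; otherwise a comment `# test-only secret, must match the client secret in dic-3/keycloak/realm-test.json` should mark it as fixture data. The client id `account` is Keycloak's built-in account-console client, so the client-credentials flow presumably depends on the realm import enabling service accounts on it — confirm, and name that dependency in a comment so the next reader does not have to search the 2000-line realm export. The `environment` map continues outside the hunk.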
@@ -702,12 +688,35 @@ services: dic-3-fhir-app: condition: service_healthy restart: true - dedicated-dic-3-store-proxy: + dic-3-store-proxy: + condition: service_healthy + dic-3-keycloak: condition: service_healthy # ---- DIC-3 - DEDICATED PROXY WITH SELF SIGNED CERT ------------------------ - dedicated-dic-3-store-proxy: - image: nginx:1.25.1 + dic-3-keycloak: + image: "keycloak/keycloak:25.0.1" + command: ["start", "--import-realm"] + healthcheck: + test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/9000;echo -e \"GET /health/ready HTTP/1.1\r\nhost: localhost\r\nConnection: close\r\n\r\n\" >&3;grep \"HTTP/1.1 200 OK\" <&3"] + interval: "5s" + timeout: "5s" + retries: 3 + start_period: "30s" + networks: + dic-3-keycloak: + environment: + KC_HOSTNAME: "https://dic-3-keycloak-proxy" + KC_HOSTNAME_ADMIN: "https://dic-3-keycloak-proxy" + KC_HTTP_RELATIVE_PATH: "/" + KC_PROXY_HEADERS: "xforwarded" + KC_HTTP_ENABLED: "true" + KC_HEALTH_ENABLED: "true" + KC_LOG_LEVEL: "info" + volumes: + - "./dic-3/keycloak/realm-test.json:/opt/keycloak/data/import/realm-test.json" + dic-3-store-proxy: + image: nginx:1.27.1 restart: on-failure healthcheck: test: ["CMD-SHELL", "curl -ks https://localhost || exit 1"] @@ -722,16 +731,17 @@ services: - dic_3_store_proxy.htpasswd volumes: - type: bind - source: ./dic-3-store-proxy/nginx.conf + source: ./dic-3/proxy/nginx.conf target: /etc/nginx/nginx.conf read_only: true networks: dic-3-fhir-frontend: - ipv4_address: 172.10.0.116 dic-3-bpe-backend: + dic-3-keycloak: internet: aliases: - dic-3-store-proxy + - dic-3-keycloak-proxy environment: TZ: Europe/Berlin depends_on: 
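Review bot: The `dic-3-store-proxy` service still lists `dic_3_store_proxy.htpasswd` under `secrets:` (context line at the top of the second hunk) although the rewritten `dic-3/proxy/nginx.conf` no longer has an `auth_basic_user_file` directive, so the htpasswd is mounted into the container for no reason and should be dropped from this service and, if nothing else references it, from the top-level `secrets:` block. The new `dic-3-keycloak` service also differs from its neighbours in two small ways: it has no `restart: on-failure`, and its realm bind mount `./dic-3/keycloak/realm-test.json:/opt/keycloak/data/import/realm-test.json` is writable where every other bind in this file uses `read_only: true` — appending `:ro` keeps the import file immutable from inside the container. The `depends_on` map of `dic-3-store-proxy` continues outside the hunk.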
@@ -739,22 +749,27 @@ services: # ---- DIC-3 - FHIR Data Store ---------------------------------------------- dic-3-store: - image: samply/blaze:0.24 + image: samply/blaze:0.30.0 restart: on-failure healthcheck: test: [ "CMD", "curl", "http://localhost:8080/health" ] interval: 10s timeout: 15s retries: 5 + secrets: + - dic_3_store_proxy_self_signed_ca.p12 ports: - "8072:8080" environment: - BASE_URL: http://localhost:8072 + BASE_URL: https://dic-3-store-proxy LOG_LEVEL: debug + OPENID_PROVIDER_URL: "https://dic-3-keycloak-proxy/realms/test" + OPENID_CLIENT_TRUST_STORE: "/run/secrets/dic_3_store_proxy_self_signed_ca.p12" + OPENID_CLIENT_TRUST_STORE_PASS: "testpw" networks: dic-3-fhir-frontend: - ipv4_address: 172.10.0.117 dic-3-bpe-backend: + internet: volumes: - type: volume source: dic-3-store-data @@ -762,7 +777,7 @@ services: # ---- DIC-4 - FHIR --------------------------------------------------------- dic-4-fhir-app: - image: ghcr.io/datasharingframework/fhir:1.3.1 + image: ghcr.io/datasharingframework/fhir:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -816,7 +831,6 @@ services: - PERMANENT_DELETE networks: dic-4-fhir-frontend: - ipv4_address: 172.10.0.131 dic-4-fhir-backend: internet: depends_on: @@ -825,7 +839,7 @@ services: # ---- DIC-4 - BPE ---------------------------------------------------------- dic-4-bpe-app: - image: ghcr.io/datasharingframework/bpe:1.3.1 + image: ghcr.io/datasharingframework/bpe:1.5.2 restart: on-failure healthcheck: test: [ "CMD-SHELL", "./healthcheck.sh" ] @@ -841,10 +855,6 @@ services: - app_dic_4_client_certificate_private_key.pem - app_client_certificate_private_key.pem.password volumes: - - type: bind - source: ./dic-4/bpe/plugin - target: /opt/bpe/plugin - read_only: true - type: bind source: ./dic-4/bpe/process target: /opt/bpe/process 
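Review bot: `dic-3-store` now joins the `internet` network in addition to publishing `8072:8080` on the host, so every container on `internet` and every process on the host can reach Blaze over plain HTTP without passing the TLS proxy; the new `OPENID_PROVIDER_URL` presumably makes Blaze reject unauthenticated calls itself, but traffic on those paths is unencrypted, and `BASE_URL: https://dic-3-store-proxy` will produce links that do not match how such a client connected. If the `internet` membership exists only so Blaze can resolve `dic-3-keycloak-proxy` for OIDC discovery, a comment `# on "internet" only to reach dic-3-keycloak-proxy for OIDC discovery` would record that, and the host publication could be restricted to loopback with `"127.0.0.1:8072:8080"`. `OPENID_CLIENT_TRUST_STORE_PASS: "testpw"` repeats the literal already used for the BPE trust store two hunks up; a YAML anchor or a comment tying the two together keeps them from drifting apart. The `volumes` list of `dic-3-store` continues outside the hunk.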
@@ -871,6 +881,7 @@ services: DEV_DSF_BPE_DB_USER_CAMUNDA_GROUP: dic_4_camunda_users DEV_DSF_BPE_DB_USER_CAMUNDA_USERNAME: dic_4_camunda_server_user DEV_DSF_BPE_FHIR_SERVER_BASE_URL: https://dic-4/fhir + DEV_DSF_BPE_PROCESS_EXCLUDED: medizininformatik-initiativede_feasibilityRequest|0.0 DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_CLIENT_STORE_BASE_URL: http://dic-4-store:8080/fhir DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_EVALUATION_STRATEGY: cql DE_MEDIZININFORMATIK_INITIATIVE_FEASIBILITY_DSF_PROCESS_EVALUATION_OBFUSCATE: "false" 
@@ -1045,67 +1056,148 @@ secrets: networks: internet: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.0/26 zars-fhir-frontend: driver: bridge ipam: driver: default config: - - subnet: 172.10.0.64/28 + - subnet: 172.10.0.64/29 zars-fhir-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.72/29 zars-bpe-frontend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.80/29 zars-bpe-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.88/29 dic-1-fhir-frontend: driver: bridge ipam: driver: default config: - - subnet: 172.10.0.80/28 + - subnet: 172.10.0.96/29 dic-1-fhir-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.104/29 dic-1-bpe-frontend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.112/29 dic-1-bpe-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.120/29 dic-2-fhir-frontend: driver: bridge ipam: driver: default config: - - subnet: 172.10.0.96/28 + - subnet: 172.10.0.128/29 dic-2-fhir-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.136/29 dic-2-bpe-frontend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.144/29 dic-2-bpe-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.152/29 dic-3-fhir-frontend: driver: bridge ipam: driver: default config: - - subnet: 172.10.0.112/28 + - subnet: 172.10.0.160/29 dic-3-fhir-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.168/29 dic-3-bpe-frontend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.176/29 dic-3-bpe-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.184/29 + dic-3-keycloak: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.192/29 dic-4-fhir-frontend: driver: bridge ipam: driver: default config: - - subnet: 
172.10.0.128/28 + - subnet: 172.10.0.200/29 dic-4-fhir-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.208/29 dic-4-bpe-frontend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.216/29 dic-4-bpe-backend: + driver: bridge + ipam: + driver: default + config: + - subnet: 172.10.0.224/29 volumes: hapi-curl-binary: - name: "hapi-curl-binary" dic-1-store-data: - name: "dic-1-store-data" dic-2-store-data: - name: "dic-2-store-data" dic-3-store-data: - name: "dic-3-store-data" dic-4-store-data: - name: "dic-4-store-data" db-data: name: "db-data-mii-dsf-process-feasibility" diff --git a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-1.conf b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-1.conf index 73455b9..95e8c59 100644 --- a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-1.conf +++ b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-1.conf @@ -1,16 +1,21 @@ server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name dic-1; + # DNS resolver needed for Docker + resolver 127.0.0.11 valid=10s; + location / { proxy_set_header X-ClientCert $ssl_client_escaped_cert; - proxy_pass http://172.10.0.83:8080; + set $upstream dic-1-fhir-app:8080; + proxy_pass http://$upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_read_timeout 43200s; + proxy_read_timeout 43200s; } } diff --git a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-2.conf b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-2.conf index 8ed5082..7cd91c6 100644 --- a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-2.conf +++ b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-2.conf 
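Review bot: The subnets assigned here (`172.10.0.0/26` through `172.10.0.224/29`) lie in 172.10.0.0/16, which is public address space and not part of RFC 1918 (172.16.0.0/12); Docker installs host routes for each of them, so any real host in that prefix becomes unreachable from the Docker host while the stack runs. Since every network now gets an explicit subnet from this block, this is the moment to move the scheme into 172.16–172.31 or 10.x, or to leave a comment `# NOTE(review): 172.10.0.0/16 is not RFC 1918 space — confirm this is intended` if the choice is deliberate. Each `/29` also leaves five container addresses once the gateway is taken, which is worth stating next to the first one so the next added service does not exhaust a network silently. The `secrets:` block named in the hunk header is outside it.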
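Review bot: `resolver 127.0.0.11 valid=10s;` is now repeated verbatim inside the `server` block of `dic-1.conf`, and the same line appears in the `dic-2.conf`, `dic-3.conf`, `dic-4.conf` and `zars.conf` hunks that follow; since these files are included by one proxy, the directive belongs once in the shared `http` context (where the dic-3 store proxy's `nginx.conf` already puts it), assuming the including file is under the project's control. The `proxy_read_timeout 43200s;` replacement in each of these hunks changes only leading whitespace and so adds diff noise without effect. The comment `# DNS resolver needed for Docker` could state the actual reason, `# Docker's embedded DNS; needed so the $upstream variable is re-resolved when the upstream container's IP changes`. Each of these hunks covers the whole server block.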
@@ -1,16 +1,21 @@ server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name dic-2; + # DNS resolver needed for Docker + resolver 127.0.0.11 valid=10s; + location / { proxy_set_header X-ClientCert $ssl_client_escaped_cert; - proxy_pass http://172.10.0.99:8080; + set $upstream dic-2-fhir-app:8080; + proxy_pass http://$upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_read_timeout 43200s; + proxy_read_timeout 43200s; } } diff --git a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-3.conf b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-3.conf index 1e14375..fa50353 100644 --- a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-3.conf +++ b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-3.conf @@ -1,16 +1,21 @@ server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name dic-3; + # DNS resolver needed for Docker + resolver 127.0.0.11 valid=10s; + location / { proxy_set_header X-ClientCert $ssl_client_escaped_cert; - proxy_pass http://172.10.0.115:8080; + set $upstream dic-3-fhir-app:8080; + proxy_pass http://$upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_read_timeout 43200s; + proxy_read_timeout 43200s; } } diff --git a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-4.conf b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-4.conf index 5656ded..5a9b3ff 100644 --- a/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-4.conf +++ b/mii-process-feasibility-docker-test-setup/proxy/conf.d/dic-4.conf 
@@ -1,16 +1,21 @@ server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name dic-4; + # DNS resolver needed for Docker + resolver 127.0.0.11 valid=10s; + location / { proxy_set_header X-ClientCert $ssl_client_escaped_cert; - proxy_pass http://172.10.0.131:8080; + set $upstream dic-4-fhir-app:8080; + proxy_pass http://$upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_read_timeout 43200s; + proxy_read_timeout 43200s; } } diff --git a/mii-process-feasibility-docker-test-setup/proxy/conf.d/zars.conf b/mii-process-feasibility-docker-test-setup/proxy/conf.d/zars.conf index 48db0b6..2de7f61 100644 --- a/mii-process-feasibility-docker-test-setup/proxy/conf.d/zars.conf +++ b/mii-process-feasibility-docker-test-setup/proxy/conf.d/zars.conf @@ -1,16 +1,21 @@ server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; server_name zars; + # DNS resolver needed for Docker + resolver 127.0.0.11 valid=10s; + location / { proxy_set_header X-ClientCert $ssl_client_escaped_cert; - proxy_pass http://172.10.0.69:8080; + set $upstream zars-fhir-app:8080; + proxy_pass http://$upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_read_timeout 43200s; + proxy_read_timeout 43200s; } } diff --git a/mii-process-feasibility-docker-test-setup/rebuild.sh b/mii-process-feasibility-docker-test-setup/rebuild.sh index 562382e..1668282 100755 --- a/mii-process-feasibility-docker-test-setup/rebuild.sh +++ b/mii-process-feasibility-docker-test-setup/rebuild.sh 
@@ -3,8 +3,8 @@ set -e BASE_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" -mvn -f ../mii-process-feasibility/pom.xml clean package -mvn -f ../mii-process-feasibility-tools/mii-process-feasibility-test-data-generator/pom.xml clean package +mvn -f "${BASE_DIR}/../mii-process-feasibility/pom.xml" clean package +mvn -f "${BASE_DIR}/../mii-process-feasibility-tools/mii-process-feasibility-test-data-generator/pom.xml" clean package # Create a self signed CA openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 -keyout ${BASE_DIR}/secrets/dic_3_store_proxy_self_signed_ca_key.pem \ @@ -29,12 +29,15 @@ keytool -importcert -file ${BASE_DIR}/secrets/dic_3_store_proxy_self_signed_ca.p # Issue certificate using said self signed CA openssl req -nodes -sha256 -new -newkey rsa:2048 -keyout ${BASE_DIR}/secrets/dic_3_store_proxy_cert_key.pem \ -out ${BASE_DIR}/secrets/dic_3_store_proxy_cert_csr.pem \ - -subj "/C=DE/ST=Berlin/L=Berlin/O=Bar/CN=dic-3-store-proxy" + -subj "/C=DE/ST=Berlin/L=Berlin/O=Bar/CN=dic-3-store-proxy" \ + -addext "basicConstraints=CA:false" \ + -addext "subjectAltName = DNS:dic-3-store-proxy, DNS:dic-3-keycloak-proxy" openssl x509 -req -days 365 -sha256 -in ${BASE_DIR}/secrets/dic_3_store_proxy_cert_csr.pem \ -CA ${BASE_DIR}/secrets/dic_3_store_proxy_self_signed_ca.pem \ -CAkey ${BASE_DIR}/secrets/dic_3_store_proxy_self_signed_ca_key.pem \ -CAcreateserial \ + -copy_extensions=copyall \ -out ${BASE_DIR}/secrets/dic_3_store_proxy_cert.pem rm -f ${BASE_DIR}/secrets/dic_3_store_proxy_self_signed_ca.srl diff --git a/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptor.java b/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptor.java index 5f354f8..4daa78d 100644 --- a/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptor.java 
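Review bot: `-copy_extensions=copyall` on `openssl x509 -req` exists only in OpenSSL 3.0 and later, so on a host with 1.1.1 the signing step fails after the CSR has already been written; a version guard or a comment `# requires OpenSSL >= 3.0 for -copy_extensions` next to the call would save the next person the debugging. The new lines also keep the unquoted `${BASE_DIR}` that the `mvn` lines in the first hunk were just fixed to quote, so a checkout path containing spaces now breaks in the openssl calls instead of in Maven. With `basicConstraints=CA:false` already added, `-addext "extendedKeyUsage = serverAuth"` would complete the leaf-certificate profile. The CA key is still generated with `-nodes` (context above the hunk), which is acceptable for a throwaway test CA but deserves a one-line comment saying so.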
+++ b/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptor.java @@ -16,6 +16,7 @@ import com.nimbusds.oauth2.sdk.id.ClientID; import com.nimbusds.oauth2.sdk.id.Issuer; import com.nimbusds.oauth2.sdk.token.AccessToken; +import com.nimbusds.oauth2.sdk.util.tls.TLSUtils; import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; import org.joda.time.DateTime; @@ -24,6 +25,11 @@ import java.net.Proxy; import java.net.Proxy.Type; import java.net.URI; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; import java.util.Base64; import java.util.Optional; @@ -38,11 +44,13 @@ final class OAuthInterceptor implements IClientInterceptor { private Optional proxyAuthHeader; private Issuer issuer; private ClientSecretBasic clientAuth; + private KeyStore trustStore; public OAuthInterceptor(String oauthClientId, String oauthClientSecret, String oauthIssuerUrl, - Optional proxyHost, Optional proxyPort, Optional proxyUsername, - Optional proxyPassword) { + KeyStore trustStore, Optional proxyHost, Optional proxyPort, + Optional proxyUsername, Optional proxyPassword) { super(); + this.trustStore = trustStore; clientAuth = new ClientSecretBasic(new ClientID(oauthClientId), new Secret(oauthClientSecret)); issuer = new Issuer(oauthIssuerUrl); proxy = proxyHost.map( 
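Review bot: The new `trustStore` constructor parameter has no documentation, and nothing in the hunk says what happens when it is null; Nimbus' `TLSUtils.createSSLSocketFactory` is presumably what consumes it, so the null behaviour depends on that library (it may fall back to the JVM default trust store — confirm). A Javadoc line, `@param trustStore trust anchors for the TLS connections to the issuer's discovery and token endpoints`, plus either `Objects.requireNonNull(trustStore, "trustStore")` or an explicit statement that null means JVM default trust, would pin the contract for callers. The constructor body continues outside the hunk.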
@@ -71,24 +79,34 @@ public String getToken() { token = successResponse.getTokens().getAccessToken(); tokenExpiry = DateTime.now().plus(token.getLifetime() * 1000); - } catch (GeneralException | IOException e) { - throw new OAuth2ClientException("OAuth2 access token tokenRequest failed", e); + } catch (Exception e) { + throw new OAuth2ClientException("Requesting OAuth2 access token failed: " + e.getMessage(), e); } } return token.getValue(); } - private HTTPRequest getTokenRequest() throws GeneralException, IOException { + private HTTPRequest getTokenRequest() throws GeneralException, IOException, KeyManagementException, + UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { if (tokenRequest == null) { HTTPRequest request = new TokenRequest(getTokenUri(), clientAuth, new ClientCredentialsGrant()) .toHTTPRequest(); - tokenRequest = setProxy(request); + tokenRequest = setProxy(setSSLSocketFactory(request)); } return tokenRequest; } private URI getTokenUri() throws GeneralException, IOException { - return OIDCProviderMetadata.resolve(issuer, r -> { setProxy(r); }).getTokenEndpointURI(); + return OIDCProviderMetadata.resolve(issuer, r -> setProxy(setSSLSocketFactory(r))).getTokenEndpointURI(); + } + + private HTTPRequest setSSLSocketFactory(HTTPRequest request) { + try { + request.setSSLSocketFactory(TLSUtils.createSSLSocketFactory(trustStore)); + } catch (KeyManagementException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) { + throw new IllegalArgumentException("Could not configure TLS with given trust store.", e); + } + return request; } private HTTPRequest setProxy(HTTPRequest request) { diff --git a/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientSpringConfig.java b/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientSpringConfig.java index b6a0240..541f991 100644 
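Review bot: `getTokenRequest` now declares `KeyManagementException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException`, but the only code that could throw them, `setSSLSocketFactory`, catches all four and rethrows `IllegalArgumentException`, so the added `throws` clause is dead and the method can keep its previous signature, `private HTTPRequest getTokenRequest() throws GeneralException, IOException {`. The widened `catch (Exception e)` in `getToken` does cover that `IllegalArgumentException`, but it also turns any unrelated `RuntimeException` (an NPE from a response without a token, say) into an `OAuth2ClientException`; `catch (GeneralException | IOException | IllegalArgumentException e)` keeps misconfiguration and transport failures distinguishable from bugs. Appending `e.getMessage()` to the new message duplicates text the wrapped cause already carries; if the goal is a readable log line, the logging site is the usual place to format it. The `getToken` body begins outside the hunk.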
--- a/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientSpringConfig.java +++ b/mii-process-feasibility/src/main/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientSpringConfig.java @@ -16,6 +16,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Import; +import java.security.KeyStore; import java.util.Optional; import javax.net.ssl.SSLContext; @@ -87,7 +88,8 @@ public class StoreClientSpringConfig { @Bean @Qualifier("store-client") IGenericClient client(@Qualifier("store-client") FhirContext fhirContext, - @Qualifier("store-client") RestfulClientFactory clientFactory) { + @Qualifier("store-client") RestfulClientFactory clientFactory, + @Qualifier("base-client-trust") KeyStore trustStore) { logger.info("Setting up store client for direct access using {}.", EvaluationStrategy.CQL); @@ -122,7 +124,7 @@ IGenericClient client(@Qualifier("store-client") FhirContext fhirContext, Optional.ofNullable(oauthProxyPassword).map(p -> "'***'").orElse("none")); } client.registerInterceptor(new OAuthInterceptor(oauthClientId, oauthClientSecret, oauthIssuerUrl, - Optional.ofNullable(oauthProxyHost), Optional.ofNullable(oauthProxyPort), + trustStore, Optional.ofNullable(oauthProxyHost), Optional.ofNullable(oauthProxyPort), Optional.ofNullable(oauthProxyUsername), Optional.ofNullable(oauthProxyPassword))); } diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplBaseIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplBaseIT.java index 2246277..740b1d6 100644 --- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplBaseIT.java 
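Review bot: The `client` bean now wires `@Qualifier("base-client-trust") KeyStore trustStore` into `OAuthInterceptor`, which means the issuer's discovery and token endpoints are verified against that store rather than the JVM defaults, but nothing on the bean or in the `logger.info` lines records this. A one-line comment above the `registerInterceptor` call, `// the OAuth issuer's certificate chain must be trusted by the base-client-trust store, not by the JVM cacerts`, and an entry in the existing info log naming the store (not its contents) would make TLS failures against a self-signed test issuer diagnosable. The bean method continues outside the hunk.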
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplBaseIT.java @@ -12,13 +12,13 @@ public abstract class FlareWebserviceClientImplBaseIT { protected static final Network DEFAULT_CONTAINER_NETWORK = Network.newNetwork(); - public static GenericContainer fhirServer = new GenericContainer<>(DockerImageName.parse("samply/blaze:0.24")) + public static GenericContainer fhirServer = new GenericContainer<>(DockerImageName.parse("samply/blaze:0.30")) .withExposedPorts(8080) .withNetwork(DEFAULT_CONTAINER_NETWORK) .withNetworkAliases("fhir-server") .withEnv("LOG_LEVEL", "debug"); - public static GenericContainer flare = new GenericContainer<>(DockerImageName.parse("ghcr.io/medizininformatik-initiative/flare:2.1.0")) + public static GenericContainer flare = new GenericContainer<>(DockerImageName.parse("ghcr.io/medizininformatik-initiative/flare:2.3.0")) .withExposedPorts(8080) .withNetwork(DEFAULT_CONTAINER_NETWORK) .withNetworkAliases("flare") diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthIT.java index 61865c9..9fe86f4 100644 --- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthIT.java +++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthIT.java 
@@ -31,7 +31,7 @@ public class FlareWebserviceClientImplFwdProxyBasicAuthIT extends FlareWebservic
 @Container
 public static GenericContainer forwardProxy = new GenericContainer<>(
- DockerImageName.parse("ubuntu/squid:6.1-23.10_edge"))
+ DockerImageName.parse("ubuntu/squid:6.6-24.04_edge"))
 .withExposedPorts(8080)
 .withFileSystemBind(squidProxyConf.getPath(), "/etc/squid/squid.conf", READ_ONLY)
 .withFileSystemBind(passwordFile.getPath(), "/etc/squid/passwd", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyBearerTokenAuthIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyBearerTokenAuthIT.java
index fb66554..432288e 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyBearerTokenAuthIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyBearerTokenAuthIT.java
@@ -35,7 +35,7 @@ public class FlareWebserviceClientImplFwdProxyBasicAuthRevProxyBearerTokenAuthIT
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8080)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
@@ -47,7 +47,7 @@ public class FlareWebserviceClientImplFwdProxyBasicAuthRevProxyBearerTokenAuthIT
 .dependsOn(flare);
 @Container
 public static GenericContainer forwardProxy = new GenericContainer<>(
- DockerImageName.parse("ubuntu/squid:6.1-23.10_edge"))
+ DockerImageName.parse("ubuntu/squid:6.6-24.04_edge"))
 .withExposedPorts(8080)
 .withFileSystemBind(squidProxyConf.getPath(), "/etc/squid/squid.conf", READ_ONLY)
 .withFileSystemBind(forwardProxyPasswordFile.getPath(), "/etc/squid/passwd", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyTlsIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyTlsIT.java
index 08950ef..848446c 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyTlsIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyBasicAuthRevProxyTlsIT.java
@@ -37,7 +37,7 @@ public class FlareWebserviceClientImplFwdProxyBasicAuthRevProxyTlsIT extends Fla
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8443)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
@@ -52,7 +52,7 @@ public class FlareWebserviceClientImplFwdProxyBasicAuthRevProxyTlsIT extends Fla
 @Container
 public static GenericContainer forwardProxy = new GenericContainer<>(
- DockerImageName.parse("ubuntu/squid:6.1-23.10_edge"))
+ DockerImageName.parse("ubuntu/squid:6.6-24.04_edge"))
 .withExposedPorts(8080)
 .withFileSystemBind(squidProxyConf.getPath(), "/etc/squid/squid.conf", READ_ONLY)
 .withFileSystemBind(passwordFile.getPath(), "/etc/squid/passwd", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyIT.java
index 30aed43..2545bfe 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdProxyIT.java
@@ -30,7 +30,7 @@ public class FlareWebserviceClientImplFwdProxyIT extends FlareWebserviceClientIm
 @Container
 public static GenericContainer forwardProxy = new GenericContainer<>(
- DockerImageName.parse("ubuntu/squid:6.1-23.10_edge"))
+ DockerImageName.parse("ubuntu/squid:6.6-24.04_edge"))
 .withExposedPorts(8080)
 .withFileSystemBind(squidProxyConf.getPath(), "/etc/squid/squid.conf", READ_ONLY)
 .withNetwork(DEFAULT_CONTAINER_NETWORK)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdRevProxyBasicAuthIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdRevProxyBasicAuthIT.java
index 469a143..594e120 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdRevProxyBasicAuthIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplFwdRevProxyBasicAuthIT.java
@@ -35,7 +35,7 @@ public class FlareWebserviceClientImplFwdRevProxyBasicAuthIT extends FlareWebser
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8080)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
@@ -48,7 +48,7 @@ public class FlareWebserviceClientImplFwdRevProxyBasicAuthIT extends FlareWebser
 .dependsOn(flare);
 @Container
 public static GenericContainer forwardProxy = new GenericContainer<>(
- DockerImageName.parse("ubuntu/squid:6.1-23.10_edge"))
+ DockerImageName.parse("ubuntu/squid:6.6-24.04_edge"))
 .withExposedPorts(8080)
 .withFileSystemBind(squidProxyConf.getPath(), "/etc/squid/squid.conf", READ_ONLY)
 .withFileSystemBind(forwardProxyPasswordFile.getPath(), "/etc/squid/passwd", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBasicAuthIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBasicAuthIT.java
index e5ee1a8..a08745b 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBasicAuthIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBasicAuthIT.java
@@ -35,7 +35,7 @@ public class FlareWebserviceClientImplRevProxyBasicAuthIT extends FlareWebservic
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8080)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBearerTokenAuthIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBearerTokenAuthIT.java
index 521c4eb..c9a04ce 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBearerTokenAuthIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyBearerTokenAuthIT.java
@@ -34,7 +34,7 @@ public class FlareWebserviceClientImplRevProxyBearerTokenAuthIT extends FlareWeb
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8080)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsBasicAuthIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsBasicAuthIT.java
index 0034c1c..b773c1f 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsBasicAuthIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsBasicAuthIT.java
@@ -38,7 +38,7 @@ public class FlareWebserviceClientImplRevProxyTlsBasicAuthIT extends FlareWebser
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8443)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsClientCertIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsClientCertIT.java
index f47bd5e..ec9bdf1 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsClientCertIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsClientCertIT.java
@@ -36,7 +36,7 @@ public class FlareWebserviceClientImplRevProxyTlsClientCertIT extends FlareWebse
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8443)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsIT.java
index a620bd4..6bbb1fc 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplRevProxyTlsIT.java
@@ -35,7 +35,7 @@ public class FlareWebserviceClientImplRevProxyTlsIT extends FlareWebserviceClien
 @Container
 public static GenericContainer proxy = new GenericContainer<>(
- DockerImageName.parse("nginx:1.25.1"))
+ DockerImageName.parse("nginx:1.27.1"))
 .withExposedPorts(8443)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplTimeoutsIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplTimeoutsIT.java
index 391fefe..84b9e9e 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplTimeoutsIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/flare/FlareWebserviceClientImplTimeoutsIT.java
@@ -44,7 +44,7 @@ public class FlareWebserviceClientImplTimeoutsIT extends FlareWebserviceClientIm
 @Autowired
 protected FlareWebserviceClient flareClient;
 @Container
- public static ToxiproxyContainer toxiproxy = new ToxiproxyContainer("ghcr.io/shopify/toxiproxy:2.7.0")
+ public static ToxiproxyContainer toxiproxy = new ToxiproxyContainer("ghcr.io/shopify/toxiproxy:2.9.0")
 .withNetwork(DEFAULT_CONTAINER_NETWORK)
 .dependsOn(flare);
 private static ToxiproxyClient toxiproxyClient;
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptorIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptorIT.java
index 844f164..04bb6e3 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptorIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/OAuthInterceptorIT.java
@@ -9,15 +9,29 @@ import org.testcontainers.junit.jupiter.Testcontainers;
 import org.testcontainers.utility.DockerImageName;
+import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
 import java.util.Optional;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.testcontainers.containers.BindMode.READ_ONLY;
 @Testcontainers
 public class OAuthInterceptorIT {
 protected static final Network DEFAULT_CONTAINER_NETWORK = Network.newNetwork();
+ private static URL nginxConf = getResource("nginx.conf");
+ private static URL nginxTestProxyConfTemplate = getResource("keycloak_reverse_proxy.conf.template");
+ private static URL indexFile = getResource("index.html");
+ private static URL serverCertChain = getResource("../certs/server_cert_chain.pem");
+ private static URL serverCertKey = getResource("../certs/server_cert_key.pem");
+ private static URL trustStoreFile = getResource("../certs/ca.p12");
 @Container
 public static KeycloakContainer keycloak = new KeycloakContainer("quay.io/keycloak/keycloak:25.0")
@@ -25,32 +39,58 @@ public class OAuthInterceptorIT {
 .withNetworkAliases("keycloak")
 .withAdminUsername("admin")
 .withAdminPassword("admin")
+ .withEnv("KC_PROXY_HEADERS", "xforwarded")
 .withRealmImportFile("de/medizininformatik_initiative/process/feasibility/client/store/realm-test.json")
 .withReuse(true);
+ @Container
+ public static GenericContainer proxy = new GenericContainer<>(
+ DockerImageName.parse("nginx:1.27.1"))
+ .withExposedPorts(8443)
+ .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
+ .withFileSystemBind(indexFile.getPath(), "/usr/share/nginx/html/index.html", READ_ONLY)
+ .withFileSystemBind(nginxTestProxyConfTemplate.getPath(),
+ "/etc/nginx/templates/default.conf.template", READ_ONLY)
+ .withFileSystemBind(serverCertChain.getPath(), "/etc/nginx/certs/server_cert.pem", READ_ONLY)
+ .withFileSystemBind(serverCertKey.getPath(), "/etc/nginx/certs/server_cert_key.pem", READ_ONLY)
+ .withNetwork(DEFAULT_CONTAINER_NETWORK)
+ .withNetworkAliases("proxy")
+ .dependsOn(keycloak);
+
 @Container
 public static GenericContainer forwardProxyNoAuth = new GenericContainer<>(
- DockerImageName.parse("ubuntu/squid:6.1-23.10_edge"))
+ DockerImageName.parse("ubuntu/squid:6.6-24.04_edge"))
 .withNetwork(DEFAULT_CONTAINER_NETWORK)
 .withExposedPorts(8080)
- .withFileSystemBind(getResource("forward_proxy.conf").getPath(), "/etc/squid/squid.conf",
+ .withFileSystemBind(getResource("keycloak_forward_proxy.conf").getPath(), "/etc/squid/squid.conf",
 BindMode.READ_ONLY);
 @Container
 public static GenericContainer forwardProxyBasicAuth = new GenericContainer<>(
- DockerImageName.parse("ubuntu/squid:6.1-23.10_edge"))
+ DockerImageName.parse("ubuntu/squid:6.6-24.04_edge"))
 .withNetwork(DEFAULT_CONTAINER_NETWORK)
 .withExposedPorts(8080)
- .withFileSystemBind(getResource("forward_proxy_basic_auth.conf").getPath(), "/etc/squid/squid.conf",
- BindMode.READ_ONLY)
- .withFileSystemBind(getResource("forward_proxy.htpasswd").getPath(), "/etc/squid/passwd",
+ 
.withFileSystemBind(getResource("keycloak_forward_proxy_basic_auth.conf").getPath(),
+ "/etc/squid/squid.conf", BindMode.READ_ONLY)
+ .withFileSystemBind(getResource("keycloak_forward_proxy.htpasswd").getPath(), "/etc/squid/passwd",
 BindMode.READ_ONLY);
 @Test
- public void getToken() {
+ public void getToken() throws Exception {
 String issuerUrl = "http://" + keycloak.getHost() + ":" + keycloak.getFirstMappedPort() + "/realms/test";
- OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl, Optional.empty(),
- Optional.empty(), Optional.empty(), Optional.empty());
+ OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl, getTrustStore(),
+ Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
+
+ String token = interceptor.getToken();
+
+ assertThat(token).isNotNull();
+ }
+
+ @Test
+ public void getTokenTls() throws Exception {
+ String issuerUrl = "https://" + proxy.getHost() + ":" + proxy.getFirstMappedPort() + "/realms/test";
+ OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl, getTrustStore(),
+ Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
 String token = interceptor.getToken();
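Review bot: `getTokenTls` (and `getTokenViaForwardProxyNoAuthTls` in the following hunk) asserts only that a token came back, which would also pass if the interceptor ignored the supplied `KeyStore` and fell back to the JVM default trust or skipped verification; the `proxy` container presents the chain from `../certs/server_cert_chain.pem`, so a negative case is cheap: build an empty store with `KeyStore.getInstance("PKCS12")` and `load(null, null)`, pass it in place of `getTrustStore()`, and assert that `getToken()` throws. That is the assertion that actually pins the certificate validation this change introduces. `KC_PROXY_HEADERS=xforwarded` makes Keycloak trust X-Forwarded-* headers from anything that reaches its port 8080 — acceptable on the private test network, but the setting should not travel into a deployment where Keycloak is reachable directly. `getTokenTls` continues past the end of the hunk.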
@@ -58,9 +98,22 @@ public void getToken() {
 }
 @Test
- public void getTokenViaProxyNoAuth() {
+ public void getTokenViaForwardProxyNoAuth() throws Exception {
 String issuerUrl = "http://keycloak:8080/realms/test";
- OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl,
+ OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl, getTrustStore(),
+ Optional.of(forwardProxyNoAuth.getHost()),
+ Optional.of(forwardProxyNoAuth.getFirstMappedPort()),
+ Optional.empty(), Optional.empty());
+
+ String token = interceptor.getToken();
+
+ assertThat(token).isNotNull();
+ }
+
+ @Test
+ public void getTokenViaForwardProxyNoAuthTls() throws Exception {
+ String issuerUrl = "https://proxy:8443/realms/test";
+ OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl, getTrustStore(),
 Optional.of(forwardProxyNoAuth.getHost()),
 Optional.of(forwardProxyNoAuth.getFirstMappedPort()),
 Optional.empty(), Optional.empty());
@@ -70,10 +123,11 @@ public void getTokenViaProxyNoAuth() {
 assertThat(token).isNotNull();
 }
+ /* Forward proxy with basic authentication only works for non-tls connections by default since Java 8u111. */
 @Test
- public void getTokenViaProxyBasicAuth() {
+ public void getTokenViaForwardProxyBasicAuth() throws Exception {
 String issuerUrl = "http://keycloak:8080/realms/test";
- OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl,
+ OAuthInterceptor interceptor = new OAuthInterceptor("account", "test", issuerUrl, getTrustStore(),
 Optional.of(forwardProxyBasicAuth.getHost()),
 Optional.of(forwardProxyBasicAuth.getFirstMappedPort()),
 Optional.of("test"),
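Review bot: The comment added above `getTokenViaForwardProxyBasicAuth` names the symptom but not the cause, so a reader cannot tell whether this is a limitation of the test or of the product. Suggest: `/* Since Java 8u111 the JDK disables Basic auth for HTTPS CONNECT tunnels (jdk.http.auth.tunneling.disabledSchemes), so a basic-auth forward proxy is only exercised for plain HTTP here; an https issuer behind such a proxy needs that property cleared on the JVM. */` The same restriction applies to the production path — an https `oauthIssuerUrl` reached through a basic-auth forward proxy — so it belongs in the store-client proxy documentation as well, not only in this test. Whether OAuthInterceptor uses the JDK HTTP client, where this property applies, is not visible in this diff.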
@@ -84,6 +138,11 @@ public void getTokenViaProxyBasicAuth() {
 assertThat(token).isNotNull();
 }
+ private static KeyStore getTrustStore()
+ throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, URISyntaxException {
+ return KeyStore.getInstance(new File(trustStoreFile.toURI()), "changeit".toCharArray());
+ }
+
 private static URL getResource(final String name) {
 return OAuthInterceptorIT.class.getResource(name);
 }
diff --git a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientIT.java b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientIT.java
index fdb1435..f4ce6e3 100644
--- a/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientIT.java
+++ b/mii-process-feasibility/src/test/java/de/medizininformatik_initiative/process/feasibility/client/store/StoreClientIT.java
@@ -53,7 +53,7 @@ public class StoreClientIT {
 private static final Network DEFAULT_CONTAINER_NETWORK = Network.newNetwork();
 @Container
- public GenericContainer fhirServer = new GenericContainer<>(DockerImageName.parse("samply/blaze:0.27"))
+ public GenericContainer fhirServer = new GenericContainer<>(DockerImageName.parse("samply/blaze:0.30"))
 .withExposedPorts(8080)
 .withNetwork(DEFAULT_CONTAINER_NETWORK)
 .withNetworkAliases("fhir-server")
@@ -201,7 +201,7 @@ public void testRequestToReverseProxyWithClientCert() throws KeyStoreException,
 var serverCertChain = getResource("../certs/server_cert_chain.pem");
 var serverCertKey = getResource("../certs/server_cert_key.pem");
- NginxContainer nginx = new NginxContainer<>("nginx:1.25.1")
+ NginxContainer nginx = new NginxContainer<>("nginx:1.27.1")
 .withExposedPorts(80)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(staticFhirMetadata.getPath(), "/static/fhir_metadata.json", READ_ONLY)
@@ -249,7 +249,7 @@ public void testRequestToReverseProxyWithCredentials() {
 var indexFile = getResource("index.html");
 var passwordFile = getResource(".htpasswd");
- NginxContainer nginx = new NginxContainer<>("nginx:1.25.1")
+ NginxContainer nginx = new NginxContainer<>("nginx:1.27.1")
 .withExposedPorts(80)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(staticFhirMetadata.getPath(), "/static/fhir_metadata.json", READ_ONLY)
@@ -282,7 +282,7 @@ public void testRequestWithForwardProxy() {
 var nginxConf = this.getClass().getResource("nginx.conf");
 var forwardProxyConfigTemplate = getResource("forward_proxy.conf.template");
- NginxContainer nginx = new NginxContainer<>("nginx:1.25.1")
+ NginxContainer nginx = new NginxContainer<>("nginx:1.27.1")
 .withExposedPorts(80)
 .withFileSystemBind(nginxConf.getPath(), "/etc/nginx/nginx.conf", READ_ONLY)
 .withFileSystemBind(forwardProxyConfigTemplate.getPath(), "/etc/nginx/templates/default.conf.template", READ_ONLY)
diff --git a/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/forward_proxy.conf b/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_forward_proxy.conf
similarity index 100%
rename from mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/forward_proxy.conf
rename to mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_forward_proxy.conf
diff --git a/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/forward_proxy.htpasswd b/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_forward_proxy.htpasswd
similarity index 100%
rename from mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/forward_proxy.htpasswd
rename to mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_forward_proxy.htpasswd
diff --git a/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/forward_proxy_basic_auth.conf b/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_forward_proxy_basic_auth.conf
similarity index 100%
rename from mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/forward_proxy_basic_auth.conf
rename to mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_forward_proxy_basic_auth.conf
diff --git a/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_reverse_proxy.conf.template b/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_reverse_proxy.conf.template
new file mode 100644
index 0000000..2b0aca2
--- /dev/null
+++ b/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/keycloak_reverse_proxy.conf.template
@@ -0,0 +1,25 @@
+server {
+ listen 8443 ssl;
+ listen [::]:8443 ssl;
+ http2 on;
+
+ ssl_certificate /etc/nginx/certs/server_cert.pem;
+ ssl_certificate_key /etc/nginx/certs/server_cert_key.pem;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # DNS resolver needed for Docker
+ resolver 127.0.0.11 valid=10s;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
+ proxy_set_header X-Forwarded-Host $x_forwarded_host;
+ proxy_set_header X-Forwarded-Port $x_forwarded_port;
+
+ location / {
+ set $upstream keycloak:8080;
+ proxy_pass http://$upstream;
+ proxy_read_timeout 43200s;
+ }
+}
diff --git a/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/nginx.conf b/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/nginx.conf
index 516202d..fc03138 100644
--- a/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/nginx.conf
+++ b/mii-process-feasibility/src/test/resources/de/medizininformatik_initiative/process/feasibility/client/store/nginx.conf
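Review bot: The X-Forwarded-Proto/Host/Port values this server forwards are the `$x_forwarded_*` variables from the `map` blocks added to nginx.conf in the next hunk, which default to whatever header the client sent; at a TLS-terminating edge that means a caller chooses the scheme, host and port Keycloak believes it was reached on, and OAuthInterceptorIT tells Keycloak to trust exactly those headers (`KC_PROXY_HEADERS=xforwarded`). For the edge role, derive them from the connection instead — `proxy_set_header X-Forwarded-Proto $scheme;`, `proxy_set_header X-Forwarded-Host $host;`, `proxy_set_header X-Forwarded-Port $server_port;` — and keep the pass-through maps only for a deployment where nginx itself sits behind another trusted proxy. `proxy_read_timeout 43200s` looks carried over from the FHIR proxy templates; a token endpoint answers in milliseconds, and the default timeout bounds how long a stalled upstream can hold a worker. Harmless inside the test, but a template like this is what people copy into real setups, so a one-line comment stating which role it is written for would help.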
@@ -21,5 +21,35 @@ http {
 sendfile on;
 keepalive_timeout 65;
+ # Check if a X-Forwarded-Proto header (set by reverse-proxy) is already present. If not take the scheme used to call our nginx server.
+ map $http_x_forwarded_proto $x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ "" $scheme; # Note that if the reverse-proxy does not add a X-Forwarded-Proto header, it may be incorrect if the protocol used by the reverse proxy is not the same as the one on which your nginx server is listening. In this case you have no solution than harcode the correct value.
+ }
+
+ # Check if a X-Forwarded-Host header (set by reverse-proxy) is already present. If not take the value of the 'Host' header.
+ map $http_x_forwarded_host $x_forwarded_host {
+ default $http_x_forwarded_host;
+ "" $http_host;
+ }
+
+ # Set the default port of each scheme/protocol (80 for http, 443 for https)
+ map $x_forwarded_proto $default_http_port {
+ default 80;
+ "https" 443;
+ }
+
+ # Extract the real port of the client request url (unfortunatly nginx has no variable to get this info)
+ map $http_host $request_port {
+ default $default_http_port; # If port not explicitely defined in url take the default one associated to the calling scheme/protocol (80 for http, 443 for https)
+ "~^[^\:]+:(?

\d+)$" $p;
+ }
+
+ # Check if a X-Forwarded-Port header (set by reverse-proxy) is already present. If not take the port from the client request url
+ map $http_x_forwarded_port $x_forwarded_port {
+ default $http_x_forwarded_port;
+ "" $request_port;
+ }
+
 include /etc/nginx/conf.d/*.conf;
 }
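Review bot: The `$request_port` map's regex reads `"~^[^\:]+:(?` … `\d+)$" $p;` in this rendering, i.e. the named capture that `$p` refers to is missing between `(?` and `\d+`; this looks like the group name in angle brackets having been stripped by HTML extraction, so confirm that the committed line is `"~^[^\:]+:(?<p>\d+)$" $p;` and that `nginx -t` accepts the file, since a missing group would make `$p` an undefined variable. While here, the comments carry typos worth fixing: `unfortunatly` → `unfortunately`, `explicitely` → `explicitly`, `harcode` → `hardcode`. The `default $http_x_forwarded_*` branches deliberately trust an incoming X-Forwarded-* header when present, which is right only when nginx is behind another trusted proxy; the first comment should say so explicitly, because a server block that terminates TLS at the edge must overwrite those headers rather than pass them through.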