From 79c031f5a0b55216c9eb4c0d27a90b87be6aebc9 Mon Sep 17 00:00:00 2001 From: Arthur Deierlein Date: Mon, 25 Nov 2024 13:59:07 +0100 Subject: [PATCH] chore(dev-setup): update keycloak to v26 --- compose.yaml | 5 +-- keycloak/config.json | 72 +++++++++++++++++++++++++++++--------------- 2 files changed, 51 insertions(+), 26 deletions(-) diff --git a/compose.yaml b/compose.yaml index 8cd238958..34c9a22a1 100644 --- a/compose.yaml +++ b/compose.yaml @@ -28,7 +28,7 @@ services: - TIMED_SSO_CLIENT_ID=timed-public keycloak: - image: keycloak/keycloak:25.0 + image: keycloak/keycloak:26.0.6 depends_on: - db volumes: @@ -41,12 +41,13 @@ services: - KC_HOSTNAME_STRICT=false - KC_HOSTNAME_STRICT_HTTPS=false - KC_HTTP_RELATIVE_PATH=/auth + - KC_HTTP_ENABLED=true - KC_PROXY=edge - KC_DB_PASSWORD=keycloak - KEYCLOAK_ADMIN_PASSWORD=admin # import: docker compose exec keycloak /opt/keycloak/bin/kc.sh import --override true --file /opt/keycloak/data/import/config.json # export: docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/config.json - command: "start" + command: "start --hostname timed.localhost --proxy-headers xforwarded" caddy: image: caddy:2.6-alpine diff --git a/keycloak/config.json b/keycloak/config.json index 0f32baa66..5c9604d52 100644 --- a/keycloak/config.json +++ b/keycloak/config.json @@ -40,6 +40,7 @@ "bruteForceProtected" : false, "permanentLockout" : false, "maxTemporaryLockouts" : 0, + "bruteForceStrategy" : "MULTIPLE", "maxFailureWaitSeconds" : 900, "minimumQuickLoginWaitSeconds" : 60, "waitIncrementSeconds" : 60, @@ -598,6 +599,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, @@ -628,6 +630,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, 
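Review bot: The second compose.yaml hunk now configures the reverse-proxy policy twice: the new `--proxy-headers xforwarded` on the command line and the retained `KC_PROXY=edge` environment variable, and it keeps `KC_HOSTNAME_STRICT_HTTPS=false`, which belongs to the hostname v1 option set that Keycloak 26 no longer ships as far as I recall. Those two leftovers are at best ignored with a startup warning and at worst mislead the next reader into thinking `proxy=edge` still implies `http-enabled` (it is `--proxy-headers` that does not, which is why `KC_HTTP_ENABLED=true` had to be added here); dropping them makes the effective policy visible in one place. Note that `xforwarded` makes Keycloak trust X-Forwarded-For/Proto/Host from any client that can reach port 8080, so this is only safe while that port is reachable solely from caddy — the published ports are outside this hunk, so please confirm. For consistency with the surrounding `KC_*` variables I would also move the two flags out of the command, e.g. `- KC_HOSTNAME=timed.localhost`, `- KC_PROXY_HEADERS=xforwarded` and back to `command: "start"`, and add a comment that `KC_HOSTNAME_STRICT=false`/`KC_HTTP_ENABLED=true` are dev-only settings.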
@@ -665,10 +668,12 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", + "client.use.lightweight.access.token.enabled" : "true", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, + "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : 0, "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] @@ -693,6 +698,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "true", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, @@ -721,6 +727,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "true", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, @@ -751,11 +758,13 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", + "client.use.lightweight.access.token.enabled" : "true", "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, + "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : 0, "protocolMappers" : [ { "id" : "ea06add3-caf3-4b90-b7a6-46e00779f5ef", @@ -796,6 +805,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "true", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, @@ -1161,8 +1171,9 @@ "consentRequired" : false, "config" : { "user.session.note" : "AUTH_TIME", - "id.token.claim" : "true", "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "auth_time", "jsonType.label" : "long" 
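Review bot: `"fullScopeAllowed" : true` in the @@ -665 hunk widens what this client can obtain: with full scope every realm and client role mapped to the user is eligible for its tokens instead of only the roles granted through its client scopes, and the same flip appears in the @@ -751 hunk and again for the second realm (@@ -2600, @@ -2686). The client IDs are outside the hunks, but the pairing with `"client.use.lightweight.access.token.enabled" : "true"` (and the S256 PKCE attribute on the second one) looks like the built-in admin-cli / security-admin-console clients, whose Keycloak 26 migration does enable lightweight tokens and full scope together; if that is what these are, the change is expected and the commit message should say so. If either of them is an application client, the flip should be reverted rather than carried along in a "chore" commit, since a realm import with `--override true` will apply it to every developer's instance. A one-line note in the commit description naming the affected clients would let reviewers check this without diffing the export by hand.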
@@ -1366,7 +1377,7 @@ "subType" : "anonymous", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper" ] + "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper" ] } }, { "id" : "a95cc0db-8432-4f54-8692-7060275bc1bb", @@ -1375,7 +1386,7 @@ "subType" : "authenticated", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper" ] + "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper" ] } }, { "id" : "9f86543e-5ee6-4e74-93d4-27d83ba95a26", 
@@ -2031,19 +2042,20 @@ "firstBrokerLoginFlow" : "first broker login", "attributes" : { "cibaBackchannelTokenDeliveryMode" : "poll", - "cibaExpiresIn" : "120", "cibaAuthRequestedUserHint" : "login_hint", - "oauth2DeviceCodeLifespan" : "600", "clientOfflineSessionMaxLifespan" : "0", "oauth2DevicePollingInterval" : "5", "clientSessionIdleTimeout" : "0", - "parRequestUriLifespan" : "60", - "clientSessionMaxLifespan" : "0", "clientOfflineSessionIdleTimeout" : "0", "cibaInterval" : "5", - "realmReusableOtpCode" : "false" + "realmReusableOtpCode" : "false", + "cibaExpiresIn" : "120", + "oauth2DeviceCodeLifespan" : "600", + "parRequestUriLifespan" : "60", + "clientSessionMaxLifespan" : "0", + "organizationsEnabled" : "false" }, - "keycloakVersion" : "25.0.6", + "keycloakVersion" : "26.0.6", "userManagedAccessAllowed" : false, "organizationsEnabled" : false, "clientProfiles" : { @@ -2092,6 +2104,7 @@ "bruteForceProtected" : false, "permanentLockout" : false, "maxTemporaryLockouts" : 0, + "bruteForceStrategy" : "MULTIPLE", "maxFailureWaitSeconds" : 900, "minimumQuickLoginWaitSeconds" : 60, "waitIncrementSeconds" : 60, @@ -2445,8 +2458,8 @@ "type" : "password", "userLabel" : "My password", "createdDate" : 1714984096848, - "secretData" : "{\"value\":\"/BwRnm8T4Hwp5DQeQPEKuXq1LkT9OXBxdslYASCnSOCrR1e3G5fIax68vR/32vd2c2sMkEIclcb1wIEAc2P5zA==\",\"salt\":\"yDatpf5GUoYUPiGS3+gt2Q==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":210000,\"algorithm\":\"pbkdf2-sha512\",\"additionalParameters\":{}}" + "secretData" : "{\"value\":\"7PL8EsLJ2tCJ09D7VZgYoO7brpDXa9NOWQ7nCUJ+WPc=\",\"salt\":\"mePcve1oeX22ZkYOog3QPQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" } ], "disableableCredentialTypes" : [ ], "requiredActions" : [ ], 
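Review bot: The @@ -2445 hunk replaces the committed seed user's password hash with an argon2id credential (`"memory":["7168"]`, `"hashIterations":5`, `"parallelism":["1"]`, 32-byte hash), which matches Keycloak's built-in argon2 defaults, so the value itself is fine for a dev fixture; what is missing is any statement that this is a throwaway dev-realm credential. The previous pbkdf2-sha512 hash was committed too, so this is not new exposure, but I would add a line next to the import/export commands in compose.yaml such as `# config.json contains seed users with well-known dev passwords; never reuse this realm outside local development`. Two caveats worth recording in the same place: argon2 is not available when Keycloak runs with the FIPS feature, in which case this fixture will no longer verify and the user would need a pbkdf2 hash again, and because Keycloak re-hashes on login whenever the hashing policy changes, the documented `kc.sh export` will keep churning this line across upgrades. The `createdDate` was left at the pbkdf2-era timestamp, which is harmless but confirms this is a re-hash of the same secret rather than a new password.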
@@ -2533,6 +2546,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, @@ -2563,6 +2577,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, @@ -2600,10 +2615,12 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", + "client.use.lightweight.access.token.enabled" : "true", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, + "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : 0, "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] @@ -2628,6 +2645,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "true", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, @@ -2656,6 +2674,7 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "true", "post.logout.redirect.uris" : "+" }, "authenticationFlowBindingOverrides" : { }, @@ -2686,11 +2705,13 @@ "frontchannelLogout" : false, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", + "client.use.lightweight.access.token.enabled" : "true", "post.logout.redirect.uris" : "+", "pkce.code.challenge.method" : "S256" }, "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, + "fullScopeAllowed" : true, "nodeReRegistrationTimeout" : 0, "protocolMappers" : [ { "id" : "fc23adbd-9cee-40c5-8499-2f64faa91382", 
@@ -2735,6 +2756,7 @@ "frontchannelLogout" : true, "protocol" : "openid-connect", "attributes" : { + "realm_client" : "false", "oidc.ciba.grant.enabled" : "false", "backchannel.logout.session.required" : "true", "post.logout.redirect.uris" : "https://timed.local/*##http://localhost:4200/*", @@ -3267,8 +3289,9 @@ "consentRequired" : false, "config" : { "user.session.note" : "AUTH_TIME", - "id.token.claim" : "true", "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "auth_time", "jsonType.label" : "long" @@ -3329,7 +3352,7 @@ "subType" : "authenticated", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "saml-role-list-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper" ] + "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper" ] } }, { "id" : "40b4741c-881c-4e25-a993-c63639d7ab69", @@ -3356,7 +3379,7 @@ "subType" : "anonymous", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper" ] + "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "saml-user-property-mapper" ] } }, { "id" : "8b8cf966-8bb5-4f30-a22a-cbc74c835df8", 
@@ -3967,19 +3990,20 @@ "firstBrokerLoginFlow" : "first broker login", "attributes" : { "cibaBackchannelTokenDeliveryMode" : "poll", - "cibaExpiresIn" : "120", "cibaAuthRequestedUserHint" : "login_hint", - "oauth2DeviceCodeLifespan" : "600", "clientOfflineSessionMaxLifespan" : "0", "oauth2DevicePollingInterval" : "5", "clientSessionIdleTimeout" : "0", - "parRequestUriLifespan" : "60", - "clientSessionMaxLifespan" : "0", "clientOfflineSessionIdleTimeout" : "0", "cibaInterval" : "5", - "realmReusableOtpCode" : "false" + "realmReusableOtpCode" : "false", + "cibaExpiresIn" : "120", + "oauth2DeviceCodeLifespan" : "600", + "parRequestUriLifespan" : "60", + "clientSessionMaxLifespan" : "0", + "organizationsEnabled" : "false" }, - "keycloakVersion" : "25.0.6", + "keycloakVersion" : "26.0.6", "userManagedAccessAllowed" : false, "organizationsEnabled" : false, "clientProfiles" : {