diff --git a/.dockerignore b/.dockerignore index e7aab0aca787bc9577c05a70419c467d23fa2116..7268d7a94830032bc072be125d9c3ed2724701af 100644 --- a/.dockerignore +++ b/.dockerignore @@ -12,7 +12,6 @@ .git/ .coverage **/.ipynb_checkpoints -**/.volumes nomad_lab.egg-info/ diff --git a/.gitignore b/.gitignore index 01ef733ddad3d054f62c976a5f3238bc40b2f071..b09db3aca3c519dda4714cd7b52c17b24ecc29bd 100644 --- a/.gitignore +++ b/.gitignore @@ -11,7 +11,7 @@ __pycache__ *.pyc *.egg-info/ /data/ -.volumes/ +/.volumes .pytest_cache/ .coverage* htmlcov diff --git a/docs/oasis.md b/docs/oasis.md index 86dbbc76a045d2bf9c5a1bd35441df522e381adc..e5d21e6e86c829e109fc03908ef8cff522e31b9c 100644 --- a/docs/oasis.md +++ b/docs/oasis.md @@ -9,18 +9,27 @@ central NOMAD installation. ## Quick-start - Find a linux computer. -- Make sure you have [docker](https://docs.docker.com/engine/install/) and [docker-compose](https://docs.docker.com/compose/install/) installed. You have the necessary rights to run docker. +- Make sure you have [docker](https://docs.docker.com/engine/install/) and [docker-compose](https://docs.docker.com/compose/install/) installed. - Download our basic configuration files [nomad-oasis.zip](assets/nomad-oasis.zip) - Run the following commands + ```sh unzip nomad-oasis.zip cd nomad-oasis +sudo chown -R 1000 .volumes docker-compose pull docker-compose up -d curl localhost/nomad-oasis/alive ``` + - Open [http://localhost/nomad-oasis](http://localhost/nomad-oasis) in your browser. +To run NORTH (the NOMAD Remote Tools Hub), the `hub` container needs to run docker and +the container has to be run under the docker group. You need to replace the default group +id `991` in the `docker-compose.yaml`'s `hub` section with your systems docker group id. +Run `id` if you are a docker user, or `getent group | grep docker` to find our your +systems docker gid. The user id 1000 is used as the nomad user inside all containers. + This is good as a quick test. We strongly recommend to read the following instructions carefully and adapt the configuration files accordingly. The following might also include meaningful help, if you run into problems. @@ -132,8 +141,14 @@ A few things to notice: - The NOMAD images are pulled from our gitlab at MPCDF, the other services use images from a public registry (*dockerhub*). - The NOMAD images tag determines the image version or `stable`, `latest`, or specific development branches of NOMAD. - All container will be named `nomad_oasis_*`. These names can be used later to reference the container with the `docker` cmd. -- The services are setup to restart `always`, you might want to change this to `no` while debugging errors to prevent -indefinite restarts. +- The services are setup to restart `always`, you might want to change this to `no` while debugging errors to prevent indefinite restarts. +- Make sure that the `PWD` environment variable is set. NORTH needs to create bind mounts that require absolute paths and we need to pass the current working directory to the configuration from the PWD variable (see hub service in the `docker-compose.yaml`). +- The `hub` serves needs to run docker containers. We have to use the systems docker group as a group. You might need to replace `991` with your +systems docker group id. +- The `hub` and all containers it starts are connected to the `nomad_oasis_north_network` docker network. +By default the docker [bridge network driver](https://docs.docker.com/network/) is used. NORTH tools +(and their users) will have access to this network. + #### nomad.yaml @@ -254,85 +269,48 @@ If you want to report problems with your OASIS. Please provide the logs for ### Provide and connect your own user management -You can download a basic configuration [here](assets/nomad-oasis-with-keycloak.zip). - NOMAD uses [keycloak](https://www.keycloak.org/) for its user management. NOMAD uses keycloak in two way. First, the user authentication uses the OpenID Connect/OAuth interfaces provided by keycloak. -Second, NOMD uses the keycloak realm-management API to get a list of existing users. Keycloak is highly customizable and numerous options to -connect keycloak to existing identity providers exist. +Second, NOMD uses the keycloak realm-management API to get a list of existing users. +Keycloak is highly customizable and numerous options to connect keycloak to existing +identity providers exist. This tutorial assumes that you have a some understanding about what keycloak is and how it works. -In the following, we provide basic installation steps for running your own keycloak in -the NOMAD Oasis docker-compose. First, add a keycloak service to the `docker-compose.yaml`: - -```yaml -services: - # keycloak user management - keycloak: - restart: always - image: jboss/keycloak:16.1.1 - container_name: nomad_oasis_keycloak - environment: - - PROXY_ADDRESS_FORWARDING=true - - KEYCLOAK_FRONTEND_URL=http://<your-host>/keycloak/auth - volumes: - - keycloak:/opt/jboss/keycloak/standalone/data - # Uncomment to get access to the admin console. - # ports: - # - 8080:8080 -``` +Start with the regular docker-compose installation above. Now you need to modify the +`docker-compose.yaml` to add a keycloak service. You need to modify the `nginx.conf` to add +another location for keycloak. You need to modify the `nomad.yaml` to tell nomad to +use your and not the official NOMAD keycloak. -Also add links to the `keycloak` service in the `app` and `worker` service: ```yaml -services: - app: - links: - - keycloak - worker: - links: - - keycloak +--8<-- "ops/docker-compose/nomad-oasis/docker-compose-with-keycloak.yaml" ``` A few notes: -- You have to replace `<your-host>` with a hostname usable by your users. -- The environment variables on the keycloak service allow to use keycloak behind the nginx proxy with a path prefix `keycloak`. + +- You have to change the `KEYCLOAK_FRONTEND_URL` variable to match you host and set a path prefix. +- The environment variables on the keycloak service allow to use keycloak behind the nginx proxy with a path prefix, e.g. `keycloak`. - By default, keycloak will use a simple H2 file database stored in the given volume. Keycloak offers many other options to connect SQL databases. - We will use keycloak with our nginx proxy here, but you can also host-bind the port `8080` to access keycloak directly. Second, we add a keycloak location to the nginx config: ```nginx -location /keycloak { - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - rewrite /keycloak/(.*) /$1 break; - proxy_pass http://keycloak:8080; -} +--8<-- "ops/docker-compose/nomad-oasis/nginx-with-keycloak.conf" ``` A few notes: + - Again, we are using `keycloak` as a path prefix. We configure the headers to allow keycloak to pick up the rewritten url. Third, we modify the keycloak configuration in the `nomad.yaml`: ```yaml -services: - admin_user_id: 'a9e97ae9-7568-4b44-bb9f-7a7c6be898e8' - -keycloak: - server_url: 'http://keycloak:8080/auth' - public_server_url: 'http://<your-host>/keycloak/auth' - realm_name: nomad - username: 'admin' - password: 'password' - oasis: true +--8<-- "ops/docker-compose/nomad-oasis/nomad-with-keycloak.yaml" ``` A few notes: + - There are two urls to configure for keycloak. The `server_url` is used by the nomad services to directly communicate with keycloak within the docker network. The `public_server_url` is used by the UI for perform the authentication flow. @@ -362,6 +340,7 @@ select the realm file that you can find [in this .zip](assets/nomad-oasis-with-k to import our example configuration. A few notes on the realm configuration: + - Realm and client settings are almost all default keycloak settings. - You should change the password of the admin user in the nomad realm. - The admin user in the nomad realm has the additional `view-users` client role for `realm-management` @@ -380,7 +359,7 @@ current working directory of your installation/docker-compose. This directory ca To backup the mongodb, please refer to the official [mongodb documentation](https://docs.mongodb.com/manual/core/backups/). We suggest a simple mongodump export that is backed up alongside your files. The default configuration mounts `.volumes/mongo` into the mongodb container (as `/backup`) for this purpose. You can use this to export the NOMAD mongo database. Combine this with rsync on the `.volumes` directory and everything should be set. To create a new mongodump run: ```sh -docker exec nomad_oasis_mongo mongodump -d nomad_v1 -o /backup +docker exec nomad_oasis_mongo mongodump -d nomad_oasis_v1 -o /backup ``` The elasticsearch contents can be reproduced with the information in the files and the mongodb. diff --git a/generate_docs_artifacts.sh b/generate_docs_artifacts.sh index 468c85ee92767cc08574b0e502e109d31f70475f..7151b246fd3db6d1586bba98eaeb1741607d6f8a 100755 --- a/generate_docs_artifacts.sh +++ b/generate_docs_artifacts.sh @@ -1,6 +1,5 @@ #!/bin/sh rm -rf docs/assets/nomad-oasis* cd ops/docker-compose -zip -r ../../docs/assets/nomad-oasis.zip nomad-oasis -x "nomad-oasis/.volumes**" -zip -r ../../docs/assets/nomad-oasis-with-keycloak.zip nomad-oasis-with-keycloak -x "nomad-oasis-with-keycloak/.volumes/\*" +zip -r ../../docs/assets/nomad-oasis.zip nomad-oasis -x "**-with-keycloak**" -x "**.empty" cd ../.. \ No newline at end of file diff --git a/nomad/config.py b/nomad/config.py index ce2467f363fb045490229d352c0d4b4704bfcb99..f51b76015b71a75342334921112d05210543f0d7 100644 --- a/nomad/config.py +++ b/nomad/config.py @@ -131,15 +131,10 @@ fs = NomadConfig( local_tmp='/tmp', prefix_size=2, archive_version_suffix='v1', - working_directory=os.getcwd() + working_directory=os.getcwd(), + external_working_directory=None ) -try: - fs.staging_external = os.path.abspath(fs.staging) - fs.public_external = os.path.abspath(fs.public) -except Exception: - pass - elastic = NomadConfig( host='localhost', port=9200, @@ -256,17 +251,27 @@ def _check_config(): if keycloak.public_server_url is None: keycloak.public_server_url = keycloak.server_url - if fs.staging_external is None: - fs.staging_external = fs.staging + def set_external_path(source_obj, source_key, target_obj, target_key, overwrite=False): + source_value = getattr(source_obj, source_key) + target_value = getattr(target_obj, target_key) + + if target_value and not overwrite: + return - if fs.staging_external is not None and not os.path.isabs(fs.staging_external): - fs.staging_external = os.path.abspath(fs.staging_external) + if not source_value: + return + + if fs.external_working_directory and not os.path.isabs(source_value): + target_value = os.path.join(fs.external_working_directory, source_value) + else: + target_value = source_value - if north.users_fs is not None and not os.path.isabs(north.users_fs): - north.users_fs = os.path.abspath(north.users_fs) + setattr(target_obj, target_key, target_value) - if north.shared_fs is not None and not os.path.isabs(north.shared_fs): - north.shared_fs = os.path.abspath(north.shared_fs) + set_external_path(fs, 'staging', fs, 'staging_external') + set_external_path(fs, 'public', fs, 'public_external') + set_external_path(north, 'users_fs', north, 'users_fs', overwrite=True) + set_external_path(north, 'shared_fs', north, 'shared_fs', overwrite=True) mail = NomadConfig( diff --git a/ops/docker-compose/nomad-oasis-with-keycloak/nomad-realm.json b/ops/docker-compose/nomad-oasis-with-keycloak/nomad-realm.json deleted file mode 100644 index 6c891437bc515181f39bde5fb6999736def3d60c..0000000000000000000000000000000000000000 --- a/ops/docker-compose/nomad-oasis-with-keycloak/nomad-realm.json +++ /dev/null @@ -1,1766 +0,0 @@ -{ - "id" : "nomad", - "realm" : "nomad", - "notBefore" : 0, - "defaultSignatureAlgorithm" : "RS256", - "revokeRefreshToken" : false, - "refreshTokenMaxReuse" : 0, - "accessTokenLifespan" : 300, - "accessTokenLifespanForImplicitFlow" : 900, - "ssoSessionIdleTimeout" : 1800, - "ssoSessionMaxLifespan" : 36000, - "ssoSessionIdleTimeoutRememberMe" : 0, - "ssoSessionMaxLifespanRememberMe" : 0, - "offlineSessionIdleTimeout" : 2592000, - "offlineSessionMaxLifespanEnabled" : false, - "offlineSessionMaxLifespan" : 5184000, - "clientSessionIdleTimeout" : 0, - "clientSessionMaxLifespan" : 0, - "clientOfflineSessionIdleTimeout" : 0, - "clientOfflineSessionMaxLifespan" : 0, - "accessCodeLifespan" : 60, - "accessCodeLifespanUserAction" : 300, - "accessCodeLifespanLogin" : 1800, - "actionTokenGeneratedByAdminLifespan" : 43200, - "actionTokenGeneratedByUserLifespan" : 300, - "oauth2DeviceCodeLifespan" : 600, - "oauth2DevicePollingInterval" : 5, - "enabled" : true, - "sslRequired" : "external", - "registrationAllowed" : false, - "registrationEmailAsUsername" : false, - "rememberMe" : false, - "verifyEmail" : false, - "loginWithEmailAllowed" : true, - "duplicateEmailsAllowed" : false, - "resetPasswordAllowed" : false, - "editUsernameAllowed" : false, - "bruteForceProtected" : false, - "permanentLockout" : false, - "maxFailureWaitSeconds" : 900, - "minimumQuickLoginWaitSeconds" : 60, - "waitIncrementSeconds" : 60, - "quickLoginCheckMilliSeconds" : 1000, - "maxDeltaTimeSeconds" : 43200, - "failureFactor" : 30, - "roles" : { - "realm" : [ { - "id" : "e381187b-ddc2-46d5-84bf-0c7c3441d5dc", - "name" : "offline_access", - "description" : "${role_offline-access}", - "composite" : false, - "clientRole" : false, - "containerId" : "nomad", - "attributes" : { } - }, { - "id" : "5dc61a81-2ecd-4db7-b804-393fd76a086d", - "name" : "uma_authorization", - "description" : "${role_uma_authorization}", - "composite" : false, - "clientRole" : false, - "containerId" : "nomad", - "attributes" : { } - }, { - "id" : "afed8081-9dfb-4c66-af28-0d026fc26a3b", - "name" : "default-roles-nomad", - "description" : "${role_default-roles}", - "composite" : true, - "composites" : { - "realm" : [ "offline_access", "uma_authorization" ] - }, - "clientRole" : false, - "containerId" : "nomad", - "attributes" : { } - } ], - "client" : { - "realm-management" : [ { - "id" : "f6867dc5-043f-4a89-9425-860d21adb43c", - "name" : "query-users", - "description" : "${role_query-users}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "78a6bba6-97a5-4450-a43d-f8c3c9ff0d88", - "name" : "query-clients", - "description" : "${role_query-clients}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "9b50c728-81c5-48ea-8a14-074cc5dda73c", - "name" : "view-clients", - "description" : "${role_view-clients}", - "composite" : true, - "composites" : { - "client" : { - "realm-management" : [ "query-clients" ] - } - }, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "e6cf8f34-f7f4-4927-933d-688b20456a16", - "name" : "view-identity-providers", - "description" : "${role_view-identity-providers}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "63046ea1-9e2c-4228-a335-758c991c7b12", - "name" : "view-users", - "description" : "${role_view-users}", - "composite" : true, - "composites" : { - "client" : { - "realm-management" : [ "query-users", "query-groups" ] - } - }, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "99494699-9300-49c1-99e4-11560cc7da02", - "name" : "manage-identity-providers", - "description" : "${role_manage-identity-providers}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "ae41e691-f07c-42cc-b80f-eba326f4a2cc", - "name" : "query-groups", - "description" : "${role_query-groups}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "cabfdce1-375b-47e0-b105-801249feed0f", - "name" : "manage-authorization", - "description" : "${role_manage-authorization}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "8ad3d036-d201-4381-ad8d-b147823d2018", - "name" : "impersonation", - "description" : "${role_impersonation}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "dfcc4cf0-d60a-4a6f-9565-28b308d939d7", - "name" : "manage-users", - "description" : "${role_manage-users}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "91871ac3-7b9f-4121-a607-866bb5f92d0e", - "name" : "view-realm", - "description" : "${role_view-realm}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "2163319d-74ee-4bcb-abf3-687d976d64b5", - "name" : "create-client", - "description" : "${role_create-client}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "7b29f0ac-a495-4c7a-80b1-96d6204432e7", - "name" : "query-realms", - "description" : "${role_query-realms}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "d3dd5dd0-9260-4878-98a2-197289296dc1", - "name" : "manage-clients", - "description" : "${role_manage-clients}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "fa4d9aca-addc-4773-8ace-c7d859290bfd", - "name" : "view-events", - "description" : "${role_view-events}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "253ce1cd-9978-4391-9ac7-3405981fe2d5", - "name" : "manage-realm", - "description" : "${role_manage-realm}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "84334fee-627c-4faf-a21a-9c2757cf7030", - "name" : "view-authorization", - "description" : "${role_view-authorization}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "cbbb61b3-61d8-4d7a-9883-657956eabe20", - "name" : "realm-admin", - "description" : "${role_realm-admin}", - "composite" : true, - "composites" : { - "client" : { - "realm-management" : [ "query-users", "query-clients", "view-clients", "view-identity-providers", "view-users", "manage-identity-providers", "query-groups", "manage-authorization", "impersonation", "view-realm", "manage-users", "create-client", "query-realms", "manage-clients", "view-events", "manage-realm", "view-authorization", "manage-events" ] - } - }, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - }, { - "id" : "2ccc6fe5-6d03-4471-8b64-2e4ea99204bd", - "name" : "manage-events", - "description" : "${role_manage-events}", - "composite" : false, - "clientRole" : true, - "containerId" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "attributes" : { } - } ], - "security-admin-console" : [ ], - "admin-cli" : [ ], - "account-console" : [ ], - "broker" : [ ], - "nomad_public" : [ ], - "account" : [ { - "id" : "65cfacb6-d2ef-4e29-9d3b-d7aee90c89b0", - "name" : "manage-account", - "composite" : false, - "clientRole" : true, - "containerId" : "862a3def-d459-4637-a782-36cdb33e30d0", - "attributes" : { } - }, { - "id" : "b267a8ae-4a72-44f0-aa5b-b30a97eb8a00", - "name" : "delete-account", - "description" : "${role_delete-account}", - "composite" : false, - "clientRole" : true, - "containerId" : "862a3def-d459-4637-a782-36cdb33e30d0", - "attributes" : { } - } ] - } - }, - "groups" : [ ], - "defaultRole" : { - "id" : "afed8081-9dfb-4c66-af28-0d026fc26a3b", - "name" : "default-roles-nomad", - "description" : "${role_default-roles}", - "composite" : true, - "clientRole" : false, - "containerId" : "nomad" - }, - "requiredCredentials" : [ "password" ], - "otpPolicyType" : "totp", - "otpPolicyAlgorithm" : "HmacSHA1", - "otpPolicyInitialCounter" : 0, - "otpPolicyDigits" : 6, - "otpPolicyLookAheadWindow" : 1, - "otpPolicyPeriod" : 30, - "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], - "webAuthnPolicyRpEntityName" : "keycloak", - "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], - "webAuthnPolicyRpId" : "", - "webAuthnPolicyAttestationConveyancePreference" : "not specified", - "webAuthnPolicyAuthenticatorAttachment" : "not specified", - "webAuthnPolicyRequireResidentKey" : "not specified", - "webAuthnPolicyUserVerificationRequirement" : "not specified", - "webAuthnPolicyCreateTimeout" : 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, - "webAuthnPolicyAcceptableAaguids" : [ ], - "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], - "webAuthnPolicyPasswordlessRpId" : "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", - "webAuthnPolicyPasswordlessCreateTimeout" : 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, - "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], - "users" : [ { - "id" : "a9e97ae9-7568-4b44-bb9f-7a7c6be898e8", - "createdTimestamp" : 1646122967909, - "username" : "admin", - "enabled" : true, - "totp" : false, - "emailVerified" : true, - "firstName" : "Admin", - "lastName" : "Administrator", - "credentials" : [ { - "id" : "8a67ac2a-98e8-4a70-93cb-40efeef12454", - "type" : "password", - "createdDate" : 1646122987134, - "secretData" : "{\"value\":\"dBfgf/1z8FS+GOvWaaoIXV2mf8AfUTMWM9dUHF3msvwFM8Ypy78fo0fp+5pc/40Pce0YdqHghAarvJwBQWkylw==\",\"salt\":\"7Utui336SDaMh9KDXk56hg==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-nomad" ], - "clientRoles" : { - "realm-management" : [ "view-users" ] - }, - "notBefore" : 0, - "groups" : [ ] - }, { - "id" : "fec95f93-4bde-4efa-8d47-8f9dbc170b94", - "createdTimestamp" : 1646120364248, - "username" : "test", - "enabled" : true, - "totp" : false, - "emailVerified" : true, - "firstName" : "Test", - "lastName" : "Tester", - "credentials" : [ { - "id" : "d504f921-40f2-49d8-8cb7-fb73d064607a", - "type" : "password", - "createdDate" : 1646120375623, - "secretData" : "{\"value\":\"2GRDpoQ3ZOwr/Pp+R5ZycokHvrmVwIQfE72GP9smQrrPNzxY+yVLyOmRjKpevrobfDSZdjiBDLV14OTSwHsjRA==\",\"salt\":\"4MnNMfVWtIrirLCY6QAFeg==\",\"additionalParameters\":{}}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "default-roles-nomad" ], - "notBefore" : 0, - "groups" : [ ] - } ], - "scopeMappings" : [ { - "clientScope" : "offline_access", - "roles" : [ "offline_access" ] - } ], - "clientScopeMappings" : { - "account" : [ { - "client" : "account-console", - "roles" : [ "manage-account" ] - } ] - }, - "clients" : [ { - "id" : "862a3def-d459-4637-a782-36cdb33e30d0", - "clientId" : "account", - "name" : "${client_account}", - "rootUrl" : "${authBaseUrl}", - "baseUrl" : "/realms/nomad/account/", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ "/realms/nomad/account/*" ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "2eb5d18c-e42f-469d-916e-083b05aed5f7", - "clientId" : "account-console", - "name" : "${client_account-console}", - "rootUrl" : "${authBaseUrl}", - "baseUrl" : "/realms/nomad/account/", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ "/realms/nomad/account/*" ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "pkce.code.challenge.method" : "S256" - }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "protocolMappers" : [ { - "id" : "9573d615-bc37-400e-abec-afe3242f4a95", - "name" : "audience resolve", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-audience-resolve-mapper", - "consentRequired" : false, - "config" : { } - } ], - "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "ddd86e52-3661-447a-8c90-5cf77f6f0510", - "clientId" : "admin-cli", - "name" : "${client_admin-cli}", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : false, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : true, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "c966ada9-c39c-4c64-91ca-4def358ef6c7", - "clientId" : "broker", - "name" : "${client_broker}", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : true, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "393e409f-5de9-44cf-8cdd-e76a2fab4f0f", - "clientId" : "nomad_public", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ "http://*", "https://*" ], - "webOrigins" : [ "*" ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : true, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "id.token.as.detached.signature" : "false", - "saml.assertion.signature" : "false", - "saml.force.post.binding" : "false", - "saml.multivalued.roles" : "false", - "saml.encrypt" : "false", - "oauth2.device.authorization.grant.enabled" : "false", - "backchannel.logout.revoke.offline.tokens" : "false", - "saml.server.signature" : "false", - "saml.server.signature.keyinfo.ext" : "false", - "use.refresh.tokens" : "true", - "exclude.session.state.from.auth.response" : "false", - "oidc.ciba.grant.enabled" : "false", - "saml.artifact.binding" : "false", - "backchannel.logout.session.required" : "true", - "client_credentials.use_refresh_token" : "false", - "saml_force_name_id_format" : "false", - "require.pushed.authorization.requests" : "false", - "saml.client.signature" : "false", - "tls.client.certificate.bound.access.tokens" : "false", - "saml.authnstatement" : "false", - "display.on.consent.screen" : "false", - "saml.onetimeuse.condition" : "false" - }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : true, - "nodeReRegistrationTimeout" : -1, - "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "2a6ce415-cba7-44ad-bbb3-92f7eb3319b0", - "clientId" : "realm-management", - "name" : "${client_realm-management}", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ ], - "webOrigins" : [ ], - "notBefore" : 0, - "bearerOnly" : true, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : false, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - }, { - "id" : "463e0e93-45c8-400e-867b-9e848bbb1ec8", - "clientId" : "security-admin-console", - "name" : "${client_security-admin-console}", - "rootUrl" : "${authAdminUrl}", - "baseUrl" : "/admin/nomad/console/", - "surrogateAuthRequired" : false, - "enabled" : true, - "alwaysDisplayInConsole" : false, - "clientAuthenticatorType" : "client-secret", - "redirectUris" : [ "/admin/nomad/console/*" ], - "webOrigins" : [ "+" ], - "notBefore" : 0, - "bearerOnly" : false, - "consentRequired" : false, - "standardFlowEnabled" : true, - "implicitFlowEnabled" : false, - "directAccessGrantsEnabled" : false, - "serviceAccountsEnabled" : false, - "publicClient" : true, - "frontchannelLogout" : false, - "protocol" : "openid-connect", - "attributes" : { - "pkce.code.challenge.method" : "S256" - }, - "authenticationFlowBindingOverrides" : { }, - "fullScopeAllowed" : false, - "nodeReRegistrationTimeout" : 0, - "protocolMappers" : [ { - "id" : "5d1f1be8-4a02-402a-9002-a20f20c6f15d", - "name" : "locale", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "locale", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "locale", - "jsonType.label" : "String" - } - } ], - "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], - "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] - } ], - "clientScopes" : [ { - "id" : "fd8c6e0d-e620-4744-9a84-b898dfadc357", - "name" : "address", - "description" : "OpenID Connect built-in scope: address", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${addressScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : "54c44f64-5020-4da6-891e-e344189af038", - "name" : "address", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-address-mapper", - "consentRequired" : false, - "config" : { - "user.attribute.formatted" : "formatted", - "user.attribute.country" : "country", - "user.attribute.postal_code" : "postal_code", - "userinfo.token.claim" : "true", - "user.attribute.street" : "street", - "id.token.claim" : "true", - "user.attribute.region" : "region", - "access.token.claim" : "true", - "user.attribute.locality" : "locality" - } - } ] - }, { - "id" : "d02b9b99-ccfd-461f-8a90-a6c7d3176eec", - "name" : "email", - "description" : "OpenID Connect built-in scope: email", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${emailScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : "9257f22f-da61-4119-8764-7dcedff339ef", - "name" : "email", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "email", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "email", - "jsonType.label" : "String" - } - }, { - "id" : "7329643d-714d-4aaa-bbfd-5f31c08872f3", - "name" : "email verified", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "emailVerified", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "email_verified", - "jsonType.label" : "boolean" - } - } ] - }, { - "id" : "dd239559-a3a6-40a0-9687-1d68c7213dd1", - "name" : "microprofile-jwt", - "description" : "Microprofile - JWT built-in scope", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "false" - }, - "protocolMappers" : [ { - "id" : "bc53433c-52e0-4225-ae35-db79e27a507b", - "name" : "upn", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "username", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "upn", - "jsonType.label" : "String" - } - }, { - "id" : "1205e628-0f87-47da-8df2-b9fbf11957e4", - "name" : "groups", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-realm-role-mapper", - "consentRequired" : false, - "config" : { - "multivalued" : "true", - "userinfo.token.claim" : "true", - "user.attribute" : "foo", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "groups", - "jsonType.label" : "String" - } - } ] - }, { - "id" : "a5874193-2a69-48b0-89ba-cab7f249f212", - "name" : "roles", - "description" : "OpenID Connect scope for add user roles to the access token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${rolesScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : "689f9eec-18fb-4fb0-a617-2eea10df7eac", - "name" : "client roles", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-client-role-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "foo", - "access.token.claim" : "true", - "claim.name" : "resource_access.${client_id}.roles", - "jsonType.label" : "String", - "multivalued" : "true" - } - }, { - "id" : "ee411f23-e314-4c23-8f77-5a053edb5a25", - "name" : "audience resolve", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-audience-resolve-mapper", - "consentRequired" : false, - "config" : { } - }, { - "id" : "73d5f256-f8d5-4116-848e-c4307dc8e573", - "name" : "realm roles", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-realm-role-mapper", - "consentRequired" : false, - "config" : { - "user.attribute" : "foo", - "access.token.claim" : "true", - "claim.name" : "realm_access.roles", - "jsonType.label" : "String", - "multivalued" : "true" - } - } ] - }, { - "id" : "73413190-a001-4eb3-9a43-0f6fd413849c", - "name" : "offline_access", - "description" : "OpenID Connect built-in scope: offline_access", - "protocol" : "openid-connect", - "attributes" : { - "consent.screen.text" : "${offlineAccessScopeConsentText}", - "display.on.consent.screen" : "true" - } - }, { - "id" : "3d836e4c-d83a-4b05-9ccc-56bfb9544383", - "name" : "phone", - "description" : "OpenID Connect built-in scope: phone", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${phoneScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : "f94762eb-6f8d-42b7-83c9-8d778751e560", - "name" : "phone number verified", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "phoneNumberVerified", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "phone_number_verified", - "jsonType.label" : "boolean" - } - }, { - "id" : "3da6e0c1-02d5-45a9-a47e-b2d15232abcb", - "name" : "phone number", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "phoneNumber", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "phone_number", - "jsonType.label" : "String" - } - } ] - }, { - "id" : "0d3e896b-116f-4ee7-ac89-c23ea9191406", - "name" : "profile", - "description" : "OpenID Connect built-in scope: profile", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "display.on.consent.screen" : "true", - "consent.screen.text" : "${profileScopeConsentText}" - }, - "protocolMappers" : [ { - "id" : "58901944-aa7c-40e2-b7a4-81bed8fd50a2", - "name" : "family name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "lastName", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "family_name", - "jsonType.label" : "String" - } - }, { - "id" : "d4df7357-888f-4019-9eaf-411ad1ae042a", - "name" : "profile", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "profile", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "profile", - "jsonType.label" : "String" - } - }, { - "id" : "0e9ecf9d-2356-48c2-b736-a413d46fa443", - "name" : "gender", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "gender", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "gender", - "jsonType.label" : "String" - } - }, { - "id" : "9e632492-75d5-43e4-83e7-7f9c8a7d9bd3", - "name" : "nickname", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "nickname", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "nickname", - "jsonType.label" : "String" - } - }, { - "id" : "bd7dca9d-a7a2-4313-b4fc-5d0451e28da3", - "name" : "website", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "website", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "website", - "jsonType.label" : "String" - } - }, { - "id" : "686e761f-5a37-4708-847c-061323c1a4b4", - "name" : "birthdate", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "birthdate", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "birthdate", - "jsonType.label" : "String" - } - }, { - "id" : "b564b19d-afce-4123-864d-7080a1c9928a", - "name" : "locale", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "locale", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "locale", - "jsonType.label" : "String" - } - }, { - "id" : "5c39a140-1cf6-4d1a-a17d-d361e8845501", - "name" : "middle name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "middleName", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "middle_name", - "jsonType.label" : "String" - } - }, { - "id" : "448471b7-4284-4a1f-8e96-2eceb5d2d8ef", - "name" : "username", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "username", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "preferred_username", - "jsonType.label" : "String" - } - }, { - "id" : "bc299c67-c323-4b73-b3ca-59c6a2476c33", - "name" : "zoneinfo", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "zoneinfo", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "zoneinfo", - "jsonType.label" : "String" - } - }, { - "id" : "1599a6cc-43eb-4c5e-bb02-3777941e5599", - "name" : "given name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "firstName", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "given_name", - "jsonType.label" : "String" - } - }, { - "id" : "f2b41acd-2b8a-42d2-aa86-27d4e6a6601e", - "name" : "updated at", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "updatedAt", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "updated_at", - "jsonType.label" : "String" - } - }, { - "id" : "d8da144c-ade1-440e-b29c-1bdb3e6fe2a8", - "name" : "picture", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "userinfo.token.claim" : "true", - "user.attribute" : "picture", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "picture", - "jsonType.label" : "String" - } - }, { - "id" : "1e58faf4-9a17-4e1f-9c10-2227a1654ca1", - "name" : "full name", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-full-name-mapper", - "consentRequired" : false, - "config" : { - "id.token.claim" : "true", - "access.token.claim" : "true", - "userinfo.token.claim" : "true" - } - } ] - }, { - "id" : "195f8258-092b-4496-a424-ba0cbe29b07a", - "name" : "role_list", - "description" : "SAML role list", - "protocol" : "saml", - "attributes" : { - "consent.screen.text" : "${samlRoleListScopeConsentText}", - "display.on.consent.screen" : "true" - }, - "protocolMappers" : [ { - "id" : "9ac33624-3e70-4811-9690-02ab7f9df11c", - "name" : "role list", - "protocol" : "saml", - "protocolMapper" : "saml-role-list-mapper", - "consentRequired" : false, - "config" : { - "single" : "false", - "attribute.nameformat" : "Basic", - "attribute.name" : "Role" - } - } ] - }, { - "id" : "a7ffc72d-abf3-4ff2-8e30-138dbbf69daf", - "name" : "web-origins", - "description" : "OpenID Connect scope for add allowed web origins to the access token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "display.on.consent.screen" : "false", - "consent.screen.text" : "" - }, - "protocolMappers" : [ { - "id" : "96fda695-d0c9-4c4d-8d10-d743db823171", - "name" : "allowed web origins", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-allowed-origins-mapper", - "consentRequired" : false, - "config" : { } - } ] - } ], - "defaultDefaultClientScopes" : [ "profile", "role_list", "roles", "web-origins", "email" ], - "defaultOptionalClientScopes" : [ "phone", "offline_access", "microprofile-jwt", "address" ], - "browserSecurityHeaders" : { - "contentSecurityPolicyReportOnly" : "", - "xContentTypeOptions" : "nosniff", - "xRobotsTag" : "none", - "xFrameOptions" : "SAMEORIGIN", - "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection" : "1; mode=block", - "strictTransportSecurity" : "max-age=31536000; includeSubDomains" - }, - "smtpServer" : { }, - "eventsEnabled" : false, - "eventsListeners" : [ "jboss-logging" ], - "enabledEventTypes" : [ ], - "adminEventsEnabled" : false, - "adminEventsDetailsEnabled" : false, - "identityProviders" : [ ], - "identityProviderMappers" : [ ], - "components" : { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { - "id" : "1362d370-b308-44da-aafe-bd5b8596374f", - "name" : "Trusted Hosts", - "providerId" : "trusted-hosts", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { - "host-sending-registration-request-must-match" : [ "true" ], - "client-uris-must-match" : [ "true" ] - } - }, { - "id" : "178bef49-1704-45ae-8068-a4a0467b9576", - "name" : "Allowed Protocol Mapper Types", - "providerId" : "allowed-protocol-mappers", - "subType" : "authenticated", - "subComponents" : { }, - "config" : { - "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper" ] - } - }, { - "id" : "9f75353a-2e3b-4265-8398-86a7a18fc99b", - "name" : "Allowed Protocol Mapper Types", - "providerId" : "allowed-protocol-mappers", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { - "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper" ] - } - }, { - "id" : "a99d6cf7-b503-43dc-bd5a-67098287083f", - "name" : "Allowed Client Scopes", - "providerId" : "allowed-client-templates", - "subType" : "authenticated", - "subComponents" : { }, - "config" : { - "allow-default-scopes" : [ "true" ] - } - }, { - "id" : "2ef4d127-6000-4f34-8443-70ba9fdb195a", - "name" : "Full Scope Disabled", - "providerId" : "scope", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { } - }, { - "id" : "295701ce-c3a3-4966-a80c-b21e69ce40fb", - "name" : "Allowed Client Scopes", - "providerId" : "allowed-client-templates", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { - "allow-default-scopes" : [ "true" ] - } - }, { - "id" : "c5cc72ca-05b2-450f-bc98-e21fd47f26e5", - "name" : "Max Clients Limit", - "providerId" : "max-clients", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { - "max-clients" : [ "200" ] - } - }, { - "id" : "0501e34c-7022-4704-b684-13b421062bf5", - "name" : "Consent Required", - "providerId" : "consent-required", - "subType" : "anonymous", - "subComponents" : { }, - "config" : { } - } ], - "org.keycloak.keys.KeyProvider" : [ { - "id" : "cdce0855-bfac-4c2e-92d3-acb5b5561db9", - "name" : "hmac-generated", - "providerId" : "hmac-generated", - "subComponents" : { }, - "config" : { - "kid" : [ "2bfa7e0f-7b48-4021-aff1-f1c5f933e4d2" ], - "secret" : [ "zuA4826GqP_ewqBcuDSYPtuvLc2Yv7G_j4B3FcFoKuk_LThre6YWEr0joJSDMewtAFcLwY81_WUekf8OoGHwfA" ], - "priority" : [ "100" ], - "algorithm" : [ "HS256" ] - } - }, { - "id" : "8dfe077a-7cdd-4bd7-b057-6dca64b00fc8", - "name" : "rsa-generated", - "providerId" : "rsa-generated", - "subComponents" : { }, - "config" : { - "privateKey" : [ "MIIEowIBAAKCAQEAjXiq7B4BtXCfyh3o+DJ7JjXDbTk1unIqUCrFV/ojjPUw70dfZ3oUoqiW1mcyXg0dlElCbgReZzKQf93MTyzkxapHJyHSEjppxafIkmYh9LS8WEHiGjuzDz2Gp0ITrl7OzBhtU3JYXnZbcmhiGh6V6FmCCX6vp2jAZmmcJmGD7EW26Rk6LkYQovPHYNzFCvst212mPpdLjuHhqyv1OcGWqSTWgxsf0jP//Pu5Y3kCSWut8aDvI/3rHHvk821MHTSWndweVLmgQKGDhLmKkiF0WBLgdl3cd5pDk3FfgUkchyvaZWKO2dW6FrUuciKuAngNdmLo3ZyzACnDrisx49noFwIDAQABAoIBAFOaMJ/SZ74abUNbA5bQ9jexY+jC+z5QQzMW44JHHwUozJ9KtVWILnOlX2YanAg6hfVgibJMQKGJnx0BLMDJTfSF2QCGGweMn38f1Qa29nAO8pLRdFV+XCWwfUeQY+MSwfCYqtq6YwCHvyjQCNFYq8wgQRltVU6AN9sNpCqGTBiuhLGDd0D7Qc6R+PR5ae80wH4SYLgC4lBxEBesK/JY+8L3EDowRhSxdDuFYTSRxk9o+B+/S2oUa4pZqRhMMXQ/qnW7UVC7V9TCIeEgMmiMJWyt2evPV8KEaWzJXcH9WOTYZOThEsnWjOIVYr/klmjrnbNp7I/80jEC0MxGQxLvaskCgYEAyvcgk3KR37rhhEivh9PwLH2UphWg9UtUbyooMGXJRiANyZT710IcsTek/Be9BeCzqxL/m8LUBKp+iMs+JMSr/6XjkLUCX59vXAgpQzr+nPTdX3drkZWzh1w0i9jnKROcnCyBB2QVJAQl+ylbFrtQGIEYzcO1wUZlEJ8lbAo2DpUCgYEAsnAMzoySKfr4i6tuv5tnu55R3N3QvlmUzq0P7xAMjcVtdlNTOtxIB98uFTq9dEYxV2nydMjAJ8YUyiQ/02pSAzmi7uIzqaz39/Bbj2Q1AzTkAuzJdWR5i2Eo6eyyVhyLDCLbRzsZZoW3tS0dS2ypRy/RM686E9PzXhe78x74LPsCgYAver4pH/0V7F7DFknRqXeewMXcUGT13OhklOUP5U+/UtJG3M5JHdMeddjnjBoQ3O7Kz0fyRRJaARRWpczkxwlBZaoleOKUQfTH/7S/YHadev6qTYJhbTaxLJWyPUxeJJNXSWXpt7TmVv4XkiYX3Duxb8nAoM7M5s3PpJsZeg4JPQKBgA6rf6ILlIi3BXAWLAi8sg6OuZQ6+Ept+vny6HhzDVUqghFUUGdqbNGY26ULK0A/9RaGs1Q+nO2oL1VfHZA4EX4KYwbYuf6dJdXQgPaM+n7E/mnvJbDtDcETv9VbjF3gAt6Ajx6QEUqIe839Y4cr687ac4yYP2IZ7swxj1YxmZ25AoGBALlyVn1DWAia3JekmcQhkPOOPEhLo9qHhdU5Bt8ZUQUXmiQGShw+2g6LjwEvXts09s2ElZCykvWuz/mYPRZAhNsikszqfQrdsZydfDc1BrwABgkjjZeVuCLDyLD9cV6oJiTSYLoaIDPpnxTWSawcduMZDrVYtC2BuOPAeQVSH/ME" ], - "certificate" : [ "MIICmTCCAYECBgF/QSDAnTANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVub21hZDAeFw0yMjAyMjgxNjE3MTlaFw0zMjAyMjgxNjE4NTlaMBAxDjAMBgNVBAMMBW5vbWFkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjXiq7B4BtXCfyh3o+DJ7JjXDbTk1unIqUCrFV/ojjPUw70dfZ3oUoqiW1mcyXg0dlElCbgReZzKQf93MTyzkxapHJyHSEjppxafIkmYh9LS8WEHiGjuzDz2Gp0ITrl7OzBhtU3JYXnZbcmhiGh6V6FmCCX6vp2jAZmmcJmGD7EW26Rk6LkYQovPHYNzFCvst212mPpdLjuHhqyv1OcGWqSTWgxsf0jP//Pu5Y3kCSWut8aDvI/3rHHvk821MHTSWndweVLmgQKGDhLmKkiF0WBLgdl3cd5pDk3FfgUkchyvaZWKO2dW6FrUuciKuAngNdmLo3ZyzACnDrisx49noFwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAjCDiS5p59kOKonyNsBKMBu+QNrvmtQP1oZ38pjErd9KorJOXg3fDp2at0nnwb/XhhHGDlptDZz3HjFZNy0ZEZZFvLshsOT8hrXUMaFe7lVChjCNuRbRRiDC0OzmDIxpVb7hytLhsn5Z7Ib9V0+itbifi0nE2i/DOZDyat1HbzhTV3bNWA1u4mQfLDAN7Rw2Cek/Iej/lTEjkyQ2HL6Bb04Xqdbf+Hyg4Juk2w05ndGYfQ9egMu/YjeqnEstGU5N3gL6wte6LnlRj5JHm6synYZIESIv6E2bI4z5uCBrnxw8R0LuavEZgQecmZWLVFkKfF//RSQHiyx7LzYDsPMMJg" ], - "priority" : [ "100" ] - } - }, { - "id" : "d1a2ce66-0873-40b3-a242-d9205bd573ba", - "name" : "rsa-enc-generated", - "providerId" : "rsa-enc-generated", - "subComponents" : { }, - "config" : { - "privateKey" : [ "MIIEpAIBAAKCAQEApEVFqx8g1GFfYXcXY2Cx0cSEwelAjFAQG2qrbYJ9c+5Rjvilylb8JWXMB3J68uupSBXdULtHeTTsVHU5BGmx+SQauN01nT427HVB3uKd9LlK3xEIHZoYBnzq8p6maumCpPM+ULI3jmtFutCSfalIN80NW3+KVsAF9Va0CXhrhA62bZYaeZ28CN2/XTpZbCfVtfePggA28G9ooIe6O2V3Qb05M83gxBA7ySgkX6UEnc2x3L4nMN9kEzu7OpBM9wPSnQtaSCLIy+qrKzY3iAgieb6eC17MmvJXpJD9X/hnDJ5FmOAI7EtEBT29hYPkOuwlwIo1kTBwLaf6PZGIgOVJDQIDAQABAoIBAFfhq2zp4VFdqn5lDQEgeOElRnTLCbpHFubkAUQ73EvKQp2/TkrakFidhjKxvy74fn7PG7CWEJ26f3iLoe5HcWw9MYKW7Zjq8M09yfiouiJzgqel3/aeOp419CfKUnO96yO98iePwIMTxqEz9jr99mHL9IpvyB2y6z0enoC2iKaDrLeJjtveLRI94ZvhCY0vzU3qUSRLn11R54U+yko6Pw2WaqloskuauUz3EtEXsHG6TyYwxwDSL+nrMokgn+8imj9ZVRCnVcYSdmuDc3xVJ6siMkiVcfeqBrskSaDN+ib45SK/AjWJbRoQKhOgY4IBuoqWEyW9NKiYbFEe0VM4KGECgYEA+iRddfBrBEz+ogVKNNs9MWo6bhLy6AWz27/JkkgWPGW9/TBx4cg76ZWAkNFBXhE7YxWfNoS3XjZXof2Arkc962O3IkK1PLZMQE3SqiitqeHoNz6Gw8TkiT2RhF87pHSbt1Ik+VXd4z6J5TYwDCZbue3GOZFRX3gTlsM/JuSx4FUCgYEAqB4YoxgrciADReXrYumXaF+/cd0CBcUzXN56H56FFYyy2dorLDM4CCqN2sY/8wen3OJqJRBppNqCiCWXtpQ+BLU/L/P9JrMGLSM40PMysTFU9rkLRdjhMrl7yI1+Df11H66jXh6EMrMjwyMKR6UxFKmLM7vRd4RHZs2pK/NindkCgYEAmVI03xdv4QD4ioLHi0Jeba15BwMiVEk6hxU1Di6VQovyOgC5rPS4lGIInbtFX80cI42bOyV554tTh30EpM4SC/fgxmUxBXePoVKSL64jVB+d4E6498H1epF8YjClNBYtY947v4B8Ms+gYhgmtyvDyWEOwTZrNCM7jos6aDKBPMkCgYAmrl4O0JXWeWUnZQJmzMZIfpdG9Intl/T8bjf9JHUMg0X3eAos7k/7GQdwieLW4TEPUo0HoCIeiyQzfSrOGIe4f5ddSi86A0Dti8gb04kbWfVpmyPr2z3ddO31NBEH2QRk2MK/+heCrtMQp/RKjcigL25W5eUJMcdX8QP2l9Zd6QKBgQDZguHPF4QNIeTREiE3EUnjonahhX+lIk9vaH5LjPblsNqAyt2R6W4WkKfdUBG9wQDw2gc5NdbXA6vwpDZixNPivJFlnQc86ZsGc+S+OdMv+sZDUPWqcHHQW2ZZxNC/G/hiL5yRerN4qy1B0NRjTireUf35/F3UJW3eEAxT+YKgCw==" ], - "certificate" : [ "MIICmTCCAYECBgF/QSDBBTANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVub21hZDAeFw0yMjAyMjgxNjE3MTlaFw0zMjAyMjgxNjE4NTlaMBAxDjAMBgNVBAMMBW5vbWFkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEVFqx8g1GFfYXcXY2Cx0cSEwelAjFAQG2qrbYJ9c+5Rjvilylb8JWXMB3J68uupSBXdULtHeTTsVHU5BGmx+SQauN01nT427HVB3uKd9LlK3xEIHZoYBnzq8p6maumCpPM+ULI3jmtFutCSfalIN80NW3+KVsAF9Va0CXhrhA62bZYaeZ28CN2/XTpZbCfVtfePggA28G9ooIe6O2V3Qb05M83gxBA7ySgkX6UEnc2x3L4nMN9kEzu7OpBM9wPSnQtaSCLIy+qrKzY3iAgieb6eC17MmvJXpJD9X/hnDJ5FmOAI7EtEBT29hYPkOuwlwIo1kTBwLaf6PZGIgOVJDQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBXsiFpxSgZuinNZi+WFcrx9bAwwNeWm99xsvKMn0H6CaKzkI8g8rWE+6MYtPDRTEJS/pyF/ciDxuoj7clJRmkztic1lSXQDEsCvp6tOxJbB0Al7TqXWXvA7cIwcVVwexAacDMS8HGkaHljZQFLpcGqFChVAPClo1hasTzBJFqvmEH+wduE3WFVXnt09Svssm5Qffq5Zhbe6QjwPwQ6t5DnMfv1r9qexInbehJraW7yzSWNAxzgWJ+g1jTfwjU2aPhcs46AbY1Z+tlFkoGPbn3BjY9QKP9tDxOSGD6zWUhjUb6Sq3kpC2KBKRq5ct1U+Cj5ZtQAEIF9rJBBZH7o2jhb" ], - "priority" : [ "100" ], - "algorithm" : [ "RSA-OAEP" ] - } - }, { - "id" : "13eb673f-c2aa-4fac-abda-a198ef88d2ab", - "name" : "aes-generated", - "providerId" : "aes-generated", - "subComponents" : { }, - "config" : { - "kid" : [ "ca6841b9-fd34-4871-b891-7a6b90cf91f9" ], - "secret" : [ "0zDqA_iJFKXPulZT-0Sc1A" ], - "priority" : [ "100" ] - } - } ] - }, - "internationalizationEnabled" : false, - "supportedLocales" : [ ], - "authenticationFlows" : [ { - "id" : "84a1df97-5c7e-49af-a0fa-b09d9fa11a61", - "alias" : "Account verification options", - "description" : "Method with which to verity the existing account", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "idp-email-verification", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "ALTERNATIVE", - "priority" : 20, - "flowAlias" : "Verify Existing Account by Re-authentication", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "b68325e8-161c-4f73-acdc-a5f1f85c4c5a", - "alias" : "Authentication Options", - "description" : "Authentication options.", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "basic-auth", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "basic-auth-otp", - "authenticatorFlow" : false, - "requirement" : "DISABLED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "auth-spnego", - "authenticatorFlow" : false, - "requirement" : "DISABLED", - "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "04aa1aff-cb73-43a0-95a0-e80c7016cc9a", - "alias" : "Browser - Conditional OTP", - "description" : "Flow to determine if the OTP is required for the authentication", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "auth-otp-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "1404fe20-c960-474a-a336-32fbc15c1c8e", - "alias" : "Direct Grant - Conditional OTP", - "description" : "Flow to determine if the OTP is required for the authentication", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "direct-grant-validate-otp", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "66724cac-7ae8-4ea0-89f2-122092e9f937", - "alias" : "First broker login - Conditional OTP", - "description" : "Flow to determine if the OTP is required for the authentication", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "auth-otp-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "ac70d6b0-e66e-4e55-bde6-f27e644c79d4", - "alias" : "Handle Existing Account", - "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "idp-confirm-link", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "REQUIRED", - "priority" : 20, - "flowAlias" : "Account verification options", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "eee7ba09-70c4-45f8-8e82-12ac52583845", - "alias" : "Reset - Conditional OTP", - "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "conditional-user-configured", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "reset-otp", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "e656fb93-625e-475a-957c-7e2f09ed13b2", - "alias" : "User creation or linking", - "description" : "Flow for the existing/non-existing user alternatives", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticatorConfig" : "create unique user config", - "authenticator" : "idp-create-user-if-unique", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "ALTERNATIVE", - "priority" : 20, - "flowAlias" : "Handle Existing Account", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "bcf932f5-b991-491f-94fd-21e8f3a2d9e9", - "alias" : "Verify Existing Account by Re-authentication", - "description" : "Reauthentication of existing account", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "idp-username-password-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 20, - "flowAlias" : "First broker login - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "3c27f1b2-4de0-43fb-9dd6-b9cfc7ea261b", - "alias" : "browser", - "description" : "browser based authentication", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "auth-cookie", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "auth-spnego", - "authenticatorFlow" : false, - "requirement" : "DISABLED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "identity-provider-redirector", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 25, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "ALTERNATIVE", - "priority" : 30, - "flowAlias" : "forms", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "698ec8c5-6614-4c49-8a66-aff08c9e4e98", - "alias" : "clients", - "description" : "Base authentication for clients", - "providerId" : "client-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "client-secret", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "client-jwt", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "client-secret-jwt", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "client-x509", - "authenticatorFlow" : false, - "requirement" : "ALTERNATIVE", - "priority" : 40, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "6f4d39fb-87d7-4f90-8fdf-4409e503abcc", - "alias" : "direct grant", - "description" : "OpenID Connect Resource Owner Grant", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "direct-grant-validate-username", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "direct-grant-validate-password", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 30, - "flowAlias" : "Direct Grant - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "c2f6d3b3-9601-4a57-9d08-8b8e8b041c16", - "alias" : "docker auth", - "description" : "Used by Docker clients to authenticate against the IDP", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "docker-http-basic-authenticator", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "4b367e11-18d6-444d-b3f2-82d380db0380", - "alias" : "first broker login", - "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticatorConfig" : "review profile config", - "authenticator" : "idp-review-profile", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "REQUIRED", - "priority" : 20, - "flowAlias" : "User creation or linking", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "9100bd6f-54dd-49cf-8383-3261a225d860", - "alias" : "forms", - "description" : "Username, password, otp and other auth forms.", - "providerId" : "basic-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "auth-username-password-form", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 20, - "flowAlias" : "Browser - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "e4628a1f-7766-45a5-9927-14c97f2453ab", - "alias" : "http challenge", - "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "no-cookie-redirect", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "REQUIRED", - "priority" : 20, - "flowAlias" : "Authentication Options", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "4d2291c7-6419-4e3c-924e-b9fa2126fed4", - "alias" : "registration", - "description" : "registration flow", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "registration-page-form", - "authenticatorFlow" : true, - "requirement" : "REQUIRED", - "priority" : 10, - "flowAlias" : "registration form", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "4c65809b-958a-4896-bc43-fe6a61978ae0", - "alias" : "registration form", - "description" : "registration form", - "providerId" : "form-flow", - "topLevel" : false, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "registration-user-creation", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "registration-profile-action", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 40, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "registration-password-action", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 50, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "registration-recaptcha-action", - "authenticatorFlow" : false, - "requirement" : "DISABLED", - "priority" : 60, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - }, { - "id" : "47ba43c5-7234-45b8-acf7-5ef4e2d17ff1", - "alias" : "reset credentials", - "description" : "Reset credentials for a user if they forgot their password or something", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "reset-credentials-choose-user", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "reset-credential-email", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 20, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticator" : "reset-password", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 30, - "userSetupAllowed" : false, - "autheticatorFlow" : false - }, { - "authenticatorFlow" : true, - "requirement" : "CONDITIONAL", - "priority" : 40, - "flowAlias" : "Reset - Conditional OTP", - "userSetupAllowed" : false, - "autheticatorFlow" : true - } ] - }, { - "id" : "d9d46b17-fef3-44ba-ab2c-cd937b90c59e", - "alias" : "saml ecp", - "description" : "SAML ECP Profile Authentication Flow", - "providerId" : "basic-flow", - "topLevel" : true, - "builtIn" : true, - "authenticationExecutions" : [ { - "authenticator" : "http-basic-authenticator", - "authenticatorFlow" : false, - "requirement" : "REQUIRED", - "priority" : 10, - "userSetupAllowed" : false, - "autheticatorFlow" : false - } ] - } ], - "authenticatorConfig" : [ { - "id" : "2e3a90b3-e860-4d4f-9a4a-bff169e1a185", - "alias" : "create unique user config", - "config" : { - "require.password.update.after.registration" : "false" - } - }, { - "id" : "509b7231-830f-46ca-950f-2f38f4835b81", - "alias" : "review profile config", - "config" : { - "update.profile.on.first.login" : "missing" - } - } ], - "requiredActions" : [ { - "alias" : "CONFIGURE_TOTP", - "name" : "Configure OTP", - "providerId" : "CONFIGURE_TOTP", - "enabled" : true, - "defaultAction" : false, - "priority" : 10, - "config" : { } - }, { - "alias" : "terms_and_conditions", - "name" : "Terms and Conditions", - "providerId" : "terms_and_conditions", - "enabled" : false, - "defaultAction" : false, - "priority" : 20, - "config" : { } - }, { - "alias" : "UPDATE_PASSWORD", - "name" : "Update Password", - "providerId" : "UPDATE_PASSWORD", - "enabled" : true, - "defaultAction" : false, - "priority" : 30, - "config" : { } - }, { - "alias" : "UPDATE_PROFILE", - "name" : "Update Profile", - "providerId" : "UPDATE_PROFILE", - "enabled" : true, - "defaultAction" : false, - "priority" : 40, - "config" : { } - }, { - "alias" : "VERIFY_EMAIL", - "name" : "Verify Email", - "providerId" : "VERIFY_EMAIL", - "enabled" : true, - "defaultAction" : false, - "priority" : 50, - "config" : { } - }, { - "alias" : "delete_account", - "name" : "Delete Account", - "providerId" : "delete_account", - "enabled" : false, - "defaultAction" : false, - "priority" : 60, - "config" : { } - }, { - "alias" : "update_user_locale", - "name" : "Update User Locale", - "providerId" : "update_user_locale", - "enabled" : true, - "defaultAction" : false, - "priority" : 1000, - "config" : { } - } ], - "browserFlow" : "browser", - "registrationFlow" : "registration", - "directGrantFlow" : "direct grant", - "resetCredentialsFlow" : "reset credentials", - "clientAuthenticationFlow" : "clients", - "dockerAuthenticationFlow" : "docker auth", - "attributes" : { - "cibaBackchannelTokenDeliveryMode" : "poll", - "cibaExpiresIn" : "120", - "cibaAuthRequestedUserHint" : "login_hint", - "oauth2DeviceCodeLifespan" : "600", - "clientOfflineSessionMaxLifespan" : "0", - "oauth2DevicePollingInterval" : "5", - "clientSessionIdleTimeout" : "0", - "parRequestUriLifespan" : "60", - "clientSessionMaxLifespan" : "0", - "clientOfflineSessionIdleTimeout" : "0", - "cibaInterval" : "5" - }, - "keycloakVersion" : "16.1.1", - "userManagedAccessAllowed" : false, - "clientProfiles" : { - "profiles" : [ ] - }, - "clientPolicies" : { - "policies" : [ ] - } -} \ No newline at end of file diff --git a/ops/docker-compose/nomad-oasis/.gitignore b/ops/docker-compose/nomad-oasis/.gitignore new file mode 100644 index 0000000000000000000000000000000000000000..2ad6b83594b805d0810f090a912fae2b6b4da61a --- /dev/null +++ b/ops/docker-compose/nomad-oasis/.gitignore @@ -0,0 +1,14 @@ +.volumes/fs/north/*/* +!.volumes/fs/north/*/.empty + +.volumes/fs/public/* +!.volumes/fs/public/.empty + +.volumes/fs/staging/* +!.volumes/fs/staging/.empty + +.volumes/fs/tmp/* +!.volumes/fs/tmp/.empty + +.volumes/mongo/* +!.volumes/mongo/.empty \ No newline at end of file diff --git a/ops/docker-compose/nomad-oasis/.volumes/fs/north/shared/.empty b/ops/docker-compose/nomad-oasis/.volumes/fs/north/shared/.empty new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/ops/docker-compose/nomad-oasis/.volumes/fs/north/users/.empty b/ops/docker-compose/nomad-oasis/.volumes/fs/north/users/.empty new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/ops/docker-compose/nomad-oasis/.volumes/fs/public/.empty b/ops/docker-compose/nomad-oasis/.volumes/fs/public/.empty new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/ops/docker-compose/nomad-oasis/.volumes/fs/staging/.empty b/ops/docker-compose/nomad-oasis/.volumes/fs/staging/.empty new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/ops/docker-compose/nomad-oasis/.volumes/fs/tmp/.empty b/ops/docker-compose/nomad-oasis/.volumes/fs/tmp/.empty new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/ops/docker-compose/nomad-oasis/.volumes/mongo/.empty b/ops/docker-compose/nomad-oasis/.volumes/mongo/.empty new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/ops/docker-compose/nomad-oasis-with-keycloak/docker-compose.yml b/ops/docker-compose/nomad-oasis/docker-compose-with-keycloak.yaml similarity index 96% rename from ops/docker-compose/nomad-oasis-with-keycloak/docker-compose.yml rename to ops/docker-compose/nomad-oasis/docker-compose-with-keycloak.yaml index 587e77f53f2f4295072726437af69b16a5edb54f..d4e9af56c20b75a8dafc5c48ddf51b2b9d60820b 100644 --- a/ops/docker-compose/nomad-oasis-with-keycloak/docker-compose.yml +++ b/ops/docker-compose/nomad-oasis/docker-compose-with-keycloak.yaml @@ -60,7 +60,7 @@ services: # nomad worker (processing) worker: restart: always - image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.0 + image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.1 container_name: nomad_oasis_worker environment: <<: *nomad_backend_env @@ -78,12 +78,13 @@ services: # nomad app (api + gui) app: restart: always - image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.0 + image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.1 container_name: nomad_oasis_app environment: <<: *nomad_backend_env NOMAD_SERVICE: nomad_oasis_app NOMAD_SERVICES_API_PORT: 80 + NOMAD_FS_EXTERNAL_WORKING_DIRECTORY: '$PWD' links: - rabbitmq - elastic @@ -97,7 +98,7 @@ services: # nomad remote tools hub (JupyterHUB, e.g. for AI Toolkit) hub: restart: always - image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.0 + image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.1 container_name: nomad_oasis_hub environment: <<: *nomad_backend_env @@ -107,6 +108,7 @@ services: NOMAD_NORTH_HUB_IP: '0.0.0.0' NOMAD_NORTH_HUB_HOST: 'hub' NOMAD_SERVICES_API_HOST: app + NOMAD_FS_EXTERNAL_WORKING_DIRECTORY: '$PWD' links: - app volumes: @@ -114,7 +116,7 @@ services: - /var/run/docker.sock:/var/run/docker.sock - ./.volumes/fs:/app/.volumes/fs command: python -m nomad.cli admin run hub - user: "1000:991" + user: 1000:991 # nomad gui (a reverse proxy for nomad) gui: diff --git a/ops/docker-compose/nomad-oasis/docker-compose.yaml b/ops/docker-compose/nomad-oasis/docker-compose.yaml index 3519cb71fb36492ede2ad9a3b9aac000106ad7d4..f8d9024c37ad03e6f90c54f3c64e30cc5d3bc59e 100644 --- a/ops/docker-compose/nomad-oasis/docker-compose.yaml +++ b/ops/docker-compose/nomad-oasis/docker-compose.yaml @@ -46,7 +46,7 @@ services: # nomad worker (processing) worker: restart: always - image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.0 + image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.1 container_name: nomad_oasis_worker environment: <<: *nomad_backend_env @@ -63,12 +63,13 @@ services: # nomad app (api + gui) app: restart: always - image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.0 + image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.1 container_name: nomad_oasis_app environment: <<: *nomad_backend_env NOMAD_SERVICE: nomad_oasis_app NOMAD_SERVICES_API_PORT: 80 + NOMAD_FS_EXTERNAL_WORKING_DIRECTORY: '$PWD' links: - rabbitmq - elastic @@ -81,24 +82,26 @@ services: # nomad remote tools hub (JupyterHUB, e.g. for AI Toolkit) hub: restart: always - image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.0 + image: gitlab-registry.mpcdf.mpg.de/nomad-lab/nomad-fair:v1.1.1 container_name: nomad_oasis_hub environment: <<: *nomad_backend_env NOMAD_SERVICE: nomad_oasis_hub - NOMAD_NORTH_DOCKER_NETWORK: nomad_oasis_network + NOMAD_NORTH_DOCKER_NETWORK: nomad_oasis_north_network NOMAD_NORTH_HUB_IP_CONNECT: hub NOMAD_NORTH_HUB_IP: '0.0.0.0' NOMAD_NORTH_HUB_HOST: 'hub' NOMAD_SERVICES_API_HOST: app + NOMAD_FS_EXTERNAL_WORKING_DIRECTORY: '$PWD' links: - app volumes: - ./nomad.yaml:/app/nomad.yaml - /var/run/docker.sock:/var/run/docker.sock - ./.volumes/fs:/app/.volumes/fs + networks: ['defautl', 'north'] command: python -m nomad.cli admin run hub - user: "1000:991" + user: 1000:991 # nomad gui (a reverse proxy for nomad) gui: @@ -122,4 +125,6 @@ volumes: networks: default: - name: nomad_oasis_network \ No newline at end of file + name: nomad_oasis_network + north: + name: nomad_oasis_north_network diff --git a/ops/docker-compose/nomad-oasis-with-keycloak/nginx.conf b/ops/docker-compose/nomad-oasis/nginx-with-keycloak.conf similarity index 100% rename from ops/docker-compose/nomad-oasis-with-keycloak/nginx.conf rename to ops/docker-compose/nomad-oasis/nginx-with-keycloak.conf diff --git a/ops/docker-compose/nomad-oasis/nginx.conf b/ops/docker-compose/nomad-oasis/nginx.conf index 6b321a1bff0ba2357e3e0b7bbfb948ddf2d2ac24..407acc03e897cad56a7b25c74adfee108de12f9f 100644 --- a/ops/docker-compose/nomad-oasis/nginx.conf +++ b/ops/docker-compose/nomad-oasis/nginx.conf @@ -47,7 +47,7 @@ server { proxy_pass http://app:8000; } - location ~ /hub/ { + location ~ /north/ { proxy_pass http://hub:9000; proxy_set_header X-Real-IP $remote_addr; @@ -62,4 +62,4 @@ server { proxy_buffering off; } -} \ No newline at end of file +} diff --git a/ops/docker-compose/nomad-oasis-with-keycloak/nomad.yaml b/ops/docker-compose/nomad-oasis/nomad-with-keycloak.yaml similarity index 95% rename from ops/docker-compose/nomad-oasis-with-keycloak/nomad.yaml rename to ops/docker-compose/nomad-oasis/nomad-with-keycloak.yaml index e99d50eae4dfef5ea2c2e50994389781e4f38b94..b4ea0040176aabbc37997b70b15f840531da65b7 100644 --- a/ops/docker-compose/nomad-oasis-with-keycloak/nomad.yaml +++ b/ops/docker-compose/nomad-oasis/nomad-with-keycloak.yaml @@ -8,6 +8,7 @@ oasis: north: jupyterhub_crypt_key: '978bfb2e13a8448a253c629d8dd84ff89587f30e635b753153960930cad9d36d' + hub_ip_connect: '172.17.0.1' keycloak: server_url: 'http://keycloak:8080/auth/' diff --git a/ops/docker-compose/nomad-oasis/nomad.yaml b/ops/docker-compose/nomad-oasis/nomad.yaml index 27cc366f2ab55674aab085b6a572a1532651ab80..02156b446a22bb26c2b500008136682a5fd8232c 100644 --- a/ops/docker-compose/nomad-oasis/nomad.yaml +++ b/ops/docker-compose/nomad-oasis/nomad.yaml @@ -16,8 +16,8 @@ meta: maintainer_email: 'me@my-oasis.org' mongo: - db_name: nomad_v1 + db_name: nomad_oasis_v1 elastic: - entries_index: nomad_v1_entries - materials_index: nomad_v1_materials \ No newline at end of file + entries_index: nomad_oasis_entries_v1 + materials_index: nomad_oasis_materials_v1 \ No newline at end of file