From 047605a28242cf4564fb7b3107230dc85a8f1ce2 Mon Sep 17 00:00:00 2001 From: jasquat Date: Mon, 13 Feb 2023 16:04:57 -0500 Subject: [PATCH] updated add test users script to use realm admin w/ burnettk --- .../keycloak/bin/add_test_users_to_keycloak | 16 ++--- .../realm_exports/spiffworkflow-realm.json | 61 +++++++++++-------- 2 files changed, 42 insertions(+), 35 deletions(-) diff --git a/spiffworkflow-backend/keycloak/bin/add_test_users_to_keycloak b/spiffworkflow-backend/keycloak/bin/add_test_users_to_keycloak index 66c5b137..4ffc008c 100755 --- a/spiffworkflow-backend/keycloak/bin/add_test_users_to_keycloak +++ b/spiffworkflow-backend/keycloak/bin/add_test_users_to_keycloak @@ -21,7 +21,7 @@ if [[ -z "${1:-}" ]]; then fi KEYCLOAK_BASE_URL=http://localhost:7002 -REALM_NAME=master +REALM_NAME="$keycloak_realm" ADMIN_USERNAME="admin" ADMIN_PASSWORD="admin" SECURE=false @@ -58,7 +58,7 @@ function add_user() { data="${data}}" local http_code - http_code=$(curl --silent -o /dev/null -w '%{http_code}' --location --request POST "http://localhost:7002/admin/realms/${keycloak_realm}/users" \ + http_code=$(curl --silent -o /dev/null -w '%{http_code}' --location --request POST "${KEYCLOAK_BASE_URL}/admin/realms/${keycloak_realm}/users" \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $backend_token" \ --data-raw "$data") @@ -85,7 +85,7 @@ while read -r input_line; do http_code=$(add_user "$user_email" "$username" "$user_attribute_one") if [[ "$http_code" == "409" ]]; then - user_info=$(curl --fail --silent --location --request GET "http://localhost:7002/admin/realms/${keycloak_realm}/users?username=${username}&exact=true" \ + user_info=$(curl --fail --silent --location --request GET "${KEYCLOAK_BASE_URL}/admin/realms/${keycloak_realm}/users?username=${username}&exact=true" \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $backend_token") 
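Review bot: `ADMIN_USERNAME="admin"` and `ADMIN_PASSWORD="admin"` directly below the changed `REALM_NAME` line stay hardcoded, and now that `REALM_NAME` is `$keycloak_realm` instead of `master` this pair is the login for the account the realm export grants `realm-admin` to. For a localhost fixture that is workable, but it should at least be overridable so the same script can seed a non-default instance without editing it: `ADMIN_USERNAME="${ADMIN_USERNAME:-admin}"` and `ADMIN_PASSWORD="${ADMIN_PASSWORD:-admin}"`. `SECURE=false` and `KEYCLOAK_BASE_URL=http://localhost:7002` would benefit from the same treatment, since the later hunks now route every request through `KEYCLOAK_BASE_URL`.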
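Review bot: The POST body sent on the changed line is still assembled by string concatenation (`data="${data}}"` two lines above), so a `user_email`, `username` or attribute value containing `"` or `\` yields malformed JSON rather than an escaped string, and the only symptom is a non-201 code reported by the caller. The values come from the input file read by the loop further down, so for fixture data this is a robustness gap rather than an exposure, but it is worth either a comment above `data=` stating that values must not contain quotes or backslashes, or building the body with `jq -n --arg` if `jq` is available in this environment. `add_user` begins above the hunk.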
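Review bot: `${username}` is interpolated into the query string of the changed GET unencoded, so a username containing `&`, `#`, `%`, `+` or a space alters the query instead of matching the user, and the 409 branch then ends in the `Could not find user_id` error from the next hunk. curl can encode it: `curl --fail --silent --location -G "${KEYCLOAK_BASE_URL}/admin/realms/${keycloak_realm}/users" --data-urlencode "username=${username}" --data-urlencode "exact=true" \`. `${keycloak_realm}` is spliced into every changed URL the same way, though it comes from the script argument rather than the input file. The `while read` loop enclosing this starts above the hunk.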
@@ -94,15 +94,15 @@ while read -r input_line; do >&2 echo "ERROR: Could not find user_id for user: ${user_email}" exit 1 fi - curl --fail --location --silent --request DELETE "http://localhost:7002/admin/realms/${keycloak_realm}/users/${user_id}" \ + curl --fail --location --silent --request DELETE "${KEYCLOAK_BASE_URL}/admin/realms/${keycloak_realm}/users/${user_id}" \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $backend_token" http_code=$(add_user "$user_email" "$username" "$user_attribute_one") - if [[ "$http_code" != "201" ]]; then - >&2 echo "ERROR: Failed to recreate user: ${user_email} with http_code: ${http_code}" - exit 1 - fi + fi + if [[ "$http_code" != "201" ]]; then + >&2 echo "ERROR: Failed to create user: ${user_email} with http_code: ${http_code}" + exit 1 fi fi fi diff --git a/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json b/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json index a14fc1ed..ddc8eefb 100644 --- a/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json +++ b/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json @@ -396,7 +396,7 @@ "otpPolicyLookAheadWindow" : 1, "otpPolicyPeriod" : 30, "otpPolicyCodeReusable" : false, - "otpSupportedApplications" : [ "totpAppGoogleName", "totpAppFreeOTPName" ], + "otpSupportedApplications" : [ "totpAppFreeOTPName", "totpAppGoogleName" ], "webAuthnPolicyRpEntityName" : "keycloak", "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], "webAuthnPolicyRpId" : "", @@ -435,6 +435,9 @@ "disableableCredentialTypes" : [ ], "requiredActions" : [ ], "realmRoles" : [ "default-roles-spiffworkflow" ], + "clientRoles" : { + "realm-management" : [ "realm-admin" ] + }, "notBefore" : 0, "groups" : [ ] }, { 
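Review bot: Most of this file's diff is re-export churn rather than a change: the `otpSupportedApplications` reordering here, the two reordered `allowed-protocol-mapper-types` arrays, every regenerated `id` from the `Account verification options` flow through `review profile config`, and the dropped trailing newline at the end of the file. Only the `clientRoles` grant and the `admin-cli` `enabled` flip carry meaning, and they are easy to miss among roughly sixty changed lines. Consider committing re-export noise separately, or stating in the commit message that the realm was re-created and re-exported, so that a later reader auditing who holds `realm-admin` can find the relevant hunk quickly.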
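Review bot: The added `clientRoles` block grants `realm-admin` on `realm-management`, which is Keycloak's composite role carrying every administrative permission within the realm (users, clients, roles, sessions, identity providers), so the user this entry belongs to (its `username` is above the hunk) becomes a full realm administrator. Scoping the script's token to a realm-level admin instead of the `master` realm is the right direction, since compromise of this account no longer reaches other realms. If the grant exists only for this script, the narrower `"realm-management" : [ "manage-users" ]` should cover the create, query and delete calls it makes, and leaves `realm-admin` for accounts that genuinely need the admin console. Since the export is presumably imported as-is and the script logs in with the fixed `admin`/`admin` pair, a short note in the script header or next to the export that this user exists for test seeding only would make the exposure explicit for anyone deploying beyond localhost.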
@@ -1798,8 +1801,12 @@
 "id" : "02fa6179-9399-4bb1-970f-c4d8e8b5f99f",
 "clientId" : "admin-cli",
 "name" : "${client_admin-cli}",
+ "description" : "",
+ "rootUrl" : "",
+ "adminUrl" : "",
+ "baseUrl" : "",
 "surrogateAuthRequired" : false,
- "enabled" : false,
+ "enabled" : true,
 "alwaysDisplayInConsole" : false,
 "clientAuthenticatorType" : "client-secret",
 "redirectUris" : [ ],
@@ -2961,7 +2968,7 @@
 "subType" : "authenticated",
 "subComponents" : { },
 "config" : {
- "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-role-list-mapper" ]
+ "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-role-list-mapper" ]
 }
 }, {
 "id" : "d68e938d-dde6-47d9-bdc8-8e8523eb08cd",
@@ -2979,7 +2986,7 @@
 "subType" : "anonymous",
 "subComponents" : { },
 "config" : {
- "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper" ]
+ "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper" ]
 }
 }, {
 "id" : "3854361d-3fe5-47fb-9417-a99592e3dc5c",
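Review bot: `"enabled" : true` on `admin-cli` is what lets the script log into the spiffworkflow realm, but it also reopens that client for every user of the realm: `admin-cli` is by convention a public client with direct access grants, and both settings sit below the hunk, so confirm `publicClient` and `directAccessGrantsEnabled` are what you intend before this export is imported anywhere shared. Tokens issued through it carry only the caller's own roles, so the real exposure is the `realm-admin` user whose password is fixed in the script. The four empty `description`/`rootUrl`/`adminUrl`/`baseUrl` strings are export noise; the file would be easier to audit if they were omitted, but they are harmless. A one-line comment in the script header explaining that `admin-cli` must stay enabled in this realm would stop someone from switching it back off as hardening.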
@@ -3069,7 +3076,7 @@
 "internationalizationEnabled" : false,
 "supportedLocales" : [ ],
 "authenticationFlows" : [ {
- "id" : "80c60556-1d2b-4d69-af80-39c2bc4a1a49",
+ "id" : "b575ba3a-ceeb-4fcc-8921-906f534107e1",
 "alias" : "Account verification options",
 "description" : "Method with which to verity the existing account",
 "providerId" : "basic-flow",
@@ -3091,7 +3098,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "430cf235-23ab-46ae-8499-3e9417c400b2",
+ "id" : "2c8efabb-b397-4bb5-9c62-c7528d755e29",
 "alias" : "Authentication Options",
 "description" : "Authentication options.",
 "providerId" : "basic-flow",
@@ -3120,7 +3127,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "d03d94a0-9c3f-4df5-9a46-50a923165916",
+ "id" : "7838ba09-a8a1-4478-bacb-c20abaff7d05",
 "alias" : "Browser - Conditional OTP",
 "description" : "Flow to determine if the OTP is required for the authentication",
 "providerId" : "basic-flow",
@@ -3142,7 +3149,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "36f2dd83-b6e2-41ac-a526-1267b894dadb",
+ "id" : "be4254ab-bdb7-4cca-8fa4-14956f460620",
 "alias" : "Direct Grant - Conditional OTP",
 "description" : "Flow to determine if the OTP is required for the authentication",
 "providerId" : "basic-flow",
@@ -3164,7 +3171,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "b8769ec8-24a4-4461-b4c6-0b4d61cb4ead",
+ "id" : "3dc1581f-38dc-48d1-9e73-7aa45b38eae8",
 "alias" : "First broker login - Conditional OTP",
 "description" : "Flow to determine if the OTP is required for the authentication",
 "providerId" : "basic-flow",
@@ -3186,7 +3193,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "f15826a5-dace-412d-8b13-1f2d15ef8a46",
+ "id" : "8b280bec-2423-4590-bc28-8873e4f9c2e8",
 "alias" : "Handle Existing Account",
 "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
 "providerId" : "basic-flow",
@@ -3208,7 +3215,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "9800c5d4-8dba-48e4-ad02-def5120cee28",
+ "id" : "8bc16848-7275-42a7-aaa4-30693d379600",
 "alias" : "Reset - Conditional OTP",
 "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
 "providerId" : "basic-flow",
@@ -3230,7 +3237,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "24774f23-171d-4b2a-88d4-b59b38a69fc9",
+ "id" : "727a7c7e-aceb-420a-be17-7e1aa1a19ef0",
 "alias" : "User creation or linking",
 "description" : "Flow for the existing/non-existing user alternatives",
 "providerId" : "basic-flow",
@@ -3253,7 +3260,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "55bc01fe-1c83-479b-a8e0-32b6e30fb531",
+ "id" : "db654134-730a-4e50-841e-5ff9e206625f",
 "alias" : "Verify Existing Account by Re-authentication",
 "description" : "Reauthentication of existing account",
 "providerId" : "basic-flow",
@@ -3275,7 +3282,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "04ab7db8-c926-4382-a1a9-039a78f01cb3",
+ "id" : "06ced0a0-aec5-43dd-8b39-7d7ea7a5faf8",
 "alias" : "browser",
 "description" : "browser based authentication",
 "providerId" : "basic-flow",
@@ -3311,7 +3318,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "8533324e-2594-416e-a5a2-33ab83cfdf4c",
+ "id" : "0f8f80e3-56eb-49a1-8b7d-e22242699b78",
 "alias" : "clients",
 "description" : "Base authentication for clients",
 "providerId" : "client-flow",
@@ -3347,7 +3354,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "07928194-2bb8-483c-8da8-5d1c64819a16",
+ "id" : "a67ef3ee-332a-4f40-b2dc-69a3d7967808",
 "alias" : "direct grant",
 "description" : "OpenID Connect Resource Owner Grant",
 "providerId" : "basic-flow",
@@ -3376,7 +3383,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "38bfd170-6f72-42ba-98f6-d08c1ed781c4",
+ "id" : "e2e2fffa-81d3-4a4d-adb2-a0154e2f86cd",
 "alias" : "docker auth",
 "description" : "Used by Docker clients to authenticate against the IDP",
 "providerId" : "basic-flow",
@@ -3391,7 +3398,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "fe18c892-5a0e-4359-867c-90db3052e5ee",
+ "id" : "fc418578-3c89-4f68-ad8f-825929669979",
 "alias" : "first broker login",
 "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
 "providerId" : "basic-flow",
@@ -3414,7 +3421,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "2ce40e27-3edd-462c-9d0a-e58e0bed2d1e",
+ "id" : "31a9e34e-c499-4842-a085-a7ea0a4cab78",
 "alias" : "forms",
 "description" : "Username, password, otp and other auth forms.",
 "providerId" : "basic-flow",
@@ -3436,7 +3443,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "6f9a9e83-4201-40c4-9570-f07c66ca3d1d",
+ "id" : "ec66a031-7712-438a-91e7-564736cb3f75",
 "alias" : "http challenge",
 "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
 "providerId" : "basic-flow",
@@ -3458,7 +3465,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "82a9fe84-0f25-44c0-94d2-6675df95761b",
+ "id" : "013a75a6-ae0d-459e-80eb-1681957b769b",
 "alias" : "registration",
 "description" : "registration flow",
 "providerId" : "basic-flow",
@@ -3474,7 +3481,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "c45f33a5-e231-4b44-a4fa-67dbc4e473e9",
+ "id" : "e011c6be-e1d0-4f94-80b1-2e2b2eb61832",
 "alias" : "registration form",
 "description" : "registration form",
 "providerId" : "form-flow",
@@ -3510,7 +3517,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "13ca34b7-bbaf-467e-9dd4-04fe9e009b39",
+ "id" : "4f7c3405-ce05-4799-a001-cb6404c72625",
 "alias" : "reset credentials",
 "description" : "Reset credentials for a user if they forgot their password or something",
 "providerId" : "basic-flow",
@@ -3546,7 +3553,7 @@
 "userSetupAllowed" : false
 } ]
 }, {
- "id" : "c2cc51de-8615-4ca1-820c-41801125fc5f",
+ "id" : "7bde2ab3-96b9-4323-be48-dfae94c84df1",
 "alias" : "saml ecp",
 "description" : "SAML ECP Profile Authentication Flow",
 "providerId" : "basic-flow",
@@ -3562,13 +3569,13 @@
 } ]
 } ],
 "authenticatorConfig" : [ {
- "id" : "bbc91991-c8c4-4a66-adf4-39a072121b93",
+ "id" : "82c6898c-ff7c-442a-9ae1-8e1972634e01",
 "alias" : "create unique user config",
 "config" : {
 "require.password.update.after.registration" : "false"
 }
 }, {
- "id" : "fde095bb-b3d3-49dd-9370-a2937daaedde",
+ "id" : "5cfbdf35-1766-4eb3-a404-3560ae3f4cac",
 "alias" : "review profile config",
 "config" : {
 "update.profile.on.first.login" : "missing"
@@ -3663,4 +3670,4 @@
 "clientPolicies" : {
 "policies" : [ ]
 }
-}
+}
\ No newline at end of file