🔧(project) configure standard OIDC flow in Keycloak

Enforce Authorization Code flow, and disable Implicit flow.

Done:
- Rename client people-front to people
- Add a client secret shared with the backend
- Add allowed redirect uris
- Disable implicit flow and enable Authorization Code flow without PKCE
- Sign userinfo endpoint to return application/jwt content
This commit is contained in:
Lebaud Antoine
2024-02-14 22:35:15 +01:00
committed by aleb_the_flash
parent 63e059a4e6
commit 699854e76b


@@ -335,7 +335,6 @@
], ],
"security-admin-console": [], "security-admin-console": [],
"admin-cli": [], "admin-cli": [],
"people-front": [],
"account-console": [], "account-console": [],
"broker": [ "broker": [
{ {
@@ -348,6 +347,7 @@
"attributes": {} "attributes": {}
} }
], ],
"people": [],
"account": [ "account": [
{ {
"id": "63b1a4e1-a594-4571-99c3-7c5c3efd61ce", "id": "63b1a4e1-a594-4571-99c3-7c5c3efd61ce",
@@ -602,7 +602,9 @@
"publicClient": true, "publicClient": true,
"frontchannelLogout": false, "frontchannelLogout": false,
"protocol": "openid-connect", "protocol": "openid-connect",
"attributes": {}, "attributes": {
"post.logout.redirect.uris": "+"
},
"authenticationFlowBindingOverrides": {}, "authenticationFlowBindingOverrides": {},
"fullScopeAllowed": false, "fullScopeAllowed": false,
"nodeReRegistrationTimeout": 0, "nodeReRegistrationTimeout": 0,
@@ -640,7 +642,9 @@
"publicClient": false, "publicClient": false,
"frontchannelLogout": false, "frontchannelLogout": false,
"protocol": "openid-connect", "protocol": "openid-connect",
"attributes": {}, "attributes": {
"post.logout.redirect.uris": "+"
},
"authenticationFlowBindingOverrides": {}, "authenticationFlowBindingOverrides": {},
"fullScopeAllowed": false, "fullScopeAllowed": false,
"nodeReRegistrationTimeout": 0, "nodeReRegistrationTimeout": 0,
@@ -660,7 +664,7 @@
}, },
{ {
"id": "869481d0-5774-4e64-bc30-fedc7c58958f", "id": "869481d0-5774-4e64-bc30-fedc7c58958f",
"clientId": "people-front", "clientId": "people",
"name": "", "name": "",
"description": "", "description": "",
"rootUrl": "", "rootUrl": "",
@@ -670,9 +674,10 @@
"enabled": true, "enabled": true,
"alwaysDisplayInConsole": false, "alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret", "clientAuthenticatorType": "client-secret",
"secret": "ThisIsAnExampleKeyForDevPurposeOnly",
"redirectUris": [ "redirectUris": [
"",
"http://localhost:8070/*", "http://localhost:8070/*",
"http://localhost:8071/*",
"http://localhost:3200/*", "http://localhost:3200/*",
"http://localhost:8088/*", "http://localhost:8088/*",
"http://localhost:3000/*" "http://localhost:3000/*"
@@ -688,18 +693,29 @@
"consentRequired": false, "consentRequired": false,
"standardFlowEnabled": true, "standardFlowEnabled": true,
"implicitFlowEnabled": false, "implicitFlowEnabled": false,
"directAccessGrantsEnabled": true, "directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false, "serviceAccountsEnabled": false,
"publicClient": true, "publicClient": false,
"frontchannelLogout": true, "frontchannelLogout": true,
"protocol": "openid-connect", "protocol": "openid-connect",
"attributes": { "attributes": {
"access.token.lifespan": "-1",
"client.secret.creation.time": "1707820779",
"user.info.response.signature.alg": "RS256",
"post.logout.redirect.uris": "http://localhost:8070/*##http://localhost:3200/*##http://localhost:3000/*",
"oauth2.device.authorization.grant.enabled": "false",
"use.jwks.url": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"use.refresh.tokens": "true",
"tls-client-certificate-bound-access-tokens": "false",
"oidc.ciba.grant.enabled": "false", "oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true", "backchannel.logout.session.required": "true",
"post.logout.redirect.uris": "http://localhost:8070/*##http://localhost:3200/*##http://localhost:3000/*", "client_credentials.use_refresh_token": "false",
"acr.loa.map": "{}",
"require.pushed.authorization.requests": "false",
"display.on.consent.screen": "false", "display.on.consent.screen": "false",
"oauth2.device.authorization.grant.enabled": "false", "client.session.idle.timeout": "-1",
"backchannel.logout.revoke.offline.tokens": "false" "token.response.type.bearer.lower-case": "false"
}, },
"authenticationFlowBindingOverrides": {}, "authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true, "fullScopeAllowed": true,
@@ -738,7 +754,9 @@
"publicClient": false, "publicClient": false,
"frontchannelLogout": false, "frontchannelLogout": false,
"protocol": "openid-connect", "protocol": "openid-connect",
"attributes": {}, "attributes": {
"post.logout.redirect.uris": "+"
},
"authenticationFlowBindingOverrides": {}, "authenticationFlowBindingOverrides": {},
"fullScopeAllowed": false, "fullScopeAllowed": false,
"nodeReRegistrationTimeout": 0, "nodeReRegistrationTimeout": 0,
@@ -909,7 +927,8 @@
"consentRequired": false, "consentRequired": false,
"config": { "config": {
"id.token.claim": "true", "id.token.claim": "true",
"access.token.claim": "true" "access.token.claim": "true",
"userinfo.token.claim": "true"
} }
} }
] ]
@@ -1229,6 +1248,7 @@
"consentRequired": false, "consentRequired": false,
"config": { "config": {
"multivalued": "true", "multivalued": "true",
"userinfo.token.claim": "true",
"user.attribute": "foo", "user.attribute": "foo",
"id.token.claim": "true", "id.token.claim": "true",
"access.token.claim": "true", "access.token.claim": "true",
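Review bot: The `people` client hunk (`@@ -670,9 +674,10 @@`) commits a working client secret into the realm export, `"secret": "ThisIsAnExampleKeyForDevPurposeOnly"`, so any environment that imports this file is provisioned with that exact credential; keep the value out of the tracked JSON and inject it at import time (for example a substituted placeholder such as `"secret": "${env.PEOPLE_CLIENT_SECRET}"` if the import path supports substitution, otherwise a non-committed override), and rotate the secret if it was ever used outside a local setup. In the same hunk `redirectUris` now contains an empty entry `""` ahead of `http://localhost:8070/*`, which looks like an accidental blank row rather than an intended allow-list entry and should be dropped so the list holds only concrete URIs. In the `@@ -688,18 +693,29 @@` hunk the new `"access.token.lifespan": "-1"` and `"client.session.idle.timeout": "-1"` presumably mean "inherit the realm value", but confirm against the Keycloak version in use that `-1` is not read as unlimited, and note `"fullScopeAllowed": true` remains unchanged for this now-confidential client. The client objects these hunks modify start and end outside the shown lines.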