From 7ab0bbec6a6be658825e3130de95e4e7364c466a Mon Sep 17 00:00:00 2001 From: Roman Perekhod <2403905@gmail.com> Date: Mon, 9 Mar 2026 12:27:25 +0100 Subject: [PATCH 01/11] update gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index f9988f0c791..387fa1b0157 100644 --- a/.gitignore +++ b/.gitignore @@ -57,6 +57,7 @@ protogen/buf.sha1.lock /third-party-licenses # misc +.agents/ /tmp go.work go.work.sum From 46c4cc9adf2a45de7ea54016524a1a811ec5ad3e Mon Sep 17 00:00:00 2001 From: Roman Perekhod <2403905@gmail.com> Date: Thu, 12 Mar 2026 11:26:47 +0100 Subject: [PATCH 02/11] feat: Separate the storage-users and graph to handle --- go.mod | 2 +- go.sum | 4 +-- services/gateway/pkg/revaconfig/config.go | 16 +++++++++ services/graph/pkg/config/config.go | 2 ++ services/graph/pkg/config/service.go | 2 +- services/graph/pkg/middleware/mfa.go | 23 +++++++++++++ services/graph/pkg/service/v0/driveitems.go | 5 +++ services/graph/pkg/service/v0/drives.go | 26 ++++++-------- services/graph/pkg/service/v0/graph_test.go | 6 ++-- services/graph/pkg/service/v0/service.go | 9 +++-- .../pkg/config/defaults/defaultconfig.go | 4 +++ services/proxy/pkg/middleware/create_home.go | 34 +++++++++++++++---- .../grpc/services/gateway/storageprovider.go | 22 +++++++++++- .../v2/pkg/storage/registry/spaces/spaces.go | 26 ++++++++++++-- .../owncloud/reva/v2/pkg/utils/utils.go | 5 +++ vendor/modules.txt | 2 +- 16 files changed, 152 insertions(+), 36 deletions(-) create mode 100644 services/graph/pkg/middleware/mfa.go diff --git a/go.mod b/go.mod index 50e092b2fdd..4e6d12638f7 100644 --- a/go.mod +++ b/go.mod 
@@ -64,7 +64,7 @@ require ( github.com/open-policy-agent/opa v1.12.3 github.com/orcaman/concurrent-map v1.0.0 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 - github.com/owncloud/reva/v2 v2.0.0-20260304131727-ce3149532498 + github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357 github.com/pkg/errors v0.9.1 github.com/pkg/xattr v0.4.12 github.com/prometheus/client_golang v1.23.2 diff --git a/go.sum b/go.sum index 796f00f0a12..90d834c7e63 100644 --- a/go.sum +++ b/go.sum @@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 h1:JRidLTAKhnvyLMRtVtSF4lhBa0NSAOs6fof+d6JnKII= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og= -github.com/owncloud/reva/v2 v2.0.0-20260304131727-ce3149532498 h1:ozyudPff1XLWSeTDW4ajT1tCoSQf18cFQRxtLWFCNbk= -github.com/owncloud/reva/v2 v2.0.0-20260304131727-ce3149532498/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= +github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357 h1:96t0k+pIUkCcE4mmHEX/dbqY6WJnRvkOvbBpNY+8tg0= +github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0= github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw= diff --git a/services/gateway/pkg/revaconfig/config.go b/services/gateway/pkg/revaconfig/config.go index d4589e5d7fb..b3040a9379d 100644 --- a/services/gateway/pkg/revaconfig/config.go +++ b/services/gateway/pkg/revaconfig/config.go 
@@ -162,6 +162,22 @@ func spacesProviders(cfg *config.Config, logger log.Logger) map[string]map[strin }, }, }, + "com.owncloud.api.storage-users-vault": { + // Use the dedicated storage provider for vault + "providerid": utils.VaultStorageProviderID, + "spaces": map[string]interface{}{ + "personal": map[string]interface{}{ + // The mount point must have the "vault/" prefix to be picked up by the vault storage provider + "mount_point": "/vault/users", + "path_template": "/vault/users/{{.Space.Owner.Id.OpaqueId}}", + }, + "project": map[string]interface{}{ + // The mount point must have the "vault/" prefix to be picked up by the vault storage provider + "mount_point": "/vault/projects", + "path_template": "/vault/projects/{{.Space.Name}}", + }, + }, + }, cfg.StorageSharesEndpoint: { "providerid": utils.ShareStorageProviderID, "spaces": map[string]interface{}{ diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go index ab0072af375..fe7fd13d04a 100644 --- a/services/graph/pkg/config/config.go +++ b/services/graph/pkg/config/config.go @@ -39,6 +39,8 @@ type Config struct { Validation Validation `yaml:"validation"` + EnableVaultMode bool `yaml:"enable_vault_mode" env:"GRAPH_ENABLE_VAULT_MODE" desc:"Enable vault mode for the graph service runned in addition to the regular graph service. Required the running the storage-users-vault additional service." introductionVersion:"%%NEXT%%"` + Context context.Context `yaml:"-"` } diff --git a/services/graph/pkg/config/service.go b/services/graph/pkg/config/service.go index d1eac383f0b..084c350deb7 100644 --- a/services/graph/pkg/config/service.go +++ b/services/graph/pkg/config/service.go @@ -2,5 +2,5 @@ package config // Service defines the available service configuration. type Service struct { - Name string `yaml:"-"` + Name string `yaml:"name" env:"GRAPH_SERVICE_NAME" desc:"The name of the service." introductionVersion:"%%NEXT%%"` } 
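Review bot: The vault storage provider is registered under the hard-coded address `"com.owncloud.api.storage-users-vault"`, while the neighbouring share entry takes its address from `cfg.StorageSharesEndpoint`, so the new provider cannot be relocated by configuration like the others. A gateway config field analogous to StorageSharesEndpoint would remove the literal. The `mount_point` comments document a `/vault/` prefix convention that the spaces registry enforces separately with `strings.HasPrefix(sc.MountPoint, "/vault/")`, so the prefix deserves a shared constant next to `utils.VaultStorageProviderID` instead of literals in two packages. spacesProviders starts before and ends after the hunk.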
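Review bot: The `desc` tag on `EnableVaultMode` has grammar problems ("runned", "Required the running the ...") and this text feeds the generated environment-variable documentation. Suggest `desc:"Enable vault mode for a graph instance that runs in addition to the regular graph service. Requires the additional storage-users-vault service to be running."`. The Config struct starts before and ends after the hunk.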
diff --git a/services/graph/pkg/middleware/mfa.go b/services/graph/pkg/middleware/mfa.go
new file mode 100644
index 00000000000..33c1206e09b
--- /dev/null
+++ b/services/graph/pkg/middleware/mfa.go
@@ -0,0 +1,23 @@
+package middleware
+
+import (
+ "net/http"
+
+ "github.com/owncloud/ocis/v2/ocis-pkg/log"
+ "github.com/owncloud/ocis/v2/ocis-pkg/mfa"
+)
+
+// RequireMFA middleware is used to require the user in context to have MFA satisfied
+func RequireMFA(logger log.Logger) func(next http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if !mfa.Has(r.Context()) {
+ l := logger.SubloggerWithRequestID(r.Context())
+ l.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+ mfa.SetRequiredStatus(w)
+ return
+ }
+ next.ServeHTTP(w, r)
+ })
+ }
+}
diff --git a/services/graph/pkg/service/v0/driveitems.go b/services/graph/pkg/service/v0/driveitems.go
index 2a134500cab..7d8124397d1 100644
--- a/services/graph/pkg/service/v0/driveitems.go
+++ b/services/graph/pkg/service/v0/driveitems.go
@@ -158,6 +158,11 @@ func (g Graph) GetRootDriveChildren(w http.ResponseWriter, r *http.Request) {
 filters = append(filters, listStorageSpacesUserFilter(currentUser.GetId().GetOpaqueId()))
 filters = append(filters, listStorageSpacesTypeFilter("personal"))
 
+ // force vault storage space if vault mode is enabled
+ if g.config.EnableVaultMode {
+ filters = append(filters, listStorageSpacesIDFilter(utils.VaultStorageProviderID))
+ }
+
 res, err := gatewayClient.ListStorageSpaces(ctx, &storageprovider.ListStorageSpacesRequest{
 Filters: filters,
 })
diff --git a/services/graph/pkg/service/v0/drives.go b/services/graph/pkg/service/v0/drives.go
index c4657b32054..9cfc5dc364e 100644
--- a/services/graph/pkg/service/v0/drives.go
+++ b/services/graph/pkg/service/v0/drives.go
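Review bot: The doc comment on RequireMFA does not say what happens when the check fails; the graph_test.go hunk shows the outcome is a 403 with `X-Ocis-Mfa-Required: true`, which callers wiring this middleware need to know. Suggest `// RequireMFA rejects requests whose context does not carry a satisfied MFA state (mfa.Has): it logs the path, answers via mfa.SetRequiredStatus (403 with X-Ocis-Mfa-Required) and never calls next.` Logging every rejected request at Error level will become noisy once the middleware guards the whole router in vault mode; Warn is more proportionate for an expected client-side condition.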
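Review bot: GetRootDriveChildren pins the vault space with `listStorageSpacesIDFilter(utils.VaultStorageProviderID)`, while createDrive and ListStorageSpacesWithFilters in drives.go pass the same id through the opaque `storage_id` key, so vault mode now relies on two different mechanisms. In the gateway's ListStorageSpaces (vendored storageprovider.go hunk) a TYPE_ID filter is split into storage/space/opaque ids and sets `hasFileIdFilter`, which disables the opaque `storage_id` fallback, and whether a bare provider id without a space part survives that split depends on parsing not visible here. Presumably listStorageSpacesIDFilter builds such a TYPE_ID filter; if so, using the opaque key here as the other call sites do would keep a single path through the gateway. GetRootDriveChildren starts before and ends after the hunk.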
@@ -29,7 +29,6 @@ import ( "google.golang.org/protobuf/proto" "github.com/owncloud/ocis/v2/ocis-pkg/l10n" - "github.com/owncloud/ocis/v2/ocis-pkg/mfa" v0 "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/settings/v0" settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0" "github.com/owncloud/ocis/v2/services/graph/pkg/errorcode" @@ -133,13 +132,6 @@ func (g Graph) GetAllDrives(version APIVersion) http.HandlerFunc { // GetAllDrivesV1 attempts to retrieve the current users drives; // it includes another user's drives, if the current user has the permission. func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) { - if !mfa.Has(r.Context()) { - logger := g.logger.SubloggerWithRequestID(r.Context()) - logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied") - mfa.SetRequiredStatus(w) - return - } - spaces, errCode := g.getDrives(r, true, APIVersion_1) if errCode != nil { errorcode.RenderError(w, r, errCode) @@ -160,13 +152,6 @@ func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) { // it includes the grantedtoV2 property // it uses unified roles instead of the cs3 representations func (g Graph) GetAllDrivesV1Beta1(w http.ResponseWriter, r *http.Request) { - if !mfa.Has(r.Context()) { - logger := g.logger.SubloggerWithRequestID(r.Context()) - logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied") - mfa.SetRequiredStatus(w) - return - } - drives, errCode := g.getDrives(r, true, APIVersion_1_Beta_1) if errCode != nil { errorcode.RenderError(w, r, errCode) 
@@ -437,6 +422,11 @@ func (g Graph) createDrive(w http.ResponseWriter, r *http.Request, apiVersion AP csr.Owner = us } + // force vault storage space if vault mode is enabled + if g.config.EnableVaultMode { + csr.Opaque = utils.AppendPlainToOpaque(csr.Opaque, "storage_id", utils.VaultStorageProviderID) + } + resp, err := gatewayClient.CreateStorageSpace(ctx, &csr) if err != nil { logger.Error().Err(err).Msg("could not create drive: transport error") @@ -762,6 +752,7 @@ func (g Graph) ListStorageSpacesWithFilters(ctx context.Context, filters []*stor if err != nil { return nil, err } + lReq := &storageprovider.ListStorageSpacesRequest{ Opaque: &types.Opaque{Map: map[string]*types.OpaqueEntry{ "permissions": { @@ -776,6 +767,11 @@ func (g Graph) ListStorageSpacesWithFilters(ctx context.Context, filters []*stor Filters: filters, } + // force vault storage space if vault mode is enabled + if g.config.EnableVaultMode { + utils.AppendPlainToOpaque(lReq.Opaque, "storage_id", utils.VaultStorageProviderID) + } + gatewayClient, err := g.gatewaySelector.Next() if err != nil { return nil, err diff --git a/services/graph/pkg/service/v0/graph_test.go b/services/graph/pkg/service/v0/graph_test.go index 1112dacb2bd..f8c58e4b6cc 100644 --- a/services/graph/pkg/service/v0/graph_test.go +++ b/services/graph/pkg/service/v0/graph_test.go @@ -113,7 +113,7 @@ var _ = Describe("Graph", func() { r := httptest.NewRequest(http.MethodGet, "/graph/v1.0/me/drives", nil) r = r.WithContext(ctx) rr := httptest.NewRecorder() - svc.GetDrivesV1(rr, r) + svc.ServeHTTP(rr, r) Expect(rr.Code).To(Equal(http.StatusOK)) }) @@ -126,7 +126,7 @@ var _ = Describe("Graph", func() { r := httptest.NewRequest(http.MethodGet, "/graph/v1.0/drives", nil) r = r.WithContext(mfa.Set(ctx, true)) rr := httptest.NewRecorder() - svc.GetAllDrivesV1(rr, r) + svc.ServeHTTP(rr, r) Expect(rr.Code).To(Equal(http.StatusOK)) }) 
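Review bot: The return value of `utils.AppendPlainToOpaque(lReq.Opaque, "storage_id", utils.VaultStorageProviderID)` is discarded, unlike the createDrive hunk above and the gateway hunks, which all assign it back. It only works because `lReq.Opaque` was initialised with a map a few lines earlier; if the helper ever returns a fresh Opaque instead of mutating its input, as the other call sites assume it may, the vault filter would silently disappear. Change the line to `lReq.Opaque = utils.AppendPlainToOpaque(lReq.Opaque, "storage_id", utils.VaultStorageProviderID)`. ListStorageSpacesWithFilters starts before and ends after the hunk.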
@@ -138,7 +138,7 @@ var _ = Describe("Graph", func() { r := httptest.NewRequest(http.MethodGet, "/graph/v1.0/drives", nil) rr := httptest.NewRecorder() - svc.GetAllDrivesV1(rr, r) + svc.ServeHTTP(rr, r) Expect(rr.Code).To(Equal(http.StatusForbidden)) Expect(rr.Header().Get("X-Ocis-Mfa-Required")).To(Equal("true")) }) diff --git a/services/graph/pkg/service/v0/service.go b/services/graph/pkg/service/v0/service.go index a24029616f2..33645af271a 100644 --- a/services/graph/pkg/service/v0/service.go +++ b/services/graph/pkg/service/v0/service.go @@ -203,6 +203,8 @@ func NewService(opts ...Option) (Graph, error) { //nolint:maintidx requireAdmin = options.RequireAdminMiddleware } + requireMFA := graphm.RequireMFA(options.Logger) + drivesDriveItemService, err := NewDrivesDriveItemService(options.Logger, options.GatewaySelector) if err != nil { return svc, err @@ -225,6 +227,9 @@ func NewService(opts ...Option) (Graph, error) { //nolint:maintidx m.Route(options.Config.HTTP.Root, func(r chi.Router) { r.Use(middleware.StripSlashes) + if options.Config.EnableVaultMode { + r.Use(requireMFA) + } r.Route("/v1beta1", func(r chi.Router) { r.Route("/me", func(r chi.Router) { @@ -235,7 +240,7 @@ func NewService(opts ...Option) (Graph, error) { //nolint:maintidx }) }) r.Route("/drives", func(r chi.Router) { - r.Get("/", svc.GetAllDrives(APIVersion_1_Beta_1)) + r.With(requireMFA).Get("/", svc.GetAllDrives(APIVersion_1_Beta_1)) r.Post("/", svc.CreateDriveV1Beta1) r.Route("/{driveID}", func(r chi.Router) { r.Get("/", svc.GetSingleDriveV1Beta1) @@ -331,7 +336,7 @@ func NewService(opts ...Option) (Graph, error) { //nolint:maintidx }) }) r.Route("/drives", func(r chi.Router) { - r.Get("/", svc.GetAllDrives(APIVersion_1)) + r.With(requireMFA).Get("/", svc.GetAllDrives(APIVersion_1)) r.Post("/", svc.CreateDrive) r.Route("/{driveID}", func(r chi.Router) { r.Patch("/", svc.UpdateDrive) 
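Review bot: In vault mode `r.Use(requireMFA)` already guards every route under `options.Config.HTTP.Root`, so the `r.With(requireMFA)` added to both `/drives` GET registrations runs the same check a second time on those paths. That is harmless, but it blurs which layer owns the policy; a comment on the `Use`, `// vault mode: every graph route requires MFA, not only drive listing`, or skipping the per-route `With` when `EnableVaultMode` is set, would make the intent explicit. Registering the middleware right after `StripSlashes` and before any `Route` call is correct for chi, which rejects `Use` once routes exist. NewService continues outside these hunks.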
diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go index 820590f6f29..9e3d4eb8146 100644 --- a/services/proxy/pkg/config/defaults/defaultconfig.go +++ b/services/proxy/pkg/config/defaults/defaultconfig.go @@ -273,6 +273,10 @@ func DefaultPolicies() []config.Policy { Endpoint: "/graph/", Service: "com.owncloud.web.graph", }, + { + Endpoint: "/vault/graph/", + Service: "com.owncloud.web.graph-vault", + }, { Endpoint: "/api/v0/settings", Service: "com.owncloud.web.settings", diff --git a/services/proxy/pkg/middleware/create_home.go b/services/proxy/pkg/middleware/create_home.go index a71f3825354..86038b1b05b 100644 --- a/services/proxy/pkg/middleware/create_home.go +++ b/services/proxy/pkg/middleware/create_home.go @@ -11,7 +11,6 @@ import ( "github.com/owncloud/ocis/v2/ocis-pkg/log" "github.com/owncloud/ocis/v2/services/graph/pkg/errorcode" revactx "github.com/owncloud/reva/v2/pkg/ctx" - "github.com/owncloud/reva/v2/pkg/rgrpc/status" "github.com/owncloud/reva/v2/pkg/rgrpc/todo/pool" "github.com/owncloud/reva/v2/pkg/utils" "google.golang.org/grpc/metadata" 
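Review bot: The new policy routes `/vault/graph/` to `com.owncloud.web.graph-vault`, a service name that has to match the `GRAPH_SERVICE_NAME` exposed in services/graph/pkg/config/service.go and, presumably, an HTTP root of `/vault/graph` on the vault graph instance, but nothing on either side documents the pairing. A comment on the entry, `// served by the second graph instance started with GRAPH_SERVICE_NAME=com.owncloud.web.graph-vault and GRAPH_ENABLE_VAULT_MODE=true`, would make the coupling discoverable. Since `Name` is now settable from the environment, the graph defaults (not shown) should still populate it so the regular instance keeps registering under its usual name when the variable is unset. DefaultPolicies starts before and ends after the hunk.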
@@ -70,14 +69,35 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { m.logger.Err(err).Msg("error selecting next gateway client") } else { createHomeRes, err := client.CreateHome(ctx, createHomeReq) - if err != nil { + switch { + case err != nil: m.logger.Err(err).Msg("error calling CreateHome") - } else if createHomeRes.Status.Code != rpc.Code_CODE_OK { - err := status.NewErrorFromCode(createHomeRes.Status.Code, "gateway") - if createHomeRes.Status.Code != rpc.Code_CODE_ALREADY_EXISTS { - m.logger.Err(err).Msg("error when calling Createhome") - } + case createHomeRes.GetStatus().GetCode() == rpc.Code_CODE_OK: + m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("personal space created") + case createHomeRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: + m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", createHomeRes.GetStatus()).Msg("===== personal space already exists") + default: + m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", createHomeRes.GetStatus()).Msg("===== personal space creation failed") + } + + // TODO: issue: The vault personal space can not be created after regular personal space creation. 
+ // If the regular personal cometed out the valut creation pass + // + // Create vault personal space + // Inject storage_id into opaque for vault personal space + createHomeReq.Opaque = utils.AppendPlainToOpaque(createHomeReq.Opaque, "storage_id", utils.VaultStorageProviderID) + cpsRes, err := client.CreateHome(ctx, createHomeReq) + switch { + case err != nil: + m.logger.Err(err).Msg("error calling CreateHome for vault personal") + case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_OK: + m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("vault personal space created") + case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: + m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("=====+ vault personal space already exists") + default: + m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("=====! vault personal space creation failed") } + } m.next.ServeHTTP(w, req) diff --git a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go index dd8e9041050..98c2c6a2032 100644 --- a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go +++ b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go @@ -38,6 +38,7 @@ import ( typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" "google.golang.org/grpc/codes" + "github.com/golang-jwt/jwt/v5" "github.com/owncloud/reva/v2/pkg/appctx" ctxpkg "github.com/owncloud/reva/v2/pkg/ctx" "github.com/owncloud/reva/v2/pkg/errtypes" @@ -48,7 +49,6 @@ import ( "github.com/owncloud/reva/v2/pkg/share" "github.com/owncloud/reva/v2/pkg/storagespace" "github.com/owncloud/reva/v2/pkg/utils" - "github.com/golang-jwt/jwt/v5" "github.com/pkg/errors" gstatus "google.golang.org/grpc/status" ) 
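Review bot: The new log messages still carry debugging markers (`===== personal space already exists`, `=====+ vault personal space already exists`, `=====! vault personal space creation failed`) that should go before merge, and `Interface("userID", u.GetId().GetOpaqueId())` on a plain string is better as `Str("userID", u.GetId().GetOpaqueId())`. The second CreateHome for the vault space runs for every request reaching this middleware with no switch comparable to graph's `GRAPH_ENABLE_VAULT_MODE`, so a deployment without the storage-users-vault service will log an error on every login; gating it on a proxy option would avoid that. The TODO above the call states that vault creation does not work once the regular home exists, so the path is committed in a known-broken state and the comment should at least record which status code comes back. ServeHTTP starts before and ends after the hunk.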
@@ -143,6 +143,15 @@ func (s *svc) CreateHome(ctx context.Context, req *provider.CreateHomeRequest) ( }, } } + + // pass storage_id to the storage provider to handle vault storage id + if storageId := utils.ReadPlainFromOpaque(req.GetOpaque(), "storage_id"); storageId != "" { + // if spaceId := utils.ReadPlainFromOpaque(createReq.GetOpaque(), "space_id"); spaceId != "" { + // storageId = storageId + "$" + spaceId + // } + createReq.Opaque = utils.AppendPlainToOpaque(createReq.Opaque, "storage_id", storageId) + } + res, err := s.CreateStorageSpace(ctx, createReq) if err != nil { return &provider.CreateHomeResponse{ @@ -170,6 +179,11 @@ func (s *svc) CreateStorageSpace(ctx context.Context, req *provider.CreateStorag } } + if storageId := utils.ReadPlainFromOpaque(req.GetOpaque(), "storage_id"); storageId != "" { + space.Root = &provider.ResourceId{StorageId: storageId} + req.Opaque = utils.AppendPlainToOpaque(req.Opaque, "storage_id", storageId) + } + srClient, err := s.getStorageRegistryClient(ctx, s.c.StorageRegistryEndpoint) if err != nil { return &provider.CreateStorageSpaceResponse{ @@ -247,6 +261,7 @@ func (s *svc) ListStorageSpaces(ctx context.Context, req *provider.ListStorageSp filters["path"] = path } + hasFileIdFilter := false for _, f := range req.Filters { switch f.Type { case provider.ListStorageSpacesRequest_Filter_TYPE_ID: @@ -255,6 +270,7 @@ func (s *svc) ListStorageSpaces(ctx context.Context, req *provider.ListStorageSp continue } filters["storage_id"], filters["space_id"], filters["opaque_id"] = sid, spid, oid + hasFileIdFilter = true case provider.ListStorageSpacesRequest_Filter_TYPE_OWNER: filters["owner_idp"] = f.GetOwner().GetIdp() filters["owner_id"] = f.GetOwner().GetOpaqueId() 
@@ -270,6 +286,10 @@ func (s *svc) ListStorageSpaces(ctx context.Context, req *provider.ListStorageSp } } + if !hasFileIdFilter && utils.ReadPlainFromOpaque(req.Opaque, "storage_id") != "" { + filters["storage_id"] = utils.ReadPlainFromOpaque(req.Opaque, "storage_id") + } + c, err := s.getStorageRegistryClient(ctx, s.c.StorageRegistryEndpoint) if err != nil { return &provider.ListStorageSpacesResponse{ diff --git a/vendor/github.com/owncloud/reva/v2/pkg/storage/registry/spaces/spaces.go b/vendor/github.com/owncloud/reva/v2/pkg/storage/registry/spaces/spaces.go index ac586e96d39..3ba2ef6600c 100644 --- a/vendor/github.com/owncloud/reva/v2/pkg/storage/registry/spaces/spaces.go +++ b/vendor/github.com/owncloud/reva/v2/pkg/storage/registry/spaces/spaces.go @@ -34,6 +34,7 @@ import ( providerpb "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" registrypb "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1" typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" + "github.com/mitchellh/mapstructure" "github.com/owncloud/reva/v2/pkg/appctx" ctxpkg "github.com/owncloud/reva/v2/pkg/ctx" "github.com/owncloud/reva/v2/pkg/errtypes" @@ -44,7 +45,6 @@ import ( pkgregistry "github.com/owncloud/reva/v2/pkg/storage/registry/registry" "github.com/owncloud/reva/v2/pkg/storagespace" "github.com/owncloud/reva/v2/pkg/utils" - "github.com/mitchellh/mapstructure" "google.golang.org/grpc" ) @@ -195,6 +195,18 @@ func (r *registry) GetProvider(ctx context.Context, space *providerpb.StorageSpa if space.SpaceType != "" && spaceType != space.SpaceType { continue } + + // Filter out vault spaces if no storageId is provided + if space.GetRoot().GetStorageId() != "" { + if space.GetRoot().GetStorageId() != provider.ProviderID { + continue + } + } else { + if strings.HasPrefix(sc.MountPoint, "/vault/") { + continue + } + } + if space.Owner != nil { user := ctxpkg.ContextMustGetUser(ctx) spacePath, err = sc.SpacePath(user, space) 
@@ -289,7 +301,7 @@ func (r *registry) ListProviders(ctx context.Context, filters map[string]string) // return all providers return r.findAllProviders(ctx, mask), nil default: - return r.findProvidersForFilter(ctx, r.buildFilters(filters), unrestricted, mask), nil + return r.findProvidersForFilter(ctx, r.buildFilters(filters), filters["storage_id"], unrestricted, mask), nil } } @@ -340,7 +352,7 @@ func (r *registry) buildFilters(filterMap map[string]string) []*providerpb.ListS return filters } -func (r *registry) findProvidersForFilter(ctx context.Context, filters []*providerpb.ListStorageSpacesRequest_Filter, unrestricted bool, _ string) []*registrypb.ProviderInfo { +func (r *registry) findProvidersForFilter(ctx context.Context, filters []*providerpb.ListStorageSpacesRequest_Filter, storageId string, unrestricted bool, _ string) []*registrypb.ProviderInfo { var requestedSpaceType string for _, f := range filters { @@ -357,6 +369,10 @@ func (r *registry) findProvidersForFilter(ctx context.Context, filters []*provid // we have to ignore a space type filter with +grant or +mountpoint type because they can live on any provider if requestedSpaceType != "" && !strings.HasPrefix(requestedSpaceType, "+") { found := false + if storageId != "" && storageId != provider.ProviderID { + // skip mismatching storageproviders + continue + } for spaceType := range provider.Spaces { if spaceType == requestedSpaceType { found = true @@ -385,6 +401,10 @@ func (r *registry) findProvidersForFilter(ctx context.Context, filters []*provid if sc, ok = provider.Spaces[space.SpaceType]; !ok { continue } + // Filter out vault spaces if no storageId is provided + if storageId == "" && strings.HasPrefix(sc.MountPoint, "/vault/") { + continue + } spacePath, err = sc.SpacePath(currentUser, space) if err != nil { appctx.GetLogger(ctx).Error().Err(err).Interface("provider", provider).Interface("space", space).Msg("failed to execute template, continuing") 
diff --git a/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go b/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go index c1031368743..c995504cbc4 100644 --- a/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go +++ b/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go @@ -64,6 +64,11 @@ var ( // OCMStorageSpaceID is the space id used by the ocmreceived storageprovider OCMStorageSpaceID = "89f37a33-858b-45fa-8890-a1f2b27d90e1" + // VaultStorageProviderID is the storage id used by the vault storageprovider + VaultStorageProviderID = "bbbbbbbb-16f5-444e-8a6a-a28db41bbbbb" + // VaultStorageSpaceID is the space id used by the vault storageprovider + VaultStorageSpaceID = "bbbbbbbb-16f5-444e-8a6a-a28db41bbbbb" + // SpaceGrant is used to signal the storageprovider that the grant is on a space SpaceGrant struct{} ) diff --git a/vendor/modules.txt b/vendor/modules.txt index 16fade20f5b..f3203eac5cf 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1316,7 +1316,7 @@ github.com/orcaman/concurrent-map # github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 ## explicit; go 1.18 github.com/owncloud/libre-graph-api-go -# github.com/owncloud/reva/v2 v2.0.0-20260304131727-ce3149532498 +# github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357 ## explicit; go 1.24.0 github.com/owncloud/reva/v2/cmd/revad/internal/grace github.com/owncloud/reva/v2/cmd/revad/runtime From 315776347d17f5ef28454fa15d152bc9c1fd9347 Mon Sep 17 00:00:00 2001 
From: Roman Perekhod <2403905@gmail.com> Date: Thu, 12 Mar 2026 16:22:40 +0100 Subject: [PATCH 03/11] feat: move the space create cache --- go.mod | 2 +- go.sum | 4 +- services/gateway/pkg/config/config.go | 21 +- .../pkg/config/defaults/defaultconfig.go | 12 +- services/gateway/pkg/revaconfig/config.go | 10 - services/proxy/pkg/middleware/create_home.go | 71 ++++--- .../internal/grpc/services/gateway/gateway.go | 42 ++-- .../grpc/services/gateway/storageprovider.go | 55 +---- .../services/gateway/storageprovidercache.go | 201 +----------------- .../handlers/apps/sharing/shares/spaces.go | 16 +- .../reva/v2/pkg/storage/cache/cache.go | 49 +---- .../reva/v2/pkg/storage/cache/createhome.go | 67 ------ .../pkg/storage/cache/createpersonalspace.go | 43 ---- vendor/modules.txt | 2 +- 14 files changed, 90 insertions(+), 505 deletions(-) delete mode 100644 vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createhome.go delete mode 100644 vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createpersonalspace.go diff --git a/go.mod b/go.mod index 4e6d12638f7..e88471d8493 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( github.com/open-policy-agent/opa v1.12.3 github.com/orcaman/concurrent-map v1.0.0 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 - github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357 + github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb github.com/pkg/errors v0.9.1 github.com/pkg/xattr v0.4.12 github.com/prometheus/client_golang v1.23.2 diff --git a/go.sum b/go.sum index 90d834c7e63..0411f7ad1fe 100644 --- a/go.sum +++ b/go.sum 
@@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 h1:JRidLTAKhnvyLMRtVtSF4lhBa0NSAOs6fof+d6JnKII= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og= -github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357 h1:96t0k+pIUkCcE4mmHEX/dbqY6WJnRvkOvbBpNY+8tg0= -github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= +github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb h1:HFkxvUDS+LOm2ne72/x0394YroDfdOM4tSjYoaU7Dnc= +github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0= github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw= diff --git a/services/gateway/pkg/config/config.go b/services/gateway/pkg/config/config.go index 53699fccce0..92f44c19f4e 100644 --- a/services/gateway/pkg/config/config.go +++ b/services/gateway/pkg/config/config.go 
@@ -85,18 +85,11 @@ type StorageRegistry struct { // Cache holds cache config type Cache struct { - ProviderCacheStore string `yaml:"provider_cache_store" env:"OCIS_CACHE_STORE;GATEWAY_PROVIDER_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"pre5.0"` - ProviderCacheNodes []string `yaml:"provider_cache_nodes" env:"OCIS_CACHE_STORE_NODES;GATEWAY_PROVIDER_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"` - ProviderCacheDatabase string `yaml:"provider_cache_database" env:"OCIS_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"pre5.0"` - ProviderCacheTTL time.Duration `yaml:"provider_cache_ttl" env:"OCIS_CACHE_TTL;GATEWAY_PROVIDER_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"` - ProviderCacheDisablePersistence bool `yaml:"provider_cache_disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"5.0"` - ProviderCacheAuthUsername string `yaml:"provider_cache_auth_username" env:"OCIS_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." 
introductionVersion:"5.0"` - ProviderCacheAuthPassword string `yaml:"provider_cache_auth_password" env:"OCIS_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"` - CreateHomeCacheStore string `yaml:"create_home_cache_store" env:"OCIS_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"pre5.0"` - CreateHomeCacheNodes []string `yaml:"create_home_cache_nodes" env:"OCIS_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"` - CreateHomeCacheDatabase string `yaml:"create_home_cache_database" env:"OCIS_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"pre5.0"` - CreateHomeCacheTTL time.Duration `yaml:"create_home_cache_ttl" env:"OCIS_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"` - CreateHomeCacheDisablePersistence bool `yaml:"create_home_cache_disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." 
introductionVersion:"5.0"` - CreateHomeCacheAuthUsername string `yaml:"create_home_cache_auth_username" env:"OCIS_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"` - CreateHomeCacheAuthPassword string `yaml:"create_home_cache_auth_password" env:"OCIS_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"` + ProviderCacheStore string `yaml:"provider_cache_store" env:"OCIS_CACHE_STORE;GATEWAY_PROVIDER_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"pre5.0"` + ProviderCacheNodes []string `yaml:"provider_cache_nodes" env:"OCIS_CACHE_STORE_NODES;GATEWAY_PROVIDER_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"` + ProviderCacheDatabase string `yaml:"provider_cache_database" env:"OCIS_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"pre5.0"` + ProviderCacheTTL time.Duration `yaml:"provider_cache_ttl" env:"OCIS_CACHE_TTL;GATEWAY_PROVIDER_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"pre5.0"` + ProviderCacheDisablePersistence bool `yaml:"provider_cache_disable_persistence" env:"OCIS_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. 
Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"5.0"` + ProviderCacheAuthUsername string `yaml:"provider_cache_auth_username" env:"OCIS_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"` + ProviderCacheAuthPassword string `yaml:"provider_cache_auth_password" env:"OCIS_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"5.0"` } diff --git a/services/gateway/pkg/config/defaults/defaultconfig.go b/services/gateway/pkg/config/defaults/defaultconfig.go index 5d003bb3790..4bab0339312 100644 --- a/services/gateway/pkg/config/defaults/defaultconfig.go +++ b/services/gateway/pkg/config/defaults/defaultconfig.go @@ -39,14 +39,10 @@ func DefaultConfig() *config.Config { DisableHomeCreationOnLogin: true, TransferExpires: 24 * 60 * 60, Cache: config.Cache{ - ProviderCacheStore: "noop", - ProviderCacheNodes: []string{"127.0.0.1:9233"}, - ProviderCacheDatabase: "cache-providers", - ProviderCacheTTL: 300 * time.Second, - CreateHomeCacheStore: "memory", - CreateHomeCacheNodes: []string{"127.0.0.1:9233"}, - CreateHomeCacheDatabase: "cache-createhome", - CreateHomeCacheTTL: 300 * time.Second, + ProviderCacheStore: "noop", + ProviderCacheNodes: []string{"127.0.0.1:9233"}, + ProviderCacheDatabase: "cache-providers", + ProviderCacheTTL: 300 * time.Second, }, FrontendPublicURL: "https://localhost:9200", diff --git a/services/gateway/pkg/revaconfig/config.go b/services/gateway/pkg/revaconfig/config.go index b3040a9379d..a24a9a0e371 100644 --- a/services/gateway/pkg/revaconfig/config.go +++ b/services/gateway/pkg/revaconfig/config.go 
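Review bot: Removing the CreateHomeCache* fields silently retires `GATEWAY_CREATE_HOME_CACHE_STORE`, `GATEWAY_CREATE_HOME_CACHE_STORE_NODES`, `GATEWAY_CREATE_HOME_CACHE_TTL`, `GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`, `GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME` and `GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`; deployments that set them will keep doing so without any hint that they no longer have effect. The same applies to the matching defaults dropped in the defaultconfig.go hunk below and to the `create_personal_space_cache_config` block removed from revaconfig. A changelog entry naming the removed variables, or keeping the fields for one release marked as deprecated, would give operators a migration path.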
@@ -75,16 +75,6 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i "cache_auth_username": cfg.Cache.ProviderCacheAuthUsername, "cache_auth_password": cfg.Cache.ProviderCacheAuthPassword, }, - "create_personal_space_cache_config": map[string]interface{}{ - "cache_store": cfg.Cache.CreateHomeCacheStore, - "cache_nodes": cfg.Cache.CreateHomeCacheNodes, - "cache_database": cfg.Cache.CreateHomeCacheDatabase, - "cache_table": "create_personal_space", - "cache_ttl": cfg.Cache.CreateHomeCacheTTL, - "cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence, - "cache_auth_username": cfg.Cache.CreateHomeCacheAuthUsername, - "cache_auth_password": cfg.Cache.CreateHomeCacheAuthPassword, - }, }, "authregistry": map[string]interface{}{ "driver": "static", diff --git a/services/proxy/pkg/middleware/create_home.go b/services/proxy/pkg/middleware/create_home.go index 86038b1b05b..9db3d177695 100644 --- a/services/proxy/pkg/middleware/create_home.go +++ b/services/proxy/pkg/middleware/create_home.go @@ -3,11 +3,13 @@ package middleware import ( "net/http" "strconv" + "time" gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" + "github.com/jellydator/ttlcache/v3" "github.com/owncloud/ocis/v2/ocis-pkg/log" "github.com/owncloud/ocis/v2/services/graph/pkg/errorcode" revactx "github.com/owncloud/reva/v2/pkg/ctx" 
@@ -21,12 +23,19 @@ func CreateHome(optionSetters ...Option) func(next http.Handler) http.Handler { options := newOptions(optionSetters...) logger := options.Logger + cache := ttlcache.New( + ttlcache.WithTTL[string, string](30*time.Second), + ttlcache.WithDisableTouchOnHit[string, string](), + ) + go cache.Start() + return func(next http.Handler) http.Handler { return &createHome{ next: next, logger: logger, revaGatewaySelector: options.RevaGatewaySelector, roleQuotas: options.RoleQuotas, + cache: cache, } } } @@ -36,6 +45,7 @@ type createHome struct { logger log.Logger revaGatewaySelector pool.Selectable[gateway.GatewayAPIClient] roleQuotas map[string]uint64 + cache *ttlcache.Cache[string, string] } func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { 
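Review bot: `go cache.Start()` in CreateHome launches the ttlcache expiry goroutine and nothing ever calls `cache.Stop()`, so each invocation of the middleware constructor leaves a goroutine running for the life of the process. That is harmless if the constructor runs exactly once at proxy start-up, but the code should say so, e.g. `// Stop() is intentionally never called: the middleware lives as long as the proxy process`, or the constructor should keep a stop hook so tests and shutdown paths can reclaim it. The `ttlcache.New` call also deserves a one-line comment stating what the 30 s window and `WithDisableTouchOnHit` mean in practice: a user's CreateHome is re-issued at most once per 30 s per proxy instance, regardless of how many requests hit in between. CreateHome's closure and the createHome struct continue outside the hunk.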
@@ -68,36 +78,43 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { if err != nil { m.logger.Err(err).Msg("error selecting next gateway client") } else { - createHomeRes, err := client.CreateHome(ctx, createHomeReq) - switch { - case err != nil: - m.logger.Err(err).Msg("error calling CreateHome") - case createHomeRes.GetStatus().GetCode() == rpc.Code_CODE_OK: - m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("personal space created") - case createHomeRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: - m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", createHomeRes.GetStatus()).Msg("===== personal space already exists") - default: - m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", createHomeRes.GetStatus()).Msg("===== personal space creation failed") + key := "home" + u.GetId().GetOpaqueId() + if !m.cache.Has(key) { + createHomeRes, err := client.CreateHome(ctx, createHomeReq) + switch { + case err != nil: + m.logger.Err(err).Msg("error calling CreateHome") + case createHomeRes.GetStatus().GetCode() == rpc.Code_CODE_OK: + m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("personal space created") + m.cache.Set(key, "ok", 0) + case createHomeRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: + m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", createHomeRes.GetStatus()).Msg("personal space already exists") + m.cache.Set(key, "ok", 0) + default: + m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", createHomeRes.GetStatus()).Msg("personal space creation failed") + } } - // TODO: issue: The vault personal space can not be created after regular personal space creation. 
- // If the regular personal cometed out the valut creation pass - // - // Create vault personal space - // Inject storage_id into opaque for vault personal space - createHomeReq.Opaque = utils.AppendPlainToOpaque(createHomeReq.Opaque, "storage_id", utils.VaultStorageProviderID) - cpsRes, err := client.CreateHome(ctx, createHomeReq) - switch { - case err != nil: - m.logger.Err(err).Msg("error calling CreateHome for vault personal") - case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_OK: - m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("vault personal space created") - case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: - m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("=====+ vault personal space already exists") - default: - m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("=====! vault personal space creation failed") + vaultKey := "vault" + u.GetId().GetOpaqueId() + if !m.cache.Has(vaultKey) { + // TODO: Should be optional + // Create vault personal space + // Inject storage_id into opaque for vault personal space + createHomeReq.Opaque = utils.AppendPlainToOpaque(createHomeReq.Opaque, "storage_id", utils.VaultStorageProviderID) + cpsRes, err := client.CreateHome(ctx, createHomeReq) + switch { + case err != nil: + m.logger.Err(err).Msg("error calling CreateHome for vault personal") + case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_OK: + m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("vault personal space created") + m.cache.Set(vaultKey, "ok", 0) + case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: + m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("vault personal space already exists") + m.cache.Set(vaultKey, "ok", 0) + default: + m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", 
cpsRes.GetStatus()).Msg("vault personal space creation failed") + } } - } m.next.ServeHTTP(w, req) diff --git a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/gateway.go b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/gateway.go index a83b653a103..8b824df4bd8 100644 --- a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/gateway.go +++ b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/gateway.go @@ -24,13 +24,13 @@ import ( "strings" gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1" + "github.com/mitchellh/mapstructure" "github.com/owncloud/reva/v2/pkg/errtypes" "github.com/owncloud/reva/v2/pkg/rgrpc" "github.com/owncloud/reva/v2/pkg/sharedconf" "github.com/owncloud/reva/v2/pkg/storage/cache" "github.com/owncloud/reva/v2/pkg/token" "github.com/owncloud/reva/v2/pkg/token/manager/registry" - "github.com/mitchellh/mapstructure" "github.com/pkg/errors" "github.com/rs/zerolog" "google.golang.org/grpc" 
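Review bot: The cache keys `"home" + u.GetId().GetOpaqueId()` and `"vault" + u.GetId().GetOpaqueId()` identify a user by opaque id alone, while a CS3 UserId is the pair (idp, opaque_id); if this proxy ever fronts more than one identity provider, two distinct users can share a key and the second one silently skips home creation for the 30 s window. Including the IdP, e.g. `key := "home:" + u.GetId().GetIdp() + ":" + u.GetId().GetOpaqueId()`, removes that ambiguity (same for `vaultKey`). Only successes are cached, so a user whose space creation keeps landing in the `default:` branches triggers a gateway round-trip on every single request — a short negative-cache entry, or at least a rate-limited error log, would stop a persistent failure from amplifying into gateway load. The `Has`-then-`Set` pair is racy for concurrent requests of the same user, which is acceptable here only because CreateHome answers ALREADY_EXISTS; a comment saying so, and `ttlcache.DefaultTTL` instead of the bare `0`, would make that intent explicit. ServeHTTP starts before this hunk.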
@@ -70,13 +70,12 @@ type config struct { TokenManager string `mapstructure:"token_manager"` // ShareFolder is the location where to create shares in the recipient's storage provider. // FIXME get rid of ShareFolder, there are findByPath calls in the ocmshareporvider.go and usershareprovider.go - ShareFolder string `mapstructure:"share_folder"` - DataTransfersFolder string `mapstructure:"data_transfers_folder"` - TokenManagers map[string]map[string]interface{} `mapstructure:"token_managers"` - AllowedUserAgents map[string][]string `mapstructure:"allowed_user_agents"` // map[path][]user-agent - CreatePersonalSpaceCacheConfig cache.Config `mapstructure:"create_personal_space_cache_config"` - ProviderCacheConfig cache.Config `mapstructure:"provider_cache_config"` - UseCommonSpaceRootShareLogic bool `mapstructure:"use_common_space_root_share_logic"` + ShareFolder string `mapstructure:"share_folder"` + DataTransfersFolder string `mapstructure:"data_transfers_folder"` + TokenManagers map[string]map[string]interface{} `mapstructure:"token_managers"` + AllowedUserAgents map[string][]string `mapstructure:"allowed_user_agents"` // map[path][]user-agent + ProviderCacheConfig cache.Config `mapstructure:"provider_cache_config"` + UseCommonSpaceRootShareLogic bool `mapstructure:"use_common_space_root_share_logic"` } // sets defaults 
@@ -130,22 +129,13 @@ func (c *config) init() { if c.ProviderCacheConfig.Database == "" { c.ProviderCacheConfig.Database = "reva" } - - if c.CreatePersonalSpaceCacheConfig.Store == "" { - c.CreatePersonalSpaceCacheConfig.Store = "memory" - } - - if c.CreatePersonalSpaceCacheConfig.Database == "" { - c.CreatePersonalSpaceCacheConfig.Database = "reva" - } } type svc struct { - c *config - dataGatewayURL url.URL - tokenmgr token.Manager - providerCache cache.ProviderCache - createPersonalSpaceCache cache.CreatePersonalSpaceCache + c *config + dataGatewayURL url.URL + tokenmgr token.Manager + providerCache cache.ProviderCache } // New creates a new gateway svc that acts as a proxy for any grpc operation. @@ -171,11 +161,10 @@ func New(m map[string]interface{}, _ *grpc.Server, _ *zerolog.Logger) (rgrpc.Ser } s := &svc{ - c: c, - dataGatewayURL: *u, - tokenmgr: tokenManager, - providerCache: cache.GetProviderCache(c.ProviderCacheConfig), - createPersonalSpaceCache: cache.GetCreatePersonalSpaceCache(c.CreatePersonalSpaceCacheConfig), + c: c, + dataGatewayURL: *u, + tokenmgr: tokenManager, + providerCache: cache.GetProviderCache(c.ProviderCacheConfig), } return s, nil @@ -187,7 +176,6 @@ func (s *svc) Register(ss *grpc.Server) { func (s *svc) Close() error { s.providerCache.Close() - s.createPersonalSpaceCache.Close() return nil } diff --git a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go index 98c2c6a2032..c3a8a3d825c 100644 --- a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go +++ b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovider.go 
@@ -146,9 +146,6 @@ func (s *svc) CreateHome(ctx context.Context, req *provider.CreateHomeRequest) ( // pass storage_id to the storage provider to handle vault storage id if storageId := utils.ReadPlainFromOpaque(req.GetOpaque(), "storage_id"); storageId != "" { - // if spaceId := utils.ReadPlainFromOpaque(createReq.GetOpaque(), "space_id"); spaceId != "" { - // storageId = storageId + "$" + spaceId - // } createReq.Opaque = utils.AppendPlainToOpaque(createReq.Opaque, "storage_id", storageId) } @@ -184,7 +181,7 @@ func (s *svc) CreateStorageSpace(ctx context.Context, req *provider.CreateStorag req.Opaque = utils.AppendPlainToOpaque(req.Opaque, "storage_id", storageId) } - srClient, err := s.getStorageRegistryClient(ctx, s.c.StorageRegistryEndpoint) + srClient, err := pool.GetStorageRegistryClient(s.c.StorageRegistryEndpoint) if err != nil { return &provider.CreateStorageSpaceResponse{ Status: status.NewStatusFromErrType(ctx, "gateway could get storage registry client", err), @@ -227,7 +224,7 @@ func (s *svc) CreateStorageSpace(ctx context.Context, req *provider.CreateStorag } // just pick the first provider, we expect only one - c, err := s.getSpacesProviderClient(ctx, res.Providers[0]) + c, err := pool.GetSpacesProviderServiceClient(res.Providers[0].Address) if err != nil { return &provider.CreateStorageSpaceResponse{ Status: status.NewStatusFromErrType(ctx, "gateway could not get storage provider client", err), @@ -290,7 +287,7 @@ func (s *svc) ListStorageSpaces(ctx context.Context, req *provider.ListStorageSp filters["storage_id"] = utils.ReadPlainFromOpaque(req.Opaque, "storage_id") } - c, err := s.getStorageRegistryClient(ctx, s.c.StorageRegistryEndpoint) + c, err := pool.GetStorageRegistryClient(s.c.StorageRegistryEndpoint) if err != nil { return &provider.ListStorageSpacesResponse{ Status: status.NewStatusFromErrType(ctx, "gateway could not get storage registry client", err), 
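Review bot: Every call site in CreateStorageSpace, ListStorageSpaces, GetHome, find and findSpacesProvider now takes the raw pool client (`pool.GetStorageRegistryClient(s.c.StorageRegistryEndpoint)`, `pool.GetSpacesProviderServiceClient(res.Providers[0].Address)`), so the gateway no longer routes registry lookups through `cachedRegistryClient` and its provider cache, yet `svc.providerCache` is still populated by `cache.GetProviderCache(c.ProviderCacheConfig)` and released in `Close()` in gateway.go (the previous file in this patch). If no remaining caller reads it, the field, its config and the `provider_cache_config` mapping are dead weight and should go in the same change; otherwise a comment on the field should name the consumer. While here, the context line `status.NewStatusFromErrType(ctx, "gateway could get storage registry client", err)` beside the new call in CreateStorageSpace appears to be missing a "not", unlike its siblings. All of these functions start and end outside the hunks.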
@@ -344,10 +341,6 @@ func (s *svc) UpdateStorageSpace(ctx context.Context, req *provider.UpdateStorag }, nil } - if res.Status.Code == rpc.Code_CODE_OK { - id := res.StorageSpace.Root - s.providerCache.RemoveListStorageProviders(id) - } return res, nil } @@ -382,7 +375,6 @@ func (s *svc) DeleteStorageSpace(ctx context.Context, req *provider.DeleteStorag } id := &provider.ResourceId{OpaqueId: req.GetId().GetOpaqueId()} - s.providerCache.RemoveListStorageProviders(id) if dsRes.Status.Code != rpc.Code_CODE_OK { return dsRes, nil @@ -453,7 +445,7 @@ func (s *svc) GetHome(ctx context.Context, _ *provider.GetHomeRequest) (*provide return nil, errors.New("user not found in context") } - srClient, err := s.getStorageRegistryClient(ctx, s.c.StorageRegistryEndpoint) + srClient, err := pool.GetStorageRegistryClient(s.c.StorageRegistryEndpoint) if err != nil { return &provider.GetHomeResponse{ Status: status.NewStatusFromErrType(ctx, "gateway could not get storage registry client", err), @@ -1047,7 +1039,7 @@ func (s *svc) find(ctx context.Context, ref *provider.Reference) (provider.Provi return nil, nil, err } - client, err := s.getStorageProviderClient(ctx, p[0]) + client, err := pool.GetStorageProviderServiceClient(p[0].Address) return client, p[0], err } @@ -1061,7 +1053,7 @@ func (s *svc) findSpacesProvider(ctx context.Context, ref *provider.Reference) ( return nil, nil, err } - client, err := s.getSpacesProviderClient(ctx, p[0]) + client, err := pool.GetSpacesProviderServiceClient(p[0].Address) return client, p[0], err } 
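Review bot: Dropping `s.providerCache.RemoveListStorageProviders(id)` from UpdateStorageSpace and DeleteStorageSpace leaves nothing that invalidates provider-cache entries on rename or delete; if the cache is still consulted anywhere (it is still constructed in gateway.go and `cachedRegistryClient` still reads it), a deleted or renamed space stays resolvable until the TTL runs out — 300 s in the ocis defaults shown earlier in this patch. If the cache is genuinely no longer read on these paths, a one-line comment at the deletion site, e.g. `// provider cache is no longer consulted on this path; no invalidation needed`, would spare the next reader the same question. Both functions start and end outside the hunk.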
@@ -1086,41 +1078,6 @@ func (s *svc) findAndUnwrap(ctx context.Context, ref *provider.Reference) (provi return c, p, relativeReference, nil } -func (s *svc) getSpacesProviderClient(_ context.Context, p *registry.ProviderInfo) (provider.SpacesAPIClient, error) { - c, err := pool.GetSpacesProviderServiceClient(p.Address) - if err != nil { - return nil, err - } - - return &cachedSpacesAPIClient{ - c: c, - createPersonalSpaceCache: s.createPersonalSpaceCache, - }, nil -} - -func (s *svc) getStorageProviderClient(_ context.Context, p *registry.ProviderInfo) (provider.ProviderAPIClient, error) { - c, err := pool.GetStorageProviderServiceClient(p.Address) - if err != nil { - return nil, err - } - - return &cachedAPIClient{ - c: c, - createPersonalSpaceCache: s.createPersonalSpaceCache, - }, nil -} - -func (s *svc) getStorageRegistryClient(_ context.Context, address string) (registry.RegistryAPIClient, error) { - c, err := pool.GetStorageRegistryClient(address) - if err != nil { - return nil, err - } - return &cachedRegistryClient{ - c: c, - cache: s.providerCache, - }, nil -} - func (s *svc) findSingleSpace(ctx context.Context, ref *provider.Reference) ([]*registry.ProviderInfo, error) { switch { case ref == nil: diff --git a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovidercache.go b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovidercache.go index c5fc1ba8c43..e58b4382640 100644 --- a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovidercache.go +++ b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/gateway/storageprovidercache.go 
@@ -22,12 +22,9 @@ import (
 	"context"
 
 	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
-	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	registry "github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1"
 	ctxpkg "github.com/owncloud/reva/v2/pkg/ctx"
-	sdk "github.com/owncloud/reva/v2/pkg/sdk/common"
 	"github.com/owncloud/reva/v2/pkg/storage/cache"
-	"github.com/owncloud/reva/v2/pkg/storagespace"
 	"github.com/owncloud/reva/v2/pkg/utils"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
@@ -43,8 +40,10 @@ type cachedRegistryClient struct {
 }
 
 func (c *cachedRegistryClient) ListStorageProviders(ctx context.Context, in *registry.ListStorageProvidersRequest, opts ...grpc.CallOption) (*registry.ListStorageProvidersResponse, error) {
-
-	spaceID := sdk.DecodeOpaqueMap(in.Opaque)["space_id"]
+	spaceID := utils.ReadPlainFromOpaque(in.GetOpaque(), "space_id")
+	if storageID := utils.ReadPlainFromOpaque(in.GetOpaque(), "storage_id"); storageID != "" {
+		spaceID = storageID + "$" + spaceID
+	}
 
 	u, ok := ctxpkg.ContextGetUser(ctx)
 	if !ok {
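Review bot: `spaceID = storageID + "$" + spaceID` yields a key ending in a bare `$` when the request carries `storage_id` but no `space_id`, and nothing explains why the composed form is chosen; a comment such as `// namespace the cache key by storage provider so vault and regular spaces of the same user never share an entry` (adjusted to the real intent) is needed, and the empty-space_id case should either be rejected or documented as deliberate. Since the gateway's `getStorageRegistryClient` wrapper is deleted later in this patch, it is not visible here who still constructs `cachedRegistryClient`; if no caller remains, this method is changing dead code. ListStorageProviders continues past the hunk.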
@@ -83,195 +82,3 @@ func (c *cachedRegistryClient) GetStorageProviders(ctx context.Context, in *regi func (c *cachedRegistryClient) GetHome(ctx context.Context, in *registry.GetHomeRequest, opts ...grpc.CallOption) (*registry.GetHomeResponse, error) { return c.c.GetHome(ctx, in, opts...) } - -/* - Cached Spaces Provider -*/ - -type cachedSpacesAPIClient struct { - c provider.SpacesAPIClient - createPersonalSpaceCache cache.CreatePersonalSpaceCache -} - -// CreateStorageSpace creates a storage space -func (c *cachedSpacesAPIClient) CreateStorageSpace(ctx context.Context, in *provider.CreateStorageSpaceRequest, opts ...grpc.CallOption) (*provider.CreateStorageSpaceResponse, error) { - if in.Type == "personal" { - u, ok := ctxpkg.ContextGetUser(ctx) - if !ok { - return nil, errors.New("user not found in context") - } - - key := c.createPersonalSpaceCache.GetKey(u.GetId()) - if key != "" { - s := &provider.CreateStorageSpaceResponse{} - if err := c.createPersonalSpaceCache.PullFromCache(key, s); err == nil { - return s, nil - } - } - resp, err := c.c.CreateStorageSpace(ctx, in, opts...) - switch { - case err != nil: - return nil, err - case resp.Status.Code != rpc.Code_CODE_OK && resp.Status.Code != rpc.Code_CODE_ALREADY_EXISTS: - return resp, nil - case key == "": - return resp, nil - default: - return resp, c.createPersonalSpaceCache.PushToCache(key, resp) - } - } - return c.c.CreateStorageSpace(ctx, in, opts...) -} - -func (c *cachedSpacesAPIClient) ListStorageSpaces(ctx context.Context, in *provider.ListStorageSpacesRequest, opts ...grpc.CallOption) (*provider.ListStorageSpacesResponse, error) { - return c.c.ListStorageSpaces(ctx, in, opts...) -} -func (c *cachedSpacesAPIClient) UpdateStorageSpace(ctx context.Context, in *provider.UpdateStorageSpaceRequest, opts ...grpc.CallOption) (*provider.UpdateStorageSpaceResponse, error) { - return c.c.UpdateStorageSpace(ctx, in, opts...) 
-} -func (c *cachedSpacesAPIClient) DeleteStorageSpace(ctx context.Context, in *provider.DeleteStorageSpaceRequest, opts ...grpc.CallOption) (*provider.DeleteStorageSpaceResponse, error) { - resp, err := c.c.DeleteStorageSpace(ctx, in, opts...) - switch { - case err != nil: - return nil, err - case resp.Status.Code != rpc.Code_CODE_OK: - return resp, nil - default: - _, spaceid, _, _ := storagespace.SplitID(in.GetId().GetOpaqueId()) - _ = c.createPersonalSpaceCache.Delete(spaceid) - return resp, nil - } -} - -/* - Cached Storage Provider -*/ - -type cachedAPIClient struct { - c provider.ProviderAPIClient - createPersonalSpaceCache cache.CreatePersonalSpaceCache -} - -// CreateHome caches calls to CreateHome locally - anyways they only need to be called once per user -func (c *cachedAPIClient) CreateHome(ctx context.Context, in *provider.CreateHomeRequest, opts ...grpc.CallOption) (*provider.CreateHomeResponse, error) { - u, ok := ctxpkg.ContextGetUser(ctx) - if !ok { - return nil, errors.New("user not found in context") - } - - key := c.createPersonalSpaceCache.GetKey(u.GetId()) - if key != "" { - s := &provider.CreateHomeResponse{} - if err := c.createPersonalSpaceCache.PullFromCache(key, s); err == nil { - return s, nil - } - } - resp, err := c.c.CreateHome(ctx, in, opts...) - switch { - case err != nil: - return nil, err - case resp.Status.Code != rpc.Code_CODE_OK && resp.Status.Code != rpc.Code_CODE_ALREADY_EXISTS: - return resp, nil - case key == "": - return resp, nil - default: - return resp, c.createPersonalSpaceCache.PushToCache(key, resp) - } -} - -// methods below here are not cached, they just call the client directly - -// Stat returns the Resoure info for a given resource -func (c *cachedAPIClient) Stat(ctx context.Context, in *provider.StatRequest, opts ...grpc.CallOption) (*provider.StatResponse, error) { - return c.c.Stat(ctx, in, opts...) 
-} -func (c *cachedAPIClient) AddGrant(ctx context.Context, in *provider.AddGrantRequest, opts ...grpc.CallOption) (*provider.AddGrantResponse, error) { - return c.c.AddGrant(ctx, in, opts...) -} -func (c *cachedAPIClient) CreateContainer(ctx context.Context, in *provider.CreateContainerRequest, opts ...grpc.CallOption) (*provider.CreateContainerResponse, error) { - return c.c.CreateContainer(ctx, in, opts...) -} -func (c *cachedAPIClient) Delete(ctx context.Context, in *provider.DeleteRequest, opts ...grpc.CallOption) (*provider.DeleteResponse, error) { - return c.c.Delete(ctx, in, opts...) -} -func (c *cachedAPIClient) DenyGrant(ctx context.Context, in *provider.DenyGrantRequest, opts ...grpc.CallOption) (*provider.DenyGrantResponse, error) { - return c.c.DenyGrant(ctx, in, opts...) -} -func (c *cachedAPIClient) GetPath(ctx context.Context, in *provider.GetPathRequest, opts ...grpc.CallOption) (*provider.GetPathResponse, error) { - return c.c.GetPath(ctx, in, opts...) -} -func (c *cachedAPIClient) GetQuota(ctx context.Context, in *provider.GetQuotaRequest, opts ...grpc.CallOption) (*provider.GetQuotaResponse, error) { - return c.c.GetQuota(ctx, in, opts...) -} -func (c *cachedAPIClient) InitiateFileDownload(ctx context.Context, in *provider.InitiateFileDownloadRequest, opts ...grpc.CallOption) (*provider.InitiateFileDownloadResponse, error) { - return c.c.InitiateFileDownload(ctx, in, opts...) -} -func (c *cachedAPIClient) InitiateFileUpload(ctx context.Context, in *provider.InitiateFileUploadRequest, opts ...grpc.CallOption) (*provider.InitiateFileUploadResponse, error) { - return c.c.InitiateFileUpload(ctx, in, opts...) -} -func (c *cachedAPIClient) ListGrants(ctx context.Context, in *provider.ListGrantsRequest, opts ...grpc.CallOption) (*provider.ListGrantsResponse, error) { - return c.c.ListGrants(ctx, in, opts...) 
-} -func (c *cachedAPIClient) ListContainerStream(ctx context.Context, in *provider.ListContainerStreamRequest, opts ...grpc.CallOption) (provider.ProviderAPI_ListContainerStreamClient, error) { - return c.c.ListContainerStream(ctx, in, opts...) -} -func (c *cachedAPIClient) ListContainer(ctx context.Context, in *provider.ListContainerRequest, opts ...grpc.CallOption) (*provider.ListContainerResponse, error) { - return c.c.ListContainer(ctx, in, opts...) -} -func (c *cachedAPIClient) ListFileVersions(ctx context.Context, in *provider.ListFileVersionsRequest, opts ...grpc.CallOption) (*provider.ListFileVersionsResponse, error) { - return c.c.ListFileVersions(ctx, in, opts...) -} -func (c *cachedAPIClient) ListRecycleStream(ctx context.Context, in *provider.ListRecycleStreamRequest, opts ...grpc.CallOption) (provider.ProviderAPI_ListRecycleStreamClient, error) { - return c.c.ListRecycleStream(ctx, in, opts...) -} -func (c *cachedAPIClient) ListRecycle(ctx context.Context, in *provider.ListRecycleRequest, opts ...grpc.CallOption) (*provider.ListRecycleResponse, error) { - return c.c.ListRecycle(ctx, in, opts...) -} -func (c *cachedAPIClient) Move(ctx context.Context, in *provider.MoveRequest, opts ...grpc.CallOption) (*provider.MoveResponse, error) { - return c.c.Move(ctx, in, opts...) -} -func (c *cachedAPIClient) RemoveGrant(ctx context.Context, in *provider.RemoveGrantRequest, opts ...grpc.CallOption) (*provider.RemoveGrantResponse, error) { - return c.c.RemoveGrant(ctx, in, opts...) -} -func (c *cachedAPIClient) PurgeRecycle(ctx context.Context, in *provider.PurgeRecycleRequest, opts ...grpc.CallOption) (*provider.PurgeRecycleResponse, error) { - return c.c.PurgeRecycle(ctx, in, opts...) -} -func (c *cachedAPIClient) RestoreFileVersion(ctx context.Context, in *provider.RestoreFileVersionRequest, opts ...grpc.CallOption) (*provider.RestoreFileVersionResponse, error) { - return c.c.RestoreFileVersion(ctx, in, opts...) 
-} -func (c *cachedAPIClient) RestoreRecycleItem(ctx context.Context, in *provider.RestoreRecycleItemRequest, opts ...grpc.CallOption) (*provider.RestoreRecycleItemResponse, error) { - return c.c.RestoreRecycleItem(ctx, in, opts...) -} -func (c *cachedAPIClient) UpdateGrant(ctx context.Context, in *provider.UpdateGrantRequest, opts ...grpc.CallOption) (*provider.UpdateGrantResponse, error) { - return c.c.UpdateGrant(ctx, in, opts...) -} -func (c *cachedAPIClient) CreateSymlink(ctx context.Context, in *provider.CreateSymlinkRequest, opts ...grpc.CallOption) (*provider.CreateSymlinkResponse, error) { - return c.c.CreateSymlink(ctx, in, opts...) -} -func (c *cachedAPIClient) CreateReference(ctx context.Context, in *provider.CreateReferenceRequest, opts ...grpc.CallOption) (*provider.CreateReferenceResponse, error) { - return c.c.CreateReference(ctx, in, opts...) -} -func (c *cachedAPIClient) SetArbitraryMetadata(ctx context.Context, in *provider.SetArbitraryMetadataRequest, opts ...grpc.CallOption) (*provider.SetArbitraryMetadataResponse, error) { - return c.c.SetArbitraryMetadata(ctx, in, opts...) -} -func (c *cachedAPIClient) UnsetArbitraryMetadata(ctx context.Context, in *provider.UnsetArbitraryMetadataRequest, opts ...grpc.CallOption) (*provider.UnsetArbitraryMetadataResponse, error) { - return c.c.UnsetArbitraryMetadata(ctx, in, opts...) -} -func (c *cachedAPIClient) SetLock(ctx context.Context, in *provider.SetLockRequest, opts ...grpc.CallOption) (*provider.SetLockResponse, error) { - return c.c.SetLock(ctx, in, opts...) -} -func (c *cachedAPIClient) GetLock(ctx context.Context, in *provider.GetLockRequest, opts ...grpc.CallOption) (*provider.GetLockResponse, error) { - return c.c.GetLock(ctx, in, opts...) -} -func (c *cachedAPIClient) RefreshLock(ctx context.Context, in *provider.RefreshLockRequest, opts ...grpc.CallOption) (*provider.RefreshLockResponse, error) { - return c.c.RefreshLock(ctx, in, opts...) 
-} -func (c *cachedAPIClient) Unlock(ctx context.Context, in *provider.UnlockRequest, opts ...grpc.CallOption) (*provider.UnlockResponse, error) { - return c.c.Unlock(ctx, in, opts...) -} -func (c *cachedAPIClient) GetHome(ctx context.Context, in *provider.GetHomeRequest, opts ...grpc.CallOption) (*provider.GetHomeResponse, error) { - return c.c.GetHome(ctx, in, opts...) -} -func (c *cachedAPIClient) TouchFile(ctx context.Context, in *provider.TouchFileRequest, opts ...grpc.CallOption) (*provider.TouchFileResponse, error) { - return c.c.TouchFile(ctx, in, opts...) -} diff --git a/vendor/github.com/owncloud/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/spaces.go b/vendor/github.com/owncloud/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/spaces.go index 41c92b936c6..12093c61230 100644 --- a/vendor/github.com/owncloud/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/spaces.go +++ b/vendor/github.com/owncloud/reva/v2/internal/http/services/owncloud/ocs/handlers/apps/sharing/shares/spaces.go @@ -137,8 +137,7 @@ func (h *Handler) addSpaceMember(w http.ResponseWriter, r *http.Request, info *p response.WriteOCSError(w, r, response.MetaNotFound.StatusCode, "error getting storage provider", err) return } - - providerClient, err := h.getStorageProviderClient(p) + providerClient, err := pool.GetStorageProviderServiceClient(p.Address) if err != nil { response.WriteOCSError(w, r, response.MetaNotFound.StatusCode, "error getting storage provider client", err) return 
@@ -244,8 +243,7 @@ func (h *Handler) removeSpaceMember(w http.ResponseWriter, r *http.Request, spac if ref.ResourceId.OpaqueId == "" { ref.ResourceId.OpaqueId = ref.ResourceId.SpaceId } - - providerClient, err := h.getStorageProviderClient(prov) + providerClient, err := pool.GetStorageProviderServiceClient(prov.Address) if err != nil { response.WriteOCSError(w, r, response.MetaNotFound.StatusCode, "error getting storage provider client", err) return @@ -290,16 +288,6 @@ func (h *Handler) removeSpaceMember(w http.ResponseWriter, r *http.Request, spac response.WriteOCSSuccess(w, r, nil) } -func (h *Handler) getStorageProviderClient(p *registry.ProviderInfo) (provider.ProviderAPIClient, error) { - c, err := pool.GetStorageProviderServiceClient(p.Address) - if err != nil { - err = errors.Wrap(err, "shares spaces: error getting a storage provider client") - return nil, err - } - - return c, nil -} - func (h *Handler) findProvider(ctx context.Context, ref *provider.Reference) (*registry.ProviderInfo, error) { c, err := pool.GetStorageRegistryClient(h.storageRegistryAddr) if err != nil { diff --git a/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/cache.go b/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/cache.go index d91c8576ea8..1829ede4c01 100644 --- a/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/cache.go +++ b/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/cache.go 
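Review bot: Deleting `getStorageProviderClient` removes the only visible use of `errors.Wrap` in this file, and the hunks do not touch the import block; unless something else in spaces.go still references `errors` (or `registry`, now that `*registry.ProviderInfo` is gone from this signature), the file no longer compiles. The two call sites in addSpaceMember and removeSpaceMember now hand the raw pool error to `response.WriteOCSError`, which is fine because the OCS message already carries the "error getting storage provider client" context the wrapper used to add. Both handlers start outside the hunks.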
@@ -34,12 +34,10 @@ import ( var ( // DefaultStatCache is the memory store. - statCaches = make(map[string]StatCache) - providerCaches = make(map[string]ProviderCache) - createHomeCaches = make(map[string]CreateHomeCache) - createPersonalSpaceCaches = make(map[string]CreatePersonalSpaceCache) - fileMetadataCaches = make(map[string]FileMetadataCache) - mutex sync.Mutex + statCaches = make(map[string]StatCache) + providerCaches = make(map[string]ProviderCache) + fileMetadataCaches = make(map[string]FileMetadataCache) + mutex sync.Mutex ) // Config contains the configuring for a cache @@ -82,19 +80,6 @@ type ProviderCache interface { GetKey(userID *userpb.UserId, spaceID string) string } -// CreateHomeCache handles removing keys from a create home cache -type CreateHomeCache interface { - Cache - RemoveCreateHome(res *provider.ResourceId) - GetKey(userID *userpb.UserId) string -} - -// CreatePersonalSpaceCache handles removing keys from a create home cache -type CreatePersonalSpaceCache interface { - Cache - GetKey(userID *userpb.UserId) string -} - // FileMetadataCache handles file metadata type FileMetadataCache interface { Cache 
@@ -127,32 +112,6 @@ func GetProviderCache(cfg Config) ProviderCache { return providerCaches[key] } -// GetCreateHomeCache will return an existing CreateHomeCache for the given store, nodes, database and table -// If it does not exist yet it will be created, different TTLs are ignored -func GetCreateHomeCache(cfg Config) CreateHomeCache { - mutex.Lock() - defer mutex.Unlock() - - key := strings.Join(append(append([]string{cfg.Store}, cfg.Nodes...), cfg.Database, cfg.Table), ":") - if createHomeCaches[key] == nil { - createHomeCaches[key] = NewCreateHomeCache(cfg) - } - return createHomeCaches[key] -} - -// GetCreatePersonalSpaceCache will return an existing CreatePersonalSpaceCache for the given store, nodes, database and table -// If it does not exist yet it will be created, different TTLs are ignored -func GetCreatePersonalSpaceCache(cfg Config) CreatePersonalSpaceCache { - mutex.Lock() - defer mutex.Unlock() - - key := strings.Join(append(append([]string{cfg.Store}, cfg.Nodes...), cfg.Database, cfg.Table), ":") - if createPersonalSpaceCaches[key] == nil { - createPersonalSpaceCaches[key] = NewCreatePersonalSpaceCache(cfg) - } - return createPersonalSpaceCaches[key] -} - // GetFileMetadataCache will return an existing GetFileMetadataCache for the given store, nodes, database and table // If it does not exist yet it will be created, different TTLs are ignored func GetFileMetadataCache(cfg Config) FileMetadataCache { diff --git a/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createhome.go b/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createhome.go deleted file mode 100644 index 3b3c67835dd..00000000000 --- a/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createhome.go +++ /dev/null 
@@ -1,67 +0,0 @@ -// Copyright 2018-2021 CERN -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// In applying this license, CERN does not waive the privileges and immunities -// granted to it by virtue of its status as an Intergovernmental Organization -// or submit itself to any jurisdiction. - -package cache - -import ( - "strings" - - userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" - provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" -) - -// CreateHomeCache can invalidate all create home related cache entries -type createHomeCache struct { - cacheStore -} - -// NewCreateHomeCache creates a new CreateHomeCache -func NewCreateHomeCache(cfg Config) CreateHomeCache { - c := &createHomeCache{} - c.s = getStore(cfg) - c.database = cfg.Database - c.table = cfg.Table - c.ttl = cfg.TTL - - return c -} - -// RemoveCreateHome removes a reference from the listproviders cache -func (c createHomeCache) RemoveCreateHome(res *provider.ResourceId) { - if res == nil { - return - } - sid := res.SpaceId - - keys, err := c.List() - if err != nil { - // FIXME log error - return - } - // FIXME add context option to List, Read and Write to upstream - for _, key := range keys { - if strings.Contains(key, sid) { - _ = c.Delete(key) - continue - } - } -} - -func (c createHomeCache) GetKey(userID *userpb.UserId) string { - return userID.GetOpaqueId() -} 
diff --git a/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createpersonalspace.go b/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createpersonalspace.go deleted file mode 100644 index b7422b504e2..00000000000 --- a/vendor/github.com/owncloud/reva/v2/pkg/storage/cache/createpersonalspace.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2018-2023 CERN -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// In applying this license, CERN does not waive the privileges and immunities -// granted to it by virtue of its status as an Intergovernmental Organization -// or submit itself to any jurisdiction. - -package cache - -import ( - userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1" -) - -// CreatePersonalSpaceCache can invalidate all create home related cache entries -type createPersonalSpaceCache struct { - cacheStore -} - -// NewCreatePersonalSpaceCache creates a new CreatePersonalSpaceCache -func NewCreatePersonalSpaceCache(cfg Config) CreatePersonalSpaceCache { - c := &createPersonalSpaceCache{} - c.s = getStore(cfg) - c.database = cfg.Database - c.table = cfg.Table - c.ttl = cfg.TTL - - return c -} - -func (c createPersonalSpaceCache) GetKey(userID *userpb.UserId) string { - return userID.GetOpaqueId() -} diff --git a/vendor/modules.txt b/vendor/modules.txt index f3203eac5cf..4acc3889010 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -1316,7 +1316,7 @@ github.com/orcaman/concurrent-map # github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 ## explicit; go 1.18 github.com/owncloud/libre-graph-api-go -# github.com/owncloud/reva/v2 v2.0.0-20260312104210-c674fbcf5357 +# github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb ## explicit; go 1.24.0 github.com/owncloud/reva/v2/cmd/revad/internal/grace github.com/owncloud/reva/v2/cmd/revad/runtime From d3353135c3735cd592d0c11aab6bfd17b3866f0d Mon Sep 17 00:00:00 2001 From: Roman Perekhod <2403905@gmail.com> Date: Mon, 16 Mar 2026 13:17:20 +0100 Subject: [PATCH 04/11] configurate the vault srorage Postprocessing --- go.mod | 2 +- go.sum | 4 ++-- services/graph/pkg/config/config.go | 2 +- services/graph/pkg/config/service.go | 2 +- services/policies/pkg/service/event/service.go | 1 + .../pkg/postprocessing/postprocessing.go | 1 + services/storage-users/pkg/config/config.go | 1 + services/storage-users/pkg/revaconfig/drivers.go | 6 ++++-- .../services/storageprovider/storageprovider.go | 3 ++- .../owncloud/reva/v2/pkg/events/postprocessing.go | 2 ++ .../pkg/storage/utils/decomposedfs/decomposedfs.go | 14 +++++++++++++- .../storage/utils/decomposedfs/options/options.go | 9 +++++++-- vendor/modules.txt | 2 +- 13 files changed, 37 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index e88471d8493..8936ee3fdcc 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( github.com/open-policy-agent/opa v1.12.3 github.com/orcaman/concurrent-map v1.0.0 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 - github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb + github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c github.com/pkg/errors v0.9.1 github.com/pkg/xattr v0.4.12 github.com/prometheus/client_golang v1.23.2 diff --git a/go.sum b/go.sum index 0411f7ad1fe..da15085ec79 100644 --- a/go.sum +++ b/go.sum 
@@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 h1:JRidLTAKhnvyLMRtVtSF4lhBa0NSAOs6fof+d6JnKII= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og= -github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb h1:HFkxvUDS+LOm2ne72/x0394YroDfdOM4tSjYoaU7Dnc= -github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= +github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c h1:VRfZs7WElgVSnQvH7nMkjMg4Ny95/a2RbXuxfP/BEjc= +github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0= github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw= diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go index fe7fd13d04a..813d24382b4 100644 --- a/services/graph/pkg/config/config.go +++ b/services/graph/pkg/config/config.go 
@@ -39,7 +39,7 @@ type Config struct { Validation Validation `yaml:"validation"` - EnableVaultMode bool `yaml:"enable_vault_mode" env:"GRAPH_ENABLE_VAULT_MODE" desc:"Enable vault mode for the graph service runned in addition to the regular graph service. Required the running the storage-users-vault additional service." introductionVersion:"%%NEXT%%"` + EnableVaultMode bool `yaml:"enable_vault_mode" env:"GRAPH_ENABLE_VAULT_MODE" desc:"Enable vault mode for the graph service runned in addition to the regular graph service. Required the running the storage-users-vault additional service." introductionVersion:"daledda"` Context context.Context `yaml:"-"` } diff --git a/services/graph/pkg/config/service.go b/services/graph/pkg/config/service.go index 084c350deb7..f7edce2b7dd 100644 --- a/services/graph/pkg/config/service.go +++ b/services/graph/pkg/config/service.go @@ -2,5 +2,5 @@ package config // Service defines the available service configuration. type Service struct { - Name string `yaml:"name" env:"GRAPH_SERVICE_NAME" desc:"The name of the service." introductionVersion:"%%NEXT%%"` + Name string `yaml:"name" env:"GRAPH_SERVICE_NAME" desc:"The name of the service." introductionVersion:"daledda"` } diff --git a/services/policies/pkg/service/event/service.go b/services/policies/pkg/service/event/service.go index 69f035eebd2..defbd60fa14 100644 --- a/services/policies/pkg/service/event/service.go +++ b/services/policies/pkg/service/event/service.go @@ -125,6 +125,7 @@ func (s Service) processEvent(e events.Event) error { if err := events.Publish(ctx, s.stream, events.PostprocessingStepFinished{ Outcome: outcome, UploadID: ev.UploadID, + ResourceID: ev.ResourceID, ExecutingUser: ev.ExecutingUser, Filename: ev.Filename, FinishedStep: ev.StepToStart, diff --git a/services/postprocessing/pkg/postprocessing/postprocessing.go b/services/postprocessing/pkg/postprocessing/postprocessing.go index aca4ea3e86d..d067dcbe34b 100644 
--- a/services/postprocessing/pkg/postprocessing/postprocessing.go +++ b/services/postprocessing/pkg/postprocessing/postprocessing.go @@ -119,6 +119,7 @@ func (pp *Postprocessing) finished(outcome events.PostprocessingOutcome) events. UploadID: pp.ID, ExecutingUser: pp.User, Filename: pp.Filename, + ResourceID: pp.ResourceID, Outcome: outcome, ImpersonatingUser: pp.ImpersonatingUser, } diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go index c3bfa18c90e..a2fd53113e6 100644 --- a/services/storage-users/pkg/config/config.go +++ b/services/storage-users/pkg/config/config.go 
@@ -215,6 +215,7 @@ type Events struct {
 TLSRootCaCertPath string `yaml:"tls_root_ca_cert_path" env:"OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"pre5.0"`
 EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;STORAGE_USERS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services." introductionVersion:"pre5.0"`
 NumConsumers int `yaml:"num_consumers" env:"STORAGE_USERS_EVENTS_NUM_CONSUMERS" desc:"The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OCIS_ASYNC_UPLOADS is set to false. The default and minimum value is 1." introductionVersion:"pre5.0"`
+ ConsumerGroup string `yaml:"consumer_group" env:"STORAGE_USERS_EVENTS_CONSUMER_GROUP" desc:"The consumer group name to use for the event consumers. The consumer group name is used to identify the consumers." introductionVersion:"daledda"`
 AuthUsername string `yaml:"username" env:"OCIS_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services." introductionVersion:"5.0"`
 AuthPassword string `yaml:"password" env:"OCIS_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services." introductionVersion:"5.0"`
 }
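Review bot: The desc on the added `ConsumerGroup` field is circular ("The consumer group name is used to identify the consumers") and does not state the default, so an operator reading the generated env-var reference cannot tell when the value has to be set. The default is applied in the vendored `options.New` of this series, which falls back to `dcfs` when the value is empty, and the field exists presumably because a second storage-users instance (the vault one) has to consume the same events without sharing a group with the regular instance. A desc along the lines of `desc:"The consumer group name used by the event consumers. Defaults to 'dcfs'. Instances that must each receive every event, such as a regular and a vault storage-users service on the same broker, need distinct group names."` would make that explicit.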
diff --git a/services/storage-users/pkg/revaconfig/drivers.go b/services/storage-users/pkg/revaconfig/drivers.go index 311e40c7591..9d6da1c1191 100644 --- a/services/storage-users/pkg/revaconfig/drivers.go +++ b/services/storage-users/pkg/revaconfig/drivers.go @@ -198,7 +198,8 @@ func Ocis(cfg *config.Config) map[string]interface{} { "cache_auth_password": cfg.IDCache.AuthPassword, }, "events": map[string]interface{}{ - "numconsumers": cfg.Events.NumConsumers, + "numconsumers": cfg.Events.NumConsumers, + "consumer_group": cfg.Events.ConsumerGroup, }, "tokens": map[string]interface{}{ "transfer_shared_secret": cfg.Commons.TransferSecret, @@ -321,7 +322,8 @@ func S3NG(cfg *config.Config) map[string]interface{} { "cache_auth_password": cfg.IDCache.AuthPassword, }, "events": map[string]interface{}{ - "numconsumers": cfg.Events.NumConsumers, + "numconsumers": cfg.Events.NumConsumers, + "consumer_group": cfg.Events.ConsumerGroup, }, "tokens": map[string]interface{}{ "transfer_shared_secret": cfg.Commons.TransferSecret, diff --git a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/storageprovider/storageprovider.go b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/storageprovider/storageprovider.go index d790bf2c1d5..2bf7025e9b8 100644 --- a/vendor/github.com/owncloud/reva/v2/internal/grpc/services/storageprovider/storageprovider.go +++ b/vendor/github.com/owncloud/reva/v2/internal/grpc/services/storageprovider/storageprovider.go @@ -33,6 +33,7 @@ import ( rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1" provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" typesv1beta1 "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" + "github.com/mitchellh/mapstructure" "github.com/owncloud/reva/v2/pkg/appctx" "github.com/owncloud/reva/v2/pkg/conversions" ctxpkg "github.com/owncloud/reva/v2/pkg/ctx" 
@@ -47,7 +48,6 @@ import ( "github.com/owncloud/reva/v2/pkg/storage/fs/registry" "github.com/owncloud/reva/v2/pkg/storagespace" "github.com/owncloud/reva/v2/pkg/utils" - "github.com/mitchellh/mapstructure" "github.com/pkg/errors" "github.com/rs/zerolog" "go.opentelemetry.io/otel/attribute" @@ -787,6 +787,7 @@ func (s *Service) Stat(ctx context.Context, req *provider.StatRequest) (*provide s.addMissingStorageProviderID(md.GetId(), nil) s.addMissingStorageProviderID(md.GetParentId(), nil) s.addMissingStorageProviderID(md.GetSpace().GetRoot(), nil) + s.addMissingStorageProviderID(md.GetSpace().GetRootInfo().GetId(), nil) return &provider.StatResponse{ Status: status.NewOK(ctx), diff --git a/vendor/github.com/owncloud/reva/v2/pkg/events/postprocessing.go b/vendor/github.com/owncloud/reva/v2/pkg/events/postprocessing.go index f4268920a3d..64318cb9487 100644 --- a/vendor/github.com/owncloud/reva/v2/pkg/events/postprocessing.go +++ b/vendor/github.com/owncloud/reva/v2/pkg/events/postprocessing.go @@ -103,6 +103,7 @@ type PostprocessingStepFinished struct { UploadID string ExecutingUser *user.User Filename string + ResourceID *provider.ResourceId FinishedStep Postprocessingstep // name of the step Result interface{} // result information see VirusscanResult for example @@ -145,6 +146,7 @@ type VirusscanResult struct { type PostprocessingFinished struct { UploadID string Filename string + ResourceID *provider.ResourceId SpaceOwner *user.UserId ExecutingUser *user.User Result map[Postprocessingstep]interface{} // it is a map[step]Event diff --git a/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go b/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go index 79dcc454a76..c4c4fd1e08f 100644 --- a/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go +++ b/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/decomposedfs.go 
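Review bot: The `ResourceID` field added to `PostprocessingStepFinished` and to `PostprocessingFinished` carries no comment, while neighbouring fields such as `FinishedStep` and `Result` document themselves, and the decomposedfs hunks in this series now read its storage id to drop events meant for another storage provider, so the field's role should be written down: `ResourceID *provider.ResourceId // resource the upload belongs to; consumers compare its storage id with their own mount id to skip foreign events`. Both struct definitions continue outside the hunks.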
@@ -258,7 +258,7 @@ func New(o *options.Options, aspects aspects.Aspects, log *zerolog.Logger) (stor
 return nil, errors.New("need nats for async file processing")
 }
 
- ch, err := events.Consume(fs.stream, "dcfs", _registeredEvents...)
+ ch, err := events.Consume(fs.stream, o.Events.ConsumerGroup, _registeredEvents...)
 if err != nil {
 return nil, err
 }
@@ -285,6 +285,10 @@ func (fs *Decomposedfs) Postprocessing(ch <-chan events.Event) {
 switch ev := event.Event.(type) {
 case events.PostprocessingFinished:
 sublog := log.With().Str("event", "PostprocessingFinished").Str("uploadid", ev.UploadID).Logger()
+ if ev.ResourceID != nil && ev.ResourceID.GetStorageId() != "" && ev.ResourceID.GetStorageId() != fs.o.MountID {
+ sublog.Debug().Msg("ignoring event for different storage")
+ continue
+ }
 session, err := fs.sessionStore.Get(ctx, ev.UploadID)
 if err != nil {
 sublog.Error().Err(err).Msg("Failed to get upload")
@@ -450,6 +454,10 @@ func (fs *Decomposedfs) Postprocessing(ch <-chan events.Event) {
 session.Cleanup(true, !ev.KeepUpload, !ev.KeepUpload, true)
 case events.RevertRevision:
 sublog := log.With().Str("event", "RevertRevision").Interface("nodeid", ev.ResourceID).Logger()
+ if ev.ResourceID != nil && ev.ResourceID.GetStorageId() != "" && ev.ResourceID.GetStorageId() != fs.o.MountID {
+ sublog.Debug().Msg("ignoring event for different storage")
+ continue
+ }
 n, err := fs.lu.NodeFromID(ctx, ev.ResourceID)
 if err != nil {
 sublog.Error().Err(err).Msg("Failed to get node")
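Review bot: The storage filter inserted before `fs.sessionStore.Get` in the PostprocessingFinished case is repeated verbatim in the RevertRevision hunk on this line and in the PostprocessingStepFinished hunk (`@@ -462,6 +470,10 @@`), and its leading `ev.ResourceID != nil &&` clause is redundant because the generated protobuf getter returns "" on a nil receiver (the Stat hunk in storageprovider.go relies on the same nil-safe chaining). A small method on `Decomposedfs` gives the rule a name and keeps each call site to one condition. Note also that an event without a ResourceID, or with an empty storage id, is still consumed by every instance; for PostprocessingFinished the non-owning instance then presumably fails in `sessionStore.Get` and logs at error level, which deserves a comment at the check so the noise is not mistaken for a defect. `Postprocessing` starts and ends outside these hunks.

```go
// isForeignStorage reports whether storageID names a storage provider other
// than this instance. An empty id is not treated as foreign, so events from
// publishers that do not set a ResourceID are still handled here.
func (fs *Decomposedfs) isForeignStorage(storageID string) bool {
	return storageID != "" && storageID != fs.o.MountID
}

// … in Postprocessing, replacing each of the three added checks …
if fs.isForeignStorage(ev.ResourceID.GetStorageId()) {
	sublog.Debug().Msg("ignoring event for different storage")
	continue
}
```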
@@ -462,6 +470,10 @@ func (fs *Decomposedfs) Postprocessing(ch <-chan events.Event) {
 }
 case events.PostprocessingStepFinished:
 sublog := log.With().Str("event", "PostprocessingStepFinished").Str("uploadid", ev.UploadID).Logger()
+ if ev.ResourceID != nil && ev.ResourceID.GetStorageId() != "" && ev.ResourceID.GetStorageId() != fs.o.MountID {
+ sublog.Debug().Msg("ignoring event for different storage")
+ continue
+ }
 if ev.FinishedStep != events.PPStepAntivirus {
 // atm we are only interested in antivirus results
 continue
diff --git a/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/options/options.go b/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/options/options.go
index 5c76a383eac..210f2068130 100644
--- a/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/options/options.go
+++ b/vendor/github.com/owncloud/reva/v2/pkg/storage/utils/decomposedfs/options/options.go
@@ -23,10 +23,10 @@ import (
 "strings"
 "time"
 
+ "github.com/mitchellh/mapstructure"
 "github.com/owncloud/reva/v2/pkg/rgrpc/todo/pool"
 "github.com/owncloud/reva/v2/pkg/sharedconf"
 "github.com/owncloud/reva/v2/pkg/storage/cache"
- "github.com/mitchellh/mapstructure"
 "github.com/pkg/errors"
 )
 
@@ -103,7 +103,8 @@ type AsyncPropagatorOptions struct {
 
 // EventOptions are the configurable options for events
 type EventOptions struct {
- NumConsumers int `mapstructure:"numconsumers"`
+ NumConsumers int `mapstructure:"numconsumers"`
+ ConsumerGroup string `mapstructure:"consumer_group"`
 }
 
 // TokenOptions are the configurable option for tokens
@@ -172,5 +173,9 @@ func New(m map[string]interface{}) (*Options, error) {
 o.UploadDirectory = filepath.Join(o.Root, "uploads")
 }
 
+ if o.Events.ConsumerGroup == "" {
+ o.Events.ConsumerGroup = "dcfs"
+ }
+
 return o, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 4acc3889010..0dd6b10c34c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1316,7 +1316,7 @@ github.com/orcaman/concurrent-map # github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 ## explicit; go 1.18 github.com/owncloud/libre-graph-api-go -# github.com/owncloud/reva/v2 v2.0.0-20260312212500-b4cd50a2b1fb +# github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c ## explicit; go 1.24.0 github.com/owncloud/reva/v2/cmd/revad/internal/grace github.com/owncloud/reva/v2/cmd/revad/runtime From a9fa2c1e27771f8c7f71652ed8ef9664e5a9b2b4 Mon Sep 17 00:00:00 2001 From: Roman Perekhod <2403905@gmail.com> Date: Mon, 16 Mar 2026 14:59:22 +0100 Subject: [PATCH 05/11] hide the assignment of the MountID to VaultStorageProviderID behind a flag to avoid the ID mismatch --- go.mod | 2 +- go.sum | 4 ++-- services/storage-users/pkg/config/config.go | 2 ++ services/storage-users/pkg/config/defaults/defaultconfig.go | 6 ++++++ vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go | 4 +--- vendor/modules.txt | 2 +- 6 files changed, 13 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 8936ee3fdcc..d90ad2392b2 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( github.com/open-policy-agent/opa v1.12.3 github.com/orcaman/concurrent-map v1.0.0 github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 - github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c + github.com/owncloud/reva/v2 v2.0.0-20260316140824-a145e1807968 github.com/pkg/errors v0.9.1 github.com/pkg/xattr v0.4.12 github.com/prometheus/client_golang v1.23.2 diff --git a/go.sum b/go.sum index da15085ec79..de0ac894349 100644 --- a/go.sum +++ b/go.sum 
@@ -742,8 +742,8 @@ github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HD github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 h1:JRidLTAKhnvyLMRtVtSF4lhBa0NSAOs6fof+d6JnKII= github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245/go.mod h1:z61VMGAJRtR1nbgXWiNoCkxUXP1B3Je9rMuJbnGd+Og= -github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c h1:VRfZs7WElgVSnQvH7nMkjMg4Ny95/a2RbXuxfP/BEjc= -github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= +github.com/owncloud/reva/v2 v2.0.0-20260316140824-a145e1807968 h1:p5NMF+1kuaZCxMJCf00akd6w+gXAVmnIz0yUzWDmWK8= +github.com/owncloud/reva/v2 v2.0.0-20260316140824-a145e1807968/go.mod h1:+rCy6oGYb2/qs5gmQa8y/pHARw634vB73MZGDY2SBIQ= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw= github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0= github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw= diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go index a2fd53113e6..09526b90b4b 100644 --- a/services/storage-users/pkg/config/config.go +++ b/services/storage-users/pkg/config/config.go 
@@ -45,6 +45,8 @@ type Config struct { MachineAuthAPIKey string `yaml:"machine_auth_api_key" env:"OCIS_MACHINE_AUTH_API_KEY;STORAGE_USERS_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services." introductionVersion:"5.0"` CliMaxAttemptsRenameFile int `yaml:"max_attempts_rename_file" env:"STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE" desc:"The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100." introductionVersion:"5.0"` + EnableVaultMode bool `yaml:"enable_vault_mode" env:"STORAGE_USERS_ENABLE_VAULT_MODE" desc:"Enable vault mode for the storage-users service runned in addition to the regular storage-users service by owerrwiting the MountID to VaultStorageProviderID. Required the running the storage-users-vault additional service." introductionVersion:"daledda"` + Context context.Context `yaml:"-"` } diff --git a/services/storage-users/pkg/config/defaults/defaultconfig.go b/services/storage-users/pkg/config/defaults/defaultconfig.go index d6de665deea..f77ef6372f5 100644 --- a/services/storage-users/pkg/config/defaults/defaultconfig.go +++ b/services/storage-users/pkg/config/defaults/defaultconfig.go @@ -8,6 +8,7 @@ import ( "github.com/owncloud/ocis/v2/ocis-pkg/shared" "github.com/owncloud/ocis/v2/ocis-pkg/structs" "github.com/owncloud/ocis/v2/services/storage-users/pkg/config" + "github.com/owncloud/reva/v2/pkg/utils" ) // FullDefaultConfig returns a fully initialized default configuration @@ -226,6 +227,11 @@ func EnsureDefaults(cfg *config.Config) { cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") { cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL} } + + // set mount id to vault storage provider id + if cfg.EnableVaultMode { + cfg.MountID = utils.VaultStorageProviderID + } } // Sanitize sanitized the configuration 
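Review bot: The desc of the new `EnableVaultMode` field is user-facing text that ends up in the generated environment-variable reference, and it carries several typos and grammar slips: "runned", "owerrwiting", "Required the running". Suggested wording: `desc:"Enable vault mode for a storage-users instance that runs in addition to the regular one. When enabled, the configured mount ID is replaced by the fixed vault storage provider ID. Requires the storage-users-vault additional service to be running."`. The graph service field this was modelled on (`GRAPH_ENABLE_VAULT_MODE`, also touched in this series) has the same "runned" and "Required the running" wording and could be fixed in the same pass.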
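Review bot: The new block at the end of `EnsureDefaults` silently replaces `cfg.MountID` with `utils.VaultStorageProviderID` whenever `EnableVaultMode` is set, so a mount ID the operator configured explicitly is discarded without a log line, and the field desc in the config hunk is the only place this is mentioned. Since the commit's stated purpose is to avoid an ID mismatch, a conflicting explicit mount ID would be better rejected in the validation step (`Sanitize` follows directly after this function) or at least logged; at minimum the comment should state the override rather than describe the assignment: `// vault mode pins the mount id to the vault storage provider id; any mount id configured by the operator is ignored`. `EnsureDefaults` starts outside the hunk.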
diff --git a/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go b/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go index c995504cbc4..c562636e8b0 100644 --- a/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go +++ b/vendor/github.com/owncloud/reva/v2/pkg/utils/utils.go @@ -65,9 +65,7 @@ var ( OCMStorageSpaceID = "89f37a33-858b-45fa-8890-a1f2b27d90e1" // VaultStorageProviderID is the storage id used by the vault storageprovider - VaultStorageProviderID = "bbbbbbbb-16f5-444e-8a6a-a28db41bbbbb" - // VaultStorageSpaceID is the space id used by the vault storageprovider - VaultStorageSpaceID = "bbbbbbbb-16f5-444e-8a6a-a28db41bbbbb" + VaultStorageProviderID = "1a01c2c4-4309-4483-a845-842fd56d8622" // SpaceGrant is used to signal the storageprovider that the grant is on a space SpaceGrant struct{} diff --git a/vendor/modules.txt b/vendor/modules.txt index 0dd6b10c34c..7aaef51414a 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1316,7 +1316,7 @@ github.com/orcaman/concurrent-map # github.com/owncloud/libre-graph-api-go v1.0.5-0.20260216101009-eeac018af245 ## explicit; go 1.18 github.com/owncloud/libre-graph-api-go -# github.com/owncloud/reva/v2 v2.0.0-20260316121612-b1ac85b0d63c +# github.com/owncloud/reva/v2 v2.0.0-20260316140824-a145e1807968 ## explicit; go 1.24.0 github.com/owncloud/reva/v2/cmd/revad/internal/grace github.com/owncloud/reva/v2/cmd/revad/runtime From 7314cdee3e5aabcec8cc1d81274175243c335f62 Mon Sep 17 00:00:00 2001 From: Roman Perekhod <2403905@gmail.com> Date: Mon, 16 Mar 2026 16:32:27 +0100 Subject: [PATCH 06/11] configurate the proxy to create the vault home space --- services/proxy/pkg/command/server.go | 1 + services/proxy/pkg/config/config.go | 1 + services/proxy/pkg/middleware/create_home.go | 42 ++++++++++---------- services/proxy/pkg/middleware/options.go | 9 +++++ 4 files changed, 33 insertions(+), 20 deletions(-) 
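Review bot: `VaultStorageProviderID` is a persistent identifier, it becomes the mount ID of the vault storage-users instance (defaultconfig.go in this series) and is injected as `storage_id` of every vault personal space by the proxy's CreateHome middleware, yet the hunk changes its value and drops `VaultStorageSpaceID` without a word on the consequences. If any deployment already created vault spaces under the previous value, those spaces would presumably no longer resolve after this change, so the comment should record whether the old value was ever shipped and why a distinct provider id was chosen, e.g. `// VaultStorageProviderID is the storage id used by the vault storageprovider. It is persisted in space ids; changing it orphans spaces created under the previous value.`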
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go index c0a08116358..348f10a87f8 100644 --- a/services/proxy/pkg/command/server.go +++ b/services/proxy/pkg/command/server.go @@ -373,6 +373,7 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config, middleware.Logger(logger), middleware.WithRevaGatewaySelector(gatewaySelector), middleware.RoleQuotas(cfg.RoleQuotas), + middleware.CreateVaultHome(cfg.CreateVaultHome), ), // trigger space assignment when a user logs in middleware.SpaceManager( diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go index 9ce6faf3f1d..7a2684c9136 100644 --- a/services/proxy/pkg/config/config.go +++ b/services/proxy/pkg/config/config.go @@ -48,6 +48,7 @@ type Config struct { ClaimSpaceManagement ClaimSpaceManagement `yaml:"claim_space_management"` MultiFactorAuthentication MFAConfig `yaml:"mfa"` MultiInstance MultiInstanceConfig `yaml:"multi_instance"` + CreateVaultHome bool `yaml:"create_vault_home" env:"PROXY_CREATE_VAULT_HOME" desc:"Set this to true to automatically create a new vault home for the user if it does not exist." introductionVersion:"daledda"` Context context.Context `json:"-" yaml:"-"` } diff --git a/services/proxy/pkg/middleware/create_home.go b/services/proxy/pkg/middleware/create_home.go index 9db3d177695..c007e45c6e8 100644 --- a/services/proxy/pkg/middleware/create_home.go +++ b/services/proxy/pkg/middleware/create_home.go @@ -24,7 +24,7 @@ func CreateHome(optionSetters ...Option) func(next http.Handler) http.Handler { logger := options.Logger cache := ttlcache.New( - ttlcache.WithTTL[string, string](30*time.Second), + ttlcache.WithTTL[string, string](60*time.Second), ttlcache.WithDisableTouchOnHit[string, string](), ) go cache.Start() 
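Review bot: The `ttlcache.WithTTL` value in `CreateHome` is raised from 30 to 60 seconds as a bare literal and the commit message does not mention the change, so the reason is lost. The cache remembers a successful or already-existing home creation per user (the `cache.Set(vaultKey, "ok", 0)` calls later in this file), so a named constant with that rationale would document both the purpose and the new value: `// createHomeCacheTTL bounds how long a completed home creation is remembered per user before CreateHome is issued again.` followed by `const createHomeCacheTTL = 60 * time.Second`. `CreateHome` continues outside the hunk.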
@@ -35,6 +35,7 @@ func CreateHome(optionSetters ...Option) func(next http.Handler) http.Handler { logger: logger, revaGatewaySelector: options.RevaGatewaySelector, roleQuotas: options.RoleQuotas, + createVaultHome: options.CreateVaultHome, cache: cache, } } @@ -45,6 +46,7 @@ type createHome struct { logger log.Logger revaGatewaySelector pool.Selectable[gateway.GatewayAPIClient] roleQuotas map[string]uint64 + createVaultHome bool cache *ttlcache.Cache[string, string] } @@ -57,7 +59,6 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { token := req.Header.Get("x-access-token") // we need to pass the token to authenticate the CreateHome request. - //ctx := tokenpkg.ContextSetToken(r.Context(), token) ctx := metadata.AppendToOutgoingContext(req.Context(), revactx.TokenHeader, token) createHomeReq := &provider.CreateHomeRequest{} 
@@ -95,24 +96,25 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) { } } - vaultKey := "vault" + u.GetId().GetOpaqueId() - if !m.cache.Has(vaultKey) { - // TODO: Should be optional - // Create vault personal space - // Inject storage_id into opaque for vault personal space - createHomeReq.Opaque = utils.AppendPlainToOpaque(createHomeReq.Opaque, "storage_id", utils.VaultStorageProviderID) - cpsRes, err := client.CreateHome(ctx, createHomeReq) - switch { - case err != nil: - m.logger.Err(err).Msg("error calling CreateHome for vault personal") - case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_OK: - m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("vault personal space created") - m.cache.Set(vaultKey, "ok", 0) - case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: - m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("vault personal space already exists") - m.cache.Set(vaultKey, "ok", 0) - default: - m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("vault personal space creation failed") + if m.createVaultHome { + vaultKey := "vault" + u.GetId().GetOpaqueId() + if !m.cache.Has(vaultKey) { + // Create vault personal space + // Inject storage_id into opaque for vault personal space + createHomeReq.Opaque = utils.AppendPlainToOpaque(createHomeReq.Opaque, "storage_id", utils.VaultStorageProviderID) + cpsRes, err := client.CreateHome(ctx, createHomeReq) + switch { + case err != nil: + m.logger.Err(err).Msg("error calling CreateHome for vault personal") + case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_OK: + m.logger.Debug().Interface("userID", u.GetId().GetOpaqueId()).Msg("vault personal space created") + m.cache.Set(vaultKey, "ok", 0) + case cpsRes.GetStatus().GetCode() == rpc.Code_CODE_ALREADY_EXISTS: + m.logger.Info().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", 
cpsRes.GetStatus()).Msg("vault personal space already exists") + m.cache.Set(vaultKey, "ok", 0) + default: + m.logger.Error().Interface("userID", u.GetId().GetOpaqueId()).Interface("status", cpsRes.GetStatus()).Msg("vault personal space creation failed") + } } } } diff --git a/services/proxy/pkg/middleware/options.go b/services/proxy/pkg/middleware/options.go index 503273a564e..243d69114c7 100644 --- a/services/proxy/pkg/middleware/options.go +++ b/services/proxy/pkg/middleware/options.go @@ -69,6 +69,8 @@ type Options struct { // RoleQuotas hold userid:quota mappings. These will be used when provisioning new users. // The users will get as much quota as is set for their role. RoleQuotas map[string]uint64 + // CreateVaultHome creates a new vault home for the user if it does not exist. + CreateVaultHome bool // TraceProvider sets the tracing provider. TraceProvider trace.TracerProvider // SkipUserInfo prevents the oidc middleware from querying the userinfo endpoint and read any claims directly from the access token instead @@ -243,6 +245,13 @@ func RoleQuotas(roleQuotas map[string]uint64) Option { } } +// CreateVaultHome sets the create vault home flag +func CreateVaultHome(createVaultHome bool) Option { + return func(o *Options) { + o.CreateVaultHome = createVaultHome + } +} + // TraceProvider sets the tracing provider. func TraceProvider(tp trace.TracerProvider) Option { return func(o *Options) { From afb600d9642d8be4cef750c4167aff20b670e9f1 Mon Sep 17 00:00:00 2001 
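Review bot: Wrapping the existing block in `if m.createVaultHome {` pushes the vault-space creation three levels deep inside `ServeHTTP` and keeps an inconsistency in the log fields: the `err != nil` case logs without the `userID` that the other three cases attach. Folding the flag into the existing guard, `if m.createVaultHome && !m.cache.Has(vaultKey) {`, removes one level, and moving the whole block into a method that receives the context, gateway client, user and request, called as `if m.createVaultHome { m.ensureVaultHome(ctx, client, u, createHomeReq) }`, keeps `ServeHTTP` readable; the error case would then become `m.logger.Err(err).Interface("userID", u.GetId().GetOpaqueId()).Msg("error calling CreateHome for vault personal")`. `ServeHTTP` starts outside the hunk.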
From: Michal Klos Date: Mon, 16 Mar 2026 22:41:57 +0100 Subject: [PATCH 07/11] feat: docker compose setup --- deployments/examples/ocis_vault/README.md | 23 + .../config/keycloak/clients/android_app.json | 64 + .../config/keycloak/clients/cyberduck.json | 67 + .../keycloak/clients/desktop_client.json | 65 + .../config/keycloak/clients/ios_app.json | 64 + .../config/keycloak/clients/web.json | 72 + .../keycloak/docker-entrypoint-override.sh | 8 + .../config/keycloak/ocis-realm.dist.json | 2934 +++++++++++++++++ .../config/ocis/banned-password-list.txt | 5 + .../examples/ocis_vault/config/ocis/csp.yaml | 38 + .../examples/ocis_vault/docker-compose.yml | 229 ++ 11 files changed, 3569 insertions(+) create mode 100644 deployments/examples/ocis_vault/README.md create mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/android_app.json create mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json create mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json create mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json create mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/web.json create mode 100644 deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh create mode 100644 deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json create mode 100644 deployments/examples/ocis_vault/config/ocis/banned-password-list.txt create mode 100644 deployments/examples/ocis_vault/config/ocis/csp.yaml create mode 100644 deployments/examples/ocis_vault/docker-compose.yml diff --git a/deployments/examples/ocis_vault/README.md b/deployments/examples/ocis_vault/README.md new file mode 100644 index 00000000000..b0806fd8ab4 --- /dev/null +++ b/deployments/examples/ocis_vault/README.md 
@@ -0,0 +1,23 @@ +--- +document this deployment example in: docs/ocis/deployment/ocis_vault.md +--- + +Please refer to [our documentation](https://owncloud.dev/ocis/deployment/ocis_vault/) +for instructions on how to deploy this scenario. + +## Local web development + +The `ocis` service mounts the web repo from the host (`/Users/mk/dev/kiteworks/web`) +and serves its `dist/` via `WEB_ASSET_CORE_PATH`. oCIS generates `config.json` +dynamically from its own config — the one in `dist/` is ignored. + +Run the web build in watch mode: + +```bash +cd /Users/mk/dev/kiteworks/web +pnpm build:w +``` + +This is `vite build --watch` — a full production rebuild on every save (no HMR, +takes 20-60 s). Hard-refresh the browser after each rebuild to pick up changes. +No container restart needed. diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/android_app.json b/deployments/examples/ocis_vault/config/keycloak/clients/android_app.json new file mode 100644 index 00000000000..0dd4106e3f4 --- /dev/null +++ b/deployments/examples/ocis_vault/config/keycloak/clients/android_app.json 
@@ -0,0 +1,64 @@ +{ + "clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD", + "name": "ownCloud Android app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD", + "redirectUris": [ + "oc://android.owncloud.com" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } +} \ No newline at end of file 
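Review bot: `"directAccessGrantsEnabled": true` turns on the OAuth2 resource-owner password grant for this confidential client, although the only flow it is otherwise configured for is the redirect-based code flow to `oc://android.owncloud.com`; the same setting is in cyberduck.json, desktop_client.json, ios_app.json and web.json in this commit. With the grant enabled, anything holding the client id and secret committed here can exchange a username/password pair for tokens without the browser login, which sidesteps any MFA or brute-force handling done in the browser flow and is the grant the OAuth 2.0 Security BCP (RFC 9700) says must not be used. Unless one of these clients is known to depend on it, set `"directAccessGrantsEnabled": false` in each of the five files; the `web` client, being public, gains nothing from it at all.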
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json b/deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json new file mode 100644 index 00000000000..85a4e72c5cd --- /dev/null +++ b/deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json 
@@ -0,0 +1,67 @@ +{ + "clientId": "3keLfua0olYvW1zKXTDB3OjAMPEYWEQNuiscli395GKJOiPnPURNQWGvGCJZf4Hw", + "name": "Cyberduck", + "description": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "yoqICbLIeYbpZPqDH4D8k4NKb04HqnrWBntEeVZEQ5gO1RmaUlln0Aqu1dj2UoF4", + "redirectUris": [ + "x-cyberduck-action:oauth", + "x-mountainduck-action:oauth" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } +} \ No newline at end of file 
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json b/deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json new file mode 100644 index 00000000000..0aeb310097d --- /dev/null +++ b/deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json 
@@ -0,0 +1,65 @@ +{ + "clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", + "name": "ownCloud Desktop Client", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh", + "redirectUris": [ + "http://127.0.0.1:*", + "http://localhost:*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } +} \ No newline at end of file 
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json b/deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json new file mode 100644 index 00000000000..ec879ec7027 --- /dev/null +++ b/deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json 
@@ -0,0 +1,64 @@ +{ + "clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1", + "name": "ownCloud iOS app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx", + "redirectUris": [ + "oc://ios.owncloud.com" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } +} \ No newline at end of file 
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/web.json b/deployments/examples/ocis_vault/config/keycloak/clients/web.json new file mode 100644 index 00000000000..b88f7c13121 --- /dev/null +++ b/deployments/examples/ocis_vault/config/keycloak/clients/web.json 
@@ -0,0 +1,72 @@ +{ + "clientId": "web", + "name": "", + "description": "", + "rootUrl": "https://ocis.owncloud.test", + "adminUrl": "https://ocis.owncloud.test", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://ocis.owncloud.test/*" + ], + "webOrigins": [ + "https://ocis.owncloud.test" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.url": "https://ocis.owncloud.test/backchannel_logout", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + 
"manage": true + } +} \ No newline at end of file diff --git a/deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh b/deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh new file mode 100644 index 00000000000..a21bddb43c9 --- /dev/null +++ b/deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh @@ -0,0 +1,8 @@ +#!/bin/bash +printenv +# replace oCIS domain in keycloak realm import +mkdir /opt/keycloak/data/import +sed -e "s/ocis.owncloud.test/${OCIS_DOMAIN}/g" /opt/keycloak/data/import-dist/ocis-realm.json > /opt/keycloak/data/import/oCIS-realm.json + +# run original docker-entrypoint +/opt/keycloak/bin/kc.sh "$@" diff --git a/deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json b/deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json new file mode 100644 index 00000000000..63200a3ac07 --- /dev/null +++ b/deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json 
@@ -0,0 +1,2934 @@ +{ + "id": "ownCloud Infinite Scale Test", + "realm": "oCIS", + "displayName": "ownCloud Infinite Scale", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": true, + "permanentLockout": false, + "maxTemporaryLockouts": 0, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "0bb40fa2-4490-4687-9159-b1d27ec7423a", + "name": "ocisAdmin", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test", + "attributes": {} + }, + { + "id": "2d576514-4aae-46aa-9d9c-075f55f4d988", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, 
+ "containerId": "ownCloud Infinite Scale Test", + "attributes": {} + }, + { + "id": "8c79ff81-c256-48fd-b0b9-795c7941eedf", + "name": "ocisUser", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test", + "attributes": {} + }, + { + "id": "bd5f5012-48bb-4ea4-bfe6-0623e3ca0552", + "name": "ocisSpaceAdmin", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test", + "attributes": {} + }, + { + "id": "e2145b30-bf6f-49fb-af3f-1b40168bfcef", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test", + "attributes": {} + }, + { + "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", + "name": "default-roles-ocis", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test", + "attributes": {} + }, + { + "id": "7eedfa6d-a2d9-4296-b6db-e75e4e9c0963", + "name": "ocisGuest", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test", + "attributes": {} + } + ], + "client": { + "_system": [], + "realm-management": [ + { + "id": "979ce053-a671-4b50-81d5-da4bdf7404c9", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "4bec4791-e888-4dac-bc95-71720d5981b9", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + 
"id": "955b4406-b04f-432d-a61a-571675874341", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "baa219af-2773-4d59-b06b-485f10fbbab3", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "f280bc03-d079-478d-be06-3590580b25e9", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "db698163-84ad-46c9-958f-bb5f80ae78b5", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "36c04d89-abf7-4a2c-a808-8efa9aca1435", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "06eae953-11d5-4344-b089-ffce1e68d5d8", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "afe8aa78-2f06-43a5-8c99-cf68a1f5a86a", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "view-clients", + "query-users", + "manage-authorization", + "view-events", + "manage-users", + "query-clients", + "manage-clients", + "query-realms", + "impersonation", + "manage-realm", + "manage-identity-providers", + "view-authorization", + "create-client", + "query-groups", + "view-users", + "view-realm", + 
"view-identity-providers", + "manage-events" + ] + } + }, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "22ee128a-b28e-4c6a-aa8e-ad4136d74e1b", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "89d4f119-7f87-44d9-8eef-d207304de778", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "ebffeff4-6794-4003-a2ab-a79eff7d1baa", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "2361a7ff-d2b3-43f5-b360-ad0e44fba65c", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "f7bf6d7a-a861-49c6-8f6f-225c18d0a03a", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "34ccce1c-5a7e-4268-8836-2276545be900", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "430f7831-8f22-4518-bd15-2998eae45a51", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + 
"attributes": {} + }, + { + "id": "371a31e6-4494-4b74-b3ea-d030663423ed", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "e875775b-7a3e-4a5d-9e4e-376351b78626", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + }, + { + "id": "3dce7929-ee1f-40cd-9be1-7addcae92cef", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes": {} + } + ], + "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69": [], + "web": [], + "security-admin-console": [], + "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD": [], + "admin-cli": [], + "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1": [], + "account-console": [], + "broker": [ + { + "id": "81fad68a-8dd8-4d79-9a8f-206a82460145", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "002faf0a-716c-4230-81c7-ce22d1eb832c", + "attributes": {} + } + ], + "account": [ + { + "id": "c49a49da-8ad0-44cb-b518-6d7d72cbe494", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "9dc2244e-b8a7-44f1-b173-d2b929fedcca", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "ce115327-99c9-44d4-ba7d-820397dc11e6", + "name": 
"manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "2ffdf854-084b-467a-91c6-7f07844efc9a", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "8c45ca71-32aa-4547-932d-412da5e371ed", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "cbeecf6d-9af8-4746-877b-74800a894c35", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "ea798f64-b5f8-417f-9fe0-d3cd9172884f", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + }, + { + "id": "e73aaf6d-e67b-491a-9cc3-78c32c82b42c", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "9850adad-7910-4b67-a790-da6444361618", + "attributes": {} + } + ] + } + }, + "groups": [ + { + "id": "99187f82-71b6-4f21-a255-0d87bb286607", + "name": "philosophy-haters", + "path": "/philosophy-haters", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "2129ab43-0221-40e1-871a-394a8c9b6434", + "name": "physics-lovers", + "path": "/physics-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "8246d8bc-8e35-4b11-916e-f8d7729d6a23", + "name": 
"polonium-lovers", + "path": "/polonium-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "fabf9b54-c27e-495e-961d-9c9f2ebfd482", + "name": "quantum-lovers", + "path": "/quantum-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "f5613e5a-84b6-4e85-bcb3-0fff9fa6a191", + "name": "radium-lovers", + "path": "/radium-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "32031f61-035e-4355-b7bf-17ff314581f3", + "name": "sailing-lovers", + "path": "/sailing-lovers", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "8520544b-eb76-449d-8498-fbe0e1e62a97", + "name": "users", + "path": "/users", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + }, + { + "id": "d0a10993-e532-49b7-b2b4-009f9b31d43a", + "name": "violin-haters", + "path": "/violin-haters", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + } + ], + "defaultRole": { + "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", + "name": "default-roles-ocis", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "ownCloud Infinite Scale Test" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "localizationTexts": {}, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + 
"webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyExtraOrigins": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "webAuthnPolicyPasswordlessExtraOrigins": [], + "users": [ + { + "id": "389845cd-65b9-47fc-b723-ba75940bcbd7", + "username": "admin", + "firstName": "Admin", + "lastName": "Admin", + "email": "admin@example.org", + "emailVerified": true, + "createdTimestamp": 1611912383386, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "499e0fbe-1c10-4588-9db4-e8a1012b9246", + "type": "password", + "createdDate": 1611912393787, + "secretData": "{\"value\":\"WUdGHYxGqrEBqg8Y3v+CKCzkzXkboMI6VmpWAYqvD7pIcP9z1zzDTqwlXrVFytoZMpcceT3Xm1hAGh7CZcSoHQ==\",\"salt\":\"pxP1MdkG//50Lv81WsQ5FA==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "uma_authorization", + "ocisAdmin", + "offline_access" + ], + "clientRoles": { + "account": [ + "manage-account", + "view-profile" + ] + }, + "notBefore": 0, + "groups": [ + "/users" + ] + }, + { + "id": "0a9f434c-4864-49cf-ac15-46ed0f49d59b", + 
"username": "einstein", + "firstName": "Albert", + "lastName": "Einstein", + "email": "einstein@example.org", + "emailVerified": true, + "createdTimestamp": 1611912153544, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "19efcb24-c5ec-42ed-97e1-2475ca025f40", + "type": "password", + "createdDate": 1611912169712, + "secretData": "{\"value\":\"5+ofM8OpvpiPZyi4ZJuB2Pa3jGOIcY2uXui2p8KRWCs=\",\"salt\":\"wfhXLZScHStB14ZxML9d7g==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "uma_authorization", + "ocisUser", + "offline_access" + ], + "clientRoles": { + "account": [ + "manage-account", + "view-profile" + ] + }, + "notBefore": 0, + "groups": [ + "/physics-lovers", + "/sailing-lovers", + "/users", + "/violin-haters" + ] + }, + { + "id": "b44a81e2-e3ed-4241-a9ce-44604f7ac9eb", + "username": "katherine", + "firstName": "Katherine", + "lastName": "Johnson", + "email": "katherine@example.org", + "emailVerified": true, + "createdTimestamp": 1678101111607, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "be18ccc9-b80f-4895-bf06-8e8e4605c634", + "type": "password", + "userLabel": "My password", + "createdDate": 1678101159924, + "secretData": "{\"value\":\"/E/1yfcgM8deq6V544gEsTfsXZuUnzaofmM+AK+MpAsvRoNRtEyRN1pajhIpGDtEuPa/KVBDbcALE7WMbFhO1w==\",\"salt\":\"TXapvlOYBWqabQRo+fINFQ==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "ocisSpaceAdmin", + "default-roles-ocis" + ], + "notBefore": 0, + "groups": [] + }, + { + "id": "48016357-346a-443e-bf7a-945c9448a99b", + "username": "marie", + 
"firstName": "Marie", + "lastName": "Curie", + "email": "marie@example.org", + "emailVerified": true, + "createdTimestamp": 1611912241951, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "ff304f90-a934-4bf1-9cfe-bd165751c110", + "type": "password", + "createdDate": 1611912318408, + "secretData": "{\"value\":\"DN7g/etlfzHfd6tfF4g50xdPGy+aUboAXmjB06R0NzhGhwhOxiUh7KNWre2pqZOiu28iGXfDFWMP2xDCNid+Mg==\",\"salt\":\"ZFYXUMBaZm/XspifJgH9Tg==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "uma_authorization", + "ocisUser", + "offline_access" + ], + "clientRoles": { + "account": [ + "manage-account", + "view-profile" + ] + }, + "notBefore": 0, + "groups": [ + "/physics-lovers", + "/polonium-lovers", + "/radium-lovers", + "/users" + ] + }, + { + "id": "d18c3689-b816-455a-9728-cd8c9797f315", + "username": "moss", + "firstName": "Maurice", + "lastName": "Moss", + "email": "moss@example.org", + "emailVerified": true, + "createdTimestamp": 1611912340085, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "273679bf-80ef-4c83-ac23-0ee569c3bece", + "type": "password", + "createdDate": 1611912354500, + "secretData": "{\"value\":\"f22la+Ghr2xDBOA1tJrMlc2GFy9ZiGcTJuto2U9KaHE=\",\"salt\":\"fjwq6/u6YI+r1xdZL0UtxA==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "uma_authorization", + "ocisAdmin", + "offline_access" + ], + "clientRoles": { + "account": [ + "manage-account", + "view-profile" + ] + }, + "notBefore": 0, + "groups": [ + "/users" + ] + }, + { + "id": 
"373be4c5-7f65-4e91-ba0e-bfb618c96046", + "username": "richard", + "firstName": "Richard", + "lastName": "Feynman", + "email": "richard@example.org", + "emailVerified": true, + "createdTimestamp": 1611912442173, + "enabled": true, + "totp": false, + "credentials": [ + { + "id": "2fb1bcd7-8a51-4732-b695-dc4aa14b1dca", + "type": "password", + "createdDate": 1611912452192, + "secretData": "{\"value\":\"uzN0AO66tnEoLM5SpHmJ3rNb4Gj9sXJMafn68EbDwVtQmbOR0uY7L/ePU7i5pVTvhgRN7XMj0P9Fc+iV7C+Pzw==\",\"salt\":\"PqLW9Cu52hOW9b2cVTF+Sg==\",\"additionalParameters\":{}}", + "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } + ], + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "uma_authorization", + "ocisUser", + "offline_access" + ], + "clientRoles": { + "account": [ + "manage-account", + "view-profile" + ] + }, + "notBefore": 0, + "groups": [ + "/philosophy-haters", + "/physics-lovers", + "/quantum-lovers", + "/users" + ] + } + ], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + }, + { + "clientScope": "roles", + "roles": [ + "ocisSpaceAdmin", + "ocisGuest", + "ocisUser", + "ocisAdmin" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "294b6cf4-b646-4f6c-bab2-616546ec3167", + "clientId": "_system", + "name": "_system", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "pIw3cF77kEYSYR2r1HfOzySTBLO7aYeM", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": 
"openid-connect", + "attributes": { + "client.secret.creation.time": "1718778122", + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "9850adad-7910-4b67-a790-da6444361618", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/oCIS/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "PY3vaoPyw7VCfHxDf41JKbGtR2WOV85S", + "redirectUris": [ + "/realms/oCIS/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1718778122", + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] + }, + { + "id": "55bb4cdc-045b-422a-8830-61245949d6aa", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/oCIS/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/oCIS/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": 
false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "9bf413ed-402f-438d-a72c-033f3c45dab2", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "2969b8ff-2ab3-4907-aaa7-091a7a627ccb", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] + }, + { + "id": "002faf0a-716c-4230-81c7-ce22d1eb832c", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "3mksmxreyii6xcc6N2JRGLT4fehwE1HT", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, 
+ "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1718778122", + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] + }, + { + "id": "c8367556-1d13-4979-b4f6-5e2cff1f82ae", + "clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD", + "name": "ownCloud Android app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD", + "redirectUris": [ + "oc://android.owncloud.com" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + 
}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "acr", + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9", + "clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1", + "name": "ownCloud iOS app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx", + "redirectUris": [ + "oc://ios.owncloud.com" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + 
"basic", + "email" + ], + "optionalClientScopes": [ + "acr", + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [], + "optionalClientScopes": [] + }, + { + "id": "97264f49-a8c1-4585-99b6-e706339c62f8", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/oCIS/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/oCIS/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "96092024-21dd-4d31-a004-2c5b96031da3", + "name": "locale", + "protocol": 
"openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ], + "defaultClientScopes": [ + "basic" + ], + "optionalClientScopes": [] + }, + { + "id": "54b18eca-cf79-4263-9db9-2d79f8a1c831", + "clientId": "web", + "name": "", + "description": "", + "rootUrl": "https://ocis.owncloud.test", + "adminUrl": "https://ocis.owncloud.test", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://ocis.owncloud.test/*" + ], + "webOrigins": [ + "https://ocis.owncloud.test" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.url": "https://ocis.owncloud.test/backchannel_logout", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", 
+ "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "acr", + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f", + "clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", + "name": "ownCloud Desktop Client", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh", + "redirectUris": [ + "http://127.0.0.1:*", + "http://localhost:*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "post.logout.redirect.uris": "+", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "exclude.session.state.from.auth.response": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + 
"defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "groups", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "258e56a8-1eeb-49ea-957b-aff8df4656ba", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${emailScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "068bcfb6-4a17-4c20-b083-ae542a7f76c8", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean", + "userinfo.token.claim": "true" + } + }, + { + "id": "c00d6c21-2fd1-435f-9ee9-87e011048cbe", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "b3e1e47e-3912-4b55-ba89-b0198e767682", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${addressScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "876baab9-39d1-4845-abb4-561a58aa152d", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + 
"user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "9cae7ced-e7d9-4f7b-8e54-7402125f6ead", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "8eb1f69b-b941-4185-bca1-f916953f7cf5", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "fb587847-806f-4443-bab0-501efc0f0b46", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "947da1ff-f614-48fc-9ecb-c98cbcfd3390", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${profileScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "46fec552-2f92-408a-84cf-ba98bf8e35fd", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "c7ed5458-4d32-423e-8ea1-d112c45045d4", + "name": "middle name", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "e18d1ce4-3969-4ec1-9941-a27fd7555245", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "dab85a5e-9af8-4fcd-88e4-9d3ae50dd5b6", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "7484f47e-3bb1-48d0-ba64-e8330dcefe6e", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "fcd00995-9693-4803-8f41-c84044be83ed", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "f09e7268-5284-449b-849b-cf8225523584", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "0317f4b3-3f7b-47ab-88d3-5d6f604d944d", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "db81244c-e739-461b-8822-52ceaa11bdf4", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "c6a16bf9-9370-4dff-a718-be53131bb238", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "32d76647-b542-484c-9062-edc34eb350e0", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "ac6530db-6463-446b-99da-32d5298b5fa0", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "zoneinfo", + 
"id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "ed10983b-8700-415e-933e-226ce3f397a6", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "8205ccd0-1266-4060-b5df-3a6eb229d91e", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "79713daf-89ca-4ed4-ad97-a88b13ee9a18", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${phoneScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "b5f4f5ed-1008-42ba-8b3b-7d8851a2a680", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + }, + { + "id": "08a246f1-2b4c-4def-af5c-aefc31b4820d", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + 
"access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "c3a6224b-49aa-4a25-953d-7e326d66893d", + "name": "basic", + "description": "OpenID Connect scope for add all basic claims to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "2d4f3f17-1ab7-429e-88e1-cdf08d3533c6", + "name": "auth_time", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "AUTH_TIME", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "auth_time", + "jsonType.label": "long" + } + }, + { + "id": "3e7da934-3de3-4bd1-a565-8ac62419c138", + "name": "sub", + "protocol": "openid-connect", + "protocolMapper": "oidc-sub-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "0c72b80b-28d5-48d8-b593-c99030aab58d", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "consent.screen.text": "${rolesScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "bc7f015e-329f-4e99-be6b-72382f4310c7", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "215f645f-ad0b-4523-9ece-f09f69ead5c4", + "name": "audience resolve", + 
"protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "4a10b958-d34d-413a-b349-1415d02cdcde", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "roles", + "jsonType.label": "String", + "userinfo.token.claim": "true", + "multivalued": "true" + } + } + ] + }, + { + "id": "7438d93e-b07a-4913-9419-3273be364c4b", + "name": "groups", + "description": "OpenID Connect scope for add user groups to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "5349faf2-64a6-481f-b207-39ffef2cd597", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "false", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "lightweight.claim": "false", + "access.token.claim": "true", + "claim.name": "groups" + } + } + ] + }, + { + "id": "5ce87358-3bca-4874-a6f0-6dccae6209a8", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "consent.screen.text": "", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "bbd23c51-918d-4ea6-9ac0-db68b512fb0a", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "86883395-e439-4cab-9d8d-31d71389969c", + "name": "acr", + "description": "OpenID Connect scope for add 
acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "b849b14b-7c9c-4b7b-9329-c56debefb47c", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] + }, + { + "id": "bdb3e320-76c8-4ad7-9d0f-a08efc060101", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "1d08316c-493b-42ab-afa3-66f621860661", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "52061d2d-7a41-4f1d-ba1b-3c4a53e739e4", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String", + "userinfo.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr", + "basic", + "groups" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + 
"xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "4682fe74-f3a9-445a-a7ab-557fb532fe6b", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "c46009e5-c8b5-4051-bf7f-7b1481a9aa86", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "43edf979-28d2-46c8-9f93-48b3de185570", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-property-mapper", + "saml-role-list-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-full-name-mapper", + "saml-user-attribute-mapper" + ] + } + }, + { + "id": "6fc7d765-7da8-4985-ba0b-e83827b04bd3", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + 
"oidc-usermodel-attribute-mapper", + "oidc-address-mapper", + "saml-role-list-mapper", + "oidc-full-name-mapper", + "saml-user-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper" + ] + } + }, + { + "id": "e3eadb04-8862-4567-869c-a76485268159", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "c788e6bf-2f57-4a82-b32e-ac8d48a4f676", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + } + ], + "org.keycloak.userprofile.UserProfileProvider": [ + { + "id": "28d6b4ce-33d4-40c0-adef-b27e35b7e122", + "providerId": "declarative-user-profile", + "subComponents": {}, + "config": { + "kc.user.profile.config": [ + "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\
"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}],\"unmanagedAttributePolicy\":\"ENABLED\"}" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "0e3d0048-cb16-49c3-8a9a-05d83f0daeca", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "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" + ], + "certificate": [ + "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" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "f92ecf31-c3c7-4c3b-af20-839fc05bcf99", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "a25fabf6-4224-4e0e-876b-cbfcb0a79628" + ], + "secret": [ + "4TbJ63S8xc-vEmTtAtd0YQbO9sCqeUs9B0SpOiokavNFWwRq5hrxcyXsG1GKpCAcEheGKnjNgkNAOR3jvnKDVnq-jJd9II2G6-A6G-XH7HMG7REWi2OVDf7a5eGmdFeRNdI5kQhGceS-H03hF3Q9uI4tv1mlgoeBpVxfWrS5_dQ" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "a137a686-5876-4faf-8d1e-e3a59f55095e", + "name": "hmac-generated-hs512", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "f00e19d2-5070-4730-a68a-2a14912ef7a8" + ], + "secret": [ + "nXZiaEzaQQUrFkmkq7vRPbZ54_m-u5zo5o9j-5WxtbdwCaHGNN3hGHOjq_4z4zfB4ooRVcUtzQL_48kOoRYmvJy7_w-rfIIooxN5yGU4sVJRj3wV3cVwxPqNAVLj_pAxJnTLXGC-cckpFkWw9XfIPLG-D3Nkv05WEgVSnIuNXOo" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS512" + ] + } + }, + { + "id": "992dcc80-dc41-4b00-bab8-6ec1c839f3a4", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "kid": [ + "aec7cbf7-7e70-4acd-b1b6-adc7a0d58e2f" + ], + "secret": [ + "-WfcWG4blS3bT0nsLsj-Rw" + ], + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "5392b282-096e-4994-a3ad-780eb4023d27", + "alias": "step up flow", + 
"description": "browser login flow with step-up mechanism", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 31, + "autheticatorFlow": true, + "flowAlias": "base step up", + "userSetupAllowed": false + } + ] + }, + { + "id": "00e79c8a-93b3-4c0d-857f-7bf5be19d0cb", + "alias": "base step up", + "description": "base step up flow", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 2, + "autheticatorFlow": true, + "flowAlias": "step up level 1", + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 3, + "autheticatorFlow": true, + "flowAlias": "step up level 2", + "userSetupAllowed": false + } + ] + }, + { + "id": "32ec29d9-dd12-45ce-bdbc-3e597aca4b51", + "alias": "step up level 1", + "description": "loa 1 with username and password", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticatorConfig": "loa level 1", + "authenticator": "conditional-level-of-authentication", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 0, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": 
"auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 1, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "b8c46bfb-cf9e-414a-a773-b17e0fdaa475", + "alias": "step up level 2", + "description": "loa 2 with totp", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": false, + "authenticationExecutions": [ + { + "authenticatorConfig": "loa level 2", + "authenticator": "conditional-level-of-authentication", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 0, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 1, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "8964f931-b866-4a05-ab1c-89331a566887", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "123e5711-1ee5-4f7e-ac9c-64c644daaea9", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": 
"auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "be73b7f5-9a66-487c-b7dd-80e0f7ac0c7c", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "597ca917-91fc-4898-a279-cd592af286e3", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "3daadb6b-4d63-4be1-a89e-ec8e41e72afa", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": 
false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "5942598c-d7e9-4941-b13e-4a8a75e2c2a3", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6e4b336e-eb5f-423c-8d32-4ab94d1122e6", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "35ac1997-b6af-44ff-ab27-c34f9be32e56", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + 
"autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "a3473070-fe69-4de1-a0b2-dd54b8a769d5", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "cc714857-b114-4df6-9030-b464bbb3964d", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { 
+ "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "0ebe891c-1a72-4842-bf29-a9abe9c2a4d2", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "d97d5579-b3d4-49c4-a60e-0e1e6b1c9d79", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "009f7c28-0f41-4237-9911-9091c3d751b7", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + 
"userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "f9911022-b3cf-4d96-9a96-51bc53c437eb", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "c53eb19d-49e9-4252-8a10-4d5c6a12e61b", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "3b4f48d3-1706-4630-80e0-e0542780a1f7", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + 
"requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "5520aa89-cd76-438a-abae-7ccd3a2d7615", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "cce548d6-9bef-4449-88ea-99b949488fe7", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "0848606c-7510-4b09-ba0e-4dc2ef3d63f8", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "91a8dee7-c679-4202-866e-234eb4164cfd", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + }, + { + "id": "5b7b9811-6a2d-47ba-8722-7a4a5cb67cc3", + 
"alias": "loa level 2", + "config": { + "loa-condition-level": "2", + "loa-max-age": "36000" + } + }, + { + "id": "fc6ac583-5601-4c97-a57b-3b044dc4007f", + "alias": "loa level 1", + "config": { + "loa-condition-level": "1", + "loa-max-age": "36000" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "delete_credential", + "name": "Delete Credential", + "providerId": "delete_credential", + "enabled": true, + "defaultAction": false, + "priority": 100, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "step up flow", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + 
"firstBrokerLoginFlow": "first broker login", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaAuthRequestedUserHint": "login_hint", + "clientOfflineSessionMaxLifespan": "0", + "oauth2DevicePollingInterval": "5", + "clientSessionIdleTimeout": "0", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5", + "realmReusableOtpCode": "false", + "cibaExpiresIn": "120", + "oauth2DeviceCodeLifespan": "600", + "parRequestUriLifespan": "60", + "clientSessionMaxLifespan": "0", + "organizationsEnabled": "false", + "acr.loa.map": "{\"regular\":\"1\",\"advanced\":\"2\"}" + }, + "keycloakVersion": "25.0.0", + "userManagedAccessAllowed": false, + "organizationsEnabled": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} \ No newline at end of file diff --git a/deployments/examples/ocis_vault/config/ocis/banned-password-list.txt b/deployments/examples/ocis_vault/config/ocis/banned-password-list.txt new file mode 100644 index 00000000000..aff7475f220 --- /dev/null +++ b/deployments/examples/ocis_vault/config/ocis/banned-password-list.txt @@ -0,0 +1,5 @@ +password +12345678 +123 +ownCloud +ownCloud-1 diff --git a/deployments/examples/ocis_vault/config/ocis/csp.yaml b/deployments/examples/ocis_vault/config/ocis/csp.yaml new file mode 100644 index 00000000000..3bbcf892a47 --- /dev/null +++ b/deployments/examples/ocis_vault/config/ocis/csp.yaml 
@@ -0,0 +1,38 @@
+directives:
+ child-src:
+ - '''self'''
+ connect-src:
+ - '''self'''
+ - 'blob:'
+ - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
+ # In contrary to bash and docker the default is given after the | character
+ - 'https://${KEYCLOAK_DOMAIN|keycloak.owncloud.test}/'
+ default-src:
+ - '''none'''
+ font-src:
+ - '''self'''
+ - 'data:'
+ frame-ancestors:
+ - '''none'''
+ frame-src:
+ - '''self'''
+ - 'blob:'
+ - 'https://embed.diagrams.net/'
+ img-src:
+ - '''self'''
+ - 'data:'
+ - 'blob:'
+ - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
+ manifest-src:
+ - '''self'''
+ media-src:
+ - '''self'''
+ object-src:
+ - '''self'''
+ - 'blob:'
+ script-src:
+ - '''self'''
+ - '''unsafe-inline'''
+ style-src:
+ - '''self'''
+ - '''unsafe-inline'''
diff --git a/deployments/examples/ocis_vault/docker-compose.yml b/deployments/examples/ocis_vault/docker-compose.yml
new file mode 100644
index 00000000000..68318e40f24
--- /dev/null
+++ b/deployments/examples/ocis_vault/docker-compose.yml
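Review bot: `script-src` in this new csp.yaml grants `'unsafe-inline'` (as does `style-src`), which removes the inline-script protection that is the main reason to ship a CSP, and `object-src` is opened to `'self'` and `blob:` where `'none'` is the usual baseline; the file gives no hint why either exception is needed. If the web UI genuinely requires inline scripts, record the reason next to the directive, e.g. `# 'unsafe-inline' required by <component placeholder>; replace with a nonce/hash when possible`, so the exception is not copied into production stacks unreviewed. `frame-src` and `connect-src` are scoped to named origins, which is good, and the comment explaining the `|` default in `${KEYCLOAK_DOMAIN|keycloak.owncloud.test}` is the only place that syntax is documented and should stay.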
@@ -0,0 +1,229 @@
+---
+version: "3.7"
+
+services:
+ traefik:
+ image: traefik:v2.9.1
+ networks:
+ ocis-net:
+ aliases:
+ - ${OCIS_DOMAIN:-ocis.owncloud.test}
+ - ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
+ command:
+ - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
+ # letsencrypt configuration
+ - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
+ - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
+ - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
+ # enable dashboard
+ - "--api.dashboard=true"
+ # define entrypoints
+ - "--entryPoints.http.address=:80"
+ - "--entryPoints.http.http.redirections.entryPoint.to=https"
+ - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
+ - "--entryPoints.https.address=:443"
+ # docker provider (get configuration from container labels)
+ - "--providers.docker.endpoint=unix:///var/run/docker.sock"
+ - "--providers.docker.exposedByDefault=false"
+ # access log
+ - "--accessLog=true"
+ - "--accessLog.format=json"
+ - "--accessLog.fields.headers.names.X-Request-Id=keep"
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
+ - "certs:/certs"
+ labels:
+ - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
+ - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
+ - "traefik.http.routers.traefik.entrypoints=https"
+ - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
+ - "traefik.http.routers.traefik.middlewares=traefik-auth"
+ - "traefik.http.routers.traefik.tls.certresolver=http"
+ - "traefik.http.routers.traefik.service=api@internal"
+ logging:
+ driver: ${LOG_DRIVER:-local}
+ restart: always
+
+ ocis:
+ image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
+ networks:
+ ocis-net:
+ entrypoint:
+ - /bin/sh
+ # run ocis init to initialize a configuration file with random secrets
+ # it will fail on subsequent runs, because the config file already exists
+ # therefore we ignore the error and then start the ocis server
+ command: [ "-c", "ocis init || true; exec ocis server" ]
+ environment:
+ # Keycloak IDP specific configuration
+ PROXY_AUTOPROVISION_ACCOUNTS: "true"
+ PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+ OCIS_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/realms/${KEYCLOAK_REALM:-oCIS}
+ PROXY_OIDC_REWRITE_WELLKNOWN: "true"
+ WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
+ # general config
+ OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+ OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
+ OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
+ PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
+ PROXY_USER_OIDC_CLAIM: "preferred_username"
+ PROXY_USER_CS3_CLAIM: "username"
+ # INSECURE: needed if oCIS / Traefik is using self generated certificates
+ OCIS_INSECURE: "${INSECURE:-false}"
+ OCIS_ADMIN_USER_ID: ""
+ OCIS_EXCLUDE_RUN_SERVICES: "idp"
+ GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+ GRAPH_USERNAME_MATCH: "none"
+ # password policies
+ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
+ PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
+ KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
+ OCIS_MFA_ENABLED: ${OCIS_MFA_ENABLED:-false}
+ WEB_OIDC_SCOPE: "openid profile email acr"
+ # Vault: expose internal services so sidecar containers can reach them
+ NATS_NATS_HOST: 0.0.0.0
+ OCIS_GATEWAY_GRPC_ADDR: 0.0.0.0:9142
+ # Vault: auto-create vault home space on first user login
+ PROXY_CREATE_VAULT_HOME: "true"
+ # Local web development: serve web assets from the host
+ WEB_ASSET_CORE_PATH: /web/dist
+ volumes:
+ - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
+ - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
+ - ocis-config:/etc/ocis
+ - ocis-data:/var/lib/ocis
+ - /Users/mk/dev/kiteworks/web:/web
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.ocis.entrypoints=https"
+ - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
+ - "traefik.http.routers.ocis.tls.certresolver=http"
+ - "traefik.http.routers.ocis.service=ocis"
+ - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+ logging:
+ driver: ${LOG_DRIVER:-local}
+ restart: always
+
+ graph-vault:
+ image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
+ networks:
+ ocis-net:
+ depends_on:
+ ocis:
+ condition: service_started
+ command: ["graph", "server"]
+ environment:
+ OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
+ OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
+ GRAPH_ENABLE_VAULT_MODE: "true"
+ OCIS_GATEWAY_GRPC_ADDR: ocis:9142
+ GRAPH_HTTP_ADDR: 0.0.0.0:9125
+ GRAPH_DEBUG_ADDR: 0.0.0.0:9126
+ GRAPH_HTTP_ROOT: /vault/graph
+ GRAPH_SERVICE_NAME: graph-vault
+ MICRO_REGISTRY_ADDRESS: ocis:9233
+ OCIS_EVENTS_ENDPOINT: ocis:9233
+ OCIS_CACHE_STORE_NODES: ocis:9233
+ GRAPH_SPACES_STORAGE_USERS_ADDRESS: com.owncloud.api.storage-users-vault
+ OCIS_INSECURE: "${INSECURE:-false}"
+ volumes:
+ - ocis-data:/var/lib/ocis
+ - ocis-config:/etc/ocis
+ logging:
+ driver: ${LOG_DRIVER:-local}
+ restart: always
+
+ storage-users-vault:
+ image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
+ networks:
+ ocis-net:
+ depends_on:
+ ocis:
+ condition: service_started
+ command: ["storage-users", "server"]
+ environment:
+ OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
+ OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
+ OCIS_GATEWAY_GRPC_ADDR: ocis:9142
+ STORAGE_USERS_ENABLE_VAULT_MODE: "true"
+ STORAGE_USERS_SERVICE_NAME: storage-users-vault
+ STORAGE_USERS_GRPC_ADDR: 0.0.0.0:9170
+ STORAGE_USERS_HTTP_ADDR: 0.0.0.0:9168
+ STORAGE_USERS_DATA_SERVER_URL: http://storage-users-vault:9168/data
+ STORAGE_USERS_DEBUG_ADDR: 0.0.0.0:9169
+ STORAGE_USERS_OCIS_ROOT: /var/lib/ocis/storage/users-vault
+ STORAGE_USERS_EVENTS_CONSUMER_GROUP: vault-dcfs
+ MICRO_REGISTRY_ADDRESS: ocis:9233
+ OCIS_EVENTS_ENDPOINT: ocis:9233
+ OCIS_CACHE_STORE_NODES: ocis:9233
+ OCIS_INSECURE: "${INSECURE:-false}"
+ volumes:
+ - ocis-data:/var/lib/ocis
+ - ocis-config:/etc/ocis
+ logging:
+ driver: ${LOG_DRIVER:-local}
+ restart: always
+
+ postgres:
+ image: postgres:alpine
+ networks:
+ ocis-net:
+ volumes:
+ - keycloak_postgres_data:/var/lib/postgresql/data
+ environment:
+ POSTGRES_DB: keycloak
+ POSTGRES_USER: keycloak
+ POSTGRES_PASSWORD: keycloak
+ logging:
+ driver: ${LOG_DRIVER:-local}
+ restart: always
+
+ keycloak:
+ image: quay.io/keycloak/keycloak:26.2.5
+ networks:
+ ocis-net:
+ command: ["start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"]
+ entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"]
+ volumes:
+ - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
+ - "./config/keycloak/ocis-realm.dist.json:/opt/keycloak/data/import-dist/ocis-realm.json"
+ environment:
+ OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
+ KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
+ KC_DB: postgres
+ KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
+ KC_DB_USERNAME: keycloak
+ KC_DB_PASSWORD: keycloak
+ KC_FEATURES: impersonation,opentelemetry
+ KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN_USER:-admin}
+ KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+ # as replacement of --proxy=edge
+ KC_PROXY_HEADERS: xforwarded
+ KC_HTTP_ENABLED: true
+ # tracing
+ KC_TRACING_ENABLED: ${KEYCLOAK_TRACING:-false}
+ KC_TRACING_ENDPOINT: http://jaeger:4317
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.keycloak.entrypoints=https"
+ - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
+ - "traefik.http.routers.keycloak.tls.certresolver=http"
+ - "traefik.http.routers.keycloak.service=keycloak"
+ - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+ depends_on:
+ - postgres
+ logging:
+ driver: ${LOG_DRIVER:-local}
+ restart: always
+
+volumes:
+ certs:
+ ocis-config:
+ ocis-data:
+ keycloak_postgres_data:
+
+networks:
+ ocis-net:
From 2b6a399f5bcf2860b37e20d4b1b615ecb3a63211 Mon Sep 17 00:00:00 2001
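Review bot: The ocis service bind-mounts `/Users/mk/dev/kiteworks/web:/web` and points `WEB_ASSET_CORE_PATH: /web/dist` at it — a developer's local absolute path that exists on no other host, so the example as committed serves no web assets for anyone else; remove both lines or gate them behind an opt-in variable (e.g. a constructed `${WEB_DEV_PATH}` with a documented default). The keycloak service starts with `--import-realm` against the mounted `ocis-realm.dist.json`, and the realm export earlier in this series carries literal `secret` values for its `hmac-generated`/`aes-generated` KeyProvider components, so every stack built from this example would share the same token-signing and encryption keys; dropping those components from the export lets Keycloak generate fresh keys on first start. `KC_HTTP_ENABLED: true` is an unquoted YAML boolean while every other flag in the file is a quoted `"true"`; some compose versions reject non-string environment values, so `KC_HTTP_ENABLED: "true"` is the safer spelling. Patch 08 later in this series deletes this file again, so these points carry over only to its replacement `vault.yml` where the same values recur.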
From: Michal Klos Date: Wed, 18 Mar 2026 09:30:04 +0100 Subject: [PATCH 08/11] feat: vault based on keycloak --- deployments/examples/ocis_keycloak/.env | 3 + deployments/examples/ocis_keycloak/README.md | 13 + deployments/examples/ocis_keycloak/vault.yml | 74 + deployments/examples/ocis_vault/README.md | 23 - .../config/keycloak/clients/android_app.json | 64 - .../config/keycloak/clients/cyberduck.json | 67 - .../keycloak/clients/desktop_client.json | 65 - .../config/keycloak/clients/ios_app.json | 64 - .../config/keycloak/clients/web.json | 72 - .../keycloak/docker-entrypoint-override.sh | 8 - .../config/keycloak/ocis-realm.dist.json | 2934 ----------------- .../config/ocis/banned-password-list.txt | 5 - .../examples/ocis_vault/config/ocis/csp.yaml | 38 - .../examples/ocis_vault/docker-compose.yml | 229 -- 14 files changed, 90 insertions(+), 3569 deletions(-) create mode 100644 deployments/examples/ocis_keycloak/vault.yml delete mode 100644 deployments/examples/ocis_vault/README.md delete mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/android_app.json delete mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json delete mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json delete mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json delete mode 100644 deployments/examples/ocis_vault/config/keycloak/clients/web.json delete mode 100644 deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh delete mode 100644 deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json delete mode 100644 deployments/examples/ocis_vault/config/ocis/banned-password-list.txt delete mode 100644 deployments/examples/ocis_vault/config/ocis/csp.yaml delete mode 100644 deployments/examples/ocis_vault/docker-compose.yml diff --git a/deployments/examples/ocis_keycloak/.env b/deployments/examples/ocis_keycloak/.env index 147d87389d1..7daaabc2201 100644 
--- a/deployments/examples/ocis_keycloak/.env +++ b/deployments/examples/ocis_keycloak/.env @@ -41,3 +41,6 @@ KEYCLOAK_TRACING= # you need uncomment following line. Please see documentation at # https://owncloud.dev/ocis/deployment/monitoring-tracing/ #COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml + +# To add vault support to this stack, uncomment the following line: +#COMPOSE_FILE=docker-compose.yml:vault.yml diff --git a/deployments/examples/ocis_keycloak/README.md b/deployments/examples/ocis_keycloak/README.md index 0837071b7c9..1d792db46de 100644 --- a/deployments/examples/ocis_keycloak/README.md +++ b/deployments/examples/ocis_keycloak/README.md @@ -4,3 +4,16 @@ document this deployment example in: docs/ocis/deployment/ocis_keycloak.md Please refer to [our documentation](https://owncloud.dev/ocis/deployment/ocis_keycloak/) for instructions on how to deploy this scenario. + + +## Vault + +Adds vault sidecar services (`graph-vault`, `storage-users-vault`) to `ocis_keycloak`. + +### Running + +Uncomment in `.env` or run directly: + +```bash +docker compose -f docker-compose.yml -f vault.yml up -d +``` diff --git a/deployments/examples/ocis_keycloak/vault.yml b/deployments/examples/ocis_keycloak/vault.yml new file mode 100644 index 00000000000..408e014518b --- /dev/null +++ b/deployments/examples/ocis_keycloak/vault.yml 
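Review bot: The new `#COMPOSE_FILE=docker-compose.yml:vault.yml` sits directly under the existing `#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml`; a user who uncomments both gets only the last assignment, so either tracing or vault is silently dropped. Extending the comment with the combined form, `# with tracing: COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml:vault.yml`, would make that interaction explicit. The README hunk on the same line documents only the `-f docker-compose.yml -f vault.yml` form and has the same gap.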
@@ -0,0 +1,74 @@ +--- +version: "3.7" + +services: + ocis: + environment: + # Vault: expose internal services so sidecar containers can reach them + NATS_NATS_HOST: 0.0.0.0 + OCIS_GATEWAY_GRPC_ADDR: 0.0.0.0:9142 + # Vault: auto-create vault home space on first user login + PROXY_CREATE_VAULT_HOME: "true" + + graph-vault: + image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest} + networks: + ocis-net: + depends_on: + ocis: + condition: service_started + command: ["graph", "server"] + environment: + OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} + OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}" + GRAPH_ENABLE_VAULT_MODE: "true" + OCIS_GATEWAY_GRPC_ADDR: ocis:9142 + GRAPH_HTTP_ADDR: 0.0.0.0:9125 + GRAPH_DEBUG_ADDR: 0.0.0.0:9126 + GRAPH_HTTP_ROOT: /vault/graph + GRAPH_SERVICE_NAME: graph-vault + MICRO_REGISTRY_ADDRESS: ocis:9233 + OCIS_EVENTS_ENDPOINT: ocis:9233 + OCIS_CACHE_STORE_NODES: ocis:9233 + GRAPH_SPACES_STORAGE_USERS_ADDRESS: com.owncloud.api.storage-users-vault + OCIS_INSECURE: "${INSECURE:-false}" + volumes: + - ocis-data:/var/lib/ocis + - ocis-config:/etc/ocis + logging: + driver: ${LOG_DRIVER:-local} + restart: always + + storage-users-vault: + image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest} + networks: + ocis-net: + depends_on: + ocis: + condition: service_started + command: ["storage-users", "server"] + environment: + OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info} + OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}" + OCIS_GATEWAY_GRPC_ADDR: ocis:9142 + STORAGE_USERS_ENABLE_VAULT_MODE: "true" + STORAGE_USERS_SERVICE_NAME: storage-users-vault + STORAGE_USERS_GRPC_ADDR: 0.0.0.0:9170 + STORAGE_USERS_HTTP_ADDR: 0.0.0.0:9168 + STORAGE_USERS_DATA_SERVER_URL: http://storage-users-vault:9168/data + STORAGE_USERS_DEBUG_ADDR: 0.0.0.0:9169 + STORAGE_USERS_OCIS_ROOT: /var/lib/ocis/storage/users-vault + STORAGE_USERS_EVENTS_CONSUMER_GROUP: vault-dcfs + MICRO_REGISTRY_ADDRESS: ocis:9233 + OCIS_EVENTS_ENDPOINT: ocis:9233 + OCIS_CACHE_STORE_NODES: ocis:9233 + 
OCIS_INSECURE: "${INSECURE:-false}" + volumes: + - ocis-data:/var/lib/ocis + - ocis-config:/etc/ocis + logging: + driver: ${LOG_DRIVER:-local} + restart: always + +networks: + ocis-net: diff --git a/deployments/examples/ocis_vault/README.md b/deployments/examples/ocis_vault/README.md deleted file mode 100644 index b0806fd8ab4..00000000000 --- a/deployments/examples/ocis_vault/README.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -document this deployment example in: docs/ocis/deployment/ocis_vault.md ---- - -Please refer to [our documentation](https://owncloud.dev/ocis/deployment/ocis_vault/) -for instructions on how to deploy this scenario. - -## Local web development - -The `ocis` service mounts the web repo from the host (`/Users/mk/dev/kiteworks/web`) -and serves its `dist/` via `WEB_ASSET_CORE_PATH`. oCIS generates `config.json` -dynamically from its own config — the one in `dist/` is ignored. - -Run the web build in watch mode: - -```bash -cd /Users/mk/dev/kiteworks/web -pnpm build:w -``` - -This is `vite build --watch` — a full production rebuild on every save (no HMR, -takes 20-60 s). Hard-refresh the browser after each rebuild to pick up changes. -No container restart needed. diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/android_app.json b/deployments/examples/ocis_vault/config/keycloak/clients/android_app.json deleted file mode 100644 index 0dd4106e3f4..00000000000 --- a/deployments/examples/ocis_vault/config/keycloak/clients/android_app.json +++ /dev/null 
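Review bot: `NATS_NATS_HOST: 0.0.0.0` and `OCIS_GATEWAY_GRPC_ADDR: 0.0.0.0:9142` move two internal listeners of the `ocis` container from its default bind to every interface, and the only comment says they are "exposed"; it should say what that implies, because anything attached to `ocis-net` can now reach the gateway gRPC port and the NATS/registry/cache port, and nothing in this file configures NATS authentication or TLS for them. I would replace the comment with `# Vault: bind the gateway gRPC and NATS listeners to all container interfaces so the sidecars on ocis-net can reach them.` and `# These are internal endpoints; never publish 9142 or 9233 to the host and keep them off any network that also carries untrusted containers.`, and confirm that docker-compose.yml (outside this hunk) does not add a `ports:` mapping for either. The same least-privilege caveat applies to the volumes: both sidecars mount the whole `ocis-data` and `ocis-config` volumes, while `storage-users-vault` only writes under `/var/lib/ocis/storage/users-vault`; mounting that subtree alone, if the service does not need the rest, would limit what a compromised sidecar can read. Whether `graph-vault` needs `ocis-data` at all is not visible here and worth a comment either way.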
@@ -1,64 +0,0 @@ -{ - "clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD", - "name": "ownCloud Android app", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD", - "redirectUris": [ - "oc://android.owncloud.com" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } -} \ No newline at end of file 
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json b/deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json deleted file mode 100644 index 85a4e72c5cd..00000000000 --- a/deployments/examples/ocis_vault/config/keycloak/clients/cyberduck.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "clientId": "3keLfua0olYvW1zKXTDB3OjAMPEYWEQNuiscli395GKJOiPnPURNQWGvGCJZf4Hw", - "name": "Cyberduck", - "description": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "yoqICbLIeYbpZPqDH4D8k4NKb04HqnrWBntEeVZEQ5gO1RmaUlln0Aqu1dj2UoF4", - "redirectUris": [ - "x-cyberduck-action:oauth", - "x-mountainduck-action:oauth" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } -} \ No newline at end of file 
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json b/deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json deleted file mode 100644 index 0aeb310097d..00000000000 --- a/deployments/examples/ocis_vault/config/keycloak/clients/desktop_client.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", - "name": "ownCloud Desktop Client", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh", - "redirectUris": [ - "http://127.0.0.1:*", - "http://localhost:*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } -} \ No newline at end of file 
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json b/deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json deleted file mode 100644 index ec879ec7027..00000000000 --- a/deployments/examples/ocis_vault/config/keycloak/clients/ios_app.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1", - "name": "ownCloud iOS app", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx", - "redirectUris": [ - "oc://ios.owncloud.com" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - "manage": true - } -} \ No newline at end of file 
diff --git a/deployments/examples/ocis_vault/config/keycloak/clients/web.json b/deployments/examples/ocis_vault/config/keycloak/clients/web.json deleted file mode 100644 index b88f7c13121..00000000000 --- a/deployments/examples/ocis_vault/config/keycloak/clients/web.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "clientId": "web", - "name": "", - "description": "", - "rootUrl": "https://ocis.owncloud.test", - "adminUrl": "https://ocis.owncloud.test", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "https://ocis.owncloud.test/*" - ], - "webOrigins": [ - "https://ocis.owncloud.test" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.url": "https://ocis.owncloud.test/backchannel_logout", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ], - "access": { - "view": true, - "configure": true, - 
"manage": true - } -} \ No newline at end of file diff --git a/deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh b/deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh deleted file mode 100644 index a21bddb43c9..00000000000 --- a/deployments/examples/ocis_vault/config/keycloak/docker-entrypoint-override.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -printenv -# replace oCIS domain in keycloak realm import -mkdir /opt/keycloak/data/import -sed -e "s/ocis.owncloud.test/${OCIS_DOMAIN}/g" /opt/keycloak/data/import-dist/ocis-realm.json > /opt/keycloak/data/import/oCIS-realm.json - -# run original docker-entrypoint -/opt/keycloak/bin/kc.sh "$@" diff --git a/deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json b/deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json deleted file mode 100644 index 63200a3ac07..00000000000 --- a/deployments/examples/ocis_vault/config/keycloak/ocis-realm.dist.json +++ /dev/null 
@@ -1,2934 +0,0 @@ -{ - "id": "ownCloud Infinite Scale Test", - "realm": "oCIS", - "displayName": "ownCloud Infinite Scale", - "notBefore": 0, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 1800, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "enabled": true, - "sslRequired": "external", - "registrationAllowed": false, - "registrationEmailAsUsername": false, - "rememberMe": false, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": false, - "editUsernameAllowed": false, - "bruteForceProtected": true, - "permanentLockout": false, - "maxTemporaryLockouts": 0, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "roles": { - "realm": [ - { - "id": "0bb40fa2-4490-4687-9159-b1d27ec7423a", - "name": "ocisAdmin", - "description": "", - "composite": false, - "clientRole": false, - "containerId": "ownCloud Infinite Scale Test", - "attributes": {} - }, - { - "id": "2d576514-4aae-46aa-9d9c-075f55f4d988", - "name": "uma_authorization", - "description": "${role_uma_authorization}", - "composite": false, - "clientRole": false, 
- "containerId": "ownCloud Infinite Scale Test", - "attributes": {} - }, - { - "id": "8c79ff81-c256-48fd-b0b9-795c7941eedf", - "name": "ocisUser", - "description": "", - "composite": false, - "clientRole": false, - "containerId": "ownCloud Infinite Scale Test", - "attributes": {} - }, - { - "id": "bd5f5012-48bb-4ea4-bfe6-0623e3ca0552", - "name": "ocisSpaceAdmin", - "description": "", - "composite": false, - "clientRole": false, - "containerId": "ownCloud Infinite Scale Test", - "attributes": {} - }, - { - "id": "e2145b30-bf6f-49fb-af3f-1b40168bfcef", - "name": "offline_access", - "description": "${role_offline-access}", - "composite": false, - "clientRole": false, - "containerId": "ownCloud Infinite Scale Test", - "attributes": {} - }, - { - "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", - "name": "default-roles-ocis", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - "offline_access", - "uma_authorization" - ], - "client": { - "account": [ - "manage-account", - "view-profile" - ] - } - }, - "clientRole": false, - "containerId": "ownCloud Infinite Scale Test", - "attributes": {} - }, - { - "id": "7eedfa6d-a2d9-4296-b6db-e75e4e9c0963", - "name": "ocisGuest", - "description": "", - "composite": false, - "clientRole": false, - "containerId": "ownCloud Infinite Scale Test", - "attributes": {} - } - ], - "client": { - "_system": [], - "realm-management": [ - { - "id": "979ce053-a671-4b50-81d5-da4bdf7404c9", - "name": "view-clients", - "description": "${role_view-clients}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-clients" - ] - } - }, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "4bec4791-e888-4dac-bc95-71720d5981b9", - "name": "query-users", - "description": "${role_query-users}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - 
"id": "955b4406-b04f-432d-a61a-571675874341", - "name": "manage-authorization", - "description": "${role_manage-authorization}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "baa219af-2773-4d59-b06b-485f10fbbab3", - "name": "view-events", - "description": "${role_view-events}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "f280bc03-d079-478d-be06-3590580b25e9", - "name": "manage-users", - "description": "${role_manage-users}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "db698163-84ad-46c9-958f-bb5f80ae78b5", - "name": "query-clients", - "description": "${role_query-clients}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "36c04d89-abf7-4a2c-a808-8efa9aca1435", - "name": "manage-clients", - "description": "${role_manage-clients}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "06eae953-11d5-4344-b089-ffce1e68d5d8", - "name": "query-realms", - "description": "${role_query-realms}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "afe8aa78-2f06-43a5-8c99-cf68a1f5a86a", - "name": "realm-admin", - "description": "${role_realm-admin}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "view-clients", - "query-users", - "manage-authorization", - "view-events", - "manage-users", - "query-clients", - "manage-clients", - "query-realms", - "impersonation", - "manage-realm", - "manage-identity-providers", - "view-authorization", - "create-client", - "query-groups", - "view-users", - "view-realm", - 
"view-identity-providers", - "manage-events" - ] - } - }, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "22ee128a-b28e-4c6a-aa8e-ad4136d74e1b", - "name": "impersonation", - "description": "${role_impersonation}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "89d4f119-7f87-44d9-8eef-d207304de778", - "name": "manage-realm", - "description": "${role_manage-realm}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "ebffeff4-6794-4003-a2ab-a79eff7d1baa", - "name": "manage-identity-providers", - "description": "${role_manage-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "2361a7ff-d2b3-43f5-b360-ad0e44fba65c", - "name": "view-authorization", - "description": "${role_view-authorization}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "f7bf6d7a-a861-49c6-8f6f-225c18d0a03a", - "name": "create-client", - "description": "${role_create-client}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "34ccce1c-5a7e-4268-8836-2276545be900", - "name": "query-groups", - "description": "${role_query-groups}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "430f7831-8f22-4518-bd15-2998eae45a51", - "name": "view-users", - "description": "${role_view-users}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-groups", - "query-users" - ] - } - }, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - 
"attributes": {} - }, - { - "id": "371a31e6-4494-4b74-b3ea-d030663423ed", - "name": "view-realm", - "description": "${role_view-realm}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "e875775b-7a3e-4a5d-9e4e-376351b78626", - "name": "view-identity-providers", - "description": "${role_view-identity-providers}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - }, - { - "id": "3dce7929-ee1f-40cd-9be1-7addcae92cef", - "name": "manage-events", - "description": "${role_manage-events}", - "composite": false, - "clientRole": true, - "containerId": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "attributes": {} - } - ], - "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69": [], - "web": [], - "security-admin-console": [], - "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD": [], - "admin-cli": [], - "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1": [], - "account-console": [], - "broker": [ - { - "id": "81fad68a-8dd8-4d79-9a8f-206a82460145", - "name": "read-token", - "description": "${role_read-token}", - "composite": false, - "clientRole": true, - "containerId": "002faf0a-716c-4230-81c7-ce22d1eb832c", - "attributes": {} - } - ], - "account": [ - { - "id": "c49a49da-8ad0-44cb-b518-6d7d72cbe494", - "name": "manage-account", - "description": "${role_manage-account}", - "composite": true, - "composites": { - "client": { - "account": [ - "manage-account-links" - ] - } - }, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - }, - { - "id": "9dc2244e-b8a7-44f1-b173-d2b929fedcca", - "name": "view-consent", - "description": "${role_view-consent}", - "composite": false, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - }, - { - "id": "ce115327-99c9-44d4-ba7d-820397dc11e6", - "name": 
"manage-account-links", - "description": "${role_manage-account-links}", - "composite": false, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - }, - { - "id": "2ffdf854-084b-467a-91c6-7f07844efc9a", - "name": "view-groups", - "description": "${role_view-groups}", - "composite": false, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - }, - { - "id": "8c45ca71-32aa-4547-932d-412da5e371ed", - "name": "view-profile", - "description": "${role_view-profile}", - "composite": false, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - }, - { - "id": "cbeecf6d-9af8-4746-877b-74800a894c35", - "name": "view-applications", - "description": "${role_view-applications}", - "composite": false, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - }, - { - "id": "ea798f64-b5f8-417f-9fe0-d3cd9172884f", - "name": "delete-account", - "description": "${role_delete-account}", - "composite": false, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - }, - { - "id": "e73aaf6d-e67b-491a-9cc3-78c32c82b42c", - "name": "manage-consent", - "description": "${role_manage-consent}", - "composite": true, - "composites": { - "client": { - "account": [ - "view-consent" - ] - } - }, - "clientRole": true, - "containerId": "9850adad-7910-4b67-a790-da6444361618", - "attributes": {} - } - ] - } - }, - "groups": [ - { - "id": "99187f82-71b6-4f21-a255-0d87bb286607", - "name": "philosophy-haters", - "path": "/philosophy-haters", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - }, - { - "id": "2129ab43-0221-40e1-871a-394a8c9b6434", - "name": "physics-lovers", - "path": "/physics-lovers", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - }, - { - "id": "8246d8bc-8e35-4b11-916e-f8d7729d6a23", - "name": 
"polonium-lovers", - "path": "/polonium-lovers", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - }, - { - "id": "fabf9b54-c27e-495e-961d-9c9f2ebfd482", - "name": "quantum-lovers", - "path": "/quantum-lovers", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - }, - { - "id": "f5613e5a-84b6-4e85-bcb3-0fff9fa6a191", - "name": "radium-lovers", - "path": "/radium-lovers", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - }, - { - "id": "32031f61-035e-4355-b7bf-17ff314581f3", - "name": "sailing-lovers", - "path": "/sailing-lovers", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - }, - { - "id": "8520544b-eb76-449d-8498-fbe0e1e62a97", - "name": "users", - "path": "/users", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - }, - { - "id": "d0a10993-e532-49b7-b2b4-009f9b31d43a", - "name": "violin-haters", - "path": "/violin-haters", - "subGroups": [], - "attributes": {}, - "realmRoles": [], - "clientRoles": {} - } - ], - "defaultRole": { - "id": "82e13ea7-aac4-4d2c-9fc7-cff8333dbe19", - "name": "default-roles-ocis", - "description": "${role_default-roles}", - "composite": true, - "clientRole": false, - "containerId": "ownCloud Infinite Scale Test" - }, - "requiredCredentials": [ - "password" - ], - "otpPolicyType": "totp", - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyInitialCounter": 0, - "otpPolicyDigits": 6, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpPolicyCodeReusable": false, - "otpSupportedApplications": [ - "totpAppFreeOTPName", - "totpAppGoogleName", - "totpAppMicrosoftAuthenticatorName" - ], - "localizationTexts": {}, - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - 
"webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyExtraOrigins": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "webAuthnPolicyPasswordlessExtraOrigins": [], - "users": [ - { - "id": "389845cd-65b9-47fc-b723-ba75940bcbd7", - "username": "admin", - "firstName": "Admin", - "lastName": "Admin", - "email": "admin@example.org", - "emailVerified": true, - "createdTimestamp": 1611912383386, - "enabled": true, - "totp": false, - "credentials": [ - { - "id": "499e0fbe-1c10-4588-9db4-e8a1012b9246", - "type": "password", - "createdDate": 1611912393787, - "secretData": "{\"value\":\"WUdGHYxGqrEBqg8Y3v+CKCzkzXkboMI6VmpWAYqvD7pIcP9z1zzDTqwlXrVFytoZMpcceT3Xm1hAGh7CZcSoHQ==\",\"salt\":\"pxP1MdkG//50Lv81WsQ5FA==\",\"additionalParameters\":{}}", - "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } - ], - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "uma_authorization", - "ocisAdmin", - "offline_access" - ], - "clientRoles": { - "account": [ - "manage-account", - "view-profile" - ] - }, - "notBefore": 0, - "groups": [ - "/users" - ] - }, - { - "id": "0a9f434c-4864-49cf-ac15-46ed0f49d59b", - 
"username": "einstein", - "firstName": "Albert", - "lastName": "Einstein", - "email": "einstein@example.org", - "emailVerified": true, - "createdTimestamp": 1611912153544, - "enabled": true, - "totp": false, - "credentials": [ - { - "id": "19efcb24-c5ec-42ed-97e1-2475ca025f40", - "type": "password", - "createdDate": 1611912169712, - "secretData": "{\"value\":\"5+ofM8OpvpiPZyi4ZJuB2Pa3jGOIcY2uXui2p8KRWCs=\",\"salt\":\"wfhXLZScHStB14ZxML9d7g==\",\"additionalParameters\":{}}", - "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } - ], - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "uma_authorization", - "ocisUser", - "offline_access" - ], - "clientRoles": { - "account": [ - "manage-account", - "view-profile" - ] - }, - "notBefore": 0, - "groups": [ - "/physics-lovers", - "/sailing-lovers", - "/users", - "/violin-haters" - ] - }, - { - "id": "b44a81e2-e3ed-4241-a9ce-44604f7ac9eb", - "username": "katherine", - "firstName": "Katherine", - "lastName": "Johnson", - "email": "katherine@example.org", - "emailVerified": true, - "createdTimestamp": 1678101111607, - "enabled": true, - "totp": false, - "credentials": [ - { - "id": "be18ccc9-b80f-4895-bf06-8e8e4605c634", - "type": "password", - "userLabel": "My password", - "createdDate": 1678101159924, - "secretData": "{\"value\":\"/E/1yfcgM8deq6V544gEsTfsXZuUnzaofmM+AK+MpAsvRoNRtEyRN1pajhIpGDtEuPa/KVBDbcALE7WMbFhO1w==\",\"salt\":\"TXapvlOYBWqabQRo+fINFQ==\",\"additionalParameters\":{}}", - "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } - ], - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "ocisSpaceAdmin", - "default-roles-ocis" - ], - "notBefore": 0, - "groups": [] - }, - { - "id": "48016357-346a-443e-bf7a-945c9448a99b", - "username": "marie", - 
"firstName": "Marie", - "lastName": "Curie", - "email": "marie@example.org", - "emailVerified": true, - "createdTimestamp": 1611912241951, - "enabled": true, - "totp": false, - "credentials": [ - { - "id": "ff304f90-a934-4bf1-9cfe-bd165751c110", - "type": "password", - "createdDate": 1611912318408, - "secretData": "{\"value\":\"DN7g/etlfzHfd6tfF4g50xdPGy+aUboAXmjB06R0NzhGhwhOxiUh7KNWre2pqZOiu28iGXfDFWMP2xDCNid+Mg==\",\"salt\":\"ZFYXUMBaZm/XspifJgH9Tg==\",\"additionalParameters\":{}}", - "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } - ], - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "uma_authorization", - "ocisUser", - "offline_access" - ], - "clientRoles": { - "account": [ - "manage-account", - "view-profile" - ] - }, - "notBefore": 0, - "groups": [ - "/physics-lovers", - "/polonium-lovers", - "/radium-lovers", - "/users" - ] - }, - { - "id": "d18c3689-b816-455a-9728-cd8c9797f315", - "username": "moss", - "firstName": "Maurice", - "lastName": "Moss", - "email": "moss@example.org", - "emailVerified": true, - "createdTimestamp": 1611912340085, - "enabled": true, - "totp": false, - "credentials": [ - { - "id": "273679bf-80ef-4c83-ac23-0ee569c3bece", - "type": "password", - "createdDate": 1611912354500, - "secretData": "{\"value\":\"f22la+Ghr2xDBOA1tJrMlc2GFy9ZiGcTJuto2U9KaHE=\",\"salt\":\"fjwq6/u6YI+r1xdZL0UtxA==\",\"additionalParameters\":{}}", - "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" - } - ], - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "uma_authorization", - "ocisAdmin", - "offline_access" - ], - "clientRoles": { - "account": [ - "manage-account", - "view-profile" - ] - }, - "notBefore": 0, - "groups": [ - "/users" - ] - }, - { - "id": 
"373be4c5-7f65-4e91-ba0e-bfb618c96046", - "username": "richard", - "firstName": "Richard", - "lastName": "Feynman", - "email": "richard@example.org", - "emailVerified": true, - "createdTimestamp": 1611912442173, - "enabled": true, - "totp": false, - "credentials": [ - { - "id": "2fb1bcd7-8a51-4732-b695-dc4aa14b1dca", - "type": "password", - "createdDate": 1611912452192, - "secretData": "{\"value\":\"uzN0AO66tnEoLM5SpHmJ3rNb4Gj9sXJMafn68EbDwVtQmbOR0uY7L/ePU7i5pVTvhgRN7XMj0P9Fc+iV7C+Pzw==\",\"salt\":\"PqLW9Cu52hOW9b2cVTF+Sg==\",\"additionalParameters\":{}}", - "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" - } - ], - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "uma_authorization", - "ocisUser", - "offline_access" - ], - "clientRoles": { - "account": [ - "manage-account", - "view-profile" - ] - }, - "notBefore": 0, - "groups": [ - "/philosophy-haters", - "/physics-lovers", - "/quantum-lovers", - "/users" - ] - } - ], - "scopeMappings": [ - { - "clientScope": "offline_access", - "roles": [ - "offline_access" - ] - }, - { - "clientScope": "roles", - "roles": [ - "ocisSpaceAdmin", - "ocisGuest", - "ocisUser", - "ocisAdmin" - ] - } - ], - "clientScopeMappings": { - "account": [ - { - "client": "account-console", - "roles": [ - "manage-account", - "view-groups" - ] - } - ] - }, - "clients": [ - { - "id": "294b6cf4-b646-4f6c-bab2-616546ec3167", - "clientId": "_system", - "name": "_system", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "pIw3cF77kEYSYR2r1HfOzySTBLO7aYeM", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": 
"openid-connect", - "attributes": { - "client.secret.creation.time": "1718778122", - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "9850adad-7910-4b67-a790-da6444361618", - "clientId": "account", - "name": "${client_account}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/oCIS/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "PY3vaoPyw7VCfHxDf41JKbGtR2WOV85S", - "redirectUris": [ - "/realms/oCIS/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "client.secret.creation.time": "1718778122", - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "basic" - ], - "optionalClientScopes": [] - }, - { - "id": "55bb4cdc-045b-422a-8830-61245949d6aa", - "clientId": "account-console", - "name": "${client_account-console}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/oCIS/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/realms/oCIS/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": 
false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+", - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "9bf413ed-402f-438d-a72c-033f3c45dab2", - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "profile", - "roles", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "2969b8ff-2ab3-4907-aaa7-091a7a627ccb", - "clientId": "admin-cli", - "name": "${client_admin-cli}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "basic" - ], - "optionalClientScopes": [] - }, - { - "id": "002faf0a-716c-4230-81c7-ce22d1eb832c", - "clientId": "broker", - "name": "${client_broker}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "3mksmxreyii6xcc6N2JRGLT4fehwE1HT", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, 
- "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "client.secret.creation.time": "1718778122", - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "basic" - ], - "optionalClientScopes": [] - }, - { - "id": "c8367556-1d13-4979-b4f6-5e2cff1f82ae", - "clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD", - "name": "ownCloud Android app", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD", - "redirectUris": [ - "oc://android.owncloud.com" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - 
}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "acr", - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9", - "clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1", - "name": "ownCloud iOS app", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx", - "redirectUris": [ - "oc://ios.owncloud.com" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - 
"basic", - "email" - ], - "optionalClientScopes": [ - "acr", - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "7848ee94-cc9b-40db-946f-a86ac73dc9b7", - "clientId": "realm-management", - "name": "${client_realm-management}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [], - "optionalClientScopes": [] - }, - { - "id": "97264f49-a8c1-4585-99b6-e706339c62f8", - "clientId": "security-admin-console", - "name": "${client_security-admin-console}", - "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/oCIS/console/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "/admin/oCIS/console/*" - ], - "webOrigins": [ - "+" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "post.logout.redirect.uris": "+", - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "id": "96092024-21dd-4d31-a004-2c5b96031da3", - "name": "locale", - "protocol": 
"openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - } - ], - "defaultClientScopes": [ - "basic" - ], - "optionalClientScopes": [] - }, - { - "id": "54b18eca-cf79-4263-9db9-2d79f8a1c831", - "clientId": "web", - "name": "", - "description": "", - "rootUrl": "https://ocis.owncloud.test", - "adminUrl": "https://ocis.owncloud.test", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "redirectUris": [ - "https://ocis.owncloud.test/*" - ], - "webOrigins": [ - "https://ocis.owncloud.test" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "oidc.ciba.grant.enabled": "false", - "backchannel.logout.url": "https://ocis.owncloud.test/backchannel_logout", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", 
- "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "acr", - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f", - "clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", - "name": "ownCloud Desktop Client", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh", - "redirectUris": [ - "http://127.0.0.1:*", - "http://localhost:*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "post.logout.redirect.uris": "+", - "backchannel.logout.revoke.offline.tokens": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "backchannel.logout.session.required": "true", - "client_credentials.use_refresh_token": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - 
"defaultClientScopes": [ - "web-origins", - "profile", - "roles", - "groups", - "basic", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - } - ], - "clientScopes": [ - { - "id": "258e56a8-1eeb-49ea-957b-aff8df4656ba", - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "consent.screen.text": "${emailScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "068bcfb6-4a17-4c20-b083-ae542a7f76c8", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean", - "userinfo.token.claim": "true" - } - }, - { - "id": "c00d6c21-2fd1-435f-9ee9-87e011048cbe", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - } - ] - }, - { - "id": "b3e1e47e-3912-4b55-ba89-b0198e767682", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "consent.screen.text": "${addressScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "876baab9-39d1-4845-abb4-561a58aa152d", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - 
"user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "id": "9cae7ced-e7d9-4f7b-8e54-7402125f6ead", - "name": "offline_access", - "description": "OpenID Connect built-in scope: offline_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - }, - { - "id": "8eb1f69b-b941-4185-bca1-f916953f7cf5", - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "fb587847-806f-4443-bab0-501efc0f0b46", - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "id": "947da1ff-f614-48fc-9ecb-c98cbcfd3390", - "name": "profile", - "description": "OpenID Connect built-in scope: profile", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "consent.screen.text": "${profileScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "46fec552-2f92-408a-84cf-ba98bf8e35fd", - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "lastName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "family_name", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "c7ed5458-4d32-423e-8ea1-d112c45045d4", - "name": "middle name", - "protocol": "openid-connect", - 
"protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "middleName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "e18d1ce4-3969-4ec1-9941-a27fd7555245", - "name": "picture", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "dab85a5e-9af8-4fcd-88e4-9d3ae50dd5b6", - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "7484f47e-3bb1-48d0-ba64-e8330dcefe6e", - "name": "profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "profile", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "profile", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "fcd00995-9693-4803-8f41-c84044be83ed", - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "website", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "f09e7268-5284-449b-849b-cf8225523584", - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": 
"oidc-full-name-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - }, - { - "id": "0317f4b3-3f7b-47ab-88d3-5d6f604d944d", - "name": "nickname", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "nickname", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "nickname", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "db81244c-e739-461b-8822-52ceaa11bdf4", - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "c6a16bf9-9370-4dff-a718-be53131bb238", - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "gender", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "gender", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "32d76647-b542-484c-9062-edc34eb350e0", - "name": "birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "birthdate", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "birthdate", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "ac6530db-6463-446b-99da-32d5298b5fa0", - "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "zoneinfo", - 
"id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "ed10983b-8700-415e-933e-226ce3f397a6", - "name": "given name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "firstName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "given_name", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "8205ccd0-1266-4060-b5df-3a6eb229d91e", - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - } - ] - }, - { - "id": "79713daf-89ca-4ed4-ad97-a88b13ee9a18", - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "consent.screen.text": "${phoneScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "b5f4f5ed-1008-42ba-8b3b-7d8851a2a680", - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - }, - { - "id": "08a246f1-2b4c-4def-af5c-aefc31b4820d", - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - 
"access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean", - "userinfo.token.claim": "true" - } - } - ] - }, - { - "id": "c3a6224b-49aa-4a25-953d-7e326d66893d", - "name": "basic", - "description": "OpenID Connect scope for add all basic claims to the token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "2d4f3f17-1ab7-429e-88e1-cdf08d3533c6", - "name": "auth_time", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "AUTH_TIME", - "introspection.token.claim": "true", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "auth_time", - "jsonType.label": "long" - } - }, - { - "id": "3e7da934-3de3-4bd1-a565-8ac62419c138", - "name": "sub", - "protocol": "openid-connect", - "protocolMapper": "oidc-sub-mapper", - "consentRequired": false, - "config": { - "introspection.token.claim": "true", - "access.token.claim": "true" - } - } - ] - }, - { - "id": "0c72b80b-28d5-48d8-b593-c99030aab58d", - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "consent.screen.text": "${rolesScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "bc7f015e-329f-4e99-be6b-72382f4310c7", - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "id": "215f645f-ad0b-4523-9ece-f09f69ead5c4", - "name": "audience resolve", - 
"protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - }, - { - "id": "4a10b958-d34d-413a-b349-1415d02cdcde", - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "roles", - "jsonType.label": "String", - "userinfo.token.claim": "true", - "multivalued": "true" - } - } - ] - }, - { - "id": "7438d93e-b07a-4913-9419-3273be364c4b", - "name": "groups", - "description": "OpenID Connect scope for add user groups to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "gui.order": "", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "id": "5349faf2-64a6-481f-b207-39ffef2cd597", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "full.path": "false", - "introspection.token.claim": "true", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "lightweight.claim": "false", - "access.token.claim": "true", - "claim.name": "groups" - } - } - ] - }, - { - "id": "5ce87358-3bca-4874-a6f0-6dccae6209a8", - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "consent.screen.text": "", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "bbd23c51-918d-4ea6-9ac0-db68b512fb0a", - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "id": "86883395-e439-4cab-9d8d-31d71389969c", - "name": "acr", - "description": "OpenID Connect scope for add 
acr (authentication context class reference) to the token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "b849b14b-7c9c-4b7b-9329-c56debefb47c", - "name": "acr loa level", - "protocol": "openid-connect", - "protocolMapper": "oidc-acr-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - } - ] - }, - { - "id": "bdb3e320-76c8-4ad7-9d0f-a08efc060101", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "1d08316c-493b-42ab-afa3-66f621860661", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - }, - { - "id": "52061d2d-7a41-4f1d-ba1b-3c4a53e739e4", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String", - "userinfo.token.claim": "true" - } - } - ] - } - ], - "defaultDefaultClientScopes": [ - "role_list", - "profile", - "email", - "roles", - "web-origins", - "acr", - "basic", - "groups" - ], - "defaultOptionalClientScopes": [ - "offline_access", - "address", - "phone", - "microprofile-jwt" - ], - "browserSecurityHeaders": { - "contentSecurityPolicyReportOnly": "", - "xContentTypeOptions": "nosniff", - "referrerPolicy": "no-referrer", - 
"xRobotsTag": "none", - "xFrameOptions": "SAMEORIGIN", - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "strictTransportSecurity": "max-age=31536000; includeSubDomains" - }, - "smtpServer": {}, - "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "enabledEventTypes": [], - "adminEventsEnabled": false, - "adminEventsDetailsEnabled": false, - "identityProviders": [], - "identityProviderMappers": [], - "components": { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "id": "4682fe74-f3a9-445a-a7ab-557fb532fe6b", - "name": "Consent Required", - "providerId": "consent-required", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "id": "c46009e5-c8b5-4051-bf7f-7b1481a9aa86", - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, - { - "id": "43edf979-28d2-46c8-9f93-48b3de185570", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-property-mapper", - "saml-role-list-mapper", - "oidc-address-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-usermodel-property-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-full-name-mapper", - "saml-user-attribute-mapper" - ] - } - }, - { - "id": "6fc7d765-7da8-4985-ba0b-e83827b04bd3", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6", - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-user-attribute-mapper", - 
"oidc-usermodel-attribute-mapper", - "oidc-address-mapper", - "saml-role-list-mapper", - "oidc-full-name-mapper", - "saml-user-property-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-usermodel-property-mapper" - ] - } - }, - { - "id": "e3eadb04-8862-4567-869c-a76485268159", - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "id": "c788e6bf-2f57-4a82-b32e-ac8d48a4f676", - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", - "subComponents": {}, - "config": {} - } - ], - "org.keycloak.userprofile.UserProfileProvider": [ - { - "id": "28d6b4ce-33d4-40c0-adef-b27e35b7e122", - "providerId": "declarative-user-profile", - "subComponents": {}, - "config": { - "kc.user.profile.config": [ - "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\
"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}],\"unmanagedAttributePolicy\":\"ENABLED\"}" - ] - } - } - ], - "org.keycloak.keys.KeyProvider": [ - { - "id": "0e3d0048-cb16-49c3-8a9a-05d83f0daeca", - "name": "rsa-generated", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "privateKey": [ - "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" - ], - "certificate": [ - "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" - ], - "priority": [ - "100" - ] - } - }, - { - "id": "f92ecf31-c3c7-4c3b-af20-839fc05bcf99", - "name": "hmac-generated", - "providerId": "hmac-generated", - "subComponents": {}, - "config": { - "kid": [ - "a25fabf6-4224-4e0e-876b-cbfcb0a79628" - ], - "secret": [ - "4TbJ63S8xc-vEmTtAtd0YQbO9sCqeUs9B0SpOiokavNFWwRq5hrxcyXsG1GKpCAcEheGKnjNgkNAOR3jvnKDVnq-jJd9II2G6-A6G-XH7HMG7REWi2OVDf7a5eGmdFeRNdI5kQhGceS-H03hF3Q9uI4tv1mlgoeBpVxfWrS5_dQ" - ], - "priority": [ - "100" - ], - "algorithm": [ - "HS256" - ] - } - }, - { - "id": "a137a686-5876-4faf-8d1e-e3a59f55095e", - "name": "hmac-generated-hs512", - "providerId": "hmac-generated", - "subComponents": {}, - "config": { - "kid": [ - "f00e19d2-5070-4730-a68a-2a14912ef7a8" - ], - "secret": [ - "nXZiaEzaQQUrFkmkq7vRPbZ54_m-u5zo5o9j-5WxtbdwCaHGNN3hGHOjq_4z4zfB4ooRVcUtzQL_48kOoRYmvJy7_w-rfIIooxN5yGU4sVJRj3wV3cVwxPqNAVLj_pAxJnTLXGC-cckpFkWw9XfIPLG-D3Nkv05WEgVSnIuNXOo" - ], - "priority": [ - "100" - ], - "algorithm": [ - "HS512" - ] - } - }, - { - "id": "992dcc80-dc41-4b00-bab8-6ec1c839f3a4", - "name": "aes-generated", - "providerId": "aes-generated", - "subComponents": {}, - "config": { - "kid": [ - "aec7cbf7-7e70-4acd-b1b6-adc7a0d58e2f" - ], - "secret": [ - "-WfcWG4blS3bT0nsLsj-Rw" - ], - "priority": [ - "100" - ] - } - } - ] - }, - "internationalizationEnabled": false, - "supportedLocales": [], - "authenticationFlows": [ - { - "id": "5392b282-096e-4994-a3ad-780eb4023d27", - "alias": "step up flow", - 
"description": "browser login flow with step-up mechanism", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": false, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 25, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "identity-provider-redirector", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 31, - "autheticatorFlow": true, - "flowAlias": "base step up", - "userSetupAllowed": false - } - ] - }, - { - "id": "00e79c8a-93b3-4c0d-857f-7bf5be19d0cb", - "alias": "base step up", - "description": "base step up flow", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": false, - "authenticationExecutions": [ - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 2, - "autheticatorFlow": true, - "flowAlias": "step up level 1", - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 3, - "autheticatorFlow": true, - "flowAlias": "step up level 2", - "userSetupAllowed": false - } - ] - }, - { - "id": "32ec29d9-dd12-45ce-bdbc-3e597aca4b51", - "alias": "step up level 1", - "description": "loa 1 with username and password", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": false, - "authenticationExecutions": [ - { - "authenticatorConfig": "loa level 1", - "authenticator": "conditional-level-of-authentication", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 0, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": 
"auth-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 1, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "b8c46bfb-cf9e-414a-a773-b17e0fdaa475", - "alias": "step up level 2", - "description": "loa 2 with totp", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": false, - "authenticationExecutions": [ - { - "authenticatorConfig": "loa level 2", - "authenticator": "conditional-level-of-authentication", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 0, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 1, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "8964f931-b866-4a05-ab1c-89331a566887", - "alias": "Account verification options", - "description": "Method with which to verity the existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-email-verification", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false - } - ] - }, - { - "id": "123e5711-1ee5-4f7e-ac9c-64c644daaea9", - "alias": "Browser - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": 
"auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "be73b7f5-9a66-487c-b7dd-80e0f7ac0c7c", - "alias": "Direct Grant - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "597ca917-91fc-4898-a279-cd592af286e3", - "alias": "First broker login - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-otp-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "3daadb6b-4d63-4be1-a89e-ec8e41e72afa", - "alias": "Handle Existing Account", - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": 
false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Account verification options", - "userSetupAllowed": false - } - ] - }, - { - "id": "5942598c-d7e9-4941-b13e-4a8a75e2c2a3", - "alias": "Reset - Conditional OTP", - "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-otp", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "6e4b336e-eb5f-423c-8d32-4ab94d1122e6", - "alias": "User creation or linking", - "description": "Flow for the existing/non-existing user alternatives", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "create unique user config", - "authenticator": "idp-create-user-if-unique", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Handle Existing Account", - "userSetupAllowed": false - } - ] - }, - { - "id": "35ac1997-b6af-44ff-ab27-c34f9be32e56", - "alias": "Verify Existing Account by Re-authentication", - "description": "Reauthentication of existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - 
"autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "First broker login - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "a3473070-fe69-4de1-a0b2-dd54b8a769d5", - "alias": "browser", - "description": "browser based authentication", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "auth-spnego", - "authenticatorFlow": false, - "requirement": "DISABLED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "identity-provider-redirector", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 25, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "ALTERNATIVE", - "priority": 30, - "autheticatorFlow": true, - "flowAlias": "forms", - "userSetupAllowed": false - } - ] - }, - { - "id": "cc714857-b114-4df6-9030-b464bbb3964d", - "alias": "clients", - "description": "Base authentication for clients", - "providerId": "client-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "client-secret", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "client-secret-jwt", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { 
- "authenticator": "client-x509", - "authenticatorFlow": false, - "requirement": "ALTERNATIVE", - "priority": 40, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "0ebe891c-1a72-4842-bf29-a9abe9c2a4d2", - "alias": "direct grant", - "description": "OpenID Connect Resource Owner Grant", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "direct-grant-validate-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 30, - "autheticatorFlow": true, - "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "d97d5579-b3d4-49c4-a60e-0e1e6b1c9d79", - "alias": "docker auth", - "description": "Used by Docker clients to authenticate against the IDP", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "009f7c28-0f41-4237-9911-9091c3d751b7", - "alias": "first broker login", - "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "review profile config", - "authenticator": "idp-review-profile", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - 
"userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "User creation or linking", - "userSetupAllowed": false - } - ] - }, - { - "id": "f9911022-b3cf-4d96-9a96-51bc53c437eb", - "alias": "forms", - "description": "Username, password, otp and other auth forms.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 20, - "autheticatorFlow": true, - "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "c53eb19d-49e9-4252-8a10-4d5c6a12e61b", - "alias": "registration", - "description": "registration flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "authenticatorFlow": true, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": true, - "flowAlias": "registration form", - "userSetupAllowed": false - } - ] - }, - { - "id": "3b4f48d3-1706-4630-80e0-e0542780a1f7", - "alias": "registration form", - "description": "registration form", - "providerId": "form-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-user-creation", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-password-action", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 50, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "registration-recaptcha-action", - "authenticatorFlow": false, - 
"requirement": "DISABLED", - "priority": 60, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - }, - { - "id": "5520aa89-cd76-438a-abae-7ccd3a2d7615", - "alias": "reset credentials", - "description": "Reset credentials for a user if they forgot their password or something", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-credential-email", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 20, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticator": "reset-password", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 30, - "autheticatorFlow": false, - "userSetupAllowed": false - }, - { - "authenticatorFlow": true, - "requirement": "CONDITIONAL", - "priority": 40, - "autheticatorFlow": true, - "flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false - } - ] - }, - { - "id": "cce548d6-9bef-4449-88ea-99b949488fe7", - "alias": "saml ecp", - "description": "SAML ECP Profile Authentication Flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "authenticatorFlow": false, - "requirement": "REQUIRED", - "priority": 10, - "autheticatorFlow": false, - "userSetupAllowed": false - } - ] - } - ], - "authenticatorConfig": [ - { - "id": "0848606c-7510-4b09-ba0e-4dc2ef3d63f8", - "alias": "create unique user config", - "config": { - "require.password.update.after.registration": "false" - } - }, - { - "id": "91a8dee7-c679-4202-866e-234eb4164cfd", - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - } - }, - { - "id": "5b7b9811-6a2d-47ba-8722-7a4a5cb67cc3", - 
"alias": "loa level 2", - "config": { - "loa-condition-level": "2", - "loa-max-age": "36000" - } - }, - { - "id": "fc6ac583-5601-4c97-a57b-3b044dc4007f", - "alias": "loa level 1", - "config": { - "loa-condition-level": "1", - "loa-max-age": "36000" - } - } - ], - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "name": "Configure OTP", - "providerId": "CONFIGURE_TOTP", - "enabled": true, - "defaultAction": false, - "priority": 10, - "config": {} - }, - { - "alias": "TERMS_AND_CONDITIONS", - "name": "Terms and Conditions", - "providerId": "TERMS_AND_CONDITIONS", - "enabled": false, - "defaultAction": false, - "priority": 20, - "config": {} - }, - { - "alias": "UPDATE_PASSWORD", - "name": "Update Password", - "providerId": "UPDATE_PASSWORD", - "enabled": true, - "defaultAction": false, - "priority": 30, - "config": {} - }, - { - "alias": "UPDATE_PROFILE", - "name": "Update Profile", - "providerId": "UPDATE_PROFILE", - "enabled": true, - "defaultAction": false, - "priority": 40, - "config": {} - }, - { - "alias": "VERIFY_EMAIL", - "name": "Verify Email", - "providerId": "VERIFY_EMAIL", - "enabled": true, - "defaultAction": false, - "priority": 50, - "config": {} - }, - { - "alias": "delete_account", - "name": "Delete Account", - "providerId": "delete_account", - "enabled": false, - "defaultAction": false, - "priority": 60, - "config": {} - }, - { - "alias": "delete_credential", - "name": "Delete Credential", - "providerId": "delete_credential", - "enabled": true, - "defaultAction": false, - "priority": 100, - "config": {} - }, - { - "alias": "update_user_locale", - "name": "Update User Locale", - "providerId": "update_user_locale", - "enabled": true, - "defaultAction": false, - "priority": 1000, - "config": {} - } - ], - "browserFlow": "step up flow", - "registrationFlow": "registration", - "directGrantFlow": "direct grant", - "resetCredentialsFlow": "reset credentials", - "clientAuthenticationFlow": "clients", - "dockerAuthenticationFlow": "docker auth", - 
"firstBrokerLoginFlow": "first broker login", - "attributes": { - "cibaBackchannelTokenDeliveryMode": "poll", - "cibaAuthRequestedUserHint": "login_hint", - "clientOfflineSessionMaxLifespan": "0", - "oauth2DevicePollingInterval": "5", - "clientSessionIdleTimeout": "0", - "clientOfflineSessionIdleTimeout": "0", - "cibaInterval": "5", - "realmReusableOtpCode": "false", - "cibaExpiresIn": "120", - "oauth2DeviceCodeLifespan": "600", - "parRequestUriLifespan": "60", - "clientSessionMaxLifespan": "0", - "organizationsEnabled": "false", - "acr.loa.map": "{\"regular\":\"1\",\"advanced\":\"2\"}" - }, - "keycloakVersion": "25.0.0", - "userManagedAccessAllowed": false, - "organizationsEnabled": false, - "clientProfiles": { - "profiles": [] - }, - "clientPolicies": { - "policies": [] - } -} \ No newline at end of file diff --git a/deployments/examples/ocis_vault/config/ocis/banned-password-list.txt b/deployments/examples/ocis_vault/config/ocis/banned-password-list.txt deleted file mode 100644 index aff7475f220..00000000000 --- a/deployments/examples/ocis_vault/config/ocis/banned-password-list.txt +++ /dev/null @@ -1,5 +0,0 @@ -password -12345678 -123 -ownCloud -ownCloud-1 diff --git a/deployments/examples/ocis_vault/config/ocis/csp.yaml b/deployments/examples/ocis_vault/config/ocis/csp.yaml deleted file mode 100644 index 3bbcf892a47..00000000000 --- a/deployments/examples/ocis_vault/config/ocis/csp.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -directives: - child-src: - - '''self''' - connect-src: - - '''self''' - - 'blob:' - - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/' - # In contrary to bash and docker the default is given after the | character - - 'https://${KEYCLOAK_DOMAIN|keycloak.owncloud.test}/' - default-src: - - '''none''' - font-src: - - '''self''' - - 'data:' - frame-ancestors: - - '''none''' - frame-src: - - '''self''' - - 'blob:' - - 'https://embed.diagrams.net/' - img-src: - - '''self''' - - 'data:' - - 'blob:' - - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/' - manifest-src: - - '''self''' - media-src: - - '''self''' - object-src: - - '''self''' - - 'blob:' - script-src: - - '''self''' - - '''unsafe-inline''' - style-src: - - '''self''' - - '''unsafe-inline''' diff --git a/deployments/examples/ocis_vault/docker-compose.yml b/deployments/examples/ocis_vault/docker-compose.yml deleted file mode 100644 index 68318e40f24..00000000000 --- a/deployments/examples/ocis_vault/docker-compose.yml +++ /dev/null 
@@ -1,229 +0,0 @@
----
-version: "3.7"
-
-services:
- traefik:
- image: traefik:v2.9.1
- networks:
- ocis-net:
- aliases:
- - ${OCIS_DOMAIN:-ocis.owncloud.test}
- - ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
- command:
- - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
- # letsencrypt configuration
- - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
- - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
- - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
- # enable dashboard
- - "--api.dashboard=true"
- # define entrypoints
- - "--entryPoints.http.address=:80"
- - "--entryPoints.http.http.redirections.entryPoint.to=https"
- - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
- - "--entryPoints.https.address=:443"
- # docker provider (get configuration from container labels)
- - "--providers.docker.endpoint=unix:///var/run/docker.sock"
- - "--providers.docker.exposedByDefault=false"
- # access log
- - "--accessLog=true"
- - "--accessLog.format=json"
- - "--accessLog.fields.headers.names.X-Request-Id=keep"
- ports:
- - "80:80"
- - "443:443"
- volumes:
- - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
- - "certs:/certs"
- labels:
- - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
- - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
- - "traefik.http.routers.traefik.entrypoints=https"
- - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
- - "traefik.http.routers.traefik.middlewares=traefik-auth"
- - "traefik.http.routers.traefik.tls.certresolver=http"
- - "traefik.http.routers.traefik.service=api@internal"
- logging:
- driver: ${LOG_DRIVER:-local}
- restart: always
-
- ocis:
- image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
- networks:
- ocis-net:
- entrypoint:
- - /bin/sh
- # run ocis init to initialize a 
configuration file with random secrets
- # it will fail on subsequent runs, because the config file already exists
- # therefore we ignore the error and then start the ocis server
- command: [ "-c", "ocis init || true; exec ocis server" ]
- environment:
- # Keycloak IDP specific configuration
- PROXY_AUTOPROVISION_ACCOUNTS: "true"
- PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
- OCIS_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/realms/${KEYCLOAK_REALM:-oCIS}
- PROXY_OIDC_REWRITE_WELLKNOWN: "true"
- WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
- # general config
- OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
- OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
- OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
- PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
- PROXY_USER_OIDC_CLAIM: "preferred_username"
- PROXY_USER_CS3_CLAIM: "username"
- # INSECURE: needed if oCIS / Traefik is using self generated certificates
- OCIS_INSECURE: "${INSECURE:-false}"
- OCIS_ADMIN_USER_ID: ""
- OCIS_EXCLUDE_RUN_SERVICES: "idp"
- GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
- GRAPH_USERNAME_MATCH: "none"
- # password policies
- OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
- PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
- KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
- OCIS_MFA_ENABLED: ${OCIS_MFA_ENABLED:-false}
- WEB_OIDC_SCOPE: "openid profile email acr"
- # Vault: expose internal services so sidecar containers can reach them
- NATS_NATS_HOST: 0.0.0.0
- OCIS_GATEWAY_GRPC_ADDR: 0.0.0.0:9142
- # Vault: auto-create vault home space on first user login
- PROXY_CREATE_VAULT_HOME: "true"
- # Local web development: serve web assets from the host
- WEB_ASSET_CORE_PATH: /web/dist
- volumes:
- - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
- - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
- - ocis-config:/etc/ocis
- - ocis-data:/var/lib/ocis
- - /Users/mk/dev/kiteworks/web:/web
- labels:
- - 
"traefik.enable=true"
- - "traefik.http.routers.ocis.entrypoints=https"
- - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
- - "traefik.http.routers.ocis.tls.certresolver=http"
- - "traefik.http.routers.ocis.service=ocis"
- - "traefik.http.services.ocis.loadbalancer.server.port=9200"
- logging:
- driver: ${LOG_DRIVER:-local}
- restart: always
-
- graph-vault:
- image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
- networks:
- ocis-net:
- depends_on:
- ocis:
- condition: service_started
- command: ["graph", "server"]
- environment:
- OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
- OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
- GRAPH_ENABLE_VAULT_MODE: "true"
- OCIS_GATEWAY_GRPC_ADDR: ocis:9142
- GRAPH_HTTP_ADDR: 0.0.0.0:9125
- GRAPH_DEBUG_ADDR: 0.0.0.0:9126
- GRAPH_HTTP_ROOT: /vault/graph
- GRAPH_SERVICE_NAME: graph-vault
- MICRO_REGISTRY_ADDRESS: ocis:9233
- OCIS_EVENTS_ENDPOINT: ocis:9233
- OCIS_CACHE_STORE_NODES: ocis:9233
- GRAPH_SPACES_STORAGE_USERS_ADDRESS: com.owncloud.api.storage-users-vault
- OCIS_INSECURE: "${INSECURE:-false}"
- volumes:
- - ocis-data:/var/lib/ocis
- - ocis-config:/etc/ocis
- logging:
- driver: ${LOG_DRIVER:-local}
- restart: always
-
- storage-users-vault:
- image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
- networks:
- ocis-net:
- depends_on:
- ocis:
- condition: service_started
- command: ["storage-users", "server"]
- environment:
- OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
- OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
- OCIS_GATEWAY_GRPC_ADDR: ocis:9142
- STORAGE_USERS_ENABLE_VAULT_MODE: "true"
- STORAGE_USERS_SERVICE_NAME: storage-users-vault
- STORAGE_USERS_GRPC_ADDR: 0.0.0.0:9170
- STORAGE_USERS_HTTP_ADDR: 0.0.0.0:9168
- STORAGE_USERS_DATA_SERVER_URL: http://storage-users-vault:9168/data
- STORAGE_USERS_DEBUG_ADDR: 0.0.0.0:9169
- STORAGE_USERS_OCIS_ROOT: /var/lib/ocis/storage/users-vault
- STORAGE_USERS_EVENTS_CONSUMER_GROUP: vault-dcfs
- MICRO_REGISTRY_ADDRESS: ocis:9233
- 
OCIS_EVENTS_ENDPOINT: ocis:9233
- OCIS_CACHE_STORE_NODES: ocis:9233
- OCIS_INSECURE: "${INSECURE:-false}"
- volumes:
- - ocis-data:/var/lib/ocis
- - ocis-config:/etc/ocis
- logging:
- driver: ${LOG_DRIVER:-local}
- restart: always
-
- postgres:
- image: postgres:alpine
- networks:
- ocis-net:
- volumes:
- - keycloak_postgres_data:/var/lib/postgresql/data
- environment:
- POSTGRES_DB: keycloak
- POSTGRES_USER: keycloak
- POSTGRES_PASSWORD: keycloak
- logging:
- driver: ${LOG_DRIVER:-local}
- restart: always
-
- keycloak:
- image: quay.io/keycloak/keycloak:26.2.5
- networks:
- ocis-net:
- command: ["start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"]
- entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"]
- volumes:
- - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
- - "./config/keycloak/ocis-realm.dist.json:/opt/keycloak/data/import-dist/ocis-realm.json"
- environment:
- OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
- KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
- KC_DB: postgres
- KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
- KC_DB_USERNAME: keycloak
- KC_DB_PASSWORD: keycloak
- KC_FEATURES: impersonation,opentelemetry
- KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN_USER:-admin}
- KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
- # as replacement of --proxy=edge
- KC_PROXY_HEADERS: xforwarded
- KC_HTTP_ENABLED: true
- # tracing
- KC_TRACING_ENABLED: ${KEYCLOAK_TRACING:-false}
- KC_TRACING_ENDPOINT: http://jaeger:4317
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.keycloak.entrypoints=https"
- - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)"
- - "traefik.http.routers.keycloak.tls.certresolver=http"
- - "traefik.http.routers.keycloak.service=keycloak"
- - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
- depends_on:
- - postgres
- 
logging:
- driver: ${LOG_DRIVER:-local}
- restart: always
-
-volumes:
- certs:
- ocis-config:
- ocis-data:
- keycloak_postgres_data:
-
-networks:
- ocis-net:
From 7ade73d9f3f4e0797b01be1383708fc30d296206 Mon Sep 17 00:00:00 2001
From: Michal Klos
Date: Wed, 18 Mar 2026 09:31:25 +0100
Subject: [PATCH 09/11] feat: mfa for vault
---
.../examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json | 2 +-
deployments/examples/ocis_keycloak/vault.yml | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
index 63200a3ac07..0bae69707d9 100644
--- a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
+++ b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json
@@ -2277,7 +2277,7 @@
 "requirement": "REQUIRED",
 "priority": 1,
 "autheticatorFlow": false,
- "userSetupAllowed": false
+ "userSetupAllowed": true
 }
 ]
 },
diff --git a/deployments/examples/ocis_keycloak/vault.yml b/deployments/examples/ocis_keycloak/vault.yml
index 408e014518b..bcc7e299c1f 100644
--- a/deployments/examples/ocis_keycloak/vault.yml
+++ b/deployments/examples/ocis_keycloak/vault.yml
@@ -9,6 +9,8 @@ services:
 OCIS_GATEWAY_GRPC_ADDR: 0.0.0.0:9142
 # Vault: auto-create vault home space on first user login
 PROXY_CREATE_VAULT_HOME: "true"
+ # MFA: guard Admin Settings with step-up auth (LOA2)
+ # OCIS_MFA_ENABLED: "true"
 
 graph-vault:
 image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
From f0ffd13d82d6a7c4597b6d8bc59724497138d609 Mon Sep 17 00:00:00 2001
From: Michal Klos
Date: Wed, 18 Mar 2026 09:32:14 +0100
Subject: [PATCH 10/11] feat: health checks, when keycloak + traefik takes long to up (404)
---
.../examples/ocis_keycloak/docker-compose.yml | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
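Review bot: The `@@ -2277,7 +2277,7 @@` hunk shows only the `requirement`, `priority` and `autheticatorFlow` fields of the execution whose `userSetupAllowed` flips to `true`, not which authenticator it belongs to, and a realm JSON export cannot carry a comment, so the commit description ("mfa for vault") is the only place to record the intent. It should name the execution and spell out the consequence: if this is the second-factor execution, allowing user setup on a REQUIRED step means an account without a factor enrols one during its next password-only login, so that session is the enrolment path operators have to account for. The enclosing execution object opens and closes outside the hunk.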
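Review bot: The MFA switch in the `@@ -9,6 +9,8 @@` hunk is added commented out, so after this commit MFA stays off, and the base docker-compose.yml already reads `OCIS_MFA_ENABLED: ${OCIS_MFA_ENABLED:-false}` (visible as context in a later hunk of this series); a dead override in the vault overlay is easy to mistake for an active setting and invites the two files drifting apart. Replace the commented-out value with a pointer to the variable that actually drives it, e.g. `# MFA for Admin Settings (LOA2 step-up): set OCIS_MFA_ENABLED=true in .env; the base compose reads it`. The `services.ocis.environment` block this lands in starts outside the hunk.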
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index f9881577a3c..36461ab9cd5 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -109,6 +109,11 @@ services:
 POSTGRES_DB: keycloak
 POSTGRES_USER: keycloak
 POSTGRES_PASSWORD: keycloak
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U keycloak"]
+ interval: 5s
+ timeout: 5s
+ retries: 10
 logging:
 driver: ${LOG_DRIVER:-local}
 restart: always
@@ -138,6 +143,13 @@ services:
 # tracing
 KC_TRACING_ENABLED: ${KEYCLOAK_TRACING:-false}
 KC_TRACING_ENDPOINT: http://jaeger:4317
+ KC_HEALTH_ENABLED: "true"
+ healthcheck:
+ test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET /health/ready HTTP/1.0\\r\\n\\r\\n' >&3 && grep -q '\"status\": \"UP\"' <&3"]
+ interval: 10s
+ timeout: 5s
+ retries: 18
+ start_period: 30s
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.keycloak.entrypoints=https"
@@ -146,7 +158,8 @@ services:
 - "traefik.http.routers.keycloak.service=keycloak"
 - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
 depends_on:
- - postgres
+ postgres:
+ condition: service_healthy
 logging:
 driver: ${LOG_DRIVER:-local}
 restart: always
From f79b6a382f66d975dfe81dccae94fa07c65bb7f8 Mon Sep 17 00:00:00 2001
From: Michal Klos
Date: Thu, 19 Mar 2026 10:10:15 +0100
Subject: [PATCH 11/11] feat: local web dist
---
.../examples/ocis_keycloak/docker-compose.yml | 2 ++
deployments/examples/ocis_keycloak/vault.yml | 30 +------------------
2 files changed, 3 insertions(+), 29 deletions(-)
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index 36461ab9cd5..b8af057da3d 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
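Review bot: The keycloak healthcheck added in the `@@ -138,6 +143,13 @@` hunk is defined but, within this file section, nothing consumes it: the only `depends_on` change (`@@ -146,7 +158,8 @@`) makes keycloak wait for postgres, while the 404s named in the commit title come from ocis answering before keycloak is ready. Unless it is configured elsewhere in the file, the ocis service needs `depends_on: keycloak: condition: service_healthy` for the probe to have any effect. Two assumptions the probe bakes in deserve a comment beside it: `KC_HEALTH_ENABLED: "true"` turns on Keycloak's management listener on port 9000, which as far as these hunks show is not published and so stays inside the compose network, and `exec 3<>/dev/tcp/...` with `echo -e` is bash syntax run through `CMD-SHELL`, so it relies on `/bin/sh` in the Keycloak image being bash; e.g. `# bash /dev/tcp probe (image ships no curl); 9000 is the management port and is not published`.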
@@ -83,11 +83,13 @@ services:
 KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
 OCIS_MFA_ENABLED: ${OCIS_MFA_ENABLED:-false}
 WEB_OIDC_SCOPE: "openid profile email acr"
+ # WEB_ASSET_CORE_PATH: /web/dist # local web dist
 volumes:
 - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
 - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
 - ocis-config:/etc/ocis
 - ocis-data:/var/lib/ocis
+ # - /Users/mk/dev/kiteworks/web/dist:/web/dist # local web dist
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.ocis.entrypoints=https"
diff --git a/deployments/examples/ocis_keycloak/vault.yml b/deployments/examples/ocis_keycloak/vault.yml
index bcc7e299c1f..1d7ef0e5436 100644
--- a/deployments/examples/ocis_keycloak/vault.yml
+++ b/deployments/examples/ocis_keycloak/vault.yml
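Review bot: The commented-out bind mount `# - /Users/mk/dev/kiteworks/web/dist:/web/dist` hard-codes one developer's home directory and workspace name into a shared example deployment; even as a comment it is unusable by anyone else and leaks local layout into the repository. Express the host side through a variable with a neutral default (constructed example: `# - ${WEB_DIST_PATH:-./web/dist}:/web/dist # local web dist`) and tie it to the `# WEB_ASSET_CORE_PATH: /web/dist` line above so both are uncommented together. The `services.ocis` block this hunk edits starts and ends outside the hunk.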
@@ -9,38 +9,10 @@ services:
 OCIS_GATEWAY_GRPC_ADDR: 0.0.0.0:9142
 # Vault: auto-create vault home space on first user login
 PROXY_CREATE_VAULT_HOME: "true"
+ GRAPH_ENABLE_VAULT_MODE: "true"
 # MFA: guard Admin Settings with step-up auth (LOA2)
 # OCIS_MFA_ENABLED: "true"
 
- graph-vault:
- image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
- networks:
- ocis-net:
- depends_on:
- ocis:
- condition: service_started
- command: ["graph", "server"]
- environment:
- OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
- OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
- GRAPH_ENABLE_VAULT_MODE: "true"
- OCIS_GATEWAY_GRPC_ADDR: ocis:9142
- GRAPH_HTTP_ADDR: 0.0.0.0:9125
- GRAPH_DEBUG_ADDR: 0.0.0.0:9126
- GRAPH_HTTP_ROOT: /vault/graph
- GRAPH_SERVICE_NAME: graph-vault
- MICRO_REGISTRY_ADDRESS: ocis:9233
- OCIS_EVENTS_ENDPOINT: ocis:9233
- OCIS_CACHE_STORE_NODES: ocis:9233
- GRAPH_SPACES_STORAGE_USERS_ADDRESS: com.owncloud.api.storage-users-vault
- OCIS_INSECURE: "${INSECURE:-false}"
- volumes:
- - ocis-data:/var/lib/ocis
- - ocis-config:/etc/ocis
- logging:
- driver: ${LOG_DRIVER:-local}
- restart: always
-
 storage-users-vault:
 image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
 networks:
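Review bot: Folding `graph-vault` into the main `ocis` service drops `GRAPH_SPACES_STORAGE_USERS_ADDRESS: com.owncloud.api.storage-users-vault` along with the removed service, while `storage-users-vault` itself is kept (context lines at the end of the hunk); the new `GRAPH_ENABLE_VAULT_MODE: "true"` on `ocis` therefore has, as far as this hunk shows, no setting that points the vault-mode graph at the vault storage provider, so it would presumably fall back to the default storage-users unless that routing is configured elsewhere. If the dedicated provider is still meant to be used, re-add `GRAPH_SPACES_STORAGE_USERS_ADDRESS: com.owncloud.api.storage-users-vault` next to the new line; if it is intentionally no longer needed, a comment on the new line should say why, since the split deployment relied on it. Vault mode now also applies to the single in-process graph rather than to a separate instance served under `/vault/graph`, which is a behaviour change for the non-vault graph endpoints worth stating in the commit message. The `services.ocis.environment` block starts outside the hunk.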