diff --git a/examples/cernbox/cernbox.toml b/examples/cernbox/cernbox.toml
new file mode 100644
index 0000000000..a2091d0de1
--- /dev/null
+++ b/examples/cernbox/cernbox.toml
@@ -0,0 +1,407 @@
+## Example configuration to run a dockerized CERNBox for ScienceMesh tests
+#
+# The following variables are actualized by the scripts in tests/sciencemesh/scripts
+
+[vars]
+internal_gateway = "your.revad.org"
+provider_domain = "your.revad.org"
+external_reva_endpoint = "https://your.nginx.org" # append here any route if applicable
+wopi_endpoint = "http://your.wopi.org:8880"
+ocmshares_json_file = "/var/tmp/reva/shares_cernbox.json"
+machine_api_key = "machine-api-key"
+wopi_shared_secret = "shared-secret-2"
+
+[http]
+certfile = "/etc/tls/your.revad.ssl.crt"
+keyfile = "/etc/tls/your.revad.ssl.key"
+
+[log]
+level = "debug"
+
+[shared]
+gatewaysvc = "{{ vars.internal_gateway }}:19000"
+jwt_secret = "reva-secret"
+
+[grpc.services.gateway]
+address = ":19000"
+authregistrysvc = "{{ grpc.services.authregistry.address }}"
+appregistrysvc = "{{ grpc.services.appregistry.address }}"
+storageregistrysvc = "{{ grpc.services.storageregistry.address }}"
+preferencessvc = "{{ grpc.services.userprovider.address }}"
+userprovidersvc = "{{ grpc.services.userprovider.address }}"
+usershareprovidersvc = "{{ grpc.services.usershareprovider.address }}"
+publicshareprovidersvc = "{{ grpc.services.publicshareprovider.address }}"
+ocmcoresvc = "{{ grpc.services.ocmcore.address }}"
+ocmshareprovidersvc = "{{ grpc.services.ocmshareprovider.address }}"
+ocminvitemanagersvc = "{{ grpc.services.ocminvitemanager.address }}"
+ocmproviderauthorizersvc = "{{ grpc.services.ocmproviderauthorizer.address }}"
+datagateway = "https://{{ http.services.datagateway.address }}/data"
+
+transfer_expires = 6 # give it a moment
+commit_share_to_storage_grant = true
+commit_share_to_storage_ref = true
+
+
+### APPS ###
+
+[grpc.services.appregistry]
+driver = "static"
+
+[grpc.services.appregistry.drivers.static]
+mime_types = [
+ {"mime_type" = "text/plain", "extension" = "txt", "name" = "Text file", "description" = "Text file", "allow_creation" = true},
+ {"mime_type" = "text/markdown", "extension" = "md", "name" = "Markdown file", "description" = "Markdown file", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.text", "extension" = "odt", "name" = "OpenDocument", "description" = "OpenDocument text document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.spreadsheet", "extension" = "ods", "name" = "OpenSpreadsheet", "description" = "OpenDocument spreadsheet document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.presentation", "extension" = "odp", "name" = "OpenPresentation", "description" = "OpenDocument presentation document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.jupyter", "extension" = "ipynb", "name" = "Jupyter Notebook", "description" = "Jupyter Notebook"}
+]
+
+[[grpc.services.appprovider]]
+driver = "wopi"
+custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+mime_types = ["application/vnd.oasis.opendocument.text", "application/vnd.oasis.opendocument.spreadsheet", "application/vnd.oasis.opendocument.presentation", "text/rtf"]
+app_provider_url = "{{ grpc.services.appprovider[0].address }}"
+language = "en-GB"
+
+[grpc.services.appprovider.drivers.wopi]
+iop_secret = "{{ vars.wopi_shared_secret }}"
+wopi_url = "{{ vars.wopi_endpoint }}"
+app_name = "Collabora"
+app_url = "http://collabora.docker:9980"
+app_int_url = "http://collabora.docker:9980"
+
+
+# [[grpc.services.appprovider]]
+# driver = "wopi"
+# custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+# mime_types = ["text/markdown", "application/compressed-markdown", "text/plain"]
+# app_provider_url = "{{ grpc.services.appprovider[1].address }}"
+#
+# [grpc.services.appprovider.drivers.wopi]
+# iop_secret = "{{ vars.wopi_shared_secret }}"
+# wopi_url = "{{ vars.wopi_endpoint }}"
+# app_name = "CodiMD"
+# app_url = "https://codimd.docker"
+# app_int_url = "https://codimd.docker"
+
+
+### AUTH ###
+
+[grpc.services.authregistry]
+driver = "static"
+
+[grpc.services.authregistry.drivers.static.rules]
+basic = "{{ grpc.services.authprovider[0].address }}"
+bearer = "{{ grpc.services.authprovider[0].address }}"
+machine = "{{ grpc.services.authprovider[1].address }}"
+ocmshares = "{{ grpc.services.authprovider[2].address }}"
+
+[[grpc.services.authprovider]]
+auth_manager = "oidc"
+
+[grpc.services.authprovider.auth_managers.json]
+users = "/etc/revad/users.demo.json"
+
+[grpc.services.authprovider.auth_managers.oidc]
+issuer = "https://idp.docker:8443/realms/cernbox"
+uid_claim = "cern_uid"
+gid_claim = "cern_gid"
+gatewaysvc = "{{ vars.internal_gateway }}:19000"
+
+[[grpc.services.authprovider]]
+auth_manager = "machine"
+
+[grpc.services.authprovider.auth_managers.machine]
+api_key = "{{ vars.machine_api_key }}"
+gateway_addr = "{{ vars.internal_gateway }}:19000"
+
+[[grpc.services.authprovider]]
+auth_manager = "ocmshares"
+
+
+### STORAGE ###
+
+[grpc.services.storageregistry]
+driver = "static"
+
+[grpc.services.storageregistry.drivers.static]
+home_provider = "/"
+
+[grpc.services.storageregistry.drivers.static.rules]
+"/" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"localhome" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"/ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+"ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+"/sciencemesh" = { address = "{{ grpc.services.storageprovider[2].address }}" }
+"sciencemesh" = { address = "{{ grpc.services.storageprovider[2].address }}" }
+
+[[grpc.services.storageprovider]]
+driver = "localhome"
+mount_path = "/"
+mount_id = "localhome"
+expose_data_server = true
+data_server_url = "https://localhost:{{ http.services.dataprovider[0].address.port }}/data"
+enable_home_creation = true
+
+[grpc.services.storageprovider.drivers.localhome]
+user_layout = "{{.Username}}"
+
+[[grpc.services.storageprovider]]
+driver = "ocmoutcoming"
+mount_id = "ocm"
+mount_path = "/ocm"
+expose_data_server = true
+enable_home_creation = false
+data_server_url = "{{ vars.external_reva_endpoint }}/data"
+
+[grpc.services.storageprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+[[grpc.services.storageprovider]]
+driver = "ocmreceived"
+mount_path = "/sciencemesh"
+mount_id = "sciencemesh"
+expose_data_server = true
+# this must be accessible from the GUI, therefore the hostname will be replaced
+data_server_url = "https://your.revad.org:{{ http.services.dataprovider[2].address.port }}/data"
+
+
+### OTHER PROVIDERS ###
+
+[grpc.services.usershareprovider]
+driver = "memory"
+
+[grpc.services.publicshareprovider]
+driver = "memory"
+
+[grpc.services.preferences]
+
+[grpc.services.ocmcore]
+driver = "json"
+
+[grpc.services.ocmcore.drivers.json]
+# Note that ocmcore and ocmshareprovider should use the same file for storing the shares.
+file = "{{ vars.ocmshares_json_file }}"
+
+[grpc.services.ocminvitemanager]
+driver = "json"
+provider_domain = "{{ vars.provider_domain }}"
+
+[grpc.services.ocmshareprovider]
+driver = "json"
+provider_domain = "{{ vars.provider_domain }}"
+webdav_endpoint = "{{ vars.external_reva_endpoint }}"
+webdav_prefix = "{{ vars.external_reva_endpoint }}/remote.php/dav/files"
+webapp_template = "{{ vars.external_reva_endpoint }}/external/sciencemesh/{{.Token}}/{relative-path-to-shared-resource}"
+
+[grpc.services.ocmshareprovider.drivers.json]
+file = "{{ vars.ocmshares_json_file }}"
+
+[grpc.services.ocmproviderauthorizer]
+driver = "json"
+
+[grpc.services.ocmproviderauthorizer.drivers.json]
+# this is used by the docker-based test deployment, not in production
+providers = "/etc/revad/providers.testnet.json"
+verify_request_hostname = true
+
+[grpc.services.userprovider]
+driver = "json"
+
+[grpc.services.userprovider.drivers.json]
+users = "/etc/revad/users.demo.json"
+
+[grpc.services.datatx]
+txdriver = "rclone"
+storagedriver = "json"
+remove_transfer_on_cancel = true
+
+[grpc.services.datatx.txdrivers.rclone]
+# rclone endpoint
+endpoint = "http://rclone.docker"
+# basic auth is used
+auth_user = "rcloneuser"
+auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"
+auth_header = "x-access-token"
+job_status_check_interval = 2000
+job_timeout = 120000
+storagedriver = "json"
+remove_transfer_job_on_cancel = true
+
+[grpc.services.datatx.storagedrivers.json]
+file = ""
+
+[grpc.services.datatx.txdrivers.rclone.storagedrivers.json]
+file = ""
+
+
+### HTTP ENDPOINTS ###
+
+[http.middlewares.auth]
+credential_chain = ["publicshares", "basic", "bearer"]
+token_strategy_chain = ["bearer", "header"]
+
+[http.middlewares.auth.credentials_by_user_agent]
+"mirall" = "basic"
+
+[http.services.appprovider]
+address = ":443"
+
+[http.services.datagateway]
+address = ":443"
+
+[[http.services.dataprovider]]
+driver = "localhome"
+
+[http.services.dataprovider.drivers.localhome]
+user_layout = "{{.Username}}"
+
+[[http.services.dataprovider]]
+address = ":443"
+driver = "ocmoutcoming"
+
+[http.services.dataprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+[[http.services.dataprovider]]
+driver = "ocmreceived"
+
+[http.services.sciencemesh]
+address = ":443"
+provider_domain = "{{ vars.provider_domain }}"
+mesh_directory_url = "https:/meshdir.docker/meshdir"
+ocm_mount_point = "/sciencemesh"
+
+[http.services.sciencemesh.smtp_credentials]
+disable_auth = true
+sender_mail = "sciencemesh@{{ vars.provider_domain }}"
+smtp_server = "smtp.{{ vars.provider_domain }}"
+smtp_port = 25
+
+[http.services.ocmprovider]
+address = ":443"
+ocm_prefix = "ocm"
+provider = "Reva for CERNBox"
+endpoint = "{{ vars.external_reva_endpoint }}"
+enable_webapp = true
+enable_datatx = true
+
+[http.services.ocm]
+address = ":443"
+prefix = "ocm"
+
+[http.services.ocm.config]
+host = "{{ vars.provider_domain }}"
+
+# OCS
+[http.services.ocs]
+address = ":443"
+prefix = "ocs"
+share_prefix = "/"
+home_namespace = "/"
+additional_info_attribute = "{{.Username}} ({{.Mail}})"
+cache_warmup_driver = "first-request"
+resource_info_cache_ttl = 60
+resource_info_cache_type = "memory"
+
+[http.services.ocs.config]
+version = "1.8"
+website = "reva"
+host = "https://localhost"
+contact = "cernbox@cernbox.org"
+ssl = "false"
+
+[http.services.ocs.capabilities.capabilities.core]
+poll_interval = 60
+webdav_root = "remote.php/webdav"
+status = { installed = true, maintenance = false, nwwsaDbUpgrade = false, version = "10.0.11.5", versionstring = "10.0.11", edition = "community", productname = "reva", hostname = "" }
+support_url_signing = false
+
+[http.services.ocs.capabilities.capabilities.checksums]
+supported_types = ["sha1", "md5", "adler32"]
+
+[http.services.ocs.capabilities.capabilities.files]
+private_links = false
+bigfilechunking = false
+blacklisted_files = []
+undelete = true
+versioning = true
+archivers = [
+ { enabled = true, version = "2.0.0", formats = [
+ "tar",
+ "zip",
+ ], archiver_url = "/archiver", max_num_files = "10000", max_size = "1073741824" },
+]
+favorites = true
+
+[http.services.ocs.capabilities.capabilities.dav]
+
+[http.services.ocs.capabilities.capabilities.files_sharing]
+api_enabled = true
+resharing = true
+deny_access = true
+resharing_default = false
+group_sharing = true
+auto_accept_share = true
+share_with_group_members_only = true
+share_with_membership_groups_only = true
+default_permissions = 22
+search_min_length = 3
+
+[http.services.ocs.capabilities.capabilities.files_sharing.public]
+enabled = true
+send_mail = true
+social_share = true
+upload = true
+multiple = true
+supports_upload_only = true
+password = { enforced = false, enforced_for = { read_only = false, read_write = false, upload_only = false } }
+expire_date = { enabled = true }
+can_edit = true
+can_contribute = false
+
+[http.services.ocs.capabilities.capabilities.files_sharing.user]
+send_mail = true
+profile_picture = false
+settings = [{ enabled = true, version = "1.0.0" }]
+
+[http.services.ocs.capabilities.capabilities.files_sharing.user_enumeration]
+enabled = true
+group_members_only = true
+
+[http.services.ocs.capabilities.capabilities.files_sharing.federation]
+outgoing = true
+incoming = true
+
+[http.services.ocs.capabilities.capabilities.spaces]
+enabled = false
+projects = true
+
+[http.services.ocs.capabilities.version]
+edition = "reva"
+major = 10
+minor = 0
+micro = 11
+string = "10.0.11"
+
+[http.services.ocdav]
+address = ":443"
+insecure = true
+
+[http.services.prometheus]
+address = ":443"
+
+[http.services.sysinfo]
+
+#[http.services.ui]
+#address = ":443"
+
+[http.middlewares.cors]
+allowed_origins = ["*"]
+allowed_methods = ["OPTIONS", "LOCK", "GET", "HEAD", "POST", "DELETE", "PROPPATCH", "COPY", "MOVE", "UNLOCK", "PROPFIND", "MKCOL", "REPORT", "SEARCH", "PUT"]
+allowed_headers = ["Accept", "Accept-Language", "Authorization", "Content-Language", "Content-Type", "Depth", "OCS-APIREQUEST", "Referer", "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform", "User-Agent", "X-Requested-With"]
+debug = true
+exposed_headers = []
+
+[http.middlewares.log]
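Review bot: `auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"` under `[grpc.services.datatx.txdrivers.rclone]` commits a literal credential, whereas the other secrets in this file (`machine_api_key`, `wopi_shared_secret`) go through `[vars]` so the scripts in tests/sciencemesh/scripts can actualize them; `jwt_secret = "reva-secret"` under `[shared]` has the same shape. Routing it the same way, e.g. `rclone_auth_pass = "..."` in `[vars]` and `auth_pass = "{{ vars.rclone_auth_pass }}"` here, gives one place to rotate and makes the test-only nature explicit. Separately, `mesh_directory_url = "https:/meshdir.docker/meshdir"` in `[http.services.sciencemesh]` is missing a slash in the scheme and should read `mesh_directory_url = "https://meshdir.docker/meshdir"`. The wildcard `allowed_origins = ["*"]` in `[http.middlewares.cors]` combined with `Authorization` in `allowed_headers` is presumably fine for the dockerized test, but a line above it such as `# test deployment only: wildcard origin must not be copied to production` would keep the example from being reused verbatim.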
diff --git a/examples/cernbox/keycloak/cernbox.json b/examples/cernbox/keycloak/cernbox.json
new file mode 100644
index 0000000000..c7fd64f6a8
--- /dev/null
+++ b/examples/cernbox/keycloak/cernbox.json
@@ -0,0 +1,2366 @@
+{
+ "users": [
+ {
+ "id": "einstein",
+ "username": "einstein",
+ "enabled": true,
+ "email": "einstein@cern.ch",
+ "emailVerified": true,
+ "firstName": "Albert",
+ "lastName": "Einstein",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "relativity"
+ }
+ ],
+ "realmRoles": [
+ "user"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ }
+ },
+ {
+ "id": "marie",
+ "username": "marie",
+ "enabled": true,
+ "email": "marie@cern.ch",
+ "emailVerified": true,
+ "firstName": "Marie",
+ "lastName": "Curie",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "radioactivity"
+ }
+ ],
+ "realmRoles": [
+ "user"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ }
+ },
+ {
+ "id": "richard",
+ "username": "richard",
+ "enabled": true,
+ "email": "richard@cern.ch",
+ "emailVerified": true,
+ "firstName": "Richard",
+ "lastName": "Feynman",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "superfluidity"
+ }
+ ],
+ "realmRoles": [
+ "user"
+ ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ }
+ }
+ ],
+ "id": "d5f44848-3fec-4333-bcc5-2e69b96a7652",
+ "realm": "cernbox",
+ "displayName": "Keycloak",
+ "displayNameHtml": "
Keycloak
",
+ "notBefore": 0,
+ "defaultSignatureAlgorithm": "RS256",
+ "revokeRefreshToken": false,
+ "refreshTokenMaxReuse": 0,
+ "accessTokenLifespan": 60,
+ "accessTokenLifespanForImplicitFlow": 900,
+ "ssoSessionIdleTimeout": 1800,
+ "ssoSessionMaxLifespan": 36000,
+ "ssoSessionIdleTimeoutRememberMe": 0,
+ "ssoSessionMaxLifespanRememberMe": 0,
+ "offlineSessionIdleTimeout": 2592000,
+ "offlineSessionMaxLifespanEnabled": false,
+ "offlineSessionMaxLifespan": 5184000,
+ "clientSessionIdleTimeout": 0,
+ "clientSessionMaxLifespan": 0,
+ "clientOfflineSessionIdleTimeout": 0,
+ "clientOfflineSessionMaxLifespan": 0,
+ "accessCodeLifespan": 60,
+ "accessCodeLifespanUserAction": 300,
+ "accessCodeLifespanLogin": 1800,
+ "actionTokenGeneratedByAdminLifespan": 43200,
+ "actionTokenGeneratedByUserLifespan": 300,
+ "oauth2DeviceCodeLifespan": 600,
+ "oauth2DevicePollingInterval": 5,
+ "enabled": true,
+ "sslRequired": "external",
+ "registrationAllowed": false,
+ "registrationEmailAsUsername": false,
+ "rememberMe": false,
+ "verifyEmail": false,
+ "loginWithEmailAllowed": true,
+ "duplicateEmailsAllowed": false,
+ "resetPasswordAllowed": false,
+ "editUsernameAllowed": false,
+ "bruteForceProtected": false,
+ "permanentLockout": false,
+ "maxFailureWaitSeconds": 900,
+ "minimumQuickLoginWaitSeconds": 60,
+ "waitIncrementSeconds": 60,
+ "quickLoginCheckMilliSeconds": 1000,
+ "maxDeltaTimeSeconds": 43200,
+ "failureFactor": 30,
+ "roles": {
+ "realm": [
+ {
+ "id": "1dd251c9-5c68-413f-8035-34e0336922c6",
+ "name": "offline_access",
+ "description": "${role_offline-access}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651",
+ "attributes": {}
+ },
+ {
+ "id": "e7ace27c-cfc7-4f34-8df8-bd32e0da15ce",
+ "name": "create-realm",
+ "description": "${role_create-realm}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651",
+ "attributes": {}
+ },
+ {
+ "id": "4985b709-d1cd-4583-b733-71f51c9566d2",
+ "name": "default-roles-cernbox",
+ "description": "${role_default-roles}",
+ "composite": true,
+ "composites": {
+ "realm": [
+ "offline_access",
+ "uma_authorization"
+ ],
+ "client": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ }
+ },
+ "clientRole": false,
+ "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651",
+ "attributes": {}
+ },
+ {
+ "id": "abf70cc8-2287-44d5-be0e-0307ff3c0b40",
+ "name": "admin",
+ "description": "${role_admin}",
+ "composite": true,
+ "composites": {
+ "realm": [
+ "create-realm"
+ ],
+ "client": {
+ "cernbox-realm": [
+ "view-authorization",
+ "query-groups",
+ "view-clients",
+ "view-identity-providers",
+ "view-realm",
+ "manage-authorization",
+ "manage-identity-providers",
+ "impersonation",
+ "query-users",
+ "query-realms",
+ "view-users",
+ "view-events",
+ "manage-users",
+ "manage-clients",
+ "manage-realm",
+ "create-client",
+ "query-clients",
+ "manage-events"
+ ]
+ }
+ },
+ "clientRole": false,
+ "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651",
+ "attributes": {}
+ },
+ {
+ "id": "b2efa3fd-321d-47ae-a1c6-5efb5f0973f7",
+ "name": "uma_authorization",
+ "description": "${role_uma_authorization}",
+ "composite": false,
+ "clientRole": false,
+ "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651",
+ "attributes": {}
+ }
+ ],
+ "client": {
+ "cernbox-oidc": [],
+ "security-admin-console": [],
+ "admin-cli": [],
+ "account-console": [],
+ "broker": [
+ {
+ "id": "cac7cb03-5144-41f1-bba8-70b51b34905c",
+ "name": "read-token",
+ "description": "${role_read-token}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "e1bb70a9-5439-48ca-b8d6-ef27a3b6f624",
+ "attributes": {}
+ }
+ ],
+ "cernbox-realm": [
+ {
+ "id": "efaa23b3-3208-4346-92f9-49d36b714be0",
+ "name": "query-groups",
+ "description": "${role_query-groups}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "19fa9af2-cd74-4889-9241-ccad973264de",
+ "name": "view-authorization",
+ "description": "${role_view-authorization}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "b7514426-db73-47a8-9a99-9a93821cca24",
+ "name": "view-clients",
+ "description": "${role_view-clients}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "cernbox-realm": [
+ "query-clients"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "1d65b3fc-4845-48a8-a00b-a11b5665e87c",
+ "name": "view-identity-providers",
+ "description": "${role_view-identity-providers}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "2427f9b7-2d1e-4ca4-b1d8-bcd878346016",
+ "name": "manage-authorization",
+ "description": "${role_manage-authorization}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "0b2f3aff-9562-4dc7-8b34-d0ad592307c3",
+ "name": "view-realm",
+ "description": "${role_view-realm}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "31d61639-2493-4fa5-a8e5-6222a0204cb0",
+ "name": "manage-identity-providers",
+ "description": "${role_manage-identity-providers}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "7a3514c1-1fdf-40a7-8b26-3bfd78d13d8f",
+ "name": "impersonation",
+ "description": "${role_impersonation}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "fd468050-a5f7-4da9-b476-d701e228c1ba",
+ "name": "query-realms",
+ "description": "${role_query-realms}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "9776694a-3e2d-481b-83f9-8b8468ef5cba",
+ "name": "query-users",
+ "description": "${role_query-users}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "8c752cb9-e159-473d-8bd9-3db4b578204c",
+ "name": "view-users",
+ "description": "${role_view-users}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "cernbox-realm": [
+ "query-groups",
+ "query-users"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "0226e0da-1a5f-4671-aa3f-ea628ac6840b",
+ "name": "view-events",
+ "description": "${role_view-events}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "720bdf01-f1eb-4f7d-a2f1-674b8fba8ae5",
+ "name": "manage-users",
+ "description": "${role_manage-users}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "9bc4aaf1-1db4-4125-be4d-3ea9fdfdcddc",
+ "name": "manage-clients",
+ "description": "${role_manage-clients}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "75e4d613-14b5-413b-b5ed-7323658d7237",
+ "name": "manage-realm",
+ "description": "${role_manage-realm}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "2a3cc632-ed73-42de-a876-ed8a9d67927e",
+ "name": "create-client",
+ "description": "${role_create-client}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "afc7679e-a9d4-4deb-9a32-8b19060385c0",
+ "name": "query-clients",
+ "description": "${role_query-clients}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ },
+ {
+ "id": "90b2fe49-3132-42b3-99a4-be0350d68f12",
+ "name": "manage-events",
+ "description": "${role_manage-events}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "attributes": {}
+ }
+ ],
+ "account": [
+ {
+ "id": "381fbd9e-352d-472a-88b3-b8dc1e593ed7",
+ "name": "view-profile",
+ "description": "${role_view-profile}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ },
+ {
+ "id": "4fe6afe5-239c-4749-ad96-d607126aa370",
+ "name": "view-groups",
+ "description": "${role_view-groups}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ },
+ {
+ "id": "0e82842e-091b-485a-b0b8-2f6679c29bda",
+ "name": "view-applications",
+ "description": "${role_view-applications}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ },
+ {
+ "id": "467762f3-ef88-483d-8c03-3f7880b22400",
+ "name": "view-consent",
+ "description": "${role_view-consent}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ },
+ {
+ "id": "9fea9466-3e06-4970-80e5-9f7afbd1eb80",
+ "name": "manage-account-links",
+ "description": "${role_manage-account-links}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ },
+ {
+ "id": "873fd72b-e3f0-4825-a2d2-c88c362bb102",
+ "name": "delete-account",
+ "description": "${role_delete-account}",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ },
+ {
+ "id": "2f726de0-782b-4678-ab2e-c40d27a74968",
+ "name": "manage-consent",
+ "description": "${role_manage-consent}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "account": [
+ "view-consent"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ },
+ {
+ "id": "99141aca-0e6e-4e5a-97c1-5d255bece148",
+ "name": "manage-account",
+ "description": "${role_manage-account}",
+ "composite": true,
+ "composites": {
+ "client": {
+ "account": [
+ "manage-account-links"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "attributes": {}
+ }
+ ]
+ }
+ },
+ "groups": [
+ {
+ "id": "21b3d522-c35f-42da-9b35-8396c081fe13",
+ "name": "philosophy-haters",
+ "path": "/philosophy-haters",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "a3ee97a0-52ee-4dbc-9f9b-7c0f4851ad9e",
+ "name": "physics-lovers",
+ "path": "/physics-lovers",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "9d992aa0-be4c-4abc-9076-7493eec5cd5d",
+ "name": "polonium-lovers",
+ "path": "/polonium-lovers",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "3807793f-1d9b-4e79-ac30-0787127529e3",
+ "name": "quantum-lovers",
+ "path": "/quantum-lovers",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "9753c519-3a2e-4ae2-9114-eb00b3609709",
+ "name": "radium-lovers",
+ "path": "/radium-lovers",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "dce7f132-2fce-4958-9b51-c7b493133bec",
+ "name": "sailing-lovers",
+ "path": "/sailing-lovers",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ },
+ {
+ "id": "9f434513-d831-481f-9870-5d5504a795be",
+ "name": "violin-haters",
+ "path": "/violin-haters",
+ "attributes": {},
+ "realmRoles": [],
+ "clientRoles": {},
+ "subGroups": []
+ }
+ ],
+ "defaultRole": {
+ "id": "4985b709-d1cd-4583-b733-71f51c9566d2",
+ "name": "default-roles-cernbox",
+ "description": "${role_default-roles}",
+ "composite": true,
+ "clientRole": false,
+ "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651"
+ },
+ "requiredCredentials": [
+ "password"
+ ],
+ "otpPolicyType": "totp",
+ "otpPolicyAlgorithm": "HmacSHA1",
+ "otpPolicyInitialCounter": 0,
+ "otpPolicyDigits": 6,
+ "otpPolicyLookAheadWindow": 1,
+ "otpPolicyPeriod": 30,
+ "otpPolicyCodeReusable": false,
+ "otpSupportedApplications": [
+ "totpAppMicrosoftAuthenticatorName",
+ "totpAppFreeOTPName",
+ "totpAppGoogleName"
+ ],
+ "webAuthnPolicyRpEntityName": "keycloak",
+ "webAuthnPolicySignatureAlgorithms": [
+ "ES256"
+ ],
+ "webAuthnPolicyRpId": "",
+ "webAuthnPolicyAttestationConveyancePreference": "not specified",
+ "webAuthnPolicyAuthenticatorAttachment": "not specified",
+ "webAuthnPolicyRequireResidentKey": "not specified",
+ "webAuthnPolicyUserVerificationRequirement": "not specified",
+ "webAuthnPolicyCreateTimeout": 0,
+ "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
+ "webAuthnPolicyAcceptableAaguids": [],
+ "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
+ "webAuthnPolicyPasswordlessSignatureAlgorithms": [
+ "ES256"
+ ],
+ "webAuthnPolicyPasswordlessRpId": "",
+ "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
+ "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
+ "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+ "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
+ "webAuthnPolicyPasswordlessCreateTimeout": 0,
+ "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
+ "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+ "scopeMappings": [
+ {
+ "clientScope": "offline_access",
+ "roles": [
+ "offline_access"
+ ]
+ }
+ ],
+ "clientScopeMappings": {
+ "account": [
+ {
+ "client": "account-console",
+ "roles": [
+ "manage-account",
+ "view-groups"
+ ]
+ }
+ ]
+ },
+ "clients": [
+ {
+ "id": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5",
+ "clientId": "account",
+ "name": "${client_account}",
+ "rootUrl": "${authBaseUrl}",
+ "baseUrl": "/realms/cernbox/account/",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "/realms/cernbox/account/*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "post.logout.redirect.uris": "+"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "b2a1c6b7-014c-4c58-be28-4cd1575fd919",
+ "clientId": "account-console",
+ "name": "${client_account-console}",
+ "rootUrl": "${authBaseUrl}",
+ "baseUrl": "/realms/cernbox/account/",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "/realms/cernbox/account/*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "post.logout.redirect.uris": "+",
+ "pkce.code.challenge.method": "S256"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "protocolMappers": [
+ {
+ "id": "d71aeba9-ff27-44de-97d8-47cdded9bf61",
+ "name": "audience resolve",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-resolve-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "026086ee-7521-4554-ab3e-c00d6a280373",
+ "clientId": "admin-cli",
+ "name": "${client_admin-cli}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": false,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "e1bb70a9-5439-48ca-b8d6-ef27a3b6f624",
+ "clientId": "broker",
+ "name": "${client_broker}",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": true,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "acd215fa-56d6-4617-a55a-8eb8b98af4cb",
+ "clientId": "cernbox-oidc",
+ "name": "cernbox-oidc",
+ "description": "",
+ "rootUrl": "",
+ "adminUrl": "",
+ "baseUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "https://cernbox1.docker/*",
+ "https://cernbox2.docker/*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": true,
+ "protocol": "openid-connect",
+ "attributes": {
+ "oidc.ciba.grant.enabled": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "display.on.consent.screen": "false",
+ "backchannel.logout.session.required": "true",
+ "backchannel.logout.revoke.offline.tokens": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "5a911287-7ef9-43c3-9eea-401a137c83b8",
+ "clientId": "cernbox-realm",
+ "name": "cernbox Realm",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": true,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "attributes": {},
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ },
+ {
+ "id": "2299ba69-8859-4d59-b8ba-60d384b614d8",
+ "clientId": "security-admin-console",
+ "name": "${client_security-admin-console}",
+ "rootUrl": "${authAdminUrl}",
+ "baseUrl": "/admin/cernbox/console/",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "/admin/cernbox/console/*"
+ ],
+ "webOrigins": [
+ "*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "post.logout.redirect.uris": "+",
+ "pkce.code.challenge.method": "S256"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": 0,
+ "protocolMappers": [
+ {
+ "id": "64cf2e6f-7ae8-415e-bc2a-22e15b3b8845",
+ "name": "locale",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "locale",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "locale",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "profile",
+ "roles",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ]
+ }
+ ],
+ "clientScopes": [
+ {
+ "id": "f5343f9d-c533-4a6b-b7cf-b243f3387212",
+ "name": "microprofile-jwt",
+ "description": "Microprofile - JWT built-in scope",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "false"
+ },
+ "protocolMappers": [
+ {
+ "id": "881c1d36-008a-4961-9986-61f99e49e4e7",
+ "name": "groups",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "user.attribute": "foo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "ffe50a2d-8a86-4b7b-94b2-a1482894f6f1",
+ "name": "upn",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "upn",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "0ac8f26d-382c-4d35-b63a-a06b90642a6c",
+ "name": "profile",
+ "description": "OpenID Connect built-in scope: profile",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${profileScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "d61366bf-6d3c-440b-9d15-d146ee97d278",
+ "name": "middle name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "middleName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "middle_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "953283ab-f632-4cca-b71e-c68456e37e69",
+ "name": "website",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "website",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "website",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "8ffcb8e2-d342-4434-8cfa-066629984272",
+ "name": "zoneinfo",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "zoneinfo",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "zoneinfo",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "49e5f7e1-614a-4ac8-b59c-7e7ca4be8c75",
+ "name": "full name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-full-name-mapper",
+ "consentRequired": false,
+ "config": {
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true"
+ }
+ },
+ {
+ "id": "3377051b-b951-4120-a577-e9c8371dfe53",
+ "name": "birthdate",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "birthdate",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "birthdate",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d89e8483-bdd2-4074-8f09-a30ae5297492",
+ "name": "profile",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "profile",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "profile",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "526a9d58-b944-4607-883c-cb853e7bf0d4",
+ "name": "username",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "username",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "preferred_username",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "4db59ddf-4955-4aca-854a-83fea782de39",
+ "name": "picture",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "picture",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "picture",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "2d4f9809-38ad-4e88-b6d5-6990417b17e3",
+ "name": "nickname",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "nickname",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "nickname",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "869c9612-3fba-4618-80ba-b166bfa2df31",
+ "name": "gender",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "gender",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "gender",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "3c9425f1-edf1-4daa-b78f-e925aa4a6e5f",
+ "name": "given name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "firstName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "given_name",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "d97c24af-3dbd-453f-aa41-d0ee4ffced63",
+ "name": "locale",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "locale",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "locale",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "id": "284f7309-06e7-4a9f-8974-a0695418e3bc",
+ "name": "updated at",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "updatedAt",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "updated_at",
+ "jsonType.label": "long"
+ }
+ },
+ {
+ "id": "053b3b02-3c69-490d-9382-be565e3cc6a0",
+ "name": "family name",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "lastName",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "family_name",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "02b6c73f-cc0b-416f-9c7f-c99fd68f7ce4",
+ "name": "phone",
+ "description": "OpenID Connect built-in scope: phone",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${phoneScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "57dfff04-f55d-4e47-96d1-482f61f7d439",
+ "name": "phone number verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumberVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number_verified",
+ "jsonType.label": "boolean"
+ }
+ },
+ {
+ "id": "51c7f33d-1b01-4be6-96a5-7544e55a5cd1",
+ "name": "phone number",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "phoneNumber",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "phone_number",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "f7fed9dc-6317-44e6-9b5d-56c0fa13a287",
+ "name": "web-origins",
+ "description": "OpenID Connect scope for add allowed web origins to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "false",
+ "consent.screen.text": ""
+ },
+ "protocolMappers": [
+ {
+ "id": "b7eb5197-7719-4b8e-a5ab-6a362b5a2d24",
+ "name": "allowed web origins",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-allowed-origins-mapper",
+ "consentRequired": false,
+ "config": {}
+ }
+ ]
+ },
+ {
+ "id": "d498fcee-d13b-4bba-85c3-c95f2acddf02",
+ "name": "email",
+ "description": "OpenID Connect built-in scope: email",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${emailScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "1fbd2ac9-3d32-4095-b366-e75cd7aaaf76",
+ "name": "email verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "emailVerified",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email_verified",
+ "jsonType.label": "boolean"
+ }
+ },
+ {
+ "id": "ff61a997-a211-4978-9212-5c27b886582e",
+ "name": "email",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-property-mapper",
+ "consentRequired": false,
+ "config": {
+ "userinfo.token.claim": "true",
+ "user.attribute": "email",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "email",
+ "jsonType.label": "String"
+ }
+ }
+ ]
+ },
+ {
+ "id": "c79cedd3-a3ee-4f8a-96d7-81e514e8cbe9",
+ "name": "address",
+ "description": "OpenID Connect built-in scope: address",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${addressScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "6a2e64d1-d27e-4663-9d5e-ac0d78a3c5ea",
+ "name": "address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-address-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute.formatted": "formatted",
+ "user.attribute.country": "country",
+ "user.attribute.postal_code": "postal_code",
+ "userinfo.token.claim": "true",
+ "user.attribute.street": "street",
+ "id.token.claim": "true",
+ "user.attribute.region": "region",
+ "access.token.claim": "true",
+ "user.attribute.locality": "locality"
+ }
+ }
+ ]
+ },
+ {
+ "id": "71c4630e-b700-4874-a6d5-16c58a59853a",
+ "name": "roles",
+ "description": "OpenID Connect scope for add user roles to the access token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "true",
+ "consent.screen.text": "${rolesScopeConsentText}"
+ },
+ "protocolMappers": [
+ {
+ "id": "3e22efbe-796f-4956-87a8-7472fd49bfa3",
+ "name": "client roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "resource_access.${client_id}.roles",
+ "jsonType.label": "String",
+ "multivalued": "true"
+ }
+ },
+ {
+ "id": "a1884484-24d0-46b6-9040-ec38c2ec5571",
+ "name": "audience resolve",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-resolve-mapper",
+ "consentRequired": false,
+ "config": {}
+ },
+ {
+ "id": "0d05297b-71e5-4185-b81a-7c95f2c0eb3b",
+ "name": "realm roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-realm-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute": "foo",
+ "access.token.claim": "true",
+ "claim.name": "realm_access.roles",
+ "jsonType.label": "String",
+ "multivalued": "true"
+ }
+ }
+ ]
+ },
+ {
+ "id": "d3f84c0a-6962-4d49-ae88-a7f2a41aaed4",
+ "name": "role_list",
+ "description": "SAML role list",
+ "protocol": "saml",
+ "attributes": {
+ "consent.screen.text": "${samlRoleListScopeConsentText}",
+ "display.on.consent.screen": "true"
+ },
+ "protocolMappers": [
+ {
+ "id": "679fda99-b976-4c81-adc3-2cd1c687c59e",
+ "name": "role list",
+ "protocol": "saml",
+ "protocolMapper": "saml-role-list-mapper",
+ "consentRequired": false,
+ "config": {
+ "single": "false",
+ "attribute.nameformat": "Basic",
+ "attribute.name": "Role"
+ }
+ }
+ ]
+ },
+ {
+ "id": "603e8df0-3016-410b-9816-abb32d0e3071",
+ "name": "offline_access",
+ "description": "OpenID Connect built-in scope: offline_access",
+ "protocol": "openid-connect",
+ "attributes": {
+ "consent.screen.text": "${offlineAccessScopeConsentText}",
+ "display.on.consent.screen": "true"
+ }
+ },
+ {
+ "id": "4e34e7a6-ae0e-47b0-b3c5-02a608306dd2",
+ "name": "acr",
+ "description": "OpenID Connect scope for add acr (authentication context class reference) to the token",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "false"
+ },
+ "protocolMappers": [
+ {
+ "id": "53e7d18c-7aae-4516-b1c8-89f91b7b86a7",
+ "name": "acr loa level",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-acr-mapper",
+ "consentRequired": false,
+ "config": {
+ "id.token.claim": "true",
+ "access.token.claim": "true"
+ }
+ }
+ ]
+ }
+ ],
+ "defaultDefaultClientScopes": [
+ "role_list",
+ "profile",
+ "email",
+ "roles",
+ "web-origins",
+ "acr"
+ ],
+ "defaultOptionalClientScopes": [
+ "offline_access",
+ "address",
+ "phone",
+ "microprofile-jwt"
+ ],
+ "browserSecurityHeaders": {
+ "contentSecurityPolicyReportOnly": "",
+ "xContentTypeOptions": "nosniff",
+ "xRobotsTag": "none",
+ "xFrameOptions": "SAMEORIGIN",
+ "xXSSProtection": "1; mode=block",
+ "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+ "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+ },
+ "smtpServer": {},
+ "eventsEnabled": false,
+ "eventsListeners": [
+ "jboss-logging"
+ ],
+ "enabledEventTypes": [],
+ "adminEventsEnabled": false,
+ "adminEventsDetailsEnabled": false,
+ "identityProviders": [],
+ "identityProviderMappers": [],
+ "components": {
+ "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
+ {
+ "id": "47d66138-4145-480c-875d-363b5bc31838",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "oidc-full-name-mapper",
+ "saml-role-list-mapper",
+ "oidc-usermodel-attribute-mapper",
+ "saml-user-attribute-mapper",
+ "saml-user-property-mapper",
+ "oidc-usermodel-property-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "oidc-address-mapper"
+ ]
+ }
+ },
+ {
+ "id": "96d7ddd5-fe73-4217-a753-a4e202a8adb7",
+ "name": "Full Scope Disabled",
+ "providerId": "scope",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ },
+ {
+ "id": "a74b31e3-b126-4fc5-8825-96debd1f2471",
+ "name": "Consent Required",
+ "providerId": "consent-required",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {}
+ },
+ {
+ "id": "82f1d154-61a3-4b6a-b1f3-811a2e86aa85",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "b262c386-dc0f-42cd-aefb-72d0c34a24dc",
+ "name": "Allowed Client Scopes",
+ "providerId": "allowed-client-templates",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allow-default-scopes": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "da1c03ae-7796-476b-b80b-76be91c5cd77",
+ "name": "Max Clients Limit",
+ "providerId": "max-clients",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "max-clients": [
+ "200"
+ ]
+ }
+ },
+ {
+ "id": "26eec102-eae6-463c-91e3-7333c627394c",
+ "name": "Trusted Hosts",
+ "providerId": "trusted-hosts",
+ "subType": "anonymous",
+ "subComponents": {},
+ "config": {
+ "host-sending-registration-request-must-match": [
+ "true"
+ ],
+ "client-uris-must-match": [
+ "true"
+ ]
+ }
+ },
+ {
+ "id": "648e6fc9-8363-4a1d-9f0a-d67a13c9edc9",
+ "name": "Allowed Protocol Mapper Types",
+ "providerId": "allowed-protocol-mappers",
+ "subType": "authenticated",
+ "subComponents": {},
+ "config": {
+ "allowed-protocol-mapper-types": [
+ "saml-user-attribute-mapper",
+ "oidc-full-name-mapper",
+ "oidc-address-mapper",
+ "saml-role-list-mapper",
+ "oidc-usermodel-property-mapper",
+ "saml-user-property-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "oidc-usermodel-attribute-mapper"
+ ]
+ }
+ }
+ ],
+ "org.keycloak.keys.KeyProvider": [
+ {
+ "id": "cc8a50f7-176a-4776-9201-5050dc802f0e",
+ "name": "rsa-generated",
+ "providerId": "rsa-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ]
+ }
+ },
+ {
+ "id": "ce297a71-1c56-4b0f-87c0-8818c2977e2a",
+ "name": "hmac-generated",
+ "providerId": "hmac-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ],
+ "algorithm": [
+ "HS256"
+ ]
+ }
+ },
+ {
+ "id": "85ce5401-1789-4e98-a14b-06ba935be78b",
+ "name": "aes-generated",
+ "providerId": "aes-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ]
+ }
+ },
+ {
+ "id": "c99a1812-0f86-4120-8538-4c53f7be670f",
+ "name": "rsa-enc-generated",
+ "providerId": "rsa-enc-generated",
+ "subComponents": {},
+ "config": {
+ "priority": [
+ "100"
+ ],
+ "algorithm": [
+ "RSA-OAEP"
+ ]
+ }
+ }
+ ]
+ },
+ "internationalizationEnabled": false,
+ "supportedLocales": [],
+ "authenticationFlows": [
+ {
+ "id": "4d4d9b4d-a081-4008-ad19-b81e3a8a9ab6",
+ "alias": "Account verification options",
+ "description": "Method with which to verity the existing account",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-email-verification",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Verify Existing Account by Re-authentication",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "03928ec0-305d-4bba-a832-156a37250460",
+ "alias": "Authentication Options",
+ "description": "Authentication options.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "basic-auth",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "basic-auth-otp",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 30,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "a94107c0-ae9e-4459-9b54-bdee3e5a2b2b",
+ "alias": "Browser - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "356c5010-27d7-4c7a-a055-3880d3dc41fd",
+ "alias": "Direct Grant - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "direct-grant-validate-otp",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "b6d4fff4-9930-4030-95ce-09f5f18f6846",
+ "alias": "First broker login - Conditional OTP",
+ "description": "Flow to determine if the OTP is required for the authentication",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-otp-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "2c021c56-981a-4b35-945f-20e15305ef0a",
+ "alias": "Handle Existing Account",
+ "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-confirm-link",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Account verification options",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "28d90136-9d52-41d4-b6a5-c410879516d7",
+ "alias": "Reset - Conditional OTP",
+ "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "conditional-user-configured",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "reset-otp",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "ed8520ee-e733-40ad-8ad0-f66b803a85a6",
+ "alias": "User creation or linking",
+ "description": "Flow for the existing/non-existing user alternatives",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticatorConfig": "create unique user config",
+ "authenticator": "idp-create-user-if-unique",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Handle Existing Account",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "beb2fdfe-e8ad-4fe7-b0a3-1cbc7cd232e5",
+ "alias": "Verify Existing Account by Re-authentication",
+ "description": "Reauthentication of existing account",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "idp-username-password-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "First broker login - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "3583e59f-8e55-41fa-8eb2-61dffa918f69",
+ "alias": "browser",
+ "description": "browser based authentication",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-cookie",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "auth-spnego",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "identity-provider-redirector",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 25,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "autheticatorFlow": true,
+ "flowAlias": "forms",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "da4eaa2e-2f57-4f3b-bf87-8bdeb25e6cc8",
+ "alias": "clients",
+ "description": "Base authentication for clients",
+ "providerId": "client-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "client-secret",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "client-jwt",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "client-secret-jwt",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 30,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "client-x509",
+ "authenticatorFlow": false,
+ "requirement": "ALTERNATIVE",
+ "priority": 40,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "61da9559-fcc0-411b-862c-1ecff20403a0",
+ "alias": "direct grant",
+ "description": "OpenID Connect Resource Owner Grant",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "direct-grant-validate-username",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "direct-grant-validate-password",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 30,
+ "autheticatorFlow": true,
+ "flowAlias": "Direct Grant - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "75f9bd37-f7fb-44d2-a3c7-ee022e31080d",
+ "alias": "docker auth",
+ "description": "Used by Docker clients to authenticate against the IDP",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "docker-http-basic-authenticator",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "0daeca0e-d7dc-40b9-8116-83307bf06c06",
+ "alias": "first broker login",
+ "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticatorConfig": "review profile config",
+ "authenticator": "idp-review-profile",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "User creation or linking",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "fad12cb4-3a42-4cad-b589-3ff705ae41c0",
+ "alias": "forms",
+ "description": "Username, password, otp and other auth forms.",
+ "providerId": "basic-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "auth-username-password-form",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Browser - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "6674479a-9f99-430c-a774-6b44e36f45b1",
+ "alias": "http challenge",
+ "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "no-cookie-redirect",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": true,
+ "flowAlias": "Authentication Options",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "fa0fc72c-92eb-42f2-942a-0e687b9ad184",
+ "alias": "registration",
+ "description": "registration flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-page-form",
+ "authenticatorFlow": true,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": true,
+ "flowAlias": "registration form",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "b07a2cd8-d159-449c-b239-5b077e075d6e",
+ "alias": "registration form",
+ "description": "registration form",
+ "providerId": "form-flow",
+ "topLevel": false,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "registration-user-creation",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "registration-profile-action",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 40,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "registration-password-action",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 50,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "registration-recaptcha-action",
+ "authenticatorFlow": false,
+ "requirement": "DISABLED",
+ "priority": 60,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "711099a9-985d-4978-a45c-88f03ac0097a",
+ "alias": "reset credentials",
+ "description": "Reset credentials for a user if they forgot their password or something",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "reset-credentials-choose-user",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "reset-credential-email",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 20,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticator": "reset-password",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 30,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ },
+ {
+ "authenticatorFlow": true,
+ "requirement": "CONDITIONAL",
+ "priority": 40,
+ "autheticatorFlow": true,
+ "flowAlias": "Reset - Conditional OTP",
+ "userSetupAllowed": false
+ }
+ ]
+ },
+ {
+ "id": "13954e50-cc94-48d8-a181-7e0aa8f4b105",
+ "alias": "saml ecp",
+ "description": "SAML ECP Profile Authentication Flow",
+ "providerId": "basic-flow",
+ "topLevel": true,
+ "builtIn": true,
+ "authenticationExecutions": [
+ {
+ "authenticator": "http-basic-authenticator",
+ "authenticatorFlow": false,
+ "requirement": "REQUIRED",
+ "priority": 10,
+ "autheticatorFlow": false,
+ "userSetupAllowed": false
+ }
+ ]
+ }
+ ],
+ "authenticatorConfig": [
+ {
+ "id": "88978291-3ecf-4139-a7e7-589bcce17e8d",
+ "alias": "create unique user config",
+ "config": {
+ "require.password.update.after.registration": "false"
+ }
+ },
+ {
+ "id": "785a91df-7692-43f1-9dd6-6bfcb0375e69",
+ "alias": "review profile config",
+ "config": {
+ "update.profile.on.first.login": "missing"
+ }
+ }
+ ],
+ "requiredActions": [
+ {
+ "alias": "CONFIGURE_TOTP",
+ "name": "Configure OTP",
+ "providerId": "CONFIGURE_TOTP",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 10,
+ "config": {}
+ },
+ {
+ "alias": "TERMS_AND_CONDITIONS",
+ "name": "Terms and Conditions",
+ "providerId": "TERMS_AND_CONDITIONS",
+ "enabled": false,
+ "defaultAction": false,
+ "priority": 20,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PASSWORD",
+ "name": "Update Password",
+ "providerId": "UPDATE_PASSWORD",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 30,
+ "config": {}
+ },
+ {
+ "alias": "UPDATE_PROFILE",
+ "name": "Update Profile",
+ "providerId": "UPDATE_PROFILE",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 40,
+ "config": {}
+ },
+ {
+ "alias": "VERIFY_EMAIL",
+ "name": "Verify Email",
+ "providerId": "VERIFY_EMAIL",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 50,
+ "config": {}
+ },
+ {
+ "alias": "delete_account",
+ "name": "Delete Account",
+ "providerId": "delete_account",
+ "enabled": false,
+ "defaultAction": false,
+ "priority": 60,
+ "config": {}
+ },
+ {
+ "alias": "webauthn-register",
+ "name": "Webauthn Register",
+ "providerId": "webauthn-register",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 70,
+ "config": {}
+ },
+ {
+ "alias": "webauthn-register-passwordless",
+ "name": "Webauthn Register Passwordless",
+ "providerId": "webauthn-register-passwordless",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 80,
+ "config": {}
+ },
+ {
+ "alias": "update_user_locale",
+ "name": "Update User Locale",
+ "providerId": "update_user_locale",
+ "enabled": true,
+ "defaultAction": false,
+ "priority": 1000,
+ "config": {}
+ }
+ ],
+ "browserFlow": "browser",
+ "registrationFlow": "registration",
+ "directGrantFlow": "direct grant",
+ "resetCredentialsFlow": "reset credentials",
+ "clientAuthenticationFlow": "clients",
+ "dockerAuthenticationFlow": "docker auth",
+ "attributes": {
+ "cibaBackchannelTokenDeliveryMode": "poll",
+ "cibaExpiresIn": "120",
+ "cibaAuthRequestedUserHint": "login_hint",
+ "parRequestUriLifespan": "60",
+ "cibaInterval": "5",
+ "realmReusableOtpCode": "false"
+ },
+ "keycloakVersion": "21.1.1",
+ "userManagedAccessAllowed": false,
+ "clientProfiles": {
+ "profiles": []
+ },
+ "clientPolicies": {
+ "policies": []
+ }
+}
diff --git a/examples/cernbox/nginx/mime.types b/examples/cernbox/nginx/mime.types
new file mode 100644
index 0000000000..0908f64c42
--- /dev/null
+++ b/examples/cernbox/nginx/mime.types
@@ -0,0 +1,96 @@
+ types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js mjs;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ font/woff woff;
+ font/woff2 woff2;
+
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.oasis.opendocument.graphics odg;
+ application/vnd.oasis.opendocument.presentation odp;
+ application/vnd.oasis.opendocument.spreadsheet ods;
+ application/vnd.oasis.opendocument.text odt;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation
+ pptx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ xlsx;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ docx;
+ application/vnd.wap.wmlc wmlc;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/examples/cernbox/nginx/nginx.conf b/examples/cernbox/nginx/nginx.conf
new file mode 100644
index 0000000000..7d82347969
--- /dev/null
+++ b/examples/cernbox/nginx/nginx.conf
@@ -0,0 +1,167 @@
+
+user nginx;
+worker_processes auto;
+
+pid /var/run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ map $status $loggable {
+ ~^[23] 0;
+ default 1;
+ }
+
+ access_log /var/log/nginx/access.log combined if=$loggable;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ client_max_body_size 8G;
+ #gzip on;
+
+ # avoid nginx buffering all the payload, only available in > 1.7
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ upstream revad {
+ server your.revad.org:443;
+ }
+
+ server {
+ listen 80;
+ server_name localhost;
+ return 301 https://$host$request_uri;
+ }
+
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.20.1&config=intermediate&openssl=1.0.2k&guideline=5.6
+ server {
+ listen 443 ssl http2;
+ server_name localhost;
+
+ ssl_certificate your.cert.pem;
+ ssl_certificate_key your.key.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ proxy_connect_timeout 1200;
+ proxy_send_timeout 1200;
+ proxy_read_timeout 1200;
+ send_timeout 1200;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location ^~ /data {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ~ /s/[^/]*/download {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /ocs/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /dav/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /webdav/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /remote.php/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /preferences {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /otg {
+ return 204;
+ }
+
+ location ^~ /app/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /ocm/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/sciencemesh/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /ocm-provider {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /status.php {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(js|css|icons|fonts|assets)/ {
+ root /var/www/web;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ etag off;
+ gzip_static on;
+ }
+
+ location ^~ /cernbox {
+ root /var/www;
+ add_header Cache-Control "no-cache";
+ add_header Access-Control-Allow-Origin "https://idp.docker:8443" always;
+ etag off;
+ gzip_static on;
+ }
+
+ location / {
+ root /var/www/web;
+ add_header Cache-Control "no-cache";
+ add_header Access-Control-Allow-Origin "https://idp.docker:8443" always;
+ etag off;
+ gzip_static on;
+ try_files $uri /index.html;
+ }
+
+# location / {
+# proxy_pass https://revad/ui;
+# proxy_set_header Host $host;
+# }
+ }
+}
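Review bot: The `map $status $loggable` block combined with `access_log ... if=$loggable` drops every 2xx/3xx request from the access log, so successful uploads, downloads and OCM exchanges leave no record for incident investigation and only failures are logged. If log volume is the concern, a narrower filter keeps the audit trail: drop the `map`, log unconditionally, and put `access_log off;` inside the `location ^~ /otg` and static-asset locations instead. Separately, `log_format main` is defined but the `access_log` line uses the built-in `combined` format, so `main` is dead and should either be used or removed. The TLS server block cites the Mozilla intermediate profile but omits its `ssl_session_tickets off;` and `add_header Strict-Transport-Security "max-age=63072000" always;` lines, which are worth adding now that the port-80 server already redirects everything to HTTPS.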
diff --git a/examples/cernbox/users.demo.json b/examples/cernbox/users.demo.json
new file mode 100644
index 0000000000..8452f49a08
--- /dev/null
+++ b/examples/cernbox/users.demo.json
@@ -0,0 +1,80 @@
+[
+ {
+ "id": {
+ "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "idp": "cernbox",
+ "type": 1
+ },
+ "username": "einstein",
+ "secret": "relativity",
+ "mail": "einstein@cern.ch",
+ "display_name": "Albert Einstein",
+ "groups": ["sailing-lovers", "violin-haters", "physics-lovers"],
+ "opaque": {
+ "map": {
+ "gid": {
+ "_comment": "decodes to 987",
+ "decoder":"plain",
+ "value":"OTg3"
+ },
+ "uid":{
+ "_comment": "decodes to 123",
+ "decoder":"plain",
+ "value":"MTIz"
+ }
+ }
+ }
+ },
+ {
+ "id": {
+ "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
+ "idp": "cernbox",
+ "type": 1
+ },
+ "username": "marie",
+ "secret": "radioactivity",
+ "mail": "marie@cern.ch",
+ "display_name": "Marie Curie",
+ "groups": ["radium-lovers", "polonium-lovers", "physics-lovers"],
+ "opaque": {
+ "map": {
+ "gid": {
+ "_comment": "decodes to 987",
+ "decoder":"plain",
+ "value":"OTg3"
+ },
+ "uid":{
+ "_comment": "decodes to 456",
+ "decoder":"plain",
+ "value":"NDU2"
+ }
+ }
+ }
+ },
+ {
+ "id": {
+ "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
+ "idp": "cernbox",
+ "type": 1
+ },
+ "username": "richard",
+ "secret": "superfluidity",
+ "mail": "richard@cern.ch",
+ "display_name": "Richard Feynman",
+ "groups": ["quantum-lovers", "philosophy-haters", "physics-lovers"],
+ "opaque": {
+ "map": {
+ "gid": {
+ "_comment": "decodes to 135",
+ "decoder":"plain",
+ "value":"MTM1"
+ },
+ "uid":{
+ "_comment": "decodes to 246",
+ "decoder":"plain",
+ "value":"MjQ2"
+ }
+ }
+ }
+ }
+]
diff --git a/examples/cernbox/web.json b/examples/cernbox/web.json
new file mode 100644
index 0000000000..d712acca60
--- /dev/null
+++ b/examples/cernbox/web.json
@@ -0,0 +1,73 @@
+{
+ "server": "https://your.nginx.org",
+ "theme": "https://your.nginx.org/cernbox/theme-cernbox-0.2.0/theme.json",
+ "version": "0.0.0",
+ "openIdConnect": {
+ "metadata_url": "https://idp.docker:8443/realms/cernbox/.well-known/openid-configuration",
+ "authority": "https://idp.docker:8443/realms/cernbox",
+ "client_id": "cernbox-oidc",
+ "response_type": "code",
+ "scope": "openid profile email"
+ },
+ "options": {
+ "contextHelpers": true,
+ "enableAdvancedTable": true,
+ "cernFeatures": true,
+ "hoverableQuickActions": true,
+ "disableFeedbackLink": true,
+ "homeFolder": "/{{.Id}}",
+ "previewFileMimeTypes" : [
+ "image/gif",
+ "image/png",
+ "image/jpeg"
+ ],
+ "openAppsInTab": true,
+ "editor": {
+ "autosaveEnabled": true,
+ "autosaveInterval": 120
+ },
+ "breadcrumbItemMaxLength": 30,
+ "routing": {
+ "idBased": false
+ },
+ "upload": {
+ "xhr": {
+ "timeout": 3600000
+ }
+ }
+ },
+ "apps": [
+ "files",
+ "search",
+ "preview",
+ "external",
+ "pdf-viewer",
+ "sciencemesh-app"
+ ],
+ "external_apps": [
+ {
+ "id": "jupyter",
+ "path": "/cernbox/jupyter-2.0.0/main.js"
+ },
+ {
+ "id": "rootjs",
+ "path": "/cernbox/rootjs-2.0.0/main.js"
+ },
+ {
+ "id": "ifc-js",
+ "path": "/cernbox/ifc-js-2.0.2/main.js"
+ },
+ {
+ "id": "top-bar",
+ "path": "/cernbox/top-bar-1.0.0/main.js"
+ },
+ {
+ "id": "text-editor",
+ "path": "web-app-text-editor",
+ "config": {
+ "primaryExtensions": ["txt"],
+ "extraExtensions": ["htm", "html", "css", "js", "ts", "php", "yml", "toml", "qml", "pl", "pm", "sh", "tcsh", "zsh", "conf", "ini", "inf", "make", "cmake", "mk", "in"]
+ }
+ }
+ ]
+}
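Review bot: `server` and `theme` use the `your.nginx.org` placeholder that the test scripts substitute, but `openIdConnect.metadata_url` and `authority` hard-code `idp.docker:8443`, so the same file is half templated and half pinned to one test host. If the IdP host is deployment-specific too, it should use a placeholder of the same kind (e.g. `https://your.idp.org/realms/cernbox`) so a single substitution step produces a consistent config; if it is intentionally fixed to the docker test IdP, that is worth stating in the example's accompanying documentation, since JSON offers no place for a comment here.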
diff --git a/examples/sciencemesh/custom-mime-types-demo.json b/examples/sciencemesh/custom-mime-types-demo.json
new file mode 100644
index 0000000000..390947ec09
--- /dev/null
+++ b/examples/sciencemesh/custom-mime-types-demo.json
@@ -0,0 +1,3 @@
+{
+ ".zmd": "application/compressed-markdown"
+}
diff --git a/examples/sciencemesh/metrics.json b/examples/sciencemesh/metrics.json
new file mode 100644
index 0000000000..da85d866d9
--- /dev/null
+++ b/examples/sciencemesh/metrics.json
@@ -0,0 +1,5 @@
+{
+ "cs3_org_sciencemesh_site_total_num_users": 0,
+ "cs3_org_sciencemesh_site_total_num_groups": 0,
+ "cs3_org_sciencemesh_site_total_amount_storage": 0
+}
\ No newline at end of file
diff --git a/examples/sciencemesh/providers.testnet.json b/examples/sciencemesh/providers.testnet.json
new file mode 100644
index 0000000000..1960fdd63c
--- /dev/null
+++ b/examples/sciencemesh/providers.testnet.json
@@ -0,0 +1,34 @@
+[
+ { "domain": "revad1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revad1.docker/ocm/" }, "host": "revad1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://revad1.docker/remote.php/webdav/" }, "host": "revad1.docker" }
+ ] },
+ { "domain": "revad2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revad2.docker/ocm/" }, "host": "revad2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://revad2.docker/remote.php/webdav/" }, "host": "revad2.docker" }
+ ] },
+ { "domain": "revanextcloud1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revanextcloud1.docker/ocm/" }, "host": "revanextcloud1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://nc1.docker/remote.php/webdav/" }, "host": "nextcloud1.docker" }
+ ] },
+ { "domain": "revanextcloud2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revanextcloud2.docker/ocm/" }, "host": "revanextcloud2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://nc2.docker/remote.php/webdav/" }, "host": "nextcloud2.docker" }
+ ] },
+ { "domain": "revaowncloud1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revaowncloud1.docker/ocm/" }, "host": "revaowncloud1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://owncloud1.docker/remote.php/webdav/" }, "host": "owncloud1.docker" }
+ ] },
+ { "domain": "revaowncloud2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revaowncloud2.docker/ocm/" }, "host": "revaowncloud2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://owncloud2.docker/remote.php/dav/" }, "host": "owncloud2.docker" }
+ ] },
+ { "domain": "revacernbox1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revacernbox1.docker/ocm/" }, "host": "revacernbox1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://cernbox1.docker/remote.php/dav/" }, "host": "cernbox1.docker" }
+ ] },
+ { "domain": "revacernbox2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revacernbox2.docker/ocm/" }, "host": "revacernbox2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://cernbox2.docker/remote.php/dav/" }, "host": "cernbox2.docker" }
+ ] }
+]
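Review bot: The Webdav entries are inconsistent with each other and with their own `host` fields: for `revanextcloud1.docker` the `path` targets `https://nc1.docker/...` while `host` is `nextcloud1.docker` (likewise `nc2.docker` vs `nextcloud2.docker`), and `owncloud1.docker` uses `/remote.php/webdav/` whereas `owncloud2.docker`, `cernbox1.docker` and `cernbox2.docker` use `/remote.php/dav/`. If these differences are intentional (for instance the two ownCloud containers running different versions), the accompanying documentation should say so; otherwise one member of each pair is likely a typo that will only surface as a failed share at test time. A consumer that matches `host` against the URL in `path` would reject the two Nextcloud entries outright, so it is worth confirming which value is authoritative.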
diff --git a/examples/sciencemesh/sciencemesh-apps.toml b/examples/sciencemesh/sciencemesh-apps.toml
new file mode 100644
index 0000000000..00bef3e888
--- /dev/null
+++ b/examples/sciencemesh/sciencemesh-apps.toml
@@ -0,0 +1,49 @@
+## Example configuration for the ScienceMesh app in ownCloud 10 / Nextcloud - Apps support
+#
+## This configuration file is to be used to enable Apps support in ScienceMesh.
+## To contextualize this configuration for your deployment, please follow these steps:
+#
+# 1. In the [vars] section below, replace `your.revad.org` with your actual domain
+# 2. Populate `wopi_endpoint` with your wopiserver endpoint
+# 3. Define a shared secret, and match it with the secret defined in the wopiserver
+
+
+[vars]
+internal_gateway = "your.revad.org"
+provider_domain = "your.revad.org"
+wopi_endpoint = "http://your.wopi.org:8880"
+wopi_shared_secret = "shared-secret-2"
+
+[log]
+level = "debug"
+
+[shared]
+gatewaysvc = "{{ vars.provider_domain }}:19000"
+
+[[grpc.services.appprovider]]
+driver = "wopi"
+custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+mime_types = ["application/vnd.oasis.opendocument.text", "application/vnd.oasis.opendocument.spreadsheet", "application/vnd.oasis.opendocument.presentation", "text/rtf"]
+app_provider_url = "{{ grpc.services.appprovider[0].address }}"
+language = "en-GB"
+
+[grpc.services.appprovider.drivers.wopi]
+iop_secret = "{{ vars.wopi_shared_secret }}"
+wopi_url = "{{ vars.wopi_endpoint }}"
+app_name = "Collabora"
+app_url = "http://collabora.docker:9980"
+app_int_url = "http://collabora.docker:9980"
+
+
+# [[grpc.services.appprovider]]
+# driver = "wopi"
+# custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+# mime_types = ["text/markdown", "application/compressed-markdown", "text/plain"]
+# app_provider_url = "{{ grpc.services.appprovider[1].address }}"
+#
+# [grpc.services.appprovider.drivers.wopi]
+# iop_secret = "{{ vars.wopi_shared_secret }}"
+# wopi_url = "{{ vars.wopi_endpoint }}"
+# app_name = "CodiMD"
+# app_url = "https://codimd.docker"
+# app_int_url = "https://codimd.docker"
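Review bot: `gatewaysvc` in `[shared]` is built from `vars.provider_domain`, while `vars.internal_gateway` is declared in `[vars]` but never referenced in this file; sciencemesh.toml in the same commit builds `gatewaysvc` from `internal_gateway`. If the two variables are meant to differ (an internal gRPC address versus the externally visible domain), this file should follow the same pattern, `gatewaysvc = "{{ vars.internal_gateway }}:19000"`; otherwise drop the unused variable so operators following step 1 of the header do not edit a value that has no effect. The header steps also cover the wopiserver secret but say nothing about `app_url`/`app_int_url` pointing at a plain-http Collabora endpoint; a comment such as `# plain http is only appropriate on the isolated test network; use https for any shared deployment` above `app_url` would make the intent explicit.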
diff --git a/examples/sciencemesh/sciencemesh.toml b/examples/sciencemesh/sciencemesh.toml
new file mode 100644
index 0000000000..c39ee95d6a
--- /dev/null
+++ b/examples/sciencemesh/sciencemesh.toml
@@ -0,0 +1,290 @@
+## Example configuration for the ScienceMesh app in ownCloud 10 / Nextcloud
+#
+## To contextualize this configuration for your deployment, please follow these steps:
+#
+# 1. In the [vars] section below, replace `your.revad.org` with your actual domain
+# 2. If you have a Kubernetes deployment with an ingress and a route:
+# 2.1. Set the `external_reva_endpoint` var to your actual externally-visible route to reva
+# 3. Replace `your.efss.org` with the actual endpoint of your EFSS system
+# 4. Define appropriate secrets in the [vars] section: the `efss_shared_secret` must match the `oc_appconfig.configvalue` in your EFSS DB for `oc_appconfig.app_id` = `sciencemesh`
+# 5. Provide appropriate SSL full chain certificate and key files in the [http] section
+#
+# If you want to terminate the SSL connection to reva at your reverse proxy system
+# (e.g. at your Kubernetes ingress), then you can configure reva to use http instead.
+# For that, you need to follow these steps:
+#
+# 1. Remove the `certfile` and `keyfile` entries from the [http] section
+# 2. Replace the https port `443` with a port number of your choice everywhere you find it
+# 3. Look for `data_server_url` and replace the `https://localhost` address as indicated
+
+
+[vars]
+internal_gateway = "your.revad.org"
+provider_domain = "your.revad.org"
+external_reva_endpoint = "https://your.revad.org" # append here any route if applicable
+efss_sciencemesh_endpoint = "https://your.efss.org/index.php/apps/sciencemesh/"
+machine_api_key = "machine-api-key"
+efss_shared_secret = "shared-secret-1"
+
+[http]
+certfile = "/etc/tls/your.revad.ssl.crt"
+keyfile = "/etc/tls/your.revad.ssl.key"
+
+[log]
+level = "debug"
+
+[shared]
+gatewaysvc = "{{ vars.internal_gateway }}:19000"
+
+[grpc.services.gateway]
+address = ":19000"
+authregistrysvc = "{{ grpc.services.authregistry.address }}"
+appregistrysvc = "{{ grpc.services.appregistry.address }}"
+storageregistrysvc = "{{ grpc.services.storageregistry.address }}"
+preferencessvc = "{{ grpc.services.userprovider.address }}"
+userprovidersvc = "{{ grpc.services.userprovider.address }}"
+usershareprovidersvc = "{{ grpc.services.usershareprovider.address }}"
+ocmcoresvc = "{{ grpc.services.ocmcore.address }}"
+ocmshareprovidersvc = "{{ grpc.services.ocmshareprovider.address }}"
+ocminvitemanagersvc = "{{ grpc.services.ocminvitemanager.address }}"
+ocmproviderauthorizersvc = "{{ grpc.services.ocmproviderauthorizer.address }}"
+datagateway = "https://{{ http.services.datagateway.address }}/data"
+
+transfer_expires = 6 # give it a moment
+commit_share_to_storage_grant = true
+commit_share_to_storage_ref = true
+
+
+[grpc.services.appregistry]
+driver = "static"
+
+[grpc.services.appregistry.drivers.static]
+mime_types = [
+ {"mime_type" = "text/plain", "extension" = "txt", "name" = "Text file", "description" = "Text file", "allow_creation" = true},
+ {"mime_type" = "text/markdown", "extension" = "md", "name" = "Markdown file", "description" = "Markdown file", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.text", "extension" = "odt", "name" = "OpenDocument", "description" = "OpenDocument text document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.spreadsheet", "extension" = "ods", "name" = "OpenSpreadsheet", "description" = "OpenDocument spreadsheet document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.presentation", "extension" = "odp", "name" = "OpenPresentation", "description" = "OpenDocument presentation document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.jupyter", "extension" = "ipynb", "name" = "Jupyter Notebook", "description" = "Jupyter Notebook"}
+]
+
+
+### AUTH PROVIDERS ###
+
+[grpc.services.authregistry]
+driver = "static"
+
+[grpc.services.authregistry.drivers.static.rules]
+basic = "{{ grpc.services.authprovider[0].address }}"
+machine = "{{ grpc.services.authprovider[1].address }}"
+ocmshares = "{{ grpc.services.authprovider[2].address }}"
+
+[[grpc.services.authprovider]]
+auth_manager = "nextcloud"
+
+[grpc.services.authprovider.auth_managers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[[grpc.services.authprovider]]
+auth_manager = "machine"
+
+[grpc.services.authprovider.auth_managers.machine]
+api_key = "{{ vars.machine_api_key }}"
+gateway_addr = "{{ vars.internal_gateway }}:19000"
+
+[[grpc.services.authprovider]]
+auth_manager = "ocmshares"
+
+
+### STORAGE PROVIDERS ###
+
+[grpc.services.storageregistry]
+driver = "static"
+
+[grpc.services.storageregistry.drivers.static]
+home_provider = "/home"
+
+[grpc.services.storageregistry.drivers.static.rules]
+"/home" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"nextcloud" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"/ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+"ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+
+[[grpc.services.storageprovider]]
+driver = "nextcloud"
+mount_id = "nextcloud"
+expose_data_server = true
+enable_home_creation = false
+# replace https://localhost with http://localhost if reva does not serve https traffic
+data_server_url = "https://localhost:{{ http.services.dataprovider[0].address.port }}/data"
+
+[grpc.services.storageprovider.drivers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[[grpc.services.storageprovider]]
+driver = "ocmoutcoming"
+mount_id = "ocm"
+mount_path = "/ocm"
+expose_data_server = true
+enable_home_creation = false
+data_server_url = "{{ vars.external_reva_endpoint }}/data"
+
+[grpc.services.storageprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+
+### OTHER PROVIDERS ###
+
+[grpc.services.usershareprovider]
+driver = "memory"
+
+[grpc.services.ocmcore]
+driver = "nextcloud"
+
+[grpc.services.ocmcore.drivers.nextcloud]
+host = "{{ vars.external_reva_endpoint }}"
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[grpc.services.ocminvitemanager]
+# TODO the driver should be "nextcloud" once it is implemented
+driver = "json"
+provider_domain = "{{ vars.provider_domain }}"
+
+[grpc.services.ocmshareprovider]
+driver = "nextcloud"
+provider_domain = "{{ vars.provider_domain }}"
+webdav_endpoint = "{{ vars.external_reva_endpoint }}"
+webdav_prefix = "{{ vars.external_reva_endpoint }}/remote.php/dav/files"
+webapp_template = "{{ vars.external_reva_endpoint }}/external/sciencemesh/{{.Token}}/{relative-path-to-shared-resource}"
+
+[grpc.services.ocmshareprovider.drivers.nextcloud]
+webdav_host = "{{ vars.external_reva_endpoint }}"
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+mount_id = "nextcloud"
+
+[grpc.services.ocmproviderauthorizer]
+driver = "mentix"
+
+[grpc.services.ocmproviderauthorizer.drivers.mentix]
+url = "https://iop.sciencemesh.uni-muenster.de/iop/mentix/cs3"
+verify_request_hostname = true
+insecure = false
+timeout = 10
+refresh = 900
+
+[grpc.services.ocmproviderauthorizer.drivers.json]
+# this is used by the docker-based test deployment, not in production
+providers = "/etc/revad/providers.testnet.json"
+verify_request_hostname = true
+
+[grpc.services.userprovider]
+driver = "nextcloud"
+
+[grpc.services.userprovider.drivers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[grpc.services.datatx]
+txdriver = "rclone"
+storagedriver = "json"
+remove_transfer_on_cancel = true
+
+[grpc.services.datatx.txdrivers.rclone]
+# rclone endpoint
+endpoint = "http://rclone.docker"
+# basic auth is used
+auth_user = "rcloneuser"
+auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"
+auth_header = "x-access-token"
+job_status_check_interval = 2000
+job_timeout = 120000
+storagedriver = "json"
+remove_transfer_job_on_cancel = true
+
+[grpc.services.datatx.storagedrivers.json]
+file = ""
+
+[grpc.services.datatx.txdrivers.rclone.storagedrivers.json]
+file = ""
+
+
+### HTTP ENDPOINTS ###
+
+[http.services.appprovider]
+address = ":443"
+insecure = true
+
+[http.services.datagateway]
+address = ":443"
+
+[[http.services.dataprovider]]
+driver = "nextcloud"
+
+[http.services.dataprovider.drivers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[[http.services.dataprovider]]
+address = ":443"
+driver = "ocmoutcoming"
+
+[http.services.dataprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+[http.services.sciencemesh]
+address = ":443"
+provider_domain = "{{ vars.provider_domain }}"
+mesh_directory_url = "https://sciencemesh.cesnet.cz/iop/meshdir"
+ocm_mount_point = "/sciencemesh"
+
+[http.services.sciencemesh.smtp_credentials]
+disable_auth = true
+sender_mail = "sciencemesh@{{ vars.provider_domain }}"
+smtp_server = "smtp.{{ vars.provider_domain }}"
+smtp_port = 25
+
+[http.services.ocmprovider]
+address = ":443"
+ocm_prefix = "ocm"
+provider = "Reva for ownCloud/Nextcloud"
+endpoint = "{{ vars.external_reva_endpoint }}"
+enable_webapp = true
+enable_datatx = true
+
+[http.services.ocm]
+address = ":443"
+prefix = "ocm"
+
+[http.services.ocm.config]
+host = "{{ vars.provider_domain }}"
+
+[http.services.ocs]
+address = ":443"
+prefix = "ocs"
+
+[http.services.ocdav]
+address = ":443"
+
+[http.services.prometheus]
+address = ":443"
+
+[http.services.metrics]
+address = ":443"
+metrics_data_driver_type = "json"
+metrics_data_location = "/etc/revad/metrics.json"
+metrics_record_interval = 5000
+
+[http.services.sysinfo]
+
+[http.middlewares.cors]
+[http.middlewares.log]
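Review bot: The rclone datatx driver ships a literal credential, `auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"`, inside the example config while every other secret in this file (`machine_api_key`, `efss_shared_secret`) is hoisted to `[vars]` and called out in the header's contextualization steps; hoist it the same way with a placeholder `rclone_auth_pass = "rclone-secret"` in `[vars]` and `auth_pass = "{{ vars.rclone_auth_pass }}"`, and extend step 4 to list it together with `machine_api_key`, which the header never mentions although it also serves as `machine_secret` for the two ocmoutcoming providers. The comment `# basic auth is used` two lines above also disagrees with `auth_header = "x-access-token"` on the same block, and the endpoint is plain `http://rclone.docker`, so the comment should state which scheme the rclone endpoint actually expects and that the credential travels in cleartext unless the endpoint is in-cluster. Separately, `insecure = true` under `[http.services.appprovider]` carries no explanation; it presumably disables TLS certificate verification towards the app provider, so a one-line note such as `# skips TLS verification: only acceptable for in-cluster app providers with self-signed certificates` would keep it from being copied into a production deployment unread.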