From d6f3b67526de5774d1e724d0e337ba8dfe875239 Mon Sep 17 00:00:00 2001
From: Giuseppe Lo Presti
Date: Fri, 19 Apr 2024 11:42:16 +0200
Subject: [PATCH] [docs-only] add back config examples for sciencemesh and cernbox (#4640)
---
 examples/cernbox/cernbox.toml | 407 +++
 examples/cernbox/keycloak/cernbox.json | 2366 +++++++++++++++++
 examples/cernbox/nginx/mime.types | 96 +
 examples/cernbox/nginx/nginx.conf | 167 ++
 examples/cernbox/users.demo.json | 80 +
 examples/cernbox/web.json | 73 +
 .../sciencemesh/custom-mime-types-demo.json | 3 +
 examples/sciencemesh/metrics.json | 5 +
 examples/sciencemesh/providers.testnet.json | 34 +
 examples/sciencemesh/sciencemesh-apps.toml | 49 +
 examples/sciencemesh/sciencemesh.toml | 290 ++
 11 files changed, 3570 insertions(+)
 create mode 100644 examples/cernbox/cernbox.toml
 create mode 100644 examples/cernbox/keycloak/cernbox.json
 create mode 100644 examples/cernbox/nginx/mime.types
 create mode 100644 examples/cernbox/nginx/nginx.conf
 create mode 100644 examples/cernbox/users.demo.json
 create mode 100644 examples/cernbox/web.json
 create mode 100644 examples/sciencemesh/custom-mime-types-demo.json
 create mode 100644 examples/sciencemesh/metrics.json
 create mode 100644 examples/sciencemesh/providers.testnet.json
 create mode 100644 examples/sciencemesh/sciencemesh-apps.toml
 create mode 100644 examples/sciencemesh/sciencemesh.toml
diff --git a/examples/cernbox/cernbox.toml b/examples/cernbox/cernbox.toml
new file mode 100644
index 0000000000..a2091d0de1
--- /dev/null
+++ b/examples/cernbox/cernbox.toml
@@ -0,0 +1,407 @@
+## Example configuration to run a dockerized CERNBox for ScienceMesh tests
+#
+# The following variables are actualized by the scripts in tests/sciencemesh/scripts
+
+[vars]
+internal_gateway = "your.revad.org"
+provider_domain = "your.revad.org"
+external_reva_endpoint = "https://your.nginx.org" # append here any route if applicable
+wopi_endpoint = "http://your.wopi.org:8880"
+ocmshares_json_file = "/var/tmp/reva/shares_cernbox.json"
+machine_api_key = "machine-api-key"
+wopi_shared_secret = "shared-secret-2"
+
+[http]
+certfile = "/etc/tls/your.revad.ssl.crt"
+keyfile = "/etc/tls/your.revad.ssl.key"
+
+[log]
+level = "debug"
+
+[shared]
+gatewaysvc = "{{ vars.internal_gateway }}:19000"
+jwt_secret = "reva-secret"
+
+[grpc.services.gateway]
+address = ":19000"
+authregistrysvc = "{{ grpc.services.authregistry.address }}"
+appregistrysvc = "{{ grpc.services.appregistry.address }}"
+storageregistrysvc = "{{ grpc.services.storageregistry.address }}"
+preferencessvc = "{{ grpc.services.userprovider.address }}"
+userprovidersvc = "{{ grpc.services.userprovider.address }}"
+usershareprovidersvc = "{{ grpc.services.usershareprovider.address }}"
+publicshareprovidersvc = "{{ grpc.services.publicshareprovider.address }}"
+ocmcoresvc = "{{ grpc.services.ocmcore.address }}"
+ocmshareprovidersvc = "{{ grpc.services.ocmshareprovider.address }}"
+ocminvitemanagersvc = "{{ grpc.services.ocminvitemanager.address }}"
+ocmproviderauthorizersvc = "{{ grpc.services.ocmproviderauthorizer.address }}"
+datagateway = "https://{{ http.services.datagateway.address }}/data"
+
+transfer_expires = 6 # give it a moment
+commit_share_to_storage_grant = true
+commit_share_to_storage_ref = true
+
+
+### APPS ###
+
+[grpc.services.appregistry]
+driver = "static"
+
+[grpc.services.appregistry.drivers.static]
+mime_types = [
+ {"mime_type" = "text/plain", "extension" = "txt", "name" = "Text file", "description" = "Text file", "allow_creation" = true},
+ {"mime_type" = "text/markdown", "extension" = "md", "name" = "Markdown file", "description" = "Markdown file", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.text", "extension" = "odt", "name" = "OpenDocument", "description" = "OpenDocument text document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.spreadsheet", "extension" = "ods", "name" = "OpenSpreadsheet", "description" = "OpenDocument spreadsheet document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.presentation", "extension" = "odp", "name" = "OpenPresentation", "description" = "OpenDocument presentation document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.jupyter", "extension" = "ipynb", "name" = "Jupyter Notebook", "description" = "Jupyter Notebook"}
+]
+
+[[grpc.services.appprovider]]
+driver = "wopi"
+custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+mime_types = ["application/vnd.oasis.opendocument.text", "application/vnd.oasis.opendocument.spreadsheet", "application/vnd.oasis.opendocument.presentation", "text/rtf"]
+app_provider_url = "{{ grpc.services.appprovider[0].address }}"
+language = "en-GB"
+
+[grpc.services.appprovider.drivers.wopi]
+iop_secret = "{{ vars.wopi_shared_secret }}"
+wopi_url = "{{ vars.wopi_endpoint }}"
+app_name = "Collabora"
+app_url = "http://collabora.docker:9980"
+app_int_url = "http://collabora.docker:9980"
+
+
+# [[grpc.services.appprovider]]
+# driver = "wopi"
+# custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+# mime_types = ["text/markdown", "application/compressed-markdown", "text/plain"]
+# app_provider_url = "{{ grpc.services.appprovider[1].address }}"
+#
+# [grpc.services.appprovider.drivers.wopi]
+# iop_secret = "{{ vars.wopi_shared_secret }}"
+# wopi_url = "{{ vars.wopi_endpoint }}"
+# app_name = "CodiMD"
+# app_url = "https://codimd.docker"
+# app_int_url = "https://codimd.docker"
+
+
+### AUTH ###
+
+[grpc.services.authregistry]
+driver = "static"
+
+[grpc.services.authregistry.drivers.static.rules]
+basic = "{{ grpc.services.authprovider[0].address }}"
+bearer = "{{ grpc.services.authprovider[0].address }}"
+machine = "{{ grpc.services.authprovider[1].address }}"
+ocmshares = "{{ grpc.services.authprovider[2].address }}"
+
+[[grpc.services.authprovider]]
+auth_manager = "oidc"
+
+[grpc.services.authprovider.auth_managers.json]
+users = "/etc/revad/users.demo.json"
+
+[grpc.services.authprovider.auth_managers.oidc]
+issuer = "https://idp.docker:8443/realms/cernbox"
+uid_claim = "cern_uid"
+gid_claim = "cern_gid"
+gatewaysvc = "{{ vars.internal_gateway }}:19000"
+
+[[grpc.services.authprovider]]
+auth_manager = "machine"
+
+[grpc.services.authprovider.auth_managers.machine]
+api_key = "{{ vars.machine_api_key }}"
+gateway_addr = "{{ vars.internal_gateway }}:19000"
+
+[[grpc.services.authprovider]]
+auth_manager = "ocmshares"
+
+
+### STORAGE ###
+
+[grpc.services.storageregistry]
+driver = "static"
+
+[grpc.services.storageregistry.drivers.static]
+home_provider = "/"
+
+[grpc.services.storageregistry.drivers.static.rules]
+"/" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"localhome" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"/ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+"ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+"/sciencemesh" = { address = "{{ grpc.services.storageprovider[2].address }}" }
+"sciencemesh" = { address = "{{ grpc.services.storageprovider[2].address }}" }
+
+[[grpc.services.storageprovider]]
+driver = "localhome"
+mount_path = "/"
+mount_id = "localhome"
+expose_data_server = true
+data_server_url = "https://localhost:{{ http.services.dataprovider[0].address.port }}/data"
+enable_home_creation = true
+
+[grpc.services.storageprovider.drivers.localhome]
+user_layout = "{{.Username}}"
+
+[[grpc.services.storageprovider]]
+driver = "ocmoutcoming"
+mount_id = "ocm"
+mount_path = "/ocm"
+expose_data_server = true
+enable_home_creation = false
+data_server_url = "{{ vars.external_reva_endpoint }}/data"
+
+[grpc.services.storageprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+[[grpc.services.storageprovider]]
+driver = "ocmreceived"
+mount_path = "/sciencemesh"
+mount_id = "sciencemesh"
+expose_data_server = true
+# this must be accessible from the GUI, therefore the hostname will be replaced
+data_server_url = "https://your.revad.org:{{ http.services.dataprovider[2].address.port }}/data"
+
+
+### OTHER PROVIDERS ###
+
+[grpc.services.usershareprovider]
+driver = "memory"
+
+[grpc.services.publicshareprovider]
+driver = "memory"
+
+[grpc.services.preferences]
+
+[grpc.services.ocmcore]
+driver = "json"
+
+[grpc.services.ocmcore.drivers.json]
+# Note that ocmcore and ocmshareprovider should use the same file for storing the shares.
+file = "{{ vars.ocmshares_json_file }}"
+
+[grpc.services.ocminvitemanager]
+driver = "json"
+provider_domain = "{{ vars.provider_domain }}"
+
+[grpc.services.ocmshareprovider]
+driver = "json"
+provider_domain = "{{ vars.provider_domain }}"
+webdav_endpoint = "{{ vars.external_reva_endpoint }}"
+webdav_prefix = "{{ vars.external_reva_endpoint }}/remote.php/dav/files"
+webapp_template = "{{ vars.external_reva_endpoint }}/external/sciencemesh/{{.Token}}/{relative-path-to-shared-resource}"
+
+[grpc.services.ocmshareprovider.drivers.json]
+file = "{{ vars.ocmshares_json_file }}"
+
+[grpc.services.ocmproviderauthorizer]
+driver = "json"
+
+[grpc.services.ocmproviderauthorizer.drivers.json]
+# this is used by the docker-based test deployment, not in production
+providers = "/etc/revad/providers.testnet.json"
+verify_request_hostname = true
+
+[grpc.services.userprovider]
+driver = "json"
+
+[grpc.services.userprovider.drivers.json]
+users = "/etc/revad/users.demo.json"
+
+[grpc.services.datatx]
+txdriver = "rclone"
+storagedriver = "json"
+remove_transfer_on_cancel = true
+
+[grpc.services.datatx.txdrivers.rclone]
+# rclone endpoint
+endpoint = "http://rclone.docker"
+# basic auth is used
+auth_user = "rcloneuser"
+auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"
+auth_header = "x-access-token"
+job_status_check_interval = 2000
+job_timeout = 120000
+storagedriver = "json"
+remove_transfer_job_on_cancel = true
+
+[grpc.services.datatx.storagedrivers.json]
+file = ""
+
+[grpc.services.datatx.txdrivers.rclone.storagedrivers.json]
+file = ""
+
+
+### HTTP ENDPOINTS ###
+
+[http.middlewares.auth]
+credential_chain = ["publicshares", "basic", "bearer"]
+token_strategy_chain = ["bearer", "header"]
+
+[http.middlewares.auth.credentials_by_user_agent]
+"mirall" = "basic"
+
+[http.services.appprovider]
+address = ":443"
+
+[http.services.datagateway]
+address = ":443"
+
+[[http.services.dataprovider]]
+driver = "localhome"
+
+[http.services.dataprovider.drivers.localhome]
+user_layout = "{{.Username}}"
+
+[[http.services.dataprovider]]
+address = ":443"
+driver = "ocmoutcoming"
+
+[http.services.dataprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+[[http.services.dataprovider]]
+driver = "ocmreceived"
+
+[http.services.sciencemesh]
+address = ":443"
+provider_domain = "{{ vars.provider_domain }}"
+mesh_directory_url = "https:/meshdir.docker/meshdir"
+ocm_mount_point = "/sciencemesh"
+
+[http.services.sciencemesh.smtp_credentials]
+disable_auth = true
+sender_mail = "sciencemesh@{{ vars.provider_domain }}"
+smtp_server = "smtp.{{ vars.provider_domain }}"
+smtp_port = 25
+
+[http.services.ocmprovider]
+address = ":443"
+ocm_prefix = "ocm"
+provider = "Reva for CERNBox"
+endpoint = "{{ vars.external_reva_endpoint }}"
+enable_webapp = true
+enable_datatx = true
+
+[http.services.ocm]
+address = ":443"
+prefix = "ocm"
+
+[http.services.ocm.config]
+host = "{{ vars.provider_domain }}"
+
+# OCS
+[http.services.ocs]
+address = ":443"
+prefix = "ocs"
+share_prefix = "/"
+home_namespace = "/"
+additional_info_attribute = "{{.Username}} ({{.Mail}})"
+cache_warmup_driver = "first-request"
+resource_info_cache_ttl = 60
+resource_info_cache_type = "memory"
+
+[http.services.ocs.config]
+version = "1.8"
+website = "reva"
+host = "https://localhost"
+contact = "cernbox@cernbox.org"
+ssl = "false"
+
+[http.services.ocs.capabilities.capabilities.core]
+poll_interval = 60
+webdav_root = "remote.php/webdav"
+status = { installed = true, maintenance = false, nwwsaDbUpgrade = false, version = "10.0.11.5", versionstring = "10.0.11", edition = "community", productname = "reva", hostname = "" }
+support_url_signing = false
+
+[http.services.ocs.capabilities.capabilities.checksums]
+supported_types = ["sha1", "md5", "adler32"]
+
+[http.services.ocs.capabilities.capabilities.files]
+private_links = false
+bigfilechunking = false
+blacklisted_files = []
+undelete = true
+versioning = true
+archivers = [
+ { enabled = true, version = "2.0.0", formats = [
+ "tar",
+ "zip",
+ ], archiver_url = "/archiver", max_num_files = "10000", max_size = "1073741824" },
+]
+favorites = true
+
+[http.services.ocs.capabilities.capabilities.dav]
+
+[http.services.ocs.capabilities.capabilities.files_sharing]
+api_enabled = true
+resharing = true
+deny_access = true
+resharing_default = false
+group_sharing = true
+auto_accept_share = true
+share_with_group_members_only = true
+share_with_membership_groups_only = true
+default_permissions = 22
+search_min_length = 3
+
+[http.services.ocs.capabilities.capabilities.files_sharing.public]
+enabled = true
+send_mail = true
+social_share = true
+upload = true
+multiple = true
+supports_upload_only = true
+password = { enforced = false, enforced_for = { read_only = false, read_write = false, upload_only = false } }
+expire_date = { enabled = true }
+can_edit = true
+can_contribute = false
+
+[http.services.ocs.capabilities.capabilities.files_sharing.user]
+send_mail = true
+profile_picture = false
+settings = [{ enabled = true, version = "1.0.0" }]
+
+[http.services.ocs.capabilities.capabilities.files_sharing.user_enumeration]
+enabled = true
+group_members_only = true
+
+[http.services.ocs.capabilities.capabilities.files_sharing.federation]
+outgoing = true
+incoming = true
+
+[http.services.ocs.capabilities.capabilities.spaces]
+enabled = false
+projects = true
+
+[http.services.ocs.capabilities.version]
+edition = "reva"
+major = 10
+minor = 0
+micro = 11
+string = "10.0.11"
+
+[http.services.ocdav]
+address = ":443"
+insecure = true
+
+[http.services.prometheus]
+address = ":443"
+
+[http.services.sysinfo]
+
+#[http.services.ui]
+#address = ":443"
+
+[http.middlewares.cors]
+allowed_origins = ["*"]
+allowed_methods = ["OPTIONS", "LOCK", "GET", "HEAD", "POST", "DELETE", "PROPPATCH", "COPY", "MOVE", "UNLOCK", "PROPFIND", "MKCOL", "REPORT", "SEARCH", "PUT"]
+allowed_headers = ["Accept", "Accept-Language", "Authorization", "Content-Language", "Content-Type", "Depth", "OCS-APIREQUEST", "Referer", "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform", "User-Agent", "X-Requested-With"]
+debug = true
+exposed_headers = []
+
+[http.middlewares.log]
diff --git a/examples/cernbox/keycloak/cernbox.json b/examples/cernbox/keycloak/cernbox.json
new file mode 100644
index 0000000000..c7fd64f6a8
--- /dev/null
+++ b/examples/cernbox/keycloak/cernbox.json
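Review bot: `jwt_secret = "reva-secret"` under `[shared]` and `auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"` under `[grpc.services.datatx.txdrivers.rclone]` are literal credentials that live outside `[vars]`, so unlike the `[vars]` entries the header comment says are actualized by the test scripts, they stay exactly as committed in any deployment derived from this example. Consider routing them through `[vars]` like the other secrets (`jwt_secret = "{{ vars.jwt_secret }}"`) or adding a comment above each, e.g. `# test-only value; generate a fresh secret for any non-test deployment`. Separately, `mesh_directory_url = "https:/meshdir.docker/meshdir"` in `[http.services.sciencemesh]` has a single slash after the scheme and is presumably meant to read `https://meshdir.docker/meshdir`. The `[http.middlewares.cors]` block, which pairs `allowed_origins = ["*"]` with `Authorization` in `allowed_headers` and `debug = true`, is reasonable for the docker test but would benefit from a one-line comment marking it as not suitable for a production copy.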
@@ -0,0 +1,2366 @@ +{ + "users": [ + { + "id": "einstein", + "username": "einstein", + "enabled": true, + "email": "einstein@cern.ch", + "emailVerified": true, + "firstName": "Albert", + "lastName": "Einstein", + "credentials": [ + { + "type": "password", + "value": "relativity" + } + ], + "realmRoles": [ + "user" + ], + "clientRoles": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + { + "id": "marie", + "username": "marie", + "enabled": true, + "email": "marie@cern.ch", + "emailVerified": true, + "firstName": "Marie", + "lastName": "Curie", + "credentials": [ + { + "type": "password", + "value": "radioactivity" + } + ], + "realmRoles": [ + "user" + ], + "clientRoles": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + { + "id": "richard", + "username": "richard", + "enabled": true, + "email": "richard@cern.ch", + "emailVerified": true, + "firstName": "Richard", + "lastName": "Feynman", + "credentials": [ + { + "type": "password", + "value": "superfluidity" + } + ], + "realmRoles": [ + "user" + ], + "clientRoles": { + "account": [ + "view-profile", + "manage-account" + ] + } + } + ], + "id": "d5f44848-3fec-4333-bcc5-2e69b96a7652", + "realm": "cernbox", + "displayName": "Keycloak", + "displayNameHtml": "
Keycloak
", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 60, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "1dd251c9-5c68-413f-8035-34e0336922c6", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651", + "attributes": {} + }, + { + "id": "e7ace27c-cfc7-4f34-8df8-bd32e0da15ce", + "name": "create-realm", + "description": "${role_create-realm}", + "composite": false, + "clientRole": false, + "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651", + "attributes": {} + }, + { + "id": 
"4985b709-d1cd-4583-b733-71f51c9566d2", + "name": "default-roles-cernbox", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651", + "attributes": {} + }, + { + "id": "abf70cc8-2287-44d5-be0e-0307ff3c0b40", + "name": "admin", + "description": "${role_admin}", + "composite": true, + "composites": { + "realm": [ + "create-realm" + ], + "client": { + "cernbox-realm": [ + "view-authorization", + "query-groups", + "view-clients", + "view-identity-providers", + "view-realm", + "manage-authorization", + "manage-identity-providers", + "impersonation", + "query-users", + "query-realms", + "view-users", + "view-events", + "manage-users", + "manage-clients", + "manage-realm", + "create-client", + "query-clients", + "manage-events" + ] + } + }, + "clientRole": false, + "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651", + "attributes": {} + }, + { + "id": "b2efa3fd-321d-47ae-a1c6-5efb5f0973f7", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651", + "attributes": {} + } + ], + "client": { + "cernbox-oidc": [], + "security-admin-console": [], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "cac7cb03-5144-41f1-bba8-70b51b34905c", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "e1bb70a9-5439-48ca-b8d6-ef27a3b6f624", + "attributes": {} + } + ], + "cernbox-realm": [ + { + "id": "efaa23b3-3208-4346-92f9-49d36b714be0", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": 
"19fa9af2-cd74-4889-9241-ccad973264de", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "b7514426-db73-47a8-9a99-9a93821cca24", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "cernbox-realm": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "1d65b3fc-4845-48a8-a00b-a11b5665e87c", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "2427f9b7-2d1e-4ca4-b1d8-bcd878346016", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "0b2f3aff-9562-4dc7-8b34-d0ad592307c3", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "31d61639-2493-4fa5-a8e5-6222a0204cb0", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "7a3514c1-1fdf-40a7-8b26-3bfd78d13d8f", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "fd468050-a5f7-4da9-b476-d701e228c1ba", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + 
"clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "9776694a-3e2d-481b-83f9-8b8468ef5cba", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "8c752cb9-e159-473d-8bd9-3db4b578204c", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "cernbox-realm": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "0226e0da-1a5f-4671-aa3f-ea628ac6840b", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "720bdf01-f1eb-4f7d-a2f1-674b8fba8ae5", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "9bc4aaf1-1db4-4125-be4d-3ea9fdfdcddc", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "75e4d613-14b5-413b-b5ed-7323658d7237", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "2a3cc632-ed73-42de-a876-ed8a9d67927e", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "afc7679e-a9d4-4deb-9a32-8b19060385c0", + "name": "query-clients", + 
"description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + }, + { + "id": "90b2fe49-3132-42b3-99a4-be0350d68f12", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "attributes": {} + } + ], + "account": [ + { + "id": "381fbd9e-352d-472a-88b3-b8dc1e593ed7", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + }, + { + "id": "4fe6afe5-239c-4749-ad96-d607126aa370", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + }, + { + "id": "0e82842e-091b-485a-b0b8-2f6679c29bda", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + }, + { + "id": "467762f3-ef88-483d-8c03-3f7880b22400", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + }, + { + "id": "9fea9466-3e06-4970-80e5-9f7afbd1eb80", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + }, + { + "id": "873fd72b-e3f0-4825-a2d2-c88c362bb102", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + }, + { + "id": "2f726de0-782b-4678-ab2e-c40d27a74968", + "name": 
"manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + }, + { + "id": "99141aca-0e6e-4e5a-97c1-5d255bece148", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "attributes": {} + } + ] + } + }, + "groups": [ + { + "id": "21b3d522-c35f-42da-9b35-8396c081fe13", + "name": "philosophy-haters", + "path": "/philosophy-haters", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "a3ee97a0-52ee-4dbc-9f9b-7c0f4851ad9e", + "name": "physics-lovers", + "path": "/physics-lovers", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "9d992aa0-be4c-4abc-9076-7493eec5cd5d", + "name": "polonium-lovers", + "path": "/polonium-lovers", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "3807793f-1d9b-4e79-ac30-0787127529e3", + "name": "quantum-lovers", + "path": "/quantum-lovers", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "9753c519-3a2e-4ae2-9114-eb00b3609709", + "name": "radium-lovers", + "path": "/radium-lovers", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "dce7f132-2fce-4958-9b51-c7b493133bec", + "name": "sailing-lovers", + "path": "/sailing-lovers", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + }, + { + "id": "9f434513-d831-481f-9870-5d5504a795be", + "name": "violin-haters", + "path": "/violin-haters", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + } + ], + "defaultRole": { + 
"id": "4985b709-d1cd-4583-b733-71f51c9566d2", + "name": "default-roles-cernbox", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "d5f44848-3fec-4333-bcc5-2e69b96a7651" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppMicrosoftAuthenticatorName", + "totpAppFreeOTPName", + "totpAppGoogleName" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + 
"clients": [ + { + "id": "2c60f6c5-2ffb-4d0b-be37-997d79f2eac5", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/cernbox/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/cernbox/account/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "b2a1c6b7-014c-4c58-be28-4cd1575fd919", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/cernbox/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/cernbox/account/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { 
+ "id": "d71aeba9-ff27-44de-97d8-47cdded9bf61", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "026086ee-7521-4554-ab3e-c00d6a280373", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "e1bb70a9-5439-48ca-b8d6-ef27a3b6f624", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + 
"nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "acd215fa-56d6-4617-a55a-8eb8b98af4cb", + "clientId": "cernbox-oidc", + "name": "cernbox-oidc", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://cernbox1.docker/*", + "https://cernbox2.docker/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": true, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "5a911287-7ef9-43c3-9eea-401a137c83b8", + "clientId": "cernbox-realm", + "name": "cernbox Realm", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + 
"publicClient": false, + "frontchannelLogout": false, + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "2299ba69-8859-4d59-b8ba-60d384b614d8", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/cernbox/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/cernbox/console/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "64cf2e6f-7ae8-415e-bc2a-22e15b3b8845", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "f5343f9d-c533-4a6b-b7cf-b243f3387212", + "name": 
"microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "881c1d36-008a-4961-9986-61f99e49e4e7", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "ffe50a2d-8a86-4b7b-94b2-a1482894f6f1", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "0ac8f26d-382c-4d35-b63a-a06b90642a6c", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "d61366bf-6d3c-440b-9d15-d146ee97d278", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "953283ab-f632-4cca-b71e-c68456e37e69", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": 
"website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "8ffcb8e2-d342-4434-8cfa-066629984272", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "49e5f7e1-614a-4ac8-b59c-7e7ca4be8c75", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "3377051b-b951-4120-a577-e9c8371dfe53", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "d89e8483-bdd2-4074-8f09-a30ae5297492", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "526a9d58-b944-4607-883c-cb853e7bf0d4", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + 
"jsonType.label": "String" + } + }, + { + "id": "4db59ddf-4955-4aca-854a-83fea782de39", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "2d4f9809-38ad-4e88-b6d5-6990417b17e3", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "869c9612-3fba-4618-80ba-b166bfa2df31", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "3c9425f1-edf1-4daa-b78f-e925aa4a6e5f", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "d97c24af-3dbd-453f-aa41-d0ee4ffced63", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, 
+ { + "id": "284f7309-06e7-4a9f-8974-a0695418e3bc", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "053b3b02-3c69-490d-9382-be565e3cc6a0", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "02b6c73f-cc0b-416f-9c7f-c99fd68f7ce4", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "57dfff04-f55d-4e47-96d1-482f61f7d439", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "51c7f33d-1b01-4be6-96a5-7544e55a5cd1", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": 
"f7fed9dc-6317-44e6-9b5d-56c0fa13a287", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "b7eb5197-7719-4b8e-a5ab-6a362b5a2d24", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "d498fcee-d13b-4bba-85c3-c95f2acddf02", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "1fbd2ac9-3d32-4095-b366-e75cd7aaaf76", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "ff61a997-a211-4978-9212-5c27b886582e", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "c79cedd3-a3ee-4f8a-96d7-81e514e8cbe9", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": 
"${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "6a2e64d1-d27e-4663-9d5e-ac0d78a3c5ea", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "71c4630e-b700-4874-a6d5-16c58a59853a", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "3e22efbe-796f-4956-87a8-7472fd49bfa3", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "a1884484-24d0-46b6-9040-ec38c2ec5571", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "0d05297b-71e5-4185-b81a-7c95f2c0eb3b", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "d3f84c0a-6962-4d49-ae88-a7f2a41aaed4", + "name": 
"role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "679fda99-b976-4c81-adc3-2cd1c687c59e", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "603e8df0-3016-410b-9816-abb32d0e3071", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "4e34e7a6-ae0e-47b0-b3c5-02a608306dd2", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "53e7d18c-7aae-4516-b1c8-89f91b7b86a7", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "xXSSProtection": "1; mode=block", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + 
"smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "47d66138-4145-480c-875d-363b5bc31838", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-full-name-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper", + "oidc-usermodel-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-address-mapper" + ] + } + }, + { + "id": "96d7ddd5-fe73-4217-a753-a4e202a8adb7", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "a74b31e3-b126-4fc5-8825-96debd1f2471", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "82f1d154-61a3-4b6a-b1f3-811a2e86aa85", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "b262c386-dc0f-42cd-aefb-72d0c34a24dc", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "da1c03ae-7796-476b-b80b-76be91c5cd77", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "26eec102-eae6-463c-91e3-7333c627394c", + "name": "Trusted 
Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "648e6fc9-8363-4a1d-9f0a-d67a13c9edc9", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-full-name-mapper", + "oidc-address-mapper", + "saml-role-list-mapper", + "oidc-usermodel-property-mapper", + "saml-user-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-attribute-mapper" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "cc8a50f7-176a-4776-9201-5050dc802f0e", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "ce297a71-1c56-4b0f-87c0-8818c2977e2a", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "85ce5401-1789-4e98-a14b-06ba935be78b", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "c99a1812-0f86-4120-8538-4c53f7be670f", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "4d4d9b4d-a081-4008-ad19-b81e3a8a9ab6", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": 
"idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "03928ec0-305d-4bba-a832-156a37250460", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "a94107c0-ae9e-4459-9b54-bdee3e5a2b2b", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "356c5010-27d7-4c7a-a055-3880d3dc41fd", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + 
"providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "b6d4fff4-9930-4030-95ce-09f5f18f6846", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "2c021c56-981a-4b35-945f-20e15305ef0a", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "28d90136-9d52-41d4-b6a5-c410879516d7", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP 
should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "ed8520ee-e733-40ad-8ad0-f66b803a85a6", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "beb2fdfe-e8ad-4fe7-b0a3-1cbc7cd232e5", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "3583e59f-8e55-41fa-8eb2-61dffa918f69", + "alias": "browser", + "description": 
"browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "da4eaa2e-2f57-4f3b-bf87-8bdeb25e6cc8", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "61da9559-fcc0-411b-862c-1ecff20403a0", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + 
"topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "75f9bd37-f7fb-44d2-a3c7-ee022e31080d", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "0daeca0e-d7dc-40b9-8116-83307bf06c06", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "fad12cb4-3a42-4cad-b589-3ff705ae41c0", + "alias": "forms", + "description": "Username, password, otp and other 
auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "6674479a-9f99-430c-a774-6b44e36f45b1", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] + }, + { + "id": "fa0fc72c-92eb-42f2-942a-0e687b9ad184", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "b07a2cd8-d159-449c-b239-5b077e075d6e", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + 
"userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "711099a9-985d-4978-a45c-88f03ac0097a", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "13954e50-cc94-48d8-a181-7e0aa8f4b105", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + 
"priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "88978291-3ecf-4139-a7e7-589bcce17e8d", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "785a91df-7692-43f1-9dd6-6bfcb0375e69", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": 
"update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "21.1.1", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} diff --git a/examples/cernbox/nginx/mime.types b/examples/cernbox/nginx/mime.types new file mode 100644 index 0000000000..0908f64c42 --- /dev/null +++ b/examples/cernbox/nginx/mime.types 
@@ -0,0 +1,96 @@
+ types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js mjs;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ font/woff woff;
+ font/woff2 woff2;
+
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.oasis.opendocument.graphics odg;
+ application/vnd.oasis.opendocument.presentation odp;
+ application/vnd.oasis.opendocument.spreadsheet ods;
+ application/vnd.oasis.opendocument.text odt;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation
+ pptx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ xlsx;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ docx;
+ application/vnd.wap.wmlc wmlc;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/examples/cernbox/nginx/nginx.conf b/examples/cernbox/nginx/nginx.conf
new file mode 100644
index 0000000000..7d82347969
--- /dev/null
+++ b/examples/cernbox/nginx/nginx.conf
@@ -0,0 +1,167 @@
+
+user nginx;
+worker_processes auto;
+
+pid /var/run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ map $status $loggable {
+ ~^[23] 0;
+ default 1;
+ }
+
+ access_log /var/log/nginx/access.log combined if=$loggable;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ client_max_body_size 8G;
+ #gzip on;
+
+ # avoid nginx buffering all the payload, only available in > 1.7
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ upstream revad {
+ server your.revad.org:443;
+ }
+
+ server {
+ listen 80;
+ server_name localhost;
+ return 301 https://$host$request_uri;
+ }
+
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.20.1&config=intermediate&openssl=1.0.2k&guideline=5.6
+ server {
+ listen 443 ssl http2;
+ server_name localhost;
+
+ ssl_certificate your.cert.pem;
+ ssl_certificate_key your.key.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ proxy_connect_timeout 1200;
+ proxy_send_timeout 1200;
+ proxy_read_timeout 1200;
+ send_timeout 1200;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location ^~ /data {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ~ /s/[^/]*/download {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /ocs/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /dav/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /webdav/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /remote.php/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /preferences {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /otg {
+ return 204;
+ }
+
+ location ^~ /app/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /ocm/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/sciencemesh/ {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /ocm-provider {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ^~ /status.php {
+ proxy_pass https://revad;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/(js|css|icons|fonts|assets)/ {
+ root /var/www/web;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ etag off;
+ gzip_static on;
+ }
+
+ location ^~ /cernbox {
+ root /var/www;
+ add_header Cache-Control "no-cache";
+ add_header Access-Control-Allow-Origin "https://idp.docker:8443" always;
+ etag off;
+ gzip_static on;
+ }
+
+ location / {
+ root /var/www/web;
+ add_header Cache-Control "no-cache";
+ add_header Access-Control-Allow-Origin "https://idp.docker:8443" always;
+ etag off;
+ gzip_static on;
+ try_files $uri /index.html;
+ }
+
+# location / {
+# proxy_pass https://revad/ui;
+# proxy_set_header Host $host;
+# }
+ }
+}
diff --git a/examples/cernbox/users.demo.json b/examples/cernbox/users.demo.json
new file mode 100644
index 0000000000..8452f49a08
--- /dev/null
+++ b/examples/cernbox/users.demo.json
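Review bot: Every `proxy_pass https://revad;` block sends traffic to `your.revad.org:443` over TLS without a `proxy_ssl_verify` directive, and nginx's default for it is off, so the upstream certificate is accepted without validation. For the dockerized test network that may be intended, but since this is the file deployments copy from, the `upstream revad` section or each location should carry `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-ca-bundle>;` and `proxy_ssl_name your.revad.org;`, or at least a comment stating that upstream verification is deliberately off for testing. The two `add_header Access-Control-Allow-Origin "https://idp.docker:8443" always;` lines hard-code the test IdP origin while the rest of the file uses `your.revad.org` and `your.cert.pem` placeholders; a comment such as `# replace with your IdP origin; keep in sync with openIdConnect.authority in web.json` would stop a reader from adapting one file and not the other.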
@@ -0,0 +1,80 @@
+[
+ {
+ "id": {
+ "opaque_id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "idp": "cernbox",
+ "type": 1
+ },
+ "username": "einstein",
+ "secret": "relativity",
+ "mail": "einstein@cern.ch",
+ "display_name": "Albert Einstein",
+ "groups": ["sailing-lovers", "violin-haters", "physics-lovers"],
+ "opaque": {
+ "map": {
+ "gid": {
+ "_comment": "decodes to 987",
+ "decoder":"plain",
+ "value":"OTg3"
+ },
+ "uid":{
+ "_comment": "decodes to 123",
+ "decoder":"plain",
+ "value":"MTIz"
+ }
+ }
+ }
+ },
+ {
+ "id": {
+ "opaque_id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
+ "idp": "cernbox",
+ "type": 1
+ },
+ "username": "marie",
+ "secret": "radioactivity",
+ "mail": "marie@cern.ch",
+ "display_name": "Marie Curie",
+ "groups": ["radium-lovers", "polonium-lovers", "physics-lovers"],
+ "opaque": {
+ "map": {
+ "gid": {
+ "_comment": "decodes to 987",
+ "decoder":"plain",
+ "value":"OTg3"
+ },
+ "uid":{
+ "_comment": "decodes to 456",
+ "decoder":"plain",
+ "value":"NDU2"
+ }
+ }
+ }
+ },
+ {
+ "id": {
+ "opaque_id": "932b4540-8d16-481e-8ef4-588e4b6b151c",
+ "idp": "cernbox",
+ "type": 1
+ },
+ "username": "richard",
+ "secret": "superfluidity",
+ "mail": "richard@cern.ch",
+ "display_name": "Richard Feynman",
+ "groups": ["quantum-lovers", "philosophy-haters", "physics-lovers"],
+ "opaque": {
+ "map": {
+ "gid": {
+ "_comment": "decodes to 135",
+ "decoder":"plain",
+ "value":"MTM1"
+ },
+ "uid":{
+ "_comment": "decodes to 246",
+ "decoder":"plain",
+ "value":"MjQ2"
+ }
+ }
+ }
+ }
+]
diff --git a/examples/cernbox/web.json b/examples/cernbox/web.json
new file mode 100644
index 0000000000..d712acca60
--- /dev/null
+++ b/examples/cernbox/web.json
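Review bot: The three `secret` values (`relativity`, `radioactivity`, `superfluidity`) are clear-text passwords for accounts that any instance started from this file will accept, and nothing in the file marks them as test-only beyond the `.demo` in the filename. The file already relies on the decoder ignoring the `_comment` keys inside `opaque.map`, so presumably a top-level `"_comment": "demo accounts with fixed passwords; never load in a reachable deployment"` on each record would be tolerated the same way, but that should be confirmed against the userprovider driver before adding it. If unknown top-level keys are not safe, the same warning belongs in the header comment of cernbox.toml next to the `[vars]` placeholders.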
@@ -0,0 +1,73 @@
+{
+ "server": "https://your.nginx.org",
+ "theme": "https://your.nginx.org/cernbox/theme-cernbox-0.2.0/theme.json",
+ "version": "0.0.0",
+ "openIdConnect": {
+ "metadata_url": "https://idp.docker:8443/realms/cernbox/.well-known/openid-configuration",
+ "authority": "https://idp.docker:8443/realms/cernbox",
+ "client_id": "cernbox-oidc",
+ "response_type": "code",
+ "scope": "openid profile email"
+ },
+ "options": {
+ "contextHelpers": true,
+ "enableAdvancedTable": true,
+ "cernFeatures": true,
+ "hoverableQuickActions": true,
+ "disableFeedbackLink": true,
+ "homeFolder": "/{{.Id}}",
+ "previewFileMimeTypes" : [
+ "image/gif",
+ "image/png",
+ "image/jpeg"
+ ],
+ "openAppsInTab": true,
+ "editor": {
+ "autosaveEnabled": true,
+ "autosaveInterval": 120
+ },
+ "breadcrumbItemMaxLength": 30,
+ "routing": {
+ "idBased": false
+ },
+ "upload": {
+ "xhr": {
+ "timeout": 3600000
+ }
+ }
+ },
+ "apps": [
+ "files",
+ "search",
+ "preview",
+ "external",
+ "pdf-viewer",
+ "sciencemesh-app"
+ ],
+ "external_apps": [
+ {
+ "id": "jupyter",
+ "path": "/cernbox/jupyter-2.0.0/main.js"
+ },
+ {
+ "id": "rootjs",
+ "path": "/cernbox/rootjs-2.0.0/main.js"
+ },
+ {
+ "id": "ifc-js",
+ "path": "/cernbox/ifc-js-2.0.2/main.js"
+ },
+ {
+ "id": "top-bar",
+ "path": "/cernbox/top-bar-1.0.0/main.js"
+ },
+ {
+ "id": "text-editor",
+ "path": "web-app-text-editor",
+ "config": {
+ "primaryExtensions": ["txt"],
+ "extraExtensions": ["htm", "html", "css", "js", "ts", "php", "yml", "toml", "qml", "pl", "pm", "sh", "tcsh", "zsh", "conf", "ini", "inf", "make", "cmake", "mk", "in"]
+ }
+ }
+ ]
+}
diff --git a/examples/sciencemesh/custom-mime-types-demo.json b/examples/sciencemesh/custom-mime-types-demo.json
new file mode 100644
index 0000000000..390947ec09
--- /dev/null
+++ b/examples/sciencemesh/custom-mime-types-demo.json
@@ -0,0 +1,3 @@
+{
+ ".zmd": "application/compressed-markdown"
+}
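Review bot: `openIdConnect.metadata_url` and `openIdConnect.authority` hard-code `https://idp.docker:8443/realms/cernbox`, while `server` and `theme` use the `your.nginx.org` placeholder that the cernbox.toml header says the test scripts actualize, so a reader adapting the file replaces the placeholder and keeps pointing the browser at the docker IdP. Using a placeholder such as `https://your.idp.org/realms/cernbox` in both keys, or listing `idp.docker:8443` in the cernbox.toml header as a value to replace together with the matching `Access-Control-Allow-Origin` in nginx.conf, would keep the three files consistent.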
diff --git a/examples/sciencemesh/metrics.json b/examples/sciencemesh/metrics.json
new file mode 100644
index 0000000000..da85d866d9
--- /dev/null
+++ b/examples/sciencemesh/metrics.json
@@ -0,0 +1,5 @@
+{
+ "cs3_org_sciencemesh_site_total_num_users": 0,
+ "cs3_org_sciencemesh_site_total_num_groups": 0,
+ "cs3_org_sciencemesh_site_total_amount_storage": 0
+}
\ No newline at end of file
diff --git a/examples/sciencemesh/providers.testnet.json b/examples/sciencemesh/providers.testnet.json
new file mode 100644
index 0000000000..1960fdd63c
--- /dev/null
+++ b/examples/sciencemesh/providers.testnet.json
@@ -0,0 +1,34 @@
+[
+ { "domain": "revad1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revad1.docker/ocm/" }, "host": "revad1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://revad1.docker/remote.php/webdav/" }, "host": "revad1.docker" }
+ ] },
+ { "domain": "revad2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revad2.docker/ocm/" }, "host": "revad2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://revad2.docker/remote.php/webdav/" }, "host": "revad2.docker" }
+ ] },
+ { "domain": "revanextcloud1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revanextcloud1.docker/ocm/" }, "host": "revanextcloud1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://nc1.docker/remote.php/webdav/" }, "host": "nextcloud1.docker" }
+ ] },
+ { "domain": "revanextcloud2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revanextcloud2.docker/ocm/" }, "host": "revanextcloud2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://nc2.docker/remote.php/webdav/" }, "host": "nextcloud2.docker" }
+ ] },
+ { "domain": "revaowncloud1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revaowncloud1.docker/ocm/" }, "host": "revaowncloud1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://owncloud1.docker/remote.php/webdav/" }, "host": "owncloud1.docker" }
+ ] },
+ { "domain": "revaowncloud2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revaowncloud2.docker/ocm/" }, "host": "revaowncloud2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://owncloud2.docker/remote.php/dav/" }, "host": "owncloud2.docker" }
+ ] },
+ { "domain": "revacernbox1.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revacernbox1.docker/ocm/" }, "host": "revacernbox1.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://cernbox1.docker/remote.php/dav/" }, "host": "cernbox1.docker" }
+ ] },
+ { "domain": "revacernbox2.docker", "services": [
+ { "endpoint": { "type": { "name": "OCM" }, "path": "https://revacernbox2.docker/ocm/" }, "host": "revacernbox2.docker" },
+ { "endpoint": { "type": { "name": "Webdav" }, "path": "https://cernbox2.docker/remote.php/dav/" }, "host": "cernbox2.docker" }
+ ] }
+]
diff --git a/examples/sciencemesh/sciencemesh-apps.toml b/examples/sciencemesh/sciencemesh-apps.toml
new file mode 100644
index 0000000000..00bef3e888
--- /dev/null
+++ b/examples/sciencemesh/sciencemesh-apps.toml
@@ -0,0 +1,49 @@
+## Example configuration for the ScienceMesh app in ownCloud 10 / Nextcloud - Apps support
+#
+## This configuration file is to be used to enable Apps support in ScienceMesh.
+## To contextualize this configuration for your deployment, please follow these steps:
+#
+# 1. In the [vars] section below, replace `your.revad.org` with your actual domain
+# 2. Populate `wopi_endpoint` with your wopiserver endpoint
+# 3. Define a shared secret, and match it with the secret defined in the wopiserver
+
+
+[vars]
+internal_gateway = "your.revad.org"
+provider_domain = "your.revad.org"
+wopi_endpoint = "http://your.wopi.org:8880"
+wopi_shared_secret = "shared-secret-2"
+
+[log]
+level = "debug"
+
+[shared]
+gatewaysvc = "{{ vars.provider_domain }}:19000"
+
+[[grpc.services.appprovider]]
+driver = "wopi"
+custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+mime_types = ["application/vnd.oasis.opendocument.text", "application/vnd.oasis.opendocument.spreadsheet", "application/vnd.oasis.opendocument.presentation", "text/rtf"]
+app_provider_url = "{{ grpc.services.appprovider[0].address }}"
+language = "en-GB"
+
+[grpc.services.appprovider.drivers.wopi]
+iop_secret = "{{ vars.wopi_shared_secret }}"
+wopi_url = "{{ vars.wopi_endpoint }}"
+app_name = "Collabora"
+app_url = "http://collabora.docker:9980"
+app_int_url = "http://collabora.docker:9980"
+
+
+ # [[grpc.services.appprovider]]
+ # driver = "wopi"
+ # custom_mime_types_json = "/etc/revad/custom-mime-types-demo.json"
+ # mime_types = ["text/markdown", "application/compressed-markdown", "text/plain"]
+ # app_provider_url = "{{ grpc.services.appprovider[1].address }}"
+ #
+ # [grpc.services.appprovider.drivers.wopi]
+ # iop_secret = "{{ vars.wopi_shared_secret }}"
+ # wopi_url = "{{ vars.wopi_endpoint }}"
+ # app_name = "CodiMD"
+ # app_url = "https://codimd.docker"
+ # app_int_url = "https://codimd.docker"
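Review bot: `wopi_endpoint = "http://your.wopi.org:8880"`, `app_url` and `app_int_url` are plain `http://` URLs, and the requests reva exchanges with the wopiserver carry the WOPI access token, so outside the docker test network step 2 of the header should tell the reader to use an `https://` endpoint. A comment above `wopi_endpoint` such as `# use https:// outside the test network: WOPI access tokens travel in these requests` would make that explicit, and the same applies to the two Collabora URLs. The commented-out second `[[grpc.services.appprovider]]` block references `{{ grpc.services.appprovider[1].address }}`, which only resolves when it is uncommented together with its `[grpc.services.appprovider.drivers.wopi]` sub-table; a one-line `# uncomment both the [[...]] entry and its drivers.wopi sub-table together` above it would save a confusing failure.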
diff --git a/examples/sciencemesh/sciencemesh.toml b/examples/sciencemesh/sciencemesh.toml
new file mode 100644
index 0000000000..c39ee95d6a
--- /dev/null
+++ b/examples/sciencemesh/sciencemesh.toml
@@ -0,0 +1,290 @@
+## Example configuration for the ScienceMesh app in ownCloud 10 / Nextcloud
+#
+## To contextualize this configuration for your deployment, please follow these steps:
+#
+# 1. In the [vars] section below, replace `your.revad.org` with your actual domain
+# 2. If you have a Kubernetes deployment with an ingress and a route:
+# 2.1. Set the `external_reva_endpoint` var to your actual externally-visible route to reva
+# 3. Replace `your.efss.org` with the actual endpoint of your EFSS system
+# 4. Define appropriate secrets in the [vars] section: the `efss_shared_secret` must match the `oc_appconfig.configvalue` in your EFSS DB for `oc_appconfig.app_id` = `sciencemesh`
+# 5. Provide appropriate SSL full chain certificate and key files in the [http] section
+#
+# If you want to terminate the SSL connection to reva at your reverse proxy system
+# (e.g. at your Kubernetes ingress), then you can configure reva to use http instead.
+# For that, you need to follow these steps:
+#
+# 1. Remove the `certfile` and `keyfile` entries from the [http] section
+# 2. Replace the https port `443` with a port number of your choice everywhere you find it
+# 3. Look for `data_server_url` and replace the `https://localhost` address as indicated
+
+
+[vars]
+internal_gateway = "your.revad.org"
+provider_domain = "your.revad.org"
+external_reva_endpoint = "https://your.revad.org" # append here any route if applicable
+efss_sciencemesh_endpoint = "https://your.efss.org/index.php/apps/sciencemesh/"
+machine_api_key = "machine-api-key"
+efss_shared_secret = "shared-secret-1"
+
+[http]
+certfile = "/etc/tls/your.revad.ssl.crt"
+keyfile = "/etc/tls/your.revad.ssl.key"
+
+[log]
+level = "debug"
+
+[shared]
+gatewaysvc = "{{ vars.internal_gateway }}:19000"
+
+[grpc.services.gateway]
+address = ":19000"
+authregistrysvc = "{{ grpc.services.authregistry.address }}"
+appregistrysvc = "{{ grpc.services.appregistry.address }}"
+storageregistrysvc = "{{ grpc.services.storageregistry.address }}"
+preferencessvc = "{{ grpc.services.userprovider.address }}"
+userprovidersvc = "{{ grpc.services.userprovider.address }}"
+usershareprovidersvc = "{{ grpc.services.usershareprovider.address }}"
+ocmcoresvc = "{{ grpc.services.ocmcore.address }}"
+ocmshareprovidersvc = "{{ grpc.services.ocmshareprovider.address }}"
+ocminvitemanagersvc = "{{ grpc.services.ocminvitemanager.address }}"
+ocmproviderauthorizersvc = "{{ grpc.services.ocmproviderauthorizer.address }}"
+datagateway = "https://{{ http.services.datagateway.address }}/data"
+
+transfer_expires = 6 # give it a moment
+commit_share_to_storage_grant = true
+commit_share_to_storage_ref = true
+
+
+[grpc.services.appregistry]
+driver = "static"
+
+[grpc.services.appregistry.drivers.static]
+mime_types = [
+ {"mime_type" = "text/plain", "extension" = "txt", "name" = "Text file", "description" = "Text file", "allow_creation" = true},
+ {"mime_type" = "text/markdown", "extension" = "md", "name" = "Markdown file", "description" = "Markdown file", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.text", "extension" = "odt", "name" = "OpenDocument", "description" = "OpenDocument text document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.spreadsheet", "extension" = "ods", "name" = "OpenSpreadsheet", "description" = "OpenDocument spreadsheet document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.oasis.opendocument.presentation", "extension" = "odp", "name" = "OpenPresentation", "description" = "OpenDocument presentation document", "default_app" = "Collabora", "allow_creation" = true},
+ {"mime_type" = "application/vnd.jupyter", "extension" = "ipynb", "name" = "Jupyter Notebook", "description" = "Jupyter Notebook"}
+]
+
+
+### AUTH PROVIDERS ###
+
+[grpc.services.authregistry]
+driver = "static"
+
+[grpc.services.authregistry.drivers.static.rules]
+basic = "{{ grpc.services.authprovider[0].address }}"
+machine = "{{ grpc.services.authprovider[1].address }}"
+ocmshares = "{{ grpc.services.authprovider[2].address }}"
+
+[[grpc.services.authprovider]]
+auth_manager = "nextcloud"
+
+[grpc.services.authprovider.auth_managers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[[grpc.services.authprovider]]
+auth_manager = "machine"
+
+[grpc.services.authprovider.auth_managers.machine]
+api_key = "{{ vars.machine_api_key }}"
+gateway_addr = "{{ vars.internal_gateway }}:19000"
+
+[[grpc.services.authprovider]]
+auth_manager = "ocmshares"
+
+
+### STORAGE PROVIDERS ###
+
+[grpc.services.storageregistry]
+driver = "static"
+
+[grpc.services.storageregistry.drivers.static]
+home_provider = "/home"
+
+[grpc.services.storageregistry.drivers.static.rules]
+"/home" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"nextcloud" = {"address" = "{{ grpc.services.storageprovider[0].address }}"}
+"/ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+"ocm" = {"address" = "{{ grpc.services.storageprovider[1].address }}"}
+
+[[grpc.services.storageprovider]]
+driver = "nextcloud"
+mount_id = "nextcloud"
+expose_data_server = true
+enable_home_creation = false
+# replace https://localhost with http://localhost if reva does not serve https traffic
+data_server_url = "https://localhost:{{ http.services.dataprovider[0].address.port }}/data"
+
+[grpc.services.storageprovider.drivers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[[grpc.services.storageprovider]]
+driver = "ocmoutcoming"
+mount_id = "ocm"
+mount_path = "/ocm"
+expose_data_server = true
+enable_home_creation = false
+data_server_url = "{{ vars.external_reva_endpoint }}/data"
+
+[grpc.services.storageprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+
+### OTHER PROVIDERS ###
+
+[grpc.services.usershareprovider]
+driver = "memory"
+
+[grpc.services.ocmcore]
+driver = "nextcloud"
+
+[grpc.services.ocmcore.drivers.nextcloud]
+host = "{{ vars.external_reva_endpoint }}"
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[grpc.services.ocminvitemanager]
+# TODO the driver should be "nextcloud" once it is implemented
+driver = "json"
+provider_domain = "{{ vars.provider_domain }}"
+
+[grpc.services.ocmshareprovider]
+driver = "nextcloud"
+provider_domain = "{{ vars.provider_domain }}"
+webdav_endpoint = "{{ vars.external_reva_endpoint }}"
+webdav_prefix = "{{ vars.external_reva_endpoint }}/remote.php/dav/files"
+webapp_template = "{{ vars.external_reva_endpoint }}/external/sciencemesh/{{.Token}}/{relative-path-to-shared-resource}"
+
+[grpc.services.ocmshareprovider.drivers.nextcloud]
+webdav_host = "{{ vars.external_reva_endpoint }}"
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+mount_id = "nextcloud"
+
+[grpc.services.ocmproviderauthorizer]
+driver = "mentix"
+
+[grpc.services.ocmproviderauthorizer.drivers.mentix]
+url = "https://iop.sciencemesh.uni-muenster.de/iop/mentix/cs3"
+verify_request_hostname = true
+insecure = false
+timeout = 10
+refresh = 900
+
+[grpc.services.ocmproviderauthorizer.drivers.json]
+# this is used by the docker-based test deployment, not in production
+providers = "/etc/revad/providers.testnet.json"
+verify_request_hostname = true
+
+[grpc.services.userprovider]
+driver = "nextcloud"
+
+[grpc.services.userprovider.drivers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[grpc.services.datatx]
+txdriver = "rclone"
+storagedriver = "json"
+remove_transfer_on_cancel = true
+
+[grpc.services.datatx.txdrivers.rclone]
+# rclone endpoint
+endpoint = "http://rclone.docker"
+# basic auth is used
+auth_user = "rcloneuser"
+auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"
+auth_header = "x-access-token"
+job_status_check_interval = 2000
+job_timeout = 120000
+storagedriver = "json"
+remove_transfer_job_on_cancel = true
+
+[grpc.services.datatx.storagedrivers.json]
+file = ""
+
+[grpc.services.datatx.txdrivers.rclone.storagedrivers.json]
+file = ""
+
+
+### HTTP ENDPOINTS ###
+
+[http.services.appprovider]
+address = ":443"
+insecure = true
+
+[http.services.datagateway]
+address = ":443"
+
+[[http.services.dataprovider]]
+driver = "nextcloud"
+
+[http.services.dataprovider.drivers.nextcloud]
+endpoint = "{{ vars.efss_sciencemesh_endpoint }}"
+shared_secret = "{{ vars.efss_shared_secret }}"
+mock_http = false
+
+[[http.services.dataprovider]]
+address = ":443"
+driver = "ocmoutcoming"
+
+[http.services.dataprovider.drivers.ocmoutcoming]
+machine_secret = "{{ vars.machine_api_key }}"
+
+[http.services.sciencemesh]
+address = ":443"
+provider_domain = "{{ vars.provider_domain }}"
+mesh_directory_url = "https://sciencemesh.cesnet.cz/iop/meshdir"
+ocm_mount_point = "/sciencemesh"
+
+[http.services.sciencemesh.smtp_credentials]
+disable_auth = true
+sender_mail = "sciencemesh@{{ vars.provider_domain }}"
+smtp_server = "smtp.{{ vars.provider_domain }}"
+smtp_port = 25
+
+[http.services.ocmprovider]
+address = ":443"
+ocm_prefix = "ocm"
+provider = "Reva for ownCloud/Nextcloud"
+endpoint = "{{ vars.external_reva_endpoint }}"
+enable_webapp = true
+enable_datatx = true
+
+[http.services.ocm]
+address = ":443"
+prefix = "ocm"
+
+[http.services.ocm.config]
+host = "{{ vars.provider_domain }}"
+
+[http.services.ocs]
+address = ":443"
+prefix = "ocs"
+
+[http.services.ocdav]
+address = ":443"
+
+[http.services.prometheus]
+address = ":443"
+
+[http.services.metrics]
+address = ":443"
+metrics_data_driver_type = "json"
+metrics_data_location = "/etc/revad/metrics.json"
+metrics_record_interval = 5000
+
+[http.services.sysinfo]
+
+[http.middlewares.cors]
+[http.middlewares.log]
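Review bot: `auth_pass = "eilohtho9oTahsuongeeTh7reedahPo1Ohwi3aek"` under `[grpc.services.datatx.txdrivers.rclone]` is a literal credential placed outside `[vars]`, so step 4 of the header ("define appropriate secrets in the [vars] section") does not cover it and a reader who follows the steps ships the example value unchanged. Move it next to `efss_shared_secret` and `machine_api_key` as `rclone_auth_pass = "<rclone-password>"` and reference it with `auth_pass = "{{ vars.rclone_auth_pass }}"`, and add the rclone password to step 4. `insecure = true` under `[http.services.appprovider]` carries no explanation of what it relaxes or why the example needs it, unlike the explicit `insecure = false` in the mentix driver; a short why-comment above it, marked as test-only if that is the case, would let a reader decide whether to keep it.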