From 6cc2a2c58d6f589ab3f0c367d4002fdb044e5d4a Mon Sep 17 00:00:00 2001 
From: Willy Kloucek Date: Wed, 14 Jul 2021 18:07:53 +0200 Subject: [PATCH 1/3] add migration deployment --- .../oc10_ocis_parallel/latest.yml | 52 + deployments/examples/oc10_ocis_parallel/.env | 58 + .../examples/oc10_ocis_parallel/README.md | 6 + .../config/keycloak/clients/android_app.json | 63 + .../keycloak/clients/desktop_client.json | 64 + .../config/keycloak/clients/ios_app.json | 64 + .../config/keycloak/clients/oc10-web.json | 69 + .../config/keycloak/clients/oc10.json | 69 + .../config/keycloak/clients/ocis-web.json | 65 + .../keycloak/docker-entrypoint-override.sh | 12 + .../config/keycloak/owncloud-realm.dist.json | 2204 +++++++++++++++++ .../config/ldap/ldif/10_owncloud_schema.ldif | 10 + .../config/ldap/ldif/20_users.ldif | 68 + .../config/ldap/ldif/30_groups.ldif | 95 + .../config/oc10/10-custom-config.sh | 39 + .../config/oc10/ldap-config.tmpl.json | 53 + .../config/oc10/ldap-sync-cron | 1 + .../config/oc10/oidc.config.php | 23 + .../config/oc10/web-config.tmpl.json | 35 + .../config/oc10/web.config.php | 15 + .../config/ocis/entrypoint-override.sh | 22 + .../config/ocis/proxy-config.dist.json | 93 + .../oc10_ocis_parallel/docker-compose.yml | 342 +++ .../oc10_ocis_parallel/keycloak-export.sh | 13 + .../docker-compose-additions.yml | 12 + docs/ocis/deployment/_index.md | 1 + docs/ocis/deployment/continuous_deployment.md | 18 + docs/ocis/deployment/oc10_ocis_parallel.md | 168 ++ 28 files changed, 3734 insertions(+) create mode 100644 deployments/continuous-deployment-config/oc10_ocis_parallel/latest.yml create mode 100644 deployments/examples/oc10_ocis_parallel/.env create mode 100644 deployments/examples/oc10_ocis_parallel/README.md create mode 100644 deployments/examples/oc10_ocis_parallel/config/keycloak/clients/android_app.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/keycloak/clients/desktop_client.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ios_app.json create mode 100644 
deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10-web.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ocis-web.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/keycloak/docker-entrypoint-override.sh create mode 100644 deployments/examples/oc10_ocis_parallel/config/keycloak/owncloud-realm.dist.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/ldap/ldif/10_owncloud_schema.ldif create mode 100644 deployments/examples/oc10_ocis_parallel/config/ldap/ldif/20_users.ldif create mode 100644 deployments/examples/oc10_ocis_parallel/config/ldap/ldif/30_groups.ldif create mode 100755 deployments/examples/oc10_ocis_parallel/config/oc10/10-custom-config.sh create mode 100755 deployments/examples/oc10_ocis_parallel/config/oc10/ldap-config.tmpl.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/oc10/ldap-sync-cron create mode 100644 deployments/examples/oc10_ocis_parallel/config/oc10/oidc.config.php create mode 100644 deployments/examples/oc10_ocis_parallel/config/oc10/web-config.tmpl.json create mode 100644 deployments/examples/oc10_ocis_parallel/config/oc10/web.config.php create mode 100755 deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh create mode 100644 deployments/examples/oc10_ocis_parallel/config/ocis/proxy-config.dist.json create mode 100644 deployments/examples/oc10_ocis_parallel/docker-compose.yml create mode 100644 deployments/examples/oc10_ocis_parallel/keycloak-export.sh create mode 100644 deployments/examples/oc10_ocis_parallel/monitoring_tracing/docker-compose-additions.yml create mode 100644 docs/ocis/deployment/oc10_ocis_parallel.md 
diff --git a/deployments/continuous-deployment-config/oc10_ocis_parallel/latest.yml b/deployments/continuous-deployment-config/oc10_ocis_parallel/latest.yml
new file mode 100644
index 00000000000..85bb9cd4017
--- /dev/null
+++ b/deployments/continuous-deployment-config/oc10_ocis_parallel/latest.yml
@@ -0,0 +1,52 @@
+---
+- name: continuous-deployment-oc10-ocis-parallel
+ server:
+ server_type: cx21
+ image: ubuntu-20.04
+ location: nbg1
+ initial_ssh_key_names:
+ - owncloud-ocis@drone.owncloud.com
+ labels:
+ owner: wkloucek
+ for: oCIS-continuous-deployment-examples
+ rebuild: $REBUILD
+ rebuild_carry_paths:
+ - /var/lib/docker/volumes/ocis_certs
+
+ domains:
+ - "*.oc10-ocis-parallel.latest.owncloud.works"
+
+ vars:
+ ssh_authorized_keys:
+ - https://github.com/butonic.keys
+ - https://github.com/C0rby.keys
+ - https://github.com/fschade.keys
+ - https://github.com/kulmann.keys
+ - https://github.com/micbar.keys
+ - https://github.com/pascalwengerter.keys
+ - https://github.com/paulcod3.keys
+ - https://github.com/refs.keys
+ - https://github.com/wkloucek.keys
+ docker_compose_projects:
+ - name: ocis
+ git_url: https://github.com/owncloud/ocis.git
+ ref: master
+ docker_compose_path: deployments/examples/oc10_ocis_parallel
+ env:
+ INSECURE: "false"
+ TRAEFIK_ACME_MAIL: wkloucek@owncloud.com
+ OCIS_DOCKER_TAG: latest
+ CLOUD_DOMAIN: cloud.oc10-ocis-parallel.latest.owncloud.works
+ KEYCLOAK_DOMAIN: keycloak.oc10-ocis-parallel.latest.owncloud.works
+ LDAP_MANAGER_DOMAIN: ldap.oc10-ocis-parallel.latest.owncloud.works
+ COMPOSE_FILE: docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
+ - name: monitoring
+ git_url: https://github.com/owncloud-devops/monitoring-tracing-client.git
+ ref: master
+ env:
+ NETWORK_NAME: ocis-net
+ TELEMETRY_SERVE_DOMAIN: telemetry.oc10-ocis-parallel.latest.owncloud.works
+ JAEGER_COLLECTOR: jaeger-collector.infra.owncloud.works:443
+ TELEGRAF_SPECIFIC_CONFIG: ocis_single_container
+ OCIS_URL: cloud.oc10-ocis-parallel.latest.owncloud.works
+ OCIS_DEPLOYMENT_ID: continuous-deployment-oc10-ocis-parallel-latest
diff --git a/deployments/examples/oc10_ocis_parallel/.env b/deployments/examples/oc10_ocis_parallel/.env
new file mode 100644
index 00000000000..f7a43e3a456
--- /dev/null
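Review bot: The `env` block of the `ocis` project sets `INSECURE: "false"` and public `*.oc10-ocis-parallel.latest.owncloud.works` domains but overrides none of the secrets, so this internet-facing host will run with the example defaults for `OCIS_JWT_SECRET`, `STORAGE_TRANSFER_SECRET`, `OC10_OIDC_CLIENT_SECRET`, `LDAP_ADMIN_PASSWORD`, `KEYCLOAK_ADMIN_PASSWORD` and the Traefik dashboard's `TRAEFIK_BASIC_AUTH_USERS` (their defaults are spelled out in the `.env` added by this same commit). The file already substitutes `$REBUILD` from the pipeline, so the same mechanism can presumably inject these values, e.g. `OCIS_JWT_SECRET: $OCIS_JWT_SECRET` (constructed example), rather than leaving them at the documented defaults. If the pipeline cannot supply them, a comment stating that this instance runs with example credentials would at least make the exposure explicit to whoever reuses the config.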
+++ b/deployments/examples/oc10_ocis_parallel/.env 
@@ -0,0 +1,58 @@
+# If you're on a internet facing server please comment out following line.
+# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
+INSECURE=true
+
+### Traefik settings ###
+TRAEFIK_LOG_LEVEL=
+# Serve Treafik dashboard. Defaults to "false".
+TRAEFIK_DASHBOARD=
+# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test"
+TRAEFIK_DOMAIN=
+# Basic authentication for the dashboard. Defaults to user "admin" and password "admin"
+TRAEFIK_BASIC_AUTH_USERS=
+# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server
+TRAEFIK_ACME_MAIL=
+
+### shared oCIS / oC10 settings ###
+# Domain of oCIS / oC10, where you can find the frontend. Defaults to "cloud.owncloud.test"
+CLOUD_DOMAIN=
+
+### oCIS settings ###
+# oCIS version. Defaults to "latest"
+OCIS_DOCKER_TAG=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+STORAGE_TRANSFER_SECRET=
+
+### oCIS settings ###
+# oC10 version. Defaults to "latest"
+OC10_DOCKER_TAG=
+# client secret which the openidconnect app uses to authenticate to Keycloak. Defaults to "oc10-oidc-secret"
+OC10_OIDC_CLIENT_SECRET=
+# app which will be shown when opening the ownCloud 10 UI. Defaults to "files" but also could be set to "web"
+OWNCLOUD_DEFAULT_APP=
+# if set to "false" (default) links will be opened in the classic UI, if set to "true" ownCloud Web is used
+OWNCLOUD_WEB_REWRITE_LINKS=
+
+### LDAP settings ###
+# password for the LDAP admin user "cn=admin,dc=owncloud,dc=com", defaults to "admin"
+LDAP_ADMIN_PASSWORD=
+# Domain of the LDAP management frontend. Defaults to "ldap.owncloud.test"
+LDAP_MANAGER_DOMAIN=
+
+### Keycloak ###
+# Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
+KEYCLOAK_DOMAIN=
+# Realm which to be used with oCIS. Defaults to "oCIS"
+KEYCLOAK_REALM=
+# Admin user login name. Defaults to "admin"
+KEYCLOAK_ADMIN_USER=
+# Admin user login password. Defaults to "admin"
+KEYCLOAK_ADMIN_PASSWORD=
+
+
+# If you want to use debugging and tracing with this stack,
+# you need uncomment following line. Please see documentation at
+# https://owncloud.dev/ocis/deployment/monitoring-tracing/
+#COMPOSE_FILE=docker-compose.yml:monitoring_tracing/docker-compose-additions.yml
diff --git a/deployments/examples/oc10_ocis_parallel/README.md b/deployments/examples/oc10_ocis_parallel/README.md
new file mode 100644
index 00000000000..32b7d508153
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/README.md
@@ -0,0 +1,6 @@
+---
+document this deployment example in docs/ocis/deployment/oc10_ocis_parallel.md
+---
+
+Please refer to [our documentation](https://owncloud.dev/ocis/deployment/oc10_ocis_parallel/)
+for instructions on how to deploy this scenario.
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/android_app.json b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/android_app.json
new file mode 100644
index 00000000000..9e13b0763fa
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/android_app.json
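Review bot: The section heading above `OC10_DOCKER_TAG` reads `### oCIS settings ###` a second time, which is a copy-paste slip; it should be `### oC10 settings ###` to match the `OC10_*` and `OWNCLOUD_*` variables under it. The `KEYCLOAK_REALM` comment states the default is "oCIS", while the realm export added in this commit names the realm `owncloud` — the compose file that consumes both is outside this view, so please confirm which value the stack actually expects. Minor wording: `Treafik` → `Traefik`, `managment` → `management`, "a internet facing" → "an internet facing".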
@@ -0,0 +1,63 @@
+{
+ "clientId": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
+ "name": "ownCloud Android app",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret" : "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
+ "redirectUris": [
+ "oc://android.owncloud.com"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "profile",
+ "roles",
+ "owncloud",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
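Review bot: `directAccessGrantsEnabled` is `true` although this is a native app on the authorization-code flow (`standardFlowEnabled: true`); that switch enables the OAuth2 password grant, which hands raw user passwords to the client and sidesteps any browser-side authentication policy the realm may later add. Unless the legacy password grant is genuinely required, set `"directAccessGrantsEnabled": false`; the same flag is set in desktop_client.json, ios_app.json and oc10.json in this commit. `fullScopeAllowed: true` likewise maps every realm role into the token, which the explicit scope list (`owncloud`, `profile`, `email`, …) suggests is not needed. Note also that a `secret` presumably shipped inside a distributed mobile or desktop binary is not confidential, so `publicClient: false` should not be relied on as an authentication factor for these three app clients.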
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/desktop_client.json b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/desktop_client.json
new file mode 100644
index 00000000000..5094e22baa5
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/desktop_client.json
@@ -0,0 +1,64 @@
+{
+ "clientId": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+ "name": "ownCloud desktop client",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret" : "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
+ "redirectUris": [
+ "http://127.0.0.1:*",
+ "http://localhost:*"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "profile",
+ "roles",
+ "owncloud",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ios_app.json b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ios_app.json
new file mode 100644
index 00000000000..50991c9a47d
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ios_app.json
@@ -0,0 +1,64 @@
+{
+ "clientId": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
+ "name": "ownCloud iOS app",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "secret" : "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
+ "redirectUris": [
+ "oc://ios.owncloud.com",
+ "oc.ios://ios.owncloud.com"
+ ],
+ "webOrigins": [],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "profile",
+ "roles",
+ "owncloud",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10-web.json b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10-web.json
new file mode 100644
index 00000000000..3520f87d551
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10-web.json
@@ -0,0 +1,69 @@
+{
+ "clientId": "oc10-web",
+ "rootUrl": "https://cloud.owncloud.test",
+ "adminUrl": "https://cloud.owncloud.test",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "https://cloud.owncloud.test/*"
+ ],
+ "webOrigins": [
+ "https://cloud.owncloud.test"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "id.token.as.detached.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "exclude.session.state.from.auth.response": "false",
+ "oidc.ciba.grant.enabled": "false",
+ "saml.artifact.binding": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "profile",
+ "roles",
+ "owncloud",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
\ No newline at end of file
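Review bot: This is a public browser client (`publicClient: true`) on the authorization-code flow, yet `attributes` carries no `pkce.code.challenge.method`, so PKCE is not enforced and an authorization code that leaks (referrer, logs, history) can be redeemed without any client secret; add `"pkce.code.challenge.method": "S256"` to `attributes` (ocis-web.json in this commit has the same gap). The redirect URI `https://cloud.owncloud.test/*` accepts every path on the host; narrowing it to the concrete callback path(s) the web frontend actually uses limits where a code can be delivered. `directAccessGrantsEnabled: true` on a public client additionally allows the password grant with no client authentication at all and should be `false` unless something in the stack requires it.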
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10.json b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10.json
new file mode 100644
index 00000000000..6b5d441bb99
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/oc10.json
@@ -0,0 +1,69 @@
+{
+ "clientId": "oc10",
+ "rootUrl": "https://cloud.owncloud.test",
+ "adminUrl": "https://cloud.owncloud.test",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "https://cloud.owncloud.test/*"
+ ],
+ "webOrigins": [
+ "https://cloud.owncloud.test"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "id.token.as.detached.signature": "false",
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "use.refresh.tokens": "true",
+ "exclude.session.state.from.auth.response": "false",
+ "oidc.ciba.grant.enabled": "false",
+ "saml.artifact.binding": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "profile",
+ "roles",
+ "owncloud",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
\ No newline at end of file
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ocis-web.json b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ocis-web.json
new file mode 100644
index 00000000000..0e6ea758d41
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/clients/ocis-web.json
@@ -0,0 +1,65 @@
+{
+ "clientId": "ocis-web",
+ "rootUrl": "https://cloud.owncloud.test",
+ "adminUrl": "https://cloud.owncloud.test",
+ "baseUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "https://cloud.owncloud.test/*"
+ ],
+ "webOrigins": [
+ "https://cloud.owncloud.test"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "backchannel.logout.revoke.offline.tokens": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "backchannel.logout.session.required": "true",
+ "client_credentials.use_refresh_token": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "profile",
+ "roles",
+ "owncloud",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
\ No newline at end of file
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/docker-entrypoint-override.sh b/deployments/examples/oc10_ocis_parallel/config/keycloak/docker-entrypoint-override.sh
new file mode 100644
index 00000000000..a892bccb703
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/docker-entrypoint-override.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+printenv
+# replace owncloud domain in keycloak realm import
+cp /opt/jboss/keycloak/owncloud-realm.dist.json /opt/jboss/keycloak/owncloud-realm.json
+sed -i "s/cloud.owncloud.test/${CLOUD_DOMAIN}/g" /opt/jboss/keycloak/owncloud-realm.json
+sed -i "s/oc10-oidc-secret/${OC10_OIDC_CLIENT_SECRET}/g" /opt/jboss/keycloak/owncloud-realm.json
+sed -i "s/ldap-bind-credential/${LDAP_ADMIN_PASSWORD}/g" /opt/jboss/keycloak/owncloud-realm.json
+
+
+
+# run original docker-entrypoint
+/opt/jboss/tools/docker-entrypoint.sh
diff --git a/deployments/examples/oc10_ocis_parallel/config/keycloak/owncloud-realm.dist.json b/deployments/examples/oc10_ocis_parallel/config/keycloak/owncloud-realm.dist.json
new file mode 100644
index 00000000000..608b58bb3cd
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/keycloak/owncloud-realm.dist.json
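Review bot: `printenv` on the second line dumps the whole container environment — including `OC10_OIDC_CLIENT_SECRET`, `LDAP_ADMIN_PASSWORD` and whatever Keycloak admin credentials are passed in — to the container log on every start, so the line should be dropped or restricted to the non-secret variables the script actually needs. The three `sed` calls splice `${CLOUD_DOMAIN}`, `${OC10_OIDC_CLIENT_SECRET}` and `${LDAP_ADMIN_PASSWORD}` unescaped into an `s/…/…/g` expression, so a value containing `/`, `&` or `\` either breaks the command or lands in the realm file altered (and the unescaped dots in `cloud.owncloud.test` match any character); escape the values or use a delimiter that cannot occur in them. With no `set -e`, a failed `cp` or `sed` still falls through to the real entrypoint with a stale or partially substituted realm file, and the last line should be `exec /opt/jboss/tools/docker-entrypoint.sh "$@"` so Keycloak receives the container's signals and arguments. The file is added with mode 100644 whereas `10-custom-config.sh` in the same commit is 100755; if the compose file (not in view) points `entrypoint:` at this script directly it needs the exec bit.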
@@ -0,0 +1,2204 @@ +{ + "id" : "owncloud", + "realm" : "owncloud", + "displayName" : "ownCloud", + "notBefore" : 0, + "defaultSignatureAlgorithm" : "RS256", + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 300, + "accessTokenLifespanForImplicitFlow" : 900, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "clientSessionIdleTimeout" : 0, + "clientSessionMaxLifespan" : 0, + "clientOfflineSessionIdleTimeout" : 0, + "clientOfflineSessionMaxLifespan" : 0, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "oauth2DeviceCodeLifespan" : 600, + "oauth2DevicePollingInterval" : 5, + "enabled" : true, + "sslRequired" : "external", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "2d576514-4aae-46aa-9d9c-075f55f4d988", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "owncloud", + "attributes" : { } + }, { + "id" : "cec7efb8-43d8-48ec-b1a4-c6956bc11ba3", + "name" : "default-roles-ocis", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { 
+ "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "account" : [ "manage-account", "view-profile" ] + } + }, + "clientRole" : false, + "containerId" : "owncloud", + "attributes" : { } + }, { + "id" : "e2145b30-bf6f-49fb-af3f-1b40168bfcef", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "owncloud", + "attributes" : { } + } ], + "client" : { + "oc10" : [ ], + "_system" : [ ], + "realm-management" : [ { + "id" : "979ce053-a671-4b50-81d5-da4bdf7404c9", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "4bec4791-e888-4dac-bc95-71720d5981b9", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "955b4406-b04f-432d-a61a-571675874341", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "baa219af-2773-4d59-b06b-485f10fbbab3", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "f280bc03-d079-478d-be06-3590580b25e9", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "db698163-84ad-46c9-958f-bb5f80ae78b5", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : 
false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "36c04d89-abf7-4a2c-a808-8efa9aca1435", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "06eae953-11d5-4344-b089-ffce1e68d5d8", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "afe8aa78-2f06-43a5-8c99-cf68a1f5a86a", + "name" : "realm-admin", + "description" : "${role_realm-admin}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "view-clients", "query-users", "manage-authorization", "view-events", "manage-users", "query-clients", "manage-clients", "query-realms", "impersonation", "manage-realm", "manage-identity-providers", "view-authorization", "create-client", "query-groups", "view-users", "view-realm", "view-identity-providers", "manage-events" ] + } + }, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "22ee128a-b28e-4c6a-aa8e-ad4136d74e1b", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "89d4f119-7f87-44d9-8eef-d207304de778", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "ebffeff4-6794-4003-a2ab-a79eff7d1baa", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : 
"7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "2361a7ff-d2b3-43f5-b360-ad0e44fba65c", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "f7bf6d7a-a861-49c6-8f6f-225c18d0a03a", + "name" : "create-client", + "description" : "${role_create-client}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "34ccce1c-5a7e-4268-8836-2276545be900", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "430f7831-8f22-4518-bd15-2998eae45a51", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-groups", "query-users" ] + } + }, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "371a31e6-4494-4b74-b3ea-d030663423ed", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "e875775b-7a3e-4a5d-9e4e-376351b78626", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + }, { + "id" : "3dce7929-ee1f-40cd-9be1-7addcae92cef", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "attributes" : { } + } ], + "ocis-web" : [ ], + "security-admin-console" : [ 
], + "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD" : [ ], + "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1" : [ ], + "account-console" : [ ], + "broker" : [ { + "id" : "81fad68a-8dd8-4d79-9a8f-206a82460145", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "002faf0a-716c-4230-81c7-ce22d1eb832c", + "attributes" : { } + } ], + "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69" : [ ], + "admin-cli" : [ ], + "oc10-web" : [ ], + "account" : [ { + "id" : "c49a49da-8ad0-44cb-b518-6d7d72cbe494", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "9850adad-7910-4b67-a790-da6444361618", + "attributes" : { } + }, { + "id" : "9dc2244e-b8a7-44f1-b173-d2b929fedcca", + "name" : "view-consent", + "description" : "${role_view-consent}", + "composite" : false, + "clientRole" : true, + "containerId" : "9850adad-7910-4b67-a790-da6444361618", + "attributes" : { } + }, { + "id" : "ce115327-99c9-44d4-ba7d-820397dc11e6", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "9850adad-7910-4b67-a790-da6444361618", + "attributes" : { } + }, { + "id" : "8c45ca71-32aa-4547-932d-412da5e371ed", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "9850adad-7910-4b67-a790-da6444361618", + "attributes" : { } + }, { + "id" : "cbeecf6d-9af8-4746-877b-74800a894c35", + "name" : "view-applications", + "description" : "${role_view-applications}", + "composite" : false, + "clientRole" : true, + "containerId" : "9850adad-7910-4b67-a790-da6444361618", + "attributes" : { } + }, { + "id" : "ea798f64-b5f8-417f-9fe0-d3cd9172884f", + 
"name" : "delete-account", + "description" : "${role_delete-account}", + "composite" : false, + "clientRole" : true, + "containerId" : "9850adad-7910-4b67-a790-da6444361618", + "attributes" : { } + }, { + "id" : "e73aaf6d-e67b-491a-9cc3-78c32c82b42c", + "name" : "manage-consent", + "description" : "${role_manage-consent}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "view-consent" ] + } + }, + "clientRole" : true, + "containerId" : "9850adad-7910-4b67-a790-da6444361618", + "attributes" : { } + } ] + } + }, + "groups" : [ ], + "defaultRole" : { + "id" : "cec7efb8-43d8-48ec-b1a4-c6956bc11ba3", + "name" : "default-roles-ocis", + "description" : "${role_default-roles}", + "composite" : true, + "clientRole" : false, + "containerId" : "owncloud" + }, + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], + "webAuthnPolicyRpEntityName" : "keycloak", + "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyRpId" : "", + "webAuthnPolicyAttestationConveyancePreference" : "not specified", + "webAuthnPolicyAuthenticatorAttachment" : "not specified", + "webAuthnPolicyRequireResidentKey" : "not specified", + "webAuthnPolicyUserVerificationRequirement" : "not specified", + "webAuthnPolicyCreateTimeout" : 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyAcceptableAaguids" : [ ], + "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyPasswordlessRpId" : "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", + 
"webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", + "webAuthnPolicyPasswordlessCreateTimeout" : 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], + "users" : [], + "clientScopeMappings" : { + "account" : [ { + "client" : "account-console", + "roles" : [ "manage-account" ] + } ] + }, + "clients" : [ { + "id" : "294b6cf4-b646-4f6c-bab2-616546ec3167", + "clientId" : "_system", + "name" : "_system", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "bde4651e-faf6-4390-b58e-3e9e8e623d57", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "9850adad-7910-4b67-a790-da6444361618", + "clientId" : "account", + "name" : "${client_account}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/owncloud/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "1f414d17-2751-4fde-af10-a7c2deb3261f", + "redirectUris" : [ "/realms/owncloud/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : 
false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ ], + "optionalClientScopes" : [ ] + }, { + "id" : "55bb4cdc-045b-422a-8830-61245949d6aa", + "clientId" : "account-console", + "name" : "${client_account-console}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/owncloud/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "f63c75e2-0902-4722-acd8-6a9e870be610", + "redirectUris" : [ "/realms/owncloud/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "9bf413ed-402f-438d-a72c-033f3c45dab2", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + } ], + "defaultClientScopes" : [ ], + "optionalClientScopes" : [ ] + }, { + "id" : "2969b8ff-2ab3-4907-aaa7-091a7a627ccb", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "27a24954-b795-426e-ada4-96b1d5140997", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" 
: false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ ], + "optionalClientScopes" : [ ] + }, { + "id" : "002faf0a-716c-4230-81c7-ce22d1eb832c", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "d989c5d2-0d2c-4284-a761-62c9228dbc31", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ ], + "optionalClientScopes" : [ ] + }, { + "id" : "c8367556-1d13-4979-b4f6-5e2cff1f82ae", + "clientId" : "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD", + "name" : "ownCloud Android app", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD", + "redirectUris" : [ "oc://android.owncloud.com" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : 
"openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "exclude.session.state.from.auth.response" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "owncloud", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "6ae0e3da-38ff-47a4-a76e-b59eec0a2de9", + "clientId" : "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1", + "name" : "ownCloud iOS app", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx", + "redirectUris" : [ "oc://ios.owncloud.com", "oc.ios://ios.owncloud.com" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + 
"backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "exclude.session.state.from.auth.response" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "owncloud", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "d7a10629-dba5-4fdb-8da6-3e6e88cc297b", + "clientId" : "oc10", + "rootUrl" : "https://cloud.owncloud.test", + "adminUrl" : "https://cloud.owncloud.test", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "oc10-oidc-secret", + "redirectUris" : [ "https://cloud.owncloud.test/*" ], + "webOrigins" : [ "https://cloud.owncloud.test" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "id.token.as.detached.signature" : "false", + "saml.multivalued.roles" : "false", + "saml.force.post.binding" : "false", + "saml.encrypt" : "false", + "oauth2.device.authorization.grant.enabled" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", 
+ "use.refresh.tokens" : "true", + "exclude.session.state.from.auth.response" : "false", + "oidc.ciba.grant.enabled" : "false", + "saml.artifact.binding" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "owncloud", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "c43eb0d3-c0e2-4af4-b45d-16aabddc1e44", + "clientId" : "oc10-web", + "rootUrl" : "https://cloud.owncloud.test", + "adminUrl" : "https://cloud.owncloud.test", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "https://cloud.owncloud.test/*" ], + "webOrigins" : [ "https://cloud.owncloud.test" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "id.token.as.detached.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + "oauth2.device.authorization.grant.enabled" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "use.refresh.tokens" : "true", + 
"exclude.session.state.from.auth.response" : "false", + "oidc.ciba.grant.enabled" : "false", + "saml.artifact.binding" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "owncloud", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "54b18eca-cf79-4263-9db9-2d79f8a1c831", + "clientId" : "ocis-web", + "rootUrl" : "https://cloud.owncloud.test", + "adminUrl" : "https://cloud.owncloud.test", + "baseUrl" : "", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "9cbeb996-67a8-4ade-a86a-d2b2f3bc2568", + "redirectUris" : [ "https://cloud.owncloud.test/*" ], + "webOrigins" : [ "https://cloud.owncloud.test" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "exclude.session.state.from.auth.response" : "false", + "backchannel.logout.session.required" : "true", + 
"client_credentials.use_refresh_token" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "owncloud", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "7848ee94-cc9b-40db-946f-a86ac73dc9b7", + "clientId" : "realm-management", + "name" : "${client_realm-management}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "81a35a01-a005-4a8b-9ebc-4b0f4b874731", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ ], + "optionalClientScopes" : [ ] + }, { + "id" : "97264f49-a8c1-4585-99b6-e706339c62f8", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", + "rootUrl" : "${authAdminUrl}", + "baseUrl" : "/admin/owncloud/console/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "27ccdbd6-c1de-4f13-90f3-0461132f467d", + "redirectUris" : [ "/admin/owncloud/console/*" ], + "webOrigins" : [ "+" ], + "notBefore" : 0, + "bearerOnly" : false, + 
"consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "96092024-21dd-4d31-a004-2c5b96031da3", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ ], + "optionalClientScopes" : [ ] + }, { + "id" : "fc7d8a8e-cb92-4cb0-b404-d723c07d8d4f", + "clientId" : "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", + "name" : "ownCloud desktop client", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh", + "redirectUris" : [ "http://127.0.0.1:*", "http://localhost:*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature" : "false", + 
"saml.server.signature.keyinfo.ext" : "false", + "exclude.session.state.from.auth.response" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "defaultClientScopes" : [ "web-origins", "profile", "roles", "owncloud", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "258e56a8-1eeb-49ea-957b-aff8df4656ba", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "068bcfb6-4a17-4c20-b083-ae542a7f76c8", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "c00d6c21-2fd1-435f-9ee9-87e011048cbe", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "b3e1e47e-3912-4b55-ba89-b0198e767682", + "name" : 
"address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "876baab9-39d1-4845-abb4-561a58aa152d", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "9cae7ced-e7d9-4f7b-8e54-7402125f6ead", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + "consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } + }, { + "id" : "8eb1f69b-b941-4185-bca1-f916953f7cf5", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "fb587847-806f-4443-bab0-501efc0f0b46", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + }, { + "id" : "947da1ff-f614-48fc-9ecb-c98cbcfd3390", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + 
"consent.screen.text" : "${profileScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "46fec552-2f92-408a-84cf-ba98bf8e35fd", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + }, { + "id" : "c7ed5458-4d32-423e-8ea1-d112c45045d4", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + }, { + "id" : "e18d1ce4-3969-4ec1-9941-a27fd7555245", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + }, { + "id" : "dab85a5e-9af8-4fcd-88e4-9d3ae50dd5b6", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "7484f47e-3bb1-48d0-ba64-e8330dcefe6e", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : 
"true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "fcd00995-9693-4803-8f41-c84044be83ed", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + }, { + "id" : "f09e7268-5284-449b-849b-cf8225523584", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "0317f4b3-3f7b-47ab-88d3-5d6f604d944d", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "db81244c-e739-461b-8822-52ceaa11bdf4", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "String" + } + }, { + "id" : "c6a16bf9-9370-4dff-a718-be53131bb238", + "name" : "gender", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + 
"jsonType.label" : "String" + } + }, { + "id" : "32d76647-b542-484c-9062-edc34eb350e0", + "name" : "birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "ac6530db-6463-446b-99da-32d5298b5fa0", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "ed10983b-8700-415e-933e-226ce3f397a6", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "8205ccd0-1266-4060-b5df-3a6eb229d91e", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "79713daf-89ca-4ed4-ad97-a88b13ee9a18", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + 
"protocolMappers" : [ { + "id" : "b5f4f5ed-1008-42ba-8b3b-7d8851a2a680", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + }, { + "id" : "08a246f1-2b4c-4def-af5c-aefc31b4820d", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + } ] + }, { + "id" : "0c72b80b-28d5-48d8-b593-c99030aab58d", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${rolesScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "bc7f015e-329f-4e99-be6b-72382f4310c7", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "215f645f-ad0b-4523-9ece-f09f69ead5c4", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + }, { + "id" : "4a10b958-d34d-413a-b349-1415d02cdcde", + "name" : "realm roles", + "protocol" : "openid-connect", + "protocolMapper" : 
"oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + } ] + }, { + "id" : "6f3b9b42-acdd-4abf-93ef-d82dfe347374", + "name" : "owncloud", + "description" : "ownCloud scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "a4998f18-cb81-43fe-9467-4e513fcca673", + "name" : "ownCloudSelector", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "ownCloudSelector", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "ocis\\.routing\\.policy", + "jsonType.label" : "String" + } + }, { + "id" : "702101f3-c85f-45d9-8b03-ec5db0caecc7", + "name" : "owncloudUUID", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "multivalued" : "false", + "user.attribute" : "owncloudUUID", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "ocis\\.user\\.uuid", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "5ce87358-3bca-4874-a6f0-6dccae6209a8", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "bbd23c51-918d-4ea6-9ac0-db68b512fb0a", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] + }, { + 
"id" : "bdb3e320-76c8-4ad7-9d0f-a08efc060101", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "1d08316c-493b-42ab-afa3-66f621860661", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + }, { + "id" : "52061d2d-7a41-4f1d-ba1b-3c4a53e739e4", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + } ] + } ], + "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins" ], + "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], + "browserSecurityHeaders" : { + "contentSecurityPolicyReportOnly" : "", + "xContentTypeOptions" : "nosniff", + "xRobotsTag" : "none", + "xFrameOptions" : "SAMEORIGIN", + "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection" : "1; mode=block", + "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + "smtpServer" : { }, + "eventsEnabled" : false, + "eventsListeners" : [ "jboss-logging" ], + "enabledEventTypes" : [ ], + "adminEventsEnabled" : false, + "adminEventsDetailsEnabled" : false, + "identityProviders" : [ ], + "identityProviderMappers" : [ ], + "components" : { + 
"org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { + "id" : "4682fe74-f3a9-445a-a7ab-557fb532fe6b", + "name" : "Consent Required", + "providerId" : "consent-required", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "c46009e5-c8b5-4051-bf7f-7b1481a9aa86", + "name" : "Max Clients Limit", + "providerId" : "max-clients", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "max-clients" : [ "200" ] + } + }, { + "id" : "43edf979-28d2-46c8-9f93-48b3de185570", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper" ] + } + }, { + "id" : "6fc7d765-7da8-4985-ba0b-e83827b04bd3", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "5a9aef85-98a6-4e90-b30f-8aa715e1f5e6", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "saml-user-property-mapper" ] + } + }, { + "id" : "e3eadb04-8862-4567-869c-a76485268159", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : 
"c788e6bf-2f57-4a82-b32e-ac8d48a4f676", + "name" : "Full Scope Disabled", + "providerId" : "scope", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + } ], + "org.keycloak.storage.UserStorageProvider" : [ { + "id" : "8eeefe7e-b558-4175-ac32-0f39420e0297", + "name" : "openldap", + "providerId" : "ldap", + "subComponents" : { + "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" : [ { + "id" : "bab3b411-f302-4904-a0b2-49a7bea51336", + "name" : "username", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "uid" ], + "is.mandatory.in.ldap" : [ "true" ], + "always.read.value.from.ldap" : [ "false" ], + "read.only" : [ "true" ], + "user.model.attribute" : [ "username" ] + } + }, { + "id" : "2dcf821f-6ea8-4cf4-922a-555f73b00861", + "name" : "creation date", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "createTimestamp" ], + "is.mandatory.in.ldap" : [ "false" ], + "read.only" : [ "true" ], + "always.read.value.from.ldap" : [ "true" ], + "user.model.attribute" : [ "createTimestamp" ] + } + }, { + "id" : "98525e6b-0ec0-49e6-96a7-9ec25fc3a896", + "name" : "modify date", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "modifyTimestamp" ], + "is.mandatory.in.ldap" : [ "false" ], + "always.read.value.from.ldap" : [ "true" ], + "read.only" : [ "true" ], + "user.model.attribute" : [ "modifyTimestamp" ] + } + }, { + "id" : "9a89ddf8-6390-4d79-bc02-c498399cdead", + "name" : "first name", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "givenName" ], + "is.mandatory.in.ldap" : [ "true" ], + "is.binary.attribute" : [ "false" ], + "always.read.value.from.ldap" : [ "true" ], + "read.only" : [ "true" ], + "user.model.attribute" : [ "firstName" ] + } + }, { + "id" : "7a8e65a6-3490-488e-9308-8ba7f70565fd", + "name" : "last 
name", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "sn" ], + "is.mandatory.in.ldap" : [ "true" ], + "always.read.value.from.ldap" : [ "true" ], + "read.only" : [ "true" ], + "user.model.attribute" : [ "lastName" ] + } + }, { + "id" : "797d5476-61d0-41bc-9fcb-6412915918c6", + "name" : "email", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "mail" ], + "is.mandatory.in.ldap" : [ "false" ], + "always.read.value.from.ldap" : [ "false" ], + "read.only" : [ "true" ], + "user.model.attribute" : [ "email" ] + } + }, { + "id" : "836ed908-8ebe-49bd-b12f-8cece55e3ab9", + "name" : "ownCloudSelector", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "ownCloudSelector" ], + "is.mandatory.in.ldap" : [ "false" ], + "is.binary.attribute" : [ "false" ], + "read.only" : [ "true" ], + "always.read.value.from.ldap" : [ "true" ], + "user.model.attribute" : [ "ownCloudSelector" ] + } + }, { + "id" : "68de0cfd-68d1-48dd-9cdc-c5993ee2fdc0", + "name" : "id", + "providerId" : "user-attribute-ldap-mapper", + "subComponents" : { }, + "config" : { + "ldap.attribute" : [ "owncloudUUID" ], + "is.mandatory.in.ldap" : [ "false" ], + "is.binary.attribute" : [ "false" ], + "read.only" : [ "true" ], + "always.read.value.from.ldap" : [ "false" ], + "user.model.attribute" : [ "owncloudUUID" ] + } + } ] + }, + "config" : { + "pagination" : [ "true" ], + "fullSyncPeriod" : [ "60" ], + "connectionPooling" : [ "true" ], + "usersDn" : [ "ou=users,dc=owncloud,dc=com" ], + "cachePolicy" : [ "DEFAULT" ], + "useKerberosForPasswordAuthentication" : [ "false" ], + "importEnabled" : [ "true" ], + "enabled" : [ "true" ], + "changedSyncPeriod" : [ "60" ], + "bindCredential" : [ "ldap-bind-credential" ], + "bindDn" : [ "cn=admin,dc=owncloud,dc=com" ], + "usernameLDAPAttribute" : [ "uid" ], + "lastSync" : [ "1627039770" ], + 
"vendor" : [ "other" ], + "uuidLDAPAttribute" : [ "entryUUID" ], + "allowKerberosAuthentication" : [ "false" ], + "connectionUrl" : [ "ldap://openldap" ], + "syncRegistrations" : [ "false" ], + "authType" : [ "simple" ], + "customUserSearchFilter" : [ "(&(objectclass=inetOrgPerson)(objectClass=owncloud))" ], + "debug" : [ "false" ], + "searchScope" : [ "2" ], + "useTruststoreSpi" : [ "ldapsOnly" ], + "trustEmail" : [ "true" ], + "priority" : [ "0" ], + "userObjectClasses" : [ "inetOrgPerson, organizationalPerson" ], + "rdnLDAPAttribute" : [ "uid" ], + "editMode" : [ "READ_ONLY" ], + "validatePasswordPolicy" : [ "false" ], + "batchSizeForSync" : [ "1000" ] + } + } ], + "org.keycloak.keys.KeyProvider" : [ { + "id" : "0e3d0048-cb16-49c3-8a9a-05d83f0daeca", + "name" : "rsa-generated", + "providerId" : "rsa-generated", + "subComponents" : { }, + "config" : { + "privateKey" : [ "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" ], + "certificate" : [ "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" ], + "priority" : [ "100" ] + } + }, { + "id" : "f92ecf31-c3c7-4c3b-af20-839fc05bcf99", + "name" : "hmac-generated", + "providerId" : "hmac-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "f1889839-fdb1-4c3a-98b6-13305f1b0f74" ], + "secret" : [ "UVX0V-qlIGdVswACK-jwOsjn7EV5Uc12drTs7XCegEIlXkjtg_m2VGg2rJZgg12wxjCXm69kpTZ8lmfGxiuZdw" ], + "priority" : [ "100" ], + "algorithm" : [ "HS256" ] + } + }, { + "id" : "992dcc80-dc41-4b00-bab8-6ec1c839f3a4", + "name" : "aes-generated", + "providerId" : "aes-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "3fef4998-39b3-46d3-9803-c480f4105b0a" ], + "secret" : [ "ZHHvfx76H3grDuKPGRtxCw" ], + "priority" : [ "100" ] + } + } ] + }, + "internationalizationEnabled" : false, + "supportedLocales" : [ ], + "authenticationFlows" : [ { + "id" : "119765a0-fded-4f23-97a4-e17288561bc4", + "alias" : "Account verification options", + "description" : "Method with which to verity the existing account", + 
"providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-email-verification", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "flowAlias" : "Verify Existing Account by Re-authentication", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "09cf953e-836f-4262-a0b4-7adf042fbff1", + "alias" : "Authentication Options", + "description" : "Authentication options.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "basic-auth", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "basic-auth-otp", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "75d42db9-3f2f-46c0-8c36-1eda77bd9724", + "alias" : "Browser - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : 
"896137f6-c466-4fd6-98d7-3b9957ad7f51", + "alias" : "Direct Grant - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "621278bb-9a86-4bbc-a1b7-ec4aa2abcef2", + "alias" : "First broker login - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "701dce46-ca08-464e-ac94-bae172c1b6ae", + "alias" : "Handle Existing Account", + "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-confirm-link", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "flowAlias" : "Account verification options", + 
"userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "f762984a-5a3c-46c2-8d2b-24bdf2fea99c", + "alias" : "Reset - Conditional OTP", + "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "9b41ec7d-4032-41e8-8a85-17762d3bb659", + "alias" : "User creation or linking", + "description" : "Flow for the existing/non-existing user alternatives", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "create unique user config", + "authenticator" : "idp-create-user-if-unique", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "flowAlias" : "Handle Existing Account", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "e3e1597b-094d-49e5-a70a-509f58877407", + "alias" : "Verify Existing Account by Re-authentication", + "description" : "Reauthentication of existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : 
"CONDITIONAL", + "priority" : 20, + "flowAlias" : "First broker login - Conditional OTP", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "72e113d4-5208-4878-9497-abb20b490f10", + "alias" : "browser", + "description" : "browser based authentication", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-cookie", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "identity-provider-redirector", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 25, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "flowAlias" : "forms", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "499c08d4-a6f3-4224-884f-ecc267673f77", + "alias" : "clients", + "description" : "Base authentication for clients", + "providerId" : "client-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "client-secret", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-secret-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-x509", + "authenticatorFlow" : false, + 
"requirement" : "ALTERNATIVE", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "06222772-bc31-48b1-a66b-788d38da3374", + "alias" : "direct grant", + "description" : "OpenID Connect Resource Owner Grant", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "direct-grant-validate-username", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 30, + "flowAlias" : "Direct Grant - Conditional OTP", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "63eac825-2e35-4b6d-b2ca-0cc45f847cbe", + "alias" : "docker auth", + "description" : "Used by Docker clients to authenticate against the IDP", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "docker-http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "284eb009-07f4-43d6-84f5-b4f4b86f6f0c", + "alias" : "first broker login", + "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "review profile config", + "authenticator" : "idp-review-profile", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, 
{ + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "flowAlias" : "User creation or linking", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "7b45327f-0d27-4d98-b761-c9743f374bdb", + "alias" : "forms", + "description" : "Username, password, otp and other auth forms.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 20, + "flowAlias" : "Browser - Conditional OTP", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "6387adf3-2635-4b42-804a-cb3f3526613f", + "alias" : "http challenge", + "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "no-cookie-redirect", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "flowAlias" : "Authentication Options", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "2b0a6071-c7cd-41e7-ba45-527e9d9fa8e2", + "alias" : "registration", + "description" : "registration flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-page-form", + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 10, + "flowAlias" : "registration form", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : 
"18b8a9aa-e6ee-4749-ad48-a9cdef9e1fe8", + "alias" : "registration form", + "description" : "registration form", + "providerId" : "form-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-user-creation", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-profile-action", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-password-action", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 50, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-recaptcha-action", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 60, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "4cbd03a6-cd4f-48d8-82d1-1076123e1484", + "alias" : "reset credentials", + "description" : "Reset credentials for a user if they forgot their password or something", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "reset-credentials-choose-user", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-credential-email", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 40, + "flowAlias" : "Reset - Conditional OTP", + 
"userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "0b920743-39c0-43ab-9274-db65bdb3cbe2", + "alias" : "saml ecp", + "description" : "SAML ECP Profile Authentication Flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + } ], + "authenticatorConfig" : [ { + "id" : "c8a68b1e-8663-48ee-b9f6-e3c103ca9aa7", + "alias" : "create unique user config", + "config" : { + "require.password.update.after.registration" : "false" + } + }, { + "id" : "db9a414e-18c5-4226-813e-1fab5f89e200", + "alias" : "review profile config", + "config" : { + "update.profile.on.first.login" : "missing" + } + } ], + "requiredActions" : [ { + "alias" : "CONFIGURE_TOTP", + "name" : "Configure OTP", + "providerId" : "CONFIGURE_TOTP", + "enabled" : true, + "defaultAction" : false, + "priority" : 10, + "config" : { } + }, { + "alias" : "terms_and_conditions", + "name" : "Terms and Conditions", + "providerId" : "terms_and_conditions", + "enabled" : false, + "defaultAction" : false, + "priority" : 20, + "config" : { } + }, { + "alias" : "UPDATE_PASSWORD", + "name" : "Update Password", + "providerId" : "UPDATE_PASSWORD", + "enabled" : true, + "defaultAction" : false, + "priority" : 30, + "config" : { } + }, { + "alias" : "UPDATE_PROFILE", + "name" : "Update Profile", + "providerId" : "UPDATE_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 40, + "config" : { } + }, { + "alias" : "VERIFY_EMAIL", + "name" : "Verify Email", + "providerId" : "VERIFY_EMAIL", + "enabled" : true, + "defaultAction" : false, + "priority" : 50, + "config" : { } + }, { + "alias" : "delete_account", + "name" : "Delete Account", + "providerId" : "delete_account", + "enabled" : false, + "defaultAction" : false, + "priority" : 60, + 
"config" : { } + }, { + "alias" : "update_user_locale", + "name" : "Update User Locale", + "providerId" : "update_user_locale", + "enabled" : true, + "defaultAction" : false, + "priority" : 1000, + "config" : { } + } ], + "browserFlow" : "browser", + "registrationFlow" : "registration", + "directGrantFlow" : "direct grant", + "resetCredentialsFlow" : "reset credentials", + "clientAuthenticationFlow" : "clients", + "dockerAuthenticationFlow" : "docker auth", + "attributes" : { + "cibaBackchannelTokenDeliveryMode" : "poll", + "cibaExpiresIn" : "120", + "cibaAuthRequestedUserHint" : "login_hint", + "oauth2DeviceCodeLifespan" : "600", + "clientOfflineSessionMaxLifespan" : "0", + "oauth2DevicePollingInterval" : "5", + "clientSessionIdleTimeout" : "0", + "clientSessionMaxLifespan" : "0", + "clientOfflineSessionIdleTimeout" : "0", + "cibaInterval" : "5" + }, + "keycloakVersion" : "14.0.0", + "userManagedAccessAllowed" : false, + "clientProfiles" : { + "profiles" : [ ] + }, + "clientPolicies" : { + "policies" : [ ] + } +} diff --git a/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/10_owncloud_schema.ldif b/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/10_owncloud_schema.ldif new file mode 100644 index 00000000000..bff48c367e5 --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/10_owncloud_schema.ldif 
@@ -0,0 +1,10 @@
+# This LDIF files describes the ownCloud schema and can be used to
+# add two optional attributes: ownCloudQuota and ownCloudUUID
+# The ownCloudUUID is used to store a unique, non-reassignable, persistent identifier for users and groups
+dn: cn=owncloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: owncloud
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'ownCloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.2 NAME 'ownCloudUUID' DESC 'A non-reassignable and persistent account ID)' EQUALITY uuidMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.3 NAME 'ownCloudSelector' DESC 'A selector attribute for a route in the ownCloud Infinte Scale proxy)' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'ownCloud' DESC 'ownCloud LDAP Schema' AUXILIARY MAY ( ownCloudQuota $ ownCloudUUID $ ownCloudSelector ) )
diff --git a/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/20_users.ldif b/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/20_users.ldif
new file mode 100644
index 00000000000..8cf9f8007b2
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/20_users.ldif
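Review bot: The header comment on the first two lines says the schema adds two optional attributes, but the olcObjectClasses line below declares three — ownCloudQuota, ownCloudUUID and ownCloudSelector — so the comment should read `# add three optional attributes: ownCloudQuota, ownCloudUUID and ownCloudSelector`. The DESC strings of ownCloudUUID and ownCloudSelector each end with a stray `)` inside the quotes, and "Infinte" should be "Infinite"; these are display-only but LDAP browsers show them verbatim. ownCloudSelector appears to be the attribute the Keycloak realm in this patch maps onto the `ocis.routing.policy` claim, so a one-line comment stating that it steers which backend a user is routed to would help readers who only open this schema file.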
@@ -0,0 +1,68 @@
+dn: ou=users,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: users
+
+# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
+dn: uid=einstein,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: einstein
+givenName: Albert
+sn: Einstein
+cn: einstein
+displayName: Albert Einstein
+description: A German-born theoretical physicist who developed the theory of relativity, one of the two pillars of modern physics (alongside quantum mechanics).
+mail: einstein@example.org
+uidNumber: 20000
+gidNumber: 30000
+homeDirectory: /home/einstein
+ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
+userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==
+ownCloudSelector: ocis
+
+
+dn: uid=marie,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: marie
+givenName: Marie
+sn: Curie
+cn: marie
+displayName: Marie Skłodowska Curie
+description: A Polish and naturalized-French physicist and chemist who conducted pioneering research on radioactivity.
+mail: marie@example.org
+uidNumber: 20001
+gidNumber: 30000
+homeDirectory: /home/marie
+ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
+userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==
+ownCloudSelector: oc10
+
+dn: uid=richard,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: richard
+givenName: Richard
+sn: Feynman
+cn: richard
+displayName: Richard Phillips Feynman
+description: An American theoretical physicist, known for his work in the path integral formulation of quantum mechanics, the theory of quantum electrodynamics, the physics of the superfluidity of supercooled liquid helium, as well as his work in particle physics for which he proposed the parton model.
+mail: richard@example.org
+uidNumber: 20002
+gidNumber: 30000
+homeDirectory: /home/richard
+ownCloudUUID:: OTMyYjQ1NDAtOGQxNi00ODFlLThlZjQtNTg4ZTRiNmIxNTFj
+userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==
+ownCloudSelector: ocis
diff --git a/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/30_groups.ldif b/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/30_groups.ldif
new file mode 100644
index 00000000000..f1c820c8693
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/ldap/ldif/30_groups.ldif
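Review bot: The three demo accounts carry fixed `userPassword` hashes and fixed `ownCloudUUID` values, and nothing in the file marks them as fixture data; a header comment such as `# Demo accounts with fixed password hashes for the example deployment only — do not load into a production directory` would make the intent explicit to anyone reusing these LDIFs. The `ownCloudSelector` values (`ocis` for einstein and richard, `oc10` for marie) are the only thing distinguishing which system a user lands on and presumably feed the routing claim configured in the Keycloak realm of this patch, so a short comment at the first occurrence naming the two accepted values and their effect would help. Spacing is also inconsistent: two blank lines separate the einstein and marie entries while a single blank line separates the others.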
@@ -0,0 +1,95 @@ +dn: ou=groups,dc=owncloud,dc=com +objectClass: organizationalUnit +ou: groups + +dn: cn=users,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: ownCloud +objectClass: top +cn: users +description: Users +gidNumber: 30000 +ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh +uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com +uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com +uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com + +dn: cn=sailing-lovers,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: ownCloud +objectClass: top +cn: sailing-lovers +description: Sailing lovers +gidNumber: 30001 +ownCloudUUID:: NjA0MGFhMTctOWM2NC00ZmVmLTliZDAtNzcyMzRkNzFiYWQw +uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com + +dn: cn=violin-haters,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: ownCloud +objectClass: top +cn: violin-haters +description: Violin haters +gidNumber: 30002 +ownCloudUUID:: ZGQ1OGU1ZWMtODQyZS00OThiLTg4MDAtNjFmMmVjNmY5MTFm +uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com + +dn: cn=radium-lovers,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: ownCloud +objectClass: top +cn: radium-lovers +description: Radium lovers +gidNumber: 30003 +ownCloudUUID:: N2I4N2ZkNDktMjg2ZS00YTVmLWJhZmQtYzUzNWQ1ZGQ5OTdh +uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com + +dn: cn=polonium-lovers,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: ownCloud +objectClass: top +cn: polonium-lovers +description: Polonium lovers +gidNumber: 30004 +ownCloudUUID:: Y2VkYzIxYWEtNDA3Mi00NjE0LTg2NzYtZmE5MTY1ZjU5OGZm +uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com + +dn: cn=quantum-lovers,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: 
ownCloud +objectClass: top +cn: quantum-lovers +description: Quantum lovers +gidNumber: 30005 +ownCloudUUID:: YTE3MjYxMDgtMDFmOC00YzMwLTg4ZGYtMmIxYTlkMWNiYTFh +uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com + +dn: cn=philosophy-haters,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: ownCloud +objectClass: top +cn: philosophy-haters +description: Philosophy haters +gidNumber: 30006 +ownCloudUUID:: MTY3Y2JlZTItMDUxOC00NTVhLWJmYjItMDMxZmUwNjIxZTVk +uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com + +dn: cn=physics-lovers,ou=groups,dc=owncloud,dc=com +objectClass: groupOfUniqueNames +objectClass: posixGroup +objectClass: ownCloud +objectClass: top +cn: physics-lovers +description: Physics lovers +gidNumber: 30007 +ownCloudUUID:: MjYyOTgyYzEtMjM2Mi00YWZhLWJmZGYtOGNiZmVmNjRhMDZl +uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com +uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com +uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com diff --git a/deployments/examples/oc10_ocis_parallel/config/oc10/10-custom-config.sh b/deployments/examples/oc10_ocis_parallel/config/oc10/10-custom-config.sh new file mode 100755 index 00000000000..0a1113220cd --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/config/oc10/10-custom-config.sh 
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+echo "Writing custom config files..."
+
+# openidconnect
+gomplate \
+ -f /etc/templates/oidc.config.php \
+ -o ${OWNCLOUD_VOLUME_CONFIG}/oidc.config.php
+
+occ market:upgrade --major openidconnect # we need a release including https://github.com/owncloud/openidconnect/pull/180
+occ app:enable openidconnect
+
+# user LDAP
+gomplate \
+ -f /etc/templates/ldap-config.tmpl.json \
+ -o ${OWNCLOUD_VOLUME_CONFIG}/ldap-config.json
+
+CONFIG=$(cat ${OWNCLOUD_VOLUME_CONFIG}/ldap-config.json)
+occ config:import <<< $CONFIG
+
+occ ldap:test-config "s01"
+occ app:enable user_ldap
+/bin/bash -c 'occ user:sync "OCA\User_LDAP\User_Proxy" -r -m remove'
+
+cp /tmp/ldap-sync-cron /etc/cron.d
+chown root:root /etc/cron.d/ldap-sync-cron
+
+# ownCloud Web
+gomplate \
+ -f /etc/templates/web.config.php \
+ -o ${OWNCLOUD_VOLUME_CONFIG}/web.config.php
+
+gomplate \
+ -f /etc/templates/web-config.tmpl.json \
+ -o ${OWNCLOUD_VOLUME_CONFIG}/config.json
+
+occ market:upgrade --major web
+occ app:enable web
+
+true
diff --git a/deployments/examples/oc10_ocis_parallel/config/oc10/ldap-config.tmpl.json b/deployments/examples/oc10_ocis_parallel/config/oc10/ldap-config.tmpl.json
new file mode 100755
index 00000000000..93c65670ff0
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/oc10/ldap-config.tmpl.json
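Review bot: The rendered `ldap-config.json` stays in `${OWNCLOUD_VOLUME_CONFIG}` after `occ config:import` has consumed it, so the LDAP bind password (only base64-encoded by the template, not encrypted) persists on the config volume alongside the imported settings; add `rm -f "${OWNCLOUD_VOLUME_CONFIG}/ldap-config.json"` right after the import, or feed the gomplate output to `occ config:import` without writing the file at all. The script has no `set -e` and ends in `true`, so a failed `occ market:upgrade` (which fetches the app from the marketplace on every container start) or a failed `occ config:import` is masked and the container comes up half-configured; if best-effort is intended, a comment such as `# best effort: failures here must not block the server start` would make that explicit. The cron file gets `chown root:root` but no mode; cron implementations may ignore `/etc/cron.d` entries that are group- or world-writable, so `chmod 644 /etc/cron.d/ldap-sync-cron` after the chown is safer than relying on the mode the bind mount happens to carry.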
@@ -0,0 +1,53 @@
+{
+ "apps": {
+ "user_ldap": {
+ "s01has_memberof_filter_support": "0",
+ "s01home_folder_naming_rule": "",
+ "s01last_jpegPhoto_lookup": "0",
+ "s01ldap_agent_password": "{{ .Env.STORAGE_LDAP_BIND_PASSWORD | base64.Encode }}",
+ "s01ldap_attributes_for_group_search": "",
+ "s01ldap_attributes_for_user_search": "{{ .Env.LDAP_USERATTRIBUTEFILTERS }}",
+ "s01ldap_backup_host": "",
+ "s01ldap_backup_port": "",
+ "s01ldap_base_groups": "{{ .Env.LDAP_BASE_DN }}",
+ "s01ldap_base_users": "{{ .Env.LDAP_BASE_DN }}",
+ "s01ldap_base": "{{ .Env.LDAP_BASE_DN }}",
+ "s01ldap_cache_ttl": "60",
+ "s01ldap_configuration_active": "1",
+ "s01ldap_display_name": "{{ .Env.LDAP_USER_SCHEMA_DISPLAYNAME }}",
+ "s01ldap_dn": "{{ .Env.STORAGE_LDAP_BIND_DN }}",
+ "s01ldap_dynamic_group_member_url": "",
+ "s01ldap_email_attr": "{{ .Env.LDAP_USER_SCHEMA_MAIL }}",
+ "s01ldap_experienced_admin": "1",
+ "s01ldap_expert_username_attr": "{{ .Env.LDAP_USER_SCHEMA_NAME_ATTR }}",
+ "s01ldap_expert_uuid_group_attr": "",
+ "s01ldap_expert_uuid_user_attr": "{{ .Env.LDAP_USER_SCHEMA_UID }}",
+ "s01ldap_group_display_name": "{{ .Env.LDAP_GROUP_SCHEMA_DISPLAYNAME }}",
+ "s01ldap_group_filter_mode": "0",
+ "s01ldap_group_filter": "{{ .Env.LDAP_GROUPFILTER }}",
+ "s01ldap_group_member_assoc_attribute": "{{ .Env.LDAP_GROUP_MEMBER_ASSOC_ATTR }}",
+ "s01ldap_groupfilter_groups": "",
+ "s01ldap_groupfilter_objectclass": "",
+ "s01ldap_host": "{{ .Env.LDAP_HOST }}",
+ "s01ldap_login_filter_mode": "0",
+ "s01ldap_login_filter": "{{ .Env.LDAP_LOGINFILTER }}",
+ "s01ldap_loginfilter_attributes": "",
+ "s01ldap_loginfilter_email": "1",
+ "s01ldap_loginfilter_username": "1",
+ "s01ldap_nested_groups": "0",
+ "s01ldap_override_main_server": "",
+ "s01ldap_paging_size": "100",
+ "s01ldap_port": "{{ .Env.LDAP_PORT }}",
+ "s01ldap_quota_attr": "",
+ "s01ldap_quota_def": "",
+ "s01ldap_tls": "0",
+ "s01ldap_turn_off_cert_check": "0",
+ "s01ldap_user_display_name_2": "",
+ "s01ldap_user_filter_mode": "0",
+ "s01ldap_userfilter_groups": "", + "s01ldap_userfilter_objectclass": "", + "s01ldap_userlist_filter": "{{ .Env.LDAP_USERFILTER }}", + "s01use_memberof_to_detect_membership": "1" + } + } +} diff --git a/deployments/examples/oc10_ocis_parallel/config/oc10/ldap-sync-cron b/deployments/examples/oc10_ocis_parallel/config/oc10/ldap-sync-cron new file mode 100644 index 00000000000..19d70b872a4 --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/config/oc10/ldap-sync-cron @@ -0,0 +1 @@ +*/1 * * * * www-data /bin/bash -c 'occ user:sync "OCA\User_LDAP\User_Proxy" -r -m remove' diff --git a/deployments/examples/oc10_ocis_parallel/config/oc10/oidc.config.php b/deployments/examples/oc10_ocis_parallel/config/oc10/oidc.config.php new file mode 100644 index 00000000000..caa33a0bf0f --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/config/oc10/oidc.config.php @@ -0,0 +1,23 @@ + [ + 'provider-url' => getenv('IDP_OIDC_ISSUER'), + 'client-id' => 'oc10', + 'client-secret' => getenv('IDP_OIDC_CLIENT_SECRET'), + 'loginButtonName' => 'OpenId Connect', + 'search-attribute' => 'preferred_username', + 'mode' => 'userid', + 'autoRedirectOnLoginPage' => true, + 'insecure' => true, + 'post_logout_redirect_uri' => 'https://' . getenv('CLOUD_DOMAIN'), + ], + ]; + return $config; +} + +$CONFIG = getOIDCConfigFromEnv(); diff --git a/deployments/examples/oc10_ocis_parallel/config/oc10/web-config.tmpl.json b/deployments/examples/oc10_ocis_parallel/config/oc10/web-config.tmpl.json new file mode 100644 index 00000000000..2022239d229 --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/config/oc10/web-config.tmpl.json 
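Review bot: `"s01ldap_tls": "0"` combined with the oc10 service's `LDAP_PORT: 389` (docker-compose.yml in this commit) means the bind DN and `STORAGE_LDAP_BIND_PASSWORD` cross the compose network in cleartext, whereas the oCIS service in the same stack reaches `openldap` on 636; the two sides should agree on the transport. For consistency, `"s01ldap_tls": "1"` (STARTTLS on 389) or an ldaps host on 636 would be the expected setting; with the container's self-signed certificate a local setup would then likely need `"s01ldap_turn_off_cert_check": "1"` as well, which should be commented as local-only in the same way `INSECURE` is documented for oCIS. The `base64.Encode` applied to `s01ldap_agent_password` appears to be just the storage format user_ldap expects, not protection, so a comment saying so would avoid a false sense of security.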
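Review bot: `'insecure' => true` is hard-coded, which disables certificate verification towards the OIDC provider unconditionally, while the oCIS side of the same stack makes this switchable via `PROXY_OIDC_INSECURE: "${INSECURE:-false}"`; once `INSECURE` is passed into the oc10 service environment, `'insecure' => getenv('INSECURE') === 'true',` keeps the local-setup default while letting an internet-facing deployment verify the Keycloak certificate. The opening of `getOIDCConfigFromEnv` (the `<?php` header and the outer array key) is not visible in this rendering of the hunk, so the function starts outside what I can see. A short header comment stating that every value here is sourced from the compose environment and that `IDP_OIDC_CLIENT_SECRET` must be set to a non-default value on a server would also help operators.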
@@ -0,0 +1,35 @@ +{ + "server": "https://{{ .Env.CLOUD_DOMAIN }}", + "theme": "owncloud", + "openIdConnect": { + "metadata_url": "{{ .Env.IDP_OIDC_ISSUER }}/.well-known/openid-configuration", + "authority": "{{ .Env.IDP_OIDC_ISSUER }}", + "client_id": "oc10-web", + "response_type": "code", + "scope": "openid profile email" + }, + "apps": ["files", "media-viewer", "search"], + "applications": [ + { + "icon": "switch_ui", + "target": "_self", + "title": { + "en": "Classic Design", + "de": "Dateien", + "fr": "Fichiers", + "zh_CN": "文件" + }, + "url": "https://{{ .Env.CLOUD_DOMAIN }}/index.php/apps/files" + }, + { + "icon": "application", + "menu": "user", + "target": "_self", + "title": { + "de": "Einstellungen", + "en": "Settings" + }, + "url": "https://{{ .Env.CLOUD_DOMAIN }}/index.php/settings/personal" + } + ] +} diff --git a/deployments/examples/oc10_ocis_parallel/config/oc10/web.config.php b/deployments/examples/oc10_ocis_parallel/config/oc10/web.config.php new file mode 100644 index 00000000000..dca68d440bc --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/config/oc10/web.config.php @@ -0,0 +1,15 @@ + 'https://' . getenv('CLOUD_DOMAIN') . '/index.php/apps/web', + 'web.rewriteLinks' => getenv('OWNCLOUD_WEB_REWRITE_LINKS') == 'true', + + ]; + return $config; +} + +$CONFIG = getWebConfigFromEnv(); diff --git a/deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh b/deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh new file mode 100755 index 00000000000..547ece0141b --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/config/ocis/entrypoint-override.sh 
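Review bot: The first `applications` entry mixes labels: `"en": "Classic Design"` while `de`, `fr` and `zh_CN` say "Files" (`Dateien`, `Fichiers`, `文件`), so non-English users get a different meaning for the same menu item; either translate "Classic Design" or align the other three with it. The second entry (`Einstellungen` / `Settings`) is consistent, so this looks like a copy-over from another config rather than intent.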
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+mkdir -p /var/tmp/ocis/.config/
+cp /config/proxy-config.dist.json /var/tmp/ocis/.config/proxy-config.json
+# TODO: remove replace logic when log level configuration is fixed
+sed -i 's/PROXY_LOG_LEVEL/${PROXY_LOG_LEVEL}/g' /var/tmp/ocis/.config/proxy-config.json
+
+ocis server &
+sleep 10
+
+# idp, glauth and accounts are not needed -> replaced by Keycloak and OpenLDAP
+ocis kill idp
+ocis kill glauth
+ocis kill accounts
+
+# workaround for loading proxy configuration
+ocis kill proxy
+sleep 10
+ocis proxy server &
+
+wait
diff --git a/deployments/examples/oc10_ocis_parallel/config/ocis/proxy-config.dist.json b/deployments/examples/oc10_ocis_parallel/config/ocis/proxy-config.dist.json
new file mode 100644
index 00000000000..23269f43231
--- /dev/null
+++ b/deployments/examples/oc10_ocis_parallel/config/ocis/proxy-config.dist.json
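Review bot: The `sed` expression is in single quotes, so the shell never expands `${PROXY_LOG_LEVEL}` and sed writes the literal text `${PROXY_LOG_LEVEL}` into `proxy-config.json` in place of the configured level (unless the proxy's config loader expands such placeholders itself, which nothing in the hunk shows); `sed -i "s/PROXY_LOG_LEVEL/${PROXY_LOG_LEVEL}/g" /var/tmp/ocis/.config/proxy-config.json` is the intended form. The two `sleep 10` waits are timing assumptions: on a slow host the `ocis kill` calls may run before the runtime has registered those services, and with `set -e` the whole container then aborts, so polling until the services are up (or tolerating a failed kill explicitly) would be more robust. It is also worth a comment that `idp`, `glauth` and `accounts` do start and listen for those first ten seconds before being killed, since an operator reading the compose file would not expect them to run at all.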
@@ -0,0 +1,93 @@ +{ + "log": { + "level": "PROXY_LOG_LEVEL" + }, + "policy_selector": { + "claims": { + "default_policy": "oc10", + "unauthenticated_policy": "oc10" + } + }, + "policies": [ + { + "name": "ocis", + "routes": [ + { + "endpoint": "/", + "backend": "http://localhost:9100" + }, + { + "endpoint": "/.well-known/", + "backend": "http://localhost:9130" + }, + { + "type": "regex", + "endpoint": "/ocs/v[12].php/cloud/user/signing-key", + "backend": "http://localhost:9110" + }, + { + "endpoint": "/ocs/", + "backend": "http://localhost:9140" + }, + { + "type": "query", + "endpoint": "/remote.php/?preview=1", + "backend": "http://localhost:9115" + }, + { + "endpoint": "/remote.php/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/dav/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/webdav/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/status.php", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/index.php/", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/data", + "backend": "http://localhost:9140" + }, + { + "endpoint": "/graph/", + "backend": "http://localhost:9120" + }, + { + "endpoint": "/graph-explorer/", + "backend": "http://localhost:9135" + }, + { + "endpoint": "/api/v0/settings", + "backend": "http://localhost:9190" + }, + { + "endpoint": "/settings.js", + "backend": "http://localhost:9190" + } + ] + }, + { + "name": "oc10", + "routes": [ + { + "endpoint": "/", + "backend": "http://oc10:8080" + }, + { + "endpoint": "/data", + "backend": "http://localhost:9140" + } + ] + } + ] +} diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml new file mode 100644 index 00000000000..1684003ef49 --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml 
@@ -0,0 +1,342 @@ +--- +version: "3.7" + +services: + traefik: + image: traefik:v2.5 + networks: + ocis-net: + aliases: + - ${CLOUD_DOMAIN:-cloud.owncloud.test} + - ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test} + command: + - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}" + # letsencrypt configuration + - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" + - "--certificatesResolvers.http.acme.storage=/certs/acme.json" + - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" + # enable dasbhoard + - "--api.dashboard=true" + # define entrypoints + - "--entryPoints.http.address=:80" + - "--entryPoints.http.http.redirections.entryPoint.to=https" + - "--entryPoints.http.http.redirections.entryPoint.scheme=https" + - "--entryPoints.https.address=:443" + # docker provider (get configuration from container labels) + - "--providers.docker.endpoint=unix:///var/run/docker.sock" + - "--providers.docker.exposedByDefault=false" + ports: + - "80:80" + - "443:443" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "certs:/certs" + labels: + - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" + - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$apr1$4vqie50r$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin + - "traefik.http.routers.traefik.entrypoints=https" + - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)" + - "traefik.http.routers.traefik.middlewares=traefik-auth" + - "traefik.http.routers.traefik.tls.certresolver=http" + - "traefik.http.routers.traefik.service=api@internal" + logging: + driver: "local" + restart: always + + ocis: + image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest} + entrypoint: + - /bin/sh + - /entrypoint-override.sh + networks: + ocis-net: + user: "33:33" # equals the user "www-data" for oC10 + environment: + # Keycloak IDP specific configuration + PROXY_OIDC_ISSUER: 
https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud} + WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud} + WEB_OIDC_CLIENT_ID: ocis-web + WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud}/.well-known/openid-configuration + STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test} + STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud} + WEB_OIDC_SCOPE: openid profile email owncloud + # LDAP bind + STORAGE_LDAP_HOSTNAME: openldap + STORAGE_LDAP_PORT: 636 + STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" + STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + # LDAP user settings + PROXY_AUTOPROVISION_ACCOUNTS: "true" # automatically create users when they login + PROXY_ACCOUNT_BACKEND_TYPE: cs3 # proxy should get users from CS3APIS (which gets it from LDAP) + PROXY_USER_OIDC_CLAIM: ocis.user.uuid # claim was added in Keycloak + PROXY_USER_CS3_CLAIM: userid # equals STORAGE_LDAP_USER_SCHEMA_UID + STORAGE_LDAP_BASE_DN: "dc=owncloud,dc=com" + STORAGE_LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn" + STORAGE_LDAP_GROUP_SCHEMA_GID_NUMBER: "gidnumber" + STORAGE_LDAP_GROUP_SCHEMA_GID: "cn" + STORAGE_LDAP_GROUP_SCHEMA_MAIL: "mail" + STORAGE_LDAP_GROUPATTRIBUTEFILTER: "(&(objectclass=posixGroup)(objectclass=owncloud)({{attr}}={{value}}))" + STORAGE_LDAP_GROUPFILTER: "(&(objectclass=groupOfUniqueNames)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))" + STORAGE_LDAP_GROUPMEMBERFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))" + STORAGE_LDAP_USERGROUPFILTER: "(&(objectclass=posixGroup)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))" + STORAGE_LDAP_USER_SCHEMA_CN: "cn" + STORAGE_LDAP_USER_SCHEMA_DISPLAYNAME: "displayname" + STORAGE_LDAP_USER_SCHEMA_GID_NUMBER: "gidnumber" + STORAGE_LDAP_USER_SCHEMA_MAIL: 
"mail" + STORAGE_LDAP_USER_SCHEMA_UID_NUMBER: "uidnumber" + STORAGE_LDAP_USER_SCHEMA_UID: "ownclouduuid" + STORAGE_LDAP_LOGINFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(uid={{login}})(mail={{login}})))" + STORAGE_LDAP_USERATTRIBUTEFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)({{attr}}={{value}}))" + STORAGE_LDAP_USERFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(ownclouduuid={{.OpaqueId}})(uid={{.OpaqueId}})))" + STORAGE_LDAP_USERFINDFILTER: "(&(objectclass=posixAccount)(objectclass=owncloud)(|(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)))" + # ownCloud storage driver + STORAGE_HOME_DRIVER: owncloudsql + STORAGE_USERS_DRIVER: owncloudsql + STORAGE_DRIVER_OWNCLOUDSQL_DATADIR: /mnt/data/files + STORAGE_DRIVER_OWNCLOUDSQL_UPLOADINFO_DIR: /tmp + STORAGE_DRIVER_OWNCLOUDSQL_SHARE_FOLDER: "/Shares" + STORAGE_DRIVER_OWNCLOUDSQL_ENABLE_HOME: "false" + STORAGE_DRIVER_OWNCLOUDSQL_LAYOUT: "{{.Username}}" + STORAGE_DRIVER_OWNCLOUDSQL_DBUSERNAME: owncloud + STORAGE_DRIVER_OWNCLOUDSQL_DBPASSWORD: owncloud + STORAGE_DRIVER_OWNCLOUDSQL_DBHOST: oc10-db + STORAGE_DRIVER_OWNCLOUDSQL_DBPORT: 3306 + STORAGE_DRIVER_OWNCLOUDSQL_DBNAME: owncloud + STORAGE_DRIVER_OWNCLOUDSQL_REDIS_ADDR: redis:6379 # TODO: redis is not yet supported + # ownCloud storage readonly + OCIS_STORAGE_READ_ONLY: "false" # TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303 + # General oCIS config + OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose + PROXY_LOG_LEVEL: ${PROXY_LOG_LEVEL:-error} + OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test} + PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates + PROXY_TLS: "false" # do not use SSL between Traefik and oCIS + PROXY_CONFIG_FILE: "/var/tmp/ocis/.config/proxy-config.json" + # change default secrets + OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4} + STORAGE_TRANSFER_SECRET: 
${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret} + volumes: + - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh + - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json + - ocis-data:/var/tmp/ocis + # shared volume with oC10 + - oc10-data:/mnt/data + labels: + - "traefik.enable=true" + - "traefik.http.routers.ocis.entrypoints=https" + - "traefik.http.routers.ocis.rule=Host(`${CLOUD_DOMAIN:-cloud.owncloud.test}`)" + - "traefik.http.routers.ocis.tls.certresolver=http" + - "traefik.http.routers.ocis.service=ocis" + - "traefik.http.services.ocis.loadbalancer.server.port=9200" + logging: + driver: "local" + restart: always + + oc10: + image: owncloud/server:${OC10_DOCKER_TAG:-latest} + networks: + ocis-net: + environment: + # make ownCloud Web the default frontend + OWNCLOUD_DEFAULT_APP: ${OWNCLOUD_DEFAULT_APP:-files} # can be switched to "web" + OWNCLOUD_WEB_REWRITE_LINKS: ${OWNCLOUD_WEB_REWRITE_LINKS:-false} + # script / config variables + IDP_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-owncloud} + IDP_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret} + CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test} + # LDAP bind configuration + LDAP_HOST: "openldap" + LDAP_PORT: 389 + STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com" + STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + # LDAP user configuration + LDAP_BASE_DN: "dc=owncloud,dc=com" + LDAP_USER_SCHEMA_DISPLAYNAME: "displayname" + LDAP_LOGINFILTER: "(&(objectclass=owncloud)(|(uid=%uid)(mail=%uid)))" + LDAP_GROUP_SCHEMA_DISPLAYNAME: "cn" + LDAP_USER_SCHEMA_NAME_ATTR: "uid" + LDAP_GROUPFILTER: "(&(objectclass=groupOfUniqueNames)(objectclass=owncloud))" + LDAP_USER_SCHEMA_UID: "ownclouduuid" + LDAP_USERATTRIBUTEFILTERS: "" #"ownclouduuid;cn;uid;mail" + LDAP_USER_SCHEMA_MAIL: "mail" + LDAP_USERFILTER: "(&(objectclass=owncloud))" + LDAP_GROUP_MEMBER_ASSOC_ATTR: "uniqueMember" + # ownCloud config + 
OWNCLOUD_DB_TYPE: mysql + OWNCLOUD_DB_NAME: owncloud + OWNCLOUD_DB_USERNAME: owncloud + OWNCLOUD_DB_PASSWORD: owncloud + OWNCLOUD_DB_HOST: oc10-db + OWNCLOUD_ADMIN_USERNAME: admin + OWNCLOUD_ADMIN_PASSWORD: admin + OWNCLOUD_MYSQL_UTF8MB4: "true" + OWNCLOUD_REDIS_ENABLED: "true" + OWNCLOUD_REDIS_HOST: redis + OWNCLOUD_TRUSTED_PROXIES: ${CLOUD_DOMAIN:-cloud.owncloud.test} + OWNCLOUD_OVERWRITE_PROTOCOL: https + OWNCLOUD_OVERWRITE_HOST: ${CLOUD_DOMAIN:-cloud.owncloud.test} + OWNCLOUD_APPS_ENABLE: "openidconnect,oauth2,user_ldap,graphapi" + OWNCLOUD_LOG_LEVEL: 0 + OWNCLOUD_LOG_FILE: /dev/stdout + volumes: + # oidc, ldap and web config + - ./config/oc10/oidc.config.php:/etc/templates/oidc.config.php + - ./config/oc10/ldap-config.tmpl.json:/etc/templates/ldap-config.tmpl.json + - ./config/oc10/ldap-sync-cron:/tmp/ldap-sync-cron + - ./config/oc10/web.config.php:/etc/templates/web.config.php + - ./config/oc10/web-config.tmpl.json:/etc/templates/web-config.tmpl.json + # config load script + - ./config/oc10/10-custom-config.sh:/etc/pre_server.d/10-custom-config.sh + # data persistence + - oc10-data:/mnt/data + logging: + driver: "local" + restart: always + + keycloak: + image: quay.io/keycloak/keycloak:latest + networks: + ocis-net: + entrypoint: ["/bin/sh", "/opt/jboss/tools/docker-entrypoint-override.sh"] + volumes: + - ./config/keycloak/docker-entrypoint-override.sh:/opt/jboss/tools/docker-entrypoint-override.sh + - ./config/keycloak/owncloud-realm.dist.json:/opt/jboss/keycloak/owncloud-realm.dist.json + environment: + CLOUD_DOMAIN: ${CLOUD_DOMAIN:-cloud.owncloud.test} + OC10_OIDC_CLIENT_SECRET: ${OC10_OIDC_CLIENT_SECRET:-oc10-oidc-secret} + LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + DB_VENDOR: POSTGRES + DB_ADDR: keycloak-db + DB_DATABASE: keycloak + DB_USER: keycloak + DB_SCHEMA: public + DB_PASSWORD: keycloak + KEYCLOAK_USER: ${KEYCLOAK_ADMIN_USER:-admin} + KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} + PROXY_ADDRESS_FORWARDING: "true" + 
KEYCLOAK_IMPORT: /opt/jboss/keycloak/owncloud-realm.json + labels: + - "traefik.enable=true" + - "traefik.http.routers.keycloak.entrypoints=https" + - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}`)" + - "traefik.http.routers.keycloak.tls.certresolver=http" + - "traefik.http.routers.keycloak.service=keycloak" + - "traefik.http.services.keycloak.loadbalancer.server.port=8080" + # let /.well-known/openid-configuration be served by Keycloak + # so that clients (Desktop, iOS and Android) can detect OIDC, 302 redirect is not valid according RFC + # https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/#set-up-service-discovery + - "traefik.http.middlewares.idp-headers.headers.customrequestheaders.X-Forwarded-Host=${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}" + - "traefik.http.middlewares.idp-prefix.addprefix.prefix=/auth/realms/${KEYCLOAK_REALM:-owncloud}" + - "traefik.http.middlewares.idp-override.chain.middlewares=idp-headers,idp-prefix" + - "traefik.http.routers.idp-wellknown.entrypoints=https" + - "traefik.http.routers.idp-wellknown.tls.certresolver=http" + - "traefik.http.routers.idp-wellknown.rule=Host(`${CLOUD_DOMAIN:-cloud.owncloud.test}`) && Path(`/.well-known/openid-configuration`)" + - "traefik.http.routers.idp-wellknown.middlewares=idp-override" + - "traefik.http.routers.idp-wellknown.service=keycloak" + logging: + driver: "local" + restart: always + + openldap: + image: osixia/openldap:latest + networks: + ocis-net: + command: --copy-service --loglevel debug + environment: + LDAP_TLS_VERIFY_CLIENT: never + LDAP_DOMAIN: owncloud.com + LDAP_ORGANISATION: ownCloud + LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + LDAP_RFC2307BIS_SCHEMA: "true" + LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" + volumes: + - ./config/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom + logging: + driver: "local" + restart: always + + ldap-manager: + image: osixia/phpldapadmin:0.9.0 + networks: + ocis-net: + 
environment: + PHPLDAPADMIN_LDAP_HOSTS: openldap + PHPLDAPADMIN_HTTPS: "false" + labels: + - "traefik.enable=true" + - "traefik.http.routers.ldap-manager.entrypoints=https" + - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)" + - "traefik.http.routers.ldap-manager.tls.certresolver=http" + - "traefik.http.routers.ldap-manager.service=ldap-manager" + - "traefik.http.services.ldap-manager.loadbalancer.server.port=80" + logging: + driver: "local" + restart: always + + keycloak-db: + image: postgres:alpine + networks: + ocis-net: + volumes: + - keycloak-postgres-data:/var/lib/postgresql/data + environment: + POSTGRES_DB: keycloak + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: keycloak + logging: + driver: "local" + restart: always + + oc10-db: + image: mariadb:10.6 + networks: + ocis-net: + environment: + - MYSQL_ROOT_PASSWORD=owncloud + - MYSQL_USER=owncloud + - MYSQL_PASSWORD=owncloud + - MYSQL_DATABASE=owncloud + command: + [ + "--max-allowed-packet=128M", + "--innodb-log-file-size=64M", + "--innodb-read-only-compressed=OFF", + ] + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-u", "root", "--password=owncloud"] + interval: 10s + timeout: 5s + retries: 5 + volumes: + - oc10-mysql-data:/var/lib/mysql + logging: + driver: "local" + restart: always + + redis: + networks: + ocis-net: + image: redis:6 + command: ["--databases", "1"] + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 10s + timeout: 5s + retries: 5 + volumes: + - oc10-redis-data:/data + logging: + driver: "local" + restart: always + +volumes: + certs: + ocis-data: + keycloak-postgres-data: + oc10-mysql-data: + oc10-redis-data: + oc10-data: + oc10-tmp: + +networks: + ocis-net: diff --git a/deployments/examples/oc10_ocis_parallel/keycloak-export.sh b/deployments/examples/oc10_ocis_parallel/keycloak-export.sh new file mode 100644 index 00000000000..214c08dded0 --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/keycloak-export.sh 
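Review bot: Several credentials in this file are fixed literals rather than `.env`-overridable like `OCIS_JWT_SECRET` or `LDAP_ADMIN_PASSWORD`: `OWNCLOUD_ADMIN_PASSWORD: admin`, the MariaDB set (`OWNCLOUD_DB_PASSWORD`, `STORAGE_DRIVER_OWNCLOUDSQL_DBPASSWORD`, `MYSQL_PASSWORD`, `MYSQL_ROOT_PASSWORD`, all `owncloud`) and the Keycloak database pair (`DB_PASSWORD` / `POSTGRES_PASSWORD`, both `keycloak`), so a server deployment cannot rotate them without editing the compose file; the `${VAR:-default}` pattern already used in the same file would make this consistent, and the healthcheck `--password=owncloud` would follow. `quay.io/keycloak/keycloak:latest`, `osixia/openldap:latest` and `postgres:alpine` float while `traefik:v2.5`, `mariadb:10.6` and `redis:6` are pinned, which makes the stack non-reproducible and pulls an unreviewed identity provider image on every fresh start. The `oc10-tmp` volume is declared at the bottom but not mounted by any service, and `OWNCLOUD_TRUSTED_PROXIES` is set to the public hostname although, as far as I recall, ownCloud expects proxy IPs or ranges there — worth confirming against the oC10 documentation.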
@@ -0,0 +1,13 @@ +#! /bin/bash +docker-compose exec keycloak \ + sh -c "cd /opt/jboss/keycloak && \ + timeout 60 bin/standalone.sh \ + -Djboss.httin/standalone.sh \ + -Djboss.socket.binding.port-offset=100 \ + -Dkeycloak.migration.action=export \ + -Dkeycloak.migration.provider=singleFile \ + -Dkeycloak.migration.realmName=owncloud \ + -Dkeycloak.migration.file=owncloud-realm.json" + +docker-compose exec keycloak \ + cp /opt/jboss/keycloak/owncloud-realm.json /opt/jboss/keycloak/owncloud-realm.dist.json diff --git a/deployments/examples/oc10_ocis_parallel/monitoring_tracing/docker-compose-additions.yml b/deployments/examples/oc10_ocis_parallel/monitoring_tracing/docker-compose-additions.yml new file mode 100644 index 00000000000..16d1d47df8d --- /dev/null +++ b/deployments/examples/oc10_ocis_parallel/monitoring_tracing/docker-compose-additions.yml @@ -0,0 +1,12 @@ +--- +version: "3.7" + +services: + ocis: + environment: + OCIS_TRACING_ENABLED: "true" + OCIS_TRACING_ENDPOINT: jaeger-agent:6831 + +networks: + ocis-net: + external: true diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md index d2155cb0fa2..c42f5a9a7c3 100644 --- a/docs/ocis/deployment/_index.md +++ b/docs/ocis/deployment/_index.md @@ -20,6 +20,7 @@ oCIS deployments are super simple, yet there are many configurations possible fo - [oCIS setup with Traefik for SSL termination]({{< ref "ocis_traefik" >}}) - [oCIS setup with Keycloak as identity provider]({{< ref "ocis_keycloak" >}}) - [oCIS setup with WOPI server to open office documents in your browser]({{< ref "ocis_wopi" >}}) +- [Parallel deployment of oC10 and oCIS]({{< ref "oc10_ocis_parallel" >}}) - [oCIS with S3 storage backend (MinIO)]({{< ref "ocis_s3" >}}) - [oCIS with the Hello extension example]({{< ref "ocis_hello" >}}) diff --git a/docs/ocis/deployment/continuous_deployment.md b/docs/ocis/deployment/continuous_deployment.md index aca42a9cd14..1961aee698a 100644 --- a/docs/ocis/deployment/continuous_deployment.md 
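Review bot: The argument `-Djboss.httin/standalone.sh \` passed to `standalone.sh` is not a valid JBoss system property and reads like a mangled line (a fragment of `bin/standalone.sh` pasted into a `-Djboss.http...` option); it should be restored to the intended property or dropped, since `-Djboss.socket.binding.port-offset=100` already keeps the export instance off the live ports. A `singleFile` export includes client secrets (and, by default, realm users) in `owncloud-realm.json`, and the second command copies that straight over `owncloud-realm.dist.json`, the file that lives in the repository, so a real `OC10_OIDC_CLIENT_SECRET` could be committed by accident; a comment stating that the dist file must be reviewed before committing, or a scrub step before the copy, would address this. Neither command checks its exit status; `set -e` after the shebang would stop the copy when the export fails instead of overwriting the dist file with a stale or empty result.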
+++ b/docs/ocis/deployment/continuous_deployment.md
@@ -73,6 +73,24 @@ Credentials:
 - oCIS: [ocis.ocis-keycloak.released.owncloud.works](https://ocis.ocis-keycloak.released.owncloud.works)
 - Keycloak: [keycloak.ocis-keycloak.released.owncloud.works](https://keycloak.ocis-keycloak.released.owncloud.works)
+# Parallel deployment of oC10 and oCIS
+
+Credentials:
+
+- oC10 / oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}})
+- Keycloak:
+ - username: admin
+ - password: admin
+- LDAP management:
+ - username: cn=admin,dc=owncloud,dc=com
+ - password: admin
+
+## Latest
+
+- oC10 / oCIS: [cloud.oc10-ocis-parallel.latest.owncloud.works](https://cloud.oc10-ocis-parallel.latest.owncloud.works)
+- LDAP management: [ldap.oc10-ocis-parallel.latest.owncloud.works](https://ldap.oc10-ocis-parallel.latest.owncloud.works)
+- Keycloak: [keycloak.oc10-ocis-parallel.latest.owncloud.works](https://keycloak.oc10-ocis-parallel.latest.owncloud.works)
+
 # oCIS with Hello extension
 Credentials:
diff --git a/docs/ocis/deployment/oc10_ocis_parallel.md b/docs/ocis/deployment/oc10_ocis_parallel.md
new file mode 100644
index 00000000000..8a4e80948d1
--- /dev/null
+++ b/docs/ocis/deployment/oc10_ocis_parallel.md
@@ -0,0 +1,168 @@
+---
+title: "Parallel deployment of oC10 and oCIS"
+date: 2020-10-12T14:04:00+01:00
+weight: 24
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/ocis/deployment
+geekdocFilePath: oc10_ocis_parallel.md
+---
+
+{{< toc >}}
+
+## Overview
+
+- This setup reflects [stage 6 of the oC10 to oCIS migration plan]({{< ref "migration#stage-6-parallel-deployment" >}})
+- Traefik generating self signed certificates for local setup or obtaining valid SSL certificates for a server setup
+- OpenLDAP server with demo users
+- LDAP admin interface to edit users
+- Keycloak as OpenID Connect provider in federation with the LDAP server
+- ownCloud 10 with MariaDB and Redis
+ - ownCloud 10 is configured to synchronize users from the LDAP server
+ - ownCloud 10 is used to use OpenID Connect for authentication with Keycloak
+- oCIS running behind Traefik as reverse proxy
+ - oCIS is using the ownCloud storage driver on the same files and same database as ownCloud 10
+ - oCIS is using Keycloak as OpenID Connect provider
+ - oCIS is using the LDAP server as user backend
+- All requests to both oCIS and oC10 are routed through the oCIS proxy and will be routed based on an OIDC claim to one of them. Therefore admins can change on a user basis in the LDAP which backend is used.
+
+[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/oc10_ocis_parallel)
+
+## Server Deployment
+
+### Requirements
+
+- Linux server with docker and docker-compose installed
+- four domains set up and pointing to your server
+ - cloud.\* for serving oCIS
+ - keycloak.\* for serving Keycloak
+ - ldap .\* for serving the LDAP managment UI
+ - traefik.\* for serving the Traefik dashboard
+
+See also [example server setup]({{< ref "preparing_server" >}})
+
+### Install this example
+
+- Clone oCIS repository
+
+ `git clone https://github.com/owncloud/ocis.git`
+
+- Go to the deployment example
+
+ `cd ocis/deployment/examples/oc10_ocis_parallel`
+
+- Open the `.env` file in a text editor
+ The file by default looks like this:
+
+ ```bash
+ # If you're on a internet facing server please comment out following line.
+ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
+ INSECURE=true
+
+ ### Traefik settings ###
+ TRAEFIK_LOG_LEVEL=
+ # Serve Treafik dashboard. Defaults to "false".
+ TRAEFIK_DASHBOARD=
+ # Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test"
+ TRAEFIK_DOMAIN=
+ # Basic authentication for the dashboard. Defaults to user "admin" and password "admin"
+ TRAEFIK_BASIC_AUTH_USERS=
+ # Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server
+ TRAEFIK_ACME_MAIL=
+
+ ### shared oCIS / oC10 settings ###
+ # Domain of oCIS / oC10, where you can find the frontend. Defaults to "cloud.owncloud.test"
+ CLOUD_DOMAIN=
+
+ ### oCIS settings ###
+ # oCIS version. Defaults to "latest"
+ OCIS_DOCKER_TAG=
+ # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+ OCIS_JWT_SECRET=
+ # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+ STORAGE_TRANSFER_SECRET=
+
+ ### oCIS settings ###
+ # oC10 version. Defaults to "latest"
+ OC10_DOCKER_TAG=
+ # client secret which the openidconnect app uses to authenticate to Keycloak. Defaults to "oc10-oidc-secret"
+ OC10_OIDC_CLIENT_SECRET=
+ # app which will be shown when opening the ownCloud 10 UI. Defaults to "files" but also could be set to "web"
+ OWNCLOUD_DEFAULT_APP=
+ # if set to "false" (default) links will be opened in the classic UI, if set to "true" ownCloud Web is used
+ OWNCLOUD_WEB_REWRITE_LINKS=
+
+ ### LDAP settings ###
+ # password for the LDAP admin user "cn=admin,dc=owncloud,dc=com", defaults to "admin"
+ LDAP_ADMIN_PASSWORD=
+ # Domain of the LDAP management frontend. Defaults to "ldap.owncloud.test"
+ LDAP_MANAGER_DOMAIN=
+
+ ### Keycloak ###
+ # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
+ KEYCLOAK_DOMAIN=
+ # Realm which to be used with oC10 and oCIS. Defaults to "owncloud"
+ KEYCLOAK_REALM=
+ # Admin user login name. Defaults to "admin"
+ KEYCLOAK_ADMIN_USER=
+ # Admin user login password. Defaults to "admin"
+ KEYCLOAK_ADMIN_PASSWORD=
+ ```
+
+ You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`.
+
+ If you want to use the Traefik dashboard, set TRAEFIK_DASHBOARD to `true` (default is `false` and therefore not active). If you activate it, you must set a domain for the Traefik dashboard in `TRAEFIK_DOMAIN=` eg. `TRAEFIK_DOMAIN=traefik.owncloud.test`.
+
+ The Traefik dashboard is secured by basic auth. Default credentials are the user `admin` with the password `admin`. To set your own credentials, generate a htpasswd (eg. by using [an online tool](https://htpasswdgenerator.de/) or a cli tool).
+
+ Traefik will issue certificates with LetsEncrypt and therefore you must set an email address in `TRAEFIK_ACME_MAIL=`.
+
+ By default oCIS will be started in the `latest` version. If you want to start a specific version of oCIS set the version to `OCIS_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated).
+
+ Set your domain for the oC10 and oCIS frontend in `CLOUD_DOMAIN=`, eg. `CLOUD_DOMAIN=cloud.owncloud.test`.
+
+ You also must override the default secrets in `STORAGE_TRANSFER_SECRET` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "./#secure-an-ocis-instance" >}}).
+
+ By default ownCloud 10 will be started in the `latest` version. If you want to start a specific version of oCIS set the version to `OC10_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated).
+
+ You can switch the default application of ownCloud 10 by setting`OWNCLOUD_DEFAULT_APP=files` in oder to have the classic UI as frontend, which is also the default. If you prefer ownCloud Web as the default application in ownCloud 10 just set `OWNCLOUD_DEFAULT_APP=web`.
+
+ In oder to change the default link open action which defaults to the classic UI (`OWNCLOUD_WEB_REWRITE_LINKS=false`) you can set it to `OWNCLOUD_WEB_REWRITE_LINKS=true`. This will lead to links being opened in ownCloud Web.
+
+ The OpenLDAP server in this example deployment has an admin users, which is also used as bind user in order to keep theses examples simple. You can change the default password "admin" to a different one by setting it to `LDAP_ADMIN_PASSWORD=...`.
+
+ Set your domain for the LDAP manager UI in `LDAP_MANAGER_DOMAIN=`, eg. `ldap.owncloud.test`.
+
+ Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` eg. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`.
+
+ Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the ownCloud realm `KEYCLOAK_REALM=owncloud`. The ownCloud realm will be automatically imported on startup and includes our demo users.
+
+ You probably should secure your Keycloak admin account by setting `KEYCLOAK_ADMIN_USER=` and `KEYCLOAK_ADMIN_PASSWORD=` to values other than `admin`.
+
+ Now you have configured everything and can save the file.
+
+- Start the docker stack
+
+ `docker-compose up -d`
+
+- You now can visit the cloud, oC10 or oCIS depending on the user configuration. Marie defaults to oC10 and Richard and Einstein default to oCIS, but you can change the ownCloud selector at any time in the LDAP management UI.
+
+## Local setup
+
+For a more simple local ocis setup see [Getting started]({{< ref "../getting-started" >}})
+
+This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer.
+
+On Linux and macOS you can add them to your `/etc/hosts` files like this:
+
+```
+127.0.0.1 cloud.owncloud.test
+127.0.0.1 keycloak.owncloud.test
+127.0.0.1 ldap.owncloud.test
+127.0.0.1 traefik.owncloud.test
+```
+
+After that you're ready to start the application stack:
+
+`docker-compose up -d`
+
+You now can visit the cloud, oC10 or oCIS depending on the user configuration. Marie defaults to oC10 and Richard and Einstein default to oCIS, but you can change the ownCloud selector at any time in the LDAP management UI.
From 17935aa2adbfcd1e656005232faf083ef9bb4f73 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Mon, 27 Sep 2021 13:58:47 +0200
Subject: [PATCH 2/3] add hint about non working deployment
---
docs/ocis/deployment/oc10_ocis_parallel.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/docs/ocis/deployment/oc10_ocis_parallel.md b/docs/ocis/deployment/oc10_ocis_parallel.md
index 8a4e80948d1..1d4cb29e411 100644
--- a/docs/ocis/deployment/oc10_ocis_parallel.md
+++ b/docs/ocis/deployment/oc10_ocis_parallel.md
@@ -9,6 +9,10 @@ geekdocFilePath: oc10_ocis_parallel.md
 {{< toc >}}
+{{< hint warning >}}
+This deployment example might not fully working yet. See [github.com/owncloud/ocis/issues/2549](https://github.com/owncloud/ocis/issues/2549) for more information.
+{{< /hint >}}
+
 ## Overview
 - This setup reflects [stage 6 of the oC10 to oCIS migration plan]({{< ref "migration#stage-6-parallel-deployment" >}})
From 4bb5d006e426e2d8640c97aba1f366910ce23668 Mon Sep 17 00:00:00 2001
From: Willy Kloucek <34452982+wkloucek@users.noreply.github.com>
Date: Mon, 27 Sep 2021 14:11:24 +0200
Subject: [PATCH 3/3] Update docs/ocis/deployment/oc10_ocis_parallel.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jörn Friedrich Dreyer
---
docs/ocis/deployment/oc10_ocis_parallel.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ocis/deployment/oc10_ocis_parallel.md b/docs/ocis/deployment/oc10_ocis_parallel.md
index 1d4cb29e411..42c46c2744f 100644
--- a/docs/ocis/deployment/oc10_ocis_parallel.md
+++ b/docs/ocis/deployment/oc10_ocis_parallel.md
@@ -10,7 +10,7 @@ geekdocFilePath: oc10_ocis_parallel.md
 {{< toc >}}
 {{< hint warning >}}
-This deployment example might not fully working yet. See [github.com/owncloud/ocis/issues/2549](https://github.com/owncloud/ocis/issues/2549) for more information.
+This deployment example currently has known issues. See [github.com/owncloud/ocis/issues/2549](https://github.com/owncloud/ocis/issues/2549) for more information.
 {{< /hint >}}
 ## Overview