mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5bc2538aab
meldestelle/config/docker/keycloak/meldestelle-realm.json
Stefan Mogeritsch 440ab4b141 docs: finalize Keycloak hardening and validate updated Realm config 
Documented the completed Keycloak hardening steps, including PKCE S256 support, CORS security improvements, strengthened password policy, and logout redirect URI configurations. Verified and updated the `meldestelle-realm.json` and roadmap to reflect these changes.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
2026-03-09 15:51:42 +01:00

398 lines
11 KiB
JSON
Raw Blame History

{
"realm": "meldestelle",
"enabled": true,
"displayName": "Meldestelle Authentication",
"displayNameHtml": "<div class=\"kc-logo-text\"><span>Meldestelle</span></div>",
"sslRequired": "external",
"registrationAllowed": false,
"registrationEmailAsUsername": false,
"rememberMe": true,
"verifyEmail": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": true,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60,
"quickLoginCheckMilliSeconds": 1000,
"maxDeltaTimeSeconds": 43200,
"failureFactor": 5,
"defaultSignatureAlgorithm": "RS256",
"offlineSessionMaxLifespan": 5184000,
"offlineSessionMaxLifespanEnabled": false,
"accessTokenLifespan": 300,
"accessTokenLifespanForImplicitFlow": 900,
"ssoSessionIdleTimeout": 1800,
"ssoSessionMaxLifespan": 36000,
"refreshTokenMaxReuse": 0,
"accessCodeLifespan": 60,
"accessCodeLifespanUserAction": 300,
"accessCodeLifespanLogin": 1800,
"actionTokenGeneratedByAdminLifespan": 43200,
"actionTokenGeneratedByUserLifespan": 300,
"oauth2DeviceCodeLifespan": 600,
"oauth2DevicePollingInterval": 5,
"internationalizationEnabled": true,
"supportedLocales": [
"de",
"en"
],
"defaultLocale": "de",
"roles": {
"realm": [
{
"name": "ADMIN",
"description": "Administrator role with full system access",
"composite": false,
"clientRole": false
},
{
"name": "USER",
"description": "Standard user role with limited access",
"composite": false,
"clientRole": false
},
{
"name": "MELD_USER",
"description": "Verified user role (Technical placeholder for REITER)",
"composite": false,
"clientRole": false
},
{
"name": "MONITORING",
"description": "Monitoring role for system health checks",
"composite": false,
"clientRole": false
},
{
"name": "GUEST",
"description": "Guest role with minimal access",
"composite": false,
"clientRole": false
}
]
},
"clients": [
{
"clientId": "api-gateway",
"name": "API Gateway Client",
"description": "OAuth2 client for the Meldestelle API Gateway",
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "K5RqonwVOaxPKaXVH4mbthSRbjRh5tOK",
"redirectUris": [
"http://localhost:8081/*",
"http://localhost:3000/*",
"https://app.meldestelle.at/*"
],
"webOrigins": [
"http://localhost:8081",
"http://localhost:3000",
"https://app.meldestelle.at",
"http://localhost:8080"
],
"protocol": "openid-connect",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"authorizationServicesEnabled": false,
"fullScopeAllowed": true,
"frontchannelLogout": true,
"attributes": {
"access.token.lifespan": "300",
"client.secret.creation.time": "0",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"backchannel.logout.revoke.offline.tokens": "false",
"post.logout.redirect.uris": "http://localhost:8081/*##http://localhost:3000/*##https://app.meldestelle.at/*"
},
"protocolMappers": [
{
"name": "realm-roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-realm-role-mapper",
"consentRequired": false,
"config": {
"multivalued": "true",
"userinfo.token.claim": "true",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "realm_access.roles",
"jsonType.label": "String"
}
},
{
"name": "client-roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-client-role-mapper",
"consentRequired": false,
"config": {
"multivalued": "true",
"userinfo.token.claim": "true",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "resource_access.${client_id}.roles",
"jsonType.label": "String"
}
},
{
"name": "username",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "username",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "preferred_username",
"jsonType.label": "String"
}
},
{
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email",
"jsonType.label": "String"
}
},
{
"name": "full-name",
"protocol": "openid-connect",
"protocolMapper": "oidc-full-name-mapper",
"consentRequired": false,
"config": {
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true"
}
}
]
},
{
"clientId": "web-app",
"name": "Web Application Client",
"description": "Public client for web frontend",
"enabled": true,
"publicClient": true,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"redirectUris": [
"http://localhost:8080/*",
"http://localhost:4000/*",
"http://localhost:3000/*",
"https://app.meldestelle.at/*"
],
"webOrigins": [
"http://localhost:8080",
"http://localhost:4000",
"http://localhost:3000",
"https://app.meldestelle.at"
],
"protocol": "openid-connect",
"attributes": {
"pkce.code.challenge.method": "S256",
"post.logout.redirect.uris": "http://localhost:8080/*##http://localhost:4000/*##http://localhost:3000/*##https://app.meldestelle.at/*"
}
},
{
"clientId": "postman-client",
"name": "Postman Test Client",
"description": "Confidential client for backend testing via Postman",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "postman-secret-123",
"redirectUris": [
"https://oauth.pstmn.io/v1/callback"
],
"webOrigins": [],
"protocol": "openid-connect",
"bearerOnly": false,
"publicClient": false,
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"fullScopeAllowed": true
},
{
"clientId": "frontend-client",
"name": "Meldestelle Desktop & Mobile Client",
"description": "Public PKCE client for the KMP Compose Desktop/Mobile application",
"enabled": true,
"publicClient": true,
"protocol": "openid-connect",
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"authorizationServicesEnabled": false,
"attributes": {
"pkce.code.challenge.method": "S256",
"post.logout.redirect.uris": "meldestelle://callback##http://localhost:*##https://app.meldestelle.at/*"
},
"redirectUris": [
"meldestelle://callback",
"http://localhost:*",
"https://app.meldestelle.at/*"
],
"webOrigins": [
"http://localhost:8080",
"http://localhost:4000",
"https://app.meldestelle.at"
],
"defaultClientScopes": [
"web-origins",
"acr",
"roles",
"profile",
"basic",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
],
"users": [
{
"username": "admin",
"enabled": true,
"emailVerified": true,
"firstName": "System",
"lastName": "Administrator",
"email": "admin@meldestelle.local",
"credentials": [
{
"type": "password",
"value": "password",
"temporary": false
}
],
"realmRoles": [
"ADMIN",
"USER",
"MELD_USER"
],
"clientRoles": {
"api-gateway": [
"ADMIN"
]
}
}
],
"groups": [],
"defaultRoles": [
"USER",
"GUEST"
],
"requiredCredentials": [
"password"
],
"passwordPolicy": "length(10) and digits(1) and upperCase(1) and specialChars(1) and notUsername(undefined)",
"otpPolicyType": "totp",
"otpPolicyAlgorithm": "HmacSHA1",
"otpPolicyInitialCounter": 0,
"otpPolicyDigits": 6,
"otpPolicyLookAheadWindow": 1,
"otpPolicyPeriod": 30,
"otpSupportedApplications": [
"FreeOTP",
"Google Authenticator"
],
"webAuthnPolicyRpEntityName": "meldestelle",
"webAuthnPolicySignatureAlgorithms": [
"ES256",
"RS256"
],
"smtpServer": {},
"eventsEnabled": true,
"eventsListeners": [
"jboss-logging"
],
"enabledEventTypes": [
"LOGIN",
"LOGIN_ERROR",
"LOGOUT",
"REGISTER",
"REGISTER_ERROR",
"UPDATE_PASSWORD",
"UPDATE_PASSWORD_ERROR"
],
"adminEventsEnabled": true,
"adminEventsDetailsEnabled": true,
"identityProviders": [],
"identityProviderMappers": [],
"components": {
"org.keycloak.keys.KeyProvider": [
{
"name": "rsa-generated",
"providerId": "rsa-generated",
"subComponents": {},
"config": {
"priority": [
"100"
]
}
},
{
"name": "hmac-generated",
"providerId": "hmac-generated",
"subComponents": {},
"config": {
"priority": [
"100"
],
"algorithm": [
"HS256"
]
}
},
{
"name": "aes-generated",
"providerId": "aes-generated",
"subComponents": {},
"config": {
"priority": [
"100"
]
}
}
]
},
"authenticationFlows": [],
"authenticatorConfig": [],
"requiredActions": [],
"browserFlow": "browser",
"registrationFlow": "registration",
"directGrantFlow": "direct grant",
"resetCredentialsFlow": "reset credentials",
"clientAuthenticationFlow": "clients",
"dockerAuthenticationFlow": "docker auth",
"attributes": {
"frontendUrl": "",
"acr.loa.map": "{}",
"clientOfflineSessionMaxLifespan": "0",
"clientSessionIdleTimeout": "0",
"clientSessionMaxLifespan": "0",
"clientOfflineSessionIdleTimeout": "0"
}
}
Reference in New Issue View Git Blame Copy Permalink