diff --git a/README.md b/README.md index 4d1a682..f6ead60 100644 --- a/README.md +++ b/README.md @@ -56,14 +56,13 @@ fastapi-oidc + keycloak. ### Standard usage ```python3 -from typing import Optional - from fastapi import Depends from fastapi import FastAPI from fastapi import Security from fastapi import status from fastapi_oidc import Auth +from fastapi_oidc import GrantType from fastapi_oidc import KeycloakIDToken auth = Auth( @@ -71,18 +70,14 @@ auth = Auth( issuer="http://localhost:8080/auth/realms/my-realm", # optional, verification only client_id="my-client", # optional, verification only scopes=["email"], # optional, verification only + grant_types=[GrantType.IMPLICIT], # optional, docs only idtoken_model=KeycloakIDToken, # optional, verification only ) app = FastAPI( title="Example", version="dev", - dependencies=[Depends(auth.implicit_scheme)], - # multiple available schemes: - # - oidc_scheme (displays all schemes supported by the auth server in docs) - # - password_scheme - # - implicit_scheme - # - authcode_scheme + dependencies=[Depends(auth)], ) @app.get("/protected") diff --git a/docs/index.rst b/docs/index.rst index 2a05b81..4ab4587 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -12,7 +12,7 @@ Easily used with authenticators such as: - `Okta `_ -FastAPI's generated interactive documentation supports the grant flows +FastAPI's generated interactive documentation supports the grant types ``authorization_code``, ``implicit``, ``password`` and ``client_credentials``. .. toctree:: @@ -46,14 +46,13 @@ Basic configuration for verifying OIDC tokens. .. code-block:: python3 - from typing import Optional - from fastapi import Depends from fastapi import FastAPI from fastapi import Security from fastapi import status from fastapi_oidc import Auth + from fastapi_oidc import GrantType from fastapi_oidc import KeycloakIDToken auth = Auth( @@ -61,18 +60,14 @@ Basic configuration for verifying OIDC tokens. issuer="http://localhost:8080/auth/realms/my-realm", # optional, verification only client_id="my-client", # optional, verification only scopes=["email"], # optional, verification only + grant_types=[GrantType.IMPLICIT], # optional, docs only idtoken_model=KeycloakIDToken, # optional, verification only ) app = FastAPI( title="Example", version="dev", - dependencies=[Depends(auth.implicit_scheme)], - # multiple available schemes: - # - oidc_scheme (displays all schemes supported by the auth server in docs) - # - password_scheme - # - implicit_scheme - # - authcode_scheme + dependencies=[Depends(auth)], ) @app.get("/protected") @@ -85,11 +80,16 @@ API Reference Auth ---- - .. automodule:: fastapi_oidc.auth :members: -Types ------------- -.. automodule:: fastapi_oidc.types +Grant Types +----------- +.. automodule:: fastapi_oidc.grant_types + :members: + :undoc-members: + +IDToken Types +------------- +.. automodule:: fastapi_oidc.idtoken_types :members: diff --git a/example/app/__init__.py b/example/app/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/example/app/main.py b/example/app/main.py new file mode 100644 index 0000000..c8bd27a --- /dev/null +++ b/example/app/main.py @@ -0,0 +1,61 @@ +from typing import Optional + +import uvicorn +from fastapi import Depends +from fastapi import FastAPI +from fastapi import Security +from fastapi import status +from fastapi.middleware.cors import CORSMiddleware +from starlette.responses import RedirectResponse + +from fastapi_oidc import Auth +from fastapi_oidc import KeycloakIDToken + +auth = Auth( + openid_connect_url="http://localhost:8080/auth/realms/my-realm/.well-known/openid-configuration", + issuer="http://localhost:8080/auth/realms/my-realm", # optional, verification only + client_id="my-client", # optional, verification only + scopes=["email"], # optional, verification only + idtoken_model=KeycloakIDToken, # optional, verification only +) + +app = FastAPI( + title="Example", + version="dev", + dependencies=[Depends(auth)], +) + +# CORS errors instead of seeing internal exceptions +# https://stackoverflow.com/questions/63606055/why-do-i-get-cors-error-reason-cors-request-did-not-succeed +cors = CORSMiddleware( + app=app, + allow_origins=["*"], + allow_credentials=True, + allow_methods=["*"], + allow_headers=["*"], +) + + +@app.get("/", status_code=status.HTTP_303_SEE_OTHER) +def redirect_to_docs(): + return RedirectResponse(url="/docs") + + +@app.get("/protected") +def protected(id_token: KeycloakIDToken = Security(auth.required)): + print(id_token) + return dict(message=f"You are {id_token.email}") + + +@app.get("/mixed") +def mixed(id_token: Optional[KeycloakIDToken] = Security(auth.optional)): + if id_token is None: + return dict(message="Welcome guest user!") + else: + return dict(message=f"Welcome {id_token.email}!") + + +if __name__ == "__main__": + uvicorn.run( + "example.main:cors", host="0.0.0.0", port=8000, loop="asyncio", reload=True + ) diff --git a/example/docker-compose.yml b/example/docker-compose.yml new file mode 100644 index 0000000..a88cf6a --- /dev/null +++ b/example/docker-compose.yml @@ -0,0 +1,47 @@ +version: '3' + +services: + +# test-fastapi-keycloak: +# build: +# context: . +# dockerfile: Dockerfile +# restart: always +# depends_on: +# - keycloak +# # keycloak: +# # condition: service_healthy +# network_mode: host + + keycloak: + image: jboss/keycloak:15.0.2 + volumes: + - ./my-realm-export.json:/tmp/my-realm-export.json + environment: + - DB_VENDOR=POSTGRES + - DB_ADDR=keycloak-postgres + - DB_DATABASE=keycloak + - DB_USER=keycloak + - DB_SCHEMA=public + - DB_PASSWORD=password + - KEYCLOAK_USER=admin + - KEYCLOAK_PASSWORD=admin + - KEYCLOAK_IMPORT=/tmp/my-realm-export.json + ports: + - 8080:8080 + depends_on: + - keycloak-postgres + # healthcheck: + # test: ["CMD", "curl", "-f", "http://keycloak:8080"] + # interval: 10s + # timeout: 10s + # retries: 2 + + keycloak-postgres: + image: postgres:13.4-alpine3.14 + volumes: + - ./data/keycloak-postgres:/var/lib/postgresql/data/ + environment: + - POSTGRES_USER=keycloak + - POSTGRES_PASSWORD=password + - POSTGRES_DB=keycloak diff --git a/example/my-realm-export.json b/example/my-realm-export.json new file mode 100644 index 0000000..c9dc76b --- /dev/null +++ b/example/my-realm-export.json @@ -0,0 +1,1904 @@ +{ + "id": "my-realm", + "realm": "my-realm", + "displayName": "my-realm", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "defaultRole": { + "id": "55f12764-04c4-426c-a118-12362d7749c6", + "name": "default-roles-my-realm", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "my-realm" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpSupportedApplications": [ + "FreeOTP", + "Google Authenticator" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users": [ + { + "id": "800e1a6c-8433-4b41-8458-e8464951907b", + "createdTimestamp": 1631478531903, + "username": "service-account-my-client", + "enabled": true, + "totp": false, + "emailVerified": false, + "serviceAccountClientId": "my-client", + "disableableCredentialTypes": [], + "requiredActions": [], + "notBefore": 0 + } + ], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account" + ] + } + ] + }, + "clients": [ + { + "id": "eb5e6bbd-a283-49f7-bb63-059ad3578698", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/my-realm/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/my-realm/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "0650dc0f-075a-4261-a186-f33d36d5e0a4", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/my-realm/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/my-realm/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "591d444f-66fb-452d-81c2-bd7bc606e849", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "46724daa-196b-4e3a-86d6-b9f5e85a3803", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "64e5b3fa-71a0-4b85-a293-820fb873eae3", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "3e07b533-0056-443c-baae-da3afcdc80df", + "clientId": "my-client", + "name": "my-client", + "rootUrl": "", + "adminUrl": "http://localhost:8000", + "baseUrl": "http://localhost:8000", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "http://localhost:8000/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": true, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "id.token.as.detached.signature": "false", + "saml.assertion.signature": "false", + "saml.force.post.binding": "false", + "saml.multivalued.roles": "false", + "saml.encrypt": "false", + "login_theme": "keycloak", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "saml.server.signature": "false", + "saml.server.signature.keyinfo.ext": "false", + "use.refresh.tokens": "true", + "exclude.session.state.from.auth.response": "false", + "oidc.ciba.grant.enabled": "false", + "saml.artifact.binding": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "saml_force_name_id_format": "false", + "require.pushed.authorization.requests": "false", + "saml.client.signature": "false", + "tls.client.certificate.bound.access.tokens": "false", + "saml.authnstatement": "false", + "display.on.consent.screen": "false", + "saml.onetimeuse.condition": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "be302cb6-636c-4b33-95fa-7ff6f40b8aa0", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "66506703-a12f-4772-a59c-b658417f0c6a", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "a07f0846-7b5c-4c38-a5f0-8debe722fe76", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientId", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientId", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "my-client", + "web-origins", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "681ae5dc-43be-4e23-bc98-879b923665cb", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "f9b9c185-ad9f-437c-a212-aa28066256ee", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/my-realm/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/my-realm/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "39ad5969-f278-4d64-a137-cb7d0da8ed97", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "8bf18d01-0b25-443a-8f90-b3117fcd1e26", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "c2ab5391-575c-465b-bc45-c9e90a91447a", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "b4101272-aaf7-4686-9381-7b9128bff99e", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "aeaafae1-be8e-4ce1-9758-9cf741e9f4a9", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "e62c85b0-71bf-4ee7-9c12-f292c84342d2", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "57a12976-afdb-4d9e-ad44-27dc167685e8", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "7e679baf-48a7-4443-ae57-403cc7e6eed5", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "0a20998a-ff2f-4f4f-ad68-00f6c63f5b9c", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String" + } + }, + { + "id": "66cea2e3-d0e6-47ce-90fe-f055b0977b38", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "3e79cd88-052d-4497-9298-3b7c030e44f3", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "0c88515a-6704-439e-93b3-a38ddfebef06", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "65c6a6e4-02c7-40b0-ba16-5738418799aa", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "8adf8123-3bcc-417f-b552-c8f2ea16d014", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "4f6f9fcc-a8d2-4cad-b082-ad855cad5de0", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "8a010573-60bc-453f-a3f3-6d720dbc00a7", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "f78bf0ae-d4a3-47b8-ab20-3d66f932c2ae", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "69a11e94-1967-499d-bc33-350faddd43d8", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "f6437a1d-8708-45d9-b906-18ae39e67b31", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "b2137860-47b0-4422-8dc4-6fb4aa4ad6fd", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "4bf90b24-ea6c-48a7-9f1c-7d56759ae5a0", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "856f3ba4-33ee-4826-ad79-621782c238c8", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "5868c995-8766-4e53-b2da-0e5b7c85e615", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "bb0b701a-2d01-4934-9204-cdd3a2c33998", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "c9aebc7f-fd61-44ea-b171-8ad3a8dd8c7b", + "name": "my-client", + "description": "", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "9a243689-827e-4bf6-9bd0-adba7652e5ad", + "name": "my-client", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "my-client", + "id.token.claim": "false", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "5bda6b3c-0e8d-4ee0-89c6-b1ce1c9f5260", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "9dd6a2d9-c83a-4ab9-b3c3-b8a80c2d2871", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "f4bac387-a8df-4835-8563-9c6490cc747d", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "25b134de-58d6-4875-8514-a92ed8240ef7", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "f103d677-8c99-4993-af2d-9ea792ac08ad", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "e233ff38-f427-4dde-ba16-0cdd90274c42", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "16fb7be4-cd66-43c5-a42e-211d070e19b6", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "210e166a-c971-43ab-8a61-3b5e39a9b660", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "d9180b06-8bca-43fe-a992-d5591914c6ec", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "0fb2e6f2-4445-4e02-a579-1e3d993d37ef", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "a598ff77-47ea-4894-ba35-148f913801f7", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "40a7ca68-5056-4ec8-8992-c6100b109368", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "ab2db503-e939-4dcb-bda1-694ea7c09ffa", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "8b2e5b87-76b9-4365-b030-db4d0b6650dd", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "1ac9e52f-feaa-4e30-9853-a532b34301da", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "52f22454-cd9e-4def-b344-cdb618f6182c", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "5d351e09-2d37-4824-a623-96c5a075b5ca", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper" + ] + } + }, + { + "id": "87f33232-61fe-4ff9-bbee-52f9238442c2", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "1ee16f47-7e34-4715-aaa5-112ad03dbcf0", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "5e76d56e-22a6-4bdc-b80e-708fe34fb5d5", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-address-mapper", + "saml-role-list-mapper", + "oidc-full-name-mapper", + "saml-user-attribute-mapper", + "oidc-usermodel-property-mapper", + "saml-user-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-attribute-mapper" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "d8798eff-533d-4b51-9681-2a1dbebc0200", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "4c7306e4-0d18-4e94-bc0a-ff6c66ef0a45", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "a4da375f-5f6f-46ef-b72b-05e1ed5ca317", + "name": "rsa-enc-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "keyUse": [ + "enc" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "5ebc2583-6b45-4918-a766-89f0238c14c2", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "keyUse": [ + "sig" + ], + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "92970034-bdd0-4373-87e9-7b3e7f7bc3da", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "1f5085c0-737c-477e-b968-244a2e29adfb", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "cf6cefcb-5c64-4d06-a874-5dfc58b4d1c0", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "3b7c8e33-8348-41c1-8837-5642a1e6559c", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "886e091f-f508-4885-b58e-3fa853358478", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "e9112f88-708e-48ee-8cef-1fdcbe123582", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "flowAlias": "Account verification options", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "58fd75b4-ce07-43ab-8b9c-41afed9065b1", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "0ee563c4-2504-4923-83b3-ea54a29d6174", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "e2ff33d3-f0d5-4760-85ab-7ac64633899a", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "70679892-9c8b-49ec-917b-66879f4f2142", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "flowAlias": "forms", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "95abca5d-f66f-4751-8522-72a5049293c6", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "f2c0d366-1ca6-4fb9-8b4d-d873b0750a64", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "c723e258-c482-46f4-8e4a-b7a14f5cb449", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "144b5c5d-0f1e-437c-91f7-e67c54021030", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "flowAlias": "User creation or linking", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "6872a04c-e6f5-4499-aefc-5517b18496e6", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "d8a6aa7e-4d9f-4d7f-87ad-cd71323a35cb", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "flowAlias": "Authentication Options", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "bc6160f9-428b-4246-99c7-61f0c1b2eaf2", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "flowAlias": "registration form", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "e2ae961b-86a5-4ace-96f3-eb39a3a84a22", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + }, + { + "id": "5f3e587b-79e0-431f-9105-79be847494f1", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "userSetupAllowed": false, + "autheticatorFlow": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false, + "autheticatorFlow": true + } + ] + }, + { + "id": "529a5e99-1ade-48c2-9e4f-53f9a898c8d8", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "userSetupAllowed": false, + "autheticatorFlow": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "d93706ec-192d-412a-b36e-1c1d256f8609", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "f95a1f32-0044-466c-a60d-10bf47cecd2f", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "clientOfflineSessionMaxLifespan": "0", + "clientSessionIdleTimeout": "0", + "userProfileEnabled": "false", + "clientSessionMaxLifespan": "0", + "parRequestUriLifespan": "60", + "clientOfflineSessionIdleTimeout": "0", + "cibaInterval": "5" + }, + "keycloakVersion": "15.0.2", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} \ No newline at end of file diff --git a/fastapi_oidc/__init__.py b/fastapi_oidc/__init__.py index f910504..5c7f384 100644 --- a/fastapi_oidc/__init__.py +++ b/fastapi_oidc/__init__.py @@ -1,4 +1,5 @@ from fastapi_oidc.auth import Auth # noqa -from fastapi_oidc.types import IDToken # noqa -from fastapi_oidc.types import KeycloakIDToken # noqa -from fastapi_oidc.types import OktaIDToken # noqa +from fastapi_oidc.grant_types import GrantType # noqa +from fastapi_oidc.idtoken_types import IDToken # noqa +from fastapi_oidc.idtoken_types import KeycloakIDToken # noqa +from fastapi_oidc.idtoken_types import OktaIDToken # noqa diff --git a/fastapi_oidc/auth.py b/fastapi_oidc/auth.py index 3967d66..8e1965c 100644 --- a/fastapi_oidc/auth.py +++ b/fastapi_oidc/auth.py @@ -7,7 +7,7 @@ .. code-block:: python3 - # This assumes you've already configured get_auth in your_app.py + # This assumes you've already configured Auth in your_app/auth.py from your_app.auth import auth @app.get("/auth") @@ -23,13 +23,14 @@ def test_auth(authenticated_user: IDToken = Depends(auth.required)): from fastapi import HTTPException from fastapi import Request from fastapi import status +from fastapi.openapi.models import OAuthFlowAuthorizationCode +from fastapi.openapi.models import OAuthFlowClientCredentials +from fastapi.openapi.models import OAuthFlowImplicit +from fastapi.openapi.models import OAuthFlowPassword from fastapi.openapi.models import OAuthFlows from fastapi.security import HTTPAuthorizationCredentials from fastapi.security import HTTPBearer from fastapi.security import OAuth2 -from fastapi.security import OAuth2AuthorizationCodeBearer -from fastapi.security import OAuth2PasswordBearer -from fastapi.security import OpenIdConnect from fastapi.security import SecurityScopes from jose import ExpiredSignatureError from jose import JWTError @@ -37,21 +38,18 @@ def test_auth(authenticated_user: IDToken = Depends(auth.required)): from jose.exceptions import JWTClaimsError from fastapi_oidc import discovery -from fastapi_oidc.types import IDToken +from fastapi_oidc.grant_types import GrantType +from fastapi_oidc.idtoken_types import IDToken -class OAuth2Facade(OAuth2): - async def __call__(self, request: Request) -> Optional[str]: - return None - - -class Auth: +class Auth(OAuth2): def __init__( self, openid_connect_url: str, issuer: Optional[str] = None, client_id: Optional[str] = None, scopes: List[str] = list(), + grant_types: List[GrantType] = [GrantType.IMPLICIT], signature_cache_ttl: int = 3600, idtoken_model: Type = IDToken, ): @@ -64,6 +62,7 @@ def __init__( issuer (URL): (Optional) The issuer URL from your auth server. client_id (str): (Optional) The client_id configured by your auth server. scopes (Dict[str, str]): (Optional) A dictionary of scopes and their descriptions. + grant_types (List[GrantType]): (Optional) Grant types shown in docs. signature_cache_ttl (int): (Optional) How many seconds your app should cache the authorization server's public signatures. idtoken_model (Type): (Optional) The model to use for validating the ID Token. @@ -82,39 +81,45 @@ def __init__( oidc_discoveries = self.discover.auth_server( openid_connect_url=self.openid_connect_url ) - scopes_dict = { - scope: "" for scope in self.discover.supported_scopes(oidc_discoveries) - } + # scopes_dict = { + # scope: "" for scope in self.discover.supported_scopes(oidc_discoveries) + # } + + flows = OAuthFlows() + if GrantType.AUTHORIZATION_CODE in grant_types: + flows.authorizationCode = OAuthFlowAuthorizationCode( + authorizationUrl=self.discover.authorization_url(oidc_discoveries), + tokenUrl=self.discover.token_url(oidc_discoveries), + # scopes=scopes_dict, + ) - self.oidc_scheme = OpenIdConnect( - openIdConnectUrl=openid_connect_url, - auto_error=False, - ) - self.password_scheme = OAuth2PasswordBearer( - tokenUrl=self.discover.token_url(oidc_discoveries), - scopes=scopes_dict, - auto_error=False, - ) - self.implicit_scheme = OAuth2Facade( - flows=OAuthFlows( - implicit={ - "authorizationUrl": self.discover.authorization_url( - oidc_discoveries - ), - "scopes": scopes_dict, - } - ), - scheme_name="OAuth2ImplicitBearer", - auto_error=False, - ) - self.authcode_scheme = OAuth2AuthorizationCodeBearer( - authorizationUrl=self.discover.authorization_url(oidc_discoveries), - tokenUrl=self.discover.token_url(oidc_discoveries), - # refreshUrl=self.discover.refresh_url(oidc_discoveries), - scopes=scopes_dict, + if GrantType.CLIENT_CREDENTIALS in grant_types: + flows.clientCredentials = OAuthFlowClientCredentials( + tokenUrl=self.discover.token_url(oidc_discoveries), + # scopes=scopes_dict, + ) + + if GrantType.PASSWORD in grant_types: + flows.password = OAuthFlowPassword( + tokenUrl=self.discover.token_url(oidc_discoveries), + # scopes=scopes_dict, + ) + + if GrantType.IMPLICIT in grant_types: + flows.implicit = OAuthFlowImplicit( + authorizationUrl=self.discover.authorization_url(oidc_discoveries), + # scopes=scopes_dict, + ) + + super().__init__( + scheme_name="OIDC", + flows=flows, auto_error=False, ) + async def __call__(self, request: Request) -> Optional[str]: + return None + def required( self, security_scopes: SecurityScopes, @@ -201,7 +206,11 @@ def authenticate_user( raises: HTTPException(status_code=401, detail=f"Unauthorized: {err}") """ - if authorization_credentials is None: + + if ( + authorization_credentials is None + or authorization_credentials.scheme.lower() != "bearer" + ): if auto_error: raise HTTPException( status.HTTP_401_UNAUTHORIZED, detail="Missing bearer token" diff --git a/fastapi_oidc/grant_types.py b/fastapi_oidc/grant_types.py new file mode 100644 index 0000000..e04a136 --- /dev/null +++ b/fastapi_oidc/grant_types.py @@ -0,0 +1,10 @@ +from enum import Enum + + +class GrantType(str, Enum): + """Grant types shown in docs.""" + + AUTHORIZATION_CODE = "authorization_code" + CLIENT_CREDENTIALS = "client_credentials" + IMPLICIT = "implicit" + PASSWORD = "password" # nosec diff --git a/fastapi_oidc/types.py b/fastapi_oidc/idtoken_types.py similarity index 100% rename from fastapi_oidc/types.py rename to fastapi_oidc/idtoken_types.py diff --git a/pyproject.toml b/pyproject.toml index 155fcdb..277855b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -37,4 +37,4 @@ build-backend = "poetry.masonry.api" profile = "black" force_single_line = "True" known_first_party = [] -known_third_party = ["cachetools", "cryptography", "fastapi", "jose", "jwt", "pydantic", "pytest", "requests"] \ No newline at end of file +known_third_party = ["cachetools", "cryptography", "fastapi", "jose", "jwt", "pydantic", "pytest", "requests", "starlette", "uvicorn"] \ No newline at end of file diff --git a/tests/test_auth.py b/tests/test_auth.py index b052d2a..cf37cb5 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -3,7 +3,7 @@ import fastapi_oidc from fastapi_oidc import Auth -from fastapi_oidc.types import IDToken +from fastapi_oidc.idtoken_types import IDToken def test__authenticate_user( @@ -21,7 +21,7 @@ def test__authenticate_user( id_token = auth.required( security_scopes=SecurityScopes(scopes=[]), authorization_credentials=HTTPAuthorizationCredentials( - scheme="hello", credentials=token + scheme="Bearer", credentials=token ), ) @@ -46,7 +46,7 @@ def test__authenticate_user_no_aud( id_token = auth.required( security_scopes=SecurityScopes(scopes=[]), authorization_credentials=HTTPAuthorizationCredentials( - scheme="hello", credentials=token + scheme="Bearer", credentials=token ), ) @@ -71,7 +71,7 @@ class CustomToken(IDToken): custom_token = auth.required( security_scopes=SecurityScopes(scopes=[]), authorization_credentials=HTTPAuthorizationCredentials( - scheme="hello", credentials=token + scheme="Bearer", credentials=token ), ) diff --git a/tests/test_types.py b/tests/test_types.py index fb754d9..d715443 100644 --- a/tests/test_types.py +++ b/tests/test_types.py @@ -1,12 +1,12 @@ import pydantic import pytest -from fastapi_oidc import types +from fastapi_oidc import idtoken_types def test_IDToken_raises_with_bad_field_types(): with pytest.raises(pydantic.ValidationError): - types.IDToken( + idtoken_types.IDToken( iss="ClearAirTurbulence", sub="ValueJudgement", aud="SoberCounsel", @@ -17,7 +17,7 @@ def test_IDToken_raises_with_bad_field_types(): def test_IDToken_only_requires_fields_in_OIDC_spec(): # Call IDToken with minimal types defined in spec - assert types.IDToken( + assert idtoken_types.IDToken( iss="ClearAirTurbulence", sub="ValueJudgement", aud="SoberCounsel", @@ -27,7 +27,7 @@ def test_IDToken_only_requires_fields_in_OIDC_spec(): def test_IDToken_takes_arbitrary_extra_fields(): - assert types.IDToken( + assert idtoken_types.IDToken( iss="ClearAirTurbulence", sub="ValueJudgement", aud="SoberCounsel",