11763405ab
- Add a configure_webauthn helper to sync.sh that sets the WebAuthn policy (both 2FA and passwordless variants) on a realm and enables the webauthn-register and webauthn-register-passwordless required actions so users can self-enroll passkeys via the account console. - Apply it to both master (RP "E-Cosplay Auth") and ecosplay (RP "E-Cosplay") on every sync run, idempotent. - Mirror the same policy fields and required actions in the ecosplay realm import JSON for fresh installs. Sensible defaults: ES256/RS256/EdDSA, user verification preferred, no attestation, resident key not specified. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
216 lines
6.5 KiB
JSON
216 lines
6.5 KiB
JSON
{
|
|
"realm": "ecosplay",
|
|
"displayName": "E-Cosplay",
|
|
"displayNameHtml": "<span style=\"font-weight:900;text-transform:uppercase;font-style:italic;\">E-Cosplay</span>",
|
|
"enabled": true,
|
|
|
|
"loginTheme": "ecosplay",
|
|
"accountTheme": "ecosplay",
|
|
"emailTheme": "ecosplay",
|
|
"adminTheme": "keycloak.v2",
|
|
|
|
"internationalizationEnabled": true,
|
|
"supportedLocales": ["fr"],
|
|
"defaultLocale": "fr",
|
|
|
|
"registrationAllowed": true,
|
|
"registrationEmailAsUsername": true,
|
|
"rememberMe": true,
|
|
"verifyEmail": true,
|
|
"loginWithEmailAllowed": true,
|
|
"duplicateEmailsAllowed": false,
|
|
"resetPasswordAllowed": true,
|
|
"editUsernameAllowed": false,
|
|
|
|
"bruteForceProtected": true,
|
|
"permanentLockout": false,
|
|
"maxFailureWaitSeconds": 900,
|
|
"minimumQuickLoginWaitSeconds": 60,
|
|
"waitIncrementSeconds": 60,
|
|
"quickLoginCheckMilliSeconds": 1000,
|
|
"maxDeltaTimeSeconds": 43200,
|
|
"failureFactor": 5,
|
|
|
|
"passwordPolicy": "length(10) and specialChars(1) and digits(1) and upperCase(1) and lowerCase(1) and notUsername(undefined) and notEmail(undefined)",
|
|
|
|
"accessTokenLifespan": 300,
|
|
"accessTokenLifespanForImplicitFlow": 900,
|
|
"ssoSessionIdleTimeout": 1800,
|
|
"ssoSessionMaxLifespan": 36000,
|
|
"offlineSessionIdleTimeout": 2592000,
|
|
"actionTokenGeneratedByUserLifespan": 900,
|
|
|
|
"webAuthnPolicyRpEntityName": "E-Cosplay",
|
|
"webAuthnPolicySignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
|
|
"webAuthnPolicyUserVerificationRequirement": "preferred",
|
|
"webAuthnPolicyAttestationConveyancePreference": "none",
|
|
"webAuthnPolicyRequireResidentKey": "not specified",
|
|
"webAuthnPolicyPasswordlessRpEntityName": "E-Cosplay",
|
|
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256", "RS256", "EdDSA"],
|
|
"webAuthnPolicyPasswordlessUserVerificationRequirement": "preferred",
|
|
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "none",
|
|
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
|
|
|
|
"requiredActions": [
|
|
{
|
|
"alias": "CONFIGURE_TOTP",
|
|
"name": "Configure OTP",
|
|
"providerId": "CONFIGURE_TOTP",
|
|
"enabled": true,
|
|
"defaultAction": false,
|
|
"priority": 10,
|
|
"config": {}
|
|
},
|
|
{
|
|
"alias": "webauthn-register",
|
|
"name": "Webauthn Register",
|
|
"providerId": "webauthn-register",
|
|
"enabled": true,
|
|
"defaultAction": false,
|
|
"priority": 70,
|
|
"config": {}
|
|
},
|
|
{
|
|
"alias": "webauthn-register-passwordless",
|
|
"name": "Webauthn Register Passwordless",
|
|
"providerId": "webauthn-register-passwordless",
|
|
"enabled": true,
|
|
"defaultAction": false,
|
|
"priority": 80,
|
|
"config": {}
|
|
}
|
|
],
|
|
|
|
"smtpServer": {
|
|
"host": "email-smtp.eu-west-3.amazonaws.com",
|
|
"port": "587",
|
|
"from": "auth@e-cosplay.fr",
|
|
"fromDisplayName": "E-Cosplay",
|
|
"replyTo": "noreply@e-cosplay.fr",
|
|
"envelopeFrom": "auth@e-cosplay.fr",
|
|
"auth": "true",
|
|
"starttls": "true",
|
|
"ssl": "false",
|
|
"user": "AKIAWTT2T22CWBRBBDYN",
|
|
"password": "BBdgb6KxRQ8mNcpWFJsZCJxbSGNdgLhKFiITMErfBlQP"
|
|
},
|
|
|
|
"groups": [
|
|
{ "name": "gp_asso" },
|
|
{ "name": "gp_contest" },
|
|
{ "name": "gp_mail" },
|
|
{ "name": "gp_mailling" },
|
|
{ "name": "gp_member" },
|
|
{ "name": "gp_ndd" },
|
|
{ "name": "gp_sign" },
|
|
{ "name": "gp_ticket" },
|
|
{ "name": "super_admin_asso" },
|
|
{ "name": "superadmin" }
|
|
],
|
|
|
|
"users": [
|
|
{
|
|
"username": "jovann@e-cosplay.fr",
|
|
"email": "jovann@e-cosplay.fr",
|
|
"firstName": "Jovann",
|
|
"lastName": "Serreau",
|
|
"enabled": true,
|
|
"emailVerified": true,
|
|
"credentials": [
|
|
{
|
|
"type": "password",
|
|
"value": "Shoko1997@",
|
|
"temporary": false
|
|
}
|
|
],
|
|
"requiredActions": ["CONFIGURE_TOTP"],
|
|
"groups": ["/super_admin_asso", "/superadmin"],
|
|
"clientRoles": {
|
|
"realm-management": ["realm-admin"]
|
|
}
|
|
}
|
|
],
|
|
|
|
"clients": [
|
|
{
|
|
"clientId": "ecosplay_web",
|
|
"name": "E-Cosplay Web",
|
|
"description": "Application web principale e-cosplay.fr (login site interne)",
|
|
"enabled": true,
|
|
"publicClient": false,
|
|
"secret": "change-me-in-admin-console",
|
|
"redirectUris": [
|
|
"https://www.e-cosplay.fr/oauth/keycloak",
|
|
"https://cos.local/oauth/keycloak"
|
|
],
|
|
"webOrigins": [
|
|
"https://www.e-cosplay.fr",
|
|
"https://cos.local"
|
|
],
|
|
"protocol": "openid-connect",
|
|
"standardFlowEnabled": true,
|
|
"implicitFlowEnabled": false,
|
|
"directAccessGrantsEnabled": false,
|
|
"serviceAccountsEnabled": false,
|
|
"frontchannelLogout": true,
|
|
"attributes": {
|
|
"post.logout.redirect.uris": "https://www.e-cosplay.fr/*##https://cos.local/*",
|
|
"pkce.code.challenge.method": "S256"
|
|
}
|
|
},
|
|
{
|
|
"clientId": "ecosplay_code",
|
|
"name": "E-Cosplay Code",
|
|
"description": "Forge de code (Gitea) - login SSO via ecosplay_code provider (Gitea ne supporte pas PKCE)",
|
|
"enabled": true,
|
|
"publicClient": false,
|
|
"secret": "change-me-in-admin-console",
|
|
"redirectUris": [
|
|
"https://code.e-cosplay.fr/user/oauth2/ecosplay_code/callback",
|
|
"https://cos.local/user/oauth2/ecosplay_code/callback"
|
|
],
|
|
"webOrigins": [
|
|
"https://code.e-cosplay.fr",
|
|
"https://cos.local"
|
|
],
|
|
"protocol": "openid-connect",
|
|
"standardFlowEnabled": true,
|
|
"implicitFlowEnabled": false,
|
|
"directAccessGrantsEnabled": false,
|
|
"serviceAccountsEnabled": false,
|
|
"frontchannelLogout": true,
|
|
"attributes": {
|
|
"post.logout.redirect.uris": "https://code.e-cosplay.fr/*##https://cos.local/*"
|
|
}
|
|
},
|
|
{
|
|
"clientId": "eticket",
|
|
"name": "E-Ticket",
|
|
"description": "Application billetterie ticket.e-cosplay.fr",
|
|
"enabled": true,
|
|
"publicClient": false,
|
|
"secret": "change-me-in-admin-console",
|
|
"redirectUris": [
|
|
"https://ticket.e-cosplay.fr/api/auth/login/sso/validate",
|
|
"https://cos.local/api/auth/login/sso/validate",
|
|
"https://ticket.e-cosplay.fr/connection/sso/check",
|
|
"https://cos.local/connection/sso/check"
|
|
],
|
|
"webOrigins": [
|
|
"https://ticket.e-cosplay.fr",
|
|
"https://cos.local"
|
|
],
|
|
"protocol": "openid-connect",
|
|
"standardFlowEnabled": true,
|
|
"implicitFlowEnabled": false,
|
|
"directAccessGrantsEnabled": false,
|
|
"serviceAccountsEnabled": false,
|
|
"frontchannelLogout": true,
|
|
"attributes": {
|
|
"post.logout.redirect.uris": "https://ticket.e-cosplay.fr/*##https://cos.local/*",
|
|
"pkce.code.challenge.method": "S256"
|
|
}
|
|
}
|
|
]
|
|
}
|