2022-12-14 18:59:40 +00:00
3 changed files with 73 additions and 65 deletions
--- a/config/keycloak/import/cerc-realm.json
+++ b/config/keycloak/import/cerc-realm.json
@ -1077,9 +1077,11 @@
  },
  "smtpServer": {},
  "accountTheme": "custom",
-  "eventsEnabled": false,
+  "eventsEnabled": true,
+  "eventsExpiration": 604800,
  "eventsListeners": [
    "api-key-registration-generation",
+    "metrics-listener",
    "jboss-logging"
  ],
  "enabledEventTypes": [
@ -1184,13 +1186,13 @@
        "subComponents": {},
        "config": {
          "allowed-protocol-mapper-types": [
-            "oidc-full-name-mapper",
            "saml-user-property-mapper",
-            "saml-role-list-mapper",
-            "saml-user-attribute-mapper",
-            "oidc-usermodel-attribute-mapper",
            "oidc-sha256-pairwise-sub-mapper",
+            "oidc-full-name-mapper",
+            "saml-role-list-mapper",
            "oidc-usermodel-property-mapper",
+            "oidc-usermodel-attribute-mapper",
+            "saml-user-attribute-mapper",
            "oidc-address-mapper"
          ]
        }
@ -1235,14 +1237,14 @@
        "subComponents": {},
        "config": {
          "allowed-protocol-mapper-types": [
-            "oidc-full-name-mapper",
            "oidc-usermodel-property-mapper",
-            "oidc-sha256-pairwise-sub-mapper",
            "saml-role-list-mapper",
-            "oidc-usermodel-attribute-mapper",
            "saml-user-property-mapper",
+            "oidc-full-name-mapper",
+            "oidc-address-mapper",
+            "oidc-sha256-pairwise-sub-mapper",
            "saml-user-attribute-mapper",
-            "oidc-address-mapper"
+            "oidc-usermodel-attribute-mapper"
          ]
        }
      },
@ -1310,7 +1312,7 @@
  "supportedLocales": [],
  "authenticationFlows": [
    {
-      "id": "ff26f4cd-37cb-4fd7-b1ca-a9c7bf18b513",
+      "id": "43505ad9-3c8d-4f11-9f90-55bcf19e621b",
      "alias": "Handle Existing Account",
      "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
      "providerId": "basic-flow",
@ -1336,7 +1338,7 @@
      ]
    },
    {
-      "id": "9f687769-523f-4644-9071-762be675a65c",
+      "id": "f5a8bcf1-b58f-4fd9-a0c1-4ec3933d9d64",
      "alias": "Handle Existing Account - Alternatives - 0",
      "description": "Subflow of Handle Existing Account with alternative executions",
      "providerId": "basic-flow",
@ -1362,7 +1364,7 @@
      ]
    },
    {
-      "id": "536c5d7c-7c05-4090-a4ad-4d52bf7b0b32",
+      "id": "b3f19451-b375-4341-8c23-f9a3b531ceb0",
      "alias": "Verify Existing Account by Re-authentication",
      "description": "Reauthentication of existing account",
      "providerId": "basic-flow",
@ -1388,7 +1390,7 @@
      ]
    },
    {
-      "id": "579f12ed-b8bb-4454-909b-7214395b0618",
+      "id": "0db81a1c-dd36-4721-89e4-19dc7e204b56",
      "alias": "Verify Existing Account by Re-authentication - auth-otp-form - Conditional",
      "description": "Flow to determine if the auth-otp-form authenticator should be used or not.",
      "providerId": "basic-flow",
@ -1414,7 +1416,7 @@
      ]
    },
    {
-      "id": "140ddee8-3a08-4871-a001-40d7445a53c8",
+      "id": "e0937686-c0c4-41b2-8abd-98b5219e1953",
      "alias": "browser",
      "description": "browser based authentication",
      "providerId": "basic-flow",
@ -1456,7 +1458,7 @@
      ]
    },
    {
-      "id": "f744beca-2c05-4525-b7c7-03a38d5fec76",
+      "id": "3508fa7b-a459-44ad-b56a-af9737ed86a5",
      "alias": "browser plus basic",
      "description": "browser based authentication",
      "providerId": "basic-flow",
@ -1506,7 +1508,7 @@
      ]
    },
    {
-      "id": "335698a5-f6ea-4cca-a5f8-5ae7544eedba",
+      "id": "79ee49ad-20f2-4967-a9bf-ddca82c1516c",
      "alias": "browser plus basic forms",
      "description": "Username, password, otp and other auth forms.",
      "providerId": "basic-flow",
@ -1532,7 +1534,7 @@
      ]
    },
    {
-      "id": "de2913c6-e3c6-4a5f-9726-a5a6cacc975d",
+      "id": "802ce2dc-dd4a-45e6-837e-fecc17affe55",
      "alias": "browser plus basic forms - auth-otp-form - Conditional",
      "description": "Flow to determine if the auth-otp-form authenticator should be used or not.",
      "providerId": "basic-flow",
@ -1558,7 +1560,7 @@
      ]
    },
    {
-      "id": "2bbe9c77-e0b9-468b-a26b-ea420b826671",
+      "id": "0f4a4d19-db06-409b-baa8-a3c8a6f52a22",
      "alias": "clients",
      "description": "Base authentication for clients",
      "providerId": "client-flow",
@ -1600,7 +1602,7 @@
      ]
    },
    {
-      "id": "1714fea3-76c4-4a5e-8e23-1122cc89863a",
+      "id": "b177d3f1-dad8-4b40-ac1d-04038f0e5a7d",
      "alias": "direct grant",
      "description": "OpenID Connect Resource Owner Grant",
      "providerId": "basic-flow",
@ -1634,7 +1636,7 @@
      ]
    },
    {
-      "id": "9bf9bbbb-853a-4630-bbe0-96d357f86b59",
+      "id": "788ccbc9-c3c8-468d-8d4c-d2eb04b438a5",
      "alias": "direct grant - direct-grant-validate-otp - Conditional",
      "description": "Flow to determine if the direct-grant-validate-otp authenticator should be used or not.",
      "providerId": "basic-flow",
@ -1660,7 +1662,7 @@
      ]
    },
    {
-      "id": "b9a8e00d-1d80-47c4-bce3-ae60965e95af",
+      "id": "8edd3a8f-7d9d-4029-8fd2-21a8ead2b090",
      "alias": "docker auth",
      "description": "Used by Docker clients to authenticate against the IDP",
      "providerId": "basic-flow",
@ -1678,7 +1680,7 @@
      ]
    },
    {
-      "id": "734b1c5b-23f2-46f8-91e7-835239874868",
+      "id": "a67bc8ee-b99a-409f-adf5-a7d4c7f27512",
      "alias": "first broker login",
      "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
      "providerId": "basic-flow",
@ -1705,7 +1707,7 @@
      ]
    },
    {
-      "id": "7519566f-1a8f-41cc-ba86-18288ffca213",
+      "id": "ffe8dad9-6998-4358-ab2c-061cf7235d53",
      "alias": "first broker login - Alternatives - 0",
      "description": "Subflow of first broker login with alternative executions",
      "providerId": "basic-flow",
@ -1732,7 +1734,7 @@
      ]
    },
    {
-      "id": "fae18f00-185b-4a4b-a420-8d389bfedd31",
+      "id": "26133bdd-6657-449d-a823-73519956b272",
      "alias": "forms",
      "description": "Username, password, otp and other auth forms.",
      "providerId": "basic-flow",
@ -1758,7 +1760,7 @@
      ]
    },
    {
-      "id": "91375637-e26a-4ce3-a8b7-276a63921bf6",
+      "id": "57620e5a-f7cd-4e88-ac51-d78e91ff7868",
      "alias": "forms - auth-otp-form - Conditional",
      "description": "Flow to determine if the auth-otp-form authenticator should be used or not.",
      "providerId": "basic-flow",
@ -1784,7 +1786,7 @@
      ]
    },
    {
-      "id": "310e62a2-5cbb-4b4d-a95b-a5b9924aa632",
+      "id": "cffbb5df-de0a-49ed-9136-296a877ab175",
      "alias": "http challenge",
      "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
      "providerId": "basic-flow",
@ -1826,7 +1828,7 @@
      ]
    },
    {
-      "id": "5603a5ef-9067-4811-95a1-c2934b524521",
+      "id": "6ac5a9df-dacb-462c-9b12-207470e9fcbf",
      "alias": "registration",
      "description": "registration flow",
      "providerId": "basic-flow",
@ -1845,7 +1847,7 @@
      ]
    },
    {
-      "id": "bd200efc-bc32-473c-9fa8-faa381af46f3",
+      "id": "27e40f78-ce1e-4ad4-9b48-88a8bf9c8d92",
      "alias": "registration form",
      "description": "registration form",
      "providerId": "form-flow",
@ -1887,7 +1889,7 @@
      ]
    },
    {
-      "id": "20db9450-a77f-4e61-ac01-4acbf0d13592",
+      "id": "31340e3b-f6c7-49ce-94ac-f28213b84be6",
      "alias": "reset credentials",
      "description": "Reset credentials for a user if they forgot their password or something",
      "providerId": "basic-flow",
@ -1929,7 +1931,7 @@
      ]
    },
    {
-      "id": "2118eabb-8e7f-471b-aaf3-5c0acb1d8e67",
+      "id": "aee4a6d9-caab-463e-ad62-48aba91a4098",
      "alias": "reset credentials - reset-otp - Conditional",
      "description": "Flow to determine if the reset-otp authenticator should be used or not.",
      "providerId": "basic-flow",
@ -1955,7 +1957,7 @@
      ]
    },
    {
-      "id": "392ffdde-de05-4986-81dc-7fef5bde4334",
+      "id": "4052bdf6-9b94-42a1-b199-0c14ffe67ac5",
      "alias": "saml ecp",
      "description": "SAML ECP Profile Authentication Flow",
      "providerId": "basic-flow",
@ -1975,14 +1977,14 @@
  ],
  "authenticatorConfig": [
    {
-      "id": "8c231d46-b83f-489a-b953-8a11e1221c72",
+      "id": "4bc95f52-8c28-449c-830b-a4ffc3340399",
      "alias": "create unique user config",
      "config": {
        "require.password.update.after.registration": "false"
      }
    },
    {
-      "id": "b444f680-f162-46ea-9aa6-02db0222fdfb",
+      "id": "367a56fc-c128-43f8-85d5-50ceae63b7aa",
      "alias": "review profile config",
      "config": {
        "update.profile.on.first.login": "missing"
@ -2074,7 +2076,7 @@
    "cibaInterval": "5",
    "realmReusableOtpCode": "false"
  },
-  "keycloakVersion": "20.0.0",
+  "keycloakVersion": "20.0.2",
  "userManagedAccessAllowed": false,
  "clientProfiles": {
    "profiles": []
--- a/config/keycloak/nginx/keycloak_proxy.conf
+++ b/config/keycloak/nginx/keycloak_proxy.conf
@ -19,34 +19,34 @@ server {
        proxy_pass  http://fixturenet-eth-geth-1:8545;
    }

-    location ~ ^/ipld/eth/([^/]*)$ {
-        set $apiKey $1;
-        if ($apiKey = '') {
-          set $apiKey $http_X_API_KEY;
-        }
-        auth_request /auth;
-        proxy_buffering off;
-        rewrite /.*$ / break;
-        proxy_pass  http://ipld-eth-server:8081;
-    }
-
-    location ~ ^/ipld/gql/([^/]*)$ {
-        set $apiKey $1;
-        if ($apiKey = '') {
-          set $apiKey $http_X_API_KEY;
-        }
-        auth_request /auth;
-        proxy_buffering off;
-        rewrite /.*$ / break;
-        proxy_pass  http://ipld-eth-server:8082;
-    }
-
-    location /beacon/ {
-        set $apiKey $http_X_API_KEY;
-        auth_request /auth;
-        proxy_buffering off;
-        proxy_pass  http://fixturenet-eth-lighthouse-1:8001/;
-    }
+#    location ~ ^/ipld/eth/([^/]*)$ {
+#        set $apiKey $1;
+#        if ($apiKey = '') {
+#          set $apiKey $http_X_API_KEY;
+#        }
+#        auth_request /auth;
+#        proxy_buffering off;
+#        rewrite /.*$ / break;
+#        proxy_pass  http://ipld-eth-server:8081;
+#    }
+#
+#    location ~ ^/ipld/gql/([^/]*)$ {
+#        set $apiKey $1;
+#        if ($apiKey = '') {
+#          set $apiKey $http_X_API_KEY;
+#        }
+#        auth_request /auth;
+#        proxy_buffering off;
+#        rewrite /.*$ / break;
+#        proxy_pass  http://ipld-eth-server:8082;
+#    }
+#
+#    location /beacon/ {
+#        set $apiKey $http_X_API_KEY;
+#        auth_request /auth;
+#        proxy_buffering off;
+#        proxy_pass  http://fixturenet-eth-lighthouse-1:8001/;
+#    }

    location = /auth {
        internal;
@ -59,4 +59,8 @@ server {
        proxy_set_header X-Original-Remote-Addr $remote_addr;
        proxy_set_header X-Original-Host $host;
    }
+
+#    location = /basic_status {
+#        stub_status;
+#    }
 }
--- a/container-build/cerc-keycloak/Dockerfile
+++ b/container-build/cerc-keycloak/Dockerfile
@ -1,10 +1,12 @@
 FROM maven:3-eclipse-temurin-11-alpine AS builder
 RUN apk add --update --no-cache git
 WORKDIR /build
-RUN git clone https://github.com/cerc-io/keycloak-api-key-demo.git
-RUN cd keycloak-api-key-demo && \
-      git checkout 81d0a443c363cb55df2c90e3b13fc5a4710197ba && \
+RUN git clone https://github.com/cerc-io/keycloak-api-key-demo.git && \
+      cd keycloak-api-key-demo && \
+      git checkout '043309204aba4c3cb2f6a006c58a9a430b733b29' && \
      mvn -f api-key-module package

 FROM quay.io/keycloak/keycloak:20.0
 COPY --from=builder /build/keycloak-api-key-demo//api-key-module/target/deploy/*  /opt/keycloak/providers/
+WORKDIR /opt/keycloak/providers
+RUN curl -L https://github.com/aerogear/keycloak-metrics-spi/releases/download/2.5.3/keycloak-metrics-spi-2.5.3.jar --output keycloak-metrics-spi.jar