diff --git a/docs/Reference-Adapter.md b/docs/Reference-Adapter.md
index 752bd99..a041ac1 100644
--- a/docs/Reference-Adapter.md
+++ b/docs/Reference-Adapter.md
@@ -11,7 +11,7 @@ Configuration of adapter properties in the Share-tier `share-config-custom.xml`
```xml
-
+
http://localhost:8180/auth
alfresco
alfresco-share
@@ -30,7 +30,7 @@ Note: This listing does not include the common property key prefix `keycloak.ada
| Property | Default Value | Description |
| --- | ---: | --- |
| `auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls |
-| `directAuthHost` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided |
+| `proxy-url` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided |
| `realm` | `alfresco` | Technical name of the Keycloak realm |
| `realm-public-key` | | Fixed public key of the realm (PEM string) - if not set, the public key(s) will be dynamically loaded and automatically refreshed after a configurable amount of times between JSON Web Key Store requests |
| `resource` | `alfresco` / `alfresco-share` | Technical name of the client set up in the realm |
@@ -66,15 +66,9 @@ Note: This listing does not include the common property key prefix `keycloak.ada
| `public-key-cache-ttl` | `86400` | Time-to-live in seconds for public key cache entries |
| `ignore-oauth-query-parameter` | `false` | Flag determining whether OAuth `access_token` in an URL query is to be ignored |
| `verify-token-audience` | `true` / `false` | Flag enabling validation of the audience specified in an access token, enabled by default on the Repository-tier - must be disabled if Share or any other application which authenticates users via Keycloak is not delegating user authentication using RFC 8693 OAuth 2.0 Token Exchange |
-
-## Non-Standard Adapter Properties
-
-The following properties are not supported by the Keycloak adapter library, but have been added by the addon for customisation of the adapter's behaviour.
-
-| Property | Default Value | Description |
-| --- | ---: | --- |
-| `connectionTimeout` | `-1` | Connect timeout for the Apache HTTP client used in calls to Keycloak |
-| `socketTimeout` | `-1` | General socket timeout for the Apache HTTP client used in calls to Keycloak |
+| `socket-timeout-millis` | `5000` | General socket timeout for the Apache HTTP client used in calls to Keycloak |
+| `connection-timeout-millis` | `5000` | Connect timeout for the Apache HTTP client used in calls to Keycloak |
+| `connection-ttl-millis` | `-1` | The time-to-live of connections for the Apache HTTP client used in calls to Keycloak |
## Unsupported Adapter Properties
@@ -94,4 +88,4 @@ This listing details configuration properties from the Keycloak adapter library
| `token-store` | `session` | Mode for how the Keycloak adapter stores user account information - related to clustering like previous two settings and not relevant for the integration as provided by the addon |
| `turn-off-change-session-id-on-login` | | Completely unused flag in the Keycloak adapter library |
| `policy-enforcer` | | Complex configuration object determining fine-grained access policies to the Repository / Share application. - This is currently not supported for configuration by the addon due to use of complex object structures |
-| `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet implemented by the Keycloak adapter library. |
\ No newline at end of file
+| `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet been implemented by the Keycloak adapter library. |
\ No newline at end of file
diff --git a/docs/Simple-Configuration.md b/docs/Simple-Configuration.md
index 8ad23ea..f1c4069 100644
--- a/docs/Simple-Configuration.md
+++ b/docs/Simple-Configuration.md
@@ -98,7 +98,7 @@ The following core configuration properties can be set (more extensive list in t
| `...groupFilter.containedInGroup.property.groupPaths` | | Comma-separated list of group paths (e.g. `/Group A/Group B,/Group A/Group C`) to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) |
| `...groupFilter.containedInGroup.property.groupIds` | | Comma-separated list of group IDs to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) |
| `keycloak.adapter.auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls |
-| `...directAuthHost` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided |
+| `...proxy-url` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided |
| `...realm` | `alfresco` | Technical name of the Keycloak realm |
| `...resource` | `alfresco` | Technical name of the client set up for the Alfresco Repository in the realm |
| `...credentials.secret` | | Shared secret for validation of authorisation codes / access tokens |
@@ -118,7 +118,7 @@ The following showcases an example configuration block:
true
-
+
http://localhost:8180/auth
alfresco
alfresco-share
diff --git a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
index 0d6dbb9..4a4ba8a 100644
--- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
+++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml
@@ -30,9 +30,6 @@
-
-
-
diff --git a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
index 1b21679..365b73c 100644
--- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
+++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties
@@ -15,14 +15,8 @@ keycloak.authentication.silentRemoteUserValidationFailure=true
keycloak.authentication.bodyBufferLimit=10485760
-# override for a direct route to the auth server host
-# useful primarily for Docker-ized deployments where container running Alfresco cannot resolve the auth server via the public DNS name
-keycloak.adapter.directAuthHost=
-# other custom adapter properties not part of default Keycloak adapter library
-keycloak.adapter.connectionTimeout=5000
-keycloak.adapter.socketTimeout=5000
-
keycloak.adapter.auth-server-url=http://localhost:8180/auth
+keycloak.adapter.proxy-url=
keycloak.adapter.realm=alfresco
keycloak.adapter.resource=alfresco
keycloak.adapter.ssl-required=none
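Review bot: The added `keycloak.adapter.proxy-url=` line has no comment, while the removed `directAuthHost` block explained when and why to set it. As far as I know, `proxy-url` in the Keycloak adapter library configures an HTTP proxy for the adapter's back-channel client rather than a forced direct route, so the two may not behave identically (for instance with an `https` `auth-server-url`); this is worth confirming before the docs describe it as an "alternative base URL". I would restore an explanatory comment, e.g. `# proxy used for calls from Alfresco to the auth server - primarily for Docker-ized deployments where Alfresco cannot resolve the public DNS name`. Back-channel calls carry the client secret and tokens, so the comment could also say that a plain `http://` value belongs only on a trusted internal network.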
@@ -33,7 +27,47 @@ keycloak.adapter.credentials.secret=
# for some reason, this is not a sane default in Keycloak Adapter config
keycloak.adapter.verify-token-audience=true
-# TODO default settings (identical to AdapterConfig defaults) to better align with default Alfresco subsystem property handling
+keycloak.adapter.allow-any-hostname=false
+keycloak.adapter.disable-trust-manager=false
+# TODO Try and integrate ACS keystore handling
+keycloak.adapter.truststore=
+keycloak.adapter.truststore-password=
+keycloak.adapter.client-keystore=
+keycloak.adapter.client-keystore-password=
+keycloak.adapter.client-key-password=
+keycloak.adapter.connection-pool-size=20
+keycloak.adapter.always-refresh-token=false
+keycloak.adapter.register-node-at-startup=false
+keycloak.adapter.register-node-period=-1
+keycloak.adapter.token-store=
+keycloak.adapter.adapter-state-cookie-path=
+keycloak.adapter.principal-attribute=
+keycloak.adapter.turn-off-change-session-id-on-login=
+keycloak.adapter.token-minimum-time-to-live=0
+keycloak.adapter.min-time-between-jwks-requests=10
+keycloak.adapter.public-key-cache-ttl=86400
+keycloak.adapter.enable-pkce=false
+keycloak.adapter.ignore-oauth-query-parameter=false
+keycloak.adapter.min-time-between-jwks-requests=10
+keycloak.adapter.socket-timeout-millis=5000
+keycloak.adapter.connection-timeout-millis=5000
+keycloak.adapter.connection-ttl-millis=-1
+
+keycloak.adapter.use-resource-role-mappings=false
+# note: support for handling CORS is a tertiary side-effect of Keycloak integration
+keycloak.adapter.enable-cors=false
+keycloak.adapter.cors-max-age=-1
+keycloak.adapter.cors-allowed-headers=
+keycloak.adapter.cors-allowed-methods=
+keycloak.adapter.cors-exposed-headers=
+keycloak.adapter.expose-token=false
+keycloak.adapter.bearer-only=false
+keycloak.adapter.autodetect-bearer-only=false
+# recommended to never be set to true as that would disable basic auth for any local Alfresco users
+keycloak.adapter.enable-basic-auth=false
+# keycloak.adapter.redirect-rewrite-rules.x=y
+keycloak.adapter.realm-public-key=
+
keycloak.authentication.userAuthority.default.property.realmRoleNameFilter.ref=realmFilter.aggregate
keycloak.authentication.userAuthority.default.property.realmRoleNameMapper.ref=realmMapper.aggregate
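Review bot: `keycloak.adapter.min-time-between-jwks-requests=10` appears twice in the added block, once after `token-minimum-time-to-live` and again after `ignore-oauth-query-parameter`. The second occurrence should be dropped, otherwise a later edit to one line can be silently overridden by the other. `allow-any-hostname` and `disable-trust-manager` turn off TLS hostname and certificate verification for calls to Keycloak, so they deserve the same kind of guard comment that `enable-basic-auth` gets, e.g. `# keep false outside local testing - true disables TLS hostname / certificate verification for calls to Keycloak`. The empty `truststore-password`, `client-keystore-password` and `client-key-password` defaults invite clear-text secrets in the global properties file, and the existing TODO about ACS keystore handling could state that explicitly.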
diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java
index 8a42409..3462f96 100644
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java
@@ -15,19 +15,9 @@
*/
package de.acosix.alfresco.keycloak.repo.spring;
-import java.net.InetAddress;
-import java.util.concurrent.TimeUnit;
-
import org.alfresco.httpclient.HttpClientFactory.NonBlockingHttpParamsFactory;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.httpclient.params.DefaultHttpParams;
-import org.apache.http.HttpHost;
-import org.apache.http.client.HttpClient;
-import org.apache.http.conn.params.ConnRoutePNames;
-import org.apache.http.conn.params.ConnRouteParams;
-import org.apache.http.conn.routing.HttpRoute;
-import org.apache.http.params.HttpParams;
-import org.keycloak.adapters.HttpClientBuilder;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.representations.adapters.config.AdapterConfig;
@@ -48,12 +38,6 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean 0)
- {
- httpClientBuilder = httpClientBuilder.establishConnectionTimeout(this.connectionTimeout, TimeUnit.MILLISECONDS);
- }
- if (this.socketTimeout > 0)
- {
- httpClientBuilder = httpClientBuilder.socketTimeout(this.socketTimeout, TimeUnit.MILLISECONDS);
- }
-
- final HttpClient client = httpClientBuilder.build(this.adapterConfig);
- this.configureForcedRouteIfNecessary(client);
- keycloakDeployment.setClient(client);
-
- return keycloakDeployment;
+ return KeycloakDeploymentBuilder.build(this.adapterConfig);
}
/**
@@ -145,28 +86,4 @@ public class KeycloakDeploymentBeanFactory implements FactoryBeanalfresco
-
http://localhost:8180/auth
alfresco
alfresco-share
@@ -51,8 +50,8 @@
true
- 5000
- 5000
+ 5000
+ 5000
diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java
index 004d1ad..19b9c03 100644
--- a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java
+++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java
@@ -134,12 +134,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
protected final Set markedAsUnset = new HashSet<>();
- protected final ConfigValueHolder connectionTimeout = new ConfigValueHolder<>();
-
- protected final ConfigValueHolder socketTimeout = new ConfigValueHolder<>();
-
- protected final ConfigValueHolder directAuthHost = new ConfigValueHolder<>();
-
/**
* Creates a new instance of this class.
*/
@@ -148,57 +142,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
super(NAME);
}
- /**
- * @return the connectionTimeout
- */
- public Long getConnectionTimeout()
- {
- return this.connectionTimeout.getValue();
- }
-
- /**
- * @param connectionTimeout
- * the connectionTimeout to set
- */
- public void setConnectionTimeout(final Long connectionTimeout)
- {
- this.connectionTimeout.setValue(connectionTimeout);
- }
-
- /**
- * @return the socketTimeout
- */
- public Long getSocketTimeout()
- {
- return this.socketTimeout.getValue();
- }
-
- /**
- * @param socketTimeout
- * the socketTimeout to set
- */
- public void setSocketTimeout(final Long socketTimeout)
- {
- this.socketTimeout.setValue(socketTimeout);
- }
-
- /**
- * @return the directAuthHost
- */
- public String getDirectAuthHost()
- {
- return this.directAuthHost.getValue();
- }
-
- /**
- * @param directAuthHost
- * the directAuthHost to set
- */
- public void setDirectAuthHost(final String directAuthHost)
- {
- this.directAuthHost.setValue(directAuthHost);
- }
-
/**
* Checks if a specific field is supported by this config element.
*
@@ -390,36 +333,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
}
}
- if (otherConfigElement.connectionTimeout.isUnset())
- {
- combined.connectionTimeout.unset();
- }
- else
- {
- combined.setConnectionTimeout(otherConfigElement.getConnectionTimeout() != null ? otherConfigElement.getConnectionTimeout()
- : this.getConnectionTimeout());
- }
-
- if (otherConfigElement.socketTimeout.isUnset())
- {
- combined.socketTimeout.unset();
- }
- else
- {
- combined.setSocketTimeout(
- otherConfigElement.getSocketTimeout() != null ? otherConfigElement.getSocketTimeout() : this.getSocketTimeout());
- }
-
- if (otherConfigElement.directAuthHost.isUnset())
- {
- combined.directAuthHost.unset();
- }
- else
- {
- combined.setDirectAuthHost(
- otherConfigElement.getDirectAuthHost() != null ? otherConfigElement.getDirectAuthHost() : this.getDirectAuthHost());
- }
-
return combined;
}
@@ -435,12 +348,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
builder.append(this.configValueByField);
builder.append(",markedAsUnset=");
builder.append(this.markedAsUnset);
- builder.append(",connectionTimeout=");
- builder.append(this.connectionTimeout);
- builder.append(",socketTimeout=");
- builder.append(this.socketTimeout);
- builder.append(",directAuthHost=");
- builder.append(this.directAuthHost);
builder.append("]");
return builder.toString();
}
@@ -462,10 +369,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
result = prime * result + valueHash;
}
- result = prime * result + this.connectionTimeout.hashCode();
- result = prime * result + this.socketTimeout.hashCode();
- result = prime * result + this.directAuthHost.hashCode();
-
return result;
}
@@ -496,14 +399,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
{
return false;
}
- if (!EqualsHelper.nullSafeEquals(this.connectionTimeout, other.connectionTimeout))
- {
- return false;
- }
- if (!EqualsHelper.nullSafeEquals(this.socketTimeout, other.socketTimeout))
- {
- return false;
- }
return true;
}
diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java
index d8db5f7..8eeb1f0 100644
--- a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java
+++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java
@@ -116,26 +116,7 @@ public class KeycloakAdapterConfigElementReader implements ConfigElementReader
}
else
{
- switch (subElementName)
- {
- // use -1 as dummy value for empty value to signify that empty value has explicitly been set (relevant for merge/combine
- // of config)
- case "connectionTimeout":
- final String prospectiveConnectionTimeout = subElement.getTextTrim();
- configElement.setConnectionTimeout(
- prospectiveConnectionTimeout.isEmpty() ? null : Long.valueOf(prospectiveConnectionTimeout));
- break;
- case "socketTimeout":
- final String prospectiveSocketTimeout = subElement.getTextTrim();
- configElement.setSocketTimeout(prospectiveSocketTimeout.isEmpty() ? null : Long.valueOf(prospectiveSocketTimeout));
- break;
- case "directAuthHost":
- final String prospectiveDirectAuthHost = subElement.getTextTrim();
- configElement.setDirectAuthHost(prospectiveDirectAuthHost.isEmpty() ? null : prospectiveDirectAuthHost);
- break;
- default:
- LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName);
- }
+ LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName);
}
}
LOGGER.debug("Read configuration element {} from XML section", configElement);
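Review bot: An existing `share-config-custom.xml` that still uses `connectionTimeout`, `socketTimeout` or `directAuthHost` now reaches only the generic "unsupported" warning in the `else` branch, and its values are dropped. For `directAuthHost` that means Share falls back to the public `auth-server-url` for back-channel calls without any hint as to why. Consider a dedicated message for these three legacy names that points at the replacement, e.g. `LOGGER.warn("Keycloak Adapter config element {} is no longer supported - use proxy-url / connection-timeout-millis / socket-timeout-millis instead", subElementName);`. The enclosing method starts and ends outside this hunk.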
diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
index 8050d11..fdb22f4 100644
--- a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
+++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java
@@ -22,13 +22,11 @@ import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
-import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
-import java.util.concurrent.TimeUnit;
import java.util.function.BiFunction;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -50,17 +48,12 @@ import org.alfresco.util.EqualsHelper;
import org.alfresco.util.PropertyCheck;
import org.alfresco.web.site.servlet.SSOAuthenticationFilter;
import org.apache.http.HttpEntity;
-import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
-import org.apache.http.conn.params.ConnRoutePNames;
-import org.apache.http.conn.params.ConnRouteParams;
-import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.message.BasicNameValuePair;
-import org.apache.http.params.HttpParams;
import org.apache.http.util.EntityUtils;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.OAuth2Constants;
@@ -68,7 +61,6 @@ import org.keycloak.TokenVerifier;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.BearerTokenRequestAuthenticator;
-import org.keycloak.adapters.HttpClientBuilder;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OAuthRequestAuthenticator;
@@ -512,35 +504,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
protected void initFromAdapterConfig(final KeycloakAdapterConfigElement keycloakAdapterConfig)
{
final AdapterConfig adapterConfiguration = keycloakAdapterConfig.buildAdapterConfiguration();
-
- // disable any CORS handling (if CORS is relevant, it should be handled by Share / Surf)
- adapterConfiguration.setCors(false);
- // BASIC authentication should never be used
- adapterConfiguration.setEnableBasicAuth(false);
-
this.keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfiguration);
-
- // even in newer version than used by ACS 6.x does Keycloak lib not allow timeout configuration
- if (this.keycloakDeployment.getClient() != null)
- {
- final Long connectionTimeout = keycloakAdapterConfig.getConnectionTimeout();
- final Long socketTimeout = keycloakAdapterConfig.getSocketTimeout();
-
- HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
- if (connectionTimeout != null && connectionTimeout.longValue() >= 0)
- {
- httpClientBuilder = httpClientBuilder.establishConnectionTimeout(connectionTimeout.longValue(), TimeUnit.MILLISECONDS);
- }
- if (socketTimeout != null && socketTimeout.longValue() >= 0)
- {
- httpClientBuilder = httpClientBuilder.socketTimeout(socketTimeout.longValue(), TimeUnit.MILLISECONDS);
- }
-
- final HttpClient client = httpClientBuilder.build(adapterConfiguration);
- this.configureForcedRouteIfNecessary(keycloakAdapterConfig, client);
- this.keycloakDeployment.setClient(client);
- }
-
this.deploymentContext = new AdapterDeploymentContext(this.keycloakDeployment);
}
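Review bot: `initFromAdapterConfig` no longer forces CORS handling and BASIC authentication off, so `enable-cors` and `enable-basic-auth` from the Share configuration now reach `KeycloakDeploymentBuilder.build` as configured. The removed comments gave a security rationale ("BASIC authentication should never be used"), and the Repository-tier properties in this same commit still recommend never setting `enable-basic-auth` to true. Unless the relaxation is intentional, keep `adapterConfiguration.setCors(false);` and `adapterConfiguration.setEnableBasicAuth(false);` ahead of the build call. Otherwise log a warning when either flag is enabled and document the change in the Share adapter reference.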
@@ -1863,39 +1827,4 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
}
return sslPort;
}
-
- /**
- * Sets up a forced route for the Keycloak-library backing HTTP client if configured. This may be necessary to deal with situations
- * where Share cannot use the public address of the authentication server (used in authentication redirects) to talk with the server
- * directly, due to network isolation / addressing restrictions (e.g. in Docker-ized deployments).
- *
- * @param configElement
- * the adapter configuration
- * @param client
- * the client to configure
- */
- @SuppressWarnings("deprecation")
- protected void configureForcedRouteIfNecessary(final KeycloakAdapterConfigElement configElement, final HttpClient client)
- {
- final String directAuthHost = configElement.getDirectAuthHost();
- if (directAuthHost != null && !directAuthHost.isEmpty())
- {
- final HttpHost host = HttpHost.create(directAuthHost);
- final HttpParams params = client.getParams();
- final InetAddress local = ConnRouteParams.getLocalAddress(params);
- final HttpHost proxy = ConnRouteParams.getDefaultProxy(params);
- final boolean secure = host.getSchemeName().equalsIgnoreCase("https");
-
- HttpRoute route;
- if (proxy == null)
- {
- route = new HttpRoute(host, local, secure);
- }
- else
- {
- route = new HttpRoute(host, local, proxy, secure);
- }
- params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
- }
- }
}
diff --git a/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties b/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties
index 17a3aa6..a8e6a9b 100644
--- a/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties
+++ b/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties
@@ -25,7 +25,7 @@ keycloak.adapter.credentials.provider=secret
keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708
# localhost in auth-server-url won't work for direct access in a Docker deployment
-keycloak.adapter.directAuthHost=http://keycloak:8080
+keycloak.adapter.proxy-url=http://keycloak:8080
keycloak.roles.requiredClientScopes=alfresco-role-service
diff --git a/share/src/test/docker/alfresco/web-extension/share-config-custom.xml b/share/src/test/docker/alfresco/web-extension/share-config-custom.xml
index 8357e8a..bfbe289 100644
--- a/share/src/test/docker/alfresco/web-extension/share-config-custom.xml
+++ b/share/src/test/docker/alfresco/web-extension/share-config-custom.xml
@@ -75,7 +75,7 @@
true
- http://keycloak:8080
+ http://keycloak:8080
http://localhost:${docker.tests.keycloakPort}/auth
test
alfresco-share
diff --git a/share/src/test/docker/test-realm.json b/share/src/test/docker/test-realm.json
index 143ed7e..1b18443 100644
--- a/share/src/test/docker/test-realm.json
+++ b/share/src/test/docker/test-realm.json
@@ -683,6 +683,7 @@
"secret": "a5b3e8bc-39cc-4ddd-8c8f-1c34e7a35975",
"publicClient": false,
"protocol": "openid-connect",
+ "alwaysDisplayInConsole": true,
"fullScopeAllowed": false,
"defaultClientScopes": [
"roles",
@@ -930,33 +931,36 @@
]
}
],
+ "defaultRole": {
+ "name": "default-roles-test",
+ "description": "${role_default-roles}",
+ "composite": true,
+ "composites": {
+ "realm": [
+ "offline_access",
+ "uma_authorization",
+ "user"
+ ],
+ "client": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ }
+ }
+ },
"roles": {
"realm": [
{
"name": "uma_authorization",
"description": "${role_uma_authorization}"
},
- {
- "name": "default-roles-test",
- "description": "${role_default-roles}",
- "composite": true,
- "composites": {
- "realm": [
- "offline_access",
- "uma_authorization",
- "user"
- ],
- "client": {
- "account": [
- "view-profile",
- "manage-account"
- ]
- }
- }
- },
{
"name": "offline_access",
"description": "${role_offline-access}"
+ },
+ {
+ "name": "user"
}
],
"client": {
diff --git a/share/src/test/resources/default-config.xml b/share/src/test/resources/default-config.xml
index b552f56..096c14b 100644
--- a/share/src/test/resources/default-config.xml
+++ b/share/src/test/resources/default-config.xml
@@ -40,7 +40,7 @@
alfresco
- http://keycloak:8080
+ http://keycloak:8080
http://localhost:8180/auth
alfresco