From b4ca07d0c2b504ff76f847e4b33b347e060e71f3 Mon Sep 17 00:00:00 2001 From: AFaust Date: Tue, 19 Oct 2021 15:39:39 +0200 Subject: [PATCH] Use default fields for timeout + proxy --- docs/Reference-Adapter.md | 18 +-- docs/Simple-Configuration.md | 4 +- .../keycloak-authentication-context.xml | 3 - .../keycloak-authentication.properties | 50 +++++++-- .../spring/KeycloakDeploymentBeanFactory.java | 87 +-------------- .../alfresco-global.addition.properties | 4 +- repository/src/test/docker/test-realm.json | 51 ++++----- share/src/main/config/default-config.xml | 5 +- .../config/KeycloakAdapterConfigElement.java | 105 ------------------ .../KeycloakAdapterConfigElementReader.java | 21 +--- .../web/KeycloakAuthenticationFilter.java | 71 ------------ .../alfresco-global.addition.properties | 2 +- .../web-extension/share-config-custom.xml | 2 +- share/src/test/docker/test-realm.json | 40 ++++--- share/src/test/resources/default-config.xml | 2 +- 15 files changed, 104 insertions(+), 361 deletions(-) diff --git a/docs/Reference-Adapter.md b/docs/Reference-Adapter.md index 752bd99..a041ac1 100644 --- a/docs/Reference-Adapter.md +++ b/docs/Reference-Adapter.md @@ -11,7 +11,7 @@ Configuration of adapter properties in the Share-tier `share-config-custom.xml` ```xml - + http://localhost:8180/auth alfresco alfresco-share 
@@ -30,7 +30,7 @@ Note: This listing does not include the common property key prefix `keycloak.ada | Property | Default Value | Description | | --- | ---: | --- | | `auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls | -| `directAuthHost` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided | +| `proxy-url` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided | | `realm` | `alfresco` | Technical name of the Keycloak realm | | `realm-public-key` | | Fixed public key of the realm (PEM string) - if not set, the public key(s) will be dynamically loaded and automatically refreshed after a configurable amount of times between JSON Web Key Store requests | | `resource` | `alfresco` / `alfresco-share` | Technical name of the client set up in the realm | 
@@ -66,15 +66,9 @@ Note: This listing does not include the common property key prefix `keycloak.ada | `public-key-cache-ttl` | `86400` | Time-to-live in seconds for public key cache entries | | `ignore-oauth-query-parameter` | `false` | Flag determining whether OAuth `access_token` in an URL query is to be ignored | | `verify-token-audience` | `true` / `false` | Flag enabling validation of the audience specified in an access token, enabled by default on the Repository-tier - must be disabled if Share or any other application which authenticates users via Keycloak is not delegating user authentication using RFC 8693 OAuth 2.0 Token Exchange | - -## Non-Standard Adapter Properties - -The following properties are not supported by the Keycloak adapter library, but have been added by the addon for customisation of the adapter's behaviour. - -| Property | Default Value | Description | -| --- | ---: | --- | -| `connectionTimeout` | `-1` | Connect timeout for the Apache HTTP client used in calls to Keycloak | -| `socketTimeout` | `-1` | General socket timeout for the Apache HTTP client used in calls to Keycloak | +| `socket-timeout-millis` | `5000` | General socket timeout for the Apache HTTP client used in calls to Keycloak | +| `connection-timeout-millis` | `5000` | Connect timeout for the Apache HTTP client used in calls to Keycloak | +| `connection-ttl-millis` | `-1` | The time-to-live of connections for the Apache HTTP client used in calls to Keycloak | ## Unsupported Adapter Properties 
@@ -94,4 +88,4 @@ This listing details configuration properties from the Keycloak adapter library | `token-store` | `session` | Mode for how the Keycloak adapter stores user account information - related to clustering like previous two settings and not relevant for the integration as provided by the addon | | `turn-off-change-session-id-on-login` | | Completely unused flag in the Keycloak adapter library | | `policy-enforcer` | | Complex configuration object determining fine-grained access policies to the Repository / Share application. - This is currently not supported for configuration by the addon due to use of complex object structures | -| `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet implemented by the Keycloak adapter library. | \ No newline at end of file +| `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet been implemented by the Keycloak adapter library. | \ No newline at end of file diff --git a/docs/Simple-Configuration.md b/docs/Simple-Configuration.md index 8ad23ea..f1c4069 100644 --- a/docs/Simple-Configuration.md +++ b/docs/Simple-Configuration.md 
@@ -98,7 +98,7 @@ The following core configuration properties can be set (more extensive list in t | `...groupFilter.containedInGroup.property.groupPaths` | | Comma-separated list of group paths (e.g. `/Group A/Group B,/Group A/Group C`) to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) | | `...groupFilter.containedInGroup.property.groupIds` | | Comma-separated list of group IDs to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) | | `keycloak.adapter.auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls | -| `...directAuthHost` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided | +| `...proxy-url` | | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided | | `...realm` | `alfresco` | Technical name of the Keycloak realm | | `...resource` | `alfresco` | Technical name of the client set up for the Alfresco Repository in the realm | | `...credentials.secret` | | Shared secret for validation of authorisation codes / access tokens | @@ -118,7 +118,7 @@ The following showcases an example configuration block: true - + http://localhost:8180/auth alfresco alfresco-share 
diff --git a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml index 0d6dbb9..4a4ba8a 100644 --- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml +++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml @@ -30,9 +30,6 @@ - - - diff --git a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties index 1b21679..365b73c 100644 --- a/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties +++ b/repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties @@ -15,14 +15,8 @@ keycloak.authentication.silentRemoteUserValidationFailure=true keycloak.authentication.bodyBufferLimit=10485760 -# override for a direct route to the auth server host -# useful primarily for Docker-ized deployments where container running Alfresco cannot resolve the auth server via the public DNS name -keycloak.adapter.directAuthHost= -# other custom adapter properties not part of default Keycloak adapter library -keycloak.adapter.connectionTimeout=5000 -keycloak.adapter.socketTimeout=5000 - keycloak.adapter.auth-server-url=http://localhost:8180/auth +keycloak.adapter.proxy-url= keycloak.adapter.realm=alfresco keycloak.adapter.resource=alfresco keycloak.adapter.ssl-required=none 
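Review bot: `keycloak.adapter.proxy-url` is not a drop-in replacement for the removed `directAuthHost` forced route, and the description carried over to it in the docs hunks hides that. If I read the Keycloak adapter correctly, `proxy-url` configures an HTTP forward proxy for the adapter's client, so requests for `auth-server-url` are sent to that host in absolute-URI form, and for an `https://` auth-server-url as a CONNECT tunnel that a Keycloak instance will not serve; this presumably works for the plain-HTTP Docker test setup in this commit (`proxy-url=http://keycloak:8080`, `auth-server-url=http://localhost:...`) but not for a TLS-fronted public URL. A comment above the new empty default would save operators a debugging round: `# standard Keycloak adapter HTTP proxy setting (replaces the former directAuthHost forced route) - pointing it at Keycloak itself only works for a plain-HTTP auth-server-url`.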
@@ -33,7 +27,47 @@ keycloak.adapter.credentials.secret= # for some reason, this is not a sane default in Keycloak Adapter config keycloak.adapter.verify-token-audience=true -# TODO default settings (identical to AdapterConfig defaults) to better align with default Alfresco subsystem property handling +keycloak.adapter.allow-any-hostname=false +keycloak.adapter.disable-trust-manager=false +# TODO Try and integrate ACS keystore handling +keycloak.adapter.truststore= +keycloak.adapter.truststore-password= +keycloak.adapter.client-keystore= +keycloak.adapter.client-keystore-password= +keycloak.adapter.client-key-password= +keycloak.adapter.connection-pool-size=20 +keycloak.adapter.always-refresh-token=false +keycloak.adapter.register-node-at-startup=false +keycloak.adapter.register-node-period=-1 +keycloak.adapter.token-store= +keycloak.adapter.adapter-state-cookie-path= +keycloak.adapter.principal-attribute= +keycloak.adapter.turn-off-change-session-id-on-login= +keycloak.adapter.token-minimum-time-to-live=0 +keycloak.adapter.min-time-between-jwks-requests=10 +keycloak.adapter.public-key-cache-ttl=86400 +keycloak.adapter.enable-pkce=false +keycloak.adapter.ignore-oauth-query-parameter=false +keycloak.adapter.min-time-between-jwks-requests=10 +keycloak.adapter.socket-timeout-millis=5000 +keycloak.adapter.connection-timeout-millis=5000 +keycloak.adapter.connection-ttl-millis=-1 + +keycloak.adapter.use-resource-role-mappings=false +# note: support for handling CORS is a tertiary side-effect of Keycloak integration +keycloak.adapter.enable-cors=false +keycloak.adapter.cors-max-age=-1 +keycloak.adapter.cors-allowed-headers= +keycloak.adapter.cors-allowed-methods= +keycloak.adapter.cors-exposed-headers= +keycloak.adapter.expose-token=false +keycloak.adapter.bearer-only=false +keycloak.adapter.autodetect-bearer-only=false +# recommended to never be set to true as that would disable basic auth for any local Alfresco users +keycloak.adapter.enable-basic-auth=false +# 
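Review bot: `keycloak.adapter.min-time-between-jwks-requests=10` is declared twice in this hunk, once after `token-minimum-time-to-live` and again after `ignore-oauth-query-parameter`; java.util.Properties keeps the last value, so it is harmless today but will silently mask a later edit of whichever copy an operator changes — drop the second one. The TLS-relevant defaults `allow-any-hostname=false` and `disable-trust-manager=false` are correct, and since `truststore`/`truststore-password` are left empty with a TODO the adapter will fall back to whatever the JVM trusts; a warning comment such as `# keep both false: setting either one disables TLS server authentication towards Keycloak` would discourage flipping them to work around certificate problems. The `*-password` keys now sit in plain text next to `credentials.secret`; if the Alfresco encrypted-property mechanism applies to subsystem properties, a one-line pointer to it here would be worthwhile.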
keycloak.adapter.redirect-rewrite-rules.x=y +keycloak.adapter.realm-public-key= + keycloak.authentication.userAuthority.default.property.realmRoleNameFilter.ref=realmFilter.aggregate keycloak.authentication.userAuthority.default.property.realmRoleNameMapper.ref=realmMapper.aggregate diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java index 8a42409..3462f96 100644 --- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java +++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java @@ -15,19 +15,9 @@ */ package de.acosix.alfresco.keycloak.repo.spring; -import java.net.InetAddress; -import java.util.concurrent.TimeUnit; - import org.alfresco.httpclient.HttpClientFactory.NonBlockingHttpParamsFactory; import org.alfresco.util.PropertyCheck; import org.apache.commons.httpclient.params.DefaultHttpParams; -import org.apache.http.HttpHost; -import org.apache.http.client.HttpClient; -import org.apache.http.conn.params.ConnRoutePNames; -import org.apache.http.conn.params.ConnRouteParams; -import org.apache.http.conn.routing.HttpRoute; -import org.apache.http.params.HttpParams; -import org.keycloak.adapters.HttpClientBuilder; import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.KeycloakDeploymentBuilder; import org.keycloak.representations.adapters.config.AdapterConfig; 
@@ -48,12 +38,6 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean 0) - { - httpClientBuilder = httpClientBuilder.establishConnectionTimeout(this.connectionTimeout, TimeUnit.MILLISECONDS); - } - if (this.socketTimeout > 0) - { - httpClientBuilder = httpClientBuilder.socketTimeout(this.socketTimeout, TimeUnit.MILLISECONDS); - } - - final HttpClient client = httpClientBuilder.build(this.adapterConfig); - this.configureForcedRouteIfNecessary(client); - keycloakDeployment.setClient(client); - - return keycloakDeployment; + return KeycloakDeploymentBuilder.build(this.adapterConfig); } /** @@ -145,28 +86,4 @@ public class KeycloakDeploymentBeanFactory implements FactoryBeanalfresco - http://localhost:8180/auth alfresco alfresco-share @@ -51,8 +50,8 @@ true - 5000 - 5000 + 5000 + 5000 diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java index 004d1ad..19b9c03 100644 --- a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java +++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java @@ -134,12 +134,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement protected final Set markedAsUnset = new HashSet<>(); - protected final ConfigValueHolder connectionTimeout = new ConfigValueHolder<>(); - - protected final ConfigValueHolder socketTimeout = new ConfigValueHolder<>(); - - protected final ConfigValueHolder directAuthHost = new ConfigValueHolder<>(); - /** * Creates a new instance of this class. */ 
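Review bot: Replacing the hand-built client with `return KeycloakDeploymentBuilder.build(this.adapterConfig);` makes the repository tier depend on the adapter library's own handling of `socket-timeout-millis`, `connection-timeout-millis` and `connection-ttl-millis`, yet the diffstat shows no build-file change, so either the current adapter dependency already exposes those `AdapterConfig` fields or the new properties are silently dropped and the client runs with the library's default (presumably unbounded) timeouts. Please confirm the minimum adapter version and record it in the factory's class comment, e.g. `// timeouts / proxy are applied by the adapter's HttpClientBuilder from AdapterConfig; requires an adapter version that knows socket-timeout-millis et al.`. The removed code also only applied a timeout when the value was `> 0`; whether the library treats `-1`/`0` the same way is worth a sentence in the properties file so `connection-ttl-millis=-1` is not misread as "one millisecond".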
@@ -148,57 +142,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement super(NAME); } - /** - * @return the connectionTimeout - */ - public Long getConnectionTimeout() - { - return this.connectionTimeout.getValue(); - } - - /** - * @param connectionTimeout - * the connectionTimeout to set - */ - public void setConnectionTimeout(final Long connectionTimeout) - { - this.connectionTimeout.setValue(connectionTimeout); - } - - /** - * @return the socketTimeout - */ - public Long getSocketTimeout() - { - return this.socketTimeout.getValue(); - } - - /** - * @param socketTimeout - * the socketTimeout to set - */ - public void setSocketTimeout(final Long socketTimeout) - { - this.socketTimeout.setValue(socketTimeout); - } - - /** - * @return the directAuthHost - */ - public String getDirectAuthHost() - { - return this.directAuthHost.getValue(); - } - - /** - * @param directAuthHost - * the directAuthHost to set - */ - public void setDirectAuthHost(final String directAuthHost) - { - this.directAuthHost.setValue(directAuthHost); - } - /** * Checks if a specific field is supported by this config element. * 
@@ -390,36 +333,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement } } - if (otherConfigElement.connectionTimeout.isUnset()) - { - combined.connectionTimeout.unset(); - } - else - { - combined.setConnectionTimeout(otherConfigElement.getConnectionTimeout() != null ? otherConfigElement.getConnectionTimeout() - : this.getConnectionTimeout()); - } - - if (otherConfigElement.socketTimeout.isUnset()) - { - combined.socketTimeout.unset(); - } - else - { - combined.setSocketTimeout( - otherConfigElement.getSocketTimeout() != null ? otherConfigElement.getSocketTimeout() : this.getSocketTimeout()); - } - - if (otherConfigElement.directAuthHost.isUnset()) - { - combined.directAuthHost.unset(); - } - else - { - combined.setDirectAuthHost( - otherConfigElement.getDirectAuthHost() != null ? otherConfigElement.getDirectAuthHost() : this.getDirectAuthHost()); - } - return combined; } @@ -435,12 +348,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement builder.append(this.configValueByField); builder.append(",markedAsUnset="); builder.append(this.markedAsUnset); - builder.append(",connectionTimeout="); - builder.append(this.connectionTimeout); - builder.append(",socketTimeout="); - builder.append(this.socketTimeout); - builder.append(",directAuthHost="); - builder.append(this.directAuthHost); builder.append("]"); return builder.toString(); } @@ -462,10 +369,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement result = prime * result + valueHash; } - result = prime * result + this.connectionTimeout.hashCode(); - result = prime * result + this.socketTimeout.hashCode(); - result = prime * result + this.directAuthHost.hashCode(); - return result; } 
@@ -496,14 +399,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement { return false; } - if (!EqualsHelper.nullSafeEquals(this.connectionTimeout, other.connectionTimeout)) - { - return false; - } - if (!EqualsHelper.nullSafeEquals(this.socketTimeout, other.socketTimeout)) - { - return false; - } return true; } diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java index d8db5f7..8eeb1f0 100644 --- a/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java +++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java 
@@ -116,26 +116,7 @@ public class KeycloakAdapterConfigElementReader implements ConfigElementReader } else { - switch (subElementName) - { - // use -1 as dummy value for empty value to signify that empty value has explicitly been set (relevant for merge/combine - // of config) - case "connectionTimeout": - final String prospectiveConnectionTimeout = subElement.getTextTrim(); - configElement.setConnectionTimeout( - prospectiveConnectionTimeout.isEmpty() ? null : Long.valueOf(prospectiveConnectionTimeout)); - break; - case "socketTimeout": - final String prospectiveSocketTimeout = subElement.getTextTrim(); - configElement.setSocketTimeout(prospectiveSocketTimeout.isEmpty() ? null : Long.valueOf(prospectiveSocketTimeout)); - break; - case "directAuthHost": - final String prospectiveDirectAuthHost = subElement.getTextTrim(); - configElement.setDirectAuthHost(prospectiveDirectAuthHost.isEmpty() ? null : prospectiveDirectAuthHost); - break; - default: - LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName); - } + LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName); } } LOGGER.debug("Read configuration element {} from XML section", configElement); diff --git a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java index 8050d11..fdb22f4 100644 --- a/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java +++ b/share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java 
@@ -22,13 +22,11 @@ import java.io.IOException; import java.io.InputStream; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; -import java.net.InetAddress; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Locale; -import java.util.concurrent.TimeUnit; import java.util.function.BiFunction; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -50,17 +48,12 @@ import org.alfresco.util.EqualsHelper; import org.alfresco.util.PropertyCheck; import org.alfresco.web.site.servlet.SSOAuthenticationFilter; import org.apache.http.HttpEntity; -import org.apache.http.HttpHost; import org.apache.http.HttpResponse; import org.apache.http.NameValuePair; import org.apache.http.client.HttpClient; import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.methods.HttpPost; -import org.apache.http.conn.params.ConnRoutePNames; -import org.apache.http.conn.params.ConnRouteParams; -import org.apache.http.conn.routing.HttpRoute; import org.apache.http.message.BasicNameValuePair; -import org.apache.http.params.HttpParams; import org.apache.http.util.EntityUtils; import org.keycloak.KeycloakSecurityContext; import org.keycloak.OAuth2Constants; @@ -68,7 +61,6 @@ import org.keycloak.TokenVerifier; import org.keycloak.adapters.AdapterDeploymentContext; import org.keycloak.adapters.AuthenticatedActionsHandler; import org.keycloak.adapters.BearerTokenRequestAuthenticator; -import org.keycloak.adapters.HttpClientBuilder; import org.keycloak.adapters.KeycloakDeployment; import org.keycloak.adapters.KeycloakDeploymentBuilder; import org.keycloak.adapters.OAuthRequestAuthenticator; 
@@ -512,35 +504,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I protected void initFromAdapterConfig(final KeycloakAdapterConfigElement keycloakAdapterConfig) { final AdapterConfig adapterConfiguration = keycloakAdapterConfig.buildAdapterConfiguration(); - - // disable any CORS handling (if CORS is relevant, it should be handled by Share / Surf) - adapterConfiguration.setCors(false); - // BASIC authentication should never be used - adapterConfiguration.setEnableBasicAuth(false); - this.keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfiguration); - - // even in newer version than used by ACS 6.x does Keycloak lib not allow timeout configuration - if (this.keycloakDeployment.getClient() != null) - { - final Long connectionTimeout = keycloakAdapterConfig.getConnectionTimeout(); - final Long socketTimeout = keycloakAdapterConfig.getSocketTimeout(); - - HttpClientBuilder httpClientBuilder = new HttpClientBuilder(); - if (connectionTimeout != null && connectionTimeout.longValue() >= 0) - { - httpClientBuilder = httpClientBuilder.establishConnectionTimeout(connectionTimeout.longValue(), TimeUnit.MILLISECONDS); - } - if (socketTimeout != null && socketTimeout.longValue() >= 0) - { - httpClientBuilder = httpClientBuilder.socketTimeout(socketTimeout.longValue(), TimeUnit.MILLISECONDS); - } - - final HttpClient client = httpClientBuilder.build(adapterConfiguration); - this.configureForcedRouteIfNecessary(keycloakAdapterConfig, client); - this.keycloakDeployment.setClient(client); - } - this.deploymentContext = new AdapterDeploymentContext(this.keycloakDeployment); } 
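Review bot: Dropping `adapterConfiguration.setEnableBasicAuth(false)` and `adapterConfiguration.setCors(false)` from `initFromAdapterConfig` turns two previously unconditional safeguards into config-controlled ones: whatever `share-config-custom.xml` declares now reaches the `KeycloakDeployment`, so a single `<enable-basic-auth>true</enable-basic-auth>` override would let the Share filter accept Basic credentials against Keycloak, which the removed comment said "should never be used". The share `default-config.xml` hunk in this commit only shows the timeout renames, so I cannot tell whether it ships `enable-basic-auth`/`enable-cors` as `false`. If the intent is configurability with a safe default, keep a guard that logs and forces the value back, `if (adapterConfiguration.isEnableBasicAuth()) { LOGGER.warn("enable-basic-auth is not supported in Share - forcing false"); adapterConfiguration.setEnableBasicAuth(false); }`, and the same for CORS, which the old comment said belongs to Share/Surf.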
@@ -1863,39 +1827,4 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I } return sslPort; } - - /** - * Sets up a forced route for the Keycloak-library backing HTTP client if configured. This may be necessary to deal with situations - * where Share cannot use the public address of the authentication server (used in authentication redirects) to talk with the server - * directly, due to network isolation / addressing restrictions (e.g. in Docker-ized deployments). - * - * @param configElement - * the adapter configuration - * @param client - * the client to configure - */ - @SuppressWarnings("deprecation") - protected void configureForcedRouteIfNecessary(final KeycloakAdapterConfigElement configElement, final HttpClient client) - { - final String directAuthHost = configElement.getDirectAuthHost(); - if (directAuthHost != null && !directAuthHost.isEmpty()) - { - final HttpHost host = HttpHost.create(directAuthHost); - final HttpParams params = client.getParams(); - final InetAddress local = ConnRouteParams.getLocalAddress(params); - final HttpHost proxy = ConnRouteParams.getDefaultProxy(params); - final boolean secure = host.getSchemeName().equalsIgnoreCase("https"); - - HttpRoute route; - if (proxy == null) - { - route = new HttpRoute(host, local, secure); - } - else - { - route = new HttpRoute(host, local, proxy, secure); - } - params.setParameter(ConnRoutePNames.FORCED_ROUTE, route); - } - } } diff --git a/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties b/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties index 17a3aa6..a8e6a9b 100644 --- a/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties +++ b/share/src/test/docker/alfresco/extension/alfresco-global.addition.properties 
@@ -25,7 +25,7 @@ keycloak.adapter.credentials.provider=secret keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708 # localhost in auth-server-url won't work for direct access in a Docker deployment -keycloak.adapter.directAuthHost=http://keycloak:8080 +keycloak.adapter.proxy-url=http://keycloak:8080 keycloak.roles.requiredClientScopes=alfresco-role-service diff --git a/share/src/test/docker/alfresco/web-extension/share-config-custom.xml b/share/src/test/docker/alfresco/web-extension/share-config-custom.xml index 8357e8a..bfbe289 100644 --- a/share/src/test/docker/alfresco/web-extension/share-config-custom.xml +++ b/share/src/test/docker/alfresco/web-extension/share-config-custom.xml @@ -75,7 +75,7 @@ true - http://keycloak:8080 + http://keycloak:8080 http://localhost:${docker.tests.keycloakPort}/auth test alfresco-share diff --git a/share/src/test/docker/test-realm.json b/share/src/test/docker/test-realm.json index 143ed7e..1b18443 100644 --- a/share/src/test/docker/test-realm.json +++ b/share/src/test/docker/test-realm.json @@ -683,6 +683,7 @@ "secret": "a5b3e8bc-39cc-4ddd-8c8f-1c34e7a35975", "publicClient": false, "protocol": "openid-connect", + "alwaysDisplayInConsole": true, "fullScopeAllowed": false, "defaultClientScopes": [ "roles", 
@@ -930,33 +931,36 @@ ] } ], + "defaultRole": { + "name": "default-roles-test", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization", + "user" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + } + }, "roles": { "realm": [ { "name": "uma_authorization", "description": "${role_uma_authorization}" }, - { - "name": "default-roles-test", - "description": "${role_default-roles}", - "composite": true, - "composites": { - "realm": [ - "offline_access", - "uma_authorization", - "user" - ], - "client": { - "account": [ - "view-profile", - "manage-account" - ] - } - } - }, { "name": "offline_access", "description": "${role_offline-access}" + }, + { + "name": "user" } ], "client": { diff --git a/share/src/test/resources/default-config.xml b/share/src/test/resources/default-config.xml index b552f56..096c14b 100644 --- a/share/src/test/resources/default-config.xml +++ b/share/src/test/resources/default-config.xml @@ -40,7 +40,7 @@ alfresco - http://keycloak:8080 + http://keycloak:8080 http://localhost:8180/auth alfresco