Update Keycloak configuration and enable persistent storage

Updated Keycloak settings in `realm-hemhub.json` to include additional roles, user attributes, client scopes, and OpenID Connect configurations. Modified `application.yml` to replace `issuer-uri` with `jwk-set-uri` for JWT handling. Enhanced `docker-compose.yml` to include persistent volumes, updated Keycloak image, and environment variables for better container interoperability.
2025-10-06 17:06:36 +02:00
parent 699fb3836b
commit 0993164062
3 changed files with 185 additions and 25 deletions
--- a/keycloak/realm-hemhub.json
+++ b/keycloak/realm-hemhub.json
@ -2,55 +2,205 @@
  "realm": "hemhub",
  "enabled": true,
  "displayName": "HemHub",
+  "registrationAllowed": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": true,
+  "editUsernameAllowed": false,
+
+  "roles": {
+    "realm": [
+      { "name": "OWNER" },
+      { "name": "MEMBER" },
+      { "name": "ADMIN" }
+    ]
+  },
+
  "users": [
    {
      "username": "maria",
      "email": "maria@example.com",
+      "firstName": "Maria",
+      "lastName": "Andersson",
      "enabled": true,
      "emailVerified": true,
      "attributes": { "household_id": ["H-ANDERSSON"] },
-      "credentials": [{ "type": "password", "value": "Passw0rd!", "temporary": false }],
+      "credentials": [{ "type": "password", "value": "Passw0rd", "temporary": false }],
      "realmRoles": ["OWNER","MEMBER"]
    },
    {
      "username": "ulf",
      "email": "ulf@example.com",
+      "firstName": "Ulf",
+      "lastName": "Svensson",
      "enabled": true,
      "emailVerified": true,
      "attributes": { "household_id": ["H-ANDERSSON"] },
-      "credentials": [{ "type": "password", "value": "Passw0rd!", "temporary": false }],
+      "credentials": [{ "type": "password", "value": "Passw0rd", "temporary": false }],
      "realmRoles": ["MEMBER"]
    }
  ],
-  "roles": {
-    "realm": [
-      {"name":"OWNER","composite":false},
-      {"name":"MEMBER","composite":false},
-      {"name":"ADMIN","composite":false}
-    ]
-  },
+
+  "clientScopes": [
+    {
+      "name": "roles",
+      "description": "OpenID Connect scope for add user roles to the access token",
+      "protocol": "openid-connect",
+      "attributes": { "include.in.token.scope": "true" },
+      "protocolMappers": [
+        {
+          "name": "realm roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String",
+            "multivalued": "true",
+            "usermodel.realmRoleMapping.rolePrefix": "",
+            "access.token.claim": "true",
+            "id.token.claim": "false"
+          }
+        }
+      ]
+    },
+    {
+      "name": "profile",
+      "description": "Standard OpenID Connect profile claims",
+      "protocol": "openid-connect",
+      "attributes": { "include.in.token.scope": "true" },
+      "protocolMappers": [
+        {
+          "name": "preferred username",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "config": {
+            "user.attribute": "username",
+            "claim.name": "preferred_username",
+            "jsonType.label": "String",
+            "access.token.claim": "true",
+            "id.token.claim": "true"
+          }
+        },
+        {
+          "name": "given name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "config": {
+            "user.attribute": "firstName",
+            "claim.name": "given_name",
+            "jsonType.label": "String",
+            "access.token.claim": "true",
+            "id.token.claim": "true"
+          }
+        },
+        {
+          "name": "family name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "config": {
+            "user.attribute": "lastName",
+            "claim.name": "family_name",
+            "jsonType.label": "String",
+            "access.token.claim": "true",
+            "id.token.claim": "true"
+          }
+        },
+        {
+          "name": "name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-full-name-mapper",
+          "config": {
+            "access.token.claim": "true",
+            "id.token.claim": "true"
+          }
+        }
+      ]
+    },
+    {
+      "name": "email",
+      "description": "Standard OpenID Connect email claims",
+      "protocol": "openid-connect",
+      "attributes": { "include.in.token.scope": "true" },
+      "protocolMappers": [
+        {
+          "name": "email",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "config": {
+            "user.attribute": "email",
+            "claim.name": "email",
+            "jsonType.label": "String",
+            "access.token.claim": "true",
+            "id.token.claim": "true"
+          }
+        },
+        {
+          "name": "email verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "config": {
+            "user.attribute": "emailVerified",
+            "claim.name": "email_verified",
+            "jsonType.label": "boolean",
+            "access.token.claim": "true",
+            "id.token.claim": "true"
+          }
+        }
+      ]
+    },
+    {
+      "name": "hemhub-extra",
+      "description": "Custom claims for HemHub",
+      "protocol": "openid-connect",
+      "attributes": { "include.in.token.scope": "true" },
+      "protocolMappers": [
+        {
+          "name": "household_id",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "config": {
+            "user.attribute": "household_id",
+            "claim.name": "household_id",
+            "jsonType.label": "String",
+            "access.token.claim": "true",
+            "id.token.claim": "true"
+          }
+        }
+      ]
+    }
+  ],
+
+  "defaultDefaultClientScopes": [ "roles", "profile", "email", "hemhub-extra" ],
+  "defaultOptionalClientScopes": [ "offline_access" ],
+
  "clients": [
    {
      "clientId": "hemhub-public",
+      "name": "HemHub Public",
+      "enabled": true,
      "publicClient": true,
-      "redirectUris": ["http://localhost:5173/*","http://localhost:8080/swagger-ui/*"],
+      "protocol": "openid-connect",
      "standardFlowEnabled": true,
-      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
-      "attributes": { "pkce.code.challenge.method": "S256" }
+      "serviceAccountsEnabled": false,
+      "attributes": { "pkce.code.challenge.method": "S256" },
+      "redirectUris": [
+        "http://localhost:8080/swagger-ui/*",
+        "http://localhost:5173/*"
+      ],
+      "webOrigins": ["*"]
    },
    {
      "clientId": "hemhub-service",
-      "serviceAccountsEnabled": true,
-      "secret": "dev-secret",
+      "name": "HemHub Service",
+      "enabled": true,
      "publicClient": false,
-      "redirectUris": [],
+      "protocol": "openid-connect",
+      "standardFlowEnabled": false,
      "directAccessGrantsEnabled": false,
-      "standardFlowEnabled": false
+      "serviceAccountsEnabled": true,
+      "secret": "dev-secret"
    }
-  ],
-  "clientScopes": [
-    {"name":"roles","protocol":"openid-connect"}
-  ],
-  "defaultDefaultClientScopes": ["roles", "profile", "email"]
+  ]
 }