Add infra/keycloak/docker-compose.yml (Keycloak 26.1, dev mode, --import-realm) with four realms imported at boot (infra/keycloak/realms/*.json): digid, eherkenning, eidas, medewerker. Each has a public big-portal OIDC client (standard flow + direct access grants) and test users; protocol mappers inject the identifying claims (bsn / kvk / eidas_id) and medewerker realm roles. Add `make keycloak-up/keycloak-smoke/keycloak-down`; keycloak-smoke runs infra/keycloak/check_realms.py (password-grant login per realm, asserts the claim). Document credentials in docs/synthetic-data.md and a runbook. Verified: `make keycloak-smoke` green — all four realms log in and return the expected claims (bsn 123456782, kvk 12345678, eidas_id FR/NL..., role behandelaar). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1.4 KiB
1.4 KiB
Synthetic data
All credentials here are dev-only synthetic test data — never real personal data, never used outside local development.
Keycloak realms (S-02)
Keycloak runs at http://localhost:8180 (admin console: admin / admin). Four realms
are imported at boot from infra/keycloak/realms/. Each has a public OIDC client
big-portal (standard flow + direct access grants enabled, redirect URIs * for dev).
All test users share the password test123.
| Realm | Mimics | User | Identifying claim |
|---|---|---|---|
digid |
DigiD (burgers) | jan-burger |
bsn = 123456782 |
eherkenning |
eHerkenning (bedrijven) | acme-ondernemer |
kvk = 12345678 |
eidas |
eIDAS (EU) | pierre-dupont |
eidas_id = FR/NL/AB-1234-5678 |
medewerker |
Internal staff | merel-behandelaar |
role behandelaar |
medewerker |
Internal staff | tom-teamlead |
roles behandelaar, teamlead |
The identifying claims are injected via OIDC protocol mappers on big-portal
(user-attribute → token claim); medewerker roles appear in realm_access.roles.
Get a token (for testing)
curl -s -X POST \
http://localhost:8180/realms/digid/protocol/openid-connect/token \
-d grant_type=password -d client_id=big-portal \
-d username=jan-burger -d password=test123 -d scope=openid | jq -r .access_token
Decode the JWT payload to see the bsn claim. make keycloak-smoke checks every realm
automatically.