Files
register-referentie/docs/synthetic-data.md
Edwin van den Houdt 30d8aecf8c
Some checks failed
CI / lint (pull_request) Has been cancelled
CI / build (pull_request) Has been cancelled
CI / unit (pull_request) Has been cancelled
CI / compose-smoke (pull_request) Has been cancelled
feat(infra): Keycloak with mock DigiD/eHerkenning/eIDAS/medewerker realms (closes #3)
Add infra/keycloak/docker-compose.yml (Keycloak 26.1, dev mode, --import-realm)
with four realms imported at boot (infra/keycloak/realms/*.json): digid,
eherkenning, eidas, medewerker. Each has a public big-portal OIDC client
(standard flow + direct access grants) and test users; protocol mappers inject
the identifying claims (bsn / kvk / eidas_id) and medewerker realm roles.

Add `make keycloak-up/keycloak-smoke/keycloak-down`; keycloak-smoke runs
infra/keycloak/check_realms.py (password-grant login per realm, asserts the
claim). Document credentials in docs/synthetic-data.md and a runbook.

Verified: `make keycloak-smoke` green — all four realms log in and return the
expected claims (bsn 123456782, kvk 12345678, eidas_id FR/NL..., role behandelaar).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 16:16:38 +02:00

1.4 KiB

Synthetic data

All credentials here are dev-only synthetic test data — never real personal data, never used outside local development.

Keycloak realms (S-02)

Keycloak runs at http://localhost:8180 (admin console: admin / admin). Four realms are imported at boot from infra/keycloak/realms/. Each has a public OIDC client big-portal (standard flow + direct access grants enabled, redirect URIs * for dev).

All test users share the password test123.

Realm Mimics User Identifying claim
digid DigiD (burgers) jan-burger bsn = 123456782
eherkenning eHerkenning (bedrijven) acme-ondernemer kvk = 12345678
eidas eIDAS (EU) pierre-dupont eidas_id = FR/NL/AB-1234-5678
medewerker Internal staff merel-behandelaar role behandelaar
medewerker Internal staff tom-teamlead roles behandelaar, teamlead

The identifying claims are injected via OIDC protocol mappers on big-portal (user-attribute → token claim); medewerker roles appear in realm_access.roles.

Get a token (for testing)

curl -s -X POST \
  http://localhost:8180/realms/digid/protocol/openid-connect/token \
  -d grant_type=password -d client_id=big-portal \
  -d username=jan-burger -d password=test123 -d scope=openid | jq -r .access_token

Decode the JWT payload to see the bsn claim. make keycloak-smoke checks every realm automatically.