Add infra/keycloak/docker-compose.yml (Keycloak 26.1, dev mode, --import-realm) with four realms imported at boot (infra/keycloak/realms/*.json): digid, eherkenning, eidas, medewerker. Each has a public big-portal OIDC client (standard flow + direct access grants) and test users; protocol mappers inject the identifying claims (bsn / kvk / eidas_id) and medewerker realm roles. Add `make keycloak-up/keycloak-smoke/keycloak-down`; keycloak-smoke runs infra/keycloak/check_realms.py (password-grant login per realm, asserts the claim). Document credentials in docs/synthetic-data.md and a runbook. Verified: `make keycloak-smoke` green — all four realms log in and return the expected claims (bsn 123456782, kvk 12345678, eidas_id FR/NL..., role behandelaar). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
36 lines
1.4 KiB
Markdown
36 lines
1.4 KiB
Markdown
# Synthetic data
|
|
|
|
All credentials here are **dev-only** synthetic test data — never real personal data,
|
|
never used outside local development.
|
|
|
|
## Keycloak realms (S-02)
|
|
|
|
Keycloak runs at <http://localhost:8180> (admin console: **admin / admin**). Four realms
|
|
are imported at boot from `infra/keycloak/realms/`. Each has a public OIDC client
|
|
**`big-portal`** (standard flow + direct access grants enabled, redirect URIs `*` for dev).
|
|
|
|
All test users share the password **`test123`**.
|
|
|
|
| Realm | Mimics | User | Identifying claim |
|
|
|---|---|---|---|
|
|
| `digid` | DigiD (burgers) | `jan-burger` | `bsn` = `123456782` |
|
|
| `eherkenning` | eHerkenning (bedrijven) | `acme-ondernemer` | `kvk` = `12345678` |
|
|
| `eidas` | eIDAS (EU) | `pierre-dupont` | `eidas_id` = `FR/NL/AB-1234-5678` |
|
|
| `medewerker` | Internal staff | `merel-behandelaar` | role `behandelaar` |
|
|
| `medewerker` | Internal staff | `tom-teamlead` | roles `behandelaar`, `teamlead` |
|
|
|
|
The identifying claims are injected via OIDC protocol mappers on `big-portal`
|
|
(user-attribute → token claim); `medewerker` roles appear in `realm_access.roles`.
|
|
|
|
## Get a token (for testing)
|
|
|
|
```bash
|
|
curl -s -X POST \
|
|
http://localhost:8180/realms/digid/protocol/openid-connect/token \
|
|
-d grant_type=password -d client_id=big-portal \
|
|
-d username=jan-burger -d password=test123 -d scope=openid | jq -r .access_token
|
|
```
|
|
|
|
Decode the JWT payload to see the `bsn` claim. `make keycloak-smoke` checks every realm
|
|
automatically.
|