Add infra/keycloak/docker-compose.yml (Keycloak 26.1, dev mode, --import-realm) with four realms imported at boot (infra/keycloak/realms/*.json): digid, eherkenning, eidas, medewerker. Each has a public big-portal OIDC client (standard flow + direct access grants) and test users; protocol mappers inject the identifying claims (bsn / kvk / eidas_id) and medewerker realm roles. Add `make keycloak-up/keycloak-smoke/keycloak-down`; keycloak-smoke runs infra/keycloak/check_realms.py (password-grant login per realm, asserts the claim). Document credentials in docs/synthetic-data.md and a runbook. Verified: `make keycloak-smoke` green — all four realms log in and return the expected claims (bsn 123456782, kvk 12345678, eidas_id FR/NL..., role behandelaar). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
44 lines
1.1 KiB
JSON
44 lines
1.1 KiB
JSON
{
|
|
"realm": "eherkenning",
|
|
"enabled": true,
|
|
"displayName": "Mock eHerkenning",
|
|
"clients": [
|
|
{
|
|
"clientId": "big-portal",
|
|
"enabled": true,
|
|
"publicClient": true,
|
|
"standardFlowEnabled": true,
|
|
"directAccessGrantsEnabled": true,
|
|
"redirectUris": ["*"],
|
|
"webOrigins": ["*"],
|
|
"protocolMappers": [
|
|
{
|
|
"name": "kvk",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-attribute-mapper",
|
|
"config": {
|
|
"user.attribute": "kvk",
|
|
"claim.name": "kvk",
|
|
"jsonType.label": "String",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"userinfo.token.claim": "true"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"users": [
|
|
{
|
|
"username": "acme-ondernemer",
|
|
"enabled": true,
|
|
"firstName": "Anita",
|
|
"lastName": "Ondernemer",
|
|
"email": "anita@acme.nl",
|
|
"emailVerified": true,
|
|
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
|
"attributes": { "kvk": ["12345678"] }
|
|
}
|
|
]
|
|
}
|