sharang/certifai
1
0
Fork 0
Code Issues 4 Pull Requests 1 Actions Packages Projects Releases Activity

Compare commits

merge into: sharang/certifai:main
Branches Tags
sharang/certifai:main sharang/certifai:feat/m7.1-realm-claims sharang/certifai:feat/compliance-scanner-link sharang/certifai:feat/litellm-usage-stats sharang/certifai:feat/keycloak-theme-social-footer sharang/certifai:feat/CAI-2 sharang/certifai:feat/CAI-4 sharang/certifai:feat/CAI-1
...
pull from: sharang/certifai:feat/m7.1-realm-claims
Branches Tags
sharang/certifai:feat/m7.1-realm-claims sharang/certifai:main sharang/certifai:feat/compliance-scanner-link sharang/certifai:feat/litellm-usage-stats sharang/certifai:feat/keycloak-theme-social-footer sharang/certifai:feat/CAI-2 sharang/certifai:feat/CAI-4 sharang/certifai:feat/CAI-1

1 Commits

Author SHA1 Message Date
Sharang Parnerkar bd6d4572e0 feat(keycloak): add tenant-context client scope + M7.1 test users
CI / Tests (push) Has been skipped
Details
CI / Format (pull_request) Successful in 4s
Details
CI / Format (push) Successful in 21s
Details
CI / Clippy (push) Successful in 2m59s
Details
CI / Security Audit (push) Has been skipped
Details
CI / Clippy (pull_request) Successful in 2m59s
Details
CI / Security Audit (pull_request) Has been skipped
Details
CI / Tests (pull_request) Has been skipped
Details
CI / Deploy (push) Has been skipped
Details
CI / Deploy (pull_request) Has been skipped
Details
CI / E2E Tests (push) Has been skipped
Details
CI / E2E Tests (pull_request) Has been skipped
Details 
Adds the breakpilot platform multi-tenancy claims to the dev realm
so M7.x products (starting with compliance-scanner-agent) can
authenticate against the local CERTifAI stack end-to-end.

New tenant-context client scope, included by default on all three
clients, with six protocol mappers backed by user attributes:

  tenant_id, tenant_slug, tenant_status, plan (strings)
  org_roles, products (multi-valued)

Five test users cover every tenant_status branch:

  admin@certifai.local  (acme, active, IT_ADMIN + CXO)
  user@certifai.local   (acme, active, USER)
  trial@acme.local      (trialco, trial)
  frozen@acme.local     (frozenco, frozen)   -> 402 on writes
  archived@acme.local   (archiveco, archived) -> 410 always

Enables Direct Access Grants on certifai-dashboard so password-
grant requests work for local API testing. This is the dev realm
only (KC_DB: dev-mem); prod realms inherit nothing from this file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-20 17:21:04 +02:00
1 changed files with 202 additions and 6 deletions
Expand all files Collapse all files
keycloak/realm-export.json
+202 -6
View File
@@ -53,7 +53,7 @@
"description": "CERTifAI administration dashboard",
"enabled": true,
"publicClient": true,
"directAccessGrantsEnabled": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"serviceAccountsEnabled": false,
@@ -73,7 +73,8 @@
"defaultClientScopes": [
"openid",
"profile",
"email"
"email",
"tenant-context"
],
"optionalClientScopes": [
"offline_access"
@@ -106,7 +107,8 @@
"defaultClientScopes": [
"openid",
"profile",
"email"
"email",
"tenant-context"
],
"optionalClientScopes": [
"offline_access"
@@ -139,7 +141,8 @@
"defaultClientScopes": [
"openid",
"profile",
"email"
"email",
"tenant-context"
],
"optionalClientScopes": [
"offline_access"
@@ -269,6 +272,105 @@
}
}
]
},
{
"name": "tenant-context",
"description": "Breakpilot platform tenant + org claims (M7.1)",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "false"
},
"protocolMappers": [
{
"name": "tenant_id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "tenant_id",
"claim.name": "tenant_id",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true",
"jsonType.label": "String"
}
},
{
"name": "tenant_slug",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "tenant_slug",
"claim.name": "tenant_slug",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true",
"jsonType.label": "String"
}
},
{
"name": "tenant_status",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "tenant_status",
"claim.name": "tenant_status",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true",
"jsonType.label": "String"
}
},
{
"name": "plan",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "plan",
"claim.name": "plan",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true",
"jsonType.label": "String"
}
},
{
"name": "org_roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "org_roles",
"claim.name": "org_roles",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true",
"jsonType.label": "String",
"multivalued": "true",
"aggregate.attrs": "true"
}
},
{
"name": "products",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "products",
"claim.name": "products",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true",
"jsonType.label": "String",
"multivalued": "true",
"aggregate.attrs": "true"
}
}
]
}
],
"users": [
@@ -289,7 +391,15 @@
"realmRoles": [
"admin",
"user"
]
],
"attributes": {
"tenant_id": ["00000000-0000-0000-0000-000000000001"],
"tenant_slug": ["acme"],
"tenant_status": ["active"],
"plan": ["professional"],
"org_roles": ["IT_ADMIN", "CXO"],
"products": ["compliance", "certifai"]
}
},
{
"username": "user@certifai.local",
@@ -307,7 +417,93 @@
],
"realmRoles": [
"user"
]
],
"attributes": {
"tenant_id": ["00000000-0000-0000-0000-000000000001"],
"tenant_slug": ["acme"],
"tenant_status": ["active"],
"plan": ["professional"],
"org_roles": ["USER"],
"products": ["compliance"]
}
},
{
"username": "frozen@acme.local",
"email": "frozen@acme.local",
"firstName": "Frozen",
"lastName": "Tenant",
"enabled": true,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "frozen",
"temporary": false
}
],
"realmRoles": [
"user"
],
"attributes": {
"tenant_id": ["00000000-0000-0000-0000-000000000002"],
"tenant_slug": ["frozenco"],
"tenant_status": ["frozen"],
"plan": ["starter"],
"org_roles": ["IT_ADMIN"],
"products": ["compliance"]
}
},
{
"username": "archived@acme.local",
"email": "archived@acme.local",
"firstName": "Archived",
"lastName": "Tenant",
"enabled": true,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "archived",
"temporary": false
}
],
"realmRoles": [
"user"
],
"attributes": {
"tenant_id": ["00000000-0000-0000-0000-000000000003"],
"tenant_slug": ["archiveco"],
"tenant_status": ["archived"],
"plan": ["starter"],
"org_roles": ["IT_ADMIN"],
"products": ["compliance"]
}
},
{
"username": "trial@acme.local",
"email": "trial@acme.local",
"firstName": "Trial",
"lastName": "Tenant",
"enabled": true,
"emailVerified": true,
"credentials": [
{
"type": "password",
"value": "trial",
"temporary": false
}
],
"realmRoles": [
"user"
],
"attributes": {
"tenant_id": ["00000000-0000-0000-0000-000000000004"],
"tenant_slug": ["trialco"],
"tenant_status": ["trial"],
"plan": ["starter"],
"org_roles": ["IT_ADMIN"],
"products": ["compliance"]
}
}
]
}