{"id":23122738,"url":"https://github.com/folio-org/mod-roles-keycloak","last_synced_at":"2025-04-04T04:21:03.061Z","repository":{"id":211890926,"uuid":"730152575","full_name":"folio-org/mod-roles-keycloak","owner":"folio-org","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-18T09:55:51.000Z","size":770,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-10-21T03:59:23.629Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/folio-org.png","metadata":{"files":{"readme":"README.md","changelog":"NEWS.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-11T10:13:20.000Z","updated_at":"2024-10-15T16:33:09.000Z","dependencies_parsed_at":"2024-04-08T13:25:52.459Z","dependency_job_id":"e865b927-8107-466b-9c57-e1999aa810cf","html_url":"https://github.com/folio-org/mod-roles-keycloak","commit_stats":null,"previous_names":["folio-org/mod-roles-keycloak"],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/folio-org%2Fmod-roles-keycloak","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/folio-org%2Fmod-roles-keycloak/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/folio-org%2Fmod-roles-keycloak/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/folio-org%2Fmod-roles-keycloak/manifests","owner_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/owners/folio-org","download_url":"https://codeload.github.com/folio-org/mod-roles-keycloak/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247118828,"owners_count":20886633,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-17T07:30:09.080Z","updated_at":"2025-04-04T04:21:03.049Z","avatar_url":"https://github.com/folio-org.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# mod-roles-keycloak\n\nCopyright (C) 2023-2023 The Open Library Foundation\n\nThis software is distributed under the terms of the Apache License, Version 2.0. See the file \"[LICENSE](LICENSE)\" for\nmore information.\n\n## Table of contents\n\n* [Introduction](#introduction)\n* [Environment Variables](#environment-variables)\n* [Loading of client IDs/secrets](#loading-of-client-idssecrets)\n* [Custom permission-capability mappings](#custom-permission-capability-mappings)\n\n## Introduction\n\nFor now, `mod-roles-keycloak` proxies requests to Keycloak. The service helps manage roles and policies: creating,\nupdating, deleting and searching. 
The service can also be used to associate roles with a user. `mod-roles-keycloak` stores\nmetadata about who created a record and when.\n\n## Environment Variables\n\n| Name                                  | Default value                                                                                                                                          | Required | Description                                                                                                                      |\n|:--------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------|:--------:|:---------------------------------------------------------------------------------------------------------------------------------|\n| DB_HOST                               | localhost                                                                                                                                              |  false   | Postgres hostname                                                                                                                |\n| DB_PORT                               | 5432                                                                                                                                                   |  false   | Postgres port                                                                                                                    |\n| DB_USERNAME                           | postgres                                                                                                                                               |  false   | Postgres username                                                                                                                |\n| DB_PASSWORD                           | postgres                                                                                                 
                                              |  false   | Postgres username password                                                                                                       |\n| DB_DATABASE                           | postgres                                                                                                                                               |  false   | Postgres database name                                                                                                           |\n| KC_URL                                | keycloak:8080                                                                                                                                          |  false   | Keycloak URL used to perform HTTP requests by `KeycloakClient`.                                                                  |\n| KC_ADMIN_CLIENT_ID                    | folio-backend-admin-client                                                                                                                             |   true   | Admin client for issuing admin tokens                                                                                            |\n| KC_LOGIN_CLIENT_SUFFIX                | -login-application                                                                                                                                     |  false   | Client name suffix for storing policies in Keycloak                                                                              |\n| KC_USER_ID_CACHE_TTL                  | 180s                                                                                                                                                   |  false   | Time to live in sec for cached `keycloakUserId` by folio `userId`                                                                |\n| KAFKA_CAPABILITIES_TOPIC_PATTERN      | `(${application.environment}\\.)(.*\\.)mgr-tenant-entitlements.capability`   
                                                                            |  false   | Topic pattern for `capability` topic filled by mgr-tenants-entitlement                                                           |\n| CAPABILITY_TOPIC_RETRY_DELAY          | 1s                                                                                                                                                     |  false   | `capability` topic retry delay if tenant is not initialized                                                                      |\n| CAPABILITY_TOPIC_RETRY_ATTEMPTS       | 9223372036854775807                                                                                                                                    |  false   | `capability` topic retry attempts if tenant is not initialized (default value is Long.MAX_VALUE ~= infinite amount of retries)   |\n| FOLIO_PERMISSIONS_MAPPING_SOURCE_PATH | [folio permission mapping json file](https://raw.githubusercontent.com/folio-org/folio-permissions-mappings/refs/heads/master/mappings-overrides.json) |  false   | Link or path to resource that contains folio permission mappings. File path or URL can be used.                                  
|\n| CACHE_PERMISSION_MAPPINGS_TTL         | 60                                                                                                                                                     | false    | TTL for cache of permission mapping overrides, in seconds                                                                        |\n\nSee also configurations from https://github.com/folio-org/folio-spring-support/tree/release/v8.1/folio-spring-system-user - FOLIO_ENVIRONMENT, FOLIO_OKAPI_URL, FOLIO_SYSTEM_USER_USERNAME, FOLIO_SYSTEM_USER_PASSWORD.\n\n### Secure storage environment variables\n\n#### AWS-SSM\n\nRequired when `SECRET_STORE_TYPE=AWS_SSM`\n\n| Name                                           | Default value | Description                                                                                                                                                    |\n|:-----------------------------------------------|:--------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| SECRET_STORE_AWS_SSM_REGION                    | -             | The AWS region to pass to the AWS SSM Client Builder. If not set, the AWS Default Region Provider Chain is used to determine which region to use.              |\n| SECRET_STORE_AWS_SSM_USE_IAM                   | true          | If true, will rely on the current IAM role for authorization instead of explicitly providing AWS credentials (access_key/secret_key)                           |\n| SECRET_STORE_AWS_SSM_ECS_CREDENTIALS_ENDPOINT  | -             | The HTTP endpoint to use for retrieving AWS credentials. This is ignored if useIAM is true                                                                     |\n| SECRET_STORE_AWS_SSM_ECS_CREDENTIALS_PATH      | -             | The path component of the credentials endpoint URI. 
This value is appended to the credentials endpoint to form the URI from which credentials can be obtained. |\n\n#### Vault\n\nRequired when `SECRET_STORE_TYPE=VAULT`\n\n| Name                                    | Default value | Description                                                                         |\n|:----------------------------------------|:--------------|:------------------------------------------------------------------------------------|\n| SECRET_STORE_VAULT_TOKEN                | -             | token for accessing Vault; may be a root token                                      |\n| SECRET_STORE_VAULT_ADDRESS              | -             | the address of your Vault server                                                    |\n| SECRET_STORE_VAULT_ENABLE_SSL           | false         | whether or not to use SSL                                                           |\n| SECRET_STORE_VAULT_PEM_FILE_PATH        | -             | the path to an X.509 certificate in unencrypted PEM format, using UTF-8 encoding    |\n| SECRET_STORE_VAULT_KEYSTORE_PASSWORD    | -             | the password used to access the JKS keystore (optional)                             |\n| SECRET_STORE_VAULT_KEYSTORE_FILE_PATH   | -             | the path to a JKS keystore file containing a client cert and private key            |\n| SECRET_STORE_VAULT_TRUSTSTORE_FILE_PATH | -             | the path to a JKS truststore file containing Vault server certs that can be trusted |\n\n### Keycloak environment variables\n\nAll Keycloak configuration properties are documented at https://www.keycloak.org/server/all-config\n\n| Name                              | Description                                                                                                                                                                
|\n|:----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| KC_HOSTNAME                       | Keycloak hostname, will be added to returned endpoints, for example for openid-configuration                                                                               |\n| KC_ADMIN                          | Initial admin username                                                                                                                                                     |\n| KC_ADMIN_PASSWORD                 | Initial admin password                                                                                                                                                     |\n| KC_DB                             | Database type                                                                                                                                                              |\n| KC_DB_URL_DATABASE                | Sets the database name of the default JDBC URL of the chosen vendor. If the DB_URL option is set, this option is ignored.                                                  |\n| KC_DB_URL_HOST                    | Sets the hostname of the default JDBC URL of the chosen vendor. If the DB_URL option is set, this option is ignored.                                                       |\n| KC_DB_URL_PORT                    | Sets the port of the default JDBC URL of the chosen vendor. If the DB_URL option is set, this option is ignored.                                                           
|\n| KC_DB_USERNAME                    | Database username                                                                                                                                                          |\n| KC_DB_PASSWORD                    | Database password                                                                                                                                                          |\n| KC_PROXY                          | The proxy address forwarding mode if the server is behind a reverse proxy. Possible values are: edge, reencrypt, passthrough. https://www.keycloak.org/server/reverseproxy |\n| KC_HOSTNAME_STRICT                | Disables dynamically resolving the hostname from request headers. Should always be set to true in production, unless the proxy verifies the Host header.                   |\n| KC_HOSTNAME_PORT                  | The port used by the proxy when exposing the hostname. Set this option if the proxy uses a port other than the default HTTP and HTTPS ports. Defaults to -1.               |\n| KC_CLIENT_TLS_ENABLED             | Enables TLS for Keycloak clients.                                                                                                                                          |\n| KC_CLIENT_TLS_TRUSTSTORE_PATH     | Truststore file path for Keycloak clients.                                                                                                                                 |\n| KC_CLIENT_TLS_TRUSTSTORE_PASSWORD | Truststore password for Keycloak clients.                                                                                                                                  |\n| KC_CLIENT_TLS_TRUSTSTORE_TYPE     | Truststore file type for Keycloak clients.                                                                                                                                 
|\n\n## Loading of client IDs/secrets\n\nThe module pulls the `client_secret` for a `client_id` from AWS Parameter Store, Vault or other reliable secret storage when it\nis required for login. The credentials are cached for 3600s.\n\n## Custom permission-capability mappings\n\nTo avoid issues that arise when mapping permissions to capabilities (such as overlapping capabilities caused by\nincorrect permission naming), mod-roles-keycloak provides a way to define a custom mapping from permission\nto capability via the file mappings-overrides.json, placed in the folio-permissions folder (see src/main/resources).\n\nIn this file one can define a custom mapping of a module-descriptor permission to a Eureka capability. For example:\n```json\n{\n  \"some.nonstandard.named.permission\": {\n    \"resource\": \"Nonstandard entity\",\n    \"action\": \"execute\",\n    \"type\": \"procedural\"\n  },\n  ...\n}\n```\n\nSee [Permissions naming convention](https://folio-org.atlassian.net/wiki/spaces/FOLIJET/pages/156368925/Permissions+naming+convention) for more\ninformation on permission properties such as \"action\", permission naming conventions and other permission-related\ninformation.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffolio-org%2Fmod-roles-keycloak","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffolio-org%2Fmod-roles-keycloak","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffolio-org%2Fmod-roles-keycloak/lists"}