Add infra/keycloak/docker-compose.yml (Keycloak 26.1, dev mode, --import-realm) with four realms imported at boot (infra/keycloak/realms/*.json): digid, eherkenning, eidas, medewerker. Each has a public big-portal OIDC client (standard flow + direct access grants) and test users; protocol mappers inject the identifying claims (bsn / kvk / eidas_id) and medewerker realm roles. Add `make keycloak-up/keycloak-smoke/keycloak-down`; keycloak-smoke runs infra/keycloak/check_realms.py (password-grant login per realm, asserts the claim). Document credentials in docs/synthetic-data.md and a runbook. Verified: `make keycloak-smoke` green — all four realms log in and return the expected claims (bsn 123456782, kvk 12345678, eidas_id FR/NL..., role behandelaar). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
45 lines
1.2 KiB
JSON
45 lines
1.2 KiB
JSON
{
|
|
"realm": "medewerker",
|
|
"enabled": true,
|
|
"displayName": "Medewerkers",
|
|
"roles": {
|
|
"realm": [
|
|
{ "name": "behandelaar", "description": "Behandelt registratieaanvragen" },
|
|
{ "name": "teamlead", "description": "Teamleider behandeling" }
|
|
]
|
|
},
|
|
"clients": [
|
|
{
|
|
"clientId": "big-portal",
|
|
"enabled": true,
|
|
"publicClient": true,
|
|
"standardFlowEnabled": true,
|
|
"directAccessGrantsEnabled": true,
|
|
"redirectUris": ["*"],
|
|
"webOrigins": ["*"]
|
|
}
|
|
],
|
|
"users": [
|
|
{
|
|
"username": "merel-behandelaar",
|
|
"enabled": true,
|
|
"firstName": "Merel",
|
|
"lastName": "Behandelaar",
|
|
"email": "merel@big.example.nl",
|
|
"emailVerified": true,
|
|
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
|
"realmRoles": ["behandelaar"]
|
|
},
|
|
{
|
|
"username": "tom-teamlead",
|
|
"enabled": true,
|
|
"firstName": "Tom",
|
|
"lastName": "Teamlead",
|
|
"email": "tom@big.example.nl",
|
|
"emailVerified": true,
|
|
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
|
"realmRoles": ["behandelaar", "teamlead"]
|
|
}
|
|
]
|
|
}
|