From a793ce6d6a9ba1dd437503838cdf05f70ff1821c Mon Sep 17 00:00:00 2001
From: VanKHoiPham <van.pham@haw-hamburg.de>
Date: Mon, 27 May 2024 09:46:18 +0200
Subject: [PATCH 1/4] backend: integrate keycloak identity and access
 management

---
 .idea/.gitignore                              |  8 +++++
 .idea/compiler.xml                            | 18 ++++++++++
 .idea/encodings.xml                           |  7 ++++
 .idea/inspectionProfiles/Project_Default.xml  |  6 ++++
 .idea/jarRepositories.xml                     | 20 +++++++++++
 .idea/misc.xml                                | 17 ++++++++++
 .idea/modules.xml                             |  8 +++++
 .idea/teamagochi.iml                          | 16 +++++++++
 .idea/vcs.xml                                 |  6 ++++
 web_backend/pom.xml                           |  8 +++++
 .../java/authorization/AdminResource.java     | 18 ++++++++++
 .../java/authorization/UsersResource.java     | 34 +++++++++++++++++++
 .../src/main/resources/application.properties | 12 +++++++
 13 files changed, 178 insertions(+)
 create mode 100644 .idea/.gitignore
 create mode 100644 .idea/compiler.xml
 create mode 100644 .idea/encodings.xml
 create mode 100644 .idea/inspectionProfiles/Project_Default.xml
 create mode 100644 .idea/jarRepositories.xml
 create mode 100644 .idea/misc.xml
 create mode 100644 .idea/modules.xml
 create mode 100644 .idea/teamagochi.iml
 create mode 100644 .idea/vcs.xml
 create mode 100644 web_backend/src/main/java/authorization/AdminResource.java
 create mode 100644 web_backend/src/main/java/authorization/UsersResource.java

diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 00000000..13566b81
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
new file mode 100644
index 00000000..c86ed3f2
--- /dev/null
+++ b/.idea/compiler.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="CompilerConfiguration">
+    <annotationProcessing>
+      <profile name="Maven default annotation processors profile" enabled="true">
+        <sourceOutputDir name="target/generated-sources/annotations" />
+        <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
+        <outputRelativeToContentRoot value="true" />
+        <module name="backend" />
+      </profile>
+    </annotationProcessing>
+  </component>
+  <component name="JavacSettings">
+    <option name="ADDITIONAL_OPTIONS_OVERRIDE">
+      <module name="backend" options="-parameters" />
+    </option>
+  </component>
+</project>
\ No newline at end of file
diff --git a/.idea/encodings.xml b/.idea/encodings.xml
new file mode 100644
index 00000000..409b4958
--- /dev/null
+++ b/.idea/encodings.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="Encoding">
+    <file url="file://$PROJECT_DIR$/web_backend/src/main/java" charset="UTF-8" />
+    <file url="file://$PROJECT_DIR$/web_backend/src/main/resources" charset="UTF-8" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/.idea/inspectionProfiles/Project_Default.xml b/.idea/inspectionProfiles/Project_Default.xml
new file mode 100644
index 00000000..03d9549e
--- /dev/null
+++ b/.idea/inspectionProfiles/Project_Default.xml
@@ -0,0 +1,6 @@
+<component name="InspectionProjectProfileManager">
+  <profile version="1.0">
+    <option name="myName" value="Project Default" />
+    <inspection_tool class="Eslint" enabled="true" level="WARNING" enabled_by_default="true" />
+  </profile>
+</component>
\ No newline at end of file
diff --git a/.idea/jarRepositories.xml b/.idea/jarRepositories.xml
new file mode 100644
index 00000000..712ab9d9
--- /dev/null
+++ b/.idea/jarRepositories.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="RemoteRepositoriesConfiguration">
+    <remote-repository>
+      <option name="id" value="central" />
+      <option name="name" value="Central Repository" />
+      <option name="url" value="https://repo.maven.apache.org/maven2" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="central" />
+      <option name="name" value="Maven Central repository" />
+      <option name="url" value="https://repo1.maven.org/maven2" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="jboss.community" />
+      <option name="name" value="JBoss Community repository" />
+      <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
+    </remote-repository>
+  </component>
+</project>
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
new file mode 100644
index 00000000..42bdbbb5
--- /dev/null
+++ b/.idea/misc.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ExternalStorageConfigurationManager" enabled="true" />
+  <component name="FrameworkDetectionExcludesConfiguration">
+    <file type="Quarkus" url="file://$PROJECT_DIR$/web_backend" />
+  </component>
+  <component name="MavenProjectsManager">
+    <option name="originalFiles">
+      <list>
+        <option value="$PROJECT_DIR$/web_backend/pom.xml" />
+      </list>
+    </option>
+  </component>
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_21" default="true" project-jdk-name="21" project-jdk-type="JavaSDK">
+    <output url="file://$PROJECT_DIR$/out" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
new file mode 100644
index 00000000..a0f6d18c
--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/teamagochi.iml" filepath="$PROJECT_DIR$/.idea/teamagochi.iml" />
+    </modules>
+  </component>
+</project>
\ No newline at end of file
diff --git a/.idea/teamagochi.iml b/.idea/teamagochi.iml
new file mode 100644
index 00000000..544d0057
--- /dev/null
+++ b/.idea/teamagochi.iml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+  <component name="TemplatesService">
+    <option name="TEMPLATE_FOLDERS">
+      <list>
+        <option value="$MODULE_DIR$/platform/proxy/templates" />
+      </list>
+    </option>
+  </component>
+</module>
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 00000000..35eb1ddf
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="" vcs="Git" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/web_backend/pom.xml b/web_backend/pom.xml
index f3f1e961..48cd365f 100644
--- a/web_backend/pom.xml
+++ b/web_backend/pom.xml
@@ -50,6 +50,14 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-rest-jackson</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-oidc</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-keycloak-authorization</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-hibernate-orm-panache</artifactId>
diff --git a/web_backend/src/main/java/authorization/AdminResource.java b/web_backend/src/main/java/authorization/AdminResource.java
new file mode 100644
index 00000000..11aae5a5
--- /dev/null
+++ b/web_backend/src/main/java/authorization/AdminResource.java
@@ -0,0 +1,18 @@
+package authorization;
+
+import io.quarkus.security.Authenticated;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+
+@Path("/api/admin")
+@Authenticated
+public class AdminResource {
+
+  @GET
+  @Produces(MediaType.TEXT_PLAIN)
+  public String admin() {
+    return "granted";
+  }
+}
\ No newline at end of file
diff --git a/web_backend/src/main/java/authorization/UsersResource.java b/web_backend/src/main/java/authorization/UsersResource.java
new file mode 100644
index 00000000..2d714bfd
--- /dev/null
+++ b/web_backend/src/main/java/authorization/UsersResource.java
@@ -0,0 +1,34 @@
+package authorization;
+
+import io.quarkus.security.identity.SecurityIdentity;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import org.jboss.resteasy.reactive.NoCache;
+
+@Path("/api/users")
+public class UsersResource {
+
+  @Inject
+  SecurityIdentity identity;
+
+  @GET
+  @Path("/me")
+  @NoCache
+  public User me() {
+    return new User(identity);
+  }
+
+  public static class User {
+
+    private final String userName;
+
+    User(SecurityIdentity identity) {
+      this.userName = identity.getPrincipal().getName();
+    }
+
+    public String getUserName() {
+      return userName;
+    }
+  }
+}
\ No newline at end of file
diff --git a/web_backend/src/main/resources/application.properties b/web_backend/src/main/resources/application.properties
index ae367fd5..f37306f6 100644
--- a/web_backend/src/main/resources/application.properties
+++ b/web_backend/src/main/resources/application.properties
@@ -18,6 +18,18 @@ quarkus.rest-client.leshan-event-api.http2=true
 # General
 %test.quarkus.http.test-timeout=5s
 
+quarkus.http.cors=true
+quarkus.http.cors.origins=*
+
+## OIDC Configuration
+quarkus.oidc.auth-server-url=http://localhost:4000/kc/realms/teamagochi
+quarkus.oidc.client-id=teamagochi-backend
+quarkus.oidc.credentials.secret=9I0F8oZ7UHIzTzMm4FgLMfgSmId9L8T5
+quarkus.oidc.tls.verification=none
+
+## Enable Policy Enforcement
+quarkus.keycloak.policy-enforcer.enable=true
+
 # Services
 quarkus.rest.path=/api
 

From 56feee8936fd4b806b8ce8b9850c5f17409d3331 Mon Sep 17 00:00:00 2001
From: ozfox <ozfox@posteo.de>
Date: Wed, 12 Jun 2024 10:36:27 +0200
Subject: [PATCH 2/4] backend: remove redundant root .idea directory

---
 .idea/.gitignore                             |  8 --------
 .idea/compiler.xml                           | 18 ------------------
 .idea/encodings.xml                          |  7 -------
 .idea/inspectionProfiles/Project_Default.xml |  6 ------
 .idea/jarRepositories.xml                    | 20 --------------------
 .idea/misc.xml                               | 17 -----------------
 .idea/modules.xml                            |  8 --------
 .idea/teamagochi.iml                         | 16 ----------------
 .idea/vcs.xml                                |  6 ------
 9 files changed, 106 deletions(-)
 delete mode 100644 .idea/.gitignore
 delete mode 100644 .idea/compiler.xml
 delete mode 100644 .idea/encodings.xml
 delete mode 100644 .idea/inspectionProfiles/Project_Default.xml
 delete mode 100644 .idea/jarRepositories.xml
 delete mode 100644 .idea/misc.xml
 delete mode 100644 .idea/modules.xml
 delete mode 100644 .idea/teamagochi.iml
 delete mode 100644 .idea/vcs.xml

diff --git a/.idea/.gitignore b/.idea/.gitignore
deleted file mode 100644
index 13566b81..00000000
--- a/.idea/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
-# Editor-based HTTP Client requests
-/httpRequests/
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
deleted file mode 100644
index c86ed3f2..00000000
--- a/.idea/compiler.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="CompilerConfiguration">
-    <annotationProcessing>
-      <profile name="Maven default annotation processors profile" enabled="true">
-        <sourceOutputDir name="target/generated-sources/annotations" />
-        <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
-        <outputRelativeToContentRoot value="true" />
-        <module name="backend" />
-      </profile>
-    </annotationProcessing>
-  </component>
-  <component name="JavacSettings">
-    <option name="ADDITIONAL_OPTIONS_OVERRIDE">
-      <module name="backend" options="-parameters" />
-    </option>
-  </component>
-</project>
\ No newline at end of file
diff --git a/.idea/encodings.xml b/.idea/encodings.xml
deleted file mode 100644
index 409b4958..00000000
--- a/.idea/encodings.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="Encoding">
-    <file url="file://$PROJECT_DIR$/web_backend/src/main/java" charset="UTF-8" />
-    <file url="file://$PROJECT_DIR$/web_backend/src/main/resources" charset="UTF-8" />
-  </component>
-</project>
\ No newline at end of file
diff --git a/.idea/inspectionProfiles/Project_Default.xml b/.idea/inspectionProfiles/Project_Default.xml
deleted file mode 100644
index 03d9549e..00000000
--- a/.idea/inspectionProfiles/Project_Default.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<component name="InspectionProjectProfileManager">
-  <profile version="1.0">
-    <option name="myName" value="Project Default" />
-    <inspection_tool class="Eslint" enabled="true" level="WARNING" enabled_by_default="true" />
-  </profile>
-</component>
\ No newline at end of file
diff --git a/.idea/jarRepositories.xml b/.idea/jarRepositories.xml
deleted file mode 100644
index 712ab9d9..00000000
--- a/.idea/jarRepositories.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="RemoteRepositoriesConfiguration">
-    <remote-repository>
-      <option name="id" value="central" />
-      <option name="name" value="Central Repository" />
-      <option name="url" value="https://repo.maven.apache.org/maven2" />
-    </remote-repository>
-    <remote-repository>
-      <option name="id" value="central" />
-      <option name="name" value="Maven Central repository" />
-      <option name="url" value="https://repo1.maven.org/maven2" />
-    </remote-repository>
-    <remote-repository>
-      <option name="id" value="jboss.community" />
-      <option name="name" value="JBoss Community repository" />
-      <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
-    </remote-repository>
-  </component>
-</project>
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
deleted file mode 100644
index 42bdbbb5..00000000
--- a/.idea/misc.xml
+++ /dev/null
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ExternalStorageConfigurationManager" enabled="true" />
-  <component name="FrameworkDetectionExcludesConfiguration">
-    <file type="Quarkus" url="file://$PROJECT_DIR$/web_backend" />
-  </component>
-  <component name="MavenProjectsManager">
-    <option name="originalFiles">
-      <list>
-        <option value="$PROJECT_DIR$/web_backend/pom.xml" />
-      </list>
-    </option>
-  </component>
-  <component name="ProjectRootManager" version="2" languageLevel="JDK_21" default="true" project-jdk-name="21" project-jdk-type="JavaSDK">
-    <output url="file://$PROJECT_DIR$/out" />
-  </component>
-</project>
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
deleted file mode 100644
index a0f6d18c..00000000
--- a/.idea/modules.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ProjectModuleManager">
-    <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/teamagochi.iml" filepath="$PROJECT_DIR$/.idea/teamagochi.iml" />
-    </modules>
-  </component>
-</project>
\ No newline at end of file
diff --git a/.idea/teamagochi.iml b/.idea/teamagochi.iml
deleted file mode 100644
index 544d0057..00000000
--- a/.idea/teamagochi.iml
+++ /dev/null
@@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="JAVA_MODULE" version="4">
-  <component name="NewModuleRootManager" inherit-compiler-output="true">
-    <exclude-output />
-    <content url="file://$MODULE_DIR$" />
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-  </component>
-  <component name="TemplatesService">
-    <option name="TEMPLATE_FOLDERS">
-      <list>
-        <option value="$MODULE_DIR$/platform/proxy/templates" />
-      </list>
-    </option>
-  </component>
-</module>
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
deleted file mode 100644
index 35eb1ddf..00000000
--- a/.idea/vcs.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="VcsDirectoryMappings">
-    <mapping directory="" vcs="Git" />
-  </component>
-</project>
\ No newline at end of file

From a0dac69ecf0e0cf37763a2f7cceb67250c3ec501 Mon Sep 17 00:00:00 2001
From: ozfox <ozfox@posteo.de>
Date: Wed, 12 Jun 2024 12:29:50 +0200
Subject: [PATCH 3/4] backend: update auth config

---
 .../java/authorization/AdminResource.java     | 18 ----------
 .../java/authorization/UsersResource.java     | 34 -------------------
 .../src/main/resources/application.properties | 11 +++++-
 3 files changed, 10 insertions(+), 53 deletions(-)
 delete mode 100644 web_backend/src/main/java/authorization/AdminResource.java
 delete mode 100644 web_backend/src/main/java/authorization/UsersResource.java

diff --git a/web_backend/src/main/java/authorization/AdminResource.java b/web_backend/src/main/java/authorization/AdminResource.java
deleted file mode 100644
index 11aae5a5..00000000
--- a/web_backend/src/main/java/authorization/AdminResource.java
+++ /dev/null
@@ -1,18 +0,0 @@
-package authorization;
-
-import io.quarkus.security.Authenticated;
-import jakarta.ws.rs.GET;
-import jakarta.ws.rs.Path;
-import jakarta.ws.rs.Produces;
-import jakarta.ws.rs.core.MediaType;
-
-@Path("/api/admin")
-@Authenticated
-public class AdminResource {
-
-  @GET
-  @Produces(MediaType.TEXT_PLAIN)
-  public String admin() {
-    return "granted";
-  }
-}
\ No newline at end of file
diff --git a/web_backend/src/main/java/authorization/UsersResource.java b/web_backend/src/main/java/authorization/UsersResource.java
deleted file mode 100644
index 2d714bfd..00000000
--- a/web_backend/src/main/java/authorization/UsersResource.java
+++ /dev/null
@@ -1,34 +0,0 @@
-package authorization;
-
-import io.quarkus.security.identity.SecurityIdentity;
-import jakarta.inject.Inject;
-import jakarta.ws.rs.GET;
-import jakarta.ws.rs.Path;
-import org.jboss.resteasy.reactive.NoCache;
-
-@Path("/api/users")
-public class UsersResource {
-
-  @Inject
-  SecurityIdentity identity;
-
-  @GET
-  @Path("/me")
-  @NoCache
-  public User me() {
-    return new User(identity);
-  }
-
-  public static class User {
-
-    private final String userName;
-
-    User(SecurityIdentity identity) {
-      this.userName = identity.getPrincipal().getName();
-    }
-
-    public String getUserName() {
-      return userName;
-    }
-  }
-}
\ No newline at end of file
diff --git a/web_backend/src/main/resources/application.properties b/web_backend/src/main/resources/application.properties
index f37306f6..fb19f402 100644
--- a/web_backend/src/main/resources/application.properties
+++ b/web_backend/src/main/resources/application.properties
@@ -24,11 +24,20 @@ quarkus.http.cors.origins=*
 ## OIDC Configuration
 quarkus.oidc.auth-server-url=http://localhost:4000/kc/realms/teamagochi
 quarkus.oidc.client-id=teamagochi-backend
-quarkus.oidc.credentials.secret=9I0F8oZ7UHIzTzMm4FgLMfgSmId9L8T5
+quarkus.oidc.credentials.secret=5DACLJH84KTWBG22UpdnS9DSjVCIu5zB
 quarkus.oidc.tls.verification=none
 
 ## Enable Policy Enforcement
 quarkus.keycloak.policy-enforcer.enable=true
+quarkus.keycloak.policy-enforcer.enforcement-mode=ENFORCING
+quarkus.keycloak.policy-enforcer.lazy-load-paths=true
+
+## Policy rules
+## For enforcement modes, see https://www.keycloak.org/docs/latest/authorization_services/#resource_server_settings.
+quarkus.keycloak.policy-enforcer.paths.q.paths=/q/*
+quarkus.keycloak.policy-enforcer.paths.q.enforcement-mode=DISABLED
+#%dev.quarkus.keycloak.policy-enforcer.paths.admin.paths=/api/v1/*
+#%dev.quarkus.keycloak.policy-enforcer.paths.admin.enforcement-mode=ENFORCING
 
 # Services
 quarkus.rest.path=/api

From 2e7872f77cf15de6b4c010dbef8b60196a9b82a3 Mon Sep 17 00:00:00 2001
From: ozfox <ozfox@posteo.de>
Date: Wed, 12 Jun 2024 12:59:26 +0200
Subject: [PATCH 4/4] backend: update keycloak exports

---
 .../keycloak/import/teamagochi-realm.json     | 149 +++++++++++++++++-
 .../keycloak/import/teamagochi-users-0.json   |  17 ++
 2 files changed, 158 insertions(+), 8 deletions(-)

diff --git a/platform/data/keycloak/import/teamagochi-realm.json b/platform/data/keycloak/import/teamagochi-realm.json
index 37b5ea82..7e5e8067 100644
--- a/platform/data/keycloak/import/teamagochi-realm.json
+++ b/platform/data/keycloak/import/teamagochi-realm.json
@@ -163,7 +163,7 @@
         "composite" : true,
         "composites" : {
           "client" : {
-            "realm-management" : [ "query-clients", "view-authorization", "manage-events", "query-realms", "view-clients", "manage-clients", "manage-identity-providers", "manage-authorization", "view-realm", "query-users", "manage-users", "view-users", "view-events", "impersonation", "query-groups", "view-identity-providers", "manage-realm", "create-client" ]
+            "realm-management" : [ "query-clients", "manage-events", "query-realms", "view-authorization", "view-clients", "manage-clients", "manage-authorization", "manage-identity-providers", "query-users", "view-realm", "manage-users", "view-users", "view-events", "impersonation", "query-groups", "manage-realm", "view-identity-providers", "create-client" ]
           }
         },
         "clientRole" : true,
@@ -260,6 +260,14 @@
         "containerId" : "170a66cb-fab5-46c2-a431-52a4e2bca0c2",
         "attributes" : { }
       } ],
+      "teamagochi-backend" : [ {
+        "id" : "ec5e0914-ed24-4c17-a935-20218b2ae0a4",
+        "name" : "uma_protection",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "572af9f9-5d8e-4bba-a3b4-b011538224a1",
+        "attributes" : { }
+      } ],
       "account" : [ {
         "id" : "9a0b1513-1734-46d4-ab19-9bda18db493e",
         "name" : "delete-account",
@@ -487,7 +495,9 @@
     "publicClient" : true,
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
-    "attributes" : { },
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
     "nodeReRegistrationTimeout" : 0,
@@ -513,7 +523,9 @@
     "publicClient" : false,
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
-    "attributes" : { },
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
     "nodeReRegistrationTimeout" : 0,
@@ -539,7 +551,9 @@
     "publicClient" : false,
     "frontchannelLogout" : false,
     "protocol" : "openid-connect",
-    "attributes" : { },
+    "attributes" : {
+      "post.logout.redirect.uris" : "+"
+    },
     "authenticationFlowBindingOverrides" : { },
     "fullScopeAllowed" : false,
     "nodeReRegistrationTimeout" : 0,
@@ -592,6 +606,123 @@
     } ],
     "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ],
     "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "572af9f9-5d8e-4bba-a3b4-b011538224a1",
+    "clientId" : "teamagochi-backend",
+    "name" : "Teamagochi Backend-Application",
+    "description" : "",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "secret" : "5DACLJH84KTWBG22UpdnS9DSjVCIu5zB",
+    "redirectUris" : [ "*" ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : true,
+    "serviceAccountsEnabled" : true,
+    "authorizationServicesEnabled" : true,
+    "publicClient" : false,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "oidc.ciba.grant.enabled" : "false",
+      "client.secret.creation.time" : "1718119262",
+      "backchannel.logout.session.required" : "true",
+      "post.logout.redirect.uris" : "+",
+      "oauth2.device.authorization.grant.enabled" : "false",
+      "backchannel.logout.revoke.offline.tokens" : "false"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : true,
+    "nodeReRegistrationTimeout" : -1,
+    "protocolMappers" : [ {
+      "id" : "25f931c8-a8cf-4186-ab17-74719cb0e8ea",
+      "name" : "Client ID",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.session.note" : "clientId",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "clientId",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "bc569e0e-2594-45b5-9c37-cc7dfb8814ec",
+      "name" : "Client IP Address",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.session.note" : "clientAddress",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "clientAddress",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "47020231-057a-4f04-b94b-4bf8b66abea5",
+      "name" : "Client Host",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.session.note" : "clientHost",
+        "userinfo.token.claim" : "true",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "clientHost",
+        "jsonType.label" : "String"
+      }
+    } ],
+    "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ],
+    "authorizationSettings" : {
+      "allowRemoteResourceManagement" : true,
+      "policyEnforcementMode" : "ENFORCING",
+      "resources" : [ {
+        "name" : "User Resource",
+        "type" : "urn:teamagochi-backend:resources:user",
+        "ownerManagedAccess" : false,
+        "displayName" : "",
+        "attributes" : { },
+        "_id" : "6cc44cd6-f46b-49bf-b124-3ad96a879862",
+        "uris" : [ "/*" ],
+        "icon_uri" : ""
+      } ],
+      "policies" : [ {
+        "id" : "b6fc530d-8dff-43a3-bf6e-27eff806517e",
+        "name" : "Any User",
+        "description" : "Any user granted with the default roles can access something",
+        "type" : "role",
+        "logic" : "POSITIVE",
+        "decisionStrategy" : "UNANIMOUS",
+        "config" : {
+          "roles" : "[{\"id\":\"default-roles-teamagochi\",\"required\":false}]"
+        }
+      }, {
+        "id" : "c9a1d39b-133a-487f-b30f-1a7032ecefc7",
+        "name" : "User Resource Permission",
+        "description" : "Any User (Policy)",
+        "type" : "resource",
+        "logic" : "POSITIVE",
+        "decisionStrategy" : "UNANIMOUS",
+        "config" : {
+          "resources" : "[\"User Resource\"]",
+          "applyPolicies" : "[\"Any User\"]"
+        }
+      } ],
+      "scopes" : [ ],
+      "decisionStrategy" : "UNANIMOUS"
+    }
   }, {
     "id" : "2f665b71-cea9-4830-a171-1980e9fc4ee6",
     "clientId" : "teamagochi-webapp",
@@ -888,6 +1019,7 @@
       "config" : {
         "introspection.token.claim" : "true",
         "multivalued" : "true",
+        "userinfo.token.claim" : "true",
         "user.attribute" : "foo",
         "id.token.claim" : "true",
         "access.token.claim" : "true",
@@ -1062,7 +1194,8 @@
       "config" : {
         "id.token.claim" : "true",
         "introspection.token.claim" : "true",
-        "access.token.claim" : "true"
+        "access.token.claim" : "true",
+        "userinfo.token.claim" : "true"
       }
     } ]
   }, {
@@ -1171,7 +1304,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-full-name-mapper" ]
       }
     }, {
       "id" : "59a69e26-7bca-418b-bdb0-c538d42c7f99",
@@ -1180,7 +1313,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "saml-role-list-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper" ]
       }
     }, {
       "id" : "75f731da-45cd-43ad-a244-67d8f59fd1c2",
@@ -1844,8 +1977,8 @@
   "attributes" : {
     "cibaBackchannelTokenDeliveryMode" : "poll",
     "cibaAuthRequestedUserHint" : "login_hint",
-    "oauth2DevicePollingInterval" : "5",
     "clientOfflineSessionMaxLifespan" : "0",
+    "oauth2DevicePollingInterval" : "5",
     "clientSessionIdleTimeout" : "0",
     "clientOfflineSessionIdleTimeout" : "0",
     "cibaInterval" : "5",
diff --git a/platform/data/keycloak/import/teamagochi-users-0.json b/platform/data/keycloak/import/teamagochi-users-0.json
index 9ba45d96..17ee8e5f 100644
--- a/platform/data/keycloak/import/teamagochi-users-0.json
+++ b/platform/data/keycloak/import/teamagochi-users-0.json
@@ -1,6 +1,23 @@
 {
   "realm" : "teamagochi",
   "users" : [ {
+    "id" : "0a02ff2c-b109-4f06-ad78-cc19eb50e6d5",
+    "username" : "service-account-teamagochi-backend",
+    "emailVerified" : false,
+    "createdTimestamp" : 1718119156026,
+    "enabled" : true,
+    "totp" : false,
+    "serviceAccountClientId" : "teamagochi-backend",
+    "credentials" : [ ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "default-roles-teamagochi" ],
+    "clientRoles" : {
+      "teamagochi-backend" : [ "uma_protection" ]
+    },
+    "notBefore" : 0,
+    "groups" : [ ]
+  }, {
     "id" : "e1fd1cdf-924c-4c13-b5de-2594ac8f1231",
     "username" : "testmanager01",
     "email" : "testmanager01@teamagochi.local",