- {relationLabel(item.relation as RelationOption)}
+
+
+
+ {relationLabel(item.relation as RelationOption)}
+
+
+ handleInfoToggle(
+ e,
+ item.relation as RelationOption,
+ )
+ }
+ >
+
+
+ {infoRelation === item.relation && (
+
+ {relationPermitsInfo(
+ item.relation as RelationOption,
+ )}
+
+ )}
{relationDescription(item.relation as RelationOption)}
diff --git a/devfront/src/lib/devApi.ts b/devfront/src/lib/devApi.ts
index 0a6574f2..f1422f59 100644
--- a/devfront/src/lib/devApi.ts
+++ b/devfront/src/lib/devApi.ts
@@ -12,6 +12,8 @@ export type ClientSummary = {
clientSecret?: string;
tokenEndpointAuthMethod?: string;
jwksUri?: string;
+ backchannelLogoutUri?: string;
+ backchannelLogoutSessionRequired?: boolean;
redirectUris: string[];
scopes: string[];
metadata?: Record;
@@ -118,6 +120,8 @@ export type ClientUpsertRequest = {
responseTypes?: string[];
tokenEndpointAuthMethod?: string;
jwksUri?: string;
+ backchannelLogoutUri?: string;
+ backchannelLogoutSessionRequired?: boolean;
metadata?: Record;
};
diff --git a/devfront/src/locales/en.toml b/devfront/src/locales/en.toml
index 8212652f..3733475c 100644
--- a/devfront/src/locales/en.toml
+++ b/devfront/src/locales/en.toml
@@ -324,6 +324,19 @@ loaded_count = "Loaded {{count}} rows"
loading = "Loading audit logs..."
subtitle = "Shows DevFront activity history within current tenant/app scope."
+[msg.dev.request]
+admin_desc = "Manage developer access requests submitted by users."
+approved = "Approved."
+cancelled = "Approval has been cancelled."
+empty = "No requests found."
+need_cancel_notes = "Please enter a reason for cancelling approval."
+need_notes = "Please enter a rejection reason."
+rejected = "Rejected."
+user_desc = "Review your request history and submit a new access request."
+
+[msg.dev.request.modal]
+desc = "Please enter the reason for your request. It will be approved after administrator review."
+
[msg.dev.clients]
load_error = "Error loading clients: {{error}}"
loading = "Loading apps..."
@@ -362,6 +375,7 @@ create_forbidden = "You do not have permission to create this RP. Ask an adminis
save_error = "Save Error"
save_forbidden = "You do not have permission to edit this RP. Ask an administrator to grant RP General Settings or RP Admin relationship."
secret_rotated = "Secret Rotated"
+secret_not_applicable = "PKCE apps do not have a client secret."
secret_unavailable = "SECRET_NOT_AVAILABLE"
subtitle = "Manage OIDC credentials and endpoints."
@@ -375,6 +389,8 @@ note = "Keep endpoints read-only, and tie secret rotation/copy actions to audit
[msg.dev.clients.general]
load_error = "Error loading client: {{error}}"
loading = "Loading client..."
+read_only_forbidden = "You do not have permission to edit this RP's general settings."
+read_only_hint = "Only users with the `RP Admin` or `RP General Settings` relationship can edit this RP's general settings."
saved = "Saved"
save_error = "Failed to save: {{error}}"
save_forbidden = "You do not have permission to edit this RP. Ask an administrator to grant RP General Settings or RP Admin relationship."
@@ -416,11 +432,27 @@ subtitle = "Set the application name, description, and logo."
[msg.dev.clients.general.redirect]
help = "Enter the redirect URIs. You can modify them in the Federation tab after creation."
+[msg.dev.clients.general.backchannel_logout]
+uri_help = "RP endpoint that receives Baron's session termination event via server-to-server POST."
+invalid = "The Back-Channel Logout URI format is invalid. Production requires https, and local development only allows http on localhost/127.0.0.1."
+session_required_help = "Use this when the RP should process logout_token only if the sid claim is included."
+session_required_on = "On: process logout only when the logout_token contains a sid."
+session_required_off = "Off: process logout using sub even if sid is missing."
+
[msg.dev.clients.general.scopes]
empty = "No scopes registered."
subtitle = "Define the permission scopes this application can request."
tenant = "Tenant access claim"
+[msg.dev.clients.general.id_token_claims]
+subtitle = "Separate shared claims from RP-specific extension claims."
+empty = "No ID Token claims have been added yet."
+hint = "Use top-level for shared claims and rp_claims for RP-specific extension claims. Arrays accept JSON or comma-separated values, and objects accept JSON."
+preview_hint = "Preview the metadata.id_token_claims structure that will be saved."
+key_required = "Enter a claim key."
+reserved_key = "`rp_claims` is a reserved namespace key."
+duplicate_key = "Duplicate claim key: {{namespace}}.{{key}}"
+
[msg.dev.clients.general.security]
private_help = "Server side App: For apps that can safely store a client secret, such as Node.js or Java servers."
pkce_help = "PKCE App (SPA/Mobile): For apps that cannot safely store a client secret. PKCE is mandatory."
@@ -1288,12 +1320,45 @@ scope_badge = "Scoped to /dev"
[ui.dev.nav]
audit_logs = "Audit Logs"
clients = "Connected Application"
+developer_request = "Developer Access Request"
logout = "Logout"
[ui.dev.audit]
load_more = "Load more"
title = "Audit Logs"
+[ui.dev.request]
+admin_notes_placeholder = "Enter note (optional)..."
+cancel_approval = "Cancel Approval"
+cancel_notes_placeholder = "Enter reason for approval cancellation..."
+
+[ui.dev.request.list]
+title = "Request History"
+
+[ui.dev.request.modal]
+email = "Email"
+name = "Name"
+org = "Organization"
+phone = "Phone Number"
+reason = "Reason"
+reason_placeholder = "e.g. I need to create an OIDC client for internal service integration and testing."
+role = "Role"
+title = "Developer Access Request"
+
+[ui.dev.request.status]
+approved = "Approved"
+cancelled = "Approval Cancelled"
+pending = "Pending"
+rejected = "Rejected"
+
+[ui.dev.request.table]
+actions = "Actions"
+date = "Requested At"
+org = "Organization"
+reason = "Reason"
+status = "Status"
+user = "User"
+
[ui.dev.audit.registry]
title = "Audit registry"
@@ -1426,6 +1491,12 @@ title = "Application Identity"
label = "Redirect URIs"
placeholder = "Placeholder"
+[ui.dev.clients.general.backchannel_logout]
+uri = "Back-Channel Logout URI"
+uri_placeholder = "https://rp.example.com/oidc/backchannel-logout"
+session_required = "SID Claim Required"
+session_required_info = "Show SID Claim Required help"
+
[ui.dev.clients.general.scopes]
add = "Scope Add"
description_placeholder = "Description Placeholder"
@@ -1452,6 +1523,22 @@ hint = "Turning this on adds the tenant scope automatically and requires at leas
autocomplete_hint = "Type a tenant name to see autocomplete suggestions. Click one to add it to the allowed list."
validation_required = "Select at least one allowed tenant when tenant access restriction is enabled."
+[ui.dev.clients.general.id_token_claims]
+title = "Custom Claims"
+add = "Add Claim"
+preview_title = "Saved JSON Preview"
+namespace_label = "Claim namespace"
+namespace_top_level = "top-level"
+namespace_rp_claims = "rp_claims"
+value_type_label = "Claim value type"
+value_type_text = "Text"
+value_type_number = "Number"
+value_type_boolean = "Boolean"
+value_type_array = "Array"
+value_type_object = "Object"
+key_placeholder = "e.g. locale"
+value_placeholder = "Enter the claim value"
+
[ui.dev.clients.general.security]
private = "Server Side App"
pkce = "PKCE"
@@ -1505,6 +1592,7 @@ user_search_placeholder = "Search by name or email..."
[ui.dev.clients.relationships.option.admins]
label = "RP Admin"
description = "Full administrator relationship for RP operations."
+permits_info = "Has full administrative control over the RP, including config editing, secret management, JWKS, consents, and relationships."
[ui.dev.clients.relationships.option.creator]
label = "RP Creator"
@@ -1513,38 +1601,47 @@ description = "Marks the operator who created this RP."
[ui.dev.clients.relationships.option.config_editor]
label = "RP General Settings"
description = "Edit the name, redirect URIs, and general metadata."
+permits_info = "Can modify general RP settings such as Name, Redirect URIs, Post-Logout URIs, and metadata."
[ui.dev.clients.relationships.option.secret_viewer]
label = "Secret View"
description = "View the Client secret for this RP."
+permits_info = "Can view the Client Secret value in plain text."
[ui.dev.clients.relationships.option.secret_rotator]
label = "Secret Rotation"
description = "Rotate and reissue the client secret."
+permits_info = "Can regenerate the Client Secret or expire and rotate existing secrets."
[ui.dev.clients.relationships.option.jwks_viewer]
label = "JWKS View"
description = "View JWKS status, cache details, and key summaries."
+permits_info = "Can view JWKS status, cached key information, and key summaries."
[ui.dev.clients.relationships.option.jwks_operator]
label = "JWKS Operations"
description = "Run operational actions such as refresh and revoke."
+permits_info = "Can perform JWKS operations such as manual refresh and key revocation."
[ui.dev.clients.relationships.option.consent_viewer]
label = "Consent View"
description = "View consent grants for this RP."
+permits_info = "Can view the history of user consents granted to this RP."
[ui.dev.clients.relationships.option.consent_revoker]
label = "Consent Revoke"
description = "Revoke consent grants for this RP."
+permits_info = "Can revoke or cancel user consents granted to this RP."
[ui.dev.clients.relationships.option.relationship_viewer]
label = "Relationship View"
description = "View direct relations assigned to this RP."
+permits_info = "Can view the list of direct relationships and administrative roles assigned to this RP."
[ui.dev.clients.relationships.option.audit_viewer]
label = "Audit Log View"
description = "View DevFront audit logs for this RP."
+permits_info = "Can view DevFront audit logs for all configuration changes and operations on this RP."
[ui.dev.clients.relationships.option.status_operator]
label = "Status Change"
diff --git a/devfront/src/locales/ko.toml b/devfront/src/locales/ko.toml
index 72729806..912012ca 100644
--- a/devfront/src/locales/ko.toml
+++ b/devfront/src/locales/ko.toml
@@ -324,6 +324,19 @@ loaded_count = "로드된 로그 {{count}}건"
loading = "감사 로그를 불러오는 중..."
subtitle = "현재 테넌트/앱 범위의 DevFront 작업 이력을 조회합니다."
+[msg.dev.request]
+admin_desc = "사용자들의 개발자 권한 신청 내역을 관리합니다."
+approved = "승인되었습니다."
+cancelled = "승인이 취소되었습니다."
+empty = "신청 내역이 없습니다."
+need_cancel_notes = "승인 취소 사유를 입력해주세요."
+need_notes = "반려 사유를 입력해주세요."
+rejected = "반려되었습니다."
+user_desc = "내 신청 내역을 확인하고 새로운 권한을 신청할 수 있습니다."
+
+[msg.dev.request.modal]
+desc = "신청 사유를 입력해 주세요. 관리자 확인 후 승인됩니다."
+
[msg.dev.clients]
deleted = "앱이 삭제되었습니다."
delete_confirm = "정말로 이 앱을 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다."
@@ -362,6 +375,7 @@ create_forbidden = "이 RP를 생성할 권한이 없습니다.\n관리자에게
save_error = "저장 실패: {{error}}"
save_forbidden = "이 RP 설정을 수정할 권한이 없습니다.\n관리자에게 RP 일반 설정 또는 RP 관리자 관계 부여를 요청해 주세요."
secret_rotated = "Client Secret이 재발급되었습니다."
+secret_not_applicable = "PKCE 앱에는 Client Secret이 없습니다."
secret_unavailable = "SECRET_NOT_AVAILABLE"
subtitle = "OIDC 자격 증명과 엔드포인트를 관리합니다."
@@ -375,6 +389,8 @@ note = "엔드포인트는 읽기 전용으로 유지하고, 비밀키 재발행
[msg.dev.clients.general]
load_error = "클라이언트 정보를 불러오지 못했습니다: {{error}}"
loading = "클라이언트 정보를 불러오는 중..."
+read_only_forbidden = "이 RP의 일반 설정을 수정할 권한이 없습니다."
+read_only_hint = "이 RP의 일반 설정은 `RP 관리자` 또는 `RP 일반 설정` 관계가 있는 사용자만 수정할 수 있습니다."
save_error = "저장 실패: {{error}}"
save_forbidden = "이 RP 설정을 수정할 권한이 없습니다.\n관리자에게 RP 일반 설정 또는 RP 관리자 관계 부여를 요청해 주세요."
saved = "설정이 저장되었습니다."
@@ -416,11 +432,27 @@ subtitle = "앱 이름과 설명, 로고를 설정합니다."
[msg.dev.clients.general.redirect]
help = "인증 후 리다이렉트될 URI를 입력하세요. 생성 후 연동 설정 탭에서 수정 가능합니다."
+[msg.dev.clients.general.backchannel_logout]
+uri_help = "Baron이 세션 종료 이벤트를 서버 간 POST로 전달할 RP endpoint입니다."
+invalid = "Back-Channel Logout URI 형식이 올바르지 않습니다. 운영 환경은 https, 로컬 개발 환경은 localhost/127.0.0.1의 http만 허용됩니다."
+session_required_help = "RP가 logout_token에 sid claim이 포함된 경우에만 처리하도록 요구할 때 사용합니다."
+session_required_on = "켜면: logout_token 안에 sid가 있을 때만 로그아웃 처리"
+session_required_off = "끄면: sid가 없어도 sub만으로 로그아웃 처리 가능"
+
[msg.dev.clients.general.scopes]
empty = "등록된 스코프가 없습니다."
subtitle = "이 앱이 요청할 수 있는 권한 범위를 정의합니다."
tenant = "소속 테넌트 정보 접근"
+[msg.dev.clients.general.id_token_claims]
+subtitle = "공통 claim과 RP 전용 확장 claim을 구분해서 관리합니다."
+empty = "아직 추가된 ID Token claim이 없습니다."
+hint = "top-level은 공통 claim에, rp_claims는 RP 전용 확장 claim에 사용합니다. 배열은 JSON 또는 콤마 구분 문자열, 객체는 JSON을 입력하면 됩니다."
+preview_hint = "저장될 metadata.id_token_claims 구조를 미리 확인할 수 있습니다."
+key_required = "Claim key를 입력해야 합니다."
+reserved_key = "`rp_claims`는 예약된 namespace 키입니다."
+duplicate_key = "중복된 claim key가 있습니다: {{namespace}}.{{key}}"
+
[msg.dev.clients.general.security]
pkce_help = "PKCE 앱 (SPA/모바일): 브라우저나 앱처럼 비밀키를 보관하기 어려운 경우 사용하며, PKCE가 강제됩니다."
private_help = "Server side App (서버 사이드 앱): Node.js, Java 등 비밀키를 안전하게 보관 가능한 경우 사용합니다."
@@ -1288,12 +1320,45 @@ scope_badge = "Scoped to /dev"
[ui.dev.nav]
audit_logs = "감사 로그"
clients = "연동 앱"
+developer_request = "개발자 권한 신청"
logout = "로그아웃"
[ui.dev.audit]
load_more = "더 보기"
title = "감사 로그"
+[ui.dev.request]
+admin_notes_placeholder = "메모 입력 (선택)..."
+cancel_approval = "승인 취소"
+cancel_notes_placeholder = "승인 취소 사유 입력..."
+
+[ui.dev.request.list]
+title = "신청 내역"
+
+[ui.dev.request.modal]
+email = "이메일"
+name = "성함"
+org = "소속"
+phone = "전화번호"
+reason = "신청 사유"
+reason_placeholder = "예: 자체 서비스 연동 및 테스트용 OIDC 클라이언트 생성이 필요합니다."
+role = "역할"
+title = "개발자 등록 신청"
+
+[ui.dev.request.status]
+approved = "승인됨"
+cancelled = "승인 취소됨"
+pending = "대기 중"
+rejected = "반려됨"
+
+[ui.dev.request.table]
+actions = "관리"
+date = "신청일"
+org = "소속"
+reason = "신청 사유"
+status = "상태"
+user = "사용자"
+
[ui.dev.audit.registry]
title = "Audit registry"
@@ -1425,6 +1490,12 @@ title = "애플리케이션 정보"
label = "리디렉션 URI"
placeholder = "https://app.example.com/callback, http://localhost:3000/auth/callback (콤마로 구분)"
+[ui.dev.clients.general.backchannel_logout]
+uri = "Back-Channel Logout URI"
+uri_placeholder = "https://rp.example.com/oidc/backchannel-logout"
+session_required = "SID Claim Required"
+session_required_info = "SID Claim Required 설명 보기"
+
[ui.dev.clients.general.scopes]
add = "스코프 추가"
description_placeholder = "권한에 대한 설명"
@@ -1451,6 +1522,22 @@ hint = "제한을 켜면 tenant 스코프가 자동으로 포함되며, 허용
autocomplete_hint = "테넌트 이름을 입력하면 자동 완성 후보가 나타납니다. 클릭하면 허용 목록에 추가됩니다."
validation_required = "테넌트 접근 제한을 사용할 경우 허용 테넌트를 하나 이상 선택해야 합니다."
+[ui.dev.clients.general.id_token_claims]
+title = "커스텀 클레임"
+add = "Claim 추가"
+preview_title = "저장 JSON 미리보기"
+namespace_label = "Claim 네임스페이스"
+namespace_top_level = "top-level"
+namespace_rp_claims = "rp_claims"
+value_type_label = "Claim 값 타입"
+value_type_text = "텍스트"
+value_type_number = "숫자"
+value_type_boolean = "불리언"
+value_type_array = "배열"
+value_type_object = "객체"
+key_placeholder = "예: locale"
+value_placeholder = "Claim 값을 입력하세요"
+
[ui.dev.clients.general.security]
private = "Server side App"
pkce = "PKCE"
@@ -1504,6 +1591,7 @@ user_search_placeholder = "이름 또는 이메일 검색..."
[ui.dev.clients.relationships.option.admins]
label = "RP 관리자"
description = "RP 운영 전반을 관리할 수 있는 관리자 관계입니다."
+permits_info = "RP 설정 수정, 시크릿 조회/재발급, JWKS 관리, 동의 조회/회수, 관계 조회/수정 등 모든 운영 권한을 가집니다."
[ui.dev.clients.relationships.option.creator]
label = "RP 생성자"
@@ -1512,38 +1600,47 @@ description = "이 RP를 생성한 운영 주체를 표시합니다."
[ui.dev.clients.relationships.option.config_editor]
label = "RP 일반 설정"
description = "이름, Redirect URI, 메타데이터 같은 일반 설정을 수정합니다."
+permits_info = "RP 이름, Redirect URIs, 로그아웃 URI, 메타데이터 등 일반 설정을 수정할 수 있습니다."
[ui.dev.clients.relationships.option.secret_viewer]
label = "시크릿 조회"
description = "이 RP의 Client secret을 조회합니다."
+permits_info = "RP의 Client Secret 값을 평문으로 확인할 수 있습니다."
[ui.dev.clients.relationships.option.secret_rotator]
label = "시크릿 재발급"
description = "Client secret 재발급과 회전을 수행합니다."
+permits_info = "새로운 Client Secret을 발급하거나 기존 시크릿을 만료시키고 회전시킬 수 있습니다."
[ui.dev.clients.relationships.option.jwks_viewer]
label = "JWKS 조회"
description = "JWKS 상태, 캐시 정보, 키 요약을 조회합니다."
+permits_info = "RP의 공개키 설정(JWKS) 상태와 캐시된 키 정보를 조회할 수 있습니다."
[ui.dev.clients.relationships.option.jwks_operator]
label = "JWKS 운영"
description = "JWKS refresh, revoke 같은 운영 작업을 수행합니다."
+permits_info = "JWKS 캐시를 강제로 갱신하거나 등록된 키를 회수하는 등 키 관리를 수행할 수 있습니다."
[ui.dev.clients.relationships.option.consent_viewer]
label = "동의 조회"
description = "이 RP의 consent 내역을 조회합니다."
+permits_info = "사용자가 이 RP에 부여한 개인정보 제공 동의 내역을 조회할 수 있습니다."
[ui.dev.clients.relationships.option.consent_revoker]
label = "동의 회수"
description = "이 RP의 consent를 회수합니다."
+permits_info = "사용자의 동의 내역을 강제로 취소하거나 회수할 수 있습니다."
[ui.dev.clients.relationships.option.relationship_viewer]
label = "관계 조회"
description = "이 RP에 부여된 direct relation을 조회합니다."
+permits_info = "이 RP에 어떤 사용자가 어떤 관리 권한을 가지고 있는지 목록을 조회할 수 있습니다."
[ui.dev.clients.relationships.option.audit_viewer]
label = "감사 로그 조회"
description = "이 RP의 DevFront 감사 로그를 조회합니다."
+permits_info = "이 RP에서 발생한 모든 설정 변경 및 운영 작업에 대한 감사 로그를 조회할 수 있습니다."
[ui.dev.clients.relationships.option.status_operator]
label = "상태 변경"
diff --git a/devfront/src/locales/template.toml b/devfront/src/locales/template.toml
index 3ce81004..f53a4586 100644
--- a/devfront/src/locales/template.toml
+++ b/devfront/src/locales/template.toml
@@ -191,11 +191,17 @@ delete_confirm = ""
delete_success = ""
empty = ""
fetch_error = ""
+import_empty = ""
+import_error = ""
+import_result = ""
missing_id = ""
not_found = ""
remove_sub_confirm = ""
subtitle = ""
+[msg.admin.tenants.import_preview]
+description = ""
+
[msg.admin.tenants.admins]
add_success = ""
empty = ""
@@ -255,9 +261,13 @@ parsed_count = ""
update_success = ""
[msg.admin.users.create]
+appointment_required = ""
error = ""
+external_tenant_required = ""
password_required = ""
+personal_tenant_failed = ""
success = ""
+tenant_resolve_failed = ""
[msg.admin.users.create.account]
subtitle = ""
@@ -269,6 +279,7 @@ field_required = ""
name_required = ""
password_auto_help = ""
password_manual_help = ""
+picker_description = ""
role_help = ""
[msg.admin.users.create.password_generated]
@@ -291,7 +302,9 @@ password_hint = ""
[msg.admin.users.list]
delete_confirm = ""
empty = ""
+export_error = ""
fetch_error = ""
+status_error = ""
subtitle = ""
[msg.admin.users.list.columns]
@@ -337,14 +350,6 @@ user_desc = ""
[msg.dev.request.modal]
desc = ""
-email = ""
-name = ""
-org = ""
-phone = ""
-reason = ""
-reason_placeholder = ""
-role = ""
-title = ""
[msg.dev.request.status]
approved = ""
@@ -408,6 +413,7 @@ create_forbidden = ""
save_error = ""
save_forbidden = ""
secret_rotated = ""
+secret_not_applicable = ""
secret_unavailable = ""
subtitle = ""
@@ -421,11 +427,22 @@ note = ""
[msg.dev.clients.general]
load_error = ""
loading = ""
+read_only_forbidden = ""
+read_only_hint = ""
saved = ""
save_error = ""
save_forbidden = ""
status_changed = ""
+[msg.dev.clients.general.id_token_claims]
+subtitle = ""
+empty = ""
+hint = ""
+preview_hint = ""
+key_required = ""
+reserved_key = ""
+duplicate_key = ""
+
[msg.dev.clients.relationships]
subtitle = ""
add_description = ""
@@ -462,6 +479,13 @@ subtitle = ""
[msg.dev.clients.general.redirect]
help = ""
+[msg.dev.clients.general.backchannel_logout]
+uri_help = ""
+invalid = ""
+session_required_help = ""
+session_required_on = ""
+session_required_off = ""
+
[msg.dev.clients.general.scopes]
empty = ""
subtitle = ""
@@ -987,6 +1011,9 @@ user = ""
[ui.admin.tenants]
add = ""
+csv_template = ""
+export = ""
+import = ""
title = ""
[ui.admin.tenants.admins]
@@ -1116,6 +1143,15 @@ search_placeholder = ""
title = ""
tree_search_placeholder = ""
+[ui.admin.tenants.import_preview]
+candidates = ""
+confirm = ""
+create_new = ""
+fixed_id = ""
+match = ""
+no_candidates = ""
+title = ""
+
[ui.admin.tenants.sub.table]
action = ""
name = ""
@@ -1124,6 +1160,7 @@ status = ""
[ui.admin.tenants.table]
actions = ""
+id = ""
members = ""
name = ""
slug = ""
@@ -1223,6 +1260,7 @@ empty = ""
fetch_error = ""
search_placeholder = ""
subtitle = ""
+toggle_status = ""
title = ""
[ui.admin.users.list.breadcrumb]
@@ -1508,6 +1546,12 @@ title = ""
label = ""
placeholder = ""
+[ui.dev.clients.general.backchannel_logout]
+uri = ""
+uri_placeholder = ""
+session_required = ""
+session_required_info = ""
+
[ui.dev.clients.general.scopes]
add = ""
description_placeholder = ""
@@ -1534,6 +1578,22 @@ hint = ""
autocomplete_hint = ""
validation_required = ""
+[ui.dev.clients.general.id_token_claims]
+title = ""
+add = ""
+preview_title = ""
+namespace_label = ""
+namespace_top_level = ""
+namespace_rp_claims = ""
+value_type_label = ""
+value_type_text = ""
+value_type_number = ""
+value_type_boolean = ""
+value_type_array = ""
+value_type_object = ""
+key_placeholder = ""
+value_placeholder = ""
+
[ui.dev.clients.general.security]
private = ""
pkce = ""
@@ -1586,50 +1646,62 @@ user_search_placeholder = ""
[ui.dev.clients.relationships.option.admins]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.creator]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.config_editor]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.secret_viewer]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.secret_rotator]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.jwks_viewer]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.jwks_operator]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.consent_viewer]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.consent_revoker]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.relationship_viewer]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.audit_viewer]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.relationships.option.status_operator]
label = ""
description = ""
+permits_info = ""
[ui.dev.clients.help]
docs_body = ""
diff --git a/devfront/tests/devfront-clients-lifecycle.spec.ts b/devfront/tests/devfront-clients-lifecycle.spec.ts
index 3d6b5224..b2d0a296 100644
--- a/devfront/tests/devfront-clients-lifecycle.spec.ts
+++ b/devfront/tests/devfront-clients-lifecycle.spec.ts
@@ -129,6 +129,159 @@ test.describe("DevFront clients lifecycle", () => {
).toHaveValue(/https:\/\/after\.example\.com\/callback/);
});
+ test("id token claims should be persisted and restored", async ({ page }) => {
+ const state = {
+ clients: [
+ makeClient("client-claims", {
+ name: "Claims app",
+ metadata: {},
+ }),
+ ],
+ consents: [] as Consent[],
+ auditLogsByCursor: undefined,
+ };
+ await installDevApiMock(page, state);
+
+ await page.goto("/clients/client-claims/settings");
+ await page.getByRole("button", { name: /Claim 추가|Add Claim/i }).click();
+ await page.getByPlaceholder(/e\.g\. locale|예: locale/i).fill("locale");
+ await page
+ .getByLabel(/Claim namespace|Claim 네임스페이스/i)
+ .first()
+ .selectOption("top_level");
+ await page
+ .getByLabel(/Claim value type|Claim 값 타입/i)
+ .first()
+ .selectOption("text");
+ await page
+ .getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
+ .first()
+ .fill("ko-KR");
+
+ await page.getByRole("button", { name: /Claim 추가|Add Claim/i }).click();
+ await page
+ .getByPlaceholder(/e\.g\. locale|예: locale/i)
+ .nth(1)
+ .fill("tier");
+ await page
+ .getByLabel(/Claim namespace|Claim 네임스페이스/i)
+ .nth(1)
+ .selectOption("rp_claims");
+ await page
+ .getByLabel(/Claim value type|Claim 값 타입/i)
+ .nth(1)
+ .selectOption("number");
+ await page
+ .getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
+ .nth(1)
+ .fill("2");
+
+ await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
+
+ await expect
+ .poll(() => state.clients[0]?.metadata?.id_token_claims)
+ .toBeDefined();
+ await expect
+ .poll(
+ () =>
+ (
+ state.clients[0]?.metadata?.id_token_claims as
+ | Array<{
+ namespace?: string;
+ key?: string;
+ value?: string;
+ valueType?: string;
+ }>
+ | undefined
+ )?.length,
+ )
+ .toBe(2);
+ await expect
+ .poll(
+ () =>
+ (
+ state.clients[0]?.metadata?.id_token_claims as
+ | Array<{
+ namespace?: string;
+ key?: string;
+ value?: string;
+ valueType?: string;
+ }>
+ | undefined
+ )?.[0]?.namespace,
+ )
+ .toBe("top_level");
+ await expect
+ .poll(
+ () =>
+ (
+ state.clients[0]?.metadata?.id_token_claims as
+ | Array<{
+ namespace?: string;
+ key?: string;
+ value?: string;
+ valueType?: string;
+ }>
+ | undefined
+ )?.[0]?.key,
+ )
+ .toBe("locale");
+ await expect
+ .poll(
+ () =>
+ (
+ state.clients[0]?.metadata?.id_token_claims as
+ | Array<{
+ namespace?: string;
+ key?: string;
+ value?: string;
+ valueType?: string;
+ }>
+ | undefined
+ )?.[1]?.namespace,
+ )
+ .toBe("rp_claims");
+ await expect
+ .poll(
+ () =>
+ (
+ state.clients[0]?.metadata?.id_token_claims as
+ | Array<{
+ namespace?: string;
+ key?: string;
+ value?: string;
+ valueType?: string;
+ }>
+ | undefined
+ )?.[1]?.key,
+ )
+ .toBe("tier");
+
+ await page.reload();
+ await expect(
+ page.getByPlaceholder(/e\.g\. locale|예: locale/i),
+ ).toHaveCount(2);
+ await expect(
+ page.getByPlaceholder(/e\.g\. locale|예: locale/i).first(),
+ ).toHaveValue("locale");
+ await expect(
+ page.getByPlaceholder(/e\.g\. locale|예: locale/i).nth(1),
+ ).toHaveValue("tier");
+ await expect(
+ page.getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i),
+ ).toHaveCount(2);
+ await expect(
+ page
+ .getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
+ .first(),
+ ).toHaveValue("ko-KR");
+ await expect(
+ page
+ .getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
+ .nth(1),
+ ).toHaveValue("2");
+ });
+
test("pkce headless login uses jwks uri only and shows cache actions", async ({
page,
}) => {
diff --git a/devfront/tests/devfront-developer-request.spec.ts b/devfront/tests/devfront-developer-request.spec.ts
index 79f983fa..25543350 100644
--- a/devfront/tests/devfront-developer-request.spec.ts
+++ b/devfront/tests/devfront-developer-request.spec.ts
@@ -147,7 +147,9 @@ test.describe("DevFront developer request and management", () => {
await nameInput.fill("E2E Test RP");
await nameInput.press("Tab");
- const uriInput = page.locator("textarea.font-mono");
+ const uriInput = page.getByRole("textbox", {
+ name: /Redirect URIs|인증 콜백 URL|Callback/i,
+ });
await uriInput.fill("https://example.com/callback");
await uriInput.press("Tab");
diff --git a/devfront/tests/helpers/devfront-fixtures.ts b/devfront/tests/helpers/devfront-fixtures.ts
index 3f6ff964..3e1b0df5 100644
--- a/devfront/tests/helpers/devfront-fixtures.ts
+++ b/devfront/tests/helpers/devfront-fixtures.ts
@@ -221,6 +221,39 @@ function parseClientId(pathname: string): string {
}
export async function installDevApiMock(page: Page, state: DevApiMockState) {
+ const readMockRole = async () =>
+ (
+ (await page.evaluate(() => window.localStorage.getItem("dev_role"))) ??
+ "rp_admin"
+ ).trim();
+
+ const buildSelfConfigEditorRelation = (): ClientRelation => ({
+ relation: "config_editor",
+ subject: "User:playwright-user",
+ subjectType: "User",
+ subjectId: "playwright-user",
+ userName: "Playwright User",
+ userEmail: "playwright@example.com",
+ userLoginId: "playwright@example.com",
+ });
+
+ const shouldGrantDefaultEditRelation = (role: string) =>
+ role === "rp_admin" || role === "tenant_admin" || role === "super_admin";
+
+ const resolveClientRelations = async (clientId: string) => {
+ const explicitRelations = state.relations?.[clientId];
+ if (explicitRelations) {
+ return explicitRelations;
+ }
+
+ const role = await readMockRole();
+ if (!shouldGrantDefaultEditRelation(role)) {
+ return [];
+ }
+
+ return [buildSelfConfigEditorRelation()];
+ };
+
const appendAuditLog = (
eventType: string,
action: string,
@@ -431,6 +464,10 @@ export async function installDevApiMock(page: Page, state: DevApiMockState) {
});
state.clients.push(created);
+ if (!state.relations) {
+ state.relations = {};
+ }
+ state.relations[created.id] = [buildSelfConfigEditorRelation()];
appendAuditLog("CLIENT_CREATE", "CREATE_CLIENT", created.id);
return json(route, {
client: created,
@@ -451,7 +488,7 @@ export async function installDevApiMock(page: Page, state: DevApiMockState) {
) {
const clientId = pathname.split("/")[5] ?? "";
return json(route, {
- items: state.relations?.[clientId] ?? [],
+ items: await resolveClientRelations(clientId),
});
}
diff --git a/docker/ory/oathkeeper/rules.active.json b/docker/ory/oathkeeper/rules.active.json
index fd6bfb2d..4a0735da 100755
--- a/docker/ory/oathkeeper/rules.active.json
+++ b/docker/ory/oathkeeper/rules.active.json
@@ -156,4 +156,4 @@
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
}
-]
+]
\ No newline at end of file
diff --git a/locales/en.toml b/locales/en.toml
index f60f9a3f..f7129211 100644
--- a/locales/en.toml
+++ b/locales/en.toml
@@ -1095,6 +1095,7 @@ delete_selected = "Delete Selected"
export_with_ids = "Include UUIDs"
export_without_ids = "Export without UUIDs"
import = "Import"
+seed_badge = "Seed"
title = "Tenant Registry"
view_org_chart = "View Full Org Chart"
@@ -1188,6 +1189,7 @@ import_partial_success = "Imported some organization data successfully."
[msg.admin.tenants]
delete_bulk_confirm = "Delete {{count}} selected tenants?"
+seed_delete_blocked = "Seed tenants cannot be deleted."
[msg.admin.users]
self_delete_blocked = "You cannot delete your own account."
@@ -1204,6 +1206,15 @@ title = "Tenant Members ({{count}})"
total = "Total"
total_label = "Total"
+[ui.admin.tenants.import_preview]
+candidates = "Candidates"
+confirm = "Confirm Import"
+create_new = "Create New"
+fixed_id = "Fixed ID"
+match = "Matched Tenant"
+no_candidates = "No matching tenants found."
+title = "Import Preview"
+
[ui.admin.tenants.members.table]
email = "EMAIL"
name = "NAME"
@@ -1339,6 +1350,7 @@ name = "Name"
name_placeholder = "Name Placeholder"
password = "Password"
password_placeholder = "********"
+picker_description = "Search and select a tenant."
phone = "Phone number"
phone_placeholder = "010-1234-5678"
position = "Position"
diff --git a/locales/ko.toml b/locales/ko.toml
index 9795d21f..9ca45c99 100644
--- a/locales/ko.toml
+++ b/locales/ko.toml
@@ -672,11 +672,17 @@ delete_confirm = "테넌트 \\\\\\\"{{name}}\\\\\\\"를 삭제할까요?"
delete_success = "테넌트가 삭제되었습니다."
empty = "아직 등록된 테넌트가 없습니다."
fetch_error = "테넌트 목록 조회에 실패했습니다."
+import_empty = "임포트 파일에 테넌트 행이 없습니다."
+import_error = "테넌트 임포트에 실패했습니다: {{error}}"
+import_result = "{{count}}개의 테넌트 행을 처리했습니다."
missing_id = "테넌트 ID가 없습니다."
not_found = "테넌트를 찾을 수 없습니다."
remove_sub_confirm = "테넌트 \\\\\\\"{{name}}\\\\\\\"을(를) 하위 조직에서 제외할까요?"
subtitle = "현재 등록된 테넌트를 확인하고 상태를 관리합니다."
+[msg.admin.tenants.import_preview]
+description = "임포트 전에 각 행의 매칭 결과를 검토하고 처리 방식을 선택하세요."
+
[msg.admin.tenants.admins]
add_success = "관리자가 추가되었습니다."
empty = "등록된 관리자가 없습니다."
@@ -1564,6 +1570,7 @@ user = "TENANT MEMBER"
[ui.admin.tenants]
add = "테넌트 추가"
delete_selected = "선택 삭제"
+seed_badge = "초기 설정"
title = "테넌트 목록"
view_org_chart = "전체 조직도 보기"
@@ -1642,9 +1649,12 @@ import_partial_success = "일부 조직 정보를 가져왔습니다."
[msg.admin.tenants]
delete_bulk_confirm = "선택한 {{count}}개 테넌트를 삭제할까요?"
+seed_delete_blocked = "초기 설정 테넌트는 삭제할 수 없습니다."
[msg.admin.users]
self_delete_blocked = "자신의 계정은 삭제할 수 없습니다."
+export_error = "사용자 내보내기에 실패했습니다: {{error}}"
+status_error = "사용자 상태 변경에 실패했습니다: {{error}}"
[ui.admin.apikeys.registry]
title = "API Key Registry"
@@ -1658,6 +1668,15 @@ title = "테넌트 구성원 ({{count}})"
total = "전체"
total_label = "전체"
+[ui.admin.tenants.import_preview]
+candidates = "후보"
+confirm = "임포트 확정"
+create_new = "새로 생성"
+fixed_id = "고정 ID"
+match = "매칭된 테넌트"
+no_candidates = "매칭 가능한 테넌트가 없습니다."
+title = "임포트 미리보기"
+
[ui.admin.tenants.members.table]
email = "EMAIL"
name = "NAME"
@@ -1793,6 +1812,7 @@ name = "이름"
name_placeholder = "홍길동"
password = "비밀번호"
password_placeholder = "********"
+picker_description = "배정할 테넌트를 검색해서 선택하세요."
phone = "전화번호"
phone_placeholder = "010-1234-5678"
position = "직급"
diff --git a/locales/template.toml b/locales/template.toml
index 7a3bbb00..c3a94fdb 100644
--- a/locales/template.toml
+++ b/locales/template.toml
@@ -1439,6 +1439,7 @@ user = ""
[ui.admin.tenants]
add = ""
delete_selected = ""
+seed_badge = ""
title = ""
view_org_chart = ""
@@ -1517,9 +1518,18 @@ import_partial_success = ""
[msg.admin.tenants]
delete_bulk_confirm = ""
+import_empty = ""
+import_error = ""
+import_result = ""
+seed_delete_blocked = ""
+
+[msg.admin.tenants.import_preview]
+description = ""
[msg.admin.users]
self_delete_blocked = ""
+export_error = ""
+status_error = ""
[ui.admin.apikeys.registry]
title = ""
@@ -1604,6 +1614,15 @@ search_placeholder = ""
title = ""
tree_search_placeholder = ""
+[ui.admin.tenants.import_preview]
+candidates = ""
+confirm = ""
+create_new = ""
+fixed_id = ""
+match = ""
+no_candidates = ""
+title = ""
+
[ui.admin.tenants.sub.table]
action = ""
name = ""
@@ -1668,6 +1687,7 @@ name = ""
name_placeholder = ""
password = ""
password_placeholder = ""
+picker_description = ""
phone = ""
phone_placeholder = ""
position = ""
diff --git a/scripts/run_adminfront_ci_tests.sh b/scripts/run_adminfront_ci_tests.sh
index 2237686d..3b6549e3 100755
--- a/scripts/run_adminfront_ci_tests.sh
+++ b/scripts/run_adminfront_ci_tests.sh
@@ -6,8 +6,40 @@ job_name="${1:-adminfront-tests}"
mkdir -p reports
rm -rf adminfront/node_modules
-playwright_install_cmd=(npx playwright install --with-deps)
-playwright_install_desc="npx playwright install --with-deps"
+is_port_available() {
+ local port="$1"
+ node -e '
+ const net = require("net");
+ const port = Number(process.argv[1]);
+ const server = net.createServer();
+ server.once("error", () => process.exit(1));
+ server.once("listening", () => server.close(() => process.exit(0)));
+ server.listen(port, "127.0.0.1");
+ ' "$port"
+}
+
+find_available_port() {
+ node -e '
+ const net = require("net");
+ const server = net.createServer();
+ server.listen(0, "127.0.0.1", () => {
+ const address = server.address();
+ process.stdout.write(String(address.port));
+ server.close();
+ });
+ '
+}
+
+playwright_install_cmd=(npx playwright install)
+playwright_install_desc="npx playwright install"
+
+if [ "$(id -u)" -eq 0 ]; then
+ playwright_install_cmd=(npx playwright install --with-deps)
+ playwright_install_desc="npx playwright install --with-deps"
+elif command -v sudo >/dev/null 2>&1 && sudo -n true >/dev/null 2>&1; then
+ playwright_install_cmd=(npx playwright install --with-deps)
+ playwright_install_desc="npx playwright install --with-deps"
+fi
set +e
(
@@ -67,6 +99,11 @@ fi
set +e
port="${PORT:-5180}"
+if ! is_port_available "$port"; then
+ fallback_port="$(find_available_port)"
+ echo "==> requested PORT=$port is already in use; switching to PORT=$fallback_port"
+ port="$fallback_port"
+fi
echo "==> adminfront using PORT=$port"
(
cd adminfront