Merge pull request #94 from adorsys/93-refactor-keycloak-ssi-project-…

…for-dedicated-realm-support-and-secret-management Refactor Keycloak SSI project for dedicated realm support
adorsys · Nov 4, 2024 · 60ef1fa · 60ef1fa
2 parents 2870480 + 35ceacd
commit 60ef1fa
Show file tree

Hide file tree

Showing 12 changed files with 2,706 additions and 2,617 deletions.
diff --git a/.env b/.env
@@ -15,6 +15,10 @@ KC_OID4VCI="keycloak_${KC_TARGET_BRANCH}"
 KEYCLOAK_ADMIN=admin
 KEYCLOAK_ADMIN_PASSWORD=admin
 
+# Keycloak Realms
+# KEYCLOAK_REALM=master
+KEYCLOAK_REALM=oid4vc-vci
+
 # Keystore configuration
 ###
 # If a keystore with the same base name as `KEYCLOAK_KEYSTORE_FILE` 
@@ -58,7 +62,8 @@ KEYCLOAK_ADMIN_ADDR=https://localhost:8443
 KEYCLOAK_EXTERNAL_ADDR=https://keycloak-demo.solutions.adorsys.com
 # KEYCLOAK_EXTERNAL_ADDR=https://localhost:8443
 
-ISSUER_DID="${KEYCLOAK_EXTERNAL_ADDR}/realms/master"
+# ISSUER_DID="${KEYCLOAK_EXTERNAL_ADDR}/realms/master"
+ISSUER_DID="${KEYCLOAK_EXTERNAL_ADDR}/realms/oid4vc-vci"
 
 FRANCIS_KEYSTORE_FILE=$TARGET_DIR/francis_kc_keystore.pkcs12
 FRANCIS_KEYSTORE_PASSWORD=francis_store_key_password
@@ -74,14 +79,17 @@ KC_TRUST_STORE_PASS=francis
 # Start Keycloak with a persistent database
 ###
 # A PostgreSQL database container will be launched with the following config
-KC_DB_EXPOSED_PORT=5442
+KC_DB_EXPOSED_PORT=5432
 KC_DB_NAME=keycloak
 KC_DB_USERNAME=postgres
 KC_DB_PASSWORD=postgres
 ###
 # Manually set KC_DB_OPTS if you want to connect to an existing database instead
 # It takes precedence over all of the KC_DB_* variables above.
 # See https://www.keycloak.org/server/db for available options.
+# For local development
+# KC_DB_OPTS="--db postgres --db-url jdbc:postgresql://localhost:5432/keycloak --db-username postgres --db-password postgres"
+# For production (commented out for safety)
 KC_DB_OPTS="--db postgres --db-url jdbc:postgresql://kc-ssi-instance-1.clh0lvey1bcg.eu-north-1.rds.amazonaws.com:5432/kc_ssi_db --db-username kc_ssi_user --db-password adorsys2+24"
 
 # Keycloak start command
@@ -92,12 +100,12 @@ KC_START="start --hostname-strict=false --https-port=$KEYCLOAK_HTTPS_PORT --http
 
 # Keycloak config CLI
 REPO_URL="https://github.com/adorsys/keycloak-config-cli.git"
-KC_CLI_DIR=$WORK_DIR/config
+KC_CLI_DIR=$WORK_DIR
 KC_CLI_JAR_FILE=keycloak-config-cli.jar
-KEYCLOAK_URL=https://kc-ssi.solutions.adorsys.com/
+# KEYCLOAK_URL=https://kc-ssi.solutions.adorsys.com/
 # Use this url when running locally
-# KEYCLOAK_URL=https://localhost:8443
-KC_REALM_FILE=$KC_CLI_DIR/realm.json
+KEYCLOAK_URL=https://localhost:8443
+KC_REALM_FILE=$KC_CLI_DIR/config/realm.json
 KC_CLI_PROJECT_DIR=$KC_CLI_DIR/keycloak-config-cli
 KC_KEYSTORE_PATH=/opt/keycloak/target/kc_keystore.pkcs12
 # Running locally(without the image) use this path for Keystore file

diff --git a/1.oid4vci_test_deployment.sh b/1.oid4vci_test_deployment.sh
@@ -32,18 +32,21 @@ echo "Obtaining admin token..."
 $KC_INSTALL_DIR/bin/kcadm.sh config truststore --trustpass $KC_TRUST_STORE_PASS $KC_TRUST_STORE
 $KC_INSTALL_DIR/bin/kcadm.sh config credentials --server $KEYCLOAK_ADMIN_ADDR --realm master --user $KEYCLOAK_ADMIN --password $KEYCLOAK_ADMIN_PASSWORD
 
+# Create new realm
+$KC_INSTALL_DIR/bin/kcadm.sh create realms -s realm=$KEYCLOAK_REALM -s enabled=true
+
 # Collect the 4 active keys to be disabled.
-RSA_OAEP_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(RSA-OAEP)' | jq -r '.active."RSA-OAEP"')
-RSA_OAEP_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
-echo "Generated RSA-OAEP key will be disbled... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
+RSA_OAEP_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM --fields 'active(RSA-OAEP)' | jq -r '.active."RSA-OAEP"')
+RSA_OAEP_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+echo "Generated RSA-OAEP key will be disabled... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
 
 # HS512_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(HS512)' | jq -r '.active.HS512')
 # HS512_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
 # echo "Generated HS512 key will be disbled... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
 
-RS256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(RS256)' | jq -r '.active.RS256')
-RS256_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
-echo "Generated RS256 key will be disbled... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
+RS256_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM --fields 'active(RS256)' | jq -r '.active.RS256')
+RS256_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
+echo "Generated RS256 key will be disabled... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
 
 # AES_KID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys --fields 'active(AES)' | jq -r '.active.AES')
 # AES_PROV_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$AES_KID" '.keys[] | select(.kid == $kid)' | jq -r '.providerId')
@@ -131,31 +134,31 @@ RSA_ENC_KEY_PROVIDER=$(cat $WORK_DIR/encryption_key_rsa.json | \
 
 # Register the EC-key with Keycloak
 echo "Registering issuer key ecdsa..."
-echo "$ECDSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'ECDSA Issuer Key registration failed' ; exit 1; }
+echo "$ECDSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'ECDSA Issuer Key registration failed' ; exit 1; }
 
 echo "Registering issuer key rsa..."
-echo "$RSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'RSA Issuer Key registration failed' ; exit 1; }
+echo "$RSA_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'RSA Issuer Key registration failed' ; exit 1; }
 
 echo "Registering encryption key rsa..."
-echo "$RSA_ENC_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'RSA Encryption Key registration failed' ; exit 1; }
+echo "$RSA_ENC_KEY_PROVIDER" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'RSA Encryption Key registration failed' ; exit 1; }
 
 # echo "Registering signature key hmac..."
-# $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/signature_key_hmac-tmp.json || { echo 'Hmac Signature Key registration failed' ; exit 1; }
+# $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - < $TARGET_DIR/signature_key_hmac-tmp.json || { echo 'Hmac Signature Key registration failed' ; exit 1; }
 # echo "Registering issuer key ecdsa..."
-# $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - < $TARGET_DIR/encryption_key_aes-tmp.json || { echo 'AES Encryption Key registration failed' ; exit 1; }
+# $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - < $TARGET_DIR/encryption_key_aes-tmp.json || { echo 'AES Encryption Key registration failed' ; exit 1; }
 
 # Disable generated keys
 echo "Deactivating generated RSA-OAEP... KID=$RSA_OAEP_KID PROV_ID=$RSA_OAEP_PROV_ID"
-$KC_INSTALL_DIR/bin/kcadm.sh update components/$RSA_OAEP_PROV_ID -s 'config.active=["false"]' || { echo 'Updating RSA_OAEP provider failed' ; exit 1; }
-$KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)'
+$KC_INSTALL_DIR/bin/kcadm.sh update components/$RSA_OAEP_PROV_ID -r $KEYCLOAK_REALM -s 'config.active=["false"]' || { echo 'Updating RSA_OAEP provider failed' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RSA_OAEP_KID" '.keys[] | select(.kid == $kid)'
 
 # echo "Deactivating generated HS512 key... KID=$HS512_KID PROV_ID=$HS512_PROV_ID"
 # $KC_INSTALL_DIR/bin/kcadm.sh update components/$HS512_PROV_ID -s 'config.active=["false"]' || { echo 'Updating HS512 provider failed' ; exit 1; }
 # $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$HS512_KID" '.keys[] | select(.kid == $kid)'
 
 echo "Deactivating generated RS256 key... KID=$RS256_KID PROV_ID=$RS256_PROV_ID"
-$KC_INSTALL_DIR/bin/kcadm.sh update components/$RS256_PROV_ID -s 'config.active=["false"]' || { echo 'Updating RS256 provider failed' ; exit 1; }
-$KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)'
+$KC_INSTALL_DIR/bin/kcadm.sh update components/$RS256_PROV_ID -r $KEYCLOAK_REALM -s 'config.active=["false"]' || { echo 'Updating RS256 provider failed' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh get keys -r $KEYCLOAK_REALM | jq --arg kid "$RS256_KID" '.keys[] | select(.kid == $kid)'
 
 # echo "Deactivating generated AES key will... KID=$AES_KID PROV_ID=$AES_PROV_ID"
 # $KC_INSTALL_DIR/bin/kcadm.sh update components/$AES_PROV_ID -s 'config.active=["false"]' || { echo 'Updating AES provider failed' ; exit 1; }
@@ -164,38 +167,38 @@ $KC_INSTALL_DIR/bin/kcadm.sh get keys | jq --arg kid "$RS256_KID" '.keys[] | sel
 # Create the signing service component for SteuerberaterCredential
 echo "Creating signing service component for SteuerberaterCredential..."
 SIGNING_SERVICE_TEST_CRED=$(cat $WORK_DIR/signing_service-SteuerberaterCredential.json)
-echo "$SIGNING_SERVICE_TEST_CRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'Could not create signing service component for SteuerberaterCredential' ; exit 1; }
+echo "$SIGNING_SERVICE_TEST_CRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'Could not create signing service component for SteuerberaterCredential' ; exit 1; }
 
 echo "Creating signing service component for IdentityCredential..."
 SIGNING_SERVICE_IDENTITYCRED=$(cat $WORK_DIR/signing_service-IdentityCredential.json)
-echo "$SIGNING_SERVICE_IDENTITYCRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r master -o -f - || { echo 'Could not create signing service component for IdentityCredential' ; exit 1; }
+echo "$SIGNING_SERVICE_IDENTITYCRED" | $KC_INSTALL_DIR/bin/kcadm.sh create components -r $KEYCLOAK_REALM -o -f - || { echo 'Could not create signing service component for IdentityCredential' ; exit 1; }
 
 # Create client for oid4vci
 echo "Creating OID4VCI client..."
 OID4VCI_CLIENT=$(cat $WORK_DIR/client-oid4vc.json)
-echo "$OID4VCI_CLIENT" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -o -f - || { echo 'OID4VCIClient creation failed' ; exit 1; }
+echo "$OID4VCI_CLIENT" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -r $KEYCLOAK_REALM -o -f - || { echo 'OID4VCIClient creation failed' ; exit 1; }
 
 # Passing openid4vc-rest-api.json to jq to fill it with the secret before exporting config to keycloak
 CONFIG=$(cat $WORK_DIR/openid4vc-rest-api.json | jq --arg CLIENT_SECRET "$CLIENT_SECRET" '.secret = $CLIENT_SECRET')
 
 # Create client for openid4vc-rest-api
 echo "Creating OPENID4VC-REST-API client..."
-echo "$CONFIG" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -o -f - || { echo 'OPENID4VC-REST-API client creation failed' ; exit 1; }
+echo "$CONFIG" | $KC_INSTALL_DIR/bin/kcadm.sh create clients -r $KEYCLOAK_REALM -o -f - || { echo 'OPENID4VC-REST-API client creation failed' ; exit 1; }
 
 # Clear the CONFIG variable
 unset CONFIG
 
 # Add realm attribute issuerDid
 echo "Updating realm attributes for issuerDid..."
-$KC_INSTALL_DIR/bin/kcadm.sh update realms/master -s attributes.issuerDid=$ISSUER_DID || { echo 'Could not set issuer did' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh update realms/$KEYCLOAK_REALM -s attributes.issuerDid=$ISSUER_DID || { echo 'Could not set issuer did' ; exit 1; }
 
 # Increase lifespan of preauth code
 echo "Updating realm attributes for preAuthorizedCodeLifespanS..."
-$KC_INSTALL_DIR/bin/kcadm.sh update realms/master -s attributes.preAuthorizedCodeLifespanS=120  || { echo 'Could not set preAuthorizedCodeLifespanS' ; exit 1; }
+$KC_INSTALL_DIR/bin/kcadm.sh update realms/$KEYCLOAK_REALM -s attributes.preAuthorizedCodeLifespanS=120  || { echo 'Could not set preAuthorizedCodeLifespanS' ; exit 1; }
 
 
 # Check server status and oid4vc-vci feature
-response=$(curl -k -s $KEYCLOAK_ADMIN_ADDR/realms/master/.well-known/openid-credential-issuer)
+response=$(curl -k -s $KEYCLOAK_ADMIN_ADDR/realms/$KEYCLOAK_REALM/.well-known/openid-credential-issuer)
 
 if ! jq -e '."credential_configurations_supported"."SteuerberaterCredential"' <<< "$response" > /dev/null; then
     echo "Server started but error occurred. 'SteuerberaterCredential' not found in OID4VCI configuration."

diff --git a/2.configure_user_4_account_client.sh b/2.configure_user_4_account_client.sh
@@ -10,23 +10,23 @@ $KC_INSTALL_DIR/bin/kcadm.sh config credentials --server $KEYCLOAK_ADMIN_ADDR --
 
 # Read the direct access property of the openid4vc-rest-api client
 echo "Reading direct access property of the openid4vc-rest-api client..."
-$KC_INSTALL_DIR/bin/kcadm.sh get clients -q clientId=openid4vc-rest-api --fields 'id,directAccessGrantsEnabled'
+$KC_INSTALL_DIR/bin/kcadm.sh get clients -r $KEYCLOAK_REALM -q clientId=openid4vc-rest-api --fields 'id,directAccessGrantsEnabled'
 
 # Store property ACC_CLIENT_ID in an environment variable
-export ACC_CLIENT_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get clients -q clientId=openid4vc-rest-api --fields id | jq -r '.[0].id')
+export ACC_CLIENT_ID=$($KC_INSTALL_DIR/bin/kcadm.sh get clients -r $KEYCLOAK_REALM -q clientId=openid4vc-rest-api --fields id | jq -r '.[0].id')
 echo "Stored openid4vc-rest-api Client ID: $ACC_CLIENT_ID"
 
 # Enable direct grant on the openid4vc-rest-api client
 echo "Enabling direct grant on the openid4vc-rest-api client..."
-$KC_INSTALL_DIR/bin/kcadm.sh update clients/$ACC_CLIENT_ID -r master -s directAccessGrantsEnabled=true -o --fields 'id,directAccessGrantsEnabled'
+$KC_INSTALL_DIR/bin/kcadm.sh update clients/$ACC_CLIENT_ID -r $KEYCLOAK_REALM -s directAccessGrantsEnabled=true -o --fields 'id,directAccessGrantsEnabled'
 
 # Create a user named Francis
 echo "Creating user Francis..."
-$KC_INSTALL_DIR/bin/kcadm.sh create users -r master -s username=francis -s firstName=Francis -s lastName=Pouatcha -s [email protected] -s enabled=true
+$KC_INSTALL_DIR/bin/kcadm.sh create users -r $KEYCLOAK_REALM -s username=francis -s firstName=Francis -s lastName=Pouatcha -s [email protected] -s enabled=true
 
 # Set password for Francis
 echo "Setting password for user Francis..."
-$KC_INSTALL_DIR/bin/kcadm.sh set-password -r master --username $USER_FRANCIS_NAME --new-password $USER_FRANCIS_PASSWORD
+$KC_INSTALL_DIR/bin/kcadm.sh set-password -r $KEYCLOAK_REALM --username $USER_FRANCIS_NAME --new-password $USER_FRANCIS_PASSWORD
 
 # Prepare user key proof header if not existent
 if [ ! -f "$TARGET_DIR/user_key_proof_header.json" ]; then

diff --git a/3.retrieve_IdentityCredential.sh b/3.retrieve_IdentityCredential.sh
@@ -4,7 +4,7 @@
 . load_env.sh
 
 # Retrieve the bearer token
-response=$(curl -k -s -o $TARGET_DIR/response.json -w "%{http_code}" -X POST $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/openid-connect/token \
+response=$(curl -k -s -o $TARGET_DIR/response.json -w "%{http_code}" -X POST $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
     -d "client_id=openid4vc-rest-api" \
     -d "client_secret=$CLIENT_SECRET" \
     -d "username=$USER_FRANCIS_NAME" \
@@ -24,7 +24,7 @@ USER_ACCESS_TOKEN=$(jq -r '.access_token' < $TARGET_DIR/response.json )
 echo -e "Bearer Token: $USER_ACCESS_TOKEN \n"
 
 # Retrieve link to the credential offer
-CREDENTIAL_OFFER_LINK=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/oid4vc/credential-offer-uri?credential_configuration_id=IdentityCredential \
+CREDENTIAL_OFFER_LINK=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/oid4vc/credential-offer-uri?credential_configuration_id=IdentityCredential \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $USER_ACCESS_TOKEN" | jq -r '"\(.issuer)\(.nonce)"')
@@ -59,7 +59,7 @@ echo -e "Pre-Authorized Code: $PRE_AUTHORIZED_CODE \n"
 
 # Obtain the credential
 # See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-request
-CREDENTIAL_BEARER_TOKEN=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/openid-connect/token \
+CREDENTIAL_BEARER_TOKEN=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -d 'grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code' \
@@ -93,7 +93,7 @@ REQ_BODY=$(cat $WORK_DIR/credential_request_body.json | jq --arg credential_iden
 echo "REQ_BODY: " $REQ_BODY
 
 # Obtain the credential
-CREDENTIAL=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/oid4vc/credential \
+CREDENTIAL=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/oid4vc/credential \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $CREDENTIAL_ACCESS_TOKEN" \

diff --git a/3.retrieve_SteuerberaterCredential.sh b/3.retrieve_SteuerberaterCredential.sh
@@ -4,7 +4,7 @@
 . load_env.sh
 
 # Retrieve the bearer token
-response=$(curl -k -s -o $TARGET_DIR/response.json -w "%{http_code}" -X POST $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/openid-connect/token \
+response=$(curl -k -s -o $TARGET_DIR/response.json -w "%{http_code}" -X POST $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
     -d "client_id=openid4vc-rest-api" \
     -d "client_secret=$CLIENT_SECRET" \
     -d "username=$USER_FRANCIS_NAME" \
@@ -24,7 +24,7 @@ USER_ACCESS_TOKEN=$(jq -r '.access_token' < $TARGET_DIR/response.json )
 echo -e "Bearer Token: $USER_ACCESS_TOKEN \n"
 
 # Retrieve link to the credential offer
-CREDENTIAL_OFFER_LINK=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/oid4vc/credential-offer-uri?credential_configuration_id=SteuerberaterCredential \
+CREDENTIAL_OFFER_LINK=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/oid4vc/credential-offer-uri?credential_configuration_id=SteuerberaterCredential \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $USER_ACCESS_TOKEN" | jq -r '"\(.issuer)\(.nonce)"')
@@ -59,7 +59,7 @@ echo -e "Pre-Authorized Code: $PRE_AUTHORIZED_CODE \n"
 
 # Obtain the credential
 # See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-request
-CREDENTIAL_BEARER_TOKEN=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/openid-connect/token \
+CREDENTIAL_BEARER_TOKEN=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -d 'grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code' \
@@ -93,7 +93,7 @@ REQ_BODY=$(cat $WORK_DIR/credential_request_body.json | jq --arg credential_iden
 echo "REQ_BODY: " $REQ_BODY
 
 # Obtain the credential
-CREDENTIAL=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/master/protocol/oid4vc/credential \
+CREDENTIAL=$(curl -k -s $KEYCLOAK_EXTERNAL_ADDR/realms/$KEYCLOAK_REALM/protocol/oid4vc/credential \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $CREDENTIAL_ACCESS_TOKEN" \

diff --git a/Dockerfile b/Dockerfile
@@ -7,8 +7,8 @@ WORKDIR /app
 # Install Git, apt-utils and other dependencies
 RUN apt-get update && apt-get install -y git apt-utils
 
-# Copy the Keycloak start-up script and .env file
-COPY . .
+# Copy necessary files for building and starting keycloak
+COPY generate-kc-certs.sh .env build-kc-oid4vci.sh load_env.sh cert-config.txt kc_keystore.pkcs12 ./
 
 # Run the Keycloak start-up script
 RUN ./build-kc-oid4vci.sh
@@ -26,4 +26,4 @@ COPY --from=builder /app/target /opt/keycloak/target
 COPY --from=builder /app/.env /opt/keycloak/
 
 # Set the entry point
-ENTRYPOINT ["sh", "-c", "set -a && . /opt/keycloak/.env && set +a && cd $KC_INSTALL_DIR && bin/kc.sh $KC_START $KC_DB_OPTS --features=oid4vc-vci"]
+ENTRYPOINT ["sh", "-c", "set -a && . /opt/keycloak/.env && set +a && cd $KC_INSTALL_DIR && bin/kc.sh $KC_START $KC_DB_OPT --features=oid4vc-vci"]