MoinMoin Logo
  • Comments
  • Immutable Page
  • Menu
    • Navigation
    • RecentChanges
    • FindPage
    • Local Site Map
    • Help
    • HelpContents
    • HelpOnMoinWikiSyntax
    • Display
    • Attachments
    • Info
    • Raw Text
    • Print View
    • Edit
    • Load
    • Save
  • Login

Navigation

  • Start
  • Sitemap

Upload page content

You can upload content for the page named below. If you change the page name, you can also upload content for another page. If the page name is empty, we derive the page name from the file name.

File to load page content from
Page name
Comment

Revision 21 as of 2021-07-19 09:52:36
  • keycloak

keycloak

Open Source Identity and Access Management.

  • https://www.keycloak.org/

OIDC

  • https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview

OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.

Steps setup realm

   1 cd /tmp
   2 wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
   3 unzip -t keycloak-14.0.0.zip
   4 unzip keycloak-14.0.0.zip
   5 cd ~/tmp/keycloak-14.0.0/bin
   6 sh standalone.sh 
   7 http://localhost:8080/auth

Create admin user

  • http://localhost:8080/auth

  • Administration Console
  • User: admin
  • Password: admin
  • Password confirmation: admin
  • Click on Create

Create realm

  • http://localhost:8080/auth/admin/master/console/#/realms/master

  • login with admin:admin

  • http://localhost:8080/auth/admin/master/console/#/create/realm

  • Name: MyRealm

  • Enabled: On
  • Click on Create

Add user myuser

  • http://localhost:8080/auth/admin/master/console/#/realms/MyRealm

  • Go to Users
  • Click on Add user
  • Username: myuser
  • User enabled: ON
  • Save

Add user mysubtaskuser

  • http://localhost:8080/auth/admin/master/console/#/realms/MyRealm

  • Go to Users
  • Click on Add user
  • Username: mysubtaskuser
  • User enabled: ON
  • Save

Set user password myuser

  • http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users

  • Select user myuser
  • Select credentials tab
  • Password: mypwd
  • Password confirmation: mypwd
  • Temporary: off
  • Click on "Set Password"

Set user password mysubtaskuser

  • http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users

  • Select user mysubtaskuser
  • Select credentials tab
  • Password: mypwd2
  • Password confirmation: mypwd2
  • Temporary: off
  • Click on "Set Password"

Create role USER

  • http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm

  • Add role USER to MyRealm

  • Role name: USER
  • Click on Save

Create role USERSUBTASK

  • http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm

  • Add role USERSUBTASK to MyRealm

  • Role name: USERSUBTASK
  • Click on Save

Associate role to user myuser

  • http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users

  • select user myuser
  • select tab Role mappings
  • select USER role and click on add selected

Associate role to user mysubtaskuser

  • http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users

  • select user mysubtaskuser
  • select tab Role mappings
  • select USERSUBTASK role and click on add selected

Create keycloak client

  • http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients

  • click on create
  • client id: curl_confidential
  • client protocol: openid-connect

  • root url: http://localhost:8080

  • Click on save
  • Clients Curl_confidential settings:
  • access-type: confidential
  • Should appear tab Credentials
  • Client authenticator: Client ID and secret
  • Click on "Regenerate Secret"
  • # 3a862f1b-6687-4f7a-8e04-be494fca99e0
  • Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
  • add selected
  • For each map add "Add to userinfo"
  • Clients Curl_confidential Scope,
  • select full scope allowed: ON

client data

  • realm: MyRealm

  • user pwd: myuser mypwd
  • client id: curl_confidential
  • protocol: openid-connect
  • Curl_confidential settings:
  • access-type confidential

  • valid redirect url http://localhost:8080

  • tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0

Signout

  • http://localhost:8080/auth/realms/MyRealm/account/

cUrl calls to test keycloak

   1 ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
   2 echo $ACCESS_TOKEN
   3 
   4 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat
   5 
   6 curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat 


   1 CLIENT_ID="curl_confidential"
   2 CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"
   3 TOKEN=$(curl -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat)
   4 
   5 ACCESS_TOKEN=$(echo $TOKEN | jq -r '.access_token')
   6 REFRESH_TOKEN=$(echo $TOKEN | jq -r '.refresh_token')
   7 
   8 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
   9 
  10 curl -vvv -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$REFRESH_TOKEN" -H "Bearer: $ACCESS_TOKEN" 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/logout'
  11 
  12 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
  13 #
  14
  • MoinMoin Powered
  • Python Powered
  • GPL licensed
  • Valid HTML 4.01