Differences between revisions 1 and 17 (spanning 16 versions)

keycloak

Open Source Identity and Access Management.

https://www.keycloak.org/

OIDC

https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview

OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.

Steps setup realm

   1 cd /tmp
   2 wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
   3 unzip -t keycloak-14.0.0.zip
   4 unzip keycloak-14.0.0.zip
   5 cd ~/tmp/keycloak-14.0.0/bin
   6 sh standalone.sh 
   7 http://localhost:8080/auth

Create admin user

http://localhost:8080/auth
Administration Console
User: admin
Password: admin
Password confirmation: admin
Click on Create

Create realm

http://localhost:8080/auth/admin/master/console/#/realms/master
login with admin:admin
http://localhost:8080/auth/admin/master/console/#/create/realm
Name: MyRealm
Enabled: On
Click on Create

Add user

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
Go to Users
Click on Add user
Username: myuser
User enabled: ON
Save

Set user password

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
Select user myuser,
Select credentials tab,
Password: mypwd
Password confirmation: mypwd,
Temporary: off
Click on "Set Password"

Create role USER

http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USER to MyRealm
Role name: USER
Click on Save

Associate role to user

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
select user myuser
select tab Role mappings
select user and click on add selected

Create keycloak client
- http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
- click on create
- client id: curl_confidential
- client protocol: openid-connect
- root url: http://localhost:8080
- Click on save
- Clients Curl_confidential settings:
- access-type: confidential
- Should appear tab Credentials
- Client authenticator: Client ID and secret
- Click on "Regenerate Secret"
- # 3a862f1b-6687-4f7a-8e04-be494fca99e0
- Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
- add selected
- For each map add "Add to userinfo"
- Clients Curl_confidential Scope,
- select full scope allowed: ON
client data
- realm: MyRealm
- user pwd: myuser mypwd
- client id: curl_confidential
- protocol: openid-connect
- Curl_confidential settings:
- access-type confidential
- valid redirect url http://localhost:8080
- tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0

* Signout

http://localhost:8080/auth/realms/MyRealm/account/

   1 ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
   2 echo $ACCESS_TOKEN
   3 
   4 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat
   5 
   6 curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat

-  ⇤ ← Revision 1 as of 2021-07-09 14:42:19 → 
  Size: 1178
  Editor: localhost
  Comment:
+   ← Revision 17 as of 2021-07-09 17:59:28 → ⇥
  Size: 3634
  Editor: localhost
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 5:
+== OIDC ==
 * https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview
OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.
-Line 7:
+Line 11:
-wget https://downloads.jboss.org/keycloak/10.0.2/keycloak-10.0.2.zip
unzip -t keycloak-10.0.2.zip
cd ~/keycloak-10.0.2/bin
+cd /tmp
wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
unzip -t keycloak-14.0.0.zip
unzip keycloak-14.0.0.zip
cd ~/tmp/keycloak-14.0.0/bin
-Line 12:
+Line 18:
-# admin admin admin create 
# http://localhost:8080/auth/admin/master/console/#/realms/master
# Master, add realm, MyRealm , create 
# Users, add user, myuser
# select user, credentials, mypwd mypwd, temporary off 
# Add role USER to MyRealm
# Make user myuser have role USER
# signout
# http://localhost:8080/auth/realms/MyRealm/account/
# realm: MyRealm
# user pwd: myuser mypwd
# client id: curl_confidential
# protocol: openid-connect
# Curl_confidential  settings: access-type confidential
# valid redirect url http://localhost:8080
# tab credentials: regenerate secret 6dfe5f84-d115-4d3e-8a56-a0fcf5b2f13e
curl -d 'client_id=curl_confidential' -d 'client_secret=6dfe5f84-d115-4d3e-8a56-a0fcf5b2f13e' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token'
-Line 30:
+Line 19:
+=== Create admin user ===
 * http://localhost:8080/auth
 * Administration Console
 * User: admin 
 * Password: admin 
 * Password confirmation: admin 
 * Click on Create

=== Create realm ===
 * http://localhost:8080/auth/admin/master/console/#/realms/master
 * login with admin:admin
 * http://localhost:8080/auth/admin/master/console/#/create/realm
 * Name: MyRealm
 * Enabled: On
 * Click on Create

=== Add user ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
 * Go to Users
 * Click on Add user
 * Username: myuser
 * User enabled: ON
 * Save 

=== Set user password ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user myuser, 
 * Select credentials tab, 
 * Password: mypwd 
 * Password confirmation: mypwd, 
 * Temporary: off 
 * Click on "Set Password" 

=== Create role USER ===
 * http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
 * Add role USER to MyRealm
 * Role name: USER
 * Click on Save 

=== Associate role to user ===
  * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
  * select user myuser 
  * select tab Role mappings
  * select user and click on add selected

 * Create keycloak client
  * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
  * click on create 
  * client id: curl_confidential
  * client protocol: openid-connect
  * root url: http://localhost:8080
  * Click on save 
  * Clients Curl_confidential  settings: 
  * access-type: confidential
  * Should appear tab Credentials 
  * Client authenticator: Client ID and secret
  * Click on "Regenerate Secret"
  * # 3a862f1b-6687-4f7a-8e04-be494fca99e0
  * Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
  * add selected 
  * For each map add "Add to userinfo"
  * Clients Curl_confidential Scope, 
  * select full scope allowed: ON
 * client data
  * realm: MyRealm
  * user pwd: myuser mypwd
  * client id: curl_confidential
  * protocol: openid-connect
  * Curl_confidential  settings: 
  * access-type confidential
  * valid redirect url http://localhost:8080
  * tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0
 
* Signout
 * http://localhost:8080/auth/realms/MyRealm/account/

{{{#!highlight bash
ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
echo $ACCESS_TOKEN

curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat

curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat 

}}}