Differences between revisions 2 and 24 (spanning 22 versions)

keycloak

Open Source Identity and Access Management.

https://www.keycloak.org/

OIDC

https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview

OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.

Steps setup realm

   1 cd /tmp
   2 wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
   3 unzip -t keycloak-14.0.0.zip
   4 unzip keycloak-14.0.0.zip
   5 cd ~/tmp/keycloak-14.0.0/bin
   6 sh standalone.sh 
   7 http://localhost:8080/auth

Create admin user

http://localhost:8080/auth
Administration Console
User: admin
Password: admin
Password confirmation: admin
Click on Create

Create realm

http://localhost:8080/auth/admin/master/console/#/realms/master
login with admin:admin
http://localhost:8080/auth/admin/master/console/#/create/realm
Name: MyRealm
Enabled: On
Click on Create

Add user myuser

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
Go to Users
Click on Add user
Username: myuser
User enabled: ON
Save

Add user mysubtaskuser

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
Go to Users
Click on Add user
Username: mysubtaskuser
User enabled: ON
Save

Set user password myuser

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
Select user myuser
Select credentials tab
Password: mypwd
Password confirmation: mypwd
Temporary: off
Click on "Set Password"

Set user password mysubtaskuser

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
Select user mysubtaskuser
Select credentials tab
Password: mypwd2
Password confirmation: mypwd2
Temporary: off
Click on "Set Password"

Create role USER

http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USER to MyRealm
Role name: USER
Click on Save

Create role USERSUBTASK

http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USERSUBTASK to MyRealm
Role name: USERSUBTASK
Click on Save

Associate role to user myuser

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
select user myuser
select tab Role mappings
select USER role and click on add selected

Associate role to user mysubtaskuser

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
select user mysubtaskuser
select tab Role mappings
select USERSUBTASK role and click on add selected

Create keycloak client

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
click on create
client id: curl_confidential
client protocol: openid-connect
root url: http://localhost:8080
Click on save
Clients Curl_confidential settings:
access-type: confidential
Should appear tab Credentials
Client authenticator: Client ID and secret
Click on "Regenerate Secret"
# 3a862f1b-6687-4f7a-8e04-be494fca99e0
Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
add selected
For each map add "Add to userinfo"
Clients Curl_confidential Scope,
select full scope allowed: ON

client data

realm: MyRealm
user pwd: myuser mypwd
client id: curl_confidential
protocol: openid-connect
Curl_confidential settings:
access-type confidential
valid redirect url http://localhost:8080
tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0

Signout

http://localhost:8080/auth/realms/MyRealm/account/

cUrl calls to test keycloak

   1 ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
   2 echo $ACCESS_TOKEN
   3 
   4 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat
   5 
   6 curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat

   1 CLIENT_ID="curl_confidential"
   2 CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"
   3 TOKEN=$(curl -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat)
   4 
   5 ACCESS_TOKEN=$(echo $TOKEN | jq -r '.access_token')
   6 REFRESH_TOKEN=$(echo $TOKEN | jq -r '.refresh_token')
   7 
   8 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
   9 
  10 curl -vvv -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$REFRESH_TOKEN" -H "Bearer: $ACCESS_TOKEN" 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/logout'
  11 
  12 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
  13 #
  14

Setup keycloak as service in Raspberry pi

/etc/init.d/keycloak

   1 #! /bin/sh
   2 ### BEGIN INIT INFO
   3 # Provides:          keycloak
   4 # Default-Start:     2 3 4 5
   5 # Default-Stop:
   6 # Short-Description: keycloak
   7 # Description:       keycloak
   8 ### END INIT INFO
   9 #
  10 # Some things that run always
  11 touch /var/lock/keycloak
  12 # Carry out specific functions when asked to by the system
  13 case "$1" in
  14   start)
  15     echo "Starting script keycloak "
  16     su pi -c "nohup /home/pi/keycloak-14.0.0/bin/standalone.sh &"
  17     ;;
  18   stop)
  19     echo "Stopping script keycloak"
  20     kill $(ps uax | grep keycloak | grep java | awk '//{print $2}')
  21     ;;
  22   status)
  23     echo "keycloak PID: $(ps uax | grep keycloak | grep java | awk '//{print $2}')"
  24     ;;
  25   *)
  26     echo "Usage: /etc/init.d/keycloak {start|stop|status}"
  27     exit 1
  28     ;;
  29 esac
  30 
  31 exit 0

Keycloak 21.1.1

   1 cd ~
   2 wget https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-21.1.1.zip
   3 unzip keycloak-21.1.1.zip
   4 cd keycloak-21.1.1/bin
   5 bash kc.sh start 
   6 bash kc.sh show-config
   7 keytool -genkeypair -alias debian -keyalg RSA -keysize 2048 -validity 365 -keystore server.keystore -dname "cn=Server Administrator,o=Keycloak,c=PT" -keypass secret -storepass secret
   8 cp server.keystore ../conf
   9 ./kc.sh start-dev --hostname=debian --https-key-store-password=secret
  10 #Sign in to your account 
  11 #Master, Create realm, MyRealm , Create 
  12 #Users, Create new user, myuser, create 
  13 #select user, credentials, set password,  mypwd mypwd, temporary off , save, save password
  14 #Realm roles, create role, USER, save 
  15 #Users, myuser, role mapping, assign role USER 
  16 #signout
  17 #http://debian:8080/admin/master/console/#/MyRealm
  18 #My realm, clients, create client 
  19 #  client type: openid connect 
  20 #  client id:  curl_confidential
  21 #  next 
  22 #  client authentication: on 
  23 #  standard flow, direct access grants 
  24 #  next 
  25 #  valid redirect url http://localhost:8080
  26 #  save 
  27 #  tab credentials of curl_confidential 
  28 #  client secret regenerate -> Cymorm3jWN2b5z49dNASwPWwgY5zAsdV
  29   
  30 curl -d 'client_id=curl_confidential' -d 'client_secret=Cymorm3jWN2b5z49dNASwPWwgY5zAsdV' -d 'usr' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/realms/MyRealm/protocol/openid-connect/token'
  31 sudo apt install jq 
  32 
  33 TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=Cymorm3jWN2b5z49dNASwPWwgY5zAsdV' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/realms/MyRealm/protocol/openid-connect/token')
  34 echo $TOKEN

-  ⇤ ← Revision 2 as of 2021-07-09 14:43:13 → 
  Size: 1196
  Editor: localhost
  Comment:
+   ← Revision 24 as of 2023-05-24 19:03:37 → ⇥
  Size: 8107
  Editor: 127
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 5:
+== OIDC ==
 * https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview
OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.
-Line 7:
+Line 11:
+cd /tmp
-Line 9:
+Line 14:
-cd ~/keycloak-14.0.0/bin
+unzip keycloak-14.0.0.zip
cd ~/tmp/keycloak-14.0.0/bin
-Line 12:
+Line 18:
-# admin admin admin create 
# http://localhost:8080/auth/admin/master/console/#/realms/master
# Master, add realm, MyRealm , create 
# Users, add user, myuser
# select user, credentials, mypwd mypwd, temporary off 
# Add role USER to MyRealm
# Make user myuser have role USER
# signout
# http://localhost:8080/auth/realms/MyRealm/account/
# realm: MyRealm
# user pwd: myuser mypwd
# client id: curl_confidential
# protocol: openid-connect
# Curl_confidential  settings: access-type confidential
# valid redirect url http://localhost:8080
# tab credentials: regenerate secret 6dfe5f84-d115-4d3e-8a56-a0fcf5b2f13e
curl -d 'client_id=curl_confidential' -d 'client_secret=6dfe5f84-d115-4d3e-8a56-a0fcf5b2f13e' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token'
}}}
+}}}

=== Create admin user ===
 * http://localhost:8080/auth
 * Administration Console
 * User: admin 
 * Password: admin 
 * Password confirmation: admin 
 * Click on Create

=== Create realm ===
 * http://localhost:8080/auth/admin/master/console/#/realms/master
 * login with admin:admin
 * http://localhost:8080/auth/admin/master/console/#/create/realm
 * Name: MyRealm
 * Enabled: On
 * Click on Create

=== Add user myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
 * Go to Users
 * Click on Add user
 * Username: myuser
 * User enabled: ON
 * Save 

=== Add user mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
 * Go to Users
 * Click on Add user
 * Username: mysubtaskuser
 * User enabled: ON
 * Save 

=== Set user password myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user myuser
 * Select credentials tab
 * Password: mypwd 
 * Password confirmation: mypwd
 * Temporary: off 
 * Click on "Set Password" 

=== Set user password mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user mysubtaskuser
 * Select credentials tab
 * Password: mypwd2 
 * Password confirmation: mypwd2
 * Temporary: off 
 * Click on "Set Password" 

=== Create role USER ===
 * http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
 * Add role USER to MyRealm
 * Role name: USER
 * Click on Save 

=== Create role USERSUBTASK ===
 * http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
 * Add role USERSUBTASK to MyRealm
 * Role name: USERSUBTASK
 * Click on Save 


=== Associate role to user myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * select user myuser 
 * select tab Role mappings
 * select USER role and click on add selected

=== Associate role to user mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * select user mysubtaskuser 
 * select tab Role mappings
 * select USERSUBTASK role and click on add selected


=== Create keycloak client ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
 * click on create 
 * client id: curl_confidential
 * client protocol: openid-connect
 * root url: http://localhost:8080
 * Click on save 
 * Clients Curl_confidential  settings: 
 * access-type: confidential
 * Should appear tab Credentials 
 * Client authenticator: Client ID and secret
 * Click on "Regenerate Secret"
 * # 3a862f1b-6687-4f7a-8e04-be494fca99e0
 * Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
 * add selected 
 * For each map add "Add to userinfo"
 * Clients Curl_confidential Scope, 
 * select full scope allowed: ON

=== client data ===
 * realm: MyRealm
 * user pwd: myuser mypwd
 * client id: curl_confidential
 * protocol: openid-connect
 * Curl_confidential  settings: 
 * access-type confidential
 * valid redirect url http://localhost:8080
 * tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0
 
=== Signout ===
 * http://localhost:8080/auth/realms/MyRealm/account/

=== cUrl calls to test keycloak ===
{{{#!highlight bash
ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
echo $ACCESS_TOKEN

curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat

curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat 

}}}

{{{#!highlight bash
CLIENT_ID="curl_confidential"
CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"
TOKEN=$(curl -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat)

ACCESS_TOKEN=$(echo $TOKEN | jq -r '.access_token')
REFRESH_TOKEN=$(echo $TOKEN | jq -r '.refresh_token')

curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo

curl -vvv -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$REFRESH_TOKEN" -H "Bearer: $ACCESS_TOKEN" 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/logout'

curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
#
}}}

== Setup keycloak as service in Raspberry pi ==
 * /etc/init.d/keycloak
{{{#!highlight bash 
#! /bin/sh
### BEGIN INIT INFO
# Provides:          keycloak
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: keycloak
# Description:       keycloak
### END INIT INFO
#
# Some things that run always
touch /var/lock/keycloak
# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting script keycloak "
    su pi -c "nohup /home/pi/keycloak-14.0.0/bin/standalone.sh &"
    ;;
  stop)
    echo "Stopping script keycloak"
    kill $(ps uax | grep keycloak | grep java | awk '//{print $2}')
    ;;
  status)
    echo "keycloak PID: $(ps uax | grep keycloak | grep java | awk '//{print $2}')"
    ;;
  *)
    echo "Usage: /etc/init.d/keycloak {start|stop|status}"
    exit 1
    ;;
esac

exit 0
}}}

== Keycloak 21.1.1 ==
{{{#!highlight sh
cd ~
wget https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-21.1.1.zip
unzip keycloak-21.1.1.zip
cd keycloak-21.1.1/bin
bash kc.sh start 
bash kc.sh show-config
keytool -genkeypair -alias debian -keyalg RSA -keysize 2048 -validity 365 -keystore server.keystore -dname "cn=Server Administrator,o=Keycloak,c=PT" -keypass secret -storepass secret
cp server.keystore ../conf
./kc.sh start-dev --hostname=debian --https-key-store-password=secret
#Sign in to your account 
#Master, Create realm, MyRealm , Create 
#Users, Create new user, myuser, create 
#select user, credentials, set password,  mypwd mypwd, temporary off , save, save password
#Realm roles, create role, USER, save 
#Users, myuser, role mapping, assign role USER 
#signout
#http://debian:8080/admin/master/console/#/MyRealm
#My realm, clients, create client 
#  client type: openid connect 
#  client id:  curl_confidential
#  next 
#  client authentication: on 
#  standard flow, direct access grants 
#  next 
#  valid redirect url http://localhost:8080
#  save 
#  tab credentials of curl_confidential 
#  client secret regenerate -> Cymorm3jWN2b5z49dNASwPWwgY5zAsdV
  
curl -d 'client_id=curl_confidential' -d 'client_secret=Cymorm3jWN2b5z49dNASwPWwgY5zAsdV' -d 'usr' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/realms/MyRealm/protocol/openid-connect/token'
sudo apt install jq 

TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=Cymorm3jWN2b5z49dNASwPWwgY5zAsdV' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/realms/MyRealm/protocol/openid-connect/token')
echo $TOKEN 
}}}