Size: 5504
Comment:
|
Size: 8101
Comment:
|
Line 154: | Line 154: |
== Setup keycloak as service in Raspberry pi == * /etc/init.d/keycloak {{{#!highlight bash #! /bin/sh ### BEGIN INIT INFO # Provides: keycloak # Default-Start: 2 3 4 5 # Default-Stop: # Short-Description: keycloak # Description: keycloak ### END INIT INFO # # Some things that run always touch /var/lock/keycloak # Carry out specific functions when asked to by the system case "$1" in start) echo "Starting script keycloak " su pi -c "nohup /home/pi/keycloak-14.0.0/bin/standalone.sh &" ;; stop) echo "Stopping script keycloak" kill $(ps uax | grep keycloak | grep java | awk '//{print $2}') ;; status) echo "keycloak PID: $(ps uax | grep keycloak | grep java | awk '//{print $2}')" ;; *) echo "Usage: /etc/init.d/keycloak {start|stop|status}" exit 1 ;; esac exit 0 }}} == Keyclock 21.1 == {{{#!highlight sh wget https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-21.1.1.zip unzip keycloak-21.1.1.zip cd keycloak-21.1.1/bin bash kc.sh start bash kc.sh show-config keytool -genkeypair -alias debian -keyalg RSA -keysize 2048 -validity 365 -keystore server.keystore -dname "cn=Server Administrator,o=Keycloak,c=PT" -keypass secret -storepass secret cp server.keystore ../conf ./kc.sh start-dev --hostname=debian --https-key-store-password=secret #Sign in to your account #Master, Create realm, MyRealm , Create #Users, Create new user, myuser, create #select user, credentials, set password, mypwd mypwd, temporary off , save, save password #Realm roles, create role, USER, save #Users, myuser, role mapping, assign role USER #signout #http://debian:8080/admin/master/console/#/MyRealm #My realm, clients, create client # client type: openid connect # client id: curl_confidential # next # client authentication: on # standard flow, direct access grants # next # valid redirect url http://localhost:8080 # save # tab credentials of curl_confidential # client secret regenerate -> Cymorm3jWN2b5z49dNASwPWwgY5zAsdV curl -d 'client_id=curl_confidential' -d 
'client_secret=Cymorm3jWN2b5z49dNASwPWwgY5zAsdV' -d 'usr' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/realms/MyRealm/protocol/openid-connect/token' sudo apt install jq TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=Cymorm3jWN2b5z49dNASwPWwgY5zAsdV' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/realms/MyRealm/protocol/openid-connect/token') echo $TOKEN }}} |
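Review bot: The first token request in the "Keyclock 21.1" listing passes `-d 'usr'` instead of `-d 'username=myuser'`, so that request cannot succeed; the second request a few lines later has the right form, so the first should be fixed the same way or dropped. In the init script's `stop` action `kill $(ps uax | grep keycloak | grep java | awk '//{print $2}')` is unquoted, calls `kill` with no arguments when nothing matches, and kills any java process whose command line merely mentions "keycloak"; a single `pids=$(ps -eo pid=,args= | awk '/[k]eycloak/ && /[j]ava/ {print $1}')` followed by `[ -n "$pids" ] && kill $pids` is easier to read and cannot match itself. `echo $TOKEN` should be `printf '%s\n' "$TOKEN"` so the JSON response is not word-split or glob-expanded. The client secret and user password are written into the page and passed on the command line, which lands them in shell history and `ps` output; reading them from a variable or file (`--data-urlencode "client_secret=$CLIENT_SECRET"`) also keeps the example usable after the secret is regenerated.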
keycloak
Open Source Identity and Access Management.
OIDC
OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It adds the user-authentication and identity layer that OAuth 2.0 by itself lacks.
Steps setup realm
Create admin user
- Administration Console
- User: admin
- Password: admin
- Password confirmation: admin
- Click on Create
Create realm
http://localhost:8080/auth/admin/master/console/#/realms/master
- login with admin:admin
http://localhost:8080/auth/admin/master/console/#/create/realm
Name: MyRealm
- Enabled: On
- Click on Create
Add user myuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
- Go to Users
- Click on Add user
- Username: myuser
- User enabled: ON
- Save
Add user mysubtaskuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
- Go to Users
- Click on Add user
- Username: mysubtaskuser
- User enabled: ON
- Save
Set user password myuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- Select user myuser
- Select credentials tab
- Password: mypwd
- Password confirmation: mypwd
- Temporary: off
- Click on "Set Password"
Set user password mysubtaskuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- Select user mysubtaskuser
- Select credentials tab
- Password: mypwd2
- Password confirmation: mypwd2
- Temporary: off
- Click on "Set Password"
Create role USER
http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USER to MyRealm
- Role name: USER
- Click on Save
Create role USERSUBTASK
http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USERSUBTASK to MyRealm
- Role name: USERSUBTASK
- Click on Save
Associate role to user myuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- select user myuser
- select tab Role mappings
- select the USER role and click on "Add selected"
Associate role to user mysubtaskuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- select user mysubtaskuser
- select tab Role mappings
- select the USERSUBTASK role and click on "Add selected"
Create keycloak client
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
- click on create
- client id: curl_confidential
- client protocol: openid-connect
root url: http://localhost:8080
- Click on save
- Clients Curl_confidential settings:
- access-type: confidential
- The Credentials tab should now appear
- Client authenticator: Client ID and secret
- Click on "Regenerate Secret"
- # 3a862f1b-6687-4f7a-8e04-be494fca99e0
- Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
- add selected
- For each map add "Add to userinfo"
- Clients Curl_confidential Scope,
- select full scope allowed: ON
client data
realm: MyRealm
- user / password: myuser / mypwd
- client id: curl_confidential
- protocol: openid-connect
- Curl_confidential settings:
- access-type confidential
valid redirect url http://localhost:8080
- tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0
Signout
curl calls to test Keycloak
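# Resource Owner Password Credentials flow against the MyRealm realm:
# exchange the user's credentials for an access token, then use it.
# Values are the ones configured on this page; the client secret is the
# one shown after "Regenerate Secret" on the curl_confidential client.
REALM_URL='http://localhost:8080/auth/realms/MyRealm'
CLIENT_ID='curl_confidential'
CLIENT_SECRET='3a862f1b-6687-4f7a-8e04-be494fca99e0'

# -sS: no progress bar but errors are still reported.
# --data-urlencode keeps secrets/passwords with special characters intact.
# jq alone picks the field; pretty-printing with json_reformat first is not needed.
ACCESS_TOKEN=$(curl -sS \
  -d "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  -d 'username=myuser' \
  --data-urlencode 'password=mypwd' \
  -d 'grant_type=password' \
  "$REALM_URL/protocol/openid-connect/token" | jq -r '.access_token')

# jq prints "null" when the response has no access_token (bad credentials,
# wrong secret, server not reachable), so check before using the value.
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = null ]; then
  echo 'token request failed' >&2
  exit 1
fi
printf '%s\n' "$ACCESS_TOKEN"

# userinfo: send the token in the Authorization header (RFC 6750) rather than
# in the form body.
curl -sS -X POST -H "Authorization: Bearer $ACCESS_TOKEN" \
  "$REALM_URL/protocol/openid-connect/userinfo" | jq .

# The discovery document is public: a plain GET, no token and no request body.
curl -sS "$REALM_URL/.well-known/openid-configuration" | jq .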
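# Token lifecycle against MyRealm: obtain access + refresh tokens, call
# userinfo, log the session out, then call userinfo again to confirm the
# token is no longer accepted.
REALM_URL='http://localhost:8080/auth/realms/MyRealm'
CLIENT_ID="curl_confidential"
CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"

# Raw token response (JSON). --data-urlencode protects values containing
# characters that are meaningful in form encoding.
TOKEN=$(curl -sS \
  -d "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  -d 'username=myuser' \
  --data-urlencode 'password=mypwd' \
  -d 'grant_type=password' \
  "$REALM_URL/protocol/openid-connect/token")

# printf rather than an unquoted "echo $TOKEN": the unquoted form word-splits
# the JSON and lets the shell expand any glob characters in it.
ACCESS_TOKEN=$(printf '%s' "$TOKEN" | jq -r '.access_token')
REFRESH_TOKEN=$(printf '%s' "$TOKEN" | jq -r '.refresh_token')
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = null ]; then
  printf 'token request failed: %s\n' "$TOKEN" >&2
  exit 1
fi

# Bearer token in the Authorization header (RFC 6750) instead of the form body.
curl -sS -X POST -H "Authorization: Bearer $ACCESS_TOKEN" \
  "$REALM_URL/protocol/openid-connect/userinfo"
echo

# Logout: client credentials plus the refresh token identify the session.
# NB: a header literally named "Bearer:" is not an HTTP header and is ignored;
# Authorization is the one that carries the token.
curl -vvv \
  -d "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  --data-urlencode "refresh_token=$REFRESH_TOKEN" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "$REALM_URL/protocol/openid-connect/logout"

# After logout the same access token is expected to be rejected.
curl -sS -X POST -H "Authorization: Bearer $ACCESS_TOKEN" \
  "$REALM_URL/protocol/openid-connect/userinfo"
echo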
Setup keycloak as service in Raspberry pi
- /etc/init.d/keycloak
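#! /bin/sh
### BEGIN INIT INFO
# Provides:          keycloak
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: keycloak
# Description:       keycloak
### END INIT INFO
#
# SysV init script: starts Keycloak's standalone.sh as user "pi" and locates
# the running instance by looking for a java process whose command line
# mentions keycloak. Usage: /etc/init.d/keycloak {start|stop|status}

KEYCLOAK_HOME=/home/pi/keycloak-14.0.0
KEYCLOAK_USER=pi

# Print the PIDs of running Keycloak JVMs, one per line (nothing when none).
# The bracketed patterns keep awk from matching its own command line, which
# the old "ps | grep | grep" pipeline relied on ordering to avoid.
keycloak_pids() {
  ps -eo pid=,args= | awk '/[k]eycloak/ && /[j]ava/ { print $1 }'
}

# Some things that run always
touch /var/lock/keycloak

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    pids=$(keycloak_pids)
    if [ -n "$pids" ]; then
      # Do not start a second instance on top of a running one.
      echo "keycloak already running (PID: $pids)"
    else
      echo "Starting script keycloak "
      su "$KEYCLOAK_USER" -c "nohup $KEYCLOAK_HOME/bin/standalone.sh &"
    fi
    ;;
  stop)
    echo "Stopping script keycloak"
    pids=$(keycloak_pids)
    if [ -n "$pids" ]; then
      # Unquoted on purpose: $pids is a whitespace-separated PID list.
      kill $pids
    else
      echo "keycloak is not running"
    fi
    ;;
  status)
    pids=$(keycloak_pids)
    if [ -n "$pids" ]; then
      echo "keycloak PID: $pids"
    else
      echo "keycloak is not running"
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/keycloak {start|stop|status}"
    exit 1
    ;;
esac

exit 0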
Keycloak 21.1
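# Install Keycloak 21.1.1 (Quarkus distribution) and obtain a first token.
wget https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-21.1.1.zip
unzip keycloak-21.1.1.zip
cd keycloak-21.1.1/bin || exit 1
bash kc.sh show-config

# Self-signed keystore for HTTPS. Key and store share one password so a single
# --https-key-store-password is enough below; "secret" is a demo value only.
KEYSTORE_PASSWORD=secret
keytool -genkeypair -alias debian -keyalg RSA -keysize 2048 -validity 365 \
  -keystore server.keystore \
  -dname "cn=Server Administrator,o=Keycloak,c=PT" \
  -keypass "$KEYSTORE_PASSWORD" -storepass "$KEYSTORE_PASSWORD"
cp server.keystore ../conf

# start-dev runs in the foreground: run it in its own terminal and do the
# rest from another one. Plain "kc.sh start" (production mode) needs hostname
# and HTTPS settings first, so it is not used here.
./kc.sh start-dev --hostname=debian --https-key-store-password="$KEYSTORE_PASSWORD"

#Sign in to your account
#Master, Create realm, MyRealm , Create
#Users, Create new user, myuser, create
#select user, credentials, set password, mypwd mypwd, temporary off , save, save password
#Realm roles, create role, USER, save
#Users, myuser, role mapping, assign role USER
#signout
#http://debian:8080/admin/master/console/#/MyRealm
#My realm, clients, create client
# client type: openid connect
# client id: curl_confidential
# next
# client authentication: on
# standard flow, direct access grants
# next
# valid redirect url http://localhost:8080
# save
# tab credentials of curl_confidential
# client secret regenerate -> Cymorm3jWN2b5z49dNASwPWwgY5zAsdV

# jq is needed to pick fields out of the JSON token response.
sudo apt install -y jq

# Note the 21.x token URL has no /auth prefix.
TOKEN_URL='http://localhost:8080/realms/MyRealm/protocol/openid-connect/token'
CLIENT_ID=curl_confidential
CLIENT_SECRET=Cymorm3jWN2b5z49dNASwPWwgY5zAsdV   # value from the Credentials tab

# Password grant. The form field is "username=<user>" (a bare "usr" is not a
# valid parameter and the request fails); --data-urlencode protects values
# with special characters.
TOKEN=$(curl -sS \
  -d "client_id=$CLIENT_ID" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  -d 'username=myuser' \
  --data-urlencode 'password=mypwd' \
  -d 'grant_type=password' \
  "$TOKEN_URL")
# Quoted printf: an unquoted "echo $TOKEN" would word-split and glob-expand the JSON.
printf '%s\n' "$TOKEN"
printf '%s' "$TOKEN" | jq -r '.access_token'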