keycloak

Open Source Identity and Access Management.

• https://www.keycloak.org/

OIDC

• https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview

OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.

Steps setup realm

   1 cd /tmp
   2 wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
   3 unzip -t keycloak-14.0.0.zip
   4 unzip keycloak-14.0.0.zip
   5 cd ~/tmp/keycloak-14.0.0/bin
   6 sh standalone.sh 
   7 http://localhost:8080/auth

• Create admin user

  • http://localhost:8080/auth

  • Administration Console
  • User: admin
  • Password: admin
  • Password confirmation: admin
  • Click on Create

• http://localhost:8080/auth/admin/master/console/#/realms/master

• login with admin:admin

• http://localhost:8080/auth/admin/master/console/#/create/realm

• Name: MyRealm

• Enabled: On
• Click on Create

• http://localhost:8080/auth/admin/master/console/#/realms/MyRealm

• Go to Users
• Click on Add user
• Username: myuser
• User enabled: ON
• Save

• http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users

• Select user myuser,
• Select credentials tab,
• Password: mypwd
• Password confirmation: mypwd,
• Temporary: off
• Click on "Set Password"

• http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm

• Add role USER to MyRealm

• Role name: USER
• Click on Save

• http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users

• select user myuser
• select tab Role mappings
• select user and click on add selected

• http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients

• click on create
• client id: curl_confidential
• client protocol: openid-connect

• root url: http://localhost:8080

• Click on save
• Clients Curl_confidential settings:
• access-type: confidential
• Should appear tab Credentials
• Client authenticator: Client ID and secret
• Click on "Regenerate Secret"
• # 3a862f1b-6687-4f7a-8e04-be494fca99e0
• Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
• add selected
• For each map add "Add to userinfo"
• Clients Curl_confidential Scope,
• select full scope allowed: ON

• realm: MyRealm

• user pwd: myuser mypwd
• client id: curl_confidential
• protocol: openid-connect
• Curl_confidential settings:
• access-type confidential

• valid redirect url http://localhost:8080

• tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0
• Signout

• http://localhost:8080/auth/realms/MyRealm/account/

   1 ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
   2 echo $ACCESS_TOKEN
   3 
   4 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat
   5 
   6 curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat