keycloak
Open Source Identity and Access Management.
OIDC
OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.
Steps setup realm
Create admin user
- Administration Console
- User: admin
- Password: admin
- Password confirmation: admin
- Click on Create
Create realm
http://localhost:8080/auth/admin/master/console/#/realms/master
- login with admin:admin
http://localhost:8080/auth/admin/master/console/#/create/realm
Name: MyRealm
- Enabled: On
- Click on Create
Add user
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
- Go to Users
- Click on Add user
- Username: myuser
- User enabled: ON
- Save
Set user password
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- Select user myuser,
- Select credentials tab,
- Password: mypwd
- Password confirmation: mypwd,
- Temporary: off
- Click on "Set Password"
Create role USER
http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USER to MyRealm
- Role name: USER
- Click on Save
Associate role to user
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- select user myuser
- select tab Role mappings
- select user and click on add selected
Create keycloak client
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
- click on create
- client id: curl_confidential
- client protocol: openid-connect
root url: http://localhost:8080
- Click on save
- Clients Curl_confidential settings:
- access-type: confidential
- Should appear tab Credentials
- Client authenticator: Client ID and secret
- Click on "Regenerate Secret"
- # 3a862f1b-6687-4f7a-8e04-be494fca99e0
- Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
- add selected
- For each map add "Add to userinfo"
- Clients Curl_confidential Scope,
- select full scope allowed: ON
client data
realm: MyRealm
- user pwd: myuser mypwd
- client id: curl_confidential
- protocol: openid-connect
- Curl_confidential settings:
- access-type confidential
valid redirect url http://localhost:8080
- tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0
Signout
cUrl calls to test keycloak
1 ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
2 echo $ACCESS_TOKEN
3
4 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat
5
6 curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat
1 CLIENT_ID="curl_confidential"
2 CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"
3 TOKEN=$(curl -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat)
4
5 ACCESS_TOKEN=$(echo $TOKEN | jq -r '.access_token')
6 REFRESH_TOKEN=$(echo $TOKEN | jq -r '.refresh_token')
7
8 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
9
10 curl -vvv -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$REFRESH_TOKEN" -H "Bearer: $ACCESS_TOKEN" 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/logout'
11
12 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo