keycloak
Open Source Identity and Access Management.
OIDC
OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.
Steps setup realm
Create admin user
- Administration Console
- User: admin
- Password: admin
- Password confirmation: admin
- Click on Create
Create realm
http://localhost:8080/auth/admin/master/console/#/realms/master
- login with admin:admin
http://localhost:8080/auth/admin/master/console/#/create/realm
Name: MyRealm
- Enabled: On
- Click on Create
Add user myuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
- Go to Users
- Click on Add user
- Username: myuser
- User enabled: ON
- Save
Add user mysubtaskuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
- Go to Users
- Click on Add user
- Username: mysubtaskuser
- User enabled: ON
- Save
Set user password myuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- Select user myuser
- Select credentials tab
- Password: mypwd
- Password confirmation: mypwd
- Temporary: off
- Click on "Set Password"
Set user password mysubtaskuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- Select user mysubtaskuser
- Select credentials tab
- Password: mypwd2
- Password confirmation: mypwd2
- Temporary: off
- Click on "Set Password"
Create role USER
http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USER to MyRealm
- Role name: USER
- Click on Save
Create role USERSUBTASK
http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USERSUBTASK to MyRealm
- Role name: USERSUBTASK
- Click on Save
Associate role to user myuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- select user myuser
- select tab Role mappings
- select USER role and click on add selected
Associate role to user mysubtaskuser
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
- select user mysubtaskuser
- select tab Role mappings
- select USERSUBTASK role and click on add selected
Create keycloak client
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
- click on create
- client id: curl_confidential
- client protocol: openid-connect
root url: http://localhost:8080
- Click on save
- Clients Curl_confidential settings:
- access-type: confidential
- Should appear tab Credentials
- Client authenticator: Client ID and secret
- Click on "Regenerate Secret"
- # 3a862f1b-6687-4f7a-8e04-be494fca99e0
- Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
- add selected
- For each map add "Add to userinfo"
- Clients Curl_confidential Scope,
- select full scope allowed: ON
client data
realm: MyRealm
- user pwd: myuser mypwd
- client id: curl_confidential
- protocol: openid-connect
- Curl_confidential settings:
- access-type confidential
valid redirect url http://localhost:8080
- tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0
Signout
cUrl calls to test keycloak
1 ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
2 echo $ACCESS_TOKEN
3
4 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat
5
6 curl -X GET -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat
1 CLIENT_ID="curl_confidential"
2 CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"
3 TOKEN=$(curl -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat)
4
5 ACCESS_TOKEN=$(echo $TOKEN | jq -r '.access_token')
6 REFRESH_TOKEN=$(echo $TOKEN | jq -r '.refresh_token')
7
8 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
9
10 curl -vvv -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$REFRESH_TOKEN" -H "Bearer: $ACCESS_TOKEN" 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/logout'
11
12 curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
13 #
14
Setup keycloak as service in Raspberry pi
- /etc/init.d/keycloak
1 #! /bin/sh
2 ### BEGIN INIT INFO
3 # Provides: keycloak
4 # Default-Start: 2 3 4 5
5 # Default-Stop:
6 # Short-Description: keycloak
7 # Description: keycloak
8 ### END INIT INFO
9 #
10 # Some things that run always
11 touch /var/lock/keycloak
12 # Carry out specific functions when asked to by the system
13 case "$1" in
14 start)
15 echo "Starting script keycloak "
16 su pi -c "nohup /home/pi/keycloak-14.0.0/bin/standalone.sh &"
17 ;;
18 stop)
19 echo "Stopping script keycloak"
20 kill $(ps uax | grep keycloak | grep java | awk '//{print $2}')
21 ;;
22 status)
23 echo "keycloak PID: $(ps uax | grep keycloak | grep java | awk '//{print $2}')"
24 ;;
25 *)
26 echo "Usage: /etc/init.d/keycloak {start|stop|status}"
27 exit 1
28 ;;
29 esac
30
31 exit 0