= keycloak =
Open Source Identity and Access Management.
 * https://www.keycloak.org/

== OIDC ==
 * https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview

OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.

== Steps to set up a realm ==
{{{#!highlight bash
cd /tmp
wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
unzip -t keycloak-14.0.0.zip   # test the archive before extracting it
unzip keycloak-14.0.0.zip
cd /tmp/keycloak-14.0.0/bin    # the archive was extracted under /tmp
sh standalone.sh
# The server is now reachable at http://localhost:8080/auth
}}}

=== Create admin user ===
 * http://localhost:8080/auth
 * Administration Console
 * User: admin
 * Password: admin
 * Password confirmation: admin
 * Click on Create

=== Create realm ===
 * http://localhost:8080/auth/admin/master/console/#/realms/master
 * Log in with admin:admin
 * http://localhost:8080/auth/admin/master/console/#/create/realm
 * Name: MyRealm
 * Enabled: On
 * Click on Create

=== Add user myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
 * Go to Users
 * Click on Add user
 * Username: myuser
 * User enabled: ON
 * Save

=== Add user mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
 * Go to Users
 * Click on Add user
 * Username: mysubtaskuser
 * User enabled: ON
 * Save

=== Set user password myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user myuser
 * Select the Credentials tab
 * Password: mypwd
 * Password confirmation: mypwd
 * Temporary: off
 * Click on "Set Password"

=== Set user password mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user mysubtaskuser
 * Select the Credentials tab
 * Password: mypwd2
 * Password confirmation: mypwd2
 * Temporary: off
 * Click on "Set Password"

=== Create role USER ===
 * http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
 * Add role USER to MyRealm
 * Role name: USER
 * Click on Save

=== Create role USERSUBTASK ===
 * http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
 * Add role USERSUBTASK to MyRealm
 * Role name: USERSUBTASK
 * Click on Save

=== Associate role to user myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user myuser
 * Select the Role Mappings tab
 * Select the USER role and click on Add selected

=== Associate role to user mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user mysubtaskuser
 * Select the Role Mappings tab
 * Select the USERSUBTASK role and click on Add selected

=== Create keycloak client ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
 * Click on Create
 * Client ID: curl_confidential
 * Client Protocol: openid-connect
 * Root URL: http://localhost:8080
 * Click on Save
 * Clients > curl_confidential > Settings:
 * Access Type: confidential
 * The Credentials tab should now appear
 * Client Authenticator: Client ID and secret
 * Click on "Regenerate Secret"
 * Generated secret: 3a862f1b-6687-4f7a-8e04-be494fca99e0
 * Clients > curl_confidential > Mappers: add the builtin "realm roles" and "groups" mappers
 * Add selected
 * For each mapper, enable "Add to userinfo"
 * Clients > curl_confidential > Scope:
 * Full Scope Allowed: ON

=== Client data ===
 * realm: MyRealm
 * user pwd: myuser mypwd
 * client id: curl_confidential
 * protocol: openid-connect
 * curl_confidential settings:
 * access-type: confidential
 * valid redirect url: http://localhost:8080
 * tab Credentials: regenerated secret 3a862f1b-6687-4f7a-8e04-be494fca99e0

=== Signout ===
 * http://localhost:8080/auth/realms/MyRealm/account/

=== curl calls to test keycloak ===
{{{#!highlight bash
# Password grant (Resource Owner Password Credentials) against the confidential client
ACCESS_TOKEN=$(curl -d 'client_id=curl_confidential' \
  -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' \
  -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' \
  'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat | jq -r '.access_token')
echo "$ACCESS_TOKEN"

# Claims exposed by the userinfo endpoint; the "realm roles" and "groups" mappers above were added to userinfo
curl -X POST -d "access_token=$ACCESS_TOKEN" \
  http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat

# Discovery document: endpoints plus the jwks_uri used to verify token signatures. It is public, so no token is sent.
curl http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat
}}}

{{{#!highlight bash
CLIENT_ID="curl_confidential"
CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"

# Fetch the whole token response once and pull both tokens out of it
TOKEN=$(curl -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
  -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' \
  'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | json_reformat)
ACCESS_TOKEN=$(echo "$TOKEN" | jq -r '.access_token')
REFRESH_TOKEN=$(echo "$TOKEN" | jq -r '.refresh_token')

# Works while the user session is active
curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo

# Back-channel logout: client credentials plus the refresh token end the session.
# The access token goes in a standard Authorization header (not required by this endpoint).
curl -vvv -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$REFRESH_TOKEN" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/logout'

# The same call should now be rejected, because the session behind the token was terminated
curl -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
}}}
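The access token returned by the password grant above is a JWT, and the realm roles created on this page arrive in its `realm_access.roles` claim. As an added example (not part of this page's original content, and not Keycloak's own code), a small Python resource-server check using the page's realm issuer and client id: it decodes the claims, then applies the issuer, token type, `azp`, expiry and role checks. The token is constructed inline with a placeholder signature, so signature verification against the realm's `jwks_uri` (found in the discovery document fetched above) is assumed to have happened first; the code does not perform it.

```python
import base64
import json
import time

# Issuer and client as set up on this page.
EXPECTED_ISSUER = "http://localhost:8080/auth/realms/MyRealm"
EXPECTED_CLIENT = "curl_confidential"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims for inspection. This does NOT verify the
    signature: a resource server must first verify the RS256 signature with the
    key from the realm's jwks_uri (see /.well-known/openid-configuration)."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # realm default; refuse anything else
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    return json.loads(b64url_decode(payload_b64))

def authorize(claims: dict, required_role: str, now=None) -> bool:
    """Checks applied after signature verification: issuer, token type,
    authorized party, expiry, and the realm role carried in realm_access."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("typ") != "Bearer":
        return False
    if claims.get("azp") != EXPECTED_CLIENT or claims.get("exp", 0) <= now:
        return False
    return required_role in claims.get("realm_access", {}).get("roles", [])

def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED token for offline testing; the third segment is a
    placeholder, not a real signature, which is why decode_claims never trusts it."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

# Constructed claims shaped like a token for myuser issued to curl_confidential.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "typ": "Bearer", "azp": EXPECTED_CLIENT,
    "preferred_username": "myuser", "iat": 1_700_000_000, "exp": 1_700_000_300,
    "realm_access": {"roles": ["USER"]},
}
```

With the sample claims, `authorize(decode_claims(make_sample_token(SAMPLE_CLAIMS)), "USER", now=1_700_000_100)` is true, while asking for USERSUBTASK, or evaluating at or after `exp`, is refused.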