= keycloak =
Open Source Identity and Access Management.
 * https://www.keycloak.org/

== OIDC ==
 * https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview
OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.

== Steps setup realm ==
{{{#!highlight bash
cd /tmp
wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
unzip -t keycloak-14.0.0.zip   # test the archive before extracting it
unzip keycloak-14.0.0.zip
cd /tmp/keycloak-14.0.0/bin    # the archive was extracted under /tmp, not ~/tmp
sh standalone.sh
# the server is then reachable at http://localhost:8080/auth
}}}

=== Create admin user ===
 * http://localhost:8080/auth
 * Administration Console
 * User: admin 
 * Password: admin 
 * Password confirmation: admin 
 * Click on Create

=== Create realm ===
 * http://localhost:8080/auth/admin/master/console/#/realms/master
 * login with admin:admin
 * http://localhost:8080/auth/admin/master/console/#/create/realm
 * Name: MyRealm
 * Enabled: On
 * Click on Create

=== Add user myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
 * Go to Users
 * Click on Add user
 * Username: myuser
 * User enabled: ON
 * Save 

=== Add user mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm
 * Go to Users
 * Click on Add user
 * Username: mysubtaskuser
 * User enabled: ON
 * Save 

=== Set user password myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user myuser
 * Select credentials tab
 * Password: mypwd 
 * Password confirmation: mypwd
 * Temporary: off 
 * Click on "Set Password" 

=== Set user password mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * Select user mysubtaskuser
 * Select credentials tab
 * Password: mypwd2 
 * Password confirmation: mypwd2
 * Temporary: off 
 * Click on "Set Password" 

=== Create role USER ===
 * http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
 * Add role USER to MyRealm
 * Role name: USER
 * Click on Save 

=== Create role USERSUBTASK ===
 * http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
 * Add role USERSUBTASK to MyRealm
 * Role name: USERSUBTASK
 * Click on Save 

=== Associate role to user myuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * select user myuser 
 * select tab Role mappings
 * select USER role and click on add selected

=== Associate role to user mysubtaskuser ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
 * select user mysubtaskuser 
 * select tab Role mappings
 * select USERSUBTASK role and click on add selected

=== Create keycloak client ===
 * http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
 * click on create 
 * client id: curl_confidential
 * client protocol: openid-connect
 * root url: http://localhost:8080
 * Click on save 
 * Clients > curl_confidential > Settings:
 * Access Type: confidential
 * The Credentials tab should now appear
 * Credentials tab: Client Authenticator: Client ID and Secret
 * Click on "Regenerate Secret"
 * # 3a862f1b-6687-4f7a-8e04-be494fca99e0 (the secret generated in this example; it is used in the curl calls below)
 * Clients > curl_confidential > Mappers: click on "Add builtin" and select "realm roles" and "groups"
 * Click on "Add selected"
 * For each of the two mappers, enable "Add to userinfo"
 * Clients > curl_confidential > Scope:
 * Full Scope Allowed: ON

=== client data ===
 * realm: MyRealm
 * user / password: myuser / mypwd
 * client id: curl_confidential
 * protocol: openid-connect
 * curl_confidential settings:
 * access-type: confidential
 * valid redirect url: http://localhost:8080
 * tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0

=== Signout ===
 * http://localhost:8080/auth/realms/MyRealm/account/

=== cUrl calls to test keycloak ===
{{{#!highlight bash
# Resource Owner Password Credentials grant: exchange myuser's password for tokens
ACCESS_TOKEN=$(curl -s -d 'client_id=curl_confidential' -d 'client_secret=3a862f1b-6687-4f7a-8e04-be494fca99e0' -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token' | jq -r '.access_token')
echo "$ACCESS_TOKEN"

# userinfo accepts the token as a form parameter; the "realm roles" and "groups" mappers marked "Add to userinfo" show up here
curl -s -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo | json_reformat

# the discovery document is public: no token is needed, and a GET should not carry a request body
curl -s http://localhost:8080/auth/realms/MyRealm/.well-known/openid-configuration | json_reformat
}}}

{{{#!highlight bash
CLIENT_ID="curl_confidential"
CLIENT_SECRET="3a862f1b-6687-4f7a-8e04-be494fca99e0"
TOKEN=$(curl -s -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d 'username=myuser' -d 'password=mypwd' -d 'grant_type=password' 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token')

ACCESS_TOKEN=$(echo "$TOKEN" | jq -r '.access_token')
REFRESH_TOKEN=$(echo "$TOKEN" | jq -r '.refresh_token')

# works: the user session behind the token is still active
curl -s -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo

# end the session: the logout endpoint takes the client credentials and the refresh token
# (a "Bearer: ..." header is not a valid header; no Authorization header is needed here)
curl -vvv -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$REFRESH_TOKEN" 'http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/logout'

# should now be rejected: Keycloak checks the session on userinfo, and logout ended it,
# even though the JWT itself has not yet reached its exp time
curl -s -X POST -d "access_token=$ACCESS_TOKEN" http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
}}}
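The access token returned by the calls above is a JWT, and the "realm roles" mapper and the "Full Scope Allowed" setting configured earlier decide what it contains. The following script is an added example (it is not part of this page and not Keycloak project code): it decodes the token offline with only the Python standard library and checks the claims this setup should produce, i.e. the MyRealm issuer, azp = curl_confidential, a valid expiry and the USER realm role. The sample payload and token built inside it are constructed (the sub value is made up), and the script does not verify the signature: a real consumer must check it against the realm's JWKS (the jwks_uri from the discovery document fetched above) with a JOSE library before trusting any claim.

```python
"""Inspect a Keycloak access token offline (added example, not from the page or
the Keycloak project). Decodes the JWT WITHOUT verifying its signature and checks
issuer, azp, expiry and realm roles. Verify the signature against the realm's JWKS
with a JOSE library before trusting a token."""
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

ISSUER = "http://localhost:8080/auth/realms/MyRealm"   # realm from the page
CLIENT_ID = "curl_confidential"                         # client from the page


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, payload). The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(payload: Dict, required_role: str, now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means the claims look right."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != ISSUER:
        problems.append(f"unexpected issuer {payload.get('iss')!r}")
    if payload.get("azp") != CLIENT_ID:
        problems.append(f"issued to client {payload.get('azp')!r}, expected {CLIENT_ID!r}")
    if payload.get("typ") != "Bearer":
        problems.append(f"unexpected typ {payload.get('typ')!r}")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or carries no exp claim")
    roles = payload.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        problems.append(f"realm role {required_role!r} missing, got {roles}")
    return problems


def sample_payload() -> Dict:
    """CONSTRUCTED payload shaped like what Keycloak 14 issues for myuser; the values
    are assumptions, not copied from a real token (sub is a made-up id)."""
    now = int(time.time())
    return {
        "exp": now + 300, "iat": now,
        "iss": ISSUER, "aud": "account", "typ": "Bearer", "azp": CLIENT_ID,
        "sub": "00000000-0000-4000-8000-000000000001",
        "preferred_username": "myuser",
        "realm_access": {"roles": ["USER", "offline_access", "uma_authorization"]},
        "scope": "profile email",
    }


def make_sample_token(payload: Dict) -> str:
    """Serialise a CONSTRUCTED token with a dummy signature, for offline runs only."""
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"  # dummy signature segment


if __name__ == "__main__":
    import sys
    # Real use: python3 inspect_token.py "$ACCESS_TOKEN" (variable from the curl block above)
    token = sys.argv[1] if len(sys.argv) > 1 else make_sample_token(sample_payload())
    header, payload = decode_jwt_unverified(token)
    print("header :", header)
    print("user   :", payload.get("preferred_username"),
          "roles:", payload.get("realm_access", {}).get("roles"))
    for problem in check_claims(payload, required_role="USER"):
        print("PROBLEM:", problem)
```

Run it as `python3 inspect_token.py "$ACCESS_TOKEN"` (the file name is an assumption) right after the token request; without an argument it decodes its own constructed sample. If the USER role is reported missing on a real token, the "realm roles" mapper or the role mapping of myuser was not applied; if azp is another client id, the token was issued to a different client and should not be accepted by a service expecting curl_confidential.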