Keycloak: Difference between revisions
Revision as of 08:38, 29 December 2021
We are using Keycloak for web SSO (Single Sign-On). Clients may use Keycloak for authenticating users via SAML or OIDC (OpenID Connect).
- Admin login: https://keycloak.csclub.uwaterloo.ca/auth/admin
- Regular user login: https://keycloak.csclub.uwaterloo.ca/auth/realms/csc/account
- OIDC Auto Discovery URL: https://keycloak.csclub.uwaterloo.ca/auth/realms/csc/.well-known/openid-configuration
Prerequisites
OK so before we get started, there's this really useful feature in Keycloak called "Conditional user attribute" which allows you to create a flow which branches based on attributes a user may have. For some reason, this is enabled in the test suite for Keycloak, but is not available from the main application. So we're going to compile and inject it ourselves.
Clone https://git.csclub.uwaterloo.ca/public/keycloak-spi and run mvn clean package. This will create a JAR file called csc-keycloak-spi.jar in the target directory; we will need this later.
Database setup
Go to biloba or chamomile, run mysql, and run the following:
-- A user name without an @host part defaults to 'keycloak'@'%', i.e. it may connect from any host.
CREATE USER 'keycloak' IDENTIFIED BY 'replace_this_password';
CREATE DATABASE keycloak CHARACTER SET utf8 COLLATE utf8_unicode_ci;
-- Keycloak manages its own schema, so it needs full rights on its database only.
GRANT ALL PRIVILEGES ON keycloak.* TO 'keycloak';
FLUSH PRIVILEGES;
Kubernetes setup
We are running Keycloak on Kubernetes. This introduces some complications because it gets reverse proxied twice, and we also can't (or at least shouldn't) modify the filesystem of the Pod where it's running, since that Pod can get destroyed at any time. We still need to load that JAR file we just created, though, so we're going to place it into a PersistentVolume instead. We're going to do this by first creating a PersistentVolumeClaim, then claiming it in a temporary Pod which we'll use for shell access:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: syscom
  name: keycloak-spi-pvc
spec:
  storageClassName: cloudstack-storage
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Mi
---
apiVersion: v1
kind: Pod
metadata:
  namespace: syscom
  name: temp-pod
spec:
  containers:
    - name: temp
      image: alpine
      volumeMounts:
        - mountPath: "/data"
          name: keycloak-spi-pv
      stdin: true
      stdinOnce: true
      tty: true
  volumes:
    - name: keycloak-spi-pv
      persistentVolumeClaim:
        claimName: keycloak-spi-pvc
EOF
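Once the temporary Pod is running, the JAR has to be copied into the mounted volume. This added example (not from the CSC wiki) does that with kubectl cp and checks the SHA-256 on both sides before Keycloak is ever pointed at the file; it assumes the names from the manifests above (syscom, temp-pod, /data), the JAR path target/csc-keycloak-spi.jar from the mvn build, and busybox sha256sum/tar in the alpine image.

```shell
#!/bin/sh
# Added example, not from the CSC wiki: copy the compiled SPI JAR into the
# temp-pod's /data volume and verify its SHA-256 on both sides. Assumes the
# names from the manifests above and busybox sha256sum/tar in the alpine image.
set -eu

NAMESPACE="${NAMESPACE:-syscom}"           # from the PVC/Pod manifests
POD="${POD:-temp-pod}"
MOUNT="${MOUNT:-/data}"                    # mountPath of keycloak-spi-pv
JAR="${JAR:-target/csc-keycloak-spi.jar}"  # output of mvn clean package

# SHA-256 of a local file (first field of sha256sum output).
local_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# SHA-256 of a file inside the pod, computed by the pod itself.
remote_digest() {
    kubectl exec -n "$NAMESPACE" "$POD" -- sha256sum "$1" | cut -d' ' -f1
}

# Exit status 0 when both digests are equal, 1 otherwise.
digests_match() {
    [ "$1" = "$2" ]
}

# Copy the JAR and refuse to report success unless the digests agree.
copy_spi_jar() {
    [ -f "$JAR" ] || { echo "missing $JAR; run mvn clean package first" >&2; return 1; }
    expected=$(local_digest "$JAR")
    kubectl cp "$JAR" "$NAMESPACE/$POD:$MOUNT/$(basename "$JAR")"
    actual=$(remote_digest "$MOUNT/$(basename "$JAR")")
    if digests_match "$expected" "$actual"; then
        echo "ok: $(basename "$JAR") sha256=$expected"
    else
        echo "MISMATCH: local=$expected remote=$actual" >&2
        return 1
    fi
}

# Set RUN_COPY=1 to perform the copy when executing this file directly.
if [ "${RUN_COPY:-0}" = 1 ]; then
    copy_spi_jar
fi
```

A mismatch means the file in the volume is not the artifact you built, so do not restart Keycloak against it until the copy has been repeated and verified.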