...
Keycloak version 11.0.3 is used.
Setup
Execute this script to get a Keycloak container up and running and to set up the default users for onap.
Setup-Workflow
- Checks whether the Keycloak docker image is available locally
- Pulls the image if it is not available
- Starts the container on the default port with the default admin user (see Script Variables)
- Obtains an admin bearer token
- Creates the "onap" realm
- Adds the default users
Script Variables
At the start of the script, several variables are defined. Update accordingly.
...
Known problems - regenerate/change secret
...
To access the secret via the GUI, the access type must be changed to 'confidential' and saved. The 'Credentials' tab then becomes visible in the GUI.
On the 'Credentials' tab, the current secret can be copied or a new one generated.
...
General
Keycloak comes with the so-called 'master' realm by default, which governs all other realms ('sub-realms'). It is for administrative purposes.
To allow 'normal' users to authenticate, a new realm should be created (for any given application / as needed) to separate concerns.
If an admin needs access to sub-realms, they should authenticate against the master realm, receive a token, and can then use that token to access the sub-realms.
For further information about Keycloak, see the documentation.
Setup
Start docker container
- Pull the image: docker pull quay.io/keycloak/keycloak:11.0.3
- Start the docker container with the env vars 'KEYCLOAK_USER' and 'KEYCLOAK_PASSWORD' set, on a port of your choice. The internal port is 8080.
- Navigate to http://localhost:8080/auth/admin and log in, which gives access to the master realm / admin console.
- Create an 'onap' realm
Three further steps are then needed: creating the default users, creating and assigning roles, and creating a client that onap/odlux uses to authenticate the users.
Adding Roles
- Navigate to 'Roles'
- Add roles as needed
Adding default users
- Navigate to 'Users'
- Add users as needed
- Once created, click a user, navigate to 'Role Mappings' and assign a given role
Adding client
- Navigate to 'Clients' and create a new one
- Create a client with client ID 'odlux.app' and client protocol 'openid-connect'
- Select client and open 'Settings' tab
- Enable, if not already done:
  - Direct Access Grants
  - Standard Flow Enabled
- Add valid redirect URLs for your onap installation
- Set access type to 'confidential'
- (Save. Navigate to the 'credentials' tab and create your secret)
- (Note: If the lifespan of a token should be longer, it can be updated under the 'Advanced Settings' dropdown)
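The Setup-Workflow and the GUI steps above (realm, roles, users with role mappings, confidential 'odlux.app' client) can be driven through the Keycloak Admin REST API instead. The following is an added example, not the page's own script or ONAP code; it assumes Keycloak 11 on http://localhost:8080 under the /auth prefix, placeholder admin credentials, and an injectable `send` transport so the call sequence can be checked without a running server.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Constructed placeholders (the page's "Script Variables"); adjust for your installation.
BASE_URL = "http://localhost:8080/auth"        # Keycloak 11 still serves under /auth
ADMIN_USER, ADMIN_PASSWORD = "admin", "admin"  # default admin user of the master realm
REALM = "onap"

def http(method, url, body=None, headers=None):
    """Send one request; return (status, decoded JSON body or None, response headers)."""
    data = body if isinstance(body, bytes) else (json.dumps(body).encode() if body is not None else None)
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None), dict(resp.headers.items())

def admin_token(send=http):
    """Password grant against the master realm's built-in admin-cli client (the admin bearer token)."""
    form = urlencode({"client_id": "admin-cli", "grant_type": "password",
                      "username": ADMIN_USER, "password": ADMIN_PASSWORD}).encode()
    _, body, _ = send("POST", f"{BASE_URL}/realms/master/protocol/openid-connect/token", form,
                      {"Content-Type": "application/x-www-form-urlencoded"})
    return body["access_token"]

def setup_realm(roles, users, redirect_uris, send=http):
    """Create realm, roles, users (username, password, role) with mappings, and the odlux.app client."""
    hdr = {"Authorization": f"Bearer {admin_token(send)}", "Content-Type": "application/json"}
    admin = f"{BASE_URL}/admin/realms"
    send("POST", admin, {"realm": REALM, "enabled": True}, hdr)
    for role in roles:
        send("POST", f"{admin}/{REALM}/roles", {"name": role}, hdr)
    created = {}
    for username, password, role in users:
        user = {"username": username, "enabled": True,
                "credentials": [{"type": "password", "value": password, "temporary": False}]}
        _, _, resp_hdr = send("POST", f"{admin}/{REALM}/users", user, hdr)
        user_id = resp_hdr["Location"].rsplit("/", 1)[-1]   # 201 Created carries the new user's URL
        _, role_rep, _ = send("GET", f"{admin}/{REALM}/roles/{role}", None, hdr)
        send("POST", f"{admin}/{REALM}/users/{user_id}/role-mappings/realm", [role_rep], hdr)
        created[username] = user_id
    # publicClient=False is the REST equivalent of access type 'confidential' in the GUI;
    # Keycloak then generates the secret, which is read from the Credentials tab as described above.
    client = {"clientId": "odlux.app", "protocol": "openid-connect", "publicClient": False,
              "directAccessGrantsEnabled": True, "standardFlowEnabled": True,
              "redirectUris": redirect_uris}
    send("POST", f"{admin}/{REALM}/clients", client, hdr)
    return created   # {username: keycloak user id}
```

Run `setup_realm(["admin"], [("demo", "demo-pw", "admin")], ["https://your-onap-host/odlux/*"])` against a fresh container started as described in 'Start docker container'.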
Further setup
Before you go and run Keycloak in production there are a few more things that you will want to do, including:
- Switch to a production ready database such as PostgreSQL
- Configure SSL with your own certificates
- Switch the admin password to a more secure password
Quoted from: [https://www.keycloak.org/getting-started/getting-started-docker]