...

Keycloak version 11.0.3 is used.

Setup

Execute this script to get a Keycloak container up and running and to set up the default users for onap.

Setup-Workflow

  1. Checks whether the Keycloak docker image is available locally
    1. pulls the image if it is not
  2. Starts the container on the default port with the default admin user (see Script Variables)
  3. Obtains an admin bearer token from the master realm
  4. Creates the "onap" realm
  5. Adds the default users

Script Variables

At the start of the script, several variables are defined. Update them to match your environment before running it.
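The Setup-Workflow above, steps 3 to 5, as an added example written for this page against the Keycloak 11 Admin REST API. It is not the page's own script and not ONAP code: the script variables (BASE_URL, ADMIN_USER, ADMIN_PASSWORD), the role names and the two sample users with placeholder passwords are assumptions, and steps 1 and 2 (docker pull / docker run) are left to the shell. The HTTP transport is injectable so the flow can be exercised without a running Keycloak.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Script variables as assumed for this example (the page's script defines its own set).
BASE_URL = "http://localhost:8080"   # host port on which the container's internal 8080 is published
ADMIN_USER = "admin"                 # KEYCLOAK_USER given to the container
ADMIN_PASSWORD = "admin"             # KEYCLOAK_PASSWORD; change it before exposing the instance
REALM = "onap"

# Constructed sample data: placeholder users and passwords, not the project's defaults.
DEFAULT_ROLES = ["admin", "viewer"]
DEFAULT_USERS = [
    {"username": "onap-admin", "password": "replace-me", "roles": ["admin"]},
    {"username": "onap-viewer", "password": "replace-me", "roles": ["viewer"]},
]


def urllib_send(method, url, headers, body):
    """Default transport: perform the HTTP call and return (status, response text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class KeycloakAdmin:
    """Minimal Admin REST API client; `send` is injectable so the flow is testable offline."""

    def __init__(self, base_url=BASE_URL, send=urllib_send):
        self.base_url = base_url.rstrip("/")
        self.send = send
        self.token = None

    def login(self, username, password):
        # Step 3: password grant against the master realm's built-in admin-cli client.
        form = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password,
        }).encode()
        url = f"{self.base_url}/auth/realms/master/protocol/openid-connect/token"
        status, text = self.send("POST", url,
                                 {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"admin login failed: {status} {text}")
        self.token = json.loads(text)["access_token"]
        return self.token

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = None if payload is None else json.dumps(payload).encode()
        status, text = self.send(method, f"{self.base_url}/auth/admin{path}", headers, body)
        if status == 409:        # already exists: the script can be re-run safely
            return None
        if status >= 300:
            raise RuntimeError(f"{method} {path} -> {status}: {text}")
        return json.loads(text) if text else None

    def create_realm(self, realm):
        # Step 4: a dedicated realm so application users never live in 'master'.
        self._call("POST", "/realms", {"realm": realm, "enabled": True})

    def create_role(self, realm, name):
        self._call("POST", f"/realms/{realm}/roles", {"name": name})

    def create_user(self, realm, username, password, roles):
        # Step 5: user with a non-temporary password, then realm-role mappings by role id.
        self._call("POST", f"/realms/{realm}/users", {
            "username": username, "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": False}],
        })
        # The users search is a substring match, so pick the exact username from the result.
        found = self._call("GET", f"/realms/{realm}/users?username={urllib.parse.quote(username)}")
        user_id = next(u["id"] for u in found if u["username"] == username)
        mapping = [self._call("GET", f"/realms/{realm}/roles/{urllib.parse.quote(role)}")
                   for role in roles]
        self._call("POST", f"/realms/{realm}/users/{user_id}/role-mappings/realm", mapping)
        return user_id


def setup_realm(admin, realm=REALM, roles=DEFAULT_ROLES, users=DEFAULT_USERS):
    """Steps 4 and 5 of the workflow; returns {username: keycloak user id}."""
    admin.create_realm(realm)
    for role in roles:
        admin.create_role(realm, role)
    return {u["username"]: admin.create_user(realm, u["username"], u["password"], u["roles"])
            for u in users}


if __name__ == "__main__":
    # Steps 1 and 2 (docker pull / docker run) happen outside this script; see the Setup section.
    kc = KeycloakAdmin()
    kc.login(ADMIN_USER, ADMIN_PASSWORD)
    print(setup_realm(kc))
```

The 409 handling makes every step idempotent, which is what a setup script that may be run twice needs; any other non-2xx status aborts with the server's response text so a wrong admin password or a typo in a role name is visible immediately.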

...

Known problems - regenerate/change secret

...

General

Keycloak ships with the 'master' realm by default, which governs all other realms ('sub-realms'). It is for administrative purposes only.

To let 'normal' users authenticate, create a new realm (one per application, or as needed) so that application users and clients are kept apart from the administrative realm.

An admin who needs access to sub-realms authenticates against the master realm, receives a token, and then uses that token to manage the sub-realms. Such a token carries administrative rights over every realm, so the master admin credentials must not end up in application configuration.


For further information about Keycloak, see the documentation.

Setup

Start docker container

  1. Pull the image: docker pull quay.io/keycloak/keycloak:11.0.3
  2. Start the docker container with the environment variables 'KEYCLOAK_USER' and 'KEYCLOAK_PASSWORD' set, publishing a host port of your choice. The container listens on port 8080 internally.
  3. Navigate to http://localhost:8080/auth/admin (adjust the port if you published a different one) and log in; this gives access to the master realm and its admin console.
  4. Create an 'onap' realm

Three further steps follow: creating the default users, creating and assigning roles, and creating a client that onap/odlux uses to authenticate those users.

Adding Roles

  • Navigate to 'Roles'
  • Add roles as needed

Adding default users

  • Navigate to 'Users'
  • Add users as needed
  • Once created, click a user, navigate to 'Role Mappings' and assign a given role

Adding client

  1. Navigate to 'Clients' and create a new one
  2. Use the client ID 'odlux.app' and the client protocol 'openid-connect'
  3. Select the client and open the 'Settings' tab
  4. Enable, if not already enabled:
    1. Direct Access Grants Enabled
    2. Standard Flow Enabled
  5. Add the valid redirect URIs of your onap installation (list the exact URIs; a bare '*' would let any site receive the authorization code)
  6. Set the access type to 'confidential'
  7. Save, then open the 'Credentials' tab and generate the client secret
  8. Note: if tokens should live longer, the lifespan can be changed under the 'Advanced Settings' dropdown
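A check for the client configured above, as an added example written for this page and not taken from the page or the ONAP project: it obtains a token for a user through the Direct Access Grant (client ID plus secret plus the user's password) and inspects the issued claims, which is the quickest way to confirm that the client, the realm and the role mappings fit together. KEYCLOAK_URL, the secret placeholder, the username and password, and the SAMPLE_CLAIMS token (built with `_unsigned_jwt`, which exists only to construct that sample) are assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

KEYCLOAK_URL = "http://localhost:8080"   # assumption: where the container is published
REALM = "onap"
CLIENT_ID = "odlux.app"
CLIENT_SECRET = "paste-the-secret-from-the-credentials-tab"   # assumption: filled in by hand


def token_endpoint(base_url, realm):
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def issuer(base_url, realm):
    # Keycloak 11 includes the /auth prefix in the issuer claim as well.
    return f"{base_url.rstrip('/')}/auth/realms/{realm}"


def password_grant(base_url, realm, client_id, client_secret, username, password):
    """Direct Access Grant: the client authenticates with its secret, the user with a password."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(token_endpoint(base_url, realm), data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def decode_claims(token):
    """Decode the JWT payload only. No signature check: this inspects what was issued,
    it is not how a resource server should decide to trust a token."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(claims, expected_issuer, expected_client, required_roles, now=None):
    """Return a list of problems; empty means the token matches the client setup described above."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    if claims.get("azp") != expected_client:
        problems.append(f"authorized party {claims.get('azp')!r} != {expected_client!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    roles = set(claims.get("realm_access", {}).get("roles", []))
    missing = sorted(set(required_roles) - roles)
    if missing:
        problems.append(f"missing realm roles: {missing}")
    return problems


def _unsigned_jwt(claims):
    """Build a token with an empty signature; used only to construct the sample below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims, shaped like a Keycloak access token for the 'onap' realm.
SAMPLE_CLAIMS = {
    "iss": issuer(KEYCLOAK_URL, REALM), "azp": CLIENT_ID, "preferred_username": "onap-admin",
    "iat": 1_600_000_000, "exp": 1_600_000_300,          # 5-minute access token lifespan
    "realm_access": {"roles": ["admin", "offline_access"]},
}
SAMPLE_TOKEN = _unsigned_jwt(SAMPLE_CLAIMS)


if __name__ == "__main__":
    # Live check against a running instance; credentials here are assumed placeholders.
    live = password_grant(KEYCLOAK_URL, REALM, CLIENT_ID, CLIENT_SECRET, "onap-admin", "replace-me")
    problems = check_claims(decode_claims(live["access_token"]),
                            issuer(KEYCLOAK_URL, REALM), CLIENT_ID, ["admin"])
    print(problems or "token ok")
```

If the grant is rejected with invalid_client, the client is still public or the secret was regenerated after it was copied; if it succeeds but the required role is missing, the user was created without the role mapping described under "Adding default users".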

Further setup

Before you go and run Keycloak in production there are a few more things that you will want to do, including:

  • Switch to a production ready database such as PostgreSQL

  • Configure SSL with your own certificates

  • Switch the admin password to a more secure password

Quoted from: [https://www.keycloak.org/getting-started/getting-started-docker]

...

To access the secret via the GUI, the access type must be changed to 'confidential' and saved. The 'Credentials' tab then becomes visible.

On the Credentials tab, the current secret can be copied or a new one generated. Regenerating invalidates the old secret, so every odlux instance configured with it must be updated.

Currently, the client cannot be created as confidential via the REST API.