Configure Keycloak auth

TL;DR - Authorize using Keycloak

You can use Keycloak for authentication. You can configure your own keycloak, or use the procedure below to install Keycloak:

1. Install keycloak using a Docker container: cd devops/keycloak; docker compose up

2. Activate: als add-auth --provider-type=keycloak --db-url=localhost

In addition, this page describes how to administer User/Roles in your Keycloak, and export these settings into your project for source control and team development.

This page is under construction.

 

Keycloak: local config

Projects are pre-created with scripts start Keycloak under Docker. Use this procedure to install and configure a local version of keycloak, running under Docker.

 

Install Keycloak under Docker

Install Keycloak with Docker (imports settings from devops/keycloak/data/import):

Start [install] Keycloak

cd devops/keycloak; docker compose up

 

Configure Project for Keycloak

Execute the following. Optionally, observe the settings in config/config.py:

Configure Keycloak - local

als add-auth --provider-type=keycloak --db-url=localhost

The above uses the localhost abbreviation for the server location. To use a non-default, be sure to speccify your port:

Configure Keycloak - local (not default location)

als add-auth --provider-type=keycloak --db-url=http://10.0.0.77:8080

Internals - verify Configuration in running Admin App

The config settings for the admin app are set in ui/admin/admin_loader.py. This reduces the number of settings to change when altering your configuration. You can verify them as shown below:

 

Verify With the Admin App

You should now be able to run the admin app:

1. login as s1/p -- note the login screen indicates kcals:

2. Verify there is only 1 customer

3. Logout and login as admin/p, and there should be more customers

 

Keycloak Admin

You can use the Keycloak admin console to define Users and their Roles / Attributes.

 

User Administration

To define Users and their Roles / Attributes:

1. Note the selected realm (kcals)

User Roles

Define Roles for your realm:

 

And assign them to users:

User Attributes

Valid Attributes

First, define attributes types:

Link Attributes to Scopes

Assign User Attribute Values

Warning: do not specify None or Null for attribute values; these lead to unpredictable results.

 

Export Auth Data

After defining your users, attributes and roles, you will want to save this keycloak auth data into your project, for source control and sharing.

Export your revised auth data:

1. In the terminal window of your project:

Export the revised auth data

% docker exec -it keycloak bash

$ cd /opt/keycloak
$ bin/kc.sh export --help
$ bin/kc.sh export --dir export
$ exit

This creates a directory in the keycloak docker: keycloak:/opt/keycloak/export. We can import this back into our project, as described next.

 

Use Exported Auth Data in Project

You can make this saved auth data part of your project (and saved to git for your team), as follows:

1. In the terminal window of your project

Use Exported Auth Data in Project

mv devops/keycloak/import-save devops/keycloak/import-backup
docker cp keycloak:/opt/keycloak/export devops/keycloak/import

Appendix

Browser Cache

Keycloak caches security data (e.g., for single sign-on). This may required you to clear your Browser cache.

Internals

Authentication and the keycloak provider interact as shown below:

Inspecting Access Tokens

You can use jwt.io: