feat(keycloak-integration): resource provisioning on both jans-auth and keycloak at deploy time #7399

Closed
uprightech opened this issue Jan 17, 2024 · 0 comments · Fixed by #7447 or #7518

uprightech (Contributor) commented Jan 17, 2024

In order to have keycloak work with jans, there are a few resources that need creation/instantiation during installation.
Some have been done already, but this issue tracks what's left over.

1. Janssen

1.1. Create a client used only for SAML authentication.

In janssen-auth, please create a client:

  • client name: kc_saml_openid
  • description: Keycloak OpenID client used for SAML authentication
  • authentication method: client_secret_basic. Will be changed to private_key_jwt eventually.
  • response type: code, token
  • Application type: web
  • Redirect uri: https://<server_url>/realms/jans/kc-jans-authn-rest-bridge/auth-complete
  • scopes: email, user_name, openid
  • active: yes

Save the client id, as it will be used at a later time.

1.2. Create a client used only for API access by the keycloak scheduler

In janssen-auth please create a client:
- client name: kc_scheduler_api
- description: keycloak scheduler openid client used to obtain API keys to invoke the config-api
- authentication method: client_secret_basic. Will be changed to private_key eventually
- response type: token
- Application type: native
- Redirect uri: https://<server_url>/realms/jans/dev/null
- scopes: http://jans.io/idp/saml.write, http://jans.io/idp/saml.readonly, http://jans.io/oauth/config/saml.readonly, http://jans.io/oauth/config/saml.write, http://jans.io/oauth/config/attributes.readonly
- active: yes

1.3. Create a client used only for authentication from the master realm (optional).

This client will be used only to authenticate users in the master realm that want to access the keycloak admin console.
In janssen-auth please create a client:
- client name: kc_master_auth
- description: keycloak master realm client used to authenticate administrators
- authentication method: client_secret_basic. Will be changed to private_key eventually
- response type: code, token
- Application type: web
- Redirect uri: https://<server_url>/realms/master/kc-jans-authn-rest-bridge/auth-complete
- scopes: email, user_name, openid
- active: yes

2. Keycloak

The following commands will assume the command for authentication has already been run

2.1. Create authentication flow in the jans realm used for saml clients

Run the following command:

/opt/keycloak/bin/kcadm.sh create authentication/flows -r jans -f jans.browser-auth-flow.json --config /opt/keycloak/conf/kcadmn-jans.config

The file jans.browser-auth-flow.json is provided with this ticket. This command creates an authentication flow called janssen login,
which can be seen under Authentication in the realm jans.
A response of the following form will be returned:

Created new flow with id '62b4ea41-71cb-4bd6-be0a-41c9bc97e187'

Save/parse the id in the response

2.2. Add execution steps to the flow created in the jans realm.

Run the following commands:

/opt/keycloak/bin/kcadm.sh create authentication/executions -r jans -f jans.execution-auth-cookie.json --config /opt/keycloak/conf/kcadmn-jans.config
/opt/keycloak/bin/kcadm.sh create authentication/executions -r jans -f ~/Projects/Gluu/kcadmin/jans.execution-auth-jans.json --config /opt/keycloak/conf/kcadmn-jans.config

Please make sure the parentFlow key in the files jans.execution-auth-cookie.json and jans.execution-auth-jans.json is replaced by the flow id obtained in 2.1.
Both commands, but most importantly the last one, will return a response of the form:

Created new execution with id '62b4ea41-71cb-4bd6-be0a-41c9bc97e187'

Please note the id for the last one as it will be used in the next step

2.3. Configure the jans auth execution step in realm jans

Run the following command:

/opt/keycloak/bin/kcadm.sh create authentication/executions/ae4a3323-390e-4707-8ef6-4d4ddd9197c0/config -r jans -f jans.execution-config-jans.json --config /opt/keycloak/conf/kcadmn-jans.config

Replace the value ae4a3323-390e-4707-8ef6-4d4ddd9197c0 in the command with the id obtained from running the second command
in 2.2.
In the file jans.execution-config-jans.json, please replace the values found there as follows:

  • jans.auth.server.url should contain the url of our janssen instance, with no suffix. Maybe in the future we can change it to point directly
    to the janssen authorization url.
  • jans.auth.client.id should contain the client id of the client created in 1.1
  • jans.auth.client.secret should contain the secret of the client created in 1.1
  • jans.auth.issuer should contain the url of our janssen instance
  • jans.auth.extra_scopes should be left to null for now

2.4. Create authentication flow in the master realm (optional)

Same as 2.1, but replace -r jans in the command with -r master.

2.5. Add execution steps to the flow created in the master realm. (optional)

Same as in 2.2, but again replace references to the jans realm with the master realm in the commands,
and use the flow id created in 2.4.

2.6. Configure the jans auth execution step in realm jans (optional)

Same as in 2.3, but again replace references to the jans realm with the master realm. There is also an important difference in
the jans.execution-config-jans.json file:

  • jans.auth.server.url should contain the url of our janssen instance, with no suffix. Maybe in the future we can change it to point directly
    to the janssen authorization url.
  • jans.auth.client.id should contain the client id of the client created in 1.3
  • jans.auth.client.secret should contain the secret of the client created in 1.3
  • jans.auth.issuer should contain the url of our janssen instance
  • jans.auth.extra_scopes should be left to null for now

Files

Files to use as reference
jans.browser-auth-flow.json
jans.execution-auth-cookie.json
jans.execution-auth-jans.json
jans.execution-config-jans.json

@uprightech uprightech added this to the 1.0.22 milestone Jan 17, 2024
@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Jan 17, 2024
@iromli iromli self-assigned this Jan 17, 2024
uprightech changed the title from "feat(keycloak-integration): resource provisioning on both jans-auh and keycloak at deploy time" to "feat(keycloak-integration): resource provisioning on both jans-auth and keycloak at deploy time" on May 3, 2024
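Steps 2.1 to 2.3 (and their master-realm twins 2.4 to 2.6) chain three kcadm.sh calls where the output of one call (a flow id, then an execution id) has to be pasted into the input file of the next, and the last input file carries the client secret from 1.1. The script below is an added example, not code from the Janssen or Keycloak projects, that does that chaining for one realm at a time. It takes the kcadm.sh path, the kcadmn-jans.config path and the four JSON file names from the ticket; everything else is an assumption: that the four files sit in TEMPLATE_DIR, that parentFlow and the jans.auth.* settings appear in them as plain JSON string values, that the secret is passed in the JANS_CLIENT_SECRET environment variable, and that the "Created new ... with id '...'" line is read from the combined stdout/stderr of kcadm.sh. Ids are validated as UUIDs before being spliced into a sed expression or a REST path, and the rendered files containing the secret are created under umask 077 and removed afterwards.

```shell
#!/usr/bin/env bash
# Added example (not Janssen/Keycloak project code): drive ticket steps 2.1-2.3
# for one realm with kcadm.sh, parsing the ids kcadm prints instead of pasting
# them by hand. Paths are the ones named in the ticket; TEMPLATE_DIR and the
# JANS_CLIENT_SECRET variable are assumptions of this example.
set -eu

KCADM="${KCADM:-/opt/keycloak/bin/kcadm.sh}"
KCADM_CONFIG="${KCADM_CONFIG:-/opt/keycloak/conf/kcadmn-jans.config}"
TEMPLATE_DIR="${TEMPLATE_DIR:-.}"   # assumed location of the four .json files from the ticket

# kcadm reports "Created new flow with id '<uuid>'" / "Created new execution with id '<uuid>'".
# Extract the id and refuse anything that is not a UUID, so an error message can never
# end up inside a sed expression or a REST path.
parse_created_id() {
  local id
  case "$1" in
    *"with id '"*"'"*) ;;
    *) return 1 ;;
  esac
  id=${1#*"with id '"}
  id=${id%%\'*}
  printf '%s' "$id" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
  printf '%s\n' "$id"
}

# Print <file> with the string value of "<key>" replaced by <value>.
# Key and value are escaped for sed, so a secret containing / & or \ is copied verbatim.
set_json_string() {
  local key_re val_esc
  key_re=$(printf '%s' "$2" | sed -e 's/[][\/.*^$]/\\&/g')
  val_esc=$(printf '%s' "$3" | sed -e 's/[\/&\\]/\\&/g')
  sed -E "s/(\"${key_re}\"[[:space:]]*:[[:space:]]*\")[^\"]*(\")/\1${val_esc}\2/" "$1"
}

# render_file <template> <out> key=value...  : copy the template with each key substituted.
render_file() {
  local tpl="$1" out="$2" kv
  shift 2
  cp "$tpl" "$out"
  for kv in "$@"; do
    set_json_string "$out" "${kv%%=*}" "${kv#*=}" > "$out.tmp"
    mv "$out.tmp" "$out"
  done
}

# provision_flow <realm> <jans-url> <client-id> <client-secret>
# "jans" with the 1.1 client reproduces 2.1-2.3; "master" with the 1.3 client reproduces 2.4-2.6.
provision_flow() {
  local realm="$1" jans_url="$2" client_id="$3" client_secret="$4"
  local work out flow_id exec_id
  umask 077                      # rendered files carry the client secret
  work=$(mktemp -d)

  # 2.1: create the flow and keep its id (message captured from both output streams)
  out=$("$KCADM" create authentication/flows -r "$realm" \
        -f "$TEMPLATE_DIR/jans.browser-auth-flow.json" --config "$KCADM_CONFIG" 2>&1)
  flow_id=$(parse_created_id "$out") || { echo "flow creation failed: $out" >&2; return 1; }

  # 2.2: add both executions under that flow; the id of the jans one is needed next
  render_file "$TEMPLATE_DIR/jans.execution-auth-cookie.json" "$work/cookie.json" "parentFlow=$flow_id"
  "$KCADM" create authentication/executions -r "$realm" -f "$work/cookie.json" --config "$KCADM_CONFIG"
  render_file "$TEMPLATE_DIR/jans.execution-auth-jans.json" "$work/jans.json" "parentFlow=$flow_id"
  out=$("$KCADM" create authentication/executions -r "$realm" -f "$work/jans.json" --config "$KCADM_CONFIG" 2>&1)
  exec_id=$(parse_created_id "$out") || { echo "execution creation failed: $out" >&2; return 1; }

  # 2.3: configure the jans execution with the client created in 1.1 (1.3 for master)
  render_file "$TEMPLATE_DIR/jans.execution-config-jans.json" "$work/config.json" \
    "jans.auth.server.url=$jans_url" "jans.auth.issuer=$jans_url" \
    "jans.auth.client.id=$client_id" "jans.auth.client.secret=$client_secret"
  "$KCADM" create "authentication/executions/$exec_id/config" -r "$realm" \
    -f "$work/config.json" --config "$KCADM_CONFIG"

  rm -rf "$work"
  printf 'realm=%s flow=%s execution=%s\n' "$realm" "$flow_id" "$exec_id"
}

# Usage, after the kcadm.sh authentication command from the ticket has been run:
#   JANS_CLIENT_SECRET=... ./provision-kc.sh jans https://<server_url> <kc_saml_openid client id>
if [ "${1:-}" = jans ] || [ "${1:-}" = master ]; then
  provision_flow "$1" "$2" "$3" "${JANS_CLIENT_SECRET:?set JANS_CLIENT_SECRET}"
fi
```

The jans.auth.extra_scopes value is left untouched because the ticket wants it null, and a null is not a string the substitution above would match. Running the script a second time creates a second flow with the same alias, so check the Authentication page of the realm (or list flows with kcadm.sh get authentication/flows) before re-running it.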