
Keycloak setup (OAuth openid connect)

Håvar Aambø Fosstveit edited this page Jun 4, 2023 · 2 revisions

This is a guide to setting up Keycloak locally for testing with the edumeet-management-server.

Start a Keycloak Docker container

docker run --name keycloak \
  -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
  -e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/edumeet-demo-cert.pem \
  -e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/edumeet-demo-key.pem \
  -v "$PWD/edumeet-demo-cert.pem":/opt/keycloak/conf/edumeet-demo-cert.pem \
  -v "$PWD/edumeet-demo-key.pem":/opt/keycloak/conf/edumeet-demo-key.pem \
  -p 8443:8443 quay.io/keycloak/keycloak:latest start-dev

You can change the certificate/key to whichever you want; a self-signed certificate is fine for testing. Once the container is up and running, go to https://localhost:8443 and you should be presented with a login screen. Log in with username admin and password admin.



Once you are in the administrator console, create a new realm and call it whatever you like; in this example we call it dev.



Make sure you have selected the new realm in the dropdown in the top left.


Select client scopes on the left and create a new client scope.


Make sure the name of the new scope is openid.



Select clients on the left and create a new client.


You may choose the name of the client; in this example we chose edumeet-dev-client.


Make sure Client authentication is checked; the rest of the options should be correct by default.


Set the Root URL to the URL of the Keycloak instance, in this example https://localhost:8443. Set the Valid redirect URIs and Web origins to the URL of your edumeet-management-server, in this example http://localhost:3030/*. Save the client.



Under the Credentials tab you can reveal the Client secret. Copy it, as we need it in the edumeet-management-server.



Under Client scopes, make sure openid is in the list, and set to Default. If it isn't, click Add client scope at the top to add it.



Now go to Users on the left and click Create new user.


Set the various options for the user as you see fit; this is the user that will be used to log into edumeet-management-server.


Under the Credentials tab, you may set a password for the user.



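Your Keycloak instance should now be ready for use. If you used a self-signed certificate in Keycloak, make sure you start the edumeet-management-server with NODE_TLS_REJECT_UNAUTHORIZED=0. That variable turns off TLS certificate verification for every outbound connection the Node.js process makes, so keep it to a local test setup like this one.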
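
To confirm the realm advertises what the management server will need before you register it, the following added example (not part of the original guide or the edumeet project) fetches the realm's OpenID Connect discovery document while trusting only the demo certificate, then checks the issuer, the endpoints and the openid scope. It assumes the realm is named dev and that edumeet-demo-cert.pem is in the working directory and valid for localhost; the SAMPLE document is constructed so the checks also run offline.

```python
import json
import ssl
import sys
import urllib.request

# Values from this guide. The discovery path is Keycloak's standard location.
ISSUER = "https://localhost:8443/realms/dev"
CA_FILE = "edumeet-demo-cert.pem"  # assumed: in the working directory, valid for localhost
ENDPOINTS = {  # standard Keycloak paths below the realm URL
    "authorization_endpoint": "/protocol/openid-connect/auth",
    "token_endpoint": "/protocol/openid-connect/token",
    "userinfo_endpoint": "/protocol/openid-connect/userinfo",
    "jwks_uri": "/protocol/openid-connect/certs",
}
# Constructed sample shaped like a Keycloak response, so the checks run offline.
SAMPLE = {"issuer": ISSUER, "scopes_supported": ["openid", "profile", "email"],
          **{name: ISSUER + path for name, path in ENDPOINTS.items()}}


def fetch_discovery(issuer=ISSUER, ca_file=CA_FILE):
    """Fetch the discovery document, trusting only the given certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays on
    url = issuer + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc, issuer=ISSUER):
    """Return a list of problems; an empty list means the realm looks usable."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {issuer!r}")
    for name in ENDPOINTS:
        value = str(doc.get(name, ""))
        if not value.startswith(issuer + "/"):
            problems.append(f"{name} missing or outside the realm: {value!r}")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("scope 'openid' is not advertised")
    return problems


if __name__ == "__main__":
    # "--live" queries the running container; otherwise the sample is checked.
    doc = fetch_discovery() if "--live" in sys.argv else SAMPLE
    for problem in check_discovery(doc) or ["ok"]:
        print(problem)
```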


To configure this instance as the authentication provider for one of your tenants on edumeet-management-server, you will need to send a POST request to the tenantOAuths endpoint to add it.

