Differences
This shows you the differences between two versions of the page.
Previous revision: blocks:sso:keycloak [2019-03-12 14:49] max
Current revision: blocks:sso:keycloak [2024-08-02 14:39] melvin, "Minor changes for Keycloak 25.0.2"
Line 1: | Line 1: | ||
- | ====KeyCloak==== | + | ====== Keycloak ====== |
- | | + | Here's a [[https:// |
- | - Login to the admin pages of KeyCloak. | + | |
- | | + | |
- | - Click the " | + | - Login to the admin pages of Keycloak. |
- | - Give it a name and select "openid-connect" as the Client | + | |
- | - On the settings page of your new client, add " | + | {{ : |
- | - Select the " | + | |
- | - Click the "Roles" button in the sidebar menu. Click the "Add Role" button and add the role " | + | - Click the " |
+ | - Give it an ID and select "OpenID Connect" as the Client | ||
+ | - On the next screen, turn on Client authentication, | ||
+ | - On the settings page of your new client, add "http://[BLOCKS-IP-OR-DOMAIN]/ | ||
+ | - Select the " | ||
+ | - Click the "Realm roles" button in the sidebar menu. Click the "Create role" button and add the role " | ||
* Admin | * Admin | ||
* Manager | * Manager | ||
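Review bot: the redirect URI given in the "On the settings page of your new client" step is written with a plain `http://` scheme; the step should say that the scheme and host must match what Blocks is actually served on (normally `https://` in production), because Keycloak rejects redirect URIs that do not match its "Valid redirect URIs" entry and the authorization code is carried in that redirect, so it should not travel over an unencrypted callback.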
Line 15: | Line 20: | ||
* Contributor | * Contributor | ||
* Staff | * Staff | ||
- | - Click the " | + | - Click the " |
- | - Open your server | + | - Select the " |
- | < | + | |
- | server: | + | ===== Blocks specific steps ===== |
- | auth: | + | |
- | urlResolver: | + | - Open your Blocks |
- | ajaxRequestResolver: | + | |
- | callbackUrl: | + | server: |
- | rolesOwner: claims | + | type: pixilab_server |
- | rolesPath: realm_access.roles | + | |
- | clients: | + | urlResolver: |
- | - org.pac4j.oidc.client.OidcClient: | + | ajaxRequestResolver: |
- | configuration: | + | callbackUrl: |
- | discoveryURI: | + | rolesOwner: claims |
- | clientId: [CLIENT-ID] | + | rolesPath: realm_access.roles |
- | secret: [CLIENT-SECRET] | + | clients: |
- | clientAuthenticationMethod: | + | - org.pac4j.oidc.client.OidcClient: |
- | scope: openid profile | + | configuration: |
- | servlet: | + | discoveryURI: |
- | security: | + | clientId: [CLIENT-ID] |
- | - matchers: internalMatcher | + | secret: [CLIENT-SECRET] |
+ | clientAuthenticationMethod: | ||
+ | scope: openid profile | ||
+ | servlet: | ||
+ | security: | ||
+ | - matchers: internalMatcher | ||
clients: OidcClient | clients: OidcClient | ||
authorizers: | authorizers: | ||
+ | </ | ||
+ | - Start Blocks and go to "/ | ||
+ | |||
+ | ===== Role Mapping ===== | ||
+ | |||
+ | If the roles you've added to Keycloak does not match the roles used by blocks, or if you have set up roles on Keycloak already and would like to re-use them, you can add role mapping to the Blocks configuration file. You do this by defining a server.auth.rolesMapping parameter where the keys are the roles of your Keycloak configuration and the values the roles Blocks know about. For example: | ||
+ | |||
+ | < | ||
+ | rolesMapping: | ||
+ | KeycloakAdmin: | ||
+ | KeycloakManager: | ||
+ | KeycloakCreator: | ||
+ | KeycloakEditor: | ||
+ | KeycloakContributor: | ||
+ | KeycloakStaff: | ||
</ | </ | ||
- | Start Blocks and go to "/ |
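Review bot: the `secret: [CLIENT-SECRET]` line in the Blocks server configuration stores the OIDC client secret in plaintext in the config file; the "Blocks specific steps" should state that this file must be readable only by the account Blocks runs as, and that the secret should be regenerated in Keycloak if the file is copied elsewhere (for example when sharing a config for support). It would also help to say explicitly that `rolesPath: realm_access.roles` is why the roles in the earlier step must be created as realm roles rather than client roles, so readers do not create them in the wrong place.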