PIXILAB Wiki

This is an old revision of the document!

KeyCloak

  1. Install, configure and run KeyCloak: https://www.keycloak.org/docs/latest/server_installation/index.html
  2. Login to the admin pages of KeyCloak.
  3. Click the "Clients" button in the sidebar menu and then add a new client by clicking the "Create" button in the top right corner.
  4. Give it a name and select "openid-connect" as the Client Protocol.
  5. On the settings page of your new client, add "[BLOCKS-IP]/rest/auth/*" as a "Valid Redirect URI" and set "Access Type" to "confidential", then save your changes.
  6. Select the "Credentials" tab at the top and note the "Secret" for use as [CLIENT-SECRET] in step 9.
  7. Click the "Roles" button in the sidebar menu. Click the "Add Role" button and add the role "Admin". Repeat the process until you end up with the following roles listed:
    • Admin
    • Manager
    • Creator
    • Editor
    • Contributor
    • Staff
  8. Click the "Users" button in the sidebar menu. Click the "Add user" button in the top right corner and add your first user. On the edit page for the newly created user, click the "Role Mappings" tab at the top. Assign the roles you want this user to have.
  9. Open your server configuration file and add the "auth" section below to the allready existing "server" section. Replace the values of [BLOCKS-IP], [KEYCLOAK-IP], [REALM-NAME], [CLIENT-ID] and [CLIENT-SECRET]. If you didn't configure your own realm for your users, [REALM-NAME] is the default "Master" realm. [CLIENT-ID] is the name of the client from step 4.
    server:
      auth:
        urlResolver: null
        ajaxRequestResolver: null
        callbackUrl: https://[BLOCKS-IP]/rest/auth/callback
        rolesOwner: claims
        rolesPath: realm_access.roles
        clients:
          - org.pac4j.oidc.client.OidcClient:
              configuration:
                discoveryURI: [KEYCLOAK-IP]/auth/realms/[REALM-NAME]/.well-known/openid-configuration
                clientId: [CLIENT-ID]
                secret: [CLIENT-SECRET]
                clientAuthenticationMethod: client_secret_basic
                scope: openid profile groups
        servlet:
        security:
          - matchers: internalMatcher
          clients: OidcClient
          authorizers: isAuthenticated

Start Blocks and go to "/edit" for login.