update keycloak version in OIDC example (#6049)

* update keycloak version in OIDC example --------- Signed-off-by: Haywood Shannon <[email protected]>
nginxinc · Jul 24, 2024 · e316fdd · e316fdd
1 parent d852e65
commit e316fdd
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 13 deletions.
diff --git a/examples/custom-resources/oidc/keycloak.yaml b/examples/custom-resources/oidc/keycloak.yaml
@@ -31,20 +31,21 @@ spec:
  spec:
  containers:
  - name: keycloak
- image: quay.io/keycloak/keycloak:15.0.2
+ image: quay.io/keycloak/keycloak:25.0.2
+ args: ["start-dev"]
  env:
- - name: KEYCLOAK_USER
+ - name: KEYCLOAK_ADMIN
  value: "admin"
- - name: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_ADMIN_PASSWORD
  value: "admin"
- - name: PROXY_ADDRESS_FORWARDING
- value: "true"
+ - name: KC_PROXY
+ value: "edge"
  ports:
  - name: http
  containerPort: 8080
  - name: https
  containerPort: 8443
  readinessProbe:
  httpGet:
- path: /auth/realms/master
+ path: /realms/master
  port: 8080
diff --git a/examples/custom-resources/oidc/keycloak_setup.md b/examples/custom-resources/oidc/keycloak_setup.md
@@ -7,7 +7,8 @@ This guide will help you configure KeyCloak using Keycloak's API:
 
 **Notes**:
 
-- if you changed the username and password for Keycloak in `keycloak.yaml`, modify the commands accordingly.
+- This guide has been tested with keycloak 19.0.2 and later. If you modify `keycloak.yaml` to use an older version, Keycloak may not start correctly or the commands in this guide may not work as expected. The Keycloak OpenID endpoints `oidc.yaml` might also be different in older versions of Keycloak.
+- if you changed the admin username and password for Keycloak in `keycloak.yaml`, modify the commands accordingly.
 - The instructions use [`jq`](https://stedolan.github.io/jq/).
 
 Steps:
@@ -21,21 +22,27 @@ Steps:
 1. Retrieve the access token and store it into a shell variable:
 
  ```console
- TOKEN=`curl -sS -k --data "username=admin&password=admin&grant_type=password&client_id=admin-cli" https://${KEYCLOAK_ADDRESS}/auth/realms/master/protocol/openid-connect/token | jq -r .access_token`
+ TOKEN=`curl -sS -k --data "username=admin&password=admin&grant_type=password&client_id=admin-cli" "https://${KEYCLOAK_ADDRESS}/realms/master/protocol/openid-connect/token" | jq -r .access_token`
  ```
 
+ Ensure the request was successful and the token is stored in the shell variable by running:
+ ```console
+ echo $TOKEN
+ ```
+
  ***Note***: The access token lifespan is very short. If it expires between commands, retrieve it again with the
  command above.
+
 1. Create the user `nginx-user`:
 
  ```console
- curl -sS -k -X POST -d '{ "username": "nginx-user", "enabled": true, "credentials":[{"type": "password", "value": "test", "temporary": false}]}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/auth/admin/realms/master/users
+ curl -sS -k -X POST -d '{ "username": "nginx-user", "enabled": true, "credentials":[{"type": "password", "value": "test", "temporary": false}]}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/admin/realms/master/users
  ```
 
 1. Create the client `nginx-plus` and retrieve the secret:
 
  ```console
- SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"] }' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/auth/realms/master/clients-registrations/default | jq -r .secret`
+ SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"] }' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/realms/master/clients-registrations/default | jq -r .secret`
  ```
 
  If everything went well you should have the secret stored in $SECRET. To double check run:

diff --git a/examples/custom-resources/oidc/oidc.yaml b/examples/custom-resources/oidc/oidc.yaml
@@ -6,8 +6,8 @@ spec:
  oidc:
  clientID: nginx-plus
  clientSecret: oidc-secret
- authEndpoint: https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth
- tokenEndpoint: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/token
- jwksURI: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/certs
+ authEndpoint: https://keycloak.example.com/realms/master/protocol/openid-connect/auth
+ tokenEndpoint: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token
+ jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs
  scope: openid+profile+email
  accessTokenEnable: true