From e316fdd5622ed1e537f2019ae770f24f40210c27 Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Wed, 24 Jul 2024 16:09:25 +0100
Subject: [PATCH] update keycloak version in OIDC example (#6049)
* update keycloak version in OIDC example
---------
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
---
 examples/custom-resources/oidc/keycloak.yaml | 13 +++++++------
 examples/custom-resources/oidc/keycloak_setup.md | 15 +++++++++++----
 examples/custom-resources/oidc/oidc.yaml | 6 +++---
 3 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/examples/custom-resources/oidc/keycloak.yaml b/examples/custom-resources/oidc/keycloak.yaml
index 5130a8ea4a..0e879dfa11 100644
--- a/examples/custom-resources/oidc/keycloak.yaml
+++ b/examples/custom-resources/oidc/keycloak.yaml
@@ -31,14 +31,15 @@ spec:
 spec:
 containers:
 - name: keycloak
- image: quay.io/keycloak/keycloak:15.0.2
+ image: quay.io/keycloak/keycloak:25.0.2
+ args: ["start-dev"]
 env:
- - name: KEYCLOAK_USER
+ - name: KEYCLOAK_ADMIN
 value: "admin"
- - name: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_ADMIN_PASSWORD
 value: "admin"
- - name: PROXY_ADDRESS_FORWARDING
- value: "true"
+ - name: KC_PROXY
+ value: "edge"
 ports:
 - name: http
 containerPort: 8080
@@ -46,5 +47,5 @@ spec:
 containerPort: 8443
 readinessProbe:
 httpGet:
- path: /auth/realms/master
+ path: /realms/master
 port: 8080
diff --git a/examples/custom-resources/oidc/keycloak_setup.md b/examples/custom-resources/oidc/keycloak_setup.md
index 3db8078146..9863e32c63 100644
--- a/examples/custom-resources/oidc/keycloak_setup.md
+++ b/examples/custom-resources/oidc/keycloak_setup.md
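Review bot: The bootstrap admin credentials in `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` are still the literal `admin`/`admin` pair in the Deployment, so the rename from `KEYCLOAK_USER` keeps a password that is readable to anyone with `get deployments` in the namespace and is committed to git. Pulling both values from a Secret with `valueFrom.secretKeyRef` costs a few lines and keeps the `username=admin&password=admin` commands in keycloak_setup.md working as long as the Secret holds those values; the rewrite below uses a placeholder Secret name. `args: ["start-dev"]` should also carry a comment, because Keycloak's dev mode serves plain HTTP, relaxes hostname checks and runs on a throwaway dev database, and the image itself warns that it is not for production — e.g. `# start-dev: demo-only mode (plain HTTP, relaxed hostname checks, ephemeral dev DB); use "start" with KC_HOSTNAME/KC_DB outside this example`. Note too that `KC_PROXY=edge` makes Keycloak honour X-Forwarded-* headers from any client that can reach port 8080, which is only safe while the pod is reachable solely through the ingress, and I believe the `proxy` option is deprecated from Keycloak 24 in favour of `KC_PROXY_HEADERS=xforwarded`, so 25.0.2 may log a deprecation warning here — verify against the 25 docs.
```yaml
          image: quay.io/keycloak/keycloak:25.0.2
          # start-dev: demo-only mode (plain HTTP, relaxed hostname checks,
          # ephemeral dev DB); use "start" with KC_HOSTNAME/KC_DB outside this example.
          args: ["start-dev"]
          env:
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin  # placeholder; create it before applying this manifest
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            # … unchanged: KC_PROXY, ports …
```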
@@ -7,7 +7,8 @@ This guide will help you configure KeyCloak using Keycloak's API:
 **Notes**:
-- if you changed the username and password for Keycloak in `keycloak.yaml`, modify the commands accordingly.
+- This guide has been tested with keycloak 19.0.2 and later. If you modify `keycloak.yaml` to use an older version, Keycloak may not start correctly or the commands in this guide may not work as expected. The Keycloak OpenID endpoints `oidc.yaml` might also be different in older versions of Keycloak.
+- if you changed the admin username and password for Keycloak in `keycloak.yaml`, modify the commands accordingly.
 - The instructions use [`jq`](https://stedolan.github.io/jq/).
 Steps:
@@ -21,21 +22,27 @@ Steps: 1. Retrieve the access token and store it into a shell variable: ```console - TOKEN=`curl -sS -k --data "username=admin&password=admin&grant_type=password&client_id=admin-cli" https://${KEYCLOAK_ADDRESS}/auth/realms/master/protocol/openid-connect/token | jq -r .access_token` + TOKEN=`curl -sS -k --data "username=admin&password=admin&grant_type=password&client_id=admin-cli" "https://${KEYCLOAK_ADDRESS}/realms/master/protocol/openid-connect/token" | jq -r .access_token` ``` + Ensure the request was successful and the token is stored in the shell variable by running: + ```console + echo $TOKEN + ``` + ***Note***: The access token lifespan is very short. If it expires between commands, retrieve it again with the command above. + 1. Create the user `nginx-user`: ```console - curl -sS -k -X POST -d '{ "username": "nginx-user", "enabled": true, "credentials":[{"type": "password", "value": "test", "temporary": false}]}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/auth/admin/realms/master/users + curl -sS -k -X POST -d '{ "username": "nginx-user", "enabled": true, "credentials":[{"type": "password", "value": "test", "temporary": false}]}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/admin/realms/master/users ``` 1. 
Create the client `nginx-plus` and retrieve the secret: ```console - SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"] }' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/auth/realms/master/clients-registrations/default | jq -r .secret` + SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"] }' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/realms/master/clients-registrations/default | jq -r .secret` ``` If everything went well you should have the secret stored in $SECRET. To double check run: diff --git a/examples/custom-resources/oidc/oidc.yaml b/examples/custom-resources/oidc/oidc.yaml index 9711db74d4..d750275849 100644 --- a/examples/custom-resources/oidc/oidc.yaml +++ b/examples/custom-resources/oidc/oidc.yaml @@ -6,8 +6,8 @@ spec: oidc: clientID: nginx-plus clientSecret: oidc-secret - authEndpoint: https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth - tokenEndpoint: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/token - jwksURI: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/certs + authEndpoint: https://keycloak.example.com/realms/master/protocol/openid-connect/auth + tokenEndpoint: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token + jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs scope: openid+profile+email accessTokenEnable: true
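Review bot: `tokenEndpoint` and `jwksURI` still point at plain `http://keycloak.default.svc.cluster.local:8080`, so the client secret, the authorization code and the JWKS used to verify every ID token cross the cluster network unencrypted and unauthenticated, and anything able to answer for that service name in-cluster could hand the ingress controller its own signing keys. That is tolerable for a demo, but the manifest should say so, e.g. above `tokenEndpoint`: `# demo only: in-cluster http:// exposes the client secret and lets a spoofed service supply signing keys; use https:// with a trusted CA outside a lab`. These `http://` endpoints also depend on Keycloak accepting plain HTTP, which `start-dev` in keycloak.yaml provides; with `start` you would need HTTP enabled explicitly (presumably `KC_HTTP_ENABLED=true` — verify). Because keycloak.yaml sets `KC_PROXY=edge`, a direct caller on port 8080 can also set X-Forwarded-Proto/For itself, so the split between the public `authEndpoint` host and the in-cluster token host is fine only while 8080 stays unreachable from untrusted pods.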