Skip to content

Latest commit

 

History

History
118 lines (90 loc) · 2.89 KB

README.md

File metadata and controls

118 lines (90 loc) · 2.89 KB

plugin-keycloak-identity-auth

Plugin for Keycloak OpenID Connector

Tested Keycloak version

| Version | Status | | 21.1.0 | Tested |

Configuration

Based on Keycloak version, openid-configuration url is differrent. After ver 17.0.0, auth after base url is removed.

Version open-configuration URL format
17.0.0 ~ https:///realms//.well-known/openid-configuration
~ 16.1.0 https:///auth/realms//.well-known/openid-configuration
options = {
    'openid-configuration': 'https://<SSO domain>/realms/<Your Realm>/.well-known/openid-configuration',
    'auth_type': 'keycloak_oidc',
    'client_id': 'CLIENT ID for login',
    'field_mapper': {...},
    'verify': True
}

secret_data = {
    'client_id': 'CLIENT ID for find users',
    'client_secret': 'client secret text'
}

Field Mapper

field_mapper setting allows you to change user field information.

Verify

If you set verify to False, the keycloak server's certificate will not be verified.

Default Settings

{
    'field_mapper (optional)': {
        'user_id': 'username',
        'name': 'name',
        'email': 'email'
    }
}

Available Keycloak Fields

  • username
  • email
  • firstName
  • lastName
  • name: {firstName} {lastName}

Example

To enable keycloak-oidc plugin, use identity.Domain.change_auth_plugin API.

spacectl exec change_auth_plugin identity.Domain -f keycloak.yaml

Example YAML file

See https://github.com/spaceone-dev/plugin-keycloak-oidc/wiki/Keycloak-configuration-example

plugin_info:
  options:
    auth_type: keycloak_oidc
    openid-configuration: https://sso.example.com/realms/test-domain/.well-known/openid-configuration
    client_id: test_client_id
  plugin_id: plugin-keycloak-identity-auth
  secret_data:
    client_id: test_client_id2
    client_secret: 11111111-1111-1111-1111-111111111111
  version: '1.0'

Auth.init

If you init plugin, the response looks like

{
    'metadata': {
        'authorization_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/auth',
        'end_session_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/logout',
        'issuer': 'https://sso.example.com/realms/MY_DOMAIN',
        'token_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/token',
        'userinfo_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/userinfo',
        'realm': 'MY_DOMAIN',
        'user_find_url': 'https://sso.example.com/admin/realms/MY_DOMAIN/user'
    }
}

Release Note

Version 1.4

  • Support new openid-configuration endpoint (keycloak: 17.0.0 ~)

Version 1.3

  • Add 'field_mapper' option to change fields for authenticated users.

Version 1.0

Support New Auth API

  • Auth.init
  • Auth.verify
  • Auth.find
  • Auth.login