Open firewall ports:
Tip
|
It is not mandatory to perform this step unless you have compatibility issues with yor firewall. |
firewall-cmd --add-port 8090/tcp --permanent
firewall-cmd --add-port 8043/tcp --permanent
Important
|
It is necessary to map two ports since one is needed for the keycloak console. In this case, you need to map the 8090 with the 8080 because Quarkus is currently using the 8080. |
podman pod create -p 8090:8080 -p 8543:8443 --name trikora_keycloak_quarkus_example_pod
Firstly it is necessary to copy the realm.json in the tmp/keycloak_tmp/ (local) directory. As this directory is volatile, you have to do this operation each time you restart your PC.
You need to be located in your project root directory in order to perform the following commands.
mkdir /tmp/keycloak_tmp/
cp src/test/resources/trikora-realm.json /tmp/keycloak_tmp/
Then you can execute:
Note
|
In the current version of keycloak, it is not possible to run keycloak with an initial database, so you have to run the pod with an empty keycloak and then import the realm.json with the command line (see below). For that reason the flag -e KEYCLOAK_IMPORT=/tmp/trikora-realm.json has been removed from the run command.
|
podman run --name trikora_keycloak_quarkus_example --security-opt label=disable \
--rm --pod trikora_keycloak_quarkus_example_pod \
-e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin \
-v /tmp/keycloak_tmp/:/tmp/ \
quay.io/keycloak/keycloak:15.0.2
Note
|
the --rm flag is set for deleting the pod after the execution. You can kill the process with ^C . Another option would be to launch the command with the -dflag instead of the --rm one. The -d option will launch the pod as a daemon. |
-
Link to keycloak console: https://localhost:8543/auth/admin/master/console/#/realms/trikorasolutions
-
You can access the roles section by the left navigator in the main page or clicking here:
https://localhost:8543/auth/admin/master/console/#/realms/trikorasolutions/roles -
In this section you can add roles to our application that will be saved in the realms.json that you have located in the tmp directory.
-
In the user section, you can edit all the information regarding the user such as the email, password …
but indeed you have the possibility of assigning new roles to the user as well as enroll them to different groups.
-
In this section we will describe how keycloak filter the URLs with the proper permissions.
-
Firstly, you have to locate in Clients → backend-service → Authorization → Settings → Resources.
Link: https://localhost:8543/auth/admin/master/console/#/realms/trikorasolutions/clients/0ac5df91-e044-4051-bd03-106a3a5fb9cc/authz/resource-server/resource -
Then, you have to create a new resource where you will establish the URLs that are going to be restricted. For doing so, there is a button
Create
in the upper-right side of the main layout. -
After that, it is necessary to add an Associated Permission to the Resource, now you have to decide who is going to have access to the service by creating a new policy. A policy, may be a Role, Group, Client scope or even a single user.
Once you have linked the policy to the resource, just the desired users could access to the services. -
If a user without the proper permissions tries to access the service, keycloak will return a http response with status 403 (FORBIDDEN).
It is important to have at least one user with enough privileges to communicate with keycloak through the REST endpoints, in order to develop such a thing you
can create a new group and then in the "role-mappings" section of the desired group, then click on "client-roles" after that select the "realm-management" client.
At this point, you should see the roles in the "Available Roles" window. Select the roles you want give to the group and click on "Add selected".
Lastly, do not forget to add the admin user to the group in the Users section of the keycloak console.
-
In this section we will describe how to export a realm.json in a single file from a running container using podman.
[podman | docker] exec -it <pod_name> opt/jboss/keycloak/bin/standalone.sh
-Djboss.socket.binding.port-offset=<interger_value> Docker recommend an offset of 100 at least
-Dkeycloak.migration.action=[export | import]
-Dkeycloak.migration.provider=[singleFile | dir]
-Dkeycloak.migration.dir=<DIR TO EXPORT TO> Use only iff .migration.provider=dir
-Dkeycloak.migration.realmName=<REALM_NAME_TO_EXPORT>
-Dkeycloak.migration.usersExportStrategy=[DIFFERENT_FILES | SKIP | REALM_FILE | SAME_FILE]
-Dkeycloak.migration.usersPerFile=<integer_value> Use only iff .usersExportStrategy=DIFFERENT_FILES
-Dkeycloak.migration.file=<FILE TO EXPORT TO>
podman exec -it trikora_keycloak_quarkus_example /opt/jboss/keycloak/bin/standalone.sh \
-Djboss.socket.binding.port-offset=100 \
-Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.realmName=trikorasolutions \
-Dkeycloak.migration.usersExportStrategy=REALM_FILE \
-Dkeycloak.migration.file=/tmp/trikora-realm.json
[podman | docker] exec -it <container_name> <PATH_TO_KEYCLOAK_IN_THE_POD>/bin/standalone.sh
-Djboss.socket.binding.port-offset=100
-Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.realmName=quarkus
-Dkeycloak.migration.usersExportStrategy=REALM_FILE
-Dkeycloak.migration.file=<FILE_TO_IMPORT>
-Dkeycloak.profile.feature.upload_scripts=enabled
-Dkeycloak.profile.feature.scripts=enabled
-Dkeycloak.migration.strategy=[OVERWRITE_EXISTING | IGNORE_EXISTING]
Important
|
When a realm is imported from the command line, the keycloak console is not updated due to a version bug. In order to see the imported realm, it is necessary to create another realm (empty, only need to enter the realm name). This action will force the console table to be updated, this is a keycloak bug, so we hope that it could be fixed in futures releases. |
podman exec -it trikora_keycloak_quarkus_example /opt/jboss/keycloak/bin/standalone.sh \
-Djboss.socket.binding.port-offset=100 \
-Dkeycloak.migration.action=import \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.realmName=trikorasolutions \
-Dkeycloak.migration.usersExportStrategy=REALM_FILE \
-Dkeycloak.migration.file=/tmp/trikora-realm.json \
-Dkeycloak.profile.feature.upload_scripts=enabled \
-Dkeycloak.profile.feature.scripts=enabled \
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING
-
If you have stored the data of the project split in several files, you can merge it in a single project just by importing the files as they are a list separated by commas:
-Dkeycloak.import=/tmp/realm1.json,/tmp/realm2.json
Warning
|
You cannot use the keycloak.import parameter with keycloak.migration.X parameters. If you use these parameters together, keycloak.import parameter will be ignored. The keycloak.import mechanism ignores the realms which already exist in the project. The keycloak.import mechanism is convenient for development purposes, but if more flexibility is needed, use the keycloak.migration.X parameters. |
Keycloak allows the user to interact with the system from an OpenID connection which is based on REST, you can see a list of the different endpoints here:
https://localhost:<CONSOLE_PORT>/auth/realms/<REALM_NAME>/.well-known/openid-configuration
In our application it would be:
https://localhost:8543/auth/realms/trikorasolutions/.well-known/openid-configuration
Import and Export:
Keycloak CRUD:
Similar Keycloaks open projects:
Problem
FATAL [org.keycloak.services] (ServerService Thread Pool -- 58) Error during startup: java.lang.RuntimeException: java.io.FileNotFoundException: /tmp/trikora-realm.json (Permission denied)
Cause
The pod has not enough permissions for accessing the realm.json file.
Solution
When running the pod, you should add the --security-opt label=disable
flag.
Problem
07:37:13,702 WARN [org.keycloak.services] (ServerService Thread Pool -- 68) KC-SERVICES0005: Unable to import realm trikorasolutions from file /tmp/trikora-realm.json.: java.lang.RuntimeException: Script upload is disabled
at org.keycloak.keycloak-authz-policy-common@15.0.2//org.keycloak.authorization.policy.provider.js.JSPolicyProviderFactory.updatePolicy(JSPolicyProviderFactory.java:125)
at org.keycloak.keycloak-authz-policy-common@15.0.2//org.keycloak.authorization.policy.provider.js.JSPolicyProviderFactory.onImport(JSPolicyProviderFactory.java:70)
Cause
From keycloak version 7.0.1 onwards, it is not possible to import a realm.json file since it is considered a deprecated way.
Solution
Adding the flag "-e -Dkeycloak.profile.feature.upload_scripts=enabled" does not work, so the only solution is to run podman with an empty master realm and then
import ours from the command line.
Other possible solution to try would be launch keycloak in version 6.0.0 with the realm and then update keycloak.
Or using: https://www.keycloak.org/docs/latest/server_development/#_script_providers