fix: keycloak docs (#2309)
Matvey-Kuk authored Oct 28, 2024
1 parent ab5afc7 commit ebbb889
Showing 4 changed files with 32 additions and 8 deletions.
5 changes: 3 additions & 2 deletions docs/deployment/authentication/keycloak-auth.mdx
@@ -32,6 +32,7 @@ To start Keep with Keycloak authentication, set the following environment variab
| AUTH_TYPE | Set to 'KEYCLOAK' for Keycloak authentication | Yes | - |
| KEYCLOAK_ID | Your Keycloak client ID (e.g. keep) | Yes | - |
| KEYCLOAK_ISSUER | Full URL to Your Keycloak issuer URL e.g. http://localhost:8181/auth/realms/keep | Yes | - |
| KEYCLOAK_SECRET | Your Keycloak client secret | Yes | keep-keycloak-secret |

#### Backend Environment Variables

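Review bot: the new KEYCLOAK_SECRET row contradicts itself: it is marked required ("Yes") but also carries a default, `keep-keycloak-secret`, and that default is a well-known client secret that any deployment following this table will ship with. Either put `-` in the default column like the other required rows, or state explicitly that `keep-keycloak-secret` is only the value baked into the bundled docker-compose example and must be replaced with the secret generated for the `keep` client in a real realm.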
@@ -50,5 +51,5 @@ To start Keep with Keycloak authentication, set the following environment variab
### Example configuration

To get a better understanding on how to use Keep together with Keycloak, you can:
- See [Keycloak](https://github.com/keephq/keep/tree/main/tests) directory for configuration, realm.json, etc
- See Keep + Keycloak [docker-compose example](https://github.com/keephq/keep/blob/main/keycloak/docker-compose.yml)
- See [Keycloak](https://github.com/keephq/keep/tree/main/keycloak) directory for configuration, realm.json, etc
- See Keep + Keycloak [docker-compose example](https://github.com/keephq/keep/blob/main/keycloak/docker-compose.yaml)
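Review bot: the corrected links now point at `keycloak/` and `docker-compose.yaml`, but the first bullet still says "realm.json" while the realm file this same commit references from the Python change is `keycloak/keep-realm.json`; naming the actual file (and the entrypoint script next to it) in the bullet saves readers a directory listing and keeps the docs consistent with the code.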
@@ -1,4 +1,5 @@
import os
import logging

from fastapi import Depends, HTTPException

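Review bot: style nit on the new import: `import logging` is placed after `import os`, so the stdlib import block is no longer alphabetical; swapping the two lines keeps it isort-clean.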
@@ -8,6 +9,8 @@
from keycloak.keycloak_uma import KeycloakUMA
from keycloak.uma_permissions import UMAPermission

logger = logging.getLogger(__name__)


class KeycloakAuthVerifier(AuthVerifierBase):
"""Handles authentication and authorization for Keycloak"""
@@ -55,6 +58,10 @@ def _verify_bearer_token(
email = payload.get("preferred_username")
org_id = payload.get("active_organization", {}).get("id")
org_realm = payload.get("active_organization", {}).get("name")
if org_id is None or org_realm is None:
logger.warning(
"Invalid Keycloak configuration - no org information for user. Check organization mapper: https://github.com/keephq/keep/blob/main/keycloak/keep-realm.json#L93"
)
role = (
payload.get("resource_access", {})
.get(self.keycloak_client_id, {})
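Review bot: the new check in `_verify_bearer_token` only logs a warning when the token carries no `active_organization` and then falls through, so a token without tenant information is still accepted with `org_id` and `org_realm` set to `None`. If the organization mapper is mandatory for Keep, raise the already-imported `HTTPException` (401 or 403) here instead of only warning; if it is optional, the message should say the request proceeds without an organization rather than calling the configuration invalid. Two smaller points on the same lines: `payload.get("active_organization", {}).get("id")` raises `AttributeError` instead of returning `None` when the claim is present but `null`, so the new branch never runs in that case (`(payload.get("active_organization") or {}).get("id")` covers both), and the hard-coded `#L93` anchor in the log message will go stale the first time `keep-realm.json` is edited, so point at the mapper by name instead.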
4 changes: 2 additions & 2 deletions keycloak/keycloak_entrypoint.sh
@@ -28,7 +28,7 @@ fi

# Start Keycloak in the background
echo "Starting Keycloak"
/opt/keycloak/bin/kc.sh start-dev --features=preview --import-realm -Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTIN &
/opt/keycloak/bin/kc.sh start-dev --log-level=DEBUG --features=preview --import-realm -Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTIN &
echo "Keycloak started"
# Try to connect to Keycloak - wait until Keycloak is ready or timeout
echo "Waiting for Keycloak to be ready"
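Review bot: `--log-level=DEBUG` is now hard-coded into the Keycloak start command. Keycloak debug logging is very verbose and writes request-level detail, including session and token handling, into the container log, so gate it on an environment variable (for example `--log-level=${KC_LOG_LEVEL:-INFO}`) rather than enabling it unconditionally in the compose example that the readme tells people to run. While touching this line: `-Dkeycloak.migration.strategy=OVERWRITE_EXISTIN`, present in both the old and new version, is one character short of `OVERWRITE_EXISTING`, the value Keycloak documents for that property, so it is worth confirming that `--import-realm` actually overwrites an existing `keep` realm as the comment intends.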
@@ -62,7 +62,7 @@ echo "Event listener 'last_login' configured"
# Configure Content-Security-Policy and X-Frame-Options
# So that the SSO connect works with the Keep UI
echo "Configuring Content-Security-Policy and X-Frame-Options"
/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.contentSecurityPolicy="frame-src '\''self'\'' '"$KEEP_URL"'; frame-ancestors '\''self'\'' '"$KEEP_URL"'; object-src '\''none'\'';"'
/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.contentSecurityPolicy="frame-src '\''self'\'' '${KEEP_URL}'; frame-ancestors '\''self'\'' '${KEEP_URL}'; object-src '\''none'\'';"'
/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.xFrameOptions="ALLOW"'
echo "Content-Security-Policy and X-Frame-Options configured"

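Review bot: the quoting change on the CSP line makes it slightly less robust, not more: `'"$KEEP_URL"'` expanded the variable inside double quotes, whereas `'${KEEP_URL}'` leaves the expansion unquoted (the single quotes close just before it and reopen just after), so it is subject to word splitting and globbing. For a URL without whitespace both forms produce the same `-s` argument, so if the goal was readability, `'"${KEEP_URL}"'` gives the braces without dropping the quotes. On the unchanged line below, `browserSecurityHeaders.xFrameOptions="ALLOW"` is not a value browsers recognise (`X-Frame-Options` defines only `DENY` and `SAMEORIGIN`, plus the obsolete `ALLOW-FROM`), so that header is effectively discarded and framing protection rests entirely on the `frame-ancestors 'self' $KEEP_URL` directive in the CSP. That is acceptable on current browsers, but the comment should say that X-Frame-Options is being disabled rather than "configured", and `KEEP_URL` must then be the exact origin of the Keep UI.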
24 changes: 20 additions & 4 deletions keycloak/readme.md
@@ -1,17 +1,33 @@

# Docker-compose example:
```
docker-compose -f keycloak/docker-compose.yaml up
```
Keycloak: http://localhost:8181/auth/ (keep_kc:keep_kc)

Keep login page: http://localhost:3000/

## For Azure:
Instructions:
1. https://rahulroyz.medium.com/using-keycloak-as-idp-for-azure-ad-sso-authentication-role-authorization-0b309c15eadc
2. https://rahulroyz.medium.com/using-keycloak-as-idp-for-azure-ad-role-authorization-part-2-map-ad-groups-to-keycloak-roles-9850d4acd536

Set email, first name & last name for keep_admin user: http://localhost:8181/auth/admin/master/console/#/keep/users
Also please assign admin role for keep_admin.

# Development

```
docker run --name phasetwo_test --rm -p 8181:8080 \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
quay.io/phasetwo/phasetwo-keycloak:latest \
start-dev


```
```
http://localhost:8181/realms/keep/portal/
http://localhost:8181/realms/keep/portal/

https://euc1.auth.ac/auth/realms/keep/portal

```

# delete realm to refresh
1. delete the realm from the UI
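Review bot: two things in the new readme text. The portal block lists `http://localhost:8181/realms/keep/portal/` twice, mixes it with the `/auth/realms/keep` path form used for the compose setup higher up, and adds `https://euc1.auth.ac/auth/realms/keep/portal` with no explanation of what that host is; drop the duplicate and say which URL belongs to which setup (compose versus the bare `docker run` dev command). The page also publishes the admin credentials `keep_kc:keep_kc` and the `admin`/`admin` pair in the `docker run` example; both are fine for a throwaway local instance, but mark them as development-only so nobody copies the compose file to a reachable host with those defaults and the realm import in place.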