diff --git a/docs/deployment/authentication/keycloak-auth.mdx b/docs/deployment/authentication/keycloak-auth.mdx index 255e67ed2..eb821e7a6 100644 --- a/docs/deployment/authentication/keycloak-auth.mdx +++ b/docs/deployment/authentication/keycloak-auth.mdx @@ -32,6 +32,7 @@ To start Keep with Keycloak authentication, set the following environment variab | AUTH_TYPE | Set to 'KEYCLOAK' for Keycloak authentication | Yes | - | | KEYCLOAK_ID | Your Keycloak client ID (e.g. keep) | Yes | - | | KEYCLOAK_ISSUER | Full URL to Your Keycloak issuer URL e.g. http://localhost:8181/auth/realms/keep | Yes | - | +| KEYCLOAK_SECRET | Your Keycloak client secret | Yes | keep-keycloak-secret | #### Backend Environment Variables @@ -50,5 +51,5 @@ To start Keep with Keycloak authentication, set the following environment variab ### Example configuration To get a better understanding on how to use Keep together with Keycloak, you can: -- See [Keycloak](https://github.com/keephq/keep/tree/main/tests) directory for configuration, realm.json, etc -- See Keep + Keycloak [docker-compose example](https://github.com/keephq/keep/blob/main/keycloak/docker-compose.yml) +- See [Keycloak](https://github.com/keephq/keep/tree/main/keycloak) directory for configuration, realm.json, etc +- See Keep + Keycloak [docker-compose example](https://github.com/keephq/keep/blob/main/keycloak/docker-compose.yaml) diff --git a/ee/identitymanager/identity_managers/keycloak/keycloak_authverifier.py b/ee/identitymanager/identity_managers/keycloak/keycloak_authverifier.py index 1daf5bb6a..1a2fd7516 100644 --- a/ee/identitymanager/identity_managers/keycloak/keycloak_authverifier.py +++ b/ee/identitymanager/identity_managers/keycloak/keycloak_authverifier.py @@ -1,4 +1,5 @@ import os +import logging from fastapi import Depends, HTTPException @@ -8,6 +9,8 @@ from keycloak.keycloak_uma import KeycloakUMA from keycloak.uma_permissions import UMAPermission +logger = logging.getLogger(__name__) + class KeycloakAuthVerifier(AuthVerifierBase): """Handles authentication and authorization for Keycloak""" @@ -55,6 +58,10 @@ def _verify_bearer_token( email = payload.get("preferred_username") org_id = payload.get("active_organization", {}).get("id") org_realm = payload.get("active_organization", {}).get("name") + if org_id is None or org_realm is None: + logger.warning( + "Invalid Keycloak configuration - no org information for user. Check organization mapper: https://github.com/keephq/keep/blob/main/keycloak/keep-realm.json#L93" + ) role = ( payload.get("resource_access", {}) .get(self.keycloak_client_id, {}) diff --git a/keycloak/keycloak_entrypoint.sh b/keycloak/keycloak_entrypoint.sh index d8bfa81e2..74a95fce9 100755 --- a/keycloak/keycloak_entrypoint.sh +++ b/keycloak/keycloak_entrypoint.sh @@ -28,7 +28,7 @@ fi # Start Keycloak in the background echo "Starting Keycloak" -/opt/keycloak/bin/kc.sh start-dev --features=preview --import-realm -Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTIN & +/opt/keycloak/bin/kc.sh start-dev --log-level=DEBUG --features=preview --import-realm -Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTIN & echo "Keycloak started" # Try to connect to Keycloak - wait until Keycloak is ready or timeout echo "Waiting for Keycloak to be ready" @@ -62,7 +62,7 @@ echo "Event listener 'last_login' configured" # Configure Content-Security-Policy and X-Frame-Options # So that the SSO connect works with the Keep UI echo "Configuring Content-Security-Policy and X-Frame-Options" -/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.contentSecurityPolicy="frame-src '\''self'\'' '"$KEEP_URL"'; frame-ancestors '\''self'\'' '"$KEEP_URL"'; object-src '\''none'\'';"' +/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.contentSecurityPolicy="frame-src '\''self'\'' '${KEEP_URL}'; frame-ancestors '\''self'\'' '${KEEP_URL}'; object-src '\''none'\'';"' /opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.xFrameOptions="ALLOW"' echo "Content-Security-Policy and X-Frame-Options configured" diff --git a/keycloak/readme.md b/keycloak/readme.md index a7f980b42..910bc3a8c 100644 --- a/keycloak/readme.md +++ b/keycloak/readme.md @@ -1,17 +1,33 @@ +# Docker-compose example: +``` +docker-compose -f keycloak/docker-compose.yaml up +``` +Keycloak: http://localhost:8181/auth/ (keep_kc:keep_kc) +Keep login page: http://localhost:3000/ +## For Azure: +Instructions: +1. https://rahulroyz.medium.com/using-keycloak-as-idp-for-azure-ad-sso-authentication-role-authorization-0b309c15eadc +2. https://rahulroyz.medium.com/using-keycloak-as-idp-for-azure-ad-role-authorization-part-2-map-ad-groups-to-keycloak-roles-9850d4acd536 + +Set email, first name & last name for keep_admin user: http://localhost:8181/auth/admin/master/console/#/keep/users +Also please assign admin role for keep_admin. + +# Development + +``` docker run --name phasetwo_test --rm -p 8181:8080 \ -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \ quay.io/phasetwo/phasetwo-keycloak:latest \ start-dev - - +``` +``` http://localhost:8181/realms/keep/portal/ http://localhost:8181/realms/keep/portal/ - https://euc1.auth.ac/auth/realms/keep/portal - +``` # delete realm to refresh 1. delete the realm from the UI