fix: keycloak docs #2309

Merged
merged 13 commits into from
Oct 28, 2024
5 changes: 3 additions & 2 deletions docs/deployment/authentication/keycloak-auth.mdx
Expand Up @@ -32,6 +32,7 @@ To start Keep with Keycloak authentication, set the following environment variab
| AUTH_TYPE | Set to 'KEYCLOAK' for Keycloak authentication | Yes | - |
| KEYCLOAK_ID | Your Keycloak client ID (e.g. keep) | Yes | - |
| KEYCLOAK_ISSUER | Full URL to Your Keycloak issuer URL e.g. http://localhost:8181/auth/realms/keep | Yes | - |
| KEYCLOAK_SECRET | Your Keycloak client secret | Yes | keep-keycloak-secret |

#### Backend Environment Variables
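Review bot: the new KEYCLOAK_ISSUER row reads "Full URL to Your Keycloak issuer URL", which says URL twice; suggest "Full URL of your Keycloak issuer (e.g. http://localhost:8181/auth/realms/keep)". In the same table, KEYCLOAK_SECRET is marked Required = Yes while also listing a default of keep-keycloak-secret; one of the two is wrong, and if the default is real the row should say it is a local development value only, since a client secret that can be read from the docs gives the confidential client no confidentiality.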

Expand All @@ -50,5 +51,5 @@ To start Keep with Keycloak authentication, set the following environment variab
### Example configuration

To get a better understanding on how to use Keep together with Keycloak, you can:
- See [Keycloak](https://github.com/keephq/keep/tree/main/tests) directory for configuration, realm.json, etc
- See Keep + Keycloak [docker-compose example](https://github.com/keephq/keep/blob/main/keycloak/docker-compose.yml)
- See [Keycloak](https://github.com/keephq/keep/tree/main/keycloak) directory for configuration, realm.json, etc
- See Keep + Keycloak [docker-compose example](https://github.com/keephq/keep/blob/main/keycloak/docker-compose.yaml)
@@ -1,4 +1,5 @@
import os
import logging

from fastapi import Depends, HTTPException

Expand All @@ -8,6 +9,8 @@
from keycloak.keycloak_uma import KeycloakUMA
from keycloak.uma_permissions import UMAPermission

logger = logging.getLogger(__name__)


class KeycloakAuthVerifier(AuthVerifierBase):
"""Handles authentication and authorization for Keycloak"""
Expand Down Expand Up @@ -55,6 +58,10 @@ def _verify_bearer_token(
email = payload.get("preferred_username")
org_id = payload.get("active_organization", {}).get("id")
org_realm = payload.get("active_organization", {}).get("name")
if org_id is None or org_realm is None:
logger.warning(
"Invalid Keycloak configuration - no org information for user. Check organization mapper: https://github.com/keephq/keep/blob/main/keycloak/keep-realm.json#L93"
)
role = (
payload.get("resource_access", {})
.get(self.keycloak_client_id, {})
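Review bot: the new None check only logs and falls through, so a token whose active_organization claim is missing continues with org_id and org_realm both None; if those values scope the caller to a tenant further down, this branch is fail-open and should raise HTTPException (already imported at the top of the file) instead of continuing. Two smaller points: payload.get("active_organization", {}).get("id") raises AttributeError when the claim is present with a JSON null value, because the default only applies when the key is absent, and `org = payload.get("active_organization") or {}` handles both cases. And the warning text embeds a GitHub URL with a #L93 line anchor, which points at the wrong line as soon as keep-realm.json changes; name the mapper in the message rather than a line number.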
4 changes: 2 additions & 2 deletions keycloak/keycloak_entrypoint.sh
Expand Up @@ -28,7 +28,7 @@ fi

# Start Keycloak in the background
echo "Starting Keycloak"
/opt/keycloak/bin/kc.sh start-dev --features=preview --import-realm -Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTIN &
/opt/keycloak/bin/kc.sh start-dev --log-level=DEBUG --features=preview --import-realm -Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.migration.strategy=OVERWRITE_EXISTIN &
echo "Keycloak started"
# Try to connect to Keycloak - wait until Keycloak is ready or timeout
echo "Waiting for Keycloak to be ready"
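Review bot: --log-level=DEBUG is now hard-coded into the start command, so every deployment built from this entrypoint runs the identity provider at debug verbosity; debug output from an IdP is voluminous and can carry request details that do not belong in shared logs. Make it opt-in, e.g. `--log-level=${KC_LOG_LEVEL:-INFO}`, and let the compose file set DEBUG for local development. Unrelated to the change but visible on both the old and new line: -Dkeycloak.migration.strategy=OVERWRITE_EXISTIN is missing the trailing G; the Keycloak value is OVERWRITE_EXISTING, so as written the property does not request a valid strategy.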
Expand Down Expand Up @@ -62,7 +62,7 @@ echo "Event listener 'last_login' configured"
# Configure Content-Security-Policy and X-Frame-Options
# So that the SSO connect works with the Keep UI
echo "Configuring Content-Security-Policy and X-Frame-Options"
/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.contentSecurityPolicy="frame-src '\''self'\'' '"$KEEP_URL"'; frame-ancestors '\''self'\'' '"$KEEP_URL"'; object-src '\''none'\'';"'
/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.contentSecurityPolicy="frame-src '\''self'\'' '${KEEP_URL}'; frame-ancestors '\''self'\'' '${KEEP_URL}'; object-src '\''none'\'';"'
/opt/keycloak/bin/kcadm.sh update realms/${KEEP_REALM} -s 'browserSecurityHeaders.xFrameOptions="ALLOW"'
echo "Content-Security-Policy and X-Frame-Options configured"
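Review bot: replacing '"$KEEP_URL"' with '${KEEP_URL}' drops the double quotes around the expansion, so the variable now sits unquoted between the two single-quoted segments and is subject to word splitting and globbing; for a plain URL the result is identical, so the motivation for the change is unclear and the previous form was the safer one. Since KEEP_URL lands directly inside frame-src and frame-ancestors, the script should also reject an empty or malformed value before calling kcadm rather than writing a broken policy into the realm. On the context line below: xFrameOptions="ALLOW" is not a value X-Frame-Options defines (DENY, SAMEORIGIN), so browsers will not honor it; framing is effectively governed by the frame-ancestors directive on the previous line, which takes precedence over X-Frame-Options in browsers that support it.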

24 changes: 20 additions & 4 deletions keycloak/readme.md
@@ -1,17 +1,33 @@

# Docker-compose example:
```
docker-compose -f keycloak/docker-compose.yaml up
```
Keycloak: http://localhost:8181/auth/ (keep_kc:keep_kc)

Keep login page: http://localhost:3000/

## For Azure:
Instructions:
1. https://rahulroyz.medium.com/using-keycloak-as-idp-for-azure-ad-sso-authentication-role-authorization-0b309c15eadc
2. https://rahulroyz.medium.com/using-keycloak-as-idp-for-azure-ad-role-authorization-part-2-map-ad-groups-to-keycloak-roles-9850d4acd536

Set email, first name & last name for keep_admin user: http://localhost:8181/auth/admin/master/console/#/keep/users
Also please assign admin role for keep_admin.

# Development

```
docker run --name phasetwo_test --rm -p 8181:8080 \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
quay.io/phasetwo/phasetwo-keycloak:latest \
start-dev


```
```
http://localhost:8181/realms/keep/portal/
http://localhost:8181/realms/keep/portal/

https://euc1.auth.ac/auth/realms/keep/portal

```

# delete realm to refresh
1. delete the realm from the UI
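Review bot: the second fenced block under # Development contains only three URLs, two of which are the same line (http://localhost:8181/realms/keep/portal/), and the third (https://euc1.auth.ac/auth/realms/keep/portal) is an external host with no explanation of what it is or who runs it; drop the duplicate and turn the block into a bulleted list that says what each link is for. The credentials shown inline (keep_kc:keep_kc after the Keycloak URL, and KEYCLOAK_ADMIN=admin / KEYCLOAK_ADMIN_PASSWORD=admin in the docker run command) should be labelled as local development defaults that must not be reused anywhere else. Minor: "Instructions:" followed by two bare Medium URLs would read better with link text saying what each part covers.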