Are there up-to-date Keycloak OAUTH integration docs?

Dzintars Klavins

Apr 17, 2023, 2:06:24 AM
to Repo and Gerrit Discussion
Hi all. Sorry for quite unproductive question, but I'm forced to start at least with something.

I'm new to Gerrit gating and Keycloak at the same time.
I have both running in containers behind the proxy with the "real development" domains and TLS termination. I got SSH and the whole Gerrit workflow working.
I am looking for this integration because Keycloak will be used for other CI tools as well.

I tried to follow both the SAML and OAUTH instructions left by @davido, but those are from 2019.
Not sure, how much was changed since then, but I am not able to get them running smoothly.
I had more success with the SAML and got to the redirection after authentication, but that failed due to a missing trailing slash at `example.complugins`. Still not sure whether it is due to my HAProxy settings or something else (checked all URIs in the Keycloak client).
This whole Web IAM thing these days is way too overcomplicated for my little gray mass. :)

So I switched to the OAUTH method as that was suggested by the Keycloak book. But still no luck.
The plugin seems to be loaded. I have an ugly OpenID login page with the ugly UI and a Keycloak option, but as soon as I click on it I get a 404 for `https://sso.example.dev/auth/realms/example/protocol/openid-connect/auth?response_type=code&client_id=gerrit-oauth&redire.....`
Somewhere I saw that the `auth` path was removed in some Keycloak version.... But it's really impossible in a reasonable time to track down all the changelogs.

So... at the end of the day, I'm just looking for a simple up-to-date guide to get that thing running in some basic, good enough configuration so that I can learn on top of something running.
I am not looking for help to debug this thing. Just for up-to-date docs, as that would be way more productive not only for me.

Thank you all.
Latvia/Europe

David Ostrovsky

May 2, 2023, 1:27:19 AM
to Repo and Gerrit Discussion
Dzintars Klavins wrote on Monday, 17 April 2023 at 08:06:24 UTC+2:
> Hi all. Sorry for quite unproductive question, but I'm forced to start at least with something.
>
> I'm new to Gerrit gating and Keycloak at the same time.
> I have both running in containers behind the proxy with the "real development" domains and TLS termination. I got SSH and the whole Gerrit workflow working.
> I am looking for this integration because Keycloak will be used for other CI tools as well.
>
> I tried to follow both the SAML and OAUTH instructions left by @davido, but those are from 2019.

Are you referring to these tutorials: [1], [2]?
That was the last time I looked into it and unfortunately nobody sent me a PR to adapt
the instructions for the latest Keycloak releases.


> Not sure, how much was changed since then, but I am not able to get them running smoothly.
> I had more success with the SAML and got to the redirection after authentication, but that failed due to a missing trailing slash at `example.complugins`. Still not sure whether it is due to my HAProxy settings or something else (checked all URIs in the Keycloak client).
> This whole Web IAM thing these days is way too overcomplicated for my little gray mass. :)
>
> So I switched to the OAUTH method as that was suggested by the Keycloak book. But still no luck.
> The plugin seems to be loaded. I have an ugly OpenID login page with the ugly UI and a Keycloak option, but as soon as I click on it I get a 404 for `https://sso.example.dev/auth/realms/example/protocol/openid-connect/auth?response_type=code&client_id=gerrit-oauth&redire.....`
> Somewhere I saw that the `auth` path was removed in some Keycloak version.... But it's really impossible in a reasonable time to track down all the changelogs.

Keycloak v17 includes this breaking change, see: [3]. I uploaded this change for review: [4].
You could build the plugin from that change, or download the jar artifact from Zuul: [5].

Dzintars Klavins

May 2, 2023, 9:02:03 AM
to Repo and Gerrit Discussion
Hi.
Thank You for the guidance.
As You suggested, I removed the `/auth` path in the OAuth plugin's source, built it, and succeeded in getting the Gerrit:latest <-> Keycloak:21.1 OAuth flow working.

P.S. I am using a root-less Podman deployment to test all these components.
Will try to play further now. :)
Thank You.

Dzintars Klavins

May 2, 2023, 9:05:47 AM
to Repo and Gerrit Discussion
Oh... the only weird issue I have is `Valid redirect URIs` not accepting `https://gerrit.example.com/*`. I got that working by temporarily using `*` (DON'T DO THAT IN PRODUCTION!!!).
Will dig into that after I get a bit more familiar with all this.

Dzintars Klavins

May 2, 2023, 10:57:09 AM
to Repo and Gerrit Discussion
`http://gerrit.example.com/oauth` solved the Invalid URI issue. Though, ATM I'm not sure why only `http` is accepted as a protocol.
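Added example, not part of the thread and not code from Gerrit, the OAuth plugin or Keycloak: a small diagnostic that takes the authorization URL the browser is sent to, reports whether it still uses the pre-v17 `/auth/realms/` prefix, and checks the `redirect_uri` the client actually sends against a list of `Valid redirect URIs` patterns. Assumptions: the function names are hypothetical, the matching is a simplified model of trailing-`*` matching, and the `redirect_uri` in the sample URL is constructed because the URL in the post is truncated.

```python
from urllib.parse import urlsplit, parse_qs


def redirect_allowed(redirect_uri, patterns):
    """Simplified model (assumption): exact match, or a trailing '*'
    acting as a prefix wildcard. Scheme and host are compared literally,
    so an https pattern never matches an http redirect_uri."""
    for pattern in patterns:
        if pattern == "*" or redirect_uri == pattern:
            return True
        if pattern.endswith("*") and redirect_uri.startswith(pattern[:-1]):
            return True
    return False


def diagnose(auth_url, patterns):
    """Inspect an authorization request URL copied from the browser."""
    parts = urlsplit(auth_url)
    # parse_qs percent-decodes the value, giving the URI as the IdP sees it
    redirect_uri = parse_qs(parts.query).get("redirect_uri", [None])[0]
    return {
        # True means the client still targets the pre-v17 endpoint layout
        "legacy_auth_prefix": parts.path.startswith("/auth/realms/"),
        "redirect_uri": redirect_uri,
        "redirect_scheme": urlsplit(redirect_uri).scheme if redirect_uri else None,
        "allowed": bool(redirect_uri) and redirect_allowed(redirect_uri, patterns),
        # a bare '*' accepts any redirect target and should not stay configured
        "wildcard_all": "*" in patterns,
    }


# Constructed sample: host, realm and client_id as in the post; the
# redirect_uri value is an assumption used only for illustration.
SAMPLE_URL = (
    "https://sso.example.dev/auth/realms/example/protocol/openid-connect/auth"
    "?response_type=code&client_id=gerrit-oauth"
    "&redirect_uri=http%3A%2F%2Fgerrit.example.com%2Foauth"
)

if __name__ == "__main__":
    for patterns in (["https://gerrit.example.com/*"],
                     ["http://gerrit.example.com/oauth"],
                     ["*"]):
        print(patterns, diagnose(SAMPLE_URL, patterns))
```

If `redirect_scheme` comes back as `http` on a site served over HTTPS, the value to compare against the `Valid redirect URIs` list is the one the client sends, not the one shown in the browser's address bar.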