Keycloak Book


Mirtha Hinrichs

Aug 3, 2024, 6:05:57 PM
to troptingsimen

A few years back I wrote a Keycloak plugin (identity provider) to sign into Keycloak using the Discourse auth APIs. Not sure if it's compatible with recent changes to Discourse SSO, but if you need that part I might be able to publish it at some time.

We already have Keycloak running for our user management (and use it e.g. to authenticate users for our own applications).
Now we set up a Discourse instance and would like to use Keycloak as the SSO provider.

Is DiscourseConnect the correct thing to use here? Or do we need instead (or additionally) a plugin for openid, or SAML?
What do we need to configure on the Keycloak end? Is it just standard configuration, or do we need a plugin?

Keycloak is a generic identity provider - it offers OpenID Connect compatible endpoints to authenticate external applications. You can pair Keycloak with Discourse using the discourse-openid-connect plugin.
DiscourseConnect is a bit different. As far as I understand, it permits completely delegating user management to Keycloak, which might not be what you need for a start.

As far as I understand, your setup consists of adding the Keycloak community extension to a Tomcat distribution. This means that you have changed the original identity provider to now work with Keycloak. This is all your setup does. It does not include SSO. If you want to have full SSO, please go to the sample provided at camunda-platform-7-keycloak/examples/sso-kubernetes at master camunda-community-hub/camunda-platform-7-keycloak GitHub.

I am trying to connect Auth0 in Keycloak so that my users can get into Keycloak using Auth0. The hurdles I am facing are how to implement this, and also how I port users from one service to another or add users. If a new user is added to Keycloak, how do they have Auth0 access, or vice versa?

If you want to check the information in the Auth0 tokens, just for troubleshooting purposes, request the token from the Auth0 token endpoint with ROPC using the SAME scopes that you have configured in the KC Identity Provider.

I'm new with OutSystems and planning to use Keycloak with it. Is there a way to use OutSystems with Keycloak? I know there's a plugin called SSO within OutSystems, but I need to use Keycloak for my project.

In order to make sure Keycloak is initialized when your application is bootstrapped, you will have to add an APP_INITIALIZER provider to your AppModule. This provider will call the initializeKeycloak factory function shown below, which will set up the Keycloak service so that it can be used in your application.

Use the code provided below as an example and implement its functionality in your application. In this process, ensure that the configuration you are providing matches that of your client as configured in Keycloak.

In the example we have set up Keycloak to use a silent check-sso. With this feature enabled, your browser will not do a full redirect to the Keycloak server and back to your application; instead, this action will be performed in a hidden iframe, so your application resources only need to be loaded and parsed once by the browser when the app is initialized, and not again after the redirect back from Keycloak to your app.

A generic AuthGuard, KeycloakAuthGuard, is provided to help you protect authenticated routes in your application. This guard provides you with information to see if the user is logged in and a list of roles that belong to the user. In your implementation you just need to implement the desired logic to protect your routes.

To write your own implementation, extend the KeycloakAuthGuard class and implement the isAccessAllowed method. For example, the code provided below checks if the user is authenticated and, if not, the user is requested to sign in. It also checks if the user has the correct roles, which could be provided by passing the roles field into the data of the route.

There is also the possibility to exclude requests that should not have the authorization header. This is accomplished by implementing the shouldAddToken method in the Keycloak initialization. For example, the configuration below will not add the token to GET requests that match the paths /assets or /clients/public:

In the case where your application frequently polls an authenticated endpoint, you will find that users will not be logged out automatically over time. If that functionality is not desirable, you can add an HTTP header to the polling requests and then configure the shouldUpdateToken option in the Keycloak initialization.

Hi, I've tried a few tutorials on how to integrate Keycloak with Alfresco, but in the case of the latest version of the platform, none of them worked for me (probably my mistake). Is there any tutorial that has been tested for Alfresco Community 6.2? In most cases, I ended up with "Bearer" authentication, which Alfresco does not support.

Thank you.

Yes, AIMS can be used in Community edition as well. Only the Share integration is not part of the last official community release and you'll either have to use a Share WAR from a different (Enterprise) release (Share is the same in Enterprise and Community) or wait until 7.0 is released.

First of all, you should outline what kind of integration with Keycloak you want to achieve. The Alfresco Identity Management Service (AIMS) is based on Keycloak and supports Bearer authentication on the Repository, which can be used with ADF-based applications out of the box. In Alfresco Enterprise 6.2.something they apparently added some support to Share, which will likely see a Community release with Alfresco 7.0 (whenever that happens to come out). There are various use cases of Keycloak integration that are currently entirely neglected by AIMS, which is the reason that I built my own integration.

Hello, thank you for your reply. I would like to set up single sign-on authentication using Active Directory for the Share and Repository tiers. I'll check the integration you mentioned. Is the Alfresco Identity Management Service (AIMS) also accessible in the Community edition?

I was able to download Alfresco Content Services Community 7.0.0 (alfresco-content-services-community-distribution-7.0.0.zip). Do you know if Keycloak integration with Share is now included in the 7.0 Community edition? I tried it, but the redirection to Keycloak does not happen. Wondering if anyone was able to integrate Share with Keycloak.

I already integrated Alfresco into my project with Docker, and also integrated Keycloak. I used the basic configuration, so actually I can authenticate to Alfresco with my own Keycloak instance. I only use the repository content (no need for Share at the moment).

"Yes, I believe it is available for Share in ACS 7.0 - for both Community & Enterprise editions." I have Enterprise 7.4 installed on my local machine, and I also have the latest Keycloak installed locally. How do I integrate Keycloak with Share? I proved that my Keycloak authentication chain works in the admin console (on the repo side).

I am trying to find this application: -enterprise-sso-with-keycloak?tab=support&hosting=server on my Confluence installation, but it doesn't show up. When I check the version, it seems that the app only supports up to v7.16.3, but we are running v7.17.1 - perhaps that is why it doesn't show up.

When following that guide, it shows menu options that we do not have. Therefore I started searching for an application for the integration... Which then came up with the link that I posted. However, this doesn't show up when I search for it within Confluence, which I suspect is for the version reason that I said...

We want to integrate Keycloak authentication SSO into Confluence, ideally without using a paid application. We have SSO for Data Center app installed, but this seemingly only offers options for Atlassian Crowd integration.

You can also evaluate the miniOrange Confluence OIDC/OAuth SSO app for the OIDC/OAuth SSO requirements. It has support for version 7.17.1 of Confluence, as you need. You will be able to add the integration easily with the support of detailed documentation and video.

These instructions will take you through the entire process of getting your ArgoCD application authenticating with Keycloak. You will create a client within Keycloak and configure ArgoCD to use Keycloak for authentication, using groups set in Keycloak to determine privileges in Argo.

First we need to set up a new client. Start by logging into your Keycloak server, select the realm you want to use (master by default) and then go to Clients and click the Create client button at the top.

In order for ArgoCD to provide the groups the user is in, we need to configure a groups claim that can be included in the authentication token. To do this we'll start by creating a new Client Scope called groups.

Once you've created the client scope, you can now add a Token Mapper which will add the groups claim to the token when the client requests the groups scope. In the "Mappers" tab, click on "Configure a new mapper" and choose Group Membership. Make sure to set the Name as well as the Token Claim Name to groups. Also disable the "Full group path".

We can now configure the client to provide the groups scope. Go back to the client we created earlier and go to the "Client Scopes" tab. Click on "Add client scope", choose the groups scope and add it either to the Default or to the Optional Client Scope. If you put it in the Optional category, you will need to make sure that ArgoCD requests the scope in its OIDC configuration. Since we will always want group information, I recommend using the Default category.

The quarkus-keycloak-authorization extension relies on quarkus-oidc. It includes a policy enforcer that regulates access to secured resources. Access is governed by permissions set in Keycloak. Currently, this extension is compatible solely with Quarkus OIDC service applications.
