Difference between revisions of "Keycloak"

From Dogtag
Jump to: navigation, search
m (Configuring Tomcat Client)
m (Configuring Tomcat Client)
Line 39: Line 39:
= Configuring Tomcat Client =
= Configuring Tomcat Client =
To create a Tomcat server:
To create a [https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_Basic_PKI_Server.md Tomcat server with TLS connector]:
  $ pki-server create tomcat@keycloak
  $ pki-server create tomcat@keycloak

Revision as of 15:28, 2 November 2019


To build Keycloak:

$ git clone https://github.com/keycloak/keycloak.git
$ cd keycloak
$ mvn install

See also:


To install Keycloak server:

$ wget https://downloads.jboss.org/keycloak/6.0.1/keycloak-6.0.1.tar.gz
$ tar xzvf keycloak-6.0.1.tar.gz
$ cd keycloak-6.0.1/bin

To setup admin user:

$ ./add-user-keycloak.sh -u admin -p Secret.123

To start Keycloak server:

$ ./standalone.sh -b=

Adding a New Realm

To access the Admin Console, open http://$HOSTNAME:8080/auth/admin/.

To access a realm, open http://$HOSTNAME:8080/auth/realms/<realm>/account.

Adding Roles in Realm

Adding Users in Realm

Configuring Tomcat Client

To create a Tomcat server with TLS connector:

$ pki-server create tomcat@keycloak
$ pki-server http-connector-mod -i tomcat@keycloak --port 9080 Connector1

To install Keycloak client adapter:

$ curl https://downloads.jboss.org/keycloak/7.0.0/adapters/keycloak-oidc/keycloak-tomcat-adapter-dist-7.0.0.tar.gz \
    --output keycloak-tomcat-adapter-dist-7.0.0.tar.gz
$ mkdir lib
$ cd lib
$ tar xzvf ../keycloak-tomcat-adapter-dist-7.0.0.tar.gz
$ mv * /var/lib/tomcats/keycloak/lib

To enable Keycloak, prepare context.xml for customization:

$ cd /var/lib/tomcats/keycloak/conf
$ rm context.xml
$ cp /etc/tomcat/context.xml .

Then add the following <Valve> element:

    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>

To register Tomcat client:

  • Open Keycloak Admin Console
  • Click Clients -> Create

To generate client adapter configuration, click Installation:

  • Format option: Keycloak OIDC JSON

Then store the configuration in <web application>/WEB-INF/keycloak.json:

  "realm": "demo",
  "auth-server-url": "http://$HOSTNAME:8080/auth",
  "ssl-required": "external",
  "resource": "tomcat",
  "public-client": true,
  "confidential-port": 0

To configure web application, edit <web application>/WEB-INF/web.xml:

  • Define security constraints
  • Define login-config with auth-method set to KEYCLOAK
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app 
   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "file:///usr/share/pki/setup/web-app_2_3.dtd">

            <web-resource-name>Account Services</web-resource-name>




To run Tomcat server:

$ pki-server run tomcat@keycloak

See Also