Introduction
Keycloak is an identity management platform that supports application and microservices security in single sign-on with Identity, Access Management processes, offering authentication and authorization integrated with the Devprime platform. This integration is done by the Security adapter.
Follow the steps below to prepare the Keycloak on-premises environment with the basic co-configurations to enable on-premises integration tests with the security engine.
- Initialize the Keycloak container using the command provided in the docker documentation.
- Open the Keycloak url in http://localhost:8080 and view the Keycloak portal.
- Log in by entering the username ‘admin’ and password ‘admin’.
- Create a new Realm and set a name. In this example we’ll use ‘devprime’.
- Configure some initial settings to allow user registration and use of email at login. To find this setting, go to Realm “Devprime” and locate the ‘Realm settings’ menu.
a) Locate the “Login” menu and enter the “Login screen customization” option and change it.
b) Locate the “Email settings” option and change it.
- At this point we will create a “Client” to allow the microservice access to Keycloak. In the main menu, locate the “Clients” item and choose the “Create client” option.
- Perform an initial configuration informing the “Client ID” and other settings according to General Settings and Capability config. In our example, we use the name “myapp” for ClientID and change the Client authentication and Implicit flow.
First step of setup
Second step of the setup
- To allow url rerouting between Keycloak and the microservice, it is necessary to register valid urls.
a) If you have the screen open from the previous step, locate the “Access settings” option
b) Add the url “https://localhost:5001/signin-oidc” in the Valid redirect URIs option.
c) This same screen is available in the main menu under “Clients” / “myapp”.
- To get the integration credentials of the microservice with Keycloak go to the “Clients” menu and then enter “myapp” to locate the “Credentials” tab. Copy the secret key for use in your application.
This initial configuration will allow you to start the first tests on the security configuration in the microservices. Keycloak offers a variety of options for authentication flows.
At the end, remember the parameters used and/or obtained in the configuration of the keycloak for use in the microservice. The Logout url below is an example returning the redirect to localhost
Another important option to configure is “Valid redirect URIs” which defines the authorized urls. In our scenario, we are using localhost in the on-premises environment. You must register all urls or you can use the example “https://localhost:5001/*”.
Item | Parameter |
---|---|
Domain | https://localhost:8080/auth/realms/devprime |
ClientID | Your ClientID |
ClientSecret | Your Secrets |
LogoutUri | https://localhost:8080/auth/realms/devprime/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Flocalhost%3A5001 |
Valid redirect URIs | https://localhost:5001/signin-oidc |
Common error:
- Verify the ClientID name and credential
[ERR][Web]["HTTP"][System.Exception]["Microsoft.AspNetCore.Authentication"]
["An error was encountered while handling the remote login." "An error was encountered while handling the remote login.
Message contains error: 'unauthorized_client', error_description: 'Invalid client or Invalid client credentials', error_uri: 'error_uri is null'."]
Next Steps:
Last modified January 10, 2024 (967dcac3)