diff --git a/src/assets/Keycloak/images/asign-role-to-user-2.png b/src/assets/Keycloak/images/asign-role-to-user-2.png new file mode 100644 index 0000000..7e363d8 Binary files /dev/null and b/src/assets/Keycloak/images/asign-role-to-user-2.png differ diff --git a/src/assets/Keycloak/images/assign-role-to-user.png b/src/assets/Keycloak/images/assign-role-to-user.png new file mode 100644 index 0000000..bd4d8bf Binary files /dev/null and b/src/assets/Keycloak/images/assign-role-to-user.png differ diff --git a/src/assets/Keycloak/images/client-registration-2.png b/src/assets/Keycloak/images/client-registration-2.png new file mode 100644 index 0000000..282a51e Binary files /dev/null and b/src/assets/Keycloak/images/client-registration-2.png differ diff --git a/src/assets/Keycloak/images/client-registration-3.png b/src/assets/Keycloak/images/client-registration-3.png new file mode 100644 index 0000000..8cd23ad Binary files /dev/null and b/src/assets/Keycloak/images/client-registration-3.png differ diff --git a/src/assets/Keycloak/images/client-registration.png b/src/assets/Keycloak/images/client-registration.png new file mode 100644 index 0000000..4c4f71a Binary files /dev/null and b/src/assets/Keycloak/images/client-registration.png differ diff --git a/src/assets/Keycloak/images/create-realm-2.png b/src/assets/Keycloak/images/create-realm-2.png new file mode 100644 index 0000000..035d026 Binary files /dev/null and b/src/assets/Keycloak/images/create-realm-2.png differ diff --git a/src/assets/Keycloak/images/create-realm-role.png b/src/assets/Keycloak/images/create-realm-role.png new file mode 100644 index 0000000..7802189 Binary files /dev/null and b/src/assets/Keycloak/images/create-realm-role.png differ diff --git a/src/assets/Keycloak/images/create-realm.png b/src/assets/Keycloak/images/create-realm.png new file mode 100644 index 0000000..cc6860b Binary files /dev/null and b/src/assets/Keycloak/images/create-realm.png differ 
diff --git a/src/assets/Keycloak/images/create-user-1.png b/src/assets/Keycloak/images/create-user-1.png new file mode 100644 index 0000000..7802189 Binary files /dev/null and b/src/assets/Keycloak/images/create-user-1.png differ diff --git a/src/assets/Keycloak/images/create-user-2.png b/src/assets/Keycloak/images/create-user-2.png new file mode 100644 index 0000000..ddcdf30 Binary files /dev/null and b/src/assets/Keycloak/images/create-user-2.png differ diff --git a/src/assets/Keycloak/images/create-user-3.png b/src/assets/Keycloak/images/create-user-3.png new file mode 100644 index 0000000..2044f13 Binary files /dev/null and b/src/assets/Keycloak/images/create-user-3.png differ diff --git a/src/assets/Keycloak/images/create-user-4.png b/src/assets/Keycloak/images/create-user-4.png new file mode 100644 index 0000000..b1dfde1 Binary files /dev/null and b/src/assets/Keycloak/images/create-user-4.png differ diff --git a/src/assets/Keycloak/images/keycloak-features.png b/src/assets/Keycloak/images/keycloak-features.png new file mode 100644 index 0000000..79fac73 Binary files /dev/null and b/src/assets/Keycloak/images/keycloak-features.png differ diff --git a/src/assets/Keycloak/images/keycloak-with-ocis.png b/src/assets/Keycloak/images/keycloak-with-ocis.png new file mode 100644 index 0000000..1ee740c Binary files /dev/null and b/src/assets/Keycloak/images/keycloak-with-ocis.png differ diff --git a/src/assets/Keycloak/images/keycloak.png b/src/assets/Keycloak/images/keycloak.png new file mode 100644 index 0000000..d28b8e3 Binary files /dev/null and b/src/assets/Keycloak/images/keycloak.png differ diff --git a/src/assets/Keycloak/images/ocis-keycloak-UI-setup-1.png b/src/assets/Keycloak/images/ocis-keycloak-UI-setup-1.png new file mode 100644 index 0000000..d28fc0b Binary files /dev/null and b/src/assets/Keycloak/images/ocis-keycloak-UI-setup-1.png differ 
diff --git a/src/assets/Keycloak/images/ocis-keycloak-UI-setup-2.png b/src/assets/Keycloak/images/ocis-keycloak-UI-setup-2.png new file mode 100644 index 0000000..40afa5b Binary files /dev/null and b/src/assets/Keycloak/images/ocis-keycloak-UI-setup-2.png differ diff --git a/src/assets/Keycloak/images/ocis-keycloak-login.png b/src/assets/Keycloak/images/ocis-keycloak-login.png new file mode 100644 index 0000000..d467548 Binary files /dev/null and b/src/assets/Keycloak/images/ocis-keycloak-login.png differ diff --git a/src/assets/Keycloak/images/start-keycloak-with-docker-compose.png b/src/assets/Keycloak/images/start-keycloak-with-docker-compose.png new file mode 100644 index 0000000..74225be Binary files /dev/null and b/src/assets/Keycloak/images/start-keycloak-with-docker-compose.png differ diff --git a/src/assets/Keycloak/images/update-roles.png b/src/assets/Keycloak/images/update-roles.png new file mode 100644 index 0000000..2c6815d Binary files /dev/null and b/src/assets/Keycloak/images/update-roles.png differ diff --git a/src/assets/Keycloak/keycloak.md b/src/assets/Keycloak/keycloak.md new file mode 100644 index 0000000..f6bf352 --- /dev/null +++ b/src/assets/Keycloak/keycloak.md 
@@ -0,0 +1,69 @@ +--- +title: Introduction to Keycloak +authorName: Amrita Shrestha +authorAvatar: https://avatars.githubusercontent.com/u/54478846?s=100&v=4 +authorLink: https://github.com/amrita-shrestha +createdAt: March 26, 2024 +tags: Keycloak +banner: https://blog.jankaritech.com/src/assets/keycloak/images/keycloak.png +--- + +## Keycloak +[Keycloak](https://github.com/keycloak/keycloak) is an open-source project for Red Hat SSO. It provides an `Identity and Access Management` solutions designed to secure application services. +Additionally, it enables users to authenticate through various identity providers and use fine-grained permissions for regulating access to Software as a Service (SaaS) applications. +Keycloak alternatives are Auth0, Zluri, Microsoft Azure Active Directory, Okta or WSO2 Identity Server. + +It facilitates the creation of a user database with customizable roles and groups, offering functionalities such as user management, registration, and password policy enforcement. +This makes it a comprehensive Identity and Access Management (IAM) solution for contemporary applications. Keycloak's API enables the integration of all these features into your application +without the need for additional coding. + +## Keycloak Features +![Keycloak features](/src/assets/Keycloak/images/keycloak-features.png) + +1. `Identity Broker:` + Identity Broker acts as a middleman, linking various service providers with different identity providers. It establishes trust with external identity providers to utilize their identities for accessing internal services offered by service providers. + Imagine a textile company, which has two Keycloak setups: one for customer and another for internal employees. If you want your employees to access external services without creating new accounts on customer Keycloak, you can use the customer Keycloak + as the mediator and the customer Keycloak as the source in this scenario. + +2. 
`User Federation:` + Keycloak provides the ability to integrate with existing LDAP or Active Directory servers. It also supports implementation of your own provider such as a relational database. + +3. `Standard Protocols:` + Keycloak is based on three standard protocols i.e., OpenID Connect, OAuth2.0, and SAML. + +4. `Password Policies:` + Keycloak contain different password policies i.e., HashAlgorithm, Hashing Iterations, Digits, Lowercase Characters, Regular Expression and so on. + +5. `Single-Sign On:` + Keycloak facilitates a seamless login experience where users only need to sign in once to access multiple applications, eliminating the need for repeated logins. + This not only streamlines user experience but also simplifies identity management for administrators. + +6. `Social Login:` + Keycloak has built-in support for Google, GitHub, and Facebook which help us to use social identity providers. + +## Keycloak Drawbacks +Despite its extensive features, Keycloak does have certain limitations. One of these is the need for a more varied implementation approach. +Additionally, the following are some of the drawbacks associated with Keycloak: +1. `Complex Server Deployment:` The manual process involved in deploying Keycloak on a server can be complicated, potentially affecting overall productivity. +2. `Lack of Comprehensive Support Documentation:` Despite its robust functionalities, Keycloak could benefit from more efficient and extensive support documentation. This would make it easier for users to find suitable solutions to their problems. + +## SetUp Keycloak using docker +1. Keycloak using docker image +```bash +docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:24.0.2 start-dev +``` + +2. Keycloak with postgres database using docker-compose + ![Setup Keycloak using docker compose](src/assets/keycloak/images/start-keycloak-with-docker-compose.png) + +## Why You Should Know Keycloak +1. Open source +2. 
Supports three different authentication protocols which give you the possibility to cover many applications with different security demands with a single tool. +3. Provides web-based GUI which makes any configurations changes easier. +4. Huge community support + +## When It May Not Be the Best Choice +1. Enterprises seeking robust guarantees or support may find Keycloak lacking in this regard. As an open-source project, there are no assurances provided by its producer regarding its functionality or roadmap. + Support is community-driven, typically through platforms like Stack Overflow, with no guaranteed response times. +2. If your application consists of a single application with just one client in the Keycloak realm, you won't benefit from Single Sign-On (SSO) capabilities. +3. For applications solely reliant on a pure user database, Keycloak could be overkill. A database with specific tables may offer a simpler alternative, especially if you already have one set up. diff --git a/src/assets/Keycloak/ocis-with-keycloak.md b/src/assets/Keycloak/ocis-with-keycloak.md new file mode 100644 index 0000000..24ac8c0 --- /dev/null +++ b/src/assets/Keycloak/ocis-with-keycloak.md 
@@ -0,0 +1,161 @@ +--- +title: keycloak Server +authorName: Amrita Shrestha +authorAvatar: https://avatars.githubusercontent.com/u/54478846?s=100&v=4 +authorLink: https://github.com/amrita-shrestha +createdAt: March 26, 2024 +tags: owncloud infinte scale, ocis, ocis-with-keycloak +banner: https://blog.jankaritech.com/src/assets/keycloak/images/keycloak-with-ocis.png +--- + +[In previous blog](src/assets/keycloak/keycloak.md), we explored the topic of Keycloak. In this current post, our focus shifts to discussing the setup of OCIS with Keycloak. + + +## Keycloak with ocis + +### Run services +Before setting up `ocis with keycloak`, it's essential to deploy `keycloak and ocis`. This blog details the deployment of `ocis and keycloak` via `docker compose`. +Using `Traefik`, `ocis and keycloak` has been served using certificates. +You can either download the code from [GitHub](https://github.com/amrita-shrestha/keycloak-ocis/blob/master/compose.yaml) or utilize the code provided below: + +```dockerfile +services: + traefik: + image: traefik:2.11.0 + command: + [ + "--log.level=ERROR", + "--api.insecure=true", + "--api.dashboard=true", + "--pilot.dashboard=false", + "--providers.docker=true", + "--entrypoints.ocis.address=:9200", + "--entrypoints.keycloak.address=:8443", + "--providers.docker.exposedbydefault=false", + "--entrypoints.websecure.http.tls.options=default", + ] + ports: + - 8080:8080 + - 9200:9200 + - 8443:8443 + volumes: + - "/var/run/docker.sock:/var/run/docker.sock:ro" + labels: + traefik.enable: true + traefik.http.routers.traefik.rule: HostRegexp(`{any:.+}`) + restart: always + + ocis: + image: owncloud/ocis:latest + entrypoint: + - /bin/sh + command: ["-c", "ocis init || true; ocis server"] + environment: + # Keycloak IDP configuration + PROXY_AUTOPROVISION_ACCOUNTS: true + PROXY_ROLE_ASSIGNMENT_DRIVER: oidc + OCIS_OIDC_ISSUER: https://host.docker.internal:8443/realms/ocis # ocis is keycloak realm name + PROXY_OIDC_REWRITE_WELLKNOWN: true + 
WEB_OIDC_CLIENT_ID: web + # general config + OCIS_URL: https://host.docker.internal:9200 + OCIS_LOG_LEVEL: error + OCIS_INSECURE: true + OCIS_ADMIN_USER_ID: "" + OCIS_EXCLUDE_RUN_SERVICES: idp + GRAPH_ASSIGN_DEFAULT_USER_ROLE: false + GRAPH_USERNAME_MATCH: none + # PROXY + PROXY_TLS: false + PROXY_USER_OIDC_CLAIM: preferred_username + PROXY_USER_CS3_CLAIM: username + extra_hosts: + - host.docker.internal:host-gateway + labels: + traefik.enable: true + traefik.http.routers.ocis.tls: true + traefik.http.routers.ocis.rule: PathPrefix(`/`) + traefik.http.routers.ocis.entrypoints: ocis + traefik.http.services.ocis.loadbalancer.server.port: 9200 + + postgres: + image: postgres:alpine + volumes: + - postgres_data:/var/lib/postgresql/data + environment: + POSTGRES_DB: keycloak + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: keycloak + + keycloak: + image: quay.io/keycloak/keycloak:24.0.1 + command: ["start-dev", "--proxy=edge"] + environment: + KC_DB: postgres + KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak" + KC_DB_USERNAME: keycloak + KC_DB_PASSWORD: keycloak + KC_FEATURES: impersonation + KEYCLOAK_ADMIN: admin + KEYCLOAK_ADMIN_PASSWORD: admin + extra_hosts: + - host.docker.internal:host-gateway + labels: + traefik.enable: true + traefik.http.routers.keycloak.tls: true + traefik.http.routers.keycloak.rule: PathPrefix(`/`) + traefik.http.routers.keycloak.entrypoints: keycloak + traefik.http.services.keycloak.loadbalancer.server.port: 8080 + depends_on: + - postgres + +volumes: + postgres_data: +``` + + +### Manual configuration for ocis on keycloak +1. Go to ocis url: `https://host.docker.internal:9200/` +![ocis](src/assets/keycloak/images/ocis-keycloak-UI-setup-1.png) + +2. Go to keycloak url: `https://host.docker.internal:8443/` +![keycloak](src/assets/keycloak/images/ocis-keycloak-UI-setup-2.png) + +3. 
Create new realm: `ocis` +![create realm](src/assets/keycloak/images/create-realm.png) +![create realm with name `ocis`](src/assets/keycloak/images/create-realm-2.png) + +4. Add a new client: +![client registration](src/assets/keycloak/images/client-registration.png) + +- Client ID: `web` +![add client](src/assets/keycloak/images/client-registration-2.png) + +- Root URL: `https://host.docker.internal:9200` +![add root url](src/assets/keycloak/images/client-registration-3.png) + +5. Add realm roles: + +- Role name: `ocisAdmin` +![add realm role](src/assets/keycloak/images/create-realm-role.png) + +6. Create a new user: + +- Username: `admin` and other info +![create user](src/assets/keycloak/images/create-user-1.png) +![add user information](src/assets/keycloak/images/create-user-2.png) + +- Create password +![create password](src/assets/keycloak/images/create-user-3.png) +![setup password for user](src/assets/keycloak/images/create-user-4.png) + +- Role Mapping: Assign `ocisAdmin` role +![assign role](src/assets/keycloak/images/assign-role-to-user.png) +![assign role to user](src/assets/keycloak/images/asign-role-to-user-2.png) + +7. Update `roles` Client scope: `Client Scopes` -> `roles` +- `Mappers` -> `realm roles` -> `Token Claim Name=roles` +![update-roles](src/assets/keycloak/images/update-roles.png) + +8. Go to url `https://host.docker.internal:9200/` reload if already opened +![login ocis with keycloak](src/assets/keycloak/images/ocis-keycloak-login.png)
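Review bot: The Identity Broker example in the keycloak.md hunk names "the customer Keycloak" as both the mediator and the source ("you can use the customer Keycloak as the mediator and the customer Keycloak as the source"), so the scenario described (employees reaching external services without accounts on the customer instance) cannot be followed; one of the two should be the employee/internal Keycloak, matching the "two Keycloak setups" introduced just before. The same hunk is also inconsistent about asset paths: the files are added under `src/assets/Keycloak/images/`, but the front matter `banner:` and the docker-compose screenshot reference `src/assets/keycloak/images/...` (lowercase), which will not resolve on a case-sensitive deployment. Finally, the "SetUp Keycloak using docker" step runs `start-dev` with `KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin` without saying this is a local development invocation; a sentence stating that `start-dev` and the fixed admin credentials are for local experiments only would keep readers from carrying them into a reachable deployment.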
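Review bot: The compose file in the ocis-with-keycloak.md hunk ships several settings that are only acceptable on a private workstation (`KEYCLOAK_ADMIN_PASSWORD: admin`, `POSTGRES_PASSWORD: keycloak`, `OCIS_INSECURE: true`, `PROXY_TLS: false`, `OCIS_ADMIN_USER_ID: ""`, and Traefik started with `--api.insecure=true` while port 8080 is published, which exposes the unauthenticated dashboard to anyone who can reach the host), yet the surrounding text only says the services are "served using certificates"; the section should state plainly that this is a throwaway development stack, that the TLS certificates are Traefik's self-signed defaults (which is why `OCIS_INSECURE` is needed), and that the credentials and insecure flags must be replaced before exposing it. Two smaller points in the same hunk: the code fence is tagged ```dockerfile although the content is compose YAML, so syntax highlighting will be wrong (use ```yaml), and `command: ["-c", "ocis init || true; ocis server"]` silently swallows `ocis init` failures, which makes a broken first start hard to diagnose.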