Keycloak as an Identity Provider

enaio® 10.10

Identity providers such as Keycloak can be connected to enaio® gateway for authentication using OpenID Connect/OAuth2 via a reverse proxy such as OpenResty.

This page outlines the installation and configuration of Keycloak for this type of scenario.

Keycloak must be installed on its own server for security and maintenance reasons.

Keycloak Installation

Perform the installation according to the Keycloak documentation.

For productive use, it is recommended to connect Keycloak to a Relational Database Management System (RDBMS) other than the default embedded H2. Keycloak recommends the compatible RDBMS in its documentation.

Keycloak: Tenant and User

You require a tenant and a user.

Users in Keycloak must also be entered into the enaio® user administration.

Tenants and users are created with the following steps:

  • Open the Keycloak Admin Console: http://localhost:8080/admin

  • Create a new tenant in the navigation area via Master > Add realm.

  • Create and save a user for the tenant via Users > Add user.

  • Enter a password in the Credentials tab on the user page, set the Temporary option to Off, and save with Set Password.

Keycloak: Connecting to OpenResty

To connect, create a client with the following steps:

  • Open the Keycloak Admin Console: http://localhost:8080/admin

  • Select the tenant and create the new client via Clients > Create.

  • Enter a name in the Client ID field, enter the OpenResty URL in the Root URL field, and save.

  • Configure the following in the Settings tab of the client page:

    • Access Type > confidential

    • Authorization Enabled > ON

    • Valid Redirect URIs > Pattern: http://<OpenResty>/*

      Every base URL under which OpenResty is reached must be entered following this pattern. In addition, you must enter: http://127.0.0.1:*

  • Save the configuration by clicking Save.

To configure OpenResty, the following data is required:

  • The client ID.
  • The secret, which is displayed under the Credentials tab on the client page.
  • The OpenID Endpoint Configuration URL: open Realm Settings, and in the General tab click OpenID Endpoint Configuration in the Endpoints field. The OpenResty configuration file requires this URL for the specific Keycloak host.
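As an added illustration, not enaio's or Keycloak's own configuration, the following OpenResty server block shows where the three values above are consumed. It assumes the lua-resty-openidc module, which this page does not name; every host name, the realm name, the header name and the secret are placeholders.

```nginx
# Assumptions: OpenResty with lua-resty-openidc installed; all host names,
# the realm name, the header name and the secret below are placeholders.
lua_package_path "/usr/local/openresty/lualib/?.lua;;";
lua_shared_dict discovery 1m;   # caches the OpenID Endpoint Configuration document
lua_shared_dict jwks 1m;        # caches the realm's token signing keys
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # CA bundle for Keycloak's TLS

server {
    listen 80;
    server_name openresty.example.test;   # placeholder OpenResty host

    location / {
        access_by_lua_block {
            local opts = {
                -- Copy the URL exactly as shown under Realm Settings > General >
                -- Endpoints > OpenID Endpoint Configuration (placeholder host and realm).
                discovery = "https://keycloak.example.test/realms/enaio-realm/.well-known/openid-configuration",
                -- Client ID and the secret from the Credentials tab of the client page.
                client_id = "openresty",
                client_secret = "<client secret from the Credentials tab>",
                -- Must match the Valid Redirect URIs pattern http://<OpenResty>/* in Keycloak.
                redirect_uri = "http://openresty.example.test/redirect_uri",
                scope = "openid",
                ssl_verify = "yes",   -- verify Keycloak's certificate against the CA bundle
            }
            -- Sends unauthenticated browsers to the Keycloak login page and creates a
            -- session on return; failures are logged server-side, not shown to the client.
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
                return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
            -- Hand the verified user name to the upstream in a placeholder header.
            ngx.req.set_header("X-Authenticated-User", res.id_token.preferred_username)
        }
        proxy_pass http://127.0.0.1:9000;   # placeholder upstream (enaio® gateway) address
    }
}
```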

Embedding the Keycloak Login Page in an iframe

The Keycloak login page can be embedded as an iframe in another web page if that page is published under the same host name as Keycloak. If the web page is published under a different host name, that host name must be authorized in every Keycloak tenant that is to use the web page for logging in:

  • Open the Keycloak Admin Console: http://localhost:8080/admin/

  • Select the tenant and add the host name of the website via: Realm settings > Security defenses > Content security policy > frame-ancestors

    Separate multiple host names by spaces.