Keycloak as the Identity Provider

yuuvis® RAD 10.x

Identity providers like Keycloak can be connected to yuuvis® RAD gateway via OpenID Connect/OAuth2 using a reverse proxy such as OpenResty for authentication purposes.

The basic steps required to install and configure Keycloak for such a scenario are described here.

Installing Keycloak

To install Keycloak, follow these steps:

  • Download the latest version at https://www.keycloak.org/downloads and unzip the file in a directory.

  • Customize the standalone.xml configuration file from the \standalone\configuration\ directory:

    • Add the following entry to the <interfaces> section:

      <interface name="any">
        <any-address/>
      </interface>

    • Enter the following value for the <default-interface> attribute in the <socket-binding-group> section: any

    • If port 8080 is unavailable: Change the port in the following line under <socket-binding-group>:

      <socket-binding name="http" port="${jboss.http.port:8080}"/>

  • Launch Keycloak using the file \keycloak\bin\standalone.bat.

    The file must be run as an administrator.

  • Open the Keycloak admin console: http://localhost:8080/

  • First create an administrator account.

For production use, we recommend that you connect Keycloak to a relational database management system (RDBMS) other than the embedded H2 database (the default). Keycloak provides a list of compatible, recommended RDBMSs.

Keycloak: Tenant and User

Keycloak requires a tenant and a user.

Users in Keycloak must also be entered in the yuuvis® RAD user administration.

Follow the steps below to create tenants and users:

  • Open the Keycloak admin console: http://localhost:8080/auth/admin

  • Create a new tenant by clicking Master > Add realm in the navigation area.

  • Create and save a user for the tenant by clicking User > Add user.

  • Enter a password on the Credentials tab on the user page, set Temporary to Off, and press Set Password to save.

Keycloak: Connecting to OpenResty

Follow the steps below to create a client for the connection:

  • Open the Keycloak admin console: http://localhost:8080/auth/admin

  • Open Clients in the navigation area and create a new client by clicking Clients > Create.

  • Enter a name in the Client ID field, add the OpenResty URL in the Root URL field, and press Save.

  • Make the following settings on the Settings tab on the client page:

    • Access Type > confidential

    • Authorization Enabled > ON

    • Valid redirect URIs > Sample: http://<OpenResty>/*

      All base URLs that redirect to OpenResty and yuuvis® RAD gateway must be entered using this format. You will also need to enter: http://127.0.0.1:*

  • Press Save to save the configuration.

You will need the following information in order to configure OpenResty:

  • The client ID
  • The secret (shown on the Credentials tab on the client page)
  • The OpenID endpoint configuration URL: click OpenID Endpoint Configuration in the Endpoints field on the General tab under Realm Settings. This URL, adapted to match the Keycloak host, is required for the OpenResty configuration file.
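As an added example that is not part of the yuuvis® RAD documentation, the following OpenResty server block shows where the three values above end up. It assumes the lua-resty-openidc module is installed, that Keycloak is reachable at <Keycloak>:8080 with the /auth prefix used on this page, and that the gateway accepts the authenticated user name in an X-Forwarded-User header (a placeholder; check what the gateway actually expects).

```nginx
# Added example, not from the yuuvis RAD documentation or the Keycloak project.
# Placeholders: <OpenResty>, <Keycloak>, <realm>, <client-id>, <client-secret>,
# <gateway-host>, <dns-server>. Requires the lua-resty-openidc module (assumed).
lua_shared_dict discovery 1m;   # caches the OpenID discovery document
lua_shared_dict jwks 1m;        # caches the realm's token signing keys
resolver <dns-server>;          # name resolution for the Lua HTTP client

server {
    listen 80;
    server_name <OpenResty>;

    location / {
        access_by_lua_block {
            local opts = {
                -- must match one of the client's "Valid redirect URIs"
                redirect_uri  = "http://<OpenResty>/redirect_uri",
                -- the URL copied from "OpenID Endpoint Configuration" in Keycloak
                discovery     = "http://<Keycloak>:8080/auth/realms/<realm>/.well-known/openid-configuration",
                -- client ID and secret from the client's Credentials tab
                client_id     = "<client-id>",
                client_secret = "<client-secret>",
                scope         = "openid",
                -- plain HTTP is only acceptable in a lab set-up; use HTTPS and
                -- ssl_verify = "yes" for production
                ssl_verify    = "no",
            }
            -- unauthenticated browsers are redirected to the Keycloak login page;
            -- on return the module validates the ID token and stores a session
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
            -- hand the user name to yuuvis RAD gateway; the user must also exist
            -- in the yuuvis RAD user administration (header name is an assumption)
            ngx.req.set_header("X-Forwarded-User", res.id_token.preferred_username)
        }
        proxy_pass http://<gateway-host>/;
    }
}
```

The ID token and session cookies forwarded by this set-up are what make the server.max-http-header-size increase described below necessary.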


The following setting in the application-prod.yml configuration file from the \config directory of yuuvis® RAD service-manager is also required:

  server.max-http-header-size: 1MB