Keycloak as the Identity Provider

yuuvis® RAD 8.x »

For authentication, an identity provider such as Keycloak can be connected to the yuuvis® RAD gateway via OpenID Connect/OAuth2, with a reverse proxy such as OpenResty sitting between the clients and the gateway and performing the login flow against Keycloak.

The basic steps required to install and configure Keycloak for this scenario are described here.

Installing Keycloak

To install Keycloak, follow these steps:

  • Download the latest version at https://www.keycloak.org/downloads and unzip the file in a directory.

  • Customize the standalone.xml configuration file in the \standalone\configuration\ directory:

    • Add the following entry to the <interfaces> section:

      <interface name="any">
          <any-address/>
      </interface>

      This makes Keycloak listen on every network interface of the host, so only do it on a host that is otherwise shielded by a firewall or network segmentation. If OpenResty runs on the same host, the default loopback binding is sufficient and this step can be skipped.

    • In the <socket-binding-group> section, set the default-interface attribute to any.

    • If port 8080 is unavailable, change the port in the following line under <socket-binding-group>:

      <socket-binding name="http" port="${jboss.http.port:8080}"/>

  • Launch Keycloak with \keycloak\bin\standalone.bat. The file must be run as an administrator.

  • Open http://localhost:8080/ in a browser and first create the administrator account on the welcome page (Keycloak only allows this from the local host). The admin console is then available at http://localhost:8080/auth/admin.

For production use, we recommend connecting Keycloak to a relational database management system (RDBMS) instead of the embedded H2 database it uses by default, which is intended for development only. The Keycloak documentation lists the supported RDBMSs.

Keycloak: Tenant and User

Keycloak requires a realm (Keycloak's term for a tenant) and at least one user in it.

Every Keycloak user must also exist in the yuuvis® RAD user administration.

Follow the steps below to create the realm and a user:

  • Open the Keycloak admin console: http://localhost:8080/auth/admin

  • Create a new realm: in the navigation area, open the realm drop-down (Master) and click Add realm.

  • In the new realm, create and save a user via Users > Add user.

  • On the Credentials tab of the user page, enter a password, set Temporary to Off (otherwise the user is forced to change the password at first login), and click Set Password.

Keycloak: Connecting to OpenResty

Follow the steps below to create a client for the OpenResty connection:

  • Open the Keycloak admin console: http://localhost:8080/auth/admin

  • Select the realm created above and create a new client via Clients > Create.

  • Enter a name in the Client ID field, enter the OpenResty URL in the Root URL field, and click Save.

  • Make the following settings on the Settings tab of the client page:

    • Access Type > confidential (the client authenticates to Keycloak with a secret, which OpenResty keeps server-side)

    • Authorization Enabled > ON

    • Valid Redirect URIs > Format: http://<OpenResty>/*

      All base URLs that redirect to OpenResty and the yuuvis® RAD gateway must be entered in this format. You will also need to enter: http://127.0.0.1:*

      Keycloak only redirects authorization codes to URIs matching these patterns, so keep them as narrow as the deployment allows; every additional wildcard widens the set of destinations an attacker could have a code sent to.

  • Click Save to save the configuration.

You will need the following information to configure OpenResty:

  • The client ID
  • The secret (shown on the Credentials tab of the client page)
  • The OpenID Connect discovery URL: under Realm Settings, on the General tab, click OpenID Endpoint Configuration in the Endpoints field. For this Keycloak distribution it has the form http://<Keycloak host>:8080/auth/realms/<realm>/.well-known/openid-configuration. The console generates it from the host name you are browsing with, so adapt it to the Keycloak host name that OpenResty actually reaches before entering it in the OpenResty configuration file.
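
The console steps of the two sections above (realm and user, then the confidential client), as an added example script that is not part of yuuvis® RAD or of Keycloak's documentation: it provisions the same objects with Keycloak's admin CLI kcadm.sh from the bin directory of the Keycloak installation and prints the three values OpenResty needs. The realm name yuuvis, the user jdoe, the client ID openresty and the host names are placeholders to adapt, and the /auth base path assumes the WildFly-based Keycloak distribution this page describes (Keycloak 17 and later drop it by default). The helper functions run without a Keycloak server; the provisioning step only runs when the script is invoked with the argument provision.

```shell
#!/bin/sh
# Added example: provision the realm, user and confidential client described
# on this page with kcadm.sh instead of the admin console. Not part of
# yuuvis RAD or Keycloak; all names and URLs below are placeholders.
set -eu

KC_URL="${KC_URL:-http://localhost:8080/auth}"      # Keycloak base URL (legacy /auth path)
KC_ADMIN="${KC_ADMIN:-admin}"                        # admin account created on first start
REALM="${REALM:-yuuvis}"                             # realm, i.e. the "tenant" of this page
APP_USER="${APP_USER:-jdoe}"                         # must also exist in yuuvis RAD user administration
CLIENT_ID="${CLIENT_ID:-openresty}"
OPENRESTY_URL="${OPENRESTY_URL:-http://openresty.example.com}"
KCADM="${KCADM:-kcadm.sh}"                           # path to <keycloak>/bin/kcadm.sh

# Discovery URL OpenResty needs: <base>/realms/<realm>/.well-known/openid-configuration
discovery_url() {
    printf '%s/realms/%s/.well-known/openid-configuration\n' "$1" "$2"
}

# JSON array of valid redirect URIs: the proxy's own URLs plus the loopback
# entry this page calls for. Keep it as tight as the deployment allows;
# every wildcard is a place an authorization code could be redirected to.
redirect_uris_json() {
    printf '["%s/*","http://127.0.0.1:*"]\n' "$1"
}

# Pull the secret out of kcadm's clients/<id>/client-secret output, which
# looks like {"type":"secret","value":"..."} (sed only, no jq required).
secret_from_json() {
    printf '%s\n' "$1" | sed -n 's/.*"value" *: *"\([^"]*\)".*/\1/p'
}

provision() {
    # Interactive login (prompts for the admin password); kcadm caches the
    # session in ~/.keycloak/kcadm.config for the following calls.
    "$KCADM" config credentials --server "$KC_URL" --realm master --user "$KC_ADMIN"

    "$KCADM" create realms -s realm="$REALM" -s enabled=true

    "$KCADM" create users -r "$REALM" -s username="$APP_USER" -s enabled=true
    # Non-temporary password, i.e. "Temporary = Off" in the console.
    "$KCADM" set-password -r "$REALM" --username "$APP_USER" --new-password "$APP_USER_PASSWORD"

    # Confidential client (Access Type = confidential) with authorization
    # services enabled, as on the page. -i prints only the new client's id.
    cid=$("$KCADM" create clients -r "$REALM" -i \
        -s clientId="$CLIENT_ID" \
        -s enabled=true \
        -s publicClient=false \
        -s rootUrl="$OPENRESTY_URL" \
        -s serviceAccountsEnabled=true \
        -s authorizationServicesEnabled=true \
        -s "redirectUris=$(redirect_uris_json "$OPENRESTY_URL")")

    secret_json=$("$KCADM" get "clients/$cid/client-secret" -r "$REALM")

    # The three values the OpenResty configuration file needs.
    echo "client_id:     $CLIENT_ID"
    echo "client_secret: $(secret_from_json "$secret_json")"
    echo "discovery:     $(discovery_url "$KC_URL" "$REALM")"
}

# Run only when asked, e.g.: APP_USER_PASSWORD='...' sh provision.sh provision
if [ "${1:-}" = provision ]; then
    : "${APP_USER_PASSWORD:?set APP_USER_PASSWORD in the environment}"
    provision
fi
```

The user's password is taken from the environment rather than a command-line argument so it does not end up in the process list or shell history; the client secret is generated by Keycloak and only printed once, so store it in the OpenResty configuration and nowhere else.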


The following setting is also required in the application-prod.yml configuration file in the \config directory of yuuvis® RAD service-manager. It raises the accepted HTTP header size, because the request headers that OpenResty forwards to the gateway carry the Keycloak tokens and can exceed the default limit:

  server.max-http-header-size: 1MB