...
The main elements to configure manually are:
Directive | Value
---|---
OIDCProviderMetadataURL | The URL of the realm's OpenID Connect discovery document on Keycloak, e.g. http://localhost:8080/auth/realms/heeadmin/.well-known/openid-configuration. mod_auth_openidc fetches the endpoints and token signing keys from here, so outside a local test it should be an HTTPS URL.
OIDCClientID | The Client ID of the client created when setting up Keycloak.
OIDCClientSecret | The secret for the client, from the client's Credentials tab. Keycloak generates a random value for you (a UUID in older releases); it is a password, so keep it out of version control.
OIDCRedirectURI | A URL inside the protected area that mod_auth_openidc handles itself (it must not point at real content) and that matches one of the Valid Redirect URIs registered on the Keycloak client.
ServerName | The virtual host name. If no ServerName matches the request's Host header, Apache falls back to the first virtual host defined for that address and port, so a mismatch can silently serve a different (possibly unprotected) site.
ProxyPass | The URL of the back-end application being protected.
ProxyPassReverse | The same value as ProxyPass. Apache uses it to rewrite the Location (and Content-Location and URI) headers of redirects coming back from the back end, so that a 302 points at the proxy rather than at the internal address.

mod_auth_openidc also requires OIDCCryptoPassphrase, which encrypts its state cookie and session data; set it to a long random string.
Setting up permissions
Access control rules can be put into the Apache config file to limit access to certain URLs to users with a given set of permissions (granted via groups).
...
Note that Apache's authorisation by default needs only one of the Require directives in a section to pass: directives not wrapped in another authorisation container are treated as if they were inside <RequireAny>, i.e. they are ORed. To enforce all of the claims at once (such as membership of two groups) put them in a <RequireAll> block.

Rules based on HTTP methods can be defined either with "Require method GET" or with a <Limit GET> section. Be careful with <Limit methods...>: it applies the contained rules only to the named methods and leaves every other method untouched, and a Require placed inside it still takes part in the surrounding OR, so a looser Require outside the block can let a write request through. Prefer <LimitExcept methods...>, which covers every method not listed (PUT, DELETE, PATCH and so on), or express the method condition with "Require method" inside <RequireAll>/<RequireAny>, where the combination is explicit. See the Apache documentation at https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html for further details on Require and https://httpd.apache.org/docs/2.4/mod/core.html#limit for details on Limit.
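The following virtual host ties the directives in the table above to the authorisation rules just described. It is an added example, not configuration from the original page: the hostname, port, Client ID, back-end address and the group names app-users and app-admins are assumptions, and it assumes the Keycloak client has a Group Membership protocol mapper that adds a groups claim to the ID token with "Full group path" switched off (with it on, the claim values are /app-users and so on).

```apache
# Added example: Apache 2.4 + mod_auth_openidc virtual host for the setup above.
# Apache does not accept comments after a directive on the same line, so every
# comment here sits on its own line.
<VirtualHost *:443>
    # Assumed hostname. TLS directives are omitted for brevity, but the session
    # cookie and the client secret must never travel over plain HTTP.
    ServerName app.example.com

    OIDCProviderMetadataURL http://localhost:8080/auth/realms/heeadmin/.well-known/openid-configuration
    # Assumed Client ID; the secret comes from the client's Credentials tab.
    OIDCClientID apache-app
    OIDCClientSecret REPLACE-WITH-CLIENT-SECRET
    # Handled by the module itself: must sit inside the protected area, must not
    # be a real page, and must be registered verbatim on the Keycloak client.
    OIDCRedirectURI https://app.example.com/protected/redirect_uri
    # Mandatory: encrypts the module's state cookie and session data.
    OIDCCryptoPassphrase REPLACE-WITH-LONG-RANDOM-STRING
    # Populate REMOTE_USER from the username rather than the opaque sub claim.
    OIDCRemoteUserClaim preferred_username

    # Everything under /protected/ needs a login AND membership of app-users,
    # hence RequireAll. Left bare, the two Requires would be ORed and any
    # logged-in user outside the group would get through.
    <Location /protected/>
        AuthType openid-connect
        <RequireAll>
            Require valid-user
            Require claim groups:app-users
        </RequireAll>
        # Assumed back-end. Inside <Location>, ProxyPass takes no path argument.
        ProxyPass http://127.0.0.1:8081/
        ProxyPassReverse http://127.0.0.1:8081/
    </Location>

    # Reports may be read by any app-user but changed only by app-admins:
    # "must be app-users AND (read-only method OR app-admins)".
    # The tempting flat form
    #     Require claim groups:app-users
    #     <LimitExcept GET HEAD OPTIONS>
    #         Require claim groups:app-admins
    #     </LimitExcept>
    # does NOT do this: both Requires sit in the implicit RequireAny, so a
    # POST from a plain app-user is still allowed by the first rule.
    <Location /protected/reports/>
        AuthType openid-connect
        <RequireAll>
            Require claim groups:app-users
            <RequireAny>
                Require method GET HEAD OPTIONS
                Require claim groups:app-admins
            </RequireAny>
        </RequireAll>
    </Location>
</VirtualHost>
```

Check the file with apachectl configtest before reloading; a typo in a Require line fails the syntax check rather than silently opening the location. Require method is part of mod_authz_core in Apache 2.4, and Require claim name:value matches an array-valued claim when any element equals the value.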
Automation
Keycloak has an admin REST API. The documentation for it is available at http://www.keycloak.org/docs/rest-api/index.html. The URLs below use the /auth context path of the WildFly-based Keycloak distributions; Keycloak 17 and later (the Quarkus distribution) drop it by default, so remove /auth from each URL on those versions.
Get an admin token
In order to use the admin REST API an admin token is required. This can be obtained as follows:
TOKEN=$(curl -s 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' -d "client_id=admin-cli&username=admin&password=admin&grant_type=password" | jq -r .access_token)
(jq is a JSON parser that can extract values from JSON. The -r parameter means "raw output" and removes the quotes from the returned value.) Two caveats: the admin password on the command line is visible in the process list and in shell history, so for anything beyond a throwaway local instance read it from a file or environment variable instead; and tokens issued to admin-cli in the master realm are short-lived (60 seconds by default), so fetch one immediately before a batch of calls rather than at the start of a long session.
Create a realm
A realm can be created from a JSON template and added using the following:
curl -i 'http://localhost:8080/auth/admin/realms' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN" -d '{"realm":"newrealm", "enabled":true}'
Keycloak answers 201 Created with an empty body; the URL of the new realm is returned in the HTTP Location header (a 409 Conflict means the realm already exists).
Create a group
curl -i 'http://localhost:8080/auth/admin/realms/newrealm/groups' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN" -d '{"name":"groupA"}'
Create a client
curl -i 'http://localhost:8080/auth/admin/realms/newrealm/clients' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN" -d '{"clientId":"newclient","redirectUris":["http://localhost:8080/*"], "secret":"longpassword"}'
This will return the URL of the new client as an HTTP Location header. Two values in this body deserve more care in anything but a local test: use a long random secret (for example from openssl rand -hex 32) rather than a memorable string, and register the exact OIDCRedirectURI of the Apache instance rather than a wildcard. Keycloak checks the redirect_uri of every authorisation request against this list, and a broad pattern lets anyone who controls a page under it receive authorisation codes.
Create a user
To create a new user, here with two custom attributes (emp_num and NTN) that can later be exposed as token claims through a User Attribute mapper on the client:
curl -i 'http://localhost:8080/auth/admin/realms/newrealm/users' -H "Content-Type: application/json" -H "Authorization: bearer $TOKEN" -d '{"username":"foo5@example.com","enabled":true,"email":"foo5@example.com","attributes":{"emp_num":["1125"],"NTN":["245/FGS/819"]}}'
Adding and removing groups from a user
Group membership is keyed by Keycloak's internal ids, not by names: {id} is the user's id and {groupId} the group's id, both UUIDs. Each is returned in the Location header when the object is created, or can be looked up afterwards with GET /admin/realms/{realm}/users?username=... and GET /admin/realms/{realm}/groups respectively. Use these calls, prefixed with http://localhost:8080/auth and carrying the same Authorization header as above; both take no body and return 204 No Content:
- PUT /admin/realms/{realm}/users/{id}/groups/{groupId} adds the user to the group
- DELETE /admin/realms/{realm}/users/{id}/groups/{groupId} removes the user from the group
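The whole procedure in this section (get a token, create the realm, group, client and user, then put the user in the group) as one POSIX shell script. This is an added example and not the page's or Keycloak's own code. It assumes Keycloak with the legacy /auth prefix at KC_URL, master-realm admin credentials in KC_ADMIN_USER and KC_ADMIN_PASS, an assumed redirect URI of https://app.example.com/protected/redirect_uri, and curl, jq and openssl on PATH; every call uses the same REALM variable.

```shell
#!/bin/sh
# Added example, not from the original page: drives the Keycloak admin REST API
# end to end for one realm. Run as:  KC_ADMIN_PASS=... ./kc-setup.sh apply
set -eu

KC_URL="${KC_URL:-http://localhost:8080/auth}"        # assumed location
REALM="${REALM:-newrealm}"
# Exact redirect URI of the mod_auth_openidc instance (assumed), not a wildcard.
REDIRECT_URI="${REDIRECT_URI:-https://app.example.com/protected/redirect_uri}"
TOKEN=""

# Pull the new object's id out of a `curl -i` response: Keycloak answers
# 201 Created with an empty body and the object's URL in Location.
# CRs are stripped first so that sed's $ anchor sees the end of the header.
id_from_location() {
    tr -d '\r' | sed -n 's#^[Ll]ocation: .*/\([^/]*\)$#\1#p' | head -n 1
}

# Password grant against the master realm's admin-cli client. The form body
# reaches curl on stdin, so the admin password never shows up in `ps`.
# The value is sent as-is: percent-encode it if it contains & % or +.
admin_token() {
    body=$(printf 'client_id=admin-cli&grant_type=password&username=%s&password=%s' \
            "${KC_ADMIN_USER:-admin}" "${KC_ADMIN_PASS:?set KC_ADMIN_PASS}" |
        curl -sS --fail "$KC_URL/realms/master/protocol/openid-connect/token" -d @-)
    printf '%s' "$body" | jq -r .access_token
}

# POST a JSON representation to a path below /admin and print the new id.
# --fail turns 409 Conflict (object already exists) into a non-zero exit, which
# set -e treats as fatal instead of carrying on with an empty id. The response
# is captured before parsing so that curl's exit status is not masked by a pipe.
kc_create() {
    resp=$(curl -sS -i --fail "$KC_URL/admin/$1" \
        -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
        -d "$2")
    printf '%s\n' "$resp" | id_from_location
}

# Internal id of an existing user by exact username: the search endpoint is a
# prefix match, so the exact comparison is done client-side with jq.
find_user_id() {
    users=$(curl -sS --fail "$KC_URL/admin/realms/$REALM/users?username=$1" \
        -H "Authorization: Bearer $TOKEN")
    printf '%s' "$users" | jq -r --arg u "$1" '.[] | select(.username == $u) | .id'
}

main() {
    # admin-cli tokens are short-lived (60 s by default): fetch one right
    # before the batch of calls.
    TOKEN=$(admin_token)

    kc_create "realms" "{\"realm\":\"$REALM\",\"enabled\":true}" >/dev/null

    group_id=$(kc_create "realms/$REALM/groups" '{"name":"groupA"}')

    # Confidential client with a random secret; it is printed once at the end
    # for the operator to paste into OIDCClientSecret.
    secret=$(openssl rand -hex 32)
    kc_create "realms/$REALM/clients" "{\"clientId\":\"newclient\",
        \"publicClient\":false,\"standardFlowEnabled\":true,
        \"secret\":\"$secret\",\"redirectUris\":[\"$REDIRECT_URI\"]}" >/dev/null

    user_id=$(kc_create "realms/$REALM/users" '{"username":"foo5@example.com",
        "enabled":true,"email":"foo5@example.com",
        "attributes":{"emp_num":["1125"],"NTN":["245/FGS/819"]}}')
    # For a user that already exists, use: user_id=$(find_user_id foo5@example.com)

    # Membership is keyed by the two ids, not by names: PUT with an empty body,
    # 204 No Content on success. DELETE on the same URL removes the user again.
    curl -sS --fail -X PUT -H 'Content-Length: 0' \
        -H "Authorization: Bearer $TOKEN" \
        "$KC_URL/admin/realms/$REALM/users/$user_id/groups/$group_id"

    printf 'realm=%s group=%s user=%s client_secret=%s\n' \
        "$REALM" "$group_id" "$user_id" "$secret"
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

Nothing is sent unless the script is invoked with apply, so it can be sourced to reuse the helper functions. Every identifier the later calls need (group id, user id) comes from the Location header of the call that created the object, which is also why a 409 from an existing object has to stop the run rather than be ignored: there would be no id to continue with.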