https://github.com/cloudforet-io/plugin-keycloak-identity-auth
Keycloak OpenID Connector
- Host: GitHub
- URL: https://github.com/cloudforet-io/plugin-keycloak-identity-auth
- Owner: cloudforet-io
- License: apache-2.0
- Created: 2022-09-05T01:14:29.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2024-03-21T16:37:09.000Z (about 2 years ago)
- Last Synced: 2025-03-26T07:04:55.627Z (about 1 year ago)
- Topics: auth, identity, plugin
- Language: Python
- Homepage:
- Size: 764 KB
- Stars: 4
- Watchers: 4
- Forks: 6
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: SECURITY.md
README
# plugin-keycloak-identity-auth
Plugin for Keycloak OpenID Connector
# Tested Keycloak version
| Version | Status |
| --- | --- |
| 21.1.0 | Tested |
# Configuration
> The ***openid-configuration*** URL depends on the Keycloak version. From 17.0.0 on, the ***/auth*** path segment after the base URL is gone (Keycloak dropped its default context path), so both the discovery URL and the realm issuer change. Use the format for your version; the wrong one simply does not resolve.
| Version | openid-configuration URL format |
| --- | --- |
| 17.0.0 ~ | https://{keycloak_host}/realms/{realm}/.well-known/openid-configuration |
| ~ 16.1.0 | https://{keycloak_host}/auth/realms/{realm}/.well-known/openid-configuration |
~~~python
# options: non-secret plugin settings used for the browser login flow.
options = {
    # Discovery URL of the realm; pick the version-specific format from the table above.
    'openid-configuration': 'https://{keycloak_host}/realms/{realm}/.well-known/openid-configuration',
    'auth_type': 'keycloak_oidc',
    'client_id': 'CLIENT ID for login',   # client the login redirect is issued for
    'field_mapper': {...},                # see Field Mapper below
    'verify': True                        # verify the Keycloak TLS certificate (keep True)
}
# secret_data: stored as a secret. A separate confidential client that the plugin
# uses to look users up (Auth.find) through the admin endpoint in the metadata.
secret_data = {
    'client_id': 'CLIENT ID for find users',
    'client_secret': 'client secret text'
}
~~~
## Field Mapper
The `field_mapper` option controls which Keycloak user field is copied into each field of the plugin's user record (`user_id`, `name`, `email`). Keys are the plugin's user fields; values are Keycloak fields from the list below.
## Verify
If you set `verify` to `False`, the Keycloak server's TLS certificate is not verified. Leave it `True` outside of local testing: without verification, anyone who can intercept the connection between the plugin and Keycloak can impersonate the server and capture the client secret and the tokens exchanged during login. If Keycloak uses a private CA, install that CA in the plugin's trust store instead of disabling verification.
### Default Settings
~~~python
# field_mapper is optional; these are the defaults (plugin user field: Keycloak field)
{
    'field_mapper': {
        'user_id': 'username',
        'name': 'name',
        'email': 'email'
    }
}
~~~
### Available Keycloak Fields
* username
* email
* firstName
* lastName
* name: `{firstName} {lastName}`
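The mapping above is easy to get subtly wrong (an empty composite `name`, a `user_id` that resolves to nothing, a typo in a Keycloak field name). The following is an added example written for this page, not the plugin's own code, showing one way to apply a `field_mapper` with those cases handled. It assumes the Keycloak user record is shaped like the admin REST API's UserRepresentation (`username`, `email`, `firstName`, `lastName`); the sample record is constructed, not real data.

```python
"""Added example (not the plugin's own code): applying a field_mapper.

Assumes a Keycloak user record shaped like the admin REST API's
UserRepresentation (username, email, firstName, lastName).
"""
from typing import Dict, Mapping, Optional

# Defaults from the README: plugin user field -> Keycloak field.
DEFAULT_FIELD_MAPPER: Dict[str, str] = {
    "user_id": "username",
    "name": "name",
    "email": "email",
}

# Keycloak fields the README lists as available; "name" is synthesised.
AVAILABLE_KEYCLOAK_FIELDS = frozenset(
    {"username", "email", "firstName", "lastName", "name"}
)


def resolve_keycloak_field(user: Mapping[str, object], field: str) -> str:
    """Return one Keycloak field as a string, or "" if the user lacks it."""
    if field not in AVAILABLE_KEYCLOAK_FIELDS:
        raise ValueError(f"unsupported Keycloak field: {field!r}")
    if field == "name":
        # name is "{firstName} {lastName}"; strip so a missing half leaves no stray space.
        first = str(user.get("firstName") or "")
        last = str(user.get("lastName") or "")
        return f"{first} {last}".strip()
    value = user.get(field)
    return "" if value is None else str(value)


def map_user(user: Mapping[str, object],
             field_mapper: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Build the plugin-side user record from a Keycloak record via field_mapper.

    Fields not named in field_mapper keep their default source. user_id must
    resolve to a non-empty value because it identifies the account downstream,
    so an empty one is rejected rather than silently mapped.
    """
    mapper = {**DEFAULT_FIELD_MAPPER, **dict(field_mapper or {})}
    unknown = sorted(set(mapper) - set(DEFAULT_FIELD_MAPPER))
    if unknown:
        raise ValueError(f"field_mapper names unknown user fields: {unknown}")
    mapped = {dst: resolve_keycloak_field(user, src) for dst, src in mapper.items()}
    if not mapped["user_id"]:
        raise ValueError(f"user_id source {mapper['user_id']!r} is empty for this user")
    return mapped


# Constructed sample record (not real data).
SAMPLE_USER = {
    "id": "f1b2c3d4-0000-4000-8000-000000000001",
    "username": "jdoe",
    "email": "jdoe@example.com",
    "firstName": "Jane",
    "lastName": "Doe",
}

if __name__ == "__main__":
    print(map_user(SAMPLE_USER))
    print(map_user(SAMPLE_USER, {"user_id": "email", "name": "firstName"}))
```

Mapping `user_id` to `email` is tempting but only safe if the realm enforces unique, verified e-mail addresses; otherwise two Keycloak accounts can collapse into one plugin user, which is why the example refuses an empty `user_id` but cannot detect a duplicate one.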
## Example
To enable the keycloak-oidc plugin, call the identity.Domain.change_auth_plugin API, for example with spacectl:
~~~bash
spacectl exec change_auth_plugin identity.Domain -f keycloak.yaml
~~~
Example YAML file (see https://github.com/spaceone-dev/plugin-keycloak-oidc/wiki/Keycloak-configuration-example for the matching Keycloak-side setup):
~~~yaml
plugin_info:
  options:
    auth_type: keycloak_oidc
    # Keycloak 17+ format; add /auth before /realms for 16.1.0 and older
    openid-configuration: https://sso.example.com/realms/test-domain/.well-known/openid-configuration
    client_id: test_client_id            # client used for login
  plugin_id: plugin-keycloak-identity-auth
  secret_data:
    client_id: test_client_id2           # confidential client used to find users
    client_secret: 11111111-1111-1111-1111-111111111111   # placeholder, not a real secret
  version: '1.0'
~~~
# Auth.init
Auth.init reads the realm's openid-configuration document and returns its endpoints as plugin metadata. The response looks like this:
~~~python
{
'metadata': {
'authorization_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/auth',
'end_session_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/logout',
'issuer': 'https://sso.example.com/realms/MY_DOMAIN',
'token_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/token',
'userinfo_endpoint': 'https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect/userinfo',
'realm': 'MY_DOMAIN',
'user_find_url': 'https://sso.example.com/admin/realms/MY_DOMAIN/user'
}
}
~~~
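The metadata above is only as trustworthy as the discovery document it was built from. The following is an added example written for this page, not the plugin's own code, showing how to derive that metadata shape from an openid-configuration document while applying the checks an OpenID relying party should make first: the issuer must equal the configuration URL minus the well-known suffix, and every endpoint must be HTTPS on the issuer's host. It handles both URL layouts from the Configuration section (`/realms/...` from 17.0.0, `/auth/realms/...` before). The document is constructed to resemble what Keycloak serves, not fetched from anywhere; `user_find_url` is an assumption (Keycloak's admin REST API lists users under `/admin/realms/{realm}/users`, which differs from the `/user` path shown above).

```python
"""Added example (not the plugin's own code): build Auth.init-style metadata
from an openid-configuration document after validating it."""
import json
from typing import Dict, Tuple
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "end_session_endpoint")


def split_keycloak_issuer(issuer: str) -> Tuple[str, str]:
    """Return (context path, realm) from a Keycloak issuer URL.

    'https://h/realms/r'      -> ('', 'r')        Keycloak 17.0.0 and later
    'https://h/auth/realms/r' -> ('/auth', 'r')   Keycloak 16.1.0 and earlier
    """
    parts = urlsplit(issuer).path.rstrip("/").split("/")
    if len(parts) < 3 or parts[-2] != "realms" or not parts[-1]:
        raise ValueError(f"not a Keycloak realm issuer: {issuer!r}")
    return "/".join(parts[:-2]), parts[-1]


def build_init_metadata(config_url: str, config_json: str) -> Dict[str, str]:
    """Validate a discovery document retrieved from config_url; return metadata."""
    if not config_url.endswith(WELL_KNOWN):
        raise ValueError("openid-configuration URL must end with " + WELL_KNOWN)
    cfg = json.loads(config_json)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"openid-configuration is missing {missing}")

    # OIDC Discovery rule: issuer == configuration URL without the well-known
    # suffix. A document failing this could steer logins and token exchange to
    # endpoints the operator never configured.
    expected_issuer = config_url[: -len(WELL_KNOWN)]
    issuer = cfg["issuer"]
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer {issuer!r} != {expected_issuer!r}")

    # Every endpoint must be https and on the issuer's host.
    origin = urlsplit(issuer)
    if origin.scheme != "https":
        raise ValueError("issuer must be https")
    for key in REQUIRED_KEYS[1:]:
        ep = urlsplit(cfg[key])
        if ep.scheme != "https" or ep.netloc != origin.netloc:
            raise ValueError(f"{key} {cfg[key]!r} is not on {origin.netloc}")

    context_path, realm = split_keycloak_issuer(issuer)
    return {
        "authorization_endpoint": cfg["authorization_endpoint"],
        "end_session_endpoint": cfg["end_session_endpoint"],
        "issuer": issuer,
        "token_endpoint": cfg["token_endpoint"],
        "userinfo_endpoint": cfg["userinfo_endpoint"],
        "realm": realm,
        # Assumption: user lookup uses Keycloak's admin REST API, whose users
        # collection is {context}/admin/realms/{realm}/users. The plugin's own
        # user_find_url may be formed differently.
        "user_find_url": f"https://{origin.netloc}{context_path}/admin/realms/{realm}/users",
    }


# Constructed discovery document for a Keycloak 17+ realm (sample, not fetched).
SAMPLE_CONFIG_URL = "https://sso.example.com/realms/MY_DOMAIN" + WELL_KNOWN
_OIDC = "https://sso.example.com/realms/MY_DOMAIN/protocol/openid-connect"
SAMPLE_CONFIG = json.dumps({
    "issuer": "https://sso.example.com/realms/MY_DOMAIN",
    "authorization_endpoint": _OIDC + "/auth",
    "token_endpoint": _OIDC + "/token",
    "userinfo_endpoint": _OIDC + "/userinfo",
    "end_session_endpoint": _OIDC + "/logout",
    "jwks_uri": _OIDC + "/certs",
})

if __name__ == "__main__":
    print(json.dumps(build_init_metadata(SAMPLE_CONFIG_URL, SAMPLE_CONFIG), indent=2))
```

The issuer comparison is the important one: the value in the discovery document is also what ID tokens carry in their `iss` claim, so pinning it here is what makes later token validation meaningful. In production the document would be fetched over TLS with certificate verification on (the `verify` option above), which is what makes these checks worth anything.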
# Release Note
## Version 1.4
- Support new openid-configuration endpoint (keycloak: 17.0.0 ~)
## Version 1.3
- Add 'field_mapper' option to change fields for authenticated users.
## Version 1.0
- Support the new Auth API:
  - Auth.init
  - Auth.verify
  - Auth.find
  - Auth.login