https://github.com/entando/entando-keycloak-plugin
Entando Plugin to connect to keycloak
Last synced: 11 months ago
- Host: GitHub
- URL: https://github.com/entando/entando-keycloak-plugin
- Owner: entando
- License: lgpl-3.0
- Created: 2019-04-17T18:37:58.000Z (about 7 years ago)
- Default Branch: develop
- Last Pushed: 2025-06-12T14:52:45.000Z (about 1 year ago)
- Last Synced: 2025-07-13T14:45:50.616Z (12 months ago)
- Language: Java
- Homepage: https://dev.entando.org
- Size: 1.14 MB
- Stars: 0
- Watchers: 5
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Entando Keycloak Plugin
Keycloak Integration for Entando Core - Gives SSO capabilities and also has User Management through Keycloak.
For more information and documentation visit: https://dev.entando.org, or https://forum.entando.org. Or for the latest news or product information please visit the main website: https://www.entando.com.
The information below is for building from source or running locally as a contributor or developer on the plugin itself. See the links above for general documentation and usage.
## Scope
### What this plugin does
* Enables SSO capabilities to an Entando Instance by using Keycloak.
* Moves User Management to Keycloak.
### What this plugin does not do
This plugin doesn't come with Role and Group management, because the Entando Core roles/groups model isn't compatible with Keycloak. That means that even with the same users across multiple Entando instances, the role and group mappings have to be configured on each instance.
## Properties
>- `keycloak.enabled`: Enables this plugin. (The default is `false`)
>- `keycloak.auth.url`: It's the Keycloak auth url. Example: `https://is.yourdomain.com/auth`. (The default is `http://localhost:8081/auth`)
>- `keycloak.realm`: The keycloak realm. See https://www.keycloak.org/docs/3.2/server_admin/topics/overview/concepts.html . (The default is `entando`)
>- `keycloak.client.id`: The keycloak confidential client id. (The default is `entando-app`)
>- `keycloak.client.secret`: The secret from the keycloak client. (The default is empty)
>- `keycloak.public.client.id`: The second keycloak client, this one must be public. (The default is `entando-web`)
>- `keycloak.secure.uris`: **[OPTIONAL]** Use if you want to secure an endpoint. Works with wildcards, comma separated.
>- `keycloak.authenticated.user.default.authorizations`: **[OPTIONAL]** Use if you want to automatically assign `group:role` to any user that logs in, comma separated. Example: `administrators:admin,readers`
## Installing
### Installing on your project
First add the `entando-keycloak-auth` dependency to your `pom.xml`:
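```xml
<dependency>
    <groupId>org.entando.entando</groupId>
    <artifactId>entando-keycloak-auth</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <type>war</type>
</dependency>
```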
### Edit web.xml
For OAuth2 to work properly, change the springDispatcher `contextConfigLocation`: replace the regular `classpath:spring/web/servlet-context.xml` entry with the Keycloak one, `classpath:spring/web/servlet-context-keycloak.xml`.
Here is what it should look like:
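```xml
<servlet>
    <servlet-name>springDispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/web/servlet-context-keycloak.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```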
### Edit systemParams.properties
Then open `systemParams.properties` and add the Keycloak configuration:
```properties
keycloak.enabled=true
keycloak.auth.url=${KEYCLOAK_AUTH_URL:http://localhost:8081/auth}
keycloak.realm=${KEYCLOAK_REALM:entando-development}
keycloak.client.id=${KEYCLOAK_CLIENT_ID:entando-core}
keycloak.client.secret=${KEYCLOAK_CLIENT_SECRET:930837f0-95b2-4eeb-b303-82a56cac76e6}
keycloak.public.client.id=${KEYCLOAK_PUBLIC_CLIENT_ID:entando-web}
keycloak.secure.uris=/api/plugins/cms/contents/*/model/*,/api/pwa/notifications/*
keycloak.authenticated.user.default.authorizations=administrators:admin,readers
```
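A pre-deployment check for the settings above, as an added example that is not part of the plugin or its README. It reads `${NAME:default}` as "environment variable NAME, else default" and treats the role `admin` as privileged (both assumptions), and flags a secret stored in the file, a non-HTTPS `keycloak.auth.url` on a non-local host, and default authorizations that give a privileged role to every authenticated user; the sample input is constructed.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample modelled on the systemParams.properties above (placeholder secret).
SAMPLE = """\
keycloak.enabled=true
keycloak.auth.url=${KEYCLOAK_AUTH_URL:http://idp.example.test/auth}
keycloak.client.secret=${KEYCLOAK_CLIENT_SECRET:PLACEHOLDER-SECRET}
keycloak.authenticated.user.default.authorizations=administrators:admin,readers
"""

PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::(.*))?\}$")
PRIVILEGED_ROLES = {"admin"}          # assumption: role names treated as privileged
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse(text):
    """Map each key to (env_var_or_None, literal_value_or_fallback)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = PLACEHOLDER.match(value)
        props[key] = (m.group(1), m.group(2) or "") if m else (None, value)
    return props

def lint(text, env=None):
    """Return finding codes for the keycloak.* settings after resolving placeholders."""
    env = os.environ if env is None else env
    props = parse(text)
    val = {k: (env.get(n, d) if n else d) for k, (n, d) in props.items()}
    if val.get("keycloak.enabled", "false").lower() != "true":
        return []                      # plugin disabled, nothing to check
    findings = []
    if props.get("keycloak.client.secret", (None, ""))[1]:
        findings.append("secret-in-file")      # literal or fallback secret lives in the file
    if not val.get("keycloak.client.secret"):
        findings.append("empty-secret")
    url = urlparse(val.get("keycloak.auth.url", "http://localhost:8081/auth"))
    if url.scheme != "https" and url.hostname not in LOCAL_HOSTS:
        findings.append("insecure-auth-url")   # Keycloak traffic would be unencrypted
    grants = val.get("keycloak.authenticated.user.default.authorizations", "")
    for grant in filter(None, (g.strip() for g in grants.split(","))):
        if grant.partition(":")[2] in PRIVILEGED_ROLES:
            findings.append("privileged-default:" + grant)
    return findings
```

Call `lint(open("systemParams.properties").read())` in a build step and fail the build when the returned list is not empty.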
## Keycloak Setup
To set up Keycloak to work with an Entando instance, refer to the documentation here: https://github.com/entando/entando-keycloak-plugin/wiki/Setup-Keycloak
## Keycloak Standard Flow
To enable the standard flow to keep sessions between Entando instances, refer to the documentation here:
https://github.com/entando/entando-keycloak-plugin/wiki/Enable-Standard-Flow-for-Keycloak-Login
## Known issues
### org.apache.log4j.spi.LoggerFactory
If you run into the following exception:
```java
Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/spi/LoggerFactory
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74)
at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137)
at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:59)
... 82 more
```
It might be a dependency conflict. To fix this issue, add the following dependency to your `pom.xml` file:
```xml
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>
```
## Testing
To run unit tests:
```
$ mvn test
```
Some tests run against a real Keycloak instance, so you have to start Keycloak before running them:
```
$ docker-compose -f keycloak/docker-compose.yml up -d
$ mvn failsafe:integration-test
```