-
-
Notifications
You must be signed in to change notification settings - Fork 331
Keycloak
Keycloak and mod_auth_openidc is a great fit for self hosted authentication with user administration. Official docs contains a guide.
One can use mod_auth_openidc as an OpenID Connect Relying Party with Keycloak, which is described hereafter, or one can use it as an OAuth 2.0 Resource Server, whose setup is described at https://github.com/pingidentity/mod_auth_openidc/wiki/OAuth-2.0-Resource-Server#keycloak.
There's a sample setup for local OpenID Connect testing using Docker at https://github.com/Reposoft/openidc-keycloak-test.
You create an openid-connect type "client" in your Keycloak realm. Set access type to "Confidential", get a secret, put that secret in a conf with something like:
OIDCProviderMetadataURL https://keycloak.example.net/auth/realms/Testrealm/.well-known/openid-configuration
OIDCRedirectURI https://myserver.example.not/oauth2callback
OIDCCryptoPassphrase 0123456789
OIDCClientID testclient
OIDCClientSecret ca446a2d-a65f-4e84-95a7-d20eb36989d8
# See https://github.com/Reposoft/openidc-keycloak-test/issues/7
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCRemoteUserClaim email
OIDCScope "openid email"
Without an OICDRemoteUserClaim you'd get usernames like [user-uuid]@[keycloak-realm-url] which is unuseful. E-mail works well with Keycloak: user@example.net can authenticate as both user and the full address.
Single Sign On (SSO) works. Just duplicate your config in multiple VirtualHosts or httpd instances and modify the OIDCRedirectURI accordingly. You can add multiple "Valid Redirect URIs" in the Keycloak admin ui.