Keycloak Setup
By default variantgrid uses Django's built-in authentication, but it can be configured to use OpenID Connect.
(Note that at the time of writing the code changes have not yet been merged into the master branch; check back later before this becomes relevant.)
We have used Keycloak for our default installation.
Install Keycloak https://www.keycloak.org/docs/latest/getting_started/index.html
As we typically terminate SSL in nginx and proxy plain HTTP requests through to Keycloak, you'll need to edit standalone.xml so Keycloak trusts the forwarded client address and scheme:
Modify standalone.xml and add the proxy-address-forwarding="true" attribute to the <http-listener> element under <server>.
See https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
Make a new database on your database server called keycloak.
Follow the instructions at the link below to configure Keycloak for PostgreSQL (rather than the default H2 database): https://www.keycloak.org/docs/9.0/server_installation/index.html#postgresql-database
Instructions for setting up Keycloak as a service can be found under the Keycloak install directory in /docs/contrib/scripts/systemd, but all the scripts refer to WildFly (the application server Keycloak runs in). This is pretty confusing, so it is best to change all references to keycloak. Also keep in mind that the scripts include a step for downloading WildFly, whereas you have most likely already downloaded Keycloak, so skip that step.
Create a Realm (a realm is a silo of users and applications; adding a user to realm 1 is completely independent of adding them to realm 2). The realm we have gone for is "AGHA".
If this is on a test/dev machine, you'll need to set "Require SSL" to "none" on the realm's Login tab and hit "Save".
For a production server you'll want to provide "Forgot password" functionality, potentially "Verify email", and then set up the connection to the email server.
Create a client for variantgrid; there will be one client per application that needs the login. Set Access Type to "confidential".
Set Valid Redirect URLs to * (Keycloak treats "*" as matching any redirect URI, so on a production server you may want to restrict this to the variantgrid host).
Set Base URL, Admin URL and Web Origins to the root of the URL hosting variantgrid.
In Credentials choose a "Client Authenticator" of "Client Id and Secret", and copy the secret, as you'll need to add it to variantgrid so it can authenticate itself against Keycloak. Ensure Standard Flow is on and Direct Access Grants is enabled.
Mappers allow us to send more data than just the absolute basics in the OpenID Connect token. variantgrid uses group membership to work out what data access the user will have. In the variantgrid client's Mappers tab, create a Mapper called "groups" (hit the Create button, not Add builtin). For Mapper Type, select "Group Membership".
For Token Claim Name, enter "groups".
Turn on Full group path.
Turn on the other 3 toggles so the group data is sent when needed (TODO: check whether we really need this in all three).
Also add the built-in properties username, email, given name and family name.
Now repeat for a new client called "variantgrid-client-tools", except that Access Type is set to "public" (so no client secret is needed).
Note that group management will change in future.
For now, create a group called variantgrid. Select that group and create another group inside it (making a nested group) called admin, which should result in a group with the full path /variantgrid/admin. This group will map to is_superuser.
All other groups directly under /variantgrid/ will be mapped to Django groups, which are created on demand. Note that no further nesting is supported.
Note that any user Keycloak authenticates will be considered a valid variantgrid user and will automatically belong to the "public" group.
If need be, this behaviour can be changed in auth/backend.py.
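The group-to-permission mapping described above, as an added example that is not variantgrid's own auth/backend.py: it takes the "groups" claim the mapper emits (full group paths, assumed to look like "/variantgrid/admin") and works out is_superuser plus the Django group names, ignoring nested or out-of-prefix groups and always adding "public". The function names and the sample claims are constructed for this example.

```python
# Added example, not variantgrid's own code: derive Django authorisation from the
# Keycloak "groups" claim. Assumes the "groups" mapper has "Full group path" on,
# so each entry is an absolute path such as "/variantgrid/admin".

ADMIN_GROUP_PATH = "/variantgrid/admin"  # this group maps to is_superuser
GROUP_PREFIX = "/variantgrid/"           # only direct children become Django groups
PUBLIC_GROUP = "public"                  # every authenticated Keycloak user gets this


def check_full_group_paths(groups_claim):
    """Sanity check: entries without a leading "/" mean the mapper's
    "Full group path" toggle is off, so the prefix logic below would silently
    drop every group. Raise early instead of granting nothing."""
    bad = [g for g in (groups_claim or []) if not g.startswith("/")]
    if bad:
        raise ValueError(f"groups claim is not using full group paths: {bad}")


def claims_to_django_groups(groups_claim):
    """Return (is_superuser, set of Django group names) for a "groups" claim.

    - "/variantgrid/admin" sets is_superuser and is not added as a plain group.
    - Other direct children of "/variantgrid/" become Django group names.
    - Deeper nesting ("/variantgrid/lab/sub") and groups outside the prefix are
      ignored, matching the page's statement that no further nesting is supported.
    - "public" is always present, even for a user with no groups at all.
    """
    check_full_group_paths(groups_claim)
    is_superuser = False
    django_groups = {PUBLIC_GROUP}
    for path in groups_claim or []:
        if path == ADMIN_GROUP_PATH:
            is_superuser = True
            continue
        if not path.startswith(GROUP_PREFIX):
            continue
        name = path[len(GROUP_PREFIX):]
        if not name or "/" in name:  # empty or nested below a lab group: skip
            continue
        django_groups.add(name)
    return is_superuser, django_groups


if __name__ == "__main__":
    # Constructed sample claim as the "groups" mapper would emit it.
    sample_claim = ["/variantgrid/admin", "/variantgrid/lab_a", "/other/x"]
    print(claims_to_django_groups(sample_claim))  # (True, {'public', 'lab_a'})
```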