add initial keycloak config to prod compose
FelixTJDietrich committed Feb 7, 2025
1 parent 1226f93 commit 0857c24
Showing 2 changed files with 255 additions and 3 deletions.
249 changes: 246 additions & 3 deletions docker/compose.prod.core.yaml
Expand Up @@ -75,12 +75,15 @@ services:
- shared-network
volumes:
- keycloak-data:/opt/keycloak/data
configs:
- source: realm-import.json
target: /opt/keycloak/data/import
command:
- start
- start --import-realm
environment:
- TZ=${TIMEZONE:-UTC}
- KEYCLOAK_ADMIN=${KEYCLOAK_USER_ADMIN}
- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD_ADMIN}
- KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN_USER}
- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
- KC_DB=postgres
- KC_DB_USERNAME=root
- KC_DB_PASSWORD=root
Expand Down Expand Up @@ -157,3 +160,243 @@ configs:
}
# No tls for production since we are not exposing the NATS ports to the host
realm-import.json:
content: |
{
"realm": "hephaestus",
"displayName": "Hephaestus",
"enabled": true,
"ssoSessionIdleTimeout": 1209600,
"ssoSessionMaxLifespan": 2592000,
"clients": [
{
"clientId": "hephaestus",
"enabled": true,
"rootUrl": "https://${APP_HOSTNAME}",
"surrogateAuthRequired": false,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://${APP_HOSTNAME}/*"
],
"webOrigins": [
"+"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"client.introspection.response.allow.jwt.claim.enabled": "false",
"post.logout.redirect.uris": "https://${APP_HOSTNAME}/*",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"use.refresh.tokens": "true",
"realm_client": "false",
"oidc.ciba.grant.enabled": "false",
"client.use.lightweight.access.token.enabled": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"acr.loa.map": "{}",
"require.pushed.authorization.requests": "false",
"tls.client.certificate.bound.access.tokens": "false",
"display.on.consent.screen": "false",
"token.response.type.bearer.lower-case": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"basic",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"organization",
"microprofile-jwt"
]
},
{
"clientId": "hephaestus-confidential",
"rootUrl": "https://${APP_HOSTNAME}",
"adminUrl": "https://${APP_HOSTNAME}",
"baseUrl": "https://${APP_HOSTNAME}/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "${KEYCLOAK_HEPHAESTUS_CONFIDENTIAL_CLIENT_SECRET}",
"redirectUris": [
"https://${APP_HOSTNAME}/"
],
"webOrigins": [
"+"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"realm_client": "false",
"oidc.ciba.grant.enabled": "false",
"client.secret.creation.time": "1728160951",
"backchannel.logout.session.required": "true",
"post.logout.redirect.uris": "https://${APP_HOSTNAME}/",
"display.on.consent.screen": "false",
"oauth2.device.authorization.grant.enabled": "false",
"use.jwks.url": "false",
"backchannel.logout.revoke.offline.tokens": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"name": "Client ID",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "client_id",
"id.token.claim": "true",
"introspection.token.claim": "true",
"access.token.claim": "true",
"claim.name": "client_id",
"jsonType.label": "String"
}
},
{
"name": "Client IP Address",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientAddress",
"id.token.claim": "true",
"introspection.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientAddress",
"jsonType.label": "String"
}
},
{
"name": "Client Host",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientHost",
"id.token.claim": "true",
"introspection.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientHost",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"basic",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"organization",
"microprofile-jwt"
]
}
],
"identityProviders": [
{
"alias": "github",
"displayName": "GitHub",
"providerId": "github",
"enabled": true,
"updateProfileFirstLoginMode": "on",
"trustEmail": true,
"storeToken": false,
"addReadTokenRoleOnCreate": false,
"authenticateByDefault": false,
"linkOnly": false,
"hideOnLogin": false,
"config": {
"syncMode": "LEGACY",
"clientSecret": "${KEYCLOAK_GITHUB_CLIENT_SECRET}",
"clientId": "${KEYCLOAK_GITHUB_CLIENT_ID}",
"guiOrder": "1"
}
}
],
"roles" : {
"realm" : [
{
"name": "admin",
"description": "Administrator privileges"
},
{
"name": "mentor_access",
"description": "Access to AI Mentor"
},
{
"name": "offline_access",
"description": "${role_offline-access}",
"composite": false,
"clientRole": false
},
{
"name": "uma_authorization",
"description": "${role_uma_authorization}",
"composite": false,
"clientRole": false
},
{
"name": "default-roles-hephaestus",
"description": "${role_default-roles}",
"composite": true,
"composites": {
"realm": [
"offline_access",
"uma_authorization"
],
"client": {
"account": [
"view-profile",
"manage-account"
]
}
},
"clientRole": false
}
]
},
"defaultRole": {
"name": "default-roles-hephaestus",
"description": "${role_default-roles}",
"composite": true,
"clientRole": false
}
}
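Review bot: The public `hephaestus` client in the second hunk (`"publicClient": true`) enables the password grant and does not pin PKCE, so a browser client that only needs the authorization-code flow is provisioned with more than it uses; set `"directAccessGrantsEnabled": false,` and add `"pkce.code.challenge.method": "S256",` to its `attributes` unless the frontend genuinely authenticates with direct credentials. The `${VAR}` interpolation this commit relies on for `${APP_HOSTNAME}` inside `content: |` is applied by Compose to Keycloak's own message placeholders as well, so `${role_offline-access}` and `${role_default-roles}` are read as `${VAR-default}` syntax and `${role_uma_authorization}` as an unset variable; escape them as `$${role_offline-access}` (and likewise for the other two) so they reach Keycloak verbatim. `- start --import-realm` is one argv element containing a space, and whether the image's launcher re-splits it is not visible here, so the unambiguous form is two items, `- start` and `- --import-realm`. The first hunk reads `${KEYCLOAK_ADMIN_USER}` from the host environment while the docs hunk in production_setup.md documents the variable as `KEYCLOAK_ADMIN`; one of the two names should change so the documented variable is the one Compose actually substitutes. The `configs:` mapping and the keycloak service definition both begin before their hunks.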
9 changes: 9 additions & 0 deletions docs/admin/production_setup.md
@@ -1,3 +1,12 @@
# Production Setup

TODO

## Environment Variables

- `WEBHOOK_SECRET`: GitHub webhook secret (`openssl rand -base64 32`)
- `KEYCLOAK_GITHUB_CLIENT_ID`: GitHub identity provider client ID
- `KEYCLOAK_GITHUB_CLIENT_SECRET`: GitHub identity provider client secret
- `KEYCLOAK_ADMIN`: Keycloak admin username
- `KEYCLOAK_ADMIN_PASSWORD`: Keycloak admin password (`openssl rand -base64 32`)
- `KEYCLOAK_HEPHAESTUS_CONFIDENTIAL_CLIENT_SECRET`: Keycloak Hephaestus confidential client secret (for application server communication with Keycloak) (`openssl rand -base64 32`)
