keycloak-sso

Minimal login scenario with Keycloak (OIDC Provider) and Python (Flask).

• Check REPORT.md for more details.

Overview

The sequence diagram illustrates the typical interactions between system components to implement a simple login scenario.

Screenshots

• Application webpage before logging in. Configured locally with self-signed certs for HTTPS.

  

• Clicking "Log In" redirects to Keyclock login form.

  • Need to pre-configure connection to the client and sample users/roles in "myrealm".

  

• Successful login and redirection.

  

• The client session can be inspected at the server

  

Local Testing

0. Clone repository

   git clone https://github.com/sh3b0/keycloak-sso
   cd keycloak-sso

1. Configure certificates in certs directory. Refer to REPORT.md for more details

   • Expected content: tls.crt, tls.key, and ca.crt (issuer CA).

2. Create .env with environment variables. Sample config:

   CA_PATH=/app/certs/ca.crt
   KEYCLOAK_SERVER_URL=https://keycloak.internal.test
   KEYCLOAK_REALM=myrealm
   KEYCLOAK_CLIENT_ID=demo
   KEYCLOAK_CLIENT_SECRET=<KEYCLOAK_CLIENT_SECRET>
   KEYCLOAK_REDIRECT_URI=https://app.internal.test:5000/callback

3. Configure domain names for app and keycloak accordingly.

4. Run keycloak and app containers in the same network.

   docker compose up -d

5. Login to Keycloak UI with admin:admin, then change credentials.

6. Create a realm, a client, and sample users for testing.

7. Access the test client at port 5000.

References

• https://www.keycloak.org/securing-apps/oidc-layers

• https://openid.net/developers/how-connect-works/

• https://openid.net/specs/openid-connect-basic-1_0.html