forked from public/stack
35 lines
1.4 KiB
Markdown
# Initial Setup
To generate the admin password for Keycloak, run:
```sh
./scripts/generate-keycloak-secret.sh \
  | sops --encrypt --encrypted-regex '^(data|stringData)$' \
      --input-type=yaml --output-type=yaml /dev/stdin \
  > keycloak-config.enc.yaml
```
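As an added illustration (not the repository's own `generate-keycloak-secret.sh`, whose exact output is not shown on this page), the following Python builds a Kubernetes Secret manifest of the kind the command above pipes into sops, and shows which top-level keys the `--encrypted-regex '^(data|stringData)$'` filter covers. The Secret name, namespace and the `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` keys are assumptions for the example.

```python
import re
import secrets

# The regex from the sops invocation above; sops applies it to key names at every
# nesting level and encrypts the whole subtree under any key that matches.
ENCRYPTED_REGEX = re.compile(r"^(data|stringData)$")


def generate_admin_secret_manifest(name="keycloak-admin", namespace="keycloak", nbytes=32):
    """Return (manifest_text, password) for a Kubernetes Secret holding the
    Keycloak admin login. Assumed shape for this example; the page's
    generate-keycloak-secret.sh may emit different names or keys. The password
    comes from the CSPRNG (32 bytes, about 256 bits) and token_urlsafe's
    alphabet ([A-Za-z0-9_-]) needs no YAML quoting."""
    password = secrets.token_urlsafe(nbytes)
    manifest = (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "type: Opaque\n"
        "stringData:\n"
        "  KEYCLOAK_ADMIN: admin\n"
        f"  KEYCLOAK_ADMIN_PASSWORD: {password}\n"
    )
    return manifest, password


def top_level_keys(manifest):
    """Top-level YAML keys of a simple manifest whose root keys are unindented."""
    return [line.split(":", 1)[0]
            for line in manifest.splitlines()
            if line and not line.startswith((" ", "#"))]


def split_by_encryption(manifest):
    """Which top-level keys sops would encrypt vs. leave in clear text under
    --encrypted-regex '^(data|stringData)$'. metadata (and so the Secret's
    name) stays readable, which is what lets ksops/kustomize reference it
    while the password under stringData is ciphertext in git."""
    keys = top_level_keys(manifest)
    encrypted = [k for k in keys if ENCRYPTED_REGEX.match(k)]
    clear = [k for k in keys if not ENCRYPTED_REGEX.match(k)]
    return encrypted, clear


if __name__ == "__main__":
    text, _ = generate_admin_secret_manifest()
    print(text)
    enc, clear = split_by_encryption(text)
    print("encrypted by sops:", enc, "left in clear:", clear)
```

The useful check here is the second function: if the regex were widened or mistyped so that `metadata` matched, the Secret's name would be encrypted too and the kustomization could no longer reference it; if it were narrowed to only `data`, a `stringData` password would be committed in clear text.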
# Adding Clients
Clients are how Keycloak authenticates a user to a third-party service. This
happens by enabling a "Flow" when adding a client. In the "Standard" flow, the
user's browser obtains a short-lived authorization token from Keycloak, hands
that authorization token to the client, and the client then requests a
long-lived access token from Keycloak. This way, the access token is never
exposed to the user's browser; only the client ever holds it.
"Direct Access Grants" means that a user may pass their Keycloak credentials to
the client, and the client may then use those credentials to authenticate with
Keycloak and obtain an access token. In this manner, the client still does not
expose the access token to the user, but the user does expose their Keycloak
credentials to the client.
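To make the difference between the two flows concrete, here is an added Python model (not code from this repository, and not Keycloak itself) with a constructed in-memory stand-in for a Keycloak realm. It runs both flows for a made-up user and client and records which values each party was exposed to: in the Standard flow the browser only ever sees the single-use authorization code, while with Direct Access Grants the client sees the user's password. The user, client and secret values are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeKeycloak:
    """Constructed in-memory stand-in for a Keycloak realm (not the real server).
    Real Keycloak serves these steps at /realms/<realm>/protocol/openid-connect/auth
    (login and authorization code) and .../protocol/openid-connect/token
    (code or password exchange)."""
    users: dict                                   # username -> password (toy store)
    clients: dict                                 # client_id -> client_secret
    _codes: dict = field(default_factory=dict)    # code -> (username, client_id)

    def authorize(self, username, password, client_id):
        """Standard flow, step 1: the browser logs in at Keycloak and receives
        a short-lived, single-use authorization code bound to one client."""
        if self.users.get(username) != password:
            raise PermissionError("bad user credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, client_id)
        return code

    def token_from_code(self, code, client_id, client_secret):
        """Standard flow, step 3: the client redeems the code, authenticating with
        its own client secret; the access token is issued to the client only."""
        self._check_client(client_id, client_secret)
        if code not in self._codes:
            raise PermissionError("unknown or already used code")
        username, issued_to = self._codes.pop(code)   # single use: replay fails
        if issued_to != client_id:
            raise PermissionError("code was issued to a different client")
        return self._issue(username)

    def token_from_password(self, username, password, client_id, client_secret):
        """Direct Access Grant (OAuth2 grant_type=password): the client forwards
        the user's own Keycloak credentials and receives the access token."""
        self._check_client(client_id, client_secret)
        if self.users.get(username) != password:
            raise PermissionError("bad user credentials")
        return self._issue(username)

    def _check_client(self, client_id, client_secret):
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("bad client credentials")

    def _issue(self, username):
        return f"access-token-for-{username}-{secrets.token_urlsafe(8)}"


def run_standard_flow(kc, username, password, client_id, client_secret):
    """Returns (token, values the browser saw, values the client saw)."""
    browser_saw, client_saw = set(), set()
    code = kc.authorize(username, password, client_id)          # browser <-> Keycloak
    browser_saw.add(code)
    client_saw.add(code)                                        # browser redirects code to client
    token = kc.token_from_code(code, client_id, client_secret)  # client <-> Keycloak
    client_saw.add(token)
    return token, browser_saw, client_saw


def run_direct_grant(kc, username, password, client_id, client_secret):
    """Returns (token, values the client saw)."""
    client_saw = {password}                                     # user typed their password into the client
    token = kc.token_from_password(username, password, client_id, client_secret)
    client_saw.add(token)
    return token, client_saw


def compare_flows():
    """Run both flows on constructed sample data and report what each party was exposed to."""
    user, pw, cid, csec = "alice", "correct horse battery staple", "forgejo", "client-secret-placeholder"
    kc = FakeKeycloak(users={user: pw}, clients={cid: csec})
    std_token, browser_saw, client_saw = run_standard_flow(kc, user, pw, cid, csec)
    code = next(iter(browser_saw))
    try:
        kc.token_from_code(code, cid, csec)                     # second redemption of the same code
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    dag_token, dag_client_saw = run_direct_grant(kc, user, pw, cid, csec)
    return {
        "standard_browser_saw_access_token": std_token in browser_saw,
        "standard_client_saw_password": pw in client_saw,
        "standard_code_replay_rejected": replay_rejected,
        "direct_grant_client_saw_password": pw in dag_client_saw,
        "direct_grant_client_saw_access_token": dag_token in dag_client_saw,
    }


if __name__ == "__main__":
    for name, value in compare_flows().items():
        print(f"{name}: {value}")
```

The point for choosing a flow when adding a client: enabling Direct Access Grants puts the user's realm password in the client's hands, so it is only appropriate for clients you trust as much as Keycloak itself; the Standard flow keeps both the password and the access token away from the party that does not need them.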
When a Client is created, its Client Secret can be encrypted into a ksops Secret
using the following script (Forgejo is used as the example):
```sh
./kustomizations/keycloak/scripts/generate-keycloak-client-secret.sh \
  | sops --encrypt --encrypted-regex '^(data|stringData)$' \
      --input-type=yaml --output-type=yaml /dev/stdin \
  > kustomizations/forgejo/keycloak-client-config.enc.yaml
```