stack/kustomizations/keycloak/docs
ryan-distrust.co 710af7dbc7
docs: add steps to rebuild kustomization secrets
2023-05-16 22:06:13 -04:00
..
README.md docs: add steps to rebuild kustomization secrets 2023-05-16 22:06:13 -04:00
realms.md k/keycloak: add docs and client secret generator 2023-05-15 21:51:16 -04:00

README.md

Initial Setup

To generate the admin password for Keycloak, run:

./scripts/generate-keycloak-secret.sh \
  | sops --encrypt --encrypted-regex '^(data|stringData)$' \
  --input-type=yaml --output-type=yaml /dev/stdin \
  > keycloak-config.enc.yaml

To get the database credentials, run:

sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml

Adding Clients

Clients are how Keycloak authenticates a user with a third party service. This happens by enabling a "Flow" when adding a client. The "Standard" flow has the user's browser get a short-lived authorization token from Keycloak, send the authorization token to the client, then the client request a long-lived access token from Keycloak. This way, the access token is never given to the client. "Direct Access Grants" means that a user may pass their Keycloak credentials to the client, then the client may use those credentials to authenticate with Keycloak and get an access token. In this manner, the client still does not expose the access token to the user, but the user exposes their Keycloak credentials to the client.

When a Client is created, the Client Secret can be encrypted to a ksops Secret using the following script (Forgejo used as an example):

./kustomizations/keycloak/scripts/generate-keycloak-client-secret.sh \
  | sops --encrypt --encrypted-regex '^(data|stringData)$' \
  --input-type=yaml --output-type=yaml /dev/stdin \
  > kustomizations/forgejo/keycloak-client-config.enc.yaml