-
Notifications
You must be signed in to change notification settings - Fork 8
KeyCloak
Sean McIlvenna edited this page Dec 9, 2019
·
1 revision
You may easily run KeyCloak in a development environment using Docker with the following command: docker run --name keycloak --publish 8081:8080 --hostname keycloak -e DB_VENDOR=h2 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=<admin_pass> jboss/keycloak
Create an application within the desired realm with:
- Client Protocol: openid-connect
- Implicit Flow Enabled: Yes
- Access Type: confidential
- Redirect URIs
- <root url>/login (ex: https://trifolia-fhir-dev.lantanagroup.com/silent-refresh.html)
- <root url>/silent-refresh.html (ex: https://trifolia-fhir-dev.lantanagroup.com/silent-refresh.html)
- auth.clientId = keycloak app's "Client ID"
- auth.domain = <the publicly available url of the tof app>
- auth.scope = openid profile name email roles
- auth.secret = keycloak app > Credentials tab > "Secret"
- auth.issuer = <keycloak url>/auth/realms/<realm id>
- auth.jwksUri = <keycloak url>/auth/realms/<realm id>/protocol/openid-connect/certs
An admin role can be assigned to users so that they are recognized as an administrative user.
Add the role to the client app:
- From the KeyCloak admin panel, click "Clients" and select the app you created for ToF
- Select the "Roles" tab
- Click "Add Role"
- The role name must be "admin"
- Click "Save"
Have KeyCloak return the roles in the id token:
- From the KeyCloak admin panel, click "Client Scopes"
- Click "roles"
- Select "On" for "Include in Token Scope"
- Select "Mappers" tab
- Click "client roles"
- Change the "Token Claim Name" to "roles"
- Make sure the "On" is selected for both "Add to ID token" and "Add to access token"
- In the KeyCloak admin dashboard, select "Users" on the left
- Click the ID of the user you want to make an admin
- Select the "Role Mappings" tab
- In the "Client Roles" drop-down menu, select the app for ToF
- Under "Available Roles" select/highlight the "admin" role
- Click "Add selected"