Harmonize Keycloak Client Configurations with Built-in IdP#589
Conversation
This change makes the Keycloak client configurations consistent with the built-in IdP:
1. Standardized client IDs to match built-in IdP:
- web (unchanged)
- OpenCloudDesktop (was random ID)
- OpenCloudAndroid (was random ID)
- OpenCloudIOS (was random ID)
- Cyberduck (simplified ID)
2. Updated domain names to use .eu consistently:
- Changed from opencloud.com to opencloud.eu for mobile apps
- Changed from hardcoded domains to templated {{OC_URL}} values
3. Updated redirect URIs to match built-in IdP format:
- Added specific callback paths for web client
- Removed wildcarded ports for desktop client
4. Changed mobile/desktop clients to public clients (equivalent to native app type)
5. Enhanced docker-entrypoint-override.sh to handle {{OC_URL}} template variables
These changes ensure a consistent authentication experience regardless of
whether users are using the built-in IdP or Keycloak.
This adds detailed documentation for Keycloak integration with OpenCloud, including: - Setup with Docker Compose - OpenCloud configuration - Client configuration details (matching built-in IdP) - Advanced configuration (Backchannel Logout) - Troubleshooting advice - User and group management overview Relates to opencloud-eu/opencloud#589
|
@michaelstingl Thanks! I tested your changes - the clients are working fine! 👏 One issue is, that the deployment only imports the full realm, so we need to also change the client values in the realm itself. |
michaelstingl
force-pushed
the
harmonize-keycloak-client-configs
branch
from
f1c73ad to
e487dfd
Compare
|
Thanks for the feedback! I've updated the Since the realm configuration file is quite complex, please let me know if I missed anything else that needs to be aligned. This should ensure that when the realm is imported during deployment, all client configurations match exactly. |
Update the realm configuration to match the client configuration JSON files: 1. Update client IDs to match client JSON files: - Changed 'xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69' to 'OpenCloudDesktop' - Changed 'e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD' to 'OpenCloudAndroid' - Changed 'mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1' to 'OpenCloudIOS' 2. Fix additional client properties: - Fix client names: Use proper capitalization for all clients - Fix OAuth redirect URIs for Android and iOS to use .eu domain - Fix Desktop URIs by removing wildcard asterisks - Update post-logout redirect URIs to match client JSONs - Set publicClient flag to true for all mobile/desktop clients These changes ensure that when the realm is imported during deployment, the client configurations will match the client JSONs exactly.
michaelstingl
force-pushed
the
harmonize-keycloak-client-configs
branch
from
e487dfd to
8bbd562
Compare
Harmonize the web client configuration in the realm:
- Add 'OpenCloud Web App' client name
- Change URLs to use {{OC_URL}} template variables
- Update redirect URIs to use specific paths instead of wildcard
- Set backchannel logout URL to use templated URL
This completes the harmonization of all client configurations in the realm.
|
I noticed one more issue while testing and fixed it in another commit: The web client configuration also needed harmonization. I updated it to:
These changes should complete the harmonization of all clients in the realm configuration. |
micbar
left a comment
micbar
left a comment
There was a problem hiding this comment.
Working fine. I am not so happy with the new OC_URL placeholder.
| # replace openCloud domain in keycloak realm import | ||
| mkdir /opt/keycloak/data/import | ||
| sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json | ||
| sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" \ |
There was a problem hiding this comment.
What is the gain of that change?
Before your change, it was already a valid config, because cloud.opencloud.test is used on all testing and developer machines.
${OC_DOMAIN} is not always populated if you do not run the entrypoint script.
So i would like to keep it like it was.
There was a problem hiding this comment.
Also the introduction of {{OC_URL}} makes updating the config harder. Before, we could just commit the export generated by keycloak (kc.sh export)
Reverted templating changes to match upstream conventions:
1. Removed template variable handling from docker-entrypoint-override.sh
- Removed {{OC_URL}} replacement, keeping only domain replacement
This maintains compatibility with the upstream approach of using direct URLs
with domain substitution instead of template variables.
|
Thanks for the feedback about the template variables! I've reverted those changes to match the upstream conventions. I initially added the {{OC_URL}} variables because I noticed they're used in the built-in IdP configuration (in services/idp/pkg/config/defaults/defaultconfig.go) and wanted to make the Keycloak configuration consistent with that pattern. However, I understand now that the Keycloak configuration should follow its own established convention with direct URLs and domain substitution. I've:
The important client ID harmonization and redirect URI updates remain in place. Let me know if there's anything else that should be adjusted! |
|
There are still old references like e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD in the new /keycloak/opencloud-realm.dist.json |
Updated the remaining references to old client IDs in the role mappings section: - xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 → OpenCloudDesktop - e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD → OpenCloudAndroid - mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 → OpenCloudIOS This ensures all client ID references throughout the realm configuration are consistent and use the simplified IDs.
|
Thanks @suse-coder for catching those remaining old client IDs! I've fixed all the references in the role mappings section of the configuration, replacing the long random IDs with the simplified client names. This should complete the harmonization of client IDs throughout the entire realm configuration. |
This adds detailed documentation for Keycloak integration with OpenCloud, including: - Setup with Docker Compose - OpenCloud configuration - Client configuration details (matching built-in IdP) - Advanced configuration (Backchannel Logout) - Troubleshooting advice - User and group management overview Relates to opencloud-eu/opencloud#589
* Add comprehensive Keycloak integration documentation This adds detailed documentation for Keycloak integration with OpenCloud, including: - Setup with Docker Compose - OpenCloud configuration - Client configuration details (matching built-in IdP) - Advanced configuration (Backchannel Logout) - Troubleshooting advice - User and group management overview Relates to opencloud-eu/opencloud#589 * Simplify docker-compose command and explain .env file auto-configuration
4 participants
Description
This PR harmonizes the Keycloak client configurations with the built-in IdP client configurations to ensure a consistent authentication experience regardless of which identity provider is used.
Related Issue
Motivation and Context
When switching between the built-in IdP and Keycloak, users may experience authentication issues due to inconsistent client configurations. This PR ensures that client IDs, redirect URIs, domain names, and authentication methods are aligned between both systems.
Key changes:
Standardized client IDs to match built-in IdP:
web(unchanged)OpenCloudDesktop(was random ID)OpenCloudAndroid(was random ID)OpenCloudIOS(was random ID)Cyberduck(simplified ID)Fixed domain names:
Standardized redirect URIs:
Aligned authentication methods:
How Has This Been Tested?
Types of changes
Checklist:
Note on documentation: The Keycloak documentation file at
/docs/docs/admin/30-configuration/30-keycloak.mdexists in the separate docs repository as a draft. After this PR is merged, a separate PR should be created in the docs repository to update the documentation with the new client configuration details.Detailed Analysis
1. Client ID Differences
webweb✅OpenCloudDesktopxdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69❌OpenCloudAndroide4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD❌OpenCloudIOSmxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1❌2. Domain Name Inconsistencies
{{OC_URL}}(templated)https://cloud.opencloud.test(hardcoded) ❌oc://android.opencloud.euoc://android.opencloud.com❌oc://ios.opencloud.euoc://ios.opencloud.com❌3. Redirect URI Format Differences
4. Client Authentication Type
Trusted: truepublicClient: true(equivalent) ✅ApplicationType: nativeApplicationType: nativeApplicationType: native