noi-techpark/it.bz.opendatahub.sparql

Document how to configure the Keycloak server and oauth proxy

Closed this issue · 14 comments

Piiit commented

Please update the readme to incorporate also the oauth and keycloak configuration.

Belongs to #36

@Piiit I'll document the configuration

Piiit commented

Perfect, thx... waiting for a PR then

Piiit commented

@jcte02 Please move this issue to "In Progress" when you start to work and "To Review" when you are done...

Piiit commented

@jcte02 Please also accept the invitation to this repository: https://github.com/noi-techpark/it.bz.opendatahub.sparql/invitations

@Piiit how do I move the issue to "In progress"?

Piiit commented

On the Kanban https://github.com/orgs/noi-techpark/projects/19... do you have access?

No I don't have access

Piiit commented

Now?

Yes

Piiit commented

@jcte02 Hi, it does not work as you describe it. Maybe we miss here some parts?

I get 403 Permission Denied: invalid_request... Do we need Role Mappings for a user? How do I say that only some users can login?

Could you please provide a full description similar as in https://github.com/noi-techpark/authentication-server/blob/master/docs/applications.md?

Since we do not know if left-out fields in the Keycloak configuration will be the default in future versions.

Thx

Piiit commented

We use Keycloak v12

@Piiit I used your authentication-server repository to test the authentication before sending the PR. What I wrote in the documentation was all the steps I did on my local Keycloak instance. We clearly have a configuration mismatch here, i.e. you have configured something in your Keycloak instance I don't know about.
At the moment the authentication is only done on the email domain; there is no granularity. If you don't expose or have the email field, this can explain the failed authentication. The good news is that everything else is now working, because we are completing the flow with the callback, even if the authentication fails.
Since you mentioned wanting to manage users, I would advise switching to group validation. On your Keycloak instance you can have a specific group (e.g. restricted) whose users will be able to access the restricted endpoint. Managing access then becomes managing that group's membership.
It would help greatly if you could provide me access to a throwaway realm on your testing auth server, or at least provide the relevant configuration, because this is an integration problem and my local configuration always worked.
To save time I will preemptively start working on the group membership. If you can't provide any details about your authentication server I can understand that, but I fear it will complicate debugging. If you have access to the logs generated by the authentication proxy it would help greatly.
Regarding documentation, I will rewrite it to include screenshots of the configuration.
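The two authorization policies discussed in the comment above, as an added example written for this page (it is not code from the repository, the oauth proxy, or either participant). It decides access from the decoded claims of a Keycloak ID token: the current email-domain check, which denies when the email claim is missing and cannot distinguish users on the same domain, and the proposed group-membership check, which needs a Keycloak Group Membership mapper on the client. The allowed domain `example.org`, the claim name `groups`, and the sample tokens are assumptions constructed for the example; the group name `restricted` comes from the thread.

```python
"""Authorize a request from decoded Keycloak ID-token claims, two ways.

Added example: email-domain policy (what the thread says is in place)
versus group-membership policy (what the thread proposes).
"""
from dataclasses import dataclass

ALLOWED_DOMAIN = "example.org"   # assumed value for the example
RESTRICTED_GROUP = "restricted"  # group name taken from the thread
GROUPS_CLAIM = "groups"          # assumed claim name set on the Keycloak mapper


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_by_email_domain(claims: dict, allowed_domain: str = ALLOWED_DOMAIN) -> Decision:
    """Current approach: anyone whose verified email is on the allowed domain gets in.

    Fails closed when the token carries no email claim, which is the symptom
    described in the thread when the email field is not exposed by the realm.
    """
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return Decision(False, "no email claim in token")
    # Treat a missing email_verified claim as unverified (conservative).
    if claims.get("email_verified") is not True:
        return Decision(False, "email not verified")
    domain = email.rsplit("@", 1)[1].lower()
    if domain != allowed_domain.lower():
        return Decision(False, f"domain {domain!r} not allowed")
    return Decision(True, f"domain {domain!r} allowed")


def authorize_by_group(claims: dict, required_group: str = RESTRICTED_GROUP) -> Decision:
    """Proposed approach: only members of one Keycloak group get in.

    Requires a Group Membership protocol mapper on the client that writes the
    user's groups into GROUPS_CLAIM. With the mapper's "full group path" option
    enabled the values look like "/restricted"; with it disabled they look like
    "restricted". A leading slash is stripped so both forms match.
    """
    groups = claims.get(GROUPS_CLAIM)
    if not isinstance(groups, list):
        return Decision(False, f"no {GROUPS_CLAIM!r} claim in token (group mapper missing?)")
    normalized = {g.lstrip("/") for g in groups if isinstance(g, str)}
    if required_group not in normalized:
        return Decision(False, f"not a member of {required_group!r}")
    return Decision(True, f"member of {required_group!r}")


# Constructed sample tokens (already decoded and signature-checked upstream).
TOKEN_MEMBER = {
    "sub": "user-1", "email": "alice@example.org", "email_verified": True,
    "groups": ["/restricted", "/staff"],
}
# Same domain as TOKEN_MEMBER but not in the group: the domain policy lets this in.
TOKEN_SAME_DOMAIN_NOT_MEMBER = {
    "sub": "user-2", "email": "bob@example.org", "email_verified": True,
    "groups": ["/staff"],
}
# Realm does not expose the email field: the domain policy denies this user.
TOKEN_NO_EMAIL = {"sub": "user-3", "groups": ["/restricted"]}
# Client has no group mapper: the group policy denies everyone.
TOKEN_NO_GROUPS_CLAIM = {
    "sub": "user-4", "email": "carol@example.org", "email_verified": True,
}


if __name__ == "__main__":
    for name, token in [
        ("member", TOKEN_MEMBER),
        ("same domain, not member", TOKEN_SAME_DOMAIN_NOT_MEMBER),
        ("no email claim", TOKEN_NO_EMAIL),
        ("no groups claim", TOKEN_NO_GROUPS_CLAIM),
    ]:
        print(f"{name:25} domain: {authorize_by_email_domain(token)}")
        print(f"{name:25} group:  {authorize_by_group(token)}")
```

The domain policy admits every verified user on the domain, which is exactly the objection raised later in the thread; the group policy admits only members of `restricted`, regardless of whether the email claim is present, but depends on the client having a Group Membership mapper configured, so a token without the claim must be treated as a deny rather than as an empty group list.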

Piiit commented

@jcte02 Hi, we have many users on our auth server, we cannot allow all of them to access the data, even if they have the same domain... Let's have a pair programming session, then with shared screens I think we can sort the issues out easily.

Piiit commented

@jcte02 Documentation is well done, thank you