/keycloak-scripts


Keycloak JavaScript providers for OrchestraCities

This repo includes JavaScript providers used by OrchestraCities to support multi-tenancy and service paths:

  • Orchestra Cities tenants-roles mapper: maps users to tenants and to their roles within each tenant, e.g.:

    "tenants": {
      "Tenant2": {
        "roles": [
          "tenant-admin",
          "ngsi:entity:op",
          "ngsi:subscription:read",
          "ngsi:registration:write",
          "ngsi:entity:read",
          "ngsi:registration:delete",
          "ngsi:subscription:write",
          "ngsi:registration:read",
          "ngsi:subscription:delete",
          "ngsi:entity:write",
          "ngsi:entity:delete"
        ],
        "groups": [
          "/Admin2",
          "/Group2"
        ],
        "id": "a6662e3f-0328-43d1-b5cf-25f3209c57e8"
      }
    }
  • Orchestra Cities super-admin mapper: creates a claim reporting whether a user is a super user, e.g.:

    "is_super_admin": true,

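A service that receives these claims has to evaluate them itself. The following is an added example, not code from this repository: a fail-closed authorization check over the `tenants` and `is_super_admin` claims. The function name `isAuthorized`, the `superAdminBypass` option and the policy behind it are assumptions, and the token is assumed to be already verified (signature, issuer, audience, expiry).

```javascript
// Added example: consumer-side check of the mapper claims (not project code).
// Assumes the token was verified before its payload is passed in as `claims`.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns true only if `claims` grants `role` inside `tenant`.
// Fails closed on any missing or malformed field.
function isAuthorized(claims, tenant, role, { superAdminBypass = false } = {}) {
  if (claims === null || typeof claims !== 'object') return false;

  // Strict boolean check: the string "true" or the number 1 must not count.
  // Letting super admins skip tenant checks is an assumed policy, off by default.
  if (superAdminBypass && claims.is_super_admin === true) return true;

  const tenants = claims.tenants;
  if (tenants === null || typeof tenants !== 'object' || Array.isArray(tenants)) return false;

  // Own-property lookup: a tenant name such as "constructor" or "__proto__"
  // taken from a request header must not resolve to an inherited member.
  if (typeof tenant !== 'string' || !hasOwn(tenants, tenant)) return false;

  const entry = tenants[tenant];
  if (entry === null || typeof entry !== 'object' || !Array.isArray(entry.roles)) return false;

  // Exact string match; no prefix or wildcard semantics are assumed.
  return typeof role === 'string' && entry.roles.includes(role);
}

// Constructed sample payload, shaped like the claims shown above.
const sampleClaims = {
  is_super_admin: false,
  tenants: {
    Tenant2: {
      roles: ['tenant-admin', 'ngsi:entity:read', 'ngsi:entity:write'],
      groups: ['/Admin2', '/Group2'],
      id: 'a6662e3f-0328-43d1-b5cf-25f3209c57e8',
    },
  },
};

console.log(isAuthorized(sampleClaims, 'Tenant2', 'ngsi:entity:read'));     // true
console.log(isAuthorized(sampleClaims, 'Tenant1', 'ngsi:entity:read'));     // false
console.log(isAuthorized(sampleClaims, 'constructor', 'ngsi:entity:read')); // false
```
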
Deprecated:

Building the package

To build the package, simply use:

sh build.sh

It will create a package called oc-custom.jar.

Alternatively, you can download official builds here.

Installing

To deploy the script package in Keycloak:

  • Install oc-custom.jar in the standalone/deployments folder (see the example in test.sh for a Docker-based deployment).
  • Enable the scripts feature with the flag -Dkeycloak.profile.feature.scripts=enabled (see the example in test.sh for a Docker-based deployment) or by using the preview profile.

For more information, check the official Keycloak documentation.

Testing

Requirements:

  • docker
  • curl
  • jq

To load test the scripts in Keycloak:

sh test.sh

Updating realm export

Should you need to update the example realm, you can export a new version by launching the following script:

sh export-realm.sh

The export realm-export.json includes two demo tenants. The export realm-export-empty.json is clean (it includes only demo users).

The script always loads realm-export.json. To generate realm-export-empty.json, launch start.sh, remove the groups in Keycloak, and launch sh export-realm-empty.sh.

Once the export is completed, type CTRL+C to exit from the container.