@rafi
Last active September 23, 2024 15:51
Keycloak and oauth2-proxy using k3d & ngrok:

K3d and Keycloak

Prerequisites

Ensure docker, k3d and ngrok are installed.

brew update
brew install --cask docker ngrok
brew install k3d

Versions in use:

$ docker version
Client:
 Cloud integration: 1.0.14
 Version:           20.10.6

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)

$ k3d version
k3d version v4.4.6

Deploy Single-Node Cluster

k3d cluster create keycloak --servers 1 \
  --port 443:443@loadbalancer \
  --port 80:80@loadbalancer \
  --api-port 6443 --k3s-server-arg '--no-deploy=traefik'

Run ngrok http 80 to get a temporary public domain that tunnels traffic to your local port 80. The hostname ngrok prints (4eeaf28b49b8.ngrok.io in this gist) is the one used in all the configuration below.

We'll set a fake domain in our /etc/hosts just for kicks:

echo "127.0.0.1 k3d.local" | sudo tee -a /etc/hosts

Deploy nginx-ingress

Use official Helm repo:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

Install chart:

helm install ingress-nginx ingress-nginx/ingress-nginx \
  --wait --version 3.34.0 --set-string controller.config.ssl-redirect=false

Running curl http://k3d.local should respond with "404 Not Found".

Deploy Keycloak

Let's use codecentric Helm repo:

helm repo add codecentric https://codecentric.github.io/helm-charts
helm repo update

Create a keycloak-values.yaml with custom values:

image:
  tag: 14.0.0
postgresql:
  enabled: false
ingress:
  enabled: true
  rules:
    - host: 4eeaf28b49b8.ngrok.io
      paths: [ / ]
  tls: []
  console:
    enabled: true
    rules:
      - host: 4eeaf28b49b8.ngrok.io
        paths: [ /auth/admin ]
    tls: []
extraEnv: |
  - name: KEYCLOAK_FRONTEND_URL
    value: https://4eeaf28b49b8.ngrok.io/auth
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KEYCLOAK_USER
    value: admin
  - name: KEYCLOAK_PASSWORD
    value: admin

Install chart:

helm install keycloak codecentric/keycloak \
   --version 11.0.1 -f keycloak-values.yaml --wait

Setup Keycloak

Create a Realm

A realm in Keycloak is the equivalent of a tenant. It allows creating isolated groups of applications and users. By default there is a single realm in Keycloak called master. This one is dedicated to managing Keycloak itself and should not be used for your own applications. Let's create our first realm.

  1. Open browser at https://4eeaf28b49b8.ngrok.io and click on "Administrative Console"
  2. Login with admin / admin
  3. Hover the mouse over the drop-down in the top-left corner where it says Master, then click on Add realm
  4. Fill in the form with the following values:
    • Name: myrealm
  5. Click Create

Create a User

Initially there are no users in a new realm, so let’s create one:

  1. Open the Keycloak Admin Console
  2. Click Users (left-hand menu)
    • Click Add user (top-right corner of table)
  3. Fill in the form with the following values:
    • Username: myuser
    • First Name: Your first name
    • Last Name: Your last name
  4. Click Save

The user will need an initial password set to be able to login. To do this:

  1. Click Credentials (top of the page)
  2. Fill in the Set Password form with a password
  3. Click ON next to Temporary to prevent having to update password on first login

Login to Account Console

Let’s now try to login to the account console to verify the user is configured correctly.

  1. Open the Keycloak Account Console at https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/account
  2. Login with myuser and the password you created earlier

You should now be logged-in to the account console where users can manage their accounts.

Keycloak Playground App

Let's try to secure our first application. The first step is to register this application with your Keycloak playground instance:

  1. Open the Keycloak Admin Console
  2. Click 'Clients'
  3. Fill in the form with the following values:
    • Client ID: myclient
    • Client Protocol: openid-connect
    • Root URL: https://www.keycloak.org/app/
  4. Click Save

To make this easy, there is a SPA testing application available on the Keycloak website.

Open https://www.keycloak.org/app/. Change Keycloak URL to the URL of your Keycloak instance. Click Save.

Now you can click Sign in to authenticate to this application using the Keycloak server you started earlier.

Secure an App

First, create a new client in your Keycloak realm.

  1. Open the Keycloak Admin Console
  2. Click 'Clients'
  3. Fill in the form with the following values:
    • Client ID: myapp
    • Client Protocol: openid-connect
    • Root URL: http://4eeaf28b49b8.ngrok.io/oauth2
  4. Click Save
  5. Change:
    • Access Type 'Confidential'
    • Valid Redirect URIs, add '*'
  6. Click Save
  7. Take note of the Secret in the client's 'Credentials' tab.
  8. Create a mapper with Mapper Type 'Group Membership' and Token Claim Name 'groups'.

Use OAuth2-Proxy

Use official Helm repo:

helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
helm repo update

Create an oauth2proxy-values.yaml with custom values:

image:
  tag: "v7.1.3"
ingress:
  enabled: true
  path: /oauth2
  hosts:
    - 4eeaf28b49b8.ngrok.io
config:
  clientID: myapp
  clientSecret: "<client secret from 'credentials' tab in myapp client>"
  cookieSecret: "UlpPOE8wWUo3cmZtRGxDRllXUmd2bEhaN1VXcGxFclI="
extraArgs:
  provider: keycloak
  scope: address
  login-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/auth
  redeem-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/token
  profile-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/userinfo
  validate-url: https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/userinfo

Install chart:

helm install oauth2-proxy oauth2-proxy/oauth2-proxy \
   --version 3.3.2 -f oauth2proxy-values.yaml --wait

Now navigate to https://4eeaf28b49b8.ngrok.io/oauth2 and complete sign-in.
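The extraArgs block above spells out the four Keycloak endpoints by hand, and the cookieSecret is a value copied from a public gist. The following check is an added example (not part of the original gist or of oauth2-proxy): it rebuilds the endpoint URLs from the realm base URL, compares them with a constructed, trimmed copy of the realm's OIDC discovery document, and verifies the cookieSecret decodes to an AES key size before generating a fresh one.

```python
"""Sanity-check an oauth2-proxy Keycloak config against the realm's discovery document."""
import base64
import json
import secrets

# Constructed sample (not fetched): the relevant keys of the document Keycloak serves at
# https://<host>/auth/realms/<realm>/.well-known/openid-configuration
DISCOVERY_JSON = json.dumps({
    "issuer": "https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm",
    "authorization_endpoint": "https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/token",
    "userinfo_endpoint": "https://4eeaf28b49b8.ngrok.io/auth/realms/myrealm/protocol/openid-connect/userinfo",
})

# oauth2-proxy extraArgs names (as in the values file) -> discovery document keys
ARG_TO_DISCOVERY = {
    "login-url": "authorization_endpoint",
    "redeem-url": "token_endpoint",
    "profile-url": "userinfo_endpoint",
    "validate-url": "userinfo_endpoint",
}


def keycloak_endpoints(base_url, realm):
    """Build the four extraArgs URLs the way the values file above does by hand."""
    prefix = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect"
    return {
        "login-url": f"{prefix}/auth",
        "redeem-url": f"{prefix}/token",
        "profile-url": f"{prefix}/userinfo",
        "validate-url": f"{prefix}/userinfo",
    }


def check_endpoints(extra_args, discovery_json):
    """Return the extraArgs whose URL differs from what the realm actually advertises."""
    disc = json.loads(discovery_json)
    return [arg for arg, key in ARG_TO_DISCOVERY.items() if extra_args.get(arg) != disc[key]]


def cookie_secret_bytes(secret):
    """Decode a base64 cookieSecret; oauth2-proxy needs 16, 24 or 32 bytes (AES key sizes)."""
    raw = base64.b64decode(secret, validate=True)
    if len(raw) not in (16, 24, 32):
        raise ValueError(f"cookieSecret decodes to {len(raw)} bytes; need 16, 24 or 32")
    return len(raw)


def new_cookie_secret():
    """Generate a fresh 32-byte secret; never reuse one copied from a public example."""
    return base64.b64encode(secrets.token_bytes(32)).decode()
```

Run it against the real discovery document (curl the .well-known URL and pass the body to check_endpoints) whenever the ngrok hostname or KEYCLOAK_FRONTEND_URL changes, since every one of the four URLs must be updated together.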

ingress-nginx Integration

You can protect any Ingress resource with oauth2-proxy by adding the ingress-nginx auth annotations, for example:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp  # placeholder; the original snippet ends after the annotations
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth{{ .Values.dnsDomain }}/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth{{ .Values.dnsDomain }}/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
spec:
  rules:
    - host: "app{{ .Values.dnsDomain }}"  # placeholder host of the app being protected
      http:
        paths:
          - {path: /, pathType: Prefix, backend: {service: {name: myapp, port: {number: 80}}}}  # placeholder backend