@t-book
Last active February 22, 2024 11:58

SSO - Authenticate GeoNode against a Keycloak server

For local testing I use GeoNode paver on port 8000 and a Keycloak server started with Docker on port 8090:

docker run -p 8090:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:12.0.1

See https://www.keycloak.org/getting-started/getting-started-docker

A. On the Keycloak side

  1. Create a new realm (marsianer) to group our new app and users
  2. If needed, allow user registration in Realm Settings -> User registration
  3. For testing, create a new user under Manage -> Users (Toni/Toni), User Enabled -> ON
  4. Create a new client under Configure -> Clients -> Create with ACCESS TYPE -> confidential (A)
  5. Save and copy the Secret from the Credentials tab (A)

(A) kc

B. On the GeoNode side

In your settings, add Keycloak as a provider:

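# Uncomment this to enable Linkedin and Facebook login
# (here the allauth Keycloak provider is enabled in this block instead)
INSTALLED_APPS += (
    'allauth.socialaccount.providers.keycloak',  # changed
)

# Base URL of the Keycloak server and the realm created in part A
SOCIALACCOUNT_PROVIDERS = {  # changed
    'keycloak': {
        'KEYCLOAK_URL': 'http://127.0.0.1:8090/auth',
        'KEYCLOAK_REALM': 'marsianer',
    },
}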

Next, log in to Django Admin and add a new Social App (B):

  • Provider: Keycloak
  • Name: Keycloak
  • Client id: geonode-local (the name of your Keycloak app)
  • Secret Key: <the copied secret from your app>

(B) Screenshot from 2020-12-21 11-39-22


After that you get a new login option for Keycloak (C). This button should redirect to your realm login. If you provide correct credentials, you are redirected to GeoNode as a logged-in user.


(C) sign-in
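
As an added example (not part of the original gist, nor GeoNode or allauth code): a standard-library check of the Keycloak settings from part B that derives the standard Keycloak realm endpoints they point at and flags a plain-http KEYCLOAK_URL on a non-loopback host, which is relevant to the production setup listed under TODO. The function names are assumptions made for this example.

```python
# Added example: sanity-check the Keycloak block of SOCIALACCOUNT_PROVIDERS.
# Standard library only; function names are hypothetical, not allauth APIs.
from ipaddress import ip_address
from urllib.parse import urlsplit

# Same values as in the settings above.
SOCIALACCOUNT_PROVIDERS = {
    'keycloak': {
        'KEYCLOAK_URL': 'http://127.0.0.1:8090/auth',
        'KEYCLOAK_REALM': 'marsianer',
    },
}


def is_loopback(host):
    """True for localhost and loopback IP literals (127.0.0.0/8, ::1)."""
    if host == 'localhost':
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def realm_endpoints(cfg):
    """Derive the realm's OpenID Connect endpoints from the two settings."""
    base = '{}/realms/{}'.format(cfg['KEYCLOAK_URL'].rstrip('/'),
                                 cfg['KEYCLOAK_REALM'])
    oidc = base + '/protocol/openid-connect'
    return {
        'discovery': base + '/.well-known/openid-configuration',
        'authorize': oidc + '/auth',
        'token': oidc + '/token',
        'userinfo': oidc + '/userinfo',
    }


def check_keycloak(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    url = urlsplit(cfg.get('KEYCLOAK_URL', ''))
    if url.scheme not in ('http', 'https') or not url.hostname:
        findings.append('KEYCLOAK_URL is not an absolute http(s) URL')
    elif url.scheme == 'http' and not is_loopback(url.hostname):
        findings.append('KEYCLOAK_URL uses plain http on a non-loopback host: '
                        'client secret and tokens would travel unencrypted')
    if not cfg.get('KEYCLOAK_REALM'):
        findings.append('KEYCLOAK_REALM is missing')
    return findings
```

With the local test values above, check_keycloak returns an empty list because the http URL targets loopback; the same scheme on a routable host is reported.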

C. TODO

  • Describe LDAP integration with Keycloak
  • Add a SOCIALACCOUNT_PROFILE_EXTRACTORS for keycloak to geonode
  • Test a production setup
@t-book
Author

t-book commented Dec 21, 2020

(A)
kc

@t-book
Author

t-book commented Dec 21, 2020

(B)

Screenshot from 2020-12-21 11-39-22

@t-book
Author

t-book commented Dec 21, 2020

(C)

sign-in

@ep3data-admin

Hi T-Book,

Thanks for the documentation! Do you have two sets of users: Keycloak and those signed up through GeoNode? Is there a simple way to disable the GeoNode sign in, and just use Keycloak?

@t-book
Author

t-book commented Mar 12, 2021

Hi @ep3data-admin, to be honest I've not dived deep into Keycloak with GeoNode. Still on my todo list. From what I know, we need a user in the GeoNode database, otherwise the foreign key relations for resources might not work. I think that's why this module https://github.com/GeoNode/geonode-contribs/tree/master/django-geonode-keycloak has an inbuilt sync function.

@t-book
Author

t-book commented Mar 12, 2021

... and regarding Django login: as an easy solution, just remove it from the template.

@simplygeo

Hi t-book,

Thanks for this documentation.
How would we know the "secret key" and "key" when configuring django social application?
