Use Keycloak as Identity provider for Drupal

readme.md

Keycloak with Drupal

Create docker container

• git clone https://github.com/wadmiraal/docker-drupal.git

• cd docker-drupal

• git checkout 7.x

• docker build -t local/drupal7x .

• docker run --name=drupal -d -p 8080:80 -p 8022:22 -t local/drupal7x

• docker exec -it drupal bash

Install openid_connect module

cd /var/www/sites/all/
drush dl openid_connect && drush en openid_connect

Setup IPTables

Special case: if you run keycloak on the host machine, you might need to allow docker containers to access the host machine with an additional iptables rule.

For adding the rule just run the following:

sudo iptables -A INPUT -i docker0 -j ACCEPT

you should be able to do a curl -v http://172.17.0.1:8081/auth

For deleting the rule just run:

sudo iptables -D INPUT -i docker0 -j ACCEPT

Configure Keycloak

In my example I run the default KeycloakServer from the integration tests with
-Dkeycloak.bind.address=0.0.0.0 -Djava.net.preferIPv4Stack=true

Where the IP's are used as follows:

//172.17.0.1 -> IP of keycloak host
//172.17.0.2 -> IP of drupal container

Configure Keycloak CLient

Create a client for drupal with the following settings:

client id: drupal
client name: drupal

Client Protocol: openid-connect
Access type: confidential

Standard Flow Enabled: true

Valid redirect url: http://172.17.0.2:8080/*

Base URL: http://172.17.0.2:8080/

Web Origins: http://172.17.0.2:8080/*

Create test user

username: test
firstname: Theo
lastname: Tester

Password: test

Configure Drupal

Tested with drupal (7.x).

configure openid_connect module

in configuration -> web services -> openid_connect

Enabled OpenID Connect clients: select "generic"

clientid: drupal
client secret: 45acbe37-b05e-4aac-b721-d95abf27ad5a

Authorization endpoint: http://172.17.0.1:8081/auth/realms/master/protocol/openid-connect/auth
Token endpoint: http://172.17.0.1:8081/auth/realms/master/protocol/openid-connect/token
User Info endpoint: http://172.17.0.1:8081/auth/realms/master/protocol/openid-connect/userinfo

User claims mapping:
Time Zone: zoneinfo

add login block

structure -> blocks -> Disabled -> Select block "OpenID Connect login" -> add to sidebar first

To login simply point a browser to your drupal installation and click on "login with generic".

Nice work! but, how do yo map keycloal roles to drupal roles?
I've followed your steps and now I can log in to Drupal with a keycloak user, but inside Drupal this user has no rol.
Thanks!

@leitonet try to create a role in the drupal client within Keycloak.
Then assign the client role to a user - this might transfer the role to drupal.

Hello,

Thanks for this step by step instruction. One thing i noticed is that there is no log messages for certain errors or processes being done. There is an item under manage, called Events, but doesn't include any logs.

Is there any? Thanks!

Hi Thomas, I have done what you sad.

I have a client with the following roles: "ACO - Editor" and "Equipe Web".
I have assigned that roles to specific groups: "ACO Editores" and "GTI Equipe Web".
And these groups to the correct users on Keycloak server.

The user is created but no role is assigned properly.

How can I trace it?

Thanks a ton.

Best Regards,
Ricardo Morais

I get this error when I log in.
Could not retrieve tokens (-110 Connection timed out). Details:
https://example/openid-connect/generic?state=5idLuR3c-1igkC9CeJVDvPwc4neuFu-6uAiYxmIOy0w&session_state=300ff5b2-e1bb-466d-ba32-cf12e5369201&code=91edde40-6f9b-4939-a9b9-cbb63324a40e.300ff5b2-e1bb-466d-ba32-cf12e5369201.a5151b35-9060-478e-940b-f615fc5165d9

You have a solution????
Thank you!!!