push, missing gatekeeper config + KC illust
commit
766638d034
@ -0,0 +1,3 @@
|
|||||||
|
[submodule "keycloak-gatekeeper"]
|
||||||
|
path = keycloak-gatekeeper
|
||||||
|
url = https://github.com/oneconcern/keycloak-gatekeeper
|
@ -0,0 +1,43 @@
|
|||||||
|
# KEYCLOAK GATEKEEPER
|
||||||
|
|
||||||
|
Proxy pour service redirigeant vers Keycloak pour authentification
|
||||||
|
|
||||||
|
## PRE REQUIS
|
||||||
|
|
||||||
|
- Docker / docker compose
|
||||||
|
- Instance Keycloak
|
||||||
|
|
||||||
|
## CONFIFURATION
|
||||||
|
|
||||||
|
### Gatekeeper
|
||||||
|
|
||||||
|
#### Config file:
|
||||||
|
- Renseigner gatekeeper-config.yml:
|
||||||
|
```bash
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Coomands:
|
||||||
|
- Renseigner les champs suivants:
|
||||||
|
```bash
|
||||||
|
- "--discovery-url=https://<MON_KEYCLOAK>/auth/realms/<MON_REALM>/.well-known/openid-configuration"
|
||||||
|
- "--client-id=<CLIENT_ID>"
|
||||||
|
- "--client-secret=<CLIENT_SECRET>"
|
||||||
|
- "--listen=0.0.0.0:8880"
|
||||||
|
- "--upstream-url=http://<MON_SERVICE>:<PORT>"
|
||||||
|
```
|
||||||
|
|
||||||
|
### Keycloak
|
||||||
|
|
||||||
|
- Créer un client:
|
||||||
|
```bash
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
![keycloak illustration](docs/pic_1.png)
|
||||||
|
|
||||||
|
## UTILISATION
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker compose up -d
|
||||||
|
```
|
@ -0,0 +1,19 @@
|
|||||||
|
version: "3.9"
|
||||||
|
|
||||||
|
services:
|
||||||
|
gatekeeper:
|
||||||
|
image: gatekeeper
|
||||||
|
build:
|
||||||
|
context: keycloak-gatekeeper/
|
||||||
|
container_name: gatekeeper
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- 8880:8880
|
||||||
|
depends_on:
|
||||||
|
- sshwifty
|
||||||
|
command:
|
||||||
|
- "--discovery-url=https://<MON_KEYCLOAK>/auth/realms/<MON_REALM>/.well-known/openid-configuration"
|
||||||
|
- "--client-id=<CLIENT_ID>"
|
||||||
|
- "--client-secret=<CLIENT_SECRET>"
|
||||||
|
- "--listen=0.0.0.0:8880"
|
||||||
|
- "--upstream-url=http://<MON_SERVICE>:<PORT>"
|
@ -0,0 +1,91 @@
|
|||||||
|
|
||||||
|
# GATEKEEPER ENVS
|
||||||
|
# is the url for retrieve the openid configuration - normally the <server>/auth/realm/<realm_name>
|
||||||
|
discovery-url: https://<MON_KEYCLOAK>/auth/realms/<MON_REALM>/.well-known/openid-configuration
|
||||||
|
# the client id for the 'client' application
|
||||||
|
client-id: <CLIENT_ID>
|
||||||
|
# the secret associated to the 'client' application - note the client_secret is optional, required for
|
||||||
|
# oauth2 access_type=confidential i.e. the client is being verified
|
||||||
|
client-secret: <CLIENT_SECRET>
|
||||||
|
# the interface definition you wish the proxy to listen, all interfaces is specified as ':<port>'
|
||||||
|
listen: 127.0.0.1:3000
|
||||||
|
# the redirection url, essentially the site url, note: /oauth/callback is added at the end
|
||||||
|
redirection-url: http://<SERVICE>:3000
|
||||||
|
# the upstream endpoint which we should proxy request
|
||||||
|
upstream-url: http://<SERVICE>:<port>
|
||||||
|
# the encryption key used to encode the session state
|
||||||
|
encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6T8xKHWf5RPfqAocuiQ6nUbNHyc3oF2toO2tr
|
||||||
|
|
||||||
|
|
||||||
|
# whether to request offline access and use a refresh token
|
||||||
|
enable-refresh-tokens: true
|
||||||
|
# log all incoming requests
|
||||||
|
enable-logging: true
|
||||||
|
# log in json format
|
||||||
|
enable-json-logging: true
|
||||||
|
# should the access token be encrypted - you need an encryption-key if 'true'
|
||||||
|
enable-encrypted-token: false
|
||||||
|
# do not redirec the request, simple 307 it
|
||||||
|
no-redirects: false
|
||||||
|
# the location of a certificate you wish the proxy to use for TLS support
|
||||||
|
tls-cert:
|
||||||
|
# the location of a private key for TLS
|
||||||
|
tls-private-key:
|
||||||
|
# the public key for the ca, used for mutual TLS
|
||||||
|
tls-ca-certificate:
|
||||||
|
# the name of the access cookie, defaults to kc-access
|
||||||
|
cookie-access-name:
|
||||||
|
# the name of the refresh cookie, default to kc-state
|
||||||
|
cookie-refresh-name:
|
||||||
|
# upstream-keepalives specified wheather you want keepalive on the upstream endpoint
|
||||||
|
upstream-keepalives: true
|
||||||
|
# skip the tls verification of the upstream url
|
||||||
|
skip-upstream-tls-verify: true|false
|
||||||
|
# additional scopes to add to add to the default (openid+email+profile)
|
||||||
|
scopes: []
|
||||||
|
# enables a more extra secuirty features
|
||||||
|
enable-security-filter: true
|
||||||
|
# headers permits you to inject custom headers into all requests
|
||||||
|
headers:
|
||||||
|
myheader_name: my_header_value
|
||||||
|
# a map of claims that MUST exist in the token presented and the value is it MUST match
|
||||||
|
# So for example, you could match the audience or the issuer or some custom attribute
|
||||||
|
match-claims:
|
||||||
|
aud: openvpn
|
||||||
|
iss: https://keycloak.example.com/auth/realms/commons
|
||||||
|
# a list of claims to inject into the authentication headers i.e. given_name -> X-Auth-Given-Name
|
||||||
|
add-claims:
|
||||||
|
- given_name
|
||||||
|
- family_name
|
||||||
|
- name
|
||||||
|
# a collection of resource i.e. urls that you wish to protect
|
||||||
|
resources:
|
||||||
|
- uri: /admin/test*
|
||||||
|
# the methods on this url that should be protected, if missing, we assuming all
|
||||||
|
methods:
|
||||||
|
- GET
|
||||||
|
# a list of roles the user must have in order to accces urls under the above
|
||||||
|
roles:
|
||||||
|
- openvpn:vpn-test
|
||||||
|
- uri: /admin/white_listed
|
||||||
|
# permits a url prefix through, bypassing the admission controls
|
||||||
|
white-listed: true
|
||||||
|
- uri: /admin/*
|
||||||
|
methods:
|
||||||
|
- GET
|
||||||
|
roles:
|
||||||
|
- openvpn:vpn-user
|
||||||
|
- openvpn:prod-vpn
|
||||||
|
|
||||||
|
# an array of origins (Access-Control-Allow-Origin)
|
||||||
|
cors-origins: []
|
||||||
|
# an array of headers to apply (Access-Control-Allow-Headers)
|
||||||
|
cors-headers: []
|
||||||
|
# an array of expose headers (Access-Control-Expose-Headers)
|
||||||
|
cors-exposed-headers: []
|
||||||
|
# an array of methods (Access-Control-Allow-Methods)
|
||||||
|
cors-methods: []
|
||||||
|
# the credentials flag (Access-Control-Allow-Credentials)
|
||||||
|
cors-credentials: true|false
|
||||||
|
# the max age (Access-Control-Max-Age)
|
||||||
|
cors-max-age: 1h
|
@ -0,0 +1 @@
|
|||||||
|
Subproject commit 41596cbaf63bcfd380101686aa6582a44092f42d
|
Loading…
Reference in New Issue