mercoledì 17 giugno 2020

SSO With Keycloak and Liferay

My intent is to configure SSO on Keycloak and Liferay.
I have createad a docker-compose environment  with Keycloak:

################################

version: '3.7'
services:
  mysql:
    image: mysql:5.7.29
    container_name: mysql-SSO
    ports:
      - "3306:3306"
    environment:
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD=password
      - MYSQL_ROOT_PASSWORD=root_password
    healthcheck:
      test: "mysqladmin ping -u root -p$${MYSQL_ROOT_PASSWORD}"
      start_period: 10s

  keycloak:
    image: jboss/keycloak:9.0.3
    container_name: keycloak-SSO
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - DB_VENDOR=mysql
      - DB_ADDR=mysql
      - DB_USER=keycloak
      - DB_PASSWORD=password
      - JDBC_PARAMS=useSSL=false
    ports:
      - 8080:8080
    depends_on:
      - mysql
    healthcheck:
      test: "curl -f http://localhost:8080/auth || exit 1"
      start_period: 10s


################################

At first I tryed to configure SSO using a Liferay Docker image:

docker run --name='liferay' -d -p 8081:8080 liferay/portal:7.1.0-ga1-201809012030

 

Unfortunately I have a redirection error on liferay when it receives the auth token from Keycloak. So I decided to give a test with a real instance of Liferay, so I installed it and started Liferay.


I changed Liferay Tomcat port to 8090.

So I did the following cofiguration steps:

on Keycloak:
  
  • Realm Settings: click on Endpoints "OpenId Endpoint Configuration" and leave the tab opened, we well need those values in a while.
  • Clients: Create new Client
 

  • Credentials: copy client secrets.  

  • Identity Providers: Create a new idp: Keycloak OpenID Connect, use the tab we left open at step 1 to fill URLS and choose "Client secrets sent as basic auth" on Client Authentication, and the client-id has to be the same of the one configured before.
  • Users: create a user, and set passwords in Credentials.
  •  
    On Liferay:
  • Configuration -> System Settings -> SSO -> OpenIdConnect: Check Enabled  
  • Configuration -> System Settings -> SSO -> OpenId Connect Provider: create new provider:
    • provider name: keycloak idp
    • secret: keycloak clients secret
    • Provider Name: from Keycloak
    • OpenID Connect Client ID: from Keycloak
    • OpenID connect client secret: from Keycloak
    • Scopes: openid email profile
    • Discovery Endpoint Cache in Milliseconds: 360000
    • Authorization Endpoint: http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
    • Issuer URL: http://localhost:8080/auth/realms/master
    • JWKS URI: http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
    • ID Token Signing Algorithms: RS256
    • Subject Types: public
    • Token Endpoint: http://localhost:8080/auth/realms/master/protocol/openid-connect/token
    • User Information Endpoint: http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo
  • Go to anonymous page and click on sign in. Then click on OpenId Connect.
  • Login with the user created in Keycloak and pray.

Once signed in on Liferay through OpenIdConnect Liferay could require email verification.
If it happens we have to disable the functionality in authentication settings.

Nessun commento:

How to deploy Podman images to OpenShift Container Platform (CRC on localhost)

I have a microservice on localhost and I want to deploy its Podman image on OCP, which I am running using CRC on localhost.       1. Get the...