The Compose file includes a Keycloak instance that you can use for authentication instead of spinning up a separate one or using one of the deployed instances. (It's enabled by default but running it won't prevent you from using a separate instance.)
There are some defaults that are part of this.
SSL Certificate: There's a self-signed cert that's in config/keycloak/tls - if you'd rather set up your own (or you have a real cert or something to use), you can drop the PEM files in there. See the README there for info.
Realm: There's a default-realm.json in config/keycloak that will get loaded by Keycloak when it starts up, and will set up a realm for you with some users and a client so you don't have to set it up yourself. The realm it creates is called ol-local.
The users it sets up are:
| User | Password |
|---|---|
student@odl.local |
student |
prof@odl.local |
prof |
admin@odl.local |
admin |
The client it sets up is called apisix. You can change the passwords and get the secret in the admin.
If you don't have a Keycloak instance running locally already, you can use the pack-in one. It starts with the rest of the services and is configured to be at http://kc.ol.local:8006 and https://kc.ol.local:8007 by default (but you can change this in the env files).
Some setup is required to use the pack-in instance:
- Set required keycloak environment values in your
.envfile:- Set a keystore password via
KEYCLOAK_SVC_KEYSTORE_PASSWORD. This is required, but the password need not be anything special. - Set
KEYCLOAK_CLIENT_SECRET; ask another developer for the relevant value.
- Set a keystore password via
- Optionally add
KEYCLOAK_SVC_HOSTNAME,KEYCLOAK_SVC_ADMIN, andKEYCLOAK_SVC_ADMIN_PASSWORDto your.envfile.KEYCLOAK_SVC_HOSTNAMEis the hostname you want to use for the instance - the default iskc.ol.local.KEYCLOAK_SVC_ADMINis the admin username. The default isadmin.KEYCLOAK_SVC_ADMIN_PASSWORDis the admin password. The default isadmin.
- Re-start the stack.
The Keycloak container should start and stay running. Once it does, you should be able to log in at https://kc.ol.local:8007 with username and password admin (or the values you supplied).
If you'd rather use a separate Keycloak instance, ensure these settings are present in the appropriate env file (best is probably backend.local.env):
-
KEYCLOAK_REALMSets the realm used by APISIX for Keycloak authentication. Defaults to
ol-local. -
KEYCLOAK_DISCOVERY_URLSets the discovery URL for the Keycloak OIDC service. (In Keycloak admin, navigate to the realm you're using, then go to Realm Settings under Configure, and the link is under OpenID Endpoint Configuration.) This defaults to a valid value for the pack-in Keycloak instance.
-
KEYCLOAK_CLIENT_IDThe client ID for the OIDC client for APISIX. Defaults to
apisix. -
KEYCLOAK_CLIENT_SECRETThe client secret for the OIDC client. No default - you will need to get this from the Keycloak admin, even if you're using the pack-in Keycloak instance.
If you're using a Keycloak instance also hosted within a Docker container on the same machine you're running the AI chatbots, you'll need to make sure it can be seen from within the
apigatewaycontainer. This will require some work on your part - generally, stuff within Composer environments can't see things outside of their own environment. There's an example of this in thedocker-compose.services.ymlfile if your Keycloak instance uses a Compose environment, as we use it so that the Keycloak OIDC URLs all match externally and internally.