42 changes: 40 additions & 2 deletions content/nim/admin-guide/authentication/oidc/keycloak-setup.md
@@ -47,8 +47,19 @@ Follow these steps to configure Keycloak.

After the client is created, configure it as follows:

1. On the **Settings** tab, in the **Access Type** list, select **confidential**.
2. On the **Mappers** tab, select **Add Builtin**, and select **groups**. This exports the user's Keycloak Realm Role information for NGINX Instance Manager to use.
#### For Keycloak versions earlier than 18.x

1. On the **Settings** tab, set **Access Type** to **confidential**.
2. On the **Mappers** tab, select **Add Builtin** and choose **groups** to export Keycloak Realm Role information for NGINX Instance Manager.

#### For Keycloak versions 18.x and later

1. On the **Settings** tab, under **Capability config**, enable **Client authentication**.
2. In the **Authentication flow** section, enable **Direct Access Grants** and **Service Account**.
3. Go to the **Client Scopes** tab.
- Select the scope named **<client_name>-dedicated (nim-dedicated)**.
- On the **Mappers** tab, click **Configure new Mapper** and choose **From predefined mappers**.
- Search for **groups** and select **Add groups mapper**.

### Create Keycloak Roles

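Review bot: the placeholder `<client_name>` in the step "Select the scope named **<client_name>-dedicated (nim-dedicated)**" is raw HTML to a Markdown renderer and will most likely be swallowed, leaving "**-dedicated (nim-dedicated)**" on the page; wrap it in backticks or escape the angle brackets. The pre-18.x text also explains that the groups mapper exports the user's Keycloak Realm Role information for NGINX Instance Manager, but the 18.x steps end at "Add groups mapper" without saying why; carrying that sentence over keeps the purpose visible. Lastly, "Direct Access Grants" enables the password grant for this client, which is a broader capability than the authorization code flow; a short line stating why NGINX Instance Manager needs it (and Service Account) would help administrators decide whether it must stay enabled.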
@@ -119,6 +130,8 @@ To configure NGINX Instance Manager with the necessary OIDC settings, follow the

- Export the environment variables:

- **For Keycloak versions earlier than 18.x**:

```bash
# Either the FQDN or the IP address is suitable for these environment variables.
export KEYCLOAK_IP="<insert-keycloak-IP>"
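Review bot: the new sub-bullet "**For Keycloak versions earlier than 18.x**:" now sits between the parent bullet "Export the environment variables:" and the existing ```bash block, so that block (including its closing fence) must be indented one level deeper than before or the renderer will close the list before the code; the rendered diff does not show indentation, so please check the preview. Note also that this older block keeps the `/auth/realms/` path in its discovery URL while the 18.x block uses `/realms/`; a one-line remark that the `/auth` prefix was removed in newer Keycloak releases would stop readers from mixing the two.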
@@ -134,6 +147,31 @@ To configure NGINX Instance Manager with the necessary OIDC settings, follow the
export KEYCLOAK_KEYS_ENDPOINT=$(curl -k "https://$KEYCLOAK_IP:8443/auth/realms/<realm-name>/.well-known/openid-configuration" | jq -r ".jwks_uri")
```

- **For Keycloak versions 18.x and later**:

```bash
# Either the FQDN or the IP address is suitable for these environment variables.
export KEYCLOAK_IP="<insert-keycloak-IP>"
export NIM_IP="<insert-NIM-IP>"
export KEYCLOAK_CLIENT_ID="<insert-keycloak-client-id>"
export KEYCLOAK_CLIENT_SECRET="<insert-kecloak-client-secret>"

# Choose an appropriate Hash-Based Message Authentication Code (HMAC)
export HMAC_KEY="<insert-HMAC>"

export KEYCLOAK_AUTH_ENDPOINT=$(curl -k \
"https://$KEYCLOAK_IP:8443/realms/<realm-name>/.well-known/openid-configuration" | \
jq -r ".authorization_endpoint")

export KEYCLOAK_TOKEN_ENDPOINT=$(curl -k \
"https://$KEYCLOAK_IP:8443/realms/<realm-name>/.well-known/openid-configuration" | \
jq -r ".token_endpoint")

export KEYCLOAK_KEYS_ENDPOINT=$(curl -k \
"https://$KEYCLOAK_IP:8443/realms/<realm-name>/.well-known/openid-configuration" | \
jq -r ".jwks_uri")
```

- Back up the original configuration files:

```bash
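Review bot: `curl -k` on all three `export KEYCLOAK_*_ENDPOINT` lines disables TLS certificate verification for the very request that decides where NGINX Instance Manager will send users and fetch signing keys (`authorization_endpoint`, `token_endpoint`, `jwks_uri`); anyone able to intercept that fetch could substitute their own endpoints. Prefer `--cacert <keycloak-ca.pem>` (or a certificate the system already trusts) and reserve `-k` for explicitly labelled lab use. Smaller points in the same block: the placeholder on the `KEYCLOAK_CLIENT_SECRET` line reads `<insert-kecloak-client-secret>` (typo for keycloak); the comment "Choose an appropriate Hash-Based Message Authentication Code (HMAC)" describes a key rather than a code, so "HMAC key" with a generation hint such as `openssl rand -hex 32` would be clearer; and the discovery document is downloaded three times where one `curl` into a variable followed by three `jq` calls would do.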