RHIDP-7834-RHIDP-7634-RHIDP-598 Refactor authenticating with RHBK (#1231)

themr0c · Gerry-Forde · web-flow · commit cbda9e6a502a · 2025-07-08T10:29:28.000+02:00
Co-authored-by: Gerry-Forde &lt;63045020+Gerry-Forde@users.noreply.github.com&gt;
diff --git a/assemblies/assembly-authenticating-with-rhbk.adoc b/assemblies/assembly-authenticating-with-rhbk.adoc
@@ -1,13 +1,8 @@
 [id="assembly-authenticating-with-rhbk"]
 = Authenticating with {rhbk-brand-name} ({rhbk})
 
-To authenticate users with {rhbk-brand-name} ({rhbk}):
 
-. xref:enabling-authentication-with-rhbk[Enable the OpenID Connect (OIDC) authentication provider in RHDH].
-. xref:provisioning-users-from-rhbk-to-the-software-catalog[Provision users from {rhbk-brand-name} ({rhbk}) to the software catalog].
+include::modules/authentication/proc-enabling-user-authentication-with-rhbk.adoc[leveloffset=+1]
 
-include::modules/authentication/proc-enabling-authentication-with-rhbk.adoc[leveloffset=+1]
-
-include::modules/authentication/proc-provisioning-users-from-rhbk-to-the-software-catalog.adoc[leveloffset=+1]
 
 include::modules/authentication/proc-creating-a-custom-transformer-to-provision-users-from-rhbk-to-the-software-catalog.adoc[leveloffset=+1]
diff --git a/modules/authentication/proc-creating-a-custom-transformer-to-provision-users-from-rhbk-to-the-software-catalog.adoc b/modules/authentication/proc-creating-a-custom-transformer-to-provision-users-from-rhbk-to-the-software-catalog.adoc
@@ -4,7 +4,7 @@
 To customize how {rhbk} users and groups are mapped to {product} entities, you can create a backend module that uses the `keycloakTransformerExtensionPoint` to provide custom user and group transformers for the Keycloak backend.
 
 .Prerequisites
-* You have xref:provisioning-users-from-rhbk-to-the-software-catalog[enabled provisioning users from {rhbk-brand-name} ({rhbk}) to the software catalog].
+* You have xref:enabling-user-authentication-with-rhbk[enabled provisioning users from {rhbk-brand-name} ({rhbk}) to the software catalog].
 
 .Procedure
 . Create a new backend module with the `yarn new` command.
diff --git a/modules/authentication/proc-enabling-user-authentication-with-github.adoc b/modules/authentication/proc-enabling-user-authentication-with-github.adoc
@@ -61,7 +61,7 @@ Enter your GitHub organization name, such as `__<your_github_organization_name>_
 This plugin ingests GitHub users and groups to the {product-short} software catalog.
 +
 .`dynamic-plugins.yaml` file fragment
-[code,yaml]
+[source,yaml]
 ----
 plugins:
   - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org'
diff --git a/modules/authentication/proc-enabling-user-authentication-with-rhbk.adoc b/modules/authentication/proc-enabling-user-authentication-with-rhbk.adoc
@@ -1,12 +1,12 @@
-[id="enabling-authentication-with-rhbk"]
-= Enabling authentication with {rhbk-brand-name} ({rhbk})
-
-To authenticate users with {rhbk-brand-name} ({rhbk}), enable the OpenID Connect (OIDC) authentication provider in {product}.
+[id="enabling-user-authentication-with-rhbk"]
+= Enabling user authentication with {rhbk-brand-name} ({rhbk})
 
+To authenticate users with {rhbk-brand-name} ({rhbk}), enable and configure the OpenID Connect (OIDC) authentication provider in {product} and provision the users and groups from {rhbk} to the {product-short} software catalog.
 
 .Prerequisites
 * You link:{configuring-book-url}[added a custom {product-short} application configuration], and have sufficient permissions to modify it.
-* You have sufficient permissions in {rhsso} to create and manage a realm.
+* You have sufficient permissions in {rhsso} to create and manage a realm and a client.
+Alternatively, your {rhbk} administrator can prepare in {rhbk} the required realm and client for you.
 
 .Procedure
 . To allow {product-short} to authenticate with {rhbk}, complete the steps in {rhbk}, to link:https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html/getting_started_guide/getting-started-zip-#getting-started-zip-create-a-realm[create a realm and a user] and link:https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html/getting_started_guide/getting-started-zip-#getting-started-zip-secure-the-first-application[secure the first application]:
@@ -25,15 +25,143 @@ Save the value for the next step:
 
 .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html-single/getting_started_guide/index#getting-started-zip-create-a-user[create a user]. Save the user credential information for the verification steps.
 
-. To add your {rhsso} credentials to your {product-short}, add the following key/value pairs to link:{configuring-dynamic-plugins-book-url}#provisioning-your-custom-configuration[your {product-short} secrets]:
+. To add your {rhsso} credentials to {product-short}, add the following key/value pairs to link:{configuring-dynamic-plugins-book-url}#provisioning-your-custom-configuration[your {product-short} secrets].
+You can use these secrets in the {product-short} configuration files by using their respective environment variable name.
++
+`AUTHENTICATION_OIDC_CLIENT_ID`::
+Enter the saved **Client ID**.
+
+`AUTHENTICATION_OIDC_CLIENT_SECRET`::
+Enter the saved **Client Secret**.
+
+`AUTHENTICATION_OIDC_METADATA_URL`::
+Enter the saved **{rhbk} realm base URL**.
+
+. Enable the Keycloak organization plugin (`backstage-plugin-catalog-backend-module-keycloak-dynamic`).
+The plugin is named after {rhbk} upstream project.
+This plugin ingests {rhbk} users and groups to the {product-short} software catalog.
++
+.`dynamic-plugins.yaml` file fragment
+[source,yaml]
+----
+plugins:
+  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-keycloak-dynamic'
+    disabled: false
+----
+
+. To provision {rhbk} users and groups to the {product-short} software catalog, add the `catalog.providers.keycloakOrg` section to your custom {product-short} `{my-app-config-file}` configuration file:
+
+.. Add mandatory fields:
 +
-`AUTH_OIDC_CLIENT_ID`:: Enter the saved **Client ID**.
-`AUTH_OIDC_CLIENT_SECRET`:: Enter the saved **Client Secret**.
-`AUTH_OIDC_METADATA_URL`:: Enter the saved **{rhbk} realm base URL**.
+[id=keycloakOrgProviderId]
+.`{my-app-config-file}` fragment with mandatory `keycloakOrg` fields
+[source,yaml]
+----
+catalog:
+  providers:
+    keycloakOrg:
+      default:
+        baseUrl: ${AUTHENTICATION_OIDC_METADATA_URL}
+        clientId: ${AUTHENTICATION_OIDC_CLIENT_ID}
+        clientSecret: ${AUTHENTICATION_OIDC_CLIENT_SECRET}
+        realm: master
+        loginRealm: master
+----
+
+`baseUrl`::
+Enter your {rhbk} server URL, defined when xref:enabling-user-authentication-with-rhbk[enabling authentication with {rhbk}].
+
+`clientId`::
+Enter your {product-short} application client ID in {rhbk}, defined when xref:enabling-user-authentication-with-rhbk[enabling authentication with {rhbk}].
+
+`clientSecret`::
+Enter your {product-short} application client secret in {rhbk}, defined when xref:enabling-user-authentication-with-rhbk[enabling authentication with {rhbk}].
+
+`realm`::
+Enter the realm name to provision users, such as `master`.
+
+`loginRealm`::
+Enter the realm name to authenticate users, such as `master`.
+
+.. Optional: Consider adding optional fields:
+
+`userQuerySize`::
+Enter the user count to query simultaneously.
+Default value: `100`.
++
+.`{my-app-config-file}` fragment with optional `userQuerySize` field
+[source,yaml]
+----
+catalog:
+  providers:
+    keycloakOrg:
+      default:
+        userQuerySize: 100
+----
+
+`groupQuerySize`::
+Enter the group count to query simultaneously.
+Default value: `100`.
++
+.`{my-app-config-file}` fragment with optional `groupQuerySize` field
+[source,yaml]
+----
+catalog:
+  providers:
+    keycloakOrg:
+      default:
+        groupQuerySize: 100
+----
+
+`schedule.frequency`::
+Enter the schedule frequency.
+Supports cron, ISO duration, and "human duration" as used in code.
++
+.`{my-app-config-file}` fragment with optional `schedule.frequency` field
+[source,yaml]
+----
+catalog:
+  providers:
+    keycloakOrg:
+      default:
+        schedule:
+          frequency: { hours: 1 }
+----
+
+`schedule.timeout`::
+Enter the timeout for the user provisioning job.
+Supports ISO duration and "human duration" as used in code.
++
+.`{my-app-config-file}` fragment with optional `schedule.timeout` field
+[source,yaml]
+----
+catalog:
+  providers:
+    keycloakOrg:
+      default:
+        schedule:
+          timeout: { minutes: 50 }
+----
+
+`schedule.initialDelay`::
+Enter the initial delay to wait for before starting the user provisioning job.
+Supports ISO duration and "human duration" as used in code.
++
+.`{my-app-config-file}` fragment with optional `schedule.initialDelay` field
+[source,yaml]
+----
+catalog:
+  providers:
+    keycloakOrg:
+      default:
+        schedule:
+          initialDelay: { seconds: 15}
+----
+--
 
 . To set up the {rhbk} authentication provider in your {product-short} custom configuration, edit your custom {product-short} ConfigMap such as `app-config-rhdh`, and add the following lines to the `{my-app-config-file}` content:
 
-.. Configure mandatory fields:
+.. Add mandatory fields:
 +
 .`{my-app-config-file}` fragment with mandatory fields to enable authentication with {rhbk}
 [source,yaml]
@@ -43,9 +171,9 @@ auth:
   providers:
     oidc:
       production:
-        metadataUrl: ${AUTH_OIDC_METADATA_URL}
-        clientId: ${AUTH_OIDC_CLIENT_ID}
-        clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
+        metadataUrl: ${AUTHENTICATION_OIDC_METADATA_URL}
+        clientId: ${AUTHENTICATION_OIDC_CLIENT_ID}
+        clientSecret: ${AUTHENTICATION_OIDC_CLIENT_SECRET}
         prompt: auto
 signInPage: oidc
 ----
@@ -61,12 +189,14 @@ To enable the OIDC provider as default sign-in provider.
 
 `prompt: auto`::
 To allow the identity provider to automatically determine whether to prompt for credentials or bypass the login redirect if an active {rhsso} session exists.
-
++
 [NOTE]
 ====
 If `prompt: auto` is not set, the identity provider defaults to `prompt: none`, which assumes that you are already logged in and rejects sign-in requests without an active session.
 ====
 
+.. Optional: Consider adding optional fields:
+
 `callbackUrl`::
 {rhbk} callback URL.
 +
@@ -77,7 +207,7 @@ auth:
   providers:
     oidc:
       production:
-        callbackUrl: ${AUTH_OIDC_CALLBACK_URL}
+        callbackUrl: ${AUTHENTICATION_OIDC_CALLBACK_URL}
 ----
 
 `tokenEndpointAuthMethod`::
@@ -90,7 +220,7 @@ auth:
   providers:
     oidc:
       production:
-        tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_METHOD}
+        tokenEndpointAuthMethod: ${AUTHENTICATION_OIDC_TOKEN_ENDPOINT_METHOD}
 ----
 
 `tokenSignedResponseAlg`::
@@ -103,39 +233,47 @@ auth:
   providers:
     oidc:
       production:
-        tokenSignedResponseAlg: ${AUTH_OIDC_SIGNED_RESPONSE_ALG}
+        tokenSignedResponseAlg: ${AUTHENTICATION_OIDC_SIGNED_RESPONSE_ALG}
 ----
 
-`scope`::
-{rhbk} scope.
+`additionalScopes`::
+Enter additional {rhbk} scopes to request for during the authentication flow.
 +
-.`{my-app-config-file}` fragment with optional `scope` field
+.`{my-app-config-file}` fragment with optional `additionalScopes` field
 [source,yaml]
 ----
 auth:
   providers:
     oidc:
       production:
-        scope: ${AUTH_OIDC_SCOPE}
+        additionalScopes: ${AUTHENTICATION_OIDC_SCOPE}
 ----
 
 `signIn`::
 `resolvers`:::
 After successful authentication, the user signing in must be resolved to an existing user in the {product-short} catalog.
 To best match users securely for your use case, consider configuring a specific resolver.
++
 Enter the resolver list to override the default resolver: `oidcSubClaimMatchingKeycloakUserId`.
 +
+Available values:
+
+`oidcSubClaimMatchingKeycloakUserId`::::
+Matches the user with the immutable `sub` parameter from OIDC to the {RHBK} user ID.
+Consider using this resolver for enhanced security.
+
+`emailLocalPartMatchingUserEntityName`::::
+Matches the email local part with the user entity name.
+
+`emailMatchingUserEntityProfileEmail`::::
+Matches the email with the user entity profile email.
+
+`preferredUsernameMatchingUserEntityName`::::
+Matches the preferred username with the user entity name.
++
 The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
 +
 WARNING: In production mode, only configure one resolver to ensure users are securely matched.
-
-`resolver`::::
-Enter the sign-in resolver name.
-Available values:
-* `oidcSubClaimMatchingKeycloakUserId`
-* `emailLocalPartMatchingUserEntityName`
-* `emailMatchingUserEntityProfileEmail`
-* `preferredUsernameMatchingUserEntityName`
 +
 .`{my-app-config-file}` fragment with optional `resolvers` list
 [source,yaml]
@@ -165,9 +303,9 @@ auth:
   providers:
     oidc:
       production:
-        metadataUrl: ${AUTH_OIDC_METADATA_URL}
-        clientId: ${AUTH_OIDC_CLIENT_ID}
-        clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
+        metadataUrl: ${AUTHENTICATION_OIDC_METADATA_URL}
+        clientId: ${AUTHENTICATION_OIDC_CLIENT_ID}
+        clientSecret: ${AUTHENTICATION_OIDC_CLIENT_SECRET}
         signIn:
           resolvers:
             - resolver: oidcSubClaimMatchingKeycloakUserID
@@ -212,6 +350,18 @@ If multiple valid refresh tokens are issued due to frequent refresh token reques
 ====
 
 .Verification
-. Go to the {product-short} login page.
-. Your {product-short} sign-in page displays *Sign in using OIDC* and the Guest user sign-in is disabled.
-. Log in with OIDC by using the saved **Username** and **Password** values.
+
+. To verify user and group provisioning, check the console logs.
++
+.Successful synchronization example:
+[source]
+----
+2025-06-27T16:02:34.647Z catalog info Read 5 Keycloak users and 3 Keycloak groups in 0.4 seconds. Committing... class="KeycloakOrgEntityProvider" taskId="KeycloakOrgEntityProvider:default:refresh" taskInstanceId="db55c34b-46b3-402b-b12f-2fbc48498e82" trace_id="606f80a9ce00d1c86800718c4522f7c6" span_id="7ebc2a254a546e90" trace_flags="01"
+
+2025-06-27T16:02:34.650Z catalog info Committed 5 Keycloak users and 3 Keycloak groups in 0.0 seconds. class="KeycloakOrgEntityProvider" taskId="KeycloakOrgEntityProvider:default:refresh" taskInstanceId="db55c34b-46b3-402b-b12f-2fbc48498e82" trace_id="606f80a9ce00d1c86800718c4522f7c6" span_id="7ebc2a254a546e90" trace_flags="01"
+----
+
+. To verify {rhbk} user authentication:
+.. Go to the {product-short} login page.
+.. Your {product-short} sign-in page displays *Sign in using OIDC* and the Guest user sign-in is disabled.
+.. Log in with OIDC by using the saved **Username** and **Password** values.
diff --git a/modules/authentication/proc-provisioning-users-from-rhbk-to-the-software-catalog.adoc b/modules/authentication/proc-provisioning-users-from-rhbk-to-the-software-catalog.adoc

Original file line number	Diff line number	Diff line change
@@ -61,7 +61,7 @@ Enter your GitHub organization name, such as `__<your_github_organization_name>_
`61`	`61`	`This plugin ingests GitHub users and groups to the {product-short} software catalog.`
`62`	`62`	`+`
`63`	`63`	.`dynamic-plugins.yaml` file fragment
`64`		`-[code,yaml]`
	`64`	`+[source,yaml]`
`65`	`65`	`----`
`66`	`66`	`plugins:`
`67`	`67`	`- package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-org'`