Keycloak Is AWESOME! Single Sign On Made Easy!

Captions
Hey everybody, and welcome back to Jim's Garage. Today we're continuing our home lab journey and we're revisiting authentication and authorization, but whilst we've already touched on things like Authelia and Authentik, today we're moving into the big leagues and we're talking about Keycloak. Now Keycloak is a Red Hat sponsored solution to authorization and authentication, and it's a bit more like the bigger brother of those two I've just mentioned. So it's going to do things like single sign-on, identity brokering and social login, which is a big thing, so you'll be able to log in with your GitHub account or your Google, Facebook, Instagram, whatever it is, and you'll be able to use that account to actually log in to all of your local applications, which is pretty powerful, right? So not only is it an identity provider, it also can do things like federation by tying in with your LDAP solution that you might have. So in this video I'm going to show you how to deploy it, and it's taken me a while to figure out how to actually get this nice in a Docker Compose file. We'll go through that in a moment, but it's safe to say that the documentation wasn't fantastic and even things like the variable names are not consistent. So once we've deployed it I'll show you how to integrate it into Proxmox and Portainer, so you'll get single sign-on with both of those applications, so you'll be able to use the same account within Keycloak to log on to them both with just one click, which is pretty awesome, right? So let's dive into a quick feature review of Keycloak, then we'll walk through the compose file and then we'll get onto deployment.

So over on Keycloak's website you can see all of the features and the benefits of using this solution. So not only is it open source, which is a massive win for a company like Red Hat to be sponsoring it, but you can also see all of the different features and integrations. So here you can see a quick sneak peek of the UI, and we'll come on to that in a moment; the identity and brokering solution, so you can see here examples with Google, GitHub and Facebook and basically anything that supports OpenID, Kerberos or SAML, and we'll come on to that later. We can do federation with things like Active Directory or any LDAP solution, and there's a really cool, handy admin console, so that once we've got this deployed you can do all of the management through the web GUI. Much like Authelia and Authentik, you get the ability to manage your account, revoke passwords, update details, and that's important because depending on what you're wanting to share with your applications regarding your Keycloak profile, you might need to update that over time. It's built upon standard protocols, so OpenID, SAML and OAuth 2, which are pretty much the industry leaders in their respective fields. And to give you a sneak peek of what it will look like when we set this up, here's my Keycloak that I set up earlier, and if we log into the administrative console using my username and password, you can see that I have a whole load of options available to me. We're not going to be able to cover all of the options in this video, but what I will show you is the OAuth section to it, which will allow you to replace Authentik and hopefully give you the tools and enough information to be able to go and configure this for all of your applications that support it.

So heading over to the deployment, let's have a look through the Docker Compose. Now believe it or not, this took me quite a while to figure out, because the documentation isn't great and there's a lot of conflicting older documentation because things have changed; it's being rapidly developed. So the first thing that you'll notice is this is a multi-container deployment, albeit it's only two containers. So we're back with our good old friend Postgres for our database, and Keycloak is going to be storing all of its keys and all of its persistent data within this database. So there's nothing here that's fundamentally different from previous installations of Postgres: we need to specify a database, a user and a password, and I recommend that you store these in an environment file for security and ease, but I'm not going to do this for this demonstration because I want to keep it nice and simple. The main thing to do here is just to specify a volume on your Docker host and make sure that that's backed up. I've created a new network here called keycloak, and both of these containers will be on that network, and that's pretty much it for Postgres.

So the interesting part now is in the Keycloak. So for this Keycloak I've made sure that I've added the Traefik labels and put it on the proxy network, so that it's going to have SSL certificates and it's going to play nicely within your browser; that was the easy part. I've also added it to the keycloak network so that it can connect to the database. Now the tricky bit here was all of these environment variables, because as you can see some of them start with KC, some of them start with DB and some of them start with KEYCLOAK, and I don't know why that is; there's a lack of consistency which is really confusing, but hopefully you can use this and get it up and running on your end. Here we can see that we're creating a command to start this, and this is going to run it in production mode. You can do it in a start-dev mode; you'd put it in a dev mode if you wanted to go and do some development with it, but I'm going to assume that you just want to get this up and running within your home lab. Within these variables there's nothing too much to take note of. The way that this is configured is so that it will run behind Traefik, so we've got that there's a proxy address forwarding true, which is true; we're going to be letting the proxy do all of the SSL termination and forward those requests. I've set the hostname to be keycloak.jimsgarage.co.uk, it's going to act in edge mode, and HTTP is enabled. If you don't have that it's going to request a certificate, but we want Traefik to handle that certificate for us, so we run this in HTTP. You can see down here that it's using port 80, which is the HTTP port, and we get all the benefits of still having the SSL because we've got Traefik in front of it. Other than that it's straightforward; we just need to specify the database credentials, which you can see are taken from the previous container.

So before we deploy this, we're going to want to make sure that we create this folder location here, so that we can be sure that the persistence stays between reboots. So on your host create this folder here, and we're going to want to create postgresql_data, in my case in the keycloak folder. So I create a new folder, I'm going to call it postgresql_data, and there we go. But there's one last thing we need to do, and that's to change the permissions of this folder. Now Postgres expects to be running as user 1001, so we're going to need to do a chown, a change owner, to reflect that. So over in your terminal you're going to want to run sudo chown (change owner) with 1001 as the user, 1001 as the group, and you're going to specify the folder that we've just created. So when we hit return we should be able to do a refresh within WinSCP, and with any luck we should see that reflected. So yeah, here you can see that the owner is now 1001, and that's great; we're now in a position to go and fire up the container.

So let's do a sudo docker compose up -d. Now I've already downloaded these containers just to help with this video, but when we've run that hopefully it should download and you'll get the following message that it's created those containers. Once you've got the message that's on screen, let's hop into Portainer and just make sure that everything's okay. Now over in Portainer you can see that both containers have been created, so let's check the database first. That all looks good, and it says the database system is ready to accept connections; great. And I did note when I was playing around with this beforehand that if there are any issues with Keycloak not being able to connect to the database, this container usually is in an exited state, i.e. it's crashed. So this is looking good, so let's check the logs. This all looks fine; looks like there's a lot going on here, but that's usually a sign that it's connected to the database and it's creating all the tables and files and records that it needed. And perfect, at the bottom you can see that it's added user admin to the realm master; we'll get into realms in a minute, but that's good. So everything is up and running and there's no errors in the logs, and as you can see in my Docker Compose file I've specified the URL to be keycloak.jimsgarage.co.uk and I've added that record to my internal DNS resolver, so I should now be able to hit that within my browser and be greeted with the dashboard. Brilliant, we've managed to get in.

Okay, so to continue you want to hit the administration console, and this is the bit that I gave you a sneak peek of earlier. So it's going to load the admin and then it's going to ask you to sign in. Now your credentials are within your Docker Compose or your .env file; in my case it's simply admin / password, obviously make sure you change this. But once you've specified those and you log in, you'll be greeted with the actual dashboard itself. So here you can see some of the server info, and I can't go through all of this in this video, but I will be coming back to Keycloak in the future, but you can look through here and check a few things. The first thing that you might want to do is go to the users and assign an email address to your admin. Now this will be useful for not only things like password resets etc., but when we come to tie this in with Portainer and Proxmox we're actually going to use the email for our profile, so that when you log into Portainer, the email that you specify here will actually be what's created within Portainer, i.e. your username. So I'm going to click on this and I'm going to change the email address to jim@jimsgarage.co.uk. Now I recommend that you go and verify this email, but I'm not going to do it for this video just because it's not necessary, but that will allow you to do things like password resets etc., just in case the worst thing happens and you get locked out. So go ahead and fill out any details you want to on the user page, and once you're ready click save. Those should now be saved within Keycloak, and that's pretty much it in terms of the absolute bare bones configuration for users.

Now I did just mention about realms. Now realms are basically where applications and profiles etc. can sit, so you could have multiple realms. If you're running this in, say, a more enterprise setup you might have different business units, different business functions etc., and they could all reside in their own realm. Now I'm going to keep this real simple: this master realm was created when we started up the container, and this is the one I'm going to use for the video, but if you wanted to specify a different one you could just click create realm, you would go and give it a name and save it, and then you would quite simply just change all of the clients that we're going to create, and users etc.; you would just attach them to this realm instead of the master. It's pretty straightforward.

But how do we actually get this now set up? Well, it's not too dissimilar from Authentik, and that's a good thing. So we're gonna head over to clients, and you'll see that it's already created some clients within the master realm. We're not going to use any of these; we're going to create a new client, and it's going to be of the type OpenID Connect, because we're going to be using OpenID for this. OAuth is great because it's good for authorization, but OpenID is better because it doesn't just do authorization, it also does authentication, so it's better from a security perspective. So we're going to leave that as a default, and I'm first going to set this up for Portainer. So the client ID in this case will be portainer, I'm going to give it the name of portainer, and I don't need to give it a description, but feel free to give it one if you need to. We're not going to keep it always in the UI, but you can do if you want; it will just give you a link on the UI itself. We're going to click next. Now we get into some of the trickier bits, or at least some of the bits that you have to put in right or it's not going to work. So on this page I'm going to turn client authentication on so it can authenticate with the respective app. Authorization is going to be left off because I'm going to be doing that within the respective apps, so for example in Portainer I'll specify what the user can do, i.e. the user that we created over here in the users tab, i.e. that email address; we can control that within Portainer. The rest are going to stay as is, apart from the service accounts role which we need to turn on. Now we can click next, and we need to specify a few more URLs, and we'll have to do that for the home URL, the valid redirects, the valid post logout and the web origins, and when you're done it should look something like this. So now you're ready to hit save, and that should show up on the page afterwards, which is right, and you can scroll down and just double check that that all looks right.

So now you have all of that saved and it's correct, we need to head into Portainer, and you're going to need to log in as your standard user, i.e. I think it's called the local database user, which will typically be admin and your password. So I've just logged in using my admin username, and you can see that here in the top right. And to get this up and running we need to head to Settings, Authentication, and then we need to click OAuth on the right hand side. Now you want to specify single sign-on as on, and you can also do automatic user provisioning, which is pretty helpful. So what it will do is when you log in with Keycloak it will create that user, so in my example it was jimsgarage.co.uk, so the first time you log in with Keycloak it's going to create that user for you. Now you can disable that and create it manually if you want, and I'm going to tweak that in a minute so that when that user logs in they're actually an admin. But the bit that we need to focus on first is, if we scroll down, so much like in our Authentik video, you need to pre-populate all of this. So copy what's on screen, and I'll have a copy of this on my GitHub, but the key bits that we need to populate are the client ID, and handily this time it's just portainer, and the client secret, which you can get from back in Keycloak; I'll show you that now. So heading back over to Keycloak you want to click on credentials and then hit the copy button here, then we want to go back to Portainer and we just want to right click and paste that in. So now that's there, and I've set this up already with the correct endpoints, so it's pretty much pointing back to my Keycloak installation for all of them except the redirect URL, which is going to be back to Portainer. The user identifier is the email, and that's why we set up the email within Keycloak first; so this is the account it's going to create within Portainer when you first connect. And the scopes, so what does Portainer have access to: it's going to have access to your email, your OpenID, which is in Keycloak, and your Keycloak profile. So let's save that now, and just before we log out and test this, I recommend that you create the user, so in my case it's jim@jimsgarage.co.uk, and I've toggled this button when I created it to make sure that this user is an admin, because I want to be able to use this account to administrate my Docker environment. So now that's all ready, fingers crossed, I should be able to hit the log out button up here, and now you should get two new options. So previously we've been using "use internal authentication", but now we can click "login with OAuth", and where we specified all of those URLs in the OpenID settings, this should now go to Keycloak, be authenticated already because it's got the client and the secret, it should be able to pull that Keycloak account, and then the user in the top right should reflect that we're logged in now as jim@jimsgarage.co.uk. So here goes: everything worked, and as you can see at the top I'm now jim@jimsgarage.co.uk. I'm able to click on my environment, look at all my containers, and I'm an administrator. So brilliant, we've now got single sign-on with Portainer using Keycloak.

So now that we have this running for Portainer, let's try and get this running with Proxmox. So pretty much the same process in Keycloak itself: we want to go back to the clients, we want to create a new client, and this time we're going to create Proxmox, so you probably guessed that. So I've called it proxmox and given the name proxmox. Thankfully for Proxmox the defaults are going to work for us, so let's hit next, and just like Portainer we're going to tweak this for our Proxmox installation; so for me that looks like this. So I'm going to hit save and we're pretty much good to go. So now we need to head over into Proxmox and key in these details. So over in Proxmox you want to make sure you click on your datacenter, and then you want to click on the realms, and you want to click add, and we want an OpenID Connect server. So click on this, and then you're going to need to import the details for your setup. So in my case this is going to be my Keycloak, but importantly you need to append the realms and then which realm you're using; so in my case this is the master realm, but you would change this to whatever you're using. So here for realms I'm going to specify master again. The client ID is going to be exactly the same as before, so for me it's proxmox, and for the client key we need to head back into Keycloak, we need to scroll up, go to the credentials, and we want to copy that key. We're going to paste that back into Proxmox and then we're pretty much ready to go. One thing that's useful is to auto create the users, a bit like we had the option in Portainer, and you could tick this to make it the default login option, so when you log into Portainer and you get the login box, I think you've got the PAM for the default login, that would now default to this authentication mechanism. So the username claim is default, but I'm going to change that to the email because I want that to be my user. The scopes we're going to leave default because it's email and profile, which is fine, and the prompt is the auth provider, which is default, which is also correct. Now you'll notice that we don't have to put in all of the URLs for Proxmox, and that's good because it uses the search mechanism within OpenID to get that for us, so it has a discovery piece, which makes our life a lot easier. So let's click add, and there you can see that it's added it at the top. So much like Portainer I'm going to create the username, so I'm going to click add, and I'm going to fill this in using the details that I know it's going to pull from Keycloak, and that'll look something like this. So once that's all populated you want to click add. Don't worry if you're not sure on what these details will be; it'll be some variation of what I've got. You could just log in and then log back out, log back in with your admin and give it these permissions, but I'm going to click add, and now I think we're in a position to test this. So if you look in the top right I'm root@pam, which is probably what you're logged in as at the moment, but let's hit log out, and then if you haven't chosen the default, like I didn't, click on the realm and instead click that master. Now fingers crossed, I should click login, and there we have it: we're logged in, and I've got the user that I specified, I've got the permissions so I can see all of my VMs, and in the top right hand corner we can validate jim@jimsgarage.co.uk. Perfect, so now we have single sign-on for both Proxmox and Portainer, and you can basically replicate this method for all of your applications.

So one final thing I wanted to touch on before I wrap up this video was something I mentioned at the start, and that's the identity providers. So instead of creating your account in here (we're just using the admin account; you could create any that you wanted to), you could obviously just tie this in with any of your existing accounts if you wanted to. I haven't opted for that because typically us home labbers, we want to keep it all inside, keep it nice and secure, but if you wanted to use any of your existing IDs you could also do that. So for instance I could click on GitHub, I could then create all of these client IDs and secrets for GitHub, and then use that account to log in to all my services. So when I click "login with OAuth" on Portainer it's going to ask me to log into my GitHub, it's going to trust GitHub, it's going to pass on those credentials, and then it's going to log me in as long as I'm authenticated with GitHub; you get the idea. So I hope you enjoyed this whistle-stop tour of Keycloak, and there's a ton of stuff I just haven't been able to cover in this video. We will be coming back to it in the future because I'm really keen to go through that process of using an identity provider, so something like my Google account, so it can pull down my profile and it knows who I am, and I'm also keen to see things like one-time passwords and FIDO keys, for example, which Keycloak also supports, so you can use physical tokens to be able to log in to your devices, which is pretty awesome. So let me know what you're going to choose; we now are spoilt for choice with Authelia, Authentik or Keycloak, and they're all pretty compelling offerings. Unfortunately Keycloak doesn't have the web proxy which is akin to Authelia, which is probably how you've got that set up, so for any application that doesn't support OpenID, unfortunately you're not going to be able to use it officially. The good news is there are some community projects in that space which help to fill the void and do things like that Traefik forward auth, so it will forward the authentication on to Keycloak and use it, but I'm not going to advise using that at the moment just because it's a third-party application, but do let me know if you get into that and what successes you have. Anyway, I hope you enjoyed this video, please like, comment and subscribe, and I'll see you on the next video. Take care everybody.
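The compose walkthrough above describes the two-container layout (Postgres plus Keycloak in production mode behind Traefik, with the database bind-mounted from the host) without showing the file. The following is an added example in that shape, not the video's own compose file (which the author keeps on GitHub); the hostname, credentials, network names, Traefik entrypoint name, bind-mount path and image tags are assumptions.

```yaml
# Added example, not the video's compose file. Assumed: hostname, credentials,
# network and entrypoint names, bind-mount path, image tags.
services:
  postgres:
    image: postgres:15
    container_name: keycloak-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: change-me      # keep real values in an .env file
    volumes:
      # Host directory created beforehand; its owner must match the uid the
      # chosen postgres image runs as (the video uses chown 1001:1001).
      - /home/user/docker/keycloak/postgresql_data:/var/lib/postgresql/data
    networks:
      - keycloak

  keycloak:
    image: quay.io/keycloak/keycloak:22.0
    container_name: keycloak
    restart: unless-stopped
    command: start                      # production mode; start-dev is for development only
    depends_on:
      - postgres
    environment:
      # Database: these KC_DB_* values mirror the postgres service above.
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: change-me
      # Reverse-proxy settings: Traefik terminates TLS, so Keycloak serves
      # plain HTTP on the internal network and trusts the proxy's headers.
      KC_HOSTNAME: keycloak.example.internal
      KC_PROXY: edge
      KC_HTTP_ENABLED: "true"
      # Initial admin account for the master realm; change after first login.
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: change-me
    networks:
      - keycloak                        # reaches the database
      - proxy                           # reachable by Traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.keycloak.rule=Host(`keycloak.example.internal`)
      - traefik.http.routers.keycloak.entrypoints=https   # assumed entrypoint name
      - traefik.http.routers.keycloak.tls=true             # certificate comes from Traefik's own config
      # Keycloak listens on 8080 inside the container unless KC_HTTP_PORT is set.
      - traefik.http.services.keycloak.loadbalancer.server.port=8080

networks:
  keycloak:
  proxy:
    external: true                      # the existing network Traefik is attached to
```

After `docker compose up -d`, the Keycloak log line reporting that user admin was added to realm master is the sign the database connection worked; a container that exits immediately usually means the KC_DB_* values do not match the postgres service.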
Info
Channel: Jim's Garage
Views: 44,781
Keywords: oauth, oauth2.0, oauth tutorial, oauth 2.0, oauth 2.0 tutorial, oauth explained, what is oauth, oauth2 explained, docker, homelab, authentication, proxmox, portainer, linux, single sign on, single sign on authentication, sso, authelia, traefik, keycloak, keycloak docker, keycloak tutorial
Id: 6ye4lP9EA2Y
Length: 25min 4sec (1504 seconds)
Published: Wed Sep 27 2023