Each organization can be configured with an Identity Provider (IDP). This chapter describes how to set up a very basic Keycloak installation in a Docker container for test purposes.
Keycloak can integrate with LDAP, AD, GitHub, Google, etc. as third-party authentication providers. Note that authorization cannot be configured in a third-party provider, since Varnish Controller has its own authorization system.
Running Keycloak in a Docker container this way is not recommended for production; this example is for testing purposes only.
```shell
docker run -d -p 8080:8080 -e KEYCLOAK_USER=keycloak -e KEYCLOAK_PASSWORD=test --name keycloak jboss/keycloak:4.1.0.Final
```
This will spin up a Docker container with Keycloak, setting the administrator username to `keycloak` and the password to `test`. It will start listening on `localhost:8080`.

Open `http://localhost:8080` in the web browser. Log in with `keycloak` and password `test`.

Create a new realm named `demo` (turn off SSL for now: “Realm Settings” -> “Login” -> “Require SSL” and set it to “none”).

Create a new client named `demo-client` in the `demo` realm (the “Credentials” tab used below only appears for clients whose “Access Type” is “confidential”).

Create a new user named `demo` with password `demo`.

Now get the client secret that is required to configure the IDP with Varnish Controller. This can be found under “Clients” -> “demo-client” -> “Credentials” -> “Secret”.
The IDP is configured per organization, so an organization needs to be created first.
```shell
# Login with system admin
vcli login http://localhost:8002 -u test
Password: ****
# Create an organization
vcli org add neworg
# Add IDP to the org (id 1 here, replace client-secret with your client-secret)
# The URL is the one for Keycloak's OIDC (OpenID Connect) path.
# Note that the secret passed on the command line ends up in the shell history.
vcli idp add --org 1 --base-url http://localhost:8080/auth/realms/demo/protocol/openid-connect --client-id demo-client --client-secret 9fb199b2-fc83-4bb1-89b8-f497c0b1905f
```
Now configure the Keycloak redirect URL to Varnish Controller. This is specified in Keycloak under “Clients” -> “demo-client” -> “Settings”, in the field “Valid Redirect URIs”; the value should be `http://0.0.0.0:8002/api/v1/orgs/1/callback`. Note that `1` is the ID of the previously created organization and may differ between Varnish Controller installations. Enter the exact callback URL rather than a wildcard pattern, so that Keycloak only sends authorization codes to the Controller's callback endpoint.
Log in using the CLI, specifying the organization name, and make sure to use `--idp` so that IDP login is used instead of basic auth.
```shell
# Login using IDP to our organization called "neworg"
vcli login -o neworg --idp
Endpoint: http://localhost:8002
Go to the URL below and login:
http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?client_id=demo-client&redirect_uri=http%3A%2F%2F0.0.0.0%3A8002%2Fapi%2Fv1%2Forgs%2F1%2Fcallback&response_type=code&scope=openid+profile+email&state=61051fcf6844cc1a4ee5346f117a6720
Waiting 60sec for access...
```
Click the given link and log in via the Keycloak login form.
On success, tokens are returned; these can be discarded when using the CLI. The CLI then prints success, or a timeout if no successful login occurred within 60 seconds.
```shell
Login successful.
```
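To make the login exchange above concrete, here is an added example (not code from Varnish Controller or Keycloak) that builds the same OpenID Connect authorization URL the CLI printed, checks that such a URL only carries the registered callback for organization 1, and validates the `state` parameter when the browser is redirected back. The function names `new_state`, `build_auth_url`, `check_auth_url` and `check_callback` are hypothetical; the base URL, client id, callback URL and state value are the ones shown on this page, and the callback URL used in the demo at the bottom is constructed for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from this page: the Keycloak OIDC base URL of the "demo" realm,
# the client id, and the callback registered for organization id 1.
BASE_URL = "http://localhost:8080/auth/realms/demo/protocol/openid-connect"
CLIENT_ID = "demo-client"
CALLBACK_URL = "http://0.0.0.0:8002/api/v1/orgs/1/callback"

# The login URL exactly as printed by `vcli login -o neworg --idp` above.
PAGE_AUTH_URL = (
    "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth"
    "?client_id=demo-client"
    "&redirect_uri=http%3A%2F%2F0.0.0.0%3A8002%2Fapi%2Fv1%2Forgs%2F1%2Fcallback"
    "&response_type=code&scope=openid+profile+email"
    "&state=61051fcf6844cc1a4ee5346f117a6720"
)


def _first(query, key):
    """First value of a query parameter, or None if absent."""
    return query.get(key, [None])[0]


def _same(value, expected):
    """Constant-time string comparison that tolerates a missing value."""
    return value is not None and secrets.compare_digest(value, expected)


def new_state():
    """Unguessable per-login value that ties the callback to this login attempt."""
    return secrets.token_hex(16)


def build_auth_url(base_url, client_id, redirect_uri, state):
    """Authorization-code request URL the user is sent to (hypothetical helper)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile email",
        "state": state,
    }
    return base_url + "/auth?" + urlencode(params)


def check_auth_url(url, client_id, allowed_redirects, expected_state):
    """Return a list of problems with an authorization URL (empty if it is fine)."""
    q = parse_qs(urlparse(url).query)
    problems = []
    if _first(q, "client_id") != client_id:
        problems.append("client_id does not match the configured client")
    if _first(q, "response_type") != "code":
        problems.append("response_type must be 'code' for the authorization-code flow")
    if _first(q, "redirect_uri") not in allowed_redirects:
        problems.append("redirect_uri is not one of the registered callback URLs")
    if "openid" not in (_first(q, "scope") or "").split():
        problems.append("scope must include 'openid' for an OIDC login")
    if not _same(_first(q, "state"), expected_state):
        problems.append("state does not match this login attempt")
    return problems


def check_callback(callback_url, expected_state):
    """Parse the redirect back from Keycloak and return the authorization code.

    The state must equal the one generated for this login; otherwise the code
    may belong to a different login attempt and is rejected.
    """
    q = parse_qs(urlparse(callback_url).query)
    if not _same(_first(q, "state"), expected_state):
        raise ValueError("state mismatch: callback does not belong to this login")
    if _first(q, "error"):
        raise ValueError("IdP returned error: %s" % _first(q, "error"))
    code = _first(q, "code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    state = new_state()
    print(build_auth_url(BASE_URL, CLIENT_ID, CALLBACK_URL, state))
    # Constructed callback, as the browser would be redirected after login.
    cb = CALLBACK_URL + "?" + urlencode({"state": state, "code": "constructed-code"})
    print("authorization code:", check_callback(cb, state))
```

The `state` check is what stops a callback from one login attempt being accepted by another, which is why the CLI generates a fresh value for each `vcli login --idp` run; the `redirect_uri` check mirrors the exact “Valid Redirect URIs” entry configured in Keycloak.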
If this is the first login with the account, the user has no permissions yet; they must be added by a system administrator, or by a user in the organization with enough permissions to grant permissions to the `demo` user.
See the authorization examples for how to add permissions.