Each organization can be configured with an Identity Provider. This chapter will describe how to set up a very basic Keycloak installation via a Docker container for test purposes.
Keycloak can integrate with LDAP, AD, GitHub, Google, etc. as third-party authentication providers. Note that authorization cannot be configured in a third-party provider, since Varnish Controller has its own authorization system: the IDP only establishes who the user is, while what the user may do is decided by Varnish Controller permissions.
Running Keycloak in a Docker container like this is not recommended for production; this example is for testing purposes only. The image version used below is old: newer Keycloak images (17 and later) use different administrator environment variables and no longer serve the realm under the /auth path prefix, so the URLs in this chapter would have to be adjusted for them.
docker run -d -p 8080:8080 -e KEYCLOAK_USER=keycloak -e KEYCLOAK_PASSWORD=test --name keycloak jboss/keycloak:4.1.0.Final
This will spin up a Docker container with Keycloak, setting the administrator username to keycloak and the password to test. It will start listening on http://localhost:8080. Open that address in the web browser and log in with the administrator credentials. The rest of this chapter assumes a realm named demo containing a client named demo-client, so create those first. For now, turn off SSL for the realm (“Realm Settings” -> “Login” -> “Require SSL” and set it to “none”); this is acceptable only because the setup runs on localhost for testing, since without TLS the authorization code and the tokens travel in clear text.
Now get the client-secret that is required to configure the IDP with Varnish Controller. This can be found under “Clients” -> “demo-client” -> “Credentials” -> “Secret”.
The IDP is configured per organization, hence, an organization needs to be created.
# Login with system admin
vcli login http://localhost:8002 -u test
Password: ****

# Create an organization
vcli org add neworg

# Add IDP to the org (id 1 here, replace client-secret with your client-secret)
# The URL is the one for Keycloak's OIDC (OpenID Connect) path.
vcli idp add --org 1 --base-url http://localhost:8080/auth/realms/demo/protocol/openid-connect --client-id demo-client --client-secret 9fb199b2-fc83-4bb1-89b8-f497c0b1905f

Note that the client secret passed on the command line ends up in the shell history; for anything other than a throwaway test installation, clear the history entry afterwards and rotate the secret in Keycloak (“Clients” -> “demo-client” -> “Credentials” -> “Regenerate Secret”) if it is ever exposed.
Now configure the Keycloak redirect URL to Varnish Controller. This is specified in Keycloak under “Clients” -> “demo-client” -> “Settings”. Here there is a “Valid Redirect URIs” field and the value should be http://0.0.0.0:8002/api/v1/orgs/1/callback. Note that 1 is the ID of our previously created organization and may differ between different Varnish Controller installations. Use the exact callback URL rather than a wildcard pattern: Keycloak only sends the authorization code to redirect URIs it has been told are valid, and a loose pattern lets an attacker who can trick a user into clicking a crafted login link receive that code instead of Varnish Controller.
Log in using the CLI, specify the organization name and make sure to use --idp to specify that we should use IDP login and not basic auth.
# Login using IDP to our organization called "neworg"
vcli login -o neworg --idp
Endpoint: http://localhost:8002
Go to the URL below and login:
http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?client_id=demo-client&redirect_uri=http%3A%2F%2F0.0.0.0%3A8002%2Fapi%2Fv1%2Forgs%2F1%2Fcallback&response_type=code&scope=openid+profile+email&state=61051fcf6844cc1a4ee5346f117a6720
Waiting 60sec for access...
Click the given link and log in via the Keycloak login form.
On success, tokens are returned; these can be discarded when using the CLI. The CLI will then print success, or a timeout if no successful login occurred within 60 seconds. The state parameter in the printed URL is generated per login attempt and is checked when Keycloak redirects back to the callback, so a redirect that does not carry the expected state is rejected.
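The login above is a standard OpenID Connect authorization-code flow: Varnish Controller builds the authorization URL, the user authenticates in the browser, Keycloak redirects to the organization's callback with a code and the state, and the Controller exchanges the code for tokens on the back channel. The following Python script is an added example, not Varnish Controller's or Keycloak's own code, that reproduces those three steps with the values from this chapter so the pieces can be inspected offline: it builds the same URL that vcli printed, validates a (constructed) callback redirect, and assembles the token request. The client secret and the callback query string are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from this chapter's example. The secret is a constructed placeholder.
BASE_URL = "http://localhost:8080/auth/realms/demo/protocol/openid-connect"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "replace-with-the-secret-from-keycloak"  # constructed placeholder
REDIRECT_URI = "http://0.0.0.0:8002/api/v1/orgs/1/callback"


def generate_state() -> str:
    """Unguessable per-login value that ties the callback to the login that started it."""
    return secrets.token_hex(16)


def build_auth_url(state: str, base_url: str = BASE_URL, client_id: str = CLIENT_ID,
                   redirect_uri: str = REDIRECT_URI,
                   scope: str = "openid profile email") -> str:
    """Authorization-code request, in the same form as the URL printed by vcli login --idp."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return f"{base_url}/auth?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str,
                   redirect_uri: str = REDIRECT_URI) -> str:
    """Validate the redirect back to the callback and return the authorization code.

    Rejects a redirect to the wrong callback, an error response from the IDP,
    a missing or mismatched state (a forged or replayed redirect) and a missing code.
    """
    parsed = urlparse(callback_url)
    expected = urlparse(redirect_uri)
    if (parsed.scheme, parsed.netloc, parsed.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"IDP returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or state != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(code: str, base_url: str = BASE_URL, client_id: str = CLIENT_ID,
                  client_secret: str = CLIENT_SECRET,
                  redirect_uri: str = REDIRECT_URI) -> tuple:
    """Back-channel exchange of the code for tokens: the endpoint and the form body to POST.

    redirect_uri must repeat the value from the authorization request, and the client
    secret is only ever sent in this server-to-server call, never in the browser URL.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return f"{base_url}/token", form


if __name__ == "__main__":
    state = generate_state()
    print("Go to the URL below and login:\n" + build_auth_url(state))
    # Constructed stand-in for the redirect Keycloak would send the browser to:
    callback = f"{REDIRECT_URI}?state={state}&code=constructed-code"
    code = parse_callback(callback, state)
    url, form = token_request(code)
    print("POST", url, form)
```

The exact-match check in parse_callback mirrors what the “Valid Redirect URIs” setting does on the Keycloak side; both ends have to agree on the callback, which is why the organization ID in the URL must match the one given to vcli idp add.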
If it is the first login with the account, no permissions exist yet: the IDP has only authenticated the user, and permissions must be added by a system administrator or by a user in the organization with enough permissions to grant them.
See the authorization examples for how to add permissions.