Varnish Controller

Identity Provider

Each organization can be configured with an Identity Provider. This chapter will describe how to set up a very basic Keycloak installation via a Docker container for test purposes.

Keycloak can integrate with LDAP, AD, Github, Google, etc. as third-party authentication providers. Note that authorization cannot be configured in a third-party provider since Varnish Controller has its own authorization system.

Start Keycloak Docker Container

Running Keycloak in a Docker container is not recommended; this example is for testing purposes.

docker run -d -p 8080:8080 -e KEYCLOAK_USER=keycloak -e KEYCLOAK_PASSWORD=test --name keycloak jboss/keycloak:4.1.0.Final

This will spin up a Docker container with keycloak, setting administrator username to keycloak and password test. It will start listening on localhost:8080.

Configure Keycloak

  1. Open http://localhost:8080 in the web browser. Login with keycloak and password test.
  2. Create a new “realm”, call it demo (turn off SSL for now, “Realm Settings” -> “Login” -> “Require SSL” and set it to “none”).
  3. Create a client, call it demo-client.
  4. Go to “Users” on the left and create a user called demo with password demo.

Now get the client-secret that is required to configure the IDP with Varnish Controller. This can be found under “Clients” -> “demo-client” -> “Credentials” -> “Secret”.


Configure Varnish Controller

The IDP is configured per organization, hence, an organization needs to be created.

# Login with system admin 
vcli login http://localhost:8002 -u test
Password: ****

# Create an organization
vcli org add neworg

# Add IDP to the org (id 1 here, replace client-secret with your client-secret)
# The URL is the one for Keycloak's OIDC (OpenID Connect) path.
vcli idp add --org 1 --base-url http://localhost:8080/auth/realms/demo/protocol/openid-connect --client-id demo-client --client-secret 9fb199b2-fc83-4bb1-89b8-f497c0b1905f

Now configure Keycloak redirect URL to Varnish Controller. This is specified in Keycloak under “Clients” -> “demo-client” -> “Settings”. Here there is a “Valid Redirect URIs” and the value should be Note that 1 is the ID of our previously created organization and may differ between different Varnish Controller installations.


Login Using IDP

Log in using CLI, specify organization name and make sure to use --idp to specify that we should use IDP login and not basic auth.

# Login using IDP to our organization called "neworg"
vcli login -o neworg --idp
Endpoint: http://localhost:8002
Go to the URL below and login:

Waiting 60sec for access...

Click the given link and log in via the Keycloak login form.


On success, tokens are returned; these can be discarded when using the CLI. The CLI will then print success or timeout if no successful login occurred within 60 seconds.

Login successful.

If it is the first login with the account, no permissions exist and must be added by a system administrator or a user in the organization with enough permissions to add permissions for the demo user.

See authorization examples how to add permissions.