From befe0da39fd08e05a4a3f7fd09d8c15b43003869 Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Thu, 11 Jul 2024 05:43:30 -0600 Subject: [PATCH] Update Docker & Kubernetes/Docker/Docker Compose/Keycloak.md --- .../Docker/Docker Compose/Keycloak.md | 50 ++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/Docker & Kubernetes/Docker/Docker Compose/Keycloak.md b/Docker & Kubernetes/Docker/Docker Compose/Keycloak.md index d92b71a..ce25631 100644 --- a/Docker & Kubernetes/Docker/Docker Compose/Keycloak.md +++ b/Docker & Kubernetes/Docker/Docker Compose/Keycloak.md 
@@ -130,5 +130,53 @@ If you do not already have the following added to the end of your `command:` sec ``` ## Add Middleware to Traefik Dynamic Configuration -You will want to ensure the following exists in the dynamically-loaded config file folder, you can name the file whatever you want, but it will be a one-all middleware for any services you want to have communicating as a specific OAuth2 `Client ID`. For example, you might want to have some services exist in a particular realm of Keycloak, or to have different client rules apply to certain services. If this is the case, you can create multiple middlewares in this single yaml file, each handling a different service / realm. +You will want to ensure the following exists in the dynamically-loaded config file folder, you can name the file whatever you want, but it will be a one-all middleware for any services you want to have communicating as a specific OAuth2 `Client ID`. For example, you might want to have some services exist in a particular realm of Keycloak, or to have different client rules apply to certain services. If this is the case, you can create multiple middlewares in this single yaml file, each handling a different service / realm. It can get pretty complicated if you want to handle a multi-tenant environment, such as one seen in an enterprise environment. +```jsx title="keycloak-middleware.yml" +http: + middlewares: + auth-bunny-lab-io: + plugin: + keycloakopenid: + KeycloakURL: "https://auth.bunny-lab.io" # <- Also supports complete URL, e.g. 
https://my-keycloak-url.com/auth + ClientID: "traefik-reverse-proxy" + ClientSecret: "https://auth.bunny-lab.io > Clients > traefik-reverse-proxy > Credentials > Client Secret" + KeycloakRealm: "master" + Scope: "openid profile email" + TokenCookieName: "AUTH_TOKEN" + UseAuthHeader: "false" +# IgnorePathPrefixes: "/api,/favicon.ico [comma deliminated] (optional)" +``` + +## Configure Valid Redirect URLs +At this point, within Keycloak, you need to configure domains that you are allowed to visit after authenticating. You can do this with wildcards, but generally you navigate to "**https://auth.bunny-lab.io > Clients > traefik-reverse-proxy > Valid redirect URIs**" A simple example is adding `https://tools.bunny-lab.io/*` to the list of valid redirect URLs. If the site is not in this list, even if it has the middleware configured in Traefik, it will fail to authenticate and not let the user proceed to the website being protected behind Keycloak. + +## Adding Middleware to Dynamic Traefik Service Config Files +At this point, you are in the final stretch, you just need to add the middleware to the Traefik dynamic config files to ensure that it routes the traffic to Keycloak when someone attempts to access that service. Put the following middleware section under the `routers:` section of the config file. + +``` yml + middlewares: + - auth-bunny-lab-io # Referencing the Keycloak Server +``` + +A full example config file would look like the following: +``` yml +http: + routers: + example: + entryPoints: + - websecure + tls: + certResolver: letsencrypt + service: example + rule: Host(`example.bunny-lab.io`) + middlewares: + - auth-bunny-lab-io # Referencing the Keycloak Server Traefik Middleware + + services: + example: + loadBalancer: + servers: + - url: http://192.168.5.16:80 + passHostHeader: true +``` \ No newline at end of file
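Review bot: the `ClientSecret:` value in the added `keycloak-middleware.yml` block is a navigation path (`https://auth.bunny-lab.io > Clients > traefik-reverse-proxy > Credentials > Client Secret`) sitting where the real secret goes, and a reader following the page will paste it literally. Suggest an obviously marked placeholder, e.g. `ClientSecret: "<paste-client-secret-here>"`, with the click path moved into the prose or a `#` comment, plus one sentence noting that this dynamic config file then holds a plaintext credential and should be kept out of version control and readable only by the Traefik process. Smaller points in the same hunk: the fence is tagged `jsx` although the content is YAML and the rest of this file uses `yml`; the `IgnorePathPrefixes` comment reads "deliminated" (delimited); the "Configure Valid Redirect URLs" paragraph says wildcards are allowed but should add that the pattern must stay host-scoped, as in the given `https://tools.bunny-lab.io/*`, never a bare `*`, since an over-broad redirect URI allows the authorization response to be sent to a host the author did not intend; the instruction to put `middlewares:` "under the `routers:` section" is ambiguous, and the full example correctly nests it under the individual router (`example:`), so say "under each router you want protected"; and the file is left without a trailing newline.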