mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-01-10 04:18:14 +02:00

Update Keycloak documentation

parent 138a6b128a
commit f07a5630f1
@ -4,6 +4,8 @@
## Important Notes
## Important Notes
- [#953](https://github.com/oauth2-proxy/oauth2-proxy/pull/953) Keycloak will now use `--profile-url` if set for the userinfo endpoint
instead of `--validate-url`. `--validate-url` will still work for backwards compatibility.
- [#936](https://github.com/oauth2-proxy/oauth2-proxy/pull/936) `--user-id-claim` option is deprecated and replaced by `--oidc-email-claim`
- [#936](https://github.com/oauth2-proxy/oauth2-proxy/pull/936) `--user-id-claim` option is deprecated and replaced by `--oidc-email-claim`
- [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Gitlab projects needs a Gitlab application with the extra `read_api` enabled
- [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Gitlab projects needs a Gitlab application with the extra `read_api` enabled
- [#849](https://github.com/oauth2-proxy/oauth2-proxy/pull/849) `/oauth2/auth` `allowed_groups` querystring parameter can be paired with the `allowed-groups` configuration option.
- [#849](https://github.com/oauth2-proxy/oauth2-proxy/pull/849) `/oauth2/auth` `allowed_groups` querystring parameter can be paired with the `allowed-groups` configuration option.
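Review bot: the new #953 entry says `--profile-url` is used for the userinfo endpoint "if set" but never states the fallback; the second sentence only says `--validate-url` "will still work". Spell out the precedence in one line, e.g. "`--profile-url` takes precedence; when it is unset, `--validate-url` is used as before", so operators who set both (as the docs example in this same commit does) know which one is actually called. Minor: indent the wrapped continuation line ("instead of `--validate-url`...") under the bullet so it is unmistakably part of the same list item.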
@ -33,6 +35,8 @@
## Breaking Changes
## Breaking Changes
- [#953](https://github.com/oauth2-proxy/oauth2-proxy/pull/953) In config files & envvar configs, `keycloak_group` is now the plural `keycloak_groups`.
Flag configs are still `--keycloak-group` but it can be passed multiple times.
- [#911](https://github.com/oauth2-proxy/oauth2-proxy/pull/911) Specifying a non-existent provider will cause OAuth2-Proxy to fail on startup instead of defaulting to "google".
- [#911](https://github.com/oauth2-proxy/oauth2-proxy/pull/911) Specifying a non-existent provider will cause OAuth2-Proxy to fail on startup instead of defaulting to "google".
- [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) Security changes to Google provider group authorization flow
- [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) Security changes to Google provider group authorization flow
- If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
- If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
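Review bot: the #953 breaking-change entry names the rename `keycloak_group` to `keycloak_groups` in config files and envvars, but not what happens to a deployment that still uses the old key: does startup fail, or is the value ignored? Say which. If the old key is silently ignored, the group allow-list stops applying and any user who can log in to the realm is admitted, which is precisely what a reader of "Breaking Changes" needs to be warned about. Stating the envvar spelling of the new key alongside the config-file key would also help, since the entry covers both.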
@ -54,6 +58,7 @@
## Changes since v6.1.1
## Changes since v6.1.1
- [#953](https://github.com/oauth2-proxy/oauth2-proxy/pull/953) Migrate Keycloak to EnrichSession & support multiple groups for authorization (@NickMeves)
- [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Add support for Gitlab project based authentication (@factorysh)
- [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Add support for Gitlab project based authentication (@factorysh)
- [#907](https://github.com/oauth2-proxy/oauth2-proxy/pull/907) Introduce alpha configuration option to enable testing of structured configuration (@JoelSpeed)
- [#907](https://github.com/oauth2-proxy/oauth2-proxy/pull/907) Introduce alpha configuration option to enable testing of structured configuration (@JoelSpeed)
- [#938](https://github.com/oauth2-proxy/oauth2-proxy/pull/938) Cleanup missed provider renaming refactor methods (@NickMeves)
- [#938](https://github.com/oauth2-proxy/oauth2-proxy/pull/938) Cleanup missed provider renaming refactor methods (@NickMeves)
@ -135,15 +135,25 @@ If you are using GitHub enterprise, make sure you set the following to the appro
Make sure you set the following to the appropriate url:
Make sure you set the following to the appropriate url:
-provider=keycloak
--provider=keycloak
-client-id=<client you have created>
--client-id=<client you have created>
-client-secret=<your client's secret>
--client-secret=<your client's secret>
-login-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/auth"
--login-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/auth"
-redeem-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/token"
--redeem-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/token"
-validate-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/userinfo"
--profile-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/userinfo"
-keycloak-group=<user_group>
--validate-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/userinfo"
--keycloak-group=<first_allowed_user_group>
--keycloak-group=<second_allowed_user_group>
The group management in keycloak is using a tree. If you create a group named admin in keycloak you should define the 'keycloak-group' value to /admin.
For group based authorization, the optional `--keycloak-group` (legacy) or `--allowed-group` (global standard)
flags can be used to specify which groups to limit access to.
If these are unset but a `groups` mapper is set up above in step (3), the provider will still
populate the `X-Forwarded-Groups` header to your upstream server with the `groups` data in the
Keycloak userinfo endpoint response.
The group management in keycloak is using a tree. If you create a group named admin in keycloak
you should define the 'keycloak-group' value to /admin.
### GitLab Auth Provider
### GitLab Auth Provider
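Review bot: the example sets both `--profile-url` and `--validate-url` to the same userinfo URL without saying why; the changelog entry in this same commit says `--profile-url` is what is used when set and `--validate-url` is kept only for backwards compatibility, so either drop `--validate-url` from the example or add one sentence saying it is redundant once `--profile-url` is set. More important for the authorization paragraph: say explicitly that when neither `--keycloak-group` nor `--allowed-group` is set, the proxy applies no group check at all and any user who can complete the Keycloak login reaches the upstream; in that mode `X-Forwarded-Groups` is informational only and the upstream must enforce group authorization itself. The text also leaves open how the legacy `--keycloak-group` and `--allowed-group` interact when both are given. Minor: "url" should read "URL", "keycloak" in prose should be "Keycloak", and `keycloak-group` and `/admin` should be in backticks like the other flags and values.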
@ -80,9 +80,7 @@ func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.Sessio
}
}
groups, err := json.Get("groups").StringArray()
groups, err := json.Get("groups").StringArray()
if err != nil {
if err == nil {
logger.Errorf("Warning: unable to extract groups from userinfo endpoint: %v", err)
} else {
for _, group := range groups {
for _, group := range groups {
if group != "" {
if group != "" {
s.Groups = append(s.Groups, group)
s.Groups = append(s.Groups, group)
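Review bot: replacing `if err != nil { logger.Errorf(...) } else {` with `if err == nil {` removes the only diagnostic for a userinfo response whose `groups` claim is missing or is not an array of strings. Since the docs in this commit make the `groups` mapper optional, the old `Errorf` with a "Warning:" prefix was too loud for the absent-claim case, but a silent skip is the opposite extreme: with `--keycloak-group` set, an absent or mis-typed mapper now denies every user and the log shows nothing to explain it. Keep a lower-severity log line (debug, or a warning only when group restrictions are configured) on the error path, and consider telling an absent claim apart from a malformed one, since an error from `json.Get("groups").StringArray()` does not by itself distinguish the two.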