"use strict";(self.webpackChunkdocusaurus=self.webpackChunkdocusaurus||[]).push([[6298],{3905:function(e,t,r){r.d(t,{Zo:function(){return u},kt:function(){return k}});var o=r(7294);function n(e,t,r){return t in e?Object.defineProperty(e,t,{value:r,enumerable:!0,configurable:!0,writable:!0}):e[t]=r,e}function a(e,t){var r=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);t&&(o=o.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),r.push.apply(r,o)}return r}function i(e){for(var t=1;t<arguments.length;t++){var r=null!=arguments[t]?arguments[t]:{};t%2?a(Object(r),!0).forEach((function(t){n(e,t,r[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(r)):a(Object(r)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(r,t))}))}return e}function l(e,t){if(null==e)return{};var r,o,n=function(e,t){if(null==e)return{};var r,o,n={},a=Object.keys(e);for(o=0;o<a.length;o++)r=a[o],t.indexOf(r)>=0||(n[r]=e[r]);return n}(e,t);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);for(o=0;o<a.length;o++)r=a[o],t.indexOf(r)>=0||Object.prototype.propertyIsEnumerable.call(e,r)&&(n[r]=e[r])}return n}var c=o.createContext({}),p=function(e){var t=o.useContext(c),r=t;return e&&(r="function"==typeof e?e(t):i(i({},t),e)),r},u=function(e){var t=p(e.components);return o.createElement(c.Provider,{value:t},e.children)},s="mdxType",d={inlineCode:"code",wrapper:function(e){var t=e.children;return o.createElement(o.Fragment,{},t)}},y=o.forwardRef((function(e,t){var r=e.components,n=e.mdxType,a=e.originalType,c=e.parentName,u=l(e,["components","mdxType","originalType","parentName"]),s=p(r),y=n,k=s["".concat(c,".").concat(y)]||s[y]||d[y]||a;return r?o.createElement(k,i(i({ref:t},u),{},{components:r})):o.createElement(k,i({ref:t},u))}));function k(e,t){var r=arguments,n=t&&t.mdxType;if("string"==typeof e||n){var a=r.length,i=new Array(a);i[0]=y;var l={};for(var c in t)hasOwnProperty.call(t,c)&&(l[c]=t[c]);l.originalType=e,l[s]="string"==typeof e?e:n,i[1]=l;for(var p=2;p<a;p++)i[p]=r[p];return o.createElement.apply(null,i)}return o.createElement.apply(null,r)}y.displayName="MDXCreateElement"},5330:function(e,t,r){r.r(t),r.d(t,{assets:function(){return u},contentTitle:function(){return c},default:function(){return k},frontMatter:function(){return l},metadata:function(){return p},toc:function(){return s}});var o=r(7462),n=r(3366),a=(r(7294),r(3905)),i=["components"],l={id:"keycloak",title:"Keycloak"},c=void 0,p={unversionedId:"configuration/providers/keycloak",id:"configuration/providers/keycloak",title:"Keycloak",description:"This is the legacy provider for Keycloak, use Keycloak OIDC Auth Provider if possible.",source:"@site/docs/configuration/providers/keycloak.md",sourceDirName:"configuration/providers",slug:"/configuration/providers/keycloak",permalink:"/oauth2-proxy/docs/next/configuration/providers/keycloak",draft:!1,editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/providers/keycloak.md",tags:[],version:"current",frontMatter:{id:"keycloak",title:"Keycloak"},sidebar:"docs",previous:{title:"Gitea",permalink:"/oauth2-proxy/docs/next/configuration/providers/gitea"},next:{title:"Keycloak OIDC",permalink:"/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"}},u={},s=[],d={toc:s},y="wrapper";function k(e){var t=e.components,r=(0,n.Z)(e,i);return(0,a.kt)(y,(0,o.Z)({},d,r,{components:t,mdxType:"MDXLayout"}),(0,a.kt)("admonition",{type:"note"},(0,a.kt)("p",{parentName:"admonition"},"This is the legacy provider for Keycloak, use ",(0,a.kt)("a",{parentName:"p",href:"/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"},"Keycloak OIDC Auth Provider")," if possible.")),(0,a.kt)("ol",null,(0,a.kt)("li",{parentName:"ol"},"Create new client in your Keycloak realm with ",(0,a.kt)("strong",{parentName:"li"},"Access Type")," 'confidential' and ",(0,a.kt)("strong",{parentName:"li"},"Valid Redirect URIs")," '",(0,a.kt)("a",{parentName:"li",href:"https://internal.yourcompany.com/oauth2/callback'"},"https://internal.yourcompany.com/oauth2/callback'")),(0,a.kt)("li",{parentName:"ol"},"Take note of the Secret in the credential tab of the client"),(0,a.kt)("li",{parentName:"ol"},"Create a mapper with ",(0,a.kt)("strong",{parentName:"li"},"Mapper Type")," 'Group Membership' and ",(0,a.kt)("strong",{parentName:"li"},"Token Claim Name")," 'groups'.")),(0,a.kt)("p",null,"Make sure you set the following to the appropriate url:"),(0,a.kt)("pre",null,(0,a.kt)("code",{parentName:"pre"},'    --provider=keycloak\n    --client-id=<client you have created>\n    --client-secret=<your client\'s secret>\n    --login-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/auth"\n    --redeem-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/token"\n    --profile-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/userinfo"\n    --validate-url="http(s)://<keycloak host>/auth/realms/<your realm>/protocol/openid-connect/userinfo"\n    --keycloak-group=<first_allowed_user_group>\n    --keycloak-group=<second_allowed_user_group>\n')),(0,a.kt)("p",null,"For group based authorization, the optional ",(0,a.kt)("inlineCode",{parentName:"p"},"--keycloak-group")," (legacy) or ",(0,a.kt)("inlineCode",{parentName:"p"},"--allowed-group")," (global standard)\nflags can be used to specify which groups to limit access to."),(0,a.kt)("p",null,"If these are unset but a ",(0,a.kt)("inlineCode",{parentName:"p"},"groups")," mapper is set up above in step (3), the provider will still\npopulate the ",(0,a.kt)("inlineCode",{parentName:"p"},"X-Forwarded-Groups")," header to your upstream server with the ",(0,a.kt)("inlineCode",{parentName:"p"},"groups")," data in the\nKeycloak userinfo endpoint response."),(0,a.kt)("p",null,"The group management in keycloak is using a tree. If you create a group named admin in keycloak\nyou should define the 'keycloak-group' value to /admin."))}k.isMDXComponent=!0}}]);