mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-05-27 23:08:10 +02:00


<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-configuration/providers/keycloak_oidc" data-has-hydrated="false">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.3">
<title data-rh="true">Keycloak OIDC | OAuth2 Proxy</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Keycloak OIDC | OAuth2 Proxy"><meta data-rh="true" name="description" content="Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The"><meta data-rh="true" property="og:description" content="Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The"><link data-rh="true" rel="icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-rh="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc" hreflang="en"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc" hreflang="x-default"><link rel="stylesheet" href="/oauth2-proxy/assets/css/styles.4014daec.css">
<link rel="preload" href="/oauth2-proxy/assets/js/runtime~main.063d341a.js" as="script">
<link rel="preload" href="/oauth2-proxy/assets/js/main.263947fa.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/oauth2-proxy/"><div class="navbar__logo"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--light_HNdA"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--dark_i4oU"></div><b class="navbar__title text--truncate">OAuth2 Proxy</b></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" aria-haspopup="true" aria-expanded="false" role="button" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.5.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.4.x/">7.4.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.3.x/">7.3.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.2.x/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a 
class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a><div class="toggle_vylO colorModeToggle_DEke"><button class="clean-btn toggleButton_gllP toggleButtonDisabled_aARS" type="button" disabled="" title="Switch between dark and light mode (currently light mode)" aria-label="Switch between dark and light mode (currently light mode)" aria-live="polite"><svg viewBox="0 0 24 24" width="24" height="24" class="lightToggleIcon_pyhR"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" class="darkToggleIcon_wfgR"><path fill="currentColor" 
d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"></path></svg></button></div><div class="searchBox_ZlJk"><div class="navbar__search searchBarContainer_NW3z"><input placeholder="Search" aria-label="Search" class="navbar__search-input"><div class="loadingRing_RJI3 searchBarLoadingRing_YnHq"><div></div><div></div><div></div><div></div></div><div class="searchHintContainer_Pkmr"><kbd class="searchHint_iIMx">ctrl</kbd><kbd class="searchHint_iIMx">K</kbd></div></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><aside class="theme-doc-sidebar-container docSidebarContainer_b6E3"><div class="sidebarViewport_Xe31"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/">Installation</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/behaviour">Behaviour</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--active" aria-expanded="true" href="/oauth2-proxy/docs/next/configuration/overview">Configuration</a><button 
aria-label="Toggle the collapsible sidebar category &#x27;Configuration&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/overview">Overview</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--active" aria-expanded="true" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/">OAuth Provider Configuration</a><button aria-label="Toggle the collapsible sidebar category &#x27;OAuth Provider Configuration&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/google">Google (default)</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/azure">Azure</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/adfs">ADFS</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/facebook">Facebook</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" 
href="/oauth2-proxy/docs/next/configuration/providers/github">GitHub</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/gitea">Gitea</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/keycloak">Keycloak</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc">Keycloak OIDC</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/gitlab">GitLab</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/linkedin">LinkedIn</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/azure_ad">Microsoft Azure AD</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/openid_connect">OpenID Connect</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/login_gov">Login.gov</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" 
href="/oauth2-proxy/docs/next/configuration/providers/nextcloud">NextCloud</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/digitalocean">DigitalOcean</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/providers/bitbucket">BitBucket</a></li></ul></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/session_storage">Session Storage</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/tls">TLS Configuration</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/configuration/alpha-config">Alpha Configuration</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist" aria-expanded="true" href="/oauth2-proxy/docs/next/features/endpoints">Features</a><button aria-label="Toggle the collapsible sidebar category &#x27;Features&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/features/endpoints">Endpoints</a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a 
class="menu__link menu__link--sublist" aria-expanded="true" href="/oauth2-proxy/docs/next/community/security">Community</a><button aria-label="Toggle the collapsible sidebar category &#x27;Community&#x27;" type="button" class="clean-btn menu__caret"></button></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/contribution">Contribution Guide</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/oauth2-proxy/docs/next/community/security">Security</a></li></ul></li></ul></nav></div></div></aside><main class="docMainContainer_gTbr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="theme-doc-version-banner alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for <!-- -->OAuth2 Proxy<!-- --> <b>Next</b> version.</div><div class="margin-top--md">For up-to-date documentation, see the <b><a href="/oauth2-proxy/docs/">latest version</a></b> (<!-- -->7.5.x<!-- -->).</div></div><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/oauth2-proxy/"><svg viewBox="0 0 24 24" class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><a 
class="breadcrumbs__link" itemprop="item" href="/oauth2-proxy/docs/next/configuration/overview"><span itemprop="name">Configuration</span></a><meta itemprop="position" content="1"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><a class="breadcrumbs__link" itemprop="item" href="/oauth2-proxy/docs/next/configuration/providers/"><span itemprop="name">OAuth Provider Configuration</span></a><meta itemprop="position" content="2"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="name">Keycloak OIDC</span><meta itemprop="position" content="3"></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: Next</span><div class="theme-doc-markdown markdown"><header><h1>Keycloak OIDC</h1></header><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --provider=keycloak-oidc</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-id=&lt;your client&#x27;s id&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --client-secret=&lt;your client&#x27;s secret&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --redirect-url=https://internal.yourcompany.com/oauth2/callback</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --oidc-issuer-url=https://&lt;keycloak host&gt;/realms/&lt;your realm&gt; // For Keycloak versions &lt;17: --oidc-issuer-url=https://&lt;keycloak host&gt;/auth/realms/&lt;your 
realm&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --email-domain=&lt;yourcompany.com&gt; // Validate email domain for users, see option documentation</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --allowed-role=&lt;realm role name&gt; // Optional, required realm role</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --allowed-role=&lt;client id&gt;:&lt;client role name&gt; // Optional, required client role</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --allowed-group=&lt;/group name&gt; // Optional, requires group client scope</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> --code-challenge-method=S256 // PKCE</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><div class="theme-admonition theme-admonition-note alert alert--secondary admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 
.48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</div><div class="admonitionContent_S0QG"><p>Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The
legacy admin console has been announced for removal with the release of version 21.0.0.</p></div></div><p><strong>Keycloak legacy admin console</strong></p><ol><li>Create a new client in your Keycloak realm with <strong>Access Type</strong> &#x27;confidential&#x27;, <strong>Client protocol</strong> &#x27;openid-connect&#x27;
and <strong>Valid Redirect URIs</strong> &#x27;<code>https://internal.yourcompany.com/oauth2/callback</code>&#x27; (the exact callback URL, without wildcards).</li><li>Take note of the Secret in the Credentials tab of the client.</li><li>Create a mapper with <strong>Mapper Type</strong> &#x27;Group Membership&#x27; and <strong>Token Claim Name</strong> &#x27;groups&#x27;.</li><li>Create a mapper with <strong>Mapper Type</strong> &#x27;Audience&#x27; and <strong>Included Client Audience</strong> and <strong>Included Custom Audience</strong> set
to your client name.</li></ol><p><strong>Keycloak new admin console (default as of v19.0.0)</strong></p><p>The following example shows how to create a simple OIDC client using the new Keycloak admin2 console. For best
practices, consult the Keycloak documentation.</p><p>The OIDC client must be configured with an <em>audience mapper</em> that includes the client&#x27;s ID in the <code>aud</code> claim of the JWT tokens.<br>
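</p><p>Creating that client through the Keycloak admin REST API instead of the console, as an added example that is not code from the OAuth2 Proxy project or from Keycloak: the script below builds the confidential client with its dedicated audience mapper, creates the <code>groups</code> client scope with the Group Membership mapper that the Groups section further down describes, and attaches that scope to the client as Optional. The environment variable names, the <code>validate_redirect_uri</code> check and the <code>aud-mapper-&lt;client id&gt;</code> mapper name are this example&#x27;s own choices; the field names are the ones Keycloak&#x27;s admin REST API uses for client, client scope and protocol mapper representations, and the URLs assume Keycloak 17 or later (prefix them with <code>/auth</code> on older versions).</p>

```python
"""Create the OAuth2 Proxy client, its dedicated Audience mapper and a 'groups'
client scope through the Keycloak admin REST API. Added example, not code from
the OAuth2 Proxy project or Keycloak. Assumes Keycloak 17 or later (no /auth
prefix), an admin user in the master realm and Keycloak's admin REST
representation field names; the environment variable names are this script's own."""
import json
import os
import urllib.parse
import urllib.request


def validate_redirect_uri(uri: str) -> str:
    """Keycloak accepts wildcards in Valid redirect URIs; a wildcard lets an
    attacker-controlled page receive the authorization code. Require one exact https URL."""
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc or "*" in uri:
        raise ValueError(f"redirect URI must be an exact https URL: {uri!r}")
    return uri


def audience_mapper(client_id: str, custom_audience: str = "") -> dict:
    """Audience mapper: the client ID (plus an optional 'Included Custom Audience')
    goes into 'aud' of both the ID token and the access token, which OAuth2 Proxy
    matches against --client-id / --oidc-extra-audience."""
    config = {"included.client.audience": client_id,
              "id.token.claim": "true", "access.token.claim": "true"}
    if custom_audience:
        config["included.custom.audience"] = custom_audience
    return {"name": f"aud-mapper-{client_id}", "protocol": "openid-connect",
            "protocolMapper": "oidc-audience-mapper", "consentRequired": False, "config": config}


def client_representation(client_id: str, redirect_uri: str) -> dict:
    """Confidential client, authorization-code (standard) flow only."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,               # Client authentication: On
        "clientAuthenticatorType": "client-secret",
        "standardFlowEnabled": True,         # Standard flow: selected
        "directAccessGrantsEnabled": False,  # Direct access grants: deselected
        "implicitFlowEnabled": False, "serviceAccountsEnabled": False,
        "redirectUris": [validate_redirect_uri(redirect_uri)],
        "fullScopeAllowed": True,            # realm and client roles land in the tokens
        "protocolMappers": [audience_mapper(client_id)],
    }


def groups_scope_representation(claim_name: str = "groups", full_path: bool = True) -> dict:
    """Client scope 'groups' with a Group Membership mapper. With full_path on the
    claim holds '/groupname/child', so --allowed-group values need the leading '/'."""
    mapper = {"name": "groups", "protocol": "openid-connect",
              "protocolMapper": "oidc-group-membership-mapper", "consentRequired": False,
              "config": {"claim.name": claim_name,  # must equal --oidc-groups-claim
                         "full.path": "true" if full_path else "false",
                         "id.token.claim": "true", "access.token.claim": "true",
                         "userinfo.token.claim": "true"}}
    return {"name": "groups", "protocol": "openid-connect",
            "attributes": {"include.in.token.scope": "true", "display.on.consent.screen": "false"},
            "protocolMappers": [mapper]}


def admin_token(base: str, username: str, password: str) -> str:
    """Password grant against the master realm's admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base}/realms/master/protocol/openid-connect/token", form) as r:
        return json.load(r)["access_token"]


def admin_request(base: str, token: str, method: str, path: str, payload: dict = None) -> str:
    """One admin REST call; for a POST, Keycloak returns the new object's UUID in Location."""
    req = urllib.request.Request(
        f"{base}/admin/realms/{path}", method=method,
        data=None if payload is None else json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return r.headers.get("Location", "").rstrip("/").rsplit("/", 1)[-1]


def main() -> None:
    base, realm = os.environ["KEYCLOAK_URL"].rstrip("/"), os.environ["KEYCLOAK_REALM"]
    token = admin_token(base, os.environ["KEYCLOAK_ADMIN"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    client_id = os.environ["OAUTH2_PROXY_CLIENT_ID"]
    scope_id = admin_request(base, token, "POST", f"{realm}/client-scopes", groups_scope_representation())
    uuid = admin_request(base, token, "POST", f"{realm}/clients",
                         client_representation(client_id, os.environ["OAUTH2_PROXY_REDIRECT_URL"]))
    # Attach 'groups' as an Optional scope: it is applied only when the request asks for scope=groups.
    admin_request(base, token, "PUT", f"{realm}/clients/{uuid}/optional-client-scopes/{scope_id}")
    # The secret is generated server-side; read it from the Credentials tab instead of hard-coding one.
    print(f"created client {client_id} ({uuid}) with optional client scope 'groups' ({scope_id})")


if __name__ == "__main__":
    main()
```

<p>Keep the redirect URI exact. Keycloak accepts wildcards in <strong>Valid redirect URIs</strong>, and a wildcard lets anyone who controls a matching page receive the authorization code. The client secret is generated server-side, so read it from the <strong>Credentials</strong> tab afterwards rather than putting one in the script.</p><p>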
<!-- -->The <code>aud</code> claim specifies the intended recipient of the token, and OAuth2 Proxy expects a match against the values of
either <code>--client-id</code> or <code>--oidc-extra-audience</code>.</p><p><em>In Keycloak, claims are added to JWT tokens through the use of mappers at either the realm level using &quot;client scopes&quot; or
through &quot;dedicated&quot; client mappers.</em></p><p><strong>Creating the client</strong></p><ol><li>Create a new OIDC client in your Keycloak realm by navigating to:<br><strong>Clients</strong> -&gt; <strong>Create client</strong><ul><li><strong>Client Type</strong> &#x27;OpenID Connect&#x27;</li><li><strong>Client ID</strong> <code>&lt;your client&#x27;s id&gt;</code>, please complete the remaining fields as appropriate and click <strong>Next</strong>.<ul><li><strong>Client authentication</strong> &#x27;On&#x27;</li><li><strong>Authentication flow</strong><ul><li><strong>Standard flow</strong> &#x27;selected&#x27;</li><li><strong>Direct access grants</strong> &#x27;deselect&#x27;<ul><li><em>Save the configuration.</em></li></ul></li></ul></li><li><strong>Settings / Access settings</strong>:<ul><li><strong>Valid redirect URIs</strong> <code>https://internal.yourcompany.com/oauth2/callback</code><ul><li><em>Save the configuration.</em></li></ul></li></ul></li><li>Under the <strong>Credentials</strong> tab you will now be able to locate <code>&lt;your client&#x27;s secret&gt;</code>.</li></ul></li></ul></li><li>Configure a dedicated <em>audience mapper</em> for your client by navigating to <strong>Clients</strong> -&gt; <strong>&lt;your client&#x27;s id&gt;</strong> -&gt; <strong>Client scopes</strong>.</li></ol><ul><li>Access the dedicated mappers pane by clicking <strong>&lt;your client&#x27;s id&gt;-dedicated</strong>, located under <em>Assigned client scope</em>.<br><em>(It should have a description of &quot;Dedicated scope and mappers for this client&quot;)</em><ul><li>Click <strong>Configure a new mapper</strong> and select <strong>Audience</strong><ul><li><strong>Name</strong> &#x27;aud-mapper-&lt;your client&#x27;s id&gt;&#x27;</li><li><strong>Included Client Audience</strong> select <code>&lt;your client&#x27;s id&gt;</code> from the dropdown.<ul><li><em>OAuth2 proxy can be set up to pass both the access and ID JWT tokens to your upstream services.
If you require additional audience entries, you can use the <strong>Included Custom Audience</strong> field in addition
to the &quot;Included Client Audience&quot; dropdown. Note that the &quot;aud&quot; claim of a JWT token should be limited and
only specify its intended recipients.</em></li></ul></li><li><strong>Add to ID token</strong> &#x27;On&#x27;</li><li><strong>Add to access token</strong> &#x27;On&#x27; - <a href="https://github.com/oauth2-proxy/oauth2-proxy/pull/1916" target="_blank" rel="noopener noreferrer">#1916</a><ul><li><em>Save the configuration.</em></li></ul></li></ul></li></ul></li><li>Any subsequent dedicated client mappers can be defined by clicking <strong>Dedicated scopes</strong> -&gt; <strong>Add mapper</strong> -&gt;
<strong>By configuration</strong> -&gt; <em>Select mapper</em></li></ul><p>You should now be able to create a test user in Keycloak and get access to the OAuth2 Proxy instance. Make sure to set
an email address matching <code>&lt;yourcompany.com&gt;</code> and select <em>Email verified</em>.</p><p><strong>Authorization</strong></p><p><em>By default, OAuth2 Proxy authorizes any user who can authenticate to the realm (and whose email matches <code>--email-domain</code>, if set). This authorization can be extended to take into
account a user&#x27;s membership in Keycloak <code>groups</code>, <code>realm roles</code>, and <code>client roles</code> using the keycloak-oidc provider options<br><code>--allowed-role</code> or <code>--allowed-group</code>; a user is allowed when they hold at least one of the listed roles or groups.</em></p><p><strong>Roles</strong></p><p><em>A standard Keycloak installation comes with the required mappers for <strong>realm roles</strong> and <strong>client roles</strong> through the
pre-defined client scope &quot;roles&quot;. This ensures that any roles assigned to a user are included in the <code>JWT</code> tokens when
using an OIDC client that has the &quot;Full scope allowed&quot; feature activated; the feature is enabled by default. Realm roles appear in the token&#x27;s <code>realm_access.roles</code> claim and client roles under <code>resource_access.&lt;client id&gt;.roles</code>.</em></p><p><em>Creating a realm role</em></p><ul><li>Navigate to <strong>Realm roles</strong> -&gt; <strong>Create role</strong><ul><li><strong>Role name</strong>, <em><code>&lt;realm role name&gt;</code></em> -&gt; <strong>save</strong></li></ul></li></ul><p><em>Creating a client role</em></p><ul><li>Navigate to <strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Roles</strong> -&gt; <strong>Create role</strong><ul><li><strong>Role name</strong>, <em><code>&lt;client role name&gt;</code></em> -&gt; <strong>save</strong></li></ul></li></ul><p><em>Assign a role to a user</em></p><p><strong>Users</strong> -&gt; <em>Username</em> -&gt; <strong>Role mapping</strong> -&gt; <strong>Assign role</strong> -&gt; <em>filter by roles or clients and select</em> -&gt; <strong>Assign</strong>.</p><p>Keycloak &quot;realm roles&quot; can be authorized using the <code>--allowed-role=&lt;realm role name&gt;</code> option, while &quot;client roles&quot; can be
evaluated using <code>--allowed-role=&lt;your client&#x27;s id&gt;:&lt;client role name&gt;</code>.</p><p>You may limit the <em>realm roles</em> included in the JWT tokens for any given client by navigating to:<br>
<strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Client scopes</strong> -&gt; <em>&lt;your client&#x27;s id&gt;-dedicated</em> -&gt; <strong>Scope</strong><br>
<!-- -->Disabling <strong>Full scope allowed</strong> activates the <strong>Assign role</strong> option, allowing you to select which roles, if assigned
to a user, will be included in the user&#x27;s JWT tokens. This can be useful when a user has many associated roles, and you
want to reduce the size of the token and keep unrelated role assignments out of what is forwarded to upstreams.</p><p><strong>Groups</strong></p><p>You may also do authorization on group memberships by using the OAuth2 Proxy option <code>--allowed-group</code>.<br>
<!-- -->This page gives only a brief description of creating the required <em>client scope</em> <strong>groups</strong>; see the Keycloak
documentation for details.</p><p>To summarize, the steps required to authorize Keycloak group membership with OAuth2 Proxy are as follows:</p><ul><li>Create a new Client Scope with the name <strong>groups</strong> in Keycloak.<ul><li>Include a mapper of type <strong>Group Membership</strong>.</li><li>Set the &quot;Token Claim Name&quot; to <strong>groups</strong> or customize by matching it to the <code>--oidc-groups-claim</code> option of OAuth2 Proxy.</li><li>If the &quot;Full group path&quot; option is selected, you need to include a &quot;/&quot; separator in the group names defined in the
<code>--allowed-group</code> option of OAuth2 Proxy. Example: &quot;/groupname&quot; or &quot;/groupname/child_group&quot;.</li></ul></li></ul><p>After creating the <em>Client Scope</em> named <em>groups</em> you will need to attach it to your client.<br>
<strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Client scopes</strong> -&gt; <strong>Add client scope</strong> -&gt; Select <strong>groups</strong> and choose Optional.
The client now maps group memberships into the JWT tokens so that OAuth2 Proxy can evaluate them. An Optional client scope is only applied when the <code>scope</code> parameter of the authorization request includes it, so if you set <code>--scope</code> explicitly, include <code>groups</code> in it.</p><p>Create a group by navigating to <strong>Groups</strong> -&gt; <strong>Create group</strong> and <em>add</em> your test user as a member.</p><p>The OAuth2 Proxy option <code>--allowed-group=/groupname</code> will now allow you to filter on group membership.</p><p>Keycloak also has the option of attaching roles to groups; please refer to the Keycloak documentation for more information.</p><p><strong>Tip</strong></p><p>To check if roles or groups are added to JWT tokens, you can preview a user&#x27;s token in the Keycloak console by following
these steps: <strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Client scopes</strong> -&gt; <strong>Evaluate</strong>.<br>
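</p><p>Once the Evaluate tab has produced the JSON form of a token (or you have captured one from a real login), the checks OAuth2 Proxy applies can be replayed offline. The script below is an added example and not OAuth2 Proxy&#x27;s own code: it shows where Keycloak places each claim that the flags on this page consume (<code>aud</code>, <code>realm_access.roles</code>, <code>resource_access.&lt;client id&gt;.roles</code> and the claim named by <code>--oidc-groups-claim</code>) and evaluates a constructed sample payload against <code>--client-id</code>, <code>--oidc-extra-audience</code>, <code>--email-domain</code>, <code>--allowed-role</code> and <code>--allowed-group</code>. The <code>ProxyOptions</code> class, the <code>role:</code> bookkeeping prefix and the sample payload are this example&#x27;s own, and the <code>--email-domain</code> check is simplified to an exact domain suffix. Signature, expiry and issuer validation are deliberately left out, so only feed it payloads from the Evaluate tab or tokens you have already verified. OAuth2 Proxy reads the roles from the access token, which is why the audience mapper above must add <code>aud</code> to the access token as well.</p>

```python
"""Replay OAuth2 Proxy's keycloak-oidc authorization checks against a decoded
Keycloak token. Added example, not OAuth2 Proxy's code: it shows where Keycloak
puts each claim the flags on this page consume and how they are matched. No
signature, expiry or issuer checks are made; use it only on payloads from the
Evaluate tab or on tokens you have already verified."""
import base64
import json
from dataclasses import dataclass, field

ROLE_PREFIX = "role:"  # this script's own marker to keep roles apart from group names

# Constructed sample payload: what the Evaluate tab shows for a test user holding one
# realm role, one client role on the OAuth2 Proxy client and two groups (Full group path on).
SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example.com/realms/internal",
    "aud": ["oauth2-proxy", "account"],
    "sub": "f0c1d6f3-0000-4000-8000-000000000001",
    "email": "alice@yourcompany.com",
    "email_verified": True,
    "realm_access": {"roles": ["default-roles-internal", "proxy-user"]},
    "resource_access": {"oauth2-proxy": {"roles": ["admin"]},
                        "account": {"roles": ["manage-account"]}},
    "groups": ["/engineering", "/engineering/platform"],
}


@dataclass
class ProxyOptions:
    """The OAuth2 Proxy flags this script models."""
    client_id: str                                       # --client-id
    extra_audiences: list = field(default_factory=list)  # --oidc-extra-audience
    email_domains: list = field(default_factory=list)    # --email-domain
    allowed_roles: list = field(default_factory=list)    # --allowed-role
    allowed_groups: list = field(default_factory=list)   # --allowed-group
    groups_claim: str = "groups"                         # --oidc-groups-claim


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Decode, without verifying, the payload segment of a compact JWT."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def sample_token() -> str:
    """Compact form of SAMPLE_PAYLOAD for exercising decode_payload; the signature
    segment is a placeholder because this script never verifies signatures."""
    header = _b64url({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{_b64url(SAMPLE_PAYLOAD)}.placeholder"


def token_roles(payload: dict) -> set:
    """Realm roles as-is; client roles as 'clientid:role', the form --allowed-role uses."""
    roles = set(payload.get("realm_access", {}).get("roles", []))
    for client, access in payload.get("resource_access", {}).items():
        roles.update(f"{client}:{role}" for role in access.get("roles", []))
    return roles


def audience_ok(payload: dict, opts: ProxyOptions) -> bool:
    """'aud' may be a string or a list; any entry equal to --client-id or an extra audience passes."""
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    return bool({opts.client_id, *opts.extra_audiences} & set(aud))


def email_ok(payload: dict, opts: ProxyOptions) -> bool:
    """Simplified --email-domain: no domains or '*' allows all, otherwise an exact domain suffix."""
    if not opts.email_domains or "*" in opts.email_domains:
        return True
    email = payload.get("email", "").lower()
    return any(email.endswith("@" + domain.lower()) for domain in opts.email_domains)


def authorize(payload: dict, opts: ProxyOptions) -> tuple:
    """Returns (allowed, reason). Roles and groups form one allow-list: holding any one entry is enough."""
    if not audience_ok(payload, opts):
        return False, f"aud {payload.get('aud')!r} matches neither --client-id nor --oidc-extra-audience"
    if not email_ok(payload, opts):
        return False, f"email {payload.get('email')!r} is not in --email-domain {opts.email_domains}"
    wanted = set(opts.allowed_groups) | {ROLE_PREFIX + r for r in opts.allowed_roles}
    if not wanted:
        return True, "authenticated user; no --allowed-role or --allowed-group configured"
    held = set(payload.get(opts.groups_claim, [])) | {ROLE_PREFIX + r for r in token_roles(payload)}
    matched = wanted & held
    if matched:
        return True, f"matched {sorted(matched)}"
    return False, f"none of {sorted(wanted)} held; token carries {sorted(held)}"


if __name__ == "__main__":
    opts = ProxyOptions("oauth2-proxy", email_domains=["yourcompany.com"],
                        allowed_roles=["oauth2-proxy:admin"], allowed_groups=["/engineering/platform"])
    print(authorize(decode_payload(sample_token()), opts))
    # Full group path is on, so a group name without the leading '/' never matches.
    print(authorize(SAMPLE_PAYLOAD, ProxyOptions("oauth2-proxy", allowed_groups=["engineering"])))
```

<p>The second call in the <code>__main__</code> block fails on purpose: with the Group Membership mapper&#x27;s <strong>Full group path</strong> on, the token carries <code>/engineering</code>, so <code>--allowed-group=engineering</code> without the leading slash never matches.</p><p>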
<!-- -->Select a <em>realm user</em> and optional <em>scope parameters</em> such as groups, and generate the JSON representation of an access
or id token to examine its contents.</p></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/oauth2-proxy/docs/next/configuration/providers/keycloak"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Keycloak</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/oauth2-proxy/docs/next/configuration/providers/gitlab"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">GitLab</div></a></nav></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2023 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/assets/js/runtime~main.063d341a.js"></script>
<script src="/oauth2-proxy/assets/js/main.263947fa.js"></script>
</body>
</html>