Keycloak urls setup - keycloak

I want to run Keycloak and play with it, so I run a container in Docker with the quay.io/keycloak/keycloak:20.0.1 image.
version: '3.8'
networks:
  default-dev-network:
    external: true
services:
  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:20.0.1
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgresdb:5432/keycloak
      KC_DB_USERNAME: postgres
      KC_DB_PASSWORD: pass
      KC_DB_SCHEMA: public
      KC_HOSTNAME: localhost
      KC_HTTPS_PORT: 8443
      KC_HTTPS_PROTOCOLS: TLSv1.3,TLSv1.2
      KC_HTTP_ENABLED: "true"
      KC_HTTP_PORT: 8080
      KC_METRICS_ENABLED: "true"
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password
    ports:
      - 18080:8080
      - 8443:8443
    command: start-dev
    networks:
      - default-dev-network
Then I created a realm test-realm and a client test-client, so I want to request a bearer token for it. I run
curl \
-d 'client_id=test-client' \
-d 'client_secret=xajewuZlBHL75rpiPttHday8t34aOnYa' \
-d 'grant_type=client_credentials' \
'http://localhost:18080/auth/realms/test-realm/protocol/openid-connect/token'
and I get
{"error":"RESTEASY003210: Could not find resource for full path: http://localhost:18080/auth/realms/test-realm/protocol/openid-connect/token"}
I'm reading the documentation on https://www.keycloak.org but there are so many details there that I'm afraid it will take weeks to figure everything out. Maybe there's a shorter guide?

New versions of Keycloak (after the rewrite on Quarkus) removed the /auth context path.
You can either remove it from the URL or set the property KC_HTTP_RELATIVE_PATH=/auth.
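Rather than hard-coding either layout, a client can derive the realm URL for the relative path in use and read the token endpoint from the realm's OpenID Connect discovery document, checking the issuer so a path mix-up is caught before any secret is sent. The script below is an added example, not code from the question or the answer; it assumes the realm, client and host port from the question (test-realm, test-client, localhost:18080), and the discovery document embedded in it is constructed, not captured from a server.

```python
"""Locate a Keycloak realm's token endpoint and request a client_credentials token."""
import json
import urllib.parse
import urllib.request


def realm_base_url(base_url: str, realm: str, relative_path: str = "") -> str:
    """Build the realm URL for either layout.

    relative_path="" matches Keycloak on Quarkus, where /auth is gone;
    relative_path="/auth" matches older versions or a server started with
    KC_HTTP_RELATIVE_PATH=/auth.
    """
    prefix = relative_path.strip("/")
    parts = [base_url.rstrip("/")] + ([prefix] if prefix else []) + ["realms", realm]
    return "/".join(parts)


def discovery_url(base_url: str, realm: str, relative_path: str = "") -> str:
    return realm_base_url(base_url, realm, relative_path) + "/.well-known/openid-configuration"


def token_endpoint_from_discovery(document: dict, expected_issuer: str) -> str:
    """Return token_endpoint after checking the issuer is the realm we meant.

    A wrong relative path normally produces a 404 rather than a document, but
    behind a path-rewriting proxy the issuer check still catches a document
    that belongs to a different realm URL.
    """
    issuer = document.get("issuer")
    if issuer != expected_issuer:
        raise ValueError(f"issuer {issuer!r} does not match expected {expected_issuer!r}")
    endpoint = document.get("token_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no token_endpoint")
    return endpoint


def fetch_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def client_credentials_token(token_endpoint: str, client_id: str, client_secret: str) -> dict:
    """POST the client_credentials grant, the same form fields the curl in the question sends."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(token_endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample of what GET <discovery_url> returns on the Quarkus layout.
SAMPLE_DISCOVERY = {
    "issuer": "http://localhost:18080/realms/test-realm",
    "token_endpoint": "http://localhost:18080/realms/test-realm/protocol/openid-connect/token",
}


if __name__ == "__main__":
    base = "http://localhost:18080"
    for rel in ("", "/auth"):
        print("discovery URL:", discovery_url(base, "test-realm", rel))
    endpoint = token_endpoint_from_discovery(SAMPLE_DISCOVERY, realm_base_url(base, "test-realm"))
    print("token endpoint:", endpoint)
    # Against a live server, replace SAMPLE_DISCOVERY with fetch_json(discovery_url(base, "test-realm"))
    # and call client_credentials_token(endpoint, "test-client", "<client secret>").
```

The discovery document also carries the issuer the server will put into every token it signs, so a resource server that validates tokens should be configured with that exact value rather than a guessed path.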

Related

connect hasura to existing postgresql

Docker desktop (windows10) running in WSL2
postgresql running in WSL2
pgadmin running in windows10
I can connect with pgadmin (local machine) to postgresql (local machine, WSL2) with the default settings (localhost:5432).
postgres.conf
listen_addresses = '*'
port = 5432
When I create a docker container it will not connect to my local postgresql.
cmd used in WSL2
docker run -d --net=host \
  -e HASURA_GRAPHQL_DATABASE_URL=postgres://postgres:password@localhost:5432/mydb \
  -e HASURA_GRAPHQL_ENABLE_CONSOLE=true \
  -e HASURA_GRAPHQL_DEV_MODE=true \
  hasura/graphql-engine:v1.3.3
error
"could not connect to server: Connection refused\n\tIs the server running on host \"localhost\" (127.0.0.1) and accepting\n\tTCP/IP connections on port 5432?\n","path":"$","error":"connection error","code":"postgres-error"}
What am I missing?
Turned out I had to use this:
docker run -d -p 8080:8080 \
  -e HASURA_GRAPHQL_DATABASE_URL=postgres://postgres:password@host.docker.internal:5432/mydb \
  -e HASURA_GRAPHQL_ENABLE_CONSOLE=true \
  -e HASURA_GRAPHQL_DEV_MODE=true \
  hasura/graphql-engine:v1.3.3
I thought "host.docker.internal" was only meant for Mac. Seems to work with Docker Desktop Windows 10 (WSL2) too.
Here is a working solution for me; the important part is hostname.
version: "3.8"
services:
  postgres:
    restart: always
    image: postgres
    container_name: postgres
    hostname: postgres
    #depends_on:
    #  sql-server:
    #    condition: service_healthy
    volumes:
      - pg_data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgrespassword
    networks:
      - backend
  sql-api:
    restart: always
    container_name: api
    image: hasura/graphql-engine:v2.2.0
    ports:
      - 8055:8080
    depends_on:
      - "postgres"
    hostname: sqlapi
    environment:
      ## postgres database to store Hasura metadata
      HASURA_GRAPHQL_METADATA_DATABASE_URL: postgres://postgres:postgrespassword@postgres:5432/postgres
      ## enable the console served by server
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true" # set to "false" to disable console
      ## enable debugging mode. It is recommended to disable this in production
      HASURA_GRAPHQL_DEV_MODE: "true"
      HASURA_GRAPHQL_ENABLED_LOG_TYPES: startup, http-log, webhook-log, websocket-log, query-log
      ## uncomment next line to set an admin secret
      # HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
    networks:
      - backend
networks:
  backend:
    driver: bridge
volumes:
  pg_data:

Unable to reproduce keycloak direct naked impersonation

After some effort, I am still unable to reproduce the direct naked impersonation feature with OIDC.
refs: https://www.keycloak.org/docs/latest/securing_apps/#direct-naked-impersonation
I get the same error.
curl -X POST http://localhost:8080/auth/realms/iot/protocol/openid-connect/token \
  -d "client_id=backend-service" \
  -d "client_secret=f0ead74d-c3eb-47c5-82fd-d8fccc5e5096" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "requested_subject=1c04c634-a64a-4905-b87f-e654ca01b889"
{"error":"access_denied","error_description":"Client not allowed to exchange"}
Below is my development configuration.
$ cat docker-compose.yaml
version: '2.4'
volumes:
  postgres_data:
    driver: local
services:
  postgres:
    image: postgres:12-alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
    ports:
      - 5432:5432
  keycloak:
    image: jboss/keycloak:10.0.1
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: postgres
      DB_SCHEMA: public
      DB_PASSWORD: postgres
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      #JDBC_PARAMS: "ssl=true"
    ports:
      - 8080:8080
    volumes:
      - /etc/localtime:/etc/localtime:ro
    command: -Dkeycloak.profile=preview
    depends_on:
      - postgres
realm-export.json
https://gist.github.com/whisper-bye/20c86de26459efe641008ba5f448f3f1
In your export there is no policy that permits a specific client to use the impersonation feature.
Example from my realm:
{
  "id": "7588d6d2-82b6-42ef-9bd0-e9c01a2dc92b",
  "name": "admin-impersonating.permission.users",
  "description": "Client foo may impersonate any user",
  "type": "scope",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "config": {
    "resources": "[\"Users\"]",
    "scopes": "[\"impersonate\"]",
    "applyPolicies": "[\"foo client-policy\"]"
  }
}
You can configure this at Manage/Users on the left and then "Permissions" on the right. This menu item only appears when starting Keycloak with -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled!
Then click on "impersonate" and make sure "Apply Policy" has something set.
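Because a permission like the one above is what turns token exchange into impersonation of any user, it is worth being able to list, from a realm export, exactly which clients hold it. The script below is an added example, not code from the question or the answer. It assumes the fine-grained admin permissions are exported under the realm-management client's authorizationSettings.policies, that a "scope" permission references "client" policies by name through applyPolicies, and that a "client" policy lists clientIds in its clients config; the export fragment is constructed around the policy shown in the answer, and the policy name "foo client-policy" and clientId "foo" are assumed names.

```python
"""Audit a Keycloak realm export for clients allowed to impersonate users."""
import json

# Constructed realm export fragment (assumed structure, modelled on the answer's policy).
SAMPLE_EXPORT = json.loads(r'''
{
  "realm": "iot",
  "clients": [
    {
      "clientId": "realm-management",
      "authorizationSettings": {
        "policies": [
          {
            "id": "c1",
            "name": "foo client-policy",
            "type": "client",
            "logic": "POSITIVE",
            "config": {"clients": "[\"foo\"]"}
          },
          {
            "id": "7588d6d2-82b6-42ef-9bd0-e9c01a2dc92b",
            "name": "admin-impersonating.permission.users",
            "description": "Client foo may impersonate any user",
            "type": "scope",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "resources": "[\"Users\"]",
              "scopes": "[\"impersonate\"]",
              "applyPolicies": "[\"foo client-policy\"]"
            }
          }
        ]
      }
    },
    {"clientId": "backend-service"},
    {"clientId": "foo"}
  ]
}
''')


def _json_list(config: dict, key: str) -> list:
    """Config values in exports are JSON arrays serialised into strings."""
    raw = config.get(key)
    return json.loads(raw) if raw else []


def admin_policies(export: dict) -> list:
    """Policies and permissions of the realm-management client (fine-grained admin authz)."""
    for client in export.get("clients", []):
        if client.get("clientId") == "realm-management":
            return client.get("authorizationSettings", {}).get("policies", [])
    return []


def impersonating_clients(export: dict) -> set:
    """clientIds granted the impersonate scope on Users through a positive client policy."""
    policies = admin_policies(export)
    by_name = {p["name"]: p for p in policies}
    granted = set()
    for perm in policies:
        if perm.get("type") != "scope" or perm.get("logic", "POSITIVE") != "POSITIVE":
            continue
        cfg = perm.get("config", {})
        if "Users" not in _json_list(cfg, "resources") or "impersonate" not in _json_list(cfg, "scopes"):
            continue
        for name in _json_list(cfg, "applyPolicies"):
            policy = by_name.get(name)
            if policy and policy.get("type") == "client" and policy.get("logic", "POSITIVE") == "POSITIVE":
                granted.update(_json_list(policy.get("config", {}), "clients"))
    return granted


def can_impersonate(export: dict, client_id: str) -> bool:
    return client_id in impersonating_clients(export)


if __name__ == "__main__":
    print("clients allowed to impersonate:", sorted(impersonating_clients(SAMPLE_EXPORT)))
    # backend-service is the client from the question; with no policy naming it,
    # the server's "Client not allowed to exchange" is the expected outcome.
    print("backend-service allowed:", can_impersonate(SAMPLE_EXPORT, "backend-service"))
```

Only direct client policies are resolved; aggregate, role or user policies attached to the same permission would need their own branch, so treat an empty result from this script as "nothing obvious" rather than "nothing".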

How To Pass Username & Password to Private Docker Registry For "htpasswd" authentication

I have a docker registry:2 implemented using docker-compose with "htpasswd" authentication.
This is working perfectly. I can log in to the registry using "docker login" command by passing the credentials on the terminal.
All docker push/pull operations can be performed.
However, the curl queries are failing with Authentication Error.
curl -s -H "Content-Type: application/json" -X POST -d '{"username": "registry-admin", "password": "Password#123"}' https://my-registry.com:5000/v2/_catalog
ERROR:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
Docker-Compose.yml
version: '3.7'
services:
  my-registry:
    container_name: my-registry
    restart: always
    image: registry:2
    ports:
      - "5000:5000"
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
    volumes:
      - type: bind
        source: /opt/docker/registry/certs/
        target: /certs
      - type: volume
        source: registry_data
        target: /data
      - type: bind
        source: /opt/docker/registry/auth/
        target: /auth
volumes:
  registry_data:
What is the correct way to use "htpasswd" credentials with CURL command for operations like listing registry images?
You can authenticate a request to a private docker registry with curl like:
curl --user ${user}:${password} http://${domain}:${port}/v2/*
In your use case, this should be:
curl --user registry-admin:Password#123 https://my-registry.com:5000/v2/_catalog
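The htpasswd backend is plain HTTP Basic authentication: the credentials travel in an Authorization header, which is what `curl --user` builds, and a JSON body is simply ignored, hence the UNAUTHORIZED error document in the question. The script below is an added example, not code from the question or the answer; it builds that header the way curl does, shows the GET request the catalog endpoint expects, and parses the registry's error document. The registry host, user and password are the ones from the question, and the error body is the one the question shows, embedded here as sample input; no server is contacted unless you call list_catalog() yourself.

```python
"""Send htpasswd (HTTP Basic) credentials to a registry:2 API and read its error documents."""
import base64
import json
import urllib.request


def basic_auth_header(user: str, password: str) -> str:
    """What `curl --user user:password` sends: base64(user:password) in the header, not a body."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header: str) -> tuple:
    """Inverse of basic_auth_header, handy when checking what a proxy or log actually carried."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def catalog_request(registry: str, user: str, password: str) -> urllib.request.Request:
    """GET /v2/_catalog with Basic auth; the registry ignores POSTed JSON credentials."""
    req = urllib.request.Request(f"{registry}/v2/_catalog", method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def registry_error_codes(body: str) -> list:
    """Codes from a registry error document: {"errors":[{"code":...,"message":...,"detail":...}]}."""
    doc = json.loads(body)
    return [e.get("code") for e in doc.get("errors", [])]


def needs_credentials(body: str) -> bool:
    return "UNAUTHORIZED" in registry_error_codes(body)


def list_catalog(registry: str, user: str, password: str) -> list:
    """Live call; only for a registry you operate. Returns the repository names."""
    with urllib.request.urlopen(catalog_request(registry, user, password), timeout=10) as resp:
        return json.load(resp).get("repositories", [])


# Error body from the question, used as sample input for the parser.
SAMPLE_ERROR = ('{"errors":[{"code":"UNAUTHORIZED","message":"authentication required",'
                '"detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}')

if __name__ == "__main__":
    req = catalog_request("https://my-registry.com:5000", "registry-admin", "Password#123")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("error codes in unauthenticated response:", registry_error_codes(SAMPLE_ERROR))
    print("needs credentials:", needs_credentials(SAMPLE_ERROR))
```

Basic credentials are only base64-encoded, not encrypted, so the TLS the compose file already configures (REGISTRY_HTTP_TLS_*) is what keeps them private on the wire; keep using https:// in scripts as the answer does.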

How to access exposed containers with docker-compose and Hyperledger Sawtooth?

I'm trying to run a bare bones version of Hyperledger Sawtooth using Docker CE on a Mac. The docker-compose.yaml has containers running the base images from Sawtooth.
I'm unable to access the Sawtooth REST API from the host machine even though there are ports published for it when I run docker ps. The docker-compose file has worked on other Macs running Docker CE so I'm suspecting it may be a configuration or setup issue.
The contents of the docker-compose.yaml are below:
version: '2.1'
services:
  settings-tp:
    image: 'hyperledger/sawtooth-settings-tp:1.1.3'
    container_name: sawtooth-settings-tp
    depends_on:
      - validator
    entrypoint: settings-tp --connect tcp://validator:4004
  identity-tp:
    image: 'hyperledger/sawtooth-identity-tp:1.1.3'
    container_name: sawtooth-identity-tp
    depends_on:
      - validator
    entrypoint: identity-tp -vv --connect tcp://validator:4004
  rest-api:
    image: 'hyperledger/sawtooth-rest-api:1.1.3'
    container_name: sawtooth-rest-api
    ports:
      - '8008:8008'
    depends_on:
      - validator
    entrypoint: sawtooth-rest-api --connect tcp://validator:4004 --bind rest-api:8008
  validator:
    image: 'hyperledger/sawtooth-validator:1.1.3'
    container_name: sawtooth-validator
    ports:
      - '4004:4004'
    command: |
      bash -c "
        if [ ! -f /etc/sawtooth/keys/validator.priv ]; then
          sawadm keygen
          sawtooth keygen my_key
          sawset genesis -k /root/.sawtooth/keys/my_key.priv
          sawset proposal create \
            -k /root/.sawtooth/keys/my_key.priv \
            sawtooth.consensus.algorithm.name=Devmode \
            sawtooth.consensus.algorithm.version=0.1 \
            -o config.batch && \
          sawadm genesis config-genesis.batch config.batch
        fi;
        sawtooth-validator -vvv \
          --endpoint tcp://validator:8800 \
          --bind component:tcp://eth0:4004 \
          --bind network:tcp://eth0:8800 \
          --bind consensus:tcp://eth0:5050 \
      "
  devmode-engine:
    image: 'hyperledger/sawtooth-devmode-engine-rust:1.1.3'
    container_name: sawtooth-devmode-engine-rust-default
    depends_on:
      - validator
    entrypoint: devmode-engine-rust -C tcp://validator:5050
If you cannot access the port from the host, the container must not be running correctly. Look for error messages for that container when starting docker-compose.
What does docker ps -a show?
Can you connect to the port? Try something like telnet localhost 8008.
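The telnet test in the answer, scripted for every published port at once so the check can be repeated after each compose change. This is an added example, not code from the question or the answer; the port list mirrors the compose file in the question (8008 for rest-api, 4004 for the validator), and the temporary listener exists only so the script can demonstrate a reachable port without Sawtooth running.

```python
"""Check from the host whether docker-compose published ports accept TCP connections."""
import socket

# Published ports from the compose file in the question.
PUBLISHED = {"rest-api": 8008, "validator": 4004}


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds; the same thing telnet tells you."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_services(host: str, ports: dict) -> dict:
    """Map service name -> reachable, for the published ports given."""
    return {name: port_open(host, port) for name, port in ports.items()}


def open_temporary_listener() -> tuple:
    """Bind a listening socket on an ephemeral loopback port; the caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_temporary_listener()
    try:
        print(f"demo listener on 127.0.0.1:{port} reachable:", port_open("127.0.0.1", port))
    finally:
        srv.close()
    for name, ok in check_services("localhost", PUBLISHED).items():
        status = "reachable" if ok else "NOT reachable (check docker ps -a and the container logs)"
        print(f"{name}: {status}")
```

A port that is published but refuses connections usually means the process inside the container exited or is bound to an interface other than the one Docker forwards to; the rest-api entrypoint above binds to rest-api:8008, so the container's own hostname must resolve for the bind to succeed.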

How to deploy Keycloak HA cluster in Docker

I'm following http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html and when trying to run the first keycloak instance:
docker run --name postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=password -d postgres
docker run -p 8080:8080 --name keycloak --link postgres:postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -d jboss/keycloak-ha-postgres
I am getting the error:
javax.resource.ResourceException: IJ031083: Wrong driver class [org.postgresql.Driver] for this connection URL [jdbc:postgresql://postgres:tcp://172.17.0.2:5432/keycloak]
Has anyone got experience using this Keycloak Docker image? Or is there an easier way to deploy a Keycloak cluster to Docker?
An example for deploying Keycloak in HA mode with Postgres:
version: '3'
volumes:
  postgres_data:
    driver: local
services:
  postgres:
    image: 'postgres:alpine'
    volumes:
      - ./postgres:/var/lib/postgresql/data
    restart: 'always'
    # ports:
    #   - 5432:5432
    environment:
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
      POSTGRES_DB: keycloak
      POSTGRES_HOST: postgres
  traefik:
    image: library/traefik:alpine
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: >
      --logLevel=ERROR
      --api.dashboard
      --docker
      --entrypoints="Name:http Address::80"
      --defaultentrypoints="http"
    ports:
      - 80:80
      - 3000:8080
  keycloak:
    image: jboss/keycloak
    environment:
      DB_VENDOR: postgres
      DB_ADDR: postgres
      DB_PORT: 5432
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: Pa55w0rd
      # KEYCLOAK_LOGLEVEL: DEBUG
      JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING
      JGROUPS_DISCOVERY_PROPERTIES: datasource_jndi_name=java:jboss/datasources/KeycloakDS,info_writer_sleep_time=500,initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
    depends_on:
      - postgres
    labels:
      traefik.enable: true
      traefik.port: 8080
      traefik.protocol: http
      traefik.frontend.rule: Host:localhost
      traefik.frontend.passHostHeader: true
      # traefik.backend.loadbalancer.stickiness: true
https://gist.github.com/ERRECabrera/a4fb1ebdba300521b46587881b66aaf4
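The malformed URL in the question, jdbc:postgresql://postgres:tcp://172.17.0.2:5432/keycloak, has the shape host:tcp://ip:port, which is what you get when the port is filled from an environment variable holding a whole address rather than a number; Docker's legacy --link injects variables of the form <ALIAS>_PORT=tcp://<ip>:<port> for a container linked as postgres, so POSTGRES_PORT is one such variable. The helper below is an added example, not code from the question, the answers or the Keycloak image: it validates the address and port before assembling the JDBC URL, extracting the numeric port from a tcp:// value instead of concatenating it. The variable names DB_ADDR, DB_PORT and DB_DATABASE follow the compose file in the answer, and both environment dicts are constructed.

```python
"""Build a Keycloak Postgres JDBC URL from environment values, rejecting malformed ones."""
import re
from urllib.parse import urlsplit

_PORT_RE = re.compile(r"^[0-9]{1,5}$")


def normalise_port(value: str) -> int:
    """Accept '5432' or, from a --link style variable, 'tcp://172.17.0.2:5432'."""
    value = value.strip()
    if _PORT_RE.match(value):
        port = int(value)
    elif "://" in value:
        port = urlsplit(value).port
        if port is None:
            raise ValueError(f"no port in {value!r}")
    else:
        raise ValueError(f"not a port: {value!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def jdbc_postgres_url(env: dict) -> str:
    """jdbc:postgresql://<host>:<port>/<db> from DB_ADDR, DB_PORT and DB_DATABASE."""
    host = env.get("DB_ADDR", "").strip()
    # A host containing ':' or '/' would silently produce the broken URL from the question.
    if not host or "/" in host or ":" in host:
        raise ValueError(f"DB_ADDR must be a bare hostname, got {host!r}")
    port = normalise_port(env.get("DB_PORT", "5432"))
    db = env.get("DB_DATABASE", "keycloak")
    return f"jdbc:postgresql://{host}:{port}/{db}"


# Constructed environments: one hand-written as in the compose file, one shaped like --link output.
GOOD_ENV = {"DB_ADDR": "postgres", "DB_PORT": "5432", "DB_DATABASE": "keycloak"}
LINKED_ENV = {"DB_ADDR": "postgres", "DB_PORT": "tcp://172.17.0.2:5432", "DB_DATABASE": "keycloak"}

if __name__ == "__main__":
    print(jdbc_postgres_url(GOOD_ENV))
    print(jdbc_postgres_url(LINKED_ENV))
```

On a user-defined compose network, as in the answer's file, service names resolve through DNS and no link variables are injected, which is one more reason to prefer it over --link.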
You should try using this more up-to-date docker-compose file provided by the people behind the image, which might contain updated variable names and versions. I ran it and it created the containers correctly. Just download the file and run docker-compose up and you'll have the stack running.
In the example you mentioned they just start another Docker container, which in docker-compose would only mean adding a new entry. Check out this gist: https://gist.github.com/pacuna/e7427d8fef752992ff1df944223ad0ab
Now, that's not the ideal way of running a cluster of Docker containers; you may want to check out Docker Swarm or Kubernetes if it's a serious project. The docker-compose template would be easy to translate to Kubernetes files.