Update for leanpub preview

2026-01-06 05:19:21 +00:00 · 2020-06-03 01:42:01 +00:00
parent 65dd34c7ea
commit 2e8e16157b
193 changed files with 12667 additions and 155 deletions
--- a/manuscript/recipes/keycloak/authenticate-against-openldap.md
+++ b/manuscript/recipes/keycloak/authenticate-against-openldap.md
@@ -65,4 +65,4 @@ We've setup a new realm in KeyCloak, and configured read-write federation to an

    * [X] KeyCloak realm in read-write federation with [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/)recipes/openldap/) directory

-## Chef's Notes 📓
+## Chef's Notes 
--- a/manuscript/recipes/keycloak/authenticate-against-openldap.mde
+++ b/manuscript/recipes/keycloak/authenticate-against-openldap.mde
@@ -0,0 +1,68 @@
+# Authenticate KeyCloak against OpenLDAP
+
+!!! warning
+    This is not a complete recipe - it's an **optional** component of the [Keycloak recipe](/recipes/keycloak/), but has been split into its own page to reduce complexity.
+
+KeyCloak gets really sexy when you integrate it into your [OpenLDAP](/recipes/openldap/) stack (_also, it's great not to have to play with ugly LDAP tree UIs_). Note that OpenLDAP integration is **not necessary** if you want to use KeyCloak with [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) - all you need for that is [local users](/recipes/keycloak/create-user/), and an [OIDC client](http://localhost:8000/recipes/keycloak/setup-oidc-provider/).
+
+## Ingredients
+
+!!! Summary
+    Existing:
+
+    * [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully
+  
+    New:
+    
+    * [ ] An [OpenLDAP server](/recipes/openldap/) (*assuming you want to authenticate against it*)
+
+## Preparation
+
+You'll need to have completed the [OpenLDAP](/recipes/openldap/) recipe
+
+You start in the "Master" realm - but mouseover the realm name, to a dropdown box allowing you add an new realm:
+
+### Create Realm
+
+![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-1.png)
+
+Enter a name for your new realm, and click "_Create_":
+
+![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-2.png)
+
+### Setup User Federation
+
+Once in the desired realm, click on **User Federation**, and click **Add Provider**. On the next page ("_Required Settings_"), set the following:
+
+* **Edit Mode** : Writeable
+* **Vendor** : Other
+* **Connection URL** : ldap://openldap
+* **Users DN** : ou=People,<your base DN\>
+* **Authentication Type** : simple
+* **Bind DN** : cn=admin,<your base DN\>
+* **Bind Credential** : <your chosen admin password\>
+
+Save your changes, and then navigate back to "User Federation" > Your LDAP name > Mappers:
+
+![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-3.png)
+
+For each of the following mappers, click the name, and set the "_Read Only_" flag to "_Off_" (_this enables 2-way sync between KeyCloak and OpenLDAP_)
+
+* last name
+* username
+* email
+* first name
+
+![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-4.png)
+
+
+## Summary
+
+We've setup a new realm in KeyCloak, and configured read-write federation to an [OpenLDAP](/recipes/openldap/) backend. We can now manage our LDAP users using either KeyCloak or LDAP directly, and we can protect vulnerable services using [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/).
+
+!!! Summary
+    Created:
+
+    * [X] KeyCloak realm in read-write federation with [OpenLDAP](/recipes/openldap/) directory
+
+## Chef's Notes 📓
--- a/manuscript/recipes/keycloak/create-user.mde
+++ b/manuscript/recipes/keycloak/create-user.mde
@@ -0,0 +1,38 @@
+# Create KeyCloak Users
+
+!!! warning
+    This is not a complete recipe - it's an optional component of the [Keycloak recipe](/recipes/keycloak/), but has been split into its own page to reduce complexity.
+
+Unless you plan to authenticate against an outside provider (*[OpenLDAP](/recipes/keycloak/openldap/), below, for example*), you'll want to create some local users..
+
+## Ingredients
+
+!!! Summary
+    Existing:
+
+    * [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully
+  
+### Create User
+
+Within the "Master" realm (*no need for more realms yet*), navigate to **Manage** -> **Users**, and then click **Add User** at the top right:
+
+![Navigating to the add user interface in Keycloak](/images/keycloak-add-user-1.png)
+
+Populate your new user's username (it's the only mandatory field)
+
+![Populating a username in the add user interface in Keycloak](/images/keycloak-add-user-2.png)
+
+### Set User Credentials
+
+Once your user is created, to set their password, click on the "**Credentials**" tab, and procede to reset it. Set the password to non-temporary, unless you like extra work!
+
+![Resetting a user's password in Keycloak](/images/keycloak-add-user-3.png)
+
+## Summary
+
+We've setup users in KeyCloak, which we can now use to authenticate to KeyCloak, when it's used as an [OIDC Provider](/recipes/keycloak/setup-oidc-provider/), potentially to secure vulnerable services using [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/).
+
+!!! Summary
+    Created:
+
+    * [X] Username / password to authenticate against [KeyCloak](/recipes/keycloak/)
--- a/manuscript/recipes/keycloak/setup-oidc-provider.md
+++ b/manuscript/recipes/keycloak/setup-oidc-provider.md
@@ -52,4 +52,4 @@ We've setup an OIDC client in KeyCloak, which we can now use to protect vulnerab

    * [X] Client ID and Client Secret used to authenticate against KeyCloak with OpenID Connect

-## Chef's Notes 📓
+## Chef's Notes 
--- a/manuscript/recipes/keycloak/setup-oidc-provider.mde
+++ b/manuscript/recipes/keycloak/setup-oidc-provider.mde
@@ -0,0 +1,55 @@
+# Add OIDC Provider to KeyCloak
+
+!!! warning
+    This is not a complete recipe - it's an optional component of the [Keycloak recipe](/recipes/keycloak/), but has been split into its own page to reduce complexity.
+
+Having an authentication provider is not much use until you start authenticating things against it! In order to authenticate against KeyCloak using OpenID Connect (OIDC), which is required for [Traefik Forward Auth](/recipe/traefik-forward-auth/), we'll setup a client in KeyCloak...
+
+## Ingredients
+
+!!! Summary
+    Existing:
+
+    * [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully
+
+    New:
+
+    * [ ] The URI(s) to protect with the OIDC provider. Refer to the [Traefik Forward Auth](/recipe/traefik-forward-auth/) recipe for more information  
+
+## Preparation 
+
+### Create Client
+
+Within the "Master" realm (*no need for more realms yet*), navigate to **Clients**, and then click **Create** at the top right:
+
+![Navigating to the add user interface in Keycloak](/images/keycloak-add-client-1.png)
+
+Enter a name for your client (*remember, we're authenticating **applications** now, not users, so use an application-specific name*):
+
+![Adding a client in KeyCloak](/images/keycloak-add-client-2.png)
+
+### Configure Client
+
+Once your client is created, set at **least** the following, and click **Save**
+
+* **Access Type** : Confidential
+* **Valid Redirect URIs** : <The URIs you want to protect\>
+
+![Set KeyCloak client to confidential access type, add redirect URIs](/images/keycloak-add-client-3.png)
+
+### Retrieve Client Secret
+
+Now that you've changed the access type, and clicked **Save**, an additional **Credentials** tab appears at the top of the window. Click on the tab, and capture the KeyCloak-generated secret. This secret, plus your client name, is required to authenticate against KeyCloak via OIDC.
+
+![Capture client secret from KeyCloak](/images/keycloak-add-client-4.png)
+
+## Summary
+
+We've setup an OIDC client in KeyCloak, which we can now use to protect vulnerable services using [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/). The OIDC URL provided by KeyCloak in the master realm, is *https://<your-keycloak-url\>/realms/master/.well-known/openid-configuration*
+
+!!! Summary
+    Created:
+
+    * [X] Client ID and Client Secret used to authenticate against KeyCloak with OpenID Connect
+
+## Chef's Notes 📓