Is there a discussion forum for Drupal/Keycloak?

Created on 10 August 2023, over 1 year ago
Updated 11 August 2023, over 1 year ago

Problem/Motivation

There are many setup steps to go through. Wondering if there is a discussion forum, tutorial or demo that is up to date.

  • I have a skinny D10 site running in a lab env. I just created the docker keycloak system.
  • Installed this module and did some basic setup.
  • Now, when I log in, I am presented with the login screen in a private window and get the extra "login via Keycloak" button, which does indeed bring up the Keycloak login window.
  • This is all good, so far...

Wondering about some best practices now... What is the best way to create new users?

Some minor tech questions, such as: in the Drupal Keycloak settings there is an information note about the redirect URL being
Redirect URL
http://www.my_domain.com/openid-connect/drupal_client
Why is that using http instead of https? I needed to add both in keycloak as valid redirects.

Maybe lots of other questions more suited for a forum rather than a ticketing system.

Thanks
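An added note on the http:// redirect URL, not part of HeneryH's post: when a TLS-terminating proxy forwards plain HTTP to Drupal, Drupal builds absolute URLs (including the redirect URL shown in the module settings) with the scheme it sees on the backend connection, unless settings.php tells it to trust the proxy's X-Forwarded-Proto header. The fragment below is Drupal's standard reverse-proxy configuration for sites/default/settings.php, written as an example here; the proxy address 192.168.50.1 and the host pattern are assumed values. Having Drupal generate the https URL means the plain-http redirect URI does not need to be registered in Keycloak at all.

```php
<?php
// Added example fragment for sites/default/settings.php (not from the issue).
// Drupal derives the scheme of absolute URLs from the request it receives; if
// the reverse proxy talks plain HTTP to the backend, generated URLs are http://.
// Trusting the proxy's X-Forwarded-* headers restores the original https scheme.

// Tell Drupal it sits behind a reverse proxy.
$settings['reverse_proxy'] = TRUE;

// Only requests arriving from these addresses may set forwarded headers.
// Assumed value: the address of the Nginx host. Listing the proxy explicitly
// means a client that reaches Drupal directly cannot spoof the scheme or IP.
$settings['reverse_proxy_addresses'] = ['192.168.50.1'];

// Which forwarded headers Drupal should trust from that proxy
// (client IP, host, port and, most importantly here, the scheme).
$settings['reverse_proxy_trusted_headers'] =
  \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR
  | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST
  | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT
  | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO;

// Restrict the Host values Drupal accepts, so the redirect URL is always built
// from the real site name rather than whatever Host header a request carries.
// Assumed pattern, matching the hostname used in the issue.
$settings['trusted_host_patterns'] = [
  '^www\.my_domain\.com$',
];
```

After this change the redirect URL displayed under the module settings should read https://..., which is the only form that needs to be listed as a valid redirect URI in the Keycloak client.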

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request
Status

Active

Version

2.2

Component

Documentation

Created by

🇺🇸 United States HeneryH


Comments & Activities

  • Issue created by @HeneryH
  • 🇺🇸 United States HeneryH

    OK, so I tried to create a drupal user AND then go create a keycloak user. That failed login due to duplicate.

    So I deleted the drupal user and retried the login.

    That worked, but the user was blocked and had to be unblocked.

    A simple refresh on the private window that was a user logging in then worked.

    Trying to figure out the optimal new user process.

  • 🇺🇸 United States HeneryH

    I'll contribute where I can:

    My Home Network Reverse Proxy
    I wanted to use my Keycloak instance behind a central Nginx firewall that I have routing different domain name ingresses to my home network all over the place. That Nginx reverse proxy does my Let's Encrypt certs as well as the routing.

    Nginx Server File

    #########################################
    # Keycloak server configuration
    #
    server {
        server_name keycloak.flynnconsultingllc.com;

        listen [::]:443 ssl http2; # managed by Certbot
        listen 443 ssl http2; # managed by Certbot
    #    listen [::]:443 ssl proxy_protocol; # managed by Certbot
    #    listen 443 ssl proxy_protocol; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/keycloak.flynnconsultingllc.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/keycloak.flynnconsultingllc.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    #    real_ip_header proxy_protocol;
    #    set_real_ip_from 127.0.0.1;

        #include /etc/nginx/templates/ssl.tmpl;
        #include /etc/nginx/templates/misc.tmpl;

        access_log /var/log/nginx/keycloak.access.log;
        error_log /var/log/nginx/keycloak.error.log;

        # Forwarded headers: with KC_PROXY=edge Keycloak uses X-Forwarded-Proto
        # and X-Forwarded-Host to build https:// URLs and X-Forwarded-For for
        # the real client IP, since TLS terminates here and the upstream is HTTP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # "location = /" is an exact match: only the root path is proxied by
        # this block. Other paths (/realms/..., /admin/...) need their own
        # location, e.g. "location /", to reach Keycloak.
        location = / {
            proxy_pass http://192.168.50.145:8080;
            #return 301 https://$host/realms/example/account/#/;
        }
    }

    Of note above, I normally use proxy protocol but I don't think that works well in this case. Need to investigate more.

    Keycloak Docker Stack From Portainer

    version: '3'
    services:
      keycloak_srv:
        # ":latest" is not pinned; Keycloak's proxy/hostname options have changed
        # across major versions, so a fixed tag makes the stack reproducible.
        image: quay.io/keycloak/keycloak:latest
        # start-dev is Keycloak's development mode; a publicly reachable
        # instance is meant to run with "start" and a production configuration.
        command: start-dev
        environment:
          KC_DB: postgres
          KC_DB_URL_HOST: postgres_srv
          KC_DB_URL_DATABASE: keycloak
          KC_DB_PASSWORD: pa55w0rd
          KC_DB_USERNAME: keycloak
          KC_DB_SCHEMA: public
          KEYCLOAK_ADMIN: admin
          KEYCLOAK_ADMIN_PASSWORD: pa55w0rd
          # edge: TLS is terminated by the reverse proxy, Keycloak trusts the
          # X-Forwarded-* headers it receives on plain HTTP.
          KC_PROXY: edge
          KC_HOSTNAME: "keycloak.my-domain.com"
          KC_HOSTNAME_STRICT_HTTPS: 'true'
        ports:
          - "8080:8080"
        depends_on:
          postgres_srv:
            condition: service_healthy
        networks:
          - keycloak_env_network
      postgres_srv:
        image: postgres:latest
        command: postgres -c 'max_connections=200'
        volumes:
          # Path fixed: the image stores data under /var/lib/postgresql/data;
          # the earlier "postgressql" typo mounted the volume at an unused path,
          # so the database would have lived in the container layer instead.
          - pgdata-keycloak_vm:/var/lib/postgresql/data
        environment:
          POSTGRES_DB: keycloak
          POSTGRES_USER: keycloak
          POSTGRES_PASSWORD: pa55w0rd
        healthcheck:
          # "exit 0" reports healthy before Postgres accepts connections, which
          # defeats the depends_on condition above; pg_isready actually checks.
          test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
          interval: 10s
          timeout: 5s
          retries: 5
        ports:
          # Publishes Postgres on the host (port 5436); only Keycloak needs it,
          # so this mapping can be dropped unless host-side access is wanted.
          - "5436:5432"
        networks:
          - keycloak_env_network
    volumes:
      pgdata-keycloak_vm:
    networks:
      keycloak_env_network:
        driver: bridge

    This launches fine and then I can get to it from my Nginx reverse proxy with https://keycloak.my-domain.com .

    I created a Realm for my domain I wish to manage access to.

    Insert screen shots

    Insert Drupal Config

  • 🇺🇸 United States HeneryH

    Is there a way to push newly created users in Drupal to Keycloak? I'd like to keep all users there because I am also trying to make a NextCloud instance where the same users have access.

  • 🇺🇸 United States HeneryH

    I'm also having trouble figuring out the login replacement feature where:

    Replace Drupal login with Keycloak single sign-on (SSO)
    Changes Drupal's authentication back-end to use Keycloak by default. Drupal's user login and registration pages will redirect to Keycloak. Existing users will be able to login using their Drupal credentials at /keycloak/login.

    Checking that box does not seem to actually 1) make the login look like the keycloak login OR 2) use the keycloak mechanics even if it doesn't look like keycloak.

    If I add the OpenID block in addition to the standard drupal login then that works.

    I want all my users to be forced to use the Keycloak method.
