Go to file
Guillaume Dott 27f8d77f2a Correct version checks for dependencies 2022-12-19 15:40:10 +01:00
.vscode Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
bin fixed issues with gem release 2018-12-16 16:52:37 -06:00
lib Update version 2022-07-25 07:17:29 -05:00
spec added base_url option, updated dev dependencies 2021-12-18 16:58:43 -06:00
.gitignore Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
.rspec Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
.travis.yml Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
CHANGELOG.md Updated Changelog 2022-07-25 07:18:52 -05:00
CODE_OF_CONDUCT.md Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
Gemfile Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
Gemfile.lock Remove dependency on MultiJSON 2022-07-24 17:56:34 -05:00
LICENSE.txt Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
README.md Reference issue in documentation for Keycloak 17+ 2022-06-14 11:07:45 -05:00
Rakefile Initial commit for keycloak - opend id support 2018-12-16 15:45:33 -06:00
omniauth-keycloak.gemspec Correct version checks for dependencies 2022-12-19 15:40:10 +01:00

README.md

Omniauth::Keycloak

Installation

Add this line to your application's Gemfile:

gem 'omniauth-keycloak'

And then execute:

$ bundle

Or install it yourself as:

$ gem install omniauth-keycloak

Use with Keycloak >= 17 (Quarkus distribution)

In version 17 of Keycloak, /auth was removed from the default context path. (See Issue #29)
In order to reduce breaking existing user's setup, this gem assumes /auth as the default context.
So if you want to use Keycloak 17 or greater then you must do one of the following:

  1. Pass in --http-relative-path '/auth' option with the keycloak start command
  2. Pass in a empty string for you base_url client_option:
    client_options: {base_url: '', site: 'https://example.keycloak-url.com', realm: 'example-realm'}

Usage

OmniAuth::Strategies::Keycloak is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.

Here's a quick example, adding the middleware to a Rails app in config/initializers/omniauth.rb:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
    client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm'},
    name: 'keycloak'
end

This will allow a POST request to auth/keycloak since the name is set to keycloak

Or using a proc setup with a custom options:

Rails.application.config.middleware.use OmniAuth::Builder do
  SETUP_PROC = lambda do |env|
    request = Rack::Request.new(env)
    organization = Organization.find_by(host: request.host)
    provider_config = organization.enabled_omniauth_providers[:keycloakopenid]

    env["omniauth.strategy"].options[:client_id] = provider_config[:client_id]
    env["omniauth.strategy"].options[:client_secret] = provider_config[:client_secret]
    env["omniauth.strategy"].options[:client_options] = { site: provider_config[:site],  realm: provider_config[:realm] }
  end

  Rails.application.config.middleware.use OmniAuth::Builder do
    provider :keycloak_openid, setup: SETUP_PROC
  end
end

Devise Usage

Adapted from Devise OmniAuth Instructions

# app/models/user.rb
class User < ApplicationRecord
  #...
  devise :omniauthable, omniauth_providers: %i[keycloakopenid]
  #...
end

# config/initializers/devise.rb
config.omniauth :keycloak_openid, "Example-Client-Name", "example-secret-if-configured", client_options: { site: "https://example.keycloak-url.com", realm: "example-realm" }, :strategy_class => OmniAuth::Strategies::KeycloakOpenId

# Below controller assumes callback route configuration following
# in config/routes.rb
Devise.setup do |config|
  # ...
  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
end

# app/controllers/users/omniauth_callbacks_controller.rb
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def keycloakopenid
    Rails.logger.debug(request.env["omniauth.auth"])
    @user = User.from_omniauth(request.env["omniauth.auth"])
    if @user.persisted?
      sign_in_and_redirect @user, event: :authentication
    else
      session["devise.keycloakopenid_data"] = request.env["omniauth.auth"]
      redirect_to new_user_registration_url
    end
  end

  def failure
    redirect_to root_path
  end
end

Configuration

  • Base Url other than /auth
    This gem tries to get the keycloak configuration from "#{site}/auth/realms/#{realm}/.well-known/openid-configuration". If your keycloak server has been setup to use a different "root" url other than /auth then you need to pass in the base_url option when setting up the gem:
    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
        client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm', base_url: '/authorize'},
        name: 'keycloak'
    end
    

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/ccrockett/omniauth-keycloak. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the Omniauth::Keycloak projects codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.