hedgedoc: create realm and roles via scripts

3 years ago · 9031c8d126
parent be5ea40f83
commit 9031c8d126
2 changed files with 147 additions and 1 deletions
--- a/hedgedoc/docker-compose.yaml
+++ b/hedgedoc/docker-compose.yaml
@ -23,7 +23,7 @@ services:
      - CMD_OAUTH2_TOKEN_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/token
      - CMD_OAUTH2_AUTHORIZATION_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth
      - CMD_OAUTH2_CLIENT_ID=hedgedoc
-      - CMD_OAUTH2_CLIENT_SECRET=NNtfTHMlme8LmkTvRS0T3i3L8zGGuqHT
+      - CMD_OAUTH2_CLIENT_SECRET=abcdef1234
      - CMD_OAUTH2_PROVIDERNAME=Keycloak
      - CMD_SESSION_SECRET=abcdef1234
        # - CMD_DOMAIN=<hedgedoc.example.com>
--- a/keycloak/README.md
+++ b/keycloak/README.md
@ -0,0 +1,146 @@
+For initial setup;
+
+* Setup auth credentials
+```
+sudo docker-compose exec keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  config credentials \
+  --server http://localhost:8080/ \
+  --user admin \
+  --password admin \
+  --realm master \
+
+```
+
+* Create a new realm for the `spacestation`:
+```
+sudo docker-compose exec keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create realms \
+  -s realm=spacestation \
+  -s enabled=true \
+
+```
+
+# Fix up a id bug
+
+* https://github.com/hedgedoc/hedgedoc/issues/56
+
+```
+sudo docker-compose exec -T keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create client-scopes \
+  -r spacestation \
+  -f - <<EOF
+ {
+      "name": "id",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true"
+      },
+      "protocolMappers": [
+        {
+          "name": "id",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "id",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "jsonType.label": "String",
+            "userinfo.token.claim": "true"
+          }
+        }
+      ]
+}
+EOF
+
+# Create a client in the realm with a provided shared secret and client scope
+
+```
+sudo docker-compose exec -T keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create clients \
+  -r spacestation \
+  -f - <<EOF
+{
+	"clientId": "hedgerow",
+	"rootUrl": "http://spacestation:3000/",
+	"adminUrl": "http://spacestation:3000/",
+	"redirectUrls": [ "http://spacestation:3000/*" ],
+	"webOrigins": [ "http://spacestation:3000" ],
+	"clientAuthenticatorType": "client-secret",
+	"secret": "abcdef1234",
+	"defaultClientScopes": [
+		"web-origins",
+		"acr",
+		"profile",
+		"roles",
+		"id",
+		"email"
+	],
+	"optionalClientScopes": [
+		"address",
+		"phone",
+		"offline_access",
+		"microprofile-jwt"
+	]
+}
+EOF
+```
+
+
+* Create an admin user
+```
+kcadm.sh create users \
+  -o \
+  --fields id,username \
+  -r spacestation \
+  -s username=admin \
+  -s enabled=true \
+  -s 'credentials=[{"type":"password","value":"admin","temporary":false}]' \
+
+
+
+sudo docker-compose exec keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  config credentials \
+  --server http://localhost:8080/ \
+  --user admin \
+  --password admin \
+  --realm master
+```
+
+
+```
+Create a new realm:
+  $ kcadm.sh create realms -s realm=demorealm -s enabled=true
+
+Create a new realm role in realm 'demorealm' returning newly created role:
+  $ kcadm.sh create roles -r demorealm -s name=manage-all -o
+
+Create a new user in realm 'demorealm' returning only 'id', and 'username' attributes:
+  $ kcadm.sh create users -r demorealm -s username=testuser -s enabled=true -o --fields id,username
+
+Create a new client using configuration read from standard input:
+  $ kcadm.sh create clients -r demorealm  -f - << EOF
+  {
+    "clientId": "my_client"
+  }
+  EOF
+
+Create a new group using configuration JSON passed as 'body' argument:
+  $ kcadm.sh create groups -r demorealm -b '{ "name": "Admins" }'
+
+Create a client using file as a template, and override some attributes - return an 'id' of new client:
+  $ kcadm.sh create clients -r demorealm -f my_client.json -s clientId=my_client2 -s 'redirectUris=["http://localhost:8980/myapp/*"]' -i
+
+Create a new client role for client my_client in realm 'demorealm' (replace ID with output of previous example command):
+  $ kcadm.sh create clients/ID/roles -r demorealm -s name=client_role
+
+
+Use 'kcadm.sh help' for general information and a list of commands
+
+```