hedgedoc: create realm and roles via scripts

single-dockerfile
Ubuntu 3 years ago
parent be5ea40f83
commit 9031c8d126
  1. hedgedoc/docker-compose.yaml (2 changed lines)
  2. keycloak/README.md (146 changed lines)

@ -23,7 +23,7 @@ services:
- CMD_OAUTH2_TOKEN_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/token
- CMD_OAUTH2_AUTHORIZATION_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth
- CMD_OAUTH2_CLIENT_ID=hedgedoc
- CMD_OAUTH2_CLIENT_SECRET=NNtfTHMlme8LmkTvRS0T3i3L8zGGuqHT
- CMD_OAUTH2_CLIENT_SECRET=abcdef1234
- CMD_OAUTH2_PROVIDERNAME=Keycloak
- CMD_SESSION_SECRET=abcdef1234
# - CMD_DOMAIN=<hedgedoc.example.com>
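Review bot: the client secret is replaced by the guessable placeholder `abcdef1234`, which is also the value already used for `CMD_SESSION_SECRET` two lines below, and both sit in plain text in `hedgedoc/docker-compose.yaml`. Keep the OAuth2 client secret and the session secret distinct and randomly generated, and move them out of the compose file (a git-ignored `env_file` or Docker secrets) so that rotating the Keycloak client secret does not require a commit. The removed value starting `NNtf…` should be treated as disclosed and rotated in Keycloak if that realm was ever reachable.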

@ -0,0 +1,146 @@
For initial setup;
* Setup auth credentials
```
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
--user admin \
--password admin \
--realm master \
```
* Create a new realm for the `spacestation`:
```
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
create realms \
-s realm=spacestation \
-s enabled=true \
```
# Fix up a id bug
* https://github.com/hedgedoc/hedgedoc/issues/56
```
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create client-scopes \
-r spacestation \
-f - <<EOF
{
"name": "id",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"user.attribute": "id",
"id.token.claim": "true",
"access.token.claim": "true",
"jsonType.label": "String",
"userinfo.token.claim": "true"
}
}
]
}
EOF
# Create a client in the realm with a provided shared secret and client scope
```
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
-r spacestation \
-f - <<EOF
{
"clientId": "hedgerow",
"rootUrl": "http://spacestation:3000/",
"adminUrl": "http://spacestation:3000/",
"redirectUrls": [ "http://spacestation:3000/*" ],
"webOrigins": [ "http://spacestation:3000" ],
"clientAuthenticatorType": "client-secret",
"secret": "abcdef1234",
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"id",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
EOF
```
* Create an admin user
```
kcadm.sh create users \
-o \
--fields id,username \
-r spacestation \
-s username=admin \
-s enabled=true \
-s 'credentials=[{"type":"password","value":"admin","temporary":false}]' \
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
--user admin \
--password admin \
--realm master
```
```
Create a new realm:
$ kcadm.sh create realms -s realm=demorealm -s enabled=true
Create a new realm role in realm 'demorealm' returning newly created role:
$ kcadm.sh create roles -r demorealm -s name=manage-all -o
Create a new user in realm 'demorealm' returning only 'id', and 'username' attributes:
$ kcadm.sh create users -r demorealm -s username=testuser -s enabled=true -o --fields id,username
Create a new client using configuration read from standard input:
$ kcadm.sh create clients -r demorealm -f - << EOF
{
"clientId": "my_client"
}
EOF
Create a new group using configuration JSON passed as 'body' argument:
$ kcadm.sh create groups -r demorealm -b '{ "name": "Admins" }'
Create a client using file as a template, and override some attributes - return an 'id' of new client:
$ kcadm.sh create clients -r demorealm -f my_client.json -s clientId=my_client2 -s 'redirectUris=["http://localhost:8980/myapp/*"]' -i
Create a new client role for client my_client in realm 'demorealm' (replace ID with output of previous example command):
$ kcadm.sh create clients/ID/roles -r demorealm -s name=client_role
Use 'kcadm.sh help' for general information and a list of commands
```
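Review bot: the client created in `keycloak/README.md` uses `"clientId": "hedgerow"`, while the compose change in this same commit sets `CMD_OAUTH2_CLIENT_ID=hedgedoc`; with that mismatch the token request fails, so one of the two names needs to change. In the same JSON, `"redirectUrls"` is not a Keycloak client attribute; the field is `redirectUris` (the `kcadm.sh` help text pasted at the end of this file uses it), so the wildcard redirect would silently not be registered. The markup is also broken: the `create client-scopes` block is never closed with a fence, so the `# Create a client ...` heading and the following block end up inside it; the `create users` command lacks the `sudo docker-compose exec -T keycloak /opt/keycloak/bin/` prefix, ends with a trailing backslash and runs straight into a second copy of the `config credentials` command; and the stray fence before `Create a new realm:` wraps generic `kcadm.sh help` output that does not belong in the README. Finally, `--password admin` together with `"value":"admin"` and `"temporary":false` ships a fixed admin password; mark it temporary or read it from an environment variable so the default cannot outlive the first login.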