Keycloak Is AWESOME! Single Sign On Made Easy!
Vložit
- čas přidán 2. 06. 2024
- Keycloak is an open source, Red Hat sponsored, authentication and authorisation platform that you can self host! In this video I show you how to configure, deploy, and setup single sign on for Portainer and Proxmox.
Keycloak Docker Files:
github.com/JamesTurland/JimsG...
Recommended Hardware: github.com/JamesTurland/JimsG...
Discord: / discord
Twitter: / jimsgarage_
Reddit: / jims-garage
GitHub: github.com/JamesTurland/JimsG...
00:00 - Introduction to Keycloak and Single Sign On
01:38 - Keycloak Feature Review
03:29 - Docker Compose Overview
07:54 - Deploying Containers
09:26 - Keycloak GUI & Configuration (Portainer and Proxmox)
14:45 - Portainer
18:28 - Proxmox
22:27 - Identity Providers
23:30 - Outro - Věda a technologie
Thanks, It's a nice step by step guide to containerize keycloak and deployment altogether.
spent hours without beeing able to get keycloak running! Now it works. Thanks so much for your research and explanation!
You're welcome, glad it worked.
Great content, very clear explanation! Thanks a lot, Jim.
Thanks, you're welcome 😁
Great content, Jim!
Just wanted to highlight, since you’re using Keyclock for SSO, the importance of creating the users in the OAuth2/OIDC server, leaving that to the clients with auto-user-creation option turned on makes your system less secure, particularly if one of your services got hacked.
Thanks for your video! It helped me very much :)
You're welcome!
Can't wait to dive into this! You're on a roll recently. Keep it up. 3k next :)
Thanks, so much to cover! Just wish I had more spare evenings.
Complements on your great videos. I've been a subscriber for a while because you explain complicated topics quite well making it easy to implement for an average homelab hobbyist. Hopefully you get thousands more subscribers for all the good videos you make.
Thank you for your kind words, fingers crossed!
You read my mind 😃,,
That’s what I started to write 👌😀
@@crc_code thanks 👍
Great Video.....Good work.
Thanks, Louis.
Thank you! Very nice
Glad you enjoyed it ☺️
Not heard of this before. Nice video, not sure I'm going to try it, but still enjoyed it
It's a great tool, although I feel that Authentik is probably going to be the sweet spot for most as it does the web proxy for applications that lack authentication.
Jolly Good Show!
I'm currently trying to decide between Authentik and Keycloak and this has helped, though I'm still unsure. But you've opened the door to me just playing around with them and seeing which one appeals to me most. Thanks!
I think Authentik is the right balance for a homelab.
By the way, there is a noticeable increase of pace in how you communicate in the recent videos. Like when compare it even just few months back! Nice to see this.
Thanks. I like to think I've come a long way in a short span of time. All of this is new to me. Constantly looking to improve.
good video. 12'40", openid-connection does authentication only, it's built on oauth2 which takes care of authorization.
This video covers cases where your varied apps all have native openid capabilities.
Traefik also has the ability to use a key cloak 'forward auth' middleware to add authentication for ANY app.
I’ve need struggling through that now. Your video is a great source for me to clean up my homeland docker settings though.
Thank you
Thanks for sharing, I'll look into that.
Hello Jims, really enjoyed your video. Please create a video for keycloak and kibana integration.
Thanks, I'll consider it for a follow up
Hi Jim, awesome content, I was reviewing the docker compose, and it was not working for me, however after reviewing it in detail, I was able to make it work by changing the service name in the docker compose from postgresql to postgres or changing the environment variable KC_DB_URL_HOST , since I had the error password
FATAL: password authentication failed for user "keycloak"
Again, as always great content.
Thanks 👍
this is an awesome tutorial. One of the problems I am having is getting access to the users keycloak interface. For the admin account on the master realm, that super easy. but its not so straightforward in the documentation about how to access the users portal for setting up MFA, changin passwords, etc.
Thanks. I'm aiming to come back to keycloak in the near future and perhaps I can cover those items. I'm really interested in using hardware tokes for auth / zero trust.
Hi Jim, excellent video, just one detail, it's not good practice to use the realm master as a default, I know it's just an example, but it's always good practice to create a realm and leave the master to manage your keycloak ;)
Thanks, agreed. I believe I do mention that at the start but perhaps a case of practice what you preach.
Great explanation, especially for non native english persons like me.
Thanks 👍
Thank you for the video. I followed your guide but when i stop/remove the containers, all changes are gone. so there is nothing persistant stored in the DB! Help please!
Good explanation, thanks ! When do you plan to roll out the video referred in the last "Outro" section about integrating Keycloak with other identity providers like Google / Facebook / Azure ?
Soon, I keep being sidetracked...
Super, can't wait !!!
Thanks
You're welcome.
Hi Jim! Thank´s for the video.I´m trying to connect spring boot microservices with keycloak using an external rds db, not containerized. I actually can do with keycloak 16, but using 23 version can´t connect with that db. Do you know what could be the problem? I got some errors related with quarkus ...
I'm not sure. Perhaps requires an encrypted connection? I'm not familiar with the differences between the versions.
I get Oauth authorisation failure... :? the dns entries are there in pihole and both keycloak and portainer are on the same docker host with traefik.
Thanks Jim, It's awesome this video. How can we connect Keycloak to a personal website with php?
You're welcome. You'd need something that supports OIDC / OAuth2. I recommend checking out my Authentik video, that has a proxy for authentication so you can add it to any site (I think that is what you're after).
Great content thanks for sharing it. Could you please share the proxmox user creation step details? (assigning the necessary permission to the user that you created)
Followed your guide. When trying to sign into portainer getting "Failure
Unauthorized".. tried creating user in portainer and also with Automatic user provisioning = ON. Nginx proxy configured to forward to my docker containers.
I haven't tested with nginx but there's no reason it shouldn't work. Double check all of the OIDC settings. Make sure to check scope and profile.
Great job ! Do you run Keycloak inside proxmox on a vm(running docker) or ct, or outside proxmox ?
Cause if it’s hosted on proxmox and keycloak is not running, how do you log in to Proxmox using auth ?
api's connect differently than regular users.
You can always fall back to standard PAM login (the default). I'm currently running in Kubernetes so it helps with this problem.
Indeed. Thank you for these fantastic videos !
Thanks for the video. Recently, i build the yml file, but it says external proxy network doesn't exist. What can do here?
It expects Traefik to be available on a network called proxy. You can use a different proxy if you like.
Hey, I replicated your Keycloak setup and it seems that keycloak isn't using the postgres db. For example if you create a new client/realm/anything it doesn't write into the external db, but is instead using the internal h2 db. You can verify that by checking the internal db's under /opt/keycloak/data/h2/keycloakdb.mv.db.
I got it working with the following env variables (Keycloak 22.0.3 and latest) :
- KC_DB=postgres
- KC_DB_URL_HOST=postgresql
- KC_DB_URL_PORT=5432 #also exposing ports of the postgres db - might be optional
- KC_DB_URL_DATABASE=keycloak
- KC_DB_SCHEMA=public
With the working external db you won't lose data with commands like "docker compose down".
BTW Thank you for your great content. It helps a lot. :)
Great video!
Does Keycloak support SCIM 2.0?
Not natively (I don't think), but there's third party support github.com/Captain-P-Goldfish/scim-for-keycloak
how would you enable am existing logon "bind" to a yubikey with an x.509 cert
?
Good question, I don't know. It's certainly something I want to look into though.
I'm guessing that would fall under setting up WebAuthn in keycloak, it's usually what is used for fingerprint scanners and hardware keys for authentication
could you explain how OAuth work with immich?
thanks!!
Check here: immich.app/docs/administration/oauth/ it should be very similar to my Portainer example
Could you do review on sandfly security? It had free license for 50 linux device and i think it's good for homelab linux
Thanks, I'll take a look at it.
Not quite grasping from your compose file how traefik is managing SSL certificates.
Check my Traefik video out, that should explain things. Videos are kind of in order.
@@Jims-Garage Oh great. I didn’t even think to check, probably because I’m so burnt out trying to get keycloak to work
Where did you get the endpoints from
They're in the official documentation (if you're referring to keycloak).
How did keycloak know that was Jim that was logging in for the first time you logged in your applications ?
Do you have a timestamp? Likely because I'm already logged into keycloak with that account.
Do you have a timestamp? Likely because I'm already logged into keycloak with that account.
@@Jims-Garage Got it. You were logged with admin account so you already had a validade token. Otherwise you would get the keycloak loggin page. Correct?
@@fabiano9714 yes, that's correct
To say that it's a tricky container is an understatement. Why can't it just start and throw any errors in the browser ? Instead you have to try like 100 different options, some of which work in "start" mode, some in "start-devel" mode, some require setting up some https certificates even if you want it to just sit behind traefik, etc. You have to inspect all the logs using docker / podman logs keycloak-server (or whatever your container is) and try to sort out the cryptic messages. And it's not even clear if the first time you have to spin up a custom container to "build" and create the required tables in the database. I wish it would just work 🙃. Authentik wasn't easy to set up, but keycloak is like 100 times worse so far. I keep getting "Bad Gateway" Error messages ...
If it helps, I Authentik in my lab. It's the best choice IMO as it supports non-oauth apps.
@@Jims-GarageI'm still figuring out how to use it and for what I need it. Probably stupid misunderstandings on my part, but I'd just like 2FA with my Home Assistant using TOTP from Aegis app on my phone. And on my VPS I wanted to use Authentik + Netbird, since Tailscale/Headscale doesn't resolve DNS on Android (and tailscale "community" isn't interested in helping with Headscale) and I'm running into weird bugs with Zerotier/Headscale and Podman (there is some issues building/combining/reusing Docker/Podman "blobs"). All this convoluted trouble just because Home Assistant Companion App doesn't like custom Certificates so I need Letsencrypted signed Certificates and my Domain Name 😅. At least Netbird cloud DNS Resolution seems to work on android (not sure if it's that or the fact that the records correctly propagate to the root DNS Servers though).
nice. can you use this in/with Cloudflare Tunnels as the auth mechanism? I know Cloudflare Tunnels has some risk, but if you can get passed the fact they have sight into the data. For a lot of things in the lab it should be permissible.
Secondly, I have 1 or 2 "production" workloads I need to move to my NAS server as that's the only server likely stay alive any given moment. After that I plan to nuke the lab and start over. Not sure if I will be on 3 nodes of Proxmox or if I want to tackle Harvester. Either way where should I start?
Cloudflare, Keycloak, Traefik? you know outside-in, auth, and routing then spin up services to tinker with? Trying to come up with a bit of a ground zero run book of creating the lab, do A, B, C, then whatever tickets your fancy.
I don't know if it can be used with Cloudflare Tunnels. Essentially if the app uses OAuth2 it should be possible.
I would play with harvester but I don't recommend it for a Homelab, it's too heavy. A Proxmox cluster is the right balance IMO.
For general homelab Auth I recommend Authentik. It does everything that keycloak does plus it supports Auth proxy as many homelab apps don't use OAuth2
@@Jims-Garage yeah I started with Harvester maybe a little over a year ago when I only had one node. I liked how you can run rancher on harvester to control then Kube and VM within Harvester.
Maybe I'll stick with Proxmox though. I don't know.
@@JohnWeland it's definitely a great tool to learn and if it works for you then use it.
@@Jims-Garage yeah I have very little "need" if I am being honest. Just a couple of services that I "need" to keep alive. Now that I have my third node in the post... I don't know what Want to do with the "lab" portion of my home lab.
I'm a cloud architect/engineer. And I feel that less and less of the lab is translating over to my career. Most of my day is spent in CDK building things in AWS. I'll have to do some re-evaluating. Maybe I trade out my dell r620s for a handful of Raspberry Pi XD.
could we just use keycloak like Authelia or Authentik? it look great an the idea begin its just Awesome!! mora of Keycloak please.
It's great for oidc/OAuth2, but doesn't have a proxy like Authentik. IMO Authentik is the best choice for a homelab.
Casdoor is another modern open source solution for IAM
Thanks, I'll take a look
Key cloak feels kinda old and casdoor seems to be the new kid on the block. The UI is definitely prettier 😍
@@SatinderSingh71 check out my Zitadel video. That's pretty awesome and new as well
Any plans on casdoor video? Great video on zitadel too
@@SatinderSingh71 I do plan to come back to it in the future (not sure when)
SSO is fine, but what if someone gets access to my desktop?
Agreed, it's a convenience Vs security trade-off. Best thing is SSO with multifactor authentication.
Slow down Jimbo. Video almost every day?
Sorry 😂
I wont complain because im loving the content. Just dont burn out.
I was saying to my partner today, about how good the channel was, but hoped Jim remembered he had a family because of the amount of video's he's been outputting.😀
@@try-that most of these videos are filmed between 10pm and 2am! Always family first!
@@Jims-Garage If only I could do that sort day now, old age has caught up with me🥱
british ai kurwa
Unfortunately you dove to much into the practical side of this in my opinion or you should update the description to clarify that you just want to configure and deploy keycloak. I am missing a lot of theoretical explanation of the internals of the things you configure and why..
Thanks, I appreciate the feedback. I think the description is accurate as it states it's deployment and configuration, and in the video I state that I'm only scratching the surface. It's difficult to cover everything in all videos as I've already covered elements of SSO, OAuth in Authelia (and subsequently Zitadel). I will be coming back to Keycloak in the future.
Agree, if you would explain all protocols and details, it would be a 12h video nobody would watch. Its better to focus on Keycloak, and maybe a different video on how modern auth methods work. Just my 2 cents
From the github docker-compose.yaml - Keycloak doesn't connect to Postgres - Issue raised on github -
Service refences postgresql but KC_DB_URL_HOST=postgres
Try adding the port. postgres:port
@@Jims-Garage As in
postgresql:
expose:
- 5432
I'd tried that
My Keycloak Vars:
environment:
- KC_PROXY_ADDRESS_FORWARDING=true
- KC_HOSTNAME_STRICT=false
- KC_HOSTNAME=keycloak.####.####
- KC_PROXY=edge
- KC_HTTP_ENABLED=true
- KC_DB=postgres
- KC_DB_USERNAME=keycloak
- KC_DB_PASSWORD=SUPERsecret
- KC_DB_URL_HOST=postgresql
- KC_DB_URL_PORT=5432
- KC_DB_URL_DATABASE=keycloak
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=password
- KC_DB_URL_HOST=postgresql