Upgraded nginx-keycloak

flavienbwk · Sep 21, 2024 · 7062c82 · 7062c82
1 parent 419e319
commit 7062c82
Show file tree

Hide file tree

Showing 9 changed files with 247 additions and 45 deletions.
diff --git a/.github/workflows/linux-build.yml b/.github/workflows/linux-build.yml
@@ -5,8 +5,8 @@ on: [push]
 jobs:
 
   build-linux:
-    name: Ubuntu 20.04 build of nginx-keycloak
-    runs-on: ubuntu-20.04
+    name: Ubuntu 22.04 build of nginx-keycloak
+    runs-on: ubuntu-22.04
 
     steps:
 

diff --git a/.github/workflows/test-keycloak-setup.yml b/.github/workflows/test-keycloak-setup.yml
@@ -0,0 +1,31 @@
+name: Test Keycloak configuration
+
+on: [push]
+
+jobs:
+
+  test-keycloak-setup:
+    name: Ubuntu 22.04 test of nginx-keycloak
+    runs-on: ubuntu-22.04
+
+    steps:
+
+      - name: Check Out Repo 
+        uses: actions/checkout@v2
+
+      - name: docker compose build
+        run: |
+          docker compose build
+            
+      - name: docker compose start
+        run: |
+          docker compose up -d keycloak
+            
+      - name: Setup nginx-keycloak
+        run: |
+          cp .env.example .env
+          bash ./scripts/configure-keycloak.sh
+            
+      - name: docker compose down
+        run: |
+          docker compose down
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM openresty/openresty:1.19.9.1-5-alpine-fat
+FROM openresty/openresty:1.25.3.2-0-alpine-fat
 
 RUN mkdir /var/log/nginx
 

diff --git a/README.md b/README.md
@@ -17,7 +17,7 @@ Setting NGINX as a reverse proxy with Keycloak SSO in front of your web applicat
 2. Start Keycloak
 
     ```bash
-    docker-compose up -d keycloak
+    docker compose up -d keycloak
     ```
 
 3. Go to `http://localhost:3333` and login with your credentials
@@ -32,14 +32,16 @@ Setting NGINX as a reverse proxy with Keycloak SSO in front of your web applicat
 
 5. Go to ["Users"](http://localhost:3333/auth/admin/master/console/#/realms/master/users) in the sidebar and create one. Edit its password in the "Credentials" tab.
 
+6. (optional) Edit max token lifespan going to "Realm settings" > "SSO Session Max" and set the desired time before the user token expires.
+
 ### Simple user authentication
 
 With this method, being a registered user is sufficient to access your apps.
 
 If you choose this method, you're already set. Just run :
 
 ```bash
-docker-compose up -d nginx app_1
+docker compose up -d nginx app_1
 ```
 
 You can now visit `http://localhost:3002` to validate the configuration.
@@ -61,14 +63,14 @@ Now we want to attribute this role to our user.
 3. Go to the "Role Mappings" tab
 4. Select the "Client Roles" `NginxApps` and assign the `NginxApps-App1` role by selecting it and clicking "Add selected"
 
-In our [docker-compose](./docker-compose.yml) configuration, edit the NGINX configuration mount point to be `./nginx-roles.conf.template` instead of `./nginx.conf.template`.
+In our [docker compose](./docker compose.yml) configuration, edit the NGINX configuration mount point to be `./nginx-roles.conf.template` instead of `./nginx.conf.template`.
 
 :information_source: If you want to name your role differently, you can edit the expected name in `./nginx-roles.conf.template` in the `contains(client_roles, "NginxApps-App1")` line.
 
 Start NGINX and the app :
 
 ```bash
-docker-compose up -d nginx app_1
+docker compose up -d nginx app_1
 ```
 
 You can now visit `http://localhost:3002` to validate the configuration.

diff --git a/cookie_jar.txt b/cookie_jar.txt
@@ -0,0 +1,8 @@
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+#HttpOnly_localhost	FALSE	/realms/master/	TRUE	0	KC_RESTART	eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..dBgRgaKKyNMVCMGFPpHOKw.-rAnRL3RiINe9u8yOY_tewSdmOrgeDJ9MMTQba-u__eZfd7S1eLa812ftjOcu6gBB5AQJCr1LJeYkR2NSZn0Cq0QRPYmeG9uOs7AfEF_29hdrZBbi2uYNopZ3yeD169hJh8bRh5FWHEB6z1hP99kBFGz4GflFFa4OJ5c7D82U98SMXdMSxGOF88HbCUL0xoTtDvktiYrgKJ4IYsgHP3bhmLPbsZ3gvx-y7j1A55o025cNb0mUNoeE2CmZpzG9-gwgt-WweAHZc_CVWintbTLMvDbMgBwcNYaMEZWOflF82naqGO3QtpBNBTnLO3pRksKN_z7OxKWT09MBZ-4-bsgOOk13_eseiMEUflpVwcZxgYjUNcMgbTkcU3JbqKqCQ2m9nM9YRe79rmClTJ4oumyX3VsJIaHTxTN6z7NbHvCFUCBNNWEIFJ6Os_G7waor_xQKG0MdTwkTdlEn2aey3sSRKEFcy6GpWD5BHhaRO96LcVVsFaGF0oisROAG4tLmeBjDjcEpBFxvwOJXn7tDMtmC6zNo0GQMPXc_Ex-MiJ7spRtU-E6fOgF-zk7hQl1tCbbPnVVIE6kfRdrfcZwxiWUm5oWnrwfxRHTuYQ92ngrCx8lOsbRi3Ea6NcmN5TjI5a0_fV-iZ_YBi8dF7JoG1dTALHffwBc8xMZw7jv4NgRXNR8R2sXLDQiM8KkBIGC0S9smGcrod2nE_eelwYnn9s-IMdQjhfRD4PcmuX4dZZHU9sWn1YaifYuP1h60X43URl5UOYc9BBj7wKXopr3wWeRr1rlXrAAVsvnWzlbhmGRCimW4RawILjYLf3FzCphGWOXQFOl-gKGQLNyATtz2aT3tGUGEGr1-bO2yQv6BG32-QA.p1N7sYNcLKaldaAcIqHqrg
+#HttpOnly_localhost	FALSE	/realms/master/	FALSE	0	AUTH_SESSION_ID_LEGACY	8f53a730-11a7-49e7-ac00-b97a2389c5a9
+#HttpOnly_localhost	FALSE	/realms/master/	TRUE	0	AUTH_SESSION_ID	8f53a730-11a7-49e7-ac00-b97a2389c5a9
+#HttpOnly_localhost	FALSE	/	FALSE	0	session	AQAA-EdVit5SDR0yxl5IjOwXOvJPqHCbTvB1zdDIiX59nHu3P-9mAGkAAADMAAAYGagw9j3H6XfVNrkBe5QMAAAA10YyRVVmAN8VDnJBBikZPQ1Q7TsqQxTeRUGEtqPkKVxJHSPxMseaCdJgbTybyMf9DP39QVcHc5RgpDOgH9IMHraJgowieahiiC9bKP1tfDjGJHuH_6PmgK0yEe9qwmKlPkqy6zPiiLIAg20RvSrADTkpkBdKRdU-epg4JyAvnpQIAxP-EnB74xvtHMn_wkMelLy47ILqtlFem3DZkxTX0dnI8w66yL4s7k
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,53 +1,68 @@
-version: "3"
-
 services:
 
+    app_1:
+        # This is the demo app we want to provide behind authentication
+        image: nginx:1.27.1
+        depends_on:
+            - nginx
+
     nginx:
         build: .
-        image: ghcr.io/flavienbwk/nginx-keycloak/nginx-sso:20220304
+        image: ghcr.io/flavienbwk/nginx-keycloak/nginx-sso:20240921
         # Following command auto-replaces env variables in NGINX configuration
         command: /bin/bash -c "envsubst < /etc/nginx/conf.d/nginx.conf.template > /etc/nginx/conf.d/default.conf && /usr/local/openresty/nginx/sbin/nginx -g 'daemon off;'" 
         ports:
             - 3002:3002
         volumes: 
             - ./logs:/var/log/nginx
             - ./nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template
+            #- ./nginx-roles.conf.template:/etc/nginx/conf.d/nginx.conf.template
         environment:
             KEYCLOAK_INTERNAL_ENDPOINT: ${KEYCLOAK_INTERNAL_ENDPOINT}
             KEYCLOAK_EXTERNAL_ENDPOINT: ${KEYCLOAK_EXTERNAL_ENDPOINT}
             KEYCLOAK_LOGOUT_REDIRECT_URI: ${KEYCLOAK_LOGOUT_REDIRECT_URI}
             KEYCLOAK_REALM: ${KEYCLOAK_REALM}
             KEYCLOAK_CLIENT: ${KEYCLOAK_CLIENT}
             KEYCLOAK_SECRET: ${KEYCLOAK_SECRET}
+        depends_on:
+            keycloak:
+                condition: service_healthy
 
     postgres:
-        image: postgres:12
+        image: postgres:15
         volumes:
             - postgres_data:/var/lib/postgresql/data
         environment: 
             POSTGRES_DB: ${POSTGRES_DB}
             POSTGRES_USER: ${POSTGRES_USER}
             POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+        healthcheck:
+            test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+            interval: 10s
+            timeout: 5s
+            retries: 5
 
     keycloak:
-        image: jboss/keycloak:15.1.1
+        image: keycloak/keycloak:25.0.6
+        command: start-dev
         environment:
-            DB_VENDOR: POSTGRES
-            DB_ADDR: postgres
-            DB_DATABASE: ${POSTGRES_DB}
-            DB_USER: ${POSTGRES_USER}
-            DB_SCHEMA: public
-            DB_PASSWORD: ${POSTGRES_PASSWORD}
-            KEYCLOAK_USER: ${KEYCLOAK_USER}
-            KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
-            KEYCLOAK_FRONTEND_URL: ${KEYCLOAK_EXTERNAL_ENDPOINT}/auth
+            KC_DB: postgres
+            KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
+            KC_DB_USERNAME: ${POSTGRES_USER}
+            KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
+            KC_HEALTH_ENABLED: true
+            KEYCLOAK_ADMIN: ${KEYCLOAK_USER}
+            KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_PASSWORD}
         ports:
             - 3333:8080
+        healthcheck:
+            test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/9000;echo -e \"GET /health/ready HTTP/1.1\r\nhost: http://localhost\r\nConnection: close\r\n\r\n\" >&3;grep \"HTTP/1.1 200 OK\" <&3"]
+            interval: 10s
+            timeout: 5s
+            retries: 5
         depends_on:
-            - postgres
-
-    app_1:
-        image: nginx:1.21.6
+            postgres:
+                condition: service_healthy
 
 volumes:
     postgres_data:
diff --git a/nginx-roles.conf.template b/nginx-roles.conf.template
@@ -38,22 +38,22 @@ server {
             redirect_uri = "/redirect_uri",
             accept_none_alg = false,
             renew_access_token_on_expiry = true,
-            discovery = { -- Overwriting auto-discovery [parameters](http://localhost:3333/auth/realms/master/.well-known/openid-configuration)
-                issuer = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}",
-                authorization_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth",
+            discovery = { -- Overwriting auto-discovery [parameters](http://localhost:3333/realms/master/.well-known/openid-configuration)
+                issuer = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}",
+                authorization_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth",
                 id_token_signing_alg_values_supported = { "RS256", "RS384", "RS512" },
                 token_signing_alg_values_expected = { "RS256", "RS384", "RS512" },
-                token_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token",
-                jwks_uri = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs",
-                userinfo_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo",
-                revocation_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/revoke",
-                end_session_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout",
-                introspection_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token/introspect",
+                token_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token",
+                jwks_uri = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs",
+                userinfo_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo",
+                revocation_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/revoke",
+                end_session_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout",
+                introspection_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token/introspect",
             },            client_id = "${KEYCLOAK_CLIENT}",
             token_endpoint_auth_method = "client_secret_basic", -- Recommended over [client_secret_post](https://stackoverflow.com/a/55040462/4958081)
             client_secret = "${KEYCLOAK_SECRET}",
             logout_path = "/logout",
-            redirect_after_logout_uri = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout?redirect_uri=${KEYCLOAK_LOGOUT_REDIRECT_URI}",
+            redirect_after_logout_uri = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout?redirect_uri=${KEYCLOAK_LOGOUT_REDIRECT_URI}",
             redirect_after_logout_with_id_token_hint = false,
             scope = "openid",
             session_contents = {id_token=true, access_token=true}

diff --git a/nginx.conf.template b/nginx.conf.template
@@ -31,23 +31,23 @@ server {
             redirect_uri = "/redirect_uri",
             accept_none_alg = false,
             renew_access_token_on_expiry = true,
-            discovery = { -- Overwriting auto-discovery [parameters](http://localhost:3333/auth/realms/master/.well-known/openid-configuration)
-                issuer = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}",
-                authorization_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth",
+            discovery = { -- Overwriting auto-discovery [parameters](http://localhost:3333/realms/master/.well-known/openid-configuration)
+                issuer = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}",
+                authorization_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth",
                 id_token_signing_alg_values_supported = { "RS256", "RS384", "RS512" },
                 token_signing_alg_values_expected = { "RS256", "RS384", "RS512" },
-                token_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token",
-                jwks_uri = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs",
-                userinfo_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo",
-                revocation_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/revoke",
-                end_session_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout",
-                introspection_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token/introspect",
+                token_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token",
+                jwks_uri = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs",
+                userinfo_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/userinfo",
+                revocation_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/revoke",
+                end_session_endpoint = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout",
+                introspection_endpoint = "${KEYCLOAK_INTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token/introspect",
             },
             token_endpoint_auth_method = "client_secret_basic", -- Recommended over [client_secret_post](https://stackoverflow.com/a/55040462/4958081)
             client_id = "${KEYCLOAK_CLIENT}",
             client_secret = "${KEYCLOAK_SECRET}",
             logout_path = "/logout",
-            redirect_after_logout_uri = "${KEYCLOAK_EXTERNAL_ENDPOINT}/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout?redirect_uri=${KEYCLOAK_LOGOUT_REDIRECT_URI}",
+            redirect_after_logout_uri = "${KEYCLOAK_EXTERNAL_ENDPOINT}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/logout?redirect_uri=${KEYCLOAK_LOGOUT_REDIRECT_URI}",
             redirect_after_logout_with_id_token_hint = false,
             scope = "openid",
             session_contents = {id_token=true}