Docs: adds keycloak OIDC guide #973
Conversation
✅ Deploy Preview for pomerium-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
| expose: | ||
| - 8000 |
There was a problem hiding this comment.
I think the expose setting isn't necessary here.
| docker compose up | ||
| ``` | ||
|
|
||
| When Keycloak is ready, navigate to `http://0.0.0.0:8080` to access the **Administration Console:** |
There was a problem hiding this comment.
I'm not sure that all browsers will translate 0.0.0.0 to localhost. I'd recommend we specify localhost explicitly here instead.
I think we can also make this into a link?
| When Keycloak is ready, navigate to `http://0.0.0.0:8080` to access the **Administration Console:** | |
| When Keycloak is ready, navigate to [http://localhost:8080](http://localhost:8080) to access the **Administration Console:** |
(and similarly for other occurrences of 0.0.0.0 in this page)
| authenticate_service_url: https://authenticate.localhost.pomerium.io | ||
|
|
||
| idp_provider: oidc | ||
| idp_client_id: 'account' |
There was a problem hiding this comment.
Shouldn't this use the client created in the previous step?
| idp_client_id: 'account' | ||
| idp_provider_url: 'http://keycloak.localhost.pomerium.io:8080/realms/MyRealm' | ||
|
|
||
| signing_key: <generate_key> |
There was a problem hiding this comment.
I wonder if this will confuse some users. Would it be simpler to provide a valid key here instead, along with a warning not to use it in production?
|
|
||
| idp_provider: oidc | ||
| idp_client_id: 'account' | ||
| idp_provider_url: 'http://keycloak.localhost.pomerium.io:8080/realms/MyRealm' |
There was a problem hiding this comment.
I'd recommend we pick one realm name and use it consistently throughout this guide. It looks like the screen recording above uses the realm name 'Pomerium'.
We could update line 93 to read:
In the Realm name field, enter the name "Pomerium"
and this line to read:
idp_provider_url: 'http://keycloak.localhost.pomerium.io:8080/realms/Pomerium'
|
|
||
| Update the client you created: | ||
|
|
||
| 1. Under **General Settings** in the **Name** field, enter your Client ID in template literals (for example, `${mynewclient}`)  |
There was a problem hiding this comment.
I don't understand the ${mynewclient} part here. What does this do?
There was a problem hiding this comment.
It specifies the display name of the client. I tested it without this value and it works fine, but I was getting an invalid client credentials error today after testing again. I had to add the client secret to get it work. I added these steps as well.
* adds first half of guide * adds keycloak and pomerium config steps * adds oidc and keycloak guide * resolves precommit failures * adds more workds to cspell ignore * fixes typo * updates keycloak client steps * updates text * updates cspell * updates client steps * runs prettier
Docs: adds keycloak OIDC guide (#973) * adds first half of guide * adds keycloak and pomerium config steps * adds oidc and keycloak guide * resolves precommit failures * adds more workds to cspell ignore * fixes typo * updates keycloak client steps * updates text * updates cspell * updates client steps * runs prettier Co-authored-by: zachary painter <60552605+ZPain8464@users.noreply.github.com>
Resolves https://github.com/pomerium/internal/issues/1489. Also resolves #866
This PR adds OIDC to the sidebar under
identity provider. It adds an OIDC implementation using Keycloak as the OIDC server.This guide is only compatible with Core at the moment.