Integrating oCIS With Keycloak

amrita_shrestha_d8cbc9b06

Amrita Shrestha

Posted on August 20, 2024

Integrating oCIS With Keycloak

In the previous blog, we explored the general functionality of Keycloak.
In this blog, I demonstrate how we can integrate oCIS(file-sync and share platform) with Keycloak using the Keycloak WebUI.
This benefits anyone who is interested in getting hands-on experience with Keycloak.

Run Services

Make sure you've installed Docker Engine and Docker Compose.

Before setting up oCIS with Keycloak, it's essential to deploy both oCIS and Keycloak services. I'll describe how to achieve it with docker compose.
oCIS and Keycloak runs behind Traefik as reverse proxy. Traefik generates self-signed certificates for oCIS and Keycloak.

You have to create a csp.yaml file with the following contents:

directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    # In contrast to bash and docker the default is given after the | character
    - 'https://${KEYCLOAK_DOMAIN|host.docker.internal:8443}'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''none'''
  frame-src:
    - '''self'''
    - 'https://embed.diagrams.net/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''
Enter fullscreen mode Exit fullscreen mode

You can either download the docker code from GitHub or utilize the code provided below:

Note: PROXY_CSP_CONFIG_FILE_LOCATION should contain the exact location of a csp.yaml file

services:
  traefik:
    image: traefik:2.11.0
    command:
      [
        "--log.level=ERROR",
        "--api.insecure=true",
        "--api.dashboard=true",
        "--pilot.dashboard=false",
        "--providers.docker=true",
        "--entrypoints.ocis.address=:9200",
        "--entrypoints.keycloak.address=:8443",
        "--providers.docker.exposedbydefault=false",
        "--entrypoints.websecure.http.tls.options=default",
      ]
    ports:
      - 8080:8080
      - 9200:9200
      - 8443:8443
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      traefik.enable: true
      traefik.http.routers.traefik.rule: HostRegexp(`{any:.+}`)
    restart: always

  ocis:
    image: owncloud/ocis:latest # ocis version = v5.0.5
    entrypoint:
      - /bin/sh
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      # Keycloak IDP configuration
      PROXY_AUTOPROVISION_ACCOUNTS: true
      PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
      OCIS_OIDC_ISSUER: https://host.docker.internal:8443/realms/oCIS # ocis is keycloak realm name
      PROXY_OIDC_REWRITE_WELLKNOWN: true
      WEB_OIDC_CLIENT_ID: web
      # general config
      OCIS_URL: https://host.docker.internal:9200
      OCIS_LOG_LEVEL: error
      OCIS_INSECURE: true
      OCIS_ADMIN_USER_ID: ""
      OCIS_EXCLUDE_RUN_SERVICES: idp
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: false
      GRAPH_USERNAME_MATCH: none
      # PROXY
      PROXY_TLS: false
      PROXY_USER_OIDC_CLAIM: preferred_username
      PROXY_USER_CS3_CLAIM: username
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
      KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-host.docker.internal:8443}
    volumes:
      - ./csp.yaml:/etc/ocis/csp.yaml
    extra_hosts:
      - host.docker.internal:host-gateway
    labels:
      traefik.enable: true
      traefik.http.routers.ocis.tls: true
      traefik.http.routers.ocis.rule: PathPrefix(`/`)
      traefik.http.routers.ocis.entrypoints: ocis
      traefik.http.services.ocis.loadbalancer.server.port: 9200

  postgres:
    image: postgres:alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak

  keycloak:
    image: quay.io/keycloak/keycloak:24.0.1
    command: ["start-dev", "--proxy=edge"]
    environment:
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: keycloak
      KC_FEATURES: impersonation
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    extra_hosts:
      - host.docker.internal:host-gateway
    labels:
      traefik.enable: true
      traefik.http.routers.keycloak.tls: true
      traefik.http.routers.keycloak.rule: PathPrefix(`/`)
      traefik.http.routers.keycloak.entrypoints: keycloak
      traefik.http.services.keycloak.loadbalancer.server.port: 8080
    depends_on:
      - postgres

volumes:
  postgres_data:
Enter fullscreen mode Exit fullscreen mode

Save the above code in compose.yaml file locally and run docker command docker compose up in a terminal.

Docker compose serves three services:

  • oCIS on https://host.docker.internal:9200
  • Keycloak on https://host.docker.internal:8443
  • Traefik dashboard on http://host.docker.internal:8080/

Manual Steps For Setting Up oCIS With Keycloak

  1. Go to oCIS url: https://host.docker.internal:9200/ > Note: The oCIS WebUI will not be accessible until Keycloak and oCIS are fully integrated. The discovery endpoint is unavailable, which is why the web interface is inaccessible.

oCIS

  1. Go to Keycloak url: https://host.docker.internal:8443/

Keycloak

  1. Create new realm:

create realm

  • Realm name: oCIS create realm with name `oCIS` > Note: the realm name should be the name provided in the oCIS environment variable: OCIS_OIDC_ISSUER: https://host.docker.internal:8443/realms/oCIS
  1. Add a new client:

client registration

  • Client ID: web

add client

  • Root URL: https://host.docker.internal:9200

add root url

  1. Add realm roles:
  • Role name: ocisAdmin

add realm role

Note: oCIS has defined role names that have been documented under Automatic Quota Assignments. So, we can't create the role with a random name.

  1. Create a new user:
  • With username: admin and other information:

create user
add user information

  • Create password

create password
setup password for user

  • Role Mapping: Assign ocisAdmin role

assign role

assign role to user

  1. Update roles Client scope: Client Scopes -> roles
  • Mappers -> realm roles -> Token Claim Name=roles update-roles > Note: oCIS default role_claim is 'roles'
  1. Go to url https://host.docker.internal:9200/, reload if already opened login to oCIS with Keycloak Enter username: admin and password: admin to log into oCIS

Setting Up oCIS With Keycloak Using JSON Files

Keycloak provides an Importing and Exporting Realms feature. If we have JSON configuration files, then we can avoid manually setting services in Keycloak.
oCIS provides documentation to set up oCIS with Keycloak which uses JSON configuration.
If you want to automate Keycloak integration with oCIS services, then you can use json files.

In this blog post, we've talked about putting Keycloak and oCIS together. We've shown how to set them up using Docker Compose, making sure they work smoothly with Traefik.
We've also given step-by-step instructions on setting up oCIS with Keycloak manually, like making realms, adding clients and roles, and creating users.
For those who like using JSON files, Keycloak lets you do that to set things up more easily.

💖 💪 🙅 🚩
amrita_shrestha_d8cbc9b06
Amrita Shrestha

Posted on August 20, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Integrating oCIS With Keycloak
owncloud Integrating oCIS With Keycloak

August 20, 2024