From fb46b475d2ad835fcbaebce4f235bfd2e595d98e Mon Sep 17 00:00:00 2001 From: amandilaras Date: Wed, 21 Aug 2024 16:23:41 +0300 Subject: [PATCH] add keycloak initialization documentation --- .../keycloak_initialization.md | 379 ++++++++++++++++++ 1 file changed, 379 insertions(+) create mode 100644 docs/docs/documentation/getting-started/keycloak_initialization.md diff --git a/docs/docs/documentation/getting-started/keycloak_initialization.md b/docs/docs/documentation/getting-started/keycloak_initialization.md new file mode 100644 index 000000000..e5124fc69 --- /dev/null +++ b/docs/docs/documentation/getting-started/keycloak_initialization.md @@ -0,0 +1,379 @@ +--- +sidebar_position: 1 +description: A brief introduction to the platform features +--- + +# Introduction +This Section shows the steps required to initialize the Keycloak Instance in order to work correctly with the Application. This tutorial assumes that keycloak has already been deployed and is up and running. + +# Keycloak Setup +If keycloak is up and ready then you can start the initialization: +1. Login as Admin +2. Create Argos Realm (if doesn't already exist) +3. Enter that Realm + +## 1) Create Clients + +#### Web Client (dmp_web) +1. Create New Client +2. General Settings: + 1. Client ID: **dmp_web** + 2. Name: **dmp_web** + 3. Front channel logout: **Off** +3. Capability config: + 1. Client Authentication: **On** + 2. Authorization: **Off** + 3. Standard flow: **off** + 4. Direct access grants: **On** + 5. Service accounts roles: **On** +4. Logout settings: + 1. Front channel logout: **On** +5. Roles: + 1. Create the roles "Admin", "User", "InstallationAdmin" + +#### Annotation Client (dmp_annotation) +1. Create New Client +2. General Settings: + 1. Client ID: **dmp_annotation** + 2. Name: **dmp_annotation** + 3. Front channel logout: **Off** +3. Capability config: + 1. Client Authentication: **On** + 2. Authorization: **Off** + 3. Standard flow: **off** + 4. Direct access grants: **On** + 5. Service accounts roles: **On** +4. Logout settings: + 1. Front channel logout: **Off** +5. Roles: + 1. Create the roles "Admin", "User" + +#### Notification Client (dmp_notification) +1. Create New Client +2. General Settings: + 1. Client ID: **dmp_web** + 2. Name: **dmp_web** + 3. Front channel logout: **Off** +3. Capability config: + 1. Client Authentication: **On** + 2. Authorization: **Off** + 3. Standard flow: **off** + 4. Direct access grants: **On** + 5. Service accounts roles: **On** +4. Logout settings: + 1. Front channel logout: **On** +5. Roles: + 1. Create the roles "Admin", "User" + +#### Plugin Client (dmp_plugins) +1. Create New Client +2. General Settings: + 1. Client ID: **dmp_web** + 2. Name: **dmp_web** + 3. Front channel logout: **Off** +3. Capability config: + 1. Client Authentication: **On** + 2. Authorization: **Off** + 3. Standard flow: **off** + 4. Direct access grants: **On** + 5. Service accounts roles: **On** +4. Logout settings: + 1. Front channel logout: **On** +5. Roles: + 1. Create the role "app-service" + +#### Webapp Client (dmp_webapp) +1. Create New Client +2. General Settings: + 1. Client ID: **dmp_web** + 2. Name: **dmp_web** + 3. Front channel logout: **Off** +3. Access settings: + 1. Root URL: https://{APP_URL}/home + 2. Home URL: https://{APP_URL}/home + 3. Valid redirect URIs: https://{APP_URL}/* + 4. Web Origins: https://{APP_URL} +4. Capability config: + 1. Client Authentication: **Off** + 2. Authorization: **Off** + 3. Standard flow: **on** + 4. Direct access grants: **Off** + 5. Service accounts roles: **Off** +5. Logout settings: + 1. Front channel logout: **On** + + +## 2) Create Realm Roles +1. Create Admin Role (Admin) +2. Create User Role (User) + +## 3) Create Client Scopes + +#### Web Scope (dmp_web) +1. Settings: + 1. Name: **dmp_web** + 2. Type: **None** + 3. Protocol: **OpenID Connect** + 4. Display on consent screen: **On** + 5. include in token scope: **Off** +2. Mappers: + 1. "Configure a new mapper" + 1. Pick "**Audience**": + 1. Name: **Client Id Audience** + 2. Included Client Audience: **dmp_web** + 3. Add to ID token: **Off** + 4. Add to access token: **On** + 5. Add to lightweight access token: **Off** + 6. Add to token introspection: **On** +3. Scope: + 1. "Assign role" + 2. Filter by realm roles. + 3. Assign role "Admin" and "User" (those are the ones we created on the "Realm roles" section) + +#### Annotation Scope (dmp_annotation) +1. Settings: + 1. Name: **dmp_annotation** + 2. Type: **None** + 3. Protocol: **OpenID Connect** + 4. Display on consent screen: **On** + 5. include in token scope: **Off** +2. Mappers: + 1. "Configure a new mapper" + 1. Pick "**Audience**": + 1. Name: **Client Id Audience** + 2. Included Client Audience: **dmp_annotation** + 3. Add to ID token: **Off** + 4. Add to access token: **On** + 5. Add to lightweight access token: **Off** + 6. Add to token introspection: **On** +3. Scope: + 1. "Assign role" + 2. Filter by realm roles. + 3. Assign role "Admin" and "User" (those are the ones we created on the "Realm roles" section) + +#### Notification Scope (dmp_notification) +1. Settings: + 1. Name: **dmp_notification** + 2. Type: **None** + 3. Protocol: **OpenID Connect** + 4. Display on consent screen: **On** + 5. include in token scope: **Off** +2. Mappers: + 1. "Configure a new mapper" + 1. Pick "**Audience**": + 1. Name: **Client Id Audience** + 2. Included Client Audience: **dmp_notification** + 3. Add to ID token: **Off** + 4. Add to access token: **On** + 5. Add to lightweight access token: **Off** + 6. Add to token introspection: **On** +3. Scope: + 1. "Assign role" + 2. Filter by realm roles. + 3. Assign role "Admin" and "User" (those are the ones we created on the "Realm roles" section) + +#### Plugin Scope (dmp_plugins) +1. Settings: + 1. Name: **dmp_plugins** + 2. Type: **None** + 3. Protocol: **OpenID Connect** + 4. Display on consent screen: **On** + 5. include in token scope: **Off** +2. Mappers: + 1. "Configure a new mapper" + 1. Pick "**Audience**": + 1. Name: **Client Id Audience** + 2. Included Client Audience: **dmp_plugins** + 3. Add to ID token: **Off** + 4. Add to access token: **On** + 5. Add to lightweight access token: **Off** + 6. Add to token introspection: **On** + +#### ID Scope (identity_provider) +1. Settings: + 1. Name: **identity_provider** + 2. Type: **None** + 3. Protocol: **OpenID Connect** + 4. Display on consent screen: **On** + 5. include in token scope: **On** +2. Mappers: + 1. "Configure a new mapper" + 1. Pick "**User Session Note**": + 1. Name: **identity_provider** + 2. User Session Note: **identity_provider** + 3. Token Claim Name: **identity_provider** + 4. Claim JSON Type: **String** + 5. Add to ID token: **On** + 6. Add to access token: **On** + 7. Add to lightweight access token: **Off** + 8. Add to userinfo: **On** + 9. Add to access token response: **On** + 10. Add to token introspection: **On** + +#### Tenant Scope (tenant_role) +1. Settings: + 1. Name: **tenant_role** + 2. Type: **Optional** + 3. Protocol: **OpenID Connect** + 4. Display on consent screen: **On** + 5. include in token scope: **On** +2. Mappers: + 1. "Configure a new mapper" + 1. Pick "**User Attribute**" + 1. Name: **Tenant role** + 2. User Attribute: **tenant_role** + 3. Token Claim Name: **tenant_role** + 4. Claim JSON Type: **String** + 5. Add to ID token: **On** + 6. Add to access token: **On** + 7. Add to lightweight access token: **Off** + 8. Add to userinfo: **On** + 9. Add to token introspection: **On** + 10. Multivalued: **On** + 11. Aggregate attribute values: **On** + +## 4) Finalize Clients +1. Choose clients again + +#### dmp_web +1. Choose the **dmp_web** client +2. Client scopes: + 1. add **dmp_plugins** as "**Optional**" + +#### dmp_webapp +1. Choose the **dmp_webapp** Client +2. Client scopes: + 1. add **dmp_web** as "**Optional**" + 2. add **dmp_notification** as "**Optional**" + 3. add **dmp_annotation** as "**Optional**" + 4. add **identity_provider** as "**Default**" + 5. add **tenant_role** as "**Default**" + +## 5) Create Groups + +- **opencdmp-app** + - **role-admin** + - Role Mapping: Assign role (search "Admin" to find them easily) + - dmp_annotation - Admin + - dmp_notification - Admin + - dmp_web - Admin + - **role-installation-admin** + - Role Mapping: Assign role (search "dmp" to find them easily) + - dmp_web InstallationAdmin + - dmp_web User + - dmp_notification User + - **role-user** + - Role Mapping: Assign role (search "User" to find them easily) + - dmp_annotation User + - dmp_notification User + - dmp_web User + - **tenant-config-manager** + - **tenant-default** + - Attributes: + - tenant_role | TenantConfigManager:default + - **tenant-plan-manager** + - **tenant-default** + - Attributes: + - tenant_role | TenantPlanManager:default + - **tenant-role-admin** + - **tenant-default** + - Attributes: + - tenant_role | TenantAdmin:default + - **tenant-role-user** + - **tenant-default** + - Attributes: + - tenant_role | TenantUser:default + +## 6) Create Users +- We will be creating an admin user and a user that will be used for the API in order to authenticate and authorize the users that log in to the Application. + +#### Admin User +1. Create User: + 1. Email Verified: On + 2. Username: argos-admin + 3. Email: {ADMIN_EMAIL} (ex. argos@admin.gr) + 4. firstName: Argos + 5. lastName: Admin +2. Credentials: + 1. Set a Password for this user with **Temporary: Off** +3. Role mapping: + 1. Assign the role **realm-management realm-admin** (search realm-admin to find it easily) +4. Groups: + 1. Assign the Groups: + - /opendmp-app/role-admin + - /opendmp-app/role-user + - /opendmp-app/tenant-role-admin/tenant-default + - /opendmp-app/tenant-role-user/tenant-default + + +#### API User +1. Create User: + 1. Email Verified: On + 2. Username: dmp-keycloak-api + 3. Email: {API_EMAIL} (ex. dmp-keycloak-api@gmail.com) + 4. firstName: dmp + 5. lastName: keycloak +2. Credentials: + 1. Set a Password for this user with **Temporary: Off** +3. Role mapping: + 1. Assign the role **realm-management realm-admin** (search realm-admin to find it easily) +4. Groups: + 1. Assign the Groups: + - /opendmp-app/role-user + - /opendmp-app/tenant-role-user/tenant-default + +## 7) Realm Settings + +#### Login: +1. Enable the "Verify Email" option + +#### Email: +1. On the Template->From text box add the email that will be used by the application to send emails. (ex. no-reply@openaire.eu) +2. On the "Connection & Authentication" section add the required information for the email server used for the application. Then save and Test connection. + +#### User registration: +1. Add the groups "tenant-default" and "role-user". The paths should be " /opendmp-app/tenant-role-user/tenant-default" and "/opendmp-app/role-user" respectively. This will be the default roles for every new user that gets created. + +## 8) Identity Providers: +1. Google IDP: + 1. On the Settings section add the required creds: + 1. Redirect URI: https://{KEYCLOAK_URL}/realms/{REALM_NAME}/broker/google/endpoint + 2. Client ID: {GOOGLE_CLIENT_ID} + 3. Client Secret: {GOOGLE_CLIENT_SECRET} + 2. After Creating the IDP, on the Mappers section add a mapper: + 1. Name: **identity_provider** + 2. Sync mode override: **Force** + 3. Mapper type: **Hardcoded User Session Attribute** + 4. User Session Attribute: **identity_provider** + 5. User Session Attribute Value **google** +2. OpenAIRE AAI Beta or ({IDP_NAME}): + 1. Create a "Keycloak OpenID Connect" type IDP + 2. Redirect URI: https://{KEYCLOAK_URL}/realms/{REALM_NAME}/broker/{ALIAS_NAME}/endpoint + 3. Alias: {ALIAS_NAME} + 4. Display name: {IDP_NAME} + 5. Use discovery endpoint: **Off** + 6. Authorization URL: https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/auth + 7. Token URL: https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/token + 8. Logout URL: https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/logout + 9. User Info URL: https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/userinfo + 10. Issuer: https://beta.aai.openaire.eu/auth/realms/openaire + 11. Validate Signatures: **On** + 12. Use JWKS URL: **On** + 13. JWKS URL: https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/certs + 14. Use PKCE: **Off** + 15. Client authentication: **Client secret sent as post** + 16. Client ID: {CLIENT_ID} + 17. Client Secret: {CLIENT_SECRET} + 18. Client assertion signature algorithm: **Algorithm not specified** + 19. Store tokens: **Off** + 20. Stored tokens readable: **Off** + 21. Access Token is JWT: **Off** + 22. Trust Email: **Off** + 23. Account linking only: **Off** + 24. Hide on login page: **Off** + 25. Verify essential claim: **Off** + 26. First login flow override **first broker login** + 27. Post login flow: **None** + 28. Sync mode: **Import** + +