335065cba9
Signed-off-by: Simon Fish <si@mon.fish>
2.1 KiB
Keycloak/Red Hat SSO (self-hosted)
- Sign in to your Keycloak instance at https://keycloak.example.com/auth/admin/master/console
- Navigate to the client management page at https://keycloak.example.com/auth/admin/master/console/#/realms/your-realm/clients (admin permissions required)
- Click Create to create a new client and fill out the registration form. You should set the Root URL to the fully qualified public URL of your CodiMD instance.
- Click Save
- Set the Access Type of the client to `confidential`. This will make your client require a client secret upon authentication.
Additional steps to circumvent a generic OAuth2 issue:
- Select Client Scopes from the sidebar, and create a new one.
- Ensure that the Name is set to `id`.
- Create a new mapper under the Mappers tab. This should reference the User Property `id`. Claim JSON Type should be String and all switches below should be enabled. Save the mapper.
- Go to your client, then choose the Client Scopes tab. Apply the scope you've created. This should mitigate errors as seen in codimd/server#56.
- In the `docker-compose.yml`, add the following environment variables to `app`:

  ```yaml
  environment:
    - CMD_OAUTH2_USER_PROFILE_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/userinfo
    - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
    - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
    - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
    - CMD_OAUTH2_TOKEN_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/token
    - CMD_OAUTH2_AUTHORIZATION_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/auth
    - CMD_OAUTH2_CLIENT_ID=<your client ID>
    - CMD_OAUTH2_CLIENT_SECRET=<your client secret, which you can find under the Credentials tab for your client>
    - CMD_OAUTH2_PROVIDERNAME=Keycloak
    - CMD_DOMAIN=<codimd.example.com>
    - CMD_PROTOCOL_USESSL=true
    - CMD_URL_ADDPORT=false
  ```
- Run `docker-compose up -d` to apply your settings.
- Sign in to your CodiMD using your Keycloak ID
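Before restarting CodiMD, it is worth confirming that the userinfo response Keycloak returns actually carries the claims the `CMD_OAUTH2_*_ATTR` variables map, and that the `id` scope from the workaround above is applied. The following is an added example, not code from CodiMD or Keycloak; it assumes the mapper emits its claim under the name `id` and runs against constructed sample responses rather than a live endpoint.

```python
import json

# Constructed sample: the *_ATTR entries from the compose snippet, in docker-compose "KEY=VALUE" form.
COMPOSE_ENV = [
    "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username",
    "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name",
    "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email",
]

# Constructed sample userinfo payloads: with the `id` client scope applied, and without it.
USERINFO_WITH_ID = json.dumps({
    "sub": "constructed-user-uuid", "id": "constructed-user-uuid",
    "preferred_username": "alice", "name": "Alice Example", "email": "alice@example.com",
})
USERINFO_WITHOUT_ID = json.dumps({
    "sub": "constructed-user-uuid",
    "preferred_username": "alice", "name": "Alice Example", "email": "alice@example.com",
})

ATTR_VARS = (
    "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR",
    "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR",
    "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR",
)


def parse_env(entries):
    """Turn docker-compose 'KEY=VALUE' strings into a dict (value may itself contain '=')."""
    env = {}
    for entry in entries:
        key, _, value = entry.partition("=")
        env[key.strip()] = value
    return env


def check_userinfo(env, userinfo_json):
    """Return the problems CodiMD would hit with this userinfo payload; empty list means OK."""
    claims = json.loads(userinfo_json)
    problems = []
    # CodiMD looks up username, display name and e-mail under the names configured in the *_ATTR vars.
    for var in ATTR_VARS:
        attr = env.get(var)
        if not attr:
            problems.append(f"{var} is not set")
        elif attr not in claims:
            problems.append(f"claim '{attr}' (from {var}) missing from userinfo")
    # The workaround above maps the User Property `id` into the token; assumed claim name: `id`.
    if "id" not in claims:
        problems.append("claim 'id' missing: create the `id` client scope and mapper and apply it to the client")
    elif not isinstance(claims["id"], str):
        problems.append("claim 'id' must use Claim JSON Type String")
    return problems
```

Pointing `json.loads` at the body of a real `GET .../openid-connect/userinfo` call made with a freshly issued access token gives the same check against your own realm.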