Changeset View
Changeset View
Standalone View
Standalone View
docs/keycloak/index.rst
- This file was added.
.. _keycloak: | |||||
Keycloak | |||||
======== | |||||
.. contents:: | |||||
:depth: 3 | |||||
.. | |||||
Software Heritage uses `Keycloak <https://www.keycloak.org/>`__, an open | |||||
source identity and access management solution, to identify and | |||||
authenticate users on its services (for instance the Web API). | |||||
Keycloak implements the `OpenID Connect <https://openid.net/connect/>`__ | |||||
specification, a simple identity layer on top of the OAuth 2.0 protocol. | |||||
It allows to get single sign-on (SSO) on various services. | |||||
The base URL to interact with that authentication service is | |||||
https://auth.softwareheritage.org/auth/. | |||||
Introduction | |||||
------------ | |||||
Keycloak defines three important concepts to know about: **Realm**, | |||||
**Clients** and **Roles**. | |||||
* **realm**: It manages a set of users, credentials, roles, and groups. A user belongs | |||||
to and logs into a realm. Realms are isolated from one another and can only manage and | |||||
authenticate the users that they control. | |||||
* **Client**: Entities that can request Keycloak to authenticate a user. Most often, | |||||
clients are applications and services that want to use Keycloak to secure themselves and | |||||
provide a single sign-on solution. Clients can also be entities that just want to | |||||
request identity information or an access token so that they can securely invoke other | |||||
services on the network that are secured by Keycloak. | |||||
* **Role**: It identifies a type or category of users. Applications (e.g. webapp, | |||||
deposit) often assign access and permissions to specific roles rather than individual | |||||
users as dealing with users can be too fine grained and hard to manage. There is a | |||||
global namespace for roles and each client also has its own dedicated namespace where | |||||
roles can be defined. | |||||
.. _software_heritage_realms: | |||||
Software Heritage Realms | |||||
------------------------ | |||||
Two realms are available for Software Heritage: | |||||
- `SoftwareHeritageStaging <https://auth.softwareheritage.org/auth/admin/SoftwareHeritageStaging/console/>`__, | |||||
for testing purposes | |||||
- `SoftwareHeritage <https://auth.softwareheritage.org/auth/admin/SoftwareHeritage/console/>`__, | |||||
for production use | |||||
The links above target the Admin console of each realm from which | |||||
everything can be configured. | |||||
.. _realm_administration: | |||||
Realm administration | |||||
-------------------- | |||||
.. _user_registration: | |||||
User registration | |||||
^^^^^^^^^^^^^^^^^ | |||||
While public user registration is available by clicking on the "Register" link from the | |||||
login page, realm administrators can still manually create a new user by following that | |||||
guide. | |||||
To register and invite a new user in a realm, click on the **Users** menu entry on the | |||||
left part of the admin interface, then click on the **Add user** button on the top right | |||||
part of the users page. | |||||
.. figure:: keycloak_add_user_01.jpg | |||||
:alt: keycloak_add_user_01.jpg | |||||
:width: 1000px | |||||
Click on the Add user button | |||||
Then fill in the form with basic information about the user: username, | |||||
email, first name and last name. | |||||
Save the user and then go to the **Credentials** tab. | |||||
.. figure:: keycloak_add_user_02.jpg | |||||
:alt: keycloak_add_user_02.jpg | |||||
Fill in information on user | |||||
We are now going to send a mail to the user telling him that an account | |||||
has been created for him with a link to verify his email, set his | |||||
password and update its profile if needed. | |||||
Go to **Credential Reset** section and insert the **Verify Email** , **Update Password** | |||||
and **Update Profile** actions into the **Reset Actions** field. Increase the **Expires | |||||
In** value to 24 hours and then click on **Send Mail**. | |||||
.. figure:: keycloak_add_user_03.jpg | |||||
:alt: keycloak_add_user_03.jpg | |||||
:width: 1000px | |||||
Send the invite and reset password email | |||||
The user account will be active once the email verified, the password changed and the | |||||
profile validated. | |||||
.. _setting_user_permissions_for_a_given_client: | |||||
Setting user permissions for a given client | |||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||||
User permissions are defined as client roles in the Keycloak semantics. That guide | |||||
explains how to set client roles for an existing user. | |||||
As an example, we will set the **swh.web.api.throttling_exempted** role associated to | |||||
the **swh-web** client enabling to lift rate limit for the Software Heritage Web API. | |||||
To edit a user, click on the **Users** menu entry on the left part of the admin | |||||
interface, then click on the **View all users** button on the top left part of the users | |||||
page. | |||||
Then select the user you want to set permission and click on the | |||||
**Edit** action. | |||||
.. figure:: keycloak_add_user_permission_01.jpg | |||||
:alt: keycloak_add_user_permission_01.jpg | |||||
:width: 1400px | |||||
List and select user for edition | |||||
Once the user details interface is displayed, click on the **Role Mappings** tab then | |||||
type the name of the client containing the roles to add for the user in the **Client | |||||
roles** combobox and select it. | |||||
The client roles will then be displayed in multiple lists. | |||||
.. figure:: keycloak_add_user_permission_02.jpg | |||||
:alt: keycloak_add_user_permission_02.jpg | |||||
:width: 1400px | |||||
Edit the client role | |||||
To add a client role for the user, select the one of interest in the **Available Roles** | |||||
list and click on the **Add selected** button. | |||||
To remove a client role for the user, select the one of interest in the **Assigned | |||||
Roles** list and click on the **Removed selected** button. | |||||
And that's it, assigned roles can then be found in the JSON Web Tokens generated by | |||||
Keycloak. | |||||
.. figure:: keycloak_add_user_permission_03.jpg | |||||
:alt: keycloak_add_user_permission_03.jpg | |||||
:width: 1400px | |||||
Assign client role | |||||
.. figure:: keycloak_add_user_permission_04.jpg | |||||
:alt: keycloak_add_user_permission_04.jpg | |||||
:width: 1400px | |||||
Client role assigned |