Verified Commit 99e7cae1 authored by Jelle van der Waa, committed by Jelle van der Waa

Use a service account for Keycloak auth

parent 8b26c9cc
......@@ -13,3 +13,23 @@ Gluebuddy requires the following environment variables to be set:
* GLUEBUDDY_KEYCLOAK_PASSWORD - keycloak admin password
* GLUEBUDDY_KEYCLOAK_REALM - Keycloak realm
* GLUEBUDDY_KEYCLOAK_URL - Keycloak base url (without trailing /)
## Service account Keycloak
To not use the admin user for obtaining the users/groups a service account can be used which needs to be created in Keycloak.
Create a new client, go to `Clients` and click `Create`:
* enter a client ID
* make sure client protocl is set to `openid-connect`
In the client settings configure:
* Set Access Type to `Confidential`
* Set `Service Accounts Enabled` to `On`
* Specify a `redirect_uri` even though it is not required
* Click `Save` to save the changes
Go to the `Service Account Roles` tab, select `realm-management` in the `Client roles` dropdown and add:
* query-groups
* view-users
This allows the service account to view users and groups we need in gluebuddy, the username is the `client ID` and the password is the client secret which can be found in the `Credentials` tab.
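Review bot: the environment variable list at the top of this hunk still documents GLUEBUDDY_KEYCLOAK_PASSWORD as "keycloak admin password", while the new section ends by saying the username is the client ID and the password is the client secret; update the list (username = client ID, password = client secret) so the two agree, and add a blank line before the `## Service account Keycloak` heading so it renders as a heading. Two smaller points: "client protocl" should be "client protocol", and since this client is only ever used with the client credentials grant, the section could tell the reader to turn off `Standard Flow Enabled` and `Direct Access Grants Enabled` on the client; that limits what a leaked secret can be used for and, in the admin console, removes the need to enter a redirect URI that the text itself says is not required.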
......@@ -44,7 +44,7 @@ impl Keycloak {
"acquire API token for keycloak {} using realm {}",
url, realm
);
let token = KeycloakAdminToken::acquire(url, username, password, &client).await?;
let token = KeycloakAdminToken::acquire_custom_realm(url, username, password, "archlinux", username, "client_credentials", &client).await?;
let admin = KeycloakAdmin::new(url, token, client);
Ok(Keycloak {