# Development with an OIDC server
This document describes the steps needed to enable External Authentication (httpd), running an OIDC server and Apache on a local development setup.
1. Ensure you have the guides repo cloned locally
2. `cd guides/external_auth`
3. Launch KeyCloak

   ```shell
   podman run --rm -it --name keycloak \
     -p 8443:8443 \
     -v $(pwd)/certs:/opt/keycloak/conf/certs \
     -v $(pwd)/realms:/opt/keycloak/data/import \
     -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
     -e KC_BOOTSTRAP_ADMIN_PASSWORD=smartvm \
     -e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/certs/tls.crt \
     -e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/certs/tls.key \
     quay.io/keycloak/keycloak:26.6.3 \
     start-dev --import-realm
   ```

   When it completes startup, go to https://127.0.0.1.nip.io:8443 and login with `admin`/`smartvm` to verify it's working. You should see a realm for `ManageIQ`.
4. Launch the httpd container

   ```shell
   podman run --rm -it --name httpd \
     -p 8080:8080 \
     -v $(pwd)/oidc-httpd-configs:/etc/httpd/conf.d \
     -e HTTPD_AUTH_OIDC_CLIENT_ID=manageiq-oidc-client \
     -e HTTPD_AUTH_OIDC_CLIENT_SECRET=3167ae6f-762d-49cd-b246-ef8856315957 \
     -e HTTPD_AUTH_HOST=127.0.0.1.nip.io \
     -e HTTPD_AUTH_PORT=8080 \
     --add-host=127.0.0.1.nip.io:192.168.127.254 \
     manageiq/httpd:latest
   ```

   Note: 192.168.65.2 / 192.168.127.254 is a hardcoded proxy for host.docker.internal / host.containers.internal on docker / podman.
5. Launch ManageIQ

   Run your Rails server as you normally would for development; however, instead of accessing it in the browser at https://localhost:3000, use http://127.0.0.1.nip.io:8080 (notice `http` as opposed to `https`, and port `8080`).

   If ManageIQ is not yet configured for OIDC, do the following:

   - Login as `admin`/`smartvm`
   - Go to Settings -> Application Settings -> Authentication
   - Change the following:

     | Setting | Value |
     | --- | --- |
     | Mode | External (httpd) |
     | Enable Single Sign-On | checked |
     | Provider Type | Enable OpenID-Connect |
     | Get User Groups from External Authentication (httpd) | checked |

   - Save the changes
   - Logout
   - Click `Log In to Corporate System`
   - Login as
## Updating KeyCloak data

### Export data from a running KeyCloak
If you’ve made changes in KeyCloak that you’d like to save, leave KeyCloak running and in another terminal run:
```shell
podman exec -it keycloak /opt/keycloak/bin/kc.sh export \
  --file /opt/keycloak/data/import/ManageIQ-realm.json \
  --realm ManageIQ \
  --users realm_file
```

When it completes, `realms/ManageIQ-realm.json` will be updated on the host.
### Recreating KeyCloak setup from scratch

1. Ensure you have a `certs` directory and a `realms` directory

   ```shell
   mkdir certs
   mkdir realms
   ```
2. Generate a cert and key

   ```shell
   openssl req -x509 -newkey rsa:4096 -keyout certs/tls.key -out certs/tls.crt -days 3650 -nodes
   ```
3. Launch KeyCloak

   ```shell
   podman run --rm -it --name keycloak \
     -p 8443:8443 \
     -v $(pwd)/certs:/opt/keycloak/conf/certs \
     -v $(pwd)/realms:/opt/keycloak/data/import \
     -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
     -e KC_BOOTSTRAP_ADMIN_PASSWORD=smartvm \
     -e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/certs/tls.crt \
     -e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/certs/tls.key \
     quay.io/keycloak/keycloak:26.6.3 \
     start-dev
   ```
4. Go to https://127.0.0.1.nip.io:8443 and login with `admin`/`smartvm`
5. Create a Realm

   | Setting | Value |
   | --- | --- |
   | Name | ManageIQ |

   Note: realm name is case-sensitive in URLs!
6. Create an OIDC Client

   | Setting | Value |
   | --- | --- |
   | Client ID | manageiq-oidc-client |
   | Client Protocol | openid-connect |

   Once created, go to the credentials tab and copy down the generated `Secret` value.
7. Configure the OIDC Client
   - Settings

     | Setting | Value |
     | --- | --- |
     | Access Type | confidential |
     | Service Accounts Enabled | ON |
     | Authorization Enabled | ON |
     | Valid Redirect URIs | http://127.0.0.1.nip.io:8080/* |

   - Mappers -> Create

     | Setting | Value |
     | --- | --- |
     | Name | groups |
     | Mapper Type | Group Membership |
     | Token Claim Name | groups |
     | Full group path | OFF |
8. Create a group

   | Setting | Value |
   | --- | --- |
   | Name | EvmGroup-super_administrator |
9. Create a user

   | Setting | Value |
   | --- | --- |
   | Name | user1 |
   | Email | user1@manageiq.org |
   | First Name | User |
   | Last Name | One |
   | Email Verified | ON |
10. Configure the user
    - Credentials

      | Setting | Value |
      | --- | --- |
      | Password | smartvm |
      | Password Confirmation | smartvm |
      | Temporary | OFF |

    - Groups

      Put the user into a group by clicking the group, then clicking `Join`.
11. Verify the setup
    - Set the OIDC client secret: Be sure you have your OIDC client secret from step 6. `${client_secret}` below is a reference to that value. The client secret value from the current ManageIQ Realm export is `3167ae6f-762d-49cd-b246-ef8856315957`.
    - Fetch the configuration

      ```shell
      curl -s -k https://127.0.0.1.nip.io:8443/realms/ManageIQ/.well-known/openid-configuration | jq
      ```
    - Get an access token

      ```shell
      token=$(curl -s -k -X POST https://127.0.0.1.nip.io:8443/realms/ManageIQ/protocol/openid-connect/token \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -u manageiq-oidc-client:${client_secret} \
        -d username=user1 \
        -d password=smartvm \
        -d grant_type=password | jq -r ".access_token")
      ```
    - Introspect the access token

      ```shell
      curl -s -k -X POST https://127.0.0.1.nip.io:8443/realms/ManageIQ/protocol/openid-connect/token/introspect \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -u manageiq-oidc-client:${client_secret} \
        -d "token=${token}" | jq
      ```
12. Export the realm file. If you plan to commit this, also update the client secret values in this documentation.
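A quick offline check of what the verification step above should yield, added here as an example and not part of the original guide: it decodes the payload of an access token and confirms that the `groups` claim produced by the groups mapper names the ManageIQ group. Because no KeyCloak is reachable here, the token is constructed locally from the claims a token for `user1` would carry, with a placeholder signature; `jwt_payload`, `jwt_has_group` and `sample_token` are hypothetical helper names.

```shell
#!/bin/sh
# Decode the payload (second dot-separated segment) of a JWT. Access tokens use
# the base64url alphabet without padding, so restore both before decoding.
# This only decodes; it does not verify the signature, which is the job of
# httpd / the introspection endpoint, not of this check.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Exit 0 only if the "groups" claim lists the given group name. This is the
# claim the groups mapper (Token Claim Name: groups, Full group path OFF)
# emits and that ManageIQ reads when "Get User Groups" is enabled.
jwt_has_group() {
  jwt_payload "$1" | grep -q "\"groups\":\[[^]]*\"$2\""
}

# base64url-encode stdin: no padding, no line wrapping.
b64url() {
  base64 | tr -d '\n=' | tr '+/' '-_'
}

# Constructed sample payload: the claims a token for user1 would carry.
SAMPLE_PAYLOAD='{"iss":"https://127.0.0.1.nip.io:8443/realms/ManageIQ","preferred_username":"user1","groups":["EvmGroup-super_administrator"]}'

# Build a token with the sample payload and a placeholder (unsigned) signature.
sample_token() {
  h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  p=$(printf '%s' "$SAMPLE_PAYLOAD" | b64url)
  printf '%s.%s.%s' "$h" "$p" "placeholder-signature"
}

# With a real token from the curl step: jwt_has_group "$token" EvmGroup-super_administrator
if jwt_has_group "$(sample_token)" EvmGroup-super_administrator; then
  echo "groups claim names EvmGroup-super_administrator"
else
  echo "groups claim missing: check the groups mapper and the user's group membership"
fi
```

If the real token lacks the claim, the mapper or the Join step in the group configuration is the first place to look.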