
I have a Rails application where the Keycloak API is used for authentication in the back end, but now I want to integrate single sign-on with Keycloak. When a user navigates to the login page, they will be redirected to the Keycloak login page. Keycloak will handle all login options. Once the user successfully authenticates, they will be redirected to the dashboard.

Any help in this regard will be appreciated.

Suneel
  • Hi, I have the same target with Keycloak. I use the openid-connect gem from nov (https://github.com/nov/openid_connect). He also provided some Ruby apps for testing purposes, but they don't come along with the Keycloak server. So far some modifications to his openid-connect-sample-rp repository are needed. Did you come along with some improvements? – tingel2k Oct 14 '15 at 12:59
  • Could you use Keycloak with Rails with my answer? – tingel2k Dec 03 '15 at 10:22
  • Ok, if you have some troubles please let me know. I ported the example into a formally standalone Rails application, now with the "discovery" function. – tingel2k Feb 08 '16 at 10:42

1 Answer


So I'll try to describe how to use OpenID with Keycloak and Rails. First I used the example repo from nov and also made the following alterations.

First I had to configure WEBrick to use SSL, as in the example from here, and it is necessary to configure the Keycloak server with SSL (info from here; exclude the OpenShift references, this is where your client should connect).

I modified WEBrick a little bit more: I generate new certificates on each start and store the currently valid certificate in a temporary file, so that the OpenID call can use the same certificate. If you use static certificates this is obsolete.

Now you need to input your provider (Keycloak server) settings into the provider model. You can get the information about the interface from the Keycloak server with a browser from this link:

https://keycloak-url:PORT/auth/realms/REALM-NAME/.well-known/openid-configuration

I suggest the ./db/seeds.rb file:

{issuer: "https://keycloak-url:PORT/auth/realms/REALM-NAME",
authorization_endpoint: "https://keycloak-url:PORT/auth/realms/REALM-NAME/protocol/openid-connect/auth",
token_endpoint: "https://keycloak-url:PORT/auth/realms/REALM-NAME/protocol/openid-connect/token",
userinfo_endpoint: "https://keycloak-url:PORT/auth/realms/REALM-NAME/protocol/openid-connect/userinfo",
jwks_uri: "https://keycloak-url:PORT/auth/realms/REALM-NAME/protocol/openid-connect/certs",
name: "SOME-PROVIDER-NAME",
identifier: "CLIENT-ID-FROM-KEYCLOAK",
scopes_supported: ["SCOPES-FROM-KEYCLOAK"],
secret: "SECRET-FROM-KEYCLOAK"}

To avoid client certificate validation (it is recommended for productive environments) add the following lines to ./app/models/provider.rb (e.g. line 23f):

  # Turn off verification of the Keycloak server certificate for the gem's HTTP client
  OpenIDConnect.http_client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
  # Present WEBrick's own certificate and key as the client certificate
  OpenIDConnect.http_client.ssl_config.set_client_cert_file('WEBRICK-CERTIFICATE-FILE','WEBRICK-CERTIFICATE-KEY-FILE')

Also there is a problem with the JSON response from Keycloak, and that is why I added a crude way of checking (please don't judge the way I did it, it's only for dev purposes) whether the response is an array or not.

# Decode the ID token against the provider's JWKS. Keycloak's certs endpoint
# returns a key array, so hand the gem the first key when the JWKS is an array.
def decode_id(id_token)
  if config.jwks.to_s.chars.first == '['   # crude check: does the JWKS serialise as a JSON array?
    OpenIDConnect::ResponseObject::IdToken.decode id_token, config.jwks.first
  else
    OpenIDConnect::ResponseObject::IdToken.decode id_token, config.jwks
  end
end

So please replace the decode_id method in ./app/models/provider.rb.

And then it should work to get an access token from Keycloak, assuming you have an account and the requesting client with client ID and secret set up within Keycloak.

regards tingel

tingel2k
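As an added illustration (not part of tingel2k's answer and not code from nov's gem), this is what the relying party has to check on the ID token it gets back from the Keycloak token endpoint, using only Ruby's standard library: select the key from the jwks_uri key set by kid rather than taking `jwks.first`, verify the RS256 signature, and check iss, aud, exp and nonce. The realm key, kid, nonce and claims are constructed for the example; the issuer and client ID reuse the placeholder values from the answer.

```ruby
require 'openssl'
require 'json'
require 'base64'
# Constructed stand-ins: a throwaway realm signing key plus the placeholder values from the answer.
REALM_KEY = OpenSSL::PKey::RSA.new(2048)
KID       = 'constructed-kid'
ISSUER    = 'https://keycloak-url:PORT/auth/realms/REALM-NAME'
CLIENT_ID = 'CLIENT-ID-FROM-KEYCLOAK'
def b64url(bytes); Base64.urlsafe_encode64(bytes, padding: false); end
def b64url_decode(str); Base64.urlsafe_decode64(str); end
# What jwks_uri (.../protocol/openid-connect/certs) serves: a key *set*, so the key must be chosen by kid.
JWKS = { 'keys' => [{ 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => KID,
                      'n' => b64url(REALM_KEY.n.to_s(2)), 'e' => b64url(REALM_KEY.e.to_s(2)) }] }

# Rebuild an RSA public key from a JWK by wrapping (n, e) in a SubjectPublicKeyInfo DER structure.
def rsa_from_jwk(jwk)
  n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk[f]), 2)) }
  alg  = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)])
  spki = OpenSSL::ASN1::Sequence([alg, OpenSSL::ASN1::BitString(OpenSSL::ASN1::Sequence([n, e]).to_der)])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Mint an RS256 ID token as the realm would; here it only builds the constructed test input.
def sign_id_token(claims, key, kid)
  input = [{ 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }, claims].map { |h| b64url(JSON.generate(h)) }.join('.')
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Verify the signature with the key named by kid, then check iss, aud, exp and nonce; raises on failure.
def verify_id_token(id_token, jwks:, issuer:, client_id:, nonce:, now: Time.now.to_i)
  h64, c64, s64 = id_token.split('.')
  raise 'malformed token' if s64.nil?
  header = JSON.parse(b64url_decode(h64))
  raise "alg #{header['alg'].inspect} not allowed" unless header['alg'] == 'RS256' # no 'none', no HS256
  jwk = jwks['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  raise 'no signing key with that kid' unless jwk
  raise 'bad signature' unless rsa_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{c64}")
  claims = JSON.parse(b64url_decode(c64))
  raise 'issuer mismatch'   unless claims['iss'] == issuer
  raise 'audience mismatch' unless Array(claims['aud']).include?(client_id)
  raise 'token expired'     unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise 'nonce mismatch'    unless claims['nonce'] == nonce
  claims
end

# Constructed end-to-end run: the nonce is the value the RP stored before redirecting to Keycloak.
def demo(nonce = 'n-123', exp: Time.now.to_i + 300)
  claims = { 'iss' => ISSUER, 'aud' => CLIENT_ID, 'sub' => 'user-1', 'nonce' => nonce, 'exp' => exp }
  verify_id_token(sign_id_token(claims, REALM_KEY, KID), jwks: JWKS, issuer: ISSUER, client_id: CLIENT_ID, nonce: nonce)
end
```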