Add this line to your application's Gemfile:
gem 'omniauth-keycloak'
And then execute:
$ bundle
Or install it yourself as:
$ gem install omniauth-keycloak
In version 17 of Keycloak, /auth
was removed from the default context path. (See Issue #29)
In order to reduce breaking existing user's setup, this gem assumes /auth
as the default context.
So if you want to use Keycloak 17 or greater then you must do one of the following:
- Pass in
--http-relative-path '/auth'
option with the keycloak start command - Pass in a empty string for you base_url client_option:
client_options: {base_url: '', site: 'https://example.keycloak-url.com', realm: 'example-realm'}
OmniAuth::Strategies::Keycloak
is simply a Rack middleware. Read the OmniAuth docs for detailed instructions: https://github.com/intridea/omniauth.
Here's a quick example, adding the middleware to a Rails app in config/initializers/omniauth.rb
:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884',
client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm'},
name: 'keycloak'
end
This will allow a POST request to auth/keycloak
since the name is set to keycloak
Or using a proc setup with a custom options:
Rails.application.config.middleware.use OmniAuth::Builder do
SETUP_PROC = lambda do |env|
request = Rack::Request.new(env)
organization = Organization.find_by(host: request.host)
provider_config = organization.enabled_omniauth_providers[:keycloakopenid]
env["omniauth.strategy"].options[:client_id] = provider_config[:client_id]
env["omniauth.strategy"].options[:client_secret] = provider_config[:client_secret]
env["omniauth.strategy"].options[:client_options] = { site: provider_config[:site], realm: provider_config[:realm] }
end
Rails.application.config.middleware.use OmniAuth::Builder do
provider :keycloak_openid, setup: SETUP_PROC
end
end
Adapted from Devise OmniAuth Instructions
# app/models/user.rb
class User < ApplicationRecord
#...
devise :omniauthable, omniauth_providers: %i[keycloakopenid]
#...
end
# config/initializers/devise.rb
config.omniauth :keycloak_openid, "Example-Client-Name", "example-secret-if-configured", client_options: { site: "https://example.keycloak-url.com", realm: "example-realm" }, :strategy_class => OmniAuth::Strategies::KeycloakOpenId
# Below controller assumes callback route configuration following
# in config/routes.rb
Devise.setup do |config|
# ...
devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
end
# app/controllers/users/omniauth_callbacks_controller.rb
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
def keycloakopenid
Rails.logger.debug(request.env["omniauth.auth"])
@user = User.from_omniauth(request.env["omniauth.auth"])
if @user.persisted?
sign_in_and_redirect @user, event: :authentication
else
session["devise.keycloakopenid_data"] = request.env["omniauth.auth"]
redirect_to new_user_registration_url
end
end
def failure
redirect_to root_path
end
end
- Base Url other than /auth
This gem tries to get the keycloak configuration from"#{site}/auth/realms/#{realm}/.well-known/openid-configuration"
. If your keycloak server has been setup to use a different "root" url other than/auth
then you need to pass in thebase_url
option when setting up the gem:Rails.application.config.middleware.use OmniAuth::Builder do provider :keycloak_openid, 'Example-Client', '19cca35f-dddd-473a-bdd5-03f00d61d884', client_options: {site: 'https://example.keycloak-url.com', realm: 'example-realm', base_url: '/authorize'}, name: 'keycloak' end
- Pass params from request thru to Keycloak
See PR #24 for details on how to configure this.
Bug reports and pull requests are welcome on GitHub at https://github.com/ccrockett/omniauth-keycloak. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
The gem is available as open source under the terms of the MIT License.
Everyone interacting in the Omniauth::Keycloak project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.