Update Keycloak configuration and enable persistent storage

Updated Keycloak settings in `realm-hemhub.json` to include additional roles, user attributes, client scopes, and OpenID Connect configuration. Modified `application.yml` to replace `issuer-uri` with `jwk-set-uri` for JWT handling. Enhanced `docker-compose.yml` to add persistent volumes, an updated Keycloak image, and environment variables for better container interoperability.
This commit is contained in:
Urban Modig
2025-10-06 17:06:36 +02:00
parent 699fb3836b
commit 0993164062
3 changed files with 185 additions and 25 deletions


@ -15,14 +15,23 @@ services:
retries: 10 retries: 10
keycloak: keycloak:
image: quay.io/keycloak/keycloak:24.0 image: quay.io/keycloak/keycloak:24.0.5
command: ["start-dev","--http-port=8081","--import-realm"] command: ["start-dev","--http-port=8081","--import-realm"]
environment: environment:
KEYCLOAK_ADMIN: admin KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin KEYCLOAK_ADMIN_PASSWORD: admin
# Make issuer consistent & reachable from other containers
KC_HOSTNAME: keycloak
KC_HTTP_ENABLED: "true"
KC_HOSTNAME_STRICT: "false"
KC_PROXY: edge
ports:
- "8081:8081"
volumes: volumes:
- ./keycloak:/opt/keycloak/data/import # persist state
ports: ["8081:8081"] - keycloak_data:/opt/keycloak/data
# import our realm once
- ./keycloak/realm-hemhub.json:/opt/keycloak/data/import/realm-hemhub.json:ro
api: api:
@ -39,3 +48,4 @@ services:
volumes: volumes:
pgdata: pgdata:
keycloak_data:
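Review bot: `KC_PROXY: edge` makes Keycloak trust `X-Forwarded-*` headers, yet the same block publishes `8081:8081` directly with no proxy in front to strip them, so whoever reaches the port can set its own scheme and host; that is tolerable for local `start-dev`, but the comment above the setting should say so, e.g. `# dev-only: edge proxy mode trusts X-Forwarded-* from any client on 8081; put a real proxy in front before exposing this beyond localhost`. As far as I recall, Keycloak 24 deprecates `KC_PROXY` in favour of `KC_PROXY_HEADERS` (`xforwarded`), so the 24.0.5 image will likely log a deprecation warning — worth confirming against the image. `KC_HOSTNAME: keycloak` also pins the advertised issuer and authorization endpoint to `http://keycloak:8081`, which a browser on the host cannot resolve, so the `localhost:5173` redirect flow presumably needs a hosts entry; confirm. Because `keycloak_data` now persists the dev H2 store, `--import-realm` skips the realm once it exists, so edits to `realm-hemhub.json` only take effect after the volume is removed — the `# import our realm once` comment should spell that out.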


@ -2,55 +2,205 @@
"realm": "hemhub", "realm": "hemhub",
"enabled": true, "enabled": true,
"displayName": "HemHub", "displayName": "HemHub",
"registrationAllowed": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"roles": {
"realm": [
{ "name": "OWNER" },
{ "name": "MEMBER" },
{ "name": "ADMIN" }
]
},
"users": [ "users": [
{ {
"username": "maria", "username": "maria",
"email": "maria@example.com", "email": "maria@example.com",
"firstName": "Maria",
"lastName": "Andersson",
"enabled": true, "enabled": true,
"emailVerified": true, "emailVerified": true,
"attributes": { "household_id": ["H-ANDERSSON"] }, "attributes": { "household_id": ["H-ANDERSSON"] },
"credentials": [{ "type": "password", "value": "Passw0rd!", "temporary": false }], "credentials": [{ "type": "password", "value": "Passw0rd", "temporary": false }],
"realmRoles": ["OWNER","MEMBER"] "realmRoles": ["OWNER","MEMBER"]
}, },
{ {
"username": "ulf", "username": "ulf",
"email": "ulf@example.com", "email": "ulf@example.com",
"firstName": "Ulf",
"lastName": "Svensson",
"enabled": true, "enabled": true,
"emailVerified": true, "emailVerified": true,
"attributes": { "household_id": ["H-ANDERSSON"] }, "attributes": { "household_id": ["H-ANDERSSON"] },
"credentials": [{ "type": "password", "value": "Passw0rd!", "temporary": false }], "credentials": [{ "type": "password", "value": "Passw0rd", "temporary": false }],
"realmRoles": ["MEMBER"] "realmRoles": ["MEMBER"]
} }
], ],
"roles": {
"realm": [ "clientScopes": [
{"name":"OWNER","composite":false}, {
{"name":"MEMBER","composite":false}, "name": "roles",
{"name":"ADMIN","composite":false} "description": "OpenID Connect scope for add user roles to the access token",
] "protocol": "openid-connect",
}, "attributes": { "include.in.token.scope": "true" },
"protocolMappers": [
{
"name": "realm roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-realm-role-mapper",
"consentRequired": false,
"config": {
"claim.name": "realm_access.roles",
"jsonType.label": "String",
"multivalued": "true",
"usermodel.realmRoleMapping.rolePrefix": "",
"access.token.claim": "true",
"id.token.claim": "false"
}
}
]
},
{
"name": "profile",
"description": "Standard OpenID Connect profile claims",
"protocol": "openid-connect",
"attributes": { "include.in.token.scope": "true" },
"protocolMappers": [
{
"name": "preferred username",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"config": {
"user.attribute": "username",
"claim.name": "preferred_username",
"jsonType.label": "String",
"access.token.claim": "true",
"id.token.claim": "true"
}
},
{
"name": "given name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"config": {
"user.attribute": "firstName",
"claim.name": "given_name",
"jsonType.label": "String",
"access.token.claim": "true",
"id.token.claim": "true"
}
},
{
"name": "family name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"config": {
"user.attribute": "lastName",
"claim.name": "family_name",
"jsonType.label": "String",
"access.token.claim": "true",
"id.token.claim": "true"
}
},
{
"name": "name",
"protocol": "openid-connect",
"protocolMapper": "oidc-full-name-mapper",
"config": {
"access.token.claim": "true",
"id.token.claim": "true"
}
}
]
},
{
"name": "email",
"description": "Standard OpenID Connect email claims",
"protocol": "openid-connect",
"attributes": { "include.in.token.scope": "true" },
"protocolMappers": [
{
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"config": {
"user.attribute": "email",
"claim.name": "email",
"jsonType.label": "String",
"access.token.claim": "true",
"id.token.claim": "true"
}
},
{
"name": "email verified",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"config": {
"user.attribute": "emailVerified",
"claim.name": "email_verified",
"jsonType.label": "boolean",
"access.token.claim": "true",
"id.token.claim": "true"
}
}
]
},
{
"name": "hemhub-extra",
"description": "Custom claims for HemHub",
"protocol": "openid-connect",
"attributes": { "include.in.token.scope": "true" },
"protocolMappers": [
{
"name": "household_id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"config": {
"user.attribute": "household_id",
"claim.name": "household_id",
"jsonType.label": "String",
"access.token.claim": "true",
"id.token.claim": "true"
}
}
]
}
],
"defaultDefaultClientScopes": [ "roles", "profile", "email", "hemhub-extra" ],
"defaultOptionalClientScopes": [ "offline_access" ],
"clients": [ "clients": [
{ {
"clientId": "hemhub-public", "clientId": "hemhub-public",
"name": "HemHub Public",
"enabled": true,
"publicClient": true, "publicClient": true,
"redirectUris": ["http://localhost:5173/*","http://localhost:8080/swagger-ui/*"], "protocol": "openid-connect",
"standardFlowEnabled": true, "standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true, "directAccessGrantsEnabled": true,
"attributes": { "pkce.code.challenge.method": "S256" } "serviceAccountsEnabled": false,
"attributes": { "pkce.code.challenge.method": "S256" },
"redirectUris": [
"http://localhost:8080/swagger-ui/*",
"http://localhost:5173/*"
],
"webOrigins": ["*"]
}, },
{ {
"clientId": "hemhub-service", "clientId": "hemhub-service",
"serviceAccountsEnabled": true, "name": "HemHub Service",
"secret": "dev-secret", "enabled": true,
"publicClient": false, "publicClient": false,
"redirectUris": [], "protocol": "openid-connect",
"standardFlowEnabled": false,
"directAccessGrantsEnabled": false, "directAccessGrantsEnabled": false,
"standardFlowEnabled": false "serviceAccountsEnabled": true,
"secret": "dev-secret"
} }
], ]
"clientScopes": [
{"name":"roles","protocol":"openid-connect"}
],
"defaultDefaultClientScopes": ["roles", "profile", "email"]
} }
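Review bot: `"webOrigins": ["*"]` on the new `hemhub-public` client allows cross-origin calls to the token endpoint from any site, which is broader than the redirect URIs listed just above it; Keycloak accepts `"+"` to mean "the origins of the registered redirect URIs", so `"webOrigins": ["+"]` (or an explicit `["http://localhost:5173", "http://localhost:8080"]`) keeps the same dev setup without the wildcard. The service client still ships `"secret": "dev-secret"` and both seed users keep a fixed `Passw0rd` in a file committed to the repo; since `--import-realm` now runs only once against the persisted volume, these become long-lived credentials, and because JSON has no comments the README should state that they are development-only and must be regenerated outside this file for any shared environment. `directAccessGrantsEnabled` also stays `true` on the public client, which enables the password grant for a browser client; if nothing depends on it, `false` is the safer default.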


@ -15,4 +15,4 @@ spring:
oauth2: oauth2:
resourceserver: resourceserver:
jwt: jwt:
issuer-uri: http://localhost:8082/realms/hemhub jwk-set-uri: http://keycloak:8081/realms/hemhub/protocol/openid-connect/certs
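Review bot: Replacing `issuer-uri` with `jwk-set-uri` drops issuer validation: with only `jwk-set-uri` set, Spring Boot's auto-configured `NimbusJwtDecoder` checks signature and expiry but no longer verifies the `iss` claim, so any token signed with those keys is accepted regardless of its issuer. Spring Boot lets both properties coexist — `jwk-set-uri` is used to fetch keys while `issuer-uri` still builds the issuer validator — so keep `issuer-uri: http://keycloak:8081/realms/hemhub` alongside the new `jwk-set-uri: http://keycloak:8081/realms/hemhub/protocol/openid-connect/certs`. The issuer value must match what Keycloak emits under its `KC_HOSTNAME` setting, which I infer to be `keycloak` on port 8081 from the compose change in this commit; confirm against a decoded token. The enclosing `spring:` block starts outside this hunk.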