User authentication with OpenID and Keycloak
Setting up this type of authentication assumes that you clearly understand what you are doing: how the OpenID Connect login flow works, which URLs are involved, and how to test the configuration before making it the primary login method.
Prerequisites
- You need administrative access to Keycloak, or an administrator near you.
- You need access to the Allure Testops configuration files.
- You need to be able to apply configuration changes, which may require some downtime.
- Both Keycloak and Allure Testops must be served over the same scheme: if one of them is behind HTTPS, both must be behind HTTPS, which usually means a reverse proxy terminating TLS in front of both. Consult your network administrator or DevOps to ensure the network side is configured correctly.
Integration of Allure Testops and Keycloak
Given
Let's assume the following (your URLs will be different):
- Allure Testops is deployed and accessible at http://allure.local
- Keycloak is deployed and accessible at http://192.168.1.14:6060
Registering a new client application in Keycloak
In Keycloak:
- Create a new realm demo (the name is up to you).
- Switch to the newly created realm demo.
- Create a new client demoapp (the name is up to you).
- Open the settings of the newly created client and set Valid Redirect URIs to
http://allure.local/login/oauth2/code/keycloak
Keycloak compares the redirect_uri sent by Allure Testops with this list, so the value must match the REDIRECTURI you configure on the gateway exactly (same scheme, host, port and path). Do not use wildcard entries such as http://allure.local/*: they allow the authorization code to be delivered to any URL under that host.
- Create a new user for testing purposes.
Configuring Allure Testops
To integrate Allure Testops with Keycloak, pass the following environment variables to the gateway service:
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTNAME
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTID
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_REDIRECTURI
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_ISSUERURI
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_USERNAMEATTRIBUTE
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_SCOPE
If the Keycloak client is confidential (client authentication enabled), you also need to pass the client secret, SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTSECRET, as shown in the packages example below. Treat that value as a secret: keep it out of version control and, where your deployment offers a secret store, out of the plain-text environment block.
See below for the deployment-specific examples.
Deployment in Kubernetes
For a k8s deployment, add the parameters to the open environment section of the gateway service in the values.yaml file used to pass your configuration to Helm:
version: 3.182.0
<snip>
gateway:
  env:
    open:
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTNAME: KeyCloak
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTID: demoapp
      SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_REDIRECTURI: 'http://allure.local/login/oauth2/code/keycloak'
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_ISSUERURI: http://192.168.1.14:6060/auth/realms/demo
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_USERNAMEATTRIBUTE: preferred_username
      SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_SCOPE: openid
<snip>
Two values deserve attention. The redirect URI must be exactly the string registered in Keycloak; the example follows the Given section and uses plain http://allure.local, but in production both Allure Testops and Keycloak should be behind HTTPS, otherwise the authorization code and the session cookie cross the network unencrypted. The issuer URI is the URL of the realm, not of the Keycloak host: at start-up the gateway fetches <issuer>/.well-known/openid-configuration and Spring Security refuses the provider if the issuer advertised there differs from the configured value (http vs https, a missing or extra /auth prefix, a trailing slash). The /auth prefix is the default path of Keycloak releases before 17; newer releases serve the realm at /realms/demo unless the legacy path is enabled.
Now update your Allure Testops configuration as usual for a Kubernetes installation, using the Helm commands.
Deployment via docker-compose
For a deployment done via docker-compose, update the docker-compose.yml configuration file by adding the parameters to the gateway service.
Updating the configuration requires downtime to properly stop and restart the application.
gateway:
  image: allure/allure-gateway:${VERSION}
  environment:
    # settings
    <snip>
    SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTNAME: KeyCloak
    SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_CLIENTID: demoapp
    SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_KEYCLOAK_REDIRECTURI: 'http://allure.local/login/oauth2/code/keycloak'
    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_ISSUERURI: http://192.168.1.14:6060/auth/realms/demo
    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_USERNAMEATTRIBUTE: preferred_username
    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_KEYCLOAK_SCOPE: openid
    <snip>
As in the Kubernetes example, the redirect URI must match the value registered in Keycloak exactly and must use the same scheme as the issuer URI.
To make Allure Testops use Keycloak as the identity provider, perform the same actions as for any update of a docker-compose deployment: 1) stop the application with docker-compose down, 2) start it again with docker-compose up -d.
Deployment via packages
This works for Allure Testops release 3.193.1 and 4+. If you have an older Allure Testops release installed, upgrade to the most recent release first.
Update the configuration file of the gateway service, /opt/allure-testops/gateway/conf/allure-gateway.conf, with the following lines:
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENTNAME=Keycloak
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_REDIRECTURI=https://<your-domain>/login/oauth2/code/allure
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_SCOPE=openid,email,profile
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUERURI=https://<your-keycloak>
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_USERNAMEATTRIBUTE=preferred_username
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENTID=<clientId>
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENTSECRET=<clientSecret>
Note that this example names the registration OIDC instead of KEYCLOAK; whichever name you use, it must be the same in all REGISTRATION_ and PROVIDER_ variables. The ISSUERURI must be the full issuer URL of the realm, including the realm path, as in the Kubernetes example above, and the REDIRECTURI must be exactly the value registered in the Keycloak client. Because the file now holds the client secret, restrict its permissions to the account the gateway service runs as.
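The mistakes that break this integration are almost always in the values above: a redirect URI that differs from the one registered in Keycloak, an issuer URI that points at the Keycloak host instead of the realm, an https redirect paired with an http issuer, or a missing client ID. The following pre-flight script is an added example written for this page; it is not part of Allure Testops or Keycloak. It parses a gateway configuration in either of the two formats shown above (KEY=value lines from allure-gateway.conf, or KEY: value lines copied from docker-compose.yml or values.yaml) and reports these problems before you restart the service. The script name check-oidc-conf.sh, the registration ID argument and the sample configuration lines in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight check for the Allure Testops gateway <-> Keycloak settings.
# Added example for this page, not part of the Allure Testops or Keycloak distributions.
# Accepts "KEY=value" (allure-gateway.conf) and "KEY: value" (docker-compose.yml, values.yaml) lines.

# Print the value of key $2 from file $1, with surrounding quotes stripped.
# Empty output means the key is absent.
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | head -n 1 | tr -d "'\""
}

# Scheme of a URL ("http" or "https"); empty if the value is not an http(s) URL.
url_scheme() {
  case "$1" in
    http://*)  echo http ;;
    https://*) echo https ;;
    *)         echo "" ;;
  esac
}

# check_gateway_conf FILE REGISTRATION_ID
# REGISTRATION_ID is the token between REGISTRATION_ and the property name
# (KEYCLOAK in the Kubernetes/docker-compose examples, OIDC in the packages one).
# Returns the number of hard errors found; warnings are printed but not counted.
check_gateway_conf() {
  file=$1
  reg=$2
  errors=0
  client_id=$(conf_value "$file" "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_${reg}_CLIENTID")
  redirect=$(conf_value "$file" "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_${reg}_REDIRECTURI")
  issuer=$(conf_value "$file" "SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_${reg}_ISSUERURI")
  # The page puts SCOPE under PROVIDER_ in one example and REGISTRATION_ in another; accept both.
  scope=$(conf_value "$file" "SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_${reg}_SCOPE")
  [ -z "$scope" ] && scope=$(conf_value "$file" "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_${reg}_SCOPE")

  if [ -z "$client_id" ]; then
    echo "ERROR: REGISTRATION_${reg}_CLIENTID is missing (must equal the Keycloak client ID)"
    errors=$((errors + 1))
  fi

  # The issuer is the realm URL, not the bare Keycloak host: the gateway fetches
  # <issuer>/.well-known/openid-configuration at start-up and fails if that is not found.
  case "$issuer" in
    */realms/*) ;;
    "") echo "ERROR: PROVIDER_${reg}_ISSUERURI is missing"; errors=$((errors + 1)) ;;
    *)  echo "ERROR: PROVIDER_${reg}_ISSUERURI must point at the realm (.../realms/<realm>): $issuer"
        errors=$((errors + 1)) ;;
  esac

  # The redirect URI must be the exact string registered in Keycloak under
  # "Valid Redirect URIs" and must use the /login/oauth2/code/ callback path.
  case "$redirect" in
    */login/oauth2/code/*) ;;
    *) echo "ERROR: REGISTRATION_${reg}_REDIRECTURI must contain /login/oauth2/code/<id>: '$redirect'"
       errors=$((errors + 1)) ;;
  esac

  # Both systems must be served over the same scheme (see Prerequisites).
  if [ -n "$redirect" ] && [ -n "$issuer" ] && [ "$(url_scheme "$redirect")" != "$(url_scheme "$issuer")" ]; then
    echo "ERROR: redirect URI is $(url_scheme "$redirect") but issuer is $(url_scheme "$issuer"); use one scheme for both"
    errors=$((errors + 1))
  fi
  if [ "$(url_scheme "$redirect")" = "http" ]; then
    echo "WARN: plain HTTP redirect URI; the authorization code and session cookie cross the network unencrypted"
  fi

  case ",$scope," in
    *,openid,*) ;;
    *) echo "ERROR: scope must include 'openid' for an OpenID Connect login, got '$scope'"
       errors=$((errors + 1)) ;;
  esac

  return "$errors"
}

# check_issuer_online ISSUER_URI: fetch the discovery document and compare its
# "issuer" claim with the configured value. Any difference (http vs https, a
# missing or extra /auth prefix, a trailing slash) is rejected by the gateway.
check_issuer_online() {
  advertised=$(curl -fsS "$1/.well-known/openid-configuration" \
    | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ "$advertised" = "$1" ] && echo "issuer OK: $1" && return 0
  echo "issuer mismatch: configured '$1', Keycloak advertises '$advertised'"
  return 1
}

# Usage: sh check-oidc-conf.sh /opt/allure-testops/gateway/conf/allure-gateway.conf OIDC
if [ "$#" -ge 1 ]; then
  check_gateway_conf "$1" "${2:-KEYCLOAK}" || exit 1
fi
```

Run it against the gateway configuration with the registration name you chose (KEYCLOAK or OIDC); a non-zero exit status is the count of hard errors. Once the offline checks pass, run check_issuer_online with the configured ISSUERURI from the host the gateway runs on, so that the discovery request goes through the same proxies and DNS the service will use.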
Setting the default authentication method
When the settings have been updated and successfully applied, check the authentication by logging in via the following URL:
http://allure.local/login/openid
Your URL will differ; the only part to take from this guide is the path /login/openid. Keep the built-in login as the primary method until this works, so that you can still sign in if the Keycloak configuration is wrong.
When you have successfully tested the authentication, you can switch to OpenID as the main authentication method.
Deployment in Kubernetes
uaa:
  <snip>
  env:
    open:
      ALLURE_LOGIN_PRIMARY: openid
  <snip>
Deployment via docker-compose
uaa:
  <snip>
  environment:
    ALLURE_LOGIN_PRIMARY: openid
Deployment via packages
Update the configuration file /opt/allure-testops/uaa/conf/allure-uaa.conf with the following line (this file uses KEY=value syntax, like allure-gateway.conf):
ALLURE_LOGIN_PRIMARY=openid
Setting the default role for new users registering via OpenID/Keycloak
Why
If no additional setting is made, every new user gets ROLE_USER by default and consumes one license. Because registration through Keycloak is automatic, anyone who can authenticate in the realm would otherwise obtain a licensed, writable account without review.
What
To prevent new users from consuming licenses, define ROLE_GUEST as the default role for users who register via OpenID/Keycloak. They then have read-only access by default and do not consume any licenses; an administrator can promote them to ROLE_USER individually.
How
Set the following parameter for the UAA service: ALLURE_LOGIN_OPENID_DEFAULTROLE
For docker-compose and Kubernetes deployments:
ALLURE_LOGIN_OPENID_DEFAULTROLE: ROLE_GUEST
For a deployment using packages, add the parameter to the configuration file of the UAA service, /opt/allure-testops/uaa/conf/allure-uaa.conf, in that file's KEY=value syntax:
ALLURE_LOGIN_OPENID_DEFAULTROLE=ROLE_GUEST