Configuring Keycloak as an identity Provider in WSO2 Identity Server
In this write up, I will walk you through how you can configure Keycloack as an IdP in WSO2 Identity Server.
I will be using WSO2 Identity Server 5.11, Keycloak 18.0.0 and Apache Tomcat 9.0.62 for this.
Configuring KeyCloak
1. Setting up the server with hostname
- Download the Keycloak distribution from https://www.keycloak.org/downloads.
- Extract the downloaded zip/tar.gz file. (KC_HOME)
- Navigate to <KC_HOME>/bin and start the keycloak server. (I will be running the server in dev mode for the purpose of this demo.)
sh kc.sh start-dev — hostname=keycloak.acme.com
- Next, navigate to the default http://0.0.0.0:8080 and create an intial admin user.
2. Creating a realm and users
- Log in with the intial admin user you created, and then add a new realm from here.
- Add a new user from the Manage -> Users.
- Go to the Credentials tab and set a password for the user.
3. Registering WSO2 Identity Server as a client
- Go to Configure-> Clients -> create
Fill in the configurations as follows:
Client ID: wso2is
Root URL: https://{is_hostname}:{is_port}/commonauth
- Set the Access Type to confidential, enable the configurations as follows and click on save.
- Next, navigate to the Credentials tab and retrieve the Secret.
That’s everything that we need to do on the Keycloak side for now.
Configuring WSO2 Identity Server
- Setting up the server with hostname
- Download the WSO2 Identity Server from here.
- Extract the downloaded zip file to a local directory (IS_HOME)
- Open the <IS_HOME>/repository/conf/deployment.toml and change the hostname for the server.
[server]
hostname = “wso2is.acme.com”Next we need to update the keystore to include the new hostname. Please follow the instructions on https://is.docs.wso2.com/en/latest/setup/changing-the-hostname/ to do that.
- Navigate to <IS_HOME>/bin and start the server.
sh wso2server.sh2. Adding Keycloak as an Identity Provider
- Once the server starts up, login to the carbon console using your browser using the default credentials admin:admin.
Mgt Console URL : https://wso2is.acme.com:9443/carbon/- Navigate to Main -> Identity -> Identity Providers and click on Add
- Expand the Federated Authenticators and select OAuth2/OpenID Connect Configuration
- Obtain the Keycloak Openid-connect configurations from the .well-known endpoint
http://{kc_hostname}:{kc_port}/realms/{realm_name}/.well-known/openid-configurationeg: http://keycloak.acme.com:8080/realms/demo/.well-known/openid-configuration
- Fill in the configurations in the Federated Authenticators -> OAuth2/OpenID Connect Configuration as below
Client Id: wso2isClientSecret: {client_secret from keycloak}Authorization Endpoint URL: http://keycloak.acme.com:8080/realms/demo/protocol/openid-connect/authToken Endpoint URL: http://keycloak.acme.com:8080/realms/demo/protocol/openid-connect/tokenCallback Url: https://wso2is.acme.com:9443/commonauthUserinfo Endpoint URL: http://keycloak.acme.com:8080/realms/demo/protocol/openid-connect/userinfoLogout Endpoint URL: http://keycloak.acme.com:8080/realms/demo/protocol/openid-connect/logout
Save the configurations and we are done with the identity provider configurations.
3. Adding Pickup Dispatch as the service provider
- Click Service Providers -> Add in the Management Console
- Provide a suitable name and a description and click on register
- Go to Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration and click on Configure
- Set the callback Url as follows and click on update
http://{tomcat_host}:{tomcat_port}/pickup-dispatch/oauth2clienthttp://localhost:8181/pickup-dispatch/oauth2client
- Expand the Local & Outbound Authentication Configuration and set the Authentication Type to Federated Authentication and select the authenticator keycloak
Retrieve the OAuth Client Key and the OAuth Client Secret and save the configurations. Now we have completed the service provider configurations.
Configuring the sample app
In this setup, we are hosting the webapp in an Apache Tomcat Server.
- Download the pickup-dispatch sample app from the samples-is releases.
- Copy the downloaded .war file to the <TOMCAT_HOME>/webapps directory.
- Open the dispatch.properties file in the <TOMCAT_HOME>/webapps/pickup-dispatch/WEB-INF/classes directory.
- Set the configurations as follows:
consumerKey=tuyEmKZcLP8KV9f1nLUQ7hIBNxka
consumerSecret=f4uhFvPJDUarC1kbXN2N4zn3o9wacallBackUrl=http://localhost:8181/pickup-dispatch/oauth2client
scope=openid internal_application_mgt_view
authzGrantType=codeenableOIDCSessionManagement=false
enableOIDCBackchannelLogout=true
authzEndpoint=https://wso2is.acme.com:9443/oauth2/authorize
OIDC_LOGOUT_ENDPOINT=https://wso2is.acme.com:9443/oidc/logout
sessionIFrameEndpoint=https://wso2is.acme.com:9443/oidc/checksession
tokenEndpoint=https://wso2is.acme.com:9443/oauth2/token
claimManagementEndpoint=https://wso2is.acme.com:9443/services/ClaimMetadataManagementServicepost_logout_redirect_uri=http://localhost:8181/pickup-dispatch/oauth2client
api_endpoint=http://localhost:39090/bookingsadminUsername=admin
adminPassword=admin
5. Add the pulic key with CN=wso2is.acme.com (obtained during hostname change in the WSO2 Identity Server) to the wso2carbon.jks keystore in <TOMCAT_HOME>/webapps/pickup-dispatch/WEB-INF/classes directory.
6. Save the configurations and restart the Tomcat server.
Trying Out
- Go to the webapp landing page and click on login
http://localhost:8181/pickup-dispatch/index.jsp
Then you will be redirected to the Keycloak authentication endpoint. There, enter the credentials of the user we previously created in our realm.
After succesful authentication, the user infomation is sent back to the WSO2 Identity server and there, the WSO2 Identity server prompts for the user consent for sharing attributes with the sample app.
When you allow consent, the user is redirected back to the sample application home page.
Thanks for reading!
