Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 3. Authenticating with Red Hat Build of Keycloak (RHBK)

To authenticate users with Red Hat Build of Keycloak (RHBK):

  1. Enable the OpenID Connect (OIDC) authentication provider in RHDH.
  2. Provision users from Red Hat Build of Keycloak (RHBK) to the software catalog.

3.1. Enabling authentication with Red Hat Build of Keycloak (RHBK)
Copiar enlace

To authenticate users with Red Hat Build of Keycloak (RHBK), enable the OpenID Connect (OIDC) authentication provider in Red Hat Developer Hub.

Prerequisites

Procedure

  1. To allow Developer Hub to authenticate with RHBK, complete the steps in RHBK, to create a realm and a user and secure the first application:

    1. Use an existing realm, or create a realm, with a distinctive Name such as <my_realm>. Save the value for the next step:

      • RHBK realm base URL, such as: <your_rhbk_URL>/realms/<your_realm>.

    2. To register your Developer Hub in RHBK, in the created realm, secure the first application, with:

      1. Client ID: A distinctive client ID, such as <RHDH>.
      2. Valid redirect URIs: Set to the OIDC handler URL: https://<RHDH_URL>/api/auth/oidc/handler/frame.
      3. Navigate to the Credentials tab and copy the Client secret.

      4. Save the values for the next step:

        • Client ID
        • Client Secret
    3. To prepare for the verification steps, in the same realm, get the credential information for an existing user or create a user. Save the user credential information for the verification steps.

  2. To add your RHSSO credentials to your Developer Hub, add the following key/value pairs to your Developer Hub secrets:

    AUTH_OIDC_CLIENT_ID
    Enter the saved Client ID.
    AUTH_OIDC_CLIENT_SECRET
    Enter the saved Client Secret.
    AUTH_OIDC_METADATA_URL
    Enter the saved RHBK realm base URL.

  3. To set up the RHBK authentication provider in your Developer Hub custom configuration, edit your custom Developer Hub ConfigMap such as app-config-rhdh, and add the following lines to the app-config.yaml content:

    1. Configure mandatory fields:

      app-config.yaml fragment with mandatory fields to enable authentication with RHBK

      auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${AUTH_OIDC_METADATA_URL}
        clientId: ${AUTH_OIDC_CLIENT_ID}
        clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
        prompt: auto
signInPage: oidc
      Copy to Clipboard Toggle word wrap

      environment: production
      Mark the environment as production to hide the Guest login in the Developer Hub home page.
      metadataUrl, clientId, clientSecret
      To configure the OIDC provider with your secrets.
      sigInPage: oidc
      To enable the OIDC provider as default sign-in provider.
      prompt: auto
      To allow the identity provider to automatically determine whether to prompt for credentials or bypass the login redirect if an active RHSSO session exists.
Note

If prompt: auto is not set, the identity provider defaults to prompt: none, which assumes that you are already logged in and rejects sign-in requests without an active session.

callbackUrl

RHBK callback URL.

app-config.yaml fragment with optional callbackURL field

auth:
  providers:
    oidc:
      production:
        callbackUrl: ${AUTH_OIDC_CALLBACK_URL}
Copy to Clipboard Toggle word wrap

tokenEndpointAuthMethod

Token endpoint authentication method.

app-config.yaml fragment with optional tokenEndpointAuthMethod field

auth:
  providers:
    oidc:
      production:
        tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_METHOD}
Copy to Clipboard Toggle word wrap

tokenSignedResponseAlg

Token signed response algorithm.

app-config.yaml fragment with optional tokenSignedResponseAlg field

auth:
  providers:
    oidc:
      production:
        tokenSignedResponseAlg: ${AUTH_OIDC_SIGNED_RESPONSE_ALG}
Copy to Clipboard Toggle word wrap

scope

RHBK scope.

app-config.yaml fragment with optional scope field

auth:
  providers:
    oidc:
      production:
        scope: ${AUTH_OIDC_SCOPE}
Copy to Clipboard Toggle word wrap

signIn
resolvers

After successful authentication, the user signing in must be resolved to an existing user in the Developer Hub catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: oidcSubClaimMatchingKeycloakUserId.

The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.

Warning

In production mode, only configure one resolver to ensure users are securely matched. resolver:::: Enter the sign-in resolver name. Available values: * oidcSubClaimMatchingKeycloakUserId * emailLocalPartMatchingUserEntityName * emailMatchingUserEntityProfileEmail * preferredUsernameMatchingUserEntityName

+ .app-config.yaml fragment with optional resolvers list 

auth:
  providers:
    oidc:
      production:
        signIn:
          resolvers:
            - resolver: oidcSubClaimMatchingKeycloakUserId
            - resolver: preferredUsernameMatchingUserEntityName
            - resolver: emailMatchingUserEntityProfileEmail
            - resolver: emailLocalPartMatchingUserEntityName
Copy to Clipboard Toggle word wrap
dangerouslyAllowSignInWithoutUserInCatalog: true

Configure the sign-in resolver to bypass the user provisioning requirement in the Developer Hub software catalog.

Warning

Use this option to explore Developer Hub features, but do not use it in production.

app-config-rhdh.yaml fragment with optional field to allow signing in users absent from the software catalog

auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${AUTH_OIDC_METADATA_URL}
        clientId: ${AUTH_OIDC_CLIENT_ID}
        clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
        signIn:
          resolvers:
            - resolver: oidcSubClaimMatchingKeycloakUserID
              dangerouslyAllowSignInWithoutUserInCatalog: true
signInPage: oidc
Copy to Clipboard Toggle word wrap

sessionDuration

Lifespan of the user session. Enter a duration in ms library format (such as '24h', '2 days'), ISO duration, or "human duration" as used in code.

app-config-rhdh.yaml fragment with optional sessionDuration field

auth:
  providers:
    github:
      production:
        sessionDuration: { hours: 24 }
Copy to Clipboard Toggle word wrap

auth
backstageTokenExpiration
To modify the Developer Hub token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration. The expiration value must be set between 10 minutes and 24 hours.

app-config.yaml fragment with optional auth.backstageTokenExpiration field

auth:
  backstageTokenExpiration: { minutes: <user_defined_value> }
Copy to Clipboard Toggle word wrap

Security consideration

If multiple valid refresh tokens are issued due to frequent refresh token requests, older tokens will remain valid until they expire. To enhance security and prevent potential misuse of older tokens, enable a refresh token rotation strategy in your RHBK realm.

  1. From the Configure section of the navigation menu, click Realm Settings.
  2. From the Realm Settings page, click the Tokens tab.
  3. From the Refresh tokens section of the Tokens tab, toggle the Revoke Refresh Token to the Enabled position.

Verification

  1. Go to the Developer Hub login page.
  2. Your Developer Hub sign-in page displays Sign in using OIDC and the Guest user sign-in is disabled.
  3. Log in with OIDC by using the saved Username and Password values.

Prerequisites

Procedure

  • To enable RHBK member discovery, edit your custom Developer Hub ConfigMap, such as app-config-rhdh, and add the following lines to the app-config.yaml content:

    app-config.yaml fragment with mandatory keycloakOrg fields

    catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: ${AUTH_OIDC_METADATA_URL}
        clientId: ${AUTH_OIDC_CLIENT_ID}
        clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
    Copy to Clipboard Toggle word wrap

    baseUrl
    Your RHBK server URL, defined when enabling authentication with RHBK.
    clientId
    Your Developer Hub application client ID in RHBK, defined when enabling authentication with RHBK.
    clientSecret
    Your Developer Hub application client secret in RHBK, defined when enabling authentication with RHBK.

    Optional: Consider adding the following optional fields:

    realm

    Realm to synchronize. Default value: master.

    app-config.yaml fragment with optional realm field

    catalog:
  providers:
    keycloakOrg:
      default:
        realm: master
    Copy to Clipboard Toggle word wrap

    loginRealm

    Realm used to authenticate. Default value: master.

    app-config.yaml fragment with optional loginRealm field

    catalog:
  providers:
    keycloakOrg:
      default:
        loginRealm: master
    Copy to Clipboard Toggle word wrap

    userQuerySize

    User number to query simultaneously. Default value: 100.

    app-config.yaml fragment with optional userQuerySize field

    catalog:
  providers:
    keycloakOrg:
      default:
        userQuerySize: 100
    Copy to Clipboard Toggle word wrap

    groupQuerySize

    Group number to query simultaneously. Default value: 100.

    app-config.yaml fragment with optional groupQuerySize field

    catalog:
  providers:
    keycloakOrg:
      default:
        groupQuerySize: 100
    Copy to Clipboard Toggle word wrap

    schedule.frequency

    To specify custom schedule frequency. Supports cron, ISO duration, and "human duration" as used in code.

    app-config.yaml fragment with optional schedule.frequency field

    catalog:
  providers:
    keycloakOrg:
      default:
        schedule:
          frequency: { hours: 1 }
    Copy to Clipboard Toggle word wrap

    schedule.timeout

    To specify custom timeout. Supports ISO duration and "human duration" as used in code.

    app-config.yaml fragment with optional schedule.timeout field

    catalog:
  providers:
    keycloakOrg:
      default:
        schedule:
          timeout: { minutes: 50 }
    Copy to Clipboard Toggle word wrap

    schedule.initialDelay

    To specify custom initial delay. Supports ISO duration and "human duration" as used in code.

    app-config.yaml fragment with optional schedule.initialDelay field

    catalog:
  providers:
    keycloakOrg:
      default:
        schedule:
          initialDelay: { seconds: 15}
    Copy to Clipboard Toggle word wrap

Verification

  1. Check the console logs to verify that the synchronization is completed.

    Successful synchronization example:

    {"class":"KeycloakOrgEntityProvider","level":"info","message":"Read 3 Keycloak users and 2 Keycloak groups in 1.5 seconds. Committing...","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"}
{"class":"KeycloakOrgEntityProvider","level":"info","message":"Committed 3 Keycloak users and 2 Keycloak groups in 0.0 seconds.","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"}
    Copy to Clipboard Toggle word wrap

  2. Log in with an RHBK account.

To customize how RHBK users and groups are mapped to Red Hat Developer Hub entities, you can create a backend module that uses the keycloakTransformerExtensionPoint to provide custom user and group transformers for the Keycloak backend.

Prerequisites

Procedure

  1. Create a new backend module with the yarn new command.

  2. Add your custom user and group transformers to the keycloakTransformerExtensionPoint.

    The following is an example of how the backend module can be defined:

    plugins/<module-name>/src/module.ts

    import {
  GroupTransformer,
  keycloakTransformerExtensionPoint,
  UserTransformer,
} from '@backstage-community/plugin-catalog-backend-module-keycloak';

const customGroupTransformer: GroupTransformer = async (
  entity, // entity output from default parser
  realm, // Keycloak realm name
  groups, // Keycloak group representation
) => {
  /* apply transformations */
  return entity;
};
const customUserTransformer: UserTransformer = async (
  entity, // entity output from default parser
  user, // Keycloak user representation
  realm, // Keycloak realm name
  groups, // Keycloak group representation
) => {
  /* apply transformations */
  return entity;
};

export const keycloakBackendModuleTransformer = createBackendModule({
  pluginId: 'catalog',
  moduleId: 'keycloak-transformer',
  register(reg) {
    reg.registerInit({
      deps: {
        keycloak: keycloakTransformerExtensionPoint,
      },
      async init({ keycloak }) {
        keycloak.setUserTransformer(customUserTransformer);
        keycloak.setGroupTransformer(customGroupTransformer);
        /* highlight-add-end */
      },
    });
  },
});
    Copy to Clipboard Toggle word wrap

    Important

    The module’s pluginId must be set to catalog to match the pluginId of the keycloak-backend; otherwise, the module fails to initialize.

  3. Install this new backend module into your Developer Hub backend. 

    backend.add(import(backstage-plugin-catalog-backend-module-keycloak-transformer))
    Copy to Clipboard Toggle word wrap

Verification

  • Developer Hub imports the users and groups each time when started. Check the console logs to verify that the synchronization is completed.

    Successful synchronization example:

    {"class":"KeycloakOrgEntityProvider","level":"info","message":"Read 3 Keycloak users and 2 Keycloak groups in 1.5 seconds. Committing...","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"}
{"class":"KeycloakOrgEntityProvider","level":"info","message":"Committed 3 Keycloak users and 2 Keycloak groups in 0.0 seconds.","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"}
    Copy to Clipboard Toggle word wrap

  • After the first import is complete, navigate to the Catalog page and select User to view the list of users.
  • When you select a user, you see the information imported from RHBK.
  • You can select a group, view the list, and access or review the information imported from RHBK.
  • You can log in with an RHBK account.
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat