Chapter 4. Enabling and configuring the Keycloak plugin

Procedure

1. The Keycloak plugin is pre-loaded in Developer Hub with basic configuration properties. To enable it, set the disabled property to false as follows:

   global:
     dynamic:
       includes:
         - dynamic-plugins.default.yaml
       plugins:
         - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
           disabled: false

   Copy to Clipboard Toggle word wrap

Procedure

1. To configure the Keycloak plugin, add the following in your app-config.yaml file:

   schedule

   Configure the schedule frequency, timeout, and initial delay. The fields support cron, ISO duration, "human duration" as used in code.

        catalog:
          providers:
            keycloakOrg:
              default:
                schedule:
                  frequency: { minutes: 1 }
                  timeout: { minutes: 1 }
                  initialDelay: { seconds: 15 }

   Copy to Clipboard Toggle word wrap

   userQuerySize and groupQuerySize

   Optionally, configure the Keycloak query parameters to define the number of users and groups to query at a time. Default values are 100 for both fields.

      catalog:
        providers:
          keycloakOrg:
            default:
              userQuerySize: 100
              groupQuerySize: 100

   Copy to Clipboard Toggle word wrap

   Authentication

   Communication between Developer Hub and Keycloak is enabled by using the Keycloak API. Username and password, or client credentials are supported authentication methods.

   The following table describes the parameters that you can configure to enable the plugin under catalog.providers.keycloakOrg.<ENVIRONMENT_NAME> object in the app-config.yaml file:

   Expand

   Name	Description	Default Value	Required
   baseUrl	Location of the Keycloak server, such as https://localhost:8443/auth.	""	Yes
   realm	Realm to synchronize	master	No
   loginRealm	Realm used to authenticate	master	No
   username	Username to authenticate	""	Yes if using password based authentication
   password	Password to authenticate	""	Yes if using password based authentication
   clientId	Client ID to authenticate	""	Yes if using client credentials based authentication
   clientSecret	Client Secret to authenticate	""	Yes if using client credentials based authentication
   userQuerySize	Number of users to query at a time	100	No
   groupQuerySize	Number of groups to query at a time	100	No

   Show more

2. When using client credentials

   1. Set the access type to confidential.
   2. Enable service accounts.

   3. Add the following roles from the realm-management client role:

      • query-groups
      • query-users
      • view-users

3. Optionally, if you have self-signed or corporate certificate issues, you can set the following environment variable before starting Developer Hub:

   NODE_TLS_REJECT_UNAUTHORIZED=0

   Copy to Clipboard Toggle word wrap
   Warning

   Setting the environment variable is not recommended.