Keycloak
Open Source Identity and Access Management that includes SSO, identity brokering, and user federation.
Install
# Install OpenJDK
$ sudo apt install default-jre
# Download and Run Keycloak
$ wget https://github.com/keycloak/keycloak/releases/download/17.0.1/keycloak-17.0.1.zip
$ unzip keycloak-17.0.1.zip
$ cd keycloak-17.0.1
$ bin/kc.sh start-dev &
$ ssh -L 9999:localhost:8080 user@ip-of-server
# Create Admin user- http://localhost:9999/
# AWS Security group allow inbound 8080
# Login: http://ip-of-server:8080
# Create a Realm
> Admin Console > Master > Create Realm
# Create A User
> Admin Console > Users > Add User > Fill in Data > Save
# Enable SSL while communicating, doesn't actually encrypt the web page you access?
> Admin Console > Realm Setting > Login > Require SSL > ALL Requests >
# Secure your app
> Admin Console > Clients > FIll in data: > save
Client ID: myclient
Client Protocol: openid-connect
Root URL: https://www.keycloak.org/app/
# Using Keycloak with Jupyterhub#
# Create Client ID
> Admin Console > Clients > Create > Fill out Form > Save
> ClientID > Settings > Access Type = Confidential
> ClientID > Settings > Valid Redirect URIs:
http://127.0.0.1:8001
http://127.0.0.1:8081/*
http://127.0.0.1:443/hub/home
http://127.0.0.1:443/*
> Admin Console > Clients > Client Name > Credentials Tab > Copy secret
# Add to jupyterhub_cofig.py
from oauthenticator.generic import GenericOAuthenticator
c.JupyterHub.authenticator_class = GenericOAuthenticator
c.GenericOAuthenticator.client_id = 'Jupyterhub'
c.GenericOAuthenticator.client_secret = 'client-secret'
c.GenericOAuthenticator.token_url = 'http://0.0.0.0:8080/auth/realms/keycloak-demo/protocol/openid-connect/token'
c.GenericOAuthenticator.userdata_url = 'http://0.0.0.0:8080/auth/realms/keycloak-demo/protocol/openid-connect/userinfo'
c.GenericOAuthenticator.userdata_params = {'state': 'state'}
c.GenericOAuthenticator.username_key = 'preferred_username'
c.GenericOAuthenticator.login_service = 'Keycloak'
c.GenericOAuthenticator.scope = ['openid', 'profile']
c.JupyterHub.spawner_class = 'jupyterhub.spawner.SimpleLocalProcessSpawner'
# You may not have to export these variables, just add them to the config, this looks confusing.
export OAUTH2_AUTHORIZE_URL=http://<keycloak-host:port>/auth/realms/keycloak-demo/protocol/openid-connect/authexport OAUTH2_TOKEN_URL=http://<keycloak-
host:port/auth/realms/keycloak-demo/protocol/openid-connect/token
# The Previous instructions will point Jupyterhub to Keycloak, now need to connect Keycloak to Azure
> Azure AD > App Registrations > Name & Select single tenant account > save
> Azure AD > Select new app made > Configuation & secrets > get client secret
# Keycloak settings
# Should choose most secure, following instrucitons here.
> Admin Console > Identity Providers > Open ID Connect v 1.0 > Add names & save
Next > Import External IDP Config > see the Import from URL field.
> Azure AD > App registration > See Endpoints.
References
https://linoxide.com/install-java-ubuntu-20-04/
https://www.keycloak.org/getting-started/getting-started-zip
https://www.keycloak.org/docs/latest/server_admin/
https://medium.com/keycloak/secure-jupyterlab-using-keycloak-56e60c369c5f
https://dev.to/andremoriya/keycloak-azure-active-directory-4cg4