Keycloak & Cloudron
-
I'm working with a volunteer team that's building an SSO system based on Keycloak. I don't know a ton about keycloak, but I've been trying to learn. I'm wondering if anyone here built an app with keycloak before and how they integrated the built-in LDAP to tie it in with Cloudron. I don't have a specific question so much as I'm curious to see if anyone else is using these tools together and if so, how?
@ianhyzy I finally managed to run Keycloak on Cloudron after a few days of trying. Most of the code is from this repository. The author seemed to have used a heavily modified configuration file, tailored to fit their needs. Also they had a two-step build system, where they pushed a customized Keycloak image to the hub, then the actual Cloudron app made use of the previously pushed image. That didn't seem necessary.
So, I wrote a simple build script that would:
- spawn a fresh installation of Keycloak
- export the default master realm configuration
- adds LDAP and SMTP configuration for Cloudron to the exported file
The app I put together is based on
cloudron/base:3.2and makes use of the freshly exported and customized configuration file, which IMO is more compatible with Keycloak updates.I'll publish the code on Github this weekend. I'm planning to use this instance to install Outline because it now supports a custom OIDC auth provider.
Cheers!
-
@ianhyzy I finally managed to run Keycloak on Cloudron after a few days of trying. Most of the code is from this repository. The author seemed to have used a heavily modified configuration file, tailored to fit their needs. Also they had a two-step build system, where they pushed a customized Keycloak image to the hub, then the actual Cloudron app made use of the previously pushed image. That didn't seem necessary.
So, I wrote a simple build script that would:
- spawn a fresh installation of Keycloak
- export the default master realm configuration
- adds LDAP and SMTP configuration for Cloudron to the exported file
The app I put together is based on
cloudron/base:3.2and makes use of the freshly exported and customized configuration file, which IMO is more compatible with Keycloak updates.I'll publish the code on Github this weekend. I'm planning to use this instance to install Outline because it now supports a custom OIDC auth provider.
Cheers!
-
@nj that will be awesome! Will go well together with the upcoming feature that exposes the Cloudron's LDAP server as well. As in, people can choose which LDAP server they want. Keycloak, I am sure can probably do a lot more than our LDAP server.
-
@girish, is there a way to import only active users when syncing users with LDAP?
After setting up Keycloak, only the "active" users could log in to Keycloak. But when I try to import active users to Keycloak, all users were imported, including those who were marked as not active in my Cloudron Users dashboard. -
@girish, is there a way to import only active users when syncing users with LDAP?
After setting up Keycloak, only the "active" users could log in to Keycloak. But when I try to import active users to Keycloak, all users were imported, including those who were marked as not active in my Cloudron Users dashboard. -
@nj is there a reason not to sync the inactive user information as well? Are you thinking of because of performance or is the active flag getting overwritten or something else?
@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP. On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server. In such cases, Keycloak does not have any way to know whether the users are still active. That's why I asked if there's any filter that I can apply to only fetch/sync active users.
-
@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP. On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server. In such cases, Keycloak does not have any way to know whether the users are still active. That's why I asked if there's any filter that I can apply to only fetch/sync active users.
@nj said in Keycloak & Cloudron:
@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP
Yes, that's the case. When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right? Or have you made some custom patch to expose Cloudron LDAP to external apps ?
On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server.
I don't get this part... How can Keycloak sync from Cloudron ? (unless, of course, you have made some custom patch to expose Cloudron LDAP...).
(So, if the above is true, we can expose the active flag via LDAP. That should be straightforward, if that's what you are asking).
-
@nj said in Keycloak & Cloudron:
@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP
Yes, that's the case. When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right? Or have you made some custom patch to expose Cloudron LDAP to external apps ?
On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server.
I don't get this part... How can Keycloak sync from Cloudron ? (unless, of course, you have made some custom patch to expose Cloudron LDAP...).
(So, if the above is true, we can expose the active flag via LDAP. That should be straightforward, if that's what you are asking).
When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right?
Yes. I recently built and run Keycloak as an app on my Cloudron instance.
we can expose the active flag via LDAP.
That's exactly what I want. If you could expose the
activeflag via LDAP, I could use a filter like(&(objectClass=user)(isActive=true))to only fetch active users.I'm not a native English speaker, so excuse the confusion that I caused.
-
When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right?
Yes. I recently built and run Keycloak as an app on my Cloudron instance.
we can expose the active flag via LDAP.
That's exactly what I want. If you could expose the
activeflag via LDAP, I could use a filter like(&(objectClass=user)(isActive=true))to only fetch active users.I'm not a native English speaker, so excuse the confusion that I caused.
@nj I just made a fix in fact to not list inactive users in ldap at all. I think that was an oversight. After all, we don't want those users to appear in LDAP searches. Maybe you can try this patch - https://git.cloudron.io/cloudron/box/-/commit/8958b154e96832688896dafccf7350bad575b0a9
-
@nj I just made a fix in fact to not list inactive users in ldap at all. I think that was an oversight. After all, we don't want those users to appear in LDAP searches. Maybe you can try this patch - https://git.cloudron.io/cloudron/box/-/commit/8958b154e96832688896dafccf7350bad575b0a9
@girish That worked. By the way, is there a plan to package Keycloak? I managed to run Keycloak and Outline on Cloudron. Keycloak needed some patching to make it work on the read-only system without mounting everything to /app/data. Outline wiki app can be easily set up to authenticate using Keycloak. Both apps seem to be working as they should. Do you think we can publish those apps to the Cloudron App Store? That would be my first experience publishing an app.
Currently, I am packaging the Outline app to directly authenticate with the Cloudron user directory without the need to install Keycloak. If anyone is interested, I published a little more details in my blog. I'm doing another write-up describing the issues I solved while packaging Keylcloak.
-
@girish That worked. By the way, is there a plan to package Keycloak? I managed to run Keycloak and Outline on Cloudron. Keycloak needed some patching to make it work on the read-only system without mounting everything to /app/data. Outline wiki app can be easily set up to authenticate using Keycloak. Both apps seem to be working as they should. Do you think we can publish those apps to the Cloudron App Store? That would be my first experience publishing an app.
Currently, I am packaging the Outline app to directly authenticate with the Cloudron user directory without the need to install Keycloak. If anyone is interested, I published a little more details in my blog. I'm doing another write-up describing the issues I solved while packaging Keylcloak.
-
@nj Yes, we can get them published as time permits! If you post the links to the repos when they are sort of ready, we can take it from there.
-
-
Just spotted this: https://git.cloudron.io/cloudron/keycloak-app/ does anyone know the status of that project?
-
@girish would you add this to the appstore? https://git.cloudron.io/cloudron/keycloak-app/ It seems complete?
-
Strange there is no app request for keycloak. @Sam_uk do you think you can open an app request topic ?
@girish Or move this one? It seems to have all the useful links in so far.
-
Strange there is no app request for keycloak. @Sam_uk do you think you can open an app request topic ?
-
@girish I'm tempted not to.
I think my position is that Authentik is the better app, which would provide everything that Keycloak does.
