Keycloak & Cloudron

ianhyzy

I'm working with a volunteer team that's building an SSO system based on Keycloak. I don't know a ton about keycloak, but I've been trying to learn. I'm wondering if anyone here built an app with keycloak before and how they integrated the built-in LDAP to tie it in with Cloudron. I don't have a specific question so much as I'm curious to see if anyone else is using these tools together and if so, how?

nj

@ianhyzy I finally managed to run Keycloak on Cloudron after a few days of trying. Most of the code is from this repository. The author seemed to have used a heavily modified configuration file, tailored to fit their needs. Also they had a two-step build system, where they pushed a customized Keycloak image to the hub, then the actual Cloudron app made use of the previously pushed image. That didn't seem necessary.

So, I wrote a simple build script that would:

• spawn a fresh installation of Keycloak
• export the default master realm configuration
• adds LDAP and SMTP configuration for Cloudron to the exported file

The app I put together is based on cloudron/base:3.2 and makes use of the freshly exported and customized configuration file, which IMO is more compatible with Keycloak updates.

I'll publish the code on Github this weekend. I'm planning to use this instance to install Outline because it now supports a custom OIDC auth provider.

Cheers!

girish

@nj that will be awesome! Will go well together with the upcoming feature that exposes the Cloudron's LDAP server as well. As in, people can choose which LDAP server they want. Keycloak, I am sure can probably do a lot more than our LDAP server.

nj

@girish I think I didn’t make it clear enough earlier. The Keycloak app itself doesn’t support working as a LDAP server, but makes use of Cloudron LDAP to federate users from Cloudron. It works as a OIDC server. So it’s a pretty trivial setup..

nj

@girish, is there a way to import only active users when syncing users with LDAP?
After setting up Keycloak, only the "active" users could log in to Keycloak. But when I try to import active users to Keycloak, all users were imported, including those who were marked as not active in my Cloudron Users dashboard.

girish

@nj is there a reason not to sync the inactive user information as well? Are you thinking of because of performance or is the active flag getting overwritten or something else?

nj

@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP. On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server. In such cases, Keycloak does not have any way to know whether the users are still active. That's why I asked if there's any filter that I can apply to only fetch/sync active users.

girish

@nj said in Keycloak & Cloudron:

@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP

Yes, that's the case. When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right? Or have you made some custom patch to expose Cloudron LDAP to external apps ?

On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server.

I don't get this part... How can Keycloak sync from Cloudron ? (unless, of course, you have made some custom patch to expose Cloudron LDAP...).

(So, if the above is true, we can expose the active flag via LDAP. That should be straightforward, if that's what you are asking).

nj

@girish

When you say "Cloudron LDAP" you mean the apps installed on Cloudron, right?

Yes. I recently built and run Keycloak as an app on my Cloudron instance.

we can expose the active flag via LDAP.

That's exactly what I want. If you could expose the active flag via LDAP, I could use a filter like (&(objectClass=user)(isActive=true)) to only fetch active users.

I'm not a native English speaker, so excuse the confusion that I caused.

girish

@nj I just made a fix in fact to not list inactive users in ldap at all. I think that was an oversight. After all, we don't want those users to appear in LDAP searches. Maybe you can try this patch - https://git.cloudron.io/cloudron/box/-/commit/8958b154e96832688896dafccf7350bad575b0a9

nj

@girish That worked. By the way, is there a plan to package Keycloak? I managed to run Keycloak and Outline on Cloudron. Keycloak needed some patching to make it work on the read-only system without mounting everything to /app/data. Outline wiki app can be easily set up to authenticate using Keycloak. Both apps seem to be working as they should. Do you think we can publish those apps to the Cloudron App Store? That would be my first experience publishing an app.

Currently, I am packaging the Outline app to directly authenticate with the Cloudron user directory without the need to install Keycloak. If anyone is interested, I published a little more details in my blog. I'm doing another write-up describing the issues I solved while packaging Keylcloak.

girish

@nj Yes, we can get them published as time permits! If you post the links to the repos when they are sort of ready, we can take it from there.

Sam_uk

@nj I'm interested in this, is your code available anywhere please?

cuzy-app

https://git.cloudron.io/cloudron/keycloak-app/

Sam_uk

Just spotted this: https://git.cloudron.io/cloudron/keycloak-app/ does anyone know the status of that project?

Sam_uk

@girish would you add this to the appstore? https://git.cloudron.io/cloudron/keycloak-app/ It seems complete?

girish

@Sam_uk mm, not really, it seems to have some compose files etc. I can't find pawel on this forum to tag but I am not even sure who created that repo and why it's in the cloudron namespace. But worth looking into.

girish

Strange there is no app request for keycloak. @Sam_uk do you think you can open an app request topic ?

marcusquinn

@girish Or move this one? It seems to have all the useful links in so far.

Sam_uk

@girish I'm tempted not to.

I think my position is that Authentik is the better app, which would provide everything that Keycloak does.

girish

@Sam_uk ah ok, I upvoted that one

nj

@girish Please check this out. I previously packaged Keycloak but suddenly the Keycloak team decided to deprecate the Wildfly version and started supporting Quarkus runtime. So I had to re-package it again. Took a while during the weekdays.

https://github.com/njsubedi/cloudron-keycloak

Sam_uk

@nj Great stuff, thanks I'll have a go at installing it sometime this week.

girish

@nj thanks! this is awesome, added to our list of packages to push out.

Sam_uk

@girish

Just to update https://github.com/njsubedi/cloudron-keycloak seems to be working well so far.

Configured Nextcloud, Humhub & Rocketchat to use it.

marcusquinn

@girish @nebulon Maybe it makes sense to consider making this an add-on app and option to enable for apps that can support it. Very valuable to us, and could look at helping with sponsorship if that motivates.

nj

Update available: Keycloak 7.0.1

Sam_uk

@nj I've run into an issue with using custom themes on Keycloak: https://github.com/njsubedi/cloudron-keycloak/issues/5

Does this seem to be specific to a Cloudron install? It works on a more conventional install for us.

Can anyone suggest how to troubleshoot or fix?

timconsidine

@nj awesome ! thank you !

I just installed it as a custom app. Looks great. BUT ...

I haven't a scoobies how to use it !
There's far too many words on their website, and far too many options in the app.

2 questions :

• the sync of Cloudron users does not seem to complete, although app says completed.
• how do I add an app to be protected by Keycloak ?

nj

Update available for Keycloak 18.0.0. Up and running without issues for a while.

https://github.com/njsubedi/cloudron-keycloak

nj

Update available v18.0.1

nj

Update available 18.0.2

nj

Update available v19.0.1

jdaviescoates

@staff we should get this in the app store, no?

BrutalBirdie

@nj && @jdaviescoates
I just tested the app but ended up with an error state.

# Clone the repo
git clone https://github.com/njsubedi/cloudron-keycloak.git; cd cloudron-keycloak

# build the app
cloudron build --set-repository dr.cloudron.dev/$(jq -r .id < CloudronManifest.json) --tag $(jq -r .version < CloudronManifest.json)

# Install the app
cloudron install -l keycloak.cloudron.dev

log:
https://paste.cloudron.dev/hemoxaroni.log

nj

@BrutalBirdie It seems the problem only occurs in new installation. Since I've always been updating from previous versions, the error didn't show up. I'm fixing it now; and will update you when done.

Issue: Starting v19.0, Keycloak would require kc.sh --optimized to start Keycloak. Otherwise it would try to run kc.sh build before starting. That resulted in failure in the readonly system.

Issue 2: I had set optionalSso=true but that lead to another issue where CLOUDRON_LDAP_URL variable would be unbound when installed from CLI. I don't think this was the default behaviour when I first packaged Cloudron. Anyway, I have set optionalSso=false just in case Cloudron's default changes again.

The package should build and install correctly. PS: I'll start testing on fresh installs from next releases, so it should not repeat again.

https://github.com/njsubedi/cloudron-keycloak/releases/tag/v19.0.1-patch2

BrutalBirdie

@nj lgtm - Install checks out OK.

Now there are tests missing for the app.
If I create the tests they will be rudimentary and will not cover much of the functionality of the app it self.

@nj could you also write the tests?
If you need support regarding the tests I can point you in the right directions.

nj

@BrutalBirdie do you mean the Cloudron's usual tests to see if the app installs, backs up and restores correctly? If so I don't think I'll do that because you guys better know how to do that.

BrutalBirdie

@nj
Okay.
My next free week is in around 2/3 Weeks

The basic tests you could just copy paste from any other app.
But when I got the time again I will tackle this task.

Sam_uk

Is anyone working on the tests for this?

What do the tests need to do?

Sam_uk

@Sam_uk @BrutalBirdie

Do you know when you'll have time to look at this?

nj

There is an update to v20.0.2.

jdaviescoates

@nj thanks!

@staff be great of all these apps @nj has packaged could find themselves into the App Store!

cuzy-app

Thanks @nj !
+1 for the App Store!

nj

There is an update to the latest Keycloak version at v20.0.3. I recommed this update because of many bugfixes in the upstream repo.

New Feauture in this package: Support for Mail FROM Address.

cuzy-app

Thanks @nj for this great update!
Has anyone managed to update?
I'm stuck with this issue: https://github.com/njsubedi/cloudron-keycloak/issues/7

jayonrails

Hi,

seems like I have a similar issue. Maybe someone can help? I am not able to build the Keycloak package.

See my issue report on GitHub: https://github.com/njsubedi/cloudron-keycloak/issues/8

Best
Jay

BrutalBirdie

I could build, install and use the https://github.com/njsubedi/cloudron-keycloak master branch with no problems.

girish

@BrutalBirdie thanks for testing, will prioritize getting this published.

Sam_uk

@girish Great stuff! We're a bit stuck on this one at the moment: https://github.com/njsubedi/cloudron-keycloak/issues/7#issuecomment-1384001649