Merge pull request #28 from wayofdev/feat/keycloak-tests

wayofdev · Mar 28, 2023 · d037777 · d037777
2 parents 08618d8 + 1370ced
commit d037777
Show file tree

Hide file tree

Showing 9 changed files with 183 additions and 31 deletions.
diff --git a/.env.example b/.env.example
@@ -30,7 +30,8 @@ KC_DB_URL_PORT=5432
 KC_DB_USERNAME=keycloak
 
 # Hostname
-KC_HOSTNAME=auth.${COMPOSE_PROJECT_NAME}.docker
+KC_HOSTNAME_URL=https://auth.${COMPOSE_PROJECT_NAME}.docker
+KC_HOSTNAME_ADMIN_URL=https://auth.${COMPOSE_PROJECT_NAME}.docker
 KC_HOSTNAME_STRICT=false
 KC_INTERNAL_HOSTNAME_URL=http://localhost:8080
 
@@ -50,13 +51,27 @@ KC_METRICS_ENABLED=false
 # Proxy
 KC_PROXY=passthrough
 
+# Custom theme for keycloak
+KC_THEME_REPOSITORY=wayofdev/keywind
+
 ### Initial Keycloak realm settings
+OIDC_ADMIN_REALM_DISPLAY_NAME="Company Administration"
 OIDC_ADMIN_REALM=operations
 OIDC_ADMIN_USER_ID=user
 OIDC_ADMIN_APP_SECRET=secret
 OIDC_ADMIN_APP_ID=app
 
+OIDC_CLIENT_REALM_DISPLAY_NAME="Company Clients"
 OIDC_CLIENT_REALM=client
 OIDC_CLIENT_USER_ID=user
 OIDC_CLIENT_APP_ID=app
 OIDC_CLIENT_APP_SECRET=secret
+
+### Identity Providers
+# Google
+OIDC_IDP_GOOGLE_CLIENT_ID=xxxxxxxxxxxx
+OIDC_IDP_GOOGLE_CLIENT_SECRET=xxxxxxxxxxxx
+
+# Facebook
+OIDC_IDP_FACEBOOK_CLIENT_ID=xxxxxxxxxxxx
+OIDC_IDP_FACEBOOK_CLIENT_SECRET=xxxxxxxxxxxx
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,5 @@ docker-compose.override.yaml
 .DS_Store
 .env
 traefik/certs/*
+keycloak/themes/*
+docs/workflows/authentication/http-client.env.json
diff --git a/Makefile b/Makefile
@@ -117,6 +117,10 @@ logs: ## Show logs for running containers in this project
 	$(DOCKER_COMPOSE) logs -f
 .PHONY: logs
 
+logs-keycloak: ## Show logs for running containers in this project
+	$(DOCKER_COMPOSE) logs keycloak -f
+.PHONY: logs
+
 ps: ## List running containers in this project
 	$(DOCKER_COMPOSE) ps
 .PHONY: ps
@@ -178,7 +182,7 @@ kc-up: ## Create and start keycloak container
 	$(DOCKER_COMPOSE) up -d keycloak
 .PHONY: kc-up
 
-kc-recreate: kc-clean kc-up _kc-wait kc-configure kc-update ## Stop, delete container and volume, then create and start new one
+kc-recreate: kc-clean kc-get-theme kc-up _kc-wait kc-configure kc-update ## Stop, delete container and volume, then create and start new one
 .PHONY: kc-recreate
 
 kc-clean: ## Removes keycloak, keycloak database containers and their volumes
@@ -192,16 +196,20 @@ _kc-wait:
 		-t 1m
 .PHONY: _kc-wait
 
-kc-configure:
+kc-configure: kc-get-theme
 	$(DOCKER_COMPOSE) exec -T keycloak sh /tmp/setup/setup-master-realm.sh
 	$(DOCKER_COMPOSE) exec -T keycloak sh /tmp/setup/setup-client-realm.sh
-	$(DOCKER_COMPOSE) exec -T keycloak sh /tmp/setup/setup-admin-realm.sh
+	$(DOCKER_COMPOSE) exec -T keycloak sh /tmp/setup/setup-operations-realm.sh
 .PHONY: kc-configure
 
 kc-update:
 	$(DOCKER_COMPOSE) exec -T keycloak sh /tmp/setup/update-realms.sh
 .PHONY: kc-update
 
+kc-get-theme:
+	wget https://github.com/$(KC_THEME_REPOSITORY)/releases/latest/download/keywind.jar -O keycloak/themes/keywind.jar
+.PHONE: kc-get-theme
+
 mkcert:
 	mkcert -key-file keycloak/certs/key.pem -cert-file keycloak/certs/cert.pem auth.wod.docker *.wod.docker
 .PHONY: mkcert
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -67,6 +67,7 @@ services:
     container_name: ${COMPOSE_PROJECT_NAME_SAFE}_keycloak
     restart: on-failure
     volumes:
+      - ./keycloak/themes/keywind.jar:/opt/keycloak/providers/keywind.jar
       - ./keycloak/certs/cert.pem:/opt/keycloak/conf/cert.pem
       - ./keycloak/certs/key.pem:/opt/keycloak/conf/key.pem
       - ./keycloak/setup:/tmp/setup:ro
@@ -94,11 +95,6 @@ services:
       - traefik.http.routers.keycloak-${COMPOSE_PROJECT_NAME_SLUG}.tls=true
       - traefik.http.services.keycloak-${COMPOSE_PROJECT_NAME_SLUG}.loadbalancer.server.port=${KC_HTTP_PORT}
     entrypoint: ["/opt/keycloak/bin/kc.sh", "start-dev"]
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080"]
-      interval: 5s
-      timeout: 2s
-      retries: 15
 
 volumes:
   rabbitmq_data:

diff --git a/docs/workflows/authentication/api-oidc-client.http b/docs/workflows/authentication/api-oidc-client.http
@@ -0,0 +1,61 @@
+### Successful User Login
+
+POST {{public_url}}/token
+Content-Type: application/x-www-form-urlencoded
+User-Agent: PhpStorm
+
+client_id=user&username=john.roe&password=john.roe&grant_type=password
+
+> {%
+    client.global.set("access_token", response.body.access_token);
+    client.global.set("refresh_token", response.body.refresh_token);
+%}
+
+### Failed User Login
+
+POST {{public_url}}/token
+Accept: application/json
+Content-Type: application/x-www-form-urlencoded
+User-Agent: PhpStorm
+
+client_id=user&username=john.roe&password=wrong&grant_type=password
+
+### Successful Logout
+
+POST {{public_url}}/logout
+Accept: application/json
+Content-Type: application/x-www-form-urlencoded
+X-Auth-Refresh-Token: {{refresh_token}}
+User-Agent: PhpStorm
+
+client_id=user&refresh_token={{refresh_token}}
+
+### Failed Logout
+
+POST {{public_url}}/logout
+Accept: application/json
+Content-Type: application/x-www-form-urlencoded
+X-Auth-Refresh-Token: {{refresh_token}}
+User-Agent: PhpStorm
+
+client_id=user&refresh_token=invalid_token
+
+### Successful Refresh-Token
+
+POST {{public_url}}/refresh
+Accept: application/json
+Content-Type: application/x-www-form-urlencoded
+X-Auth-Refresh-Token: {{refresh_token}}
+User-Agent: PhpStorm
+
+client_id=user&grant_type=refresh_token&refresh_token={{refresh_token}}
+
+### Failed Refresh-Token
+
+POST {{public_url}}/refresh
+Accept: application/json
+Content-Type: application/x-www-form-urlencoded
+X-Auth-Refresh-Token: {{refresh_token}}
+User-Agent: PhpStorm
+
+client_id=user&grant_type=refresh_token&refresh_token=invalid_token
diff --git a/docs/workflows/authentication/http-client.env.json.dist b/docs/workflows/authentication/http-client.env.json.dist
@@ -0,0 +1,24 @@
+{
+    "development": {
+        "client_username": "john.roe",
+        "client_password": "john.roe",
+        "agent_username": "john.doe",
+        "agent_password": "john.doe",
+        "public_url": "https://auth.vbase.docker/realms/client/protocol/openid-connect",
+        "private_url": "https://auth.vbase.docker/realms/operations/protocol/openid-connect",
+        "third_party_url": "https://auth.vbase.docker/realms/third-party/protocol/openid-connect",
+        "auth_url": "https://auth.vbase.docker",
+        "private_api_key": "secret"
+    },
+    "production": {
+        "client_username": "john.roe",
+        "client_password": "john.roe",
+        "agent_username": "john.doe",
+        "agent_password": "john.doe",
+        "public_url": "https://auth.vbase.io/realms/client/protocol/openid-connect",
+        "private_url": "https://auth.vbase.io/realms/operations/protocol/openid-connect",
+        "third_party_url": "https://auth.vbase.io/realms/third-party/protocol/openid-connect",
+        "auth_url": "https://auth.vbase.io",
+        "private_api_key": "secret"
+    }
+}
diff --git a/keycloak/setup/setup-client-realm.sh b/keycloak/setup/setup-client-realm.sh
@@ -9,22 +9,29 @@ ${KCADM} config credentials --server "$KC_INTERNAL_HOSTNAME_URL" --realm master
 ${KCADM} create realms \
     -s "realm=${OIDC_CLIENT_REALM}" \
     -s enabled=true \
-    -s 'displayName="Company Clients"' \
+    -s displayName="${OIDC_CLIENT_REALM_DISPLAY_NAME}" \
     -s accessTokenLifespan=300 \
     -s ssoSessionIdleTimeout=3600 \
     -s ssoSessionMaxLifespan=3600 \
     -s revokeRefreshToken=true \
     -s refreshTokenMaxReuse=0 \
     -s defaultSignatureAlgorithm=RS256 \
-    -s editUsernameAllowed=true
+    -s editUsernameAllowed=true \
+    -s registrationEmailAsUsername=true \
+    -s registrationAllowed=true \
+    -s resetPasswordAllowed=true \
+    -s rememberMe=true \
+    -s duplicateEmailsAllowed=false \
+    -s loginTheme=keywind
 
 ${KCADM} create clients -r "${OIDC_CLIENT_REALM}" -f - <<EOF
 {
       "protocol": "openid-connect",
       "clientId": "${OIDC_CLIENT_APP_ID}",
       "directAccessGrantsEnabled": true,
       "webOrigins": ["*"],
-      "standardFlowEnabled": false,
+      "redirectUris": ["*"],
+      "standardFlowEnabled": true,
       "clientAuthenticatorType": "client-secret",
       "secret": "${OIDC_CLIENT_APP_SECRET}",
       "bearerOnly": false,
@@ -43,8 +50,9 @@ ${KCADM} create clients -r "${OIDC_CLIENT_REALM}" -f - <<EOF
     "clientId": "${OIDC_CLIENT_USER_ID}",
     "directAccessGrantsEnabled": true,
     "webOrigins": ["*"],
+    "redirectUris": ["*"],
     "bearerOnly": false,
-    "standardFlowEnabled": false,
+    "standardFlowEnabled": true,
     "publicClient": true,
     "serviceAccountsEnabled": false,
     "authorizationServicesEnabled": false,
@@ -55,18 +63,47 @@ ${KCADM} create clients -r "${OIDC_CLIENT_REALM}" -f - <<EOF
 EOF
 
 ### Users
-${KCADM} create users -r "${OIDC_CLIENT_REALM}" -s enabled=true -s emailVerified=true -s username=john.roe -s [email protected] -s firstName=John -s lastName=Roe
-${KCADM} set-password -r "${OIDC_CLIENT_REALM}" --username john.roe --new-password john.roe
+${KCADM} create users -r "${OIDC_CLIENT_REALM}" -s enabled=true -s emailVerified=true -s username=john.roe@wayof.dev -s [email protected] -s firstName=John -s lastName=Roe
+${KCADM} set-password -r "${OIDC_CLIENT_REALM}" --username john.roe@wayof.dev --new-password john.roe
 
-${KCADM} create users -r "${OIDC_CLIENT_REALM}" -s enabled=true -s emailVerified=true -s username=jane.roe -s [email protected] -s firstName=Jane -s lastName=Roe
-${KCADM} set-password -r "${OIDC_CLIENT_REALM}" --username jane.roe --new-password jane.roe
+${KCADM} create users -r "${OIDC_CLIENT_REALM}" -s enabled=true -s emailVerified=true -s username=jane.roe@wayof.dev -s [email protected] -s firstName=Jane -s lastName=Roe
+${KCADM} set-password -r "${OIDC_CLIENT_REALM}" --username jane.roe@wayof.dev --new-password jane.roe
 
-${KCADM} create users -r "${OIDC_CLIENT_REALM}" -s enabled=true -s emailVerified=true -s username=johnny.roe -s [email protected] -s firstName=Johnny -s lastName=Roe
-${KCADM} set-password -r "${OIDC_CLIENT_REALM}" --username johnny.roe --new-password johnny.roe
+${KCADM} create users -r "${OIDC_CLIENT_REALM}" -s enabled=true -s emailVerified=true -s username=johnny.roe@wayof.dev -s [email protected] -s firstName=Johnny -s lastName=Roe
+${KCADM} set-password -r "${OIDC_CLIENT_REALM}" --username johnny.roe@wayof.dev --new-password johnny.roe
 
 ### Roles
 ${KCADM} add-roles \
     -r "${OIDC_CLIENT_REALM}" \
     --uusername "service-account-${OIDC_CLIENT_APP_ID}" \
     --cclientid realm-management \
     --rolename manage-users
+
+### Identity Providers
+${KCADM} create identity-provider/instances -r "${OIDC_CLIENT_REALM}" -f - <<EOF
+{
+    "alias": "google",
+    "providerId": "google",
+    "enabled": true,
+    "trustEmail": true,
+    "config": {
+        "useJwksUrl": true,
+        "clientId": "${OIDC_IDP_GOOGLE_CLIENT_ID}",
+        "clientSecret": "${OIDC_IDP_GOOGLE_CLIENT_SECRET}"
+    }
+}
+EOF
+
+${KCADM} create identity-provider/instances -r "${OIDC_CLIENT_REALM}" -f - <<EOF
+{
+    "alias": "facebook",
+    "providerId": "google",
+    "enabled": true,
+    "trustEmail": true,
+    "config": {
+        "useJwksUrl": true,
+        "clientId": "${OIDC_IDP_FACEBOOK_CLIENT_ID}",
+        "clientSecret": "${OIDC_IDP_FACEBOOK_CLIENT_SECRET}"
+    }
+}
+EOF
diff --git a/keycloak/setup/setup-master-realm.sh b/keycloak/setup/setup-master-realm.sh
@@ -7,8 +7,8 @@ KCADM=/opt/keycloak/bin/kcadm.sh
 ${KCADM} config credentials --server "$KC_INTERNAL_HOSTNAME_URL" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD"
 
 ${KCADM} update realms/master \
-    -s 'displayName=w*d auth' \
-    -s 'displayNameHtml=<img src="https://wayof.dev/assets/logo.gh-light-mode-only.png" width="148">'
+    -s 'displayName="Master Login"' \
+    -s loginTheme=keywind
 
 REALM_MASTER_FILE=/tmp/setup/realms/realm-master.json
 if [ -f $REALM_MASTER_FILE ]; then

diff --git a/keycloak/setup/setup-admin-realm.sh → keycloak/setup/setup-operations-realm.sh b/keycloak/setup/setup-admin-realm.sh → keycloak/setup/setup-operations-realm.sh
@@ -9,21 +9,29 @@ ${KCADM} config credentials --server "$KC_INTERNAL_HOSTNAME_URL" --realm master
 ${KCADM} create realms \
     -s "realm=${OIDC_ADMIN_REALM}" \
     -s enabled=true \
-    -s 'displayName="Company Employees"' \
+    -s displayName="${OIDC_ADMIN_REALM_DISPLAY_NAME}" \
     -s accessTokenLifespan=300 \
     -s ssoSessionIdleTimeout=3600 \
     -s ssoSessionMaxLifespan=3600 \
     -s revokeRefreshToken=true \
     -s refreshTokenMaxReuse=0 \
-    -s defaultSignatureAlgorithm=RS256
+    -s defaultSignatureAlgorithm=RS256 \
+    -s editUsernameAllowed=false \
+    -s registrationEmailAsUsername=true \
+    -s registrationAllowed=false \
+    -s resetPasswordAllowed=true \
+    -s rememberMe=true \
+    -s duplicateEmailsAllowed=false \
+    -s loginTheme=keywind
 
 ${KCADM} create clients -r ${OIDC_ADMIN_REALM} -f - <<EOF
 {
     "protocol": "openid-connect",
     "clientId": "${OIDC_ADMIN_APP_ID}",
     "directAccessGrantsEnabled": true,
     "webOrigins": ["*"],
-    "standardFlowEnabled": false,
+    "redirectUris": ["*"],
+    "standardFlowEnabled": true,
     "clientAuthenticatorType": "client-secret",
     "secret": "${OIDC_ADMIN_APP_SECRET}",
     "bearerOnly": false,
@@ -42,8 +50,9 @@ ${KCADM} create clients -r ${OIDC_ADMIN_REALM} -f - <<EOF
     "clientId": "${OIDC_ADMIN_USER_ID}",
     "directAccessGrantsEnabled": true,
     "webOrigins": ["*"],
+    "redirectUris": ["*"],
     "bearerOnly": false,
-    "standardFlowEnabled": false,
+    "standardFlowEnabled": true,
     "publicClient": true,
     "serviceAccountsEnabled": false,
     "authorizationServicesEnabled": false,
@@ -54,14 +63,14 @@ ${KCADM} create clients -r ${OIDC_ADMIN_REALM} -f - <<EOF
 EOF
 
 ### Users
-${KCADM} create users -r ${OIDC_ADMIN_REALM} -s enabled=true -s emailVerified=true -s username=john.doe -s [email protected] -s firstName=John -s lastName=Doe
-${KCADM} set-password -r ${OIDC_ADMIN_REALM} --username john.doe --new-password john.doe
+${KCADM} create users -r ${OIDC_ADMIN_REALM} -s enabled=true -s emailVerified=true -s username=john.doe@wayof.dev -s [email protected] -s firstName=John -s lastName=Doe
+${KCADM} set-password -r ${OIDC_ADMIN_REALM} --username john.doe@wayof.dev --new-password john.doe
 
-${KCADM} create users -r ${OIDC_ADMIN_REALM} -s enabled=true -s emailVerified=true -s username=jane.doe -s [email protected] -s firstName=Jane -s lastName=Doe
-${KCADM} set-password -r ${OIDC_ADMIN_REALM} --username jane.doe --new-password jane.doe
+${KCADM} create users -r ${OIDC_ADMIN_REALM} -s enabled=true -s emailVerified=true -s username=jane.doe@wayof.dev -s [email protected] -s firstName=Jane -s lastName=Doe
+${KCADM} set-password -r ${OIDC_ADMIN_REALM} --username jane.doe@wayof.dev --new-password jane.doe
 
-${KCADM} create users -r ${OIDC_ADMIN_REALM} -s enabled=true -s emailVerified=true -s username=johnny.doe -s [email protected] -s firstName=Johnny -s lastName=Doe
-${KCADM} set-password -r ${OIDC_ADMIN_REALM} --username johnny.doe --new-password johnny.doe
+${KCADM} create users -r ${OIDC_ADMIN_REALM} -s enabled=true -s emailVerified=true -s username=johnny.doe@wayof.dev -s [email protected] -s firstName=Johnny -s lastName=Doe
+${KCADM} set-password -r ${OIDC_ADMIN_REALM} --username johnny.doe@wayof.dev --new-password johnny.doe
 
 ### Roles
 ${KCADM} add-roles \