This is a utility project that will show all the user's information after they login via Keycloak. It is useful for debugging user roles if they are having trouble accessing Trustmark Tool. The trustmark-keycloak-deploy will deploy this software for you from the Trustmark software repository. You should only need to build it from this project if you want to make changes.
Add the following line to the /etc/hosts file on the host machine:
127.0.0.1 host.docker.internal
Run ./sh/openssl-req.sh to generate the public and private keys for the keycloak server and import
those keys into the truststore of the sample application. When prompted for a password, use password.
$ ./sh/openssl-req.shBuild the application as follows:
$ rm -rf .gradle build && ./grailsw clean && ./grailsw warRun the docker container as follows:
$ docker compose up -d --build Open https://localhost:9443/auth/. You may log in with username administrator and password administrator.
- Add a realm; name it
keycloak. - Add a role; name it
userinfo-role. - Add a client scope; name it
openid. - Update the
rolesclient scope; update therealm rolesmapper; change the Token Claim Name toroles. - Add a client; name it
userinfo. - Under the
userinfoclient, uncheck "Direct Access Grants". - and set the "Valid Redirect URIs" to
http://localhost:8080/userinfo/#/oauth2/code/userinfo. - Under the
userinfoclient, add theopenidclient scope. - Add the following users:
username: userinfo
email: userinfo@example.org
given name: userinfo-name-given
family name: userinfo-name-family
password: userinfo
role: userinfo-role
Because the keycloak server had not been configured, the userinfo application likely failed to start. Restart the userinfo application as follows:
$ docker compose up -d --build userinfo-userinfoOpen http://localhost:8080/userinfo/. The system will redirect the client to https://localhost:9443/auth/, where you
may log in with the username userinfo and the password userinfo.
Keycloak will then redirect to the application; the application will show the username, the user's given name, the user's surname, the user's email, and the user's role.
userinfo
sub 810562ef-02b2-4d0a-951b-474cc799f534
email_verified false
roles [offline_access, default-roles-userinfo, uma_authorization, userinfo-role]
name userinfo-name-given userinfo-name-last
preferred_username userinfo
given_name userinfo-name-given
family_name userinfo-name-last
email userinfo@example.org
In docker-compose.yml and docker/keycloak-grails/grails-app/conf/application.properties,
SPRING_BOOT_CONTEXT_PATH: the value ofserver.servlet.context-path; currently/userinfo.SPRING_SECURITY_CLIENT_ID: the value ofspring.security.oauth2.client.registration.keycloak.client-id; currentlyuserinfo.SPRING_SECURITY_ISSUER_URI: the value ofspring.security.oauth2.client.provider.keycloak.issuer-uri; currentlyhttps://host.docker.internal/auth/realms/keycloakSPRING_SECURITY_REDIRECT_URI: the value ofspring.security.oauth2.client.registration.keycloak.redirect-uri; currentlyhttp://localhost:8080/userinfo/#/oauth2/code/userinfo
Note:
- The
SPRING_SECURITY_CLIENT_IDmust match the keycloak client name. - The
SPRING_SECURITY_ISSUER_URImust match the keycloak realm for the keycloak client. - The
SPRING_SECURITY_REDIRECT_URImust reference the sample application.
If the httpd server or the keycloak server rely on self-signed certificates, the sample application startup must specify
the keystore and they keystore password; they appear in the Dockerfile:
CMD [ \
"java", \
"-Djavax.net.debug=all", \
"-Djavax.net.ssl.trustStore=/work/userinfo-truststore.jks", \
"-Djavax.net.ssl.trustStorePassword=password", \
"-Djava.security.egd=file:/dev/./urandom", \
"-jar", \
"/work/userinfo.war" \
]If neither of these servers rely on self-signed certificates, the Dockerfile may omit them.