micedre
commented
2 years ago I just tested with quarkus distribution on FranceConnect V1, it works fine. I'll test the others providers as soon as possible.
Closed mboisnard closed 1 year ago
micedre
commented
2 years ago I just tested with quarkus distribution on FranceConnect V1, it works fine. I'll test the others providers as soon as possible.
semangard
commented
2 years ago hello @micedre would it be possible to share your configuration for KC 17 (especially where you deploy your jar) ?
Here is mine and it seems FC provider is not loaded
version: '3.8'
#### DOCS ####
#: https://github.com/eabykov/keycloak-compose/blob/main/docker-compose.yml
# https://blog.codecentric.de/en/2021/12/keycloak-keycloak-x/
##############
services:
postgres:
container_name: keycloak17-db
image: postgres:13.2-alpine
#healthcheck:
# test: ["CMD", "nc", "-zv", "localhost", "5432"]
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: password
volumes:
- keycloak17_postgres_data:/var/lib/postgresql/data
networks:
- network-development
ports:
- "5432:5432"
keycloak:
container_name: keycloak17
image: quay.io/keycloak/keycloak:17.0.0
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
## https://www.keycloak.org/server/db
KC_DB: postgres
# jdbc:postgresql://host:port/database
KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: password
## https://www.keycloak.org/server/features
KC_FEATURES: admin-fine-grained-authz, upload-scripts, token-exchange, impersonation
JAVA_TOOL_OPTIONS: -Dsun.security.krb5.debug=true -Dsun.security.spenego.degug=true
JAVA_OPTS: -server -Xms512m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true
# JAVA_OPTS_APPEND: -server -Xms512m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true
# JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING
# JGROUPS_DISCOVERY_PROPERTIES: datasource_jndi_name=java:datasources/KeycloakDS,info_writer_sleep_time=500
ROOT_LOGLEVEL: INFO
KEYCLOAK_LOGLEVEL: INFO
# CACHE_OWNERS_COUNT: 1 # TODO: DEPRECATED...
# CACHE_OWNERS_AUTH_SESSIONS_COUNT: 1 # TODO: DEPRECATED...
KC_HOSTNAME: localhost
KC_METRICS_ENABLED: true
# KEYCLOAK_STATISTICS: all # DEPRECATED...
#X509_CA_BUNDLE: /etc/x509/https/rootCA.crt /etc/x509/https/hugrootCA.crt # use space to add multiple root CA if needed # TODO: DEPRECATED...
USER_EVENT_TO_SEND: CREATE, UPDATE, DELETE, LOGIN
KEYCLOAK_SERVICE_URL: http://keycloak-service:10001/
KEYCLOAK_IMPORT: /tmp/keycloak/config/realm.json # depends on the line uncommented just below
# DEBUG: true
# DEBUG_PORT: "*:8787"
## entrypoint
## WARNING : --auto-build has to be used for dev purpose, for perf concern ==> build your own custom image
# entrypoint to enable realm import : https://github.com/keycloak/keycloak/discussions/10229
# entrypoint: ["/tmp/keycloak/config/docker-compose-entrypoint.sh", "start", "--auto-build", "--db=postgres", "--https-certificate-file=/etc/x509/https/tls.crt", "--https-certificate-key-file=/etc/x509/https/tls.key"]
# standard enretrypoint
entrypoint: ["/opt/keycloak/bin/kc.sh", "start", "--auto-build", "--db=postgres", "--https-certificate-file=/etc/x509/https/tls.crt", "--https-certificate-key-file=/etc/x509/https/tls.key"]
volumes:
###########################
# Import test realm
- ./scripts:/tmp/keycloak/config
- ./realms/realm.json:/tmp/keycloak/config/realm.json
###########################
# HUG themes and extensions
- ../../theme/hug-base:/opt/keycloak/themes/hug-base
- ../../theme/hug-hug:/opt/keycloak/themes/hug-hug
- ../../theme/pedamines-base:/opt/keycloak/themes/pedamines-base # TODO: to be remamed as external-base
# HUG extensions
- ../../target/hug-keycloak-jar-with-dependencies.jar:/opt/keycloak/providers/hug-keycloak.jar
# HUG passwords blacklists
- ../../blacklists/french_passwords_top20000.txt:/opt/data/password-blacklists/french_passwords_top20000.txt
- ../../blacklists/hug_pwd_blacklist_2021.txt:/opt/data/password-blacklists/hug_pwd_blacklist_2021.txt
# External extensions
- ../../extensions/metrics/keycloak-metrics-spi-2.5.3.jar:/opt/keycloak/standalone/deployments/keycloak-metrics-spi-2.5.3.jar
- ../../extensions/france-connect/keycloak-franceconnect-4.1.0.jar:/opt/keycloak/standalone/deployments/keycloak-franceconnect-4.1.0.jar
# Custom configurations with CLI
#- ../../cli/themes-cache-disable.cli:/opt/startup-scripts/themes-cache-disable.cli # TODO: DEPRECATED...
# - ../../cli/logs-manage.cli:/opt/startup-scripts/logs-manage.cli # TODO: DEPRECATED...
#- ../../cli/logs-http-debug.cli:/opt/startup-scripts/logs-http-debug.cli # TODO: DEPRECATED...
################
# Self-signed certificates to activate HTTPS for tests
- ./certs/server/server.tls.crt:/etc/x509/https/tls.crt
- ./certs/server/server.tls.key:/etc/x509/https/tls.key
# CA certificates to enable user auth with certificates
- ./certs/ca.crt:/etc/x509/https/rootCA.crt # auto-signed CA cert
- ./certs/hugca.crt:/etc/x509/https/hugrootCA.crt # HUG CA cert
################
ports:
- "8080:8080" # http://localhost:8080/
- "443:8443" # https://localhost/ (you must accept also warnings triggered by navigators)
- "8787:8787"
deploy:
replicas: 1
depends_on:
- postgres
networks:
- network-development
networks:
network-development:
volumes:
keycloak17_postgres_data:
external: true # because the volume was clone from keycloak 13 DB (in order to test separately the migration)
# driver: local
micedre
commented
2 years ago With keycloak 17 the docker image is based on the quarkus distribution, I thibk you need to place extensions in KEYCLOAK_HOME/providers. In your case you should replace /opt/keycloak/standalone/deployments with /opt/keycloak/providers
semangard
commented
2 years ago OK @micedre
It is better now 👍
version: '3.8'
#### DOCS ####
# https://github.com/eabykov/keycloak-compose/blob/main/docker-compose.yml
# https://blog.codecentric.de/en/2021/12/keycloak-keycloak-x/
##############
services:
postgres:
container_name: keycloak17-db
image: postgres:13.2-alpine
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: password
volumes:
- keycloak17_postgres_data:/var/lib/postgresql/data
networks:
- network-development
ports:
- "5432:5432"
keycloak:
container_name: keycloak17
image: quay.io/keycloak/keycloak:17.0.0
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
## https://www.keycloak.org/server/db
## https://www.keycloak.org/server/all-config#_database
KC_DB: postgres
KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak" # jdbc:postgresql://host:port/database
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: password
## https://www.keycloak.org/server/hostname
KC_HOSTNAME: localhost # mandatory because we are using the production mode (launch with 'start' and not 'start-dev') better to be as closed as possible to the production
# KC_HOSTNAME_ADMIN: localhost
# KC_HOSTNAME_STRICT_BACKCHANNEL: true
KC_HTTP_RELATIVE_PATH: "/auth" # mandatory to keep same URL compared to previous versions of KC
## https://www.keycloak.org/server/enabletls
## https://www.keycloak.org/server/all-config#_httptls
KC_HTTP_ENABLED: "true"
KC_HTTPS_PROTOCOLS: "TLSv1.3,TLSv1.2"
#KC_HTTPS_CIPER_SUITES: ### TODO
KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/https/tls.crt"
KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/https/tls.key"
# X509_CA_BUNDLE: /etc/x509/https/rootCA.crt /etc/x509/https/hugrootCA.crt # use space to add multiple root CA if needed
### DEPRECATED => TODO: use instead --https-trust-store-file=/path/to/file --https.trust-store.password=<value>
## https://www.keycloak.org/server/all-config#_feature
## https://www.keycloak.org/server/features
KC_FEATURES: admin-fine-grained-authz,token-exchange,upload-scripts
JAVA_TOOL_OPTIONS: -Dsun.security.krb5.debug=true -Dsun.security.spenego.degug=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8790 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dquarkus-log-max-startup-records=10000
JAVA_OPTS: -server -Xms512m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true # JAVA_OPTS_APPEND does not work
## https://www.keycloak.org/server/all-config#_cluster
## https://www.keycloak.org/server/caching
## https://github.com/keycloak/keycloak/issues/10780
## https://github.com/keycloak/keycloak/issues/10875
# JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING ### DEPRECATED : replaced by KC_CACHE_STACK
# JGROUPS_DISCOVERY_PROPERTIES: datasource_jndi_name=java:jboss/datasources/KeycloakDS,info_writer_sleep_time=500,remove_old_coords_on_view_change=true,remove_all_data_on_view_change=true ### DEPRECATED : => TODO: find a solution
# CACHE_OWNERS_COUNT: 1 ### DEPRECATED => useless now ?
# CACHE_OWNERS_AUTH_SESSIONS_COUNT: 1 ### DEPRECATED => useless now ?
KC_CACHE: ispn
KC_CACHE_STACK: tcp
## https://www.keycloak.org/server/logging
## https://www.keycloak.org/server/all-config#_logging
KC_LOG_LEVEL: INFO
## https://www.keycloak.org/server/all-config#_metrics
KC_METRICS_ENABLED: true # https://localhost/auth/metrics
# KEYCLOAK_STATISTICS: all ### DEPRECATED: no solution yet
# DEBUG: true
# DEBUG_PORT: "*:8787"
KEYCLOAK_IMPORT: /tmp/keycloak/config/realm.json # depends on the line uncommented just below ### TODO : will be available with KC 17.0.1
## CUSTOM for HUG listener
USER_EVENT_TO_SEND: CREATE,UPDATE,DELETE,LOGIN
KEYCLOAK_SERVICE_URL: http://keycloak-service:10001/
###########################
## WARNING : --auto-build has to be used for dev purpose, for perf concern (quick start-up) ==> build your own custom image
# a) CUSTOM entrypoint to enable realm import : https://github.com/keycloak/keycloak/discussions/10229 ==> Does NOT WORK with a DB: driver is not yet initialized
# entrypoint: ["/tmp/keycloak/config/docker-compose-entrypoint.sh", "start", "--auto-build", "--http-enabled=true", "--https-certificate-file=/etc/x509/https/tls.crt", "--https-certificate-key-file=/etc/x509/https/tls.key"]
# b) STANDARD enrtrypoint
entrypoint: ["/opt/keycloak/bin/kc.sh", "start", "--auto-build"]
volumes:
###########################
# Import test realm
- ./scripts:/tmp/keycloak/config
- ./realms/realm.json:/tmp/keycloak/config/realm.json:ro
###########################
# HUG themes and extensions
- ../../theme/hug-base:/opt/keycloak/themes/hug-base
- ../../theme/hug-hug:/opt/keycloak/themes/hug-hug
- ../../theme/pedamines-base:/opt/keycloak/themes/pedamines-base # TODO: to be remamed as external-base
# HUG extensions
- ../../target/hug-keycloak-jar-with-dependencies.jar:/opt/keycloak/providers/hug-keycloak.jar:ro
# HUG passwords blacklists
- ../../blacklists/french_passwords_top20000.txt:/opt/data/password-blacklists/french_passwords_top20000.txt:ro
- ../../blacklists/hug_pwd_blacklist_2021.txt:/opt/data/password-blacklists/hug_pwd_blacklist_2021.txt:ro
# External extensions
- ../../extensions/metrics/keycloak-metrics-spi-2.5.3.jar:/opt/keycloak/providers/keycloak-metrics-spi-2.5.3.jar:ro
- ../../extensions/france-connect/keycloak-franceconnect-4.1.0.jar:/opt/keycloak/providers/keycloak-franceconnect-4.1.0.jar:ro
# Custom configurations with CLI
# - ../../cli/themes-cache-disable.cli:/opt/startup-scripts/themes-cache-disable.cli ### DEPRECATED => TODO: find a solution
# - ../../cli/logs-manage.cli:/opt/startup-scripts/logs-manage.cli ### DEPRECATED => TODO: find a solution to send logs to logstash
# - ../../cli/logs-http-debug.cli:/opt/startup-scripts/logs-http-debug.cli ### DEPRECATED => TODO: find a solution (optional)
################
# Self-signed certificates to activate HTTPS for tests
- ./certs/server/server.tls.crt:/etc/x509/https/tls.crt:ro
- ./certs/server/server.tls.key:/etc/x509/https/tls.key:ro
# CA certificates to enable user auth with certificates
- ./certs/ca.crt:/etc/x509/https/rootCA.crt:ro # auto-signed CA cert
- ./certs/hugca.crt:/etc/x509/https/hugrootCA.crt:ro # HUG CA cert
################
ports:
- "8080:8080" # KC HTTP : http://localhost:8080/
- "443:8443" # KC HTTPS : https://localhost/ (you must accept also warnings triggered by navigators)
- "8787:8787" # KC debug port
- "8790:8790" # KC JMX port
deploy:
replicas: 1
depends_on:
- postgres
networks:
- network-development
networks:
network-development:
volumes:
keycloak17_postgres_data:
external: true # because the volume was clone from keycloak 13 DB (in order to test separately the migration)
# driver: local
Can you check that FC plugin works with Keycloak 17 which uses Quarkus instead of Wildfly?