How to Integrate Keycloak With Blue Brain Nexus?

[chance2021]

Hi,

I have been searching for the instruction about how to integrate Keycloak with BB Nexus for a while but without any luck. Just wondering if anyone has managed to complete this integration? Any guide will be really appreciated! Thanks!

Thanks,
Chance

[bogdanromanx]

Hi @chance2021,

BB Nexus works with Keycloak without a specific "integration guide". Once you've deployed keycloak and configured a realm, you just need to create a realm in Nexus Delta by providing the OIDC discovery document URL.
Once a realm has been created in Nexus Delta, you can start granting ACLs for identities. Make sure not to lock yourself out. :)

We typically recommend setting up 2+ realms:

• 1 realm for service accounts
• 1+ realms for users

Service accounts would typically have a longer token expiration (months or years), while users a short token expiration (hours). Since Keycloak only allows setting the token expiration at the realm level (instead of client), you'd need 2 realms to get this done.

On the service account realm you would create a new client, configured as confidential and check the "Service Account" checkbox along with the option to login through the password grant. You will then be allowed to exchange the client-id and client-token for an access token.

On the user realm you need to create a new client, named nexus-web as public (no client secret) and allow the Implicit Flow. This specific client will be used by Fusion (Nexus Web) to authenticate users.

After setting up the two realms, the first thing one should do is to grant full access on / to the service account to avoid locking yourself out of the system. To get the specific identity of the service account you just need to ask Delta the collection of identities for a token:

curl -s -H"Authorization: Bearer $TOKEN" http://localhost:8080/nexus/v1/identities | jq

After granting full access to the service account, you can use its token to further grant access to users.

I hope this is what you were looking for...

[chance2021]

@bogdanromanx Thanks so much for the very detailed instruction!! I will definitely try this and let you know how it works. Thanks again!

[chance2021]

Hi @bogdanromanx, I have encountered with an issue during setting up Keycloak integrated with domain name URL address. I have managed to integrate the Keycloak with Keycloak IP as openIDConfig (see below working setup command), but when I changed the URL from IP from https://domain_name, it returns a Timeout error. Have you seen this issue before? Thanks!

Working Keycloak IP Setup Command

curl -XPUT \
>   -H "Content-Type: application/json" \
>   "http://<nexus delta ip address>/nexus/v1/realms/<my_realm>?rev=1" \
>   -d '{
>         "name":"vre",
>         "openIdConfig":"http://<keycloak ip address>/auth/realms/<my_realm>/.well-known/openid-configuration",
>         "logo":"http://localhost:8080/logo.png"
>       }'

NOT working Keycloak Domain Name (https) Setup Command

curl -XPUT \
>   -H "Content-Type: application/json" \
>   "http://<nexus delta ip address>/nexus/v1/realms/<my_realm>?rev=1" \
>   -d '{
>         "name":"vre",
>         "openIdConfig":"https://<keycloak domain name>/auth/realms/<my_realm>/.well-known/openid-configuration",
>         "logo":"http://localhost:8080/logo.png"
>       }'

Returned Error:

{"@context":"https://bluebrain.github.io/nexus/contexts/error.json","@type":"RealmEvaluationTimeout","reason":"Timeout while evaluating the command 'UpdateRealm' for realm '<my_realm>' after '14 seconds'"}

[chance2021]

Hi @bogdanromanx , I think I may figure out the cause of the issue. I set http:<ip address> in PUBLIC_URI in delta.yaml by default, however, I have to use the public https domain name to access the website, so it causes the mixed content error. My solution is to replace the PUBLIC_URI value with my https domain name and it is working fine now!

From

        - name: PUBLIC_URI
          value: 'http://$(public_ip)'

To

        - name: PUBLIC_URI
          value: 'https://<public domain name>'

Now I can continue setup user permission by following your above instruction. Thanks again for those great help!! @bogdanromanx