# Keycloak repackaged and preconfigured for MORE

This repository contains a `docker-compose.yaml` that can be used as a (pretty complete) template to run Keycloak for the MORE Platform.
## Additional Steps to start Keycloak for local development

To start Keycloak for (local) development, you can deactivate some security settings to avoid problems with e.g. the SSL configuration:

```shell
docker run --name=keycloak \
  -p 8099:8080 \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  -e KC_HOSTNAME=localhost \
  -e KC_HOSTNAME_PORT=8099 \
  ghcr.io/more-platform/auth-keycloak:latest start-dev
```
After this, Keycloak will be available under http://localhost:8099/. You can log in to the Master realm using the provided admin credentials (admin/admin).

Note: Do not forget to add `http://localhost:8080/*` and `http://localhost:3000/*` to the "Valid redirect URIs" when configuring the realm for MORE!
For details on recommended configuration settings for production usage, please refer to the Keycloak Documentation.

However, after the first startup, some initial configuration steps are required to prepare a dedicated Realm for MORE.
Some required variables/values during the setup:

- `AUTH_URL`: https://auth.example.com/
- `STUDY_MANAGER_URL`: https://study-manager.example.com/
- `LIMESURVEY_URL`: https://limesurvey.example.com/
- Point your browser to https://auth.example.com/ and log in with the init-credentials from the startup configuration.
- Create a new Realm `MORE-Platform` and switch to the new Realm to configure it:
  - Create Roles: In the navigation, go to `Realm Roles` and create the following roles:
    - `more-admin` aka. MORE_ADMIN (System Administrator, Platform Administrator): Rights to manage users, emergency functions, no rights to see data or manipulate studies.
    - `more-operator` aka. MORE_OPERATOR: Can create/initiate a new Study.
    - `more-viewer` aka. MORE_VIEWER: Can access existing studies (based on assigned study-level roles).
  - Create Groups: In the navigation, go to `Groups` and create the following groups:
    - `MORE Administrators`: After creation, select the created group and go to the `Role mapping` tab to assign the role `more-admin`.
    - `MORE Researcher`: After creation, select the created group and go to the `Role mapping` tab to assign the role `more-viewer`.
      - Go to the `Child Groups` tab and create the group `MORE Study Initiator`: After creation, select the created sub-group and go to the `Role mapping` tab to assign the role `more-operator`.
  - Create an OpenID client for the Study-Manager:
    - Client-Type: `OpenID Connect`
    - Client-ID: `study-manager`
    - Provide a name and description if applicable, then click `Next`.
    - Enable the `Standard flow` and then `Save` the realm.
    - In the "General Settings" section, enter the `${STUDY_MANAGER_URL}` from above into "Root URL" and "Home URL".
    - Add `${STUDY_MANAGER_URL}/*` to the "Valid redirect URIs".
    - Press `Save` again.
  - Create an OpenID client for Limesurvey:
    - Client-Type: `OpenID Connect`
    - Client-ID: `limesurvey`
    - Provide a name and description if applicable, then click `Next`.
    - Enable `Client authentication` and the `Standard flow`, then `Save` the realm.
    - In the "General Settings" section, enter the `${LIMESURVEY_URL}` from above into "Root URL" and "Home URL".
    - Add `${LIMESURVEY_URL}/index.php/admin/authentication/sa/login` to the "Valid redirect URIs".
    - Press `Save` again.
    - Take a note of the `Client secret` on the `Credentials` tab.
- For the Studymanager use the following settings:

  ```
  OAUTH2_SERVER: https://auth.example.com/realms/More-Platform
  OAUTH2_CLIENT_ID: study-manager
  OAUTH2_CLIENT_SECRET: ''
  MORE_FE_KC_SERVER: https://auth.example.com/
  MORE_FE_KC_REALM: More-Platform
  MORE_FE_KC_CLIENT_ID: study-manager
  ```

- For Limesurvey use the following settings:

  ```
  CLIENT_ID: limesurvey
  CLIENT_SECRET: secret-from-the-credentials-tab
  AUTHORIZE_URL: https://auth.example.com/realms/More-Platform/protocol/openid-connect/auth
  SCOPES: openid
  ACCESS_TOKEN_URL: https://auth.example.com/realms/More-Platform/protocol/openid-connect/token
  USER_DETAILS_URL: https://auth.example.com/realms/More-Platform/protocol/openid-connect/userinfo
  ```
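The two "Valid redirect URIs" entries above differ on purpose: the Study-Manager gets a `/*` wildcard, Limesurvey an exact callback. The following is an added example, not code from this repository or from Keycloak, that models how such entries are matched (exact match, or prefix match for a trailing `*`) and flags wildcard entries that are broader than intended; it assumes the placeholder hosts from this README with the trailing slash dropped so that `${STUDY_MANAGER_URL}/*` yields a single slash.

```python
"""Simplified model of Keycloak-style "Valid redirect URIs" matching.
Added illustration for this README; not the MORE or Keycloak code."""

# Constructed sample values based on the README's placeholders (no trailing slash).
STUDY_MANAGER_URL = "https://study-manager.example.com"
LIMESURVEY_URL = "https://limesurvey.example.com"

# The entries this README tells you to register for each client.
VALID_REDIRECT_URIS = {
    "study-manager": [f"{STUDY_MANAGER_URL}/*"],
    "limesurvey": [f"{LIMESURVEY_URL}/index.php/admin/authentication/sa/login"],
}


def redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Return True if redirect_uri is acceptable for client_id.

    Only a trailing "*" acts as a wildcard (prefix match); anything else
    must match exactly, so scheme, host, path and query are all compared.
    A redirect URI carrying a fragment is rejected (RFC 6749, 3.1.2).
    """
    if "#" in redirect_uri:
        return False
    for entry in VALID_REDIRECT_URIS.get(client_id, []):
        if entry.endswith("*"):
            if redirect_uri.startswith(entry[:-1]):
                return True
        elif redirect_uri == entry:
            return True
    return False


def overly_broad(entries: list[str]) -> list[str]:
    """Flag wildcard entries whose prefix does not stop at a path boundary.

    "https://host*" also matches "https://host.attacker.example/...", while
    "https://host/*" (as this README prescribes) does not.
    """
    return [e for e in entries if e.endswith("*") and not e[:-1].endswith("/")]
```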