Managing Open Data for Industries users through Keycloak

Open Data for Industries uses Keycloak as a supporting service to act as an identity provider and authorization service.

After Keycloak is configured, it creates the necessary entities to secure resources. These entities can then be maintained with Keycloak or by using the Open Data for Industries Entitlements API.

Procedure

Configuring Keycloak

To configure Keycloak, you must create and configure the following entities, which are used to create the credentials that the identity provider authenticates and authorizes:
  • Realm: A realm is a space that contains a set of users, credentials, roles, and groups.
  • Clients: Clients can request Keycloak to authenticate a user.
Follow these steps as an administrator:
  1. Obtain the URL for the Keycloak Administration Console from the Red Hat® OpenShift® administrator console.
  2. Log in to the Keycloak Administration Console.
    Note: A default user and password exist, which can be used when you first access the Keycloak Administration Console. The default password must be changed on the first login.
  3. From the Master menu, click Add realm.
  4. From the Add realm page, provide a Name for the new realm, then click Create.
  5. If the Keycloak Administration Console does not refresh with the newly created realm, open the realm menu and select the newly created realm.
  6. From the side menu, click Clients.
  7. From the Clients page, click Create.
  8. From the Add Client page:
    • Enter the Client ID of the client. Use a simple alphanumeric string; it is used in requests and in the Keycloak database to identify the client.
    • Select openid-connect as the Client Protocol.
    • Enter the Root URL of your application.
  9. Click Save. The Keycloak Administration Console displays the settings page for the newly created client.

Managing users

You must create users, which identify the persons who are to be authenticated and authorized to access the clients in the identity provider.

Follow these steps as an administrator:
  1. Log in to the Keycloak Administration Console.
  2. To create a user:
    1. From the side menu, click Users to open the Users page.
    2. Click Add User to open the Add user page.
    3. Enter a Username. All other fields are optional.
    4. Click Save. The management page for the new user opens.
    5. Set extra parameters, as you see fit. For example, you can:
      • Use the Credentials tab to set a temporary password.
      • Use the Role Mappings tab to map the user to a role.

Configuring token settings

Keycloak gives you fine-grained control of session, cookie, and token timeouts.

To configure these settings, follow these steps as an administrator:
  1. Log in to the Keycloak Administration Console.
  2. From the side menu, click Realm Settings to open the settings page for the active realm.
  3. Click the Tokens tab.
  4. Adjust the token parameters and click Save.
    Note: To avoid expiration of the access token, set the Access Token Lifespan control to a minimum of 30 minutes.
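
The realm, client, user, and token settings from the procedures above can also be expressed as a Keycloak realm import file and checked before import. The following is an added example, not part of the original page or of Open Data for Industries; the realm name, client ID, URL, username, and password are constructed, and the JSON field names are those of Keycloak's realm representation.

```python
import json

MIN_ACCESS_TOKEN_LIFESPAN = 30 * 60  # seconds; the 30-minute minimum from the note

def build_realm(realm, client_id, root_url, username, temp_password):
    """Realm representation mirroring the console steps (all values constructed)."""
    return {
        "realm": realm,
        "enabled": True,
        "accessTokenLifespan": MIN_ACCESS_TOKEN_LIFESPAN,  # Realm Settings > Tokens
        "clients": [{
            "clientId": client_id,
            "protocol": "openid-connect",
            "rootUrl": root_url,
        }],
        "users": [{
            "username": username,
            "enabled": True,
            # Credentials tab: a temporary password must be changed at next login.
            "credentials": [{"type": "password", "value": temp_password, "temporary": True}],
        }],
    }

def check_realm(rep):
    """Return findings where an import file departs from the settings on this page."""
    findings = []
    if rep.get("accessTokenLifespan", 0) < MIN_ACCESS_TOKEN_LIFESPAN:
        findings.append("accessTokenLifespan is below 30 minutes")
    for client in rep.get("clients", []):
        cid = client.get("clientId", "")
        if not cid.isalnum():
            findings.append(f"client {cid!r}: Client ID is not a simple alphanumeric string")
        if client.get("protocol") != "openid-connect":
            findings.append(f"client {cid!r}: Client Protocol is not openid-connect")
        if not client.get("rootUrl"):
            findings.append(f"client {cid!r}: Root URL is missing")
    for user in rep.get("users", []):
        name = user.get("username", "")
        if not name:
            findings.append("user without a Username")
        for cred in user.get("credentials", []):
            if cred.get("type") == "password" and not cred.get("temporary", False):
                findings.append(f"user {name!r}: password is not marked temporary")
    return findings

if __name__ == "__main__":
    rep = build_realm("odidemo", "odiclient1", "https://app.example.com", "jdoe", "constructed-temp-pw")
    print(json.dumps(rep, indent=2))
    print(check_realm(rep) or "no findings")
```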