Configuration
Georg Pfuetzenreuter edited this page 2021-09-01 00:25:38 +02:00

The initial configuration requires setting the following configuration variables:

| Registry Key | Example | Description |
|---|---|---|
| plugins.Keycloak.backend.server | https://example.com | Hostname or IP address of the instance to connect to |
| plugins.Keycloak.backend.realm | MyRealm | Specifies the realm to use |
| plugins.Keycloak.backend.token | http://localhost:8080/kctoken | URL to OIDC Token |

It is recommended to use a dedicated Keycloak client with a minimum set of roles for the bot. Create an OpenID Connect client in Keycloak, set the Access Type to “Confidential”, enable “Enable Service Accounts”, and take temporary note of the secret from the “Credentials” tab. Head to “Service Account Roles” and select the Client Role “realm-management”. Assign the Client Role “manage-users”. Now you can acquire a token through an HTTP request and save it to a file on an, ideally, local webserver. This is an example of how to do so via curl:

```bash
curl -o /srv/www/local/kctoken -LX POST 'http://192.168.0.115:8880/auth/realms/MyRealm/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=irc' \
  --data-urlencode 'client_secret=SecretYouCopiedEarlier'
```

Make sure the output file contains something resembling a JSON object with a field access_token. The access_token should be quite long, generally around ~1300 characters. Pay attention to the expiration field as well: if the defaults of your Realm set an expiration on your tokens (i.e. the value of the field is not 0), you either need to disable the expiration for the OIDC client you created, or set up a schedule (e.g. a cronjob) to re-acquire and replace the token file. This is not in scope of this article. Finally, make the file accessible by a webserver, ideally one on your local network or local host. Then try accessing it via curl, and if that works, copy the URL to plugins.Keycloak.backend.token. You should then be set up.
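The checks above (an access_token field is present, the token is a well-formed JWT, it has not already expired, and whether a refresh schedule is needed) can be scripted before the file is exposed to the webserver. The helper below is an added example, not part of the plugin; it assumes the token endpoint response was already saved by the curl command above, and the function names and the constructed sample response are mine.

```python
import base64
import json
import os
import tempfile
import time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying it; we only read the 'exp' claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a header.payload.signature JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token_response(raw: str, now: float) -> dict:
    """Validate a token endpoint response; return expiry info or raise ValueError."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or "access_token" not in doc:
        raise ValueError("no access_token field: check client_id, client_secret and realm")
    claims = jwt_payload(doc["access_token"])
    expires_in = int(doc.get("expires_in", 0))
    seconds_left = int(claims["exp"] - now) if "exp" in claims else None
    if seconds_left is not None and seconds_left <= 0:
        raise ValueError("access_token has already expired; re-acquire it")
    return {"expires_in": expires_in, "seconds_left": seconds_left,
            "needs_refresh_schedule": expires_in != 0}

def install_token_file(raw: str, dest: str, now: Optional[float] = None) -> dict:
    """Check the response, then atomically replace dest (mode 0640, so only the
    file owner and the webserver's group can read the bearer token)."""
    info = check_token_response(raw, time.time() if now is None else now)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".kctoken-")
    with os.fdopen(fd, "w") as fh:
        fh.write(raw)
    os.chmod(tmp, 0o640)
    os.replace(tmp, dest)   # readers never observe a half-written file
    return info

def sample_response(exp: int, expires_in: int) -> str:
    """Constructed stand-in for a Keycloak token response, for offline testing only."""
    header = _b64url(b'{"alg":"RS256","typ":"JWT"}')
    payload = _b64url(json.dumps({"exp": exp, "azp": "irc"}).encode())
    token = f"{header}.{payload}.{'x' * 64}"   # signature segment is a placeholder
    return json.dumps({"access_token": token, "expires_in": expires_in,
                       "token_type": "Bearer"})
```

Run `install_token_file(open("/tmp/kctoken.new").read(), "/srv/www/local/kctoken")` from the cronjob mentioned above to validate and swap the file in one step.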