Add 'Configuration'

Georg Pfuetzenreuter 2021-09-01 00:25:38 +02:00
parent 11bc1c270f
commit 32ab9683ad

19
Configuration.md Normal file

@ -0,0 +1,19 @@
The initial configuration requires setting the following configuration variables:
| Registry Key | Example| Description |
| -------- | -------- | -------- |
| plugins.Keycloak.backend.server | https://example.com | Hostname or IP address of the instance to connect to |
| plugins.Keycloak.backend.realm | MyRealm | Specifies the realm to use
| plugins.Keycloak.backend.token | http://localhost:8080/kctoken | URL to OIDC Token
It is recommended to use a dedicated Keycloak client with a minimum set of roles for the bot.
Create an OpenID Connect client in Keycloak, set the Access Type to "Confidential", enable "Enable Service Accounts", and take temporary note of the secret from the "Credentials" tab. Head to "Service Account Roles" and select the Client Role "realm-management". Assign the Client Role "manage-users".
Now you can aquire a token through a HTTP request and save it to a file on an, ideally, local webserver. This is an example to do so via `curl`:
`curl -o /srv/www/local/kctoken -LX POST 'http://192.168.0.115:8880/auth/realms/MyRealm/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'client_id=irc' --data-urlencode 'client_secret=SecretYouCopiedEarlier'`
Make sure the output file contains something resembling a JSON array containing a field `access_token`. The `access_token` should be quite long, generally around ~1300 characters.
Pay attention to the `expiration` field as well - if the defaults of your Realm set an expiration on your tokens (i.e. the value of the field is not `0`), you either need to disable the expiration for the OIDC client you created, or set up a shedule (i.e. a cronjob) to re-aquire and replace the token-file. This is not in scope of this article.
Finally, make the file accessible by a webserver - ideally one on your local network or local host. Then try accessing it via `curl`, and if that works, copy the URL to `plugins.Keycloak.backend.token`.
You should then be set up.
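Review bot: The `access_token` written to `/srv/www/local/kctoken` is a bearer credential for a service account holding the `manage-users` client role, but the instructions only say to make the file "accessible by a webserver" and to verify with `curl` that it can be fetched; there is no guidance on restricting who can fetch it. Please add a sentence stating that the file must not be world-readable on disk and that the webserver serving it should listen only on localhost (or be access-controlled), since anyone who can reach the URL can manage users in the realm. Two smaller points in the same hunk: the `curl` example places `client_secret=SecretYouCopiedEarlier` directly on the command line, where it ends up in shell history and process listings; `--data-urlencode 'client_secret@/path/to/secretfile'` (curl reads and URL-encodes the file contents) avoids that. And the token response field is `expires_in` (seconds), not `expiration`; a value of `0` is not what Keycloak emits by default, so the advice about "the value of the field is not `0`" should be reworded around `expires_in` being non-zero for normal token lifespans. Also, the response is a JSON object rather than a "JSON array", and "aquire"/"shedule" should read "acquire"/"schedule".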