Keycloak is an open-source identity and access management solution that provides single sign-on capability. In this article we will see how to bring up Keycloak in a standalone environment.
Why Keycloak
- In an organization, there will be multiple applications that need authentication and authorization. If a user needs access to different apps, they have to log in to each application they want to use, so each app needs to handle user login, management and registration. This approach is costly.
- With Keycloak's single sign-on capability, a user only needs to authenticate once to get access to all the available applications in an organization.
- Individual applications don't need to take care of user registration, authentication, or maintaining a user database.
Setup Details
- Rocky Linux 8 VM on VirtualBox (the same steps work for Ubuntu [verified])
- RAM 4 GB
- 2 VCPUs
- 23 GB HD
- Host OS: Windows 10
Download keycloak package
The latest available version of Keycloak at the time of this article is 19.0.1. We download the tar from the official website.
[root@localhost ~]# wget https://github.com/keycloak/keycloak/releases/download/19.0.1/keycloak-19.0.1.tar.gz
--2022-08-24 19:03:48-- https://github.com/keycloak/keycloak/releases/download/19.0.1/keycloak-19.0.1.tar.gz
HTTP request sent, awaiting response... 200 OK
Length: 171578620 (164M) [application/octet-stream]
Saving to: ‘keycloak-19.0.1.tar.gz’
keycloak-19.0.1.tar.gz 100%[==========================================>] 163.63M 3.34MB/s in 54s
2022-08-24 19:04:44 (3.02 MB/s) - ‘keycloak-19.0.1.tar.gz’ saved [171578620/171578620]
Install openjdk
An OpenJDK installation is mandatory for Keycloak to work, and the Java version must be compatible. The Java version compatible with Keycloak 19.0.1 is Java 11. The compatibility matrix can be found on the official page.
[root@localhost ~]# java --version
bash: java: command not found...
[root@localhost ~]# yum install java-11-openjdk-devel
Verify java installation
[root@localhost ~]# java --version
openjdk 11.0.16 2022-07-19 LTS
OpenJDK Runtime Environment (Red_Hat-11.0.16.0.8-1.el8_6) (build 11.0.16+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.16.0.8-1.el8_6) (build 11.0.16+8-LTS, mixed mode, sharing)
Untar the tar package
The downloaded tar package needs to be extracted. Extracting it creates a directory named keycloak-x.x.x.
[root@localhost ~]# tar -xzvf keycloak-19.0.1.tar.gz
keycloak-19.0.1/version.txt
keycloak-19.0.1/conf/cache-ispn.xml
keycloak-19.0.1/README.md
keycloak-19.0.1/themes/README.md
keycloak-19.0.1/bin/kc.sh
<trimmed>
Run the keycloak server
The Keycloak server is started by executing the shell script kc.sh, which is in the bin directory. By default the server listens on port 8080; a custom port can be specified with the --http-port argument. In this article, I use the custom port 8083. The start-dev command used here runs the server in development mode, which the startup log below warns must not be used in production.
[root@localhost ~]# ./keycloak-19.0.1/bin/kc.sh start-dev --http-port 8083
Updating the configuration and installing your custom providers, if any. Please wait.
19:11:19,006 INFO [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 15336ms
19:11:22,468 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: <request>, Port: -1, Proxied: false
19:11:24,261 INFO [org.keycloak.common.crypto.CryptoIntegration] (main) Detected crypto provider: org.keycloak.crypto.def.DefaultCryptoProvider
2022-08-24 19:11:26,293 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
19:11:26,328 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
19:11:26,342 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
19:11:26,871 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.9.Final
19:11:30,994 INFO [org.keycloak.quarkus.runtime.storage.legacy.liquibase.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
19:11:35,989 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_716903, Site name: null
19:11:36,179 INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
19:11:38,992 INFO [io.quarkus] (main) Keycloak 19.0.1 on JVM (powered by Quarkus 2.7.6.Final) started in 19.095s. Listening on: http://0.0.0.0:8083
19:11:38,993 INFO [io.quarkus] (main) Profile dev activated.
19:11:38,993 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]
19:11:38,999 WARN [org.keycloak.quarkus.runtime.KeycloakMain] (main) Running the server in development mode. DO NOT use this configuration in production.
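The startup output above shows three things worth checking before a standalone instance is reachable by anyone else: the dev profile, Strict HTTPS set to false, and a plain-HTTP listener on 0.0.0.0 (all interfaces). The following shell function is an added example, not part of the original article or of Keycloak; audit_kc_log and the finding labels are hypothetical names, and the second sample log line is constructed.

```sh
# Added example (not from the article): flag the development-mode exposure
# visible in a kc.sh startup log. audit_kc_log is a hypothetical helper name.
audit_kc_log() {
    # Reads a startup log on stdin; prints one finding per line.
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Profile dev activated'; then
        echo "DEV_PROFILE: server was started with start-dev"
    fi
    if printf '%s\n' "$log" | grep -q 'Strict HTTPS: false'; then
        echo "NO_STRICT_HTTPS: hostname settings do not enforce HTTPS"
    fi
    # Pull the listener URL out of the "Listening on:" line.
    listen=$(printf '%s\n' "$log" | sed -n 's/.*Listening on: \([^ ]*\).*/\1/p' | head -n 1)
    case "$listen" in
        http://0.0.0.0:*) echo "PLAINTEXT_ALL_INTERFACES: $listen" ;;
        http://*)         echo "PLAINTEXT_LISTENER: $listen" ;;
    esac
}

# Sample input: three lines copied from the startup output above.
sample_dev_log() {
    cat <<'EOF'
19:11:22,468 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: <request>, Port: -1, Proxied: false
19:11:38,992 INFO [io.quarkus] (main) Keycloak 19.0.1 on JVM (powered by Quarkus 2.7.6.Final) started in 19.095s. Listening on: http://0.0.0.0:8083
19:11:38,993 INFO [io.quarkus] (main) Profile dev activated.
EOF
}

# Constructed counter-example: HTTPS listener on one address, no dev profile.
sample_tls_log() {
    cat <<'EOF'
10:00:00,000 INFO [io.quarkus] (main) Keycloak 19.0.1 on JVM (powered by Quarkus 2.7.6.Final) started in 12.000s. Listening on: https://192.0.2.10:8443
EOF
}

sample_dev_log | audit_kc_log
```

To audit a real run, pipe the captured kc.sh output into audit_kc_log; an empty result means none of the three indicators were found.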
Create Admin profile
- The Keycloak GUI will be available on localhost on port 8083 over HTTP.
http://0.0.0.0:8083
- Once the page is loaded, we have to create the admin profile; the screen capture below shows this.
- Log in to the Keycloak server with the admin credentials.
- After a successful login, the master realm page is visible, where you can make custom changes for user management. That is outside the scope of this article.