Tags: security, keycloak, google, idp, sso, auth


Reference articles

  1. https://www.keycloak.org/docs/latest/server_admin/#_identity_broker
  2. https://keycloakthemes.com/blog/how-to-setup-sign-in-with-google-using-keycloak


Setting up Google

  1. Go to Google cloud console at https://console.developers.google.com/
  2. Navigate to "APIs & Services > Dashboard" and select the organization at the top of the screen
    1. Create a new project: "Create Project"
  3. Select the new project at the top of the screen
  4. Navigate to "APIs & Services > OAuth consent screen"
    1. Select "User Type" as "Internal" or "External".
      In most cases "Internal" is used: it only allows users within your Google Workspace organization to log in.
      If you must use "External", note that any Google account can then reach the consent screen, so restrict accepted accounts on the Keycloak side (the Google identity provider's "Hosted Domain" setting) instead of relying on Google.
    2. Specify required "App name", "User support email", "Developer contact information" (and other optional parameters as necessary)
    3. Add the domain used by your Kublr Control Plane (KCP) deployment to the "Authorized domains" list
    4. Click through "Save and continue"
  5. Navigate to "APIs & Services > Credentials"
  6. Create a new OAuth 2.0 Client ID: "Create Credentials > OAuth client ID > Application type > Web application"
    1. Specify application name
    2. Add the Kublr Google auth URL, in the form https://{KCP-address}/auth/realms/demo-app/broker/google/endpoint (for example https://my-kcp.example.com/auth/realms/demo-app/broker/google/endpoint), to the list of "Authorized redirect URIs".
      Google compares redirect URIs exactly (scheme, host and path, including any trailing slash), so copy the URL precisely.
    3. Click "Save"; the client ID and client secret will be displayed.
      They will be needed later to configure Kublr Keycloak.
      The client ID and secret can also be viewed later in the client details screen.


Setting up Kublr Keycloak

  1. Open Keycloak Administration Console, for example via Kublr UI "Sys. Cluster > Keycloak" link
  2. Create a new Google identity provider in the admin console "Identity Providers > Add provider... > Google"
  3. In the provider creation screen note the "Redirect URI" value.
    Check that it is identical to the "Authorized redirect URI" specified in the Google client settings in step 6.2 above; any difference (scheme, host, realm name, trailing slash) results in a "redirect_uri_mismatch" error from Google at login time.
  4. Put the Google client's ID and secret in the "Client ID" and "Client Secret" fields respectively.
  5. Click "Save"
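The two procedures above are carried out in the Google console and Keycloak admin console by hand. The following script, an added example that is not Kublr's or Keycloak's own code, covers the same setup in an automatable and checkable form: it derives the broker redirect URI that Keycloak will show (the value that must appear in the Google client's authorized redirect URIs), diagnoses the common mismatches, builds the identity-provider representation that the Keycloak Admin REST API (and kcadm.sh) accept, and can post it to Keycloak. The KCP address, realm name "demo-app", the client ID/secret and the hosted domain used in the demo at the bottom are assumed placeholder values; the REST paths and JSON field names are those of the standard Keycloak Admin API.

```python
"""Google identity provider setup for Keycloak, as code.

Added example (not Kublr or Keycloak project code). The KCP address, realm,
client ID, client secret and hosted domain used below are placeholders.
"""
import json
import urllib.parse
import urllib.request


def broker_redirect_uri(keycloak_base, realm, alias="google"):
    """Redirect URI Keycloak shows on the 'Add provider' screen.

    keycloak_base is the URL Keycloak is served under, including Kublr's
    /auth prefix, e.g. https://my-kcp.example.com/auth (assumed value).
    """
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def check_redirect_uris(expected, google_authorized):
    """Compare Keycloak's redirect URI with the Google client's
    'Authorized redirect URIs'. Returns a list of problems; empty means OK.

    Google matches redirect URIs exactly, so each near-miss is explained
    rather than silently accepted.
    """
    if expected in google_authorized:
        return []
    problems = [f"{expected} is not in the Google client's authorized redirect URIs"]
    exp = urllib.parse.urlsplit(expected)
    for uri in google_authorized:
        got = urllib.parse.urlsplit(uri)
        if got.scheme != exp.scheme:
            problems.append(f"{uri}: scheme differs ({got.scheme} vs {exp.scheme})")
        elif got.netloc != exp.netloc:
            problems.append(f"{uri}: host differs ({got.netloc} vs {exp.netloc})")
        elif got.path.rstrip("/") == exp.path.rstrip("/"):
            problems.append(f"{uri}: differs only by a trailing slash")
        else:
            problems.append(f"{uri}: path differs ({got.path} vs {exp.path})")
    return problems


def google_idp_representation(client_id, client_secret, hosted_domain=None, alias="google"):
    """IdentityProviderRepresentation for POST .../identity-provider/instances
    (the same JSON kcadm.sh sends). Field names are Keycloak's own."""
    config = {"clientId": client_id, "clientSecret": client_secret}
    if hosted_domain:
        # Keycloak's "Hosted Domain" option: only accept Google Workspace
        # accounts from this domain. Use it whenever the Google consent
        # screen is "External", since Google then admits any Google account.
        config["hostedDomain"] = hosted_domain
    return {
        "alias": alias,
        "providerId": "google",
        "enabled": True,
        # False keeps Keycloak's own email verification for brokered users;
        # True would trust the email Google returns without verification.
        "trustEmail": False,
        "storeToken": False,  # do not keep Google tokens in the user session
        "config": config,
    }


def admin_token(keycloak_base, username, password):
    """Obtain an admin access token via the master realm's admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{keycloak_base.rstrip('/')}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_identity_provider(keycloak_base, realm, token, representation):
    """Create the provider; Keycloak answers 201 Created on success."""
    req = urllib.request.Request(
        f"{keycloak_base.rstrip('/')}/admin/realms/{realm}/identity-provider/instances",
        data=json.dumps(representation).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed demo values; no network access is performed here.
    base, realm = "https://my-kcp.example.com/auth", "demo-app"
    expected = broker_redirect_uri(base, realm)
    print("Put this in the Google client's Authorized redirect URIs:", expected)
    registered = [expected + "/"]  # a typical copy/paste mistake
    for problem in check_redirect_uris(expected, registered):
        print("redirect URI problem:", problem)
    rep = google_idp_representation("CLIENT_ID", "CLIENT_SECRET", hosted_domain="example.com")
    print(json.dumps(rep, indent=2))
    # To apply for real: token = admin_token(base, "admin", "...");
    # create_identity_provider(base, realm, token, rep)
```

Run it once without credentials to see the exact redirect URI and the JSON body; compare the URI to what the Google console shows before creating anything. The redirect-URI check exists because "redirect_uri_mismatch" is the usual failure of this setup and the offending difference is often only a scheme or trailing slash.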


Testing

Test by opening the Kublr KCP URL in a private browsing window; verify that the Google IdP button is visible on the login screen and that users can log in with their Google accounts. Also verify the negative case: a Google account outside your organization (for "Internal" user type) or outside the configured hosted domain must be refused.