First, start and configure Keycloak as the OIDC authentication provider.
mkdir -m 777 ./keycloak-data
docker compose up -d keycloakThe settings for the Keycloak admin user are defined in ./compose.yml as shown below. Edit them if necessary.
environment:
- KEYCLOAK_ADMIN=sio-serv-admin-user
- KEYCLOAK_ADMIN_PASSWORD=sio-serv-admin-passwordNext, open your browser and access http://localhost:8080, then log in using the Keycloak admin user credentials.
First, create a new realm by selecting Create realm.
[Create realm]Realm Name:sio-serv
Next, create a new client under Clients.
[Clients][Create client][General settings]Client type:OpenID ConnectClient ID:sio-serv-appAlways display in UI:On
[Clients][Create client][Capability config]Client authentication:OffAuthorization:OffAuthentication flow:Standard flow
- Notes:
- Since an SPA (Single Page Application) cannot securely store client secrets, configure it as a Public Client (i.e.,
Client authentication: Off). - Proof Key for Code Exchange (PKCE) is automatically supported by Keycloak.
- Since an SPA (Single Page Application) cannot securely store client secrets, configure it as a Public Client (i.e.,
[Clients][Create client][Login settings]Valid redirect URIs:http://localhost:3000/*Valid post logout redirect URIs:http://localhost:3000/*Web origins:http://localhost:3000
Next, in the Advanced settings of the created client, adjust the lifespans of tokens and sessions, and configure the PKCE method.
[Clients][Advanced][Advanced settings]Access Token Lifespan:1 hourClient Session Idle:3 hoursClient Session Max:1 dayClient Offline Session Idle:30 daysProof Key for Code Exchange Code Challenge Method:S256
- Notes:
- Be sure to click the [Save] button below.
Also, create a user for login purposes within the realm.
[Users][Create user]Email verified:OnUsername:sio-serv-dev-userEmail:[email protected]First Name:SioLast Name:Serv
After that, set a password for the user.
[Users]CredentialsPassword:sio-serv-dev-passwordPassword Confirmation:sio-serv-dev-passwordTemporary:Off
Note that the user created here cannot access (or log in to) the current Keycloak Admin Console, as it belongs to a different realm.
The authentication settings for sapporo-service are defined in ./sapporo_config/auth_config.json as shown below.
{
"auth_enabled": true,
"idp_provider": "external",
"sapporo_auth_config": {
"secret_key": "sapporo_secret_key_please_change_this",
"expires_delta_hours": 24,
"users": [
{
"username": "sapporo-dev-user",
"password": "sapporo-dev-password"
}
]
},
"external_config": {
"idp_url": "<http://localhost:8080/realms/sio-serv>",
"jwt_audience": "account",
"client_mode": "public",
"client_id": "sio-serv-app",
"client_secret": "example-client-secret"
}
}If Keycloak is configured as described above, there is no need to edit this configuration.
For more information about this configuration file, please refer to the sapporo-service README: https://github.com/sapporo-wes/sapporo-service?tab=readme-ov-file#authentication.
The authentication settings for sio-serv are defined in ./compose.yml as shown below.
- SIO_SERV_KEYCLOAK_REALM_URL=http://localhost:8080/realms/sio-serv
- SIO_SERV_KEYCLOAK_CLIENT_ID=sio-serv-appOnce these settings are in place, let's start sio-serv and sapporo-service containers:
docker compose up -d --build app sapporo
docker compose exec -d app npm run devOpen your browser and access http://localhost:3000. From the [Sign In] button at the top right, try logging in with sio-serv-dev-user.
If no errors occur, the authentication setup for Keycloak, sio-serv, and sapporo-service is complete.
Currently, sio-serv does not support integration with MinIO, so configuring MinIO is not necessary at this time. You can skip this section.
For reference, a Japanese guide for MinIO configuration can be found at https://hackmd.io/@suecharo/H1I5y65iR.