Configuring Flipt to enable login with Keycloak via OIDC
If you’ve read the Login With Google guide, you will have learned that Flipt supports many methods of authentication for users, so you can control who has access to Flipt.
Keycloak is an open-source identity and access management solution that supports OpenID Connect (OIDC). This guide will serve as a walk-through on how to set up Keycloak for authentication of users of Flipt in your organization.
In this guide, you will learn how to configure Keycloak as an OIDC provider for Flipt.
By the end of this guide, we will have:
For this guide you’re going to need the following:
To set up Keycloak for authentication, you will need to create a new realm, client, and user.
This section of the guide is a simplified version of the Keycloak: Getting Started Docker Guide.
Start Keycloak using Docker:
Access Keycloak at http://localhost:8080 and log in with the admin credentials (admin/admin).
Create a new realm called flipt:

1. Click the Keycloak dropdown in the top-left corner.
2. Click the Create realm button.
3. Enter flipt as the realm name.
4. Click the Create button.

Create a new user called user:

1. Click the Users tab.
2. Click the Create new user button.
3. Enter user as the username and click the Create button.
4. Open the Credentials tab and click Set Password.
5. Set Temporary to OFF so that the user does not need to change their password on the first login.
6. Click Save.

Create a new client called flipt:

1. Click the Clients tab.
2. Click the Create Client button.
3. Make sure OpenID Connect is selected as the client type.
4. Enter flipt as the client ID and click on Next.
5. Make sure Standard flow and Direct access grants are enabled and click on Next.
6. Set Valid Redirect URIs to http://localhost:8081/auth/v1/method/oidc/keycloak/callback.
7. Set Web Origins to http://localhost:8081.
8. Make sure Client authentication is set to ON.
9. Click Save.

Collect the values Flipt will need:

1. In the flipt client, click on the Credentials tab.
2. Note the client ID (flipt). Copy this value and save it for later.
3. Use the Client Secret field to copy the client secret. Save this value for later.
4. Copy the issuer URL from the JSON response. This will be used as the issuer_url in the Flipt configuration.

Now that we have an OIDC client configured in our Keycloak instance, we can begin configuring Flipt to leverage it.
Create config.yml

We’re going to create a configuration file named config.yml in the current directory.

This file will tell Flipt to increase its logging level to the maximum to aid in debugging. We will also set the HTTP port to 8081 to avoid conflicts with Keycloak.

It will also set authentication as required (required = true). This is needed to ensure that Flipt enforces authentication on its APIs, so a credential of some sort must be provided to gain access.
Add the keycloak provider to config.yml

In your config.yml file, add the following configuration in the authentication section to enable the OIDC method and configure the Keycloak provider:
The session domain is required for session-compatible authentication methods. It’s used by Flipt as the domain for storing authentication cookies.

Note that we’ve enabled the oidc method, and it has a section called providers. Each key beneath the providers section is unique and can be whatever you want. However, the name is important as it affects the redirect_url generated for the particular provider.

Each provider section has a consistent structure. You’re required to provide the issuer_url, client_id, client_secret and redirect_address.

The scopes section is optional, and allows Flipt the opportunity to obtain additional details on the authenticating caller (e.g. email and profile picture).
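The following script is an added example, not code from the Flipt project or from this guide. It renders a config.yml with the settings described above (debug logging, HTTP port 8081, authentication required, a session domain, the oidc method with one keycloak provider) and runs two checks that catch the most common misconfigurations: that the callback Flipt derives from redirect_address and the provider key matches a Valid Redirect URI registered in Keycloak, and that issuer_url is an exact string match for the issuer field of the realm's discovery document (OIDC requires an exact match, so a stray trailing slash breaks login). The YAML key names log.level, server.http_port and authentication.session.domain, the way Flipt composes the callback path, and the sample discovery JSON are assumptions; client_id, client_secret, issuer_url, redirect_address and scopes come from the guide.

```python
"""Render Flipt's config.yml for a Keycloak OIDC provider and sanity-check the values."""
import json
from urllib.parse import urlparse

# Constructed sample of the JSON Keycloak serves as a realm's OIDC discovery
# document (only the fields this check needs; the real document carries more).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://localhost:8080/realms/flipt",
    "authorization_endpoint": "http://localhost:8080/realms/flipt/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/realms/flipt/protocol/openid-connect/token",
})

# Key names mirror the settings the guide describes; log.level, server.http_port
# and session.domain are assumed to match Flipt's schema.
CONFIG_TEMPLATE = """\
log:
  level: DEBUG
server:
  http_port: {http_port}
authentication:
  required: true
  session:
    domain: {session_domain}
  methods:
    oidc:
      enabled: true
      providers:
        {provider}:
          issuer_url: "{issuer_url}"
          client_id: "{client_id}"
          client_secret: "{client_secret}"
          redirect_address: "{redirect_address}"
          scopes:
{scope_lines}
"""


def callback_url(redirect_address: str, provider: str) -> str:
    """Derive the callback Flipt registers for a provider key. The path mirrors the
    Valid Redirect URI shown in the guide; how Flipt composes it is assumed here."""
    return f"{redirect_address.rstrip('/')}/auth/v1/method/oidc/{provider}/callback"


def issuer_matches(discovery_json: str, issuer_url: str) -> bool:
    """OIDC discovery requires an exact string match between the configured issuer
    and the document's `issuer` field (scheme, host, port, path, trailing slash)."""
    return json.loads(discovery_json).get("issuer") == issuer_url


def lint(issuer_url, redirect_address, client_secret, valid_redirect_uris, provider):
    """Return human-readable problems; an empty list means the values look consistent."""
    problems = []
    expected = callback_url(redirect_address, provider)
    if expected not in valid_redirect_uris:
        problems.append(f"Keycloak Valid Redirect URIs lacks {expected}")
    # Plain http is fine for this local walk-through only; flag it anywhere else.
    for label, url in (("issuer_url", issuer_url), ("redirect_address", redirect_address)):
        parsed = urlparse(url)
        if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
            problems.append(f"{label} uses plain http outside localhost")
    if not client_secret or client_secret.startswith("<"):
        problems.append("client_secret is empty or still a placeholder")
    return problems


def render_config(provider, issuer_url, client_id, client_secret, redirect_address,
                  scopes=("email", "profile"), http_port=8081):
    """Produce the config.yml text; the session domain is taken from redirect_address."""
    session_domain = urlparse(redirect_address).netloc  # host[:port] for the auth cookie (assumed)
    scope_lines = "\n".join(f"            - {scope}" for scope in scopes)
    return CONFIG_TEMPLATE.format(
        http_port=http_port, session_domain=session_domain, provider=provider,
        issuer_url=issuer_url, client_id=client_id, client_secret=client_secret,
        redirect_address=redirect_address, scope_lines=scope_lines,
    )


if __name__ == "__main__":
    issuer = "http://localhost:8080/realms/flipt"
    redirect = "http://localhost:8081"
    secret = "<client-secret from the Credentials tab>"  # placeholder, not a real value
    for problem in lint(issuer, redirect, secret, [callback_url(redirect, "keycloak")], "keycloak"):
        print("WARNING:", problem)
    print("issuer matches discovery:", issuer_matches(SAMPLE_DISCOVERY, issuer))
    print(render_config("keycloak", issuer, "flipt", secret, redirect))
```

Run it once with your real values before starting Flipt: a non-empty warning list or a False issuer check explains most "redirect_uri invalid" and "issuer mismatch" errors you would otherwise only see in Flipt's debug log. Remember that the rendered file contains the client secret, so keep it out of version control.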
You can now start your Flipt instance using the following command:
Once Flipt has started, you can navigate your browser to the UI and attempt a login with Keycloak.

When you click Login with Keycloak, you should be navigated away to your Keycloak instance to complete the authentication flow.

Once you successfully authenticate with the username/password you created earlier, you should return to Flipt and be logged in.
🎉 Congratulations, you’ve successfully run Flipt and enabled login with Keycloak as the OIDC provider.
Many of the same production considerations from the Login With Google guide apply here. You should follow the same steps to secure your Flipt instance and ensure that only authorized users can access it.
Next, you might want to consider enabling authorization and setting up policies to control who can access what in Flipt. You can learn more about this in the Role-Based Access Control with Keycloak guide.