Install Java 21:

```sh
sudo apt update
sudo apt install openjdk-21-jdk
```

Set `JAVA_HOME` in your `~/.bashrc` file (`vim ~/.bashrc`) by adding this line:

```sh
export JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64
```

Then reload it with `source ~/.bashrc`. Alternatively, set `JAVA_HOME` system-wide in the `/etc/environment` file.

Install PostgreSQL and open a `psql` shell as the `postgres` user:

```sh
sudo apt update && sudo apt upgrade -y
sudo apt install postgresql-14
sudo su postgres
psql
```

Create the Keycloak database user and database:

```sql
CREATE USER keycloak WITH ENCRYPTED PASSWORD 'mystrongandsecurepassword';
CREATE DATABASE keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
```
Download and extract Keycloak (the archive name must match the file you downloaded):

```sh
wget https://github.com/keycloak/keycloak/releases/download/26.0.6/keycloak-26.0.6.tar.gz
sudo tar -xzvf keycloak-26.0.6.tar.gz -C /opt
```

Go to the `/opt/keycloak-26.x.x/conf` folder and set up the following in the `keycloak.conf` file:

```properties
# Database
# The database vendor.
db=postgres
# The username of the database user.
db-username=keycloak
# The password of the database user.
db-password=mystrongandsecurepassword
# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
db-url=jdbc:postgresql://localhost/keycloak
# Changes for SW360
keycloak-admin=admin
keycloak-admin-password=admin
log=console,file
# Should be true for productive
hostname-strict-backchannel=false
hostname-strict-https=false
# Should be false for productive
http-enabled=true
http-port=8083
https-port=8533
```
Start Keycloak from its `bin` folder (use `start-dev` for development mode and `start` for production mode):

```sh
cd /opt/keycloak-26.x.x/bin
./kc.sh start-dev
./kc.sh start
```

To debug the SW360 providers, start Keycloak with debug logging for the SW360 SPI and event listener packages:

```sh
sudo ./kc.sh start-dev --log="console,file" --debug --log-level=INFO,org.eclipse.sw360.keycloak.spi:debug,org.eclipse.sw360.keycloak.event.listener:debug
```
Build and deploy the SW360 Keycloak providers:

```sh
mvn clean install -DskipTests -Dbase.deploy.dir=/opt/apache-tomcat-11.x.x/ -Dlistener.deploy.dir=/opt/keycloak-26.x.x/providers -P deploy
```

The providers are used to read users from the SW360 DB and to register users from Keycloak in the SW360 DB. After deployment, the following jars should be present in `/opt/keycloak-26.x.x/providers/`:

```
commonIO-19.0.0.jar
datahandler-19.0.0.jar
httpcore5-5.2.5.jar
libthrift-0.20.0.jar
spring-security-crypto-6.3.3.jar
sw360-keycloak-event-listener.jar
sw360-keycloak-user-storage-provider.jar
```
The Keycloak providers use thrift clients to connect to the SW360 backend. By default, they expect the thrift server to be listening on `http://localhost:8080`, which is true if Keycloak and the SW360 backend are running on the same server. If they are not, you need to set the thrift client URL by providing an SPI configuration value via Keycloak's configuration provider. If you use `keycloak.conf` to store your configuration, add the following lines to the file:

```properties
spi-events-listener-sw360-add-user-to-couchdb-thrift=http://<thrift-backend-server>:<thrift-backend-port>
spi-storage-sw360-user-storage-jpa-thrift=http://<thrift-backend-server>:<thrift-backend-port>
```

Alternatively, set the equivalent environment variables:

```sh
KC_SPI_EVENTS_LISTENER_SW360_ADD_USER_TO_COUCHDB_THRIFT=http://<thrift-backend-server>:<thrift-backend-port>
KC_SPI_STORAGE_SW360_USER_STORAGE_JPA_THRIFT=http://<thrift-backend-server>:<thrift-backend-port>
```
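The two spellings above (a `keycloak.conf` key and its `KC_*` environment variable) follow Keycloak's general mapping rule: prefix `KC_`, upper case, dashes to underscores. As an added example, not part of the SW360 or Keycloak projects, the following Python linter parses a constructed `keycloak.conf`, derives the environment-variable name for each key, and flags the settings this guide marks as development-only (HTTP enabled, relaxed hostname checks, the default admin password) as well as a thrift backend on a remote host reached over plaintext; the remote hostname is a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample mirroring the keycloak.conf fragment in this guide, with the
# thrift backend moved to a remote host (hostname is a placeholder).
SAMPLE_CONF = """\
# Database
db=postgres
db-url=jdbc:postgresql://localhost/keycloak
keycloak-admin-password=admin
# Should be true for productive
hostname-strict-backchannel=false
hostname-strict-https=false
# Should be false for productive
http-enabled=true
http-port=8083
spi-storage-sw360-user-storage-jpa-thrift=http://sw360-backend.example:8080
"""

def parse_conf(text):
    """Return {key: value} for every non-comment key=value line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def env_name(key):
    """keycloak.conf key -> the KC_* environment variable with the same meaning."""
    return "KC_" + re.sub(r"[^A-Z0-9]", "_", key.upper())

def production_findings(conf):
    """Settings the guide says must change before production use."""
    findings = []
    if conf.get("http-enabled") == "true":
        findings.append("http-enabled must be false for production")
    for key in ("hostname-strict-https", "hostname-strict-backchannel"):
        if conf.get(key) == "false":
            findings.append(f"{key} must be true for production")
    if conf.get("keycloak-admin-password") == "admin":
        findings.append("keycloak-admin-password is still the default 'admin'")
    for key, value in conf.items():
        url = urlparse(value) if key.startswith("spi-") and key.endswith("-thrift") else None
        if url and url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"{key} reaches a remote thrift backend over plaintext http")
    return findings
```

Run `production_findings(parse_conf(open("keycloak.conf").read()))` against a real file to get the same checks before switching from `start-dev` to `start`.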
Log in to the Keycloak admin console (username: `admin`, password: `admin`).

Create a Realm and name it `sw360`.

Get the JWT issuer and key set for the realm: copy the realm's `jwks_uri`, which will look something like `http://localhost:8083/realms/sw360/protocol/openid-connect/certs`, and update `issuer-uri` and `jwk-set-uri` in the backend file at `rest/resource-server/src/main/resources/application.yml` with the copied issuer and `jwks_uri` values. Then reinstall the backend and restart the Tomcat server.
Create a Client in Keycloak:

- Under General settings, enter the Client ID, which will be used in the `.env` file (SW360 Frontend repo) as well as in REST.
- In Capability config, enable Client authentication.
- Go to Login settings and enter the fields below:
  - Home URL: `http://localhost:3000`
  - Valid redirect URIs: `http://localhost:3000/api/auth/callback/keycloak`, `https://oauth.pstmn.io/v1/callback`
  - Valid post logout redirect URIs: `+`
  - Web origins: `*` (this allows any origin; restrict it to the frontend origin for production)
Create Client Scopes: create a `READ` scope by clicking the Create client scope button, and similarly create a `WRITE` scope.

Add the scopes to the client: go to Clients, select your newly created client in the client list, open the Client scopes page and click Add client scope. You will see the `READ` and `WRITE` scopes that need to be added; select both and click Add (default).

Create Groups: go to Groups and create the groups that SW360 uses. Create these 7 groups: `ADMIN`, `CLEARING_ADMIN`, `CLEARING_EXPERT`, `ECC_ADMIN`, `SECURITY_ADMIN`, `SW360_ADMIN`, `USER`.
Create an Attribute: go to Realm settings, then to the User profile page, where a new attribute can be created. Create a new attribute named `Department` and give it the required permissions as shown in the screenshot.

Add the Event Listener: go to the Events page in Realm settings, click the event listeners dropdown and select `sw360-add-user-to-couchdb`.

Access to external databases: go to User federation, select the `sw360-user-storage-jpa` provider, give it a proper name and create the custom provider.

Check Authentication settings: go to Authentication and apply the permissions in Required actions as shown in the screenshot.

Create Users: to create a new user, go to the Users section. Also check whether the user has been created in CouchDB. Set a password for the newly created user by selecting the user and going to the Credentials page.
Azure AD identity provider `azure-foss360` (Login with AzureAD), using the Azure endpoints for your tenant:

- Authorization URL: `https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/authorize`
- Token URL: `https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/token`
- Logout URL: `https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/logout`
- User Info URL: `https://graph.microsoft.com/oidc/userinfo`
- Issuer: `https://login.microsoftonline.com/<your-tenant-id>/v2.0`
- JWKS URL: `https://login.microsoftonline.com/<your-tenant-id>/discovery/v2.0/keys`
- Scopes: `openid profile email`

Select `azure-foss360` (created in the previous section) and click on Save.

Follow the instructions to set up the frontend using Keycloak from the "Version 19.x on Debian 12" guide, section 3.3.3.
The type of authorization will be OAuth 2.0. Enter the details below when creating a new Bearer token:

- Callback URL: `https://oauth.pstmn.io/v1/callback`
- Auth URL: `http://localhost:8083/realms/sw360/protocol/openid-connect/auth`
- Access Token URL: `http://localhost:8083/realms/sw360/protocol/openid-connect/token`
- Client ID and Client Secret: take these from the Keycloak client
- Scope: `openid READ WRITE`