diff --git a/CHANGELOG.md b/CHANGELOG.md index b87b0fc..3ddfb4a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,27 @@ The main changes made so far are listed here. +## 21-Jan-2026 + +* **Keycloak Integration**: Added Keycloak as the default identity provider for authentication + * Replaced GitLab OAuth with OIDC-based authentication + * New `keycloak` service in `compose.traefik.secure.yml` + * Updated `traefik-forward-auth` to use OIDC provider + * Added persistent volume for Keycloak data +* **Environment Configuration**: Updated `.env.example` with Keycloak-specific variables + * Maintained backward compatibility with GitLab OAuth + * Added comprehensive comments for both authentication methods +* **Documentation**: Created comprehensive setup and migration guides + * [KEYCLOAK_SETUP.md](KEYCLOAK_SETUP.md) - Detailed Keycloak configuration + * [KEYCLOAK_MIGRATION.md](KEYCLOAK_MIGRATION.md) - Migration guide from GitLab + * Updated [CONFIGURATION.md](CONFIGURATION.md) to reference Keycloak + * Updated [TRAEFIK_SECURE.md](TRAEFIK_SECURE.md) with Keycloak instructions +* **Flexibility**: Designed for minimal changes when moving Keycloak external + * Environment variable based configuration + * Easy to switch between internal and external Keycloak + * Can still use GitLab OAuth with minor compose file modifications + + ## Week of 10-Feb-2026 ### Added @@ -77,6 +98,7 @@ The main changes made so far are listed here. ## 15-Dec-2025 + * Adds both ml-workspace and workspace in one docker compose and puts them behind traefik proxy * Based on the KASM core ubuntu image. diff --git a/KEYCLOAK_MIGRATION.md b/KEYCLOAK_MIGRATION.md new file mode 100644 index 0000000..f52cea5 --- /dev/null +++ b/KEYCLOAK_MIGRATION.md @@ -0,0 +1,234 @@ +# Keycloak Integration - Migration Guide + +This document describes the changes made to integrate Keycloak authentication into the DTaaS workspace deployment. + +## What Changed + +The `compose.traefik.secure.yml` file has been updated to use **Keycloak** as the identity provider instead of GitLab OAuth. This provides: + +- ✅ **OIDC Standards Compliance**: Uses OpenID Connect for authentication +- ✅ **Better User Management**: Centralized identity and access management +- ✅ **Flexibility**: Easy to switch between internal and external Keycloak +- ✅ **Enterprise Features**: Support for SSO, MFA, user federation, and more +- ✅ **Backward Compatibility**: Can still use GitLab OAuth with minor configuration changes + +## New Services + +### Keycloak Service + +A new `keycloak` service has been added to the compose file: + +```yaml +keycloak: + image: quay.io/keycloak/keycloak:26.0.7 + # Accessible at http://foo.com/auth + # Provides OIDC authentication +``` + +**Key Features:** +- Runs in development mode (`start-dev`) +- Accessible via Traefik at `/auth` path +- Persistent data storage with Docker volume +- Configurable via environment variables + +## Modified Services + +### traefik-forward-auth + +Updated to use OIDC provider instead of generic OAuth: + +**Before:** +```yaml +environment: + - DEFAULT_PROVIDER=generic-oauth + - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${OAUTH_URL}/oauth/authorize + - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${OAUTH_URL}/oauth/token + - PROVIDERS_GENERIC_OAUTH_USER_URL=${OAUTH_URL}/api/v4/user +``` + +**After:** +```yaml +environment: + - DEFAULT_PROVIDER=oidc + - PROVIDERS_OIDC_ISSUER_URL=${KEYCLOAK_ISSUER_URL} + - PROVIDERS_OIDC_CLIENT_ID=${KEYCLOAK_CLIENT_ID} + - PROVIDERS_OIDC_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET} +``` + +## Configuration Files Updated + +### 1. `compose.traefik.secure.yml` + +- Added `keycloak` service +- Updated `traefik-forward-auth` to use OIDC +- Added `keycloak-data` volume for persistence +- Added `depends_on` to ensure Keycloak starts before auth + +### 2. `dtaas/.env.example` + +- Added Keycloak-specific environment variables +- Maintained backward compatibility with GitLab OAuth +- Added comprehensive comments for both authentication methods + +### 3. `CONFIGURATION.md` + +- Updated to reference Keycloak setup as the primary method +- Kept GitLab OAuth instructions as an alternative +- Added link to dedicated Keycloak setup guide + +### 4. `KEYCLOAK_SETUP.md` (New) + +- Comprehensive setup guide for Keycloak +- Step-by-step configuration instructions +- Troubleshooting section +- Production deployment considerations + +## Environment Variables + +### New Required Variables + +```bash +# Keycloak admin credentials +KEYCLOAK_ADMIN=admin +KEYCLOAK_ADMIN_PASSWORD=changeme + +# Keycloak realm and client +KEYCLOAK_REALM=dtaas +KEYCLOAK_CLIENT_ID=dtaas-workspace +KEYCLOAK_CLIENT_SECRET= +KEYCLOAK_ISSUER_URL=http://keycloak:8080/auth/realms/dtaas +``` + +### Deprecated Variables (GitLab OAuth) + +These are no longer used by default but remain for backward compatibility: + +```bash +OAUTH_URL=https://gitlab.com +OAUTH_CLIENT_ID=... +OAUTH_CLIENT_SECRET=... +``` + +### Shared Variables + +```bash +OAUTH_SECRET=... # Still used for session encryption +SERVER_DNS=foo.com +USERNAME1=user1 +USERNAME2=user2 +``` + +## Migration Path + +### Option 1: Use Embedded Keycloak (Default) + +1. Pull the latest changes +2. Update your `.env` file with Keycloak variables +3. Follow [KEYCLOAK_SETUP.md](KEYCLOAK_SETUP.md) +4. Restart services + +### Option 2: Use External Keycloak + +1. Set up Keycloak externally +2. Update `KEYCLOAK_ISSUER_URL` to point to external Keycloak +3. Remove `keycloak` service from compose file (optional) +4. Configure client in external Keycloak +5. Update `.env` with credentials +6. Restart services + +### Option 3: Continue Using GitLab OAuth + +1. Modify `traefik-forward-auth` service in compose file: + ```yaml + environment: + - DEFAULT_PROVIDER=generic-oauth + - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${OAUTH_URL}/oauth/authorize + - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${OAUTH_URL}/oauth/token + - PROVIDERS_GENERIC_OAUTH_USER_URL=${OAUTH_URL}/api/v4/user + - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID} + - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} + - PROVIDERS_GENERIC_OAUTH_SCOPE=read_user + ``` +2. Remove `keycloak` service from compose file +3. Keep your existing `.env` configuration + +## Benefits of This Design + +### Minimal Changes for External Keycloak + +The configuration uses environment variables that make it easy to switch from embedded to external Keycloak: + +```bash +# Internal (default) +KEYCLOAK_ISSUER_URL=http://keycloak:8080/auth/realms/dtaas + +# External (just change the URL) +KEYCLOAK_ISSUER_URL=https://keycloak.company.com/auth/realms/dtaas +``` + +No compose file changes needed! + +### Standard OIDC Implementation + +Using standard OIDC means: +- Compatible with any OIDC provider (not just Keycloak) +- Could switch to Okta, Auth0, Azure AD, etc. with just env var changes +- Following security best practices +- Better token management and refresh + +### Container Isolation + +- Keycloak runs in its own container +- Can be removed/replaced without affecting other services +- Data persisted in Docker volume +- Easy to backup and restore + +## Testing the Setup + +After deploying the changes: + +1. **Check services are running:** + ```bash + docker compose -f compose.traefik.secure.yml ps + ``` + +2. **Verify Keycloak is accessible:** + ```bash + curl -I http://foo.com/auth + # Should return 200 OK + ``` + +3. **Test authentication flow:** + - Navigate to `http://foo.com/` + - Should redirect to Keycloak login + - Login with created user + - Should redirect back to application + +4. **Check logs if issues occur:** + ```bash + docker compose -f compose.traefik.secure.yml logs keycloak + docker compose -f compose.traefik.secure.yml logs traefik-forward-auth + ``` + +## Production Considerations + +Before deploying to production: + +1. ✅ Use HTTPS (switch to `compose.traefik.secure.tls.yml`) +2. ✅ Change default Keycloak admin password +3. ✅ Use external Keycloak instance +4. ✅ Configure Keycloak with proper database (PostgreSQL/MySQL) +5. ✅ Set up proper backup strategy for Keycloak data +6. ✅ Configure Keycloak realm with appropriate security policies +7. ✅ Set `INSECURE_COOKIE=false` in traefik-forward-auth +8. ✅ Use strong client secrets +9. ✅ Enable MFA for users +10. ✅ Regular security audits + +## References + +- [KEYCLOAK_SETUP.md](KEYCLOAK_SETUP.md) - Detailed setup instructions +- [CONFIGURATION.md](CONFIGURATION.md) - General configuration guide +- [Keycloak Documentation](https://www.keycloak.org/documentation) +- [Traefik Forward Auth](https://github.com/thomseddon/traefik-forward-auth) +- [OIDC Specification](https://openid.net/specs/openid-connect-core-1_0.html) diff --git a/KEYCLOAK_QUICKREF.md b/KEYCLOAK_QUICKREF.md new file mode 100644 index 0000000..197c070 --- /dev/null +++ b/KEYCLOAK_QUICKREF.md @@ -0,0 +1,128 @@ +# Keycloak Integration - Quick Reference + +## Summary of Changes + +The `compose.traefik.secure.tls.yml` has been updated to use **Keycloak** for authentication instead of GitLab OAuth. + +## What's New + +### 1. New Keycloak Service +- **Image**: `quay.io/keycloak/keycloak:26.0.7` +- **Access**: `https://foo.com/auth` +- **Purpose**: OIDC-based identity provider +- **Storage**: Persistent volume `keycloak-data` + +### 2. Updated Authentication Flow +``` +User → Traefik → Forward Auth → Keycloak (OIDC) → Protected Service +``` + +### 3. New Environment Variables +| Variable | Purpose | Example | +|----------|---------|---------| +| `KEYCLOAK_ADMIN` | Admin username | `admin` | +| `KEYCLOAK_ADMIN_PASSWORD` | Admin password | `changeme` | +| `KEYCLOAK_REALM` | Realm name | `dtaas` | +| `KEYCLOAK_CLIENT_ID` | OIDC client ID | `dtaas-workspace` | +| `KEYCLOAK_CLIENT_SECRET` | OIDC client secret | `` | +| `KEYCLOAK_ISSUER_URL` | OIDC issuer URL | `https://foo.com/auth/realms/dtaas` | + +## Quick Setup + +### Step 1: Configure Environment +```bash +cp dtaas/.env.example dtaas/.env +# Edit dtaas/.env with Keycloak credentials +``` + +### Step 2: Start Services +```bash +docker compose -f compose.traefik.secure.tls.yml build +docker compose -f compose.traefik.secure.tls.yml --env-file dtaas/.env up -d +``` + +### Step 3: Setup Keycloak (First Time Only) +1. Go to `https://foo.com/auth` +2. Login with admin credentials +3. Create realm: `dtaas` +4. Create client: `dtaas-workspace` (OIDC, confidential) +5. Set redirect URIs: `https://foo.com/_oauth/*` +6. Copy client secret to `.env` +7. Create users in Keycloak +8. Restart services + +### Step 4: Test +Navigate to `https://foo.com/` and login with Keycloak user. + +## Key Benefits + +✅ **Standards-Based**: Uses OIDC/OAuth2 standards +✅ **Flexible**: Easy to switch to external Keycloak +✅ **Enterprise-Ready**: Supports SSO, MFA, user federation +✅ **Minimal Changes**: Environment-variable based configuration +✅ **Backward Compatible**: Can still use GitLab OAuth + +## Migration Paths + +### Use External Keycloak +Just change `KEYCLOAK_ISSUER_URL` in `.env`: +```bash +KEYCLOAK_ISSUER_URL=https://foo.com/auth/realms/dtaas +``` + +### Revert to GitLab OAuth +Modify `traefik-forward-auth` in compose file: +```yaml +environment: + - DEFAULT_PROVIDER=generic-oauth + - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${OAUTH_URL}/oauth/authorize + - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${OAUTH_URL}/oauth/token + - PROVIDERS_GENERIC_OAUTH_USER_URL=${OAUTH_URL}/api/v4/user + - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID} + - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} +``` + +## Documentation + +- 📖 [KEYCLOAK_SETUP.md](KEYCLOAK_SETUP.md) - Complete setup guide +- 🔄 [KEYCLOAK_MIGRATION.md](KEYCLOAK_MIGRATION.md) - Migration details +- ⚙️ [CONFIGURATION.md](CONFIGURATION.md) - Configuration reference +- 🔐 [TRAEFIK_SECURE.md](TRAEFIK_SECURE.md) - Traefik with auth + +## Troubleshooting + +### Cannot access Keycloak +```bash +docker compose -f compose.traefik.secure.tls.yml logs keycloak +``` + +### Authentication issues +```bash +docker compose -f compose.traefik.secure.tls.yml logs traefik-forward-auth +``` + +### Check all services +```bash +docker compose -f compose.traefik.secure.tls.yml ps +``` + +## Production Checklist + +- [ ] Use HTTPS (compose.traefik.secure.tls.yml) +- [ ] Change Keycloak admin password +- [ ] Use external Keycloak instance +- [ ] Configure Keycloak with proper database +- [ ] Set `INSECURE_COOKIE=false` +- [ ] Use strong client secrets +- [ ] Enable MFA for users +- [ ] Regular backups of keycloak-data volume +- [ ] Set log level to INFO or WARN +- [ ] Review security policies + +## Support + +For issues or questions: +1. Check documentation links above +2. Review logs as shown in troubleshooting +3. Verify environment variables in `.env` +4. Check Keycloak client configuration diff --git a/KEYCLOAK_SETUP.md b/KEYCLOAK_SETUP.md new file mode 100644 index 0000000..78453a9 --- /dev/null +++ b/KEYCLOAK_SETUP.md @@ -0,0 +1,270 @@ +# Keycloak Setup Guide for DTaaS + +This guide explains how to configure Keycloak for authentication in the DTaaS workspace deployment using `compose.traefik.secure.tls.yml`. + +## Overview + +The updated configuration uses: +- **Keycloak** as the identity provider (IdP) with OIDC support +- **Traefik Forward Auth** to protect routes using OIDC +- **Traefik** as the reverse proxy + +## Architecture + +``` +User Request → Traefik → Forward Auth → Keycloak (OIDC) + ↓ + Protected Service +``` + +## Prerequisites + +✅ Docker Engine v27 or later +✅ Docker Compose +✅ Port 80 available on your host +✅ At least 2GB RAM available + +## Quick Start + +### 1. Configure Environment Variables + +Copy the example environment file and update it: + +```bash +cp dtaas/.env.example dtaas/.env +``` + +Edit `dtaas/.env`: + +```bash +# Keycloak Admin Credentials (for initial setup) +KEYCLOAK_ADMIN=admin +KEYCLOAK_ADMIN_PASSWORD=changeme + +# Keycloak Realm +KEYCLOAK_REALM=dtaas + +# Keycloak Client Configuration (will be created in step 2) +KEYCLOAK_CLIENT_ID=dtaas-workspace +KEYCLOAK_CLIENT_SECRET= + +# Server Configuration +SERVER_DNS=foo.com + +# Generate a secure secret for OAuth sessions +OAUTH_SECRET=$(openssl rand -base64 32) + +# Usernames +USERNAME1=user1 +USERNAME2=user2 +``` + +### 2. Start Services + +Build and start all services: + +```bash +docker compose -f compose.traefik.secure.tls.yml build +docker compose -f compose.traefik.secure.tls.yml --env-file dtaas/.env up -d +``` + +### 3. Configure Keycloak + +#### Access Keycloak Admin Console + +1. Navigate to `https://foo.com/auth` +2. Click on "Administration Console" +3. Login with credentials from your `.env` file (default: admin/admin) + +#### Create a Realm + +1. In the top-left dropdown (currently showing "Master"), click "Create Realm" +2. **Realm name**: `dtaas` (or match your `KEYCLOAK_REALM` in .env) +3. Click "Create" + +#### Create a Client + +1. In the left sidebar, click "Clients" +2. Click "Create client" +3. Configure the client: + - **Client type**: OpenID Connect + - **Client ID**: `dtaas-workspace` (match `KEYCLOAK_CLIENT_ID` in .env) + - Click "Next" + +4. **Capability config**: + - ✅ Client authentication: ON + - ✅ Authorization: OFF + - **Authentication flow**: Check "Standard flow" + - Click "Next" + +5. **Login settings**: + - **Root URL**: `https://foo.com` + - **Valid redirect URIs**: + - `https://foo.com/_oauth/*` + - `https://foo.com/*` + - **Valid post logout redirect URIs**: `https://foo.com/*` + - **Web origins**: `https://foo.com` + - Click "Save" + +6. **Get the Client Secret**: + - Go to the "Credentials" tab + - Copy the "Client secret" value + - Update `KEYCLOAK_CLIENT_SECRET` in your `.env` file + +#### Create Users + +1. In the left sidebar, click "Users" +2. Click "Create new user" +3. Fill in user details: + - **Username**: `user1` (or your desired username) + - **Email**: user's email (optional) + - **First name** and **Last name**: optional + - ✅ Email verified: ON (optional, for testing) +4. Click "Create" + +5. **Set Password**: + - Go to the "Credentials" tab + - Click "Set password" + - Enter a password + - ⚠️ Temporary: OFF (so users don't need to change it on first login) + - Click "Save" + +6. Repeat for additional users (user2, etc.) + +### 4. Restart Services + +After configuring Keycloak, restart the services to apply the new client secret: + +```bash +docker compose -f compose.traefik.secure.tls.yml --env-file dtaas/.env down +docker compose -f compose.traefik.secure.tls.yml --env-file dtaas/.env up -d +``` + +### 5. Test Authentication + +1. Navigate to `https://foo.com/` +2. You should be redirected to Keycloak login +3. Login with one of the users you created +4. You should be redirected back to the DTaaS interface + +## Access Control Configuration + +To restrict which users can access specific workspaces, edit `dtaas/conf`: + +```ini +# Allow only user1 to access /user1 paths +rule.user1_access.action=auth +rule.user1_access.rule=PathPrefix(`/user1`) +rule.user1_access.whitelist = user1@localhost + +# Allow only user2 to access /user2 paths +rule.user2_access.action=auth +rule.user2_access.rule=PathPrefix(`/user2`) +rule.user2_access.whitelist = user2@localhost +``` + +**Note**: The whitelist uses the email address from Keycloak. Adjust accordingly. + +## Production Considerations + +### 1. Use HTTPS + +For production, use `compose.traefik.secure.tls.yml` instead, which includes TLS/HTTPS configuration. + +### 2. External Keycloak + +To use an external Keycloak instance (recommended for production): + +1. Update `KEYCLOAK_ISSUER_URL` in `.env`: + ```bash + KEYCLOAK_ISSUER_URL=https://keycloak.example.com/auth/realms/dtaas + ``` + +2. Remove the `keycloak` service from `compose.traefik.secure.tls.yml` (optional): + - Comment out or delete the entire `keycloak` service section + - Remove `keycloak` from `depends_on` in `traefik-forward-auth` + - Remove the `keycloak-data` volume + +3. Update client redirect URIs in Keycloak to use your production domain + +### 3. Secure Credentials + +- Change default Keycloak admin password +- Use strong client secrets +- Store secrets securely (use Docker secrets or external secret managers) +- Rotate secrets regularly + +### 4. Database Backend + +For production, configure Keycloak with a proper database (PostgreSQL, MySQL): + +```yaml +keycloak: + environment: + - KC_DB=postgres + - KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak + - KC_DB_USERNAME=keycloak + - KC_DB_PASSWORD=secure_password +``` + +## Troubleshooting + +### Cannot Access Keycloak Admin Console + +- Ensure the Keycloak service is running: `docker compose ps` +- Check Keycloak logs: `docker compose logs keycloak` +- Verify port 80 is accessible + +### Authentication Loop/Redirect Issues + +- Verify `KEYCLOAK_ISSUER_URL` matches the realm name +- Check that redirect URIs in Keycloak client include `/_oauth/*` +- Ensure `COOKIE_DOMAIN` matches your domain +- Clear browser cookies and try again + +### "Invalid Client" Error + +- Verify `KEYCLOAK_CLIENT_ID` matches the client ID in Keycloak +- Ensure `KEYCLOAK_CLIENT_SECRET` is correct +- Check that client authentication is enabled + +### Forward Auth Not Working + +- Check traefik-forward-auth logs: `docker compose logs traefik-forward-auth` +- Verify environment variables are set correctly +- Ensure Keycloak is accessible from the traefik-forward-auth container + +## Advanced Configuration + +### Custom Claims and Scopes + +To access custom user attributes: + +1. In Keycloak, create client scopes with mappers +2. Assign scopes to the client +3. Configure traefik-forward-auth to request additional scopes + +### Role-Based Access Control (RBAC) + +1. Create roles in Keycloak realm +2. Assign roles to users +3. Use role claims in traefik-forward-auth rules + +### Single Sign-On (SSO) + +Keycloak supports SSO across multiple applications. Configure additional clients for other services in your infrastructure. + +## Migration from GitLab OAuth + +If you're migrating from the previous GitLab OAuth setup: + +1. Backup your current `.env` file +2. Update `.env` with Keycloak configuration +3. Update user whitelist in `dtaas/conf` to use Keycloak usernames/emails +4. Test with a single user before migrating all users + +## References + +- [Keycloak Documentation](https://www.keycloak.org/documentation) +- [Traefik Forward Auth](https://github.com/thomseddon/traefik-forward-auth) +- [OIDC Specification](https://openid.net/specs/openid-connect-core-1_0.html) diff --git a/OLD_CONF.md b/OLD_CONF.md new file mode 100644 index 0000000..249dbcb --- /dev/null +++ b/OLD_CONF.md @@ -0,0 +1,167 @@ +# ⚙️ DTaaS Configuration + +This document outlines the configuration needed for docker compose files. +Not all parts of the configuration are required by the compose files. +Here is a mapping of the sections needed for the configuration files. + +- `compose.traefik.yml`: [user directories](#-create-user-directories) +- `compose.traefik.secure.yml`: [user directories](#-create-user-directories), + [Keycloak Setup](#-keycloak-authentication-setup-recommended), + [client OAuth2](#client-oauth2-setup), + [env file](#configure-environment-variables) +- `compose.traefik.secure.tls.yml`: [user directories](#-create-user-directories), + [Keycloak Setup](#-keycloak-authentication-setup-recommended), + [client OAuth2](#client-oauth2-setup), + [traefik forward auth](#traefik-forward-auth-configuration), + [env file](#configure-environment-variables) + +## 📁 Create User Directories + +The compose files need user directories in `persistent_dir`. +Copy existing `user1` directory and paste as two new directories +with usernames selected for your case. These usernames are mentioned as +`USERNAME1` and `USERNAME2` in the docker compose files. + +## 🔑 Authentication Setup + +### 🎯 Keycloak Authentication Setup (Recommended) + +The default configuration for `compose.traefik.secure.yml` now uses **Keycloak** +for authentication via OIDC (OpenID Connect). Keycloak provides a robust, +enterprise-grade identity and access management solution. + +**For detailed Keycloak setup instructions, see [KEYCLOAK_SETUP.md](KEYCLOAK_SETUP.md)** + +Quick overview: +1. Start services with `docker compose -f compose.traefik.secure.yml up -d` +2. Access Keycloak at `http://localhost/auth` +3. Create a realm and OIDC client +4. Create users in Keycloak +5. Update `.env` with client credentials + +### 🔄 GitLab OAuth2 Configuration (Legacy/Alternative) + +If you prefer to use GitLab instead of Keycloak, you can modify the +`traefik-forward-auth` service configuration in the compose file. + +#### Server OAuth2 Setup + +This setup uses traefik-forward-auth with OAuth2 for authentication. You'll +need to configure an OAuth2 application with your provider. + +1. Go to your GitLab instance → Edit Profile Settings → Applications +2. Create a new application with: + - **Name**: DTaaS Workspace + - **Redirect URI**: `https://yourdomain.com/_oauth` + - **Scopes**: `read_user` +3. Save the **Application ID** and **Secret** + +These values are used later in `dtaas/.env` file. + +### Client OAuth2 Setup + +In addition, the DTaaS web client uses OAuth2 authorization as well. +It needs a client application. + +1. Go to your GitLab instance → Edit Profile Settings → Applications +2. Create a new OAuth App with: + - **Application name**: DTaaS Workspace + - **Homepage URL**: `https://yourdomain.com` + - **Authorization callback URL**: `https://yourdomain.com/Library` + - **Scopes**: `openid`, `profile`, `read_user`, `read_repository`, `api` +3. Save the **Client ID** + +Create and update the DTaaS web client configuration. + +```bash +cp dtaas/client.js.example dtaas/client.js +``` + +Update the `REACT_APP_CLIENT_ID` with the **Client ID** generated above +and `REACT_APP_AUTH_AUTHORITY` with URL of your GitLab instance, for example +`https://gitlab.com`. + +### Configure Environment Variables + +1. Copy the example environment file: + + ```bash + cp dtaas/.env.example dtaas/.env + ``` + +2. **For Keycloak (default)**, edit `dtaas/.env` and fill in your Keycloak credentials: + + ```bash + # Keycloak Admin Credentials + KEYCLOAK_ADMIN=admin + KEYCLOAK_ADMIN_PASSWORD=changeme + + # Keycloak Realm + KEYCLOAK_REALM=dtaas + + # Keycloak Client Credentials (obtain from Keycloak after creating client) + KEYCLOAK_CLIENT_ID=dtaas-workspace + KEYCLOAK_CLIENT_SECRET=your_client_secret_here + + # Keycloak Issuer URL + KEYCLOAK_ISSUER_URL=http://keycloak:8080/auth/realms/dtaas + + # Secret key for encrypting OAuth session data + # Generate a random string (at least 16 characters) + OAUTH_SECRET=$(openssl rand -base64 32) + ``` + + **For GitLab OAuth (alternative)**, edit `dtaas/.env`: + + ```bash + # Your GitLab instance URL (without trailing slash) + # Example: https://gitlab.com or https://gitlab.example.com + OAUTH_URL=https://gitlab.com + + # OAuth Application Client ID + # Obtained when creating the OAuth application in GitLab + OAUTH_CLIENT_ID=your_application_id_here + + # OAuth Application Client Secret + # Obtained when creating the OAuth application in GitLab + OAUTH_CLIENT_SECRET=your_secret_here + + # Secret key for encrypting OAuth session data + # Generate a random string (at least 16 characters) + # Example: openssl rand -base64 32 + OAUTH_SECRET=your_random_secret_key_here + ``` + +3. Generate a secure random secret: + + ```bash + openssl rand -base64 32 + ``` + + Use the output as your `OAUTH_SECRET` value. + +4. (OPTIONAL) Update the USERNAME variables in .env, replacing the defaults with + your desired usernames. + + ```bash + # Username Configuration + # These usernames will be used as path prefixes for user workspaces + # Example: http://localhost/user1, http://localhost/user2 + USERNAME1=user1 + USERNAME2=user2 + ``` + +### Traefik Forward Auth Configuration + +The `dtaas/conf.example` contains example configuration for forward-auth service. +Copy it and update it with the chosen usernames and their email addresses. + +```txt +rule.user1_access.action=auth +rule.user1_access.rule=PathPrefix(`/user1`) +rule.user1_access.whitelist = user1@localhost + +rule.user2_access.action=auth +rule.user2_access.rule=PathPrefix(`/user2`) +rule.user2_access.whitelist = user2@localhost +``` diff --git a/workspaces/Dockerfile.ubuntu.noble.gnome b/workspaces/Dockerfile.ubuntu.noble.gnome index 761fc55..e3ce7b4 100644 --- a/workspaces/Dockerfile.ubuntu.noble.gnome +++ b/workspaces/Dockerfile.ubuntu.noble.gnome @@ -22,12 +22,12 @@ WORKDIR $HOME COPY ./src/install/ ${INST_DIR} COPY ./src/admin/ ${ADMIN_DIR} -RUN bash ${INST_DIR}/firefox/install_firefox.sh && \ - bash ${INST_DIR}/nginx/install_nginx.sh && \ - bash ${INST_DIR}/vscode/install_vscode_server.sh && \ - bash ${INST_DIR}/jupyter/install_jupyter.sh && \ - bash ${INST_DIR}/admin/install_admin.sh && \ - bash ${INST_DIR}/dtaas_cleanup.sh +RUN bash ${INST_DIR}/firefox/install_firefox.sh +RUN bash ${INST_DIR}/nginx/install_nginx.sh +RUN bash ${INST_DIR}/vscode/install_vscode_server.sh +RUN bash ${INST_DIR}/jupyter/install_jupyter.sh +RUN bash ${INST_DIR}/admin/install_admin.sh +RUN bash ${INST_DIR}/dtaas_cleanup.sh COPY ./src/startup/ ${STARTUPDIR} diff --git a/workspaces/src/install/firefox/install_firefox.sh b/workspaces/src/install/firefox/install_firefox.sh index f22bf45..728ea8c 100644 --- a/workspaces/src/install/firefox/install_firefox.sh +++ b/workspaces/src/install/firefox/install_firefox.sh @@ -20,7 +20,7 @@ Pin: release o=LP-PPA-mozillateam Pin-Priority: 1001 ' > /etc/apt/preferences.d/mozilla-firefox fi -DEBIAN_FRONTEND=noninteractive apt-get install -y firefox p11-kit-modules +DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y -o Acquire::ForceIPv4=true firefox p11-kit-modules # Update firefox to utilize the system certificate store instead of the one that ships with firefox rm -f /usr/lib/firefox/libnssckbi.so diff --git a/workspaces/src/install/jupyter/install_jupyter.sh b/workspaces/src/install/jupyter/install_jupyter.sh index 78f772c..a5b08c5 100644 --- a/workspaces/src/install/jupyter/install_jupyter.sh +++ b/workspaces/src/install/jupyter/install_jupyter.sh @@ -3,7 +3,7 @@ set -xe # Installs Jupyter and Python3 -DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \ +DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install --no-install-recommends -y \ python3 \ python3-pip diff --git a/workspaces/test/dtaas/TRAEFIK_SECURE.md b/workspaces/test/dtaas/TRAEFIK_SECURE.md index 0f76032..f898bb2 100644 --- a/workspaces/test/dtaas/TRAEFIK_SECURE.md +++ b/workspaces/test/dtaas/TRAEFIK_SECURE.md @@ -1,22 +1,22 @@ -# Workspace with Traefik Forward Auth (OAuth2 Security) +# Workspace with Traefik Forward Auth (OIDC/Keycloak Security) This guide explains how to use the workspace container with Traefik reverse proxy -and OAuth2 authentication via traefik-forward-auth for secure multi-user deployments +and OIDC authentication via Keycloak and traefik-forward-auth for secure multi-user deployments in the DTaaS installation. ## ❓ Prerequisites -✅ Docker Engine v27 or later -✅ Sufficient system resources (at least 1GB RAM per workspace instance) +✅ Docker Engine v27 or later +✅ Sufficient system resources (at least 2GB RAM - includes Keycloak) ✅ Port 80 available on your host machine -✅ GitLab OAuth Application configured (see setup below) ## 🗒️ Overview The `compose.traefik.secure.yml` file sets up: - **Traefik** reverse proxy on port 80 -- **traefik-forward-auth** for OAuth2 authentication with GitLab +- **Keycloak** identity provider with OIDC support +- **traefik-forward-auth** for OIDC authentication - **client** - DTaaS web interface - **user1** workspace using the workspace image - **user2** workspace using the mltooling/ml-workspace-minimal image @@ -25,7 +25,8 @@ The `compose.traefik.secure.yml` file sets up: ## ⚙️ Initial Configuration Please follow the steps in [`CONFIGURATION.md`](CONFIGURATION.md) -for the `compose.traefik.secure.yml` composition before building +for the `compose.traefik.secure.yml` composition AND the setip instructions +for Keycloak in [`KEYCLOAK_SETUP.md`](KEYCLOAK_SETUP.md) before building the workspace and running the setup. ### Create Workspace Files @@ -45,7 +46,7 @@ sudo chown -R 1000:100 workspaces/test/dtaas/files ## :rocket: Start Services -To start all services (Traefik, auth, client, and workspaces):: +To start all services (Traefik, Keycloak, auth, client, and workspaces): ```bash docker compose -f workspaces/test/dtaas/compose.traefik.secure.yml --env-file workspaces/test/dtaas/config/.env up -d @@ -54,21 +55,42 @@ docker compose -f workspaces/test/dtaas/compose.traefik.secure.yml --env-file wo This will: 1. Start the Traefik reverse proxy on port 80 -2. Start traefik-forward-auth for OAuth2 authentication -3. Start the DTaaS web client interface -4. Start workspace instances for both users +2. Start Keycloak identity provider at `/auth` +3. Start traefik-forward-auth for OIDC authentication +4. Start the DTaaS web client interface +5. Start workspace instances for both users + +**Note**: First-time startup may take a few minutes for Keycloak to initialize. + +## :gear: Configure Keycloak + +After starting the services, you need to configure Keycloak. See [KEYCLOAK_SETUP.md](KEYCLOAK_SETUP.md) for detailed instructions. + +Quick steps: +1. Access Keycloak at `http://foo.com/auth` +2. Login with admin credentials from `.env` +3. Create a realm named `dtaas` (or match your `KEYCLOAK_REALM`) +4. Create an OIDC client named `dtaas-workspace` +5. Create users in Keycloak +6. Update `.env` with the client secret +7. Restart services ## :technologist: Accessing Workspaces -Once all services are running, access the workspaces through Traefik at `http://localhost`. +Once all services are running and Keycloak is configured, access them through Traefik at `http://localhost`. ### Initial Access 1. Navigate to `http://localhost` in your web browser -2. You will be redirected to GitLab for authentication -3. Log in with your GitLab credentials -4. Authorize the DTaaS Workspace application -5. You will be redirected back to the DTaaS web interface +2. You will be redirected to Keycloak for authentication +3. Log in with a user you created in Keycloak +4. You will be redirected back to the DTaaS web interface + +### Keycloak Admin Console + +- **URL**: `http://localhost/auth` +- Access to manage users, roles, clients, and authentication settings +- Login with `KEYCLOAK_ADMIN` credentials from `.env` ### DTaaS Web Client @@ -200,17 +222,43 @@ cp -r workspaces/test/dtaas/files/user1 workspaces/test/dtaas/files/user3 ### Using a Different OAuth Provider -traefik-forward-auth supports multiple OAuth providers. To use a different -provider: +traefik-forward-auth supports multiple OAuth providers including GitLab, Google, Okta, and generic OAuth2. + +**To use GitLab instead of Keycloak:** -1. Update the `DEFAULT_PROVIDER` in the traefik-forward-auth service -2. Adjust the OAuth URLs accordingly -3. Update the scope as needed for your provider +1. Update the traefik-forward-auth environment in `compose.traefik.secure.yml`: + ```yaml + environment: + - DEFAULT_PROVIDER=generic-oauth + - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${OAUTH_URL}/oauth/authorize + - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${OAUTH_URL}/oauth/token + - PROVIDERS_GENERIC_OAUTH_USER_URL=${OAUTH_URL}/api/v4/user + - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID} + - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} + - PROVIDERS_GENERIC_OAUTH_SCOPE=read_user + ``` +2. Remove the `keycloak` service from the compose file +3. Configure GitLab OAuth application (see [CONFIGURATION.md](CONFIGURATION.md)) +4. Update `.env` with GitLab OAuth credentials -See the [traefik-forward-auth documentation][tfa-docs] for details. +See [traefik-forward-auth documentation][tfa-docs] for other providers. [tfa-docs]: https://github.com/thomseddon/traefik-forward-auth +### Using External Keycloak + +To use an external Keycloak instance instead of the embedded one: + +1. Update `KEYCLOAK_ISSUER_URL` in `.env`: + ```bash + KEYCLOAK_ISSUER_URL=https://keycloak.example.com/auth/realms/dtaas + ``` +2. Remove the `keycloak` service from compose file (optional) +3. Configure the client in your external Keycloak +4. Update `.env` with client credentials + +**Minimal changes required!** + ## :shield: Security Considerations ### Current Setup (Development/Testing) @@ -227,45 +275,69 @@ For setting up a composition that includes TLS/HTTPS, see [TRAEFIK_TLS.md](./TRA ## 🔍 Troubleshooting +### Keycloak Not Accessible + +1. Check Keycloak is running: + ```bash + docker compose -f compose.traefik.secure.yml ps keycloak + ``` + +2. Check Keycloak logs: + ```bash + docker compose -f compose.traefik.secure.yml logs keycloak + ``` + +3. Wait for Keycloak to fully start (first startup can take 1-2 minutes) + ### Authentication Loop If you're stuck in an authentication loop: 1. Clear browser cookies for localhost 2. Check that `OAUTH_SECRET` is set and consistent -3. Verify GitLab OAuth redirect URL matches your setup +3. Verify Keycloak client redirect URI matches `http://localhost/_oauth/*` +4. Check traefik-forward-auth logs for errors +5. Ensure `KEYCLOAK_ISSUER_URL` is correct ### Services Not Accessible 1. Check all services are running: - ```bash docker compose -f workspaces/test/dtaas/compose.traefik.secure.yml ps ``` 2. Check Traefik logs: - ```bash docker compose -f workspaces/test/dtaas/compose.traefik.secure.yml logs traefik ``` 3. Check traefik-forward-auth logs: - ```bash docker compose -f workspaces/test/dtaas/compose.traefik.secure.yml logs traefik-forward-auth ``` -### OAuth Errors +### OIDC/OAuth Errors -If you see OAuth errors: +If you see OIDC errors: 1. Verify all environment variables in `.env` are correct -2. Check GitLab OAuth application settings -3. Ensure redirect URI matches exactly (including protocol and path) +2. Check Keycloak client settings (client ID, secret, redirect URIs) +3. Ensure Keycloak realm name matches `KEYCLOAK_REALM` +4. Verify client authentication is enabled in Keycloak +5. Check that the issuer URL is accessible from the traefik-forward-auth container + +### "Invalid Client" Error + +- Verify `KEYCLOAK_CLIENT_SECRET` matches the value in Keycloak +- Ensure client authentication is enabled in Keycloak client settings ## 📚 Additional Resources +- [KEYCLOAK_SETUP.md](KEYCLOAK_SETUP.md) - Detailed Keycloak setup guide +- [KEYCLOAK_MIGRATION.md](KEYCLOAK_MIGRATION.md) - Migration guide from GitLab OAuth +- [CONFIGURATION.md](CONFIGURATION.md) - General configuration guide - [Traefik Documentation](https://doc.traefik.io/traefik/) +- [Keycloak Documentation](https://www.keycloak.org/documentation) - [traefik-forward-auth GitHub](https://github.com/thomseddon/traefik-forward-auth) -- [GitLab OAuth Documentation](https://docs.gitlab.com/ee/integration/oauth_provider.html) +- [OIDC Specification](https://openid.net/specs/openid-connect-core-1_0.html) - [DTaaS Documentation](https://github.com/INTO-CPS-Association/DTaaS) diff --git a/workspaces/test/dtaas/compose.traefik.secure.tls.yml b/workspaces/test/dtaas/compose.traefik.secure.tls.yml index ed51ba9..8ed66a8 100644 --- a/workspaces/test/dtaas/compose.traefik.secure.tls.yml +++ b/workspaces/test/dtaas/compose.traefik.secure.tls.yml @@ -23,6 +23,45 @@ services: networks: - frontend - users + depends_on: + keycloak: + condition: service_healthy + + keycloak: + image: quay.io/keycloak/keycloak:26.0.7 + restart: unless-stopped + command: + - "start" + - "--proxy-headers=xforwarded" + - "--hostname-strict=false" + - "--http-relative-path=/auth" + environment: + - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN:-admin} + - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-admin} + - KC_HOSTNAME=${SERVER_DNS:-localhost} + - KC_HOSTNAME_STRICT=false + - KC_PROXY_HEADERS=xforwarded + - KC_HTTP_ENABLED=true + - KC_HTTP_RELATIVE_PATH=/auth + - KC_HOSTNAME_URL=https://${SERVER_DNS:-localhost}/auth + - KC_HOSTNAME_ADMIN_URL=https://${SERVER_DNS:-localhost}/auth + volumes: + - keycloak-data:/opt/keycloak/data + healthcheck: + test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8080 || exit 1"] + interval: 10s + timeout: 5s + retries: 10 + start_period: 60s + labels: + - "traefik.enable=true" + - "traefik.http.routers.keycloak.entryPoints=web-secure" + - "traefik.http.routers.keycloak.rule=Host(`${SERVER_DNS:-localhost}`) && PathPrefix(`/auth`)" + - "traefik.http.routers.keycloak.tls=true" + - "traefik.http.services.keycloak.loadbalancer.server.port=8080" + networks: + - frontend + - users client: image: intocps/dtaas-web:latest @@ -31,6 +70,7 @@ services: - "./config/client.js:/dtaas/client/build/env.js" labels: - "traefik.enable=true" + - "traefik.http.routers.client.entryPoints=web-secure" - "traefik.http.routers.client.rule=Host(`${SERVER_DNS:-localhost}`) && PathPrefix(`/`)" - "traefik.http.routers.client.tls=true" - "traefik.http.routers.client.middlewares=traefik-forward-auth" @@ -51,6 +91,7 @@ services: - "./files/user1:/workspace" labels: - "traefik.enable=true" + - "traefik.http.routers.u1.entryPoints=web-secure" - "traefik.http.routers.u1.rule=Host(`${SERVER_DNS:-localhost}`) && PathPrefix(`/${USERNAME1:-user1}`)" - "traefik.http.routers.u1.tls=true" - "traefik.http.routers.u1.middlewares=traefik-forward-auth" @@ -68,6 +109,7 @@ services: - WORKSPACE_BASE_URL=${USERNAME2:-user2} labels: - "traefik.enable=true" + - "traefik.http.routers.u2.entryPoints=web-secure" - "traefik.http.routers.u2.rule=Host(`${SERVER_DNS:-localhost}`) && PathPrefix(`/${USERNAME2:-user2}`)" - "traefik.http.routers.u2.tls=true" - "traefik.http.routers.u2.middlewares=traefik-forward-auth" @@ -82,29 +124,39 @@ services: - "./config/conf:/conf" environment: - LOG_LEVEL=trace - - DEFAULT_PROVIDER=generic-oauth - - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${OAUTH_URL}/oauth/authorize - - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${OAUTH_URL}/oauth/token - - PROVIDERS_GENERIC_OAUTH_USER_URL=${OAUTH_URL}/api/v4/user - - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID} - - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} - - PROVIDERS_GENERIC_OAUTH_SCOPE=read_user - - SECRET= "${OAUTH_SECRET}" + - DEFAULT_PROVIDER=oidc + - PROVIDERS_OIDC_ISSUER_URL=${KEYCLOAK_ISSUER_URL:-https://${SERVER_DNS:-localhost}/auth/realms/${KEYCLOAK_REALM:-dtaas}} + - PROVIDERS_OIDC_CLIENT_ID=${KEYCLOAK_CLIENT_ID} + - PROVIDERS_OIDC_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET} + - SECRET=${OAUTH_SECRET} + - INSECURE_COOKIE=false - CONFIG=/conf + - AUTH_HOST=${SERVER_DNS:-localhost} + - COOKIE_DOMAIN=${SERVER_DNS:-localhost} + - URL_PATH=/_oauth + - INSECURE_SKIP_VERIFY=true + extra_hosts: + - "${SERVER_DNS:-localhost}:host-gateway" labels: - "traefik.enable=true" - "traefik.http.routers.redirect.entryPoints=web-secure" - "traefik.http.routers.redirect.rule=Host(`${SERVER_DNS:-localhost}`) && PathPrefix(`/_oauth`)" - - "traefik.http.routers.redirect.middlewares=traefik-forward-auth" + - "traefik.http.routers.redirect.tls=true" - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181" - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User" - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181" networks: - frontend - users + depends_on: + keycloak: + condition: service_healthy networks: frontend: name: dtaas-frontend users: name: dtaas-users +volumes: + keycloak-data: + driver: local \ No newline at end of file diff --git a/workspaces/test/dtaas/compose.traefik.secure.yml b/workspaces/test/dtaas/compose.traefik.secure.yml index c2d2f70..b31a705 100644 --- a/workspaces/test/dtaas/compose.traefik.secure.yml +++ b/workspaces/test/dtaas/compose.traefik.secure.yml @@ -30,6 +30,37 @@ services: - frontend - users + keycloak: + image: quay.io/keycloak/keycloak:26.0.7 + restart: unless-stopped + command: + - "start-dev" # DEV ONLY - use 'start' with proper config in production + - "--http-relative-path=/auth" + environment: + - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN:-admin} + - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-admin} + - KC_HOSTNAME=${SERVER_DNS:-localhost} + - KC_HOSTNAME_STRICT=false + - KC_HTTP_ENABLED=true # DEV ONLY - use HTTPS in production + - KC_PROXY_HEADERS=xforwarded # Enable proxy headers for Traefik + - KC_HTTP_RELATIVE_PATH=/auth + volumes: + - keycloak-data:/opt/keycloak/data + healthcheck: + test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8080 || exit 1"] + interval: 10s + timeout: 5s + retries: 10 + start_period: 60s + labels: + - "traefik.enable=true" + - "traefik.http.routers.keycloak.entryPoints=web" + - "traefik.http.routers.keycloak.rule=Host(`${SERVER_DNS:-localhost}`) && PathPrefix(`/auth`)" + - "traefik.http.services.keycloak.loadbalancer.server.port=8080" + networks: + - frontend + - users + traefik-forward-auth: image: thomseddon/traefik-forward-auth:2.2.0 restart: unless-stopped @@ -37,22 +68,19 @@ services: - ./config/conf:/conf environment: - LOG_LEVEL=trace - - DEFAULT_PROVIDER=generic-oauth - - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${OAUTH_URL}/oauth/authorize - - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${OAUTH_URL}/oauth/token - - PROVIDERS_GENERIC_OAUTH_USER_URL=${OAUTH_URL}/api/v4/user - - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID} - - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} - - PROVIDERS_GENERIC_OAUTH_SCOPE=read_user + - DEFAULT_PROVIDER=oidc + - PROVIDERS_OIDC_ISSUER_URL=${KEYCLOAK_ISSUER_URL:-http://keycloak:8080/auth/realms/${KEYCLOAK_REALM:-dtaas}} + - PROVIDERS_OIDC_CLIENT_ID=${KEYCLOAK_CLIENT_ID} + - PROVIDERS_OIDC_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET} - SECRET=${OAUTH_SECRET} - INSECURE_COOKIE=true # DEV ONLY - set to false with HTTPS in production - CONFIG=/conf - AUTH_HOST=${SERVER_DNS:-localhost} - COOKIE_DOMAIN=${SERVER_DNS:-localhost} + - URL_PATH=/_oauth labels: - "traefik.enable=true" - "traefik.http.routers.redirect.entryPoints=web" - # - "traefik.http.routers.redirect.rule=PathPrefix(`/_oauth`)" - "traefik.http.routers.redirect.rule=Host(`${SERVER_DNS:-localhost}`) && PathPrefix(`/_oauth`)" - "traefik.http.routers.redirect.middlewares=traefik-forward-auth" - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181" @@ -61,6 +89,9 @@ services: networks: - frontend - users + depends_on: + keycloak: + condition: service_healthy client: image: intocps/dtaas-web:latest @@ -119,3 +150,6 @@ networks: name: dtaas-frontend users: name: dtaas-users +volumes: + keycloak-data: + driver: local \ No newline at end of file diff --git a/workspaces/test/dtaas/config/.env.example b/workspaces/test/dtaas/config/.env.example index c48cc34..3ef6f8a 100644 --- a/workspaces/test/dtaas/config/.env.example +++ b/workspaces/test/dtaas/config/.env.example @@ -1,6 +1,41 @@ -# OAuth2 Configuration for Traefik Forward Auth +# OAuth2/OIDC Configuration for Traefik Forward Auth # Copy this file to .env and fill in your actual values +# ============================================================================== +# KEYCLOAK CONFIGURATION (Default for compose.traefik.secure.yml) +# ============================================================================== + +# Keycloak Admin Credentials (for initial setup only) +KEYCLOAK_ADMIN=admin +KEYCLOAK_ADMIN_PASSWORD=admin + +# Keycloak Realm Configuration +# The realm name where your application and users are configured +KEYCLOAK_REALM=dtaas + +# Keycloak OIDC Client Configuration +# Create a client in your Keycloak realm with: +# - Client ID: dtaas-workspace +# - Access Type: confidential +# - Valid Redirect URIs: http://localhost/_oauth/* (or your domain) +# - Web Origins: http://localhost (or your domain) +KEYCLOAK_CLIENT_ID=dtaas-workspace +KEYCLOAK_CLIENT_SECRET=your_keycloak_client_secret_here + +# Keycloak Issuer URL +# Format: http://keycloak:8080/auth/realms/{REALM_NAME} +# For internal Docker network communication, use 'keycloak' as hostname +# For external Keycloak, use the full URL (e.g., https://keycloak.example.com/auth/realms/dtaas) +# Prefer external keycloak URL for better compliance with traefik and traefik forward-auth setup. +# Note: Keycloak 26.x is configured with legacy /auth path for compatibility +KEYCLOAK_ISSUER_URL=https://foo.com/auth/realms/dtaas + +# ============================================================================== +# LEGACY GITLAB OAUTH CONFIGURATION (Optional - for backward compatibility) +# ============================================================================== +# Uncomment and configure these if you want to use GitLab instead of Keycloak +# Remember to also update the traefik-forward-auth environment variables in the compose file + # GitLab OAuth Application Configuration # Create an OAuth application in your GitLab instance at: # Settings -> Applications (for personal) or @@ -8,15 +43,19 @@ # Your GitLab instance URL (without trailing slash) # Example: https://gitlab.com or https://gitlab.example.com -OAUTH_URL=https://gitlab.com +# OAUTH_URL=https://gitlab.com # OAuth Application Client ID # Obtained when creating the OAuth application in GitLab -OAUTH_CLIENT_ID=your_client_id_here +# OAUTH_CLIENT_ID=your_gitlab_client_id_here # OAuth Application Client Secret # Obtained when creating the OAuth application in GitLab -OAUTH_CLIENT_SECRET=your_client_secret_here +# OAUTH_CLIENT_SECRET=your_gitlab_client_secret_here + +# ============================================================================== +# SHARED CONFIGURATION +# ============================================================================== # Secret key for encrypting OAuth session data # Generate a random string (at least 16 characters) @@ -25,10 +64,10 @@ OAUTH_SECRET=your_random_secret_key_here # Server Configuration # Replace with your domain name -SERVER_DNS=localhost +SERVER_DNS=https://foo.com # Redirect URL Configuration -# When creating the GitLab OAuth application, set the redirect URL to: +# When creating the OAuth/OIDC application, set the redirect URL to: # http://localhost/_oauth (for local development) # or https://your-domain.com/_oauth (for production)