RHDH: How to configure Keycloak as an identity provider for Red Hat Developer Hub
The purpose of this article is to provide a quick guide that shows how to set up Keycloak (RHBK / RHSSO) as an identity provider for Red Hat Developer Hub (RHDH) in testing and development environments. The blog does not seek to provide a production-grade solution, but rather to show how to create a quick integration with a Keycloak identity provider for testing purposes.
The guide is a practical implementation of the documentation at https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.4/html/authentication/assembly-authenticating-with-rhbk
Prerequisites
- OpenShift 4.16
- Keycloak / RHBK / RHSSO
- Red Hat Developer Hub operator 1.4.0 (installed in the rhdh-operator namespace)
Procedure
This section provides the instructions that need to be followed in order to create the integration.
Keycloak
In the Master Realm, create a new Client -
- Client ID: rhdh
- Access Type: confidential
- Valid Redirect URIs: *
- Web Origins: *
Make sure to save the Client Secret from the Credentials tab (the Credentials tab appears after the confidential client has been created).
The resulting client -
In the Master realm, create a user -
- Provide an indicative username.
- Provide an email that correlates to the username.
- Make sure to set the Email Verified field to true.
- Set a password for the user in the Credentials tab.
The resulting user -
Red Hat Developer Hub
This section shows which resources have to be configured in OpenShift in order to allow the Keycloak — RHDH integration. All resources are created in the rhdh-operator namespace for this example.
Create the following dynamic-plugins-rhdh ConfigMap in order to enable the Keycloak plugin:
kind: ConfigMap
apiVersion: v1
metadata:
  name: dynamic-plugins-rhdh
  namespace: rhdh-operator
data:
  dynamic-plugins.yaml: |
    includes:
      - dynamic-plugins.default.yaml
    plugins:
      # Keycloak organization (users/groups) catalog provider
      - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
        disabled: false
Set the following environment variables in the backstage-envs-developer-hub Secret -
The environment variables are described below -
- AUTH_OIDC_BASE_URL — The Keycloak server base URL (e.g. https://<keycloak-server>/auth). The ‘/auth’ path prefix does not exist in newer Keycloak versions.
- AUTH_OIDC_CLIENT_ID — The Client ID used for RHDH (e.g. rhdh, as created in the first section of the article).
- AUTH_OIDC_CLIENT_SECRET — The Client Secret used for RHDH, obtained from the Client page in Keycloak.
- AUTH_OIDC_METADATA_URL — The Keycloak server metadata URL for the configured realm (e.g. https://<keycloak-server>/auth/realms/master/.well-known/openid-configuration). The ‘/auth’ path prefix does not exist in newer Keycloak versions. ‘master’ is the name of the Keycloak Realm.
- KEYCLOAK_USER — A username used to synchronize users from the Keycloak Realm into RHDH (e.g. admin).
- KEYCLOAK_PASSWORD — The password for the user that synchronizes users from the Keycloak Realm into RHDH.
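The two most common mistakes with the variables above are a metadata URL that does not match the base URL (the ‘/auth’ prefix present in one but not the other, or a wrong realm name) and an empty value that was never set in the Secret. The script below is an added example, not code from the article or from Red Hat: it checks the six values against each other and against the realm discovery document, then renders the backstage-envs-developer-hub Secret as a manifest. The hostname keycloak.example.com and the discovery document SAMPLE_METADATA are constructed; with a live server you would pipe the output of curl on AUTH_OIDC_METADATA_URL into it instead.

```python
import json
from urllib.parse import urlparse

# Variable names as listed for the backstage-envs-developer-hub Secret.
REQUIRED_VARS = (
    "AUTH_OIDC_BASE_URL", "AUTH_OIDC_CLIENT_ID", "AUTH_OIDC_CLIENT_SECRET",
    "AUTH_OIDC_METADATA_URL", "KEYCLOAK_USER", "KEYCLOAK_PASSWORD",
)
# Fields the OIDC provider needs from the discovery document.
DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of a realm discovery document from a Keycloak without the
# legacy /auth prefix (the hostname is made up for this example).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://keycloak.example.com/realms/master",
    "authorization_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/realms/master/protocol/openid-connect/certs",
})


def expected_metadata_url(base_url, realm):
    """Discovery URL Keycloak serves for a realm under the given base URL."""
    return f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"


def check_settings(env, realm, metadata_json):
    """Return a list of problems with the values; an empty list means they are consistent.

    metadata_json is the body served at AUTH_OIDC_METADATA_URL, passed in so the
    check runs offline (fetch it with curl when checking a live server).
    """
    problems = [f"{name} is missing or empty" for name in REQUIRED_VARS if not env.get(name)]
    if problems:
        return problems
    base = env["AUTH_OIDC_BASE_URL"].rstrip("/")
    if urlparse(base).scheme != "https":
        problems.append("AUTH_OIDC_BASE_URL is not https: the sync password and OIDC tokens "
                        "would cross the network in clear text")
    want = expected_metadata_url(base, realm)
    if env["AUTH_OIDC_METADATA_URL"] != want:
        problems.append(f"AUTH_OIDC_METADATA_URL should be {want} (check the /auth prefix and the realm name)")
    meta = json.loads(metadata_json)
    problems.extend(f"discovery document has no {key}" for key in DISCOVERY_KEYS if key not in meta)
    issuer = meta.get("issuer")
    if issuer and issuer != f"{base}/realms/{realm}":
        problems.append(f"issuer {issuer} does not match AUTH_OIDC_BASE_URL plus the realm; "
                        "usually one side has the /auth prefix and the other does not")
    return problems


def render_secret(env, name="backstage-envs-developer-hub", namespace="rhdh-operator"):
    """Render the Secret as a manifest for `oc apply -f -`; stringData avoids hand-encoding base64."""
    lines = [
        "apiVersion: v1", "kind: Secret", "metadata:",
        f"  name: {name}", f"  namespace: {namespace}",
        "type: Opaque", "stringData:",
    ]
    # json.dumps gives a valid double-quoted YAML scalar, so secrets containing ':' or '#' survive.
    lines.extend(f"  {key}: {json.dumps(env[key])}" for key in REQUIRED_VARS)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import os
    import sys
    # Usage: curl -s "$AUTH_OIDC_METADATA_URL" | python3 check_rhdh_oidc.py | oc apply -f -
    values = {key: os.environ.get(key, "") for key in REQUIRED_VARS}
    found = check_settings(values, os.environ.get("KEYCLOAK_REALM", "master"), sys.stdin.read())
    for problem in found:
        print("problem:", problem, file=sys.stderr)
    if found:
        sys.exit(1)
    print(render_secret(values), end="")
```

The issuer comparison is the check that catches the ‘/auth’ mismatch: Keycloak reports its own issuer in the discovery document, and the OIDC provider in RHDH validates tokens against that issuer, so the base URL you configure for the catalog provider has to agree with it.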
Next, apply the rhdh-custom-appconfig ConfigMap in order to set the configuration for RHDH. Make sure to replace <rhdh-route-name> with the route hostname used to access the RHDH instance (it can also be supplied as an environment variable):
kind: ConfigMap
apiVersion: v1
metadata:
  name: rhdh-custom-appconfig
  namespace: rhdh-operator
data:
  app-config.yaml: |
    app:
      baseUrl: 'https://<rhdh-route-name>'
    backend:
      baseUrl: 'https://<rhdh-route-name>'
      listen:
        port: 7007
        host: 0.0.0.0
    catalog:
      providers:
        # Imports Keycloak users and groups into the RHDH catalog
        keycloakOrg:
          default:
            baseUrl: ${AUTH_OIDC_BASE_URL}
            username: ${KEYCLOAK_USER}
            password: ${KEYCLOAK_PASSWORD}
            realm: master
            loginRealm: master
            schedule:
              frequency: { minutes: 1 }
              timeout: { minutes: 1 }
              initialDelay: { seconds: 15 }
    auth:
      environment: production
      session:
        # placeholder value for this test setup
        secret: mysecret
      providers:
        oidc:
          production:
            metadataUrl: ${AUTH_OIDC_METADATA_URL}
            clientId: ${AUTH_OIDC_CLIENT_ID}
            clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
            prompt: auto
    signInPage: oidc
Configure the RHDH instance to use the ConfigMaps created above:
apiVersion: rhdh.redhat.com/v1alpha3
kind: Backstage
metadata:
  name: developer-hub
  namespace: rhdh-operator
spec:
  application:
    appConfig:
      configMaps:
        - name: rhdh-custom-appconfig
      mountPath: /opt/app-root/src
    dynamicPluginsConfigMapName: dynamic-plugins-rhdh
    extraFiles:
      mountPath: /opt/app-root/src
    replicas: 1
    route:
      enabled: true
  database:
    enableLocalDb: true
After applying the configuration, make sure that users from Keycloak are synchronized successfully into RHDH. The following log lines should appear in the Backstage pod -
{"class":"KeycloakOrgEntityProvider","level":"\u001b[32minfo\u001b[39m","message":"Reading Keycloak users and groups","plugin":"catalog","service":"backstage","span_id":"527b7947f7fb8a70","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"0a404298-4674-4d24-ad37-a0fce2f0f855","timestamp":"2024-12-30 15:06:02","trace_flags":"01","trace_id":"3045ad2b4e01b3135a182e480c67fa30"}
{"class":"KeycloakOrgEntityProvider","level":"\u001b[32minfo\u001b[39m","message":"Read 2 Keycloak users and 0 Keycloak groups in 0.1 seconds.
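Reading the coloured JSON lines by eye works for a first run, but when the sync is scheduled every minute it is easier to let a script confirm that the provider actually finished a refresh and imported users. The script below is an added example and is not part of the article or of RHDH: it parses Backstage JSON log lines, strips the ANSI colour codes from the level field, tolerates lines that the pod log cut off, and reports the last user and group counts together with any error the provider logged. The log lines in SAMPLE_LOG and SAMPLE_LOG_FAILED are constructed to resemble the output above, and the deployment name in the usage comment is an assumption.

```python
import json
import re
import sys

ANSI = re.compile(r"\x1b\[[0-9;]*m")      # Backstage wraps the level in colour codes: "\u001b[32minfo\u001b[39m"
READ_MSG = re.compile(r"Read (\d+) Keycloak users and (\d+) Keycloak groups")
PROVIDER = "KeycloakOrgEntityProvider"

# Constructed sample modelled on the lines above: a start record, a complete result
# record, a record cut off mid-line as pod logs sometimes show, and an unrelated line.
SAMPLE_LOG = r'''
{"class":"KeycloakOrgEntityProvider","level":"\u001b[32minfo\u001b[39m","message":"Reading Keycloak users and groups","plugin":"catalog","service":"backstage"}
{"class":"KeycloakOrgEntityProvider","level":"\u001b[32minfo\u001b[39m","message":"Read 2 Keycloak users and 0 Keycloak groups in 0.1 seconds.","plugin":"catalog","service":"backstage"}
{"class":"KeycloakOrgEntityProvider","level":"\u001b[32minfo\u001b[39m","message":"Read 2 Keycloak users and 0
{"level":"\u001b[32minfo\u001b[39m","message":"Listening on :7007","service":"backstage"}
'''

# Constructed failure sample: the provider logged an error and never reported a count.
SAMPLE_LOG_FAILED = r'''
{"class":"KeycloakOrgEntityProvider","level":"\u001b[32minfo\u001b[39m","message":"Reading Keycloak users and groups","plugin":"catalog","service":"backstage"}
{"class":"KeycloakOrgEntityProvider","level":"\u001b[31merror\u001b[39m","message":"Request failed with status code 401","plugin":"catalog","service":"backstage"}
'''


def parse_record(line):
    """Decode one JSON log line; return None for cut-off or non-JSON lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    if isinstance(rec.get("level"), str):
        rec["level"] = ANSI.sub("", rec["level"])   # "\x1b[32minfo\x1b[39m" -> "info"
    return rec


def summarize_sync(lines):
    """Collect what the Keycloak provider reported across the given log lines."""
    summary = {"runs": 0, "users": None, "groups": None, "errors": [], "unparsed": 0}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if rec.get("class") != PROVIDER:
            continue
        message = rec.get("message", "")
        if rec.get("level") == "error":
            summary["errors"].append(message)
        match = READ_MSG.search(message)
        if match:
            summary["runs"] += 1          # one completed refresh of the provider
            summary["users"], summary["groups"] = int(match.group(1)), int(match.group(2))
    return summary


def sync_ok(summary):
    """True when a refresh finished, the provider logged no errors, and at least one user came in."""
    return summary["runs"] > 0 and not summary["errors"] and summary["users"] > 0


if __name__ == "__main__":
    # Usage (deployment name assumed):
    #   oc logs deployment/backstage-developer-hub -n rhdh-operator | python3 check_keycloak_sync.py
    result = summarize_sync(sys.stdin)
    print(json.dumps(result, indent=2))
    sys.exit(0 if sync_ok(result) else 1)
```

A refresh that completes with zero users is reported as a failure on purpose: it usually means the realm name or the KEYCLOAK_USER credentials point at a realm with no visible users, which the sign-in flow will only reveal later as an unknown-user error.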
The Result
After everything is configured, navigate to the RHDH instance and follow the authentication instructions -
Conclusion
In this blog you configured Keycloak as an identity provider for RHDH. The platform can now be used to test your components, plugins and templates! Please follow the official documentation for additional configurations and integrations for RHDH.