Issue
I have a Spring Boot app that uses Keycloak for auth.
On deployment, all services, including the app, Keycloak and the db, are started by a single docker-compose --profile=prod up
where an external configuration is passed.
Up to here, everything works as expected.
However, the Keycloak client "Access Type" currently is public, and should be changed to confidential. Then a secret needs to be passed with the requests. This can be obtained from Client -> Credentials, where the secret string can be copied or regenerated.
This string can then be copied into the application.yml or application.properties of the Spring Boot app, as below, and everything works as expected.
keycloak:
  auth-server-url: http://localhost:8080/auth
  realm: qwerty
  resource: login-app
  ssl-required: external
  bearer-only: true
  use-resource-role-mappings: true
  credentials:
    secret: FyQjmAJclqqcLD22szwca1aEskSpqUPr
However, this requires starting the Keycloak service first, then getting the secret, then copying it into the source code of the app, building the app, and starting it.
So this breaks the "one click" deployment that is done in docker-compose...
From what I saw, you can't have a predefined string for the secret and pass it on the realm when importing the configuration or something.
Am I missing something? What would you suggest?
Solution
After some time we found the answer; we realized it's possible to provision the secret in the realm export JSON. It is as below:
"id": "sad978adsf6sdfadfs",
"clientId": "app",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "someverysecret",
"redirectUris": [
  "*"
],
Whole process
- Set a secret
- Export the realm; the secret will be hidden like
"secret": "*********",
- Replace the **** with your specified secret, e.g. someverysecret
- Re-provision the realm. Now in the Keycloak admin screen the value will be "someverysecret", which will be grayed out
Answered By - thahgr
Answer Checked By - Clifford M. (JavaFixing Volunteer)
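The step of replacing the masked "****" secret in the realm export is easy to get wrong by hand, and it tempts you to commit the real secret into the JSON. The following added example (not part of the original question or answer, and not Keycloak's own tooling) patches an exported realm at deploy time, taking each confidential client's secret from an environment variable named KEYCLOAK_CLIENT_SECRET_<CLIENTID> (a naming convention assumed here), and refuses to continue if a masked secret has no value so a client never gets imported with a literal "****" secret. The sample realm is constructed to mirror the shape of a Keycloak export.

```python
import json
import os
import sys


def is_masked(secret) -> bool:
    """Keycloak exports write the client secret as a run of asterisks."""
    return isinstance(secret, str) and secret != "" and set(secret) == {"*"}


def env_var_for(client_id: str) -> str:
    """Assumed naming convention: KEYCLOAK_CLIENT_SECRET_<CLIENTID>, dashes to underscores."""
    return "KEYCLOAK_CLIENT_SECRET_" + client_id.upper().replace("-", "_")


def inject_client_secrets(realm: dict, env: dict) -> dict:
    """Return a copy of the realm with every masked confidential-client secret filled from env.

    Public clients and clients that already carry a real secret are left untouched.
    A masked secret with no matching variable is an error, never silently imported.
    """
    patched = json.loads(json.dumps(realm))  # deep copy; the caller's dict is not mutated
    for client in patched.get("clients", []):
        if client.get("publicClient", False):
            continue  # public clients have no secret
        if client.get("clientAuthenticatorType", "client-secret") != "client-secret":
            continue  # e.g. signed JWT authenticator, no shared secret to provision
        if "secret" in client and not is_masked(client["secret"]):
            continue  # already provisioned in the export
        var = env_var_for(client["clientId"])
        value = env.get(var)
        if not value:
            raise ValueError(f"client {client['clientId']!r}: set {var} before importing the realm")
        client["secret"] = value
    return patched


# Constructed sample: one confidential client with a masked secret, one public client.
SAMPLE_REALM = {
    "realm": "qwerty",
    "clients": [
        {"clientId": "login-app", "clientAuthenticatorType": "client-secret",
         "publicClient": False, "secret": "**********", "redirectUris": ["*"]},
        {"clientId": "account-console", "publicClient": True, "redirectUris": ["*"]},
    ],
}

if __name__ == "__main__":  # usage: patch_realm.py realm-export.json realm-import.json
    with open(sys.argv[1]) as f:
        realm = json.load(f)
    with open(sys.argv[2], "w") as f:
        json.dump(inject_client_secrets(realm, os.environ), f, indent=2)
```

Run it in the compose entrypoint before Keycloak's realm import, with the secret supplied via the environment or a secrets file rather than stored in the exported JSON.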