This SSO Demo uses four container instances:
- keycloak: the OAuth2 / OpenID Connect server instance
- db: the MySQL server instance for the Keycloak backend
- app1: simple web app
- app2: simple web app
```yaml
version: '2'
services:
  db:
    image: mysql
    environment:
      - MYSQL_DATABASE=keycloak
      - MYSQL_USER=keycloak
      - MYSQL_PASSWORD=password
      - MYSQL_ROOT_PASSWORD=root_password
    ports:
      - 3306:3306
  keycloak:
    image: jboss/keycloak
    environment:
      - KEYCLOAK_LOGLEVEL=DEBUG
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - DB_VENDOR=MYSQL
      - MYSQL_PORT_3306_TCP_ADDR=db
      - MYSQL_PORT_3306_TCP_PORT=3306
    links:
      - db:db
    ports:
      - 8080:8080
      - 9999:9990
      - 443:8443
    volumes:
      - ./data:/data
  app1:
    image: php:7.1-apache
    ports:
      - 8091:80
    volumes:
      - ./app1:/var/www/html
  app2:
    image: php:7.1-apache
    ports:
      - 8092:80
    volumes:
      - ./app2:/var/www/html
```
The user tries to access the user profile page on one of the web apps and is first redirected to the login page on the Keycloak server. Once the user is logged in there, no further authentication is required on the other web app.
Be sure that the Docker engine and docker-compose are installed:
- Install docker engine: https://docs.docker.com/engine/installation/
- Install docker-compose: https://docs.docker.com/compose/install/

Start the container instances:

```sh
bash doority.sh start
```
1. Log in to the Keycloak admin console on http://localhost:8080 with
   user: admin
   password: admin
   (This admin account, the demo user below and the MySQL passwords in docker-compose.yml are demo values for a local test only; change them for anything else.)
2. Create a new realm named `myrealm`.
3. Create a new client named `web-app1`. Add the app's URL (`http://localhost:8091/*`) to the client's Valid Redirect URIs, otherwise Keycloak refuses to redirect back to the app after login.
4. Repeat the operation to create another client named `web-app2` (redirect URI `http://localhost:8092/*`).
5. Create a user in the realm with
   user: demo
   password: demo
6. Update the client credentials in app1/app.js with the credentials of the created client:

   ```javascript
   //app1/app.js
   let keycloakConfig = {
     "realm": "myrealm",
     "auth-server-url": "http://127.0.0.1:8080/auth",
     "ssl-required": "external",
     "resource": "web-app1",
     "credentials": {
       "secret": "90d014fa-89bf-45b5-ab87-bcd8a9028c7f"
     },
     "confidential-port": 0,
     "clientId": "web-app1"
   };
   ```

   Note that this configuration is loaded by the browser, so the `secret` is visible to anyone who opens the page. It cannot protect anything; a browser-side client should be created with Access Type `public` in Keycloak, in which case no secret is needed.
7. Repeat the operation to update the credentials in app2.
8. Open the two web apps on
   http://localhost:8091/
   http://localhost:8092/
   Click on the link named "my account" on web-app1. The user should be redirected to the login page on the Keycloak server: http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/auth?client_id=web-app1&redirect_uri=http%3A%2F%2Flocalhost%3A8091%2Fme.html&state=228f9b01-2b83-446e-89ce-aac4bfba845e&nonce=82123d67-d176-403b-92aa-2303617d5183&response_mode=fragment&response_type=id_token%20token&scope=openid
   Log in with
   user: demo
   password: demo
   After login, the user profile page will be shown.
9. Click on the link named "my account" on web-app2. The user will NOT be redirected to the login page, because of the login on web-app1 in step 8.
To clean up the test instances:

```sh
bash doority.sh clean
```