1.5 minutes into the video I liked, 5 minutes into it I subscribed. And I don't usually leave comments, but this time I had to: Brilliant video with proper background study to it, thank you for the hard work and can't wait to investigate what else you have in the channel!
Complements on your great videos. I've been a subscriber for a while because you explain complicated topics quite well making it easy to implement for an average homelab hobbyist. Hopefully you get thousands more subscribers for all the good videos you make.
By the way, there is a noticeable increase of pace in how you communicate in the recent videos. Like when compare it even just few months back! Nice to see this.
Fantastic work as usual Jim! Have just got my lab set up with a decent DC, can bearly wait to deploy this to my apps and integrate it with LDAP. Highly apprecitate your work once again! :)
Great content, Jim! Just wanted to highlight, since you’re using Keyclock for SSO, the importance of creating the users in the OAuth2/OIDC server, leaving that to the clients with auto-user-creation option turned on makes your system less secure, particularly if one of your services got hacked.
This video covers cases where your varied apps all have native openid capabilities. Traefik also has the ability to use a key cloak 'forward auth' middleware to add authentication for ANY app. I’ve need struggling through that now. Your video is a great source for me to clean up my homeland docker settings though. Thank you
this is an awesome tutorial. One of the problems I am having is getting access to the users keycloak interface. For the admin account on the master realm, that super easy. but its not so straightforward in the documentation about how to access the users portal for setting up MFA, changin passwords, etc.
Thanks. I'm aiming to come back to keycloak in the near future and perhaps I can cover those items. I'm really interested in using hardware tokes for auth / zero trust.
Hey, I replicated your Keycloak setup and it seems that keycloak isn't using the postgres db. For example if you create a new client/realm/anything it doesn't write into the external db, but is instead using the internal h2 db. You can verify that by checking the internal db's under /opt/keycloak/data/h2/keycloakdb.mv.db. I got it working with the following env variables (Keycloak 22.0.3 and latest) : - KC_DB=postgres - KC_DB_URL_HOST=postgresql - KC_DB_URL_PORT=5432 #also exposing ports of the postgres db - might be optional - KC_DB_URL_DATABASE=keycloak - KC_DB_SCHEMA=public With the working external db you won't lose data with commands like "docker compose down". BTW Thank you for your great content. It helps a lot. :)
It's a great tool, although I feel that Authentik is probably going to be the sweet spot for most as it does the web proxy for applications that lack authentication.
Hi Jim, awesome content, I was reviewing the docker compose, and it was not working for me, however after reviewing it in detail, I was able to make it work by changing the service name in the docker compose from postgresql to postgres or changing the environment variable KC_DB_URL_HOST , since I had the error password FATAL: password authentication failed for user "keycloak" Again, as always great content.
I'm currently trying to decide between Authentik and Keycloak and this has helped, though I'm still unsure. But you've opened the door to me just playing around with them and seeing which one appeals to me most. Thanks!
Hi Jim, excellent video, just one detail, it's not good practice to use the realm master as a default, I know it's just an example, but it's always good practice to create a realm and leave the master to manage your keycloak ;)
Your videos are always well paced and i have followed a number of them. For a home labber I dont use traffic, I use cloudflare tunnels. Is there any chance you would do a tut on setting up keycloak from start to finish with cloudflare tunnles? I cant seem to find enough relevent information on the process.
@@Jims-Garage Thank you sir. I cant say im a fan of Cloudflare myself, the only reason i considered them because i found hosting my own reverse proxy led to many issues. I was using NGINXPM. I kind of saw cloudflare as the lesser of 2 evils in that i didnt have common ports opened on my firewall. But hey, its home labbing and for learning. If theres a better way, im all ears. Thanks for the work you put into your videos
@@chrisd1243 check out my Traefik video. Far better IMO, otherwise if you use a Cloudflare tunnel your data is unencrypted on Cloudflare's side (they can read everything).
What a brilliant video, thank you so much for that 😄 Do you plan a video for Keycloak 25.0.0? I Tried to update just with this docker files but I am then not able to log in anymore. With 22.0.3 and nginx it works just fine with these files.
Good explanation, thanks ! When do you plan to roll out the video referred in the last "Outro" section about integrating Keycloak with other identity providers like Google / Facebook / Azure ?
Hi Jim! Thank´s for the video.I´m trying to connect spring boot microservices with keycloak using an external rds db, not containerized. I actually can do with keycloak 16, but using 23 version can´t connect with that db. Do you know what could be the problem? I got some errors related with quarkus ...
To say that it's a tricky container is an understatement. Why can't it just start and throw any errors in the browser ? Instead you have to try like 100 different options, some of which work in "start" mode, some in "start-devel" mode, some require setting up some https certificates even if you want it to just sit behind traefik, etc. You have to inspect all the logs using docker / podman logs keycloak-server (or whatever your container is) and try to sort out the cryptic messages. And it's not even clear if the first time you have to spin up a custom container to "build" and create the required tables in the database. I wish it would just work 🙃. Authentik wasn't easy to set up, but keycloak is like 100 times worse so far. I keep getting "Bad Gateway" Error messages ...
@@Jims-GarageI'm still figuring out how to use it and for what I need it. Probably stupid misunderstandings on my part, but I'd just like 2FA with my Home Assistant using TOTP from Aegis app on my phone. And on my VPS I wanted to use Authentik + Netbird, since Tailscale/Headscale doesn't resolve DNS on Android (and tailscale "community" isn't interested in helping with Headscale) and I'm running into weird bugs with Zerotier/Headscale and Podman (there is some issues building/combining/reusing Docker/Podman "blobs"). All this convoluted trouble just because Home Assistant Companion App doesn't like custom Certificates so I need Letsencrypted signed Certificates and my Domain Name 😅. At least Netbird cloud DNS Resolution seems to work on android (not sure if it's that or the fact that the records correctly propagate to the root DNS Servers though).
Great content thanks for sharing it. Could you please share the proxmox user creation step details? (assigning the necessary permission to the user that you created)
Thank you for the video. I followed your guide but when i stop/remove the containers, all changes are gone. so there is nothing persistant stored in the DB! Help please!
Even with the pinned version it did work for me ... "Clients" menu had a javascript error Setting it to latest showed some config variables already deprecated and it would not start until these were corrected With those corrected now it was completely defunct with web interface showing "somethingWentWrong" "somethingWentDescription" and a "TryAgain" button Deleting the postgresql db data did nothing to correct the issue I think I'll (maybe) revisit KeyCloak in a couple of years when it's more mature... Authentik seems rockstable compared to this
@@Jims-Garage Ah, that's interesting (if somewhat convoluted). I'm using NginxProxyManager so I suppose I can ignore all that. Thanks for the explanation.
You're welcome. You'd need something that supports OIDC / OAuth2. I recommend checking out my Authentik video, that has a proxy for authentication so you can add it to any site (I think that is what you're after).
Followed your guide. When trying to sign into portainer getting "Failure Unauthorized".. tried creating user in portainer and also with Automatic user provisioning = ON. Nginx proxy configured to forward to my docker containers.
Great job ! Do you run Keycloak inside proxmox on a vm(running docker) or ct, or outside proxmox ? Cause if it’s hosted on proxmox and keycloak is not running, how do you log in to Proxmox using auth ?
nice. can you use this in/with Cloudflare Tunnels as the auth mechanism? I know Cloudflare Tunnels has some risk, but if you can get passed the fact they have sight into the data. For a lot of things in the lab it should be permissible. Secondly, I have 1 or 2 "production" workloads I need to move to my NAS server as that's the only server likely stay alive any given moment. After that I plan to nuke the lab and start over. Not sure if I will be on 3 nodes of Proxmox or if I want to tackle Harvester. Either way where should I start? Cloudflare, Keycloak, Traefik? you know outside-in, auth, and routing then spin up services to tinker with? Trying to come up with a bit of a ground zero run book of creating the lab, do A, B, C, then whatever tickets your fancy.
I don't know if it can be used with Cloudflare Tunnels. Essentially if the app uses OAuth2 it should be possible. I would play with harvester but I don't recommend it for a Homelab, it's too heavy. A Proxmox cluster is the right balance IMO. For general homelab Auth I recommend Authentik. It does everything that keycloak does plus it supports Auth proxy as many homelab apps don't use OAuth2
@@Jims-Garage yeah I started with Harvester maybe a little over a year ago when I only had one node. I liked how you can run rancher on harvester to control then Kube and VM within Harvester. Maybe I'll stick with Proxmox though. I don't know.
@@Jims-Garage yeah I have very little "need" if I am being honest. Just a couple of services that I "need" to keep alive. Now that I have my third node in the post... I don't know what Want to do with the "lab" portion of my home lab. I'm a cloud architect/engineer. And I feel that less and less of the lab is translating over to my career. Most of my day is spent in CDK building things in AWS. I'll have to do some re-evaluating. Maybe I trade out my dell r620s for a handful of Raspberry Pi XD.
@@Jims-Garage Got it. You were logged with admin account so you already had a validade token. Otherwise you would get the keycloak loggin page. Correct?
@Jims-Garage I went through the hassle of installing this just to read this comment 😅. Oh well, I learned how to get it up and running. Got everything set up if I ever need it. On to your Authentik video
I'm guessing that would fall under setting up WebAuthn in keycloak, it's usually what is used for fingerprint scanners and hardware keys for authentication
@@Jims-Garage As part of my project, I am trying to install Docker and Docker-Compose on my Raspberry Pi 3B+ to run Keycloak in a Docker environment. Unfortunately, I am facing several issues and cannot proceed further. 1. Docker was successfully installed Docker-Compose was installed using sudo pip3 install docker-compose. The Docker version is 19.03.15, and the Docker-Compose version is v2.11.2. 2. Attempting to use the jboss/keycloak Docker image failed because it is not available for the ARMv7 architecture of my Raspberry Pi: Error response from daemon: pull access denied for jboss/keycloak, repository does not exist or may require 'docker login': denied: requested access to the resource is denied Efforts to build a custom Docker image for Keycloak led to issues with GPG keys and missing packages, resulting in the image not building successfully:
I was saying to my partner today, about how good the channel was, but hoped Jim remembered he had a family because of the amount of video's he's been outputting.😀
Unfortunately you dove to much into the practical side of this in my opinion or you should update the description to clarify that you just want to configure and deploy keycloak. I am missing a lot of theoretical explanation of the internals of the things you configure and why..
Thanks, I appreciate the feedback. I think the description is accurate as it states it's deployment and configuration, and in the video I state that I'm only scratching the surface. It's difficult to cover everything in all videos as I've already covered elements of SSO, OAuth in Authelia (and subsequently Zitadel). I will be coming back to Keycloak in the future.
Agree, if you would explain all protocols and details, it would be a 12h video nobody would watch. Its better to focus on Keycloak, and maybe a different video on how modern auth methods work. Just my 2 cents
From the github docker-compose.yaml - Keycloak doesn't connect to Postgres - Issue raised on github - Service refences postgresql but KC_DB_URL_HOST=postgres
spent hours without beeing able to get keycloak running! Now it works. Thanks so much for your research and explanation!
You're welcome, glad it worked.
The iFrame is really what killed me for a bit now!
1.5 minutes into the video I liked, 5 minutes into it I subscribed. And I don't usually leave comments, but this time I had to:
Brilliant video with proper background study to it, thank you for the hard work and can't wait to investigate what else you have in the channel!
@@sylviaOreilly thank you, I really appreciate it
Thanks, It's a nice step by step guide to containerize keycloak and deployment altogether.
good video. 12'40", openid-connection does authentication only, it's built on oauth2 which takes care of authorization.
Complements on your great videos. I've been a subscriber for a while because you explain complicated topics quite well making it easy to implement for an average homelab hobbyist. Hopefully you get thousands more subscribers for all the good videos you make.
Thank you for your kind words, fingers crossed!
You read my mind 😃,,
That’s what I started to write 👌😀
@@crc_code thanks 👍
By the way, there is a noticeable increase of pace in how you communicate in the recent videos. Like when compare it even just few months back! Nice to see this.
Thanks. I like to think I've come a long way in a short span of time. All of this is new to me. Constantly looking to improve.
Can't wait to dive into this! You're on a roll recently. Keep it up. 3k next :)
Thanks, so much to cover! Just wish I had more spare evenings.
Fantastic work as usual Jim! Have just got my lab set up with a decent DC, can bearly wait to deploy this to my apps and integrate it with LDAP.
Highly apprecitate your work once again! :)
That sounds like a great project. It's worth checking out Authentik as well for those apps that do not support OIDC/OAuth etc
@@Jims-Garage will defo look into that as well in the future, ill surely check out your authentik one as well.
Great content, Jim!
Just wanted to highlight, since you’re using Keyclock for SSO, the importance of creating the users in the OAuth2/OIDC server, leaving that to the clients with auto-user-creation option turned on makes your system less secure, particularly if one of your services got hacked.
This video covers cases where your varied apps all have native openid capabilities.
Traefik also has the ability to use a key cloak 'forward auth' middleware to add authentication for ANY app.
I’ve need struggling through that now. Your video is a great source for me to clean up my homeland docker settings though.
Thank you
Thanks for sharing, I'll look into that.
Great explanation, especially for non native english persons like me.
Thanks 👍
this is an awesome tutorial. One of the problems I am having is getting access to the users keycloak interface. For the admin account on the master realm, that super easy. but its not so straightforward in the documentation about how to access the users portal for setting up MFA, changin passwords, etc.
Thanks. I'm aiming to come back to keycloak in the near future and perhaps I can cover those items. I'm really interested in using hardware tokes for auth / zero trust.
Great content, very clear explanation! Thanks a lot, Jim.
Thanks, you're welcome 😁
Hey, I replicated your Keycloak setup and it seems that keycloak isn't using the postgres db. For example if you create a new client/realm/anything it doesn't write into the external db, but is instead using the internal h2 db. You can verify that by checking the internal db's under /opt/keycloak/data/h2/keycloakdb.mv.db.
I got it working with the following env variables (Keycloak 22.0.3 and latest) :
- KC_DB=postgres
- KC_DB_URL_HOST=postgresql
- KC_DB_URL_PORT=5432 #also exposing ports of the postgres db - might be optional
- KC_DB_URL_DATABASE=keycloak
- KC_DB_SCHEMA=public
With the working external db you won't lose data with commands like "docker compose down".
BTW Thank you for your great content. It helps a lot. :)
Not heard of this before. Nice video, not sure I'm going to try it, but still enjoyed it
It's a great tool, although I feel that Authentik is probably going to be the sweet spot for most as it does the web proxy for applications that lack authentication.
Thanks for your video! It helped me very much :)
You're welcome!
Hi Jim, awesome content, I was reviewing the docker compose, and it was not working for me, however after reviewing it in detail, I was able to make it work by changing the service name in the docker compose from postgresql to postgres or changing the environment variable KC_DB_URL_HOST , since I had the error password
FATAL: password authentication failed for user "keycloak"
Again, as always great content.
Thanks 👍
Hello Jims, really enjoyed your video. Please create a video for keycloak and kibana integration.
Thanks, I'll consider it for a follow up
Thank you! Very nice
Glad you enjoyed it ☺️
I'm currently trying to decide between Authentik and Keycloak and this has helped, though I'm still unsure. But you've opened the door to me just playing around with them and seeing which one appeals to me most. Thanks!
I think Authentik is the right balance for a homelab.
Hi Jim, excellent video, just one detail, it's not good practice to use the realm master as a default, I know it's just an example, but it's always good practice to create a realm and leave the master to manage your keycloak ;)
Thanks, agreed. I believe I do mention that at the start but perhaps a case of practice what you preach.
Köszönjük!
Very kind, thank you for the donation!
Jolly Good Show!
Your videos are always well paced and i have followed a number of them. For a home labber I dont use traffic, I use cloudflare tunnels. Is there any chance you would do a tut on setting up keycloak from start to finish with cloudflare tunnles? I cant seem to find enough relevent information on the process.
Thanks, I'll consider it although I'm not a fan of Cloudflare Tunnels due to privacy.
@@Jims-Garage Thank you sir. I cant say im a fan of Cloudflare myself, the only reason i considered them because i found hosting my own reverse proxy led to many issues. I was using NGINXPM. I kind of saw cloudflare as the lesser of 2 evils in that i didnt have common ports opened on my firewall. But hey, its home labbing and for learning. If theres a better way, im all ears. Thanks for the work you put into your videos
@@chrisd1243 check out my Traefik video. Far better IMO, otherwise if you use a Cloudflare tunnel your data is unencrypted on Cloudflare's side (they can read everything).
Great Video.....Good work.
Thanks, Louis.
What a brilliant video, thank you so much for that 😄 Do you plan a video for Keycloak 25.0.0? I Tried to update just with this docker files but I am then not able to log in anymore. With 22.0.3 and nginx it works just fine with these files.
Thanks! I'll try to update in the near future, becomes increasingly difficult as I cover more content!
@@Jims-Garage perfect, then I'm already looking forward to it 👍
Thanks
You're welcome.
Good explanation, thanks ! When do you plan to roll out the video referred in the last "Outro" section about integrating Keycloak with other identity providers like Google / Facebook / Azure ?
Soon, I keep being sidetracked...
Super, can't wait !!!
Hi Jim! Thank´s for the video.I´m trying to connect spring boot microservices with keycloak using an external rds db, not containerized. I actually can do with keycloak 16, but using 23 version can´t connect with that db. Do you know what could be the problem? I got some errors related with quarkus ...
I'm not sure. Perhaps requires an encrypted connection? I'm not familiar with the differences between the versions.
To say that it's a tricky container is an understatement. Why can't it just start and throw any errors in the browser ? Instead you have to try like 100 different options, some of which work in "start" mode, some in "start-devel" mode, some require setting up some https certificates even if you want it to just sit behind traefik, etc. You have to inspect all the logs using docker / podman logs keycloak-server (or whatever your container is) and try to sort out the cryptic messages. And it's not even clear if the first time you have to spin up a custom container to "build" and create the required tables in the database. I wish it would just work 🙃. Authentik wasn't easy to set up, but keycloak is like 100 times worse so far. I keep getting "Bad Gateway" Error messages ...
If it helps, I Authentik in my lab. It's the best choice IMO as it supports non-oauth apps.
@@Jims-GarageI'm still figuring out how to use it and for what I need it. Probably stupid misunderstandings on my part, but I'd just like 2FA with my Home Assistant using TOTP from Aegis app on my phone. And on my VPS I wanted to use Authentik + Netbird, since Tailscale/Headscale doesn't resolve DNS on Android (and tailscale "community" isn't interested in helping with Headscale) and I'm running into weird bugs with Zerotier/Headscale and Podman (there is some issues building/combining/reusing Docker/Podman "blobs"). All this convoluted trouble just because Home Assistant Companion App doesn't like custom Certificates so I need Letsencrypted signed Certificates and my Domain Name 😅. At least Netbird cloud DNS Resolution seems to work on android (not sure if it's that or the fact that the records correctly propagate to the root DNS Servers though).
Great content thanks for sharing it. Could you please share the proxmox user creation step details? (assigning the necessary permission to the user that you created)
Thank you for the video. I followed your guide but when i stop/remove the containers, all changes are gone. so there is nothing persistant stored in the DB! Help please!
Even with the pinned version it did work for me ... "Clients" menu had a javascript error
Setting it to latest showed some config variables already deprecated and it would not start until these were corrected
With those corrected now it was completely defunct with web interface showing "somethingWentWrong" "somethingWentDescription" and a "TryAgain" button
Deleting the postgresql db data did nothing to correct the issue
I think I'll (maybe) revisit KeyCloak in a couple of years when it's more mature... Authentik seems rockstable compared to this
What are the labels in the Docker Compose for?
Treafik, to run through a reverse proxy.
@@Jims-GarageI’m not too familiar with Docker Compose. How does it get picked up by Traefik?
@cakerer Traefik is dynamic. It listens for container labels and automatically routes traffic
@@Jims-Garage Ah, that's interesting (if somewhat convoluted). I'm using NginxProxyManager so I suppose I can ignore all that. Thanks for the explanation.
Thanks Jim, It's awesome this video. How can we connect Keycloak to a personal website with php?
You're welcome. You'd need something that supports OIDC / OAuth2. I recommend checking out my Authentik video, that has a proxy for authentication so you can add it to any site (I think that is what you're after).
Followed your guide. When trying to sign into portainer getting "Failure
Unauthorized".. tried creating user in portainer and also with Automatic user provisioning = ON. Nginx proxy configured to forward to my docker containers.
I haven't tested with nginx but there's no reason it shouldn't work. Double check all of the OIDC settings. Make sure to check scope and profile.
Hey Jim, how do you get this to work in a cluster? I setup it on one node but it doesn't work on the other nodes.
@@Julian-lv6ph what kind of cluster? Normally you have a loadbalancer with an IP
@@Jims-Garage Sorry its a Proxmox cluster, I cant access other nodes
Thanks for the video. Recently, i build the yml file, but it says external proxy network doesn't exist. What can do here?
It expects Traefik to be available on a network called proxy. You can use a different proxy if you like.
Great video!
Does Keycloak support SCIM 2.0?
Not natively (I don't think), but there's third party support github.com/Captain-P-Goldfish/scim-for-keycloak
I get Oauth authorisation failure... :? the dns entries are there in pihole and both keycloak and portainer are on the same docker host with traefik.
could you explain how OAuth work with immich?
thanks!!
Check here: immich.app/docs/administration/oauth/ it should be very similar to my Portainer example
Could you do review on sandfly security? It had free license for 50 linux device and i think it's good for homelab linux
Thanks, I'll take a look at it.
Great job ! Do you run Keycloak inside proxmox on a vm(running docker) or ct, or outside proxmox ?
Cause if it’s hosted on proxmox and keycloak is not running, how do you log in to Proxmox using auth ?
api's connect differently than regular users.
You can always fall back to standard PAM login (the default). I'm currently running in Kubernetes so it helps with this problem.
Indeed. Thank you for these fantastic videos !
Could you explain how to use keycloak to secure a web application that has no login? How can I make a login for an app?
You can't, it's only for oidc/oauth. You should use Authentik or Authelia in those instances.
nice. can you use this in/with Cloudflare Tunnels as the auth mechanism? I know Cloudflare Tunnels has some risk, but if you can get passed the fact they have sight into the data. For a lot of things in the lab it should be permissible.
Secondly, I have 1 or 2 "production" workloads I need to move to my NAS server as that's the only server likely stay alive any given moment. After that I plan to nuke the lab and start over. Not sure if I will be on 3 nodes of Proxmox or if I want to tackle Harvester. Either way where should I start?
Cloudflare, Keycloak, Traefik? you know outside-in, auth, and routing then spin up services to tinker with? Trying to come up with a bit of a ground zero run book of creating the lab, do A, B, C, then whatever tickets your fancy.
I don't know if it can be used with Cloudflare Tunnels. Essentially if the app uses OAuth2 it should be possible.
I would play with harvester but I don't recommend it for a Homelab, it's too heavy. A Proxmox cluster is the right balance IMO.
For general homelab Auth I recommend Authentik. It does everything that keycloak does plus it supports Auth proxy as many homelab apps don't use OAuth2
@@Jims-Garage yeah I started with Harvester maybe a little over a year ago when I only had one node. I liked how you can run rancher on harvester to control then Kube and VM within Harvester.
Maybe I'll stick with Proxmox though. I don't know.
@@JohnWeland it's definitely a great tool to learn and if it works for you then use it.
@@Jims-Garage yeah I have very little "need" if I am being honest. Just a couple of services that I "need" to keep alive. Now that I have my third node in the post... I don't know what Want to do with the "lab" portion of my home lab.
I'm a cloud architect/engineer. And I feel that less and less of the lab is translating over to my career. Most of my day is spent in CDK building things in AWS. I'll have to do some re-evaluating. Maybe I trade out my dell r620s for a handful of Raspberry Pi XD.
Not quite grasping from your compose file how traefik is managing SSL certificates.
Check my Traefik video out, that should explain things. Videos are kind of in order.
@@Jims-Garage Oh great. I didn’t even think to check, probably because I’m so burnt out trying to get keycloak to work
Casdoor is another modern open source solution for IAM
Thanks, I'll take a look
Key cloak feels kinda old and casdoor seems to be the new kid on the block. The UI is definitely prettier 😍
@@SatinderSingh71 check out my Zitadel video. That's pretty awesome and new as well
Any plans on casdoor video? Great video on zitadel too
@@SatinderSingh71 I do plan to come back to it in the future (not sure when)
Where did you get the endpoints from
They're in the official documentation (if you're referring to keycloak).
How did keycloak know that was Jim that was logging in for the first time you logged in your applications ?
Do you have a timestamp? Likely because I'm already logged into keycloak with that account.
Do you have a timestamp? Likely because I'm already logged into keycloak with that account.
@@Jims-Garage Got it. You were logged with admin account so you already had a validade token. Otherwise you would get the keycloak loggin page. Correct?
@@fabiano9714 yes, that's correct
could we just use keycloak like Authelia or Authentik? it look great an the idea begin its just Awesome!! mora of Keycloak please.
It's great for oidc/OAuth2, but doesn't have a proxy like Authentik. IMO Authentik is the best choice for a homelab.
@Jims-Garage I went through the hassle of installing this just to read this comment 😅. Oh well, I learned how to get it up and running. Got everything set up if I ever need it. On to your Authentik video
how would you enable am existing logon "bind" to a yubikey with an x.509 cert
?
Good question, I don't know. It's certainly something I want to look into though.
I'm guessing that would fall under setting up WebAuthn in keycloak, it's usually what is used for fingerprint scanners and hardware keys for authentication
I cant get it running in a docker-compose. Dont know what to do. 😢
@@rugu1100 what errors?
@@Jims-Garage As part of my project, I am trying to install Docker and Docker-Compose on my Raspberry Pi 3B+ to run Keycloak in a Docker environment. Unfortunately, I am facing several issues and cannot proceed further.
1.
Docker was successfully installed
Docker-Compose was installed using sudo pip3 install docker-compose.
The Docker version is 19.03.15, and the Docker-Compose version is v2.11.2.
2.
Attempting to use the jboss/keycloak Docker image failed because it is not available for the ARMv7 architecture of my Raspberry Pi:
Error response from daemon: pull access denied for jboss/keycloak, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Efforts to build a custom Docker image for Keycloak led to issues with GPG keys and missing packages, resulting in the image not building successfully:
@@rugu1100 try Authentik or zitadel, they might have a RPI image
@@Jims-Garage Thanks for you help, I will try.
SSO is fine, but what if someone gets access to my desktop?
Agreed, it's a convenience Vs security trade-off. Best thing is SSO with multifactor authentication.
The Documentation is weird as fu :D - Authentik has a better doc. But I'm also a lover of keycloack
Slow down Jimbo. Video almost every day?
Sorry 😂
I wont complain because im loving the content. Just dont burn out.
I was saying to my partner today, about how good the channel was, but hoped Jim remembered he had a family because of the amount of video's he's been outputting.😀
@@try-that most of these videos are filmed between 10pm and 2am! Always family first!
@@Jims-Garage If only I could do that sort day now, old age has caught up with me🥱
A like an American ride like an Italian? What does this mean😢 edit: evidently im blind and only saw the a in eat
Ha, it's a cycling joke. Eat junk food and ride well
@@Jims-Garage lol
british ai kurwa
Unfortunately you dove to much into the practical side of this in my opinion or you should update the description to clarify that you just want to configure and deploy keycloak. I am missing a lot of theoretical explanation of the internals of the things you configure and why..
Thanks, I appreciate the feedback. I think the description is accurate as it states it's deployment and configuration, and in the video I state that I'm only scratching the surface. It's difficult to cover everything in all videos as I've already covered elements of SSO, OAuth in Authelia (and subsequently Zitadel). I will be coming back to Keycloak in the future.
Agree, if you would explain all protocols and details, it would be a 12h video nobody would watch. Its better to focus on Keycloak, and maybe a different video on how modern auth methods work. Just my 2 cents
From the github docker-compose.yaml - Keycloak doesn't connect to Postgres - Issue raised on github -
Service refences postgresql but KC_DB_URL_HOST=postgres
Try adding the port. postgres:port
@@Jims-Garage As in
postgresql:
expose:
- 5432
I'd tried that
My Keycloak Vars:
environment:
- KC_PROXY_ADDRESS_FORWARDING=true
- KC_HOSTNAME_STRICT=false
- KC_HOSTNAME=keycloak.####.####
- KC_PROXY=edge
- KC_HTTP_ENABLED=true
- KC_DB=postgres
- KC_DB_USERNAME=keycloak
- KC_DB_PASSWORD=SUPERsecret
- KC_DB_URL_HOST=postgresql
- KC_DB_URL_PORT=5432
- KC_DB_URL_DATABASE=keycloak
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=password
- KC_DB_URL_HOST=postgresql
@radiofisik thanks man! I had the same issue and adding the ql fixed it.