Enabling single sign-on with Google for Keycloak client applications.
To enable Single Sign-On (SSO) with Google for Keycloak client applications, we'll use resources from the Keycloak provider in Pulumi. Specifically, we'll use the `keycloak.Realm` and `keycloak.IdentityProvider` resources to integrate Google as an identity provider within a realm in Keycloak. The steps to achieve this are as follows:
- Create a Keycloak realm: A realm in Keycloak is a space that is isolated from other realms; it can be thought of as a workspace. It acts as the domain for your users, roles, clients, and other settings.
- Configure Google as an identity provider: We'll add Google as an identity provider to the realm created in the previous step. This step configures the connection between Keycloak and Google that enables SSO.
Here's how the Pulumi TypeScript code would look:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

// Read the Google credentials from Pulumi config as secrets so they never sit in source.
// Set them with `pulumi config set --secret googleClientId ...` and
// `pulumi config set --secret googleClientSecret ...`.
const config = new pulumi.Config();
const googleClientId = config.requireSecret("googleClientId");
const googleClientSecret = config.requireSecret("googleClientSecret");

// Step 1: Create a new Keycloak realm.
const realm = new keycloak.Realm("my-realm", {
    realm: "example-realm",
    enabled: true,
    displayName: "Example Realm",
    // Configure other realm settings as needed
});

// Step 2: Add Google as an identity provider to the realm.
const googleIdentityProvider = new keycloak.IdentityProvider("google", {
    realm: realm.realm,
    alias: "google",
    providerId: "google",
    enabled: true,
    // Credentials obtained from the Google Developer Console
    config: {
        clientId: googleClientId,
        clientSecret: googleClientSecret,
        // Replace <KEYCLOAK_DOMAIN> with the host of your Keycloak instance. The same URI
        // must be registered as an authorized redirect URI in the Google Developer Console.
        redirectUri: pulumi.interpolate`https://<KEYCLOAK_DOMAIN>/auth/realms/${realm.realm}/broker/google/endpoint`,
    },
});

// Export the realm name and the identity-provider alias. Users sign in with Google
// from the realm's login page, where the provider is listed under this alias.
export const realmName = realm.realm;
export const googleIdpAlias = googleIdentityProvider.alias;
```
Explanation
- The `keycloak.Realm` resource is instantiated to create a new realm in Keycloak. The name of the realm, in this case, is "example-realm". Ensure that the `enabled` property is set to `true` to make the realm active.
- The `keycloak.IdentityProvider` resource is used to define the external identity provider, in this case Google.
  - The `alias` is a simple, human-readable identifier for this identity provider and is used in the URL that directs users to the identity provider. `providerId` specifies that we are using Google as the identity provider.
  - The `enabled` flag is set to `true` to enable this identity provider.
  - The `config` map includes the `clientId` and `clientSecret` you obtain from the Google Developer Console.
  - The `redirectUri` must match the URI you have set in the Google Developer Console for your Keycloak application.
Replace the placeholder Google client ID and client secret with the actual credentials provided by Google, and ensure the `redirectUri` reflects your Keycloak instance's configuration and the realm you have created.

The above Pulumi program integrates Google as an SSO identity provider within a Keycloak realm. Users will be able to authenticate to the Keycloak client applications through their Google accounts, enjoying a seamless SSO experience. Please be aware that storing secrets directly in code is not recommended. Instead, use Pulumi secrets management or another secure way of providing the `clientSecret`.

As always, ensure you have the Keycloak provider configured for Pulumi. You'll also need access to your Keycloak server to retrieve and configure these values. And remember, this is a simplified example: you will need to configure Google's OAuth consent screen and retrieve the client ID and client secret from the Google Developer Console to use Google as an identity provider.
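As an added example (not part of the original page or the Pulumi Keycloak provider), the following TypeScript helper checks the raw settings before they are passed to `keycloak.IdentityProvider`: that the credentials are not still placeholders, that the redirect URI uses HTTPS, and that it matches the broker endpoint Keycloak exposes for the realm and alias. The `GoogleIdpSettings` type, the two functions and the sample values are constructed for this example.

```typescript
// Added example: pre-deploy sanity checks for the Google identity-provider settings,
// run on plain strings before they are handed to keycloak.IdentityProvider.
// GoogleIdpSettings, expectedRedirectUri and validateGoogleIdpConfig are names
// constructed for this example, not part of the Pulumi Keycloak provider.

interface GoogleIdpSettings {
    keycloakDomain: string; // host of the Keycloak instance, e.g. "sso.example.com"
    realm: string;          // realm name, e.g. "example-realm"
    alias: string;          // identity-provider alias, e.g. "google"
    clientId: string;
    clientSecret: string;
    redirectUri: string;    // the URI registered in the Google Developer Console
}

// Template values that must never reach a real deployment.
const PLACEHOLDERS = new Set(["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", ""]);

// The broker endpoint Keycloak expects Google to redirect back to. The "/auth"
// prefix belongs to the older WildFly-based distributions; Quarkus-based
// distributions (Keycloak 17 and later) serve /realms/... without it by default.
function expectedRedirectUri(s: GoogleIdpSettings, legacyAuthPrefix: boolean): string {
    const prefix = legacyAuthPrefix ? "/auth" : "";
    return `https://${s.keycloakDomain}${prefix}/realms/${s.realm}/broker/${s.alias}/endpoint`;
}

// Returns the problems found; an empty list means the settings look sane.
function validateGoogleIdpConfig(s: GoogleIdpSettings): string[] {
    const problems: string[] = [];
    if (PLACEHOLDERS.has(s.clientId)) problems.push("clientId is still a placeholder");
    if (PLACEHOLDERS.has(s.clientSecret)) problems.push("clientSecret is still a placeholder");
    if (!s.redirectUri.startsWith("https://")) problems.push("redirectUri must use https");
    const matches = s.redirectUri === expectedRedirectUri(s, true)
        || s.redirectUri === expectedRedirectUri(s, false);
    if (!matches) {
        problems.push(`redirectUri does not match the broker endpoint for realm "${s.realm}" and alias "${s.alias}"`);
    }
    return problems;
}

// Constructed sample settings for a stand-alone run (the secret is still a placeholder).
const sample: GoogleIdpSettings = {
    keycloakDomain: "sso.example.com",
    realm: "example-realm",
    alias: "google",
    clientId: "1234567890-abc.apps.googleusercontent.com",
    clientSecret: "GOOGLE_CLIENT_SECRET",
    redirectUri: "https://sso.example.com/auth/realms/example-realm/broker/google/endpoint",
};
console.log(validateGoogleIdpConfig(sample));
```

Running the check against the real config values before `pulumi up` catches the two most common causes of a failing Google login: a leftover placeholder secret and a redirect URI that does not match what Google has on file.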