Linking Keycloak-managed user accounts with Google identities.
To link Keycloak-managed user accounts with Google identities, we will use the `keycloak.oidc.GoogleIdentityProvider` resource from the Pulumi Keycloak provider. This resource configures Keycloak to use Google as an Identity Provider (IdP) for user authentication: it creates a Google Identity Provider within a Keycloak realm and sets the client ID and client secret you receive from the Google API Console when you register an OAuth application there.

Precisely, we'll perform the following steps:

- Create a new `GoogleIdentityProvider` within a Keycloak realm.
- Configure the IdP with the necessary details, namely the `clientId` and `clientSecret` of the Google OAuth client.
- Enable the provider so that Google appears as a login option. The Google provider speaks OpenID Connect (OIDC) to Google; nothing extra has to be switched on for that.
- Define the scopes and additional settings, such as the sync mode and whether the email claim is trusted, according to your needs.

When users attempt to log in to an application that relies on Keycloak for authentication, they can choose to authenticate via Google. The first time a given Google identity is seen, Keycloak runs its first-broker-login flow: if a Keycloak account with the same email address already exists, the user is asked to confirm the link and to prove control of that account (by email verification or by re-authenticating with the existing credentials) before the two are linked; if no such account exists, a new Keycloak account is created. On later logins the Google identity is matched by its stable subject identifier rather than by email, and the user is authenticated into the application with the linked Keycloak account.
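The decision just described, as an added example that is neither part of the original page nor Keycloak's own code: a simplified TypeScript model of what happens when a brokered Google identity arrives, showing why matching by email is only safe with a provider that verifies addresses and what `trustEmail` and `hostedDomain` change. The user store, the scenario data and the `autoLinkByEmail` switch (standing in for an optional first-login authenticator that links without proof of ownership) are constructed for illustration; the model does not read any Keycloak or Pulumi state.

```typescript
// Added example, not code from the page or from Keycloak: a simplified model of the
// decision Keycloak's first-broker-login flow makes when a Google identity arrives.
// The user store, names and the `autoLinkByEmail` setting are constructed for illustration.

export interface FederatedIdentity {
  provider: string;  // Keycloak IdP alias, "google" for the Google provider
  subject: string;   // the IdP's stable user id (the OIDC `sub` claim)
}

export interface KeycloakUser {
  username: string;
  email: string;
  emailVerified: boolean;
  federatedIdentities: FederatedIdentity[];
}

export interface BrokeredIdentity extends FederatedIdentity {
  email: string;
  hostedDomain?: string; // Google's `hd` claim, present only for Workspace accounts
}

export interface IdpPolicy {
  trustEmail: boolean;       // mirrors the resource's trustEmail setting
  hostedDomain?: string;     // mirrors the resource's hostedDomain setting
  autoLinkByEmail: boolean;  // assumption: link to an existing account without proof of ownership
}

export type Outcome =
  | { action: "login"; username: string }
  | { action: "link"; username: string; proofRequired: boolean }
  | { action: "create"; username: string; emailVerified: boolean }
  | { action: "reject"; reason: string };

const normalizeEmail = (email: string): string => email.trim().toLowerCase();

export function brokerLogin(users: KeycloakUser[], policy: IdpPolicy, identity: BrokeredIdentity): Outcome {
  // 1. Restrict logins to one Workspace domain when hostedDomain is configured.
  if (policy.hostedDomain !== undefined && identity.hostedDomain !== policy.hostedDomain) {
    return { action: "reject", reason: `hd claim '${identity.hostedDomain ?? ""}' is not '${policy.hostedDomain}'` };
  }
  // 2. A subject that is already linked just logs in. Email is not consulted here, so a
  //    changed Google address cannot redirect the login to a different Keycloak account.
  const linked = users.find(u =>
    u.federatedIdentities.some(f => f.provider === identity.provider && f.subject === identity.subject));
  if (linked !== undefined) {
    return { action: "login", username: linked.username };
  }
  // 3. Unknown subject: look for an existing local account with the same email address.
  const email = normalizeEmail(identity.email);
  const existing = users.find(u => normalizeEmail(u.email) === email);
  if (existing !== undefined) {
    // Linking by email is an account-takeover path if the IdP does not verify addresses.
    // Without auto-linking the user must first prove control of the existing account.
    return { action: "link", username: existing.username, proofRequired: !policy.autoLinkByEmail };
  }
  // 4. No match at all: create a new user. With trustEmail the address is marked verified
  //    immediately; otherwise a realm that requires verification asks the user to verify it.
  return { action: "create", username: email, emailVerified: policy.trustEmail };
}

// Constructed user store for the scenarios below.
export const sampleUsers: KeycloakUser[] = [
  { username: "alice", email: "Alice@Example.com", emailVerified: true,
    federatedIdentities: [{ provider: "google", subject: "g-111" }] },
  { username: "bob", email: "bob@example.com", emailVerified: true, federatedIdentities: [] },
];

export interface Scenarios {
  alreadyLinked: Outcome; linkNeedsProof: Outcome; linkAuto: Outcome; wrongDomain: Outcome; newUser: Outcome;
}

export function runScenarios(): Scenarios {
  const strict: IdpPolicy = { trustEmail: true, hostedDomain: "example.com", autoLinkByEmail: false };
  const lenient: IdpPolicy = { trustEmail: true, autoLinkByEmail: true };
  return {
    // Alice linked her Google account earlier; her address changed but the subject matches.
    alreadyLinked: brokerLogin(sampleUsers, strict,
      { provider: "google", subject: "g-111", email: "alice.new@example.com", hostedDomain: "example.com" }),
    // Bob has never used Google; an identity carrying his email must prove ownership before linking.
    linkNeedsProof: brokerLogin(sampleUsers, strict,
      { provider: "google", subject: "g-222", email: "bob@example.com", hostedDomain: "example.com" }),
    // The same identity under a policy that auto-links by email.
    linkAuto: brokerLogin(sampleUsers, lenient,
      { provider: "google", subject: "g-222", email: "bob@example.com" }),
    // A consumer Google account has no hd claim and is refused by the hostedDomain policy,
    // even though it carries a Workspace user's address.
    wrongDomain: brokerLogin(sampleUsers, strict,
      { provider: "google", subject: "g-333", email: "bob@example.com" }),
    // Unknown subject and unknown email: a new account is created.
    newUser: brokerLogin(sampleUsers, lenient,
      { provider: "google", subject: "g-444", email: "carol@example.com" }),
  };
}
```

Run it with `ts-node` (or compile with `tsc`) and inspect `runScenarios()`. The `wrongDomain` case is the one to look at first: an account outside the configured hosted domain is refused before any email matching takes place, which is the check that stops an attacker-controlled Google account with a colliding address from ever reaching the linking step.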
Below is the TypeScript code in Pulumi that sets up a Google Identity Provider in a Keycloak realm. The Google client secret is read from the stack's secret configuration rather than written into the source file:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

// The Keycloak realm to attach the provider to. Replace this with the name of an existing realm.
const realmName = "my-realm";

// Read the Google OAuth client credentials from Pulumi config instead of hardcoding them:
//   pulumi config set googleClientId <GOOGLE_CLIENT_ID>
//   pulumi config set --secret googleClientSecret <GOOGLE_CLIENT_SECRET>
// requireSecret returns an Output marked as secret, so the value is encrypted in the
// state file and masked in `pulumi up` output.
const config = new pulumi.Config();
const googleClientId = config.require("googleClientId");
const googleClientSecret = config.requireSecret("googleClientSecret");

// Create a Google Identity Provider in the Keycloak realm.
const googleIdentityProvider = new keycloak.oidc.GoogleIdentityProvider("googleIdp", {
    realm: realmName,
    clientId: googleClientId,
    clientSecret: googleClientSecret,
    enabled: true,
    trustEmail: true,           // accept the email address Google asserts as verified (see below)
    storeToken: false,          // do not keep Google's access/refresh tokens in Keycloak
    addReadTokenRoleOnCreate: false,
    // Additional OIDC configuration (hostedDomain, defaultScopes, syncMode, ...) can be set here.
    // See the Pulumi documentation for the other settings you can configure:
    // https://www.pulumi.com/registry/packages/keycloak/api-docs/oidc/googleidentityprovider/
});

// Export the provider ID for reference.
export const providerId = googleIdentityProvider.id;
```

This Pulumi program creates a new Google Identity Provider within the specified Keycloak realm using your Google client ID and secret. Replace `realmName` with the name of your realm, and set `googleClientId` and `googleClientSecret` in the stack configuration as shown in the comments; the secret should never be committed to source control.

- `realm`: the realm is a logical group managing a set of users, roles and clients. It is fundamental in Keycloak, as you can have multiple isolated realms.
- `clientId`: the Google client ID obtained from the Google API Console.
- `clientSecret`: the secret associated with your Google client ID.
- `enabled`: determines whether the identity provider is enabled.
- `trustEmail`: set this to true if you trust the email address asserted by Google without having Keycloak verify it. Google only issues tokens for addresses it has verified, so this is usually acceptable. Because the first-broker-login flow matches incoming identities against existing Keycloak accounts by email, only trust the email claim of providers that verify addresses, and set `hostedDomain` if only accounts from your own Google Workspace domain should be accepted.
- `storeToken`: whether Keycloak keeps Google's tokens after login. Leave it false unless your application needs to call Google APIs on the user's behalf.

Notice at the end of the script we export the `providerId`, which lets you reference the Google IdP in other parts of your program or query it outside Pulumi with `pulumi stack output providerId`. Make sure your environment is set up with Keycloak, including having a Keycloak server running and having created the realm in which you want to enable Google authentication.
To execute this Pulumi program:

- Save the code in a file named `index.ts`.
- Store the Google credentials in the stack configuration: `pulumi config set googleClientId <GOOGLE_CLIENT_ID>` and `pulumi config set --secret googleClientSecret <GOOGLE_CLIENT_SECRET>`.
- Run `pulumi up` to preview and deploy the changes.

Remember, to apply this Pulumi program you need the Pulumi CLI installed and the Keycloak provider configured with credentials that can administer the target realm (the provider reads its settings from its own configuration keys, such as `keycloak:url`, `keycloak:clientId` and `keycloak:clientSecret`). Also ensure you have already set up a project and registered an application with Google to obtain the required `clientId` and `clientSecret`, and that the application's authorized redirect URI points at Keycloak's broker endpoint for the realm, `https://<keycloak-host>/realms/<realm>/broker/google/endpoint` (with an `/auth` prefix on older Keycloak versions); Google refuses the login otherwise.