1. On your Keycloak server, create a Realm (for example, pulp).

2. Create a Client in the new Realm. Set the Client's Access Type to "confidential" and add a Valid Redirect URI of

       http://<pulp-hostname>:<port>/*

   Use https in production, and keep the pattern no broader than your deployment needs: every URI it matches is a place Keycloak is willing to send authorization codes. In the Fine Grain OpenID Connect Configuration section, set both User Info Signed Response Algorithm and Request Object Signature Algorithm to RS256.

3. In the Pulp settings, add the Client ID:

       SOCIAL_AUTH_KEYCLOAK_KEY = '<Client ID>'

4. Copy the Client Secret from the Client's Credentials tab into the Pulp settings. Treat it like any other credential and keep it out of version control:

       SOCIAL_AUTH_KEYCLOAK_SECRET = '<Client Secret>'

5. Copy the realm's RS256 Public Key from the Realm's Keys tab into the Pulp settings. Paste the key body as Keycloak displays it, without PEM BEGIN/END lines; the Keycloak backend in python-social-auth adds those itself when it verifies token signatures:

       SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = '<Public Key>'

6. Add the authorization_endpoint and token_endpoint URLs listed in the Realm's OpenID Endpoint Configuration to the Pulp settings:

       SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = \
           'https://iam.example.com/auth/realms/pulp/protocol/openid-connect/auth/'
       SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = \
           'https://iam.example.com/auth/realms/pulp/protocol/openid-connect/token/'

7. Create an audience mapper for the JWT. In the Client, open the Mappers tab and select Create. Name the mapper (for example, "Audience Mapper"), choose "Audience" from the Mapper Type list, and set Included Client Audience to the Client ID. Enable it for both the ID token and the access token. The aud claim is what binds a token to this client: the Keycloak backend decodes the access token with the Client ID as the required audience, so a token issued without this mapper is rejected.

8. Add additional Built-in Mappers so the JWT carries the data the Social Auth Pipeline expects. In the Client, open the Mappers tab again and select "Add Builtin"; you are presented with a table of mappers to choose from. Common choices are username, email, groups, given name, family name, full name, updated at, and email verified.
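The following is an added example, not code from Pulp or python-social-auth, that ties the steps above together. keycloak_settings() assembles the SOCIAL_AUTH_KEYCLOAK_* values for one realm and client, and check_token_claims() inspects an access token (for instance one copied from Keycloak's client evaluation screen) to confirm that the audience mapper and the built-in mappers produced the claims the pipeline will look for. Assumptions: the endpoint layout from step 6, that the backend wraps the public key in PEM armor itself, the mapping from Keycloak mapper names to standard OIDC claim names, and the sample tokens, which are constructed here with placeholder signatures. The check deliberately does not verify signatures; it is a configuration diagnostic, not an authorization check.

```python
import base64
import json
import re

# Assumption: the Keycloak built-in mapper names from the page, paired with
# the standard OIDC claim each one writes into the token.
EXPECTED_CLAIMS = {
    "username": "preferred_username",
    "email": "email",
    "groups": "groups",
    "given name": "given_name",
    "family name": "family_name",
    "full name": "name",
    "updated at": "updated_at",
    "email verified": "email_verified",
}

_PEM_ARMOR = re.compile(r"-----(?:BEGIN|END) PUBLIC KEY-----")


def keycloak_settings(base_url, realm, client_id, client_secret, public_key):
    """Return the Pulp settings for one Keycloak realm and client.

    The endpoint layout (/auth/realms/<realm>/protocol/openid-connect/...)
    mirrors the URLs on this page. python-social-auth's Keycloak backend
    adds the PEM BEGIN/END lines around PUBLIC_KEY itself, so any armor
    pasted along with the key is stripped here.
    """
    key = "".join(_PEM_ARMOR.sub("", public_key).split())
    oidc = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect"
    return {
        "SOCIAL_AUTH_KEYCLOAK_KEY": client_id,
        "SOCIAL_AUTH_KEYCLOAK_SECRET": client_secret,
        "SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY": key,
        "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": f"{oidc}/auth/",
        "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": f"{oidc}/token/",
    }


def _b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_token_claims(token, client_id, issuer):
    """Return a list of configuration problems visible in an access token.

    Only the header and payload are inspected, to confirm that the audience
    mapper and built-in mappers are in place. The RS256 signature is NOT
    verified here; the real backend does that with the realm public key.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    problems = []

    # Both signature settings on the client were set to RS256 in step 2.
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected RS256")

    # aud may be a string or a list; the backend requires the client ID in it.
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        problems.append("aud does not include the client ID (audience mapper missing?)")

    if payload.get("iss") != issuer:
        problems.append(f"iss is {payload.get('iss')!r}, expected {issuer!r}")

    # Each missing claim points at the built-in mapper that would supply it.
    for mapper, claim in EXPECTED_CLAIMS.items():
        if claim not in payload:
            problems.append(f"claim {claim!r} missing (add the built-in {mapper!r} mapper)")
    return problems


def _unsigned_token(header, payload):
    """Constructed sample token: real header/payload, placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed test data matching the example realm on this page.
ISSUER = "https://iam.example.com/auth/realms/pulp"
GOOD_TOKEN = _unsigned_token(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": ISSUER, "aud": ["pulp"], "preferred_username": "alice",
     "email": "alice@example.com", "groups": ["admins"], "given_name": "Alice",
     "family_name": "Example", "name": "Alice Example",
     "updated_at": 1700000000, "email_verified": True},
)
# No audience mapper, wrong algorithm, and most built-in mappers missing.
BAD_TOKEN = _unsigned_token(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": ISSUER, "aud": "account", "preferred_username": "alice",
     "email": "alice@example.com"},
)

if __name__ == "__main__":
    for name, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_token_claims(token, "pulp", ISSUER) or "ok")
```

Run against a real token only after confirming the signature with the realm public key; the point of this helper is to turn a failed login into a concrete list of which mapper or client setting is missing, not to decide whether a token is trustworthy.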