Build Your Own
Authentication
The Setup
Today we are going to set up Keycloak with oauth2-proxy and Nginx so that all of our services are protected by a FIDO security key, except for those that we choose to leave public. We are going to be using Docker containers and creating a new virtual machine called hs-auth-01 to run Keycloak and auth2-proxy. Nginx actually runs on a separate virtual machine that is called hs-edge-01, which is the gateway into the entire network. Ports 80 and 443 are exposed to hs-edge-01, which we will set up to proxy to oauth2-proxy and keycloak. Let’s get started.
Creating Our Virtual Machine
The first step is to create our virtual machine. We don’t want to consume a lot of resources, but it needs to be able to run Ubuntu Server.
We chose to give it the following specs:
RAM: 2GB
CPU: 1x 2.2Ghz core
HDD: 24gb
OS: Ubuntu 22.04 Server (Minimized)
IP: 192.168.5.21
Of course the edge virtual machine is running on the same server which is currently using VMWare, but will be blown out and rebuilt with ProxMox in the future. So go ahead and install Linux and give it an IP address. The IP Address we will be using is 192.168.5.21, and again the host name will be hs-auth-01. Make sure to select Ubuntu Server (minimized) when doing the setup so as to reduce the bloat of the operating system and save storage space.
While for nearly all of my VMs I enable LUKS on the boot drive, hs-edge-01 and hs-auth-01 will not have password based disk encryption so that in the event of a power failure we can still get back into the server from anywhere and log into the other VMs. So far this happens very rarely, but it does happen. Be sure to enable openssh as well.
Go ahead and install docker and docker-compose as well, and openssh if you forgot to earlier. I had to also install nano and htop, which is my favorite editor and a process manager to view memory/cpu consumption.
Setting up Keycloak
Next, we set up Keycloak. I used the docker-compose.yml file from here as a reference to get started. Go ahead and follow the rest of that tutorial as well and we will proceed to setting up oauth2 within Keycloak. I put everything for Keycloak under /srv/keycloak/.
Alright, so first we need to set up a realm, then we need create the client, role, and user. You can use this tutorial to guide you through those steps. You can name the realm whatever you want. I used Eanix. Instead of using a public client, we are going to use a confidential one. The callback URL is the domain and url that OAuth2-Proxy is running on.
Next we will be installing oauth2-proxy.
OAuth2-proxy
Now we need to install oauth2-proxy. Copy the docker-compose.yml file under section “Configure OAuth2 Proxy to support API and browser clients” from here. It’s not 100% what we need, but we can adapt it. Make sure you grab the .env file as well, then create the files on hs-auth-01. I put everything under /srv/oauth2-proxy/.
Now that you have that, we will need to update the issuer from the .env variable. The issuer is the Base URL under Clients in Keycloak for you realm, without the /account/ at the end. So in our case it would be http://192.168.5.21:28080/auth/realms/Eanix. Note the lacking of a / at the end.
In our docker-compose.yml file, we will need to clean it up a bit because Nginx resides on our edge virtual machine instead. Go ahead and remove the section titled “nginx” and “web_app.” I personally took out the volumes section and changed the redis volume to ./redis:/data instead. While your editing the file, you can also change the OAUTH2_PROXY_PROVIDER_DISPLAY_NAME to Eanix or whatever you want. We will need to change the OAUTH2_PROXY_REDIRECT_URL as well to our callback URL, which is the domain that you will access OAuth2-Proxy from. In my case, https://oauth.mydomain.com/oauth2/callback.
Now it’s time to update the .env file and set the client_id and client_secret. You can obtain the client_id from Keycloak admin for the client you created in settings. The secret is in the credentials tab which is right next to settings. You will also need to add OAUTH2_PROXY_COOKIE_SECRET to the .env file and set it to something random.
Once done, do a docker-compose pull or up -d to start the container.