1.5 minutes into the video I liked, 5 minutes into it I subscribed. And I don't usually leave comments, but this time I had to: Brilliant video with proper background study to it, thank you for the hard work and can't wait to investigate what else you have in the channel!
Complements on your great videos. I've been a subscriber for a while because you explain complicated topics quite well making it easy to implement for an average homelab hobbyist. Hopefully you get thousands more subscribers for all the good videos you make.
To say that it's a tricky container is an understatement. Why can't it just start and throw any errors in the browser ? Instead you have to try like 100 different options, some of which work in "start" mode, some in "start-devel" mode, some require setting up some https certificates even if you want it to just sit behind traefik, etc. You have to inspect all the logs using docker / podman logs keycloak-server (or whatever your container is) and try to sort out the cryptic messages. And it's not even clear if the first time you have to spin up a custom container to "build" and create the required tables in the database. I wish it would just work 🙃. Authentik wasn't easy to set up, but keycloak is like 100 times worse so far. I keep getting "Bad Gateway" Error messages ...
@@Jims-GarageI'm still figuring out how to use it and for what I need it. Probably stupid misunderstandings on my part, but I'd just like 2FA with my Home Assistant using TOTP from Aegis app on my phone. And on my VPS I wanted to use Authentik + Netbird, since Tailscale/Headscale doesn't resolve DNS on Android (and tailscale "community" isn't interested in helping with Headscale) and I'm running into weird bugs with Zerotier/Headscale and Podman (there is some issues building/combining/reusing Docker/Podman "blobs"). All this convoluted trouble just because Home Assistant Companion App doesn't like custom Certificates so I need Letsencrypted signed Certificates and my Domain Name 😅. At least Netbird cloud DNS Resolution seems to work on android (not sure if it's that or the fact that the records correctly propagate to the root DNS Servers though).
Hey, I replicated your Keycloak setup and it seems that keycloak isn't using the postgres db. For example if you create a new client/realm/anything it doesn't write into the external db, but is instead using the internal h2 db. You can verify that by checking the internal db's under /opt/keycloak/data/h2/keycloakdb.mv.db. I got it working with the following env variables (Keycloak 22.0.3 and latest) : - KC_DB=postgres - KC_DB_URL_HOST=postgresql - KC_DB_URL_PORT=5432 #also exposing ports of the postgres db - might be optional - KC_DB_URL_DATABASE=keycloak - KC_DB_SCHEMA=public With the working external db you won't lose data with commands like "docker compose down". BTW Thank you for your great content. It helps a lot. :)
By the way, there is a noticeable increase of pace in how you communicate in the recent videos. Like when compare it even just few months back! Nice to see this.
Great content, Jim! Just wanted to highlight, since you’re using Keyclock for SSO, the importance of creating the users in the OAuth2/OIDC server, leaving that to the clients with auto-user-creation option turned on makes your system less secure, particularly if one of your services got hacked.
Hi Jim, awesome content, I was reviewing the docker compose, and it was not working for me, however after reviewing it in detail, I was able to make it work by changing the service name in the docker compose from postgresql to postgres or changing the environment variable KC_DB_URL_HOST , since I had the error password FATAL: password authentication failed for user "keycloak" Again, as always great content.
Hi Jim! Thank´s for the video.I´m trying to connect spring boot microservices with keycloak using an external rds db, not containerized. I actually can do with keycloak 16, but using 23 version can´t connect with that db. Do you know what could be the problem? I got some errors related with quarkus ...
Hi Jim, excellent video, just one detail, it's not good practice to use the realm master as a default, I know it's just an example, but it's always good practice to create a realm and leave the master to manage your keycloak ;)
What a brilliant video, thank you so much for that 😄 Do you plan a video for Keycloak 25.0.0? I Tried to update just with this docker files but I am then not able to log in anymore. With 22.0.3 and nginx it works just fine with these files.
This video covers cases where your varied apps all have native openid capabilities. Traefik also has the ability to use a key cloak 'forward auth' middleware to add authentication for ANY app. I’ve need struggling through that now. Your video is a great source for me to clean up my homeland docker settings though. Thank you
You're welcome. You'd need something that supports OIDC / OAuth2. I recommend checking out my Authentik video, that has a proxy for authentication so you can add it to any site (I think that is what you're after).
From the github docker-compose.yaml - Keycloak doesn't connect to Postgres - Issue raised on github - Service refences postgresql but KC_DB_URL_HOST=postgres
this is an awesome tutorial. One of the problems I am having is getting access to the users keycloak interface. For the admin account on the master realm, that super easy. but its not so straightforward in the documentation about how to access the users portal for setting up MFA, changin passwords, etc.
Thanks. I'm aiming to come back to keycloak in the near future and perhaps I can cover those items. I'm really interested in using hardware tokes for auth / zero trust.
Good explanation, thanks ! When do you plan to roll out the video referred in the last "Outro" section about integrating Keycloak with other identity providers like Google / Facebook / Azure ?
@@Jims-Garage As part of my project, I am trying to install Docker and Docker-Compose on my Raspberry Pi 3B+ to run Keycloak in a Docker environment. Unfortunately, I am facing several issues and cannot proceed further. 1. Docker was successfully installed Docker-Compose was installed using sudo pip3 install docker-compose. The Docker version is 19.03.15, and the Docker-Compose version is v2.11.2. 2. Attempting to use the jboss/keycloak Docker image failed because it is not available for the ARMv7 architecture of my Raspberry Pi: Error response from daemon: pull access denied for jboss/keycloak, repository does not exist or may require 'docker login': denied: requested access to the resource is denied Efforts to build a custom Docker image for Keycloak led to issues with GPG keys and missing packages, resulting in the image not building successfully:
@Jims-Garage I went through the hassle of installing this just to read this comment 😅. Oh well, I learned how to get it up and running. Got everything set up if I ever need it. On to your Authentik video
Your videos are always well paced and i have followed a number of them. For a home labber I dont use traffic, I use cloudflare tunnels. Is there any chance you would do a tut on setting up keycloak from start to finish with cloudflare tunnles? I cant seem to find enough relevent information on the process.
@@Jims-Garage Thank you sir. I cant say im a fan of Cloudflare myself, the only reason i considered them because i found hosting my own reverse proxy led to many issues. I was using NGINXPM. I kind of saw cloudflare as the lesser of 2 evils in that i didnt have common ports opened on my firewall. But hey, its home labbing and for learning. If theres a better way, im all ears. Thanks for the work you put into your videos
@@chrisd1243 check out my Traefik video. Far better IMO, otherwise if you use a Cloudflare tunnel your data is unencrypted on Cloudflare's side (they can read everything).
Thank you for the video. I followed your guide but when i stop/remove the containers, all changes are gone. so there is nothing persistant stored in the DB! Help please!
Fantastic work as usual Jim! Have just got my lab set up with a decent DC, can bearly wait to deploy this to my apps and integrate it with LDAP. Highly apprecitate your work once again! :)
Great content thanks for sharing it. Could you please share the proxmox user creation step details? (assigning the necessary permission to the user that you created)
I was saying to my partner today, about how good the channel was, but hoped Jim remembered he had a family because of the amount of video's he's been outputting.😀
nice. can you use this in/with Cloudflare Tunnels as the auth mechanism? I know Cloudflare Tunnels has some risk, but if you can get passed the fact they have sight into the data. For a lot of things in the lab it should be permissible. Secondly, I have 1 or 2 "production" workloads I need to move to my NAS server as that's the only server likely stay alive any given moment. After that I plan to nuke the lab and start over. Not sure if I will be on 3 nodes of Proxmox or if I want to tackle Harvester. Either way where should I start? Cloudflare, Keycloak, Traefik? you know outside-in, auth, and routing then spin up services to tinker with? Trying to come up with a bit of a ground zero run book of creating the lab, do A, B, C, then whatever tickets your fancy.
I don't know if it can be used with Cloudflare Tunnels. Essentially if the app uses OAuth2 it should be possible. I would play with harvester but I don't recommend it for a Homelab, it's too heavy. A Proxmox cluster is the right balance IMO. For general homelab Auth I recommend Authentik. It does everything that keycloak does plus it supports Auth proxy as many homelab apps don't use OAuth2
@@Jims-Garage yeah I started with Harvester maybe a little over a year ago when I only had one node. I liked how you can run rancher on harvester to control then Kube and VM within Harvester. Maybe I'll stick with Proxmox though. I don't know.
@@Jims-Garage yeah I have very little "need" if I am being honest. Just a couple of services that I "need" to keep alive. Now that I have my third node in the post... I don't know what Want to do with the "lab" portion of my home lab. I'm a cloud architect/engineer. And I feel that less and less of the lab is translating over to my career. Most of my day is spent in CDK building things in AWS. I'll have to do some re-evaluating. Maybe I trade out my dell r620s for a handful of Raspberry Pi XD.
I'm guessing that would fall under setting up WebAuthn in keycloak, it's usually what is used for fingerprint scanners and hardware keys for authentication
@@Jims-Garage Got it. You were logged with admin account so you already had a validade token. Otherwise you would get the keycloak loggin page. Correct?
It's a great tool, although I feel that Authentik is probably going to be the sweet spot for most as it does the web proxy for applications that lack authentication.
Great job ! Do you run Keycloak inside proxmox on a vm(running docker) or ct, or outside proxmox ? Cause if it’s hosted on proxmox and keycloak is not running, how do you log in to Proxmox using auth ?
Followed your guide. When trying to sign into portainer getting "Failure Unauthorized".. tried creating user in portainer and also with Automatic user provisioning = ON. Nginx proxy configured to forward to my docker containers.
Unfortunately you dove to much into the practical side of this in my opinion or you should update the description to clarify that you just want to configure and deploy keycloak. I am missing a lot of theoretical explanation of the internals of the things you configure and why..
Thanks, I appreciate the feedback. I think the description is accurate as it states it's deployment and configuration, and in the video I state that I'm only scratching the surface. It's difficult to cover everything in all videos as I've already covered elements of SSO, OAuth in Authelia (and subsequently Zitadel). I will be coming back to Keycloak in the future.
Agree, if you would explain all protocols and details, it would be a 12h video nobody would watch. Its better to focus on Keycloak, and maybe a different video on how modern auth methods work. Just my 2 cents
I'm currently trying to decide between Authentik and Keycloak and this has helped, though I'm still unsure. But you've opened the door to me just playing around with them and seeing which one appeals to me most. Thanks!
