Keycloak Setup
A local Keycloak for development purposes is configured by setup-devenv.sh
and started by start-devenv.sh (option kc / keycloak). The container
is a standard keycloak container (quay.io/keycloak/keycloak:latest), with
HTTPS terminated inside the container using a generated certificate.
The directory scripts/devenv/keycloak mirrors the layout of the keycloak
named volume (mounted at /opt/keycloak/data in the container): it contains a
certs/ directory with the generated TLS certificates (written once by
setup-devenv.sh and git-ignored) and an import/ directory holding
realm.json, which Keycloak imports on container start.
setup-devenv.sh populates the named volume in a single pass by streaming a
self-extracting shell script through stdin to the keycloak container (using
docker compose run, so this also works with a remote DOCKER_HOST). The
keycloak image (Red Hat UBI 9 minimal) ships neither tar nor a package
manager, so each file is base64-encoded on the host and decoded in the
container with coreutils base64.
The realm is only imported on a fresh volume; after editing realm.json,
drop the volume and re-run setup-devenv.sh to repopulate it.
In general, to run:
git clone nl-wallet
cd nl-wallet
scripts/setup-devenv.sh # configure the named volume
scripts/start-devenv.sh keycloak # starts the container
scripts/start-devenv.sh keycloak --stop # stops keycloak
Login Credentials
Administration user: keycloak / keycloak, HTTP :11080, HTTPS :11443.
Overridable with: KC_USERNAME, KC_PASSWORD, KC_PORT_HTTP, KC_PORT_HTTPS.
Realm Configuration
Realm name: nl-wallet
Realm file: scripts/devenv/keycloak/import/realm.json
Privileges (realm roles)
Role |
Description |
|---|---|
|
Create or review a task to revoke a Wallet. |
|
Create or review a task to block a user. |
|
Create or approve a task to unblock a blocked user. |
|
See all open and completed tasks. |
|
Revoke the Wallet Solution. |
Privileges are plain realm roles and appear in the access token as realm_access.roles.
Test users
A couple of test users, password equals username.
User |
Password |
Privileges |
|---|---|---|
|
|
|
|
|
|
|
|
|
Client
Property |
Value |
|---|---|
Client ID |
|
Type |
Public (PKCE, no secret) |
Flow |
|
PKCE |
|
Redirect URI |
|