
Keycloak

From /dev/hack

Overview

Keycloak is the identity provider (IdP) for /dev/hack. It offers SAML and OpenID Connect (OIDC) authentication to applications, with OIDC preferred, so members can log into the various services with one central account.

Clients

If your application wants to authenticate /dev/hack users, you will probably want a Keycloak client created.

How It Works

Your application is expected to use OpenID Connect. You pick a client ID and we generate the client secret. Most applications ask for a single issuer (also called "discovery" or "configuration") URL; for /dev/hack that is https://idp.devhack.net/realms/devhack, and the OIDC library fetches every endpoint it needs from there. If your application's configuration is hard-mode and wants each endpoint (authorization, token, userinfo, JWKS, logout) entered separately, all of them are listed in https://idp.devhack.net/realms/devhack/.well-known/openid-configuration.
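What a client actually does with that discovery document, as an added example (not /dev/hack's own code, and not something any particular application on the wiki ships): load the document, check it before trusting it, then start an authorization-code login with state, nonce and PKCE. The discovery JSON below is a constructed sample of what the devhack realm publishes, abridged to the fields a client uses; the client_id "wiki" and the redirect URI in the test are hypothetical.

```python
"""Check a Keycloak realm's OIDC discovery document and start a login.

Added example, not /dev/hack's own code. SAMPLE_DISCOVERY is a constructed,
abridged copy of what https://idp.devhack.net/realms/devhack/.well-known/
openid-configuration returns; client IDs and redirect URIs are hypothetical.
"""
import hashlib
import json
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import urlencode, urlparse

ISSUER = "https://idp.devhack.net/realms/devhack"

# Constructed sample. Keycloak serves every endpoint under the realm's
# /protocol/openid-connect/ path, which the origin check below relies on.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "end_session_endpoint": ISSUER + "/protocol/openid-connect/logout",
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Endpoints a confidential web client cannot do without.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(raw, expected_issuer=ISSUER):
    """Parse the discovery JSON and refuse anything a client should not trust.

    The issuer must equal the URL the client was configured with; that is the
    OIDC Discovery rule that blocks issuer mix-up. Because Keycloak hosts all
    endpoints on the issuer's own origin, an endpoint on another host or over
    plain http is treated as a tampered document rather than accepted.
    """
    doc = json.loads(raw)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    origin = urlparse(expected_issuer).netloc
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        parts = urlparse(url)
        if parts.scheme != "https" or parts.netloc != origin:
            raise ValueError(f"{key} points off the issuer origin: {url}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise PKCE S256")
    return doc


def pkce_challenge(verifier):
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(doc, client_id, redirect_uri):
    """Authorization-code request URL with state, nonce and PKCE.

    Returns (url, pending). `pending` is stored in the user's session: state
    is checked on the callback, nonce against the ID token, and code_verifier
    is sent with the code to the token endpoint.
    """
    pending = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars; RFC 7636 allows 43..128
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": pkce_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params), pending


def check_callback(query, pending):
    """Validate the redirect back from Keycloak; return the code to redeem.

    `query` is the callback's query string as a dict. A state mismatch means
    this session did not start the login (CSRF, replay or a stale tab), so
    the code must not be exchanged.
    """
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    if not secrets.compare_digest(query.get("state", ""), pending["state"]):
        raise ValueError("state mismatch; discarding callback")
    return query["code"]
```

The origin check is a tightening that holds for a single-host Keycloak realm like this one; a generic OIDC library only enforces the issuer match. The code exchange itself (POST to `token_endpoint` with the code, `code_verifier`, client ID and client secret) and the ID-token signature check against `jwks_uri` are the steps a library handles once it is pointed at the issuer URL above.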

Requesting A Client

This process is semi-self-service, but not completely.

  1. To begin, file a pull request to add your client to https://git.devhack.net/devhack/core-infra/src/branch/main/tf/keycloak.tf.
  2. You will need to fill out a client_id and root_url.
  3. After it is merged, someone with admin access needs to run tofu apply to create your new client.
    • Your client secret is written to OpenBao's secret store. Whoever merged your PR and applied it will reach out to help you retrieve the secret.

Access

https://idp.devhack.net/admin/master/console/ is the admin console for Keycloak's built-in master realm, the realm that holds the Keycloak-wide admin accounts rather than /dev/hack members. Day-to-day administration of the devhack realm happens in that realm's own console, linked below.

How to admin

https://idp.devhack.net/admin/devhack/console/#/devhack

Adding new admins the clickops way (through the console) does not work; there is some other way, possibly through git, that is not yet documented here.

Admins can functionally do everything, since they can grant themselves any other permission or impersonate users. They also hold some special permissions on member services, such as approving members for membership.


Deployment

Keycloak and its Postgres database are deployed in a VM and an LXC container, respectively, on the pve-devhack Proxmox host:

  • [pve-devhack]
    • devhack-idp01: Primary VM.
      • systemd service keycloak.service
      • docker-compose stack and dockerfile in /opt/keycloak
      • Some configuration is baked directly into the Keycloak container image, so the image is rebuilt on every startup; that is what the Dockerfile is for
    • idp01-psql01: Postgres database