“Configure Keycloak to use Google as an IdP”

Gokhan Konuk
Published in codeshakeio
4 min read, Jul 25, 2022

🗣️ Introduction

Keycloak is an open-source Identity and Access Management product that provides single sign-on for modern applications and services.

Keycloak supports an extensive list of social networks out of the box: Google, GitHub, Facebook, LinkedIn, Microsoft, Twitter, and many other providers. It is even flexible enough to integrate any OpenID Connect or SAML 2.0 provider.

In this post, I will show you how to configure sign-in with Google.

🧰 Prerequisites

  • A realm on Keycloak
  • A Google Application on the Google developers portal

Configure Keycloak with the credentials from your Google Application

Keycloak

Log in to your Keycloak admin interface, click Identity providers in the left column, and select Google from the available providers.

Select Google identity provider

On the new page that appears, note the Redirect URI; we will need it later when we set up the Google Application. It should be something like:

https://YOUR_KEYCLOAK_DOMAIN/auth/realms/YOUR_REALM_NAME/broker/google/endpoint

Keep this page open in a browser tab. We will go to Google for a while, but we will come back to Keycloak in the last step of this guide.

Google Application

Head to this page and log in with your Google Account; you will see the Google Developers Console. This is where you configure the Google APIs for your project.

Click the dropdown next to Google Cloud (Google APIs) at the top and select the related project. You will see a page similar to the one in the following screenshot:

Project dashboard Google API

Click Explore and enable APIs, enable the Google+ API there, and you will be redirected to the following page. Then click Credentials.

Click on Credentials

After clicking Credentials, the Google Developers Console reminds us that we need to configure the consent screen. This is a mandatory step for our integration: it configures what our users will see when we redirect them to Google to sign in.

Let's do it now: click that button.

Configure consent screen

Select the user type you want to allow to sign in to your application (for this example I will use External). Then click Create.

OAuth consent screen

We will be redirected to a page with many settings. Fill them in as follows:

  • Application type: Public
  • Application name: Your application name (for this example I will use Keycloak Test App)
  • Authorized domains: Your application's top-level domain name
  • Application Homepage link: Your application homepage
  • Application Privacy Policy link: Your application privacy policy link

Then click Save at the bottom of the page.

After configuring the consent screen, click Credentials again and then click Create Credentials:

Create credentials

Select the OAuth client ID option from the dropdown:

Create OAuth client ID

Select Web Application as the type of your application, add a name for it, and in the Authorized redirect URIs field add the URL you saved at the end of the first step of this guide. It should be something like:

https://YOUR_KEYCLOAK_DOMAIN/auth/realms/YOUR_REALM_NAME/broker/google/endpoint

You will now get a set of credentials: a Client ID and a Client Secret.

Get your Credentials

Take note of the Client ID and Client Secret; you will need them when setting up Keycloak in the last part of this guide.

Keycloak

Go back to Keycloak and enter the Client ID and Client Secret on the page we left open at the end of the first step of this guide. Then click Save.

Configure Client ID & Client Secret for IdP

We are done. Now, whenever you log in to a client configured in this Keycloak realm, you will find the option to log in with Google.

Log in with Google

Hopefully, this was in some way helpful to someone…
