Configure the OIDC Settings
OIDC Identity Provider
SEAL OP-CLI authenticates a user via the OAuth 2.0 and OpenID Connect protocols. For this, an OIDC identity provider is required.
A preconfigured Keycloak identity provider is provided by SEAL Systems for test purposes. In practice, another OIDC identity provider already installed at the customer's will be used for the user authentication and authorization.
Literature - OIDC identity provider
For more information about Keycloak and other OIDC identity providers used with the SEAL Systems products, refer to the SEAL Interfaces for OIDC documentation.
Hint - version
The client configuration required for SEAL OP-CLI is available as of version 6.0.1-97 of the preconfigured Keycloak (seal-keycloak-6.0.1-97.x86_64.rpm).
Steps with SEAL OP-CLI
Set the following Linux environment variables before calling SEAL OP-CLI unless the corresponding default applies or the corresponding value is specified as an option:
- AUTH_ISSUER_URL: OIDC issuer URL; default: the URL is retrieved from the seal-operator-server service.
  Hint - changed AUTH_ISSUER_URL as of Keycloak 21.0.1
  As of SEAL-specific Keycloak version 21.0.1, the URL needed for AUTH_ISSUER_URL has changed.
  - old value: AUTH_ISSUER_URL=https://<hostname>:32769/auth/realms/SEAL
  - new value: AUTH_ISSUER_URL=https://<hostname>:32769/realms/SEAL
- OPCLI_AUTH_CLIENT_ID: client name configured in the OIDC identity provider; default: seal-opcli; can also be specified with the --auth-client-id option.
- OPCLI_AUTH_CLIENT_SECRET: client secret for retrieving the OIDC identity provider's access token; default: the secret installed with the SEAL-specific Keycloak; can also be specified with the --auth-client-secret option.
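The following shell snippet is an added example, not part of the SEAL OP-CLI documentation or product: it rewrites a pre-21.0.1 issuer URL to the form required as of Keycloak 21.0.1, checks the result for the shape SEAL OP-CLI expects, and exports the variables listed above. The hostname, port and client ID are placeholders; replace them with your own values.

```shell
#!/bin/sh
# Added example (not SEAL Systems' code). Prepares the OIDC environment
# for SEAL OP-CLI and catches the two common mistakes from the section
# above: a stale /auth/realms/ path and a malformed scheme.

# Rewrite an old-style Keycloak issuer URL (.../auth/realms/<realm>) to the
# layout required as of SEAL-specific Keycloak 21.0.1 (.../realms/<realm>).
# URLs already in the new layout are returned unchanged.
issuer_url_for_keycloak21() {
    printf '%s\n' "$1" | sed 's#/auth/realms/#/realms/#'
}

# Return 0 if the issuer URL is well-formed for OP-CLI: https scheme with a
# double slash, a host, and a /realms/<realm> path without the old /auth prefix.
check_issuer_url() {
    case "$1" in
        https://*/auth/realms/*) return 1 ;;   # pre-21.0.1 layout, must be rewritten
        https://*/realms/?*)     return 0 ;;
        *)                       return 1 ;;   # e.g. "https:/host..." or plain http
    esac
}

# The OIDC discovery document every compliant issuer serves; fetching it
# (e.g. with curl) confirms the issuer URL before OP-CLI is run.
discovery_url() {
    printf '%s/.well-known/openid-configuration\n' "$1"
}

# Export the variables read by SEAL OP-CLI. The client secret is expected
# to be present in OPCLI_AUTH_CLIENT_SECRET already (or provided by the
# SEAL-specific Keycloak default); it is deliberately not passed via
# --auth-client-secret, because command-line arguments are readable by
# other local users through ps / /proc/<pid>/cmdline.
configure_opcli_env() {
    url=$(issuer_url_for_keycloak21 "$1")
    check_issuer_url "$url" || { echo "bad issuer URL: $url" >&2; return 1; }
    export AUTH_ISSUER_URL="$url"
    export OPCLI_AUTH_CLIENT_ID="${2:-seal-opcli}"   # page default: seal-opcli
    return 0
}

# Example run with constructed placeholder values:
# configure_opcli_env 'https://kc.example.internal:32769/auth/realms/SEAL' \
#     && curl -fsS "$(discovery_url "$AUTH_ISSUER_URL")" >/dev/null \
#     && echo "issuer reachable: $AUTH_ISSUER_URL"
```

The curl line in the trailing comment needs network access to the identity provider and is therefore only shown, not executed.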