Keycloak

Hazy can optionally be connected to keycloak in order to provide external user management.

This serves for both authentication and authorisation.

Hazy provide a pre-built version of the keycloak image with a Hazy theme and a default realm set up for Hazy for convenience, but it's possible to connect to any keycloak (>=21) instance. The keycloak provided images can be found here:

release.hazy.com/hazy/keycloak:unknown

In order to use keycloak, the following additional environment variables are required in the hub:

# This has to be set in order to enable authentication via Keycloak.
USE_KEYCLOAK=true

# Keycloak base URL for external connection
KEYCLOAK_URL=http://hazy.domain/auth
# In case the keycloak url is different from the hub itself
INTERNAL_KEYCLOAK_URL=http://hazy-keycloak-internal:8080/auth

# The url for the hub after authentication
KEYCLOAK_REDIRECT_URL=https://hazy.domain:port
LOGOUT_REDIRECT_URL=https://hazy.domain:port

# The keycloak realm in which the hazy client is installed
KEYCLOAK_REALM=hazy

As per the pre-configured instance Hazy provide, it's necessary to create 2 clients in the configured realm. One for the frontend, named, hazy-hub-frontend; this must allow standard OAuth2 flow with the Hazy url listed as the origin and valid redirects. The second client is for the backend, no login flow is necessary but it must be an audience in the ticket obtained for the frontend.

If using the preconfigured keycloak image, it will be necessary to add the service url (or proxy url if one is used) to the list of valid redirect urls in the frontend client config for the realm.

Further, system admins of the Hazy platform can log into Keycloak via $KEYCLOAK_URL with username and password as configured in the keycloak startup settings. Further refer to Identity and Access Management at Hazy for details on Keycloak user setup.

More information including a particularly extensive set of documentation can be found at the keycloak website.

https://www.keycloak.org/