keycloak-pam
Tiny PAM module to perform authentication against a keycloak instance.
Testing and development are done within a nix environment, if you don't plan to use nix extract the pieces you care about, but we only support nix configuration.
System Configuration
This is being worked on, refer to the test configuration at tests/nixos/configuration.nix.
Arguments
Module can be easily configured with PAM arguments, for the sake of completeness refer to the source code.
You can cargo doc to find the documentation for this at keycloak_pam > Args.
Restrictions
With the purpose of being tiny and minimal, the module uses libcurl for the few requests it makes, so HTTP/S and all networking behavior is offloaded to it.
Behavior
To authenticate users, the module uses the endpoint {BASE_URL}/realms/{realm}/protocol/openid-connect/token as a configured client. This needs a client ID and its secret that you need to get and configure per realm.
A curl request you can use anywhere to test this is:
curl -X POST http://keycloak-pam.test/realms/master/protocol/openid-connect/token \
-d grant_type=password \
-d username=admin \
-d password=dontchangeme \
-d client_id=account \
-d client_secret=7bsrMrRuNKpqsxcOOJavWjEqek12ZCkj
The secret and id there are just an example (account is a client configurd by default by keycloak).
This is the simplest way to check credentials but also has the consequence of leaking unhandled oauth2/OIDC user tokens. I'm unsure if this could have further consequences but it's a risk worth considering.
Development
The nix test configuration relies on bridging the VM IP, for this it relies on the default libvirt's interface and needs the qemu-bridge-helper. This is found in a nix shell hook.
To have the necessary environment you should nix-develop in the shell, which will also provide the proper rust version and components.
You should also have libvirt configured on your system, other virtualization methods are not supported, if you have interface issues try to virsh net-start default/virbr0.
The test configuration treats itself as keycloak-pam.test, you might be interested in adding this to your /etc/hosts if you are going to use its web interface much.
Rust Version
The project is meant to work under rust stable.
No specific MSRV is given, but if it compiles it should work.
License
This code is meant to be used for tuxcord.nix, it copies some of such configuration and follows its same license.
This is exclusively licensed under the GNU Lesser General Public License (LGPL-3.0-only).
You are allowed to modify and redistribte derivatives of this work provided you comply with the license.