Files
keycloak-pam/README.md
T
javalsai d2a2baebc8 initial commit
- login works
- basic documentation
2026-05-09 18:06:35 +02:00

63 lines
2.8 KiB
Markdown

# keycloak-pam
Tiny PAM module to perform authentication against a keycloak instance.
Testing and development are done within a nix environment, if you don't plan to use nix extract the pieces you care about, but we only support nix configuration.
# System Configuration
This is being worked on, refer to the test configuration at [`tests/nixos/configuration.nix`](./tests/nixos/configuration.nix).
# Arguments
Module can be easily configured with PAM arguments, for the sake of completeness refer to the source code.
You can `cargo doc` to find the documentation for this at `keycloak_pam > Args`.
# Restrictions
With the purpose of being tiny and minimal, the module uses libcurl for the few requests it makes, so HTTP/S and all networking behavior is offloaded to it.
# Behavior
To authenticate users, the module uses the endpoint `{BASE_URL}/realms/{realm}/protocol/openid-connect/token` as a configured client. This needs a client ID and its secret that you need to get and configure per realm.
A curl request you can use anywhere to test this is:
```
curl -X POST http://keycloak-pam.test/realms/master/protocol/openid-connect/token \
-d grant_type=password \
-d username=admin \
-d password=dontchangeme \
-d client_id=account \
-d client_secret=7bsrMrRuNKpqsxcOOJavWjEqek12ZCkj
```
The secret and id there are just an example (`account` is a client configurd by default by keycloak).
This is the simplest way to check credentials but also has the consequence of leaking unhandled oauth2/OIDC user tokens. I'm unsure if this could have further consequences but it's a risk worth considering.
# Development
The nix test configuration relies on bridging the VM IP, for this it relies on the default `libvirt`'s interface and needs the `qemu-bridge-helper`. This is found in a nix shell hook.
To have the necessary environment you should nix-develop in the shell, which will also provide the proper rust version and components.
You should also have `libvirt` configured on your system, other virtualization methods are not supported, if you have interface issues try to `virsh net-start default/virbr0`.
The test configuration treats itself as `keycloak-pam.test`, you might be interested in adding this to your `/etc/hosts` if you are going to use its web interface much.
# Rust Version
The project is meant to work under rust stable.
No specific MSRV is given, but if it compiles it should work.
# License
This code is meant to be used for [tuxcord.nix](https://git.javalsai.tuxcord.net/tuxcord/tuxcord.nix/issues), it copies some of such configuration and follows its same license.
This is **exclusively** licensed under the GNU Lesser General Public License (`LGPL-3.0-only`).
You are allowed to modify and redistribte derivatives of this work provided you comply with the license.