The template used for creating an Auth Server using the `add authserver` or `new domain` commands.
For more information on Duende and how to configure an auth server, please see their docs.
| Name | Required | Description | Default | Notes |
|---|---|---|---|---|
| Name | Yes | The name of your auth server scaffolding project | None | |
| RealmName | Yes | The name of your auth server's Keycloak Realm (essentially a Tenant) | None | |
| Port | No | An integer that designates your auth server port. | A random free port will be selected if none is provided | |
| Username | No | The root username for getting into Keycloak | admin | |
| Password | No | The root password for getting into Keycloak | admin | |
| Clients | No | A list of the various AuthClients (applications) using your auth server. | None |
| Name | Required | Description | Default | Notes |
|---|---|---|---|---|
| Id | Yes | The client id for this app. | None | |
| Name | Yes | The name of your client | None | |
| BaseUrl | Yes | The url for the given client (e.g. https://localhost:5375/) | None | |
| Secret | No | The secret you'd like to use for this client. | Random Guid | |
| GrantType | No | The grant type to dictate which auth flow you want to configure. Can be set to ClientCredentials or Code. Case insensitive. | Code | |
| RedirectUris | No | A list of strings to determine your acceptable callback URIs. This is generally going to be your front end client. | BaseUrl/* | |
| AllowedCorsOrigins | No | A list of strings to determine the allowed origins to accommodate CORS. | BaseUrl | |
| Scopes | No | Specifies the api scopes that the client is allowed to request. | None | This should match the audience scope in your boundary auth settings and swagger specs |
In this example, I'm setting up an auth server on port 3385 with a single client for my swagger page. I also add the recipe management api since that will have protected endpoints configured for this auth server. Finally, we have read only and individual feature permissions for the features.
DomainName: RecipeManagementApi
BoundedContexts:
- ProjectName: RecipeManagement
Port: 5375
DbContext:
ContextName: RecipesDbContext
DatabaseName: RecipeManagement
Provider: Postgres
Entities:
- Name: Recipe
Features:
- Type: GetList
IsProtected: true
PermissionName: CanReadRecipes
- Type: GetRecord
IsProtected: true
PermissionName: CanReadRecipes
- Type: AddRecord
IsProtected: true
- Type: UpdateRecord
IsProtected: true
- Type: DeleteRecord
IsProtected: true
Properties:
- Name: Title
Type: string
- Name: Visibility
SmartNames:
- Public
- Friends Only
- Private
- Name: Directions
Type: string
- Name: Rating
Type: int?
Environment:
AuthSettings:
Authority: http://localhost:3255/auth/realms/DevRealm
Audience: recipe_management
AuthorizationUrl: http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth
TokenUrl: http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token
ClientId: recipe_management.swagger
ClientSecret: 974d6f71-d41b-4601-9a7a-a33081f80687
AuthServer:
Name: KeycloakPulumi
RealmName: DevRealm
Port: 3255
Clients:
- Id: recipe_management.postman.machine
Name: RecipeManagement Postman Machine
Secret: 974d6f71-d41b-4601-9a7a-a33081f84682
GrantType: ClientCredentials
BaseUrl: "https://oauth.pstmn.io/"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
- Id: recipe_management.postman.code
Name: RecipeManagement Postman Code
Secret: 974d6f71-d41b-4601-9a7a-a33081f84680 #optional
GrantType: Code
BaseUrl: "https://oauth.pstmn.io/"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
- Id: recipe_management.swagger
Name: RecipeManagement Swagger
Secret: 974d6f71-d41b-4601-9a7a-a33081f80687
GrantType: Code
BaseUrl: "https://localhost:5375/"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
- Id: recipe_management.bff
Name: RecipeManagement BFF
Secret: 974d6f71-d41b-4601-9a7a-a33081f80688
BaseUrl: "https://localhost:4378/"
GrantType: Code
RedirectUris:
- "https://localhost:4378/signin-oidc"
AllowedCorsOrigins:
- "https://localhost:5375" # api 1 - recipe_management
- "https://localhost:4378"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specsIf you've already created your Wrapt project and want to add an Auth Server after the fact, you can use the add authserver command to scaffold it out as well.
This looks the same as above, you just need the auth server part:
Name: KeycloakPulumi
RealmName: DevRealm
Port: 3255
Clients:
- Id: recipe_management.postman.machine
Name: RecipeManagement Postman Machine
Secret: 974d6f71-d41b-4601-9a7a-a33081f84682
GrantType: ClientCredentials
BaseUrl: "https://oauth.pstmn.io/"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
- Id: recipe_management.postman.code
Name: RecipeManagement Postman Code
Secret: 974d6f71-d41b-4601-9a7a-a33081f84680 #optional
GrantType: Code
BaseUrl: "https://oauth.pstmn.io/"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
- Id: recipe_management.swagger
Name: RecipeManagement Swagger
Secret: 974d6f71-d41b-4601-9a7a-a33081f80687
GrantType: Code
BaseUrl: "https://localhost:5375/"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
- Id: recipe_management.bff
Name: RecipeManagement BFF
Secret: 974d6f71-d41b-4601-9a7a-a33081f80688
BaseUrl: "https://localhost:4378/"
GrantType: Code
RedirectUris:
- "https://localhost:4378/signin-oidc"
AllowedCorsOrigins:
- "https://localhost:5375" # api 1 - recipe_management
- "https://localhost:4378"
Scopes:
- recipe_management #this should match the audience scope in your boundary auth settings and swagger specs