Auth Server Template

The template used for creating an Auth Server using the `add authserver` or `new domain` commands.

For more information on Duende and how to configure an auth server, please see their docs.

Add Auth Server Template Properties

NameRequiredDescriptionDefaultNotes
NameYesThe name of your auth server scaffolding projectNone
RealmNameYesThe name of your auth server's Keycloak Realm (essentially a Tenant)None
PortNoAn integer that designates your auth server port.A random free port will be selected if none is provided
UsernameNoThe root username for getting into Keycloakadmin
PasswordNoThe root password for getting into Keycloakadmin
ClientsNoA list of the various AuthClients (applications) using your auth server.None

AuthClient

NameRequiredDescriptionDefaultNotes
IdYesThe client id for this app.None
NameYesThe name of your clientNone
BaseUrlYesThe url for the given client (e.g. https://localhost:5375/)None
SecretNoThe secret you'd like to use for this client.Random Guid
GrantTypeNoThe grant type to dictate which auth flow you want to configure. Can be set to ClientCredentials or Code. Case insensitive.Code
RedirectUrisNoA list of strings to determine your acceptable callback URIs. This is generally going to be your front end client.BaseUrl/*
AllowedCorsOriginsNoA list of strings to determine the allowed origins to accommodate CORS.BaseUrl
ScopesNoSpecifies the api scopes that the client is allowed to request.NoneThis should match the audience scope in your boundary auth settings and swagger specs

Add Auth Server Template Examples

Adding a Auth Server with Your Domain

In this example, I'm setting up an auth server on port 3385 with a single client for my swagger page. I also add the recipe management api since that will have protected endpoints configured for this auth server. Finally, we have read only and individual feature permissions for the features.

DomainName: RecipeManagementApi
BoundedContexts:
  - ProjectName: RecipeManagement
    Port: 5375
    DbContext:
      ContextName: RecipesDbContext
      DatabaseName: RecipeManagement
      Provider: Postgres
    Entities:
      - Name: Recipe
        Features:
          - Type: GetList
            IsProtected: true
            PermissionName: CanReadRecipes
          - Type: GetRecord
            IsProtected: true
            PermissionName: CanReadRecipes
          - Type: AddRecord
            IsProtected: true
          - Type: UpdateRecord
            IsProtected: true
          - Type: DeleteRecord
            IsProtected: true
          - Type: PatchRecord
            IsProtected: true
        Properties:
          - Name: Title
            Type: string
            CanFilter: true
            CanSort: true
          - Name: Visibility
            SmartNames:
              - Public
              - Friends Only
              - Private
            CanFilter: true
            CanSort: true
          - Name: Directions
            Type: string
            CanFilter: true
            CanSort: true
          - Name: Rating
            Type: int?
            CanFilter: true
            CanSort: true
    Environment:
      AuthSettings:
        Authority: http://localhost:3255/auth/realms/DevRealm
        Audience: recipe_management
        AuthorizationUrl: http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth
        TokenUrl: http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token
        ClientId: recipe_management.swagger
        ClientSecret: 974d6f71-d41b-4601-9a7a-a33081f80687
AuthServer:
  Name: KeycloakPulumi
  RealmName: DevRealm
  Port: 3255
  Clients:
    - Id: recipe_management.postman.machine
      Name: RecipeManagement Postman Machine
      Secret: 974d6f71-d41b-4601-9a7a-a33081f84682
      GrantType: ClientCredentials
      BaseUrl: "https://oauth.pstmn.io/"
      Scopes:
        - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
    - Id: recipe_management.postman.code
      Name: RecipeManagement Postman Code
      Secret: 974d6f71-d41b-4601-9a7a-a33081f84680 #optional
      GrantType: Code
      BaseUrl: "https://oauth.pstmn.io/"
      Scopes:
        - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
    - Id: recipe_management.swagger
      Name: RecipeManagement Swagger
      Secret: 974d6f71-d41b-4601-9a7a-a33081f80687
      GrantType: Code
      BaseUrl: "https://localhost:5375/"
      Scopes:
        - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
    - Id: recipe_management.bff
      Name: RecipeManagement BFF
      Secret: 974d6f71-d41b-4601-9a7a-a33081f80688
      BaseUrl: "https://localhost:4378/"
      GrantType: Code
      RedirectUris:
        - "https://localhost:4378/signin-oidc"
      AllowedCorsOrigins:
        - "https://localhost:5375" # api 1 - recipe_management
        - "https://localhost:4378"
      Scopes:
        - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs

Adding a Auth Server to an Existing Project

If you've already created your Wrapt project and want to add an Auth Server after the fact, you can use the add authserver command to scaffold it out as well. This looks the same as above, you just need the auth server part:

Name: KeycloakPulumi
RealmName: DevRealm
Port: 3255
Clients:
  - Id: recipe_management.postman.machine
    Name: RecipeManagement Postman Machine
    Secret: 974d6f71-d41b-4601-9a7a-a33081f84682
    GrantType: ClientCredentials
    BaseUrl: "https://oauth.pstmn.io/"
    Scopes:
      - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
  - Id: recipe_management.postman.code
    Name: RecipeManagement Postman Code
    Secret: 974d6f71-d41b-4601-9a7a-a33081f84680 #optional
    GrantType: Code
    BaseUrl: "https://oauth.pstmn.io/"
    Scopes:
      - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
  - Id: recipe_management.swagger
    Name: RecipeManagement Swagger
    Secret: 974d6f71-d41b-4601-9a7a-a33081f80687
    GrantType: Code
    BaseUrl: "https://localhost:5375/"
    Scopes:
      - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs
  - Id: recipe_management.bff
    Name: RecipeManagement BFF
    Secret: 974d6f71-d41b-4601-9a7a-a33081f80688
    BaseUrl: "https://localhost:4378/"
    GrantType: Code
    RedirectUris:
      - "https://localhost:4378/signin-oidc"
    AllowedCorsOrigins:
      - "https://localhost:5375" # api 1 - recipe_management
      - "https://localhost:4378"
    Scopes:
      - recipe_management #this should match the audience scope in your boundary auth settings and swagger specs