# env.sample
# OBP Keycloak Provider — Environment Configuration
# Copy this file to .env and fill in your values. Keep .env out of version
# control: every secret below ends up in it.
#
# Development: used by development/run-local-postgres-cicd.sh
# Production: pass these as container environment variables (-e / env_file)
# =============================================================================
# KEYCLOAK ADMIN
# Bootstraps the initial admin account when Keycloak starts against an empty
# database. Rotate this password after the first login instead of leaving the
# bootstrap value in the environment.
# =============================================================================
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=secure_admin_password
# =============================================================================
# KEYCLOAK INTERNAL DATABASE
# Stores realm data, clients, tokens — Keycloak's own state.
# =============================================================================
KC_DB_URL=jdbc:postgresql://host.docker.internal:5432/keycloak
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=secure_keycloak_db_password
# =============================================================================
# OBP API — user lookup and credential verification
#
# Required roles on OBP_API_USERNAME:
# CanGetAnyUser — user lookup by username / ID
# CanVerifyUserCredentials — credential verification at login
# CanGetOidcClient — OIDC client verification (optional)
#
# Authentication flow:
# 1. POST /obp/v6.0.0/my/logins/direct → obtain admin token
# 2. GET /obp/v6.0.0/users/provider/{P}/username/{U} → look up user
# 3. POST /obp/v6.0.0/users/verify-credentials → verify password
# 4. GET /obp/v6.0.0/users/user-id/{ID} → post-auth lookup
# =============================================================================
# Base URL of your OBP API instance (no trailing slash)
OBP_API_URL=http://localhost:8080
# OBP admin account that holds the required roles above
OBP_API_USERNAME=admin_user
OBP_API_PASSWORD=admin_password
# Consumer key registered in OBP for Direct Login
OBP_API_CONSUMER_KEY=your_consumer_key
# MANDATORY: only users whose OBP `provider` field matches this value
# will be authenticated. The system refuses to start if this is not set.
OBP_AUTHUSER_PROVIDER=http://127.0.0.1:8080
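# The four-step flow listed above, as an added stand-alone Python client that
# can smoke-test the OBP values in this file from outside Keycloak. It is
# illustrative code, not the provider's own Java implementation. The endpoint
# paths are the ones listed above; the DirectLogin header format is OBP's usual
# scheme; the JSON body of /users/verify-credentials, its 200/401 semantics and
# the "user_id" field of user records are assumptions, since this file only
# names the paths. The transport is injectable so the flow can be exercised
# offline against a fake OBP.

```python
"""Added example of the OBP login flow (not the provider's own code).
Assumed: verify-credentials body/status semantics and the "user_id" field."""
import json
import urllib.error
import urllib.parse
import urllib.request

OBP_API_VERSION = "v6.0.0"


class ObpAuthError(Exception):
    """A step failed; messages mirror the log lines under TROUBLESHOOTING."""


def direct_login_header(username, password, consumer_key):
    """OBP DirectLogin header for the admin account (step 1)."""
    return 'DirectLogin username="%s",password="%s",consumer_key="%s"' % (
        username, password, consumer_key)


def urllib_transport(method, url, headers, body=None):
    """Default transport: one HTTP call, returns (status, decoded JSON dict)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, (json.loads(raw) if raw else {})
        except ValueError:
            return err.code, {"raw": raw.decode(errors="replace")}


class ObpClient:
    def __init__(self, api_url, username, password, consumer_key, provider,
                 transport=urllib_transport):
        if not provider:  # same refusal as the provider's own startup check
            raise ObpAuthError("FATAL: OBP_AUTHUSER_PROVIDER is not set")
        self.base = api_url.rstrip("/") + "/obp/" + OBP_API_VERSION
        self.username, self.password = username, password
        self.consumer_key, self.provider = consumer_key, provider
        self.transport = transport
        self.token = None

    def _call(self, method, path, auth, body=None):
        headers = {"Accept": "application/json", "Authorization": auth}
        return self.transport(method, self.base + path, headers, body)

    def obtain_admin_token(self):
        """Step 1: POST /my/logins/direct -> {"token": ...}."""
        status, payload = self._call(
            "POST", "/my/logins/direct",
            direct_login_header(self.username, self.password, self.consumer_key))
        if status != 200 or "token" not in payload:
            raise ObpAuthError("Failed to obtain admin token: HTTP %d" % status)
        self.token = payload["token"]
        return self.token

    def _token_auth(self):
        return 'DirectLogin token="%s"' % self.token

    def get_user_by_username(self, username):
        """Step 2. The provider value is itself a URL, so it must be encoded as
        a single path segment or its slashes would break the route."""
        path = "/users/provider/%s/username/%s" % (
            urllib.parse.quote(self.provider, safe=""),
            urllib.parse.quote(username, safe=""))
        status, payload = self._call("GET", path, self._token_auth())
        if status == 404:
            raise ObpAuthError("getUserByUsername() returned HTTP 404: confirm "
                               "OBP_AUTHUSER_PROVIDER matches the provider stored in OBP")
        if status != 200:
            raise ObpAuthError("getUserByUsername() returned HTTP %d" % status)
        return payload

    def verify_credentials(self, username, password):
        """Step 3 (body shape assumed): 200 = verified, 401 = wrong password."""
        body = {"username": username, "password": password, "provider": self.provider}
        status, _ = self._call("POST", "/users/verify-credentials", self._token_auth(), body)
        if status == 200:
            return True
        if status == 401:
            return False
        raise ObpAuthError("verify-credentials returned HTTP %d" % status)

    def get_user_by_id(self, user_id):
        """Step 4: post-auth lookup by OBP user id."""
        path = "/users/user-id/%s" % urllib.parse.quote(user_id, safe="")
        status, payload = self._call("GET", path, self._token_auth())
        if status != 200:
            raise ObpAuthError("getUserById() returned HTTP %d" % status)
        return payload


def authenticate(client, username, password):
    """Run steps 1-4; returns the user record, or None when the password is wrong."""
    client.obtain_admin_token()
    user = client.get_user_by_username(username)
    if not client.verify_credentials(username, password):
        return None
    return client.get_user_by_id(user["user_id"])  # "user_id" field name assumed
```

# To run it against a real instance, construct ObpClient from the variables
# above (OBP_API_URL, OBP_API_USERNAME, OBP_API_PASSWORD, OBP_API_CONSUMER_KEY,
# OBP_AUTHUSER_PROVIDER) and call authenticate() with a known test user; a
# ObpAuthError message tells you which of the TROUBLESHOOTING cases you hit.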
# =============================================================================
# KEYCLOAK RUNTIME
# Development values: plain HTTP and relaxed hostname checks. For production
# terminate TLS in front of Keycloak (or give it its own certificate), set
# KC_HOSTNAME to the public name, set KC_HOSTNAME_STRICT=true, and leave
# KC_HTTP_ENABLED=true only when a TLS-terminating proxy sits in front.
# Keep KC_FEATURES to what your clients actually need.
# =============================================================================
KC_HOSTNAME_STRICT=false
KC_HOSTNAME_STRICT_HTTPS=false
KC_HTTP_ENABLED=true
KC_HEALTH_ENABLED=true
KC_METRICS_ENABLED=true
KC_FEATURES=token-exchange
# =============================================================================
# THEME CUSTOMISATION
# Override the "Forgot Password?" link on the login page.
# Leave empty to use Keycloak's built-in password reset flow.
# =============================================================================
FORGOT_PASSWORD_URL=
# =============================================================================
# NETWORK PORTS (development only — not used in production container)
# =============================================================================
KEYCLOAK_HTTP_PORT=7787
KEYCLOAK_HTTPS_PORT=8443
KEYCLOAK_MGMT_PORT=9000
# =============================================================================
# PRODUCTION EXAMPLES
# =============================================================================
# KC_DB_URL=jdbc:postgresql://keycloak-prod.example.com:5432/keycloak
# KC_DB_USERNAME=keycloak_prod_user
# KC_DB_PASSWORD=very_secure_keycloak_password
#
# OBP_API_URL=https://api.obp-prod.example.com
# OBP_API_USERNAME=keycloak_service_account
# OBP_API_PASSWORD=very_secure_api_password
# OBP_API_CONSUMER_KEY=prod_consumer_key_abc123
# OBP_AUTHUSER_PROVIDER=https://api.obp-prod.example.com
# =============================================================================
# TROUBLESHOOTING
# =============================================================================
# Check Keycloak logs for:
# "FATAL: OBP_AUTHUSER_PROVIDER is not set"
# → set OBP_AUTHUSER_PROVIDER above
#
# "Failed to obtain admin token: HTTP 401"
# → check OBP_API_USERNAME / OBP_API_PASSWORD / OBP_API_CONSUMER_KEY
#
# "getUserByUsername() returned HTTP 404"
# → confirm OBP_AUTHUSER_PROVIDER matches the provider stored in OBP
#
# "Unable to connect" / connection refused
# → check OBP_API_URL; inside Docker use host.docker.internal instead
# of localhost (the deployment script rewrites this automatically)
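# A preflight check for a filled-in .env, added here as an example; it is not
# part of the project or of the deployment script mentioned above. It encodes
# the conditions this file states: OBP_AUTHUSER_PROVIDER is mandatory,
# OBP_API_URL takes no trailing slash, localhost must become
# host.docker.internal inside Docker, and the HTTP/hostname settings are
# development-only. The placeholder list is built from the sample values in
# this file; the `production` and `in_docker` switches and the FATAL/FAIL/WARN
# levels are this example's own convention.

```python
"""Added preflight check for this env file (example code, not the project's)."""
import re

# Sample values from env.sample that must never reach a real deployment.
PLACEHOLDERS = {
    "secure_admin_password", "secure_keycloak_db_password", "admin_password",
    "your_consumer_key", "very_secure_keycloak_password",
    "very_secure_api_password", "prod_consumer_key_abc123",
}
SECRET_KEYS = ("KEYCLOAK_ADMIN_PASSWORD", "KC_DB_PASSWORD",
               "OBP_API_PASSWORD", "OBP_API_CONSUMER_KEY")
_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_env(text):
    """Parse KEY=VALUE lines (comments, blanks, `export` and quotes handled)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key, val = match.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        env[key] = val
    return env


def rewrite_for_docker(url):
    """Mirror the deployment script: inside a container, localhost is the container."""
    return re.sub(r'^(https?://)(localhost|127\.0\.0\.1)(?=[:/]|$)',
                  r'\1host.docker.internal', url)


def preflight(env, production=False, in_docker=False):
    """Return (level, key, message) findings; FATAL means Keycloak will not start."""
    findings = []
    if not env.get("OBP_AUTHUSER_PROVIDER"):
        findings.append(("FATAL", "OBP_AUTHUSER_PROVIDER",
                         "is not set; the provider refuses to start"))
    url = env.get("OBP_API_URL", "")
    if not url:
        findings.append(("FATAL", "OBP_API_URL", "is not set"))
    else:
        if url.endswith("/"):
            findings.append(("WARN", "OBP_API_URL", "has a trailing slash; remove it"))
        if in_docker and rewrite_for_docker(url) != url:
            findings.append(("WARN", "OBP_API_URL",
                             "points at localhost; inside Docker use %s" % rewrite_for_docker(url)))
        if production and not url.startswith("https://"):
            findings.append(("FAIL", "OBP_API_URL", "must be https in production"))
    for key in SECRET_KEYS:
        val = env.get(key, "")
        if not val:
            findings.append(("FAIL", key, "is empty"))
        elif val in PLACEHOLDERS:
            findings.append(("FAIL" if production else "WARN", key,
                             "still has the sample placeholder value"))
    if production:
        if env.get("KC_HTTP_ENABLED", "").lower() == "true":
            findings.append(("WARN", "KC_HTTP_ENABLED",
                             "plain HTTP is on; only keep it behind a TLS-terminating proxy"))
        if env.get("KC_HOSTNAME_STRICT", "").lower() == "false":
            findings.append(("WARN", "KC_HOSTNAME_STRICT",
                             "hostname checks are relaxed; set true and configure KC_HOSTNAME"))
    return findings


def has_fatal(findings):
    return any(level == "FATAL" for level, _key, _msg in findings)


# Constructed input: the development values above, with OBP_AUTHUSER_PROVIDER
# deliberately left out to show the FATAL case.
SAMPLE_ENV = """\
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=secure_admin_password
KC_DB_PASSWORD="secure_keycloak_db_password"
OBP_API_URL=http://localhost:8080/
OBP_API_USERNAME=admin_user
OBP_API_PASSWORD=admin_password
OBP_API_CONSUMER_KEY=your_consumer_key
export KC_HTTP_ENABLED=true
KC_HOSTNAME_STRICT=false
"""

if __name__ == "__main__":
    for level, key, msg in preflight(parse_env(SAMPLE_ENV), in_docker=True):
        print("%-5s %s %s" % (level, key, msg))
```

# Run it with production=True against the values you intend to ship; anything
# at FATAL or FAIL maps directly onto one of the log lines listed above.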