Select an Identity Provider service for development

[mrjones-plip]

Describe the issue
In order to be able to actually be sure our code works for the SSO effort in #9735, we need to both have an instance that can be developed against, but also that can work in e2e tests.

Describe the improvement you'd like
Find a solution that is either cloud based or docker based (or both?!) - but that is easy to set up and test against that provides just the most limited services we need.

Describe alternatives you've considered
Pay for an existing commercial service that one of the SSO squad members recommends.

[mrjones-plip]

@rmayore - you had expressed interest in working on this ticket - thank you!

[rmayore]

Yes @mrjones-plip

[raphaelkenyuri]

If we settle on a commercial service, is it possible to use Microsoft Azure AD.

CC @mrjones-plip @rmayore

[mrjones-plip]

@raphaelkenyuri - are you asking if the MVP will work on Azure AD (now called Entra ID I see) or if the development effort can use Azure AD?

In give my opinion on both, but will defer to @rmayore who's working on this ticket ;)

• the development environment should be as easy as possible to setup, and hopefully support e2e testing - this would rule out any commercial provider like Azure AD.
• Conversely, we really want the end result MVP to be OIDC compliant, so I think it should work with any ID provider, including Azure AD

[rmayore]

Features to consider for testing

• Free and Open source.
• Docker based, meaning it can be installed locally and on the cloud
• Support for common protocols such as OIDC, Oauth 2.0, SAML
• Ability to run e2e tests
• IAM
• Single Sign-On
• Documentation and support

Extras (Beyond Testing)

• Social Login
• User federation
• Multi-factor authentication

Options Considered

1. Shibboleth
2. Keycloak
3. OpenIAM
4. Evolveum
5. FusionAuth
6. Apache Synocope
7. Auth0

1. Shibboleth

❌ Free only for development and testing
✔️ Open source
❌ No native support for docker
✔️ Support for SAML and OIDC
✔️ Possible to run e2e tests, not verified
✔️ IAM supported SSO supported 
✔️ Adequate documentation and support

2. Keycloak

✔️ Free
✔️ Open source
✔️ Native support for docker: Install single container for local dev work and guides for HA setups on the cloud
✔️ Support for SAML and OIDC
✔️ E2E tests seems possible
✔️ IAM supported SSO supported 
✔️ Good documentation and support

3. OpenIAM

❌ Current release paid, old releases paid
✔️ Open source
❌ Complicated docker deployment
✔️ Support for SAML and OIDC
Couldn't get any mention of it online, or of someone who's tried it. If the docker install can be easily automated then e2e tests should be possible
✔️ IAM supported SSO supported 
✔️ Adequate documentation and support

4. Evolveum

❌ Free, but paid for support, such as bug fixes, configuration consulting, and training
✔️ Open source
✔️ Native support for docker
✔️ Support for SAML and OIDC
✔️ E2e testing seems possible
✔️ IAM supported SSO supported 
✔️ Adequate documentation and support

5. FusionAuth

❌ Not open-source
Didn't bother to check on the other features

6. Apache Synocope

✔️ Free
✔️ Open source
✔️ Good native docker support
✔️ Support for SAML and OIDC
✔️ E2e testing seems possible
✔️ IAM supported, unclear if SSO is natively supported
✔️ Adequate documentation and support

7. Auth0

❌ Paid but there's a free tier
❌ Not open source , SAAS (no local setup
Didn't bother to check on the other features

[rmayore]

@mrjones-plip @raphaelkenyuri most of the options above support user federation, allowing syncing of identities from other LDAP or AD systems, therefore precluding the need to have AD itself as an option.

As an example, Keycloak can be set up to use Azure AD as an Identity Provider.

[rmayore]

Recommendation

cc @mrjones-plip @jkuester

I recommend we pick Keycloak because of the following reasons:

• It's free to use both for development and for production environments
• It's Open-source
• Easy setup for development (docker), and at a glance easy setup for prod environments using either docker compose or K8S. This means it could be included at some point in the CHT services deployed. Also this fact makes it easy to transition it from dev to prod
• Can be set up in a highly available way
• On top of Identity Management, External users from other ADs can be managed
• Social sign-in can be supported (Google, twitter, facebook, etc)
• Admin management console, User management console
• Support for all common protocols
• Is a CNCF project, if that carries any weight

[rmayore]

I'll try to write some E2E tests against Keycloak, so we can cross that off.

[mrjones-plip]

excellent research and great transparency on your process - thank you @rmayore ! I would say do what ever testing (either manual setting up of docker or nascent e2e tests) and once you feel confident in your choice - write up some docs (just on this ticket is a good place to start) on how to set up a development environment. Keep to just the simplest of steps covering just the happy path.

w00t!

[jkuester]

Thanks for the great write-up @rmayore! KeyCloak seems like a solid choice for using during development. I like how it gives a nice web GUI for configuring services/users/etc.

If anyone has a basic docker compose config for spinning up KeyCloak locally that they could share here, that would be great!

[mrjones-plip]

maybe need TLS in dev? Local-IP certs might be handy! These work on any local IP on a LAN and offer an easy way to curl in place the private keys

[rmayore]

Setup

@mrjones-plip you can spin up keycloak locally with the below docker command:

docker run -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.1.1 start-dev

Optionally, you can put this into a docker compose file:

services:
  keycloak_web:
    image: quay.io/keycloak/keycloak:26.1.1
    container_name: keycloak_web
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://keycloakdb:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password

      KC_HOSTNAME: localhost
      KC_HOSTNAME_PORT: 8080
      KC_HOSTNAME_STRICT: false
      KC_HOSTNAME_STRICT_HTTPS: false

      KC_LOG_LEVEL: info
      KC_METRICS_ENABLED: true
      KC_HEALTH_ENABLED: true
      KEYCLOAK_ADMIN: "${KEYCLOAK_ADMIN:-admin}"
      KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD:-admin}"
    command: start-dev
    depends_on:
      - keycloakdb
    ports:
      - 8080:8080

  keycloakdb:
    image: postgres:15
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password

volumes:
  postgres_data:

The start it with
KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD=password docker compose -f keycloak-docker-compose.yml up -d

Access

http://localhost:8080/admin

[mrjones-plip]

This is great work - thanks @rmayore !

I'm able to easily spin up a keycloak instance with either docker run... or docker compose... - I did a rudimentary test by logging in to both with the admin user.

What is the advantage of the compose file using a Postgres database? I noticed if I went with a simplified compose file, keycloak worked (well, I was able to log in ;) with out it - I see defaulting to dev-file mode.

I think if there's no advantage to postgres in a development scenario, maybe we skip it? Less complexity is better!

Finally - do we yet know what the OIDC flow will require in terms of TLS? If we think we'll need TLS, it might be worth researching how to implement it in a dev scenario?

[jkuester]

Finally - do we yet know what the OIDC flow will require in terms of TLS? If we think we'll need TLS, it might be worth researching how to implement it in a dev scenario?

It looks like openid-client lets you make HTTP requests. So, to get us off the ground for local testing with KeyCloak we should not need any TLS since we can hopefully just use that allowInsecureRequests option.

However, we of course will not want to have this option set in the final version of the code. So, eventually we will need to sort something out for TLS (particularly when doing the e2e tests)

[mrjones-plip]

(oops! clicked the "close" button by accident - sorry!)

Gotcha - make sense Josh! With the hard part done by @rmayore already, I was able to stand up a TLS instance pretty easily:

services:
  keycloak_web:
    image: quay.io/keycloak/keycloak:26.1.1
    container_name: keycloak_web
    environment:
       KC_HOSTNAME: 127-0-0-1.local-ip.medicmobile.org
       KC_LOG_LEVEL: info
       KC_METRICS_ENABLED: true
       KC_HEALTH_ENABLED: true
       KEYCLOAK_ADMIN: "${KEYCLOAK_ADMIN:-admin}"
       KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD:-admin}"
       KC_HTTPS_CERTIFICATE_FILE: /etc/x509/https/tls.crt
       KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/x509/https/tls.key
    command: start-dev
    ports:
      - 8080:8080
      - 8443:8443
    volumes:
      - ./certs:/etc/x509/https

These three commands were needed:

mkdir -p certs
curl -o certs/tls.crt https://local-ip.medicmobile.org/fullchain
curl -o certs/tls.key https://local-ip.medicmobile.org/key

And then my instance was available at https://127-0-0-1.local-ip.medicmobile.org:8443

[jkuester]

Well, honestly, what is left for this issue? 😅 Maybe we should close it!

[mrjones-plip]

Rock on!

@rmayore - feel free to re-open if you feel we need more work here.

Thanks all!

[rmayore]

This is great work - thanks @rmayore !

I'm able to easily spin up a keycloak instance with either docker run... or docker compose... - I did a rudimentary test by logging in to both with the admin user.

What is the advantage of the compose file using a Postgres database? I noticed if I went with a simplified compose file, keycloak worked (well, I was able to log in ;) with out it - I see defaulting to dev-file mode.

I think if there's no advantage to postgres in a development scenario, maybe we skip it? Less complexity is better!

Finally - do we yet know what the OIDC flow will require in terms of TLS? If we think we'll need TLS, it might be worth researching how to implement it in a dev scenario?

@mrjones-plip completely agree we don't need an extra containser for pg if we can avoid it