Set Up Keycloak with a Backend MySQL Docker Container

Keycloak-MySQL extends the Keycloak Docker image to use MySQL. Docker is becoming the mainstream way to package and deploy self-sufficient application containers. It wraps a piece of software in a complete file system that contains everything it needs to run: code, runtime, system tools, system libraries, anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in. The same Linux kernel and libraries can be shared between multiple containers running on the host.

Keycloak comes with its own embedded Java-based relational database called H2. This is the default database that Keycloak will use to persist data and really only exists so that you can run the authentication server out of the box. We highly recommend that you replace it with a more production ready external database. The H2 database is not very viable in high concurrency situations and should not be used in a cluster either. The purpose of this chapter is to show you how to connect Keycloak to a more mature database.

https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html

Please see my previous blog post, Install Docker, to set up Docker.

Let’s Get Started

Docker Hub provides images for all the software and tools. Let’s find the keycloak-mysql Docker image.

krishna@ubuntu:~$ docker search keycloak-mysql
NAME                                      DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
jboss/keycloak-mysql                                                                      7                    [OK]
solsson/keycloak-ha-mysql                 The missing HA alternative to https://hub....   1                    [OK]
carljmosca/keycloak-mysql                 Keycloak MySQL with SSL                         0                    
solsson/keycloak-mysql-https-themed       Like keycloak-mysql-https but with a Yolea...   0                    [OK]
dmadk/keycloak-mysql-mc                   Keycloak instance for the Identity Broker ...   0                    [OK]
solsson/keycloak-mysql-https              Enables https for the official keycloak-my...   0                    [OK]
alizarion/keycloak-mysql-db               keycloak mysql preloaded database               0                    [OK]
openfact/keycloak-mysql                   Keycloa Mysql                                   0                    [OK]
solsson/keycloak-mysql-sslx2              Like solsson/keycloak-mysql-https but adds...   0                    [OK]
sistcoop/keycloak-mysql                                                                   0                    [OK]
euforia/keycloak-ha-mysql                 Keyclaok HA setup using MySQL and TCPPING ...   0                    [OK]
cycloneproject/keycloak-mysql                                                             0                    
abacusresearch/keycloak-mysql-openshift   KeyCloak for OpenShift with MySQL support:...   0                    [OK]
azaars/keycloak-mysql                                                                     0                    
gambol99/keycloak-mysql                                                                   0                    
akvo/keycloak-ha-mysql                                                                    0                    
dmadk/keycloak-mysql-mc-ha                                                                0                    
ladynev/keycloak-mysql-realm-users        Based on an official jboss/keycloak-mysql ...   0                    
pidah/keycloak-ha-mysql                                                                   0                    
tb690097/keycloak-mysql                                                                   0                    
uthark/keycloak-mysql-custom                                                              0                    
lorissantamaria/jbpm                      jBPM Workbench with Keycloak and MySQL sup...   0                    [OK]
derekamz/keycloak                         keycloak behind nginx proxy and use mysql ...   0                    [OK]
ajeeth/keycloak                           Keycloak configured for reverse proxy with...   0                    [OK]
krishna@ubuntu:~$ 

There are many keycloak-mysql Docker images available, but it is always better to go with the official release, as official images are highly optimised, bug free and stable. You can download an image to your computer with the pull command. After that we can list the Docker images. Let’s go with jboss/keycloak-mysql.

krishna@ubuntu:~$ docker pull jboss/keycloak-mysql
Using default tag: latest
latest: Pulling from jboss/keycloak-mysql
93857f76ae30: Pull complete 
cde6403934ad: Pull complete 
f847b784f425: Pull complete 
ab2339d8111f: Pull complete 
57023440fdba: Pull complete 
f75489b3e958: Pull complete 
1826b0198b70: Pull complete 
bcc3880ffce0: Pull complete 
eed70929465e: Pull complete 
6db62036c8ff: Pull complete 
b6049a720fe0: Pull complete 
48bf3f62fe16: Pull complete 
115e2db4efda: Pull complete 
f29913c21d5f: Pull complete 
Digest: sha256:44baf2894938a6672dfc7a33dd28efbb36751098c1ded6452b811835471fd31b
Status: Downloaded newer image for jboss/keycloak-mysql:latest
krishna@ubuntu:~$ 
krishna@ubuntu:~$ docker pull mysql
Using default tag: latest
latest: Pulling from library/mysql
10a267c67f42: Pull complete 
c2dcc7bb2a88: Pull complete 
17e7a0445698: Pull complete 
9a61839a176f: Pull complete 
a1033d2f1825: Pull complete 
0d6792140dcc: Pull complete 
cd3adf03d6e6: Pull complete 
d79d216fd92b: Pull complete 
b3c25bdeb4f4: Pull complete 
02556e8f331f: Pull complete 
4bed508a9e77: Pull complete 
Digest: sha256:2f4b1900c0ee53f344564db8d85733bd8d70b0a78cd00e6d92dc107224fc84a5
Status: Downloaded newer image for mysql:latest
krishna@ubuntu:~$ 
krishna@ubuntu:~$ docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
mysql                  latest              e799c7f9ae9c        12 days ago         407 MB
jboss/keycloak-mysql   latest              e967dffec757        13 days ago         644 MB
mongo                  latest              51f03b16565e        2 weeks ago         360 MB
krishna@ubuntu:~$ 

Run Keycloak-mysql & MySQL Container

After an image has been downloaded, you may then run a container using the downloaded image with the run sub command. If an image has not been downloaded when docker is executed with the run sub command, the Docker client will first download the image, then run a container using it.

krishna@ubuntu:~$ docker run --name mysql -p 3306:3306 -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=root_password -d mysql
58538351e9599263b3f0e1541f7141aa89db718245a24e439ed258abe9777858
krishna@ubuntu:~$
 
krishna@ubuntu:~$ docker run --name keycloak -p 8080:8080 --link mysql:mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USERNAME=keycloak -e MYSQL_PASSWORD=password -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -d jboss/keycloak-mysql
a548d4de2c883f5d34dfe64039ced86e75f7158b5908c439aa0c1f64de9d4910
krishna@ubuntu:~$

Looks good. Our Keycloak-mysql and MySQL containers are running now, and Keycloak is using MySQL for scalability.
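A hardened variant of the two run commands above, as an added example that is not part of the original post: it generates random passwords instead of password, root_password and admin, passes them through --env-file so they stay out of shell history, does not publish MySQL's port 3306 on the host, and binds Keycloak to 127.0.0.1. The helper names and the mysql.env and keycloak.env file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Helper and file names are assumptions.

# gen_secret N: print N random bytes from /dev/urandom as 2*N hex characters.
gen_secret() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_env_files DIR: create DIR/mysql.env and DIR/keycloak.env, readable by
# the owner only. Variable names are the ones used in the post's run commands.
write_env_files() {
    dir=$1
    db_pw=$(gen_secret 24)
    (
        umask 077
        {
            echo "MYSQL_DATABASE=keycloak"
            echo "MYSQL_USER=keycloak"
            echo "MYSQL_PASSWORD=$db_pw"
            echo "MYSQL_ROOT_PASSWORD=$(gen_secret 24)"
        } > "$dir/mysql.env"
        {
            echo "MYSQL_DATABASE=keycloak"
            echo "MYSQL_USERNAME=keycloak"
            echo "MYSQL_PASSWORD=$db_pw"
            echo "KEYCLOAK_USER=admin"
            echo "KEYCLOAK_PASSWORD=$(gen_secret 24)"
        } > "$dir/keycloak.env"
    )
}

# start_stack DIR: same containers as in the post, with two changes.
start_stack() {
    # No -p 3306:3306: the link reaches MySQL over the Docker bridge, so the
    # database port does not need to be published on the host at all.
    docker run --name mysql --env-file "$1/mysql.env" -d mysql
    # Publish the Keycloak console on loopback only, not on 0.0.0.0.
    docker run --name keycloak -p 127.0.0.1:8080:8080 --link mysql:mysql \
        --env-file "$1/keycloak.env" -d jboss/keycloak-mysql
}

# Run as: sh keycloak-up.sh up [DIR]
if [ "${1:-}" = "up" ]; then
    write_env_files "${2:-.}"
    start_stack "${2:-.}"
fi
```

Environment variables remain readable through docker inspect by anyone who can talk to the Docker daemon, so access to the daemon still has to be restricted.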

Let’s verify the status of the container.

krishna@ubuntu:~$ docker ps
CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS                    NAMES
a548d4de2c88        jboss/keycloak-mysql   "/opt/jboss/docker..."   2 minutes ago       Up 2 minutes        0.0.0.0:8080->8080/tcp   keycloak
58538351e959        mysql                  "docker-entrypoint..."   18 minutes ago      Up 18 minutes       0.0.0.0:3306->3306/tcp   mysql
krishna@ubuntu:~$ 
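A check for the PORTS column shown above, as an added example that is not part of the original post: it reads docker ps output and lists every port published on all host interfaces, which here flags both 8080 and the database port 3306. The function names are assumptions, and the last two sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post); function names are assumptions.

# audit_published_ports: read "NAME<TAB>PORTS" lines on stdin, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and print "name hostport" for every port published on all host interfaces.
audit_published_ports() {
    awk -F '\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue            # exposed only, not published
            if (m !~ /^(0\.0\.0\.0|::|\[::\]):/) continue   # bound to one address
            sub(/->.*/, "", m)                 # "0.0.0.0:3306"
            sub(/^.*:/, "", m)                 # "3306"
            if (!seen[$1, m]++) print $1, m    # IPv4 and IPv6 entries count once
        }
    }'
}

# sample_ps: the two containers from the post, plus two constructed lines
# (a loopback-only binding and a dual-stack binding) to show the other cases.
sample_ps() {
    printf 'keycloak\t0.0.0.0:8080->8080/tcp\n'
    printf 'mysql\t0.0.0.0:3306->3306/tcp\n'
    printf 'keycloak-local\t127.0.0.1:8080->8080/tcp, 9990/tcp\n'
    printf 'web\t0.0.0.0:443->8443/tcp, :::443->8443/tcp\n'
}

# Against a live daemon, replace sample_ps with the docker ps command above.
sample_ps | audit_published_ports
```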

The Keycloak container is now running and accessible on port 8080, and MySQL on port 3306. As the PORTS column shows, both are published on 0.0.0.0, that is, on every interface of the host. Use the following commands to see what happened during container startup:

krishna@ubuntu:~$ docker logs keycloak
krishna@ubuntu:~$ docker logs mysql

Connecting to Container

Next, we can get detailed information about the containers named keycloak and mysql. Run the inspect command:

krishna@ubuntu:~$ docker inspect keycloak
krishna@ubuntu:~$ docker inspect mysql

Now Keycloak is using MySQL

Your command prompt should change to reflect the fact that you’re now working inside the container, and should take this form:

krishna@ubuntu:~$ docker exec -it mysql bash
root@58538351e959:/# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.7.18 MySQL Community Server (GPL)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keycloak           |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use keycloak
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------------------+
| Tables_in_keycloak            |
+-------------------------------+
| ADMIN_EVENT_ENTITY            |
| ASSOCIATED_POLICY             |
| AUTHENTICATION_EXECUTION      |
| AUTHENTICATION_FLOW           |
| AUTHENTICATOR_CONFIG          |
| AUTHENTICATOR_CONFIG_ENTRY    |
| BROKER_LINK                   |
| CLIENT                        |
| CLIENT_ATTRIBUTES             |
| CLIENT_DEFAULT_ROLES          |
| CLIENT_IDENTITY_PROV_MAPPING  |
| CLIENT_NODE_REGISTRATIONS     |
| CLIENT_SESSION                |
| CLIENT_SESSION_AUTH_STATUS    |
| CLIENT_SESSION_NOTE           |
| CLIENT_SESSION_PROT_MAPPER    |
| CLIENT_SESSION_ROLE           |
| CLIENT_TEMPLATE               |
| CLIENT_TEMPLATE_ATTRIBUTES    |
| CLIENT_USER_SESSION_NOTE      |
| COMPONENT                     |
| COMPONENT_CONFIG              |
| COMPOSITE_ROLE                |
| CREDENTIAL                    |
| CREDENTIAL_ATTRIBUTE          |
| DATABASECHANGELOG             |
| DATABASECHANGELOGLOCK         |
| EVENT_ENTITY                  |
| FEDERATED_IDENTITY            |
| FEDERATED_USER                |
| FED_CREDENTIAL_ATTRIBUTE      |
| FED_USER_ATTRIBUTE            |
| FED_USER_CONSENT              |
| FED_USER_CONSENT_PROT_MAPPER  |
| FED_USER_CONSENT_ROLE         |
| FED_USER_CREDENTIAL           |
| FED_USER_GROUP_MEMBERSHIP     |
| FED_USER_REQUIRED_ACTION      |
| FED_USER_ROLE_MAPPING         |
| GROUP_ATTRIBUTE               |
| GROUP_ROLE_MAPPING            |
| IDENTITY_PROVIDER             |
| IDENTITY_PROVIDER_CONFIG      |
| IDENTITY_PROVIDER_MAPPER      |
| IDP_MAPPER_CONFIG             |
| KEYCLOAK_GROUP                |
| KEYCLOAK_ROLE                 |
| MIGRATION_MODEL               |
| OFFLINE_CLIENT_SESSION        |
| OFFLINE_USER_SESSION          |
| POLICY_CONFIG                 |
| PROTOCOL_MAPPER               |
| PROTOCOL_MAPPER_CONFIG        |
| REALM                         |
| REALM_ATTRIBUTE               |
| REALM_DEFAULT_GROUPS          |
| REALM_DEFAULT_ROLES           |
| REALM_ENABLED_EVENT_TYPES     |
| REALM_EVENTS_LISTENERS        |
| REALM_REQUIRED_CREDENTIAL     |
| REALM_SMTP_CONFIG             |
| REALM_SUPPORTED_LOCALES       |
| REDIRECT_URIS                 |
| REQUIRED_ACTION_CONFIG        |
| REQUIRED_ACTION_PROVIDER      |
| RESOURCE_POLICY               |
| RESOURCE_SCOPE                |
| RESOURCE_SERVER               |
| RESOURCE_SERVER_POLICY        |
| RESOURCE_SERVER_RESOURCE      |
| RESOURCE_SERVER_SCOPE         |
| SCOPE_MAPPING                 |
| SCOPE_POLICY                  |
| TEMPLATE_SCOPE_MAPPING        |
| USERNAME_LOGIN_FAILURE        |
| USER_ATTRIBUTE                |
| USER_CONSENT                  |
| USER_CONSENT_PROT_MAPPER      |
| USER_CONSENT_ROLE             |
| USER_ENTITY                   |
| USER_FEDERATION_CONFIG        |
| USER_FEDERATION_MAPPER        |
| USER_FEDERATION_MAPPER_CONFIG |
| USER_FEDERATION_PROVIDER      |
| USER_GROUP_MEMBERSHIP         |
| USER_REQUIRED_ACTION          |
| USER_ROLE_MAPPING             |
| USER_SESSION                  |
| USER_SESSION_NOTE             |
| WEB_ORIGINS                   |
+-------------------------------+
90 rows in set (0.00 sec)

mysql> 

 

Keycloak Dashboard

Conclusion

VOWW…. We now have Keycloak-mysql and MySQL instances running in containers.

Docker allocates a dynamic IP address to every running container. Whenever a container is restarted, it gets a new IP address. You can get the IP address range from the Docker network interface on the Linux box. To solve this issue there is an option called --link.
