Add optional OIDC authentication with Keycloak, Authentik, and Pocket-ID support

2026-01-19 22:09:54 +01:00
parent 62ab6dede3
commit d64eb3db95
25 changed files with 2028 additions and 37 deletions


@@ -84,12 +84,16 @@ podman compose up -d
**Important:**
- Without setting these, redirect URIs will use `localhost` which won't work from remote browsers
- After changing these values, you may need to recreate the Keycloak client:
- After changing these values, you may need to recreate the Keycloak client to update redirect URIs:
```bash
podman compose down
rm -rf config/keycloak-client-secret
podman compose up -d
```
Or manually update the client in Keycloak admin console:
- Go to Clients → fail2ban-ui (name of the client)
- Update "Valid redirect URIs" and "Valid post logout redirect URIs"
- Save
## Setup Instructions
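Review bot: the "recreate the Keycloak client" instruction in this hunk tells the user to `rm -rf config/keycloak-client-secret` and restart, but the init script changed in the same commit now sets `redirectUris` and `post.logout.redirect.uris` in the existing-client branch (`if [ -n "$EXISTING_CLIENT" ]`) as well, so it appears a plain re-run of `keycloak-init` updates the URIs without deleting anything; consider saying that instead, and if the delete step is kept, use `rm -f` for a single secret file rather than `rm -rf`. Also the updated bullet still ends with a colon that is followed by a code fence inside the list item; check that the rendered Markdown keeps the fence attached to the bullet.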
@@ -126,9 +130,12 @@ The `keycloak-init` container will:
- Wait for Keycloak to be ready
- Automatically create the `fail2ban-ui` OIDC client
- Configure redirect URIs and web origins
- Configure post-logout redirect URI (for proper logout flow)
- Save the client secret to `/config/keycloak-client-secret`
- Fail2ban-ui will automatically read the secret from this file
**Note:** If you update `PUBLIC_FRONTEND_URL` after the client has been created, you may need to delete the existing client and let `keycloak-init` recreate it, or manually update the client in Keycloak's admin console to include the new post-logout redirect URI.
**If you see "Client not found" error:**
This means the `keycloak-init` container hasn't run yet or failed. To fix:


@@ -13,6 +13,7 @@ CLIENT_SECRET="${CLIENT_SECRET:-}"
# Use PUBLIC_FRONTEND_URL if provided, otherwise default to localhost
PUBLIC_FRONTEND_URL="${PUBLIC_FRONTEND_URL:-http://localhost:3080}"
REDIRECT_URI="${REDIRECT_URI:-${PUBLIC_FRONTEND_URL}/auth/callback}"
POST_LOGOUT_REDIRECT_URI="${POST_LOGOUT_REDIRECT_URI:-${PUBLIC_FRONTEND_URL}/auth/login}"
WEB_ORIGIN="${WEB_ORIGIN:-${PUBLIC_FRONTEND_URL}}"
# Extract host and port from KEYCLOAK_URL for health check
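Review bot: `POST_LOGOUT_REDIRECT_URI` inherits the silent `http://localhost:3080` fallback of `PUBLIC_FRONTEND_URL`, which the README hunk itself says "won't work from remote browsers"; since all three derived values (redirect URI, post-logout URI, web origin) are registered in the client from this one variable, consider emitting a warning (or failing) when `PUBLIC_FRONTEND_URL` is unset so a misconfigured deployment is caught at init time rather than at the first login.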
@@ -83,6 +84,9 @@ if [ -n "$EXISTING_CLIENT" ]; then
\"clientAuthenticatorType\": \"client-secret\",
\"redirectUris\": [\"${REDIRECT_URI}\"],
\"webOrigins\": [\"${WEB_ORIGIN}\"],
\"attributes\": {
\"post.logout.redirect.uris\": \"${POST_LOGOUT_REDIRECT_URI}\"
},
\"protocol\": \"openid-connect\",
\"publicClient\": false,
\"standardFlowEnabled\": true,
@@ -103,6 +107,9 @@ else
\"clientAuthenticatorType\": \"client-secret\",
\"redirectUris\": [\"${REDIRECT_URI}\"],
\"webOrigins\": [\"${WEB_ORIGIN}\"],
\"attributes\": {
\"post.logout.redirect.uris\": \"${POST_LOGOUT_REDIRECT_URI}\"
},
\"protocol\": \"openid-connect\",
\"publicClient\": false,
\"standardFlowEnabled\": true,
@@ -148,6 +155,7 @@ echo "Client ID: ${CLIENT_ID}"
echo "Client Secret: ${CLIENT_SECRET}"
echo "Realm: ${REALM}"
echo "Redirect URI: ${REDIRECT_URI}"
echo "Post Logout Redirect URI: ${POST_LOGOUT_REDIRECT_URI}"
echo "=========================================="
# Save secret to shared volume for fail2ban-ui to read
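Review bot: the summary block this hunk extends still prints the client secret in clear text (`echo "Client Secret: ${CLIENT_SECRET}"`), which ends up in the container log and in anything that collects it; since the secret is written to the shared volume on the next line anyway, consider masking it in the echo (or dropping that line) while adding the new `Post Logout Redirect URI` line.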