ruanwenjun commented on code in PR #17340:
URL: https://github.com/apache/dolphinscheduler/pull/17340#discussion_r2314137628


##########
docs/docs/en/guide/security/oidc-local-environment-setup.md:
##########
@@ -0,0 +1,111 @@
+# OIDC Local Development Setup (with Keycloak)
+
+If you are developing or testing the OIDC authentication feature, you'll need 
a local OIDC provider. This guide explains how to set up **Keycloak** using 
Docker and configure it for DolphinScheduler development.
+
+## Prerequisites
+
+* You have [Docker](https://www.docker.com/products/docker-desktop/) installed 
and running.
+* You have already cloned the DolphinScheduler repository and can build the 
project.
+
+## Step 1: Start Keycloak with a Pre-configured Realm
+
+For convenience, we provide a pre-configured Keycloak realm export that sets 
up the necessary client, users, and groups.
+
+1. **Navigate to the API test resources directory** where the Keycloak 
configuration is located:
+
+```bash
+cd 
dolphinscheduler-api-test/dolphinscheduler-api-test-case/src/test/resources/docker/oidc-login/
+```
+
+2. **Start Keycloak using Docker Compose**:
+   The provided `docker-compose.yaml` in this directory is configured to start 
Keycloak and import the realm automatically.
+
+```bash
+docker-compose up -d keycloak
+```
+
+This command starts a Keycloak container on port `8081` (to avoid conflicts 
with other services) and imports `realm-export.json`.
+
+## Step 2: Access and Verify Keycloak
+
+1. Open your browser and navigate to the **Keycloak Admin Console**: 
`http://localhost:8081`.
+2. Log in with username `admin` and password `admin`.
+3. In the top-left corner, switch from the `master` realm to the 
`dolphinscheduler` realm.
+4. You can explore **Clients** (`dolphinscheduler-client`), **Users** 
(`admin_user`, `general_user`), and **Groups** (`dolphinscheduler-admins`) to 
see the imported configuration.
+
+## Step 3: Configure DolphinScheduler API Server
+
+Modify your `dolphinscheduler-api/src/main/resources/application.yaml` to 
enable OIDC and connect to your local Keycloak instance.
+
+```yaml
+security:
+    authentication:
+        type: OIDC
+        oidc:
+            enable: true
+            providers:
+                keycloak:
+                    display-name: "Login with Keycloak"
+                    # Point to your local Keycloak realm
+                    issuer-uri: http://localhost:8080/realms/dolphinscheduler
+                    client-id: dolphinscheduler-client
+                    client-secret: dolphinscheduler-client-secret
+                    scope: openid, profile, email, groups
+                    user-name-attribute: preferred_username
+                    groups-claim: groups
+            user:
+                auto-create: true
+                default-tenant-code: "default"
+                default-queue: "default"
+                admin-group-mapping:
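
Review bot: The `issuer-uri` in the Step 3 YAML points at `http://localhost:8080/realms/dolphinscheduler`, but Step 1 says the Keycloak container starts on port `8081` and Step 2 opens the admin console at `http://localhost:8081`. A reader following the guide as written would point the API server at a port where Keycloak is not listening; suggest `issuer-uri: http://localhost:8081/realms/dolphinscheduler`, or a sentence explaining why the two ports differ. It would also help to say, next to the `admin`/`admin` console login and the `client-secret: dolphinscheduler-client-secret` value, that these come from the imported test realm and are meant for local development only.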

Review Comment:
   ```suggestion
                   user-type: "ADMIN_USER"
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
