Keycloak can be used as an IdP (Identity Provider) to secure the Amazon CloudFront Distribution created by this repository.
To get started, log in to Keycloak with an identity that has permission to create a new client.
- Navigate to **Clients** on the left of the screen and fill in the details of the client you would like to create, like below:
- Click **Next**. On the next page choose the settings that work for you and your organization. At a minimum, ensure that under **Authentication flow** the **Standard flow** box is checked, then click **Save**, like below:
- On the next page, under **Client details**, navigate to **Access settings** and, at a very minimum, configure **Valid redirect URIs** with your Amazon CloudFront Distribution URL with `/_callback` appended to it (for example `https://<your-distribution-domain>/_callback`; enter the exact URL rather than a wildcard so the IdP only ever sends authorization codes back to your distribution), then click **Save** at the bottom of the screen:
- Navigate back to the **Clients** section on the left of the screen and click on the client you just registered. Scroll down to **Advanced Settings** and under **Proof Key for Code Exchange Code Challenge Method** choose **S256**, then click **Save**:
- Update the AWS Secrets Manager configuration with the appropriate IdP URL and the Client ID. The Client ID is the value you gave the client during the creation process; in this case it is `my-cloudfront-distribution-application`. No Client Secret is used, so that value can be ignored: the client is a public client that uses PKCE (Proof Key for Code Exchange) to securely interact with the IdP and the Amazon CloudFront Distribution, and the S256 setting above makes Keycloak reject authorization requests that do not carry a code challenge.
- That is all!
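The client side of the flow the steps above configure, as an added Python example (this is not code from this repository or from Keycloak): it derives a PKCE verifier/challenge pair as in RFC 7636, builds the Keycloak authorization URL with `code_challenge_method=S256`, assembles the token request body with a `code_verifier` and no client secret, and checks a redirect URI against the single allowed `/_callback` value. The realm URL and the distribution domain are assumptions; substitute your own.

```python
"""PKCE (RFC 7636) helpers for a Keycloak public client behind CloudFront.

Added example, not part of this repository's code. The realm URL and the
distribution domain below are assumptions used for illustration only.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Assumed values: replace with your Keycloak realm URL and your distribution.
IDP_URL = "https://keycloak.example.com/realms/my-realm"          # assumed
CLIENT_ID = "my-cloudfront-distribution-application"              # from the steps above
REDIRECT_URI = "https://d111111abcdef8.cloudfront.net/_callback"  # assumed distribution


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier, 43..128 unreserved chars (32 bytes -> 43 chars)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorization request sent to Keycloak's OIDC auth endpoint.

    Only the challenge leaves the client; the verifier stays local until
    the token exchange, so an intercepted code alone cannot be redeemed.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,  # caller generates and later compares this anti-CSRF value
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{IDP_URL}/protocol/openid-connect/auth?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for POST {IDP_URL}/protocol/openid-connect/token.

    A public client sends client_id and code_verifier; there is no
    client_secret, which is why the Secrets Manager secret value is unused.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value used in the auth request
        "code_verifier": verifier,
    }


def redirect_uri_allowed(candidate: str, allowed: str = REDIRECT_URI) -> bool:
    """Exact-match check mirroring a non-wildcard Valid redirect URIs entry.

    Scheme, host, port and path must all match, the scheme must be https,
    and no query or fragment may be smuggled onto the callback.
    """
    c, a = urlparse(candidate), urlparse(allowed)
    if c.scheme != "https" or c.query or c.fragment:
        return False
    return (c.scheme, c.netloc, c.path) == (a.scheme, a.netloc, a.path)


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorize_url(verifier, state=secrets.token_urlsafe(16)))
    print(build_token_request("code-from-callback", verifier))
```

The verifier must be regenerated for every login and bound to the user's session (the repository's Lambda@Edge functions hold that state for you); reusing a verifier or accepting a callback whose `state` does not match the stored one defeats the protection the S256 setting provides.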