Auth and User Management
Eclipse Che relies on Keycloak to create, import, manage, delete and authenticate users. Keycloak uses its own authentication mechanisms and user storage. Eclipse Che requires a Keycloak token when access to Che resources is requested.
Keycloak can create and authenticate users by itself or rely on 3rd party identity management systems and providers.
Note that it is required for all types of users (local or imported from federation) to have the email address field set. Che cannot work with users that have no email in their profile.
Default Keycloak credentials are
admin:admin. You can find your Keycloak URL either in OpenShift web console > keycloak namespace (if you deployed to OpenShift) of go to
$CHE_HOST:5050/auth if Che is running on Docker. Admin user is also a pre-defined Che user with privileges on the system scope. So, you may use
admin:admin credentials when loggin in to Che for the first time.
Che and Keycloak
When Che is deployed on OpenShift or installed on Docker, either deployment script or CLI makes sure that Keycloak is properly configured. When a
che-public client is created, there are two important fields to be populated:
Valid Redirect URIs need to be the URL you use to access Che. For example, if your original
188.8.131.52but you access Che at
myhostwhich is an alias, you will see an error from Keycloak, saying that it’s an invalid
redirectURI. So, if this error occurs, go to Keycloak administration console and check valid Redirect URIs.
Web Origins - the same concerns Web Origins. An invalid web origin causes CORS error.
By default, a user token gets expired after 30 mins. Keycloak admin can fine tune different realm settings related to Keycloak tokens:
Keycloak provides a user friendly page to connect LDAP/Active Directory. There are a number of fields to be populated on the config page, and those are specific to your particular LDAP instance, user filters, preferable mode etc. It is possible to test connection and authentication even before saving any particular storage provider.
Social Login and Brokering
Keycloak offers social login buttons such as GitHub, Facebook, Twitter, OpenShift etc. See: Instructions to enable Login with GitHub.
If you add GitHub login, you can also enable ssh key upload to Che users’ GitHub accounts. To enable this feature, make sure scopes are
repo,user,write:public_key, and Store Tokens, Stored Tokens Readable are ON when you register a GitHub identity provider.
Next thing is to add a default read-token role:
This is default
delegated OAuth service mode for Multi-User Che, which is configured with property
Setting it to
embedded will make it use Che’s OAuth Authenticator, for which Instructions for Single User mode will apply.
Read more about SHH key management.
Protocol Based Providers
There’s UI to add, delete and edit users. See: Keycloak User Management.
SMTP Configuration/Email Notifications
Eclipse Che does not provide any out-of-the-box SMTP servers. This functionality is enabled in Keycloak itself,
che realm settings > Email. You will need to provide host, port, username and password, if necessary. Eclipse Che is shipped with the default theme that is used for email templates (registration, email confirmation, password recovery, failed login etc).