Update Keycloak documentation

auth/introduction.rst

@@ -0,0 +1,2 @@
+
+

authentication.rst

@@ -46,7 +46,7 @@ configuration settings file::
     random string on Linux::
 
         $ LC_CTYPE=C tr -dc A-Za-z0-9_\!\@\#\$\%\^\&\*\(\)-+= < /dev/urandom | head -c 32 && echo
-    
+
     or Mac OSX::
 
         $ date | md5 | base64
@@ -127,7 +127,7 @@ You can fetch ldap groups dynamically from LDAP server and use them as customer
 name by using ``LDAP_DOMAINS_GROUP`` configuration. Either of ``{username}``,
 ``{userdn}`` or ``{email}`` can be used for the same.
 
-All users are initially assigned the "user" role by default. 
+All users are initially assigned the "user" role by default.
 
 .. note:: User sign-up, email verfication and password reset through the
     Alerta web UI or CLI is not supported. Self-service user management
@@ -546,7 +546,7 @@ Now go to *Installation* and generate it by selecting 'Keycloak OIDC JSON'. You
 
    {
      "realm": "master",
-     "auth-server-url": "https://keycloak.example.org/auth",
+     "auth-server-url": "https://keycloak.example.org",
      "ssl-required": "external",
      "resource": "alerta-ui",
      "credentials": {
@@ -564,13 +564,17 @@ the values shown below with the values generated by Keycloak)::
     OAUTH2_CLIENT_ID = 'alerta-ui'
     OAUTH2_CLIENT_SECRET = '418bbf31-aef-33d1-a471-322a60276879'
 
+.. note:: The ``/auth`` context path was removed as a default in Keycloak ``18.0.0``. You might need the add the context path ``KEYCLOAK_URL = https://keycloak.example.org/auth`` to your configuration. See the `Keycloak migration guide`_  for further details.
+
+.. _`Keycloak migration guide`: https://www.keycloak.org/migration/migrating-to-quarkus
+
 .. _allowed_keycloak_roles:
 
 To restrict access to users who are associated with a particular `Keycloak role`_ use::
 
     ALLOWED_KEYCLOAK_ROLES = ['role1', 'role2']
 
-.. _`Keycloak role`: https://keycloak.gitbooks.io/documentation/server_admin/topics/roles.html
+.. _`Keycloak role`: https://www.keycloak.org/docs/latest/server_admin/#con-client-roles_server_administration_guide
 
 .. note:: ``ALLOWED_KEYCLOAK_ROLES`` can be an asterisk (``*``) to force
           login but *not* restrict who can login.
@@ -605,7 +609,7 @@ HTTP header or a query parameter.
 
     Using an HTTP header is the preferred method so that API keys are
     not exposed even when using HTTPS or inadvertently captured in log
-    files. 
+    files.
 
 **Example using HTTP header**
 

configuration.rst

@@ -500,7 +500,7 @@ HMAC Auth Settings
 ``HMAC_AUTH_CREDENTIALS``
     HMAC credentials
 
-.. _Audit Log config:
+.. _Audit Log settings:
 
 Audit Log Settings
 ~~~~~~~~~~~~~~~~~~
@@ -532,7 +532,7 @@ using a POST.
 ``AUDIT_URL``
     forward audit logs to HTTP POST URL (no default)
 
-.. _CORS config:
+.. _CORS settings:
 
 CORS Settings
 ~~~~~~~~~~~~~
@@ -552,7 +552,7 @@ CORS Settings
 ``CORS_ORIGINS``
     URL origins that can access the API for Cross-Origin Resource Sharing (CORS)
 
-.. _severity config:
+.. _severity settings:
 
 Severity Settings
 ~~~~~~~~~~~~~~~~~
@@ -598,7 +598,7 @@ in which Alerta is deployed.
 ``COLOR_MAP``
     dictionary of severity colors, text and highlight color
 
-.. _timeout config:
+.. _timeout settings:
 
 Timeout Settings
 ~~~~~~~~~~~~~~~~
@@ -627,7 +627,7 @@ are important for generating alerts from stale heartbeats.
 ``SHELVE_TIMEOUT``
     timeout period for unshelving alerts in shelved status (default is ``7200`` seconds, ``0`` = do not auto-unshelve)
 
-.. _housekeeping config:
+.. _housekeeping settings:
 
 Housekeeping Settings
 ~~~~~~~~~~~~~~~~~~~~~
@@ -648,7 +648,7 @@ Housekeeping Settings
 
 .. note:: Ensure to set ``DEFAULT_INFORM_SEVERITY`` to the "informational" severity that should be deleted.
 
-.. _email config:
+.. _email settings:
 
 Email Settings
 ~~~~~~~~~~~~~~
@@ -692,7 +692,7 @@ email address before they can login.
 ``SMTP_PASSWORD``
     application-specific password for ``MAIL_FROM`` or ``SMTP_USERNAME`` (no default)
 
-.. _webui config:
+.. _webui settings:
 
 Web UI Settings
 ~~~~~~~~~~~~~~~
@@ -773,7 +773,7 @@ Alert Status Indicator Settings
 ``ASI_QUERIES``
     list of alert queries applied to filter status indicators (see example for default)
 
-.. _plugin config:
+.. _plugin settings:
 
 Plugin Settings
 ~~~~~~~~~~~~~~~~
@@ -887,7 +887,7 @@ Alerts and actions can be forwarded to other Alerta servers to create a
         $ date | md5 | base64                        <= create HMAC "secret"
         MzVlMzQ5NWYzYWE2YTgxYTUyYmIyNDY0ZWE2ZWJlYTMK
 
-.. _webhook config:
+.. _webhook settings:
 
 Webhook Settings
 ~~~~~~~~~~~~~~~~

faq.rst

@@ -22,7 +22,7 @@ To fix this you can either serve the web UI from the `same origin`_ as
 the API using a web server to :ref:`reverse proxy <reverse proxy>` the
 web UI or ensure that the API server `allows the origin`_ where the
 web UI is hosted by adding it to the :envvar:`CORS_ORIGINS` :ref:`server
-configuration <CORS config>` setting.
+configuration <CORS settings>` setting.
 
 .. _CORS: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
 .. _same origin: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

webui/configuration.rst

@@ -113,37 +113,8 @@ shown below that.
 
 Client Settings
 ~~~~~~~~~~~~~~~
-Full list of API server settings that can be used to configure clients.
-
-``AUTH_REQUIRED``
-
-``CUSTOMER_VIEWS``
-
-``AUTH_PROVIDER``
-
-``SIGNUP_ENABLED``
-
-``OAUTH2_CLIENT_ID``
-
-``GITHUB_URL``
-
-``GITLAB_URL``
-
-``KEYCLOAK_URL``
-
-``KEYCLOAK_REALM``
-
-``PINGFEDERATE_URL``
-
-``COLOR_MAP``
-
-``SEVERITY_MAP``
-
-``GOOGLE_TRACKING_ID``
-
-``AUTO_REFRESH_INTERVAL``
-
-.. note:: It is not currently possible to configure dates or audio.
+Full list of API server settings that can be used to configure clients can be found
+at :ref:`webui settings`.
 
 .. raw:: html
     <style> .red { background-color: red } </style>