How to Enable OAuth2 Login in ThingsBoard 4.0.1 Community Edition Using Keycloak and HAProxy

ThingsBoard is a powerful open-source IoT platform supporting device management, telemetry, dashboards, and multi-tenancy. In this guide, I’ll show you how to enable OAuth2 login using Keycloak in ThingsBoard 4.0.1 Community Edition (CE), with HAProxy managing SSL termination and routing for multiple domains.


Login Architecture

We’ll have two domains:

Domain                      Purpose                                     Login Options
thingsboard.maksonlee.com   Primary server domain for internal access   Local login only
iot.maksonlee.com           Customer-facing portal for end users        Local + OAuth2 login visible

Prerequisites

  • ThingsBoard 4.0.1 Community Edition installed (running on port 8080)
  • HAProxy installed and running on port 443
  • Keycloak available at https://keycloak.maksonlee.com
  • TLS certificates for:
    • thingsboard.maksonlee.com
    • iot.maksonlee.com

  1. Configure HAProxy with SSL and SNI

HAProxy terminates SSL and routes traffic based on domain via SNI.

Place your certs

/etc/haproxy/certs/
├── thingsboard.maksonlee.com.pem
└── iot.maksonlee.com.pem

Each .pem file must contain both the private key and the full certificate chain (leaf plus intermediates).

HAProxy Configuration

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    acl host_tb hdr(host) -i thingsboard.maksonlee.com
    acl host_iot hdr(host) -i iot.maksonlee.com

    use_backend tb-backend if host_tb
    use_backend tb-backend if host_iot

backend tb-backend
    mode http
    server tb1 127.0.0.1:8080

This HAProxy setup:

  • Terminates TLS
  • Uses the correct cert for each domain
  • Routes all requests to ThingsBoard on localhost
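Two things go wrong most often at this step: a bundle that is missing its private key or its intermediate chain, and a hostname for which HAProxy serves the wrong certificate. The Go program below is an added example written for this page, not part of the original post or of HAProxy: CheckBundle parses a .pem the way the crt loader on the bind line will see it and rejects a file that does not hold exactly one private key and at least two certificates, and ProbeSNI opens a TLS connection with the hostname set in SNI and reports the DNS names of the leaf certificate that was actually served. CertDir, Domains, the function names and the constructed SampleBundle (placeholder bodies, not real key material) are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// CertDir is the directory the bind line loads (assumed from the article's config).
const CertDir = "/etc/haproxy/certs"

// Domains are the two hostnames the article serves; each needs its own bundle.
var Domains = []string{"thingsboard.maksonlee.com", "iot.maksonlee.com"}

// BundleReport counts what one HAProxy .pem bundle contains.
type BundleReport struct {
	PrivateKeys, Certificates int
}

// CheckBundle walks every PEM block in data and enforces what the article asks
// for: exactly one private key and at least two CERTIFICATE blocks, so the
// intermediate chain is served with the leaf instead of relying on the client
// to find it (strict clients fail chain validation on a lone leaf).
func CheckBundle(data []byte) (BundleReport, error) {
	var r BundleReport
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			break
		}
		switch {
		case strings.HasSuffix(block.Type, "PRIVATE KEY"): // PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY
			r.PrivateKeys++
		case block.Type == "CERTIFICATE":
			r.Certificates++
		}
		data = rest
	}
	switch {
	case r.PrivateKeys != 1:
		return r, fmt.Errorf("expected exactly one private key, found %d", r.PrivateKeys)
	case r.Certificates == 0:
		return r, fmt.Errorf("no certificate block found")
	case r.Certificates == 1:
		return r, fmt.Errorf("leaf certificate only; intermediate chain is missing")
	}
	return r, nil
}

// ProbeSNI opens a TLS connection to addr announcing serverName via SNI and
// returns the DNS names of the leaf certificate HAProxy picked for that name.
// The default tls.Config validates the chain against the system roots, so a
// bundle without its intermediates fails here exactly as it would in a browser.
func ProbeSNI(addr, serverName string) ([]string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames, nil
}

// SampleBundle is a constructed stand-in (placeholder bodies, not real keys)
// in a common layout: leaf, intermediate, then the private key.
const SampleBundle = `-----BEGIN CERTIFICATE-----
MIIBAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBAAAA
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIBAAAA
-----END PRIVATE KEY-----
`

func main() {
	r, err := CheckBundle([]byte(SampleBundle))
	fmt.Printf("constructed sample: %+v err=%v\n", r, err)
	for _, d := range Domains {
		if data, err := os.ReadFile(filepath.Join(CertDir, d+".pem")); err == nil {
			r, err := CheckBundle(data)
			fmt.Printf("%s.pem: %+v err=%v\n", d, r, err)
		}
		names, err := ProbeSNI(d+":443", d) // live probe against the running HAProxy
		fmt.Printf("%s: leaf SAN=%v err=%v\n", d, names, err)
	}
}
```

Run it on the HAProxy host once `haproxy -c -f /etc/haproxy/haproxy.cfg` reports a valid configuration; the bundle check works offline, and the probe needs HAProxy listening on 443 with DNS for both names pointing at it.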

  2. Configure Keycloak

Create a new client in your Keycloak realm.

Setting                     Value
Client ID                   iot
Root URL                    https://iot.maksonlee.com
Valid Redirect URIs         https://iot.maksonlee.com/login/oauth2/code/
Post Logout Redirect URIs   https://iot.maksonlee.com
Web Origins                 https://iot.maksonlee.com
Access Type                 confidential
Standard Flow               Enabled
Direct Access Grants        Enabled
Consent Required            Disabled

Copy the Client Secret from the Credentials tab after saving.


  3. Configure OAuth2 in ThingsBoard

  • Add OAuth2 Client
    Navigate to: Security → OAuth 2.0 → OAuth 2.0 clients → Add OAuth 2.0 client

    Field                 Value
    Client ID             iot
    Client Secret         (from Keycloak)
    Provider              Custom
    Authorization URI     https://keycloak.maksonlee.com/realms/maksonlee.com/protocol/openid-connect/auth
    Access Token URI      https://keycloak.maksonlee.com/realms/maksonlee.com/protocol/openid-connect/token
    User Info URI         https://keycloak.maksonlee.com/realms/maksonlee.com/protocol/openid-connect/userinfo
    JWKS URI              https://keycloak.maksonlee.com/realms/maksonlee.com/protocol/openid-connect/certs
    Scope                 openid profile email
    Allow user creation   Enabled
    Provider label        Keycloak

    Mapper:

    Field                    Value
    Mapper type              BASIC
    Username attribute key   email
    Email attribute key      email
    Tenant name strategy     CUSTOM
    Tenant name pattern      Tenant
    Customer name pattern    Customer %{email}

  • Add OAuth2 Domain
    Navigate to: Security → OAuth 2.0 → Domains → Add domain

    Field                        Value
    Domain name                  iot.maksonlee.com
    Redirect URI template        https://iot.maksonlee.com/login/oauth2/code/
    Enable OAuth 2.0 settings    Enabled
    OAuth2 Client                Keycloak Login (select the one you just created)
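The four endpoint URIs in the client settings are the pieces of the OpenID Connect login that ThingsBoard drives: the browser is sent to the Authorization URI, ThingsBoard exchanges the returned code at the Access Token URI, reads the profile from the User Info URI, and validates the ID token's signature with the realm's public keys published at the JWKS URI. The Go program below is an added example of that last step, written for this page rather than taken from ThingsBoard or Keycloak: KeycloakJWKS and SignIDToken stand in for the realm (a throwaway realmKey, kid realm-key-1, a constructed user alice@example.com), and VerifyIDToken performs the checks a relying party owes the token, pinning alg to RS256, resolving the key by kid, verifying the signature over header.payload, and comparing iss, aud and exp against the realm URL and the Client ID iot. Issuer, ClientID and every function name are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const Issuer = "https://keycloak.maksonlee.com/realms/maksonlee.com" // realm URL behind the article's endpoint URIs
const ClientID = "iot"                                                // Keycloak puts the client ID in the ID token's aud claim

var b64 = base64.RawURLEncoding                       // JWT segments are base64url without padding
var realmKey, _ = rsa.GenerateKey(rand.Reader, 2048) // stand-in for the realm's signing key, fresh each run

// KeycloakJWKS renders the document ".../openid-connect/certs" would serve for pub.
func KeycloakJWKS(kid string, pub *rsa.PublicKey) []byte {
	key := map[string]string{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig",
		"n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{key}})
	return out
}

// SignIDToken mints an RS256 JWT over claims, the way Keycloak signs ID tokens.
func SignIDToken(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// keyFromJWKS returns the RSA key whose kid the token header names.
func keyFromJWKS(jwksDoc []byte, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []map[string]any }
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k["kid"] != kid || k["kty"] != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(fmt.Sprint(k["n"]))
		e, errE := b64.DecodeString(fmt.Sprint(k["e"]))
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("malformed jwk for kid %q", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// VerifyIDToken: fixed alg, key by kid, signature over header.payload, then iss, aud, exp.
func VerifyIDToken(token string, jwksDoc []byte, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	h, errH := b64.DecodeString(parts[0])
	p, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if json.Unmarshal(h, &hdr) != nil || json.Unmarshal(p, &claims) != nil {
		return nil, fmt.Errorf("token header or payload is not JSON")
	}
	if hdr.Alg != "RS256" { // never let the token choose "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := keyFromJWKS(jwksDoc, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	if claims["iss"] != Issuer || claims["aud"] != ClientID { // Keycloak sends a string aud for one audience
		return nil, fmt.Errorf("issuer or audience mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired or exp missing")
	}
	return claims, nil
}
```

A typical run mints a token with SignIDToken, publishes the matching KeycloakJWKS document and hands both to VerifyIDToken; a changed payload, an unknown kid, a wrong audience or an expired exp each come back as an error, which is what keeps a token from one realm or one client from logging a user into another. Since the mapper above keys the ThingsBoard username on the email claim and user creation is enabled, every account the realm will issue a token for becomes a ThingsBoard user under the Tenant/Customer pattern; the email_verified claim carried in the sample token is the signal to check before trusting that address.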

  4. Test the Login Behavior
  • https://iot.maksonlee.com
    • Login page shows both local login and OAuth2 login (CE default)
    • Clicking Keycloak logs the user in via OAuth
    • User is automatically provisioned in ThingsBoard under a tenant/customer
  • https://thingsboard.maksonlee.com
    • No OAuth2 configured
    • Only local login is shown (e.g. for sysadmin@thingsboard.com)
