[keycloak-user] Integrate Keycloak 1.9.4 with Openshift Origin

Stian Thorgersen sthorger at redhat.com
Fri May 20 01:56:42 EDT 2016


Yes, those are the correct URLs. The URLs from the blog post you are
referring to are deprecated as they were not following the spec.

BTW the following endpoint lists all URLs for OIDC; we're also improving
the docs around this soon:
http://localhost:8080/auth/realms/<REALM NAME>/.well-known/openid-configuration




On 19 May 2016 at 09:18, Charles Moulliard <cmoullia at redhat.com> wrote:

> Hi,
>
> According to the Openshift doc (
> https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#OpenID)
> and this blog article (
> http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html),
> we can integrate Keycloak as IdentityProvider with Openshift.
>
> So, I have configured the master-config.yaml to use Keycloak 1.9.4.Final
> as Identity Provider. See the config hereafter:
>
> oauthConfig:
>   alwaysShowProviderSelection: false
>   assetPublicURL: https://192.168.99.100:8443/console/
>   grantConfig:
>     method: auto
>   identityProviders:
>   - challenge: true
>     login: true
>     name: keycloak
>     provider:
>       apiVersion: v1
>       kind: OpenIDIdentityProvider
>       ca: keycloak-ca.cert
>       clientID: openshift
>       clientSecret: fbde8b27-3342-4494-b3a3-7db645e9dfe5
>       claims:
>         id:
>         - sub
>         preferredUsername:
>         - preferred_username
>         name:
>         - name
>         email:
>         - email
>       urls:
>         authorize: https://192.168.1.80:8443/auth/realms/openshift/tokens/login
>         token: https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes
>
> But when I try to log on to the Openshift console, I'm redirected to the
> Keycloak server, which returns this Error 404:
>
> --> GET
> https://192.168.1.80:8443/auth/realms/openshift/tokens/login?client_id=open…YlMjUyRjE5Mi4xNjguOTkuMTAwJTI1M0E4NDQzJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D
> 404 (Not Found)
>
> According to this thread (
> http://stackoverflow.com/questions/28658735/what-are-keycloaks-oauth2-openid-connect-endpoints
> ), the URLs to be used are these:
>
>         authorize: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth
>         token: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token
>
> FYI, I can get a token -->
>
> curl -k -s -X POST https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -d 'username=test-user' -d 'password=password' -d 'grant_type=password' \
>   -d 'client_id=openshift' -d 'client_secret=fbde8b27-3342-4494-b3a3-7db645e9dfe5' \
>   | jq -r '.access_token'
> eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1ODExNGExZi1mMTQwLTQwYTctODAwOS1hNGU2
>
>
> Can you confirm that the correct URLs to be used are these?
>
>         authorize: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth
>         token: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token
>
> Regards,
>
> Charles
>
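Added example, not from this thread or the Keycloak project: a small Python check that compares the `urls:` block of an OpenShift OpenIDIdentityProvider against the realm's `.well-known/openid-configuration` document mentioned above, so a misconfigured or deprecated endpoint is caught before users hit a 404 or, worse, get sent to an endpoint outside the intended realm. The discovery JSON is constructed from the URLs in this thread rather than fetched; the function names are my own.

```python
import json

# Keys of the `urls:` block in an OpenShift OpenIDIdentityProvider, mapped to the
# fields of the OIDC discovery document that must carry the same values.
URL_KEYS = {"authorize": "authorization_endpoint", "token": "token_endpoint"}

# Constructed stand-in for GET /auth/realms/openshift/.well-known/openid-configuration
# (only the fields this check needs); in practice fetch it with curl and pass the body.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://192.168.1.80:8443/auth/realms/openshift",
    "authorization_endpoint":
        "https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth",
    "token_endpoint":
        "https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token",
})

# The `urls:` block as first posted in the thread (deprecated paths) and the corrected one.
DEPRECATED_URLS = {
    "authorize": "https://192.168.1.80:8443/auth/realms/openshift/tokens/login",
    "token": "https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes",
}
CORRECT_URLS = {
    "authorize": "https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth",
    "token": "https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token",
}


def check_provider_urls(discovery_json, provider_urls):
    """Return {url_key: problem} for every configured URL that disagrees with discovery.

    An empty dict means the identity provider block matches what the realm advertises.
    """
    doc = json.loads(discovery_json)
    issuer = doc["issuer"]
    problems = {}
    for key, field in URL_KEYS.items():
        configured = provider_urls.get(key)
        expected = doc.get(field)
        if configured is None:
            problems[key] = f"missing; discovery advertises {expected}"
        elif configured != expected:
            problems[key] = f"configured {configured} but discovery advertises {expected}"
    # An unknown key is a typo; a URL outside the issuer points at some other realm or host.
    for key, url in provider_urls.items():
        if key not in URL_KEYS:
            problems[key] = "unknown urls key"
        elif not url.startswith(issuer + "/"):
            problems.setdefault(key, f"{url} is not under issuer {issuer}")
    return problems
```

Running `check_provider_urls(DISCOVERY_JSON, DEPRECATED_URLS)` reports both keys; the corrected block returns an empty dict.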