[keycloak-user] Kubernetes integration

Pedro Igor Silva psilva at redhat.com
Tue Aug 7 13:46:48 EDT 2018


AFAIK, no support. It shouldn't be hard to implement, I think you would
probably need some config options to define parameters to the authz request.

On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:

> Ah, yeah. That looks like it might work.
>
> Is there any support for token-exchange in keycloak-proxy? If not, is it
> something that could easily be added?
>
> Thanks,
> Kevin
> ------------------------------
> *From:* Pedro Igor Silva [psilva at redhat.com]
> *Sent:* Tuesday, August 07, 2018 4:59 AM
> *To:* Fox, Kevin M
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Kubernetes integration
>
>
>
> On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
>
>> Question regarding using KeyCloak and Kubernetes.
>>
>> Kubernetes only supports one ClientID. If you are supporting both the cli
>> and the web ui, in Dex or Google you setup two clients, one for the
>> website, and one for the cli. you mark the cli a Public Client, and you
>> establish a trust between the website client and the cli. In either case
>> then, the token passed to Kubernetes is for the same client.
>>
>> What is the recommended way of doing something like this with KeyCloak? I
>> see a Public Client option, but I don't see a way to establish the trust
>> between clients.
>>
>
> We have a token exchange [1] endpoint which can be used to exchange tokens
> from one client to another.
>
> The way Kubernetes supports OIDC is really tricky because the API server
> expects an ID Token and not an OAuth2 Access Token (with no support for
> token introspection in case tokens are opaque and not JWTs). As you pointed
> out, the API server supports a single client id, thus you would need the cli to
> use the same client configured for the API server or use token exchange.
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>
>
>>
>> Thanks,
>> Kevin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


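The exchange Pedro describes, as an added example that is not part of the thread or of Keycloak's own code. The API server accepts a bearer token only if it is a JWT whose `iss` matches `--oidc-issuer-url` and whose `aud` contains the one `--oidc-client-id` it was started with; a token issued to a separate public CLI client therefore fails the audience check. The CLI can instead present its token to Keycloak's token endpoint with the `urn:ietf:params:oauth:grant-type:token-exchange` grant and `audience` set to the API server's client, which is the "trust between clients" from the original question: on the Keycloak side it is granted per target client through the `token-exchange` permission under fine-grained admin permissions, and in the 2018 releases token exchange was a preview feature that had to be switched on explicitly. The hostnames, realm, client ids and the sample tokens below are assumptions constructed for the example; signature verification against the issuer's JWKS is deliberately omitted so the check runs offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Assumed deployment values for the example (not from the thread).
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "k8s"
ISSUER = f"{KEYCLOAK_BASE}/realms/{REALM}"
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"
API_SERVER_CLIENT_ID = "kubernetes"   # the single --oidc-client-id the API server trusts
CLI_CLIENT_ID = "kubectl"             # public client the CLI logs in with
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS; raises ValueError for opaque (non-JWT) tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def api_server_accepts(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Mimic the API server's OIDC checks: JWT shape, issuer, audience, expiry.
    Signature verification against the issuer's JWKS is left out (offline example)."""
    try:
        claims = jwt_claims(token)
    except ValueError:  # covers json and base64 errors too
        return False, "not a JWT; the API server cannot introspect opaque tokens"
    if claims.get("iss") != ISSUER:
        return False, f"issuer {claims.get('iss')!r} is not {ISSUER!r}"
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    if API_SERVER_CLIENT_ID not in auds:
        return False, f"aud {auds} does not contain {API_SERVER_CLIENT_ID!r}"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "token expired"
    return True, claims.get("preferred_username") or claims.get("sub", "")


def exchange_request_body(subject_token: str) -> dict:
    """Form fields for Keycloak's token-exchange grant: the public CLI client presents
    the token it obtained and asks for one whose audience is the API server's client."""
    return {
        "client_id": CLI_CLIENT_ID,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": API_SERVER_CLIENT_ID,
        "scope": "openid",  # ask for an id_token in the response as well
    }


def exchange_token(subject_token: str) -> dict:
    """POST the exchange to Keycloak and return the parsed token response (network call)."""
    data = urllib.parse.urlencode(exchange_request_body(subject_token)).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sample_id_token(aud, now: float, ttl: int = 300) -> str:
    """Constructed, unsigned token shaped like a Keycloak ID token (demonstration only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}
    claims = {"iss": ISSUER, "sub": "user-1234", "aud": aud, "iat": int(now),
              "exp": int(now) + ttl, "preferred_username": "kevin"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"signature-placeholder")])


if __name__ == "__main__":
    now = time.time()
    # Token issued to the CLI client: rejected on audience.
    print(api_server_accepts(sample_id_token(CLI_CLIENT_ID, now), now))
    # Token with the API server's client as audience (what the exchange yields): accepted.
    print(api_server_accepts(sample_id_token(API_SERVER_CLIENT_ID, now), now))
    print(exchange_request_body("<cli-access-token>"))
```

The `aud` handling accepts both the string and list forms, since a token obtained through the exchange may carry more than one audience; the opaque-token branch reflects Pedro's point that the API server has no introspection fallback, so only a JWT can ever pass.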