[keycloak-user] Kubernetes integration

Fox, Kevin M Kevin.Fox at pnnl.gov
Tue Aug 7 14:02:44 EDT 2018


Ok. Is that something the keycloak team would accept if someone were to write it? Or is a feature request the preferred route?

Thanks,
Kevin
________________________________
From: Pedro Igor Silva [psilva at redhat.com]
Sent: Tuesday, August 07, 2018 10:46 AM
To: Fox, Kevin M
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration

AFAIK, no support. It shouldn't be hard to implement, I think you would probably need some config options to define parameters to the authz request.

On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
Ah, yeah. That looks like it might work.

Is there any support for token-exchange in keycloak-proxy? If not, is it something that could easily be added?

Thanks,
Kevin
________________________________
From: Pedro Igor Silva [psilva at redhat.com]
Sent: Tuesday, August 07, 2018 4:59 AM
To: Fox, Kevin M
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration



On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
Question regarding using KeyCloak and Kubernetes.

Kubernetes only supports one ClientID. If you are supporting both the cli and the web ui, in Dex or Google you setup two clients, one for the website, and one for the cli. You mark the cli a Public Client, and you establish a trust between the website client and the cli. In either case then, the token passed to Kubernetes is for the same client.

What is the recommended way of doing something like this with KeyCloak? I see a Public Client option, but I don't see a way to establish the trust between clients.

We have a token exchange [1] endpoint which can be used to exchange tokens from one client to another.

The way Kubernetes supports OIDC is really tricky because API server expects an ID Token and not an OAuth2 Access Token (with no support for token introspection in case tokens are opaque and not JWTs). As you pointed out, API server supports a single client id, thus you would need the cli to use the same client configured to API server or use token exchange.

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange


Thanks,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
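Added example, not code from the thread or from Keycloak: the token-exchange request Pedro points to, sent from the public CLI client to obtain an ID token addressed to the single client ID the API server trusts, plus a local pre-flight check mirroring what the API server verifies. The token endpoint URL, realm and the client names ("kubectl", "kubernetes") are assumptions.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def build_exchange_request(token_endpoint, cli_client_id, subject_token, k8s_client_id):
    """POST to Keycloak's token endpoint: hand in the token issued to the public CLI
    client and ask for an ID token whose audience is the API server's client.
    A public client sends client_id only, never a client_secret."""
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": cli_client_id,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": k8s_client_id,
        "requested_token_type": ID_TOKEN_TYPE,
    }
    return urllib.request.Request(
        token_endpoint, data=urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def jwt_claims(token):
    """Decode the payload segment only. No signature check here: this is a local
    pre-flight check, the API server verifies the signature against the issuer's keys."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def fit_for_api_server(token, issuer, k8s_client_id):
    """Mirror what the API server checks (issuer, 'aud' equal to its single
    --oidc-client-id) plus Keycloak's typ claim ("ID" on ID tokens, "Bearer" on
    access tokens), so a CLI access token is refused before kubectl ever sends it."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    return claims.get("iss") == issuer and k8s_client_id in auds and claims.get("typ") == "ID"


def sample_token(claims):
    """Constructed, unsigned JWT (empty signature segment) for offline demonstration only."""
    def b64url(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return f"{b64url(json.dumps({'alg': 'none'}).encode())}.{b64url(json.dumps(claims).encode())}."
```

The exchange itself needs the "kubernetes" client to permit the "kubectl" client as a subject in its token-exchange permissions, per the linked Keycloak documentation; without that the endpoint refuses the request.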