Please, create an RFE first. We are also working with a generic Golang
adapter (probably a replacement to Keycloak Proxy). Let's see what others
think once we have the JIRA.
On Tue, Aug 7, 2018 at 3:02 PM, Fox, Kevin M <Kevin.Fox(a)pnnl.gov> wrote:
Ok. Is that something the Keycloak team would accept if someone were to
write it? Or is a feature request the preferred route?
Thanks,
Kevin
------------------------------
*From:* Pedro Igor Silva [psilva(a)redhat.com]
*Sent:* Tuesday, August 07, 2018 10:46 AM
*To:* Fox, Kevin M
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Kubernetes integration
AFAIK, no support. It shouldn't be hard to implement, I think you would
probably need some config options to define parameters to the authz request.
On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M <Kevin.Fox(a)pnnl.gov> wrote:
> Ah, yeah. That looks like it might work.
>
> Is there any support for token-exchange in keycloak-proxy? If not, is it
> something that could easily be added?
>
> Thanks,
> Kevin
> ------------------------------
> *From:* Pedro Igor Silva [psilva(a)redhat.com]
> *Sent:* Tuesday, August 07, 2018 4:59 AM
> *To:* Fox, Kevin M
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Kubernetes integration
>
>
>
> On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox(a)pnnl.gov> wrote:
>
>> Question regarding using KeyCloak and Kubernetes.
>>
>> Kubernetes only supports one ClientID. If you are supporting both the
>> CLI and the web UI, in Dex or Google you set up two clients, one for the
>> website and one for the CLI. You mark the CLI as a Public Client, and you
>> establish a trust between the website client and the CLI. In either case,
>> then, the token passed to Kubernetes is for the same client.
>>
>> What is the recommended way of doing something like this with KeyCloak?
>> I see a Public Client option, but I don't see a way to establish the trust
>> between clients.
>>
>
> We have a token exchange [1] endpoint which can be used to exchange
> tokens from one client to another.
>
> The way Kubernetes supports OIDC is really tricky because the API server
> expects an ID Token and not an OAuth2 Access Token (with no support for
> token introspection in case tokens are opaque and not JWTs). As you pointed
> out, the API server supports a single client id, thus you would need the CLI
> to use the same client configured for the API server or use token exchange.
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>
>
>>
>> Thanks,
>> Kevin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
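As an added illustration of the exchange Pedro describes (this is not code from the thread or from Keycloak): a Go sketch of the request a public CLI client would send to Keycloak's token endpoint, and the iss/aud/exp checks kube-apiserver applies to the ID token that comes back. It assumes the token endpoint honours a requested_token_type of id_token (later Keycloak versions do; confirm against the linked docs for your version) and that the CLI client has been granted permission to exchange to the API server's client; the client ids, issuer and tokens used are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"net/url"
	"strings"
)

// ExchangeForm is the POST body the CLI (a public client, so no secret) sends to
// Keycloak's token endpoint to swap its own access token for an ID token whose
// audience is the single client id configured on kube-apiserver (RFC 8693 URNs).
func ExchangeForm(cliClientID, subjectToken, apiServerClientID string) url.Values {
	return url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"client_id":            {cliClientID},
		"subject_token":        {subjectToken},
		"subject_token_type":   {"urn:ietf:params:oauth:token-type:access_token"},
		"requested_token_type": {"urn:ietf:params:oauth:token-type:id_token"},
		"audience":             {apiServerClientID},
	}
}

// Claims kube-apiserver checks; aud is a string or an array of strings (OIDC Core).
type Claims struct {
	Iss string      `json:"iss"`
	Aud interface{} `json:"aud"`
	Exp int64       `json:"exp"`
}

// CheckIDToken decodes the JWT payload and enforces iss, aud and exp (now is a
// Unix timestamp) the way the API server does. It does NOT verify the signature;
// that check against the issuer's JWKS must still happen before the token is trusted.
func CheckIDToken(rawJWT, issuer, apiServerClientID string, now int64) bool {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return false
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return false
	}
	auds, ok := c.Aud.([]interface{}) // array form; wrap the single-string form
	if !ok {
		auds = []interface{}{c.Aud}
	}
	hasAud := false
	for _, a := range auds {
		hasAud = hasAud || a == apiServerClientID
	}
	return c.Iss == issuer && hasAud && now < c.Exp
}
```

A token minted for the CLI's own client id fails the aud check, which is exactly why the exchange (or a shared client) is needed before handing the token to kubectl.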