AFAIK, no support. It shouldn't be hard to implement; I think you would
probably need some config options to define parameters to the authz request.
On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M <Kevin.Fox(a)pnnl.gov> wrote:
Ah, yeah. That looks like it might work.
Is there any support for token-exchange in keycloak-proxy? If not, is it
something that could easily be added?
Thanks,
Kevin
------------------------------
*From:* Pedro Igor Silva [psilva(a)redhat.com]
*Sent:* Tuesday, August 07, 2018 4:59 AM
*To:* Fox, Kevin M
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Kubernetes integration
On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox(a)pnnl.gov> wrote:
> Question regarding using KeyCloak and Kubernetes.
>
> Kubernetes only supports one ClientID. If you are supporting both the cli
> and the web ui, in Dex or Google you setup two clients, one for the
> website, and one for the cli. You mark the cli a Public Client, and you
> establish a trust between the website client and the cli. In either case
> then, the token passed to Kubernetes is for the same client.
>
> What is the recommended way of doing something like this with KeyCloak? I
> see a Public Client option, but I don't see a way to establish the trust
> between clients.
>
We have a token exchange [1] endpoint which can be used to exchange tokens
from one client to another.
The way Kubernetes supports OIDC is really tricky because the API server
expects an ID Token and not an OAuth2 Access Token (with no support for
token introspection in case tokens are opaque and not JWTs). As you pointed
out, the API server supports a single client id, thus you would need the cli to
use the same client configured to the API server or use token exchange.
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>
> Thanks,
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
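The exchange Pedro describes, as an added example that is not part of the thread or of Keycloak's own code: a cli client's token is exchanged at the Keycloak token endpoint for an ID token whose audience is the single client id the Kubernetes API server trusts, and the result is checked the way the API server checks issuer and audience. The form field names are those of Keycloak's documented token-exchange endpoint (RFC 8693); the issuer URL, client names and sample tokens are constructed.

```python
import base64
import json

# Grant type and token-type URNs from RFC 8693, as used by Keycloak's token endpoint.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def build_exchange_request(issuer, cli_client_id, cli_access_token,
                           k8s_client_id, cli_client_secret=None):
    """Return (token_endpoint, form_fields) for exchanging a token issued to the
    cli client into an ID token for the Kubernetes client. POST the fields as
    application/x-www-form-urlencoded."""
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": cli_client_id,              # client performing the exchange
        "subject_token": cli_access_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ID_TOKEN_TYPE,   # API server wants an ID token
        "audience": k8s_client_id,               # must equal --oidc-client-id
    }
    if cli_client_secret is not None:            # public clients send no secret
        form["client_secret"] = cli_client_secret
    return f"{issuer}/protocol/openid-connect/token", form


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def constructed_id_token(claims):
    """Constructed, unsigned sample token for offline testing only; a real
    Keycloak ID token carries an RS256 signature over header and payload."""
    return f"{_b64url({'alg': 'RS256', 'kid': 'constructed'})}.{_b64url(claims)}.sig"


def id_token_acceptable_for_apiserver(id_token, issuer, k8s_client_id):
    """Mirror the issuer and audience checks the API server applies to an ID
    token (--oidc-issuer-url / --oidc-client-id). Signature and expiry checks
    against Keycloak's JWKS are omitted from this example."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return False
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return False
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    return claims.get("iss") == issuer and k8s_client_id in aud
```

A token whose audience is still the cli client fails the check, which is exactly why the exchange (or sharing one client) is needed when the API server is configured with a single client id.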