On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox(a)pnnl.gov> wrote:
Question regarding using KeyCloak and Kubernetes.
Kubernetes only supports one ClientID. If you are supporting both the cli
and the web ui, in Dex or Google you set up two clients, one for the
website and one for the cli. You mark the cli as a Public Client, and you
establish a trust between the website client and the cli. In either case
then, the token passed to Kubernetes is for the same client.
What is the recommended way of doing something like this with KeyCloak? I
see a Public Client option, but I don't see a way to establish the trust
between clients.
We have a token exchange [1] endpoint which can be used to exchange tokens
from one client to another.
The way Kubernetes supports OIDC is really tricky because the API server
expects an ID Token and not an OAuth2 Access Token (with no support for
token introspection in case tokens are opaque and not JWTs). As you pointed
out, the API server supports a single client id, thus you would need the cli to
use the same client configured for the API server or use token exchange.
[1]
https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exch...
Thanks,
Kevin
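As an added example (not code from this thread or from the Keycloak project), here is the shape of the exchange the reply describes for a kubectl-style CLI: the CLI holds a token for its own public client, asks Keycloak for an ID token whose audience is the client kube-apiserver was configured with, and pre-checks the `aud` claim before sending it. The endpoint path and parameter names follow the Keycloak token-exchange docs linked above; the realm, client names and the sample token are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def exchange_params(cli_client, subject_token, api_server_client):
    """Form fields for the exchange request. `audience` names the target client;
    the API server's OIDC authenticator only accepts ID tokens whose `aud`
    matches its configured --oidc-client-id (a public CLI client sends no secret)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": cli_client,
        "subject_token": subject_token,
        "requested_token_type": ID_TOKEN_TYPE,
        "audience": api_server_client,
    }


def exchange(keycloak_base, realm, params):
    """POST to Keycloak's token endpoint and return the JSON body (network call).
    keycloak_base is assumed, e.g. https://sso.example.com/auth on older releases."""
    url = f"{keycloak_base}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(url, body) as resp:
        return json.load(resp)


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: only for checking
    what the CLI is about to send; signature and issuer checks stay with kube-apiserver."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_ok(token, api_server_client):
    """True when the token's aud (string or list, RFC 7519) contains the API
    server's client id, i.e. the exchange produced a token kube-apiserver accepts."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return api_server_client in (aud or [])


def demo_token(claims):
    """Constructed, unsigned sample JWT for offline testing; not a real Keycloak token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```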
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user