Ok. Sounds good. Thanks.
Kevin
________________________________
From: Pedro Igor Silva [psilva(a)redhat.com]
Sent: Tuesday, August 07, 2018 11:09 AM
To: Fox, Kevin M
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration
Please, create an RFE first. We are also working with a generic Golang adapter (probably a
replacement to Keycloak Proxy). Let's see what others think once we have the JIRA.
On Tue, Aug 7, 2018 at 3:02 PM, Fox, Kevin M <Kevin.Fox@pnnl.gov> wrote:
Ok. Is that something the Keycloak team would accept if someone were to write it? Or is a
feature request the preferred route?
Thanks,
Kevin
________________________________
From: Pedro Igor Silva [psilva@redhat.com]
Sent: Tuesday, August 07, 2018 10:46 AM
To: Fox, Kevin M
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration
AFAIK, no support. It shouldn't be hard to implement; I think you would probably need
some config options to define parameters to the authz request.
On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M <Kevin.Fox@pnnl.gov> wrote:
Ah, yeah. That looks like it might work.
Is there any support for token exchange in keycloak-proxy? If not, is it something that
could easily be added?
Thanks,
Kevin
________________________________
From: Pedro Igor Silva [psilva@redhat.com]
Sent: Tuesday, August 07, 2018 4:59 AM
To: Fox, Kevin M
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration
On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox@pnnl.gov> wrote:
Question regarding using Keycloak and Kubernetes.
Kubernetes only supports one ClientID. If you are supporting both the cli and the web ui,
in Dex or Google you set up two clients, one for the website and one for the cli. You mark
the cli as a Public Client, and you establish a trust between the website client and the cli.
In either case then, the token passed to Kubernetes is for the same client.
What is the recommended way of doing something like this with Keycloak? I see a Public
Client option, but I don't see a way to establish the trust between clients.
We have a token exchange [1] endpoint which can be used to exchange tokens from one client
to another.
The way Kubernetes supports OIDC is really tricky because the API server expects an ID Token
and not an OAuth2 Access Token (with no support for token introspection in case tokens are
opaque and not JWTs). As you pointed out, the API server supports a single client id, thus you
would need the cli to use the same client configured for the API server or use token exchange.
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exch...
Thanks,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
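The token-exchange route Pedro describes above, as an added example that is not from the thread or from the Keycloak project: it assumes a public cli client (so no client_secret), a separate client whose id the API server is configured with, and a Keycloak version that accepts requested_token_type=id_token. The first function builds the form body for the realm's token endpoint; the second checks that the returned ID token's aud claim names the API server's client, which is the check the API server itself applies.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def build_exchange_form(cli_client_id, cli_token, k8s_client_id):
    """Form body for POST /realms/<realm>/protocol/openid-connect/token.

    subject_token is the token the cli obtained for its own (public) client;
    audience names the client the API server trusts, so the exchanged ID
    token carries that client id in aud. Assumes a Keycloak version that
    supports requested_token_type=id_token.
    """
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": cli_client_id,
        "subject_token": cli_token,
        "requested_token_type": ID_TOKEN_TYPE,
        "audience": k8s_client_id,
    })


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_audience_ok(id_token, k8s_client_id):
    """True if the JWT's aud claim (string or list) names the API server's client.

    Only the payload is read here; signature verification against the realm's
    JWKS is left to the API server and is deliberately not done in this check.
    """
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    aud = payload.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return k8s_client_id in (aud or [])


# Constructed sample ID token (placeholder signature) for demonstration only.
_SAMPLE_PAYLOAD = {"iss": "https://keycloak.example/realms/demo", "aud": "kubernetes", "sub": "kevin"}
SAMPLE_ID_TOKEN = ".".join([
    base64.urlsafe_b64encode(b'{"alg":"RS256","kid":"demo"}').rstrip(b"=").decode(),
    base64.urlsafe_b64encode(json.dumps(_SAMPLE_PAYLOAD).encode()).rstrip(b"=").decode(),
    "placeholder-signature",
])
```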