Hi,
I have found a solution.
In the same realm, you must create a common client "common" for your
specific realm.
You create a serviceaccount client and override the aud and clientId claims to use
common, and the username must be "serviceaccount" (Client/Mapper or Client
Templates/Create + Client/Mapper/Inherit Template Mappers).
In the Gatekeeper configuration, you declare the common client for your realm.
The customer gets a token using the secret of serviceaccount (aud=common,
clientid=common and username=serviceaccount).
It uses it to consume a service protected by Gatekeeper.
Gatekeeper will receive this token and compare aud and client with this
configuration.
Abracadabra!!!
It will allow this request and add serviceaccount as username in the header.
Thanks for taking the time to answer.
Bye,
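The comparison described in the message above, modelled as an added example (not code from the thread or from Gatekeeper). It assumes the token signature has already been verified, that the username travels in a `preferred_username` claim, and uses made-up client names `api-key-01` to `api-key-03`.

```python
# Added illustration: models the claim comparison described in the message.
# Not Gatekeeper code; assumes the token signature was verified beforehand.
COMMON_CLIENT = "common"  # client declared in the proxy configuration (from the thread)

def audiences(claims):
    """Return the aud claim as a set; a JWT allows a string or a list of strings."""
    aud = claims.get("aud") or []
    return {aud} if isinstance(aud, str) else set(aud)

def check_token(claims, expected_client=COMMON_CLIENT):
    """Return (allowed, username, reason) for already-verified token claims."""
    if expected_client not in audiences(claims):
        return False, None, "aud does not contain the configured client"
    if claims.get("clientId") != expected_client:
        return False, None, "clientId does not match the configured client"
    username = claims.get("preferred_username")  # assumed claim name for the username
    if not username:
        return False, None, "no username claim"
    return True, username, "ok"

# Constructed sample claims (not captured tokens). The first element of each
# pair is the hypothetical client whose secret obtained the token.
TOKENS = [
    ("api-key-01", {"aud": "common", "clientId": "common",
                    "preferred_username": "serviceaccount"}),
    ("api-key-02", {"aud": ["common"], "clientId": "common",
                    "preferred_username": "serviceaccount"}),
    # Client created without the overriding mappers: claims still name itself.
    ("api-key-03", {"aud": "api-key-03", "clientId": "api-key-03",
                    "preferred_username": "service-account-api-key-03"}),
]

def summarize(tokens):
    """Map each issuing client to (allowed, forwarded username)."""
    return {client: check_token(claims)[:2] for client, claims in tokens}

if __name__ == "__main__":
    for client, (allowed, user) in summarize(TOKENS).items():
        print(f"{client}: allowed={allowed} forwarded username={user}")
```

Both accepted tokens are forwarded with the same username, so the protected service cannot tell the API keys apart by that value alone.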
-----Original Message-----
From: Bruno Oliveira [mailto:bruno@abstractj.org]
Sent: Thursday, April 4, 2019 14:57
To: Sylvain Malnuit <sylvain.malnuit(a)lyra-network.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account
Hi Sylvain, unfortunately that's not possible. Acting as a proxy is out of
scope for Gatekeeper.
On 2019-03-19, Sylvain Malnuit wrote:
Hi,
Using Keycloak, it's possible to declare a client as a service account.
The client secret becomes an API key.
In my case, I'm going to generate 10 clients (10 API keys).
I have tried to use Keycloak-gatekeeper to cover this use case but GK
supports only one client.
In my case, I understand that I must create 10 instances of GT :(.
Is there a way to associate various clients with one instance of GT
(different paths)?
Thanks for your help.
Regards,
Sylvain
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj