[keycloak-user] Integrate Keycloak 1.9.4 with Openshift Origin

Charles Moulliard cmoullia at redhat.com
Thu May 19 03:18:50 EDT 2016


Hi,

According to the OpenShift documentation (
https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#OpenID)
and this blog article (
http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html),
we can integrate Keycloak as an IdentityProvider with OpenShift.

So, I have configured master-config.yaml to use Keycloak 1.9.4.Final as the
identity provider. See the config below:

oauthConfig:
  alwaysShowProviderSelection: false
  assetPublicURL: https://192.168.99.100:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    name: keycloak
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      ca: keycloak-ca.cert
      clientID: openshift
      clientSecret: fbde8b27-3342-4494-b3a3-7db645e9dfe5
      claims:
        id:
        - sub
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      urls:
        authorize: https://192.168.1.80:8443/auth/realms/openshift/tokens/login
        token: https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes
>
But when I try to log on to the OpenShift console, I'm redirected to the
Keycloak server, which returns this Error 404:

--> GET
https://192.168.1.80:8443/auth/realms/openshift/tokens/login?client_id=open…YlMjUyRjE5Mi4xNjguOTkuMTAwJTI1M0E4NDQzJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D
404 (Not Found)

According to this thread (
http://stackoverflow.com/questions/28658735/what-are-keycloaks-oauth2-openid-connect-endpoints
), the URLs to be used are these:

        authorize:
https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth
        token:
https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token

FYI, I can get a token:

curl -k -s -X POST \
  https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'username=test-user' \
  -d 'password=password' \
  -d 'grant_type=password' \
  -d 'client_id=openshift' \
  -d 'client_secret=fbde8b27-3342-4494-b3a3-7db645e9dfe5' | jq -r '.access_token'
eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1ODExNGExZi1mMTQwLTQwYTctODAwOS1hNGU2


Can you confirm that the correct URLs to use are these?

        authorize:
https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth
        token:
https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token

Regards,

Charles
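Added example (not part of the message above, and not OpenShift or Keycloak code): the 404 came from copying endpoint paths out of a blog post written for an older Keycloak, and the same thing will happen again at the next upgrade. The OIDC discovery document the realm publishes is the authoritative source for `authorization_endpoint` and `token_endpoint`; the script below reads it and renders the `urls:` stanza for master-config.yaml, refusing any endpoint that is not HTTPS or that lives outside the realm's issuer. It assumes Keycloak serves the document at `https://<host>/auth/realms/<realm>/.well-known/openid-configuration` (the `/auth` context root used in the thread); the host, realm and CA file name are taken from the message, the `SAMPLE_DISCOVERY` and `TAMPERED_DISCOVERY` documents are constructed for the offline demo, and `fetch_discovery` is the only part that touches the network. The client secret quoted in the message is now public and should be rotated; no secret is needed here.

```python
"""Derive the OpenShift OpenIDIdentityProvider `urls:` stanza from a Keycloak
realm's OIDC discovery document instead of hard-coding endpoint paths.

Added example, not from the thread, OpenShift or Keycloak. Assumes Keycloak
serves OIDC Discovery metadata at
https://<host>/auth/realms/<realm>/.well-known/openid-configuration.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

KEYCLOAK_BASE = "https://192.168.1.80:8443"   # host from the thread
REALM = "openshift"                             # realm from the thread
CA_FILE = "keycloak-ca.cert"                    # same CA the master-config `ca:` points at

# Constructed sample shaped like Keycloak's discovery response for that realm.
# Placeholder values modelled on the thread's host and realm, not a capture.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"{KEYCLOAK_BASE}/auth/realms/{REALM}",
    "authorization_endpoint": f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/auth",
    "token_endpoint": f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/token",
    "userinfo_endpoint": f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/userinfo",
    "jwks_uri": f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/certs",
})

# Constructed negative case: token endpoint points at a different host than the
# issuer (what a tampered or mis-proxied document would look like). Must be rejected.
TAMPERED_DISCOVERY = json.dumps({
    "issuer": f"{KEYCLOAK_BASE}/auth/realms/{REALM}",
    "authorization_endpoint": f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/auth",
    "token_endpoint": f"https://192.168.99.100:8443/auth/realms/{REALM}/protocol/openid-connect/token",
})


def discovery_url(base: str, realm: str) -> str:
    """Well-known discovery URL for a Keycloak realm under the /auth context root."""
    return f"{base.rstrip('/')}/auth/realms/{realm}/.well-known/openid-configuration"


def fetch_discovery(base: str, realm: str, ca_file: str) -> str:
    """Fetch the discovery document over TLS, trusting only `ca_file` (chain and
    hostname are verified; no `-k`). Network call, not used by the offline demo."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(discovery_url(base, realm), context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


def endpoints_from_discovery(doc_json: str, base: str, realm: str) -> dict:
    """Parse the document and return {'authorize': ..., 'token': ...}.

    Rejects a document whose issuer is not the expected realm, and any endpoint
    that is not HTTPS or not located under that issuer, so a stray or tampered
    document cannot redirect the OAuth flow to another host."""
    doc = json.loads(doc_json)
    expected_issuer = f"{base.rstrip('/')}/auth/realms/{realm}"
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        raise ValueError(f"issuer {issuer!r} != expected {expected_issuer!r}")
    out = {}
    for os_key, oidc_key in (("authorize", "authorization_endpoint"),
                             ("token", "token_endpoint")):
        url = doc.get(oidc_key)
        if not url:
            raise ValueError(f"discovery document lacks {oidc_key}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{oidc_key} is not https: {url}")
        if not url.startswith(issuer + "/"):
            raise ValueError(f"{oidc_key} {url} is outside issuer {issuer}")
        out[os_key] = url
    return out


def render_openshift_urls(endpoints: dict, indent: int = 6) -> str:
    """Render the `urls:` block of an OpenIDIdentityProvider for master-config.yaml.
    Default indent matches the `provider:` nesting level used in the thread."""
    pad = " " * indent
    return (f"{pad}urls:\n"
            f"{pad}  authorize: {endpoints['authorize']}\n"
            f"{pad}  token: {endpoints['token']}\n")


if __name__ == "__main__":
    # Offline demo on the constructed document. For a live realm, replace
    # SAMPLE_DISCOVERY with fetch_discovery(KEYCLOAK_BASE, REALM, CA_FILE).
    eps = endpoints_from_discovery(SAMPLE_DISCOVERY, KEYCLOAK_BASE, REALM)
    print(render_openshift_urls(eps))
```

Against a live realm, swap the constructed document for `fetch_discovery(KEYCLOAK_BASE, REALM, CA_FILE)`; the result is the same `protocol/openid-connect/auth` and `protocol/openid-connect/token` pair the message arrives at, but taken from the server rather than guessed, and the issuer check is the same one the `sub`-based identity mapping in the config silently relies on.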