[keycloak-user] Integrate Keycloak 1.9.4 with Openshift Origin

Charles Moulliard cmoullia at redhat.com
Fri May 20 07:59:41 EDT 2016


Thx. I have been able to configure Openshift with Keycloak as Identity
Provider

On Fri, May 20, 2016 at 7:56 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Yes, those are the correct URLs. The URLs from the blog post you are
> referring to are deprecated as they were not following the spec.
>
> BTW the following endpoint lists all URLs for OIDC, we're also improving
> the docs around this soon:
> http://localhost:8080/auth/realms/<REALM NAME>/.well-known/openid-configuration
>
>
>
>
> On 19 May 2016 at 09:18, Charles Moulliard <cmoullia at redhat.com> wrote:
>
>> Hi,
>>
>> According to Openshift Doc (
>> https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#OpenID)
>> and this blog article (
>> http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html
>> ), we can integrate Keycloak as IdentityProvider with Openshift.
>>
>> So, I have configured the master-config.yaml to use Keycloak 1.9.4.Final
>> as Identity Provider. See hereafter the config
>>
>> oauthConfig:
>>   alwaysShowProviderSelection: false
>>   assetPublicURL: https://192.168.99.100:8443/console/
>>   grantConfig:
>>     method: auto
>>   identityProviders:
>>   - challenge: true
>>     login: true
>>     name: keycloak
>>     provider:
>>       apiVersion: v1
>>       kind: OpenIDIdentityProvider
>>       ca: keycloak-ca.cert
>>       clientID: openshift
>>       clientSecret: fbde8b27-3342-4494-b3a3-7db645e9dfe5
>>       claims:
>>         id:
>>         - sub
>>         preferredUsername:
>>         - preferred_username
>>         name:
>>         - name
>>         email:
>>         - email
>>       urls:
>>         authorize: https://192.168.1.80:8443/auth/realms/openshift/tokens/login
>>         token: https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes
>>
>> But, when I try to log on to the Openshift console, I'm redirected to
>> Keycloak Server which returns this Error 404
>>
>> --> GET
>> https://192.168.1.80:8443/auth/realms/openshift/tokens/login?client_id=open…YlMjUyRjE5Mi4xNjguOTkuMTAwJTI1M0E4NDQzJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D
>> 404 (Not Found)
>>
>> According to this thread (
>> http://stackoverflow.com/questions/28658735/what-are-keycloaks-oauth2-openid-connect-endpoints
>> ), the urls to be used are these
>>
>>         authorize: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth
>>         token: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token
>>
>> FYI, I can get a token -->
>>
>> curl -k -s -X POST \
>>   https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token \
>>   -H "Content-Type: application/x-www-form-urlencoded" \
>>   -d 'username=test-user' -d 'password=password' -d 'grant_type=password' \
>>   -d 'client_id=openshift' \
>>   -d 'client_secret=fbde8b27-3342-4494-b3a3-7db645e9dfe5' | jq -r '.access_token'
>> eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1ODExNGExZi1mMTQwLTQwYTctODAwOS1hNGU2
>>
>>
>> Can you confirm that the correct URLs to be used are these?
>>
>>         authorize: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth
>>         token: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token
>>
>> Regards,
>>
>> Charles
>>
>
>
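
Added example (not part of the original thread, and not Keycloak or OpenShift code): a check that compares the `urls` block of the identity provider against the realm's discovery document mentioned in the reply, so deprecated endpoints are caught before a login attempt returns 404. The discovery JSON is a constructed sample and the function names are illustrative.

```python
import json
from urllib.parse import urlsplit

REALM = "https://192.168.1.80:8443/auth/realms/openshift"  # realm URL from the thread

# Constructed sample, shaped like the realm's discovery document (not captured output).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
    "token_endpoint": REALM + "/protocol/openid-connect/token",
})

# The two `urls` blocks discussed in the thread.
DEPRECATED = {"authorize": REALM + "/tokens/login",
              "token": REALM + "/tokens/access/codes"}
CONFIRMED = {"authorize": REALM + "/protocol/openid-connect/auth",
             "token": REALM + "/protocol/openid-connect/token"}

# master-config.yaml key -> OIDC discovery metadata field
FIELD_MAP = {"authorize": "authorization_endpoint", "token": "token_endpoint"}


def discovery_url(base, realm):
    """Discovery URL for a realm, using the path layout given in the reply."""
    return f"{base.rstrip('/')}/auth/realms/{realm}/.well-known/openid-configuration"


def check_provider_urls(configured, discovery_json):
    """Return a list of problems found in an identity provider's `urls` block."""
    meta = json.loads(discovery_json)
    problems = []
    for key, field in FIELD_MAP.items():
        want, have = meta.get(field), configured.get(key)
        if want is None:
            problems.append(f"discovery document has no {field}")
        elif have != want:
            problems.append(f"{key}: configured {have!r}, discovery says {want!r}")
        elif urlsplit(want).scheme != "https":
            problems.append(f"{key}: {want!r} is not served over https")
    return problems


if __name__ == "__main__":
    print(discovery_url("https://192.168.1.80:8443", "openshift"))
    for label, urls in (("deprecated", DEPRECATED), ("confirmed", CONFIRMED)):
        print(label, check_provider_urls(urls, SAMPLE_DISCOVERY) or "OK")
```

In a real deployment the discovery document would be fetched from the URL that `discovery_url` returns, with certificate verification against the CA configured for the provider.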