[keycloak-user] Kubernetes integration

Pedro Igor Silva psilva at redhat.com
Tue Aug 7 14:09:46 EDT 2018


Please, create an RFE first. We are also working with a generic Golang
adapter (probably a replacement to Keycloak Proxy). Let's see what others
think once we have the JIRA.

On Tue, Aug 7, 2018 at 3:02 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:

> Ok. Is that something the Keycloak team would accept if someone were to
> write it? Or is a feature request the preferred route?
>
> Thanks,
> Kevin
> ------------------------------
> *From:* Pedro Igor Silva [psilva at redhat.com]
> *Sent:* Tuesday, August 07, 2018 10:46 AM
>
> *To:* Fox, Kevin M
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Kubernetes integration
>
> AFAIK, no support. It shouldn't be hard to implement, I think you would
> probably need some config options to define parameters to the authz request.
>
> On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
>
>> Ah, yeah. That looks like it might work.
>>
>> Is there any support for token-exchange in keycloak-proxy? If not, is it
>> something that could easily be added?
>>
>> Thanks,
>> Kevin
>> ------------------------------
>> *From:* Pedro Igor Silva [psilva at redhat.com]
>> *Sent:* Tuesday, August 07, 2018 4:59 AM
>> *To:* Fox, Kevin M
>> *Cc:* keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] Kubernetes integration
>>
>>
>>
>> On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
>>
>>> Question regarding using KeyCloak and Kubernetes.
>>>
>>> Kubernetes only supports one ClientID. If you are supporting both the
>>> cli and the web ui, in Dex or Google you set up two clients, one for the
>>> website, and one for the cli. You mark the cli a Public Client, and you
>>> establish a trust between the website client and the cli. In either case
>>> then, the token passed to Kubernetes is for the same client.
>>>
>>> What is the recommended way of doing something like this with KeyCloak?
>>> I see a Public Client option, but I don't see a way to establish the trust
>>> between clients.
>>>
>>
>> We have a token exchange [1] endpoint which can be used to exchange
>> tokens from one client to another.
>>
>> The way Kubernetes supports OIDC is really tricky because the API server
>> expects an ID Token and not an OAuth2 Access Token (with no support for
>> token introspection in case tokens are opaque and not JWTs). As you pointed
>> out, the API server supports a single client id, thus you would need the cli to
>> use the same client configured on the API server or use token exchange.
>>
>> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>>
>>
>>>
>>> Thanks,
>>> Kevin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
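The exchange Pedro points to, written out as an added example that is not part of the thread or of the Keycloak project: a public CLI client sends its own token to the realm token endpoint with the token-exchange grant and asks for an ID token whose audience is the single client id the API server was configured with, and a local check confirms that audience before the token is handed to kubectl. The client ids `kube-cli` and `kubernetes`, the token endpoint URL and the sample tokens are assumptions constructed for the example; Keycloak additionally requires that the calling client be granted the exchange permission on the target client, which is an admin-console step not shown here.

```python
"""Keycloak token exchange for a Kubernetes API server that trusts one client id.

Added example; not code from the mailing list thread or the Keycloak project.
Client ids, endpoint URL and sample tokens are constructed assumptions.
"""
import base64
import json
import urllib.parse
import urllib.request

# Grant and token-type URIs Keycloak's token endpoint accepts for token exchange.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def build_token_exchange_form(cli_client_id, subject_token, api_server_client_id):
    """Form fields for the exchange. The CLI is a public client, so there is no
    client_secret; 'audience' names the client the API server was configured with,
    which is what ends up in the 'aud' claim of the returned ID token."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": cli_client_id,
        "subject_token": subject_token,
        "requested_token_type": ID_TOKEN_TYPE,
        "audience": api_server_client_id,
    }


def exchange_token(token_endpoint, form):
    """POST the form to the realm token endpoint and return the parsed JSON body.
    This is the only network call; it is not exercised offline."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(token_endpoint, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def jwt_claims(token):
    """Payload claims of a compact JWS, read without verifying the signature.
    Signature and issuer verification is the API server's job (it fetches the
    issuer's JWKS); this helper only supports the local audience sanity check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def id_token_audience_ok(token, api_server_client_id):
    """True if the API server's configured client id appears in 'aud'.
    'aud' may be a single string or a list; an absent 'aud' fails closed."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return bool(aud) and api_server_client_id in aud


def make_unsigned_jwt(claims):
    """Constructed sample token for offline demonstration (alg 'none', empty signature).
    Real ID tokens from Keycloak are RS256-signed; this exists only so the
    audience check above can be run without a server."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # Assumed values: realm 'k8s' on an SSO host, CLI client 'kube-cli',
    # API server started with --oidc-client-id=kubernetes.
    form = build_token_exchange_form("kube-cli", "<cli access token>", "kubernetes")
    print(urllib.parse.urlencode(form))
    sample = make_unsigned_jwt({"iss": "https://sso.example.test/realms/k8s",
                                "aud": "kubernetes", "sub": "kevin"})
    print("audience ok:", id_token_audience_ok(sample, "kubernetes"))
```

The audience check matters because a token minted for `kube-cli` that is passed straight to the API server is rejected there; checking `aud` locally turns that into an immediate, explicit failure rather than an opaque 401 from kubectl, and it also catches a misconfigured `audience` parameter in the exchange request.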

