[keycloak-user] Keycloak Gatekeeper + API Key + Service Account

Sylvain Malnuit sylvain.malnuit at lyra-network.com
Thu Apr 4 09:16:25 EDT 2019


Hi,
I have found a solution.
In the same realm, you must create a common client "common" for your
specific realm.
You create a serviceaccount client and override the aud and clientId claims
to use common, and the username must be "serviceaccount" (Client/Mapper or
Client Templates/Create + Client/Mapper/Inherit Template Mappers).
In the Gatekeeper configuration, you declare the common client for your realm.

The customer gets a token using the secret of serviceaccount (aud=common,
clientid=common and username=serviceaccount).
It uses it to consume a service protected by Gatekeeper.
Gatekeeper will receive this token and compare aud and client with this 
configuration.
Abracadabra!!!
It will allow this request and add serviceaccount as username in the header.

Thanks for taking the time to answer.
Bye,



-----Original Message-----
From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Thursday, April 4, 2019 14:57
To: Sylvain Malnuit <sylvain.malnuit at lyra-network.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account

Hi Sylvain, unfortunately that's not possible. Acting as a proxy is out of
scope for Gatekeeper.

On 2019-03-19, Sylvain Malnuit wrote:
> Hi,
>
>
>
> Using Keycloak, it's possible to declare a client like a service account.
> The client secret becomes the API key.
>
> In my case, I'm going to generate 10 clients (10 API keys).
>
>
>
> I have tried to use Keycloak-gatekeeper to cover this use case but GK
> supports only one client.
>
> In my case, I understand that I must create 10 instances of GT :(.
>
>
>
> Is there a way to associate various clients with one instance of GT
> (different paths)?
>
>
>
> Thanks for your help.
>
>
>
> Regards,
>
> Sylvain
>
>
>

-- 

abstractj
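
The check described in the first message, sketched as an added Go example (not Gatekeeper's code and not from the thread): a proxy configured for one client accepts a token only when its aud and clientId match that client, which is why the overriding mappers make several service accounts pass. The claim names `clientId` and `preferred_username`, the `Authorize` helper and the sample payloads are assumptions constructed for illustration, and signature verification is assumed to have happened before this step.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// claims: only the fields the thread mentions; claim names are assumptions.
type claims struct {
	Aud      json.RawMessage `json:"aud"`
	ClientID string          `json:"clientId"`
	Username string          `json:"preferred_username"`
}

// audiences normalizes "aud", which may be a JSON string or an array.
func audiences(raw json.RawMessage) (out []string) {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	_ = json.Unmarshal(raw, &out)
	return out
}

// Authorize applies a single-client check to an already verified payload
// and returns the username that would be forwarded upstream.
func Authorize(payload []byte, proxyClient string) (string, error) {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	audOK := false
	for _, a := range audiences(c.Aud) {
		audOK = audOK || a == proxyClient
	}
	if !audOK || c.ClientID != proxyClient {
		return "", errors.New("token not issued for " + proxyClient)
	}
	return c.Username, nil
}

func main() {
	for _, p := range []string{ // constructed payloads: mapped, then unmapped
		`{"aud":"common","clientId":"common","preferred_username":"serviceaccount"}`,
		`{"aud":["account"],"clientId":"customer-a","preferred_username":"service-account-customer-a"}`,
	} {
		fmt.Println(Authorize([]byte(p), "common"))
	}
}
```

If every service-account client is mapped to the same aud, clientId and username, these three claims no longer distinguish one customer from another, so any per-customer authorization has to rely on a different claim.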


