[keycloak-user] Keycloak Gatekeeper + API Key + Service Account
Sylvain Malnuit
sylvain.malnuit at lyra-network.com
Thu Apr 4 09:16:25 EDT 2019
Hi,
I have found a solution.
In the same realm, you must create a common client "common" for your
specific realm.
You create a serviceaccount client and override the aud and clientId claims to use
common, and username must be "serviceaccount" (client/Mapper or Client
Templates/Create + Client/Mapper/Inherit Template Mappers).
In Gatekeeper configuration, you declare common client for your realm.
Customer gets token using the secret of serviceaccount. (aud=common,
clientid=common and username=serviceaccount)
It uses it to consume a service protected by Gatekeeper.
Gatekeeper will receive this token and compare aud and client with this
configuration.
Abracadabra!!!
It will allow this request and add serviceaccount as username in the header.
Thanks for spending time to answer.
Bye,
-----Original Message-----
From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Thursday, April 4, 2019 14:57
To: Sylvain Malnuit <sylvain.malnuit at lyra-network.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account
Hi Sylvain, unfortunately that's not possible. Acting as a proxy is out of
scope for Gatekeeper.
On 2019-03-19, Sylvain Malnuit wrote:
> Hi,
>
>
>
> Using Keycloak, it's possible to declare a client as a service account.
> The client secret becomes the API key.
>
> In my case, I'm going to generate 10 clients (10 API keys).
>
>
>
> I have tried to use Keycloak-gatekeeper to cover this use case but GK
> supports only one client.
>
> In my case, I understand that I must create 10 instances of GT :(.
>
>
>
> Is there a way to associate various clients with one instance of GT
> (different paths .) ?
>
>
>
> Thxs for your help.
>
>
>
> Regards,
>
> Sylvain
>
>
>
--
abstractj
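
Added example, not part of the original thread and not Gatekeeper's own code: a small model of the check described in the first message, where the proxy is configured with the "common" client and accepts a service-account token only when its aud and clientId claims were mapped to "common". Assumptions: HS256 with a constructed demo key stands in for the realm's signing key, the username claim is taken to be preferred_username, the header name X-Auth-Username is illustrative, and the client name api-key-01 is constructed.

```python
import base64, hashlib, hmac, json

PROXY_CLIENT_ID = "common"          # client declared in the proxy configuration
DEMO_KEY = b"constructed-demo-key"  # HS256 stand-in for the realm signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 token for the demo."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def check_token(token: str, key: bytes = DEMO_KEY):
    """Return (allowed, headers_or_reason) following the thread's description."""
    try:
        head, body, sig = token.split(".")
        # The algorithm is fixed here; the token header is never trusted to pick it.
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except ValueError:
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if PROXY_CLIENT_ID not in audiences:
        return False, "aud does not match proxy client"
    if claims.get("clientId") != PROXY_CLIENT_ID:
        return False, "clientId does not match proxy client"
    # Every mapped service account arrives with the same username.
    return True, {"X-Auth-Username": claims.get("preferred_username", "")}

# Constructed sample claims: one client with the mappers applied, one without.
MAPPED = {"aud": "common", "clientId": "common",
          "preferred_username": "serviceaccount"}
UNMAPPED = {"aud": "api-key-01", "clientId": "api-key-01",
            "preferred_username": "service-account-api-key-01"}
```

With this mapping the username header no longer shows which client secret obtained the token, so per-key attribution has to come from another claim or from the Keycloak side.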