Keycloak (as an Identity Provider) to secure OpenShift

In this post, we will see how to use Keycloak as an Identity Provider for your OpenShift cluster, with OpenShift acting as the Identity Broker. The reverse is also possible: you can use OpenShift as a provider for Keycloak, but we won't be covering that scenario in this post. In simple terms, Keycloak users can log in to the OpenShift cluster.

Figure: 1.1 Keycloak (Identity Provider) for the Openshift cluster

As shown in the flow diagram (Figure 1.1), once you configure the Identity Provider in the OpenShift instance, a new option appears on the login screen. Through it, Keycloak (acting as the OpenID Connect provider) authenticates Keycloak users, who can then access the OpenShift cluster. Now, let's look at the configuration.

Let’s start with creating a Client in Keycloak.

Keycloak Client Configuration:

You can create a new realm or use an existing one. Create a client with the following settings (Figure 1.2):

  • Client ID: test
  • Client Protocol: openid-connect
  • Access Type: confidential
  • Standard Flow Enabled: On
  • Valid Redirect URIs: https://* (for testing or non-production environments only; the wildcard allows any HTTPS host to receive the authorization code)

https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name> (production environments)

<idp_provider_name>: the Name defined in the OpenShift identity provider configuration (see Figure 1.5)

Figure: 1.2 Keycloak: Client Configuration

Now, log in to the OpenShift Console as kubeadmin. Once you are logged in, open the side menu and locate Cluster Settings under Administration.

Figure 1.3: Administration

Under Global Configuration you will see OAuth.

Figure 1.4: Oauth Configuration

In the Identity Providers section, open the Add drop-down and select OpenID Connect.

Figure 1.4: Add Identity Provider

OpenShift OAuth Configuration:

  • Name: keycloak (case sensitive)
  • Client ID: test
  • Client Secret: <copy from the Credentials tab of the test client in Keycloak>
  • Issuer URL: https://<keycloak-host>/auth/realms/<realm-name>

Figure 1.5 Add Identity Provider

Based on the Name (keycloak), your redirect URI would be:

https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/keycloak

Make sure you have added this exact value to the Valid Redirect URIs of your test client in the Keycloak client configuration (Figure 1.2).
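The two configuration steps above (the Keycloak client and the OpenShift OAuth identity provider) are shown as screenshots in this post. The script below is an added example, not code from the post or from the Keycloak or OpenShift projects: it derives the exact OAuth callback URL and issuer URL from the values used in this walkthrough, refuses a wildcard redirect URI, and renders the equivalent Keycloak client representation (importable with kcadm.sh) and the OpenShift `OAuth` custom resource with the client secret referenced from a Secret in openshift-config. The host names, realm name and the secret placeholder are constructed values you must replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post). Derives the callback and issuer
# URLs, validates the redirect URI, and renders the Keycloak client and
# OpenShift OAuth manifests that correspond to the screenshots in the post.
# All host names, the realm and the secret value are constructed placeholders.

CLUSTER_NAME="mycluster"              # constructed placeholder
CLUSTER_DOMAIN="example.com"          # constructed placeholder
KEYCLOAK_HOST="keycloak.example.com"  # constructed placeholder
REALM="demo"                          # constructed placeholder
IDP_NAME="keycloak"                   # must match the Name in the OpenShift OAuth config (case sensitive)
CLIENT_ID="test"

# OpenShift OAuth server callback for the identity provider named $3.
redirect_uri() {
  printf 'https://oauth-openshift.apps.%s.%s/oauth2callback/%s\n' "$1" "$2" "$3"
}

# Keycloak realm issuer URL (legacy /auth context path, as used in the post).
issuer_url() {
  printf 'https://%s/auth/realms/%s\n' "$1" "$2"
}

# Returns 0 only for an exact HTTPS OpenShift callback. A wildcard such as
# https://* would let any HTTPS host receive the authorization code, so it is
# only acceptable in a throwaway test realm.
check_redirect_uri() {
  case "$1" in
    *'*'*) return 1 ;;
    https://*/oauth2callback/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Keycloak client representation (fields of the admin REST API / kcadm.sh).
# "Access Type: confidential" in the UI corresponds to publicClient=false.
keycloak_client_json() {
  cat <<EOF
{
  "clientId": "$CLIENT_ID",
  "protocol": "openid-connect",
  "publicClient": false,
  "standardFlowEnabled": true,
  "redirectUris": ["$1"]
}
EOF
}

# OpenShift OAuth custom resource. The client secret is referenced from a
# Secret in the openshift-config namespace and never inlined in the manifest.
oauth_cr_yaml() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: $IDP_NAME
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: $CLIENT_ID
      clientSecret:
        name: keycloak-client-secret
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      issuer: $1
EOF
}

REDIRECT="$(redirect_uri "$CLUSTER_NAME" "$CLUSTER_DOMAIN" "$IDP_NAME")"
ISSUER="$(issuer_url "$KEYCLOAK_HOST" "$REALM")"

if check_redirect_uri "$REDIRECT"; then
  echo "# Keycloak client (save as client.json, then: kcadm.sh create clients -r $REALM -f client.json)"
  keycloak_client_json "$REDIRECT"
  echo "# OpenShift: store the client secret first, then apply the OAuth resource with oc apply -f"
  echo "oc create secret generic keycloak-client-secret --from-literal=clientSecret=<copy from Keycloak> -n openshift-config"
  oauth_cr_yaml "$ISSUER"
else
  echo "refusing wildcard or non-callback redirect URI: $REDIRECT" >&2
  exit 1
fi
```

Running the script prints the two manifests and the `oc create secret` command; nothing is applied until you run those commands yourself. The `claims` mapping tells OpenShift which ID-token claims become the user's login name, display name and e-mail, and `mappingMethod: claim` (the default) creates one OpenShift user per Keycloak identity.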

That’s all you need. Let’s try it out.

Access the OpenShift console in the browser. You will see keycloak as a login option. Click it and you will be redirected to the Keycloak login page.

Now, enter your Keycloak user credentials.

You will be redirected back to your OpenShift console. As you can see, I am logged in!

Great! Your Keycloak users can now use the OpenShift cluster!


You can manage the OpenShift cluster users with Keycloak and define further permissions there for fine-grained user authorization.

If you like this post, give it a Cheer!!!

Follow the Collection: Keycloak for learning more…

Happy Secure Coding ❤

Abhishek koserwal