Keycloak (as an Identity Provider) to secure Openshift
In this post, we will see how to use Keycloak as an Identity Provider for your OpenShift cluster, with OpenShift acting as an Identity Broker. The reverse is also possible: you can use OpenShift as a provider for Keycloak, but we won't cover that scenario in this post. In simple terms, Keycloak users can log in to the OpenShift cluster.
The flow is shown in the diagram (Figure 1.1). Once you configure the Identity Provider in the OpenShift instance, a new option appears on the login screen. With Keycloak acting as the OpenID Connect provider, Keycloak users are able to access the OpenShift cluster. Now, let's see the configuration.
Let’s start with creating a Client in Keycloak.
You can create a new realm or use an existing one. Create a client (Figure 1.2) with the following settings:
- Client ID: test
- Client Protocol: openid-connect
- Access Type: confidential
- Standard Flow Enabled: On
- Valid Redirect URI: https://* (for testing or non-production environments only)
  https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name> (production environment)
  <idp_provider_name> is the Name defined in OpenShift for the configuration (see Figure 1.5)
Now, log in to the OpenShift console as kubeadmin. Once you are logged in, open the side menu and locate Cluster Settings.
Under Global Configuration you will see OAuth.
There you will find the Identity Providers section. In the Add drop-down, select OpenID Connect from the options.
Openshift Oauth Configuration
- Name: keycloak (case sensitive)
- Client ID: test
- Client Secret: <copy from the Credentials tab of the test client in Keycloak>
- Issuer URL: https://<keycloak-host>/auth/realms/<realm-name>
Based on the Name (keycloak), your redirect URI would be https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/keycloak.
Make sure you have added this valid redirect URI to the Keycloak client configuration of your test client (Figure 1.2).
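The console form above writes the cluster's OAuth resource for you. To show the same configuration done declaratively, here is an added example (my own script, not from the post and not from the OpenShift or Keycloak projects) that generates that OAuth resource and sanity-checks the two URLs people most often get wrong: the issuer URL and the redirect URI. The cluster name, domain, Keycloak host and realm are constructed placeholders; the /auth path prefix assumes a Keycloak version that still serves under /auth, which is what the post's Issuer URL uses.

```shell
#!/usr/bin/env bash
# Added example (not from the post): generate the OpenShift OAuth manifest that
# matches the console steps, and check the issuer URL and redirect URI.
set -eu

# Constructed placeholder values; replace with your own.
CLUSTER_NAME="mycluster"
CLUSTER_DOMAIN="example.com"
KEYCLOAK_HOST="keycloak.example.com"
REALM="myrealm"
IDP_NAME="keycloak"        # must match the Name in the OAuth config, case sensitive
CLIENT_ID="test"
SECRET_NAME="${IDP_NAME}-client-secret"

# Redirect URI OpenShift registers for an IdP named $1 (pattern from the post).
redirect_uri() {
  printf 'https://oauth-openshift.apps.%s.%s/oauth2callback/%s\n' \
    "$CLUSTER_NAME" "$CLUSTER_DOMAIN" "$1"
}

# Issuer URL of Keycloak realm $1 (Keycloak versions that serve under /auth).
issuer_url() {
  printf 'https://%s/auth/realms/%s\n' "$KEYCLOAK_HOST" "$1"
}

# OpenShift fetches this discovery document from the issuer and rejects the IdP
# if the "issuer" claim inside it does not match the configured URL exactly.
discovery_url() {
  printf '%s/.well-known/openid-configuration\n' "$1"
}

# Reject the common mistakes: plain http, or a missing "/" after the host.
check_issuer() {
  case "$1" in
    https://*/auth/realms/?*) return 0 ;;
    *) echo "bad issuer URL: $1" >&2; return 1 ;;
  esac
}

# OAuth cluster resource equivalent to the console form. The client secret is
# referenced by name and must exist as a Secret in the openshift-config
# namespace with the key "clientSecret".
oauth_manifest() {
  check_issuer "$(issuer_url "$REALM")"
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ${IDP_NAME}
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: ${CLIENT_ID}
      clientSecret:
        name: ${SECRET_NAME}
      claims:
        preferredUsername:
        - preferred_username
        name:
        - name
        email:
        - email
      issuer: $(issuer_url "$REALM")
EOF
}

# Usage (needs cluster-admin and a logged-in oc):
#   oc create secret generic "$SECRET_NAME" -n openshift-config \
#       --from-literal=clientSecret='<copy from Keycloak>'
#   oauth_manifest | oc apply -f -
#   curl -fsS "$(discovery_url "$(issuer_url "$REALM")")"
```

Run the curl line before applying the manifest: if the discovery document does not come back over HTTPS from exactly the issuer you configured, OpenShift will mark the provider as failed and the keycloak button will not appear on the login page. The wildcard https://* redirect URI from the Keycloak step is deliberately absent here; in production register only the exact URI that redirect_uri prints, so an authorization code can never be sent to another host.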
That’s all you need. Let’s try it out.
Access the OpenShift console in the browser. You will see keycloak as a login option. Click on it and you will be redirected to the Keycloak login page.
Now, enter your Keycloak user credentials.
You will be redirected back to your OpenShift console. As you can see, I am logged in!
Great! Your Keycloak users can now use the OpenShift cluster!
You can manage the OpenShift cluster users with Keycloak and define further permissions to manage fine-grained authorization for users.
Happy Secure Coding ❤