...

Code Block
languagetext
titleIstio
    when:
    - key: request.auth.claims[clientRole]
      values: ["hwclientrole"]


Keycloak Client Authenticator

Using X509 certificates

Create the server-side certificates using the following script:

...

Code Block
languagetext
titleJWT snippet
// Client assertion for Keycloak's "Signed JWT" client authenticator (RFC 7523 private_key_jwt):
// Keycloak verifies it with the certificate/JWK registered on the client under this kid.
// Assumed imports: "crypto/rsa", "fmt", "time" and "github.com/golang-jwt/jwt/v4".
func signClientAssertion(key *rsa.PrivateKey, jti string) (string, error) {
        claims := jwt.MapClaims{}
        claims["iss"] = "jwtclient3" // iss and sub must both equal the Keycloak client ID
        claims["sub"] = "jwtclient3"
        claims["aud"] = "https://192.168.49.2:31561/auth/realms/x509" // realm (or token endpoint) URL
        now := time.Now()
        claims["iat"] = now.Unix()
        claims["exp"] = now.Add(60 * time.Second).Unix() // short-lived: the assertion is a bearer credential
        claims["jti"] = jti                              // unique per request; Keycloak rejects a reused jti

        token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
        token.Header["kid"] = "AKAwbsKtqu9OmIwIsPOUf5zTJkIC73hzY9Myv4srjTs"
        tokenString, err := token.SignedString(key)
        if err != nil {
                return "", fmt.Errorf("create: sign token: %w", err)
        }

        return tokenString, nil
}
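To make the pieces Keycloak checks visible, here is an added Go program (not from the original page or its client code) that builds the same kind of client assertion with the standard library only, verifies it the way the server does, and assembles the token-endpoint form that carries it. It assumes the page's client ID jwtclient3 and realm URL; the kid value, the 60-second lifetime and the fixed jti in main are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Values from the page's setup; the kid "example-kid" below is a placeholder for the key registered on the client.
const (
	clientID = "jwtclient3"
	realmURL = "https://192.168.49.2:31561/auth/realms/x509"
)

// AssertionClaims are what Keycloak's Signed JWT client authenticator checks (RFC 7523).
type AssertionClaims struct {
	Iss string `json:"iss"` // client ID
	Sub string `json:"sub"` // client ID
	Aud string `json:"aud"` // realm (or token endpoint) URL
	Exp int64  `json:"exp"` // keep short: the assertion is a bearer credential
	Jti string `json:"jti"` // unique per assertion; Keycloak rejects a reused jti
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignClientAssertion produces the compact JWS header.payload.signature with RS256 (what jwt.SigningMethodRS256 does).
func SignClientAssertion(key *rsa.PrivateKey, now time.Time, jti string) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "example-kid"})
	payload, _ := json.Marshal(AssertionClaims{Iss: clientID, Sub: clientID, Aud: realmURL,
		Exp: now.Add(60 * time.Second).Unix(), Jti: jti})
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", fmt.Errorf("sign assertion: %w", err)
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion mirrors the server side. The algorithm is pinned to RS256 with the registered
// key instead of being read from the header (no alg=none / HS256 confusion); jti replay tracking is left to the caller.
func VerifyClientAssertion(pub *rsa.PublicKey, token string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	raw, errRaw := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errRaw != nil {
		return nil, errors.New("bad base64url segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c AssertionClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("iss/sub do not identify this client")
	case c.Aud != realmURL:
		return nil, errors.New("wrong audience")
	case c.Jti == "":
		return nil, errors.New("missing jti")
	case now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

// TokenRequestForm is the body POSTed to <realm>/protocol/openid-connect/token;
// the assertion takes the place of client_secret.
func TokenRequestForm(assertion string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // real use: the key whose certificate is on the client
	tok, err := SignClientAssertion(key, time.Now(), "demo-jti-1") // real use: a random jti per call
	if err != nil {
		panic(err)
	}
	fmt.Println(TokenRequestForm(tok).Encode())
}
```

Send the form as application/x-www-form-urlencoded to the realm's token endpoint. Keycloak identifies the client from sub, selects the verification key by kid, and refuses an assertion whose jti it has already seen, so generate a fresh jti for every call and keep exp to a minute or so.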


Keycloak Authorization code grant

The OAuth Authorization Code Grant flow is recommended if your application supports redirects, e.g. a web application or a mobile application.
Public clients (mobile and single-page apps) cannot keep a client secret and should combine it with PKCE (see below).

...

Login triggers a call to the /callback endpoint, which exchanges the authorization code it receives for tokens at the Keycloak token endpoint and returns the JWT to the user. The callback should also check that the returned state parameter matches the one sent in the authorization request (login CSRF protection).


PKCE

PKCE (Proof Key for Code Exchange, RFC 7636) extends the standard Authorization Code Flow: the client sends a hash of a one-time secret (the code_challenge) with the authorization request and the secret itself (the code_verifier) when it redeems the code, so an authorization code intercepted on the redirect cannot be exchanged by anyone else. It is required for public clients, which have no client secret, and is recommended for confidential clients too.
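An added Go example (not from the original page or its code) that puts the two sections above together: it generates the code_verifier, derives the S256 code_challenge, builds the authorization URL the user is redirected to, assembles the form /callback posts to exchange the code, and performs the server-side comparison that makes an intercepted code useless without the verifier. The client ID x509Client, the redirect URI http://localhost:9000/callback and the realm URL are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Assumed endpoints matching the page's minikube Keycloak and x509 realm.
const (
	realmURL    = "https://192.168.49.2:31561/auth/realms/x509"
	clientID    = "x509Client"
	redirectURI = "http://localhost:9000/callback"
)

// NewCodeVerifier returns a high-entropy verifier: 32 random bytes, base64url
// without padding gives 43 characters from the RFC 7636 unreserved set.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 = BASE64URL(SHA256(ASCII(code_verifier))). Use S256: the
// "plain" method sends the verifier itself, so whoever sees the authorize
// request can also redeem the code.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL is the redirect that starts the flow. state is echoed back to
// /callback and must be checked there to stop login CSRF.
func AuthorizeURL(state, challenge string) string {
	q := url.Values{
		"response_type":         {"code"},
		"client_id":             {clientID},
		"redirect_uri":          {redirectURI},
		"scope":                 {"openid"},
		"state":                 {state},
		"code_challenge":        {challenge},
		"code_challenge_method": {"S256"},
	}
	return realmURL + "/protocol/openid-connect/auth?" + q.Encode()
}

// TokenExchangeForm is what /callback POSTs to the token endpoint after it
// receives ?code=...: the verifier proves this client made the authorize request.
func TokenExchangeForm(code, verifier string) url.Values {
	return url.Values{
		"grant_type":    {"authorization_code"},
		"client_id":     {clientID},
		"redirect_uri":  {redirectURI},
		"code":          {code},
		"code_verifier": {verifier},
	}
}

// VerifierMatches is the check the authorization server performs before
// releasing tokens: recompute the challenge stored with the code and compare
// in constant time. RFC 7636 bounds the verifier to 43..128 characters.
func VerifierMatches(storedChallenge, verifier string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	got := CodeChallengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Println("1. redirect the user to:", AuthorizeURL("random-state", challenge))
	fmt.Println("2. /callback exchanges the code with:", TokenExchangeForm("code-from-callback", verifier).Encode())
	fmt.Println("3. server-side check passes:", VerifierMatches(challenge, verifier))
}
```

The verifier and state must be kept per browser session (a server-side session or an HttpOnly cookie) between step 1 and step 2; storing them anywhere the attacker who intercepted the code can read defeats the point of the exchange.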

...

curl -H "Authorization: Bearer $TOKEN" localhost:9000
Hello World OAuth2!


See also: golang oauth2

Keycloak Rest API

Documentation for the Keycloak Admin REST API is available here: Keycloak Admin REST API

...

Code Block
languagetext
titleKeycloak Client Rest API
# Admin token via the password grant on the built-in admin-cli client.
# --insecure is only acceptable here because the local minikube Keycloak uses a
# self-signed certificate; never use it against a real deployment, and read the
# admin credentials from a secret or a prompt instead of putting them in shell history.
export ADMIN_TKN=$(curl -s -X POST --insecure https://$HOST:$KEYCLOAK_PORT/auth/realms/master/protocol/openid-connect/token \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "username=admin" \
 -d 'password=admin' \
 -d 'grant_type=password' \
 -d 'client_id=admin-cli' | jq -r '.access_token')
echo "ADMIN CLIENT TOKEN = $ADMIN_TKN"

# Create a client in the x509provider realm.
# - "clientId" is the OAuth client identifier; "id" is Keycloak's internal UUID and is best left to the server.
# - "enabled" is a boolean.
# - A "*" redirect URI lets any site receive authorization codes; list the exact callback URL(s)
#   for browser flows, or omit redirectUris for a client_credentials-only client.
# - Refresh tokens for client_credentials are discouraged (RFC 6749 4.4.3); the client can simply
#   request a new token, so drop these attributes unless you have a concrete need.
curl -X POST --insecure https://$HOST:$KEYCLOAK_PORT/auth/admin/realms/x509provider/clients \
 -H "Authorization: Bearer $ADMIN_TKN" \
 -H "Content-Type: application/json" \
 --data \
 '
  {
    "clientId": "x509Client",
    "name": "x509Client",
    "enabled": true,
    "defaultClientScopes": ["email"],
    "redirectUris": ["*"],
    "attributes": {"use.refresh.tokens": "true", "client_credentials.use_refresh_token": "true"}
  }
 '


Keycloak SSO & User management

Identity Providers

You can use Keycloak for single sign-on (SSO) so users don't have to log in to each application individually.

...

See the "Identity Providers" menu in the keycloak UI.


User Federation

You can also use existing LDAP or Active Directory servers, or relational databases, for user management if this is required.

...

See the "User Federation" menu in the keycloak UI.


Keycloak Authorization services

Authorization Services Guide

...