Using Keycloak as an IdP

Follow the instructions below to use Keycloak as the Identity Provider (IdP) that authenticates the APIs belonging to a specific organization:
Configure Keycloak

- Sign in to the Keycloak Management Console.
- Click Client Scopes and create a client scope named "default".
- Click Clients and create a client:
  - Add the client ID. In this scenario it is "apk-client".
  - Under the capability config, enable client authentication.
  - Click Save.
- Click Client Scopes and add the "default" scope created previously to the client as a default scope.
- Click the created client; the client secret is shown in the Credentials section.
Configure Kubernetes Gateway

- Add a Keycloak token issuer. Create the TokenIssuer resource as `<token-issuer>.yaml`:

```yaml
apiVersion: dp.wso2.com/v1alpha2
kind: TokenIssuer
metadata:
  name: keyclock
  namespace: apk
spec:
  claimMappings: []
  consumerKeyClaim: azp
  issuer: http://keycloak.default.svc.cluster.local:8080/realms/master
  name: KeyClock
  organization: carbon.super
  scopesClaim: scope
  signatureValidation:
    jwks:
      url: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: wso2-apk-default
```

| Parameter | Description |
|---|---|
| issuer | The IdP's issuer URL. |
| jwksEndpoint | The URL of the IdP's JSON Web Key Set (JWKS) endpoint (`signatureValidation.jwks.url` in the YAML above). |
| organization | The organization of the IdP. |

- Run the following command to add the token issuer to the namespace in which the Kubernetes Gateway is deployed:

```shell
kubectl apply -f <token-issuer>.yaml -n <namespace>
```
Generate Token with Client Credentials

```shell
curl -X POST http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token -d "client_id=apk-client" -d "client_secret=JZVw8AbO4HbyybDYqPErebBnnog2PRsy" -d "grant_type=client_credentials"
```

The generic form of the request is:

```shell
curl -X POST <keycloak_token_endpoint> -d "client_id=<client_id>" -d "client_secret=<client_secret>" -d "grant_type=client_credentials"
```

You can then use the returned access token to invoke an API deployed in the same organization, in this case "carbon.super".
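As an added example (not part of the APK documentation or project), the following Python script checks a token returned by the request above against what the TokenIssuer maps: `iss` must equal `spec.issuer` exactly, the header `kid` must appear in the JWKS served at `spec.signatureValidation.jwks.url`, and the `azp` (consumerKeyClaim) and `scope` (scopesClaim) claims must be present. It does not verify the signature, which remains the gateway's job; the JWKS and token it uses are constructed stand-ins, not real Keycloak output.

```python
import base64
import json

# Values copied from the TokenIssuer CR on this page
TOKEN_ISSUER = {
    "issuer": "http://keycloak.default.svc.cluster.local:8080/realms/master",
    "consumerKeyClaim": "azp",
    "scopesClaim": "scope",
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> tuple:
    """Split a compact JWS into (header, payload). The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_token(token: str, cfg: dict, jwks: dict) -> list:
    """Compare token claims with the TokenIssuer spec; return the mismatches found.
    Signature validation stays with the gateway (spec.signatureValidation.jwks.url)."""
    header, payload = decode_jwt(token)
    problems = []
    if payload.get("iss") != cfg["issuer"]:
        problems.append(f"iss={payload.get('iss')!r} does not match spec.issuer")
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append(f"kid={header.get('kid')!r} not present in JWKS")
    for field in ("consumerKeyClaim", "scopesClaim"):
        if not payload.get(cfg[field]):
            problems.append(f"claim {cfg[field]!r} ({field}) missing from token")
    return problems

# Constructed sample data (not real Keycloak output): a JWKS with one key id and a
# stand-in token with a dummy signature segment, carrying the claims the CR maps.
SAMPLE_JWKS = {"keys": [{"kid": "constructed-kid-1", "kty": "RSA", "use": "sig"}]}
def build_sample_token(issuer: str) -> str:
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-1"}
    payload = {"iss": issuer, "azp": "apk-client", "scope": "default"}
    return f"{b64(header)}.{b64(payload)}.dummysig"

if __name__ == "__main__":
    print(check_token(build_sample_token(TOKEN_ISSUER["issuer"]), TOKEN_ISSUER, SAMPLE_JWKS))
    # Token requested through another hostname: iss no longer equals spec.issuer
    print(check_token(build_sample_token("https://keycloak.example.test/realms/master"), TOKEN_ISSUER, SAMPLE_JWKS))
```

Keycloak derives `iss` from the URL the token was requested through unless a fixed hostname is configured, so requesting the token via a hostname other than the one in `spec.issuer` is a common reason the gateway rejects an otherwise valid token.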