=================================
Keycloak integration with RadosGW
=================================

Keycloak can be set up as an OpenID Connect Identity Provider, which can be used by mobile/ web apps
to authenticate their users. The web token (the OIDC access token) returned as a result of authentication
can be used by the mobile/ web app to call AssumeRoleWithWebIdentity to get back a set of temporary S3
credentials, which can be used by the app to make S3 calls.

Setting up Keycloak
===================

Instructions for installing and bringing up Keycloak can be found here: https://www.keycloak.org/docs/latest/server_installation/.

Configuring Keycloak to talk to RGW
===================================

The following configurables have to be added for RGW to talk to Keycloak.
The token introspection url is the realm's OpenID Connect token endpoint with ``/introspect`` appended,
i.e. https://[base-server-url]/auth/realms/[realm]/protocol/openid-connect/token/introspect
(Keycloak versions that no longer serve under the ``/auth`` context path omit that segment)::

   [client.radosgw.gateway]
   rgw_sts_key = {sts key for encrypting/ decrypting the session token}
   rgw_s3_auth_use_sts = true
   rgw_sts_token_introspection_url = {url for token introspection}
   rgw_sts_client_id = {client-id}
   rgw_sts_client_secret = {client-secret}

``rgw_sts_client_id`` and ``rgw_sts_client_secret`` are the credentials of a confidential Keycloak client
that is permitted to call the introspection endpoint; RGW authenticates with them every time it validates
a web token, so if they are wrong every AssumeRoleWithWebIdentity call fails, not just calls with bad tokens.
``rgw_sts_key`` has to be identical on every RGW instance of the zone, otherwise a session token issued by
one gateway cannot be decrypted by another.

Example showing how to fetch a web token from Keycloak
======================================================

Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak/tree/master/examples/demo-template
Taking the example of the customer-portal app given in the link above, its client id and client secret can be used to fetch the
access token (web token) as given below::

   KC_REALM=demo
   KC_CLIENT=customer-portal
   KC_CLIENT_SECRET=password
   KC_SERVER=<host>:8080
   KC_CONTEXT=auth

   # Request Tokens for credentials
   KC_RESPONSE=$( \
   curl -k -v -X POST \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "scope=openid" \
   -d "grant_type=client_credentials" \
   -d "client_id=$KC_CLIENT" \
   -d "client_secret=$KC_CLIENT_SECRET" \
   "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
   | jq . \
   )

   KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)

Note that the example talks to Keycloak over plain HTTP and passes ``-k`` to curl, which disables TLS
certificate verification; that is acceptable only for a local test setup. Against a real deployment use
``https://`` and drop ``-k``: the client secret sent in the request and the access token in the response
are bearer credentials, and anyone who can read them on the wire can obtain S3 credentials with them.

KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in
:doc:`STS`.
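To make concrete what RGW does with the ``rgw_sts_*`` settings and the web token once AssumeRoleWithWebIdentity is called, here is an added example, not code from Ceph or Keycloak, that models the RFC 7662 token introspection exchange offline in Python. Both ends run in-process: the RGW side builds the request from ``rgw_sts_token_introspection_url``, ``rgw_sts_client_id`` and ``rgw_sts_client_secret`` and the client's web token, a stand-in for Keycloak's introspection endpoint answers it, and the RGW side decides whether the token may be used. It assumes Keycloak takes the introspecting client's credentials as HTTP Basic auth (Keycloak also accepts them as form fields); the realm state, client names, tokens and clock are constructed, and taking the trust policy's application id from the ``azp``/``aud`` claims is an assumption of this model, not a statement about RGW internals.

```python
"""Offline model of the token introspection RGW performs before issuing STS credentials.

Added example; not Ceph or Keycloak code. Names, secrets, tokens and the clock are made up.
"""
import base64
from urllib.parse import parse_qs, urlencode

NOW = 1_700_000_000  # fixed clock (constructed) so the outcome is reproducible

# Constructed stand-in for the [client.radosgw.gateway] settings.
RGW_CONF = {
    "rgw_sts_token_introspection_url":
        "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token/introspect",
    "rgw_sts_client_id": "rgw-introspector",
    "rgw_sts_client_secret": "rgw-introspector-secret",
}

# Constructed Keycloak realm state: confidential clients and the tokens it has issued.
KEYCLOAK_CLIENTS = {"rgw-introspector": "rgw-introspector-secret",
                    "customer-portal": "password"}
ISSUED_TOKENS = {
    "tok-fresh":   {"sub": "f1a2-user", "azp": "customer-portal", "aud": "customer-portal",
                    "iss": "https://keycloak.example/auth/realms/demo", "exp": NOW + 300},
    "tok-expired": {"sub": "f1a2-user", "azp": "customer-portal", "aud": "customer-portal",
                    "iss": "https://keycloak.example/auth/realms/demo", "exp": NOW - 60},
}


def build_introspection_request(token, conf):
    """RGW side: POST token=<web token>, authenticating as the configured client.

    HTTP Basic auth for the client credentials is an assumption of this model.
    """
    creds = f"{conf['rgw_sts_client_id']}:{conf['rgw_sts_client_secret']}".encode()
    return {
        "url": conf["rgw_sts_token_introspection_url"],
        "headers": {"Authorization": "Basic " + base64.b64encode(creds).decode(),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": token}),
    }


def keycloak_introspect(request, clients, issued, now):
    """Stand-in for Keycloak's introspection endpoint with RFC 7662 semantics."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    if clients.get(client_id) != secret:
        return 401, {"error": "invalid_client"}
    token = parse_qs(request["body"]).get("token", [""])[0]
    claims = issued.get(token)
    # Unknown, revoked and expired tokens all come back as a bare active:false,
    # so the caller learns nothing about tokens it cannot use.
    if claims is None or claims["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, **claims}


def rgw_check_web_token(token, conf=RGW_CONF, now=NOW):
    """RGW side: returns (accepted, detail).

    On acceptance ``detail`` holds the claims a role trust policy would be
    evaluated against; on rejection it holds the reason.
    """
    req = build_introspection_request(token, conf)
    status, resp = keycloak_introspect(req, KEYCLOAK_CLIENTS, ISSUED_TOKENS, now)
    if status != 200:
        # Wrong rgw_sts_client_id/secret: every web token is refused, valid ones included.
        return False, f"introspection refused RGW's client credentials: {resp.get('error')}"
    if not resp.get("active"):
        return False, "token inactive (unknown, revoked or expired)"
    if resp["exp"] <= now:
        return False, "token expired"  # defensive; Keycloak already reports this as inactive
    # Assumption of this model: the application id matched by the trust policy
    # comes from azp, falling back to aud.
    return True, {"sub": resp["sub"], "app_id": resp.get("azp") or resp.get("aud"),
                  "iss": resp["iss"], "exp": resp["exp"]}


if __name__ == "__main__":
    bad_conf = dict(RGW_CONF, rgw_sts_client_secret="wrong")
    for label, tok, conf in [("fresh token", "tok-fresh", RGW_CONF),
                             ("expired token", "tok-expired", RGW_CONF),
                             ("unknown token", "tok-forged", RGW_CONF),
                             ("fresh token, bad rgw secret", "tok-fresh", bad_conf)]:
        print(f"{label:28s} -> {rgw_check_web_token(tok, conf)}")
```

The last case is the one worth remembering when debugging: a mistyped ``rgw_sts_client_secret`` does not show up as a bad token but as the introspection endpoint refusing RGW itself, so every AssumeRoleWithWebIdentity call fails regardless of how fresh the web token is.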