[ceph.git] / ceph / doc / radosgw / keycloak.rst

=================================
Keycloak integration with RadosGW
=================================

Keycloak can be setup as an OpenID Connect Identity Provider, which can be used by mobile/ web apps
to authenticate their users. The Web token returned as a result of authentication can be used by the
mobile/ web app to call AssumeRoleWithWebIdentity to get back a set of temporary S3 credentials,
which can be used by the app to make S3 calls.

Setting up Keycloak
====================

Installing and bringing up Keycloak can be found here: https://www.keycloak.org/docs/latest/server_installation/.

Configuring Keycloak to talk to RGW
===================================

The following configurables have to be added for RGW to talk to Keycloak. 
The format of token inspection url is https://[base-server-url]/token/introspect::

  [client.radosgw.gateway]
  rgw sts key = {sts key for encrypting/ decrypting the session token}
  rgw s3 auth use sts = true
  rgw_sts_token_introspection_url = {url for token introspection}
  rgw_sts_client_id = {client-id}
  rgw_sts_client_secret = {client-password}

Example showing how to fetch a web token from Keycloak
======================================================

Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak/tree/master/examples/demo-template
Taking the example of customer-portal app given in the link above, its client secret and client password, can be used to fetch the
access token (web token) as given below::

    KC_REALM=demo
    KC_CLIENT=customer-portal
    KC_CLIENT_SECRET=password
    KC_SERVER=<host>:8080
    KC_CONTEXT=auth

    # Request Tokens for credentials
    KC_RESPONSE=$( \
    curl -k -v -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "scope=openid" \
    -d "grant_type=client_credentials" \
    -d "client_id=$KC_CLIENT" \
    -d "client_secret=$KC_CLIENT_SECRET" \
    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
    | jq .
    )

    KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)

KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in
:doc:`STS`.
Commit	Line	Data
9f95a23c TL	1	=================================
	2	Keycloak integration with RadosGW
	3	=================================
	4
	5	Keycloak can be setup as an OpenID Connect Identity Provider, which can be used by mobile/ web apps
	6	to authenticate their users. The Web token returned as a result of authentication can be used by the
	7	mobile/ web app to call AssumeRoleWithWebIdentity to get back a set of temporary S3 credentials,
	8	which can be used by the app to make S3 calls.
	9
	10	Setting up Keycloak
	11	====================
	12
	13	Installing and bringing up Keycloak can be found here: https://www.keycloak.org/docs/latest/server_installation/.
	14
	15	Configuring Keycloak to talk to RGW
	16	===================================
	17
	18	The following configurables have to be added for RGW to talk to Keycloak.
	19	The format of token inspection url is https://[base-server-url]/token/introspect::
	20
	21	[client.radosgw.gateway]
	22	rgw sts key = {sts key for encrypting/ decrypting the session token}
	23	rgw s3 auth use sts = true
	24	rgw_sts_token_introspection_url = {url for token introspection}
	25	rgw_sts_client_id = {client-id}
	26	rgw_sts_client_secret = {client-password}
	27
	28	Example showing how to fetch a web token from Keycloak
	29	======================================================
	30
	31	Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak/tree/master/examples/demo-template
	32	Taking the example of customer-portal app given in the link above, its client secret and client password, can be used to fetch the
	33	access token (web token) as given below::
	34
	35	KC_REALM=demo
	36	KC_CLIENT=customer-portal
	37	KC_CLIENT_SECRET=password
	38	KC_SERVER=<host>:8080
	39	KC_CONTEXT=auth
	40
	41	# Request Tokens for credentials
	42	KC_RESPONSE=$( \
	43	curl -k -v -X POST \
	44	-H "Content-Type: application/x-www-form-urlencoded" \
	45	-d "scope=openid" \
	46	-d "grant_type=client_credentials" \
	47	-d "client_id=$KC_CLIENT" \
	48	-d "client_secret=$KC_CLIENT_SECRET" \
	49	"http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
	50	\| jq .
	51	)
	52
	53	KC_ACCESS_TOKEN=$(echo $KC_RESPONSE\| jq -r .access_token)
	54
	55	KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in
	56	:doc:`STS`.