1 =================================
2 Keycloak integration with RadosGW
3 =================================
5 Keycloak can be setup as an OpenID Connect Identity Provider, which can be used by mobile/ web apps
6 to authenticate their users. The Web token returned as a result of authentication can be used by the
7 mobile/ web app to call AssumeRoleWithWebIdentity to get back a set of temporary S3 credentials,
8 which can be used by the app to make S3 calls.
13 Installing and bringing up Keycloak can be found here: https://www.keycloak.org/docs/latest/server_installation/.
15 Configuring Keycloak to talk to RGW
16 ===================================
18 The following configurables have to be added for RGW to talk to Keycloak.
19 The format of token inspection url is https://[base-server-url]/token/introspect::
21 [client.radosgw.gateway]
22 rgw sts key = {sts key for encrypting/ decrypting the session token}
23 rgw s3 auth use sts = true
24 rgw_sts_token_introspection_url = {url for token introspection}
25 rgw_sts_client_id = {client-id}
26 rgw_sts_client_secret = {client-password}
28 Example showing how to fetch a web token from Keycloak
29 ======================================================
31 Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak/tree/master/examples/demo-template
32 Taking the example of customer-portal app given in the link above, its client secret and client password, can be used to fetch the
33 access token (web token) as given below::
36 KC_CLIENT=customer-portal
37 KC_CLIENT_SECRET=password
41 # Request Tokens for credentials
44 -H "Content-Type: application/x-www-form-urlencoded" \
46 -d "grant_type=client_credentials" \
47 -d "client_id=$KC_CLIENT" \
48 -d "client_secret=$KC_CLIENT_SECRET" \
49 "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
53 KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
55 KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in
projects / ceph.git / blob