=================================
Integrating Keycloak with RadosGW
=================================
If Keycloak is set up as an OpenID Connect Identity Provider, mobile apps and
web apps can use it to authenticate their users. The app then presents the web
token (a JWT) returned by that authentication to AssumeRoleWithWebIdentity,
receives a set of temporary S3 credentials bound to the assumed role, and uses
those credentials to make S3 calls. RGW never sees the user's password: it
validates the token and issues credentials limited by the role's policy.
Documentation for installing and operating Keycloak can be found here:
https://www.keycloak.org/guides.
Configuring Keycloak to talk to RGW
===================================

To configure RGW to accept the web tokens that Keycloak issues, and to honour
the temporary credentials that STS returns, add the following configurables to
the gateway's section of ``ceph.conf``::

    [client.radosgw.gateway]
    rgw sts key = {sts key for encrypting/ decrypting the session token}
    rgw s3 auth use sts = true

``rgw sts key`` encrypts the session token carried inside the temporary
credentials, so it must be kept secret and must be identical on every gateway
that will receive those credentials; restart the gateways after changing it.
``rgw s3 auth use sts`` lets the S3 front end accept the temporary credentials.
Fetching a web token with Keycloak
==================================

Several examples of apps authenticating with Keycloak can be found here:
https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md.

Here you might consider the example of the app-profile-jee-jsp app (in the link
above). To fetch the access token (web token) for such an application using the
grant type 'client_credentials', use the client id and client secret as
follows::

    KC_REALM=<realm>
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=auth

    # Request Tokens for credentials
    KC_RESPONSE=$(curl -sS -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials" \
    -d "client_id=$KC_CLIENT" \
    -d "client_secret=$KC_CLIENT_SECRET" \
    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
    )

    KC_ACCESS_TOKEN=$(printf '%s' "$KC_RESPONSE" | jq -r .access_token)

``KC_CONTEXT`` is ``auth`` for the WildFly-based Keycloak distributions; the
Quarkus-based distributions (Keycloak 17 and later) serve ``/realms/...`` at
the root unless started with ``--http-relative-path=/auth``. Note that a token
obtained with 'client_credentials' represents the client's service account,
not a human user, so any attributes you expect in it must be set on that
service-account user. The access token is a bearer credential: use https
rather than plain http anywhere outside a test setup.
It is also possible to fetch an access token for a particular user with the
grant type 'password'. Keycloak only honours this grant for clients that have
'Direct Access Grants Enabled'. To fetch such an access token, use client id,
client secret, username, and password as follows::

    KC_REALM=<realm>
    KC_USERNAME=<username>
    KC_PASSWORD=<userpassword>
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=auth

    # Request Tokens for credentials
    KC_RESPONSE=$(curl -sS -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=password" \
    -d "client_id=$KC_CLIENT" \
    -d "client_secret=$KC_CLIENT_SECRET" \
    -d "username=$KC_USERNAME" \
    -d "password=$KC_PASSWORD" \
    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
    )

    KC_ACCESS_TOKEN=$(printf '%s' "$KC_RESPONSE" | jq -r .access_token)
``KC_ACCESS_TOKEN`` can be used to invoke ``AssumeRoleWithWebIdentity``: see
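The whole exchange above, from the Keycloak token endpoint to the temporary S3
credentials, as an added example in Python using only the standard library.
This is not code from the Ceph or Keycloak projects. It serves both the
'client_credentials' and the 'password' grant, and it sends the
AssumeRoleWithWebIdentity request itself instead of through boto3 so the wire
format is visible: an unsigned form POST whose ``WebIdentityToken`` field is the
credential. It assumes an OpenID Connect provider for the Keycloak realm and a
role trusting it already exist in RGW; the host names, realm, client name and
role ARN in ``main`` are placeholders, and ``SAMPLE_STS_RESPONSE`` is a
constructed response used only to exercise the parser offline.

```python
"""Exchange a Keycloak token for temporary S3 credentials from RGW.

Added example, not from the Ceph or Keycloak projects. Assumes an OIDC
provider for the realm and a role trusting it already exist in RGW.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample of an AssumeRoleWithWebIdentity response (not captured
# from a gateway), used to exercise parse_sts_credentials() offline.
SAMPLE_STS_RESPONSE = """\
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEYID</AccessKeyId>
      <SecretAccessKey>examplesecret/accesskey</SecretAccessKey>
      <SessionToken>examplesessiontoken==</SessionToken>
      <Expiration>2024-01-01T01:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""


def token_request_body(client_id: str, client_secret: str,
                       username: Optional[str] = None,
                       password: Optional[str] = None) -> Dict[str, str]:
    """Form fields for Keycloak's token endpoint. Without a username this is
    the client_credentials grant (token for the client's service account);
    with one it is the password grant, which needs 'Direct Access Grants'."""
    body = {"client_id": client_id, "client_secret": client_secret}
    if username is None:
        body["grant_type"] = "client_credentials"
    else:
        body.update(grant_type="password", username=username,
                    password=password or "")
    return body


def _post_form(url: str, fields: Dict[str, str]) -> bytes:
    """POST urlencoded fields; on an HTTP error surface the response body,
    which is where RGW puts the STS error code (e.g. AccessDenied)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        raise RuntimeError(f"{url}: HTTP {err.code}: {body}") from err


def fetch_access_token(token_url: str, fields: Dict[str, str]) -> str:
    return json.loads(_post_form(token_url, fields))["access_token"]


def assume_role_request_body(role_arn: str, session_name: str, web_token: str,
                             duration_seconds: int = 3600) -> Dict[str, str]:
    """Parameters of an AssumeRoleWithWebIdentity call. The request is not
    SigV4-signed: the JWT in WebIdentityToken is the credential."""
    return {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": str(duration_seconds),
        "WebIdentityToken": web_token,
    }


def parse_sts_credentials(xml_text: str) -> Dict[str, str]:
    """Extract the temporary credentials from the STS XML response. Matches
    on local tag names, so the response namespace does not matter."""
    wanted = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}
    creds: Dict[str, str] = {}
    for element in ET.fromstring(xml_text).iter():
        local = element.tag.rsplit("}", 1)[-1]
        if local in wanted and element.text:
            creds[local] = element.text.strip()
    missing = wanted - creds.keys()
    if missing:
        raise ValueError(f"STS response lacks {sorted(missing)}")
    return creds


def assume_role_with_web_identity(rgw_url: str, role_arn: str,
                                  session_name: str, web_token: str) -> Dict[str, str]:
    body = assume_role_request_body(role_arn, session_name, web_token)
    return parse_sts_credentials(_post_form(rgw_url, body).decode())


if __name__ == "__main__":
    # Placeholders (hypothetical hosts, realm, client and role); use https in
    # practice, since both the JWT and the returned keys are bearer secrets.
    keycloak = "http://keycloak.example:8080/realms/demo/protocol/openid-connect/token"
    token = fetch_access_token(
        keycloak, token_request_body("app-profile-jee-jsp", "<client secret>"))
    creds = assume_role_with_web_identity(
        "http://rgw.example:8000", "arn:aws:iam:::role/S3Access", "session1", token)
    print(creds["AccessKeyId"], "expires", creds["Expiration"])
```

The three values in ``creds`` go straight into a boto3 ``s3`` client or the
AWS CLI as ``aws_access_key_id``, ``aws_secret_access_key`` and
``aws_session_token``; the S3 calls are then signed with them in the normal way.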
Adding tags to a user in Keycloak
=================================

To create a user in Keycloak and add tags to it as its attributes, follow these
steps:

#. Add a user:

   .. image:: ../images/keycloak-adduser.png

#. Fill in the user's details:

   .. image:: ../images/keycloak-userdetails.png

#. Add user credentials:

   .. image:: ../images/keycloak-usercredentials.png

#. Add tags to the 'attributes' tab of the user:

   .. image:: ../images/keycloak-usertags.png

#. Add a protocol mapper that maps the user attribute to a client:

   .. image:: ../images/keycloak-userclientmapper.png

After these steps have been completed, the tag 'Department' will appear in the
JWT (web token), under the 'https://aws.amazon.com/tags' namespace. The mapper
only emits attributes of the user the token was issued for, so if you fetch
tokens with the 'client_credentials' grant, set the attributes on the client's
service-account user.
Tags can be verified by performing token introspection on a JWT. To introspect
a token, use ``client id`` and ``client secret`` as follows::

    KC_REALM=<realm>
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=auth

    curl -sS -X POST \
    -u "$KC_CLIENT:$KC_CLIENT_SECRET" \
    -d "token=$KC_ACCESS_TOKEN" \
    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \
    | jq .

The response carries ``"active": true`` or ``false`` and, for an active token,
its claims, including the tag under the 'https://aws.amazon.com/tags'
namespace. Unlike decoding the JWT locally, introspection also reports tokens
that Keycloak has since revoked or whose session has ended, so it is the check
to use when a token that looks valid is being rejected.
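Decoding the token locally is the quickest way to confirm that the mapper
above actually put the tag where RGW expects it. The following is an added
example in Python, not code from the Ceph or Keycloak projects. It assumes the
mapper writes tags in the AWS principal-tags layout, i.e. the claim
``https://aws.amazon.com/tags`` holds ``{"principal_tags": {name: [values]}}``;
that layout, the hypothetical ``introspect_url``, and the constructed
``SAMPLE_JWT`` (whose signature is a dummy) are assumptions of the example.
``decode_payload`` deliberately does not verify the signature: it is for a
person inspecting a token, not for making authorization decisions, which is
RGW's job against the provider's published keys.

```python
"""Inspect the tags carried in a Keycloak JWT, and introspect it online.

Added example, not from the Ceph or Keycloak projects. Assumes the AWS
principal-tags claim layout; SAMPLE_JWT is constructed, with a dummy signature.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Dict, List, Optional

TAGS_CLAIM = "https://aws.amazon.com/tags"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Build a token with a placeholder signature, for test input only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.AAAA"


# Constructed sample resembling what the mapper in the steps above produces.
SAMPLE_JWT = build_unsigned_jwt({
    "iss": "http://keycloak.example:8080/realms/demo",
    "azp": "app-profile-jee-jsp",
    "exp": 4102444800,  # year 2100, so the sample stays valid
    "preferred_username": "alice",
    TAGS_CLAIM: {"principal_tags": {"Department": ["Engineering"]}},
})


def decode_payload(token: str) -> Dict[str, Any]:
    """Decode the claims WITHOUT verifying the signature. Fine for looking
    at a token; never authorize anything on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def principal_tags(claims: Dict[str, Any]) -> Dict[str, List[str]]:
    """Tags under the AWS namespace, values normalised to lists (Keycloak
    emits multivalued attributes as lists and single ones as scalars)."""
    tags = claims.get(TAGS_CLAIM, {}).get("principal_tags", {})
    return {k: (v if isinstance(v, list) else [v]) for k, v in tags.items()}


def preflight(claims: Dict[str, Any], expected_azp: str,
              now: Optional[float] = None) -> List[str]:
    """Reasons a gateway would reject this token; an empty list means OK.
    expected_azp is the client id the RGW OIDC provider is registered for."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("azp") != expected_azp:
        problems.append(f"azp {claims.get('azp')!r} != {expected_azp!r}")
    if not principal_tags(claims):
        problems.append("no principal tags (mapper missing or wrong claim name?)")
    return problems


def introspect(introspect_url: str, client_id: str, client_secret: str,
               token: str) -> Dict[str, Any]:
    """Ask Keycloak whether the token is still active (the curl call above
    in Python). This also catches revoked tokens, which local decoding cannot."""
    auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        introspect_url, method="POST",
        data=urllib.parse.urlencode({"token": token}).encode(),
        headers={"Authorization": f"Basic {auth}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    claims = decode_payload(SAMPLE_JWT)
    print("tags:", principal_tags(claims))
    print("problems:", preflight(claims, "app-profile-jee-jsp"))
```

Run it against a real ``KC_ACCESS_TOKEN`` by passing the token to
``decode_payload``; an empty ``preflight`` list with the expected tags listed
means the Keycloak side is done, and a rejection from RGW after that points at
the provider or role configuration on the gateway rather than at the mapper.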