=================================
Keycloak integration with RadosGW
=================================

Keycloak can be set up as an OpenID Connect Identity Provider, which can be used by mobile/web apps
to authenticate their users. The web token returned as a result of authentication can be used by the
mobile/web app to call AssumeRoleWithWebIdentity to get back a set of temporary S3 credentials,
which the app can then use to make S3 calls.
Instructions for installing and bringing up Keycloak can be found here: https://www.keycloak.org/docs/latest/server_installation/.

Configuring Keycloak to talk to RGW
===================================

The following settings have to be added to the RGW section of the Ceph configuration for RGW to talk to Keycloak::

    [client.radosgw.gateway]
    rgw sts key = {sts key for encrypting/ decrypting the session token}
    rgw s3 auth use sts = true
Example showing how to fetch a web token from Keycloak
======================================================

Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md
Taking the example of the app-profile-jee-jsp app given in the link above, its client id and client secret can be used to fetch the
access token (web token) for an application using grant type 'client_credentials' as given below::

    KC_REALM=<realm>
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=<context path>

    # Request tokens for the client credentials
    KC_RESPONSE=$(curl -s -X POST \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=client_credentials" \
        -d "client_id=$KC_CLIENT" \
        -d "client_secret=$KC_CLIENT_SECRET" \
        "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token")

    # Extract the access token (the web token) from the JSON response
    KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)
An access token can also be fetched for a particular user with grant type 'password', using the client id, client secret, username and the user's password,
as given below::

    KC_REALM=<realm>
    KC_USERNAME=<username>
    KC_PASSWORD=<userpassword>
    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=<context path>

    # Request tokens for the user's credentials
    KC_RESPONSE=$(curl -s -X POST \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password" \
        -d "client_id=$KC_CLIENT" \
        -d "client_secret=$KC_CLIENT_SECRET" \
        -d "username=$KC_USERNAME" \
        -d "password=$KC_PASSWORD" \
        "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token")

    # Extract the access token (the web token) from the JSON response
    KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)

KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in
Attaching tags to a user in Keycloak
====================================

We need to create a user in Keycloak and add tags to it as its attributes.

Add a user as shown below:

.. image:: ../images/keycloak-adduser.png

Add user details as shown below:

.. image:: ../images/keycloak-userdetails.png

Add user credentials as shown below:

.. image:: ../images/keycloak-usercredentials.png

Add tags in the 'attributes' tab of the user as shown below:

.. image:: ../images/keycloak-usertags.png

Add a protocol mapper for the user attribute to a client as shown below:

.. image:: ../images/keycloak-userclientmapper.png

After following the steps shown above, the tag 'Department' will appear in the JWT (web token) under the 'https://aws.amazon.com/tags' namespace.
The tags can be verified using token introspection of the JWT. The command to introspect a token using the client id and client secret is shown below::

    KC_CLIENT=<client id>
    KC_CLIENT_SECRET=<client secret>
    KC_SERVER=<host>:8080
    KC_CONTEXT=<context path>
    KC_REALM=<realm>

    # KC_ACCESS_TOKEN is the token fetched in the previous section
    curl -s -X POST \
        -u "$KC_CLIENT:$KC_CLIENT_SECRET" \
        -d "token=$KC_ACCESS_TOKEN" \
        "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \
        | jq .
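The following is an added example, not code from the Ceph RGW documentation or the Keycloak project: it wraps the token and introspection calls above in small Python helpers and, offline, shows how the 'Department' tag is read back out of a token's claims. It assumes the AWS layout of a 'principal_tags' object inside the 'https://aws.amazon.com/tags' claim (the page only names the namespace); server, context and realm values are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request
TAGS_NS = "https://aws.amazon.com/tags"  # namespace the Department tag is emitted under

def endpoint(server, context, realm, suffix=""):
    # Same URL shape as the curl examples on this page (plain http, as there).
    return f"http://{server}/{context}/realms/{realm}/protocol/openid-connect/token{suffix}"

def token_request_form(client_id, client_secret, username=None, password=None):
    # grant_type=password when a user is supplied, otherwise client_credentials.
    form = {"client_id": client_id, "client_secret": client_secret, "scope": "openid"}
    if username is None:
        form["grant_type"] = "client_credentials"
    else:
        form.update(grant_type="password", username=username, password=password)
    return form

def fetch_access_token(server, context, realm, **creds):
    data = urllib.parse.urlencode(token_request_form(**creds)).encode()
    req = urllib.request.Request(endpoint(server, context, realm), data=data, method="POST")
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        return json.load(resp)["access_token"]

def introspect(server, context, realm, client_id, client_secret, token):
    # Mirrors the curl introspection call: client id and secret sent as HTTP basic auth.
    auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(endpoint(server, context, realm, "/introspect"),
                                 data=urllib.parse.urlencode({"token": token}).encode(),
                                 headers={"Authorization": f"Basic {auth}"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # Keycloak returns "active" plus the token's claims

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode the JWT payload WITHOUT checking the signature: useful for seeing which tags
    Keycloak emitted, never a substitute for introspection or RGW's own verification."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def principal_tags(claims):
    """Tags under the AWS namespace as {key: [values]}. Assumes the AWS 'principal_tags'
    layout inside the namespace claim; the page itself only names the namespace."""
    tags = claims.get(TAGS_NS, {}).get("principal_tags", {})
    return {k: (list(v) if isinstance(v, list) else [v]) for k, v in tags.items()}

# Constructed, unsigned sample token (alg=none) in that layout; not a real Keycloak token.
SAMPLE_CLAIMS = {"sub": "user-1", TAGS_NS: {"principal_tags": {"Department": ["Engineering"]}}}
SAMPLE_JWT = _b64url(b'{"alg":"none","typ":"JWT"}') + "." + _b64url(json.dumps(SAMPLE_CLAIMS).encode()) + "."
```

Against a live Keycloak, compare `principal_tags(jwt_claims(token))` with the claims returned by `introspect(...)`; a token whose introspection reports `active` false must not be trusted whatever its payload says.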