Does Keycloak allow obtaining id tokens via web interface

1/30/2019

I am investigating how to possibly authenticate to a Kubernetes 1.13 cluster with OpenID Connect and Keycloak. I am new to this area.

This YouTube video ("Use Open ID Connect for Kubernetes API server") accomplishes part of what I want. An id token is initially obtained by making an HTTP request (with curl) to Keycloak citing grant type password. The resulting token is then subsequently used in further HTTP requests to the Kubernetes API. This works but has the disadvantage that clients directly handle users' permanent credentials.

Would it not be better if the token were issued by a secure web page that also required authentication via Keycloak (this time with grant type authorization code) and did nothing but display a new token? Such tokens (transient credentials) could then e.g. be manually copied into kubeconfigs for further use.

Does Keycloak provide such interactive web pages (next to the REST endpoints for obtaining tokens programmatically) or is this out of scope? If the latter, are there other standard components for such tasks?

UPDATE This illustration from the Kubernetes documentation perhaps makes clearer what I am seeking. In step 1 a user should log into the identity provider to obtain tokens which can then be configured into kubectl. Does Keycloak support this step, i.e. offer a web page where users could log in to obtain their tokens?

-- rookie099
keycloak
kubernetes
oauth-2.0
openid-connect
security
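
The flow described in the question (step 1: log in at the identity provider with the authorization-code grant and receive an id token; step 2: put it into kubectl), as an added example that is not part of the original post and not a Keycloak or Kubernetes component. It assumes Keycloak's per-realm endpoint layout `<base>/auth/realms/<realm>/protocol/openid-connect/...`, a public client registered with the redirect URI `http://localhost:8000/callback`, PKCE (RFC 7636) in place of a client secret, and kubectl's built-in `oidc` auth provider of the 1.13 era; the "paste the redirect URL" step and the `DEMO_*` token are constructed for the example. The `id_token_problems` check mirrors the issuer, audience and expiry checks kube-apiserver applies, so a token that would be rejected is caught before it lands in a kubeconfig.

```python
# Added example, not code from the question or answer: a small helper for the
# flow the question describes. Assumptions: Keycloak's realm layout
# <base>/auth/realms/<realm>, a public client with redirect URI REDIRECT_URI,
# and kubectl's built-in "oidc" auth provider. Standard library only.
import base64
import hashlib
import json
import secrets
import sys
import time
import urllib.parse
import urllib.request

REDIRECT_URI = "http://localhost:8000/callback"  # assumed registered redirect URI


def realm_endpoints(base_url, realm):
    """Keycloak's per-realm OIDC endpoints (issuer, authorization, token)."""
    issuer = f"{base_url.rstrip('/')}/auth/realms/{realm}"
    return {"issuer": issuer,
            "authorization": f"{issuer}/protocol/openid-connect/auth",
            "token": f"{issuer}/protocol/openid-connect/token"}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA-256(verifier)), unpadded."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorization_url(endpoints, client_id, state, code_verifier):
    """Step 1: the URL the user opens to log in at the IdP; it redirects back with ?code=&state=."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": "openid",  # an id_token is only issued when "openid" is requested
              "state": state,     # echoed back; the callback is discarded if it differs
              "code_challenge": pkce_challenge(code_verifier), "code_challenge_method": "S256"}
    return endpoints["authorization"] + "?" + urllib.parse.urlencode(params)


def token_request_form(client_id, code, code_verifier):
    """Form body that redeems the code; a public client proves possession with the PKCE verifier."""
    return {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier}


def redeem_code(endpoints, form):
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(endpoints["token"], data=data) as resp:  # POST, form-urlencoded
        return json.load(resp)


def decode_jwt_payload(token):
    """Claims for display only; kube-apiserver verifies the signature against the issuer's keys."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def id_token_problems(claims, issuer, client_id, now):
    """The issuer/audience/expiry checks kube-apiserver applies, run locally before saving the token."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def kubectl_set_credentials_args(user, endpoints, client_id, id_token, refresh_token=None):
    """Step 2: store the token in kubeconfig; kubectl renews it itself when a refresh_token is set."""
    args = ["kubectl", "config", "set-credentials", user, "--auth-provider=oidc",
            f"--auth-provider-arg=idp-issuer-url={endpoints['issuer']}",
            f"--auth-provider-arg=client-id={client_id}",
            f"--auth-provider-arg=id-token={id_token}"]
    if refresh_token:
        args.append(f"--auth-provider-arg=refresh-token={refresh_token}")
    return args


# Constructed, unsigned demo token (alg "none") so the claim checks can be exercised offline.
DEMO_CLAIMS = {"iss": "https://keycloak.example/auth/realms/k8s", "aud": "kubernetes",
               "sub": "alice", "exp": 4102444800}
DEMO_ID_TOKEN = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                         for p in ({"alg": "none"}, DEMO_CLAIMS)) + "."


def main(base_url, realm, client_id, user="oidc-user"):
    ep = realm_endpoints(base_url, realm)
    verifier, state = b64url(secrets.token_bytes(32)), secrets.token_urlsafe(16)
    print("Open this URL in a browser and log in:\n" + authorization_url(ep, client_id, state, verifier))
    back = input("Paste the full URL the browser was redirected to: ")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(back).query)
    if query.get("state", [None])[0] != state:
        raise SystemExit("state mismatch; discarding callback")
    tokens = redeem_code(ep, token_request_form(client_id, query["code"][0], verifier))
    problems = id_token_problems(decode_jwt_payload(tokens["id_token"]), ep["issuer"], client_id, time.time())
    if problems:
        raise SystemExit("id_token rejected: " + ", ".join(problems))
    print(" ".join(kubectl_set_credentials_args(user, ep, client_id, tokens["id_token"], tokens.get("refresh_token"))))


if __name__ == "__main__":
    main(*sys.argv[1:4])
```

Run it as `python helper.py https://keycloak.example k8s kubernetes`; the user's password is only ever typed into Keycloak's own login page, and what ends up in the kubeconfig is the short-lived id token plus, if the client was granted one, the refresh token. Nothing on this page confirms that Keycloak ships a page that merely displays a token, so a tiny client like this is one way to get the same effect with the authorization-code grant.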

1 Answer

2/6/2019

If I understand your question correctly, you want to get the access token via Java code, so here is code you can write and call

  // targetUrl is a placeholder for the URL of the resource being updated
  HttpPut putRequest = new HttpPut(targetUrl);
  String accessToken = obtainAccessToken(username, password);
  putRequest.addHeader("Authorization", "Bearer " + accessToken);
  putRequest.addHeader("Content-Type", MediaType.APPLICATION_JSON);

Here is the method you should call

// Resource-owner password grant via keycloak-authz-client (org.keycloak.authorization.client.AuthzClient).
// 'configuration' is the client Configuration (auth-server-url, realm, client id and credentials) loaded elsewhere.
public String obtainAccessToken(String userName, String pwd) {
    AuthzClient authzClient = AuthzClient.create(configuration);
    AccessTokenResponse accessTokenResponse = authzClient.obtainAccessToken(userName, pwd);
    return accessTokenResponse.getToken();
}

Here is the get realm method

// Assumes the class holds URL (Keycloak base URL used by the admin REST API), username/password and
// 'configuration' as fields. The user must have admin rights, otherwise /admin/realms answers 401 or 403.
// Needs org.apache.httpcomponents (HttpGet, CloseableHttpClient, HttpClients, CloseableHttpResponse, EntityUtils),
// Jackson's ObjectMapper, org.keycloak.representations.idm.RealmRepresentation and javax.ws.rs.core.{Response, MediaType}.
public Response getAllRealms() {
    ObjectMapper mapper = JacksonObjectMapperProvider.getObjectMapper();
    List<RealmRepresentation> realmList = new ArrayList<>();
    String urlGetAllRealms = URL + "/admin/realms";
    HttpGet getRequest = new HttpGet(urlGetAllRealms);
    String accessToken = obtainAccessToken(username, password);
    getRequest.addHeader("Authorization", "Bearer " + accessToken);
    getRequest.addHeader("Accept", MediaType.APPLICATION_JSON);
    // try-with-resources closes the client and the response even when an exception is thrown
    try (CloseableHttpClient httpclient = HttpClients.createDefault();
         CloseableHttpResponse response = httpclient.execute(getRequest)) {
        int status = response.getStatusLine().getStatusCode();
        String responseBody = EntityUtils.toString(response.getEntity());
        if (status == 200) {
            RealmRepresentation[] realmArray = mapper.readValue(responseBody, RealmRepresentation[].class);
            realmList.addAll(Arrays.asList(realmArray));
            return Response.ok(realmList).build();
        }
        // Pass Keycloak's own status through instead of hiding an authorization failure
        return Response.status(status).entity(responseBody).build();
    } catch (IOException e) {
        // The original "if (e instanceof Exception)" branch was always true; wrap once instead
        throw ErrorHandler.wrap(new Exception("ErrorType : " + e.toString()));
    }
}
-- Subodh Joshi
Source: StackOverflow