
external-auth-server with keycloak and ambassador

Hi,

So my setup is: Ambassador v0.72.0, Keycloak v5.0.0, and external-auth-server as middleware providing OpenID Connect authentication to a web service.

I followed the setup first for the Traefik example, substituting config where it was needed. My configuration for the external-auth-server values.yaml looks as follows:

configTokenSignSecret: ZQTJMHgsRUYD4vaDJnmutYMU
configTokenEncryptSecret: MAuZtmwxfvcJCabSmhrvcAjv
issuerSignSecret: mEAYPr9bcZk8dFda8T6dBmzK
issuerEncryptSecret: QjjgXyVvVyVyUfBW6ZhFTG3w
cookieSignSecret: 5spCwm2jCtekwEb3G6Hcnav8
cookieEncryptSecret: YwX3gzTZmPNUL9v5RMhwsnZq
sessionEncryptSecret: jMV5WtUCfSme4xx9Qkmu2Jv2
logLevel: "info"
redis-ha:
  enabled: false

In addition I made a couple of changes to the service.yaml to accommodate Ambassador's annotation-based configuration. These look like this:

  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind:  AuthService
      name:  authentication
      auth_service: {{ include "external-auth-server.fullname" . }}
      proto: http
      allowed_request_headers:
        - authorization
      include_body:
        max_bytes: 4096
        allow_partial: true
      ---
      apiVersion: ambassador/v1
      kind:  Mapping
      name:  eas_mapping
      prefix: /eas/
      bypass_auth: true
      service: {{ include "external-auth-server.fullname" . }}

I managed to create a CONFIG_TOKEN for Keycloak. The configuration for the plugin added to generate-config-token.js that I used was:

{
    type: "oidc",
    issuer: {
        /**
         * via discovery (takes preference)
         */
        discover_url: "http://keycloak.default.svc.cluster.local/auth/realms/master/.well-known/openid-configuration",
    },
    client: {
        /**
         * manually defined (preferred)
         */
        client_id: "lightningbadger",
        client_secret: "4dbd29da-5b81-417e-a230-abad914de57e",

        /**
         * via client registration
         */
        //registration_client_uri: "",
        //registration_access_token: "",
    },
    scopes: ["openid", "email", "profile"], // must include openid
    /**
     * static redirect URI
     * if your oauth provider does not support wildcards place the URL configured in the provider (that will return to this proper service) here
     */
    redirect_uri: "http://api.lightningbadger.io/eas/oauth/callback",
    features: {
        /**
         * how to expire the cookie
         * true = cookies will expire with tokens
         * false = cookies will be 'session' cookies
         * num seconds = expire after given number of seconds
         */
        cookie_expiry: true,

        /**
         * how frequently to refresh userinfo data
         * true = refresh with tokens (assuming they expire)
         * false = never refresh
         * num seconds = expire after given number of seconds
         */
        userinfo_expiry: true,

        /**
         * how long to keep a session (server side) around
         * true = expire with tokenSet (if applicable)
         * false = never expire
         * num seconds = expire after given number of seconds (enables sliding window)
         *
         * sessions become a floating window *if*
         * - tokens are being refreshed
         * or
         * - userinfo being refreshed
         * or
         * - session_expiry_refresh_window is a positive number
         */
        session_expiry: true,

        /**
         * window to update the session window based on activity if
         * nothing else has updated it (ie: refreshing tokens or userinfo)
         *
         * should be a positive number less than session_expiry
         *
         * For example, if session_expiry is set to 60 seconds and session_expiry_refresh_window value is set to 20
         * then activity in the last 20 seconds (40-60) of the window will 'slide' the window
         * out session_expiry time from whenever the activity occurred
         */
        session_expiry_refresh_window: 86400,

        /**
         * will re-use the same id (ie: same cookie) for a particular client if a session has expired
         */
        session_retain_id: true,

        /**
         * if the access token is expired and a refresh token is available, refresh
         */
        refresh_access_token: true,

        /**
         * fetch userinfo and include as X-Userinfo header to backing service
         */
        fetch_userinfo: true,

        /**
         * check token validity with provider during assertion process
         */
        introspect_access_token: false,

        /**
         * which token (if any) to send back to the proxy as the Authorization Bearer value
         * note the proxy must allow the token to be passed to the backend if desired
         *
         * possible values are id_token, access_token, or refresh_token
         */
        authorization_token: "access_token"
    },
    assertions: {
        /**
         * assert the token(s) has not expired
         */
        exp: true,

        /**
         * assert the 'not before' attribute of the token(s)
         */
        nbf: true,

        /**
         * assert the correct issuer of the token(s)
         */
        iss: true,

        /**
         * custom userinfo assertions
         */
        userinfo: [
        ],

        /**
         * custom id_token assertions
         */
        id_token: [
        ]
    },
    cookie: {
        //name: "_my_company_session",//default is _oeas_oauth_session
        //domain: "example.com", //defaults to request domain, could do sso with more generic domain
        //path: "/",
    },
    // see HEADERS.md for details
    headers: {},
}

However, here comes the part where I got stuck. The examples provided in this repo use Traefik configuration and add this to the ingress:

ingress.kubernetes.io/auth-url: https://eas.example.com/verify?fallback_plugin=0&config_token=PLACE_CONFIG_TOKEN_OUTPUT_HERE

However, since we are using Ambassador this is not an option. So I expect I need to mount the configuration into a secret with the env adapter, which I tried without any luck. So I tried adding the following to my values.yaml:

configTokenStores:
  primary:
    adapter: env
    options:
      cache_ttl: 3600
      var: < I HAVE NO IDEA WHAT TO ADD HERE >
configTokens:
  1: < MY CONFIG TOKEN NOT URL ENCODED >

Can you maybe help me out with this configuration 😃 Then i can maybe help with writing some documentation 😛
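The `session_expiry` / `session_expiry_refresh_window` comments in the config token above describe a sliding session window (a numeric `session_expiry`, with activity inside the last `session_expiry_refresh_window` seconds pushing the expiry out again). The following is an added model of exactly those rules, written for this page; it is not external-auth-server's own session code, and the option names, the `tokenExpSec` input and the timestamps are assumptions chosen to walk through the "60 seconds / 20 seconds" example from the comment.

```javascript
// Added example (not external-auth-server code): a model of the session
// expiry semantics described in the config token comments.
// Times are Unix seconds; `opts` mirrors the `features` keys.

// Create a session record. `tokenExpSec` (assumed input) is the expiry of
// the token set, used when session_expiry is true.
function createSession(nowSec, opts) {
  let expiresAt;
  if (opts.session_expiry === true) {
    expiresAt = opts.tokenExpSec;             // true = expire with tokenSet
  } else if (opts.session_expiry === false) {
    expiresAt = Infinity;                     // false = never expire
  } else {
    expiresAt = nowSec + opts.session_expiry; // number = seconds, sliding window
  }
  return { createdAt: nowSec, expiresAt, lastActivity: nowSec };
}

function isExpired(session, nowSec) {
  return nowSec >= session.expiresAt;
}

// Record activity on a session. Returns the session (its expiry possibly
// slid forward) or null if it had already expired.
function touchSession(session, nowSec, opts) {
  if (isExpired(session, nowSec)) return null;
  const expiry = opts.session_expiry;
  const refreshWindow = opts.session_expiry_refresh_window;
  // The refresh window only applies with a numeric session_expiry and a
  // positive window shorter than it, as the comment requires.
  if (typeof expiry === "number" && typeof refreshWindow === "number" &&
      refreshWindow > 0 && refreshWindow < expiry) {
    const remaining = session.expiresAt - nowSec;
    if (remaining <= refreshWindow) {
      // Activity in the last `refreshWindow` seconds slides the window out
      // by session_expiry from the moment of the activity.
      session.expiresAt = nowSec + expiry;
    }
  }
  session.lastActivity = nowSec;
  return session;
}

// Walk through the comment's example: session_expiry 60, refresh window 20.
function slidingWindowScenario() {
  const opts = { session_expiry: 60, session_expiry_refresh_window: 20 };
  const s = createSession(1000, opts);
  const trace = [s.expiresAt];                        // 1060
  touchSession(s, 1030, opts);                        // 30 s left: outside window, no slide
  trace.push(s.expiresAt);                            // still 1060
  touchSession(s, 1045, opts);                        // 15 s left: inside window, slides
  trace.push(s.expiresAt);                            // 1105
  trace.push(touchSession(s, 1105, opts) === null);   // expired exactly at 1105
  return trace;
}

// Session bound to the token set (session_expiry: true).
function tokenBoundScenario() {
  const opts = { session_expiry: true, tokenExpSec: 2000 };
  const s = createSession(1000, opts);
  return [touchSession(s, 1999, opts) !== null, touchSession(s, 2000, opts) === null];
}

console.log(slidingWindowScenario(), tokenBoundScenario());
```

Note that with `session_expiry: true` (as in the config above) the 86400-second refresh window never engages, because the window only slides when `session_expiry` is itself a number of seconds.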

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 71 (36 by maintainers)

Top GitHub Comments

2 reactions
travisghansen commented, Jul 3, 2019

I just landed initial support for ambassador in latest as an FYI.

1 reaction
Romeren commented, Jun 28, 2019

In case you want some debug info… this is the configuration of that last call that fails:

{
    "url": "http://<External auth service host>/oauth/callback",
    "parameters": {
        "__eas_oauth_handler__": [
            "authorization_callback"
        ],
        "state": [
            "..."
        ],
        "session_state": [
            "da010069-bf7a-401f-b869-60a257f2c174"
        ],
        "code": [
            "07d99bfd-ecd7-482c-814b-489ed280bf02.da010069-bf7a-401f-b869-60a257f2c174.ddcb87d1-0937-49a2-af37-3253ca9520cf"
        ]
    },
    "cookies": {
        "AUTH_SESSION_ID": "da010069-bf7a-401f-b869-60a257f2c174.keycloak-0",
        "KC_RESTART": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5MDVlNzUzMC03Yjk3LTQwNjMtYjhlMi0xYjJhODBjMmM1YTEifQ.eyJjaWQiOiJsaWdodG5pbmdiYWRnZXIiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vYXBpLmxpZ2h0bmluZ2JhZGdlci5pby9lYXMvb2F1dGgvY2FsbGJhY2s_X19lYXNfb2F1dGhfaGFuZGxlcl9fPWF1dGhvcml6YXRpb25fY2FsbGJhY2siLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwL2F1dGgvcmVhbG1zL21hc3RlciIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoicGxhaW4iLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vYXBpLmxpZ2h0bmluZ2JhZGdlci5pby9lYXMvb2F1dGgvY2FsbGJhY2s_....PuMViFSetOaDeGTFODRNObRdXRb3pjb9INH3etOvCHc",
        "KEYCLOAK_IDENTITY": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5MDVlNzUzMC03Yjk3LTQwNjMtYjhlMi0xYjJhODBjMmM1YTEifQ.eyJqdGkiOiJiODk3YTUxOS0yMDBhLTRjMmUtYmVhMS1mMDU2NzMxZTNlMzEiLCJleHAiOjE1NjE3NTU2NDMsIm5iZiI6MCwiaWF0IjoxNTYxNzE5NjQzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiMzRlNjQ4OGQtNmMyNS00NDFhLTkwM2ItNDZlODdkNjRkNzhiIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZGEwMTAwNjktYmY3YS00MDFmLWI4NjktNjBhMjU3ZjJjMTc0Iiwic3RhdGVfY2hlY2tlciI6IkluWUtoVDVjTjBudkdhLXBLd2lNV2w0QXhmSlhwZWJvZWZ2LS1MUlFpMncifQ.eqF4K1g-PTE0UQIJT6VAmgVqk84urZK9YQ6p7-rfsJw",
        "KEYCLOAK_SESSION": "master/34e6488d-6c25-441a-903b-46e87d64d78b/da010069-bf7a-401f-b869-60a257f2c174"
    }
}