TNS
VOXPOP
Will JavaScript type annotations kill TypeScript?
The creators of Svelte and Turbo 8 both dropped TS recently saying that "it's not worth it".
Yes: If JavaScript gets type annotations then there's no reason for TypeScript to exist.
0%
No: TypeScript remains the best language for structuring large enterprise applications.
0%
TBD: The existing user base and its corpensource owner means that TypeScript isn’t likely to reach EOL without a putting up a fight.
0%
I hope they both die. I mean, if you really need strong types in the browser then you could leverage WASM and use a real programming language.
0%
I don’t know and I don’t care.
0%
 
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Next-Gen Observability: Monitoring and Analytics in Platform Engineering
Sep 12th 2023 4:00am, by Robert Kimani
Is Policy as Code the Cure for Multicloud Config Chaos?
Sep 11th 2023 12:13pm, by Tzvika Shahaf
Unlock Data’s Full Potential with a Mature Analytics Strategy
Sep 8th 2023 10:16am, by Venkat Ramakrishnan
Achieve Cloud Native without Kubernetes
Sep 7th 2023 8:57am, by Rak Siva
Change Data Capture for Real-Time Access to Backend Databases
Sep 5th 2023 8:05am, by Jim Moffitt
Harden Ubuntu Server to Secure Your Container and Other Deployments
Sep 16th 2023 6:00am, by Jack Wallen
Run GUI Applications as Containers with x11docker
Sep 9th 2023 6:00am, by Jack Wallen
Dive: A Simple App for Viewing the Contents of a Docker Image
Sep 2nd 2023 3:00am, by Jack Wallen
Kubernetes Isn't Always the Right Choice
Aug 21st 2023 7:02am, by Rak Siva
Monitor, Control and Debug Docker Containers with WhaleDeck
Aug 19th 2023 7:00am, by Jack Wallen
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
Cloud to Edge AI with a Mobile Database Platform
Aug 28th 2023 8:42am, by Mark Gamble
Dev News: React Still King, Vercel AI Tools, Netlify Connect
Jun 17th 2023 4:00am, by Loraine Lawson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
A Microservices Outcome: Testing Boomed
Sep 15th 2023 11:15am, by Alex Williams
Event-Driven Microservices Offer Flexibility and Real-Time Responsiveness
Sep 13th 2023 10:00am, by Hugh McKee
Britive: Just-in-Time Access across Multiple Clouds
Sep 7th 2023 3:00am, by Susan Hall
7 Steps to Highly Effective Kubernetes Policies
Sep 6th 2023 7:37am, by Wito Delnat
Setting up Multicluster Service Mesh with Rafay CLI
Aug 30th 2023 10:12am, by Pravin Tatti
Performant and Programmable Telco Networking with eBPF
Aug 11th 2023 10:00am, by Bill Mulligan
Create a Samba Share and Use from in a Docker Container
Jul 29th 2023 6:00am, by Jack Wallen
CIOs, Heed On-Premises App and Infrastructure Performance
Jul 5th 2023 1:21pm, by Gregg Ostrowski
Hasura Launches New Data Network for APIs Only
Jun 29th 2023 9:36am, by Chris J. Preimesberger
Unveiling the Future of Application Networking: Trends and Impacts
Jun 28th 2023 11:06am, by Bilgin Ibryam
The Security-First Mindset to Unlocking the AWS Opportunity 
Aug 9th 2023 8:14am, by David Melamed
3 Reasons Why Teams Move Away from AWS Lambda
Jul 18th 2023 10:00am, by Jonathan Michaux
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
Unlock Data’s Full Potential with a Mature Analytics Strategy
Sep 8th 2023 10:16am, by Venkat Ramakrishnan
Ditching Databases for Apache Kafka as System of Record
Aug 25th 2023 7:53am, by Andreas Evers
A Brief DevOps History: Databases to Infinity and Beyond, Part 2
Aug 16th 2023 7:15am, by Kat Cosgrove and Matty Stratton
How Quantic Improved Developer Experience, Scalability
Aug 14th 2023 6:24am, by Vigyan Kaushik
How Vector Search Can Optimize Retail Trucking Routes
Aug 11th 2023 10:31am, by Aaron Ploetz
AI Frontend Development Software Development TypeScript WebAssembly Cloud Services Data Security
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
3 Ways to Stop LLM Hallucinations
Sep 15th 2023 10:15am, by
Salesforce Spreads NLP-Enabled Einstein AI over Most of Its Apps
Sep 15th 2023 9:19am, by
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by
Free GPUs and AI Chips Are Available to Run AI
Sep 8th 2023 6:00am, by
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
Self-Hosted CDEs Preferred to SaaS in Large Orgs, Says Coder
Sep 14th 2023 11:45am, by
Web Dev Platform Netlify Releases Software Development Kit
Sep 14th 2023 8:35am, by
Dedicated IDE for Rust Released by JetBrains
Sep 13th 2023 9:24am, by
How Attackers Bypass Commonly Used Web Application Firewalls
Sep 13th 2023 8:31am, by
Salesforce Spreads NLP-Enabled Einstein AI over Most of Its Apps
Sep 15th 2023 9:19am, by
Python Delights Excel Data Nerds Plus Data Lake Enthusiasts
Sep 15th 2023 8:35am, by
Can WebAssembly Get Its Act Together for a Component Model?
Sep 14th 2023 9:33am, by
Web Dev Platform Netlify Releases Software Development Kit
Sep 14th 2023 8:35am, by
Dedicated IDE for Rust Released by JetBrains
Sep 13th 2023 9:24am, by
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
Dev News: Svelte 5 vs. VanillaJS and Google’s Project IDX
Aug 12th 2023 8:00am, by
Dev News: Dart Frog Now Stable, Redwood Updates Bundler
Aug 4th 2023 7:00am, by
Dev News: Spotify's TypeScript SDK, Retool Tools, Deno 1.35
Jul 15th 2023 7:00am, by
Quick Tips to Make Your SDK More Maintainable in TypeScript
Jul 5th 2023 10:21am, by
Can WebAssembly Get Its Act Together for a Component Model?
Sep 14th 2023 9:33am, by
WebAssembly Reaches a Cloud Native Milestone
Sep 11th 2023 7:50am, by
Is It too Early to Leverage AI for WebAssembly?
Sep 6th 2023 10:28am, by
Rust and C++ Work Better for WebAssembly
Aug 9th 2023 6:50am, by
Where Does WebAssembly Fit in the Cloud Native World?
Aug 3rd 2023 9:50am, by
Google Continues Expansion of AI in Workspace, Dev Tools
Aug 30th 2023 8:47am, by
Microsoft PowerShell Gallery Littered with Critical Vulnerabilities
Aug 30th 2023 3:00am, by
Simplifying Cluster Connectivity with Istio Service Mesh
Aug 23rd 2023 5:32am, by
How SaaS Companies Can Monetize Generative AI
Aug 18th 2023 10:00am, by
The Architect’s Guide to Thinking about Hybrid/Multicloud
Aug 18th 2023 8:22am, by
Python Delights Excel Data Nerds Plus Data Lake Enthusiasts
Sep 15th 2023 8:35am, by
Web Dev Platform Netlify Releases Software Development Kit
Sep 14th 2023 8:35am, by
Discover the Performance Gain with Retrieval Augmented Generation
Sep 12th 2023 10:00am, by
The Role of SQL in LLM Apps and How Snowflake Uses LangChain
Sep 12th 2023 8:51am, by
Getting Started with Infrastructure Monitoring
Sep 11th 2023 7:01am, by
Harden Ubuntu Server to Secure Your Container and Other Deployments
Sep 16th 2023 6:00am, by
How to Design Scalable SaaS API Security
Sep 15th 2023 8:50am, by
DevOps, DevSecOps, and SecDevOps Offer Different Advantages
Sep 15th 2023 5:00am, by
What Are CIS Benchmarks in Cloud Security?
Sep 14th 2023 6:51am, by
How Attackers Bypass Commonly Used Web Application Firewalls
Sep 13th 2023 8:31am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Drive Platform Engineering Success with Humanitec and Port
Sep 15th 2023 7:18am, by Zohar Einy and Kaspar Von Grunberg
Demo: Building an Internal Developer Portal with Port
Sep 14th 2023 6:45am, by Heather Joslyn
Platform Engineering: What’s Hype and What’s Not?
Sep 13th 2023 6:43am, by Tommy McClung
How to Create an Internal Developer Portal MVP
Sep 12th 2023 7:22am, by Mor Paz
Next-Gen Observability: Monitoring and Analytics in Platform Engineering
Sep 12th 2023 4:00am, by Robert Kimani
The /Now Page Movement: Publicly Declaring What You Work on
Sep 17th 2023 6:00am, by David Cassel
Harden Ubuntu Server to Secure Your Container and Other Deployments
Sep 16th 2023 6:00am, by Jack Wallen
Drive Platform Engineering Success with Humanitec and Port
Sep 15th 2023 7:18am, by Zohar Einy and Kaspar Von Grunberg
Deploy Multilanguage Apps to Kubernetes with Open Source Korifi
Sep 15th 2023 1:06am, by Sylvain Kalache
Automating Retry for Failed Terraform Launches
Sep 14th 2023 10:53am, by Shira Ben-Dor
Lessons IT Can Steal from Hackers
Aug 31st 2023 3:00am, by Loraine Lawson
3 GitOps Myths Busted 
Aug 2nd 2023 3:00am, by B. Cameron Gain
Terraform Providers and the Rise of Infrastructure as a Service
Jul 31st 2023 10:00am, by Naor Paz
5 Common Developer Self-Service Challenges (and Solutions)
Jul 26th 2023 10:00am, by Derek Ashmore
Continuous Benchmarking eBPF in Rust with Bencher 
Jul 21st 2023 7:36am, by Everett Pompeii
Graydon Hoare Remembers the Early Days of Rust
Sep 10th 2023 6:00am, by David Cassel
Entrepreneurship for Engineers: a Post-Layoff Startup?
Sep 8th 2023 5:00am, by Emily Omier
Open Source Needs Maintainers. But How Can They Get Paid?
Sep 6th 2023 3:00am, by Heather Joslyn
How to Tackle Tool Sprawl Before It Becomes Tool Hell
Aug 31st 2023 6:18am, by Heath Newburn
SRE vs Platform Engineer: Can’t We All Just Get Along?
Aug 30th 2023 7:48am, by Jennifer Riggins
DevOps, DevSecOps, and SecDevOps Offer Different Advantages
Sep 15th 2023 5:00am, by John Ross
How to Create an Internal Developer Portal MVP
Sep 12th 2023 7:22am, by Mor Paz
Is Policy as Code the Cure for Multicloud Config Chaos?
Sep 11th 2023 12:13pm, by Tzvika Shahaf
How Platform Engineering Can Help Keep Cloud Costs in Check
Sep 11th 2023 10:18am, by Pravanjan Choudhury
Getting Started with Infrastructure Monitoring
Sep 11th 2023 7:01am, by Charles Mahler
A Microservices Outcome: Testing Boomed
Sep 15th 2023 11:15am, by Alex Williams
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
WebAssembly Reaches a Cloud Native Milestone
Sep 11th 2023 7:50am, by B. Cameron Gain
Kubernetes Building Blocks: Nodes, Pods, Clusters
Sep 11th 2023 6:00am, by Robert Kimani
Can ChatGPT Save Collective Kubernetes Troubleshooting?
Sep 8th 2023 7:54am, by Blair Rampling
Top Ways to Reduce Your Observability Costs: Part 2
Sep 12th 2023 9:38am, by Amanda Mitchell
Next-Gen Observability: Monitoring and Analytics in Platform Engineering
Sep 12th 2023 4:00am, by Robert Kimani
Top Ways to Reduce Your Observability Costs: Part 1
Sep 5th 2023 6:44am, by Amanda Mitchell
4 Key Observability Best Practices
Sep 1st 2023 9:11am, by Sophie Kohler
More Lessons from Hackers: How IT Can Do Better
Sep 1st 2023 3:00am, by Loraine Lawson
Kubernetes 1.28 Accommodates the Service Mesh, Sudden Outages
Aug 18th 2023 10:08am, by Joab Jackson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Open Source / Security

How to Integrate OpenShift with Keycloak

Keycloak is an open source IAM solution, originally developed by Red Hat, that can provide more control over policies and access control rules.
May 30th, 2023 11:00am by
Featued image for: How to Integrate OpenShift with Keycloak
Image by Jon Moore from Unsplash.

If you want to integrate Red Hat OpenShift with an identity provider, such as Keycloak, you must first understand how user authentication and token management work. During the OAuth process, the user’s credentials are verified by the identity provider, and the user’s information is mapped to an identity in OpenShift.

But any changes made to the user’s information or credentials on the identity provider (such as deleting a user or adding a group) will not impact or invalidate an active bearer token from a previous authentication.

The API server validates the access token, but user authentication happens during the early OAuth process, so the token will remain active regardless of any changes made to the user’s information or credentials.

This means you’ve got a security vulnerability. If a bearer token remains active even after changes have been made to the user’s information or credentials, it could potentially be used by a hacker or malicious actor to access protected resources.

By default, the access token lifetime is set to 24 hours, but this can be configured using the steps described in the OpenShift documentation. When deciding on the token’s lifetime, consider how soon you want authorization-related changes made to an identity provider to take effect in the OpenShift cluster.

OpenShift Security and Manageability

One way to address these concerns is by integrating OpenShift with Keycloak. Keycloak is an open source identity and access management (IAM) solution, originally developed by Red Hat, that can provide more control over bearer token policies and enforce access control rules more effectively. In April, it was accepted as an incubating project at the Cloud Native Computing Foundation.

As an open source solution, it’s free to use and can be customized to meet specific requirements. Additionally, the community provides regular updates and security patches, ensuring the solution remains up-to-date and secure.

Integrating OpenShift with Keycloak provides a wide range of benefits that can improve security and access control in your cluster. Some of the main benefits of this integration include:

Federation support. Keycloak provides support for federation, allowing you to integrate with external identity providers, such as lightweight directory access protocol (LDAP) or Active Directory. This enables you to leverage existing user management systems and extend their capabilities to your OpenShift applications.

Fine-grained access control. Keycloak provides features such as multi-factor authentication (MFA), social login, and identity brokering that can enhance the security of your OpenShift applications. Keycloak can also enforce complex access control policies, such as role-based access control (RBAC) and attribute-based access control (ABAC), to ensure that only authorized users can access your OpenShift applications.

Flexible token management. By integrating OpenShift with Keycloak, you can gain more control over bearer token policies. Keycloak provides a token management system that allows you to set policies for token expiration, revocation and renewal. This can help prevent unauthorized access to your OpenShift applications and reduce the impact of a leaked token.

Customizable user interfaces. Keycloak provides customizable user interfaces that can be branded to match the look and feel of your OpenShift applications. This can help create a seamless user experience for your users and reinforce your brand.

Centralized authentication and authorization. With Keycloak, you can centralize authentication and authorization for all your OpenShift applications. This means that you can manage user access across all your applications and services from a single location, simplifying user management and improving security.

Keycloak provides support for MFA, allowing you to add an additional layer of security to your OpenShift applications. This can include options such as SMS authentication, Google Authenticator, and email-based one-time passwords.

Single sign-on. With Keycloak, you can enable single sign-on (SSO) for your OpenShift applications. This means that users only need to authenticate once, and they can then access all the applications and services that they are authorized to use, without the need for additional logins.

Integrating OpenShift with Keycloak: Getting Started

Step 1: Create a Keycloak Realm

To create a new realm in Keycloak, follow these steps:

  1. Log in to the Keycloak web console and navigate to the “Realms” tab.
  2. Click on the “Add realm” button and enter a name for your realm.
  3. Click on “Create” to create your new realm.

Log in to Keycloak:


Create a new realm:

Step 2: Create Keycloak Clients

To create a new client in Keycloak, follow these steps:

  1. Navigate to the “Clients” tab within your realm and click on “Create.”
  2. Enter a name for your client and click on “Save.”

Configure the client settings according to your requirements. For example, you can set the client protocol to “OpenID Connect” and specify the redirect URIs for your client.

Create a new client:

Step 3: Configure Authentication

To configure authentication for your OpenShift applications, you can follow these steps:

  1. Create an OpenID Connect identity provider within your Keycloak realm by navigating to the “Identity Providers” tab and clicking on “Add provider.”
  2. Configure the identity provider by specifying the client ID and client secret of your OpenShift client, along with the authorization and token endpoints.
  3. Configure your OpenShift application to use the OpenID Connect identity provider for authentication.

Create an OpenID Connect Identity Provider:

Step 4: Enforce Authorization

To enforce authorization policies for your OpenShift applications, you can follow these steps:

  1. Create groups, roles, and permissions within your Keycloak realm by navigating to the “Groups,” “Roles” and “Permissions” tabs.
  2. Assign the roles and permissions to your OpenShift clients by navigating to the “Clients” tab and selecting the client that you want to configure.
  3. Configure the access control policies according to your requirements. For example, you can create a role that allows read-only access to a particular resource, and assign this role to a specific group.

Create groups, roles and permissions within your Keycloak Realm:

Step 5: Integrate OpenShift with Keycloak

The final step is to create a new OpenShift OAuth2 provider by creating a new custom resource of type OAuth in the openshift-config namespace. This will allow OpenShift to use Keycloak for authentication and authorization.

Create a new OpenShift OAuth2 provider by creating a new custom resource of type OAuth in the openshift-config namespace. You can use the following YAML file as a template:


Replace <client-ID>, <client-secret>, <keycloak-url>, and <realm-name> with the appropriate values for your Keycloak realm and client.

Apply the YAML file to create the OAuth Custom Resource:


Verify that the OAuth custom resource has been created:

  1. Log in to the OpenShift console and navigate to the “OAuth” section. You should see “Keycloak” listed as an identity provider.
  2.  Test the integration by logging in to the OpenShift console using a user from your Keycloak realm.

By following these steps, you can fully integrate Keycloak with OpenShift and take advantage of its advanced authentication and authorization features.

Group Created with Sketch.
Robert is a systems engineer and open source advocate who loves sharing knowledge. He believes in helping others and is compassionate about giving back to the community. When he’s not geeking with Linux he likes hiking, mountain biking, and exploring...
Read more from Robert Kimani
SHARE THIS STORY
RELATED STORIES
Common Cloud Misconfigurations That Lead to Data Breaches The Cloud Is Under Attack. How Do You Secure It? Sonatype Offers Its Malicious Source Code Blocker as a Service Implementing DevSecOps Best Practices Security First! Strategies for Building Safer Software
TNS owner Insight Partners is an investor in: Pragma.
RELATED STORIES
Common Cloud Misconfigurations That Lead to Data Breaches The Cloud Is Under Attack. How Do You Secure It? Sonatype Offers Its Malicious Source Code Blocker as a Service Implementing DevSecOps Best Practices Security First! Strategies for Building Safer Software
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.