TNS
VOXPOP
Where are you using WebAssembly?
Wasm promises to let developers build once and run anywhere. Are you using it yet?
At work, for production apps
0%
At work, but not for production apps
0%
I don’t use WebAssembly but expect to when the technology matures
0%
I have no plans to use WebAssembly
0%
No plans and I get mad whenever I see the buzzword
0%
Open Source / Security

How to Integrate OpenShift with Keycloak

Keycloak is an open source IAM solution, originally developed by Red Hat, that can provide more control over policies and access control rules.
May 30th, 2023 11:00am by
Featued image for: How to Integrate OpenShift with Keycloak
Image by Jon Moore from Unsplash.

If you want to integrate Red Hat OpenShift with an identity provider, such as Keycloak, you must first understand how user authentication and token management work. During the OAuth process, the user’s credentials are verified by the identity provider, and the user’s information is mapped to an identity in OpenShift.

But any changes made to the user’s information or credentials on the identity provider (such as deleting a user or adding a group) will not impact or invalidate an active bearer token from a previous authentication.

The API server validates the access token, but user authentication happens during the early OAuth process, so the token will remain active regardless of any changes made to the user’s information or credentials.

This means you’ve got a security vulnerability. If a bearer token remains active even after changes have been made to the user’s information or credentials, it could potentially be used by a hacker or malicious actor to access protected resources.

By default, the access token lifetime is set to 24 hours, but this can be configured using the steps described in the OpenShift documentation. When deciding on the token’s lifetime, consider how soon you want authorization-related changes made to an identity provider to take effect in the OpenShift cluster.

OpenShift Security and Manageability

One way to address these concerns is by integrating OpenShift with Keycloak. Keycloak is an open source identity and access management (IAM) solution, originally developed by Red Hat, that can provide more control over bearer token policies and enforce access control rules more effectively. In April, it was accepted as an incubating project at the Cloud Native Computing Foundation.

As an open source solution, it’s free to use and can be customized to meet specific requirements. Additionally, the community provides regular updates and security patches, ensuring the solution remains up-to-date and secure.

Integrating OpenShift with Keycloak provides a wide range of benefits that can improve security and access control in your cluster. Some of the main benefits of this integration include:

Federation support. Keycloak provides support for federation, allowing you to integrate with external identity providers, such as lightweight directory access protocol (LDAP) or Active Directory. This enables you to leverage existing user management systems and extend their capabilities to your OpenShift applications.

Fine-grained access control. Keycloak provides features such as multi-factor authentication (MFA), social login, and identity brokering that can enhance the security of your OpenShift applications. Keycloak can also enforce complex access control policies, such as role-based access control (RBAC) and attribute-based access control (ABAC), to ensure that only authorized users can access your OpenShift applications.

Flexible token management. By integrating OpenShift with Keycloak, you can gain more control over bearer token policies. Keycloak provides a token management system that allows you to set policies for token expiration, revocation and renewal. This can help prevent unauthorized access to your OpenShift applications and reduce the impact of a leaked token.

Customizable user interfaces. Keycloak provides customizable user interfaces that can be branded to match the look and feel of your OpenShift applications. This can help create a seamless user experience for your users and reinforce your brand.

Centralized authentication and authorization. With Keycloak, you can centralize authentication and authorization for all your OpenShift applications. This means that you can manage user access across all your applications and services from a single location, simplifying user management and improving security.

Keycloak provides support for MFA, allowing you to add an additional layer of security to your OpenShift applications. This can include options such as SMS authentication, Google Authenticator, and email-based one-time passwords.

Single sign-on. With Keycloak, you can enable single sign-on (SSO) for your OpenShift applications. This means that users only need to authenticate once, and they can then access all the applications and services that they are authorized to use, without the need for additional logins.

Integrating OpenShift with Keycloak: Getting Started

Step 1: Create a Keycloak Realm

To create a new realm in Keycloak, follow these steps:

  1. Log in to the Keycloak web console and navigate to the “Realms” tab.
  2. Click on the “Add realm” button and enter a name for your realm.
  3. Click on “Create” to create your new realm.

Log in to Keycloak:


Create a new realm:

Step 2: Create Keycloak Clients

To create a new client in Keycloak, follow these steps:

  1. Navigate to the “Clients” tab within your realm and click on “Create.”
  2. Enter a name for your client and click on “Save.”

Configure the client settings according to your requirements. For example, you can set the client protocol to “OpenID Connect” and specify the redirect URIs for your client.

Create a new client:

Step 3: Configure Authentication

To configure authentication for your OpenShift applications, you can follow these steps:

  1. Create an OpenID Connect identity provider within your Keycloak realm by navigating to the “Identity Providers” tab and clicking on “Add provider.”
  2. Configure the identity provider by specifying the client ID and client secret of your OpenShift client, along with the authorization and token endpoints.
  3. Configure your OpenShift application to use the OpenID Connect identity provider for authentication.

Create an OpenID Connect Identity Provider:

Step 4: Enforce Authorization

To enforce authorization policies for your OpenShift applications, you can follow these steps:

  1. Create groups, roles, and permissions within your Keycloak realm by navigating to the “Groups,” “Roles” and “Permissions” tabs.
  2. Assign the roles and permissions to your OpenShift clients by navigating to the “Clients” tab and selecting the client that you want to configure.
  3. Configure the access control policies according to your requirements. For example, you can create a role that allows read-only access to a particular resource, and assign this role to a specific group.

Create groups, roles and permissions within your Keycloak Realm:

Step 5: Integrate OpenShift with Keycloak

The final step is to create a new OpenShift OAuth2 provider by creating a new custom resource of type OAuth in the openshift-config namespace. This will allow OpenShift to use Keycloak for authentication and authorization.

Create a new OpenShift OAuth2 provider by creating a new custom resource of type OAuth in the openshift-config namespace. You can use the following YAML file as a template:


Replace <client-ID>, <client-secret>, <keycloak-url>, and <realm-name> with the appropriate values for your Keycloak realm and client.

Apply the YAML file to create the OAuth Custom Resource:


Verify that the OAuth custom resource has been created:

  1. Log in to the OpenShift console and navigate to the “OAuth” section. You should see “Keycloak” listed as an identity provider.
  2.  Test the integration by logging in to the OpenShift console using a user from your Keycloak realm.

By following these steps, you can fully integrate Keycloak with OpenShift and take advantage of its advanced authentication and authorization features.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Pragma.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.