Keycloak
With Keycloak as your IdP, you will need to create a Client to handle authentication requests from Ambassador Edge Stack. The instructions below are known to work for Keycloak 4.8.

Under "Realm Settings", record the "Name" of the realm your client is in. This will be needed to configure your `authorizationURL`.

Create a new client: navigate to Clients and select Create. Use the following settings:
- Client ID: Any value (e.g. `ambassador`); this value will be used in the `clientID` field of the Keycloak Filter
- Client Protocol: "openid-connect"
- Root URL: Leave blank

Click Save.
On the next screen configure the following options:
- Access Type: "confidential". This makes Keycloak issue a client secret; copy it from the client's "Credentials" tab, as it is the value needed for the `secret` field of the Keycloak Filter.
- Valid Redirect URIs: `*`

Click Save.

Note that `*` accepts any redirect URI, so anyone who can start the login flow can have the authorization code sent to a URI they control. It is convenient while getting the integration working; once it works, replace it with the callback URL on your protected origin (under https://{PROTECTED_URL}) so that codes are only ever delivered there.
Navigate to the Mappers tab in your Client and click Create. Configure the following options:
- Protocol: "openid-connect"
- Name: Any string. This is just a name for the Mapper
- Mapper Type: select "Audience"
- Included Client Audience: select from the dropdown the name of your Client. This will be used as the `audience` in the Keycloak Filter.

Click Save.

This mapper is required: Keycloak does not put the client ID into the `aud` claim of the access token by default, and the Filter rejects a token whose `aud` does not contain its configured `audience`.
Configure client scopes as desired under "Client Scopes" (e.g. `offline_access`). It is possible to set up Keycloak to not use any scope by removing all of them from "Assigned Default Client Scopes".

Note: All "Assigned Default Client Scopes" must be included in the FilterPolicy `scope` argument, otherwise the scopes the Filter requests will not match what Keycloak grants.
Configure Filter and FilterPolicy

Update the Keycloak Filter and FilterPolicy with the following. Replace `{KEYCLOAK_URL}`, `{KEYCLOAK_REALM}`, `{CLIENT_SECRET}` and `{PROTECTED_URL}` with your own values; `authorizationURL` must be the realm URL, since it is also the `iss` value Keycloak puts in the tokens it issues, and `audience` must match the client name selected in the Audience mapper above. Keep the manifest containing `{CLIENT_SECRET}` out of version control, or source the value from a Kubernetes Secret.

```yaml
---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: keycloak-filter
  namespace: default
spec:
  OAuth2:
    authorizationURL: https://{KEYCLOAK_URL}/auth/realms/{KEYCLOAK_REALM}
    audience: ambassador
    clientID: ambassador
    secret: {CLIENT_SECRET}
    protectedOrigins:
    - origin: https://{PROTECTED_URL}
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: httpbin-policy
  namespace: default
spec:
  rules:
  - host: "*"
    path: /httpbin/ip
    filters:
    - name: keycloak-filter ## Enter the Filter name from above
      arguments:
        scope:
        - "offline_access"
```
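The three Keycloak settings above (realm, Audience mapper, default client scopes) each show up as a claim in the access token, and a mismatch with the Filter is the usual reason a login loop or a 401 appears. The following Python script is an added diagnostic, not code from the original page or from Ambassador or Keycloak: it decodes the claims of a token and checks that `iss` equals `authorizationURL`, that `aud` contains the Filter's `audience` (the claim the Audience mapper adds), and that the `scope` claim covers the FilterPolicy scopes. The hostnames and the two sample tokens are constructed, and the script deliberately does not verify the signature, which the Filter does against the realm's keys.

```python
import base64
import json

# Values mirroring the Filter/FilterPolicy above; hostnames are example placeholders.
AUTHORIZATION_URL = "https://keycloak.example.com/auth/realms/myrealm"
EXPECTED_AUDIENCE = "ambassador"
REQUIRED_SCOPES = {"offline_access"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Claims only: the signature is NOT checked here. The Filter verifies it
    against the realm's JWKS; this function is a configuration diagnostic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, issuer: str = AUTHORIZATION_URL,
                audience: str = EXPECTED_AUDIENCE,
                scopes=REQUIRED_SCOPES) -> list:
    """Return a list of mismatches between the token and the Filter settings."""
    claims = decode_claims(token)
    problems = []

    # The Filter derives the expected issuer from authorizationURL.
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != authorizationURL {issuer!r}")

    # aud may be a string or a list; the Filter's audience must be in it.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if audience not in aud:
        problems.append(f"aud {aud!r} lacks {audience!r} (Audience mapper missing?)")

    # Keycloak emits granted scopes as a space-separated string.
    granted = set(claims.get("scope", "").split())
    missing = set(scopes) - granted
    if missing:
        problems.append(f"scopes missing from token: {sorted(missing)}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature, for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample: what a token looks like before the Audience mapper exists.
TOKEN_WITHOUT_MAPPER = make_sample_token({
    "iss": AUTHORIZATION_URL, "aud": "account", "azp": "ambassador",
    "scope": "openid offline_access",
})

# Constructed sample: the same token once the Audience mapper adds the client.
TOKEN_WITH_MAPPER = make_sample_token({
    "iss": AUTHORIZATION_URL, "aud": ["ambassador", "account"], "azp": "ambassador",
    "scope": "openid offline_access",
})

if __name__ == "__main__":
    for name, tok in (("without mapper", TOKEN_WITHOUT_MAPPER), ("with mapper", TOKEN_WITH_MAPPER)):
        print(name, check_token(tok) or "OK")
```

To use it against a real deployment, paste the access token Keycloak issued for the client into `check_token` together with the `authorizationURL`, `audience` and FilterPolicy scopes from your manifests; an empty result means the claims agree with the Filter, and each remaining entry names the Keycloak setting to revisit.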
Questions?
We’re here to help. If you have questions, join our Slack or contact us.