
Conversation

martin-ducar-gd

Consider scenario:

  • k8s contains multi-tenant microservices, 1 service handling N tenants
  • keycloak is also multi-tenant, but segregation is done on the realm level
  • With the current audience modifications for each realm/tenant the solution is pretty cumbersome (a mountpoint per tenant; if N > 50 it gets messy, plus a restart of the microservices on tenant CRUD)

Solution:

On K8s the issuer and audience are the same, as well as the JWK.
Conditionally allow another audience from k8s if specified in a client attribute. Also, the risk is minimal, as what we are doing is basically a token exchange of the k8s token (only auth, then dropped) and the client from keycloak is then used (the audience is correct at that moment).

FYI
Current main is broken since the update to keycloak 26.4.0; it needs a bit of refactoring, as Validate token vs ClientAuthenticator changed in keycloak. This MR is for 26.3.* versions.

On K8s the issuer and audience are the same, as well as the JWK.
Conditionally allow another issuer from k8s if the
multi-tenancy use-case is needed (multiple realms as tenants,
one k8s SA as client to access those realms).