astefanutti / kubebox

⎈❏ Terminal and Web console for Kubernetes
http://astefanutti.github.io/kubebox
MIT License

Refresh oidc tokens #84

Closed lucidyan closed 4 years ago

lucidyan commented 4 years ago

When using oidc authentication, kubebox doesn't get refresh tokens automatically. So every time we get:

Failed to get resource /auth/realms/master/protocol/openid-connect/token, status code: 400


But if we run any command with kubectl, it refreshes the token and kubebox will work until the token needs to be refreshed again.

johnpoth commented 4 years ago

Hi @lucidyan, refreshing oidc tokens automatically should be supported. Could you share the relevant part of your kubernetes config? Thanks!

lucidyan commented 4 years ago

Hi, @johnpoth!

I have Keycloak 8.0.1 configured to refresh tokens with some period. It is controlled by the Access Token Lifespan parameter.

K8S part of user config:

- name: USER_NAME
  user:
    auth-provider:
      config:
        client-id: kubernetes
        client-secret: CLIENT_SECRET
        id-token: ID_TOKEN
        idp-issuer-url: https://{KEYCLOAK_SERVER_URL}/auth/realms/master
        refresh-token: REFRESH-TOKEN
      name: oidc

johnpoth commented 4 years ago

Thanks @lucidyan! I'm wondering if your provider supports the refresh_token grant type we use. To check, could you run

curl -X GET "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/.well-known/openid-configuration?client_id=kubernetes"

and share the output with us? Specifically, you should see two response properties, grant_types_supported and token_endpoint, that are of interest to us, thanks!

lucidyan commented 4 years ago

@johnpoth

Of course! So I've got:

{
    "authorization_endpoint": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/auth",
    "check_session_iframe": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "claims_supported": [
        "aud",
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email",
        "acr"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "end_session_endpoint": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/logout",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "id_token_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA1_5"
    ],
    "id_token_encryption_enc_values_supported": [
        "A128GCM",
        "A128CBC-HS256"
    ],
    "id_token_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "introspection_endpoint": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/token/introspect",
    "issuer": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master",
    "jwks_uri": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/certs",
    "registration_endpoint": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/clients-registrations/openid-connect",
    "request_object_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "scopes_supported": [
        "openid",
        "address",
        "email",
        "groups",
        "microprofile-jwt",
        "offline_access",
        "phone",
        "profile",
        "roles",
        "username",
        "web-origins"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "tls_client_certificate_bound_access_tokens": true,
    "token_endpoint": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/token",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "token_introspection_endpoint": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/userinfo",
    "userinfo_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ]
}

johnpoth commented 4 years ago

@lucidyan awesome! Now let's try refreshing the token ourselves with:

curl -X POST "https://{KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/token?grant_type=refresh_token&client_id=kubernetes&client_secret=${CLIENT_SECRET}&refresh_token=${REFRESH-TOKEN}"

It should give you a 400 error

astefanutti commented 4 years ago

@lucidyan not sure you got the response above as your handle was misspelled.

lucidyan commented 4 years ago

Sorry for the late answer, I cannot reproduce this error after the server owners changed the Keycloak parameters. I slightly modified @johnpoth's script for further explorers, so it works:

export KEYCLOAK_SERVER_URL=""
export CLIENT_SECRET=""
export REFRESH_TOKEN=""

curl -X POST "https://${KEYCLOAK_SERVER_URL}/auth/realms/master/protocol/openid-connect/token" --data "grant_type=refresh_token&client_id=kubernetes&client_secret=${CLIENT_SECRET}&refresh_token=${REFRESH_TOKEN}" | python -m json.tool
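The thread above boils down to three checks a kubeconfig `oidc` auth-provider client has to make: decide from the id-token's `exp` claim whether a refresh is due, confirm from the discovery document that the provider advertises the `refresh_token` grant and an https `token_endpoint`, and send the refresh as a form-encoded POST body rather than in the query string (the difference between the two curl variants in this issue). The following is an added example written for this page, not kubebox's own code; the discovery document shape follows the curl output above, the 30-second clock skew, the issuer URL `keycloak.example.invalid` and the sample token are all constructed assumptions, and the id-token payload is only base64url-decoded to read `exp`, never verified, since signature verification is the API server's job.

```javascript
// Added example (not kubebox code): local checks behind an OIDC refresh flow.
// Assumed values: CLOCK_SKEW_SECONDS, SAMPLE_ISSUER and the sample token are
// constructed for this example; the discovery fields match the issue's output.

const CLOCK_SKEW_SECONDS = 30; // assumed tolerance, not a kubebox setting

// base64url -> UTF-8 string (re-adds the padding JWT segments drop)
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the exp claim of a compact JWT (header.payload.signature). The
// signature is NOT checked here: only the "is it time to refresh?" decision
// is local; the API server validates the token it receives.
function idTokenExpiry(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.exp !== 'number') throw new Error('id-token has no exp claim');
  return payload.exp;
}

// Refresh early by the skew so a token that expires in transit is not sent.
function needsRefresh(idToken, nowSeconds) {
  return idTokenExpiry(idToken) - CLOCK_SKEW_SECONDS <= nowSeconds;
}

// Pick the token endpoint from the discovery document, refusing providers
// whose issuer does not match idp-issuer-url, that do not advertise the
// refresh_token grant, or that hand back a non-https endpoint.
function refreshEndpoint(discovery, issuerUrl) {
  if (discovery.issuer !== issuerUrl) throw new Error(`issuer mismatch: ${discovery.issuer}`);
  const grants = discovery.grant_types_supported || [];
  if (!grants.includes('refresh_token')) throw new Error('provider does not support refresh_token grant');
  if (typeof discovery.token_endpoint !== 'string' || !discovery.token_endpoint.startsWith('https://')) {
    throw new Error('token_endpoint must be an https URL');
  }
  return discovery.token_endpoint;
}

// Build the refresh request as a form-encoded POST body (client_secret_post),
// so the client secret and refresh token never appear in the URL and thus in
// proxy or server access logs, unlike a query-string variant.
function buildRefreshRequest(tokenEndpoint, { clientId, clientSecret, refreshToken }) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  });
  return {
    method: 'POST',
    url: tokenEndpoint,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed sample inputs: not a real server, client secret or token.
const SAMPLE_ISSUER = 'https://keycloak.example.invalid/auth/realms/master';
const SAMPLE_DISCOVERY = {
  issuer: SAMPLE_ISSUER,
  token_endpoint: `${SAMPLE_ISSUER}/protocol/openid-connect/token`,
  grant_types_supported: ['authorization_code', 'implicit', 'refresh_token', 'password', 'client_credentials'],
};

// Builds a compact JWT with a placeholder signature segment for the expiry check.
function makeSampleToken(exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ iss: SAMPLE_ISSUER, sub: 'sample-user', exp }));
  return `${header}.${payload}.${base64UrlEncode('placeholder-signature')}`;
}

function demo() {
  const now = Math.floor(Date.now() / 1000);
  const expiredToken = makeSampleToken(now - 60);
  if (!needsRefresh(expiredToken, now)) return null;
  const req = buildRefreshRequest(refreshEndpoint(SAMPLE_DISCOVERY, SAMPLE_ISSUER), {
    clientId: 'kubernetes', clientSecret: 'SAMPLE_SECRET', refreshToken: 'SAMPLE_REFRESH',
  });
  // Redact secrets before logging; the body is the only place they travel.
  console.log(req.method, req.url, req.body.replace(/(client_secret|refresh_token)=[^&]*/g, '$1=<redacted>'));
  return req;
}

demo();
```

With a real provider, `refreshEndpoint` would be fed the parsed `.well-known/openid-configuration` response and `buildRefreshRequest`'s result handed to an HTTP client; a 400 from the token endpoint then means the provider rejected the grant (expired or revoked refresh token, wrong client credentials), which is the situation the original report describes.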

astefanutti commented 4 years ago

Thanks @lucidyan. Let me close this then. Feel free to re-open if needed.