Open hillinsor opened 2 years ago
Sample configs:
```yaml
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"getambassador.io/v2","kind":"Filter","metadata":{"annotations":{},"name":"keycloak-filter","namespace":"ambassador"},"spec":{"OAuth2":{"audience":"ambassador-dev","authorizationURL":"https://keycloak.jnxt.cdf2.usae.bah.com/auth/realms/jllis","clientID":"ambassador-dev","insecureTLS":true,"protectedOrigins":[{"origin":"https://development.jnxt.cdf2.usae.bah.com"}],"secret":"4c9d4eff-de2e-466d-963e-342d9ecfb51f"}}}
  creationTimestamp: "2022-04-21T19:08:54Z"
  generation: 5
  managedFields:
```

```yaml
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"getambassador.io/v2","kind":"FilterPolicy","metadata":{"annotations":{},"name":"httpbin-policy","namespace":"ambassador"},"spec":{"rules":[{"filters":[{"arguments":{"scopes":["offline_access"]},"name":"keycloak-filter","namespace":"ambassador"}],"host":"*","path":"/"}]}}
  creationTimestamp: "2022-04-21T19:08:54Z"
  generation: 3
  managedFields:
```

```yaml
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"getambassador.io/v3alpha1","kind":"Mapping","metadata":{"annotations":{},"name":"jnxt-api","namespace":"jllis-development"},"spec":{"host":"development.jnxt.cdf2.usae.bah.com","host_regex":true,"prefix":"/api","rewrite":"/api","service":"api:9090"}}
  creationTimestamp: "2022-04-21T18:57:28Z"
  generation: 1
  managedFields:
```

```yaml
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"getambassador.io/v3alpha1","kind":"Mapping","metadata":{"annotations":{},"name":"hjnxt-webui","namespace":"jllis-development"},"spec":{"add_request_headers":{"x-test-auth":{"value":"%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"}},"add_response_headers":{"x-test-ip":{"value":"%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"}},"host":"development.jnxt.cdf2.usae.bah.com","prefix":"/","rewrite":"/","service":"webui:8080"}}
  creationTimestamp: "2022-04-21T18:57:28Z"
  generation: 5
  managedFields:
```
Still having issues passing the working with jwt filter and oauth filter.
The formatting makes it hard to tell, but we think the FilterPolicy might be off. Could you repost it using code fencing / backticks?
---FILTER POLICY---
```yaml
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  annotations:
  managedFields:
```
@hillinsor maybe I could help you out with my configurations~ Here is my filter (you might be missing 'grantType' 'internalOrigin')

```yaml
apiVersion: getambassador.io/v3alpha1
kind: Filter
metadata:
  name: keycloak-filter
  namespace: {{.NameSpace}}
spec:
  OAuth2:
    grantType: AuthorizationCode
    authorizationURL: http://keycloak.{{.NameSpace}}.svc/auth/realms/caas
    audience: ambassador
    clientID: {{.OAuth2Client}}
    secret: {{.OAuth2ClientSecret}}
    protectedOrigins:
    - origin: {{.EntryPoint}}
      internalOrigin: '*://*'
```
and the filterpolicy (a '*' in 'path')

```yaml
apiVersion: getambassador.io/v3alpha1
kind: FilterPolicy
metadata:
  name: iam-policy-distro
  namespace: {{.NameSpace}}
spec:
  rules:
  - host: "*"
    path: /*
    filters:
    - name: keycloak-filter
      arguments:
        scope: ["profile"]
```
Ambassador Edgestack 2.2.2
Keycloak v12
Rancher Federal v2.6.3
RKE v1.22.9+rke2r1
New to Ambassador and Keycloak configuration. We have gone through the following instructions for setting up keycloak/ambassador (https://www.getambassador.io/docs/edge-stack/latest/howtos/sso/keycloak/). We are trying to configure Ambassador and RedhatSSO/Keycloak to support the following flow:
The problem we are seeing is that Ambassador or Keycloak is not supplying an OIDC / Access token in the redirect. Our application is expecting an OIDC / Access in the header in order to authorize the user. How can we determine if we are getting the right information as expected?
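One way to check from the upstream service's side what actually arrives after the filter runs (an added example, not part of the thread and not Ambassador or Keycloak code). It assumes the access token is forwarded as an `Authorization: Bearer` header holding a JWT and uses the `ambassador-dev` audience from the Filter above; the names `inspect_bearer` and `sample_headers` and the sample token are constructed for illustration, and the claims are only decoded, not signature-verified.

```python
import base64
import json
import time


def _b64url(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_bearer(headers, expected_aud, now=None):
    """Decode (NOT verify) the JWT the upstream received and report on it."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return {"ok": False, "reason": "no Authorization header reached the upstream"}
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return {"ok": False, "reason": "not a Bearer JWT (opaque or malformed)"}
    try:
        claims = json.loads(_b64url(token.split(".")[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"ok": False, "reason": "JWT payload does not decode"}
    if not isinstance(claims, dict):
        return {"ok": False, "reason": "JWT payload is not a JSON object"}
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    problems = []
    if expected_aud not in aud:
        problems.append(f"aud {aud} does not include {expected_aud!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return {"ok": not problems, "reason": "; ".join(problems),
            "iss": claims.get("iss"), "aud": aud,
            "scope": claims.get("scope", "").split()}


def sample_headers(aud):
    # Constructed, unsigned sample token; issuer and expiry are made-up values.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    claims = {"iss": "https://keycloak.example/auth/realms/demo", "aud": aud,
              "exp": 2000000000, "scope": "openid offline_access"}
    return {"authorization": f"Bearer {enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"}


if __name__ == "__main__":
    print(inspect_bearer(sample_headers("ambassador-dev"), "ambassador-dev"))
    print(inspect_bearer(sample_headers("account"), "ambassador-dev"))
    print(inspect_bearer({}, "ambassador-dev"))
```

Call `inspect_bearer` on the request headers inside a debug endpoint of the upstream service; because it skips signature verification it is a diagnostic aid only and must not be used to authorize requests.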