Keycloak and Ambassador configuration

hillinsor commented 2 years ago

Ambassador Edgestack 2.2.2 Keycloak v12 Rancher Federal v2.6.3 RKE v1.22.9+rke2r1

New to Ambassador and Keycloak configuration. We have gone through the following instructions for setting up keycloak/ambassador (https://www.getambassador.io/docs/edge-stack/latest/howtos/sso/keycloak/) We are trying to configure Ambassador and RedhatSSO/Keycloak to support the following flow:

User makes a request to a resource
After we are authenticated in Keycloak, Ambassador routes us to our client application with ODIC (Access Token / Bearer Token)
The application will grab the ODIC token, to grab user information to determine what the user authorization

The problem we are seeing is that Ambassador or Keycloak is not supplying an OIDC / Access token in the redirect Our application is expecting an ODIC / Access in the header in order to authorize the user. How can we determine if we are getting right information as expected. (edited)

hillinsor commented 2 years ago

Sample configs:

apiVersion: getambassador.io/v2 kind: Filter metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"getambassador.io/v2","kind":"Filter","metadata":{"annotations":{},"name":"keycloak-filter","namespace":"ambassador"},"spec":{"OAuth2":{"audience":"ambassador-dev","authorizationURL":"https://keycloak.jnxt.cdf2.usae.bah.com/auth/realms/jllis","clientID":"ambassador-dev","insecureTLS":true,"protectedOrigins":[{"origin":"https://development.jnxt.cdf2.usae.bah.com"}],"secret":"4c9d4eff-de2e-466d-963e-342d9ecfb51f"}}} creationTimestamp: "2022-04-21T19:08:54Z" generation: 5 managedFields:

apiVersion: getambassador.io/v2 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:spec: .: {} f:OAuth2: .: {} f:audience: {} f:authorizationURL: {} f:clientID: {} f:insecureTLS: {} f:protectedOrigins: {} f:secret: {} manager: kubectl-client-side-apply operation: Update time: "2022-05-11T19:56:05Z" name: keycloak-filter namespace: ambassador resourceVersion: "152428090" uid: 3212d196-f22a-401e-8cf2-f1ead4ddd981 spec: OAuth2: audience: ambassador-dev authorizationURL: https://keycloak.jnxt.cdf2.usae.bah.com/auth/realms/jllis clientID: ambassador-dev insecureTLS: true protectedOrigins:
- origin: https://development.jnxt.cdf2.usae.bah.com secret: 4c9d4eff-de2e-466d-963e-342d9ecfb51f
  
  apiVersion: getambassador.io/v2 kind: FilterPolicy metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"getambassador.io/v2","kind":"FilterPolicy","metadata":{"annotations":{},"name":"httpbin-policy","namespace":"ambassador"},"spec":{"rules":[{"filters":[{"arguments":{"scopes":["offline_access"]},"name":"keycloak-filter","namespace":"ambassador"}],"host":"*","path":"/"}]}} creationTimestamp: "2022-04-21T19:08:54Z" generation: 3 managedFields:
apiVersion: getambassador.io/v2 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:spec: .: {} f:rules: {} manager: kubectl-client-side-apply operation: Update time: "2022-04-21T19:08:54Z" name: httpbin-policy namespace: ambassador resourceVersion: "151873826" uid: 456839da-172e-4621-b958-b29706d32ac7 spec: rules:
filters:
- arguments: scopes:
  - offline_access name: keycloak-filter namespace: ambassador host: '*' path: /

apiVersion: getambassador.io/v2 kind: Mapping metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"getambassador.io/v3alpha1","kind":"Mapping","metadata":{"annotations":{},"name":"jnxt-api","namespace":"jllis-development"},"spec":{"host":"development.jnxt.cdf2.usae.bah.com","host_regex":true,"prefix":"/api","rewrite":"/api","service":"api:9090"}} creationTimestamp: "2022-04-21T18:57:28Z" generation: 1 managedFields:

apiVersion: getambassador.io/v3alpha1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:spec: .: {} f:host: {} f:host_regex: {} f:prefix: {} f:rewrite: {} f:service: {} manager: kubectl-client-side-apply operation: Update time: "2022-04-21T18:57:28Z" name: jnxt-api namespace: jllis-development resourceVersion: "141313546" uid: a523faab-3df2-4891-b38f-7f038dda7006 spec: ambassador_id:
--apiVersion-v3alpha1-only--default host: development.jnxt.cdf2.usae.bah.com host_regex: true prefix: /api rewrite: /api service: api:9090

apiVersion: getambassador.io/v2 kind: Mapping metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"getambassador.io/v3alpha1","kind":"Mapping","metadata":{"annotations":{},"name":"hjnxt-webui","namespace":"jllis-development"},"spec":{"add_request_headers":{"x-test-auth":{"value":"%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"}},"add_response_headers":{"x-test-ip":{"value":"%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"}},"host":"development.jnxt.cdf2.usae.bah.com","prefix":"/","rewrite":"/","service":"webui:8080"}} creationTimestamp: "2022-04-21T18:57:28Z" generation: 5 managedFields:

apiVersion: getambassador.io/v3alpha1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:spec: .: {} f:add_request_headers: .: {} f:x-test-auth: .: {} f:value: {} f:add_response_headers: .: {} f:x-test-ip: .: {} f:value: {} f:host: {} f:prefix: {} f:rewrite: {} f:service: {} manager: kubectl-client-side-apply operation: Update time: "2022-05-11T19:48:56Z" name: hjnxt-webui namespace: jllis-development resourceVersion: "152425311" uid: 1c2b3b53-bca9-4913-a0f3-9557dd082940 spec: add_request_headers: x-test-auth: value: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%' add_response_headers: x-test-ip: value: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%' ambassador_id:
--apiVersion-v3alpha1-only--default host: development.jnxt.cdf2.usae.bah.com prefix: / rewrite: / service: webui:8080

hillinsor commented 2 years ago

Still having issues passing the working with jwt filter and oauth filter.

cindymullins-dw commented 2 years ago

The formatting makes it hard to tell, but we think the FilterPolicy might be off. Could you repost it using code fencing / backticks?

hillinsor commented 2 years ago

---FILTER POLICY---

''' apiVersion: getambassador.io/v2 kind: FilterPolicy metadata: annotations: managedFields:

apiVersion: getambassador.io/v2 name: jnxt-policy namespace: ambassador spec: ambassador_id:
--apiVersion-v3alpha1-only--default rules:
filters:
- arguments: scopes:
  - offline_access ifRequestHeader: name: "" negate: false value: "" valueRegex: "" name: keycloak-filter namespace: ambassador onAllow: "" onDeny: "" host: '' path: / '''

arctan90 commented 2 years ago

@hillinsor maybe I could help you out with my configurations~ Here is my filter(you might be missing 'grantType' 'internalOrigin')

apiVersion: getambassador.io/v3alpha1
kind: Filter
metadata:
  name: keycloak-filter
  namespace: {{.NameSpace}}
spec:
  OAuth2:
    grantType: AuthorizationCode
    authorizationURL: http://keycloak.{{.NameSpace}}.svc/auth/realms/caas
    audience: ambassador
    clientID: {{.OAuth2Client}}
    secret: {{.OAuth2ClientSecret}}
    protectedOrigins:
    - origin: {{.EntryPoint}}
      internalOrigin: '*://*'

and the filterpolicy (a '*' in 'path' )

apiVersion: getambassador.io/v3alpha1
kind: FilterPolicy
metadata:
  name: iam-policy-distro
  namespace: {{.NameSpace}}
spec:
  rules:
  - host: "*"
    path: /*
    filters:
    - name: keycloak-filter
      arguments:
        scope: ["profile"]

emissary-ingress / emissary

Keycloak and Ambassador configuration #4239

origin: https://development.jnxt.cdf2.usae.bah.com secret: 4c9d4eff-de2e-466d-963e-342d9ecfb51f