@Asteb612 How did you solve this issue? We have a similar problem with clients which have only permissions to assign roles for specific clients. With an admin client everything works fine, but the lower-privileged clients get the 401 response.
I'm sorry @FlxPeters, but I don't remember the exact problem I encountered. At that time I wanted to connect to my k8s server via OAuth using Keycloak
and oauth2-proxy
. This is my current configuration to do that.
# Existing realm that every resource below is created in (referenced
# through data.keycloak_realm.realm.id).
data "keycloak_realm" "realm" {
  realm = "master"
}
#######################
# Cluster Admin group #
#######################
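# Keycloak group whose members receive cluster-admin through the
# kubernetes_cluster_role_binding in this file. The group membership mapper
# emits the leaf name (full_path = false), so this name is exactly what the
# binding's subject name must match.
# The explicit depends_on on the realm data source is redundant: realm_id
# already references it, which gives Terraform the same ordering.
resource "keycloak_group" "cluster_admin" {
  realm_id = data.keycloak_realm.realm.id
  name     = "ClusterAdmin"
}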
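# Grants the built-in cluster-admin ClusterRole to every OIDC user whose
# "groups" claim contains the Keycloak group name. The subject name is taken
# from the keycloak_group resource so the two cannot drift apart.
# NOTE(review): if the API server runs with --oidc-groups-prefix, the subject
# name must carry that prefix as well — confirm against the apiserver flags.
# The depends_on on the realm data source was dropped: this binding reads
# nothing from Keycloak, and the group reference already orders it.
resource "kubernetes_cluster_role_binding" "oidc-admin-group" {
  metadata {
    name = "oidc-admin-group"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = keycloak_group.cluster_admin.name
  }
}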
#######################
# Users #
#######################
# Looks up the pre-existing "administrator" account so it can be added to
# the cluster-admin group without being managed as a resource.
data "keycloak_user" "default_admin_user" {
  username = "administrator"
  realm_id = data.keycloak_realm.realm.id
}
# Personal account managed by Terraform. email_verified = true is set on
# purpose: the author names it as one of the two settings that blocked the
# OIDC login until it was set. Contact details are redacted ("XXXX").
resource "keycloak_user" "asteb612" {
  realm_id = data.keycloak_realm.realm.id
  username = "asteb612"
  enabled  = true

  first_name     = "XXXX"
  last_name      = "XXXX"
  email          = "XXXX"
  email_verified = true
}
# Group membership for the user above. exhaustive = true makes this list the
# complete membership: groups not listed here are removed from the user.
# The label "aster612_groups" (missing "b") is kept as-is, since renaming it
# would change the resource's state address.
resource "keycloak_user_groups" "aster612_groups" {
  realm_id   = data.keycloak_realm.realm.id
  user_id    = keycloak_user.asteb612.id
  exhaustive = true
  group_ids  = [keycloak_group.cluster_admin.id]
}
# Adds the existing "administrator" account to the cluster-admin group.
# Unlike aster612_groups, exhaustive is left at the provider default here.
# NOTE(review): check that the default is what is intended for a pre-existing
# account that may already belong to other groups.
resource "keycloak_user_groups" "admin_groups" {
  realm_id  = data.keycloak_realm.realm.id
  user_id   = data.keycloak_user.default_admin_user.id
  group_ids = [keycloak_group.cluster_admin.id]
}
########################
# OpenID client scopes #
########################
# Client scope that carries the group membership claim; the mapper attached
# to it is group_membership_mapper below.
resource "keycloak_openid_client_scope" "groups" {
  realm_id    = data.keycloak_realm.realm.id
  name        = "groups"
  description = "When requested, this scope will map a user's group memberships to a claim"

  include_in_token_scope = true
  gui_order              = 1
}
# Emits the user's group memberships as the "groups" claim in the ID token,
# the access token and the userinfo response.
# full_path = false means only the leaf group name is emitted, e.g.
# "ClusterAdmin" rather than "/ClusterAdmin". NOTE(review): because of this,
# any nested group whose leaf name is also "ClusterAdmin" would satisfy the
# cluster role binding; keep that name unique across the realm's group tree.
resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
  name            = "group-membership-mapper"
  realm_id        = data.keycloak_realm.realm.id
  client_scope_id = keycloak_openid_client_scope.groups.id
  claim_name      = "groups"
  full_path       = false

  add_to_id_token     = true
  add_to_access_token = true
  add_to_userinfo     = true
}
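# Client scope that carries the audience claim; audience_mapper below adds
# the oauth2-proxy client to the access token's "aud".
# The description is corrected: the old text was a copy of the "groups"
# scope wording ("map a user's audience memberships"), which does not
# describe what this scope does.
resource "keycloak_openid_client_scope" "audience" {
  realm_id    = data.keycloak_realm.realm.id
  name        = "audience"
  description = "When requested, this scope adds the oauth2-proxy client to the token audience"

  include_in_token_scope = true
  gui_order              = 1
}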
###############
# OAuth proxy #
###############
# Confidential OIDC client used by oauth2-proxy (authorization-code flow).
# The secret is read from Ansible Vault rather than written inline; note
# that Terraform still records it in the state file.
# NOTE(review): direct_access_grants_enabled = true also turns on the
# resource-owner password grant for this client. The /oauth2/callback
# redirect only needs the standard flow, so consider setting it to false
# unless something relies on it — confirm before changing.
resource "keycloak_openid_client" "oauth2_proxy" {
  realm_id  = data.keycloak_realm.realm.id
  client_id = "oauth2-proxy"
  name      = "oauth2-proxy"
  enabled   = true

  access_type   = "CONFIDENTIAL"
  client_secret = data.ansiblevault_path.keycloak_oauth2_proxy_secret.value

  # Exact callback URL, no wildcard.
  valid_redirect_uris = ["https://${var.oauth2_proxy_url}/oauth2/callback"]

  standard_flow_enabled        = true
  implicit_flow_enabled        = false
  direct_access_grants_enabled = true
}
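# Scopes every token issued to oauth2-proxy carries without being requested.
# The custom scopes are referenced by name so Terraform creates them before
# this resource. That also fixes a gap in the original: "groups" was listed
# as a literal with no dependency on the groups scope, so a fresh apply could
# try to assign it before it existed. The explicit depends_on list (client
# and audience scope) is no longer needed, as those are referenced directly.
resource "keycloak_openid_client_default_scopes" "oauth2_proxy_scopes" {
  realm_id  = data.keycloak_realm.realm.id
  client_id = keycloak_openid_client.oauth2_proxy.id

  default_scopes = [
    # Keycloak built-in scopes
    "profile",
    "email",
    "roles",
    "web-origins",
    # Custom scopes defined in this file
    keycloak_openid_client_scope.groups.name,
    keycloak_openid_client_scope.audience.name,
  ]
}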
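# Adds the oauth2-proxy client id to the "aud" claim of the access token
# (add_to_id_token = false, so the ID token is left alone). The audience is
# referenced from the client resource so it cannot drift from client_id, and
# that reference already orders creation, making depends_on unnecessary.
resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" {
  name            = "Audience"
  realm_id        = data.keycloak_realm.realm.id
  client_scope_id = keycloak_openid_client_scope.audience.id

  included_client_audience = keycloak_openid_client.oauth2_proxy.client_id
  add_to_access_token      = true
  add_to_id_token          = false
}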
I hope that will help you.
The two blocking points I remember are initial_login = false
on the provider config and email_verified = true
on the user.
Hello, I am currently getting this error with the provider.
Keycloak version
15.0.2
Provider version >= 2.0.0
I encounter this problem with both authentication methods (password/credential). In both cases I have granted the admin role to the clients. My goal is to use password authentication to maintain Keycloak as IaC.
In my tests I have checked that the query is actually executed, because it is what generates this stacktrace.
I would be delighted if you had an idea.