strimzi / strimzi-kafka-oauth

OAuth2 support for Apache Kafka® to work with many OAuth2 authorization servers
Apache License 2.0

Keycloak realm definition for Kafka Strimzi #204

Open natbronislavska opened 1 year ago

natbronislavska commented 1 year ago

I am using Keycloak for authentication (oauth) and KafkaUser for authorization (simple) and I have currently only enabled this on the external listener. I created a simple Keycloak realm, strongly inspired by the one found in the examples: https://github.com/strimzi/strimzi-kafka-oauth/blob/main/examples/docker/keycloak-import/realms/demo-realm.json

I have two questions about this realm definition:

  1. client definition - "directAccessGrantsEnabled" - I have tested my installation with the value set to both true and false and it doesn't seem to have any impact on authentication. What is it used for?
  2. scopeMapping - "offline_access" - is it necessary? is it used?
scholzj commented 1 year ago

@mstruk might know ...

mstruk commented 1 year ago
  1. client definition - "directAccessGrantsEnabled"

As the Keycloak documentation says: "Direct Access Grants are used by REST clients to obtain tokens on behalf of users."

It is for use with OAuth clients that act as user agents (like REST services that serve users and require users to authenticate), rather than act in their own name (as is the case with service accounts). My advice would be to not enable Direct Access Grants unless you find that you need them in order for things to work. The Kafka client microservices that just run some message processing on data rather than serve individual users normally don't need this enabled, as they use service accounts.

  2. scopeMapping - "offline_access"

This results in the token endpoint returning a refresh token that never expires. It is useful when you authenticate with curl or wget directly to the token endpoint specifying scope=offline_access, which returns a refresh_token that has no expiry (in addition to the access_token). You can then use that token as the value of the oauth.refresh.token client configuration parameter.
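The following is an added example, not code from strimzi-kafka-oauth or from Keycloak, illustrating the two points in the answer above: the service-account request (client_credentials) that does not depend on directAccessGrantsEnabled versus the Direct Access Grant (password grant) that does, and a check that a refresh token requested with scope=offline_access really is an offline token before it is pinned in oauth.refresh.token. The Keycloak URL, realm, client id and credentials are placeholders, and the two token responses are constructed inline with dummy signatures so the code runs without a server.

```python
"""Added example (not strimzi-kafka-oauth or Keycloak code): build the token
requests discussed in the thread and inspect the refresh token before using it
as oauth.refresh.token.  Endpoint, realm, client and user are placeholders."""
import base64
import json
from urllib.parse import urlencode

# Assumed placeholder (Keycloak 17+ path; older servers prefix it with /auth).
TOKEN_ENDPOINT = "https://keycloak.example.com/realms/demo/protocol/openid-connect/token"


def client_credentials_request(client_id, client_secret, offline=False):
    """Form body for the service-account flow: the client authenticates as
    itself, so directAccessGrantsEnabled is irrelevant.  scope=offline_access
    asks for a non-expiring refresh token, which Keycloak only issues when the
    caller can obtain the offline_access role (the realm's scope mapping)."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if offline:
        form["scope"] = "offline_access"
    return urlencode(form)


def password_grant_request(client_id, client_secret, username, password):
    """Form body for a Direct Access Grant (resource owner password flow):
    a token on behalf of a user.  Keycloak rejects this grant for the client
    unless directAccessGrantsEnabled is true; that is the only flow the
    attribute controls."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret,
                      "username": username, "password": password})


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying the signature; this only
    inspects a token we received, it never decides whether to accept one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_refresh_token(token_response_json):
    """Report whether the refresh_token in a token-endpoint response is an
    offline token.  Keycloak marks offline refresh tokens with typ=Offline and
    reports refresh_expires_in=0; an ordinary typ=Refresh token dies after
    refresh_expires_in seconds and would later break a client that has it
    hard-coded in oauth.refresh.token."""
    resp = json.loads(token_response_json)
    refresh_token = resp.get("refresh_token")
    if not refresh_token:
        raise ValueError("token endpoint returned no refresh_token")
    claims = jwt_claims(refresh_token)
    return {"refresh_token": refresh_token,
            "typ": claims.get("typ"),
            "refresh_expires_in": resp.get("refresh_expires_in"),
            "is_offline": claims.get("typ") == "Offline"}


def kafka_jaas_config(client_id, refresh_token, token_endpoint=TOKEN_ENDPOINT):
    """sasl.jaas.config value for a strimzi-kafka-oauth client that obtains
    access tokens from a stored refresh token (pair it with
    sasl.mechanism=OAUTHBEARER and the Strimzi login callback handler)."""
    return ("org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required "
            f'oauth.token.endpoint.uri="{token_endpoint}" '
            f'oauth.client.id="{client_id}" '
            f'oauth.refresh.token="{refresh_token}";')


# ---- constructed sample responses: no real Keycloak, dummy signatures ------
def _unsigned_jwt(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


OFFLINE_RESPONSE = json.dumps({
    "access_token": _unsigned_jwt({"typ": "Bearer", "exp": 1700000300}),
    "expires_in": 300, "refresh_expires_in": 0, "token_type": "Bearer",
    "refresh_token": _unsigned_jwt({"typ": "Offline"})})
ONLINE_RESPONSE = json.dumps({
    "access_token": _unsigned_jwt({"typ": "Bearer", "exp": 1700000300}),
    "expires_in": 300, "refresh_expires_in": 1800, "token_type": "Bearer",
    "refresh_token": _unsigned_jwt({"typ": "Refresh", "exp": 1700001800})})

if __name__ == "__main__":
    print("POST body:", client_credentials_request("kafka-client", "secret", offline=True))
    info = inspect_refresh_token(OFFLINE_RESPONSE)
    print("offline:", info["is_offline"], "typ:", info["typ"])
    print(kafka_jaas_config("kafka-client", info["refresh_token"]))
```

Against a real server the body returned by client_credentials_request is what you would pass to curl (curl -d "$body" "$TOKEN_ENDPOINT"); run inspect_refresh_token on the JSON you get back, and only copy refresh_token into oauth.refresh.token when is_offline is true. A typ=Refresh token in the config works until refresh_expires_in elapses and then fails at the next token refresh, which is the failure mode the offline_access scope mapping exists to avoid.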