Oauth2 / JWT / OIDC authentication on API

UXabre · March 10, 2020, 11:04am

Hello,

Can somebody confirm that they got token based authentication working in combination with a OIDC provider (in our case keycloak)? We want to integrate this with our process tools and I’d like to forward the JWT of the authenticated user to Foreman and further validate authority to create objects there…

Currently I only know of a pre-shared secret; but I wouldn’t want to have that in my scripts in cleartext anywhere

I’m using Foreman 1.24.2

Kindest of regards,
UXabre

ekohl · March 10, 2020, 1:10pm

In Foreman 2.1 we’ll add (partial) installer support for it. The actual commit

The relevant code has some inline documentation:

github.com

theforeman/puppet-foreman/blob/15c85f46796ab7775a4555549be16bf74e7ddd9e/manifests/config/apache.pp#L241-L256


      
          # This file is generated by keycloak-httpd-client-install and that manages
          # the content. The command would be:
          #
          # keycloak-httpd-client-install --app-name ${keycloak_app_name} --keycloak-server-url $KEYCLOAK_URL --keycloak-admin-username $KEYCLOAK_USER --keycloak-realm ${keycloak_realm} --keycloak-admin-realm master --keycloak-auth-role root-admin --client-type openidc --client-hostname ${servername} --protected-locations /users/extlogin
          #
          # If $suburi is used, --location-root should also be passed in
          #
          # By defining it here we avoid purging it and also tighten the
          # permissions so the world can't read its secrets.
          # This is functionally equivalent to apache::custom_config without content/source
          file { "${apache::confd_dir}/${keycloak_app_name}_oidc_keycloak_${keycloak_realm}.conf":
            ensure => file,
            owner  => 'root',
            group  => 'root',
            mode   => '0640',
          }

UXabre · March 10, 2020, 2:19pm

Hi, @ekohl,

Thanks for the quick reply! I actually managed to set-up keycloak integration via the current method (and it seems to work great!) I just couldn’t figure out if this approach also reflects on the API itself?

Meaning; will it just be as simple as passing along my JWT as a BEARER authentication token in the header? Or won’t that work as expected?

Kr,
UXabre