Enabling keycloak as IdP

Includes a bug fix in the token introspection endpoint – name of the attribute returned by Keycloak in the discovery is "introspection_endpoint" (not "token_introspection_endpoint")
3scale-labs · Oct 29, 2020 · 950b1a6 · 950b1a6
1 parent c3d177d
commit 950b1a6
Show file tree

Hide file tree

Showing 6 changed files with 2,132 additions and 25 deletions.
diff --git a/auth-ruby/examples/config.yml b/auth-ruby/examples/config.yml
@@ -1,28 +1,21 @@
-localhost:8000:
+app:3000:
   enabled: true
 
   identity:
     - oidc:
-        name: test
-        endpoint: http://localhost:8080/auth/realms/test
-
-    - oidc:
-        name: demo
-        endpoint: https://localhost:8443/realms/demo/
-
-    - oidc:
-        name: admin
-        endpoint: https://localhost:8443/realms/admin/
+        name: keycloak
+        endpoint: http://keycloak:8080/auth/realms/ostia
 
   metadata:
     - userinfo:
-        oidc: test
-        client_id: test
-        client_secret: test
+        oidc: keycloak
+        client_id: auth-ruby
+        client_secret: 2e5246f2-f4ef-4d55-8225-36e725071dee
 
   authorization:
     - opa:
         uuid: 8fa79d93-0f93-4e23-8c2a-666be266cad1
+        endpoint: 'http://opa-service:8181'
         rego: |
           allow {
             http_request.method == "GET"
@@ -63,7 +56,7 @@ localhost:8000:
           }
 
           is_admin {
-            metadata.user_info.roles[_] == "admin"
+            identity.realm_access.roles[_] == "admin"
           }
     - jwt:
         enabled: false

diff --git a/auth-ruby/src/config/identity/oidc.rb b/auth-ruby/src/config/identity/oidc.rb
@@ -20,7 +20,8 @@ def endpoint
 end
 
 # not in the RFC, but keycloak has it
-OpenIDConnect::Discovery::Provider::Config::Response.attr_optional :token_introspection_endpoint
+OpenIDConnect::Discovery::Provider::Config::Response.attr_optional :token_introspection_endpoint, :introspection_endpoint
+OpenIDConnect::ResponseObject::IdToken.attr_optional :realm_access, :resource_access, :scope, :email_verified, :preferred_username, :email
 
 class Config::Identity::OIDC < Config::Identity
   def config
@@ -56,8 +57,8 @@ def to_s
       @token
     end
 
-    delegate :as_json, to: :@decoded, allow_nil: true
-    alias to_h as_json
+    delegate :raw_attributes, to: :@decoded, allow_nil: true
+    alias to_h raw_attributes # because OpenIDConnect::ResponseObject::IdToken#as_json will only return string values
 
     private def method_missing(symbol, *args, &block)
       return super unless @decoded

diff --git a/auth-ruby/src/config/metadata.rb b/auth-ruby/src/config/metadata.rb
@@ -12,7 +12,7 @@ def call(context)
       id = context.identity.fetch(oidc) { return }
       puts id
 
-      uri = URI(oidc.config.token_introspection_endpoint)
+      uri = URI(oidc.config.token_introspection_endpoint || oidc.config.introspection_endpoint)
       uri.user = client_id
       uri.password = client_secret
 

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -12,28 +12,33 @@ services:
     environment:
       LOG_LEVEL: debug
       COMPONENT_LOG_LEVEL: filter:trace,http:debug,router:debug
+      NGINX_HTTP_PORT_NUMBER: 8000
     expose:
-      - "80"
+      - "8000"
       - "8001"
     ports:
-      - "8000:80"
+      - "8000:8000"
       - "8001:8001"
 
   app:
     build:
       context: app
       dockerfile: Dockerfile
+    environment:
+      PORT: 3000
     networks:
       envoymesh:
         aliases:
           - app
     expose:
-      - "8080"
+      - "3000"
 
   ext-auth:
     build:
       context: auth-ruby
       dockerfile: Dockerfile
+    depends_on:
+      - opa-service
     networks:
       envoymesh:
         aliases:
@@ -70,5 +75,20 @@ services:
         aliases:
           - opa-service
 
+  keycloak:
+    image: jboss/keycloak
+    environment:
+      KEYCLOAK_USER: admin
+      KEYCLOAK_PASSWORD: p
+      KEYCLOAK_IMPORT: /tmp/import-realm.json -Dkeycloak.profile.feature.upload_scripts=enabled
+    volumes:
+      - ./keycloak-realm.json:/tmp/import-realm.json
+    ports:
+      - "8080:8080"
+    networks:
+      envoymesh:
+        aliases:
+          - keycloak
+
 networks:
   envoymesh: {}
diff --git a/envoy/envoy.yaml b/envoy/envoy.yaml
@@ -3,10 +3,10 @@ static_resources:
   - address:
       socket_address:
         address: 0.0.0.0
-        port_value: 80
+        port_value: 8000
     filter_chains:
     - filters:
-      
+
       - name: envoy.http_connection_manager
         typed_config:
           "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
@@ -109,7 +109,7 @@ static_resources:
             address:
               socket_address:
                 address: app
-                port_value: 8080
+                port_value: 3000
 
 admin:
   access_log_path: "/dev/null"