guard
Supporting a Keycloak/Generic Provider
We'd like to support Keycloak (using OIDC) as an authn provider for our Guard setup. Is this something the team would accept as a PR / is there prior discussion around adding new providers that I should be aware of?
Thanks, @vishalkuo for opening the issue. For OIDC, what support is needed in Guard? I thought you just need to configure kubectl properly:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl
I think we just want to manage all our authn via guard instead of dividing it between guard and the kubectl API. I'm not sure if there's another easier way to have all auth, including generic OIDC, go through guard.
Can you please outline the changes/additions needed in Guard?
I imagine what we'd want is a new provider here of type generic or keycloak. This provider would probably be similar to the google one as it'll verify claims and construct an authv1.UserInfo populated with the necessary user information.
Sounds good. If you want to open PRs, you are welcome. Please note that you need to add e2e tests to make sure things work.