...

  • Create a new Realm - ex: enterprise1
  • Add Users
  • Create a new Client under the realm - ex: emco
  • Under Settings for the client:
    • Change Access Type for the client to confidential
    • Under Authentication Flow Overrides, change Direct Grant Flow to direct grant
    • Update Valid Redirect URIs
  • In the Roles tab:
    • Add roles (ex. Admin and User)
    • Under Users, assign roles from the emco client to the users (Admin and User). Verify under the user's Client Roles for emco that the user holds the role
  • Add Mappers
    • Under the emco client, in the Mappers tab, create a mapper:
      • Mapper Type: User Client Role
      • Client ID: emco
      • Token Claim Name: role
      • Claim JSON Type: string
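A check for the outcome of the steps above, added here as an example (not part of the original page, of EMCO or of Keycloak): it decodes a token's payload and confirms that the issuer, the requesting client and the role claim emitted by the mapper are what the Istio Policy and AuthorizationPolicies later rely on. The Keycloak host, user and token are constructed placeholders; a real token would be obtained from the emco client's direct grant (password) flow at /auth/realms/<realm>/protocol/openid-connect/token.

```python
import base64
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned stand-in for a Keycloak access token; the signature
    # segment is a dummy because this check never verifies it (Istio does, via jwksUri).
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     "dummy-signature"])

def jwt_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))

def check_role_claim(token: str, keycloak_base: str, realm: str, client_id: str = "emco") -> list:
    """Return a list of problems with the token (empty when the Keycloak setup produced what Istio needs)."""
    p = jwt_payload(token)
    problems = []
    # Istio's Policy matches the issuer string exactly; Keycloak sets it to the realm URL.
    expected_iss = f"{keycloak_base}/auth/realms/{realm}"
    if p.get("iss") != expected_iss:
        problems.append(f"iss is {p.get('iss')!r}, the Istio Policy expects {expected_iss!r}")
    # Keycloak records the requesting client id in 'azp'.
    if p.get("azp") != client_id:
        problems.append(f"token was not issued to client {client_id!r}")
    # The 'role' claim is what the User Client Role mapper adds and what
    # request.auth.claims[role] in an AuthorizationPolicy reads.
    role = p.get("role")
    if role is None:
        problems.append("no 'role' claim: mapper missing, or not added to the access token")
    elif not isinstance(role, (str, list)):
        problems.append(f"'role' claim has unexpected type {type(role).__name__}")
    return problems

# Constructed sample: placeholder Keycloak host, a user holding the emco client's Admin role.
KEYCLOAK = "https://keycloak.example:31567"
SAMPLE = make_sample_token({"iss": f"{KEYCLOAK}/auth/realms/enterprise1", "azp": "emco",
                            "preferred_username": "alice", "role": "Admin"})
```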

For complete documentation of Keycloak refer to these links:

...

Code Block (yml) - Authentication Policy
---
  apiVersion: "authentication.istio.io/v1alpha1"
  kind: "Policy"
  metadata:
    name: "orchestrator-authn-policy"
    namespace: istio-system
  spec:
    origins:
      - jwt:
          issuer: "https://x.x.x.x:31567<url>/auth/realms/enterprise1"
          jwksUri: "http://x.x.x.x:32431<url>/auth/realms/enterprise1/protocol/openid-connect/certs"
      - jwt:
          issuer: "https://x.x.x.x:31567<url>/auth/realms/enterprise2"
          jwksUri: "http://x.x.x.x:32431<url>/auth/realms/enterprise2/protocol/openid-connect/certs"
    principalBinding: USE_ORIGIN

...

Code Block (yml) - Authservice configmap
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: emco-authservice-configmap
  namespace: istio-system
data:
  config.json: |
    {
      "listen_address": "127.0.0.1",
      "listen_port": "10003",
      "log_level": "trace",
      "threads": 8,
      "chains": [
        {
          "name": "idp_filter_chain_1",
          "match": {
            "header": ":path",
            "prefix": "/v2/projects/enterprise1"
          },
          "filters": [
            {
              "oidc": {
                "authorization_uri": "https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/auth",
                "token_uri": "https://x.x.x.x:<port>/auth/realms/enterprise1/protocol/openid-connect/token",
                "callback_uri": "https://x.x.x.x:<port>/v2/projects/enterprise1/oauth/callback",
                "jwks": "{\"keys\":[{\"kid\":\"xxxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"zzzzzzz\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"z7Qrc2nAlK8EVmkiKtz0bOWxugE\",\"x5t#S256\":\"xxxxxxxxx\"}]}",
                "client_id": "emco",
                "client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
                "scopes": [],
                "id_token": {
                  "preamble": "Bearer",
                  "header": "Authorization"
                },
                "access_token": {
                  "preamble": "Bearer",
                  "header": "Authorization"
                }
              }
            }
          ]
        },
        {
          "name": "idp_filter_chain_2",
          "match": {
            "header": ":path",
            "prefix": "/v2/projects/enterprise2"
          },
          "filters": [
            {
              "oidc": {
                "authorization_uri": "https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/auth",
                "token_uri": "https://x.x.x.x:<port>/auth/realms/enterprise2/protocol/openid-connect/token",
                "callback_uri": "https://x.x.x.x:<port>/v2/projects/enterprise2/oauth/callback",
                "jwks": "{\"keys\":[{\"kid\":\"xxxx\",\"kty\":\"RSA\",\"alg\":\"RS256\",\"use\":\"sig\",\"n\":\"xxxx\",\"e\":\"AQAB\",\"x5c\":[\"xxxxxx\"],\"x5t\":\"xxxxxxx\",\"x5t#S256\":\"xxxxxxx\"}]}",
                "client_id": "emco",
                "client_secret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\nxxxxxxxx\r\n-----END CERTIFICATE-----\r\n",
                "scopes": [],
                "id_token": {
                  "preamble": "Bearer",
                  "header": "Authorization"
                },
                "access_token": {
                  "preamble": "Bearer",
                  "header": "Authorization"
                }
              }
            }
          ]
        }
      ]
    }
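An added consistency check for the configmap above (example code, not part of EMCO or of authservice): it walks the config.json structure as a dict and flags a callback_uri whose path falls outside its chain's match prefix (the callback would then not be handled by the chain that started the login), an embedded jwks that does not parse or carries no signing key, and a trusted_certificate_authority that is not PEM. The hosts, key material and secret in the sample chains are constructed placeholders.

```python
import json
from urllib.parse import urlparse

def lint_authservice_config(cfg: dict) -> list:
    """Return findings for an authservice config.json dict; an empty list means it passed."""
    findings = []
    for chain in cfg.get("chains", []):
        name = chain.get("name", "<unnamed>")
        prefix = chain.get("match", {}).get("prefix", "")
        for flt in chain.get("filters", []):
            oidc = flt.get("oidc")
            if not oidc:
                continue
            # The OIDC callback must be routed through this same chain, so its path has to sit under the prefix.
            cb_path = urlparse(oidc.get("callback_uri", "")).path
            if not cb_path.startswith(prefix):
                findings.append(f"{name}: callback_uri path {cb_path!r} is outside match prefix {prefix!r}")
            # jwks is a JSON string embedded in the config: it must parse and carry a signing key,
            # and it has to be refreshed by hand whenever Keycloak rotates the realm key.
            try:
                keys = json.loads(oidc.get("jwks", "")).get("keys", [])
            except (ValueError, AttributeError):
                keys = []
            if not any(k.get("use") == "sig" and k.get("kid") for k in keys):
                findings.append(f"{name}: jwks has no signing key with a kid")
            if not oidc.get("trusted_certificate_authority", "").startswith("-----BEGIN CERTIFICATE-----"):
                findings.append(f"{name}: trusted_certificate_authority is not a PEM certificate")
    return findings

def sample_chain(realm: str, prefix: str) -> dict:
    # Constructed stand-in for one chain of the configmap above; host, key and secret are placeholders.
    kc = "https://keycloak.example:8443"
    return {"name": f"idp_filter_chain_{realm}", "match": {"header": ":path", "prefix": prefix},
            "filters": [{"oidc": {
                "authorization_uri": f"{kc}/auth/realms/{realm}/protocol/openid-connect/auth",
                "token_uri": f"{kc}/auth/realms/{realm}/protocol/openid-connect/token",
                "callback_uri": f"https://emco.example/v2/projects/{realm}/oauth/callback",
                "jwks": json.dumps({"keys": [{"kid": "k1", "kty": "RSA", "alg": "RS256",
                                              "use": "sig", "n": "placeholder", "e": "AQAB"}]}),
                "client_id": "emco", "client_secret": "<client secret>",
                "trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\r\n<pem>\r\n-----END CERTIFICATE-----\r\n",
                "scopes": []}}]}

SAMPLE_CONFIG = {"listen_address": "127.0.0.1", "listen_port": "10003", "log_level": "trace", "threads": 8,
                 "chains": [sample_chain("enterprise1", "/v2/projects/enterprise1"),
                            sample_chain("enterprise2", "/v2/projects/enterprise2")]}
```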

Authorization Policies with Istio

As described in the Keycloak section, role mappers are created in Keycloak so that a user's client roles appear as a claim in the token. Istio can use that claim to apply authorization for users. Some examples that can be used:

Code Block (yml) - Authorization Policies
apiVersion: "security.istio.io/v1beta1"
kind: AuthorizationPolicy
metadata:
  name: allow-admin
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - when:
    - key: request.auth.claims[role]
      values: ["ADMIN"]

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-user
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/v2/projects/enterprise1/*"]
    when:
    - key: request.auth.claims[role]
      values: ["USER"]
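An added evaluator for the two policies above (example code, not Istio's implementation) that applies the ALLOW semantics Istio uses on the ingress gateway: once an ALLOW policy selects the workload, a request is admitted only if some rule matches, path values accept a leading or trailing *, and claim values are compared exactly and case-sensitively, so a token whose role claim reads Admin or User (the role names created in the Keycloak steps) does not satisfy ADMIN or USER. The policies are transcribed from the YAML above; the request paths and claims in the tests are constructed.

```python
import re

def istio_match(pattern: str, value: str) -> bool:
    # Istio string matching: exact, "prefix*", "*suffix" or "*" (case-sensitive).
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def claim_values(claims: dict, key: str) -> list:
    # Resolve a 'request.auth.claims[name]' key against the token claims; list claims match any member.
    m = re.fullmatch(r"request\.auth\.claims\[(.+)\]", key)
    raw = claims.get(m.group(1)) if m else None
    raw = raw if isinstance(raw, list) else [raw]
    return [v for v in raw if isinstance(v, str)]

def rule_matches(rule: dict, path: str, claims: dict) -> bool:
    # 'to' entries are OR-ed; every 'when' condition must hold.
    tos = rule.get("to", [])
    if tos and not any(any(istio_match(p, path) for p in t.get("operation", {}).get("paths", ["*"]))
                       for t in tos):
        return False
    for cond in rule.get("when", []):
        actual = claim_values(claims, cond["key"])
        if not any(istio_match(want, have) for want in cond["values"] for have in actual):
            return False
    return True

def is_allowed(policies: list, path: str, claims: dict) -> bool:
    # With at least one ALLOW policy on the workload, a request is admitted only if some ALLOW rule matches.
    allow = [p for p in policies if p["action"] == "ALLOW"]
    if not allow:
        return True
    return any(rule_matches(r, path, claims) for p in allow for r in p["rules"])

# The two policies above, transcribed from the YAML into dicts.
POLICIES = [
    {"name": "allow-admin", "action": "ALLOW",
     "rules": [{"when": [{"key": "request.auth.claims[role]", "values": ["ADMIN"]}]}]},
    {"name": "allow-user", "action": "ALLOW",
     "rules": [{"to": [{"operation": {"paths": ["/v2/projects/enterprise1/*"]}}],
                "when": [{"key": "request.auth.claims[role]", "values": ["USER"]}]}]},
]
```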