Demonstrates the use of the SPIFFE Identity Provider for Keycloak, enabling a Quarkus-based application to use Client Assertion for a Keycloak Confidential client and so avoid the use of Client IDs and Secrets.
- Keycloak 26.5.0+
- Kubernetes Cluster with SPIFFE deployed / OpenShift with Zero Trust Workload Identity Manager (ZTWIM)
Within a standard Kubernetes cluster, deploy SPIFFE using your preferred method (Helm Charts recommended). Ensure that the SPIRE Server property `default_jwt_svid_ttl` is set to a short timespan (such as 5m). When deploying Zero Trust Workload Identity Manager on OpenShift, the default value of `default_jwt_svid_ttl` is 5m0s, so no further modifications are necessary.
Deploy an instance of Keycloak to an infrastructure provider of your choosing (traditional machine or container/Kubernetes). When starting the Keycloak server, the `client-auth-federated` and `spiffe` features must be enabled.
See the Keycloak Configuration below for steps to configure the Keycloak instance.
Before beginning to configure components and deploy the Quarkus application, set the following environment variables.

Set the SPIFFE trust domain:

```shell
SPIFFE_TRUST_DOMAIN=<spiffe_trust_domain>
```

Set the hostname for the Ingress that will be created for the Quarkus application:

```shell
QUARKUS_HOST=<quarkus_host>
```

Set whether the Kubernetes cluster is an OpenShift environment:

```shell
OPENSHIFT=<true|false>
```

Utilize these steps to configure the already deployed Keycloak instance.
- Click Manage realms
- Click Create realm
- Enter `keycloakcon`
- Click Create
- Within the keycloakcon realm, click Identity Providers
- Click SPIFFE. If you do not see it present in the list of available Identity Providers, ensure that Keycloak has been started with the required features enabled.
- Leave the alias at the default value (`spiffe`)
- Enter the SPIFFE Trust Domain (in the format `spiffe://$SPIFFE_TRUST_DOMAIN`)
- Enter the location of the SPIFFE OIDC JWKS endpoint. This value can be found within the OIDC Well Known Endpoint documentation
Create a Confidential Client representing the Quarkus application
- Within the keycloakcon realm, click Clients
- Click Create client
- Enter `keycloakcon-spiffe-webapp` in the Client ID field and click Next
- Enable Client Authentication, select Service account roles and click Next
- In the Valid redirect URIs field, enter the URL of the Quarkus Application and click Save
- On the Credentials tab, under Client authenticator, select Signed JWT - Federated
- Enter `spiffe` in the Identity provider field and enter `spiffe://$SPIFFE_TRUST_DOMAIN/ns/keycloakcon/sa/keycloakcon-spiffe-webapp` in the Federated subject field. Click Save
Note: The values within the Federated subject may differ if you have chosen to customize either SPIFFE or the deployment of the Quarkus application
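Keycloak verifies the JWT-SVID signature against the SPIFFE JWKS endpoint configured above; what a practitioner typically still wants is a quick way to confirm that an SVID issued by their SPIRE deployment actually carries the subject entered in the Federated subject field and honours the short `default_jwt_svid_ttl` described earlier. The following check is an added example, not part of this repository; the trust domain `example.org` and the constructed, unsigned tokens are assumptions used only for local testing.

```python
import base64
import json

# Assumed values, built the same way this guide builds the Federated subject.
TRUST_DOMAIN = "example.org"
EXPECTED_SUBJECT = f"spiffe://{TRUST_DOMAIN}/ns/keycloakcon/sa/keycloakcon-spiffe-webapp"
MAX_TTL_SECONDS = 5 * 60  # mirrors default_jwt_svid_ttl = 5m


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS without verifying the signature
    (signature verification against the JWKS endpoint is Keycloak's job)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_svid(token: str, expected_subject: str = EXPECTED_SUBJECT,
               max_ttl: int = MAX_TTL_SECONDS) -> list:
    """Return a list of problems; an empty list means the SVID's claims match
    what the Keycloak client expects for a federated client assertion."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("sub") != expected_subject:
        problems.append(f"sub {claims.get('sub')!r} != federated subject {expected_subject!r}")
    if "exp" not in claims or "iat" not in claims:
        problems.append("missing exp/iat claims")
    elif claims["exp"] - claims["iat"] > max_ttl:
        problems.append(f"lifetime {claims['exp'] - claims['iat']}s exceeds {max_ttl}s; "
                        "lower default_jwt_svid_ttl on the SPIRE Server")
    if not claims.get("aud"):
        problems.append("missing aud claim")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned token for local testing only (not a real SVID)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"
```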
Create a user to authenticate to the Quarkus application
- Within the keycloakcon realm, click Users
- Click Create a new user
- Toggle Email verified to enabled
- Enter a Username (such as `keycloakcon-user`)
- Enter an Email (such as `[email protected]`)
- Enter a First name (such as `KeycloakCon`)
- Enter a Last name (such as `User`)
- Click Create
- Click the Credentials tab and click Set password
- Fill in a desired password in the Password and Password Confirmation fields. Unselect Temporary and then click Save
The Quarkus application is deployed to a Kubernetes/OpenShift cluster using Helm. The following variables are required:

- `keycloak.issuerURL` - URL of the Keycloak `keycloakcon` realm
- `ingress.host` - Hostname that will be exposed for this application
- `openshift` - Whether to target a deployment to an OpenShift environment
Deploy the application by running the following command:
```shell
helm upgrade -i -n keycloakcon --create-namespace keycloakcon-spiffe-webapp charts/keycloakcon-spiffe-webapp --set keycloak.issuerURL=$KEYCLOAK_ISSUER_URL --set ingress.host=$QUARKUS_HOST --set openshift=$OPENSHIFT
```

Navigate to the host defined in the `$QUARKUS_HOST` variable. You should be redirected to Keycloak to authenticate with the user created within the `keycloakcon` realm. Once successfully authenticated, details of the SPIFFE JWT used for the client assertion, along with the JWT of the authenticated user, will be displayed.