keycloak

package module
v0.5.0

This package is not in the latest version of its module.

Published: Aug 3, 2023 License: MPL-2.0 Imports: 10 Imported by: 0

README

Keycloak Secrets via Vault

The purpose of this plugin is to provide Keycloak client secrets from Vault.

Setup

Please read the Vault Plugin documentation for how to enable and handle plugins in Vault.

Register plugin

Unzip the release file and copy the plugin binary into the vault plugin folder:

unzip vault-plugin-secrets-keycloak_0.4.0_linux_amd64.zip
cp vault-plugin-secrets-keycloak_v0.4.0 /etc/vault/plugin/keycloak-client-secrets

Then register the plugin:

vault plugin register -sha256=<checksum of the plugin binary> secret keycloak-client-secrets

Now, the plugin can be used in Vault.

Mount backend

Next, you have to mount a keycloak-client-secrets backend. Do this either by command line:

vault secrets enable --path=keycloak-client-secrets keycloak-client-secrets

or with Terraform:

resource "vault_mount" "keycloak-client-secrets" {
  type        = "keycloak-client-secrets"
  path        = "keycloak-client-secrets"
}

Create client

Create a client in Keycloak that Vault will use to access the client secrets. You can use our Terraform plugin to do this:

provider "keycloak" {
  url       = "https://auth.example.org/auth"
  client_id = "admin-cli"
}

module "keycloak_vault_config" {
  source          = "Serviceware/keycloak-client/vaultkeycloak"
  version         = "0.1.2"
  realm           = "master"
  vault_client_id = "vault"
}

The plugin takes the credentials from the Keycloak provider.

Configure default connection

Now, you can register a connection to Keycloak with:

vault write keycloak-client-secrets/config/connection \
    server_url="https://auth.example.org/auth" \
    realm="master" \
    client_id="vault" \
    client_secret="secr3t"

or by using our vaultkeycloak Terraform provider:

resource "vaultkeycloak_secret_backend" "keycloak-client-secrets-config" {
  path = "keycloak-client-secrets"
  
  server_url    = "https://auth.example.org/auth"
  realm         = "master"
  client_id     = "vault"
  client_secret = "secr3t"
}

The client secret is taken from the credentials tab of the client configuration in Keycloak.

Configure connection for specific realm

vault write keycloak-client-secrets/config/realms/realm123/connection \
    server_url="https://auth.example.org/auth" \
    client_id="vault" \
    client_secret="secr3t"

Read client secret of "default" realm

Assuming you have a client my-client in Keycloak, you can now read its client secret with:

vault read keycloak-client-secrets/clients/my-client/secret

The output looks like this:

Key              Value
---              -----
client_secret    some-very-secret-value
client_id        my-client
issuer           https://auth.example.org/auth/realms/master

Read client secret of specific realm

vault read keycloak-client-secrets/realms/my-realm/clients/my-client/secret

The output looks like this:

Key              Value
---              -----
client_secret    some-very-secret-value
client_id        my-client
issuer           https://auth.example.org/auth/realms/master
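The two read paths above differ only in whether the realm is taken from the path or from the default connection, and the issuer in the output is the server URL with /realms/<realm> appended. The following Go program is an added example, not code from the plugin: it models the default connection (config/connection) and per-realm overrides (config/realms/<realm>/connection) from the README, parses both documented read paths, and derives the issuer. ConnectionConfig mirrors the struct documented for this package; Validate, ConnectionStore, ParseSecretPath, Issuer, Resolve and ExampleStore are hypothetical helpers, and the fallback from an unconfigured realm to the default connection is an assumption the README does not confirm.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ConnectionConfig mirrors the struct documented for this package (same JSON tags).
type ConnectionConfig struct {
	ServerUrl    string `json:"server_url"`
	Realm        string `json:"realm"`
	ClientId     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

// Validate is an assumed helper, not part of the plugin: it rejects a connection the
// backend could not use and insists on TLS unless the server is loopback (as in the
// README's local "Test Run").
func (c ConnectionConfig) Validate(isDefault bool) error {
	u, err := url.Parse(c.ServerUrl)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("server_url %q is not an absolute URL", c.ServerUrl)
	}
	loopback := u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1"
	if u.Scheme != "https" && !loopback {
		return errors.New("server_url must use https (plain http only for loopback test setups)")
	}
	if c.ClientId == "" || c.ClientSecret == "" {
		return errors.New("client_id and client_secret are required")
	}
	if isDefault && c.Realm == "" {
		return errors.New("the default connection must name a realm")
	}
	return nil
}

// ConnectionStore models what the two config paths write: config/connection (the
// default) and config/realms/<realm>/connection (per-realm overrides).
type ConnectionStore struct {
	Default *ConnectionConfig
	Realms  map[string]ConnectionConfig
}

// SecretRequest is the (realm, client) pair a read path resolves to.
type SecretRequest struct {
	Realm    string // empty means "use the default connection's realm"
	ClientID string
}

// ParseSecretPath accepts the two read paths documented in the README, relative to
// the mount point: clients/<client>/secret and realms/<realm>/clients/<client>/secret.
func ParseSecretPath(p string) (SecretRequest, error) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	switch {
	case len(parts) == 3 && parts[0] == "clients" && parts[1] != "" && parts[2] == "secret":
		return SecretRequest{ClientID: parts[1]}, nil
	case len(parts) == 5 && parts[0] == "realms" && parts[1] != "" &&
		parts[2] == "clients" && parts[3] != "" && parts[4] == "secret":
		return SecretRequest{Realm: parts[1], ClientID: parts[3]}, nil
	}
	return SecretRequest{}, fmt.Errorf("unsupported path %q", p)
}

// Issuer reproduces the issuer shown in the README output: <server_url>/realms/<realm>.
func Issuer(serverURL, realm string) string {
	return strings.TrimRight(serverURL, "/") + "/realms/" + realm
}

// Resolve picks the connection for a request: a realm-specific connection wins when
// one was written for that realm, otherwise the default connection is used with the
// requested realm (assumption: the README does not state this fallback).
func (s ConnectionStore) Resolve(req SecretRequest) (ConnectionConfig, string, error) {
	realm := req.Realm
	if realm == "" {
		if s.Default == nil {
			return ConnectionConfig{}, "", errors.New("no default connection configured")
		}
		realm = s.Default.Realm
	}
	if c, ok := s.Realms[realm]; ok {
		c.Realm = realm
		return c, Issuer(c.ServerUrl, realm), nil
	}
	if s.Default == nil {
		return ConnectionConfig{}, "", fmt.Errorf("no connection configured for realm %q", realm)
	}
	c := *s.Default
	c.Realm = realm
	return c, Issuer(c.ServerUrl, realm), nil
}

// ExampleStore builds a constructed store from the README's sample values.
func ExampleStore() ConnectionStore {
	return ConnectionStore{
		Default: &ConnectionConfig{ServerUrl: "https://auth.example.org/auth", Realm: "master", ClientId: "vault", ClientSecret: "secr3t"},
		Realms: map[string]ConnectionConfig{
			"realm123": {ServerUrl: "https://auth.example.org/auth", ClientId: "vault", ClientSecret: "secr3t"},
		},
	}
}

func main() {
	store := ExampleStore()
	for _, p := range []string{"clients/my-client/secret", "realms/realm123/clients/my-client/secret", "realms/x/clients/y/nope"} {
		req, err := ParseSecretPath(p)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		conn, issuer, err := store.Resolve(req)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		// The client secret is never printed; realm and issuer are enough to debug routing.
		fmt.Printf("%-42s realm=%-9s client=%-10s issuer=%s\n", p, conn.Realm, req.ClientID, issuer)
	}
}
```

Validate allows plain http only for localhost and 127.0.0.1, which matches the README's Test Run against http://localhost:8080/auth while refusing an unencrypted connection to a real Keycloak host.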

Test Run

export VAULT_ADDR="http://127.0.0.1:8200"
make build && make start
make enable
vault write keycloak/config/connection \
    server_url="http://localhost:8080/auth" \
    realm="master" \
    client_id="vault" \
    client_secret="sec3t"

vault read keycloak/clients/foo/secret

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Factory

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory configures and returns Keycloak backends

Types

type ConnectionConfig added in v0.3.0

type ConnectionConfig struct {
	ServerUrl    string `json:"server_url"`
	Realm        string `json:"realm"`
	ClientId     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

ConnectionConfig contains the information required to make a connection to a Keycloak server (the doc comment in the source still reads "RabbitMQ node").

type GoCloakBasedKeycloakService added in v0.3.0

type GoCloakBasedKeycloakService struct {
	// contains filtered or unexported fields
}

func (*GoCloakBasedKeycloakService) GetClientSecret added in v0.3.0

func (g *GoCloakBasedKeycloakService) GetClientSecret(ctx context.Context, token string, realm string, clientID string) (*gocloak.CredentialRepresentation, error)

func (*GoCloakBasedKeycloakService) GetClients added in v0.3.0

func (g *GoCloakBasedKeycloakService) GetClients(ctx context.Context, token string, realm string, params gocloak.GetClientsParams) ([]*gocloak.Client, error)

func (*GoCloakBasedKeycloakService) GetWellKnownOpenidConfiguration added in v0.3.0

func (g *GoCloakBasedKeycloakService) GetWellKnownOpenidConfiguration(ctx context.Context, realm string) (*keycloakservice.WellKnownOpenidConfiguration, error)

func (*GoCloakBasedKeycloakService) LoginClient added in v0.3.0

func (g *GoCloakBasedKeycloakService) LoginClient(ctx context.Context, clientID string, clientSecret string, realm string) (*gocloak.JWT, error)

Implements KeycloakService and delegates its methods to the gocloak client.

type GoCloakFactory

type GoCloakFactory struct {
}

func (*GoCloakFactory) NewClient

Directories

Path Synopsis
cmd
