Keycloak Plugin
Akeyless provides an additional way of user authentication in the Keycloak Identity Platform using signed JWT tokens.
Users that have a valid JWT token issued by Akeyless, which includes their email address, can use this token to authenticate in Keycloak platform instead of using their username/password.
Installing Akeyless Keycloak Authenticator
Download the latest version of the plugin from:
https://akeyless.jfrog.io/artifactory/akeyless-keycloak/io/akeyless/akeyless-keycloak/
Or use the following Maven dependency definition:
<dependency>
<groupId>io.akeyless</groupId>
<artifactId>akeyless-keycloak</artifactId>
<version>Specify the plugin version here</version>
<scope>compile</scope>
</dependency>
In order to deploy this plugin into a Keycloak environment copy the akeyless-keycloak-<version>-jar-with-dependencies.jar
into your Keycloak deployments
folder.
Verify your deployment in Keycloak logs:
[org.jboss.as.repository] (DeploymentScanner-threads - 1) WFLYDR0001: Content added at location /opt/bitnami/keycloak/standalone/data/content/4d/ab9072c416eabb61fe0aa72f94bbc44acb1110/content
[org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "akeyless-keycloak-jar-with-dependencies.jar" (runtime-name: "akeyless-keycloak-jar-with-dependencies.jar"
[org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: akeyless-keycloak-jar-with-dependencies.jar
[org.keycloak.services] (MSC service thread 1-2) KC-SERVICES0047: akeyless-authenticator (io.akeyless.AkeylessAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice
[org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "akeyless-keycloak-jar-with-dependencies.jar" (runtime-name : "akeyless-keycloak-jar-with-dependencies.jar")
Note
When working with ephemeral containers,
deployments
folder should be mounted using persistent volumes.
Setting up Akeyless Keycloak Authenticator
After successful deployment, Keycloak administrator must configure the browser authentication flow to use Akeyless Authenticator as an alternative to other authentication methods.
Navigate to "Authentication", Select "Browser" in the combo-box, and click "Copy":
Name the flow as Akeyless Browser and click Save.
Click Add execution, select Akeyless from the combo-box and save:
Move "Akeyless" up and mark it as "Alternative" instead of "Disabled":
On the "Bindings" tab, select "Akeyless Browser" in the combo box next to the "Browser Flow" label. Click "Save":
Using Keycloak Authenticator
Akeyless Keycloak Authenticator uses JWT tokens signed by Akeyless to establish user identity.
Tokens used by Akeyless Authenticator must include user’s email address.
The token can be extracted via SAML authentication, and then retrieving the token from temporary credentials file:
$ akeyless auth --access-type saml --access-id <saml-access-id>
Authentication succeeded.
Token: <temporary token>
$ cat ~/.akeyless/.tmp_creds/<same-random-string-as-above> | jq .uam_creds -r
<JWT Token value>
This JWT token value should be used in Keycloak.
Initiate SAML authentication using your Keycloak deployment, and instead of using username/password on Keycloak login page, modify the URL by adding &creds=<jwt token value>
parameter, and hit “Enter”.
If the provided JWT token is valid, and includes an email address of an existing Keycloak user, that user will be authenticated successfully, and the user will be redirected to the final address.
Updated 11 months ago