Skip to content

Add OIDC Provider to Keycloak

Warning

This is not a complete recipe - it's an optional component of the Keycloak recipe, but has been split into its own page to reduce complexity.

Having an authentication provider is not much use until you start authenticating things against it! In order to authenticate against Keycloak using OpenID Connect (OIDC), which is required for Traefik Forward Auth, we'll setup a client in Keycloak...

Ingredients

Summary

Existing:

New:

  • The URI(s) to protect with the OIDC provider. Refer to the Traefik Forward Auth recipe for more information

Preparation

Create Client

Within the "Master" realm (no need for more realms yet), navigate to Clients, and then click Create at the top right:

Navigating to the add user interface in Keycloak

Enter a name for your client (remember, we're authenticating applications now, not users, so use an application-specific name):

Adding a client in Keycloak

Configure Client

Once your client is created, set at least the following, and click Save

  • Access Type : Confidential
  • Valid Redirect URIs : <The URIs you want to protect>

Set Keycloak client to confidential access type, add redirect URIs

Retrieve Client Secret

Now that you've changed the access type, and clicked Save, an additional Credentials tab appears at the top of the window. Click on the tab, and capture the Keycloak-generated secret. This secret, plus your client name, is required to authenticate against Keycloak via OIDC.

Capture client secret from Keycloak

Summary

We've setup an OIDC client in Keycloak, which we can now use to protect vulnerable services using Traefik Forward Auth. The OIDC URL provided by Keycloak in the master realm, is https://<your-keycloak-url>/realms/master/.well-known/openid-configuration

Summary

Created:

  • Client ID and Client Secret used to authenticate against Keycloak with OpenID Connect

Chef's notes 📓

///Footnotes Go Here///

Tip your waiter (sponsor) 👏

Did you receive excellent service? Want to compliment the chef? (..and support development of current and future recipes!) Sponsor me on Github / Ko-Fi / Patreon, or see the contribute page for more (free or paid) ways to say thank you! 👏

Employ your chef (engage) 🤝

Is this too much of a geeky PITA? Do you just want results, stat? I do this for a living - I'm a full-time Kubernetes contractor, providing consulting and engineering expertise to businesses needing short-term, short-notice support in the cloud-native space, including AWS/Azure/GKE, Kubernetes, CI/CD and automation.

Learn more about working with me here.

Flirt with waiter (subscribe) 💌

Want to know now when this recipe gets updated, or when future recipes are added? Subscribe to the RSS feed, or leave your email address below, and we'll keep you updated.

Your comments? 💬