Keycloak setup

Keycloak

  • Select/create a Realm and Client. Select a Client and visit Settings.
  • Client Protocol: openid-connect
  • Access Type: confidential
  • Standard Flow Enabled: On
  • Configure Valid Redirect URIs.
  • Save.
  • Visit Credentials. Select Client ID and Secret and note the generated secret.

Vault

enable oidc auth

vault auth enable oidc

create oidc config

vault write auth/oidc/config \
  oidc_client_id="vault"  \
  oidc_client_secret="1ce5cf35-b2bf-4465-86b5-cb79f63b6714" \
  default_role="demo" \
  oidc_discovery_url="http://keycloak.computingforgeeks.com:8080/auth/realms/computingforgeeks.com"

create oidc role

vault write auth/oidc/role/demo user_claim="uid" \
  allowed_redirect_uris="http://localhost:8200/oidc/callback,http://vault.computingforgeeks.com:8200/ui/vault/auth/oidc/oidc/callback"  \
  groups_claim="groups" \
  policies=default
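As an added example (not from the page, Vault or Keycloak), the following offline check compares the Vault role above with the Keycloak client configured in the first section: every `allowed_redirect_uris` entry must be covered by the client's Valid Redirect URIs, `user_claim` and `groups_claim` must actually appear in the ID token, and the token issuer must equal `oidc_discovery_url`. The Keycloak redirect list and the ID-token claims are constructed sample data.

```python
from urllib.parse import urlparse
# Discovery URL from the page; Keycloak's realm issuer is this same URL.
DISCOVERY_URL = "http://keycloak.computingforgeeks.com:8080/auth/realms/computingforgeeks.com"

# Constructed: the Keycloak client's Valid Redirect URIs (a trailing * is Keycloak's wildcard).
KEYCLOAK_VALID_REDIRECTS = [
    "http://localhost:8200/*",
    "http://vault.computingforgeeks.com:8200/ui/vault/auth/oidc/oidc/callback",
]

# The Vault role as written on the page.
VAULT_ROLE = {
    "user_claim": "uid", "groups_claim": "groups",
    "allowed_redirect_uris": [
        "http://localhost:8200/oidc/callback",
        "http://vault.computingforgeeks.com:8200/ui/vault/auth/oidc/oidc/callback",
    ],
}

# Constructed: claims of an ID token Keycloak could issue for this client.
SAMPLE_ID_TOKEN_CLAIMS = {"iss": DISCOVERY_URL, "aud": "vault", "uid": "jdoe", "groups": ["/vault-admins"]}

def redirect_allowed(uri, patterns):
    """Keycloak accepts a redirect URI on exact match, or by prefix when the pattern ends in '*'."""
    for pat in patterns:
        if pat.endswith("*") and uri.startswith(pat[:-1]):
            return True
        if uri == pat:
            return True
    return False

def check_role(role, keycloak_redirects, claims, discovery_url):
    """Return findings; an empty list means the Vault role and Keycloak client agree."""
    findings = []
    for uri in role["allowed_redirect_uris"]:
        if not redirect_allowed(uri, keycloak_redirects):
            findings.append(f"redirect URI not in Keycloak Valid Redirect URIs: {uri}")
    for key in ("user_claim", "groups_claim"):
        if role[key] not in claims:
            findings.append(f"{key} '{role[key]}' absent from ID token; add a Keycloak protocol mapper")
    if claims.get("iss") != discovery_url:
        findings.append(f"issuer mismatch: token iss={claims.get('iss')!r}, discovery URL={discovery_url!r}")
    if urlparse(discovery_url).scheme != "https":
        findings.append("oidc_discovery_url is plaintext http: discovery document and signing keys are fetched unauthenticated")
    return findings

if __name__ == "__main__":
    for finding in check_role(VAULT_ROLE, KEYCLOAK_VALID_REDIRECTS, SAMPLE_ID_TOKEN_CLAIMS, DISCOVERY_URL):
        print("FINDING:", finding)
```

With the page's values the only finding is the plaintext discovery URL; dropping the `groups` claim from the sample token shows the mapper check firing.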
