Auth for Service Accounts/Keycloak Clients

[tmaroschik]

In Keycloak one can activate a service account for every client. This client can then get a token via the client_credentials grant. This is used in cases where no user is interacting, for example in CI environments. See here for more details https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/oidc/service-accounts.adoc

We're using a gatekeeper in front of nexus that takes care of auth. It resolves the token properly and permits access to nexus. Unfortunately it appears, that the nexus keycloak plugin cannot find the user/service account from the access token. These service accounts don't get listed in the users view of nexus. Those client tokens contain the client ID prefixed with "service-account-". There is also an API endpoint to retrieve those user names here, in case this ever changes. https://www.keycloak.org/docs-api/12.0/rest-api/index.html#_getserviceaccountuser

Would it be possible to support this type of auth via your plugin?

[flytreeleft]

@tmaroschik It is good advice, I will try to add the support into the plugin. Thank you :)

[flytreeleft]

@tmaroschik Why didn't you create a User Account for the CI building? I think it will be more convenient than the Service Account, because the Service Account is owned by the Client, it should be used by the Client for checking whether the user can log in to itself or not, not for logging in to another Client.

[tmaroschik]

@flytreeleft Imagine having a fleet of servers that are all OIDC clients. The same servers also need to pull packages from nexus. As they do this on their own, there is no user involved.

Of course we could create a user for every server, but this way we break the separation between machine and person accounts. In this keycloak realm, users cannot login via username and password, but only via other identity providers. It would be difficult to create "machine accounts" there as all those providers use two factor auth.

[flytreeleft]

@tmaroschik OK, I get the point. Let me think how to implement it for a while. :)

[flytreeleft]

@tmaroschik This feature is supported in the release 0.6.0-prev1-SNAPSHOT, you can have a try :).

Please use the client service account (which is prefixed with service-account-) as the username, and the client secret as the password for logging in.

[tmaroschik]

Thanks. This looks good. Will try it this week.

[tmaroschik]

@flytreeleft It has been some time, but I could finally test it. It didn't work with keycloak 12, which we've been using. The userinfo endpoint didn't work for service accounts.

With keycloak > 12 logging in with a service account token works now 👍

[flytreeleft]

@tmaroschik 👍 Thanks for your feedback. I will check what's the problem with Keycloak 12.

[tmaroschik]

Keycloak 12 quits with an error 500 if you try to get information about the service account. This is a known issue there and has been solved in the later versions.

[flytreeleft]

@tmaroschik Thanks, you saved my time, I just need to add a comment for warning this issue with Keycloak 12. 😄