rgw/sts: configuration steps to add tags to a user in

Keycloak.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>

diff --git a/doc/images/keycloak-adduser.png b/doc/images/keycloak-adduser.png
new file mode 100644 (file)
index 0000000..03d9048
Binary files /dev/null and b/doc/images/keycloak-adduser.png differ

diff --git a/doc/images/keycloak-userclientmapper.png b/doc/images/keycloak-userclientmapper.png
new file mode 100644 (file)
index 0000000..814b5e0
Binary files /dev/null and b/doc/images/keycloak-userclientmapper.png differ

diff --git a/doc/images/keycloak-usercredentials.png b/doc/images/keycloak-usercredentials.png
new file mode 100644 (file)
index 0000000..a01ab79
Binary files /dev/null and b/doc/images/keycloak-usercredentials.png differ

diff --git a/doc/images/keycloak-userdetails.png b/doc/images/keycloak-userdetails.png
new file mode 100644 (file)
index 0000000..3251a39
Binary files /dev/null and b/doc/images/keycloak-userdetails.png differ

diff --git a/doc/images/keycloak-usertags.png b/doc/images/keycloak-usertags.png
new file mode 100644 (file)
index 0000000..ee3fecf
Binary files /dev/null and b/doc/images/keycloak-usertags.png differ

diff --git a/doc/radosgw/keycloak.rst b/doc/radosgw/keycloak.rst
index ccb156d20da549533bcc3113a4ac4d3d7614d79b..534c4733abb46136dd5b7612052c62868c9d1a26 100644 (file)
--- a/doc/radosgw/keycloak.rst
+++ b/doc/radosgw/keycloak.rst
@@ -15,8 +15,7 @@ Installing and bringing up Keycloak can be found here: https://www.keycloak.org/
 Configuring Keycloak to talk to RGW
 ===================================
 
-The following configurables have to be added for RGW to talk to Keycloak. 
-The format of token inspection url is https://[base-server-url]/token/introspect::
+The following configurables have to be added for RGW to talk to Keycloak::
 
   [client.radosgw.gateway]
   rgw sts key = {sts key for encrypting/ decrypting the session token}
@@ -26,8 +25,8 @@ Example showing how to fetch a web token from Keycloak
 ======================================================
 
 Several examples of apps authenticating with Keycloak are given here: https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md
-Taking the example of app-profile-jee-jsp app given in the link above, its client secret and client password, can be used to fetch the
-access token (web token) as given below::
+Taking the example of app-profile-jee-jsp app given in the link above, its client id and client secret, can be used to fetch the
+access token (web token) for an application using grant type 'client_credentials' as given below::
 
     KC_REALM=demo
     KC_CLIENT=<client id>
@@ -49,5 +48,80 @@ access token (web token) as given below::
 
     KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
 
+An access token can also be fetched for a particular user with grant type 'password', using client id, client secret, username and its password
+as given below::
+
+    KC_REALM=demo
+    KC_USERNAME=<username>
+    KC_PASSWORD=<userpassword>
+    KC_CLIENT=<client id>
+    KC_CLIENT_SECRET=<client secret>
+    KC_SERVER=<host>:8080
+    KC_CONTEXT=auth
+
+   # Request Tokens for credentials
+    KC_RESPONSE=$( \
+    curl -k -v -X POST \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "scope=openid" \
+    -d "grant_type=password" \
+    -d "client_id=$KC_CLIENT" \
+    -d "client_secret=$KC_CLIENT_SECRET" \
+    -d "username=$KC_USERNAME" \
+    -d "password=$KC_PASSWORD" \
+    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
+    | jq .
+    )
+
+    KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
+
+
 KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in
 :doc:`STS`.
+
+Attaching tags to a user in Keycloak
+====================================
+
+We need to create a user in keycloak, and add tags to it as its attributes.
+
+Add a user as shown below:
+
+.. image:: ../images/keycloak-adduser.png
+   :align: center
+
+Add user details as shown below:
+
+.. image:: ../images/keycloak-userdetails.png
+   :align: center
+
+Add user credentials as shown below:
+
+.. image:: ../images/keycloak-usercredentials.png
+   :align: center
+
+Add tags to the 'attributes' tab of the user as shown below:
+
+.. image:: ../images/keycloak-usertags.png
+   :align: center
+
+Add a protocol mapper for the user attribute to a client as shown below:
+
+.. image:: ../images/keycloak-userclientmapper.png
+   :align: center
+
+
+After following the steps shown above, the tag 'Department' will appear in the JWT (web token), under 'https://aws.amazon.com/tags' namespace.
+The tags can be verified using token introspection of the JWT. The command to introspect a token using client id and client secret is shown below::
+
+    KC_REALM=demo
+    KC_CLIENT=<client id>
+    KC_CLIENT_SECRET=<client secret>
+    KC_SERVER=<host>:8080
+    KC_CONTEXT=auth
+
+    curl -k -v \
+    -X POST \
+    -u "$KC_CLIENT:$KC_CLIENT_SECRET" \
+    -d "token=$KC_ACCESS_TOKEN" \
+    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \
+    | jq .

diff --git a/doc/radosgw/session-tags.rst b/doc/radosgw/session-tags.rst
index ee8d42bb177947a65ad823d77cd14fb98d0f5fb9..abfb89e87cfc057d4d214e462146991a1326383a 100644 (file)
--- a/doc/radosgw/session-tags.rst
+++ b/doc/radosgw/session-tags.rst
@@ -43,6 +43,8 @@ An example of the session tags that are passed in by the IDP in the web token is
         "active": true
     }
 
+Steps to configure Keycloak to pass tags in the web token are described here:doc:`keycloak`.
+
 The trust policy must have 'sts:TagSession' permission if the web token passed in by the federated user contains session tags, otherwise
 the AssumeRoleWithWebIdentity action will fail. An example of the trust policy with sts:TagSession is as follows: