Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keycloak support for client_credentials grant via Service Account Roles #851

Closed
ldgriswold opened this issue Oct 2, 2024 · 0 comments · Fixed by #852
Closed

Keycloak support for client_credentials grant via Service Account Roles #851

ldgriswold opened this issue Oct 2, 2024 · 0 comments · Fixed by #852
Assignees
@ldgriswold
Labels
enhancement New feature or request

Comments

@ldgriswold
Copy link
Contributor

Is your feature request related to a problem? Please describe.

We are deploying an API that has a multi-tenancy issue to solve, but the users of the API are automated processes / servers.

Describe the solution you'd like

  • Given An automated process needs to obtain a claim to a broad resource pool for an API
  • When The automated process is triggered via an upload or webhook
  • Then It hits the API to either access files in S3 or kick off workflows
  • And I want to limit one automated process to only its resources even though the API has access to all of them

Describe alternatives you've considered

We considered deploying the API to multiple namespaces (one per client) but thought that was hacky. We looked at using device auth flow but don't have a user to interact with any of the flows.

Additional context

Service Account Roles keycloak docs
Client Credentials Grant oauth docs
@ldgriswold ldgriswold added the enhancement New feature or request label Oct 2, 2024
@ldgriswold ldgriswold self-assigned this Oct 2, 2024
@ldgriswold ldgriswold mentioned this issue Oct 2, 2024
Merged
5 tasks
mjnagel added a commit that referenced this issue Oct 9, 2024
@ldgriswold @bburky @mjnagel
feat: add service accounts options to sso (#852)
1029162 
## Description
This enables support for service account roles in keycloak for client
credentials type grants
...

## Related Issue

Fixes #851

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

---------

Co-authored-by: Blake Burkhart <[email protected]>
Co-authored-by: Micah Nagel <[email protected]>
docandrew pushed a commit that referenced this issue Oct 17, 2024
@ldgriswold @bburky
@mjnagel @docandrew
feat: add service accounts options to sso (#852)
1f4df34 
## Description
This enables support for service account roles in keycloak for client
credentials type grants
...

## Related Issue

Fixes #851

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

---------

Co-authored-by: Blake Burkhart <[email protected]>
Co-authored-by: Micah Nagel <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ldgriswold ldgriswold

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add service accounts options to sso defenseunicorns/uds-core
1 participant
@ldgriswold