OpenShift 4

Prerequisites

  1. Installation of jq.

  2. X509_CA_BUNDLE configured in the container and set to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.

Procedure

  1. Run the following command on the command line and note the OpenShift 4 API URL output.

    curl -s -k -H "Authorization: Bearer $(oc whoami -t)" \https://<openshift-user-facing-api-url>/apis/config.openshift.io/v1/infrastructures/cluster | jq ".status.apiServerURL"

  2. Click Identity Providers in the Keycloak menu.

  3. From the Add provider list, select Openshift.

    Add identity provider

    Add Identity Provider

  4. Copy the value of Redirect URI to your clipboard.

  5. Register your client using the oc command-line tool.

    $ oc create -f <(echo '
kind: OAuthClient
apiVersion: oauth.openshift.io/v1
metadata:
 name: keycloak-broker (1)
secret: "..." (2)
redirectURIs:
 - "<copy pasted Redirect URI from OpenShift 4 Identity Providers page>" (3)
grantMethod: prompt (4)
')
1 The name of your OAuth client. Passed as client_id request parameter when making requests to <openshift_master>/oauth/authorize and <openshift_master>/oauth/token. The name parameter must be the same in the OAuthClient object and the Keycloak configuration.
2 The secret Keycloak uses as the client_secret request parameter.
3 The redirect_uri parameter specified in requests to <openshift_master>/oauth/authorize and <openshift_master>/oauth/token must be equal to (or prefixed by) one of the URIs in redirectURIs. The easiest way to configure it correctly is to copy-paste it from Keycloak OpenShift 4 Identity Provider configuration page (Redirect URI field).
4 The grantMethod Keycloak uses to determine the action when this client requests tokens but has not been granted access by the user.

  1. In Keycloak, paste the value of the Client ID into the Client ID field.

  2. In Keycloak, paste the value of the Client Secret into the Client Secret field.

  3. Click Add.

See official OpenShift documentation for more information.