Using keycloak as external OIDC provider on kubeflow (instead of dex) #2513

Closed
zibuyule opened this issue Aug 22, 2023 · 3 comments

@zibuyule

kubeflow version: v1.7.0

My keycloak server is "http://10.86.26.178:8081".
Before using keycloak, I can access my kubeflow page through "http://10.86.26.241".

$ cd kubeflow/manifests/common/oidc-authservice/base
$ cat params.env

OIDC_PROVIDER=http://10.86.26.178:8081/realms/kubeflow
OIDC_AUTH_URL=http://10.86.26.178:8081/realms/kubeflow/protocol/openid-connect/auth
OIDC_SCOPES=profile email
SKIP_AUTH_URI=/realms

AUTHSERVICE_URL_PREFIX=/authservice/

REDIRECT_URL=http://10.86.26.241/login/oidc

USERID_HEADER=kubeflow-userid
USERID_PREFIX=
USERID_CLAIM=email
PORT="8080"
STORE_PATH=/var/lib/authservice/data.db

$ cat secret_params.env

CLIENT_ID=kubeflow
CLIENT_SECRET=7HRNuyvjeAlXAWuxAKunVROeisxxxxx

$ kustomize build common/oidc-authservice/base |kubectl delete -f -
$ kustomize build common/oidc-authservice/base |kubectl apply -f -

When I visit http://10.86.26.241 through the browser, the page is redirected to the keycloak page 
and I am asked to enter the username and password. Once I enter the username and password created
in the kubeflow realm in keycloak, I get a "too many redirects" error.

In the keycloak realm kubeflow, I set the valid redirect URIs to "http://10.86.26.241/login/oidc" or 
"http://10.86.26.241/login/oidc/*" or "http://10.86.26.241/*", and I still get the above error page with all of them.

@juliusvonkohout
Member

/close

duplicate of #2379

@google-oss-prow

@juliusvonkohout: Closing this issue.

In response to this:

/close

duplicate of #2379


@gioargyr

Since it took me a lot of testing, I am trying to save some people's time here by saying that except for what is mentioned here, what worked for me was to define:
REDIRECT_URL: https://<my_kubeflow_server:port>/authservice/oidc/callback in params.env, or in ConfigMap oidc-authservice-parameters (for those who installed Kubeflow in Kubernetes)
and the same value in my Keycloak in "Valid redirect URIs"
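
An added example, not part of the thread and not Kubeflow or oidc-authservice code: a small Python check that compares a params.env against the Keycloak client's "Valid redirect URIs". It assumes the callback path is AUTHSERVICE_URL_PREFIX followed by oidc/callback, as in the value reported to work in the comment above, and that Keycloak accepts a redirect URI on an exact match or a trailing `*` wildcard; `check_redirect`, `covered_by` and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the params.env values quoted in this thread.
SAMPLE_PARAMS = """\
OIDC_PROVIDER=http://10.86.26.178:8081/realms/kubeflow
AUTHSERVICE_URL_PREFIX=/authservice/
REDIRECT_URL=http://10.86.26.241/login/oidc
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip('"')
    return env

def covered_by(url, patterns):
    """Patterns covering url: exact match, or prefix match for a trailing '*'."""
    return [p for p in patterns
            if url == p or (p.endswith("*") and url.startswith(p[:-1]))]

def check_redirect(env, valid_redirect_uris):
    """Return findings for REDIRECT_URL; an empty list means nothing was flagged."""
    findings = []
    redirect = env.get("REDIRECT_URL", "")
    parts = urlsplit(redirect)
    # Assumption: fallback prefix is the value shown in the thread's params.env.
    prefix = env.get("AUTHSERVICE_URL_PREFIX", "/authservice/")
    expected = prefix.rstrip("/") + "/oidc/callback"
    if parts.path != expected:
        findings.append(f"callback-path: {parts.path!r} is not {expected!r}")
    matches = covered_by(redirect, valid_redirect_uris)
    if not matches:
        findings.append("unregistered: no valid redirect URI covers REDIRECT_URL")
    elif redirect not in matches:
        findings.append("wildcard-only: covered only by " + ", ".join(matches))
    if parts.scheme != "https":
        findings.append("plaintext: REDIRECT_URL does not use https")
    return findings

if __name__ == "__main__":
    for finding in check_redirect(parse_env(SAMPLE_PARAMS), ["http://10.86.26.241/*"]):
        print(finding)
```

Registering the exact callback URL in Keycloak, rather than a broad pattern such as `http://10.86.26.241/*`, keeps the set of locations that can receive an authorization code as small as possible.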
