Kiali support for Generic OAuth

[https://github.com/kiali/kiali/issues/2056]
Kiali supports OAuth 2.0 natively with OpenID connect integration (Keycloak)

Is the above supported now in Kiali versions > 1.22.x?

Yes.

See Kiali docs: https://kiali.io/documentation/latest/installation-guide/#_openid_connect

UPDATE: https://kiali.io/documentation/latest/configuration/authentication/openid/

@jmazzitelli
Thank you.

I configured it exactly as in the documentation link.
Unfortunately, after the successful (OIDC) login I get the following errors:
Login unsuccessful: Token is not valid or is expired.
But I see a valid id_token in the Chrome browser log and no error other than authenticate 401.

My environment:

Also tried with a ClusterRoleBinding to add user to have access to Kiali.

I have seen this:
[https://github.com/kiali/kiali/pull/3142]
[https://github.com/kiali/kiali/issues/3042]

With AKS, do I have to set up a proxy such as kube-oidc-proxy for OpenID auth?

Anyway, Kiali login works with auth.strategy: token.

Hi, @bethmage

Docs have been updated and I hope they are clearer. Read the new OpenID docs: https://kiali.io/documentation/latest/configuration/authentication/openid/. Make sure to read the “Requirements” section.

I haven’t used Azure AKS, but from comments from other users, I understand that Azure AKS doesn’t provide the required options to integrate AKS to KeyCloak. However, AKS provides integration to Azure AD, which is OpenID-enabled (I think this is the MS docs about it: https://docs.microsoft.com/en-us/azure/aks/managed-aad).

So, as far as I know, if you can switch to Azure AD, that will provide the better integration. But if you need KeyCloak, well, I think you will need to use a proxy (like kube-oidc-proxy) to work around the AKS limitation.

By the way, if you only need authentication and you don’t need RBAC, I invite you to upvote this issue: https://github.com/kiali/kiali/issues/3084.

@jmazzitelli

Did you get Kiali working with Keycloak auth? I am facing the same issue and I have the same setup.

@Pramod_Sharma

Can you describe what error you are getting?

Issue https://github.com/kiali/kiali/issues/3084 is finished now.

Set-up with no RBAC support: https://kiali.io/documentation/latest/configuration/authentication/openid/#_set_up_with_no_rbac_support

Works fine now.
Big thanks to everyone involved.

@bethmage Hey! Can you share how your working config wound up being?