OpenID Connect

The following guide will setup and configure Kpow with any standard OpenID provider (for example Keycloak, Ping Identity, etc).

IdP configuration

When creating the Kpow application inside your IdP (eg, Keycloak, Ping Identity) set the following values:

  • Callback/redirect URI: https://kpow.mycorp.com/oauth2/openid/callback
  • Initiate/login URI: https://kpow.mycorp.com/oauth2/openid

Kpow configuration

The following is an example configuration to integrate Kpow with OpenID authentication:

AUTH_PROVIDER_TYPE="openid"
OPENID_ACCESS_TOKEN_URI="http://localhost:8080/realms/master/protocol/openid-connect/token"
OPENID_AUTH_URI="http://localhost:8080/realms/master/protocol/openid-connect/auth"
OPENID_CLIENT_ID="my-client"
OPENID_CLIENT_SECRET="aS50emK11A02i5lZovcBFu5MXWf93zeu"
OPENID_SCOPES="email,roles"
OPENID_USER_FIELD="sub" # Optional, defines which field in the access token maps to a user's name (default: sub)

Issuer

By default, Kpow will check if the domain of the OPENID_AUTH_URI matches the iss (issuer) field of the JWT token payload.

This is done to validate the claims of the JWT token.

If your iss field is something other than the domain of the IdP (for example a URN) then you can use the OPENID_ISSUER field.

For example:

OPENID_ISSUER=urn:isan:0000-0000-2CEA-0000-1-0000-0000-Y

Scopes

Use the OPENID_SCOPES environment variable to specify which resources will be available to Kpow during authentication.

OPENID_SCOPES should be a comma separated list of scopes you wish to give Kpow.

At a minimum we recommend email or profile scopes and a roles scope for User authorization.

Note: the name of these scopes will vary depending on your OpenID provider. Refer to their documentation for more information on scopes.

Custom SSL certificates

To use self-signed certificates for SSL in OpenID URLs, provide them in a truststore and override the JVM default truststore with the following JVM parameter on startup.

To alter JVM startup parameters on startup when using the Kpow Docker container, set the same but as the JAVA_TOOL_OPTIONS environment variable.

  -Djavax.net.ssl.trustStore=/etc/kpow-truststore/kpow-truststore.jks -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=***

User authorization

The following is an example Role Based Access Control file that integrates with OpenID:

# Allow all users who can authenticate access to the app
authorized_roles:
  - "*"

# Specify the path in the JWT token that maps to the roles of a user
openid:
  role_path: ["realm_access", "roles"]
  roles_from: access_token # Optional. Either access_token or id_token (default: access_token)

# Specify that users with 'admin' role are Admins
admin_roles:
  - "admin"

# Define some RBAC policies
policies:
  - resource: ["cluster", "N9xnGujkR32eYxHICeaHuQ"]
    effect:   "Allow"
    actions:  ["TOPIC_INSPECT", "TOPIC_PRODUCE"]
    role:     "admin"

Roles mapping

By default, Kpow will use the roles field in the payload of the JWT token.

Use the RBAC yaml's role_path config to specify a different attribute in the JWT token payload to use for roles.

Use the RBAC yaml's roles_from config to specify which JWT token should be inspected for roles information, either access_token or id_token (default: access_token).

Examples

Custom field

If your JWT token payload is contains a scopes field you would like to use for roles:

{
  "scopes": ["admin-role", "kpow-role"],
  "client_id": "xxxxx",
  "iss": "xxxxx",
  "aud": "xxxx",
  "sub": "xxxx"
  "exp": 1667526313
}

Use the following RBAC configuration:

openid:
  role_path: ["scopes"]

Nested field

If your JWT token payload contians some nested path for roles:

{
  "realm_access": {"roles": ["admin-role", "kpow-role"]},
  "client_id": "xxxxx",
  "iss": "xxxxx",
  "aud": "xxxx",
  "sub": "xxxx"
  "exp": 1667526313
}

Use the following RBAC configuration:

openid:
  role_path: ["realm_access", "roles"]