From 9114193d935a337a62bf3acd8278af1b73c33706 Mon Sep 17 00:00:00 2001 From: Guilherme Cassolato Date: Thu, 16 Nov 2023 22:29:56 +0100 Subject: [PATCH] Update Keycloak examples Follow-up on https://github.com/Kuadrant/authorino-examples/pull/35 --- .../authenticated-rl-with-jwt-and-k8s-authnz.md | 8 ++++---- examples/toystore/authpolicy_jwt-k8s-authnz.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md b/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md index 5965592e9..1393c822b 100644 --- a/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md +++ b/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md @@ -131,7 +131,7 @@ spec: authentication: "keycloak-users": jwt: - issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant + issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant "k8s-service-accounts": kubernetesTokenReview: audiences: @@ -170,7 +170,7 @@ curl -H 'Host: api.toystore.com' http://localhost:9080/toy -i Obtain an access token with the Keycloak server: ```sh -ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=john' -d 'password=p' | jq -r .access_token) +ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=john' -d 'password=p' -d 'scope=openid' | jq -r .access_token) ``` Send a request to the API as the Keycloak-authenticated user while still missing permissions: @@ -340,13 +340,13 @@ Each user should be entitled to a maximum of 5 requests every 10 seconds. Send requests as the Keycloak-authenticated user: ```sh -while :; do curl --write-out '%{http_code}' --silent --output /dev/null -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done ``` Send requests as the Kubernetes service account: ```sh -while :; do curl --write-out '%{http_code}' --silent --output /dev/null -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done +while :; do curl --write-out '%{http_code}\n' --silent --output /dev/null -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy | egrep --color "\b(429)\b|$"; sleep 1; done ``` ## Cleanup diff --git a/examples/toystore/authpolicy_jwt-k8s-authnz.yaml b/examples/toystore/authpolicy_jwt-k8s-authnz.yaml index ce45a6bad..87b2c8fdf 100644 --- a/examples/toystore/authpolicy_jwt-k8s-authnz.yaml +++ b/examples/toystore/authpolicy_jwt-k8s-authnz.yaml @@ -19,7 +19,7 @@ spec: # Read more about this feature at https://github.com/Kuadrant/authorino/blob/v0.11.0/docs/user-guides/oidc-jwt-authentication.md. "keycloak-users": jwt: - issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant + issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant # Authorino will verify Kubernetes Service Account tokens, using Kubernetes TokenReview API, # as valid authentication tokens to consume the protected API.