Overview
UDS Core leverages Keycloak and Authservice to simplify authentication and authorization for applications. These tools enable seamless user authentication experiences while supporting various OAuth 2.0 and OpenID Connect (OIDC) flows.
UDS Core automates Keycloak Client configuration, secret management, and advanced templating, offering scalable support for a wide range of applications and authentication scenarios. The chart below illustrates the basic logical connection between these concepts:
When a new UDS Package CR with the sso configuration gets deployed, the UDS Operator creates a new Keycloak Client using Dynamic Client Registration. The Registration Token that is used for updating and removing the newly created Keycloak Client is stored in the Pepr Store. Once the Keycloak Client is ready, and enableAuthserviceSelector is defined in the spec, the UDS Operator deploys an Istio RequestAuthentication and AuthorizationPolicy for both JWT and Request Headers. Both actions combined enable seamless and transparent application authentication and authorization capabilities.
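The following is an added illustration, not a manifest from the UDS Core documentation or repository: a Package CR for a hypothetical "myapp" workload that requests a Keycloak Client and Authservice protection in the way the paragraph above describes. The text names only `sso` and `enableAuthserviceSelector`; the other field names (`name`, `clientId`, `redirectUris`, `groups.anyOf`), the API version, the hostname, and the namespace are assumptions about the Package CR spec and should be checked against it.

```yaml
# Added example (not from the UDS Core docs): a UDS Package CR that asks the
# UDS Operator to register a Keycloak Client and protect the "myapp" pods with
# Authservice. Fields other than `sso` and `enableAuthserviceSelector`, and all
# values, are assumptions about the Package CR spec.
apiVersion: uds.dev/v1alpha1        # assumed CRD group/version
kind: Package
metadata:
  name: myapp
  namespace: myapp
spec:
  sso:
    - name: My App                  # display name of the Keycloak Client (assumed field)
      clientId: uds-myapp           # client ID the operator registers via Dynamic Client Registration (assumed field)
      redirectUris:                 # where Keycloak may send the browser back after login (assumed field)
        - "https://myapp.uds.dev/login"
      # Pods matching this label selector receive the Istio RequestAuthentication
      # and AuthorizationPolicy resources, so requests without a valid JWT or
      # Authservice headers are rejected before they reach the application.
      enableAuthserviceSelector:
        app.kubernetes.io/name: myapp
      # Restrict access to members of the named Keycloak group(s) (assumed field);
      # the group path uses the "UDS Core/<Group>" form described under User Groups.
      groups:
        anyOf:
          - /UDS Core/Admin
```

Applying this CR is what triggers the operator flow: the client is registered first, its Registration Token is kept in the Pepr Store for later updates or removal, and only once the client is ready are the Istio policies created for the selected pods.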
User Groups
UDS Core deploys Keycloak with some preconfigured groups that applications inherit through the SSO and IDP configurations. More details can be found in the Package CR spec.
Applications
Grafana
Grafana maps the groups from Keycloak to its internal Admin and Viewer groups.
| Keycloak Group | Mapped Grafana Group |
|---|---|
| Admin | Admin |
| Auditor | Viewer |
If a user doesn't belong to either of these Keycloak groups, the user will be unauthorized when accessing Grafana.
Neuvector
Neuvector maps the groups from Keycloak to its internal admin and reader groups.
| Keycloak Group | Mapped Neuvector Group |
|---|---|
| Admin | admin |
| Auditor | reader |
Keycloak
All groups are under the Uds Core parent group. Frequently a group will be referred to as Uds Core/Admin or Uds Core/Auditor. In the Keycloak UI this requires an additional click to get down to the subgroups.