Skip to content
Unicorn Delivery Service Unicorn Delivery Service

Overview

UDS Core leverages Keycloak and Authservice to implify authentication and authorization for applications. These tools enable seamless user authentication experiences while supporting various OAuth 2.0 and OpenID Connect (OIDC) flows.

UDS Core automates Keycloak Client configuration, secret management, and advanced templating, offering scalable support for a wide range of applications and authentication scenarios. The chart below illustrates the basic logical connection between these concepts:

Single Sign-On Flow Chart

When a new UDS Package CR with the sso configuration gets deployed, the UDS Operator creates a new Keycloak Client. This process happens in one of two modes - using Dynamic Client Registration or Keycloak Admin endpoint for managing Clients. Depending on the Keycloak Realm configuration, the Operator automatically picks the right mode. In the case of the former mode, the Registration Token that is used for updating and removing the newly created Keycloak Client is stored in Pepr Store. The latter mode reads the Client Secrets from the keycloak-client-secrets Kubernetes Secret deployed in keycloak namespace. This Secret is managed automatically by the UDS Operator. Once the Keycloak Client is ready, and the enableAuthserviceSelector is defined in the spec, the UDS Operator deploys Istio Request Authentication and AuthorizationPolicy for both JWT and Request Headers. Both actions combined, enables seamless and transparent application authentication and authorization capabilities.

Rotating the UDS Operator Client Secret

Section titled “Rotating the UDS Operator Client Secret”

The UDS Operator uses a dedicated Client in Keycloak. In some cases, the Client Secret needs to be rotated. In order to do so, you need to manually modify the keycloak-client-secrets Kubernetes Secret in the keycloak namespace and delete the uds-operator key. The UDS Operator will automatically re-create it.

User Groups

Section titled “User Groups”

UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. More details might be found in the Package CR spec.

Applications

Section titled “Applications”

Grafana

Section titled “Grafana”

Grafana maps the groups from Keycloak to its internal Admin and Viewer groups.

Keycloak GroupMapped Grafana Group
AdminAdmin
AuditorViewer

If a user doesn’t belong to either of these Keycloak groups the user will be unauthorized when accessing Grafana.

Neuvector

Section titled “Neuvector”

Neuvector maps the groups from Keycloak to its internal admin and reader groups.

Keycloak GroupMapped Neuvector Group
Adminadmin
Auditorreader

Keycloak

Section titled “Keycloak”

All groups are under the Uds Core parent group. Frequently a group will be referred to as Uds Core/Admin or Uds Core/Auditor. In the Keycloak UI this requires an additional click to get down to the sub groups.

Single Sign-On Contents

Section titled “Single Sign-On Contents”
  1. Authservice Protection
  2. Device Flow Clients
  3. Group Based Authorization
  4. Keycloak Session Timeout
  5. Recovering lost Keycloak credentials
  6. Service Account Roles Clients
  7. Client Attribute Validation
  8. Secret Templating
  9. Trusted Certificate Authority
Cookie Settings Privacy Policy