Use Oathkeeper and Keto with a JWT from Keycloak

duytruong · February 10, 2020, 4:42am

Hi all,

Currently I am using Keycloak as IdP to store my user identity (signup will create a user in keycloak). Now I want to use Oathkeeper (jwt authenticator) and Keto for auth & authz, but the JWT returned from Keycloak contains a sub with UUID value, and preferred_username with value is my user’s username, so how can I make oathkeeper can validate that JWT and Keto can extract the username in the JWT as a sub to perform ACP rules?

Btw, does Kratos work with Keto now or we need to wait for future release?

Thanks

hackerman · February 10, 2020, 8:49am

We have an open issue to improve the ACP handler and allow use cases like this. I encourage you not to use usernames for ACPs but the UUIDs instead, that never change.

There is no integration of Kratos <-> Keto necessary at the moment, I do not believe that there will be one in the future. But both projects of course work together.

duytruong · February 10, 2020, 8:09am

Thanks for your reply, so currently we can use sub in JWT returned from Kratos (if we replace Keycloak by Kratos) and perform ACP rules in Oathkeeper normally. Is this true?

hackerman · February 10, 2020, 8:20am

Yes, you can replace Keycloak with Kratos! The example how to combine Kratos with Oathkeeper is in the quickstart: https://www.ory.sh/docs/kratos/quickstart