Help needed in OIDC configuration for Karavan #1431
Replies: 6 comments
-
Does the token generated by Keycloak need to be of a particular structure for this to work? Any specific claims that the Quarkus backend is looking for?
-
@mgubaidullin pls help!! Your help is much appreciated.
-
Hello @kasiviswanathan13
-
Karavan 4.7.0, Kubernetes. I need to connect with the Keycloak team for version details; I'll update as soon as I get it. I was able to get it working by running Karavan in dev mode on my local machine, using profile OIDC. It worked as expected. But when I deploy to Kubernetes, with the 4.7.0 image from GitHub, with profile overloading, I get OIDC activated, then it's not working. Question is, should I try to get an image with profile given as OIDC and deploy this to get it working?
-
You need to use the ghcr.io/apache/camel-karavan:4.7.0-oidc image
-
On my local machine, I took a build with the OIDC profile, and the Keycloak integration looks fine now. We are stuck with another issue w.r.t. committing source code to Bitbucket. We have created a service user for Karavan locally on our private Bitbucket and configured Karavan with the creds. Then we integrated Karavan with Keycloak and we now have SSO. So the logged-in user might be different from the service user, and then he tries to create and push an integration to Bitbucket. In our Bitbucket we have enabled user validations and hence the commits are now getting rejected. Pls advise what can be done here.
-
I'm trying to integrate Karavan with our Keycloak enterprise installation. I have configured the Keycloak properties mentioned in the secrets.yaml file, i.e. KARAVAN_KEYCLOAK_FRONTEND_CLIENTID, KARAVAN_KEYCLOAK_BACKEND_CLIENTID, KARAVAN_KEYCLOAK_REALM, KARAVAN_KEYCLOAK_URL, KARAVAN_KEYCLOAK_BACKEND_SECRET. The redirection to the Keycloak login page is successful, and from there back to the Karavan application. But inside Karavan, we are getting a 403 for the ui/users/me API call to get the profile. Not seeing anything in the error logs. Just before this call for 'me', we are seeing a successful call to 'protocol/openid-connect/token' to get the token. The token fetched from this call is correctly set as the Authorization header in the 'me' call, but we are still getting a 403. Need help to fix this, pls.