Authentication with OIDC and Keycloak

Charmed Kubeflow delivers a powerful, sophisticated end-to-end MLOps platform which you can deploy in half an hour or less, using MicroK8s or another conformant Kubernetes distribution.

In this tutorial, we will learn how to configure Charmed Kubeflow for multi-user collaboration with OpenID Connect (OIDC) using Keycloak for user authentication.

We’ll be using the Keycloak federated SSO system for this how-to guide.

What you’ll learn

• How to configure Keycloak for integration with Charmed Kubeflow
• How to add user credentials to Keycloak
• How to configure Charmed Kubeflow to use Keycloak for OIDC-based SSO authentication

What you’ll need

• A Kubernetes cluster (eg. MicroK8s running on Ubuntu 20.04 with one or more nodes running Charmed Kubeflow - see the install guide to get up and running
• Some command line knowledge

For this how-to guide, we’ll install Keycloak on the Kubernetes cluster to help get you started quickly. However in a typical production setting, Keycloak will likely be deployed and managed outside of the Charmed Kubeflow environment - if that’s the case for you, then you can skip this first step and just follow the rest of the guide.

kubectl create namespace keycloak
kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml -n keycloak

You’ll need to wait a bit until Keycloak successfully deploys. You can check the status using the kubectl command. When you see output similar to the output below, you’ll be good to go:

kubectl get pods -n keycloak -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP            ...
keycloak-555bfb8b94-tdlns   1/1     Running   8          10s    10.1.100.53   ...

The next step is to access the Keycloak login page using your favourite browser. You can find the IP address of the Keycloak server in the output of the kubectl get pods command listed above. If Keycloak is running on a remote cluster, you can use sshuttle to help you access it. Run the following commands:

sudo apt install sshuttle -y
sshuttle -r <USERNAME>@<HOST> <keycloak_server>

Then point your browser to http://<keycloak_server>:8080/ and use the default credentials admin/admin to log in to Keycloak.

Once you have logged in, navigate to the Realm Settings screen and click OpenID Endpoint Configuration. From the JSON code that’s shown, find the issuer value and make a note of it, as you will need it later.

Now we’re going to create a new client configuration, so navigate to the Clients screen and click Create. Enter your preferred clientid, for example you could enter “CKF”, select the protocol openid-connect and hit save. We’ll use the clientid a bit later, so make a note of the value that you chose.

Next change Access Type to confidential and in Valid Redirect URI, add your Charmed Kubeflow deployment’s public URL with the path as follows – it should be similar to http://<YOUR FQDN>/dex/callback – and press +. Make a note of this URL as you will need it later. Scroll down and hit Save.

You should now see a new tab at the top of the screen, Credentials - navigate to it, and make a note of the client secret as you will need it later.

User configuration

Go to Users, click Add user, and create a new user by filling in Username, Email, and checking Email Verified. Hit save.

Now go to the Credentials tab and add a new password (unchecking Temporary). Hit Save.

Client scopes configuration

Navigate to the Client screen and select your client, eg. CKF. Navigate to the Client Scopes tab, Choose Evaluate enter the username and hit the evaluate button. Go to the Generated Access Token tab, and make a note of the scopes that are shown in the JSON code shown, as you will need this information later. Typically they are likely to be openid, profile and email.

We should have the following information noted from configuring Keycloak:

• issuer
• clientid
• client-name
• client-secret
• callback URL
• Scopes

With that information, we can configure the Dex OIDC connector for Charmed Kubeflow. Run the following commands, making sure to substitute the placeholders for the values that you noted down whilst configuring Keycloak. If you’re missing a setting, go back over the previous tasks and check to find it before proceeding!

cat > oidc-connector.json <<EOF
[
 {
   "id": "keycloak",
   "name": "OpenID Connect",
   "type": "oidc",
   "config": {
     "issuer": "<ISSUER>",
     "clientID": "<CLIENT_NAME>",
     "clientSecret": "<CLIENT_SECRET>",
     "redirectURI": "<DEX_CALLBACK>",
     "userNameKey": "preferred_username",
     "scopes": [
       <SCOPES>
     ]
   }
 }
]
EOF
juju config dex-auth connectors="$(cat oidc-connector.json)"

You’ve reached the last step!! Log into Charmed Kubeflow by selecting Log in with OpenID Connect. After you enter the username and password, you should be redirected to the new user onboarding workflow in the Kubeflow UI. You are ready to explore Charmed Kubeflow now!

Congratulations! You should now have an OIDC setup based on Keycloak successfully connected to your Charmed Kubeflow MLOps platform! But if you’re having difficulties, don’t worry - head over to the forum to ask a question and get in touch with the community.

• Read the Charmed Kubeflow authentication guide
• How to setup authentication with OpenLDAP for Charmed Kubeflow
• How to use Charmed Kubeflow with GPUs