github.com/argoproj/argo-cd@v1.8.7/docs/operator-manual/user-management/keycloak.md

# Keycloak

# Integrating Keycloak and ArgoCD

These instructions will take you through the entire process of getting your ArgoCD application authenticating with Keycloak.
You will create a client within Keycloak and configure ArgoCD to use Keycloak for authentication, using groups set in Keycloak
to determine privileges in Argo.

## Creating a new client in Keycloak

First we need to set up a new client. Start by logging into your Keycloak server, select the realm you want to use (Master by default)
and then go to __Clients__ and click the __create__ button top right.

![Keycloak add client](../../assets/keycloak-add-client.png "Keycloak add client")

Configure the client by setting the __Access Type__ to _confidential_ and set the Valid Redirect URIs to the callback URL for your ArgoCD
hostname. It should be https://{hostname}/auth/callback (you can also leave the default https://{hostname}/*, which is less secure because it
accepts a redirect to any path on the host). You can also set the __Base URL__ to _/applications_.

![Keycloak configure client](../../assets/keycloak-configure-client.png "Keycloak configure client")

Make sure to click __Save__. You should now have a new tab called __Credentials__. You can copy the Secret that we'll use in our ArgoCD
configuration.

![Keycloak client secret](../../assets/keycloak-client-secret.png "Keycloak client secret")

## Configuring the groups claim

In order for ArgoCD to provide the groups the user is in, we need to configure a groups claim that can be included in the authentication token.
To do this we'll start by creating a new __Client Scope__ called _groups_.

![Keycloak add scope](../../assets/keycloak-add-scope.png "Keycloak add scope")

Once you've created the client scope you can add a Token Mapper which will add the groups claim to the token when the client requests
the groups scope. Make sure to set the __Name__ as well as the __Token Claim Name__ to _groups_.

![Keycloak groups mapper](../../assets/keycloak-groups-mapper.png "Keycloak groups mapper")

We can now configure the client to provide the _groups_ scope. You can assign the _groups_ scope either to the __Assigned Default Client Scopes__
or to the __Assigned Optional Client Scopes__. If you put it in the Optional category you will need to make sure that ArgoCD requests the scope in
its OIDC configuration.

![Keycloak client scope](../../assets/keycloak-client-scope.png "Keycloak client scope")

Since we will always want group information, I recommend using the Default category. Make sure you click __Add selected__
and that the _groups_ claim is in the correct list on the __right__.

![Keycloak client scope selected](../../assets/keycloak-client-scope-selected.png "Keycloak client scope selected")

Create a group called _ArgoCDAdmins_ and have your current user join the group.

![Keycloak user group](../../assets/keycloak-user-group.png "Keycloak user group")

## Configuring ArgoCD OIDC

Let's start by storing the client secret you generated earlier in the argocd secret _argocd-secret_.

1. First you'll need to encode the client secret in base64: `$ echo -n '83083958-8ec6-47b0-a411-a8c55381fbd2' | base64`
2. Then you can edit the secret and add the base64 value to a new key called _oidc.keycloak.clientSecret_ using `$ kubectl edit secret argocd-secret`.
   Your Secret should look something like this:
    ```yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: argocd-secret
    data:
      ...
      oidc.keycloak.clientSecret: ODMwODM5NTgtOGVjNi00N2IwLWE0MTEtYThjNTUzODFmYmQy
      ...
    ```
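
The two steps above can be scripted so that the encoding is checked before anything is written to the cluster. The following is an added example, not code from the ArgoCD project; it uses the sample secret from step 1, and the `argocd` namespace and the `apply_secret_patch` helper are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ArgoCD docs: encode a Keycloak client secret
# and build the patch that stores it in argocd-secret under the key
# oidc.keycloak.clientSecret. The secret value is the sample from the steps
# above; the "argocd" namespace is an assumption.

# Encode like `echo -n '...' | base64`, but with printf (echo -n is not portable
# across shells) and with the line breaks GNU base64 inserts every 76 chars
# removed, so a long secret still yields one valid Secret value.
encode_client_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode and compare, to catch the classic mistake of encoding a trailing
# newline (plain `echo` instead of `echo -n`), which makes Keycloak reject the
# client credentials at login.
verify_round_trip() {
  [ "$(encode_client_secret "$1" | base64 -d)" = "$1" ]
}

# Strategic-merge patch for argocd-secret. Writing under .data means the value
# must already be base64, exactly what `kubectl edit secret` expects.
build_secret_patch() {
  printf '{"data":{"oidc.keycloak.clientSecret":"%s"}}' "$(encode_client_secret "$1")"
}

# Apply the patch with kubectl; not called here because it needs a cluster.
# Usage: apply_secret_patch "$CLIENT_SECRET" argocd
apply_secret_patch() {
  kubectl -n "${2:-argocd}" patch secret argocd-secret --type merge \
    -p "$(build_secret_patch "$1")"
}

# Sample secret from the instructions above (a constructed value, not a real credential).
SAMPLE_SECRET='83083958-8ec6-47b0-a411-a8c55381fbd2'
verify_round_trip "$SAMPLE_SECRET" && build_secret_patch "$SAMPLE_SECRET" && echo
```

Run the script to print the patch; `verify_round_trip` fails (and nothing is printed) if the value you pasted decodes to something other than what you typed, which is the usual cause of an "invalid client credentials" error from Keycloak after following these steps.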

Now we can configure the config map and add the OIDC configuration to enable our Keycloak authentication.
You can use `$ kubectl edit configmap argocd-cm`.

Your ConfigMap should look like this:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://argocd.example.com
  oidc.config: |
    name: Keycloak
    issuer: https://keycloak.example.com/auth/realms/Master
    clientID: argocd
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]
```

Make sure that:
- __issuer__ ends with the correct realm (in this example _Master_)
- __clientID__ is set to the Client ID you configured in Keycloak
- __clientSecret__ points to the right key you created in the _argocd-secret_ Secret
- __requestedScopes__ contains the _groups_ claim if you didn't add it to the Default scopes
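
The checklist above can be turned into a lint that runs before the ConfigMap is applied. This is an added example, not code from the ArgoCD project: it takes the `oidc.config` text and the list of key names in _argocd-secret_ as plain strings (both samples below are constructed), so it runs offline, and it enforces the stricter convention of always listing _groups_ in `requestedScopes`, which is harmless when _groups_ is also a Default client scope. The `check_oidc_config` and `oidc_field` helpers are assumptions.

```shell
#!/bin/sh
# Added example, not from the ArgoCD docs: lint the oidc.config block against
# the checklist above. Inputs are plain text so it runs offline; against a
# cluster you would feed it the live values, e.g.
#   kubectl get configmap argocd-cm -o jsonpath='{.data.oidc\.config}'
#   kubectl get secret argocd-secret -o jsonpath='{.data}'   (to list the key names)

# Value of a top-level "key: value" line in the oidc.config text.
oidc_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# check_oidc_config CONFIG REALM SECRET_KEYS
# CONFIG is the oidc.config text, REALM the Keycloak realm, SECRET_KEYS the
# newline-separated key names present in argocd-secret. Returns 0 when every
# check passes; each failing check is reported on stderr.
check_oidc_config() {
  cfg=$1; realm=$2; secret_keys=$3; rc=0

  # issuer must be https and end with the realm, or discovery hits the wrong realm
  issuer=$(oidc_field "$cfg" issuer)
  case "$issuer" in
    https://*/realms/"$realm") ;;
    *) echo "issuer '$issuer' is not an https URL ending in /realms/$realm" >&2; rc=1 ;;
  esac

  [ -n "$(oidc_field "$cfg" clientID)" ] || { echo "clientID is empty" >&2; rc=1; }

  # clientSecret must be a $key reference, and that key must exist in argocd-secret
  secret_ref=$(oidc_field "$cfg" clientSecret)
  case "$secret_ref" in
    '$'*)
      key=${secret_ref#\$}
      printf '%s\n' "$secret_keys" | grep -qxF "$key" \
        || { echo "clientSecret refers to key '$key', which is not in argocd-secret" >&2; rc=1; }
      ;;
    *) echo "clientSecret must be a \$key reference into argocd-secret, not a literal" >&2; rc=1 ;;
  esac

  case "$(oidc_field "$cfg" requestedScopes)" in
    *'"groups"'*) ;;
    *) echo "requestedScopes does not include groups (required unless groups is a Default client scope)" >&2; rc=1 ;;
  esac
  return $rc
}

# Constructed samples: the config from the page, and a broken variant.
GOOD_CONFIG='name: Keycloak
issuer: https://keycloak.example.com/auth/realms/Master
clientID: argocd
clientSecret: $oidc.keycloak.clientSecret
requestedScopes: ["openid", "profile", "email", "groups"]'

BAD_CONFIG='name: Keycloak
issuer: https://keycloak.example.com/auth
clientID: argocd
clientSecret: 83083958-8ec6-47b0-a411-a8c55381fbd2
requestedScopes: ["openid", "profile", "email"]'

# Key names one would find in argocd-secret after step 2 above (constructed list).
SECRET_KEYS='admin.password
server.secretkey
oidc.keycloak.clientSecret'

check_oidc_config "$GOOD_CONFIG" Master "$SECRET_KEYS" && echo "oidc.config: OK"
```

Running `check_oidc_config "$BAD_CONFIG" Master "$SECRET_KEYS"` reports all three defects of the broken sample: an issuer that stops at `/auth`, a client secret pasted as a literal into the ConfigMap instead of referenced from the Secret, and a scope list that never asks Keycloak for _groups_.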

## Configuring ArgoCD Policy

Now that we have authentication that provides groups, we want to apply a policy to these groups.
We can modify the _argocd-rbac-cm_ ConfigMap using `$ kubectl edit configmap argocd-rbac-cm`.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    g, ArgoCDAdmins, role:admin
```

In this example we give the role _role:admin_ to all users in the group _ArgoCDAdmins_.
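
The group-to-role mapping is a plain Casbin CSV, so it is worth generating and linting it rather than typing it into `kubectl edit`. The following is an added example, not code from the ArgoCD project. It goes one step beyond the page by mapping a second, hypothetical Keycloak group (_ArgoCDViewers_) to ArgoCD's built-in _role:readonly_, and by checking that every `g` line points at a role that is either built in or defined by a `p` line in the same file, since a mapping to an undefined role grants nothing without any error. The `build_policy_csv`, `lint_policy_csv` and `render_rbac_configmap` helpers are assumptions.

```shell
#!/bin/sh
# Added example, not from the ArgoCD docs: build the policy.csv that maps
# Keycloak groups to ArgoCD roles and lint it before it goes into
# argocd-rbac-cm. The ArgoCDViewers group is hypothetical; role:admin and
# role:readonly are ArgoCD's built-in roles.

# build_policy_csv GROUP=ROLE ...  -> one "g, GROUP, ROLE" line per mapping
build_policy_csv() {
  for mapping in "$@"; do
    printf 'g, %s, %s\n' "${mapping%%=*}" "${mapping#*=}"
  done
}

# lint_policy_csv CSV
# Rejects lines that are neither g nor p lines, p lines without the six fields
# Casbin expects, and g lines that map to a role that is neither built in nor
# defined by a p line (such a mapping silently grants nothing).
lint_policy_csv() {
  csv=$1; rc=0
  defined="role:admin
role:readonly
$(printf '%s\n' "$csv" | sed -n 's/^p,[[:space:]]*\([^,]*\),.*/\1/p')"
  old_ifs=$IFS; IFS='
'
  set -f   # policy lines contain "*" globs; do not expand them
  for line in $csv; do
    case "$line" in
      ''|'#'*) ;;
      g,*)
        role=$(printf '%s' "$line" | cut -d, -f3 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        printf '%s\n' "$defined" | grep -qxF "$role" \
          || { echo "undefined role in: $line" >&2; rc=1; }
        ;;
      p,*)
        [ "$(printf '%s\n' "$line" | awk -F, '{print NF}')" -eq 6 ] \
          || { echo "p line needs 6 fields: $line" >&2; rc=1; }
        ;;
      *) echo "unrecognised policy line: $line" >&2; rc=1 ;;
    esac
  done
  set +f; IFS=$old_ifs
  return $rc
}

# render_rbac_configmap CSV DEFAULT_ROLE
# DEFAULT_ROLE applies to authenticated users who are in none of the mapped
# groups; role:readonly lets them view, an empty value grants them nothing.
render_rbac_configmap() {
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: argocd-rbac-cm\ndata:\n'
  printf "  policy.default: '%s'\n  policy.csv: |\n" "$2"
  printf '%s\n' "$1" | sed 's/^/    /'
}

POLICY=$(build_policy_csv ArgoCDAdmins=role:admin ArgoCDViewers=role:readonly)
lint_policy_csv "$POLICY" && render_rbac_configmap "$POLICY" ''
```

The rendered manifest can be applied with `kubectl apply -f`; the lint fails, for instance, on `g, ArgoCDAdmins, role:superuser`, which is the kind of typo that would otherwise leave every administrator logged in but unable to see anything.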

## Login

You can now log in using our new Keycloak OIDC authentication:

![Keycloak ArgoCD login](../../assets/keycloak-login.png "Keycloak ArgoCD login")