Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Authorizing multi-language microservices with oauth2-proxy

May 20, 2021
Rarm Nagalingam
Related topics:
LinuxKubernetesMicroservicesSecurity
Related products:
Red Hat OpenShift

Share:

    In an article published in August 2020, Authorizing multi-language microservices with Louketo Proxy, I explained how to use Louketo Proxy to provide authentication and authorization to your microservices. Since then, the Louketo Proxy project has reached its end of life, with developers recommending the oauth2-proxy project as an alternative.

    In this article, I will outline how to secure a microservice with Keycloak and oauth2-proxy.

    Using Keycloak

    The following sections describe how to set up Keycloak on Red Hat OpenShift for the scenario in this article.

    Test and deploy the Keycloak server

    Begin by testing the Keycloak server. Use the following commands to deploy the Keycloak server on OpenShift:

    $ export PROJECT="keyauth"
     
    $ oc new-project ${PROJECT}
    $ oc new-app --name sso \
       --docker-image=quay.io/keycloak/keycloak \
       -e KEYCLOAK_USER='admin' \
       -e KEYCLOAK_PASSWORD='oauth2-demo' \
       -e PROXY_ADDRESS_FORWARDING='true' \
       -n ${PROJECT}
     
    $ oc create route edge --service=sso -n ${PROJECT}

    We now need to add a client configuration to Keycloak so it can secure our application.

    Create and configure the oauth2 authentication client

    Log in to Keycloak with the username admin and password oauth2-demo. On the Keycloak user interface (UI), select Clients on the left navigation bar and select Create. On the Add Client page, fill out all the necessary fields, and click Save to create a new client, as shown in Figure 1.

    Add the required field values on the add client page on the Keycloak UI
    Figure 1: Add the required field values on the Add Client page on the Keycloak UI.

    After adding the new client, go to the Oauth2-proxy page, and switch the client's Access Type field from public to confidential, as shown in Figure 2.

    Switch the access type field (client protocol) from public to confidential on the oauth2-proxy page
    Figure 2: Switch the Access Type field (client protocol) from public to confidential on the Oauth2-proxy page.

    Next, set a valid callback URL for our oauth2-proxy securing our application. In this scenario, oauth2-proxy is securing a flask app. The URL is similar to the Keycloak URL, although instead of the prefix sso, it uses flask. For example, if your Keycloak URL is:

    https://sso-keyauth.apps-crc.testing

    you should set the following URL in the Valid Redirect URIs field:

    https://flask-keyauth.apps-crc.testing/oauth2/callback

    Figure 3 shows the dialog to create the redirect URL.

    Set a valid redirect callback URL using flask and take note of the generated secret
    Figure 3: Set a valid redirect callback URL using flask and take note of the generated secret.

    Then click Save on the client protocol of confidential, the page displays a new tab, Credentials. Click the tab and take note of the generated secret

    Configure the mappers

    Keycloak supports passing group memberships of users to the microservice as X-Forwarded-Groups. This can be enabled by configuring a group mapper. This is a useful way to expose authorization functions within the microservice. For example we could restrict privileged functions of the microservices to users in the admin group.

    Select the Mappers tab on the Create Protocol Mapper page, add a new mapper and enter all the groups using the following settings:

    • Name: groups
    • Mapper Type: Group Membership
    • Token Claim Name: groups
    • Full group path: OFF

    Click Save when the fields are complete. Figure 4 shows the Create Protocol Mapper page with all fields complete.

    Create a new mapper with all the necessary field values to the microservice for X forwarded groups
    Figure 4: Create a new mapper with all the necessary field values to the microservice for X-Forwarded-Groups.

    Configure the user groups

    Now select Groups from the left navigation bar and add two groups:

    • admin
    • basic_user

    Configure the user

    From the left navigation bar, select Users and add a user. Enter an email address and a password for the new user, and add the user to the basic_user and admin groups you've just created. Now you are ready to configure oauth2-proxy and the example application.

    Deploy the application with oauth2-proxy sidecar

    Now let's deploy our application with an oauth2-proxy sidecar. To make life easier, here is a Git repository with all of the OpenShift templates. Clone the repository and cd into the folder and run the following script to configure and deploy all of the templates, simply passing the OpenShift project name as a variable:

    $ git clone https://github.com/snowjet/demo-oauth2-proxy.git
    $ cd demo-oauth2-proxy
    
    # deploy flask with oauth2-proxy in project keyauth
    $ ./create_app.sh keyauth

    The script above deploys a number of templates for the application. However, the important templates relating to oauth2-proxy are the configuration maps.

    • Configmap_ssopubkey.yml contains the Keycloak Public Certificate to validate the JSON Web Token (JWT) passed by oauth2-proxy
    • Configmap-oauth.yml contains the variables required to configure oauth2-proxy. These include:
      • oidc_issuer_url
      • client_secret
      • redirect_url
      • cookie_secret
      • whitelist_domains
      • cookie_domains

    The remaining templates complete the deployment:

    • DeploymentConfig for the application with a sidecar for oauth2-proxy
    • Service pointing to the oauth2-proxy
    • Route pointing to the service for the oauth2-proxy

    Testing the configuration

    Once deployed, test the configuration and then browse to the example application. Remember to sign out of the admin portion of Keycloak before trying to sign in to the Keycloak web app. Then, on the Sign in screen, click Sign in with Keycloak, as shown in Figure 5.

    Sign in to test the configuration and browse to the example application
    Figure 5: Sign in to test the configuration and browse to the example application.

    Once you are redirected to the Keycloak login dialog, type the username or email address and the password for the application user, as shown in Figure 6. Then click the login button to complete your entries.

    On the Keycloak login dialog type the username or email address and password for the application user
    Figure 6: On the Keycloak login dialog, type the username or email address and password for the application user.

    After you are successfully authenticated, you will be redirected to an application page that returns a JSON file like the one shown in Figure 7. The file exposes the headers passed along by oauth2-proxy:

    Redirects to an application page that returns a JSON file
    Figure 7: Redirects to an application page that returns a JSON file.

    Conclusion

    This article was an introduction to oauth2-proxy, a replacement for Louketo Proxy that provides authentication for your applications without making you code OpenID Connect clients within microservices. As always, I welcome your questions and any feedback and details you share in the comments.

    Last updated: August 26, 2022

    Recent Posts

    • How to deploy language models with Red Hat OpenShift AI

    • AI search with style: Fashion on OpenShift AI with EDB

    • What qualifies for Red Hat Developer Subscription for Teams?

    • How to run OpenAI's gpt-oss models locally with RamaLama

    • Using DNS over TLS in OpenShift to secure communications

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue