kuberneteskeycloak-gatekeeper

Using KeyCloak Gateway in a K8S Cluster


I have KeyCloak Gateway running successfully locally providing Google OIDC authentication for the Kubernetes dashboard. However using the same settings results in an error when the app is deployed as a pod in the cluster itself.

The error I see when the Gateway is running in a K8S pod is:

unable to exchange code for access token    {"error": "invalid_request: Credentials in post body and basic Authorization header do not match"}

I'm calling the gateway with the following options:

--enable-logging=true
--enable-self-signed-tls=true
--listen=:443
--upstream-url=https://mydashboard
--discovery-url=https://accounts.google.com
--client-id=<client id goes here>
--client-secret=<secret goes here>
--resources=uri=/*

With these settings applied to a container in a pod I can browse to the Gateway, am redirected to Google to log in, and then am redirected back to the Gateway where the error above is generated.

What could account for the difference between running the application locally and running it in a pod that would generate the above error?


Solution

  • This turned out to be a copy/paste fail in the end, with the client secret being incorrect. The error message wasn't much help here, but at least it was a simple fix.