fix(auth/keycloak): enable Standard Token Exchange v2 on peer clients#116
Draft
aktech wants to merge 5 commits into
Conversation
Keycloak 26.2+ enables `TOKEN_EXCHANGE_STANDARD_V2` by default. V2 routes the `urn:ietf:params:oauth:grant-type:token-exchange` grant through the new path which checks the requesting client's `standard.token.exchange.enabled` attribute. The legacy V1 fine-grained-authz wiring on the target client is silently ignored. Without this attribute every exchange returns `403 access_denied "Client not allowed to exchange"`. Both Nebi auto-auth at JupyterLab spawn and the jhub-apps environment selector fail silently as a result. `ConfigureTokenExchange` now sets the attribute on each peer client via `UpdateClient` before doing V1 wiring. V1 path kept intact for clusters running Keycloak <26 with V2 disabled.
Docker Images Built
Images pushed to Quay.io for branch

Test the operator:
`kubectl apply -k https://github.com/nebari-dev/nebari-operator.git/config/default?ref=fix/token-exchange-v2-standard`
`kubectl set image deployment/nebari-operator-controller-manager manager=quay.io/nebari/nebari-operator:fix-token-exchange-v2-standard -n nebari-operator-system`
V2 also requires the target client to be in the requesting client's scope tree, otherwise Keycloak rejects with `400 invalid_request "Requested audience not available: <target>"`, even when the requester has `standard.token.exchange.enabled=true`. Add an `oidc-audience-mapper` on each peer client whose `included.client.audience` points to this NebariApp's `clientId`. Idempotent via name-based skip + 409 tolerance.
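The two V2 prerequisites described in the PR description and the comment above (the `standard.token.exchange.enabled` attribute on the requesting peer client, plus an `oidc-audience-mapper` on that peer pointing at the target `clientId`) can be applied and verified against a Keycloak client representation with the added example below. It is illustrative code written for this page, not the nebari-operator's `ConfigureTokenExchange`: the struct is a small assumed subset of Keycloak's admin REST client representation, the mapper name convention `audience-<target>` is assumed (the operator's real mapper name is not shown here), `access.token.claim` is a standard audience-mapper config key added beyond what the page lists, and the client ids `jupyterhub` and `nebari-app` are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ClientRepresentation is an assumed subset of Keycloak's admin REST
// client representation: only the fields the V2 checks depend on.
type ClientRepresentation struct {
	ClientID        string            `json:"clientId"`
	Attributes      map[string]string `json:"attributes"`
	ProtocolMappers []ProtocolMapper  `json:"protocolMappers"`
}

// ProtocolMapper is one protocol mapper entry on a client.
type ProtocolMapper struct {
	Name           string            `json:"name"`
	Protocol       string            `json:"protocol"`
	ProtocolMapper string            `json:"protocolMapper"`
	Config         map[string]string `json:"config"`
}

const standardExchangeAttr = "standard.token.exchange.enabled"

// audienceMapperName is an assumed naming convention used for the
// idempotent name-based skip; the operator's real mapper name is not on the page.
func audienceMapperName(targetClientID string) string {
	return "audience-" + targetClientID
}

// ParseClient decodes a client representation as returned by the admin API.
func ParseClient(raw string) (ClientRepresentation, error) {
	var c ClientRepresentation
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

// EnsureStandardExchange applies both V2 prerequisites to a peer client in
// memory. It returns true when the representation changed (the caller would
// then PUT it back with UpdateClient); a repeated call is a no-op.
func EnsureStandardExchange(peer *ClientRepresentation, targetClientID string) bool {
	changed := false
	if peer.Attributes == nil {
		peer.Attributes = map[string]string{}
	}
	if peer.Attributes[standardExchangeAttr] != "true" {
		peer.Attributes[standardExchangeAttr] = "true"
		changed = true
	}
	name := audienceMapperName(targetClientID)
	for _, m := range peer.ProtocolMappers {
		if m.Name == name {
			return changed // name-based skip: audience mapper already present
		}
	}
	peer.ProtocolMappers = append(peer.ProtocolMappers, ProtocolMapper{
		Name:           name,
		Protocol:       "openid-connect",
		ProtocolMapper: "oidc-audience-mapper",
		Config: map[string]string{
			"included.client.audience": targetClientID,
			"access.token.claim":       "true", // standard mapper key; assumed beyond the page
		},
	})
	return true
}

// CheckV2Exchange reports, from the peer's representation alone, which of the
// two rejections described in the PR a V2 exchange towards targetClientID
// would hit; nil means both prerequisites are satisfied.
func CheckV2Exchange(peer ClientRepresentation, targetClientID string) error {
	if peer.Attributes[standardExchangeAttr] != "true" {
		return fmt.Errorf("403 access_denied: client %q not allowed to exchange", peer.ClientID)
	}
	for _, m := range peer.ProtocolMappers {
		if m.ProtocolMapper == "oidc-audience-mapper" &&
			m.Config["included.client.audience"] == targetClientID {
			return nil
		}
	}
	return fmt.Errorf("400 invalid_request: requested audience not available: %s", targetClientID)
}

// sampleJupyterHub is a constructed peer-client representation as it would
// look before this fix: no attribute and no audience mapper.
const sampleJupyterHub = `{
  "clientId": "jupyterhub",
  "attributes": {},
  "protocolMappers": []
}`

func main() {
	peer, err := ParseClient(sampleJupyterHub)
	if err != nil {
		panic(err)
	}
	fmt.Println("before:", CheckV2Exchange(peer, "nebari-app"))
	fmt.Println("changed:", EnsureStandardExchange(&peer, "nebari-app"))
	fmt.Println("after:", CheckV2Exchange(peer, "nebari-app"))
	fmt.Println("second run changed:", EnsureStandardExchange(&peer, "nebari-app"))
}
```

Running `CheckV2Exchange` against each peer client after reconciliation is a cheap way to confirm the operator actually produced both prerequisites on a Keycloak 26.2+ realm, rather than discovering the missing mapper only when a JupyterLab spawn fails with the 400.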
Keycloak 26.2+ defaults to V2 for the token-exchange grant. Operator only wired V1 fine-grained-authz, which V2 ignores → every exchange returns `403 "Client not allowed to exchange"`. Sets `standard.token.exchange.enabled=true` attribute on each peer client. V1 wiring kept for older Keycloak.