Link a service account to a user from Keycloak idp

What happened?

We have deployed Pomerium Enterprise in order to use the Service Accounts functionality. When opening Pomerium Console, going to the Service Accounts page and then creating a new service account, we are presented with a form where we can provide a “user id” to attach the service account to a specific user in our IDP.

Currently, it is not convenient to retrieve this user id. We have to ask the user to log in, go to their Pomerium user details page (/.pomerium) and send us the User Id value.

What did you expect to happen?

It seems that the field “User Id” could help with autocompletion, but only other service accounts appear when we edit this field.

In the logs of the Pomerium DataBroker, we have noticed a warning that could explain why we don’t get autocompletion:

{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"service":"identity_manager","time":"2022-08-07T11:00:38Z","message":"refreshing directory users"}
{"level":"warn","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"service":"identity_manager","error":"unknown directory provider oidc","time":"2022-08-07T11:00:38Z","message":"failed to refresh directory users and groups"}

We are using Keycloak as our idp, so in Pomerium config we use “idp_provider: oidc”.

Could you help us understand if autocompletion for user id while creating a Service Account is supposed to work with a generic OIDC IDP?

If it is not supported, do you have any suggestions for making the creation of a Service Account linked to a User from a generic idp easier?

What’s your environment like?

We have a Kubernetes cluster using Traefik as Ingress Controller and Pomerium for forward auth. We have configured Pomerium to use Keycloak as idp.

  • Pomerium version: 0.18.0
  • Kubernetes version: 1.20.11
  • Traefik version: 2.8.0
  • Keycloak version: 15.0.1

What’s your config.yaml?

address: :80
authenticate_service_url: https://pomerium-authenticate.external
authorize_service_url: http://pomerium-authorize.internal
databroker_service_url: http://pomerium-databroker.internal
dns_lookup_family: V4_ONLY
forward_auth_url: http://pomerium-proxy.internal
idp_client_id: <hidden>
idp_client_secret: <hidden>
idp_provider: oidc
idp_provider_url: https://keycloak.external
insecure_server: true
routes:
   ...

What did you see in the logs?

{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"service":"identity_manager","time":"2022-08-07T11:00:38Z","message":"refreshing directory users"}
{"level":"warn","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,"service":"identity_manager","error":"unknown directory provider oidc","time":"2022-08-07T11:00:38Z","message":"failed to refresh directory users and groups"}

Additional context

Our goal is to have Service Accounts linked to Users from the identity provider, so that when we use the Service Account authentication token, Pomerium will fill the usual HTTP claim headers containing the user details.
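As an added diagnostic (not part of this report, and not Pomerium code), the following Python scanner runs over DataBroker JSON log lines like the ones quoted above: it keeps only identity_manager warnings and errors, pulls the provider name out of the “unknown directory provider” error, and tolerates truncated lines. The sample input embeds the two log lines from the report plus one constructed truncated line; that the error means the configured idp_provider has no directory implementation is an assumption.

```python
import json
import re

# Pomerium DataBroker log lines as quoted in the report above, plus one
# deliberately truncated line (constructed) to exercise the malformed-input path.
SAMPLE_LOG = (
    '{"level":"info","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,'
    '"service":"identity_manager","time":"2022-08-07T11:00:38Z","message":"refreshing directory users"}\n'
    '{"level":"warn","config_file_source":"/etc/pomerium/config.yaml","bootstrap":true,'
    '"service":"identity_manager","error":"unknown directory provider oidc",'
    '"time":"2022-08-07T11:00:38Z","message":"failed to refresh directory users and groups"}\n'
    '{"level":"warn","service":"identity_manager","error":"unknown directory pro\n'
)

# Error string seen in the report; assumed to mean the configured idp_provider
# has no directory (user/group sync) implementation in this Pomerium version.
DIRECTORY_ERROR = re.compile(r"unknown directory provider (\S+)")


def scan_identity_manager_logs(text):
    """Return one finding per identity_manager warning/error, or per unparseable line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "kind": "unparseable", "provider": None})
            continue
        if rec.get("service") != "identity_manager" or rec.get("level") not in ("warn", "error"):
            continue  # skip info-level progress records such as "refreshing directory users"
        match = DIRECTORY_ERROR.search(rec.get("error", ""))
        findings.append({
            "line": lineno,
            "kind": "no_directory_provider" if match else "identity_manager_warning",
            "provider": match.group(1) if match else None,
            "time": rec.get("time"),
            "message": rec.get("message"),
        })
    return findings


def unsupported_directory_providers(text):
    """Distinct idp_provider values the DataBroker could not run a directory sync for."""
    return sorted({f["provider"] for f in scan_identity_manager_logs(text)
                   if f["kind"] == "no_directory_provider"})


if __name__ == "__main__":
    for finding in scan_identity_manager_logs(SAMPLE_LOG):
        print(finding)
    print("providers without directory sync:", unsupported_directory_providers(SAMPLE_LOG))
```

Feed it the real DataBroker log (for example `kubectl logs` piped into `scan_identity_manager_logs`) to confirm whether the missing autocompletion coincides with the directory-sync warning rather than some other identity_manager error.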

Hello,

After experimenting with ServiceAccount and the Keycloak idp, I found another strange difference between the behavior of a ServiceAccount token and a Pomerium token obtained by logging in through the UI.
I have configured a Service Account to be linked to the same user I log in as in the UI.

When I use the ServiceAccount token, I only get a few Pomerium claims in the HTTP headers: X-Pomerium-Email, X-Pomerium-Claim-User and X-Pomerium-Jwt-Assertion

When I use the token from the UI cookie, I get all claims: X-Pomerium-Claim-Groups, X-Pomerium-Claim-Username, X-Pomerium-Claim-Name, X-Pomerium-Email, X-Pomerium-Claim-User and X-Pomerium-Jwt-Assertion

I am using the same route; the only difference is the token.
Do you know why the backend service does not get the same claims when using different types of token?