Authentication with OIDC and Keycloak

Warning: this document is no longer supported. See Archive.

Key Value
Summary Learn how to set up Charmed Kubeflow authentication with OpenID Connect and Keycloak
Categories docs, kubeflow
Difficulty 3
Author Rob Gibbon


Duration: 2:00

Charmed Kubeflow delivers a powerful, sophisticated end-to-end MLOps platform which you can deploy in half an hour or less, using MicroK8s or another conformant Kubernetes distribution.

In this tutorial, we will learn how to configure Charmed Kubeflow for multi-user collaboration with OpenID Connect (OIDC) using Keycloak for user authentication.

We’ll be using the Keycloak federated SSO system for this how-to guide.

What you’ll learn

  • How to configure Keycloak for integration with Charmed Kubeflow
  • How to add user credentials to Keycloak
  • How to configure Charmed Kubeflow to use Keycloak for OIDC-based SSO authentication

What you’ll need

  • A Kubernetes cluster (eg. MicroK8s running on Ubuntu 20.04 with one or more nodes running Charmed Kubeflow - see the install guide to get up and running
  • Some command line knowledge


Quick install Keycloak

Duration: 5:00

For this how-to guide, we’ll install Keycloak on the Kubernetes cluster to help get you started quickly. However in a typical production setting, Keycloak will likely be deployed and managed outside of the Charmed Kubeflow environment - if that’s the case for you, then you can skip this first step and just follow the rest of the guide.

kubectl create namespace keycloak
kubectl create -f -n keycloak

You’ll need to wait up to a few minutes until Keycloak successfully deploys. You can check the status using the kubectl command. When you see output similar to the output below, you’ll be good to go:

kubectl get pods -n keycloak -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP            ...
keycloak-555bfb8b94-tdlns   1/1     Running   8          10s   ...

Configure Keycloak

Duration: 10:00

The next step is to access the Keycloak login page using your favourite browser. You can find the IP address of the Keycloak server in the output of the kubectl get pods command listed above. If Keycloak is running on a remote cluster, you can use sshuttle to help you access it. Run the following commands:

sudo apt install sshuttle -y
sshuttle -r <USERNAME>@<HOST> <keycloak_server>

Then point your browser to http://<keycloak_server>:8080/ and click on Administration Console

You should now see the login page, use the default credentials admin/admin to log in to Keycloak.

Once you have logged in, navigate to the Realm Settings screen, scroll down, and click OpenID Endpoint Configuration. From the JSON code that’s shown, find the issuer value and make a note of it, as you will need it later.

Now we’re going to create a new client configuration, so navigate to the Clients screen and click Create client. Select Client type as OpenID Connect, enter your preferred clientid, for example you could enter “CKF” then click Next. We’ll use the clientid a bit later, so make a note of the value that you chose.

Next turn on Client authentication and hit Save.

In Valid Redirect URI, add your Charmed Kubeflow deployment’s public URL with the path as follows – it should be similar to http://<YOUR FQDN>/dex/callback – and press +. Make a note of this URL as you will need it later. Scroll down and hit Save.

You should now see a new tab at the top of the screen, Credentials - navigate to it, and make a note of the client secret as you will need it later.

User configuration

Go to Users, click Add user, and create a new user by filling in Username, Email, and checking Email Verified. Hit Create.

Now go to the Credentials tab and click Set password (turn off Temporary). Hit Save.

Client scopes configuration

Navigate to the Client screen and select your client, eg. CKF. Navigate to the Client Scopes tab, Choose Evaluate enter the username. Go to the Generated Access Token tab, and make a note of the scopes that are shown in the JSON code shown, as you will need this information later. Typically they are likely to be openid, profile and email.

Configure Charmed Kubeflow

Duration: 5:00

We should have the following information noted from configuring Keycloak:

  • issuer
  • clientid
  • client-name
  • client-secret
  • callback URL
  • Scopes

With that information, we can configure the Dex OIDC connector for Charmed Kubeflow. Run the following commands, making sure to substitute the placeholders for the values that you noted down whilst configuring Keycloak. If you’re missing a setting, go back over the previous tasks and check to find it before proceeding!

cat > oidc-connector.json <<EOF
   "id": "keycloak",
   "name": "OpenID Connect",
   "type": "oidc",
   "config": {
     "issuer": "<ISSUER>",
     "clientID": "<CLIENT_NAME>",
     "clientSecret": "<CLIENT_SECRET>",
     "redirectURI": "<DEX_CALLBACK>",
     "userNameKey": "preferred_username",
     "scopes": [
juju config dex-auth connectors="$(cat oidc-connector.json)"

Log into Charmed Kubeflow

Duration: 2:00

You’ve reached the last step!! Log into Charmed Kubeflow by selecting Log in with OpenID Connect. After you enter the username and password, you should be redirected to the new user onboarding workflow in the Kubeflow UI. You are ready to explore Charmed Kubeflow now!

It’s a wrap

Duration: 1:00

Congratulations! You should now have an OIDC setup based on Keycloak successfully connected to your Charmed Kubeflow MLOps platform! But if you’re having difficulties, don’t worry - head over to the forum to ask a question and get in touch with the community.

Further reading

Duration: 1:00

Have questions? Contact our sales team now.


Hi…This doesnt seem to be working! Any insights? Im geting an:

upstream connect error or disconnect/reset before headers. reset reason: connection failure

@hmactavish13, I am glad to hear you are trying Charmed Kubeflow. That is quite a generic message, so we would need a few more details in order to help you out:

  • Did you already manage to deploy / use Charmed Kubeflow before trying this step?
  • Could you showcase the result of the command watch -c juju status --color?

Hi @munteanuandreea .Thanks for taking the time to reply.On deeper inspection i found out that dex-auth is not working…It says that its in crash loopback and i tried manually restarting it via juju but it still doesnt start.

Hi @hmactavish13,

Can you provide the debug-log for the dex charm (I think juju debug-log -i dex-auth/0) and logs for the dex processes kubectl logs [any dex pods]? Those might give us some hints as to what is going on

I’m getting the same error and I think it’s due to a certificate issue. Relevant part of the truncated log for dex-auth:

failed to initialize server: server: Failed to open connector keycloak: failed to open connector: failed to create connector keycloak: failed to get provider: Get “”: x509: certificate is valid for ingress.local, not

I’ve since tried another solution (Dex using Oauth) but am getting no error message from Dex. When I click “Login with Github” it just says “Internal server error” and “Login Error.” Does anyone know how I can get more detailed logs from Dex (“microk8s.kubectl logs dex-auth-0 -n kubeflow” does not provide any information)?

Hi @ca-scribner I’m pasting the logs for dex-auth .It says error unmarshalling in go…attaching a screenshot for reference!