Authenticate User with Keycloak Access Token to use the Rest API

Hello,
We use Ansible AWX 22.7.1, Keycloak 22.0.5 and our own web application and backend services.
In AWX we configured the Generic OIDC settings to point at our Keycloak server.

We can log in to the web app via Keycloak, so the user is authenticated.
In our web app we make a call to the backend. The backend calls the AWX service.

Our problem now is that we don’t know how to authenticate to the AWX service with the access token generated by Keycloak, for example to start a template.

We also found out that we can allow external users to create tokens. The section at the bottom of ansible-tower oauth2_token_auth describes how to enable external users to create tokens. But the steps of the auth process are not so clear to us.

So maybe someone can explain to us how to authenticate a user via the REST API.

Best regards
Michael

Hello @Ilgmi,
Welcome, and congratulations on your first post to the forum!

I want to make sure I’m understanding correctly to ensure we’re assisting you the best way possible. Just to confirm, you are saying you can authenticate to the AWX UI via Keycloak but not the API?

Any additional details you can provide about what you are trying to achieve will better enable us to assist you. We want to be sure we understand what service you are referring to when you mention “web-app.”

Thank you for your time!

@djyasin I’m so sorry for the lack of details. I’ll try to sketch it.

In the old version we used this approach:

  ┌──────────────────────────────────────────────────────┐
  │                                                      │
  │ ┌───────┐        ┌──────────────────┐     ┌────────┐ │
  │ │Web-App├───2────►  Backend-Service ├──6──►  AWX   │ │
  │ └───▲───┘        └───────┬────▲─────┘     └───▲────┘ │
  │     │                    │    │               │      │
  │     │                    3    5               │      │
  │     │                    │    │               │      │
  │     │             ┌──────▼────┴────┐          │      │
  │     │             │JWT-Auth-Service◄──────────4      │
  │     │             └────────────────┘                 │
  │     │                                                │
  │     1                ┌──────────┐                    │
  │     ─────────────────► Keycloak │                    │
  │                      └──────────┘                    │
  │                                                      │
  └──────────────────────────────────────────────────────┘
  1. Authenticate the user in our web app with Keycloak.
  2. Call the Backend-Service, which should use the AWX API to start a new job.
  3. Call the JWT-Auth-Service to generate an access token from AWX.
  4. Create the user if it does not exist. Create an access token for the user. Also save the user and access token to Vault. If the user exists we can use the saved data.
  5. Return the access token to the Backend-Service.
  6. Call the AWX REST API to start a new job.

What we are trying to do now is:

  • remove the JWT-Auth-Service
  • use the Generic OIDC Settings from AWX

Something like this.

  ┌──────────────────────────────────────────────────────┐
  │                                                      │
  │ ┌───────┐        ┌──────────────────┐     ┌────────┐ │
  │ │Web-App├───2────►  Backend-Service ├──3──►  AWX   │ │
  │ └───▲───┘        └──────────────────┘     └───▲────┘ │
  │     │                                         │      │
  │     │                                         │      │
  │     │                                         │      │
  │     │                                         4      │
  │     │                                         │      │
  │     │                                         │      │
  │     │                                         │      │
  │     1                ┌──────────┐             │      │
  │     ─────────────────► Keycloak ◄─────────────┘      │
  │                      └──────────┘                    │
  │                                                      │
  └──────────────────────────────────────────────────────┘
  1. Authenticate the user with Keycloak.
  2. Call a function on the Backend-Service. The access token from Keycloak is passed along here.
  3. Use the REST API to start a job. Here we want to pass the Keycloak token to AWX.
  4. AWX uses the Generic OIDC settings to authenticate the user.

We added the Social Auth Map for Organization and Team, so that the user is in the correct organization and team.
We also enabled the option “Allow external Users to Create OAuth2 Tokens”.

We also know that there is an option to create OAuth2 tokens, but we don’t really know how to do that. Also the documentation of Authentication_o_list could help us.

I hope this helps you to help us :slight_smile:

Hello @Ilgmi,
Thank you so much for taking the time to sketch this out for us! We need to take a bit of time on our end to review this and understand what is happening here.

We did see you mention:

We also know that there is an option to create OAuth2 tokens, but we don’t really know how to do that. Also the documentation of Authentication_o_list could help us.

We do have documentation around this and wanted to go ahead and share that with you. This is more information regarding the application around it: 19. Token-Based Authentication — Ansible AWX community documentation

And this documentation has more information about how to set up tokens etc.: 16. The awx-manage Utility — Ansible AWX community documentation

Please let us know if this documentation is helpful! We will spend more time with the other information you provided and try to get you some assistance there.

@djyasin thanks for the information and your help.

I had another thought on how to solve our problem.

We decided to log the user in via the OIDC URL in our AwxClient implementation.

  1. We call /sso/login/oidc/. This gives us the Location URL for Keycloak. We also get the cookies for csrftoken and awx_sessionid.
  2. We call the Location URL and set the KEYCLOAK_IDENTITY cookie with the user’s access token.
  3. This authenticates the user and gives us a new Location URL /sso/complete/oidc/?state=&session_state=.
  4. We call this Location with the cookies from step 1. This gives us the latest csrftoken and awx_sessionid for further API calls.
  5. The user is logged in and we can call the AWX REST API with csrftoken and awx_sessionid.

It is now possible for us to remove the awx-jwt-authentication service, which was only there to create the user and also create a PAT token.
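The five-step session login described in the post above, as an added Python example that is not part of the original post or of the AWX project. It keeps one cookie jar per host so the AWX csrftoken and awx_sessionid cookies are never sent to Keycloak, follows each hop by hand instead of letting the HTTP library auto-redirect (otherwise the cookies set on the intermediate responses would be lost), and echoes the rotated csrftoken in the X-CSRFToken header on the final launch POST. The hostnames, job template id 7, the KEYCLOAK_IDENTITY value and fake_transport are assumptions constructed for an offline run; urllib_transport is the stdlib transport for a real instance.

```python
# Added example (not from the post or the AWX project): log in to AWX through its Generic
# OIDC SSO endpoints the way the post describes, then launch a job template with the
# session cookies. Hostnames, template id and fake_transport are assumptions.
import json
import urllib.error, urllib.request
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

def parse_cookies(header):
    """Cookie or Set-Cookie header value -> {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}

class AwxSsoClient:
    """transport(method, url, headers, body) -> (status, [(header, value)], body)."""
    def __init__(self, base_url, transport):
        self.base, self.transport = base_url.rstrip("/"), transport
        self.jars = {}  # one cookie jar per host: AWX cookies must never reach Keycloak

    def jar(self, url):
        return self.jars.setdefault(urlsplit(url).hostname, {})

    def request(self, method, url, headers=None, body=None):
        headers, jar = dict(headers or {}), self.jar(url)
        if jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        status, resp_headers, resp_body = self.transport(method, url, headers, body)
        for name, value in resp_headers:
            if name.lower() == "set-cookie":
                jar.update(parse_cookies(value))
        return status, {n.lower(): v for n, v in resp_headers}, resp_body

    def follow(self, url):
        status, headers, _ = self.request("GET", url)
        if status not in (301, 302, 303) or "location" not in headers:
            raise RuntimeError(f"expected a redirect from {url}, got {status}")
        return headers["location"]

    def login(self, keycloak_identity):
        kc_url = self.follow(self.base + "/sso/login/oidc/")  # 1: get csrftoken + awx_sessionid
        self.jar(kc_url)["KEYCLOAK_IDENTITY"] = keycloak_identity  # 2: Keycloak cookie
        complete_url = self.follow(kc_url)  # Keycloak redirects to /sso/complete/oidc/
        self.follow(complete_url)  # 3+4: callback with step-1 cookies; AWX rotates both
        jar = self.jar(self.base)
        if "awx_sessionid" not in jar or "csrftoken" not in jar:
            raise RuntimeError("AWX did not establish a session")
        return jar["awx_sessionid"]

    def launch_job_template(self, template_id, extra_vars=None):
        # 5: Django's CSRF check needs the csrftoken cookie echoed in X-CSRFToken
        # and a same-origin Referer on HTTPS POSTs.
        jar = self.jar(self.base)
        headers = {"Content-Type": "application/json", "Referer": self.base + "/",
                   "X-CSRFToken": jar["csrftoken"]}
        body = json.dumps({"extra_vars": extra_vars or {}}).encode()
        url = f"{self.base}/api/v2/job_templates/{template_id}/launch/"
        status, _, resp = self.request("POST", url, headers, body)
        if status != 201:
            raise RuntimeError(f"launch failed: {status} {resp[:200]!r}")
        return json.loads(resp)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # hand each 3xx back so cookies are applied per hop

def urllib_transport(method, url, headers, body):
    """Real transport for a live AWX + Keycloak (stdlib only)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.build_opener(_NoRedirect()).open(req, timeout=30) as resp:
            return resp.status, list(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:  # 3xx and 4xx both arrive here
        return err.code, list(err.headers.items()), err.read()

AWX, KC = "https://awx.example.test", "https://keycloak.example.test"  # assumed hosts

def awx_cookies(csrf, sess):
    return [("Set-Cookie", f"csrftoken={csrf}; Path=/"),
            ("Set-Cookie", f"awx_sessionid={sess}; Path=/; HttpOnly")]

def fake_transport(method, url, headers, body):
    """Constructed stand-in for AWX and Keycloak mirroring the post's redirect chain."""
    u, sent = urlsplit(url), parse_cookies(headers.get("Cookie"))
    if u.hostname == "keycloak.example.test":  # step 2: only the Keycloak cookie counts
        if sent.get("KEYCLOAK_IDENTITY") != "demo-identity" or "awx_sessionid" in sent:
            return 401, [], b"no Keycloak session"
        return 302, [("Location", f"{AWX}/sso/complete/oidc/?state=s1&session_state=k9")], b""
    if (method, u.path) == ("GET", "/sso/login/oidc/"):  # step 1
        return 302, [("Location", f"{KC}/realms/demo/protocol/openid-connect/auth?state=s1")] + awx_cookies("csrf1", "sess1"), b""
    if u.path == "/sso/complete/oidc/" and parse_qs(u.query).get("state") == ["s1"] and sent.get("awx_sessionid") == "sess1":
        return 302, [("Location", AWX + "/")] + awx_cookies("csrf2", "sess2"), b""  # steps 3-4: session rotated
    if (method, u.path) == ("POST", "/api/v2/job_templates/7/launch/"):  # step 5
        if sent.get("awx_sessionid") == "sess2" and headers.get("X-CSRFToken") == sent.get("csrftoken") == "csrf2":
            return 201, [], json.dumps({"job": 42, "extra_vars": json.loads(body)["extra_vars"]}).encode()
        return 403, [], b"CSRF or session check failed"
    return 404, [], b""

def demo(transport=fake_transport):
    client = AwxSsoClient(AWX, transport)
    client.login("demo-identity")
    return client.launch_job_template(7, {"target": "web01"})
```

Swap fake_transport for urllib_transport to run it against a real instance. Two points follow from the flow itself: Keycloak treats KEYCLOAK_IDENTITY as its own SSO session cookie, so whichever service holds that value can act as the user towards Keycloak and it should be kept out of logs; and the awx_sessionid it produces is bound to AWX's session timeout, so the client should re-run login when a later API call comes back 401 or 403.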