Scenario 9: Keycloak Authentication & SelfSubjectReview

Objective: Authenticate to the guest cluster using a Keycloak-issued ID token and verify that SelfSubjectReview returns the correct username, groups, and UID claim mappings.

KAS endpoint: https://api-brcox-sm-dev-hc.brcox.hcp-sm-azure.azure.devcluster.openshift.com:443

Overall Scenario 9: PASS — All 5 checks verified.

Step	Check	Result	Evidence
1	Obtain ID token from Keycloak via direct access grants	PASS	ID token returned from Keycloak token endpoint
2	ID token authenticates to guest cluster KAS	PASS	`kubectl auth whoami` returned user identity (not Unauthorized)
3	Username mapped from `email` claim (NoPrefix)	PASS	`keycloak-testuser-1@example.com`
4	Groups mapped from `groups` claim with `kc:` prefix	PASS	`kc:keycloak-testgroup-1`
5	UID mapped from `sub` claim	PASS	`85369ad3-...0fd9`

Commands & Outputs

Step 1: Obtain ID token from Keycloak

# Direct access grants flow (resource owner password credentials)
# Uses the public client "oc-cli-test" with test user credentials
$ ID_TOKEN=$(curl -s -X POST \
    --cacert /tmp/router-ca/ca-bundle.crt \
    "https://keycloak-keycloak.apps.brcox-mgmt.brcox.hypershift\
.devcluster.openshift.com/realms/master/protocol/openid-connect/token" \
    -d "grant_type=password&client_id=oc-cli-test\
&username=keycloak-testuser-1&password=************&scope=openid" \
    | jq -r '.id_token') && echo "Token obtained: ${ID_TOKEN:0:20}..."

Token obtained: eyJhbGciOiJSUzI1NiIs...

Authentication flow difference: Unlike Azure AD (Scenario 5) which used the device code flow (browser-based, suited for public clients on user devices), Keycloak here uses direct access grants (password-based, suited for testing and trusted CLIs). Both flows produce a valid OIDC ID token that KAS accepts via the configured JWT authenticator.

Steps 2–5: Authenticate to guest cluster and verify claim mappings

$ kubectl --server="https://api-brcox-sm-dev-hc.brcox.hcp-sm-azure\
.azure.devcluster.openshift.com:443" \
    --token="${ID_TOKEN}" --insecure-skip-tls-verify auth whoami

ATTRIBUTE                                           VALUE
Username                                            keycloak-testuser-1@example.com
UID                                                 85369ad3-...0fd9
Groups                                              [kc:keycloak-testgroup-1
                                                     system:authenticated]
Extra: authentication.kubernetes.io/credential-id   [JTI=85c28448-...8366]

Claim Mapping Verification

Claim	OIDC Config	Expected	Actual	Result
`email`	`username` (prefixPolicy: NoPrefix)	`keycloak-testuser-1@example.com`	`keycloak-testuser-1@example.com`	MATCH
`groups`	`groups` (prefix: `kc:`)	`kc:keycloak-testgroup-1`	`kc:keycloak-testgroup-1`	MATCH
`sub`	`uid`	Keycloak user UUID	`85369ad3-...0fd9`	MATCH

Key observations:

Unlike Azure AD which used preferred_username for username and oid for UID, Keycloak uses email for username and sub for UID — demonstrating that different claim mappings work correctly across providers
The group prefix changed from aad: (Azure AD) to kc: (Keycloak), confirming per-provider prefix isolation
The system:authenticated group is automatically added by KAS for all authenticated users
The Extra field contains the JTI (JWT Token Identifier), confirming structured authentication metadata is propagated

← Scenario 8 Scenario 10 →