I am stuck configuring Keycloak as the authentication and authorisation service provider for Eclipse Hono on our Kubernetes cluster (using Rancher).

The documentation gives little to no help about that, and all research on this topic results in suggestions to use Keycloak for Eclipse Hono, but not how to actually install or configure Hono to use Keycloak.

Could someone help me out? Has someone already installed Eclipse Hono and set Keycloak as authorisation and/or authentication provider?

Setting up Keycloak as the central authentication and authorisation service provider, in a Kubernetes cluster, for an IoT platform using Eclipse Hono and Eclipse Ditto.

Yannic Bürgmann
Futureman2007
  • Can you provide more details regarding your setup of Hono? Are you merely deploying the Getting Started setup, which uses a single Qpid Dispatch Router and an Artemis broker instance as the AMQP Messaging Network, or are you trying to deploy with a full-fledged enMasse as the AMQP Messaging Network? – Kai Hudalla Jun 17 '19 at 08:57
  • At the moment, I cannot provide more information because it is part of my bachelor thesis for computer science and I have to speak with my docent first, who is ATM not available. I will provide as much information as I can as soon as possible. – Futureman2007 Jun 17 '19 at 19:35
  • I found at https://github.com/eclipse/hono/blob/de1e04549fa9f6d0c2cc86eab93eec83acb6fff6/services/device-registry/src/main/java/org/eclipse/hono/deviceregistry/Application.java that the Registry Component uses the auth. server as a service. Maybe there I can put a wrapper or a facade to build a bridge to Keycloak? But how... kc does only provide "adapters" to config the server and to use kc. – Futureman2007 Jun 18 '19 at 17:54
  • This (stackoverflow) is not the right place for discussing fundamental concepts of Hono as there is no obvious, simple, off-you-go solution. I therefore propose to continue the discussion on the Hono mailing list (where you already had posted as well). – Kai Hudalla Jun 21 '19 at 07:22
  • Would you provide an answer there? – Futureman2007 Jun 21 '19 at 12:31
  • I already have ... – Kai Hudalla Jun 24 '19 at 13:15

1 Answer

I can answer only half of the question. For Eclipse Ditto, right now Google is the only issuer that is supported for JWT-based authentication. We would happily review a PR that allows registering additional issuers.

If you're using Ditto together with Hono and your use case is to communicate via Hono to Ditto, no JWT authentication is required as you communicate via an AMQP 1.0 connection. JWT is only relevant if you think about using the HTTP or WebSocket API of Ditto.

Unfortunately I can't help you with Eclipse Hono.

Yannic Bürgmann
  • Apologies for the first comment. One use case of this system would be (Hono only): "Customer wants to register an IoT device in Eclipse Hono by calling a service at webpage x" "Before the customer is allowed to register the device he has to authenticate himself via Keycloak, which will also check if this customer is allowed to do so." "After authenticating successfully, an authorisation code will be handed over to the customer" "The customer gives this code to his device" "The device will then get an access token from Keycloak to register itself to the system as a new device." – Futureman2007 Jun 17 '19 at 13:28
  • Do you plan to create things (not devices.. unfortunately they're called differently in Hono and Ditto) in Ditto via Hono as well? This means you send a createThing command via Hono to Ditto? If this is the case then you don't have to authenticate at Ditto using JWT. You just have to create a connection to Hono in Ditto. See https://www.eclipse.org/ditto/connectivity-overview.html. Looks like your main problem is authenticating at Hono where I couldn't be of any help. Sorry for that :( – Yannic Bürgmann Jun 17 '19 at 14:27
  • It is ok. I am happy that there are people trying their best to help. – Futureman2007 Jun 17 '19 at 20:09
  • Can somebody else help? – Futureman2007 Jun 19 '19 at 18:52
  • To set Keycloak as JWT provider for Eclipse Ditto I need to change the buildJwtSubjectIssuersConfig() method to use my Keycloak server, am I right? – Futureman2007 Jun 26 '19 at 10:12
  • 1
    correct. You would have to add a new `JwtSubjectIssuerConfig` to the `configItems` Set. I could imagine making this configurable so future users would only have to define their issuers by config and no longer by code. – Yannic Bürgmann Jun 26 '19 at 14:37
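
What registering an additional JWT issuer amounts to, as an added Python model that is not Ditto's code and not part of the original thread: a service keeps a fixed set of trusted issuers, and a token from a Keycloak realm is rejected until that realm's issuer is added to the set. The Keycloak host, the realm name and all function names here are assumptions; the sample tokens are constructed and carry a dummy signature.

```python
import base64
import json

# Constructed trust configuration: issuer ("iss" claim) -> JWKS endpoint.
# The Keycloak host and realm are placeholders, not values from the thread.
GOOGLE_ONLY = {
    "https://accounts.google.com": "https://www.googleapis.com/oauth2/v3/certs",
}
WITH_KEYCLOAK = {
    **GOOGLE_ONLY,
    "https://keycloak.example.org/auth/realms/iot":
        "https://keycloak.example.org/auth/realms/iot/protocol/openid-connect/certs",
}


class UntrustedIssuer(Exception):
    """Raised when a token names an issuer that is not registered."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_json(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def jwks_uri_for(token: str, trusted_issuers: dict) -> str:
    """Return the JWKS endpoint whose keys must verify this token.

    The payload is read before signature verification only to select a key
    source. The URL comes from local configuration, never from the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("unreadable JWT payload") from exc
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    # Exact string match: no prefix, substring or case-insensitive comparison.
    if not isinstance(issuer, str) or issuer not in trusted_issuers:
        raise UntrustedIssuer(repr(issuer))
    return trusted_issuers[issuer]


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for the demo."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_json(header)}.{_b64url_json(claims)}.c2ln"
```

The returned endpoint only selects where the verification keys come from; the signature, expiry and audience checks still have to pass before any claim is trusted.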