I'm looking for ways to secure different app deployments and considering using OAuth proxy with Keycloak. I'm curious if anyone has experience with this approach and can share recommendations or insights. From what I've gathered, it seems to easily manage access to web endpoints, but I'm a bit unclear about any non-HTTP endpoints. Also, how do you typically pull user information and groups into your applications? Are these passed along using headers or another method?
1 Answer
We use oauth2-proxy alongside Istio as a custom authentication provider, and it has really simplified the process for us. With oauth2-proxy, you can easily fetch user groups and claims through dedicated endpoints—something like /oauth/info, if I remember correctly.

Interesting! So, is the oauth-proxy just deployed as a pod or service in your namespace that Istio references? I've been using nginx, which seems straightforward since I can just add annotations to my app's ingress to point to my oauth2 endpoint that connects to Keycloak as a confidential client.
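To make the nginx-ingress pattern from the follow-up concrete, and to show the header-based user/group hand-off the answer refers to, here is an added illustration. It is not code from either poster; it is a minimal Kubernetes manifest that runs oauth2-proxy as its own Deployment, points it at Keycloak as an OIDC provider, and protects an application Ingress with the nginx `auth_request` annotations. Hostnames, the realm name, the group name, the Secret name and the service names are placeholders. The groups claim only arrives if the Keycloak client has a Group Membership mapper emitting a `groups` claim, which oauth2-proxy reads by default. Note that this flow only covers HTTP traffic: anything that is not an HTTP request never passes through `auth_request`.

```yaml
# Added example (not from the original thread). All names are placeholders.
# oauth2-proxy runs as a separate pod; the app never talks to Keycloak itself.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: demo            # placeholder namespace
spec:
  replicas: 1
  selector:
    matchLabels: { app: oauth2-proxy }
  template:
    metadata:
      labels: { app: oauth2-proxy }
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0   # pin a real release
          args:
            - --provider=keycloak-oidc
            - --oidc-issuer-url=https://keycloak.example.com/realms/demo   # placeholder realm
            - --client-id=demo-app                  # confidential client in Keycloak
            - --email-domain=*
            - --allowed-group=app-users             # deny users outside this Keycloak group
            - --set-xauthrequest=true               # emit X-Auth-Request-* headers for nginx
            - --upstream=static://202               # auth-only mode: no proxying of app traffic
            - --reverse-proxy=true                  # trust X-Forwarded-* from the ingress
            - --http-address=0.0.0.0:4180
            - --cookie-secure=true
          env:
            # Secret values come from a Kubernetes Secret, never from the manifest.
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom: { secretKeyRef: { name: oauth2-proxy-secrets, key: client-secret } }
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom: { secretKeyRef: { name: oauth2-proxy-secrets, key: cookie-secret } }
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: demo
spec:
  selector: { app: oauth2-proxy }
  ports:
    - port: 4180
      targetPort: 4180
---
# /oauth2/* on the app's own host is routed to oauth2-proxy, so the session
# cookie is scoped to the same domain as the application.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: demo
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service: { name: oauth2-proxy, port: { number: 4180 } }
---
# The protected application. nginx calls /oauth2/auth for every request,
# redirects unauthenticated users to /oauth2/start, and copies the listed
# response headers from oauth2-proxy into the request sent to the app.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app
  namespace: demo
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Groups"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: demo-app, port: { number: 8080 } }   # placeholder app service
```

Inside the application, the identity arrives as plain request headers (`X-Auth-Request-User`, `X-Auth-Request-Email` and a comma-separated `X-Auth-Request-Groups`). Those headers are only trustworthy if the app is reachable solely through this Ingress; a NetworkPolicy or an Istio sidecar that rejects direct pod-to-pod traffic keeps a client from setting them itself. If the app needs the token rather than headers, `--pass-access-token` or `--set-authorization-header` forward it instead, and the app can then validate it against the Keycloak realm's JWKS.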