
How to set role-based login for jenkins in keycloak

I am a complete beginner with Keycloak. I need some help.

I have an SSO solution and I want to integrate it with Jenkins. At this point, I want to permit some users based on role.

OpenID -- keycloak -- jenkins : all users who are in OpenID can log in to Jenkins (I don't want this)

OpenID -- keycloak (check role) -- jenkins : all users who are in OpenID and also have a specific role in Keycloak can log in to Jenkins (I want this)

I think this is a very simple and common example of using Keycloak, but I can't find the solution.

The steps I did are here.

  1. Install the Keycloak plugin in Jenkins.
  2. Install Keycloak (version 5.0.0, using Helm)
  3. Create a realm
  4. Create an Identity Provider (OpenID)
  5. Create a client (named jenkins)
  6. Installation tab > copy the Keycloak OIDC JSON to Jenkins

(refer. https://wiki.jenkins.io/display/JENKINS/keycloak-plugin)

Now I can log in to Jenkins successfully.

  1. Create a role in Roles in the realm
  2. In the (jenkins) client, turn on Authorization Enabled
  3. Authorization tab > Policies tab > Create Policy > role; select the realm role and check Required
  4. Update the JSON in the Jenkins config.

It's done, but it does not work.

hokwang asked Jan 02 '23 00:01


1 Answer

I managed it the following way (Using Keycloak 8.0.1, Jenkins 2.208):

Keycloak:

  1. create realm
  2. create client "jenkins" - set Root URL to the Jenkins URL (e.g. http://127.0.0.1:8080)
  3. In client "jenkins" select tab "Installation" - format "Keycloak OIDC JSON" - copy to clipboard for the Jenkins setup below
  4. create role "jenkins_admin"
  5. create role "jenkins_readonly"
  6. create user "admin" and assign role "jenkins_admin"
  7. create a named user and assign role "jenkins_readonly"

Jenkins

  1. Verify that you have the necessary plugins installed (if not, install them):
     • "Keycloak Authentication Plugin"
     • "Matrix Authorization Strategy Plugin"
     • "Role-based Authorization Strategy plugin"

  2. Switch the authorization mode to Role-Based Strategy by going to "Configure Global Security" - select "Authorization": "Role-Based Strategy" and then click on save

  3. Add the Keycloak authentication JSON by going to "Manage Jenkins" - "Configure System" - "Global Keycloak Settings" and paste the previously copied JSON (Keycloak step 3) into the "Keycloak JSON" area

  4. Verify that an admin role is present by going to "Manage Jenkins" - "Manage and Assign Roles" - "Manage Roles" - "Global Roles". If not present, add the role "admin" with all checkboxes selected; then click on SAVE

  5. Add a "read_only" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Manage Roles" - "Global Roles" and add the role "read_only" with "Overall Read" selected; then click on SAVE

  6. Create group "jenkins_admin" and assign it to the "admin" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Assign Roles" and add group "jenkins_admin" to global roles; then select "admin" and click on SAVE

  7. Create group "jenkins_readonly" and assign it to the "read_only" role by going to "Manage Jenkins" - "Manage and Assign Roles" - "Assign Roles" and add group "jenkins_readonly" to global roles; then select "read_only" and click on SAVE

  8. Change the "Security Realm" to Keycloak Authentication Plugin by going to "Configure Global Security" and selecting "Security Realm": "Keycloak Authentication Plugin", then click on save.

  9. Log out

Now, when you try to log in, you should be redirected to the Keycloak login page. Try to log in as admin with admin rights, and as the named user with read-only rights.

Christoph Forster answered Jan 08 '23 06:01
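The mapping the answer sets up, reduced to a stand-alone Python script (an added example, not code from the Jenkins Keycloak plugin or from the answer): Keycloak carries a user's realm roles in the token's realm_access.roles claim, the answer's setup treats those roles as Jenkins groups, and the Role-Based Strategy turns the groups into permission sets. The script verifies a token, extracts the roles and returns the Jenkins permissions the user would end up with. A user whose token carries no mapped role still authenticates at Keycloak, but lands in Jenkins with no permissions, which is the "any Keycloak user can log in" behaviour the question objects to; the gate is the permission mapping in Jenkins, not the Keycloak client policy. Everything concrete here is constructed for the example: the HS256 shared secret (real Keycloak tokens are RS256 and are verified against the realm's public key), the issuer URL, the token contents and the permission names.

```python
"""Keycloak realm role -> Jenkins group -> Role-Based Strategy permissions (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# --- constructed values for this example (not Keycloak's real keys or URLs) ---
SHARED_SECRET = b"example-only-hs256-secret"          # assumption: HS256 so the script runs offline
ISSUER = "https://keycloak.example/auth/realms/jenkins"  # assumption: realm issuer URL
CLIENT_ID = "jenkins"

# Jenkins side, mirroring the answer's Role-Based Strategy setup:
# global role -> permissions, and Keycloak realm role (seen by Jenkins as a group) -> global role.
JENKINS_ROLES = {
    "admin": {"Overall/Administer", "Overall/Read", "Job/Build", "Job/Configure"},
    "read_only": {"Overall/Read"},
}
GROUP_TO_ROLE = {"jenkins_admin": "admin", "jenkins_readonly": "read_only"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, realm_roles: list, exp: int) -> str:
    """Mint a JWT shaped like a Keycloak ID token (constructed; HS256 only for self-containment)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "sub": username,
        "preferred_username": username,
        "exp": exp,
        "realm_access": {"roles": realm_roles},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: float = None) -> dict:
    """Check alg, signature, issuer, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm: never honour 'none' or a client-chosen alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def jenkins_permissions(claims: dict) -> set:
    """realm_access.roles -> Jenkins groups -> Role-Based Strategy permissions.
    Roles with no mapping (e.g. Keycloak's default offline_access) grant nothing."""
    perms = set()
    for group in claims.get("realm_access", {}).get("roles", []):
        role = GROUP_TO_ROLE.get(group)
        if role is not None:
            perms |= JENKINS_ROLES[role]
    return perms


def can_login(token: str, now: float = None) -> tuple:
    """Return (username, permissions). Authentication succeeds for every Keycloak user;
    without Overall/Read from a mapped role, Jenkins denies access after the redirect."""
    claims = verify_token(token, now)
    return claims["preferred_username"], jenkins_permissions(claims)


if __name__ == "__main__":
    now = 1_700_000_000
    for user, roles in [("admin", ["jenkins_admin"]), ("alice", ["jenkins_readonly"]), ("bob", ["offline_access"])]:
        name, perms = can_login(issue_token(user, roles, exp=now + 300), now=now)
        print(f"{name}: overall read={'Overall/Read' in perms} perms={sorted(perms)}")
```

The third user (bob) is the case the question describes: Keycloak authenticates him, the token is valid, but no realm role maps to a Jenkins group, so the permission set is empty and Jenkins rejects him. If the requirement is that such users must not reach Jenkins at all, the check has to be the mapping in Jenkins (or a role check in the realm's authentication flow), not a client-level Authorization policy, which the Jenkins plugin never evaluates.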