Supporting a Keycloak/Generic Provider

[vishalkuo]

We'd like to support keycloak (using OIDC) as a authn provider for our Guard setup. Is this something the team would accept as a PR / is there prior discussion around adding new providers that I should be aware of?

[tamalsaha]

Thanks, @vishalkuo for opening the issue. For OIDC, what support in needed in Guard? I thought, you just need to configure kubectl properly:

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl

[vishalkuo]

I think we just want to manage all our authn via guard instead of dividing it between guard and the kubectl API. I'm not sure if there's another easier way to have all auth, including generic OIDC, go through guard.

[tamalsaha]

Can you please outline the changes/additions needed in Guard?

[vishalkuo]

I imagine what we'd want is a new provider here of type generic or keyclock. This provider would probably be similar to the google one as it'll verify claims and construct a authv1.UserInfo populated with the necessary user information.

[tamalsaha]

Sounds good. If you want to open prs, you are welcome. Please note that you need to add e2e tests to make sure things work.