All Products
Search

This Product

    Alibaba Cloud Service Mesh:Integrate Keycloak with ASM to implement SSO

    Document Center

    Alibaba Cloud Service Mesh:Integrate Keycloak with ASM to implement SSO

    Last Updated:Mar 11, 2026

    When multiple applications run in a service mesh, each one typically needs its own authentication logic -- duplicating effort and creating inconsistent login experiences. Service Mesh (ASM) solves this by delegating authentication to an external identity provider (IdP) at the mesh gateway level. You configure it once, and every application in the mesh is protected without any code changes.

    This guide walks you through setting up a self-managed Keycloak instance as an OpenID Connect (OIDC) IdP for ASM. After you complete the setup, unauthenticated users are automatically redirected to Keycloak to log in, and authenticated requests are forwarded to your applications with the user's identity information attached.

    How it works

    The SSO flow involves four components working together:

    ComponentRole
    Keycloak (IdP)Stores user accounts, credentials, roles, and scopes. Issues OIDC tokens after successful authentication.
    oauth2-proxyAn authentication proxy deployed by ASM as part of its custom authorization service. Redirects unauthenticated users to Keycloak and validates tokens on return.
    ASM AuthorizationPolicyAn Istio CUSTOM authorization policy on the ingress gateway. Intercepts incoming requests and delegates authentication decisions to oauth2-proxy.
    Application (httpbin)The backend application. Receives requests only after oauth2-proxy confirms the user is authenticated.

    Request flow:

    Browser ──HTTPS──> ASM ingress gateway
                        │
                  AuthorizationPolicy
                  (action: CUSTOM)
                        │
                   oauth2-proxy
                     /       \
          [unauthenticated]  [authenticated]
                 │                  │
            Redirect to         Forward request
            Keycloak login      with user info
                 │              to application
            User logs in
                 │
            Keycloak issues
            OIDC token
                 │
            Redirect back
            to oauth2-proxy

    Prerequisites

    Before you begin, make sure you have:

    Key concepts

    ConceptDescription
    IdP (identity provider)A system that stores and verifies digital identities. In this guide, Keycloak serves as the IdP.
    OIDC (OpenID Connect)An identity authentication protocol built on OAuth 2.0. For more information, see the OpenID Connect specification.
    ScopeA mechanism in OIDC that controls which categories of user information (such as email or profile) an application can access after authentication.

    Step 1: Deploy the demo application and Keycloak

    Deploy httpbin as the demo backend application and Keycloak as the IdP, both in the default namespace of your ACK cluster.

    Deploy httpbin

    Save the following YAML to a file named httpbin.yaml and apply it:

    kubectl apply -n default -f httpbin.yaml
    apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

    Deploy Keycloak

    Save the following YAML to a file named keycloak.yaml and apply it:

    kubectl apply -n default -f keycloak.yaml
    apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: keycloak
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:latest
        args: ["start-dev"]
        env:
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: "admin"
        - name: KC_PROXY
          value: "edge"
        ports:
        - name: http
          containerPort: 8080
        readinessProbe:
          httpGet:
            path: /realms/master
            port: 8080
    Important

    This deployment uses keycloak:latest and a hardcoded admin password for demonstration purposes. In production, pin a specific Keycloak version and store credentials in a Kubernetes Secret.

    Verify the deployments

    Run the following command to confirm both pods are running:

    kubectl get pods -n default -l 'app in (httpbin,keycloak)'

    Both pods should show Running status with all containers ready (2/2, including the sidecar).

    Step 2: Expose the application and Keycloak through the ASM ingress gateway

    This step creates an ASM gateway rule and virtual service to expose:

    • httpbin over HTTPS on port 443

    • Keycloak console over HTTP on port 80

    Create a TLS certificate

    Create a certificate named myexample-credential for the HTTPS service. For detailed instructions, see Enable secure HTTPS services using an ASM gateway.

    Create the gateway rule

    In the ASM console, create the following gateway rule. For more information, see Manage gateway rules.

    apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway  # Must match the existing ingress gateway selector
  servers:
    - hosts:
        - '*'
      port:
        name: http-httpbin      # HTTPS on port 443 for the demo application
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        mode: SIMPLE
    - hosts:
        - '*'
      port:
        name: keycloak          # HTTP on port 80 for the Keycloak console
        number: 80
        protocol: HTTP

    Create the virtual service

    Create a virtual service to route traffic to httpbin and Keycloak. For more information, see Manage virtual services.

    apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ingressgateway-vs
  namespace: istio-system
spec:
  gateways:
    - ingressgateway
  hosts:
    - '*'
  http:
    - match:
        - port: 80
      name: keycloak
      route:
        - destination:
            host: keycloak.default.svc.cluster.local
            port:
              number: 8080
    - name: httpbin
      route:
        - destination:
            host: httpbin.default.svc.cluster.local
            port:
              number: 8000

    Verify Keycloak access

    Open http://<ingress-gateway-address> in a browser. The Keycloak welcome page should appear.

    Keycloak welcome page

    Click Administration Console and log in with the admin credentials specified in the Keycloak deployment (admin / admin).

    Step 3: Configure Keycloak

    Set up a realm, client, user, role, and client scope in Keycloak. Each object serves a specific purpose in the OIDC authentication flow:

    ObjectPurpose
    RealmAn isolated namespace in Keycloak that holds users, roles, and clients.
    ClientRepresents oauth2-proxy, the application that requests authentication from Keycloak.
    UserA test account for verifying the SSO flow.
    Role and scopeControl which identity claims are included in the JWT token that Keycloak issues.

    Create a realm

    1. In the Keycloak admin console, click the Master dropdown in the upper-left corner.

    2. Click Create Realm.

    3. Set the realm name to Test-oidc and click Create.

    Create Realm

    Create a client

    1. In the left navigation pane, click Clients > Create client.

    2. Set the following fields:

      FieldValue
      Client TypeOpenID Connect
      Client IDoauth2proxy

    3. Click Next, then enable Client authentication.

    4. Click Save.

    Create clientClient settings

    Create a test user

    1. In the left navigation pane, click Users > Add user.

    2. Enter a username and click Save.

    Create user

    1. On the User details page, click the Credentials tab.

    2. Click Set password, enter a password, turn off Temporary, and click Save.

    Set password

    Create a realm role

    1. In the left navigation pane, click Realm roles > Create role.

    2. Enter a role name and click Save.

    Create role

    Assign the role to the user

    1. Navigate back to the user you created. On the User details page, click the Role mapping tab.

    2. Click Assign role, select the role you created, and click Assign.

    Assign role

    Create a client scope and mapper

    A client scope groups the claims included in the JWT token. The mapper defines how Keycloak populates those claims. For example, you can map the user's realm role to a custom claim in the token so that downstream services can make authorization decisions based on user roles.

    1. In the left navigation pane, click Client scopes > Create client scope.

    2. Enter a name and click Save.

    Create client scope

    1. On the client scope page, click the Mappers tab > Configure a new mapper.

    2. Select a mapper type (for example, User Realm Role), configure the token claim name, and click Save.

    Add mapper

    1. Click the Scope tab. Select the role you created earlier and click Assign.

    Assign scope
    You can preview the resulting JWT token to verify your mapper configuration. In the Keycloak admin console, navigate to Clients > oauth2proxy > Client scopes > Evaluate. Select a user and generate a token preview to confirm the expected claims are present.

    Add the client scope to the client

    1. Navigate to the oauth2proxy client. Click the Client scopes tab.

    2. Click Add client scope, select the scope you created, and add it as a Default scope.

    Add default scope

    Configure the redirect URI

    1. On the oauth2proxy client settings page, locate the Valid redirect URIs field.

    2. Add the redirect URI for oauth2-proxy:

    https://<your-ASM-gateway-address>/oauth2/callback

    1. Click Save.

    Redirect URI
    Only the Keycloak service uses HTTP in this guide. All other services use HTTPS. The redirect URI must use https://.

    Record the Keycloak configuration

    Save the following values for the next step:

    ParameterValueWhere to find it
    Realm IDTest-oidcThe realm name you created
    Client IDoauth2proxyThe client ID you created
    Client secret(auto-generated)Clients > oauth2proxy > Credentials tab

    Step 4: Enable ASM custom authorization with OIDC

    Connect ASM to Keycloak by configuring the OIDC provider settings and creating a virtual service for the oauth2-proxy callback path.

    Associate the OIDC authorization service

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. Click the name of your ASM instance. In the left-side navigation pane, choose Mesh Security Center > Custom Authorization Service.

    3. Click Associate Custom Authorization Service, select OIDC Identity Authentication And Authorization Service, and configure the following parameters:

    ParameterValueDescription
    IdP OIDC Issuer URLhttp://<ASM-gateway-address>/realms/Test-oidcThe OIDC discovery endpoint for your Keycloak realm. Replace <ASM-gateway-address> with the external IP of your ASM ingress gateway.
    ClientIDoauth2proxyThe client ID from Step 3.
    Client Secret(your client secret)The client secret from the Credentials tab in Step 3.
    ScopesopenidRequired. Add other scopes (such as email or profile) as needed.
    Cookie Secret(generated value)A random string used to encrypt the session cookie. See Generating a Cookie Secret.

    1. Click Create.

    Define Custom Authorization Service

    Create the oauth2-proxy virtual service

    Create a virtual service that routes /oauth2 requests to the oauth2-proxy service deployed by ASM:

    apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: oauth2-vs
  namespace: istio-system
spec:
  gateways:
    - ingressgateway
  hosts:
    - '*'
  http:
    - match:
        - uri:
            prefix: /oauth2
      name: oauth2
      route:
        - destination:
            host: asm-oauth2proxy-httpextauth-oidc.istio-system.svc.cluster.local
            port:
              number: 4180
    Replace the host value with the actual oauth2-proxy service name in the istio-system namespace of your ACK cluster.
    No other virtual service should match paths with the /oauth2 prefix. Conflicting route rules cause authentication callbacks to fail.

    Step 5: Create an authorization policy

    The authorization policy tells the ASM ingress gateway to enforce external authorization on all ports except port 80 (which serves the Keycloak HTTP console).

    1. In the ASM console, navigate to Mesh Security Center > AuthorizationPolicy for your ASM instance.

    2. Click Create With YAML.

    3. Select a Namespace and a Scenario Template, then apply the following YAML:

    apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oidc
  namespace: istio-system
spec:
  action: CUSTOM
  provider:
    name: httpextauth-oidc    # Must match the name of your custom authorization service
  rules:
    - to:
        - operation:
            notPorts:
              - '80'          # Exempt port 80 (Keycloak HTTP console) from authorization
  selector:
    matchLabels:
      istio: ingressgateway
    The provider.name must match the name of the custom authorization service you created in Step 4. Find the exact name in the Custom Authorization Service list in the ASM console.
    The notPorts: ['80'] rule keeps the Keycloak HTTP console on port 80 accessible without authentication. All other ports (including HTTPS on 443) require OIDC authentication.

    Verify the SSO integration

    Test SSO login

    1. Open https://<ASM-gateway-external-IP> in a browser. The oauth2-proxy sign-in page appears, confirming that SSO enforcement is active.

      SSO sign-in page

    2. Click Sign in with OpenID Connect. The browser redirects to the Keycloak login page.

    3. Enter the test username and password you created in Step 3 and click Log On. After successful authentication, the browser redirects to the httpbin application.

      httpbin application

    Inspect the JWT token

    To confirm that ASM correctly validates the OIDC token and forwards the authenticated identity to the application:

    1. In the httpbin UI, click Request inspection > /headers > try it out > Execute. The response headers include an Authorization header with a Bearer token.

      Request headers

    2. Copy the token value (everything after Bearer ) and paste it into a JWT debugger such as jwt.io. The decoded payload contains the user information from Keycloak, including the username, realm roles, and any custom claims configured through the mapper.

      Decoded JWT

    What's next