defenseunicorns · slaskawi · Mar 19, 2025 · Mar 20, 2025 · Mar 20, 2025
@@ -14,6 +14,8 @@ A Keycloak plugin provides additional custom logic to our Keycloak deployment. B
 | [JSON Log Event Listener](https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.2/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/eventListeners/JSONLogEventListenerProvider.java) | [EventListener](https://www.keycloak.org/docs-api/25.0.0/javadocs/org/keycloak/events/EventListenerProvider.html) | JSON Log Event listener converts Keycloak event logs into json strings for ease of use in Logging applications like Grafana. |
 | [User Group Path Mapper](https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.2/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/CustomGroupPathMapper.java) | [OpenID Mapper](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.html) | Some application break when using a forward slash in the group naming, this mapper removes the leading slash and creates a new `groups` claim called `bare-groups`. See Warnings below regarding the use of this plugin. |
 | [User AWS SAML Group Mapper](https://github.com/defenseunicorns/uds-identity-config/blob/v0.6.0/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/CustomAWSSAMLGroupMapper.java) | [SAML Mapper](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/protocol/saml/mappers/AbstractSAMLProtocolMapper.html) | Amazon AppStream applications expect a specific group claim format when using Keycloak to pass authentication. This mapper allows for customizing the new attribute `name` field that will show up in SAML Requests that will contain the necessary concatenated groups string: `/parent-group/child-group1:/parent-group/child-group2`. |
+| [ClientIdAndKubernetesSecretAuthenticator](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/authentication/authenticators/client/ClientIdAndKubernetesSecretAuthenticator.java) | [ClientAuthenticator](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/authentication/ClientAuthenticator.html) | This authenticator is used to authenticate a client using a Kubernetes secret. It is used in the `ClientIdAndKubernetesSecret` authentication flow. |
+| [UDSClientPolicyPermissionsExecutor](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/clientpolicy/executor/UDSClientPolicyPermissionsExecutor.java) | [ClientPolicyExecutorProvider](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/clientpolicy/executor/ClientPolicyExecutorProvider.html) | This executor is used to check if a client has the necessary permissions to access a resource. It is used in the `UDSClientPolicyPermissions` client policy. |
 
 ### Warnings
 
@@ -106,6 +108,7 @@ In addition, modify the realm for keycloak, otherwise the realm will require plu
   * `UDS Registration`
   * `UDS Reset Credentials`
   * `UDS registration form`
+  * `UDS Client Credentials`
 
 * Make changes to authenticationExecutions from the `browser` authenticationFlow:
   * Remove `auth-cookie`
@@ -121,6 +124,7 @@ In addition, modify the realm for keycloak, otherwise the realm will require plu
   * `"browserFlow": "browser"`
   * `"registrationFlow": "registration"`
   * `"resetCredentialsFlow": "reset credentials"`
+  * `"clientAuthenticationFlow": "clients"`
 
 ### Disabling
 

@@ -4,6 +4,66 @@ title: Upgrading Versions
 
 This doc contains important information for upgrading uds-identity-config versions. It is not meant to be an exhaustive list of changes between versions, rather information and steps required to manually upgrade versions without a full redeploy of keycloak.
 
+## v0.11.0+
+
+<details open>
+<summary>Upgrade Details</summary>
+
+In uds-identity-config versions 0.10.3+, the UDS Operator can automatically switch to Client Credentials Grant from using the Dynamic Client Registration. The new method works faster, is more reliable and doesn't require storing Registration Tokens in Pepr Store. It is highly recommended to switch to it, which requires the following steps:
+    - Create the `uds-operator` Client:
+        - Go to `Clients` > `Client registration` > `Create`
+            - Client type: `openid-connect`
+            - Client ID: `uds-operator`
+            - Client Name: `uds-operator`
+            - Click `Next`
+            - Client authentication: on
+            - Uncheck all Authentications flows except from `Service account roles`
+            - Click `Next`
+            - Click `Save`
+        - Go to `Clients` > `uds-operator` > `Credentials` tab
+            - Set `Client Authenticator` to `Client Id and Kubernetes Secret`
+            - Click `Save`
+    - Configure the UDS Client Policy
+        - Go to `Realm Settings` > `Client Policies` > `Profiles`
+            - Click `Create Client Profile`
+                - Name: `uds-client-profile`
+                - Description: `UDS Client Profile`
+                - Click `Save`
+            - Click `Add Executor`
+                - Select `uds-operator-permissions`
+                - Click `Add`
+        - Go to `Realm Settings` > `Client Policies` > `Policies`
+            - Click `Create client policy`
+                - Name: `uds-client-policy`
+                - Description: `UDS Client Policy`
+            - Click `Add condition`
+            - Select `any-client`
+            - Click `Add`
+            - Click `Add client profile`
+            - Select `uds-client-profile`
+            - Click `Add` (there is a glitch in the UI where it seems all the profiles are selected, but only the selected one is actually chosen)
+    - Configure the Client Credentials Authentication Flow
+        - Go to `Authentication` > `Flows`
+            - Click `clients`
+                - Click `Actions` > `Duplicate`
+                    - Name: `UDS Client Credentials`
+                    - Description `UDS Client Credentials`
+                    - Click `Duplicate`
+            - Go to `Authentication` > `UDS Client Credentials`
+                - Click `Add Step`
+                    - Select `Client Id and Kubernetes Secret`
+                    - Click `Add`
+                - Select `Requirement` and set it to `Alternative`
+            - Go to `Authentication`, select three dots on the right side of the panel for `UDS Client Credentials` and select `Bind flows`
+                - Select `Client authentication flow`
+                - Click `Save`
+    - Verify that everything is configured correctly
+        - Deploy a new package or update the existing one
+        - Check UDS Operator logs and verify if there are no errors
+            - Use `uds zarf tools kubectl logs deploy/pepr-uds-core-watcher -n pepr-system | grep "Client Credentials Keycloak Client is available"` command to verify if the UDS Operator uses the Client Credentials flow.
+
+</details>
+
 ## v0.10.0+
 
 <details open>