OIDC Authentication (Neuralbank Stack)

In this module you will explore how the pre-deployed Neuralbank stack implements a full interactive OIDC flow with Keycloak using the OIDCPolicy CR from Red Hat Connectivity Link.

This module covers the pre-deployed neuralbank-stack namespace — not the apps you scaffolded. The pre-deployed stack uses a real Keycloak OIDC client (neuralbank-frontend) with interactive browser login. Your scaffolded apps use API Key authentication instead (see Module 4).

Architecture

The Neuralbank stack in the neuralbank-stack namespace:

Component                  Description
neuralbank-backend         Quarkus REST API exposing /api/v1/customers
neuralbank-db              PostgreSQL database with seed data
neuralbank-frontend        Web interface with OIDC login via Keycloak
neuralbank-gateway-istio   Istio ingress gateway (auto-managed by Gateway API)

Access the Frontend (OIDC Flow)

The pre-deployed frontend has a full interactive OIDC login:

  1. Open the frontend: https://neuralbank.apps.cluster.example.com

  2. You will be redirected to the Keycloak login page.

  3. Enter your credentials:

     Field      Value
     Username   user1
     Password   Welcome123!

  4. After login, Keycloak redirects back to the frontend, and the JWT is stored in a cookie.

  5. The frontend displays the credit visualization dashboard with data from the backend.

OIDCPolicy Configuration

The pre-deployed stack uses a real OIDCPolicy CR (Kuadrant extension) — different from the AuthPolicy with JWT validation used in scaffolded apps:

apiVersion: extensions.kuadrant.io/v1alpha1
kind: OIDCPolicy
metadata:
  name: neuralbank-oidc
  namespace: neuralbank-stack
spec:
  auth:
    tokenSource:
      authorizationHeader:
        prefix: Bearer
      cookie:
        name: jwt
  provider:
    authorizationEndpoint: https://rhbk.apps.cluster.example.com/realms/neuralbank/protocol/openid-connect/auth
    clientID: neuralbank-frontend
    issuerURL: https://rhbk.apps.cluster.example.com/realms/neuralbank
    redirectURI: https://neuralbank.apps.cluster.example.com/auth/callback
    tokenEndpoint: https://rhbk.apps.cluster.example.com/realms/neuralbank/protocol/openid-connect/token
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: neuralbank-api-route

This is a full OIDC integration: authorization endpoint, token endpoint, callback URI, and cookie-based token storage.

Key Difference: OIDCPolicy vs AuthPolicy JWT

Aspect                 OIDCPolicy (pre-deployed stack)                               AuthPolicy with oidc.jwt (scaffolded apps)
Type                   Kuadrant Extension CR                                         Standard Kuadrant AuthPolicy
Flow                   Interactive: browser redirect to Keycloak → login → callback  Passive: validates pre-existing Bearer tokens only
Token acquisition      Keycloak handles login + token issuance                       External tool must obtain token first
Cookie support         Yes (cookie.name: jwt)                                        No
Frontend integration   Transparent: user sees login page                             Manual: developer must pass API Key or obtain JWT programmatically

sequenceDiagram
    participant User
    participant Frontend as neuralbank.apps.cluster.example.com
    participant Gateway as Istio Gateway
    participant OIDC as OIDCPolicy
    participant Keycloak
    participant Backend

    User->>Frontend: Open https://neuralbank.apps.cluster.example.com
    Frontend->>Gateway: Request /api/v1/customers
    Gateway->>OIDC: Check authentication
    OIDC-->>User: 302 Redirect to Keycloak
    User->>Keycloak: Login (username/password)
    Keycloak-->>User: 302 Redirect + JWT cookie
    User->>Frontend: Request with JWT cookie
    Frontend->>Gateway: Request with cookie
    Gateway->>OIDC: Validate JWT
    OIDC->>Backend: Forward authenticated request
    Backend-->>User: 200 JSON response
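To make the OIDCPolicy settings and the sequence above concrete, here is a small Python model of the gateway's decision, written as an added example for this module (it is not Kuadrant's or the Neuralbank stack's code). It takes the token from the Bearer header or the jwt cookie exactly as spec.auth.tokenSource describes, builds the 302 to the authorizationEndpoint when no token is present, and otherwise checks iss and exp. The 401 responses, the lowercase header keys and the unsigned demo token are assumptions of this model; the real policy also verifies the token signature against Keycloak's keys.

```python
import base64
import json
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Values taken from the OIDCPolicy CR shown above.
AUTHORIZATION_ENDPOINT = "https://rhbk.apps.cluster.example.com/realms/neuralbank/protocol/openid-connect/auth"
ISSUER_URL = "https://rhbk.apps.cluster.example.com/realms/neuralbank"
CLIENT_ID = "neuralbank-frontend"
REDIRECT_URI = "https://neuralbank.apps.cluster.example.com/auth/callback"
BEARER_PREFIX = "Bearer"  # spec.auth.tokenSource.authorizationHeader.prefix
COOKIE_NAME = "jwt"       # spec.auth.tokenSource.cookie.name

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Constructed, UNSIGNED token (alg=none) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def extract_token(headers: dict):
    """Mirror spec.auth.tokenSource: Bearer header first, then the jwt cookie (header keys lowercase)."""
    scheme, _, value = headers.get("authorization", "").partition(" ")
    if scheme == BEARER_PREFIX and value.strip():
        return value.strip()
    cookies = SimpleCookie(headers.get("cookie", ""))
    return cookies[COOKIE_NAME].value if COOKIE_NAME in cookies else None

def unverified_claims(token: str) -> dict:
    """Decode the payload only; the real policy also verifies the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def decide(headers: dict, now: int):
    """Return (status, location-or-reason): 302 to Keycloak, 401 (assumed), or 200 (forward)."""
    token = extract_token(headers)
    if token is None:
        query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                           "redirect_uri": REDIRECT_URI, "scope": "openid",
                           "state": secrets.token_urlsafe(16)})
        return 302, f"{AUTHORIZATION_ENDPOINT}?{query}"
    claims = unverified_claims(token)
    if claims.get("iss") != ISSUER_URL:
        return 401, "issuer mismatch"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    return 200, "forward to backend"
```

Calling decide({}, now) reproduces the 302 seen in the curl test further down, while a request carrying the cookie from the browser flow or the Bearer token from the ROPC grant passes through to the backend.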

Inspect the Resources

oc get gateway -n neuralbank-stack
oc get httproute -n neuralbank-stack
oc get oidcpolicy -n neuralbank-stack -o wide
oc get ratelimitpolicy -n neuralbank-stack -o wide

Test: Request Without Token (expect 302)

curl -s -o /dev/null -w "HTTP Status: %{http_code}\n" \
  https://neuralbank.apps.cluster.example.com/api/v1/customers
HTTP Status: 302

The OIDCPolicy redirects unauthenticated requests to Keycloak login.

Test: Obtain a Bearer Token Programmatically

For terminal testing, use the Resource Owner Password Credentials grant:

TOKEN=$(curl -s -X POST \
  "https://rhbk.apps.cluster.example.com/realms/neuralbank/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=neuralbank-frontend" \
  -d "username=user1" \
  -d "password=Welcome123!" \
  | python3 -c "import json,sys; print(json.load(sys.stdin)['access_token'])")

echo "Token obtained (first 50 chars): ${TOKEN:0:50}..."

Test: List All Customers (GET)

curl -s -H "Authorization: Bearer $TOKEN" \
  "https://neuralbank.apps.cluster.example.com/api/v1/customers" \
  | python3 -m json.tool | head -30

Test: Create a New Customer (POST)

curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "nombre": "Workshop",
    "apellido": "Demo",
    "email": "workshop.demo@neuralbank.io",
    "tipoCliente": "PERSONAL",
    "ciudad": "Buenos Aires",
    "pais": "Argentina"
  }' \
  "https://neuralbank.apps.cluster.example.com/api/v1/customers" \
  | python3 -m json.tool

Summary

The pre-deployed neuralbank-stack demonstrates a real interactive OIDC flow:

  • Users access the frontend at https://neuralbank.apps.cluster.example.com

  • The OIDCPolicy CR redirects to Keycloak for authentication

  • Credentials: user1 / Welcome123! (same as Developer Hub)

  • After login, the JWT is stored in a cookie for subsequent requests

This differs from the scaffolded apps (which use API Key authentication) because the pre-deployed stack includes a fully configured Keycloak OIDC client (neuralbank-frontend) in the neuralbank realm.