Keycloak support

Keycloak support

launchpad blueprint:

As part of an on going effort to make vitrage to be able to work also in a non OpenStack environment (in addition to the default OpenStack environment). We should be able to make vitrage work with a different authorization server instead of keystone. An optional authorization server can be Keycloak which is an open source Identity and Access Management solution aimed at modern applications and services

Problem description

Vitrage at the moment can only work in an OpenStack environment because it needs Keystone for authorization. We should support other authorization such as Keycloak.

Proposed change

New auth_mode in api section in Vitrage config file:

auth_mode = keycloak

New keycloak section with the auth_url in Vitrage config:

auth_url = http://[keycloak server]:[keycloak port]/auth

The Vitrage server will use a new middleware which will authenticate with the Keycloak server once an api request is received.

A new auth plugin will be added to the vitrage client which will get the token from the Keycloak server and sent it with the api request.



Data model impact


REST API impact

When using the client we should use the keycloak-plugin

Versioning impact


Other end user impact


Deployer impact

To use the Keycloak Authorization there is a need to define it in the Vitrage config file.

Developer impact


Horizon impact




Primary assignee:


Work Items

  • Create Keycloak plugin in client

  • Create Keycloak plugin in server




This blueprint requires unit tests.

Documentation Impact

The usage of the KeyCloak authorization will be documented

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.