Cloud-native IdP Integration

Maintainer ask: “investigate cloud native identity providers like Keycloak, SPIFFE/SPIRE…” This page explains how they map to AgentCube boundaries and checkpoints.

SPIFFE/SPIRE

Use case: Service-to-service identity for Router ↔ Workload Manager (Checkpoint 3).

  1. SPIRE issues X.509 SVIDs to workloads based on k8s selectors.
  2. Router fetches SVID via Workload API.
  3. Router calls Workload Manager over mTLS presenting SVID.
  4. Workload Manager verifies the chain against the SPIRE trust bundle, reads the peer SPIFFE ID from the certificate's URI SAN and authorizes it against an allowlist (trust domain first, then the exact ID).

Example Router SPIFFE ID (trust domain, then the Kubernetes namespace and service account in the path):
  spiffe://agentcube.volcano.sh/ns/agentcube-system/sa/router-sa
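
The Workload Manager side of steps 3 and 4, as an added example written for this page rather than code from AgentCube or the SPIFFE project. It uses only the Go standard library, so the SPIFFE ID is read from the peer certificate's URI SAN directly instead of via go-spiffe. The trust domain is the one in the sample ID above; the AllowedCallers policy, the function names and the self-signed NewTestSVID fixture are assumptions for illustration, the fixture standing in for an SVID that SPIRE would issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// TrustDomain comes from the sample SPIFFE ID above; AllowedCallers is a hypothetical policy.
const TrustDomain = "agentcube.volcano.sh"

var AllowedCallers = map[string]bool{
	"spiffe://agentcube.volcano.sh/ns/agentcube-system/sa/router-sa": true,
}

// SPIFFEIDFromCert returns the SPIFFE ID of an X.509-SVID: exactly one URI SAN of the
// form spiffe://<trust-domain>/<path>, and the trust domain must be ours.
func SPIFFEIDFromCert(cert *x509.Certificate) (string, error) {
	if len(cert.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, found %d", len(cert.URIs))
	}
	id := cert.URIs[0]
	switch {
	case id.Scheme != "spiffe":
		return "", fmt.Errorf("URI SAN %q is not a SPIFFE ID", id)
	case id.Host != TrustDomain:
		return "", fmt.Errorf("trust domain %q is not %q", id.Host, TrustDomain)
	case id.User != nil || id.RawQuery != "" || id.Fragment != "" || id.Path == "":
		return "", fmt.Errorf("SPIFFE ID %q has no path or carries userinfo, query or fragment", id)
	}
	return id.String(), nil
}

// AuthorizePeer is step 4 on the Workload Manager. Go has already chained the client
// certificate to the SPIRE bundle; this admits only allowlisted SPIFFE IDs.
func AuthorizePeer(verifiedChains [][]*x509.Certificate) (string, error) {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return "", fmt.Errorf("no verified client certificate: mTLS is mandatory")
	}
	id, err := SPIFFEIDFromCert(verifiedChains[0][0])
	if err != nil {
		return "", err
	}
	if !AllowedCallers[id] {
		return "", fmt.Errorf("%s may not call the Workload Manager", id)
	}
	return id, nil
}

// ServerTLSConfig wires the check into the handshake. bundle holds the trust domain's CA
// certificates, which in production are kept fresh from the SPIRE Workload API.
func ServerTLSConfig(bundle *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  bundle,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			_, err := AuthorizePeer(chains)
			return err
		},
	}
}

// NewTestSVID mints a self-signed certificate with spiffeID as its URI SAN: a constructed
// stand-in for an SVID issued by SPIRE, for tests only.
func NewTestSVID(spiffeID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "svid"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Hook ServerTLSConfig into the Workload Manager's HTTPS listener: the VerifyPeerCertificate callback runs only after Go has validated the chain against ClientCAs, so AuthorizePeer sees nothing the SPIRE bundle does not vouch for; on an existing connection the same chains are available from tls.ConnectionState().VerifiedChains. Source the bundle and the server's own SVID from the Workload API (go-spiffe does this for you) rather than from static files, or rotation will break the mesh.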

Keycloak (OIDC)

Use case: User auth for Caller → Router (Checkpoint 1 & 2).

  1. User authenticates to Keycloak (SSO/MFA supported).
  2. Keycloak issues JWT access token (OIDC).
  3. Caller sends token to Router.
  4. Router validates the JWT signature against the realm's JWKS (key selected by kid, only the expected alg accepted), then checks issuer, audience and expiry before authorizing on groups and roles.

Example access-token claims (Keycloak emits realm_access.roles by default; a groups claim needs a group-membership protocol mapper on the client):
  {
    "sub": "alice",
    "email": "alice@example.com",
    "groups": ["developers", "production-users"],
    "realm_access": { "roles": ["agent-creator"] }
  }
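
Step 4 on the Router, as an added example written for this page (not AgentCube's or Keycloak's code), in Go with the standard library only: it parses a JWKS document into RSA keys, verifies an RS256 token by kid, and pins issuer, audience and expiry. The issuer URL, client ID and kid are assumptions, and TestKey, TestJWKS and SignTestToken are constructed stand-ins for a real realm so the code runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims the Router checks plus the sample token's authorization claims; aud stays raw because OIDC permits a string or an array.
type Claims struct {
	Iss, Sub    string
	Aud         json.RawMessage
	Exp         int64
	Groups      []string
	RealmAccess struct{ Roles []string } `json:"realm_access"`
}

// ParseJWKS indexes a JWKS document's RSA keys by kid (Keycloak serves it at <issuer>/protocol/openid-connect/certs).
func ParseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	err := json.Unmarshal(doc, &set) // on a malformed document set is empty and err is returned below
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil { // anything else can never verify RS256
			keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return keys, err
}

// Verify is step 4: signature with the key named by kid, then iss, aud and exp.
func Verify(token, issuer, audience string, keys map[string]*rsa.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, fmt.Errorf("malformed JWT segments")
	}
	// The verifier fixes the algorithm: honouring the token's alg admits alg=none and HS256 key confusion.
	key, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("unacceptable alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || !audienceContains(c.Aud, audience) || c.Exp == 0 || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%s exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

func audienceContains(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	return json.Unmarshal(raw, &many) == nil && slices.Contains(many, want)
}

var TestKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed fixture standing in for a realm key

func TestJWKS(pub *rsa.PublicKey, kid string) []byte {
	return fmt.Appendf(nil, `{"keys":[{"kid":%q,"kty":"RSA","alg":"RS256","use":"sig","n":%q,"e":%q}]}`,
		kid, b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()))
}

func SignTestToken(key *rsa.PrivateKey, alg, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}
```

Fetch the JWKS from the jwks_uri advertised in <issuer>/.well-known/openid-configuration, cache it, and re-fetch once when a token names an unknown kid so key rotation does not lock users out; a kid that is still unknown after the refresh is a rejection, not a retry. SignTestToken takes alg and kid from the caller on purpose, so a test can forge an alg=none or unknown-kid header and confirm Verify rejects it.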

Checkpoint 4 note: if clients can reach Workload Manager directly (bypassing Router), Workload Manager must enforce the same AuthN/AuthZ and namespace policies as Router; otherwise every check Router performs is a bypassable front door.