Authentication and authorization

Talisman uses role-based access control (RBAC) to manage integration services securely through the Platform. Two primary roles are defined to cover the different user needs and access levels:

  • talisman-user: This role is designed for users who require view-only access. Users assigned to the talisman-user role can monitor the health, performance, and metrics of the integration services but cannot modify any configurations or deployment settings. This role is ideal for stakeholders who need to stay informed about the system's status without directly managing the services.

  • talisman-developer: Users with the talisman-developer role have full control over the system. This includes the ability to create, modify, and delete integration services, manage deployment settings, and configure integrations with external systems. The talisman-developer role is suited for developers and engineers responsible for the development and maintenance of the integration services.

Talisman uses Keycloak (OpenID Connect) for authentication and authorization.

Keycloak configuration

  1. Create or select a Realm for Talisman users
  2. Create two clients

    FRONTEND
      Client Id: TALISMAN-FRONTEND
      Client authentication: Off
      Authentication flow: Standard flow, Direct access grants, Implicit flow
      Root URL: https://host
      Home URL: https://host
      Valid redirect URIs: https://host/*
      Valid post logout redirect URIs: +
      Web origins: *
      Front channel logout: On
      Backchannel logout session required: On

    BACKEND
      Client Id: TALISMAN-BACKEND
      Client authentication: On
      Authentication flow: Standard flow, Direct access grants, Implicit flow
      Root URL: https://host
      Home URL: https://host
      Valid redirect URIs: https://host/*
      Valid post logout redirect URIs: +
      Web origins: *
      Front channel logout: On
      Backchannel logout session required: On

    For the BACKEND client, generate a Client Secret on the Credentials tab.

  3. Create two roles: talisman-user and talisman-developer

Talisman configuration

The following Secret should be added:

apiVersion: "v1"
kind: "Secret"
metadata:
  name: "talisman"
stringData:
  karavan.keycloak.url: "https://keycloack"
  karavan.keycloak.realm: "REALM_NAME"
  karavan.keycloak.frontend.clientId: "TALISMAN-FRONTEND"
  karavan.keycloak.backend.clientId: "TALISMAN-BACKEND"
  karavan.keycloak.backend.secret: "CLIENT_SECRET_GENERATED"

The Secret keys should be mapped to environment variables in the Talisman Deployment:

apiVersion: "apps/v1"
kind: "Deployment"
metadata:
  name: "talisman"
spec:
  template:
    spec:
      containers:
      - env:
        - name: karavan.keycloak.url
          valueFrom:
            secretKeyRef:
              name: talisman
              key: karavan.keycloak.url
        - name: karavan.keycloak.realm
          valueFrom:
            secretKeyRef:
              name: talisman
              key: karavan.keycloak.realm
        - name: karavan.keycloak.frontend.clientId
          valueFrom:
            secretKeyRef:
              name: talisman
              key: karavan.keycloak.frontend.clientId
        - name: karavan.keycloak.backend.clientId
          valueFrom:
            secretKeyRef:
              name: talisman
              key: karavan.keycloak.backend.clientId
        - name: karavan.keycloak.backend.secret
          valueFrom:
            secretKeyRef:
              name: talisman
              key: karavan.keycloak.backend.secret

The following environment variables should be configured:

KARAVAN_KEYCLOAK_URL=https://keycloack
KARAVAN_KEYCLOAK_REALM=REALM_NAME
KARAVAN_KEYCLOAK_FRONTEND_CLIENTID=TALISMAN-FRONTEND
KARAVAN_KEYCLOAK_BACKEND_CLIENTID=TALISMAN-BACKEND
KARAVAN_KEYCLOAK_BACKEND_SECRET=CLIENT_SECRET_GENERATED

or set them in docker run:

-e KARAVAN_KEYCLOAK_URL=https://keycloack \
-e KARAVAN_KEYCLOAK_REALM=REALM_NAME \
-e KARAVAN_KEYCLOAK_FRONTEND_CLIENTID=TALISMAN-FRONTEND \
-e KARAVAN_KEYCLOAK_BACKEND_CLIENTID=TALISMAN-BACKEND \
-e KARAVAN_KEYCLOAK_BACKEND_SECRET=CLIENT_SECRET_GENERATED
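
As an added example (not part of Talisman or this page), a small Python check that the Secret keys, the Deployment's secretKeyRef entries and the upper-case environment-variable names agree before anything is applied to the cluster. The sample YAML is constructed from the page and deliberately includes a misspelled key, karavan.keycloak.ur, so the check has something to report; the env-name rule assumes Talisman reads configuration the MicroProfile Config way (non-alphanumerics become "_", then upper-case), which the two spellings on this page suggest.

```python
import re

# Constructed sample Secret: one key is misspelled ("ur" instead of "url")
# so that check() below has a mismatch to report.
SECRET_YAML = """\
stringData:
  karavan.keycloak.ur: "https://keycloack"
  karavan.keycloak.backend.secret: "CLIENT_SECRET_GENERATED"
"""

# Constructed sample of the Deployment's env block (two entries shown).
DEPLOYMENT_YAML = """\
          - name: karavan.keycloak.url
            valueFrom:
              secretKeyRef:
                name: talisman
                key: karavan.keycloak.url
          - name: karavan.keycloak.backend.secret
            valueFrom:
              secretKeyRef:
                name: talisman
                key: karavan.keycloak.backend.secret
"""

def secret_keys(yaml_text):
    """Keys listed under stringData (two-space indented 'key: value' lines)."""
    return set(re.findall(r"^  ([\w.]+):", yaml_text, re.M))

def secret_refs(yaml_text):
    """Secret keys the Deployment pulls in through secretKeyRef."""
    return set(re.findall(r"^\s*key:\s*([\w.]+)\s*$", yaml_text, re.M))

def env_name(prop):
    """Assumed MicroProfile Config mapping: non-alphanumerics -> '_', then upper-case,
    e.g. karavan.keycloak.backend.clientId -> KARAVAN_KEYCLOAK_BACKEND_CLIENTID."""
    return re.sub(r"[^A-Za-z0-9]", "_", prop).upper()

def check(secret_yaml, deployment_yaml):
    """Return (dangling_refs, unused_keys): refs with no Secret key, keys no env uses."""
    keys, refs = secret_keys(secret_yaml), secret_refs(deployment_yaml)
    return sorted(refs - keys), sorted(keys - refs)

if __name__ == "__main__":
    dangling, unused = check(SECRET_YAML, DEPLOYMENT_YAML)
    print("secretKeyRef without Secret key:", dangling)  # ['karavan.keycloak.url']
    print("Secret keys never mounted:", unused)          # ['karavan.keycloak.ur']
    print("env names:", [env_name(k) for k in sorted(secret_refs(DEPLOYMENT_YAML))])
```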