Have Integrated a Java struts based server side application with a keycloak OIDC and Oauth provider.
Java servlet adapter mentioned in the https://access.redhat.com/documentation/en-us/red_hat_single_sign-on_continuous_delivery/3/html-single/securing_applications_and_services_guide/index#servlet_filter_adapter is used for the same implemetation.
The redirect_uri configured on the server is something like https://env.application.com/contextpath/
When the we application session timeouts and the user clicks on any link in the application the redirect_uri that goes as part of authorization code grant flow adds the URI of the link in addition to the redirect_uri configured in keycloak server. This will something like for example https://env.application.com/contextpath**/submenu?name=menu**
This will result in an invalid redirect_uri error from the keycloak server.
The keycloak server doesn't allow to configure a placeholder * to be configured for security reasons.
Could someone please let me know how to handle we application session timeouts with integrated with keycloak OIDC and OAUTH provider.
Is there any other best practise availble to handle session timeouts in webapplications integrated with keyclaok OIDC.
Related
We have a microservice based environment running our own authentication server that will produce JWT tokens using the /oauth/token endpoint but this server does not provide a web login page.
For our front end application we have tried the oauth2Login setups but they all want to try and redirect the browser to the authentication server, authenticate and then redirect back to the application. Likewise oauth2Client setups add an AuthenticationProvider but that will only authenticate a OAuth2AuthorizationCodeAuthenticationToken but the user login request will generate a UsernamePasswordAuthenticationToken so oauth2Client provider never gets evaluated.
We were looking for something similar to the ldap authentication providers in that the username and password is collected locally and sent to the authorisation server. While we can write our own custom AuthencationProvider which accepts the UsernamePasswordAuthenticationToken, communicates with the oauth server and return the generated JWT. We were hoping there was something pre-existing that was part of the current spring-boot framework. If our understanding is correct then the oauth2Client setup is what we are after but can't work out how to enable the initial authentication.
We are using spring boot 2.2.5.
How to implement logout of client side services after idle timeout?
Services are secured by Keycloak + Application gateway.
The Gateway is node.js app which protects services' urls using Keycloak node.js adapter, so that authentication will be required on browser access to the urls. (redirect to login url)
Services enforce authorization locally by inspecting roles present in the access token gateway receives and attaches to the request after successful authentication.
Keycloak is behind gateway too.
I thought about adding custom event listener in Keycloak code which would notify all the services interested in session timeout event via some message bus.
Thanks in advance.
Keycloak informs all clients participating in a session that gets terminated (by timeout or explicit logout request). The only prerequisite is that the "Admin URL" is set for the client (see Keycloak admin console - client settings).
Since you're using the Keycloak node.js adapter it should be able to handle the logout request from Keycloak.
See Keycloak Server Administration Guide (look for "Admin URL").
As a RP, want to request the Websphere liberty OIDC provider to redirect to a url post logout. How to achieve that?
What parameters in the logout request needs to be passed?
Liberty supports openid connect session management, https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_oidc_session_mgmt_endpoint.html
We are about to integrate our JAVA application with SSO Federation. We will get a metadata in SAML2 Assertion format and all the session tracking is taken care by SSO federation.
I am not clear how the session tracking happens with each request in our JAVA application. Our main page URL is configured in the SSO federation and after user clicks the link control comes to our application. So if I navigate to other URL apart from the one configured, how the federation track the session? Do we need to pass any metadata for each and every request?
We have been asked to share the home page URL and certificate information and SSO federation will configure those in their portal.
A Java application server normally trackes a user session using a 'JSESSIONID' cookie. Once the SAML assertion generated by an IDP(say ADFS) has been validated by the SP(the java application here) a security context /session is created which is identified by a JSESSIONID. The browser sends JSESSIONID cookie with seubsquest requests and the application verifies it and servers the requetsed resource/URL.
I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?