Quarkus Keycloak authenticating users with x509 certificates - keycloak

I have been trying to figure out how to get client authentication working using x509 certificates in the Quarkus version of Keycloak. @dasniko has a helpful video of doing it with the legacy version of Keycloak. I tried to follow what he and the Keycloak server admin guide suggest.
The expected behavior, based on @dasniko's video, is that a certificate selection window should open up upon visiting the login URL. However, only the login screen is displayed.
I have created a simple example to demonstrate what I'm attempting. There is a script to generate the certificates and import them into a JKS. The script then copies the JKS files to a directory. The compose.yml file mounts the cert directory when starting Keycloak up and points Keycloak to them as a keystore and truststore. There is also a realm export to configure things.
Has anyone been able to figure this out? I haven't seen anything helpful on Keycloak's GitHub discussions or Discourse.
My YAML file looks like the following:
services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command: [ "start-dev" ]
    environment:
      JAVA_OPTS_APPEND: "-Dcom.redhat.fips=false"
      KC_HOSTNAME_STRICT: "false"
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_LOG_LEVEL: info,org.infinispan:error,org.hibernate:warn
      KC_HTTPS_KEY_STORE_FILE: /genCerts/server-keystore.jks
      KC_HTTPS_KEY_STORE_PASSWORD: changeit
      # The truststore must contain the CA that issued the client certificates:
      # its subject names are what the server advertises in the TLS CertificateRequest,
      # and the browser only offers certificates issued by one of those CAs.
      KC_HTTPS_TRUST_STORE_FILE: /genCerts/truststore.jks
      KC_HTTPS_TRUST_STORE_PASSWORD: changeit
      # Keycloak reads this option as KC_HTTPS_CLIENT_AUTH (a bare HTTPS_CLIENT_AUTH
      # is ignored, so no certificate is ever requested) and accepts none, request
      # or required. "required" rejects any browser without a certificate at the
      # TLS handshake, admin console included; "request" lets them through to the
      # password form, which is usually what you want with the X509 authenticator.
      KC_HTTPS_CLIENT_AUTH: required
    ports:
      - 8080:8080
      - 8443:8443
    volumes:
      - ./genCerts:/genCerts

Related

Using Keycloak with Postgres socket

I am trying to containerize my keycloak application and I am trying to make it so that the keycloak instance connects to the postgres socket instead of its hostname. But the keycloak instance crashes almost instantly.
Is it not possible to make keycloak connect to postgres socket? or am I using the wrong connection params?
POSTGRES_ENV:
POSTGRES_DB=keycloak
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
KEYCLOAK_ENV:
DB_VENDOR=POSTGRES
DB_ADDR=/var/run/postgresql/.s.PGSQL.5432
DB_DATABASE=keycloak
DB_USER=postgres
DB_SCHEMA=public
DB_PASSWORD=postgres # change this in prod
I have tried changing my docker mount from bind into volumes. Tried changing the file permissions, and even tried different keycloak versions. It is always the same class of error.

Keycloak18 index page "Resource not found"

I would really appreciate some help with the current issue I am experiencing.
Context:
I have been upgrading my instance of keycloak from 16.x to 18.x.
After many hours of research, I have been defeated by this one issue.
Issue:
When I go to the site URL for this example https://thing.com/ I am greeted with the following "Resource not found", instead of the keycloak welcome page.
In my chrome network monitoring it will show the following:
Error with network monitor
Infra:
Keycloak lives on its machine. The URL reaches keycloak through a Caddy Service as a reverse proxy.
Relevant scripts:
Docker-compose
version: "3.1"
services:
  keycloak:
    image: quay.io/keycloak/keycloak:18.0.2
    environment:
      JAVA_OPTS: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0 -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=\"org.jboss.byteman\" -Djava.awt.headless=true"
      KC_HOSTNAME_PORT: 8080
      KC_HOSTNAME: ${KC_HOME}
      KC_PROXY: edge
      KC_DB_URL: 'jdbc:postgresql://${KEYCLOAK_DB_ADDR}/${KEYCLOAK_DB_DATABASE}?sslmode=require'
      KC_DB: postgres
      KC_DB_USERNAME: ${KEYCLOAK_DB_USER}
      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
      KC_HTTP_RELATIVE_PATH: /auth
      KC_HOSTNAME_STRICT_HTTPS: 'false'
    command: start --auto-build
    ports:
      - 8080:8080
      - 8443:8443
    volumes:
      - backup:/var/backup
    healthcheck:
      # With KC_HTTP_RELATIVE_PATH set, "/" is not served (404); probe the prefixed path.
      test: curl -I http://127.0.0.1:8080/auth/
volumes:
  backup:
NOTE: If I remove this KC_HTTP_RELATIVE_PATH: /auth it will behave as intended. However, I would prefer I do not remove this aspect of the service as it is tied to that relative path for a lot of the services using keycloak.
I can replicate this with a local docker image built using the same environment variables.
Does anyone perhaps know some secret ninja moves I could do to get it to direct to the welcome page?
Automatic redirect from / to KC_HTTP_RELATIVE_PATH is not supported in Keycloak 18 (see https://github.com/keycloak/keycloak/discussions/10274).
You have to add the redirect in the reverse proxy, in Caddy there is redir.
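The proxy-side redirect that answer refers to, written out as an added example (it is not from the page, from Keycloak or from Caddy's docs). It assumes Caddy v2, the hostname thing.com from the question, and that Caddy reaches Keycloak as keycloak:8080 on a shared Docker network:

```caddyfile
thing.com {
    # Keycloak 18 no longer redirects / to KC_HTTP_RELATIVE_PATH, so the proxy does it.
    # The "/" matcher covers only the bare root; requests under /auth/ are proxied as-is.
    redir / /auth/ permanent

    # KC_PROXY=edge makes Keycloak trust the X-Forwarded-For / X-Forwarded-Proto
    # headers that reverse_proxy adds, so generated URLs use https and the public host.
    reverse_proxy keycloak:8080
}
```

Keep KC_HOSTNAME and KC_HTTP_RELATIVE_PATH in the compose file unchanged; the redirect only papers over the missing welcome-page hop, every real endpoint still lives under /auth/.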

JDBC SSL connection PostgreSQL on AWS

I have an application deployed on AWS EKS that uses an RDS PostgreSQL database. I have downloaded the intermediate and root certificates, and added them to a trust store, as described in this post: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
However I cannot connect via SSL with sslmode=verify-full and I think it's because I do not have a copy of the certificate generated when RDS creates the DB instance and installs the certificate on the instance, as described here: https://aws.amazon.com/premiumsupport/knowledge-center/rds-connect-ssl-connection/
The certificate generated when the database is provisioned has the hostname of the server as the Common Name, and I think this is used to verify the host when a client connects.
Does anyone know where I can download this certificate or, if I have misunderstood how to do this, tell me what it is I am doing wrong?
Thanks
You need to do multiple things:
1. Download the CA certs from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem.
2. Import this cert into the ca-certs of the JDK/JRE in your docker image by using this command: keytool -importcert -alias aws-certs -trustcacerts -file /path/to/global-bundle.pem -storepass changeit -cacerts -noprompt
Note: You might have to run this command as root/sudo depending on the permissions on the cacerts file in the JDK_HOME/lib/security folder.
3. Make changes to your postgres jdbc url as described here; basically adding sslmode=verify-full
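An added example of the same outcome without touching the JDK's cacerts (not from the page, AWS or Keycloak): the PostgreSQL JDBC driver accepts the bundle directly through sslrootcert, and it loads every certificate in the file, whereas keytool -importcert takes only the first certificate of a concatenated PEM, so the cacerts route needs the bundle split per CA. The per-instance certificate the question is looking for never has to be downloaded: the server presents it during the TLS handshake, and verify-full checks its chain against the bundle and its Common Name / SAN against the hostname in the URL. The RDS endpoint, database name and mount path below are assumptions:

```yaml
services:
  keycloak:
    image: quay.io/keycloak/keycloak:18.0.2
    command: start
    environment:
      KC_DB: postgres
      # verify-full: chain check against the mounted RDS bundle plus hostname check
      # against the endpoint in this URL. sslmode=require (used in the compose file
      # further up this page) encrypts but validates nothing, so any certificate,
      # including one from a machine in the middle, would be accepted.
      KC_DB_URL: "jdbc:postgresql://mydb.abc123def.eu-west-1.rds.amazonaws.com:5432/keycloak?sslmode=verify-full&sslrootcert=/certs/global-bundle.pem"
      KC_DB_USERNAME: ${KEYCLOAK_DB_USER}
      KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
    volumes:
      # global-bundle.pem as downloaded from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
      - ./certs/global-bundle.pem:/certs/global-bundle.pem:ro
```

The same URL parameters work for any application using the pgjdbc driver; only the KC_DB_URL wrapping is Keycloak-specific.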

Keycloak realm login page is not appearing

I'm trying keycloak and it's not easy :)
I have a problem with the realm login page; login to the admin panel works perfectly.
I'm running keycloak with docker-compose.yml
version: '3.3'
services:
  postgres:
    image: postgres:12.2
    container_name: postgres
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
  keycloak:
    image: jboss/keycloak:10.0.1
    container_name: keycloak
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: password
      PROXY_ADDRESS_FORWARDING: "true"
    ports:
      - 8080:8080
    depends_on:
      - postgres
  mailhog:
    image: mailhog/mailhog:latest
    container_name: mailhog
    ports:
      - "8025:8025"
I start it with the command docker-compose up --build and everything starts.
I log in as admin and after that I create a realm named myapp. After that I just want to see the realm login page, so I open the link: http://localhost:8080/auth/realms/myapp/protocol/openid-connect/auth
and what I see is We are sorry...
I was looking for some answers on Google but I didn't find any.
Do I need some additional profile config to make it work?
I also watched this but it didn't help: https://www.youtube.com/watch?v=duawSV69LDI - there it seems to work just like that.
Does anybody have an idea what I can do?
Best regards!
The error message suggests that the URL to the admin console, to which you are trying to connect directly, is wrong. You can obtain the correct URL to the realm's console by:
Log in to the master realm
Switch to your realm "myapp"
Navigate to (Configure) Clients. You should see a client ID named "security-admin-console". (It should be created by default when you created the realm.)
Use its URL.
I found out answer to my question here:
https://robferguson.org/blog/2019/12/24/getting-started-with-keycloak/
and it's this link I was looking for:
http://localhost:10001/auth/realms/development/protocol/openid-connect/auth?response_type=code&client_id=YOUR_CLIENT_NAME&redirect_uri=http://localhost:8080/authorization-code/callback
I can log in and I get a code from the Keycloak server.
Using the dockerized version of Keycloak, the user login URL for the newly-created realm and user was:
http://localhost:[port]/realms/[realm-name]/account
Which in my case was
http://localhost:8080/realms/myrealm/account
Brief steps:
1. Select which SSO protocol you want to use, SAML vs OIDC.
2. Create a SAML/OIDC client in Keycloak with a configuration that fits your SSO app's needs.
3. Configure the client from 2.) in your SSO app.
4. Login through your SSO app - your app generates the correct parameters (response_type, client_id, state, ...) - it isn't a simple URL without URL parameters (actually, it can be - for example SAML IdP-initiated login, but it must be properly configured on the client level).
You can find detailed instructions here on how to integrate Keycloak with external OIDC Providers: https://ultimatesecurity.pro/tags/oidc/
This link will explain how to integrate Keycloak with external SAML Providers: https://ultimatesecurity.pro/tags/saml/
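The parameter generation the last answer calls "not simple", as an added example (not code from the page, from Keycloak, or from any of the linked guides): it builds the authorization-code request against the realm's openid-connect/auth endpoint with a random state and a PKCE challenge, then validates the redirect back and assembles the token request. The realm myapp and the legacy /auth prefix follow the question; the client id my-app and the redirect URI are assumptions.

```python
"""Authorization-code request for a Keycloak realm, with state and PKCE.

Added example; not Keycloak's own code. Values below marked "assumed" are
illustrative and must match the client registered in the realm.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK_BASE = "http://localhost:8080/auth"   # jboss/keycloak layout; Quarkus builds drop "/auth"
REALM = "myapp"                                 # realm created in the question
CLIENT_ID = "my-app"                            # assumed client id
REDIRECT_URI = "http://localhost:3000/callback" # assumed; must be in the client's Valid Redirect URIs


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge from RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(base=KEYCLOAK_BASE, realm=REALM, client_id=CLIENT_ID,
                                redirect_uri=REDIRECT_URI, scope="openid"):
    """Return (url, state, code_verifier).

    state and code_verifier are per-login secrets: keep them in the user's
    server-side session until the callback arrives, never in the URL itself.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)   # 86 url-safe chars, inside RFC 7636's 43..128
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    url = f"{base}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"
    return url, state, verifier


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect from Keycloak and return the authorization code.

    A missing or mismatched state means the response does not belong to a
    login this app started (login CSRF), so it is rejected before the code is
    ever redeemed. Error responses are surfaced instead of silently ignored.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if not expected_state or state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: not a login this application started")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def token_request_body(code: str, verifier: str, client_id=CLIENT_ID,
                       redirect_uri=REDIRECT_URI) -> dict:
    """Form fields for POST .../realms/<realm>/protocol/openid-connect/token.

    code_verifier proves to Keycloak that the party redeeming the code is the
    one that sent the challenge, so a stolen code alone is useless.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    url, state, verifier = build_authorization_request()
    print("open in a browser:", url)
    # Constructed callback standing in for what the browser brings back from Keycloak.
    callback = f"{REDIRECT_URI}?state={state}&session_state=constructed&code=CONSTRUCTED_CODE"
    print("token request:", token_request_body(parse_callback(callback, state), verifier))
```

A confidential client adds client_secret (or client authentication via Basic auth) to the token request; a public client relies on PKCE alone, which is why the verifier is not optional here.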

traefik and basic auth

I use traefik 1.7.14 and I want to use basic auth for my grafana docker-compose service.
I followed e.g. https://medium.com/@xavier.priour/secure-traefik-dashboard-with-https-and-password-in-docker-5b657e2aa15f
but I also looked at other sources.
In my docker-compose.yml I have for grafana:
grafana:
  image: grafana/grafana
  labels:
    - "traefik.enable=true"
    - "traefik.backend=grafana"
    - "traefik.port=3000"
    - "traefik.frontend.rule=Host:grafana.my-domain.io"
    - "traefik.frontend.entryPoints=http,https"
    - "traefik.frontend.auth.basic.users=${ADMIN_CREDS}"
ADMIN_CREDS is in my .env file. I created the content with htpasswd -nbm my_user my_password. I also tried htpasswd -nbB my_user my_password for bcrypt instead of md5 encryption.
In .env
ADMIN_CREDS=test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0
You see: I did not escape $ signs in the .env file.
When I inspect my container at runtime I see exactly the same encrypted password as in my .env file!
docker inspect 47aa3dbc3623 | grep test
gives me:
"traefik.frontend.auth.basic.users": "test:$apr1$f0uSe/rs$KGSQaPMD.352XdXIzsfyY0",
I also tried to put the user/password string directly into the docker-compose.yml. this time by escaping the $ sign.
The inspect command was successful too.
BUT: When I call my grafana URL I get a basic auth dialog box, and when I type in my user/password combination I always get a
{"message":"Invalid username or password"}
What could be still wrong here? I have currently no idea.
This message actually means that you passed the basic auth of traefik, because the basic auth window would pop up again if you entered invalid credentials.
Grafana on its own uses basic auth and this one is failing.
DO NOT DO IT IN PRODUCTION: To prove it you could configure grafana to ask for the same user and password. Then it will accept the forwarded basic auth of traefik and would allow access.
However, you should either set up basic auth using traefik OR using the grafana basic auth.
You also might want to check the information on running grafana behind a reverse proxy: https://grafana.com/tutorials/run-grafana-behind-a-proxy/#1
and especially https://grafana.com/docs/grafana/latest/auth/auth-proxy/
Another option besides forwarding the auth headers would be to disable forwarding it:
labels:
  ...
  # Traefik 2 middleware label syntax
  - "traefik.http.middlewares.authGrafana.basicauth.removeheader=true"
Now you should see the grafana login page.
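The header-stripping fix in the label syntax the question actually runs (Traefik 1.7), beside the v2 form, as an added example (not from the page or from Traefik's docs). Host and the htpasswd line come from the question; the websecure entrypoint and service names are assumptions:

```yaml
services:
  # Traefik 1.7: check the credentials, then drop the Authorization header before
  # the request reaches Grafana, so Grafana never tries to validate them itself.
  grafana:
    image: grafana/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.backend=grafana"
      - "traefik.port=3000"
      - "traefik.frontend.rule=Host:grafana.my-domain.io"
      - "traefik.frontend.entryPoints=http,https"
      # Hash read from .env: values there are taken literally, no $ doubling needed.
      - "traefik.frontend.auth.basic.users=${ADMIN_CREDS}"
      - "traefik.frontend.auth.basic.removeHeader=true"

  # Traefik 2.x equivalent. The hash is written inline here, so every $ is doubled;
  # a single $apr1 would be expanded by Compose as a variable and silently emptied.
  grafana-v2:
    image: grafana/grafana
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.io`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.middlewares=grafana-auth"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
      - "traefik.http.middlewares.grafana-auth.basicauth.users=test:$$apr1$$f0uSe/rs$$KGSQaPMD.352XdXIzsfyY0"
      - "traefik.http.middlewares.grafana-auth.basicauth.removeheader=true"
```

With the header removed, Grafana shows its own login page after Traefik's prompt; if you would rather have Traefik's login count as Grafana's, that is the auth-proxy setup linked above (a trusted header such as X-WebAuth-User set by the proxy), not a forwarded Authorization header.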