SSO authorization in Directus using the keycloak provider - keycloak

Good afternoon, how can I set up SSO authorization from Keycloak in my Directus application? Below I will give the settings for my Directus image, and the error that occurs when trying to log into the account.

So I ran into this the other day and redirect_uri is picked up from the PUBLIC_URL environment variable, which should be set as well. So you may wish to ensure this is set. You may also want to consider making your root url and base url simply http://localhost:8055 and making /* your valid redirect url, and narrow it down from there.
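As an added example (not code from the post or from Directus/Keycloak), the following Python models the two points in the answer: the callback redirect_uri Directus derives from PUBLIC_URL, and Keycloak's "Valid redirect URIs" matching (exact entry, or a trailing `*` wildcard, with relative entries resolved against the client's Root URL). The callback path `/auth/login/<provider>/callback` and the matching rules are simplified assumptions, not a copy of Keycloak's implementation.

```python
from urllib.parse import urlsplit


def directus_callback(public_url: str, provider: str = "keycloak") -> str:
    """Assumed Directus behaviour: the OIDC callback is built from PUBLIC_URL.
    With PUBLIC_URL unset (Directus defaults it to "/") the result is relative,
    so Keycloak has no absolute redirect_uri to match."""
    return public_url.rstrip("/") + f"/auth/login/{provider}/callback"


def resolve(pattern: str, root_url: str) -> str:
    """Entries such as "/*" are relative to the client's Root URL (assumption)."""
    if pattern.startswith("/") and root_url:
        return root_url.rstrip("/") + pattern
    return pattern


def verify_redirect_uri(redirect_uri: str, valid_redirects, root_url: str = ""):
    """Return the matching entry, or None when Keycloak would reject the URI.
    Simplified model: exact match, or prefix match when the entry ends in '*'."""
    parts = urlsplit(redirect_uri)
    if not (parts.scheme and parts.netloc):   # relative redirect: nothing to match
        return None
    for entry in (resolve(p, root_url) for p in valid_redirects):
        if entry.endswith("*"):
            if redirect_uri.startswith(entry[:-1]):
                return entry
        elif entry == redirect_uri:
            return entry
    return None


def check_setup(public_url: str, valid_redirects, root_url: str = ""):
    """Convenience: what Directus will send and which entry (if any) admits it."""
    uri = directus_callback(public_url)
    return uri, verify_redirect_uri(uri, valid_redirects, root_url)


if __name__ == "__main__":
    # PUBLIC_URL missing: the callback is relative and is rejected.
    print(check_setup("/", ["/*"], root_url="http://localhost:8055"))
    # The answer's suggestion: root URL http://localhost:8055 and "/*" as the entry.
    print(check_setup("http://localhost:8055", ["/*"], root_url="http://localhost:8055"))
    # An exact entry works too, but only for that one string (trailing slash matters).
    print(check_setup("http://localhost:8055",
                      ["http://localhost:8055/auth/login/keycloak/callback"]))
```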

Related

Keycloak 18.0.2 problem with post_logout_redirect_url and missing id_token_hint

We have a keycloak instance running which received an update from 15 to 18.0.2.
According to the specs
https://openid.net/specs/openid-connect-rpinitiated-1_0.html
There is a RECOMMENDED id_token_hint which should be provided along the post_logout_redirect_uri parameter to avoid unauthorized logout from other sources. But it seems not mandatory.
However, since it's complicated in our case to get the token id after application logout, we decided to not provide the id_token_hint but let the user click on the logout form that appears when no id_token_hint is provided and redirect them afterwards.
But it seems not to work with
http://keycloak.host/realms/test_realm/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Ftest.redirect.com%2F&state=123be78239823baa239328ef&scope=profile%20email&response_type=code&approval_prompt=auto&client_id=test-client
The error is
Missing parameters: id_token_hint
Like mentioned, we don't have the id_token here we could provide.
What is strange is that on another keycloak instance the url is working correctly and the prompt appears. Unfortunately we can't find any difference in config. Is there some config in keycloak which will influence the described behavior somehow?
Any other ideas?

How to activate the REST API of keycloak?

I have installed Keycloak server 4.3.4.
How to activate the REST API of keycloak (Add a user, enabled user, disabled a user ...) ?
Regards
The first step is to create an admin account (which you would have been prompted to do as soon as you opened {keycloak-url}/auth).
Next steps depend on how you want to create config. Through Admin console GUI or through Rest API.
Steps to do this through Admin Rest API.
First , you will have to get a token from {keycloak-url}/auth/realms/master/protocol/openid-connect/token like this:
Note that the only changes you have to make in the call below are your Keycloak server address and the admin username and password.
Once you obtain a token from above call, you can use it on other Admin Rest API calls by setting Authorization header, with Bearer token_value. (replace token_value with one obtained in step 1 above)
(Sharing an example below of sample rest call which gets list of users - https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_users_resource )
{{SERVER}}/auth/admin/realms/myRealm/users
EDIT:
As pointed out by #Shane : as of Keycloak version 19.0.1 the /auth part of the urls have been removed.
In complement to the answer above, even with your access token, you might not have access to certain endpoints if you do not have permissions for that. To do so, you need to be assigned specific realm roles. For instance:
Available in the Roles>Composite Roles>Client roles. Or you can set it up in user role-mapping tab.
It happened to me once. Without these assigned roles, I could get the access token, but an empty clients list, for example.
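An added example (not code from either answer) that puts the two steps above into Python: a password grant against the master realm's token endpoint, then GET on the users resource with the Bearer token. The `/auth` prefix is dropped for Keycloak 19 and later, as the EDIT notes; the `admin-cli` client id is Keycloak's built-in client for this kind of admin login, and `urllib` is used so nothing beyond the standard library is needed.

```python
import json
import urllib.parse
import urllib.request


def base_url(server: str, version: str) -> str:
    """Keycloak before 19.0.1 served everything under /auth; later releases do not."""
    major = int(version.split(".")[0])
    server = server.rstrip("/")
    return server if major >= 19 else server + "/auth"


def token_request(server: str, version: str, username: str, password: str):
    """Step 1: URL and form body for the admin token (password grant on master)."""
    url = f"{base_url(server, version)}/realms/master/protocol/openid-connect/token"
    form = {
        "grant_type": "password",
        "client_id": "admin-cli",      # built-in Keycloak client for admin logins
        "username": username,
        "password": password,
    }
    return url, urllib.parse.urlencode(form)


def users_request(server: str, version: str, realm: str, access_token: str):
    """Step 2: URL and headers for the users resource of the given realm."""
    url = f"{base_url(server, version)}/admin/realms/{realm}/users"
    return url, {"Authorization": f"Bearer {access_token}"}


def list_users(server: str, version: str, realm: str, username: str, password: str):
    """Run both steps against a live server (network). An empty list despite a
    valid token usually means the account lacks the realm-management roles
    described in the second answer."""
    url, body = token_request(server, version, username, password)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        access_token = json.load(resp)["access_token"]
    url, headers = users_request(server, version, realm, access_token)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values; replace with your own server address and credentials.
    print(token_request("https://keycloak.example", "18.0.2", "admin", "admin-password"))
    print(users_request("https://keycloak.example", "19.0.1", "myRealm", "<token_value>"))
```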

Okta is returning an invalid redirect uri when connected to IdentityServer 3 and performing sign out

I'm trying to integrate Okta as a third party Identity Provider for a system I am working on that is using the IdentityServer 3 framework to support my customers that use Okta. I have everything working great except log out. When a user logs out of my system, it initiates the end session call back to Okta to log the user out. My problem is that the Identity Server is sending a session id along with the post logout redirect uri for context, but Okta refuses to accept the redirect uri because it is not known. I've tried multiple variations in the setup in Okta for this url but because the id value is dynamic, I'm not able to specify an exact url. Is there a way to have it support any urls that are going to a specific hostname or even up to the page path? I've tried adding my host into the API security area for trusted origins but it did not work either. I've also tried overriding the postback url for my system to be a static page, but then the IdentityServer Signout message cookie is never cleaned up correctly. This same code works without any problems when running for Azure as the IDP. Has anyone run into this before and have any thoughts? Any help is appreciated.
An example of the post to Okta at signout with the postback url is something like this,
https://dev-xx.oktapreview.com/oauth2/default/v1/logout?post_logout_redirect_uri=https%3a%2f%2fmyurl.com%2fidp%2flogout%2f%3fid%3d83617adbc6769e5d4d0fbca4dced3991&max_age=5&id_token_hint=eyJraWQiOiJ1aXJYc1RYTkTVVGenBXU1JfMWt6WndNSXBQQUVqT0dndWhjbloxR3pNIiwiYWxnIjoiUlMyNTYifQ....gvG_8dnlAMr9XI-atCjIKVF04L4oMzerXmeT0BAG76RLle-q2pgb8PDvV4cTicLH16QLzboSgocC6t6WoegbUeJLLuzZHd2rQkm8Y4iRheoV05uKhd2mpLA9LyexlJ9oVJ8Xi_D4BqN_bygphAv79B4L8-Ezz3YgGDmSkK3WutB55_r_7XM0OCCCetvNu4S8KXbKHUxgg5cpQ6y7o-d5eIH6I8bpoOoA0gy7Liwsm7IyQUe5_jdorObgBHIEfDx4mjNRENJUQ7InASwbL7eND7COZYyXRwzn7vHU0_XkBaUW9wsY-VJUaihOwEcgVS1MPbGLoSUY9k0TmcUVN3-Q&state=83617adbc6769e5d4d0fbca4dced3991&x-client-SKU=ID_NET&x-client-ver=1.0.40306.1554
The id=83617... is what is tripping up Okta from trusting the redirect url. I've tried adding all of these combinations of urls into the logout redirect uri setup and none let it accept it:
https://myurl.com/idp/logout/
https://myurl.com/idp/logout/?id=
https://myurl.com/idp/logout?id=
https://myurl.com
https://myurl.com/
https://myurl.com/idp
https://myurl.com/idp/
https://myurl.com/idp/logout
None seem to work.

How to get a JWT from Auth0 hosted login

According to the "tutorial" (the docs themselves say nothing) Auth0 should set a JWT for me on login, but it's not clear what it means by this. How do I get that JWT?
We already have a login flow in place that uses a hosted page that is accessed through a CNAME CNAME.example.com. Following this process:
I go to example.com/login
I am redirected to the CNAME CNAME.example.com/authorize?...
Then again to CNAME.example.com/login
Username and Password are POSTed to CNAME.example.com/usernamepassword/login
This returns a form containing the JWT and automatically POSTs to CNAME.example.com/login/callback
This then redirects back to our main site example.com/langing-page but the JWT is not received here.
Because it's a CNAME, Auth0 would be able to set an HTTP Only, Secure cookie for our domain, that would be enough.
I've only just jumped on this project and understand that if it was built from scratch we could use the API directly to get the JWT but I can't work out how to do it for the existing flow.
I'm sure we're missing something simple, but the documentation is not forthcoming. Do I need to do a login via the API instead?
EDITED: To clarify the login flow exists and works using a hosted page on auth0, I need to get the JWT after the user has logged in.
MORE INFO: We're using the Auth0 WordPress Plugin which correctly logs us in as the right user (as well as helps us create new users) but does not seem to expose the JWT. That page does mention getting JWTs but refers to the deprecated wp-jwt-auth plugin
The links provided are for general information about JWTs; for accomplishing authentication through Auth0 there is better suited documentation. In particular, you should start with the quickstarts (https://auth0.com/docs/quickstarts) to check if there's any that is directly associated with the application and stack you're building.
In addition to that, you can also check the docs associated more with protocol flows (assuming you want OIDC/OAuth 2.0): https://auth0.com/docs/api-auth/which-oauth-flow-to-use
The above should guide you about which flow to use and then for each you can follow the links to have a better understanding of how the flow can be implemented.
As an additional note the /login endpoint should be treated as an implementation detail; for OIDC/OAuth 2.0 you need to start the request at /authorize.

Fiware get access token seems to get wrong

We are having trouble getting the access token from FIWARE since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token but it seems like it does not work.
Before using that URL we used to ask for this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.
It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned contains a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh