How to connect Drupal with Keycloak 18 for user creation - keycloak

I am trying to connect Drupal with Keycloak for login. I have added the client ID, client secret and Keycloak realm obtained from the Keycloak server.
Module used - https://www.drupal.org/project/keycloak
Link - http://localhost/drupal/user/login
After clicking the 'Login Keycloak' button, I get this error:
The website encountered an unexpected error. Please try again later.
Log Message - Symfony\Component\Routing\Exception\MissingMandatoryParametersException: Some mandatory parameters are missing ("openid_connect_client") to generate a URL for route "openid_connect.redirect_controller_redirect". in Drupal\Core\Routing\UrlGenerator->doGenerate() (line 181 of C:\xampp\htdocs\drupal\core\lib\Drupal\Core\Routing\UrlGenerator.php).
Please suggest. Thank you.

It looks like you may not have added the valid redirect URI on your local Keycloak server under Clients > Settings, which I believe should be "http://localhost/drupal/openid-connect/keycloak" for your project.
You also need to provide the Keycloak base URL on your Drupal "Configuration > Web Services > OpenID Connect" page, which, if you are using a local Keycloak server, is most of the time http://localhost:8080.

Related

Google Auth API - idpiframe_initialization_failed on Production environment

I integrated Google's Auth API into my production website.
When I open the login page, it throws idpiframe_initialization_failed exceptions to the console.
I found out that I can fix it by enabling that API / cookies in my Chrome browser, but I want to find a comprehensive solution that prevents those exceptions in my production environment.
So my two questions are:
What do you suggest I do in order to achieve that?
In general, what is the meaning of those exceptions?
Thanks :)
If you have a production URL like http://godaddysite.com etc., host your page there with a web server.
Opening an HTML page from your computer with JavaScript does not work, as it is not hosted on a web server.
Please check your redirect URL etc. from when you created the OAuth client.
Go to the Credentials page.
Click Create credentials > OAuth client ID.
Select the Web application application type.
Name your OAuth 2.0 client and click Create.
Check the origins.
Create a new OAuth client with the correct origins.
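The answer's point is that Google matches the page's origin, not its URL, and that a page opened from disk has no origin it can match. The following is an added example (not code from the question, the answer, or Google's library) that computes the origin a browser would assign to a page URL and compares it with the "Authorized JavaScript origins" registered on the OAuth client; the registered origins and page URLs in it are constructed placeholders.

```python
"""Added example: derive a page's origin and check it against the origins
registered on a Google OAuth client. Origins are scheme + host + port only:
no path, no query, default ports dropped, host compared case-insensitively.
A file:// page has an opaque origin and can never be authorized."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def page_origin(url):
    """Return 'scheme://host[:port]' for an http(s) URL, or None when the
    page has an opaque origin (file://, about:blank, ...)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(page_url, registered_origins):
    """True when the page's origin is among the registered ones. Registered
    entries are normalised the same way, so a pasted trailing slash or path
    does not cause a spurious mismatch."""
    origin = page_origin(page_url)
    if origin is None:
        return False
    allowed = {page_origin(o) for o in registered_origins}
    allowed.discard(None)
    return origin in allowed


def diagnose(page_url, registered_origins):
    """One-line verdict per page URL, for checking a list of deployments."""
    origin = page_origin(page_url)
    if origin is None:
        return "opaque origin (file:// or similar): host the page on a web server"
    if origin_allowed(page_url, registered_origins):
        return f"ok: {origin} is registered"
    return f"{origin} is not an authorized JavaScript origin; add it to the client"


if __name__ == "__main__":
    # Constructed sample data, not taken from the question.
    registered = ["https://godaddysite.com", "http://localhost:3000/"]
    for url in ["file:///C:/Users/me/login.html",
                "https://godaddysite.com/login",
                "https://www.godaddysite.com/login",
                "http://localhost:3000/login?next=/"]:
        print(url, "->", diagnose(url, registered))
```

Note that `www.godaddysite.com` is a different origin from `godaddysite.com`; both must be registered if both serve the login page.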

Keycloak Provider login results in request-compose timeout error

Setup:
We have an HTTPS Strapi application, and Keycloak is configured as an identity provider with the corresponding client ID and secret from the Keycloak client. Both Strapi and Keycloak are behind nginx.
We have a Keycloak server where Strapi is added as a client with the necessary redirect URIs configured.
Also, provider.js and bootstrap.js are set up as suggested in the reference:
Strapi Documentation
Issue:
Strapi throws an error when trying to access the client:
{"statusCode":400,"error":"Bad Request","message":{"message":"No access_token."},"data":{"message":"No access_token."}}
https://our.website.domain/strapi/auth/keycloak/callback?error=request-compose%3A%20timeout
In the logs, we see that the access token is not received and hence the error is thrown from the Strapi end (example provider.js line).
Verification:
Strapi is able to use other social identity providers like GitHub to authenticate as expected.
We are able to use Postman to get the access token from Keycloak by posting to https://our.website.domain/auth/realms/exampleRealmName/protocol/openid-connect/token, as suggested in this comment (step 1).
We are able to use the access token to get a response from Strapi through Postman at https://our.website.domain/connect/IDP-Name/callback, as suggested here (step 2).
Any inputs or advice on what could be the issue?
Thank you in advance.
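The verification in this question was done from Postman, that is, from a workstation. The timeout reported in the callback URL is raised on the server side, when Strapi itself calls Keycloak's token endpoint to exchange the authorization code, so the request that needs testing is the same POST as step 1 made from the host or container Strapi runs on, with Strapi's DNS, proxy and TLS trust. The script below is an added example, not part of the question or of Strapi; it builds that exchange with an intentionally bogus code and reports which stage (DNS, connect, TLS, HTTP, or a timeout) fails. The realm name and URLs are the placeholders from the question; the client ID, secret and callback path are assumed.

```python
"""Added example: reproduce Strapi's server-side code exchange against the
Keycloak token endpoint from the machine Strapi runs on, with a short timeout,
so that a 'timeout' seen by Strapi can be separated from DNS, connection and
TLS failures. A 400 invalid_grant reply to the bogus code is the healthy
outcome: it proves Keycloak is reachable from here."""
import socket
import ssl
import time
from urllib.error import HTTPError, URLError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def token_endpoint(keycloak_base, realm):
    """Keycloak OIDC token endpoint for a realm. The question's URL carries an
    /auth prefix, so keycloak_base is assumed to include it."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_token_request(url, client_id, client_secret, code, redirect_uri):
    """The authorization_code exchange Strapi performs after the browser
    returns from Keycloak. Returns the prepared Request and the form body."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return Request(url, data=body, headers=headers, method="POST"), body


def classify(exc):
    """Map the exception urlopen() raised to the stage that failed."""
    if isinstance(exc, HTTPError):
        return f"http {exc.code}"          # Keycloak answered: reachable
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout"                   # Strapi's 'request-compose: timeout' analogue
    if isinstance(reason, ssl.SSLError):
        return "tls"
    if isinstance(reason, socket.gaierror):
        return "dns"
    if isinstance(reason, ConnectionRefusedError):
        return "connect refused"
    return f"other: {reason}"


# Constructed samples of what urlopen() raises at each stage, so the
# classifier can be exercised offline.
SAMPLE_ERRORS = {
    "timeout": URLError(socket.timeout("timed out")),
    "dns": URLError(socket.gaierror(-2, "Name or service not known")),
    "connect refused": URLError(ConnectionRefusedError(111, "Connection refused")),
}


def probe(url, redirect_uri, client_id="strapi", client_secret="secret", timeout=5.0):
    """Send the exchange with an invalid code and return (stage, seconds).
    Run this where Strapi runs; a workstation result says nothing about it."""
    req, _ = build_token_request(url, client_id, client_secret, "bogus-code", redirect_uri)
    started = time.monotonic()
    try:
        with urlopen(req, timeout=timeout) as resp:
            result = f"http {resp.status}"
    except (HTTPError, URLError) as exc:
        result = classify(exc)
    return result, round(time.monotonic() - started, 2)


if __name__ == "__main__":
    # Placeholder values from the question; the callback path is assumed.
    url = token_endpoint("https://our.website.domain/auth", "exampleRealmName")
    print(probe(url, "https://our.website.domain/connect/keycloak/callback"))
```

If the probe reports `dns` or `timeout` while Postman succeeds, the Strapi host cannot reach the public hostname the way the workstation can (split DNS, a container without a route to the ingress, or a proxy that only applies to browsers are the usual reasons); `http 400` means the transport is fine and the problem lies in the client ID, secret or redirect URI Strapi sends.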

"Unexpected error when authenticating with identity provider" error when Keycloak broker is configured as a client to another Keycloak instance

I am getting an error when I try to log in to Keycloak by using it as a broker.1 I am using credentials from another Keycloak instance to log in. So far, I am redirected to the correct login page, but after entering my credentials I receive an error.
I have set up Keycloak Identity Brokering on computer 1 by following the basic steps.2 I have used the generated redirect URI of the broker to register a new client on computer 2 in another Keycloak instance.3 The client configuration present on computer 2 4 is then used to fill in the Authorization URL, Token URL, Client ID and Client Secret on the identity broker on computer 1. 5
I may have left important fields missing. Pictures are attached for reference.
I have changed some settings to get the broker to work with the other Keycloak instance. I am now sending the client secret as basic auth with signature validation off. I have also enabled back-channel logout. Hope this helps someone else.
I fixed this problem by regenerating the client secret on the identity provider side and using it in Keycloak. The Keycloak realm data import was apparently not working very well for me.
In my case I needed to empty the hosted domain field in the "Identity providers" configuration of my Google identity provider in Keycloak.
See also:
Keycloak Google identity provider error: "Identity token does not contain hosted domain parameter"
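The three answers above amount to a handful of fields on the broker's identity provider entry: endpoints that belong to the other realm, a secret that actually matches the client there, the secret sent as HTTP basic auth, and back-channel logout on. The block below is an added example (not from the thread and not Keycloak's code) that builds that entry as a `keycloak-oidc` IdentityProviderRepresentation from the other realm's issuer URL and checks it for the mistakes the answers ran into before it is imported; host names, realm names and the secret are placeholders, and the shape of the broker redirect URI is Keycloak's `/realms/<realm>/broker/<alias>/endpoint`.

```python
"""Added example: assemble and sanity-check a Keycloak-to-Keycloak broker
configuration. Field names follow Keycloak's IdentityProviderRepresentation
(alias, providerId, config{...}); values are placeholders."""
import json
from urllib.parse import urlsplit


def realm_endpoints(issuer):
    """Standard OIDC endpoints under a Keycloak realm issuer such as
    https://kc2.example.test/realms/demo (older builds keep an /auth prefix)."""
    base = issuer.rstrip("/")
    if "/realms/" not in base:
        raise ValueError("expected an issuer of the form .../realms/<realm>")
    oidc = f"{base}/protocol/openid-connect"
    return {
        "issuer": base,
        "authorizationUrl": f"{oidc}/auth",
        "tokenUrl": f"{oidc}/token",
        "logoutUrl": f"{oidc}/logout",
        "jwksUrl": f"{oidc}/certs",
    }


def broker_representation(alias, issuer, client_id, client_secret,
                          validate_signature=False):
    """Entry for the broker (computer 1) pointing at the other instance.
    validate_signature=False reproduces the settings the answers used; once
    login works, turning it on with the JWKS URL is the stronger setting."""
    config = {
        **realm_endpoints(issuer),
        "clientId": client_id,
        "clientSecret": client_secret,
        "clientAuthMethod": "client_secret_basic",   # secret as basic auth
        "validateSignature": "true" if validate_signature else "false",
        "backchannelSupported": "true",              # back-channel logout
        "syncMode": "IMPORT",
    }
    if validate_signature:
        config["useJwksUrl"] = "true"
    else:
        config.pop("jwksUrl")    # not consulted when validation is off
    return {"alias": alias, "providerId": "keycloak-oidc",
            "enabled": True, "config": config}


def redirect_uri_for_broker(broker_base_url, realm, alias):
    """Redirect URI the broker generates; it must be registered on the client
    created at the other instance (computer 2 in the question)."""
    return f"{broker_base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def check(rep):
    """Problems the answers hit: an empty or stale secret, endpoints that do
    not live under the issuer, signature validation without a key source."""
    cfg = rep["config"]
    problems = []
    if not cfg.get("clientSecret"):
        problems.append("clientSecret is empty: regenerate it on the provider side and re-enter it")
    issuer_host = urlsplit(cfg["issuer"]).netloc
    for key in ("authorizationUrl", "tokenUrl", "logoutUrl"):
        if urlsplit(cfg[key]).netloc != issuer_host:
            problems.append(f"{key} host differs from the issuer host")
    if cfg.get("validateSignature") == "true" and not (
            cfg.get("useJwksUrl") == "true" and cfg.get("jwksUrl")):
        problems.append("validateSignature is on but no JWKS URL is configured")
    return problems


if __name__ == "__main__":
    # Placeholder hosts and secret, not values from the question.
    rep = broker_representation("kc2", "https://kc2.example.test/auth/realms/demo",
                                "kc1-broker", "replace-with-regenerated-secret")
    print("register on computer 2:",
          redirect_uri_for_broker("https://kc1.example.test/auth", "myrealm", "kc2"))
    print("problems:", check(rep))
    print(json.dumps(rep, indent=2))
```

The JSON printed at the end can be fed to the admin CLI on the broker with `kcadm.sh create identity-provider/instances -r <realm> -f broker.json`, which avoids the copy-and-paste errors the last two answers describe.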

Keycloak Client settings, what URLs do I need?

I have problems setting up Keycloak for a project I am working on.
Keycloak is running on http://localhost:8180.
A Thorntail server is running on http://localhost:8080/users, which serves data for an
Angular frontend on http://localhost:4200/*. What I want is that a user can only see http://localhost:4200/sign-in without logging in. Once logged in, they can access, for example, http://localhost:4200/list-user.
I was using this guide to set up Keycloak, but I'm not sure what my client settings should be. This is what I thought:
Root URL: http://localhost:4200/sign-in
Valid Redirect URIs: http://localhost:4200/list-user
Base URL: http://localhost:4200/sign-in
Admin URL: http://localhost:8080
Could somebody please explain the purpose of these settings, as I struggle to understand them.
Root URL is just a value that will be used for resolving relative paths.
Root: http://localhost:4200/sign-in
Valid Redirects: /* (After login the user could be redirected to any URI that matches the pattern http://localhost:4200/sign-in/*)
Base URL: / (Not mandatory. Used when Keycloak needs to calculate the application URL from the client_id only.)
Admin URL: / (Used when Keycloak needs to notify applications about revocation or when a user logs out. For example, when a user logs out of application A while they also have a session in application B, Keycloak sends a backchannel request to the Admin URL of application B, so application B flushes the user's session as well.)
Check out the docs and the info badges in the Admin Console.
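The answer's resolution rule (relative patterns are appended to Root URL, a trailing `*` is a prefix wildcard, everything else must match exactly) decides both this question and the Drupal one at the top of the page, where the exact callback `http://localhost/drupal/openid-connect/keycloak` had to be registered. The block below is an added example, not Keycloak's code: a small model of that matching, written to show that Root URL `http://localhost:4200/sign-in` with `/*` covers only `http://localhost:4200/sign-in/...` and never `http://localhost:4200/list-user`, and to flag wildcard patterns that accept other hosts. The handling of the query string under a wildcard and of a pattern's trailing slash is modelled on Keycloak's behaviour as I understand it and is an approximation.

```python
"""Added example: model Keycloak's Valid Redirect URIs matching. Relative
patterns resolve against Root URL; a pattern ending in '*' matches by prefix
(query string ignored, and 'http://h/app/*' also covers 'http://h/app');
any other pattern must match the redirect_uri exactly."""
from urllib.parse import urlsplit


def resolve_patterns(root_url, valid_redirects):
    """Absolute patterns are kept; relative ones are appended to Root URL."""
    root = (root_url or "").rstrip("/")
    resolved = []
    for pattern in valid_redirects:
        if pattern.startswith("/"):
            if not root:
                raise ValueError(f"relative pattern {pattern!r} needs a Root URL")
            resolved.append(root + pattern)
        else:
            resolved.append(pattern)
    return resolved


def matches(pattern, redirect_uri):
    """One resolved pattern against one redirect_uri."""
    if pattern.endswith("*") and "?" not in pattern:
        target = redirect_uri.split("?", 1)[0]   # query ignored under a wildcard
        prefix = pattern[:-1]
        if target.startswith(prefix):
            return True
        return target == prefix.rstrip("/")      # 'app/*' also covers 'app'
    return redirect_uri == pattern               # exact, query included


def allowed_redirect(root_url, valid_redirects, redirect_uri):
    """Would Keycloak accept this redirect_uri for the client?"""
    return any(matches(p, redirect_uri)
               for p in resolve_patterns(root_url, valid_redirects))


def risky_patterns(root_url, valid_redirects):
    """Wildcards placed before the first path segment ('https://app.test*',
    'http://localhost:4200*', or a bare '*') also match other hosts such as
    https://app.test.evil.example, so authorization codes can be sent to an
    attacker-controlled site. Flag them before the client reaches production."""
    risky = []
    for p in resolve_patterns(root_url, valid_redirects):
        if p == "*":
            risky.append(p)
        elif p.endswith("*") and not urlsplit(p[:-1]).path:
            risky.append(p)
    return risky


if __name__ == "__main__":
    # The question's proposed settings versus the corrected Root URL.
    for root in ("http://localhost:4200/sign-in", "http://localhost:4200"):
        print(root, resolve_patterns(root, ["/*"]),
              "list-user allowed:", allowed_redirect(root, ["/*"], "http://localhost:4200/list-user"))
    # The Drupal question at the top of the page: exact callback, no wildcard.
    drupal = ["http://localhost/drupal/openid-connect/keycloak"]
    print(allowed_redirect("", drupal, "http://localhost/drupal/openid-connect/keycloak"))
    print("risky:", risky_patterns("", ["http://localhost:4200*", "*", "http://localhost:4200/*"]))
```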

Keycloak integration with Pingfederate

What I want to do is this:
I have Keycloak integrated with my application, so when my app is launched, the Keycloak login page is shown to the user. Now I am trying to provide an option to log in with PingFederate, so a button to log in with PingFed appears (once a new SAML provider is configured in Keycloak). On PingFederate I tried to integrate SP-initiated SSO:
I added a new SP connection and configured it as SP-initiated SSO. (It forced me to configure SOAP authentication, where I selected basic and configured a random username and password.) Then I downloaded metadata.xml from this SP and imported it into Keycloak, which autofilled the login URL as https://myserver:9031/idp/SSO.saml2 (i.e. without a client ID). After this, when the user clicks on Login with PingFed, PingFed gives the following error:
Unexpected System Error Sorry for the inconvenience. Please contact your administrator for assistance and provide the reference number below to help locate and correct the problem.
I found the solution to this.
Firstly, we need to add SP-initiated SSO in PingFed for Keycloak.
Secondly, the reason I could not make SP-initiated SSO work was that Keycloak's entityId should be the same as the PingFed SP connection's Partner Entity ID / Connection ID.
Keycloak, by default, keeps the entity ID equal to the URL of the Keycloak server containing your realm, e.g.
https://(keycloak-server)/auth/realms/(realm-name)
(and I could not find a way to change it through the Keycloak UI).
You need to enter this URL in PingFed.
To avoid adding this manually, you can download the Keycloak config from the Export tab of the identity provider,
and import this file on the PingFed side.
On a side note, though I was importing it earlier, I was changing the value of the Partner ID to some other name, as I was not aware of the above restriction until I started decoding the SAML tokens in the request.
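The mismatch the answer describes is visible in the `SAMLRequest` parameter Keycloak sends to PingFed: its `<saml:Issuer>` is Keycloak's entity ID, and that string has to equal the Partner Entity ID on the PingFed SP connection. The block below is an added example (not from the post, Keycloak or PingFederate) that decodes a `SAMLRequest` from either binding (redirect: base64 of raw-deflated XML; POST: plain base64), reads the Issuer, Destination and AssertionConsumerServiceURL, and compares the Issuer with the partner ID configured on the IdP. The embedded AuthnRequest is constructed for the example, and the Keycloak host and realm in it are placeholders; the entity ID format it uses is the default the answer quotes.

```python
"""Added example: decode a SAML AuthnRequest and verify that its Issuer
(the SP entity ID) equals the Partner Entity ID expected by the IdP."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def keycloak_saml_entity_id(keycloak_base, realm):
    """Keycloak's default SAML SP entity ID, as described in the answer."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}"


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL-encoding omitted)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def encode_post_binding(xml_text):
    """HTTP-POST binding: base64 of the XML as-is."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_saml_request(param):
    """Accept a SAMLRequest value from either binding and return the XML."""
    raw = base64.b64decode(unquote(param))
    if raw.lstrip().startswith(b"<"):          # POST binding, not deflated
        return raw.decode()
    return zlib.decompressobj(-15).decompress(raw).decode()


def inspect_authn_request(xml_text):
    """Pull the fields that must line up with the IdP's SP connection."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def check_partner_entity_id(saml_request_param, partner_entity_id):
    """Decode the request and report whether Issuer equals the partner ID
    configured on the IdP (PingFed's Partner Entity ID / Connection ID)."""
    info = inspect_authn_request(decode_saml_request(saml_request_param))
    info["matches_partner_entity_id"] = info["issuer"] == partner_entity_id
    return info


# Constructed AuthnRequest resembling what Keycloak's SAML broker sends;
# host and realm are placeholders.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_constructed-1" Version="2.0" IssueInstant="2022-06-01T12:00:00Z"
    Destination="https://myserver:9031/idp/SSO.saml2"
    AssertionConsumerServiceURL="https://keycloak.example.test/auth/realms/myrealm/broker/pingfed/endpoint"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://keycloak.example.test/auth/realms/myrealm</saml:Issuer>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    expected = keycloak_saml_entity_id("https://keycloak.example.test/auth", "myrealm")
    print(check_partner_entity_id(param, expected))        # matches
    print(check_partner_entity_id(param, "keycloak-sp"))   # the renamed partner ID fails
```

To use it on a real login, copy the `SAMLRequest` value from the URL Keycloak redirects the browser to (or from the hidden form field for the POST binding) and pass it to `check_partner_entity_id` together with the Partner Entity ID shown on the PingFed SP connection.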