Change authentication url in Quarkus' Swagger-UI - keycloak

Problem is, I'm starting the Quarkus service and a Keycloak in a docker-compose setup, where I need to configure the internal hostname and it won't be the same I will use to authenticate from outside.
In the following picture I want Swagger-UI to open the external url (http://localhost:8180 in my case) instead of the internal docker-compose url (http://keycloak:8080).
Is there a config property available to change this? I didn't find anything matching and tried out some stuff, but was unsuccessful.
I'm starting the Keycloak server in dev mode and mount a custom realm file.
To the Quarkus service I set the following properties:
environment:
  QUARKUS_OIDC_AUTH_SERVER_URL: http://keycloak:8080/realms/WPLAT_dev-keycloak-realm
  QUARKUS_OIDC_CLIENT_ID: my-service
  QUARKUS_OIDC_CREDENTIALS_SECRET: secret
  QUARKUS_OIDC_TOKEN_ISSUER: http://localhost:8180/realms/WPLAT_dev-keycloak-realm
(QUARKUS_OIDC_TOKEN_ISSUER was needed or otherwise the returned tokens weren't accepted)
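Why the override was needed, as an added example that is not part of the question or of Quarkus: Keycloak derives the `iss` claim from the URL the request arrived on, so a token obtained through the browser carries `http://localhost:8180/...`, while the Quarkus service discovers the realm through `http://keycloak:8080/...` and, without `quarkus.oidc.token.issuer`, expects that internal URL as issuer. The script below models that check with a constructed HS256 key (real realms sign with RSA keys fetched from the JWKS endpoint) and shows the same token being rejected and then accepted. Two practical notes: pinning Keycloak's public hostname (the `KC_HOSTNAME` option of the Quarkus-based Keycloak distribution) makes the issuer independent of which hostname was used, and the Swagger-UI side can be pointed at the external realm through the `quarkus.smallrye-openapi.oauth2-implicit-authorization-url` / `quarkus.smallrye-openapi.oauth2-implicit-token-url` properties of Quarkus's OpenAPI extension; verify both names against the docs for the versions in use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. Keycloak really signs with RS256 and Quarkus
# fetches the realm's public keys from the JWKS endpoint; HS256 with a shared demo
# key is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"
REALM_PATH = "/realms/WPLAT_dev-keycloak-realm"
INTERNAL_AUTH_SERVER_URL = "http://keycloak:8080" + REALM_PATH   # docker-compose hostname the service uses
EXTERNAL_ISSUER = "http://localhost:8180" + REALM_PATH           # hostname the browser (Swagger-UI) used


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, key=DEMO_KEY, ttl=300):
    """Mint a JWT the way the realm would: `iss` is the URL the client reached Keycloak on."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": "demo-user", "aud": "my-service", "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token, auth_server_url, issuer_override=None, key=DEMO_KEY):
    """Model of the resource server's checks: signature, expiry, then issuer.

    The expected issuer is the explicit override when configured, otherwise the
    auth-server-url, which is how quarkus.oidc.token.issuer relates to
    quarkus.oidc.auth-server-url. Returns (accepted, reason).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    expected_sig = hmac.new(key, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"          # verified before any claim is trusted
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= int(time.time()):
        return False, "expired"
    expected_iss = issuer_override or auth_server_url
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch: token iss=%r, expected %r" % (claims.get("iss"), expected_iss)
    return True, "ok"


if __name__ == "__main__":
    token = mint_token(EXTERNAL_ISSUER)
    # Without the override the issuer check fails, which is the symptom the question describes.
    print(validate_token(token, INTERNAL_AUTH_SERVER_URL))
    # With QUARKUS_OIDC_TOKEN_ISSUER set to the external URL the same token is accepted.
    print(validate_token(token, INTERNAL_AUTH_SERVER_URL, issuer_override=EXTERNAL_ISSUER))
```

The override only relaxes the issuer comparison; signature and expiry are still enforced, so it is safe as long as the configured issuer is the one and only hostname users are expected to authenticate through.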

Related

Keycloak Cookie Not Found Error when behind a Web Proxy

I am trying to have users access Keycloak from a different hostname through a proxy. Instead of the actual AWS hostname aws.exampleurl.com:8080 I have a proxy which routes all traffic from example.hostname.com/auth to the AWS url. I am able to access the Keycloak welcome screen and kick off the administrator login (with failed CSS loads which I assume is due to the same issue but I'm not sure), but when I input a set of credentials I am told that there was no cookie found. I have the cookies set to allow all in my browser (Brave).
I have set the HOSTNAME_URL env var to example.hostname.com/auth and tried using a mixture of the HOSTNAME and HOSTNAME_PATH env vars. I have tried setting HOSTNAME_STRICT to false, but with no luck. I've tried restarting the service and restarting the database I have running with Keycloak, but these changes have also not worked.
Any ideas on how to get this running correctly would be amazing. Let me know if more info is needed to reproduce.

KeyCloak - How to change "/auth/realm/<realm_name>" to "/<realm_name>"?

Hi StackOverflow users,
I'm struggling with KeyCloak configuration because we want to change our current Identity provider to KeyCloak.
Our current solution exposes URLs with an /openid prefix, which causes e.g. the issuer to be HOSTNAME/openid, or even the service discovery to be under HOSTNAME/openid/.well-known/openid-configuration.
When I try to use KeyCloak, all I have achieved is /auth/realms/openid/.well-known/openid-configuration.
Does anyone know how to remove /auth/realms prefix for KeyCloak?
Instead of changing the Keycloak URLs (which is of course a bit difficult), what if you put a proxy in front of your Keycloak to resolve '/openid/.well-known/openid-configuration' to '/auth/realms/openid/.well-known/openid-configuration'?
Or else, by changing the Keycloak web.xml file's
<web-context>auth</web-context>
to
<web-context></web-context>
you can get rid of the "auth" part.

What's the hostname of openshift master server for internal access?

If I want to access the REST API of the openshift master server from anywhere in my company I use https://master.test04.otc-test.company.com:8443 which works just fine.
Now I'm writing an admin application that is accessing the REST API and is deployed in this openshift cluster. Is there a generic name or environment variable in openshift to get the hostname of the master server?
Background: My admin application will be deployed on multiple openshift clusters which do not have the same URL. It would be very handy to have them autodiscover the hostname of the current master server instead of configuring this value for every deployment.
Use environment variables:
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT
In the container, provided the service account details are being mounted, you can also access the directory:
/var/run/secrets/kubernetes.io/serviceaccount
In this you can then find a token file which contains the access token for the service account the container runs as. This means you can create a separate service account for the application in that project, and use RBAC to control what it can do via the REST API.
That same directory also has a namespace file so you know what project the container is running in, and files with certificates to use when accessing the REST API over a secure connection.
This is the recommended approach, rather than trying to pass an access token to your application through its configuration.
Note that in OpenShift 4, if you need to access the OAuth server endpoint, it is on a separate URL from the REST API. In 3.X, they were on the same URL.
In 4.0, you can access the path /.well-known/oauth-authorization-server on the REST API URL, to get information about the separate OAuth server endpoint.
For additional information on giving REST API access to an application via a service account, see:
https://cookbook.openshift.org/users-and-role-based-access-control/how-do-i-enable-rest-api-access-for-an-application.html
Note that that page currently says you can use https://openshift.default.svc.cluster.local as URL, but this doesn't work in OpenShift 4.
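The in-cluster access pattern the answer describes, as an added example (not code from the answer, OpenShift, or the cookbook page): the API URL is assembled from the injected `KUBERNETES_SERVICE_*` variables, the bearer token, namespace and CA bundle are read from the service-account mount, and the OpenShift 4 OAuth server location is parsed out of `/.well-known/oauth-authorization-server`. The well-known document, the demo service-account directory and the `172.30.0.1` address are constructed so the example runs outside a pod; `get_json` is the only function that touches the network.

```python
import json
import os
import ssl
import tempfile
import urllib.request

# Standard projected service-account mount; the path comes from Kubernetes, the code is an added example.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample of the OpenShift 4 /.well-known/oauth-authorization-server document;
# the hostnames are made up for this example.
SAMPLE_WELL_KNOWN = json.dumps({
    "issuer": "https://oauth-openshift.apps.example.internal",
    "authorization_endpoint": "https://oauth-openshift.apps.example.internal/oauth/authorize",
    "token_endpoint": "https://oauth-openshift.apps.example.internal/oauth/token",
    "scopes_supported": ["user:full", "user:info"],
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "implicit"],
})


def api_base_url(env=None):
    """API server URL from the variables the kubelet injects into every container."""
    env = os.environ if env is None else env
    host = env["KUBERNETES_SERVICE_HOST"]
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    if ":" in host and not host.startswith("["):   # IPv6 service IPs need brackets in a URL
        host = "[" + host + "]"
    return "https://%s:%s" % (host, port)


def load_service_account(sa_dir=SA_DIR):
    """Token, namespace and CA bundle from the service-account mount."""
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    with open(os.path.join(sa_dir, "namespace")) as f:
        namespace = f.read().strip()
    return {"token": token, "namespace": namespace, "ca_file": os.path.join(sa_dir, "ca.crt")}


def build_request(path, env=None, sa_dir=SA_DIR):
    """(url, headers, ca_file) for a REST call authenticated as the pod's own service account."""
    sa = load_service_account(sa_dir)
    headers = {"Authorization": "Bearer " + sa["token"], "Accept": "application/json"}
    return api_base_url(env) + path, headers, sa["ca_file"]


def own_namespace_path(resource, sa_dir=SA_DIR):
    """Path for a namespaced core resource in the project the pod runs in."""
    return "/api/v1/namespaces/%s/%s" % (load_service_account(sa_dir)["namespace"], resource)


def get_json(path, env=None, sa_dir=SA_DIR):
    """Perform the call, trusting only the cluster CA from the mount (needs a real cluster)."""
    url, headers, ca_file = build_request(path, env, sa_dir)
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def oauth_endpoints(well_known_json):
    """OpenShift 4 keeps the OAuth server on its own URL; discover it via the API server."""
    doc = json.loads(well_known_json)
    return {k: doc[k] for k in ("issuer", "authorization_endpoint", "token_endpoint")}


def make_demo_sa_dir():
    """Constructed stand-in for the service-account mount so the example runs outside a pod."""
    d = tempfile.mkdtemp(prefix="sa-demo-")
    for name, content in (("token", "demo-token\n"), ("namespace", "demo-project\n"), ("ca.crt", "")):
        with open(os.path.join(d, name), "w") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    env = {"KUBERNETES_SERVICE_HOST": "172.30.0.1", "KUBERNETES_SERVICE_PORT": "443"}
    sa_dir = make_demo_sa_dir()
    print(build_request(own_namespace_path("pods", sa_dir), env, sa_dir))
    print(oauth_endpoints(SAMPLE_WELL_KNOWN))
```

Inside a pod, `get_json("/api/v1/namespaces/" + ns + "/pods")` with the defaults lists the pods the service account is allowed to see; what it may read or change is then purely a matter of the RBAC role bindings granted to that service account, with no token in the application's configuration.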

Rancher Keycloak authentication setup

I'm trying to set up Rancher to use Keycloak as an authentication provider and am following the setup laid out here. The last step says to export the metadata in the SAML Metadata IDPSSODescriptor format, but I only see SAML Metadata SPSSODescriptor as an option. I've tried using that but authentication isn't working - it opens another window with the same Keycloak setup page when clicking the Authenticate with Keycloak button to validate the setup. There are no errors in the Docker logs for either the Rancher or Keycloak containers when running the docker logs CONTAINER command.
I'm wondering if I need to do something specific to setup Keycloak as an IDP to get the correct metadata option but I can't find anything in their documentation.
For Keycloak 6.0 and up, both the location and the format of the IDPSSODescriptor metadata have changed. This doc explains how it can be edited to be used by Rancher.
From the Installation tab, choose the SAML Metadata IDPSSODescriptor format option and download your file.
Or you can directly visit Keycloak URL with IDPSSODescriptor metadata:
https://<keycloak-domain>/auth/realms/<realm>/protocol/saml/descriptor
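A way to tell the two exports apart before handing a file to Rancher, as an added example that is neither Keycloak's nor Rancher's code: an IdP descriptor carries an `IDPSSODescriptor` with `SingleSignOnService` endpoints and a signing certificate, whereas the `SPSSODescriptor` export describes Keycloak as a service provider and has neither. Both metadata samples below are constructed (made-up entity IDs, URLs and certificate) and merely shaped like SAML 2.0 metadata.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like an IdP descriptor; entity ID, URLs and certificate are made up.
SAMPLE_IDP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://keycloak.example/auth/realms/demo">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:KeyName>demo-key</ds:KeyName><ds:X509Data>
          <ds:X509Certificate>MIIBconstructedDemoCertificateBase64</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example/auth/realms/demo/protocol/saml"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example/auth/realms/demo/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.example/auth/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed sample shaped like an SP export: AssertionConsumerService endpoints, no SingleSignOnService.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://keycloak.example/auth/realms/demo">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example/auth/realms/demo/broker/saml/endpoint" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _binding_short(binding):
    return binding.rsplit(":", 1)[-1]   # "...:bindings:HTTP-POST" -> "HTTP-POST"


def inspect_saml_metadata(xml_text):
    """Summarise a metadata document: which role it describes, its SSO URLs and signing certs."""
    root = ET.fromstring(xml_text)
    md_entity = "{%s}EntityDescriptor" % NS["md"]
    entity = root if root.tag == md_entity else root.find(".//md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    info = {"entity_id": entity.get("entityID"), "role": None, "sso_urls": {}, "signing_certs": []}
    role_el = entity.find("md:IDPSSODescriptor", NS)
    if role_el is not None:
        info["role"] = "IDP"
    else:
        role_el = entity.find("md:SPSSODescriptor", NS)
        if role_el is not None:
            info["role"] = "SP"
    if role_el is None:
        return info
    for sso in role_el.findall("md:SingleSignOnService", NS):
        info["sso_urls"][_binding_short(sso.get("Binding"))] = sso.get("Location")
    for kd in role_el.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":       # no 'use' attribute means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                info["signing_certs"].append("".join((cert.text or "").split()))
    return info


def is_usable_idp_metadata(xml_text):
    """True when the document is an IdP descriptor an SP can consume: an IDPSSODescriptor,
    at least one SingleSignOnService URL and a signing certificate to verify assertions with."""
    info = inspect_saml_metadata(xml_text)
    return info["role"] == "IDP" and bool(info["sso_urls"]) and bool(info["signing_certs"])


if __name__ == "__main__":
    for label, doc in (("IDPSSODescriptor export", SAMPLE_IDP_METADATA), ("SPSSODescriptor export", SAMPLE_SP_METADATA)):
        print(label, inspect_saml_metadata(doc), "usable:", is_usable_idp_metadata(doc))
```

Run `inspect_saml_metadata` on the file fetched from the `/protocol/saml/descriptor` URL above; if `role` comes back as `SP` you have the wrong export, and the signing certificate it lists is the one the SP must pin to validate assertions.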

how can I pass dynamic IP address in keycloak realm redirect URL?

I have created a Keycloak Docker image and deployed it in Kubernetes on my on-premise server, and set up localhost: as the redirect URL. When I am accessing it from other systems, it should be the IP address of that system instead of localhost. Could you please help me to get a dynamic IP set up in my Keycloak from the Kubernetes script?
I think you can just set the redirectUris in your realm config to *. Otherwise each system to be accessible needs to be added to the realm, which you can do from the admin console or through the API.
In Activiti we distribute a keycloak helm chart with a custom realm for activiti installations. In that we set redirectUris to * and allow that to be overridden at install time. We're doing that in a helm chart but if you weren't using a helm template then you could do a sed to replace a string. But that is for a shareable distribution. If you've just got a single installation then I'd expect you to be adding applications/clients to the realm through the console or API.
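What a `redirectUris` of `*` buys an attacker, as an added example that is not Keycloak's code and not from the answer: once any redirect_uri is valid, the authorization code (or the token, with the implicit flow) can be sent to a page the attacker controls. The matcher below is a simplified model of wildcard redirect-URI matching (exact match, prefix match for entries ending in `*`, everything for a bare `*`); the client configurations and probe URIs are constructed. It also shows the per-host generation the answer suggests doing at install time, and why each generated pattern should end in `/*` rather than a bare `*`.

```python
# Simplified model of how a client's valid redirect URIs are matched (added example, not
# Keycloak's implementation): an entry matches exactly, an entry ending in '*' matches by
# prefix, and a bare '*' matches every redirect_uri.

def redirect_uri_allowed(requested, registered_uris):
    """Return True if `requested` would be accepted under the registered patterns."""
    for pattern in registered_uris:
        if pattern == "*":
            return True
        if pattern.endswith("*"):
            if requested.startswith(pattern[:-1]):
                return True
        elif requested == pattern:
            return True
    return False


def find_open_redirects(registered_uris, probes):
    """Which attacker-chosen redirect_uri values the client configuration would let through."""
    return [p for p in probes if redirect_uri_allowed(p, registered_uris)]


def patterns_for_hosts(hosts, scheme="http", port=8080, path="/*"):
    """Per-host patterns generated at install time (the helm/sed step the answer mentions),
    each anchored with '/' before the wildcard so a look-alike hostname cannot match."""
    return ["%s://%s:%s%s" % (scheme, host, port, path) for host in hosts]


# Constructed client configurations and probe URIs for this example.
WEAK_CLIENT = {"clientId": "my-app", "redirectUris": ["*"]}
HARDENED_CLIENT = {
    "clientId": "my-app",
    "redirectUris": patterns_for_hosts(["localhost", "10.0.0.25", "app.internal.example"]),
}
PROBES = [
    "http://localhost:8080/callback",
    "http://10.0.0.25:8080/callback",
    "https://attacker.example/collect",                 # foreign origin
    "http://localhost:8080.attacker.example/callback",  # look-alike host sharing the prefix
]


if __name__ == "__main__":
    print("weak    :", find_open_redirects(WEAK_CLIENT["redirectUris"], PROBES))
    print("hardened:", find_open_redirects(HARDENED_CLIENT["redirectUris"], PROBES))
    # An unanchored pattern reopens the look-alike hole even without a bare '*':
    print(redirect_uri_allowed("http://localhost:8080.attacker.example/callback", ["http://localhost:8080*"]))
```

If the set of client machines is not known at install time, registering them through the admin API as they appear (the approach the answer recommends for a single installation) keeps the list explicit instead of widening it to `*`.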