Keycloak 18 with Quarkus as Windows Service - wildfly

With Wildfly as an application server, it was possible to run KeyCloak as a service on a Windows Server as follows (for example behind an IIS):
.\service.bat install /name keycloak /display Keycloak /desc "Keycloak"
.\service.bat start /name Keycloak
Unfortunately, there is no service.bat anymore to run KeyCloak 18 as a service, since it's backed by Quarkus now.
It seems that there is only a kc.bat:
./kc.bat start
So, what's a proper way to run KeyCloak 18 with Quarkus as a service on a Windows Server?
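One way to answer the question above, as an added example that is not part of the original post and not code shipped by the Keycloak project: register kc.bat as a Windows service with NSSM (the Non-Sucking Service Manager), because sc.exe cannot wrap a batch script that does not implement the service control protocol. The example assumes nssm.exe is on PATH, that `kc.bat build` has already been run with the build-time options (database driver etc.), that IIS terminates TLS in front of Keycloak, and that a dedicated non-administrative local account exists; the install directory, host name and account name are placeholders.

```powershell
# Added example: run the Keycloak 18 Quarkus distribution as a Windows service via NSSM.
# Assumptions: nssm.exe on PATH, `kc.bat build` already done, IIS in front as TLS-terminating
# reverse proxy. Every path, host name and account name below is a placeholder.

$ServiceName = 'keycloak'
$KcHome      = 'C:\keycloak-18.0.0'          # placeholder: unpacked distribution
$KcBin       = Join-Path $KcHome 'bin'
$LogDir      = Join-Path $KcHome 'log'
$Hostname    = 'sso.example.com'             # placeholder: public name served by IIS
$SvcAccount  = '.\svc_keycloak'              # placeholder: dedicated non-admin local account

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

# `kc.bat start` refuses to run without an explicit hostname and TLS/proxy settings.
# Keep that check instead of switching it off with --hostname-strict=false.
# --proxy=edge declares that the reverse proxy terminates TLS and sends X-Forwarded-*
# headers, so plain HTTP bound to the loopback interface only is acceptable here;
# IIS (ARR) must be configured to forward those headers and to proxy to 127.0.0.1:8080.
$KcArgs = "start --hostname=$Hostname --proxy=edge --http-enabled=true --http-host=127.0.0.1"

nssm install $ServiceName (Join-Path $KcBin 'kc.bat') $KcArgs
nssm set $ServiceName AppDirectory $KcBin
nssm set $ServiceName DisplayName 'Keycloak'
nssm set $ServiceName Description 'Keycloak 18 (Quarkus distribution)'
nssm set $ServiceName Start SERVICE_AUTO_START

# Run under a dedicated account rather than LocalSystem. NSSM prompts for the password
# when it is not supplied; the account needs the "Log on as a service" right.
nssm set $ServiceName ObjectName $SvcAccount

# kc.bat only writes to stdout/stderr, so capture and rotate that output.
nssm set $ServiceName AppStdout (Join-Path $LogDir 'keycloak.out.log')
nssm set $ServiceName AppStderr (Join-Path $LogDir 'keycloak.err.log')
nssm set $ServiceName AppRotateFiles 1
nssm set $ServiceName AppRotateBytes 10485760

# Restart the JVM if it exits unexpectedly.
nssm set $ServiceName AppExit Default Restart

# Secrets such as the database password belong in the service environment (or a
# Keycloak vault/keystore), not on the command line, where any local user can read them:
# nssm set $ServiceName AppEnvironmentExtra 'KC_DB_PASSWORD=<placeholder>'

nssm start $ServiceName
nssm status $ServiceName
```

After installation, `Get-Service keycloak` and the two log files in the log directory show whether the JVM came up; the stdout log will contain the hostname or proxy validation error if the start options do not match the IIS setup.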

Related

No Login Page shown with Keycloak and Quarkus

I have a Keycloak server running on my localhost with port 8081.
I'm trying to connect my Quarkus application with it to secure REST endpoints.
However, I'm not able to log in to my Keycloak server.
I annotated a /test endpoint with @RolesAllowed("user"). Since then I can't access the endpoint, but I get an empty page with a 401 Unauthorized error in the web console.
What I want is to get redirected to the Keycloak default page so I can authorize myself. Any ideas why that is not happening?
Here is my application.properties Keycloak configuration:
quarkus.oidc.auth-server-url=http://localhost:8081/realms/TestRealm
quarkus.oidc.client-id=testclient
quarkus.oidc.credentials.secret=MYSECRET
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=false
logging.level.org.keycloak=DEBUG
resteasy.role.based.security=true
quarkus.http.cors=true
quarkus.http.port=8080
When I set the policy enforcer to true, I can't access any endpoint.
TestRealm has a Resource configured with a /test endpoint.
In the Quarkus documentation for Keycloak they said that you don't need to set up your own Keycloak server in dev mode, since Quarkus comes with one. Might that be the problem? Is my Quarkus application not connecting to my Keycloak server? And if so, how can I force Quarkus in dev mode to use my Keycloak server?
EDIT: I figured out that I have access to my endpoint if I send the request with the Bearer token, so I guess Quarkus is accessing my Keycloak instance.
Still, why don't I get forwarded to the default Keycloak login page when trying to access my REST endpoint via my browser? Am I missing any configuration?
For anyone with the same issue I fixed it by adding:
quarkus.oidc.auth-mechanism=keycloak
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
to the config.

spring webflux with keycloak authentication over netty server

I want to run a WebFlux-based web app using the non-blocking Netty server and authentication using Keycloak.
It seems like Keycloak does not support the Netty server. Is there a way to override the default behavior of Keycloak and use Netty instead of Tomcat?
This is required because my WebFlux application does not work properly on other web servers.
I want to use Keycloak for basic authentication, but when I configure Keycloak in my application and try to run it, it does not come up on the Netty dependencies; only when I add Tomcat to my WebFlux pom.xml does the Keycloak server come up.
Any idea how to run Keycloak on the Netty server?

How to enable https for Keycloak in a Jhipster generated project?

I am trying to enable https for Keycloak in a JHipster-generated project. In the JHipster doc (https://www.jhipster.tech/security/), it says "In production, it is required by Keycloak that you use HTTPS. There are several ways to achieve this, including using a reverse proxy or load balancer that will manage HTTPS. We recommend that you read the Keycloak HTTPS documentation to learn more about this topic." And in the Keycloak doc, there is a step that says "First, you must edit the standalone.xml, standalone-ha.xml, or host.xml file".
Sounds reasonable, right? But, if installing and running the Keycloak server on Mac, the configuration file is in /opt/jboss/keycloak..., but when running this Keycloak within the JHipster-generated project (using the nice and easy command 'docker-compose -f src/main/docker/keycloak.yml up'), I find that there is no such folder /opt/jboss/... Either I did something wrong, or it was in some other space like a Docker container, or a JHipster container, or somewhere else. So the question is, how should we enable https on this Keycloak shipped with the JHipster-generated project?
I would appreciate any help from the community very much. Thanks!
Expose https port 8443 of your Keycloak container and you will have self-signed https, e.g.:
ports:
- 443:8443
Plus, use volumes if you have your own TLS certificate, e.g.:
volumes:
- /path/my-cert.crt:/etc/x509/https/tls.crt
- /path/my-cert.key:/etc/x509/https/tls.key

Unable to perform Keycloak single logout

I have two applications, let's say App1 and App2. App1 is protected using mod_auth_openidc and App2 is hosted on WildFly and protected using the Keycloak-specific Java adapter. The SSO works fine on both applications. However, the problem occurs in the case of logout. When I perform logout from App1, then both applications are redirected to login on the next request (as expected). However, when I perform logout on App2, then App1 still works as normal rather than asking for login again on the next request.
As per the Keycloak documentation, the Admin URL shall be set for a particular client so that it can be used by the Keycloak server to send backend requests to the application for various tasks, like logging out users or pushing revocation policies.
From the Apache logs, I cannot see any back-end request generated by Keycloak for the logout performed from App2. If I generate the logout from the Keycloak admin utility, then the Apache logs show a POST action for k_logout.
I think I am missing some configuration, but I don't know what. Any idea/help in this regard will be much appreciated. Many thanks.
Further details:
App1 - Django-based web application. This is hosted using Apache and protected using mod_auth_openidc. The Apache and mod_auth_openidc configurations are given below.
App2 - Spring MVC (Java). This is deployed on WildFly and is protected using the Keycloak adapter (as per the procedure mentioned here).
Keycloak configurations - Both applications are configured in Keycloak using the settings described here.
The Apache and mod_auth_openidc configurations are:
WSGIDaemonProcess myproject python-home=path_to_v_env python-path=path_to_python
WSGIProcessGroup myproject
WSGIScriptAlias / path_to_wsgi.py
OIDCProviderMetadataURL http://keycloak_domain/auth/realms/demo/.well-known/openid-configuration
OIDCRedirectURI http://domain_name/testapp
OIDCCryptoPassphrase random4321
OIDCClientID testapp
OIDCClientSecret client_secret
OIDCDefaultLoggedOutURL http://domain_name/
OIDCScope "openid email profile"
<Location /testapp/>
AuthType openid-connect
Require valid-user
</Location>
The versions of different systems in use are:
mod_auth_openidc 2.3.7
apache 2.4.34
Ubuntu 16.4
Keycloak 4.2.1

WildFly 10.1 Load Balancer + Kerberos/SPNEGO

How can I add SPNEGO authentication to a WildFly 10.1 load balancer?
Background:
All nodes are running on Windows.
The nodes themselves are running on WildFly 8.2.1 (because the application is tied to it) in a WildFly 8.2.1 domain
The load balancer is running WildFly 10.1
The nodes are registering with mod_cluster
You need to get the SPNEGO support into your application.
WildFly 8 and 9 don't have the Undertow SPNEGO integration ready (WFLY-2553). You should either switch to WildFly 10.x, or try to use a custom SPNEGO authentication method on your worker nodes. Try to use either the servlet filter approach or this custom authenticator.
My strong recommendation is to upgrade to WildFly 10+.
There isn't much to go by in your post as to what is and is not working. This forum is more about what custom code you have created that isn't working, and we can help you there. It seems in this instance you are looking more for an approach on how to set up Kerberos authentication into your WildFly nodes through a load balancer. As info, it doesn't matter that there is a load balancer involved, except that you specify a VIP name for the nodes in DNS and have the VIP name be the fully-qualified DNS host part of the name in the SPN, which you will need to set up in order for clients to do Kerberos SSO against the WildFly nodes. I don't know anything about WildFly specifically, but I found this link for you which may help get you started: WildFly 9 - Kerberos Authentication for Domain Management Over HTTP