Keycloak Java adapter client-only communication

I have a Keycloak server (v12) and I have an application server (Tomcat + Spring Boot + Keycloak adapter v16) with a confidential OAuth client configured.
Both servers are accessible by the client, but no connection from one server to the other is possible (FW I cannot change).
application.properties:
spring.autoconfigure.exclude=
keycloak.enabled=true
keycloak.realm=my-realm
keycloak.realm-key=MIIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
keycloak.auth-server-url=https://keycloak-server/auth/
keycloak.ssl-required=all
keycloak.resource=my-app
keycloak.credentials.secret=xxxxxxx
keycloak.confidential-port=0
How do I convince Spring Boot and Keycloak that it should use the defined realm-key, and not try to connect to the other server?
From my understanding it should be possible according to the docs and the OAuth2 standard.
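As an added example (not from the question's author), this builds the same adapter settings programmatically and verifies a bearer token purely against the configured realm public key: with realm-key set, the adapter installs a HardcodedPublicKeyLocator, so signature, issuer, expiry and token-type checks need no connection to the Keycloak server. The PEM value and the client secret are placeholders. Note that this covers token verification only; the authorization-code exchange of a confidential client (the part that uses keycloak.credentials.secret) is a separate back-channel POST from the adapter to the token endpoint.

```java
import java.util.HashMap;
import java.util.Map;

import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.adapters.rotation.HardcodedPublicKeyLocator;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.AdapterConfig;

public class OfflineTokenCheck {

    // Placeholder: the realm's RSA public key as a single base64 line
    // (Realm Settings -> Keys in the Keycloak admin console).
    static final String REALM_PUBLIC_KEY_PEM = "MIIB...placeholder...";

    // Same settings as the application.properties above, built in code.
    static KeycloakDeployment buildDeployment() {
        AdapterConfig cfg = new AdapterConfig();
        cfg.setRealm("my-realm");
        cfg.setRealmKey(REALM_PUBLIC_KEY_PEM);   // hard-coded key: no JWKS fetch from the server
        cfg.setAuthServerUrl("https://keycloak-server/auth/");
        cfg.setSslRequired("all");
        cfg.setResource("my-app");
        cfg.setConfidentialPort(0);
        Map<String, Object> credentials = new HashMap<>();
        credentials.put("secret", "xxxxxxx");    // placeholder client secret
        cfg.setCredentials(credentials);
        return KeycloakDeploymentBuilder.build(cfg);
    }

    // Verifies signature, issuer, expiry and type locally; returns null if the token is invalid.
    static AccessToken verifyOffline(KeycloakDeployment deployment, String bearerToken) {
        if (!(deployment.getPublicKeyLocator() instanceof HardcodedPublicKeyLocator)) {
            throw new IllegalStateException("realm-key not set: adapter would fetch the JWKS from the server");
        }
        try {
            return AdapterTokenVerifier.verifyToken(bearerToken, deployment);
        } catch (VerificationException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        KeycloakDeployment deployment = buildDeployment();
        String token = args.length > 0 ? args[0] : "<paste a bearer token issued by my-realm>";
        AccessToken at = verifyOffline(deployment, token);
        System.out.println(at == null ? "token rejected" : "token valid for " + at.getPreferredUsername());
    }
}
```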

Related

Handling Session Timeouts in Server side web applications integrated with Keycloak Java Servlet Adapter

I have integrated a Java Struts based server side application with a Keycloak OIDC and OAuth provider.
The Java servlet adapter mentioned in https://access.redhat.com/documentation/en-us/red_hat_single_sign-on_continuous_delivery/3/html-single/securing_applications_and_services_guide/index#servlet_filter_adapter is used for the same implementation.
The redirect_uri configured on the server is something like https://env.application.com/contextpath/
When the web application session times out and the user clicks on any link in the application, the redirect_uri that goes as part of the authorization code grant flow adds the URI of the link in addition to the redirect_uri configured in the Keycloak server. This will be something like, for example, https://env.application.com/contextpath/submenu?name=menu
This will result in an invalid redirect_uri error from the Keycloak server.
The Keycloak server doesn't allow a placeholder * to be configured, for security reasons.
Could someone please let me know how to handle web application session timeouts in applications integrated with a Keycloak OIDC and OAuth provider.
Is there any other best practice available to handle session timeouts in web applications integrated with Keycloak OIDC?

Spring WebFlux with Keycloak authentication over Netty server

I want to run a WebFlux based web app using the non-blocking Netty server and authentication using Keycloak.
It seems like Keycloak does not support the Netty server. Is there a way to override the default behavior of Keycloak and use Netty instead of Tomcat?
This is required because my WebFlux application does not work properly on other web servers.
I want to use Keycloak for basic authentication, but when I configure Keycloak in my application and try to run it, it does not come up on the Netty dependencies; only when I add Tomcat to my WebFlux pom.xml does the Keycloak server come up.
Any idea how to run Keycloak on the Netty server?

Authenticate jBPM through the Identity gateway

I am using jBPM standalone to create workflows. By default, login is performed using the users.properties file.
I have an Identity server (created in .NET IdentityServer4 implementing OpenID) running and I registered a client (e.g. JBPM_CLIENT) and have the details (scope, secret keys, etc.).
I am trying to redirect the authentication of jBPM through that Identity gateway.
While reading the documentation I thought Keycloak could be used for this requirement.
But when I look at the Keycloak GUI and configuration, it looks like Keycloak is something like IdentityServer4 and is useful for creating an Identity Server instance.
My doubt is whether I can use Keycloak as a client to connect to IdentityServer4?
Please suggest a route.
Keycloak can act as an identity broker and it supports OIDC (OpenID Connect) identity providers. Using that capability, first configure your IdentityServer4 as the OIDC provider on Keycloak. Keycloak's documentation covers these details.
Once that's set, you can configure jBPM to use the Keycloak client adapter for WildFly and then create a suitable Keycloak client under the same realm where you had configured the OIDC identity provider. Details related to that are covered in this blog (outdated though).

OpenID Connect server with spring-cloud-security

We are trying to use OpenID Connect (OIDC) for authentication and authorization (AnA) for our micro-service architecture based on the spring-cloud framework.
As a part of the requirements we want to achieve the following:
Integrate (OIDC) with SSO Federation as an identity provider; we are using federation to authenticate users (staff id).
How to customize the access_token, which in turn will be provided by a micro service (Authorization service).
I am looking at MITREid Connect as it is based on the Spring framework and Spring Security:
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
As a result of that, all requests to our services have to go through (OIDC) for (AnA).
I also checked https://cloud.spring.io/spring-cloud-security/ as I understand the Zuul server will get an access_token to relay to proxied services. But our scenario is different, as we want to expose other micro-services to external parties as well, so we want to secure our services.
Any advice is highly appreciated.

Intercepting and forwarding client certificate to webservice

I have a web application (GWT) that is running on a Tomcat application server. This web application consumes several web services (login, application data transfer, queries, etc.). The web service client on the Tomcat is implemented as an Apache Axis2 web service client.
For user logon I provide a form in the web application with username and password. This data is transmitted via web service to authenticate the user.
It is planned to change the whole authentication mechanism to client-certificate-based authentication. The authentication should still be done on the web service provider side.
So my system has three relevant components: the web client, the Tomcat application server and the web service provider.
Every user of the application has their own private client certificate (PKI token, X.509 auth cert). When the user connects to the web application, his certificate is requested.
How can I forward the client certificates for use in the web services? (The Tomcat will not be responsible for authentication.)
1.) Is there a way to intercept the request and extract the client certificates before an authentication error occurs?
I found some information about Servlet Filters which sounds really good, but I'm not sure where to implement it to intercept the certificates before they are verified against Tomcat's keystore.
2.) If it is possible, how can I then pass the client certificate to the web service?
Thank you for reading
No, not really. The real piece used in authentication is the private key associated with the certificate, not just the certificate itself. And, typically, you have no way of retrieving that from the web client. Therefore, you cannot really pass-through the credentials you receive from a web client on to the web service client. The certificate itself is readily available, but is useless for authentication without the corresponding private key.
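As an added illustration of the answer above (not code from either participant), this servlet filter reads the client certificate that Tomcat exposes to the web application after the TLS handshake. What the application receives is the X.509 certificate chain, i.e. public material only: the filter can log the subject and the public key, but there is no API through which the user's private key reaches the server, so nothing here can be replayed as a credential toward the Axis2 web service. The filter name and log wording are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Assumed filter name; register it in web.xml or with @WebFilter on the Tomcat web app.
public class ClientCertInspectionFilter implements Filter {

    // Servlet spec attribute under which Tomcat stores the verified client chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Returns the end-entity certificate, or null when the client presented none.
    static X509Certificate clientCertificate(ServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length > 0 ? chain[0] : null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate cert = clientCertificate(request);
        if (cert != null) {
            // Only the public half is available here: subject, issuer and public key.
            System.out.println("client cert subject=" + cert.getSubjectX500Principal()
                    + " issuer=" + cert.getIssuerX500Principal()
                    + " keyAlgorithm=" + cert.getPublicKey().getAlgorithm());
        } else {
            System.out.println("no client certificate on this request");
        }
        chain.doFilter(request, response);
    }
}
```

Because Tomcat validates the chain against its trust store before the request reaches any filter, this attribute is populated only when the handshake already succeeded; an untrusted certificate never gets this far.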