How to add additional param to url after successful login - single-sign-on

After successfully logging in to a Keycloak realm with the openid-connect protocol and response type code, Keycloak redirects the browser to the redirect URI with the session_state and code parameters appended (https://{redirect_uri}/?session_state={session_state}&code={code}).
How can the Keycloak server be made to add an additional parameter to the URL? Is it necessary to create an SPI?

Related

Google custom SAML app integration with Keycloak

I'm trying to configure IdP-initiated SSO with Google acting as the IdP, in order to authenticate to our web app, which supports SSO authentication via Keycloak, by clicking on the custom SAML app in the Google Workspace popup (basically it's just a link to https://accounts.google.com/o/saml2/initsso?idpid=[IDP ID]&spid=[SP ID]&forceauthn=false). The problem I have is that the request to Keycloak (ACS URL) fails with the following error:
If I set the Start URL field in the Google SSO configuration, for example to my web app's SSO login page, then it fails with another error:
Failing HTTP request:
URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
Method: POST
Status Code: 400
Form Data: SAMLResponse=[LONG BASE64]&RelayState=[EMPTY OR Start URL VALUE]
This is the configuration I use for Google custom SAML app:
ACS URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
Signed response: ON
Name ID format: EMAIL
Name ID: Basic Information > Primary email
Keycloak Identity Provider SAML Config:
Service Provider Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
Single Sign-On Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
Single Logout Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
NameID Policy Format: Email
Principal Type: Subject NameID
HTTP-POST Binding Response: ON
HTTP-POST Binding for AuthnRequest: ON
Validate Signature: ON
Validating X509 Certificates: [...]
Keycloak Version: 17.0.0
So my question is: what could be wrong with this setup, and is it necessary to put some URL into the Start URL field?
Also, do I need to configure a separate Keycloak client? I couldn't find any relation between the Google SAML / Keycloak IdP and Keycloak client configurations.
UPDATE:
Network recording in HAR format

org.keycloak.common.VerificationException: SigAlg was null with SkySpark

I'm trying to set up SAML integration between SkySpark as the service provider and Keycloak as the Identity Provider. I have done the following:
Copied the SkySpark SAML metadata XML and created a client in Keycloak from the XML file
Got the metadata URL from Keycloak and added it to the SkySpark SAML SSO configuration
When I access SkySpark it redirects to the Keycloak login page and shows the error "Invalid requester". The backend has the following errors:
ERROR [org.keycloak.protocol.saml.SamlService] (default task-4) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
I tried disabling Client Signature Required; it then shows me the login page, but after successful authentication SkySpark shows "SAML Authentication Failed". I can see a SAML response in the browser network tab.
Is there a signature validation issue at both ends? Should I do any other configuration apart from the above?

How to authenticate curl (or Postman, or Ajax) call with Spring Cloud Gateway and Keycloak

I'm using Spring Cloud Gateway with Keycloak, and authentication works from the browser.
But there is no Authorization header with the token; there is a SESSION cookie instead.
I don't want to use cookies at all, but a token instead.
Currently, if I post to http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token to get tokens and try to put the access_token in the Authorization header as a Bearer token, it doesn't work but returns the login page instead.
Also, if I add keycloak.js to the browser page and, after successful login, add xhttp.setRequestHeader('Authorization', 'Bearer ' + keycloak.token); to the Ajax call, it again returns the login page.
So how can Spring Cloud Gateway be used with Keycloak from any client that provides a valid token?
Here is my gateway configuration; the web app behind it on the /web/ route doesn't have any security applied. Keycloak is configured with a basic public client.
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
        ReactiveClientRegistrationRepository clientRegistrationRepository) {
    // Browser flow only: unauthenticated requests are redirected to Keycloak and a SESSION cookie is kept.
    http.oauth2Login();
    // RP-initiated logout: ends the Keycloak session as well as the gateway session.
    http.logout(logout -> logout
            .logoutSuccessHandler(new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrationRepository)));
    http.authorizeExchange().pathMatchers("/web/private").authenticated()
            .pathMatchers("/web/**").permitAll()
            .anyExchange().authenticated();
    http.headers().frameOptions().mode(Mode.SAMEORIGIN);
    http.csrf().disable();
    return http.build();
}
If you want to make requests to Spring Gateway with access token you need to make it a resource server: https://stackoverflow.com/a/66923312/11122338
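One way to apply that answer, as an added example that is neither the asker's code nor the linked answer's: the same reactive filter chain with JWT resource-server support enabled, so the gateway accepts an Authorization: Bearer header from curl, Postman or Ajax alongside the browser login. It assumes Spring Security 5.2+ on WebFlux and the property spring.security.oauth2.resourceserver.jwt.issuer-uri set to the realm issuer (http://localhost:8080/auth/realms/myrealm, taken from the question); the class name GatewaySecurityConfig is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;

// Added example (not the asker's or the linked answer's code). Assumes the application property
// spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/myrealm
// so that Spring fetches the realm's JWKS and validates each token's signature and "iss" claim.
@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        http
            // Browser flow: unauthenticated requests are redirected to Keycloak; a SESSION cookie is kept.
            .oauth2Login(Customizer.withDefaults())
            // API flow: an "Authorization: Bearer <access_token>" header is validated as a JWT.
            // A request that carries a Bearer header and fails validation gets 401, not a login redirect.
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            // RP-initiated logout: ends the Keycloak session as well as the gateway session.
            .logout(logout -> logout.logoutSuccessHandler(
                    new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrationRepository)))
            .authorizeExchange(ex -> ex
                    .pathMatchers("/web/private").authenticated()
                    .pathMatchers("/web/**").permitAll()
                    .anyExchange().authenticated())
            .headers(h -> h.frameOptions(f -> f.mode(Mode.SAMEORIGIN)))
            // CSRF protection only concerns the cookie session; Bearer calls are unaffected either way.
            // Kept disabled here to match the asker's configuration.
            .csrf(ServerHttpSecurity.CsrfSpec::disable);
        return http.build();
    }
}
```

With this in place, a call such as curl -H "Authorization: Bearer $ACCESS_TOKEN" http://<gateway-host>/web/private reaches the route without any cookie, while a browser without a token is still sent to the Keycloak login page.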

Keycloak Client settings, what URLs do I need?

I have problems setting up Keycloak for a project I do.
Keycloak is running on http://localhost:8180.
A Thorntail server is running on http://localhost:8080/users, which serves data for an Angular frontend on http://localhost:4200/*. What I want is that a user can only see http://localhost:4200/sign-in without logging in. Once logged in they can access, for example, http://localhost:4200/list-user.
I was using this guide to set up Keycloak, but I'm not sure what my Client settings should be. This is what I thought:
Root URL: http://localhost:4200/sign-in
Valid Redirect URIs: http://localhost:4200/list-user
Base URL: http://localhost:4200/sign-in
Admin URL: http://localhost:8080
Could somebody please explain the purpose of these settings, as I struggle to understand them?
Root URL is just a value that will be used for resolving relative paths.
Root: http://localhost:4200/sign-in
Valid Redirects: /* (After login the user can be redirected to any URI that matches the pattern http://localhost:4200/sign-in/*)
Base URL: / (Not mandatory. Used when Keycloak needs to calculate the application URL from the client_id only)
Admin URL: / (Used when Keycloak needs to notify applications about revocation or when a user logs out. For example, when a user logs out of application A while also having a session in application B, Keycloak sends a backchannel request to the Admin URL of application B, so that application B flushes the user's session as well)
Check out the docs and the info badges in the Admin Console.

Keycloak login page: Redirect to another client

I have 2 clients within the same realm in Keycloak, let's say localhost:9090/first/ and localhost:9090/second/. What I want is: when a user types localhost:9090/first/ and logs in, Keycloak should redirect him/her to localhost:9090/second/. But the Keycloak server throws "invalid url" when I save the first client's "redirect uri" as localhost:9090/second/. Is it possible to redirect to another client?
You need to add this URL in the valid URL section of Keycloak.