Spring Cloud Gateway with Multiple Resource Servers - keycloak

I have a Spring Cloud Gateway instance with Eureka and KeyCloak as the Resource Server.
The Gateway is configured as:
spring:
  security:
    oauth2:
      client:
        registration:
          gateway:
            provider: keycloak
            client-id: xxxx
            client-authentication-method: none
            scope: xxxx
        provider:
          keycloak:
            issuer-uri: xxx/realms/realmOne
The settings of the micro-service behind the Gateway are:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: xxx/realms/realmOne
This KeyCloak Client is linked to Windows Active Directory (Standard Flow = ON, Direct Access Grant = ON, Implicit Flow = OFF). So any URL hit on this service redirects to the KeyCloak login page, after which the credentials are confirmed by AD. After that the JWT is issued and URL access can continue.
However, we now have background processes which need to access these URLs. Obviously, the background process will not be able to log in.
Therefore, I believe that I need a new KeyCloak Client with "Authorization" enabled (Implicit Flow = ON, Service Account = ON, Authorization = ON).
So can the current Gateway deal with more than one KeyCloak Client? If yes, how? If not, would I need a second Gateway that uses the same KeyCloak Realm but with the new Client?


No Login Page shown with Keycloak and Quarkus

I have a keycloak Server running on my localhost with port 8081.
I'm trying to connect my Quarkus application with it to secure REST-Endpoints.
However, I'm not able to log in to my Keycloak server.
I annotated a /test endpoint with @RolesAllowed("user"). Since then I can't access the endpoint; instead I get an empty page with a 401 Unauthorized error in the web console.
What I want is to get redirected to the Keycloak default login page so I can authorize myself. Any ideas why that is not happening?
Here is my application.properties Keycloak configuration:
quarkus.oidc.auth-server-url=http://localhost:8081/realms/TestRealm
quarkus.oidc.client-id=testclient
quarkus.oidc.credentials.secret=MYSECRET
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=false
logging.level.org.keycloak=DEBUG
resteasy.role.based.security=true
quarkus.http.cors=true
quarkus.http.port=8080
When I set the policy enforcer to true I can't access any endpoint.
TestRealm has a Resource configured with a /test endpoint.
In the Quarkus documentation for Keycloak they say that you don't need to set up your own Keycloak Server in Dev mode since Quarkus comes with one. Might that be the problem? Is my Quarkus application not connecting to my Keycloak server? And if so, how can I force Quarkus in dev mode to use my Keycloak server?
EDIT: I figured out that I have access to my endpoint if I send the request with the Bearer token, so I guess Quarkus is accessing my Keycloak instance.
Still, why don't I get forwarded to the default Keycloak login page when trying to access my REST endpoint via my browser? Am I missing any configuration?
For anyone with the same issue: I fixed it by adding the following to the config:
quarkus.oidc.auth-mechanism=keycloak
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

Keycloak-nodejs-connect grantManager can't validateToken when configured with internal kubernetes keycloak service address

I have an issue when validating tokens using the keycloak-nodejs-connect library deployed to a Kubernetes cluster, specifically when using the internal Kubernetes service address for Keycloak as the auth-server-url. I am using Keycloak version 10.0.1.
Our workflow is as follows: our web app authenticates with a public Keycloak client to obtain an access token. This token is attached to requests to the db for data. The db (hasura) uses an auth hook to validate the token before allowing access to its data. This auth hook implements the keycloak-nodejs-connect lib and, through the provided middleware, calls the grantManager's validateToken. However, when the connect lib is configured with the Kubernetes service address (http://keycloak:8080/auth/) it is guaranteed to error on the issuer match, because the issuer property in the JWT token (iss) will be the frontend URL configured in the Keycloak server (https://keycloak.public.address.uk/auth/).
Is there a way to provide a frontend and a backend URL to the keycloak-nodejs-connect library so that the issuer validation can occur whilst using the backend URL to speak to Keycloak via a Kubernetes service, or should I be configuring Keycloak a certain way so that the issuer is different? I specifically need to use a Kubernetes service address here rather than a public address for Keycloak communications in my cluster.
The following source location hyperlinks try to highlight the issue in code:
nodejs connect server URL config (note only one URL is available, used for both Keycloak server communication and issuer validation)
Where the config is applied
Where the token issuer is validated against the configured Keycloak auth server
Keycloak server's front end URL
One example of how the issuer is set to the frontend URL when the token is being generated
Many thanks for any help,
Andy.
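As an added, self-contained illustration (not code from the original post, nor from keycloak-nodejs-connect or Keycloak), the following Python script reproduces the check that fails in the setup described above: the token's `iss` claim is compared against an issuer derived from Keycloak's public frontend URL, which is a different string from the issuer one would derive from the in-cluster service URL used to reach Keycloak. A real Keycloak token is RS256-signed and verified against the realm's JWKS; this demo signs with an HS256 shared secret so it runs offline. The URLs, realm name, subject and secret are constructed values, and the `/auth` prefix in the issuer reflects the pre-Quarkus Keycloak versions (such as 10.x) mentioned in the post.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this demo (not taken from the original post).
INTERNAL_AUTH_URL = "http://keycloak:8080/auth/"                  # reachable only inside the cluster
PUBLIC_FRONTEND_URL = "https://keycloak.public.address.uk/auth/"  # Keycloak's configured frontend URL
REALM = "demo-realm"
DEMO_KEY = b"constructed-hs256-secret-for-offline-demo"  # stands in for the realm's RS256 key / JWKS


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer string Keycloak (with the legacy /auth prefix) puts in `iss` for a realm served under base_url."""
    return base_url.rstrip("/") + "/realms/" + realm


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Create a compact HS256 JWT; stands in for a token issued by Keycloak."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def validate_token(token: str, expected_issuer: str, key: bytes = DEMO_KEY,
                   now: Optional[float] = None) -> dict:
    """Verify signature, expiry and issuer; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":                      # never let the token pick the algorithm
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    if claims.get("iss") != expected_issuer:              # the check that fails in the post
        raise ValueError("issuer mismatch: got %r, expected %r" % (claims.get("iss"), expected_issuer))
    return claims


def demo(now: float = 1_600_000_000) -> dict:
    """Same token, two candidate issuers: the internal service URL fails, the frontend URL passes."""
    token = mint_token({
        "iss": realm_issuer(PUBLIC_FRONTEND_URL, REALM),  # what Keycloak actually emits
        "sub": "service-user",
        "exp": now + 300,
    })
    results = {}
    try:
        validate_token(token, realm_issuer(INTERNAL_AUTH_URL, REALM), now=now)
        results["internal_url_as_issuer"] = "accepted"
    except ValueError as err:
        results["internal_url_as_issuer"] = str(err)
    validate_token(token, realm_issuer(PUBLIC_FRONTEND_URL, REALM), now=now)
    results["frontend_url_as_issuer"] = "accepted"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the split in `validate_token` is that the expected issuer and the endpoint used to fetch keys are independent inputs: a validator running in the cluster can take its signing keys from the JWKS behind the internal service address while still comparing `iss` against the realm issuer built from the public frontend URL, which is exactly the pair of settings the post asks for.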

Redirect secured by Keycloak client side apps to login page after idle timeout. Apps are behind app gateway

How to implement logout of client side services after idle timeout?
Services are secured by Keycloak + Application gateway.
The Gateway is a node.js app which protects the services' URLs using the Keycloak node.js adapter, so that authentication is required on browser access to the URLs (redirect to the login URL).
Services enforce authorization locally by inspecting the roles present in the access token the gateway receives and attaches to the request after successful authentication.
Keycloak is behind gateway too.
I thought about adding custom event listener in Keycloak code which would notify all the services interested in session timeout event via some message bus.
Thanks in advance.
Keycloak informs all clients participating in a session that gets terminated (by timeout or explicit logout request). The only prerequisite is that the "Admin URL" is set for the client (see Keycloak admin console - client settings).
Since you're using the Keycloak node.js adapter it should be able to handle the logout request from Keycloak.
See Keycloak Server Administration Guide (look for "Admin URL").

What is meaning of Kubernetes webhook user client-certificate config?

I need to implement a custom authentication and authorisation module for Kubernetes. This is going to have to be done via a web hook.
The documentation for the authentication and authorisation webhooks describes a config file that the API Server needs to be started with.
The config file looks identical for both authentication and authorisation and looks like this:
# clusters refers to the remote service.
clusters:
  - name: name-of-remote-authn-service
    cluster:
      certificate-authority: /path/to/ca.pem  # CA for verifying the remote service.
      server: https://authn.example.com/authenticate  # URL of remote service to query. Must use 'https'.
# users refers to the API server's webhook configuration.
users:
  - name: name-of-api-server
    user:
      client-certificate: /path/to/cert.pem  # cert for the webhook plugin to use
      client-key: /path/to/key.pem  # key matching the cert
# kubeconfig files require a context. Provide one for the API server.
current-context: webhook
contexts:
  - context:
      cluster: name-of-remote-authn-service
      user: name-of-api-server
    name: webhook
I can see that the clusters section refers to the remote service, i.e. it's defining the webhook, thereby answering the question the API Server needs to have answered: "what is the URL endpoint to hit when an authn/authz decision is required, and when I connect via HTTPS, who is the CA authority for the webhook's TLS certificate so that I know I can trust the remote webhook?"
I'm not sure of the users section. What is the purpose of the client-certificate and client-key fields? The comment in the file says "cert for the webhook plugin to use", but as this config file is given to the API Server, not the web hook, I don't understand what this means. Is this a certificate that will allow the webhook service to authenticate the connection that the API Server will initiate with it? i.e. the client certificate needs to go into the truststore of the webhook server?
Are both of these assumptions correct?
The Kubernetes webhook uses two-way SSL authentication, so the fields in the users section are used to configure the certificates for the client side's authentication.
The clusters section configuration just does normal one-way SSL authentication, in which the server (here your webhook module) will validate the client's (here Kubernetes) request with the configured certificate.
As long as you have configured certificates in the users section, the client (Kubernetes) has the ability to validate the server's (webhook module) response, acting like a reverse CA authentication of one-way SSL.

How to access encryption endpoint for Pivotal Spring Cloud Service config server

I am using Pivotal Cloud Foundry with Spring Cloud Services 1.0.0. I am wondering what the proper way to access the /encryption endpoint is on our Config Server service instance. I get an OAuth "Full authentication required" error when trying to access the endpoint, but I am not sure which credentials I should authenticate with. I don't even know if the encryption endpoint is set up; there is nothing in the documentation to suggest it is or isn't available.
You either need to look at the logs during startup to capture the generated password OR you need to provide a password in your startup configs.
Add this to your bootstrap.yml:
security:
  user:
    password: yourPasswordHere
Or add this to your bootstrap.properties:
security.user.password=yourPasswordHere
You can login with user/yourPasswordHere to authenticate once your application has been deployed.