Hi StackOverflow users,
I'm struggling with KeyCloak configuration because we want to change our current Identity provider to KeyCloak.
Our current solution exposes url with /openid prefix which causes i.e. issuer to be HOSTNAME/openid or event service discovery under HOSTNAME/openid/.well-known/openid-configuration.
When I'm trying to use KeyCloak everything what I have achieved is /auth/realms/openid/.well-known/openid-configuration.
Does anyone know how to remove /auth/realms prefix for KeyCloak?
Instead of changing keycloak urls (of course that is bit difficult). What if you can put a proxy in front of your keycloak to resolve '/openid/.well-known/openid-configuration' to '/auth/realms/openid/.well-known/openid-configuration'.
Or else by changing keycloak web.xml file's
<web-context>auth</web-context>
to
<web-context></web-context>
you can get rid of "auth" part.
Related
After changing the domain name, Keycloak is still trying to authenticate using the old domain name. I'm using the Keycloak version 16.1 with KeycloakJS on the frontend using PKCE, on a server that runs everything in docker containers behind an Nginx reverse proxy.
I have changed all the references of the old domain to the new one, but it still redirects to the old domain:
https://auth.old-domain.com/auth/realms/dev-realm/protocol/openid-connect/3p-cookies/step1.html
All the other resources are requested from the new domain, except the step1.html, which is calling the above link.
Any idea of what may be the culprit?
Found the problem. It's not related to Keycloak.
Even though I have changed the auth URL in the frontend application to the new domain, the CI/CD pipeline wasn't updating the docker image for the frontend application, so it used the old image that had the reference to the old domain.
Problem is, I'm starting the Quarkus service and a Keycloak in a docker-compose setup, where I need to configure the internal hostname and it won't be the same I will use to authenticate from outside.
In the following picture I want Swagger-UI to open the external url (http://localhost:8180 in my case) instead of the internal docker-compose url (http://keycloak:8080).
Is there a config property available to change this? I don't not find anything matching and tried out some stuff, but was unsuccessful.
I'm starting the Keycloak server in devmode and mount a custom realm during file.
To the Quarkus service I set the following properties:
environment:
QUARKUS_OIDC_AUTH_SERVER_URL: http://keycloak:8080/realms/WPLAT_dev-keycloak-realm
QUARKUS_OIDC_CLIENT_ID: my-service
QUARKUS_OIDC_CREDENTIALS_SECRET: secret
QUARKUS_OIDC_TOKEN_ISSUER: http://localhost:8180/realms/WPLAT_dev-keycloak-realm
(QUARKUS_OIDC_TOKEN_ISSUER was needed or otherwise the returned tokens weren't accepted)
I created a Rest-API and a frontend as a self contained system with Quarkus.
The frontend is served statically.
For Authentication i use a kleycloak server and have nearly the same configuration as in this guide from quarkus.
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
With this config i need to authenticate for the rest-api and the frontend. Thats what i want.
If i try to load the index.html i got redirected to keycloak and back. That works perfectly.
The problem is, that the same thing happens with the rest-api. I got redirected to keycloak with a "302 found"-status code. Here I would like to have an authentication with a bearer token and no redirect. Quarkus has the following configuration for this:
quarkus.oidc.application-type=service
That collides with the configuration for the frontend. Is there a way to use both, one for static files and one for the rest-api?
If I'm not wrong you're looking for a multi-tenant oidc setup(even though you're not designing tenants). The guide and example can be found on the official quarkus website here.
This way you'll have similar setup:
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.oidc.restapi.auth-server-url=http://localhost:8180/auth/your/path
quarkus.oidc.restapi.client-id=backend
quarkus.oidc.restapi.application-type=service
P.S you can replace restapi with more likable name.
I am using Kong and the JWT plugin to authenticate my upstream services. I have a use case where i would like to expose an endpoint in one of the services without having Kong authenticate against it. I was wondering if there is any way to specify exclusion patterns to let Kong know to ignore authentication for this endpoint?
Thanks in advance for any help!
Kong looks at the configured APIs in order of length. So it should be possible (without have tested it) that you use a longer uri (the one you want to make publicly accessible) without the JWT plugin, while keeping your current endpoint with the JWT plugin.
For example, if your current configuration is on /myApi and the path you want to make public is /myApi/login, then add an API on the latter without configuring the JWT on it.
Hello I am using Nexus OSS, and wanted to simulate SSO, using Remote User Token. Currently the Nexus is configured to LDAP authentication, and is working fine.
As per the instructions found here https://books.sonatype.com/nexus-book/reference/rutauth.html
Basically enabled Remote User Token and added header field Name "REMOTE_USER". This user is ldap and has access.
This instance is behind apache, so from apache, To test this RUT, I can set the header value REMOTE_USER, whoever, I don't see passed in user getting logged nor I see cookie being generated. I even tried firefox rest api client and set header, but with the same results. I can see that HTTP header is being set right.
Am I missing something?
Is there a way to debug that? Appreciate any help.
Thanks
S
RUT handles authentication, but the authenticated user still needs to be authorized to access the web UI. What this means is that you need an LDAP user or group mapping in Nexus which assigns the necessary roles and privileges to the user.
I had a similar issue with Nginx, the header was not set using the correct value.
This can be quite confusing, as the reverse proxy does not complain and simply sends a blank request header to Nexus.
Using Keycloak and Nginx (Lua), instead of a preferred_username field in the IdP response:
-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-Proxy-REMOTE-USER", res.preferred_username)
I had to use the preferred_username field returned in the response's id_token element:
-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-Proxy-REMOTE-USER", res.id_token.preferred_username)