Keycloak OpenID Connect - GitHub

I want to connect Keycloak to the identity provider of my organization, but it is failing.
To test the connection between Keycloak and other identity providers I have used GitHub and connected it with Keycloak using Keycloak's default template for GitHub, and it worked.
Now I am trying to connect GitHub with Keycloak using the generic "OpenID Connect v1.0" configuration to check if it can help me somehow, but I didn't succeed. I was redirected to the GitHub login page and logged in, but then, when redirected back to Keycloak, Keycloak sends the error "Unexpected error when authenticating with identity provider".
Has anyone managed to connect GitHub to Keycloak using the generic "OpenID Connect v1.0" configuration?
In Keycloak I have used this configuration:
Authorization URL:
https://github.com/login/oauth/authorize
Token URL:
https://github.com/login/oauth/access_token
In GitHub I have configured the application with:
Homepage URL:
https://MY_IP/auth/realms/REALM_NAME/broker/githubcustom/endpoint
Authorization callback URL:
https://MY_IP/auth/realms/REALM_NAME/broker/githubcustom/endpoint

GitHub supports OAuth and not OpenID Connect v1.0, so I wouldn't expect it to work. I would use the Social->GitHub provider type.

Related

No Login Page shown with Keycloak and Quarkus

I have a Keycloak server running on my localhost on port 8081.
I'm trying to connect my Quarkus application with it to secure REST endpoints.
However, I'm not able to log in to my Keycloak server.
I annotated a /test endpoint with @RolesAllowed("user"). Since then I can't access the endpoint, but I get an empty page with a 401 Unauthorized error in the web console.
What I want is to get redirected to the Keycloak default page so I can authorize myself. Any ideas why that is not happening?
Here is my application.properties Keycloak configuration:
quarkus.oidc.auth-server-url=http://localhost:8081/realms/TestRealm
quarkus.oidc.client-id=testclient
quarkus.oidc.credentials.secret=MYSECRET
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=false
logging.level.org.keycloak=DEBUG
resteasy.role.based.security=true
quarkus.http.cors=true
quarkus.http.port=8080
When I set the policy enforcer to true, I can't access any endpoint.
TestRealm has a Resource configured with a /test endpoint.
In the Quarkus documentation for Keycloak they say that you don't need to set up your own Keycloak server in dev mode, since Quarkus comes with one. Might that be the problem? Is my Quarkus application not connecting to my Keycloak server? And if so, how can I force Quarkus in dev mode to use my Keycloak server?
EDIT: I figured out that I have access to my endpoint if I send the request with the Bearer token, so I guess Quarkus is accessing my Keycloak instance.
Still, why don't I get forwarded to the default Keycloak login page when trying to access my REST endpoint via my browser? Am I missing any configuration?
For anyone with the same issue, I fixed it by adding:
quarkus.oidc.auth-mechanism=keycloak
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
to the config.

Keycloak-nodejs-connect grantManager can't validateToken when configured with internal kubernetes keycloak service address

I have an issue when validating tokens using the keycloak-nodejs-connect library deployed to a Kubernetes cluster, specifically when using the internal Kubernetes service address for Keycloak as the auth-server-url. I am using Keycloak version 10.0.1.
Our workflow is as follows: our web app authenticates with a public Keycloak client to obtain an access token. This token is attached to requests to the DB for data. The DB (Hasura) uses an auth hook to validate the token before allowing access to its data. This auth hook implements the keycloak-nodejs-connect lib and, through the provided middleware, calls the grantManager's validateToken. However, when the connect lib is configured with the Kubernetes service address (http://keycloak:8080/auth/) it is guaranteed to error on the issuer match, because the issuer property in the JWT token (iss) will be the frontend URL configured in the Keycloak server (https://keycloak.public.address.uk/auth/).
Is there a way to provide a frontend and backend URL to the keycloak-nodejs-connect library so that the issuer validation can occur whilst using the backend URL to speak to Keycloak via a Kubernetes service? Or should I be configuring Keycloak a certain way so that the issuer is different? I specifically need to use a Kubernetes service address here rather than a public address for Keycloak communications in my cluster.
The following source location hyperlinks try to highlight the issue in code:
nodejs connect server url config (note only one URL is available, used for both Keycloak server communication and issuer validation)
Where the config is applied
Where the token issuer is validated against the configured Keycloak auth server
Keycloak server's front end url
One example of how the issuer is set to the frontend url when the token is being generated
Many thanks for any help,
Andy.

How to change identity provider callback URL in Keycloak

I have a Keycloak server hosted in Kubernetes. When I make a request to an external identity provider (like Google/Facebook), the hostname is used in the redirect URL automatically. How can I change the redirect URL for my identity provider?
The auto-generated redirect_url from Keycloak:
http://keyclaok:8080/auth/realms/{MY_REALM}/broker/google/endpoint
What I expected:
http://www.example.com/my-custom-callback/endpoint, this URL will redirect to the original Keycloak endpoint.
My identity provider settings in Keycloak
The auto-generated redirect_url (shown in the UI) should not be relevant for you.
AFAIK Keycloak just builds up the URL with the current hostname you are accessing Keycloak with.
So when you access your admin console via
http://keyclaok:8080/
the redirect URL for a Google identity provider is shown as
http://keyclaok:8080/auth/realms/{MY_REALM}/broker/google/endpoint
If you access Keycloak over your domain
http://www.example.com/auth
and try to authenticate over Google, the valid redirect URL will be
http://www.example.com/auth/realms/{MY_REALM}/broker/google/endpoint
In my opinion you can't decide what the redirect URL will look like (especially not the suffix realms/{MY_REALM}/broker/google/endpoint), because it's relative to the Keycloak base URL and Keycloak needs it internally to map an answer to the correct realm and IdP.
But I think you shouldn't have a problem with such a URL, as long as Keycloak is accessible over your domain.

Restrict keycloak OIDC login with google to a specific hosted domain

I have added an identity provider with OpenID Connect v1.0 and used Google endpoints. I have provided the option ?hd=X.com (https://accounts.google.com/o/oauth2/v2/auth?hd=X.com) to restrict the login, but as per the Google doc, it says hd is an optional parameter. How can I validate the token received from Google after login, from the Keycloak perspective, and restrict login?
For anyone still curious about this, as of KC 11.0.0 the Keycloak server is explicit that it will validate that the response from Google matches the hd parameter you set in Keycloak, as seen here:

Keycloak with OpenIdConnect external identityprovider

I have an external OpenID Connect identity provider registered with Keycloak. When the client app tries to access the protected resource it gets redirected to the Keycloak login page. On the login page I have the external OpenID Connect provider buttons enabled. Once the user clicks on the button he is taken to the external identity provider (which is an IdentityServer3 instance). The external provider does authenticate the user and sends back a code.
Now the redirect URL for the registered client in the external identity provider is that of Keycloak. So after authentication is successful at the external IdP, it sends back the code (because it is the auth code flow) to Keycloak at a redirect URL:
http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint?code=7bcf5157105199d50874e64eabf03858&state=wQhNIEKW0Ws6CotZg2EsvOorjDVQlWVvobcM2skPSXo.keycloak-client&session_state=rhgu-BXT8FniG9Z-UARKpp_f-V1nLN-VxFmSE3PSxDg.99b2d903367208e4261fefa475afb1eb
If you look at the URL, it ends with endpoint. I don't think that's correct, but I cannot change it in Keycloak (it's disabled) and, because of that, not in the external IdP client configuration either.
Keycloak does not understand the above URL and errors out with the message "unexpected error when authenticating with Identity Provider".
Isn't Keycloak supposed to understand the code flow and make another request for a token after receiving the code? Then the external IdP will respond with a token and Keycloak will send that token back to the client (and will also store it for future use).
Can someone please share some knowledge on how Keycloak works with an external OpenID Connect ID provider with the code flow?
Usually the redirect URI for external identity providers takes the form {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint. You have to specify this as the redirect URI when you register your client in the external identity provider. Once the user is authenticated through the external IdP, the authorization code will be sent to this URL, which in turn will redirect to the redirect URL of your client application (specified when registering the client in Keycloak).
"Unexpected error when authenticating with Identity Provider" is the general error message sent by Keycloak for several errors that occur during the OAuth flow. You won't be able to determine the actual cause without going through the stack trace or the logs in the prompt.
You are getting this error because Keycloak is unable to get a token from IdentityServer3 by exchanging the authorization code. Where did you host IdentityServer3? Does it have a real CA certificate, or are you using a self-signed certificate? Have you configured the client_id, secret and token endpoint properly in the Keycloak external IdP configuration? You can test manually by posting the client_id, secret and code (that you received) to the token endpoint of IdentityServer3.