How to obtain a JWT token via an AuthenticationProvider from an internal Oauth2 server without redirecting to the server for login - jwt

We have a microservice-based environment running our own authentication server that produces JWT tokens via the /oauth/token endpoint, but this server does not provide a web login page.
For our front-end application we have tried the oauth2Login setups, but they all want to redirect the browser to the authentication server, authenticate there and then redirect back to the application. Likewise, oauth2Client setups add an AuthenticationProvider, but that will only authenticate an OAuth2AuthorizationCodeAuthenticationToken, whereas the user login request generates a UsernamePasswordAuthenticationToken, so the oauth2Client provider never gets evaluated.
We were looking for something similar to the LDAP authentication providers, in that the username and password are collected locally and sent to the authorisation server. While we can write our own custom AuthenticationProvider which accepts the UsernamePasswordAuthenticationToken, communicates with the OAuth server and returns the generated JWT, we were hoping there was something pre-existing as part of the current Spring Boot framework. If our understanding is correct, the oauth2Client setup is what we are after, but we can't work out how to enable the initial authentication.
We are using Spring Boot 2.2.5.
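The custom provider the question describes, written out as an added example (this is not code from the question or from Spring Security itself). It accepts the UsernamePasswordAuthenticationToken that the form login produces, sends the credentials to the internal server's /oauth/token endpoint as an OAuth2 password grant (RFC 6749 section 4.3), and returns an authenticated token carrying the JWT. The token URI, client id, client secret, the ROLE_USER authority and the use of RestTemplate with Jackson are assumptions; the server must support the password grant and answer with a JSON body containing access_token.

```java
// Added example: custom AuthenticationProvider exchanging username/password for a JWT
// at an internal OAuth2 token endpoint. Assumes Spring Boot 2.2.x with
// spring-boot-starter-security and spring-boot-starter-web on the classpath.
// The token URI, client id/secret and ROLE_USER below are placeholders.
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

public class OAuthTokenAuthenticationProvider implements AuthenticationProvider {

    private final RestTemplate rest = new RestTemplate();
    private final String tokenUri;      // placeholder: https://auth.internal.example/oauth/token
    private final String clientId;      // placeholder: client registered at the authorization server
    private final String clientSecret;

    public OAuthTokenAuthenticationProvider(String tokenUri, String clientId, String clientSecret) {
        this.tokenUri = tokenUri;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String password = (String) authentication.getCredentials();

        // Password grant body (RFC 6749 section 4.3.2); the client itself authenticates with HTTP Basic.
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("username", username);
        form.add("password", password);
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(clientId, clientSecret);

        Map<?, ?> body;
        try {
            ResponseEntity<Map> response = rest.postForEntity(tokenUri, new HttpEntity<>(form, headers), Map.class);
            body = response.getBody();
        } catch (HttpStatusCodeException e) {
            // 400/401 from the token endpoint: the server rejected the user or client credentials.
            throw new BadCredentialsException("Authorization server rejected the credentials", e);
        } catch (RestClientException e) {
            throw new AuthenticationServiceException("Authorization server unreachable", e);
        }
        if (body == null || !(body.get("access_token") instanceof String)) {
            throw new AuthenticationServiceException("Token response did not contain access_token");
        }
        String jwt = (String) body.get("access_token");

        // The JWT becomes the credentials of the authenticated token so downstream calls to the
        // other microservices can forward it as a Bearer token. Authorities should be derived from
        // the token's claims in a real deployment; ROLE_USER is a placeholder.
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                username, jwt, Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // This is what lets the provider see the token produced by the form login.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authenticationProvider(new OAuthTokenAuthenticationProvider(
                        "https://auth.internal.example/oauth/token", "frontend", "frontend-secret")) // placeholders
            .authorizeRequests().anyRequest().authenticated()
            .and().formLogin();
    }
}
```

The provider maps a 400/401 from the token endpoint to BadCredentialsException, so the standard form login shows its normal failure page, while a network error becomes AuthenticationServiceException rather than a misleading "bad password". The JWT returned by the server is stored as-is; its signature and claims still get checked by the resource servers that receive it.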

Related

Handling Session Timeouts in Server side web applications integrated with Keycloak Java Servlet Adapter

I have integrated a Java Struts-based server-side application with a Keycloak OIDC and OAuth provider.
The Java servlet adapter mentioned in https://access.redhat.com/documentation/en-us/red_hat_single_sign-on_continuous_delivery/3/html-single/securing_applications_and_services_guide/index#servlet_filter_adapter is used for the implementation.
The redirect_uri configured on the server is something like https://env.application.com/contextpath/
When the web application session times out and the user clicks on any link in the application, the redirect_uri that goes as part of the authorization code grant flow adds the URI of the link in addition to the redirect_uri configured in the Keycloak server. This will look something like https://env.application.com/contextpath/submenu?name=menu
This will result in an invalid redirect_uri error from the Keycloak server.
The Keycloak server doesn't allow a wildcard placeholder * to be configured, for security reasons.
Could someone please let me know how to handle web application session timeouts when integrated with a Keycloak OIDC and OAuth provider?
Is there any other best practice available to handle session timeouts in web applications integrated with Keycloak OIDC?

Server to Server API Authentication + Authorization

I'm designing a Web API that will be consumed by an external web server.
Only the external web server must be authorized to access the internal API.
The end user will be authenticated against the external web server, but the username must be forwarded to the internal API when requesting data, because there is some data filtering based on the username.
What authentication mechanism should I use in the internal Web API server?
I started with an X-API-Key header, but then how should I provide the username? I would like to avoid passing the username in query strings.
I was thinking about basic authentication, where the password would be the X-API-Key.
A bearer token could theoretically work as well, but bearer tokens are usually generated by an authorization server, which is not an option in this case.
EDIT:
Note that the end user does not make any API calls. It simply accesses a website built using some CMS, and the CMS internally fetches the data and generates the HTML response.

Keycloak with OpenIdConnect external identityprovider

I have an external OpenID Connect identity provider registered with Keycloak. When the client app tries to access the protected resource it gets redirected to the Keycloak login page. On the login page I have the external OpenID Connect provider buttons enabled. Once the user clicks on the button he is taken to the external identity provider (which is an identityserver3 instance). The external provider does authenticate the user and sends back a code.
Now the redirect URL for the registered client in the external identity provider is Keycloak's. So after authentication is successful at the external IdP, it sends back the code (because it is the auth code flow) to Keycloak at a redirect URL:
http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint?code=7bcf5157105199d50874e64eabf03858&state=wQhNIEKW0Ws6CotZg2EsvOorjDVQlWVvobcM2skPSXo.keycloak-client&session_state=rhgu-BXT8FniG9Z-UARKpp_f-V1nLN-VxFmSE3PSxDg.99b2d903367208e4261fefa475afb1eb
If you look at the URL, it ends with endpoint. I don't think that's correct, but I cannot change it in Keycloak (it's disabled) and therefore not in the external IdP client configuration either.
Keycloak does not understand the above URL and errors out with the message "unexpected error when authenticating with Identity Provider".
Isn't Keycloak supposed to understand the code flow and make another request for the token after receiving the code? Then the external IdP will respond with the token and Keycloak will send that token back to the client (and will also store it for future use).
Can someone please share some knowledge on how Keycloak works with external openidconnect ID provider with code flow.
Usually the redirect URI for external identity providers take the form of {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint. You have to specify this as the redirect URI when you register your client in the external identity provider. Once the user is authenticated through the external IdP, authorization code will be sent to this url, which in turn will redirect it to the redirect url of your client application (specified when registering the client in Keycloak).
Unexpected error when authenticating with Identity Provider is the general error message sent by Keycloak for several errors that occur during the OAuth flow. You won't be able to determine the actual cause without going through the stack trace or the logs in the prompt.
You are getting this error because Keycloak is unable to get a token from identityserver3 by exchanging the authorization code. Where did you host identityserver3? Does it have a real CA certificate or are you using a self-signed certificate? Have you configured client_id, secret and token endpoint properly in the Keycloak external IdP configuration? You can test manually by posting client_id, secret and the code (that you received) to the token endpoint of identityserver3.

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?

Validating signing certificate when using OpenId Connect

I'm trying to understand whether my Owin-hosted Web API needs to validate the certificate used to sign a JWT token.
I've set up an identity provider using IdentityServer. On the "relying party" side, I have an ASP.NET Web API hosted using Owin. On the RP side, I'm using UseOpenIdConnectAuthentication to install the OpenIdConnectAuthenticationMiddleware in the Owin pipeline.
What's working so far:
Any unauthenticated user visiting my web app is redirected to the login page on IdentityServer
The user logs on
The user is redirected back to my web app
My web app receives the JWT containing the id token and access token
My web app calls the user info endpoint to retrieve the claims using the access token
What I'm missing is logic to validate the certificate which was used to sign the JWT containing the identity token.
Using Fiddler, I've been able to see that the OpenIdConnectAuthenticationMiddleware retrieves the keys from the identity server (by calling https://myidentityserver.example.com/core/.well-known/jwks HTTP/1.1)
Is the OpenIdConnectAuthenticationMiddleware performing some kind of validation of the certificate? Or should I be writing this code myself?
The flow you describe relies on the fact that the verification certificate is pulled from a TLS protected endpoint (JWKs URL) that presents a valid SSL server certificate. This SSL server certificate guarantees that you're talking to the right OpenID Connect provider.
Found some explanations here
For validating reference tokens we provide a simple endpoint called the access token validation endpoint. This endpoint is e.g. used by our access token validation middleware, which is clever enough to distinguish between self-contained (JWT) and reference tokens and does the validation either locally or using the endpoint. All of this is completely transparent to the API.
You simply specify the Authority (the base URL of IdentityServer) and the middleware will use that to pull the configuration (keys, issuer name etc) and construct the URL to the validation endpoint
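What the middleware does with the keys it pulls from the jwks endpoint, written out as an added example (this is not the question's code, not the OWIN middleware's code, and not IdentityServer's). The keys are trusted because they come from the issuer's TLS-protected JWKS URL, as the answer above says; from that point the relying party's job is to pick the key by kid, verify the RS256 signature, and check iss, aud and exp. Here a constructed RSA key pair stands in for the identity server and publishes its public key as JWK n/e parameters; the issuer, audience, kid and subject are constructed placeholders, and the JWKS document is held as a Map because the JDK has no JSON parser.

```java
// Added example: RS256 JWT validation against a JWKS key set, JDK only (no third-party library).
// The identity provider side is a constructed stand-in; iss/aud/kid/sub values are placeholders.
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JwksJwtValidation {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // ---- identity-provider side (constructed stand-in for IdentityServer) ----

    /** JWK "n" and "e": base64url of the unsigned big-endian integer (RFC 7518 section 6.3). */
    static String[] jwkParams(RSAPublicKey pub) {
        return new String[] { B64.encodeToString(unsigned(pub.getModulus())),
                              B64.encodeToString(unsigned(pub.getPublicExponent())) };
    }

    private static byte[] unsigned(BigInteger i) {
        byte[] b = i.toByteArray();
        return b[0] == 0 ? Arrays.copyOfRange(b, 1, b.length) : b; // drop the two's-complement sign byte
    }

    /** Issues a compact RS256 JWT whose header names the signing key by kid. */
    static String issueToken(PrivateKey key, String kid, String payloadJson) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + kid + "\"}";
        String signingInput = b64(header) + "." + b64(payloadJson);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(s.sign());
    }

    // ---- relying-party side (what the OIDC middleware does after fetching the JWKS over TLS) ----

    /** Rebuilds an RSAPublicKey from the JWK "n" and "e" parameters. */
    static RSAPublicKey keyFromJwk(String n, String e) throws Exception {
        RSAPublicKeySpec spec = new RSAPublicKeySpec(new BigInteger(1, B64D.decode(n)), new BigInteger(1, B64D.decode(e)));
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    /** Verifies signature, issuer, audience and expiry; returns the payload JSON or throws SecurityException. */
    static String validate(String jwt, Map<String, RSAPublicKey> jwks, String issuer, String audience, long now) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: the header is unauthenticated and must never choose the verification scheme.
        if (!"RS256".equals(field(header, "alg"))) throw new SecurityException("unexpected alg");
        RSAPublicKey key = jwks.get(field(header, "kid"));
        if (key == null) throw new SecurityException("unknown kid"); // a real client re-fetches the JWKS once, then fails
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!s.verify(B64D.decode(parts[2]))) throw new SecurityException("bad signature");
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        if (!issuer.equals(field(payload, "iss"))) throw new SecurityException("wrong issuer");
        if (!audience.equals(field(payload, "aud"))) throw new SecurityException("wrong audience");
        String exp = field(payload, "exp");
        if (exp == null || now >= Long.parseLong(exp)) throw new SecurityException("expired");
        return payload;
    }

    private static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    /** Toy extractor for one string or integer member of a flat JSON object; a real client uses a JSON parser. */
    private static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();                 // constructed IdP signing key
        String[] ne = jwkParams((RSAPublicKey) kp.getPublic());
        Map<String, RSAPublicKey> jwks = new HashMap<>();   // kid -> key, as parsed from the jwks document
        jwks.put("idp-key-1", keyFromJwk(ne[0], ne[1]));

        long now = System.currentTimeMillis() / 1000;
        String payload = "{\"iss\":\"https://idp.example\",\"aud\":\"my-web-app\",\"sub\":\"alice\",\"exp\":" + (now + 300) + "}";
        String token = issueToken(kp.getPrivate(), "idp-key-1", payload);
        System.out.println("valid: " + validate(token, jwks, "https://idp.example", "my-web-app", now));

        // A payload changed after signing must fail the signature check.
        String tampered = token.replace(b64(payload), b64(payload.replace("alice", "mallory")));
        try { validate(tampered, jwks, "https://idp.example", "my-web-app", now); }
        catch (SecurityException e) { System.out.println("tampered rejected: " + e.getMessage()); }

        // A token from a key the JWKS does not list must fail the kid lookup, whatever its signature.
        KeyPair other = gen.generateKeyPair();
        try { validate(issueToken(other.getPrivate(), "rogue-key", payload), jwks, "https://idp.example", "my-web-app", now); }
        catch (SecurityException e) { System.out.println("unknown key rejected: " + e.getMessage()); }
    }
}
```

The three checks in validate are the ones the middleware performs for you once Authority is set: the signature binds the token to a key the issuer published, the iss and aud claims bind it to this issuer and this relying party, and exp bounds replay. Nothing in the token itself is trusted before the signature passes, which is why the alg and kid values are only used to select the pre-configured scheme and a key that already exists in the fetched set.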