Unable to perform Keycloak single logout - keycloak

I have two applications, let's say App1 and App2. App1 is protected using mod_auth_openidc and App2 is hosted on WildFly and protected using the Keycloak-specific Java adapter. SSO works fine on both applications. However, the problem occurs in the case of logout. When I perform logout from App1, both applications are redirected to login on the next request (as expected). However, when I perform logout on App2, App1 still works as normal rather than asking for login again on the next request.
As per the Keycloak documentation, the Admin URL should be set for a particular client so that it can be used by the Keycloak server to send backend requests to the application for various tasks, like logging out users or pushing revocation policies.
From the Apache logs, I cannot see any back-end request generated by Keycloak for the logout performed from App2. If I generate the logout from the Keycloak admin utility, then the Apache logs show a POST for k_logout.
I think I am missing some configuration, but I don't know what. Any idea/help in this regard will be much appreciated. Many thanks.
Further details:
App1 - Django-based web application. This is hosted using Apache and protected using mod_auth_openidc. The Apache and mod_auth_openidc configurations are given below.
App2 - Spring MVC (Java). This is deployed on WildFly and is protected using the Keycloak adapter (as per the procedure mentioned here).
Keycloak configurations - Both applications are configured in Keycloak using the settings described here.
Apache and mod_auth_openidc configurations are:
WSGIDaemonProcess myproject python-home=path_to_v_env python-path=path_to_python
WSGIProcessGroup myproject
WSGIScriptAlias / path_to_wsgi.py
OIDCProviderMetadataURL http://keycloak_domain/auth/realms/demo/.well-known/openid-configuration
OIDCRedirectURI http://domain_name/testapp
OIDCCryptoPassphrase random4321
OIDCClientID testapp
OIDCClientSecret client_secret
OIDCDefaultLoggedOutURL http://domain_name/
OIDCScope "openid email profile"
<Location /testapp/>
AuthType openid-connect
Require valid-user
</Location>
The versions of different systems in use are:
mod_auth_openidc 2.3.7
apache 2.4.34
Ubuntu 16.4
Keycloak 4.2.1

Related

Handling Session Timeouts in Server side web applications integrated with Keycloak Java Servlet Adapter

I have integrated a Java Struts-based server-side application with a Keycloak OIDC and OAuth provider.
The Java servlet adapter mentioned in https://access.redhat.com/documentation/en-us/red_hat_single_sign-on_continuous_delivery/3/html-single/securing_applications_and_services_guide/index#servlet_filter_adapter is used for the same implementation.
The redirect_uri configured on the server is something like https://env.application.com/contextpath/
When the web application session times out and the user clicks on any link in the application, the redirect_uri that goes as part of the authorization code grant flow adds the URI of the link in addition to the redirect_uri configured in the Keycloak server. This will be something like, for example, https://env.application.com/contextpath/submenu?name=menu
This will result in an invalid redirect_uri error from the Keycloak server.
The Keycloak server doesn't allow a placeholder * to be configured, for security reasons.
Could someone please let me know how to handle web application session timeouts when integrated with a Keycloak OIDC and OAuth provider?
Is there any other best practice available to handle session timeouts in web applications integrated with Keycloak OIDC?
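One pattern that avoids the problem described in this post is to keep the registered redirect_uri fixed and carry the originally requested page server-side, keyed by the OAuth state value, rather than appending it to redirect_uri. The following is an added example (not code from the original post, nor from the Keycloak adapter); the client id, realm URL and context path are constructed placeholders, and the return path is validated so that a stored value can never turn into an open redirect.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed values: the redirect_uri below is the exact value that would be
# registered in the Keycloak client, with no wildcard needed.
REDIRECT_URI = "https://env.application.com/contextpath/callback"
AUTH_ENDPOINT = "https://keycloak.example/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "struts-app"
CONTEXT_PATH = "/contextpath/"
DEFAULT_LANDING = CONTEXT_PATH


def safe_return_path(candidate: str, context_path: str = CONTEXT_PATH) -> str:
    """Accept only an app-local path under the context root; otherwise fall back.

    Rejects absolute URLs, protocol-relative URLs (//host/...), backslash
    tricks, control characters and paths outside the application's context.
    """
    if not candidate:
        return DEFAULT_LANDING
    if "\\" in candidate or any(ord(ch) < 0x20 for ch in candidate):
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    if not parts.path.startswith(context_path):
        return DEFAULT_LANDING
    # Keep path and query (the "?name=menu" part), drop any fragment.
    return parts.path + (f"?{parts.query}" if parts.query else "")


class LoginFlow:
    """Server-side map state -> return path. In a clustered deployment this map
    must live in a shared store (or the HTTP session) so any node can finish the
    flow; an in-memory dict is used here for the demo."""

    def __init__(self):
        self._pending = {}

    def begin(self, requested_url: str):
        """Called when a request hits an expired session; returns (state, auth URL)."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = safe_return_path(requested_url)
        params = {
            "client_id": CLIENT_ID,
            "response_type": "code",
            "redirect_uri": REDIRECT_URI,   # always the fixed, registered value
            "scope": "openid",
            "state": state,
        }
        return state, f"{AUTH_ENDPOINT}?{urlencode(params)}"

    def finish(self, state: str) -> str:
        """Called at the callback after the code exchange; state is single-use."""
        return self._pending.pop(state, None) or DEFAULT_LANDING


if __name__ == "__main__":
    flow = LoginFlow()
    state, url = flow.begin("/contextpath/submenu?name=menu")
    print(url)
    print("after login, send user to:", flow.finish(state))
```

The redirect_uri sent to Keycloak never varies, so the exact-match registration holds, and the page the user originally asked for is restored from the state lookup at the callback instead of being trusted from the query string.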

Keycloak backchannel logout in clustered application

I have a Java EE application deployed in a Payara application cluster with more than two nodes. The application uses the Keycloak servlet adapter to enable integration with Keycloak. I have Keycloak 11.0 deployed in production in domain clustered mode. I have manually registered the application cluster nodes under the application clustering section of the client configuration. I used ${application.session.host} in the admin URL to enable Keycloak to send the back-channel logout call to the appropriate cluster node. A load balancer with sticky sessions is used in front of the application cluster to provide a single node view and distribute requests. Everything works fine.
Now I need to upgrade Keycloak to a newer version; I am trying to upgrade to 18.0.2 (legacy version). However, the newer version complies with the OIDC Back-Channel Logout standard, and has a separate config parameter under the client configuration for back-channel logout, separate from the admin URL.
The problem is my clustered system doesn't work with this: the back-channel logout parameter doesn't support ${application.session.host} in the URL. Consequently, the back-channel functionality breaks.
Moreover, the Servlet Filter adapter implementation from Keycloak doesn't support handling back-channel logout as per my knowledge. I have implemented my own library to handle the back-channel call: validating things as per the standard and logging out the appropriate session. For this sake, the library stores sessions in an application-scoped bean. In a single-node deployment of the application everything works, but I don't have a solution for a multiple-node application deployment from Keycloak regarding this, because Keycloak wouldn't know to which node the back-channel logout request would go, considering the fact that the application deployment on each node is independent and client request distribution is configured with sticky sessions.
One solution is to use the Payara inbuilt Hazelcast data grid to store the web sessions, and then any node should be able to handle the back-channel logout call across the cluster.
But I am interested to know if Keycloak has any solution for this.
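The post above describes writing a handler that validates an OIDC Back-Channel Logout token and terminates the matching session, and notes that in a cluster the node receiving the call is not necessarily the one holding the user's sticky session. The following added example (not the poster's library, nor Keycloak code) shows the claim checks that OIDC Back-Channel Logout 1.0 §2.6 requires, plus a session registry keyed by the Keycloak sid so that any node can act on the call if the registry is shared. It signs the token with HS256 and a constructed shared secret purely so it runs offline; Keycloak actually signs logout tokens with the realm's RSA key, which a real handler verifies against the realm JWKS. The issuer, audience and freshness window are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"constructed-demo-secret"                      # demo only
EXPECTED_ISSUER = "https://keycloak.example/realms/demo"     # constructed
EXPECTED_AUDIENCE = "app2"                                   # constructed client id
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_AGE_SECONDS = 300                                        # assumed freshness window


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_logout_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for the IdP's signer: HS256 JWT over the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class LogoutTokenError(ValueError):
    pass


def validate_logout_token(token, *, now=None, seen_jti=None, secret=DEMO_SECRET) -> dict:
    """Signature plus the logout-token claim rules; raises LogoutTokenError on failure."""
    now = time.time() if now is None else now
    seen_jti = set() if seen_jti is None else seen_jti
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise LogoutTokenError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # never trust alg=none etc.
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or iat < now - MAX_AGE_SECONDS:
        raise LogoutTokenError("iat missing or stale")
    if not claims.get("sub") and not claims.get("sid"):
        raise LogoutTokenError("sub or sid required")
    events = claims.get("events") or {}
    if not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise LogoutTokenError("backchannel-logout event missing")
    if "nonce" in claims:                      # spec: nonce MUST NOT be present
        raise LogoutTokenError("nonce present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:             # replay protection
        raise LogoutTokenError("jti missing or replayed")
    seen_jti.add(jti)
    return claims


def is_valid_logout_token(token, **kw) -> bool:
    try:
        validate_logout_token(token, **kw)
        return True
    except LogoutTokenError:
        return False


class SessionRegistry:
    """sid/sub -> local session ids. Across cluster nodes this must be a shared
    store (e.g. the Hazelcast grid the post mentions); a dict is used here."""

    def __init__(self):
        self._by_sid, self._by_sub = {}, {}

    def bind(self, sid, sub, local_session_id):
        self._by_sid.setdefault(sid, set()).add(local_session_id)
        self._by_sub.setdefault(sub, set()).add(local_session_id)

    def logout(self, sid=None, sub=None) -> set:
        ended = self._by_sid.pop(sid, set()) if sid else self._by_sub.pop(sub, set())
        for bucket in (self._by_sid, self._by_sub):
            for key in list(bucket):
                bucket[key] -= ended
                if not bucket[key]:
                    del bucket[key]
        return ended


def handle_backchannel_logout(token, registry, seen_jti, now=None) -> set:
    """Returns the set of local sessions terminated for this logout token."""
    claims = validate_logout_token(token, now=now, seen_jti=seen_jti)
    return registry.logout(sid=claims.get("sid"), sub=claims.get("sub"))
```

The registry is the piece the post is really about: validation is per-request and needs no cluster awareness, but the sid-to-session lookup has to be visible from whichever node the IdP happens to reach.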

Is it possible to retrieve AUTH_SESSION_ID cookie from Keycloak?

I am working with a Java EE application where we authenticate via Keycloak and during redirect we see AUTH_SESSION_ID in the cookie, but after the logout it's not there, which might be creating problems (multiple redirect issue). So we want to retrieve that and expire the cookie in the logout page.
update:
Keycloak version is 3.4.3
we are using it to secure a Java EE application running on WildFly 10
we use the keycloak-wildfly adapter.
The multiple redirect happens after the user is taken to the application page after authentication.

cross domain sso within Websphere App server and Jboss

I want to create a POC which demonstrates SSO between two different applications hosted on different servers and different machines (i.e. App-1: WebSphere App Server 7.0.0.15 and App-2: JBoss 6.2 EAP).
Both applications share the same LDAP (user repository) so a user can navigate from one application to another (App-1 to App-2 or vice versa).
Please suggest which SSO technique would be feasible in such a setup.
If the apps are not deployed in the same cookie domain (check https://www.rfc-editor.org/rfc/rfc6265) or are deployed in a public suffix (https://publicsuffix.org/) you cannot use an SSO mechanism based on cookies unless the 'product' offers a way to perform CDSSO (like OpenAM). Then you may need to use 'SAML2' or 'OAuth2/OIDC'.

Implementing SSO with SAML and JBoss

I want to implement SSO with SAML tokens in JBoss AS.
The scenario is as follows.
I have 2 applications, app1 and app2, running on 2 JBoss instances.
Log in to app1 and enter username / password using form-based auth.
Once logged in, click on a link that should redirect to the app2 page.
This should use SSO with SAML tokens on JBoss AS for authentication and authorization of users.
Can anyone let me know how to do this?
I just now found your question and noticed it is still not answered.
You can take a look at JBoss PicketLink. Said page describes the federation support in JBoss 5+ and Tomcat 5.5+.
Supported protocols are SAML2, WS-Trust and OpenID.
Since SAML2 uses Assertions after authentication, using pure SAML2 on both apps would require you to register both apps as Service Providers, I believe.
I did a workaround using JBoss/Tomcat SSO valves: my (Seam) app 1 uses SAML2 for authentication and my other apps simply reuse the Principal (username, roles) created in the first app. I believe this corresponds to your situation. Log in at app 1, security constraint in app2, no login in app2.
I had to create a custom valve to achieve this:
https://github.com/jensaug/jbossweb-customsso
/Jens