Is it possible to retrieve AUTH_SESSION_ID cookie from Keycloak? - keycloak

I am working with a Java EE application where we authenticate via Keycloak, and during the redirect we see AUTH_SESSION_ID in the cookie, but after the logout it's not there, which might be creating problems (multiple redirect issue). So we want to retrieve that and expire the cookie in the logout page.
Update:
Keycloak version is 3.4.3.
We are using it to secure a Java EE application running on WildFly 10.
We use the keycloak-wildfly adapter.
The multiple redirect happens after the user is taken to the application page after authentication.
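A cookie can only be expired by a response whose name, domain and path match the cookie the browser holds. AUTH_SESSION_ID is set by the Keycloak server itself under its realm path (/auth/realms/<realm>/), so an application running on its own context path normally never receives it and cannot clear it directly; the way to get it removed is to send the browser to Keycloak's logout endpoint, which clears Keycloak's own cookies before redirecting back. The servlet below is an added example of that pattern for a Java EE application behind the Keycloak WildFly adapter; it is not code from the question or from Keycloak, and the server URL, realm name and post-logout page are placeholders (in a real deployment they would come from keycloak.json / the adapter configuration).

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout handler for a Java EE application protected by the Keycloak WildFly adapter.
 * Constructed example: the Keycloak base URL, realm and post-logout page are placeholders.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Placeholders to adapt to the deployment.
    private static final String KEYCLOAK_BASE = "https://sso.example.com/auth";
    private static final String REALM = "demo";
    private static final String POST_LOGOUT_URL = "https://app.example.com/contextpath/loggedout.html";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Log the principal out of the container/adapter (Servlet 3.0 API) and drop
        //    the local session so the adapter's security context disappears with it.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the cookies that live in this application's own scope. A Set-Cookie
        //    only clears a cookie with the same name, domain and path, so AUTH_SESSION_ID
        //    (issued by Keycloak under /auth/realms/<realm>/) cannot be cleared from here.
        expireCookie(resp, "JSESSIONID", req.getContextPath());

        // 3. Hand the browser to Keycloak's logout endpoint. Keycloak removes its own
        //    cookies (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY) and then
        //    redirects to redirect_uri, which must be among the client's valid redirect URIs.
        //    The redirect_uri parameter is the form used by the Keycloak 3.x/4.x generation.
        String logoutUrl = KEYCLOAK_BASE + "/realms/" + REALM
                + "/protocol/openid-connect/logout?redirect_uri="
                + URLEncoder.encode(POST_LOGOUT_URL, StandardCharsets.UTF_8.name());
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(logoutUrl);
    }

    /** Overwrite a cookie with an empty value and Max-Age=0 so the browser deletes it. */
    static void expireCookie(HttpServletResponse resp, String name, String contextPath) {
        Cookie c = new Cookie(name, "");
        c.setPath(contextPath.isEmpty() ? "/" : contextPath);
        c.setMaxAge(0);
        c.setHttpOnly(true);
        c.setSecure(true);
        resp.addCookie(c);
    }
}
```

If the application and Keycloak share a host and the application also needs the Keycloak cookies gone, step 3 is what achieves it; expiring cookies locally only covers what the application set itself.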

Related

Handling Session Timeouts in Server side web applications integrated with Keycloak Java Servlet Adapter

I have integrated a Java Struts based server-side application with a Keycloak OIDC and OAuth provider.
The Java servlet adapter mentioned in https://access.redhat.com/documentation/en-us/red_hat_single_sign-on_continuous_delivery/3/html-single/securing_applications_and_services_guide/index#servlet_filter_adapter is used for the same implementation.
The redirect_uri configured on the server is something like https://env.application.com/contextpath/
When the web application session times out and the user clicks on any link in the application, the redirect_uri that goes as part of the authorization code grant flow adds the URI of the link in addition to the redirect_uri configured in the Keycloak server. This will be something like, for example, https://env.application.com/contextpath/submenu?name=menu (with the /submenu?name=menu part appended).
This will result in an invalid redirect_uri error from the Keycloak server.
The Keycloak server doesn't allow a placeholder * to be configured, for security reasons.
Could someone please let me know how to handle web application session timeouts when integrated with a Keycloak OIDC and OAuth provider.
Is there any other best practice available to handle session timeouts in web applications integrated with Keycloak OIDC?
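One way to keep the registered redirect URI exact, rather than widening it, is to make sure the adapter only ever starts the login flow from the registered entry URL: a filter placed ahead of the Keycloak servlet filter remembers the deep link an unauthenticated request was aiming at, bounces the browser to the entry URL, and forwards to the remembered link once the user is authenticated. The filter below is an added example of that approach, not code from the question or from the Keycloak adapter; it assumes the asker's layout (registered redirect_uri = the context root with a trailing slash) and that the filter is mapped in web.xml before the adapter's filter. The cookie name and TTL are arbitrary choices. Because the cookie is client-controlled input, the saved target is only followed when it is a path inside this application.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Runs ahead of the Keycloak servlet-filter adapter (map it first in web.xml).
 * An unauthenticated deep link is remembered in a short-lived cookie and the browser is
 * sent to the registered entry URL, so the adapter always builds redirect_uri from that
 * URL. Once authenticated, a request to the entry URL forwards to the remembered link.
 * Constructed example; cookie name and TTL are arbitrary.
 */
public class DeepLinkFilter implements Filter {
    static final String COOKIE = "SAVED_REQUEST";
    static final int COOKIE_TTL_SECONDS = 300;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String entry = req.getContextPath() + "/";          // the registered redirect_uri path
        boolean atEntry = entry.equals(req.getRequestURI());
        boolean authenticated = req.getUserPrincipal() != null;

        if (!authenticated && !atEntry && "GET".equals(req.getMethod())) {
            // Expired or missing session on a deep link: remember it, then go to the entry URL.
            String target = req.getRequestURI()
                    + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
            Cookie c = new Cookie(COOKIE, URLEncoder.encode(target, StandardCharsets.UTF_8.name()));
            c.setPath(entry);
            c.setMaxAge(COOKIE_TTL_SECONDS);
            c.setHttpOnly(true);
            c.setSecure(true);
            resp.addCookie(c);
            resp.sendRedirect(entry);
            return;
        }

        if (authenticated && atEntry) {
            String saved = readSavedTarget(req);
            if (saved != null) {
                clearCookie(resp, entry);
                // Client-controlled value: follow it only if it stays inside this application.
                if (isLocalPath(saved, req.getContextPath())) {
                    resp.sendRedirect(saved);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    private static String readSavedTarget(HttpServletRequest req) throws IOException {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE.equals(c.getName())) {
                return URLDecoder.decode(c.getValue(), StandardCharsets.UTF_8.name());
            }
        }
        return null;
    }

    private static void clearCookie(HttpServletResponse resp, String path) {
        Cookie c = new Cookie(COOKIE, "");
        c.setPath(path);
        c.setMaxAge(0);
        resp.addCookie(c);
    }

    /** Accept only an absolute path under this context: rejects "//host", schemes and traversal. */
    static boolean isLocalPath(String uri, String contextPath) {
        return uri.startsWith(contextPath + "/")
                && !uri.startsWith("//")
                && !uri.contains("://")
                && !uri.contains("..");
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Only GET requests are remembered; a POST that arrives after a timeout cannot be replayed safely, so it simply falls through to the adapter and the user lands on the entry page after login.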

Is it possible to pass authentication from an old CAS 3.5.3 Server to a recent Keycloak 15.0.2 with SSO?

I have an existing JSF application that is secured by a CAS Server (version 3.5.3).
Due to customizations I am not able to update the CAS Server to a new version. So there are no OIDC, OAuth2 or other state-of-the-art protocols available; only CAS and an early version of SAML, I think.
I would like to establish SSO to an external Keycloak of a service provider. They want me to set up an internal Identity Provider that connects to their external IDP.
I have done this before with Keycloak, but in that old case my internal Keycloak has been the single point of authentication. This time it's CAS.
Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?
I have thought of implementing a Custom User Storage Provider SPI to connect to my existing user database. But then I would have to log in again to my Keycloak. Is this true?
Is this achievable by implementing the CAS protocol in my internal Keycloak using a CAS extension? I think that this allows Keycloak to create a client using the CAS protocol, but not to SSO via an existing CAS server, and the user has to log in to my Keycloak. Please correct me if I'm wrong.
Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?
No, and if there is one, it will require LOTS and LOTS of coding and development. If you're not able to upgrade, you most likely will not be able to make such changes anyway.
There is a plugin for external SAML2 authentication here, which should allow CAS login requests to be redirected to an external SAML2 IdP:
https://github.com/UniconLabs/cas-saml-auth
If your Keycloak supports SAML2, maybe this can work. Note that the plugin has not been touched since 2016, and there is no support for it from anyone. You will be 100% on your own if you decide to go with it.

OAuth2 redirect URI for enterprise application

I'm working on an enterprise application and our UI is a web application. We are looking to add OAuth2 support and I don't understand what to provide for the redirect URI field to the OAuth provider.
For example, I have registered my app with the GitHub OAuth provider.
Homepage URL: https://localhost:7980/index.html
Authorization callback URL: https://localhost:7980/oauth_callback
Now this works fine with localhost as the hostname. But when this application gets used by customers, they can install it on any of their boxes and invoke the web app from any device connected to our server via https://[hostname]:7980/index.html. In this case, if the customer wants to use the OAuth2 authentication option, then I don't understand what the redirect URL should be. Obviously I cannot use localhost for the redirect URL, as the customer can access the web app from any machine. I wouldn't know beforehand the machine IP/hostname where the customers are going to install our server.
One suggestion was to use a server from our company which would handle redirect URLs for the OAuth2 authentication. Is this a good idea? Is there a standard way for handling the use case I have narrated above in OAuth2?

Unable to perform Keycloak single logout

I have two applications, let's say App1 and App2. App1 is protected using mod_auth_openidc and App2 is hosted on WildFly and protected using the Keycloak-specific Java adapter. SSO works fine on both applications. However, the problem occurs in the case of logout. When I perform logout from App1, both applications are redirected to login on the next request (as expected). However, when I perform logout on App2, App1 still works as normal rather than asking for login again on the next request.
As per the Keycloak documentation, the Admin URL shall be set for a particular client; it can be used by the Keycloak server to send backend requests to the application for various tasks, like logging out users or pushing revocation policies.
From the Apache logs, I cannot see any back-end request generated by Keycloak for the logout performed from App2. If I generate the logout from the Keycloak admin utility, then the Apache logs show a POST action for k_logout.
I think I am missing some configuration, but don't know what. Any idea/help in this regard will be much appreciated. Many thanks.
Further details:
App1 - Django-based web application. This is hosted using Apache and protected using mod_auth_openidc. The Apache and mod_auth_openidc configurations are given below.
App2 - Spring MVC (Java). This is deployed on WildFly and is protected using the Keycloak adapter (as per the procedure mentioned here).
Keycloak configuration - Both applications are configured in Keycloak using the settings described here.
The Apache and mod_auth_openidc configurations are:
WSGIDaemonProcess myproject python-home=path_to_v_env python-path=path_to_python
WSGIProcessGroup myproject
WSGIScriptAlias / path_to_wsgi.py
OIDCProviderMetadataURL http://keycloak_domain/auth/realms/demo/.well-known/openid-configuration
OIDCRedirectURI http://domain_name/testapp
OIDCCryptoPassphrase random4321
OIDCClientID testapp
OIDCClientSecret client_secret
OIDCDefaultLoggedOutURL http://domain_name/
OIDCScope "openid email profile"
<Location /testapp/>
AuthType openid-connect
Require valid-user
</Location>
The versions of different systems in use are:
mod_auth_openidc 2.3.7
apache 2.4.34
Ubuntu 16.4
Keycloak 4.2.1

SSO Federation metadata exchange using SAML

We are about to integrate our Java application with SSO Federation. We will get metadata in SAML2 assertion format, and all the session tracking is taken care of by SSO Federation.
I am not clear how the session tracking happens with each request in our Java application. Our main page URL is configured in the SSO federation, and after the user clicks the link, control comes to our application. So if I navigate to another URL apart from the one configured, how does the federation track the session? Do we need to pass any metadata for each and every request?
We have been asked to share the home page URL and certificate information and SSO federation will configure those in their portal.
A Java application server normally tracks a user session using a 'JSESSIONID' cookie. Once the SAML assertion generated by an IdP (say ADFS) has been validated by the SP (the Java application here), a security context/session is created which is identified by a JSESSIONID. The browser sends the JSESSIONID cookie with subsequent requests, and the application verifies it and serves the requested resource/URL.
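To make the answer concrete, the code below is an added illustration (not from the answer or from any SAML library) of the two halves it describes: what the service provider does once, at its assertion consumer endpoint, after the assertion has been validated, and what every other request is checked against afterwards. Assertion validation itself (signature, audience, conditions, InResponseTo) is done by whatever SAML library is in use and is assumed to have succeeded before establishSession is called; the /saml/login path is a placeholder for wherever that library starts a new AuthnRequest.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * How a SAML service provider binds a validated assertion to the container session.
 * Constructed illustration: assertion validation is done by the SAML library in use
 * and is not shown; establishSession() runs only after it has succeeded.
 */
public class SamlSessionSupport {
    static final String PRINCIPAL_ATTR = "saml.principal";
    static final String SESSION_INDEX_ATTR = "saml.sessionIndex";

    /**
     * Called once from the assertion consumer endpoint. The subject is bound to a fresh
     * session id (Servlet 3.1 changeSessionId) so a session id handed to the browser
     * before authentication cannot be reused afterwards, and the idle timeout is set here
     * because the IdP has no part in per-request traffic from now on.
     */
    public static void establishSession(HttpServletRequest req, String nameId,
                                        String sessionIndex, int idleTimeoutSeconds) {
        HttpSession session = req.getSession(true);
        req.changeSessionId();                 // new JSESSIONID, attributes preserved
        session.setAttribute(PRINCIPAL_ATTR, nameId);
        session.setAttribute(SESSION_INDEX_ATTR, sessionIndex); // kept for single logout
        session.setMaxInactiveInterval(idleTimeoutSeconds);
    }

    /**
     * Filter for every other URL. The browser presents only JSESSIONID; the request is
     * served if that session carries a bound principal. No SAML data travels per request.
     */
    public static class SessionFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            HttpSession session = req.getSession(false);
            Object principal = session == null ? null : session.getAttribute(PRINCIPAL_ATTR);
            if (principal == null) {
                // No live session: start a new AuthnRequest to the IdP (placeholder path).
                resp.sendRedirect(req.getContextPath() + "/saml/login");
                return;
            }
            chain.doFilter(request, response);
        }

        @Override public void init(FilterConfig filterConfig) { }
        @Override public void destroy() { }
    }
}
```

The SessionIndex is kept because a later single-logout request from the IdP identifies the session to terminate by it; the application then invalidates the matching HttpSession, which is exactly the object the JSESSIONID cookie points at.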