Comments (17)
@omario36, this is not a valid config.
@axi92, thank you for helping out!
from authcrunch.github.io.
Maybe because the domain of my keycloak auth and the whoami service are different? So the AUTHP_SESSION_ID cookie is rejected?
@omario36 , what is the config you are using?
@omario36, try setting the following in your provider config.
required_token_fields access_token
{
	admin off
	debug
	http_port 880
	https_port 4443
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider keycloak {
			driver generic
			realm master
			client_id test-caddy
			client_secret 8KfOcqKQaSxczrM6Y0BqusTJofC4NkHO
			scopes email profile
			required_token_fields access_token
			metadata_url https://auth.internal.XXXX.fr/realms/master/.well-known/openid-configuration
		}
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify "<redacted signing key>"
			enable identity provider keycloak
			cookie domain localhost
			ui {
				links {
					"My Website" https://assetq.localhost:4443/ icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
		}
		authorization policy mypolicy {
			set auth url https://auth.localhost:4443/
			allow roles authp/admin authp/user
			crypto key verify "<redacted signing key>"
		}
	}
}
whoami.localhost:4443 {
	route {
		authenticate with myportal
	}
	reverse_proxy whoami:80
	tls internal
}
auth.localhost:4443 {
	tls internal
	authenticate with myportal
}
assetq.localhost:4443 {
	tls internal
	authorize with mypolicy
	respond "assetq is running"
}
log
@greenpau any news please?
@axi92 can you please share with me your realm export and/or some screenshots, eventually where I have to add the mappers...?
Thanks a lot
This is our config, maybe it helps you.
I had the problem that I imported my realm config into keycloak and the keys are not in this export. So you have to regenerate all keys after the import and give caddy the new key too.
{
	email [email protected]
	#debug
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id {env.KEYCLOAK_CLIENT_ID}
			client_secret {env.KEYCLOAK_CLIENT_SECRET}
			scopes openid email profile
			#metadata_url https://keycloak.domain.com/auth/realms/master/.well-known/openid-configuration
			metadata_url https://keycloak.domain.com/realms/master/.well-known/openid-configuration
		}
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider keycloak
			cookie domain domain.link
			ui {
				links {
					"alertmanager-03" https://alertmanager-03.domain.link icon "las la-link"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}
		authorization policy mypolicy {
			set auth url https://auth.domain.link/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
		}
		authorization policy apipolicy {
			set token sources header query
			crypto key verify from directory /home/user/sfw-proxy/jwt-public-keys/api
			crypto key token name api_token
			allow roles service
			acl default deny
			validate path acl
		}
		authorization policy monitoring {
			set auth url https://auth.domain.link/
			allow email [email protected]
			crypto key verify {env.JWT_SHARED_KEY}
		}
	}
}
@omario36 You got "realm master", we have "realm keycloak", try to change that?
@axi92 OK, I will try to create a new realm "keycloak" and will keep you informed, many thanks.
I don't think you have to do that, my only realm in my keycloak instance is called "master" but in my caddy config it's working with "realm keycloak". Maybe the caddy plugin does not treat the realm like a "keycloak realm". Instead the whole keycloak is the "realm".
Which realm you use is configured by the metadata_url you give to the authp plugin.
See:
I have these client scopes:
and in the email scope I added the groups mapper:
Is it the same config you have?
@axi92 thank you, now it's OK for the token. I have:
{"level":"info","ts":1670842683.5485365,"logger":"security","msg":"Successful login","session_id":"AX9RwuGA0daWpjY9Ev7h00TVc9VzWDnCkRtIFS9","request_id":"4979ccf2-49ba-4754-aee3-fb0f4f539c08","backend":{"name":"keycloak","realm":"keycloak","method":"oauth"},"user":{"addr":"192.168.96.1","email":"[email protected]","exp":1670846283,"family_name":"Omari","given_name":"Omar","iat":1670842683,"iss":"https://whoami.localhost:4443/oauth2/keycloak/","jti":"AX9RwuGA0daWpjY9Ev7h00TVc9VzWDnCkRtIFS9","name":"Omar Omari","nbf":1670842623000,"origin":"keycloak","realm":"keycloak","roles":["authp/admin","default-roles-master","authp/user","authp/guest","offline_access","uma_authorization"],"sub":"131d20a2-79d4-40ec-9e65-e4baaa488145"}}
But now I have something like an infinite login loop with this test URL:
https://whoami.localhost:4443/*
The scopes should not matter, as you give every user that comes from keycloak the authp/user role:
	transform user {
		match origin keycloak
		action add role authp/user
	}
And you allow in your policy:
	allow roles authp/admin authp/user
Everybody coming from keycloak can access.
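As an added illustration (not from the thread or the caddy-security project), the transform and allow rules quoted above replayed in Python against a login log entry shaped like the one posted earlier; the identities and ids in the sample are constructed placeholders.

```python
import json

# Constructed sample modelled on the "Successful login" entry from the thread;
# names, ids and e-mail replaced with placeholders. Note the Keycloak roles
# alone contain no authp/* role.
SAMPLE_LOG_LINE = json.dumps({
    "level": "info", "logger": "security", "msg": "Successful login",
    "backend": {"name": "keycloak", "realm": "keycloak", "method": "oauth"},
    "user": {
        "email": "user@example.invalid",
        "iss": "https://whoami.localhost:4443/oauth2/keycloak/",
        "origin": "keycloak",
        "realm": "keycloak",
        "roles": ["default-roles-master", "offline_access", "uma_authorization"],
    },
})

# Mirrors the Caddyfile: transform user { match origin keycloak; action add role authp/user }
TRANSFORMS = [{"match_origin": "keycloak", "add_roles": ["authp/user"]}]
# Mirrors: authorization policy mypolicy { allow roles authp/admin authp/user }
POLICY_ALLOW_ROLES = {"authp/admin", "authp/user"}


def apply_transforms(user, transforms=TRANSFORMS):
    """Return a copy of the user claims with roles added by every matching transform."""
    roles = list(user.get("roles", []))
    for t in transforms:
        if user.get("origin") == t["match_origin"]:
            for role in t["add_roles"]:
                if role not in roles:
                    roles.append(role)
    return {**user, "roles": roles}


def authorize(user, allowed_roles=POLICY_ALLOW_ROLES):
    """'allow roles' semantics: grant when the user holds any one of the listed roles."""
    return bool(allowed_roles.intersection(user.get("roles", [])))


def check_login_entry(log_line):
    """Parse one Caddy security log line and report how mypolicy would decide for that user."""
    entry = json.loads(log_line)
    if entry.get("msg") != "Successful login":
        return None
    user = apply_transforms(entry["user"])
    return {"realm": entry["backend"]["realm"], "roles": user["roles"], "allowed": authorize(user)}
```

Running `check_login_entry(SAMPLE_LOG_LINE)` shows the user is allowed only because the transform added authp/user; a user from another origin with the same Keycloak roles would be denied.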
I don't know if this config is valid:
	whoami.localhost:4443 {
		route {
			authenticate with myportal
		}
		reverse_proxy whoami:80
		tls internal
	}
You don't need to check the /whoami endpoint; authp denies access to that endpoint if you don't have a valid session. So no need to have that config IMHO.
You should see the Whoami endpoint on the linklist after the login is successful.
@axi92 sorry, but here whoami is the service that I want to secure by keycloak oauth.
To clarify the situation: I have a whoami docker service running on the same network as caddy,
so to expose it, I have to do something like this:
	whoami.localhost:4443 {
		tls internal
		reverse_proxy whoami:80
		authenticate with myportal
	}
The new config is:
{
	admin off
	debug
	http_port 880
	https_port 4443
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id test-caddy
			client_secret 8KfOcqKQaSxczrM6Y0BqusTJofC4NkHO
			scopes openid email profile
			#required_token_fields access_token
			metadata_url https://auth.domain.tld/realms/master/.well-known/openid-configuration
		}
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify "qwerty"
			enable identity provider keycloak
			cookie domain localhost
			ui {
				links {
					"whoami" https://whoami.localhost:4443/ icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}
		authorization policy mypolicy {
			set auth url https://auth.domain.tld/
			allow roles authp/admin authp/user
			crypto key verify "qwerty"
		}
		authorization policy monitoring {
			set auth url https://auth.domain.tld/
			allow email [email protected]
			crypto key verify "qwerty"
		}
	}
}
whoami.localhost:4443 {
	tls internal
	reverse_proxy whoami:80
	authenticate with myportal
}
log
Thanks for your support, I really need to secure for example this whoami or another service proxied by caddy.
YEEES @axi92 @greenpau thanks, now it's OK.
@greenpau any link to update the documentation for using keycloak v20+?