[keycloak-dev] Keycloak integration with mod_auth_openidc broken

Stian Thorgersen sthorger at redhat.com
Mon Feb 13 07:36:56 EST 2017


I'm afraid it's too late to include new things for 2.5.

On 13 February 2017 at 12:16, Stefan Schlesinger <sts at ono.at> wrote:

> Hi Stian,
>
> is this something which could make it into one of the next 2.5 releases
> (especially because 2.5 should be a version included in redhat, IIRC)?
>
> A working integration with mod_auth_openidc would be essential.
>
> Best,
>
> Stefan.
>
> > On 02 Feb 2017, at 07:10, Stian Thorgersen <sthorger at redhat.com> wrote:
> >
> > It should support multi-valued and mapping to an array rather than a
> > comma-separated list.
> >
> > On 1 February 2017 at 21:06, Stefan Schlesinger <sts at ono.at> wrote:
> > Hello,
> >
> > it looks like it's currently not possible to use mod_auth_openidc with
> > Keycloak for authorization of legacy applications. The current workaround
> > described by mod_auth_openidc is to use OpenID Connect for authentication
> > and use the apache ldap module for authorization, which is a rather ugly
> > workaround IMHO.
> >
> > The problem currently is twofold:
> >
> >  1) One can use mod_auth_openidc to verify claims, but it doesn’t come
> > with JSON path support[1], so matching the claims in realm_access.roles
> > isn’t possible, only arrays in a flat JSON tree are supported[2].
> >
> >  2) This wouldn’t cause any issues, as Keycloak comes with a User Realm
> > Role mapper, which is able to map roles to a different key (in my example
> > below the key is ‘roles’).
> >
> > {
> >   "jti": "01667279-a161-47ae-a093-b08643a1b7b5",
> >   "exp": 1485977685,
> >    …
> >   "realm_access": {
> >     "roles": [
> >       "application_x",
> >       "application_y",
> >       "uma_authorization"
> >     ]
> >   },
> >   "roles": "[application_x, application_y, uma_authorization]"
> > }
> >
> > The problem with the mapper is that the value of roles is served as a
> > string instead of an array and mod_auth_openidc cannot handle this
> > properly[3].
> >
> > Btw. the same thing goes for the User Client Role mapper, which looks
> > like this:
> >
> > {
> >   "client_role": "[login]"
> > }
> >
> > An issue for this has already been created:
> > https://issues.jboss.org/browse/KEYCLOAK-4205
> >
> > It would be so great to get this fixed in the next release!!
> >
> > Best,
> >
> > Stefan.
> >
> >
> > [1] https://groups.google.com/forum/#!topic/mod_auth_openidc/QOMMYeXt5Jc
> > [2] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L85
> > [3] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L67
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
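To make the matching problem in the thread concrete, the following is an added example (not code from mod_auth_openidc or Keycloak) of a claim-based authorization check that resolves a dotted path such as realm_access.roles and grants only on a whole array element. The sample claims are constructed from the token shape quoted above; the function names are assumptions for this illustration.

```python
import json

# Constructed sample claims modelled on the token in the thread (not a real token).
# Array form: what a working multi-valued mapper should emit.
CLAIMS_ARRAY = {
    "realm_access": {"roles": ["application_x", "application_y", "uma_authorization"]},
    "client_role": ["login"],
}
# String form: what the User Realm Role / User Client Role mappers emit today.
CLAIMS_STRING = {
    "realm_access": {"roles": ["application_x", "application_y", "uma_authorization"]},
    "roles": "[application_x, application_y, uma_authorization]",
    "client_role": "[login]",
}


def lookup_claim(claims, path):
    """Resolve a dotted path like 'realm_access.roles' inside a claims dict.
    Returns None when any segment is missing (a missing claim never authorizes)."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def claim_authorizes(claims, path, required):
    """Grant only if the claim is exactly `required` or an array containing it
    as a whole element. A string such as "[application_x, ...]" is compared
    as one value and therefore never matches: falling back to substring
    matching would let a role like 'application_xy' satisfy 'application_x'."""
    value = lookup_claim(claims, path)
    if isinstance(value, list):
        return any(isinstance(v, str) and v == required for v in value)
    if isinstance(value, str):
        return value == required
    return False


def stringified_roles_are_json(value):
    """The mapper's string form is not valid JSON either (elements are unquoted),
    so a relying party cannot even recover the array by parsing it."""
    try:
        return isinstance(json.loads(value), list)
    except ValueError:
        return False
```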

