[keycloak-user] Using Keycloak with Apache and mod_auth_oidc

Anthony Fryer anthony.fryer at gmail.com
Thu Jun 2 19:20:15 EDT 2016


Just need to keep in mind that if you want to use mod_auth_oidc to secure URLs
using Keycloak roles, there can be issues. Is it possible to somehow map
Keycloak roles to a top-level attribute in the access token as a
workaround?

>>>>

No, it is not possible to use JSON path syntax; patches would be welcome...

Expressions can be of limited complexity today: 1-level deep arrays are
supported, as are regular expressions. So if you would be able to instruct
your OP to send the roles in a top-level attribute called
"realm_access.roles", then what you currently have configured would work.

Hans.

On Tue, May 24, 2016 at 3:50 PM, <anthony.fryer at gmail.com> wrote:

> I am using keycloak and have assigned some global roles (TOUPPER and
> REVERSE) to a user.  The decoded access token looks like this...
>
>         {
>   "jti" : "0a0541f2-9b74-4a41-b862-a20a3cbc2bcb",
>   "exp" : 1464097823,
>   "nbf" : 0,
>   "iat" : 1464097523,
>   "iss" : "https://my.keycloak.com/auth/realms/T
> <https://keycloak.cyberavenue.com.au/auth/realms/Glomex>enantA",
>   "aud" : "test-client",
>   "sub" : "20974f13-8272-4cd5-a172-5c8de4cdc782",
>   "typ" : "Bearer",
>   "azp" : "test-client",
>   "nonce" : "C_D0xDSCytoFaopJoYZu36BJcb6eMR2Xeg8VGP2nxeQ",
>   "session_state" : "b625d171-e01d-462c-9d01-d159b9b75635",
>   "name" : "",
>   "preferred_username" : "anthony",
>   "client_session" : "80b0ac34-5ee8-41f2-97da-649cf1abbd81",
>   "allowed-origins" : [ ],
>   "realm_access" : {
>     "roles" : [ "TOUPPER", "REVERSE" ]
>   },
>   "resource_access" : { },
>   "groups" : [ "tenantA/brandA", "tenantA" ]
> }
>
>
> I'm now trying to configure mod_auth_openidc authorization on some url
> paths based on the roles in the "realm_access"."roles" path of the token.
> I've tried this configuration...
>
>         <Location /glomex-mds-webapp/api/v1/secure/demo/toupper>
>                 AuthType openid-connect
>                 #Require valid-user
>                 Require claim realm_access.roles:TOUPPER
>         </Location>
>
> This doesn't seem to work though.  Is it possible to use json path syntax
> for claim authorization?


On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hello group,
>
> Just wanted to let you know that I built a small example [0] that
> demonstrates the usage of Keycloak with mod_auth_oidc [1]
> with Docker + Apache + PHP.
>
> Works like a charm :)
>
> Cheers,
> Thomas
>
> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example
> [1] https://github.com/pingidentity/mod_auth_openidc
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
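As an added illustration (not code from this thread, from Keycloak, or from mod_auth_openidc itself) of why the `Require claim realm_access.roles:TOUPPER` line above does not match the nested token, and why Hans's suggestion of a top-level claim does, here is a small Python model of the `Require claim` lookup as described in the thread: top-level keys only, one-level arrays, and exact or regular-expression matching. The `:` (exact) and `~` (regex) operators and the exact matching details are a simplified assumption about mod_auth_openidc's syntax, not a copy of its implementation.

```python
import re

# Constructed sample: the claims from the decoded token in the thread,
# trimmed to the ones that matter for authorization.
TOKEN_CLAIMS = {
    "preferred_username": "anthony",
    "realm_access": {"roles": ["TOUPPER", "REVERSE"]},
    "groups": ["tenantA/brandA", "tenantA"],
}

# The workaround Hans describes: the OP (Keycloak) also emits the roles in a
# top-level claim whose literal name is "realm_access.roles".
MAPPED_CLAIMS = dict(TOKEN_CLAIMS)
MAPPED_CLAIMS["realm_access.roles"] = TOKEN_CLAIMS["realm_access"]["roles"]


def claim_satisfied(claims: dict, spec: str) -> bool:
    """Model of one `Require claim <spec>` line (simplified assumption).

    spec is "name:value" (exact match) or "name~regex" (regular expression).
    The name is looked up only as a top-level key: there is no JSON-path
    traversal, so "realm_access.roles" means a key literally spelled that
    way. The value may be a string or a one-level array of strings; nested
    objects are never descended into.
    """
    m = re.fullmatch(r"([^:~]+)([:~])(.*)", spec, re.S)
    if not m:
        raise ValueError(f"malformed Require claim spec: {spec!r}")
    name, op, expected = m.groups()
    value = claims.get(name)
    if value is None:
        return False
    candidates = value if isinstance(value, list) else [value]
    for item in candidates:
        if not isinstance(item, str):
            continue  # dicts, numbers etc. are not matched
        if op == ":" and item == expected:
            return True
        if op == "~" and re.search(expected, item):
            return True
    return False


if __name__ == "__main__":
    # The config from the thread fails on the nested token...
    print(claim_satisfied(TOKEN_CLAIMS, "realm_access.roles:TOUPPER"))
    # ...but works once the roles are exposed as a top-level claim.
    print(claim_satisfied(MAPPED_CLAIMS, "realm_access.roles:TOUPPER"))
```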