[keycloak-user] Using Keycloak with Apache and mod_auth_oidc
Niels Bertram
nielsbne at gmail.com
Fri Jun 3 21:29:43 EDT 2016
yes that is my understanding
On Sat, Jun 4, 2016 at 12:57 AM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:
> Hello Niels,
>
> I think you're right here - apachectl -L says:
> OIDCCryptoPassphrase (mod_auth_openidc.c)
> Passphrase used for AES crypto on cookies and state.
> Allowed in *.conf only outside <Directory>, <Files>, <Location>, or <If>
>
> I did not read the docks properly. So this OIDCCryptoPassphrase is only
> used by
> Apache mod_oidc & mod_balancer & not by keycloak if I understand you
> correctly.
>
> So I could simply change:
>
> OIDCCryptoPassphrase currently-not-supported-by-keycloak
> to
> OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
>
> ... to make it more clear that this secret should really be a secret and
> is not used by Keycloak, right?
>
> Cheers,
> Thomas
>
> 2016-06-03 16:34 GMT+02:00 Niels Bertram <nielsbne at gmail.com>:
>
>> Hi Thomas,
>>
>> just a comment on your example project, the Apache directive
>> OIDCCryptoPassphrase is (AFAIK) used by the apache module to en/decrypt
>> the state parameter that is sent with the redirect params to the OP. This
>> is a mandatory settings and you will have to make sure its random and
>> secured (otherwise someone can steal your users session). If you run the
>> apache behind a load balancer, this value needs to be the same on all
>> nodes, else the module will return invalid state errors.
>>
>> Cheers,
>> Niels
>>
>> On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont <
>> thomas.darimont at googlemail.com> wrote:
>>
>>> Hello group,
>>>
>>> Just wanted to let you know that I build a small example [0] that
>>> demonstrates the usage of Keycloak with mod_auth_oidc [1]
>>> with Docker + Apache + PHP.
>>>
>>> Works like a charm :)
>>>
>>> Cheers,
>>> Thomas
>>>
>>> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example
>>> [1] https://github.com/pingidentity/mod_auth_openidc
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160604/8b77ada1/attachment.html
More information about the keycloak-user
mailing list