[keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!

Max Allan max.allan+keycloak at surevine.com
Fri Jul 13 12:30:51 EDT 2018 

 ​Hi,

The AWS ALB​ will allow you to authenticate to cognito or OIDC nowadays.

I thought "Great, I can connect it up to my KeyCloak".
Sadly not. Well, I can connect it to KeyCloak and see sensible looking
headers and JWTs flowing back and forth.
And then the ALB says "500 Internal Server Error" :-(

I can see a request to keycloak (from the client) :
https://auth.care.surevine.com/auth/realms/care/protocol/openid-connect/auth?client_id=jira&redirect_uri=https%3A%2F%2Fdev.care.surevine.com%2Foauth2%2Fidpresponse&response_type=code&scope=email&state=8sp1j3N3baPa1r%2BEjDViEe5S2%2BOFqfbafOydLei7YpkSf99waAoS32Ndkj4QUf%2FQ29LfaaUJNIMifQ4N53Tg%2BGSwb2zbgvsHrCfcARJWICHRhpZ2zpvGZbzJd8T%2FV5QUhHWL7kTGpscgOgpaMAPquI6QPbYLxRE2ekpN73XhRTQ4LBFoSUCfHW60x70vTJ3SbPTwkTFbwyZ%2FBVo%3D


And it 302 redirects back to the ALB :

https://dev.care.surevine.com/oauth2/idpresponse?state=8sp1j3N3baPa1r%2BEjDViEe5S2%2BOFqfbafOydLei7YpkSf99waAoS32Ndkj4QUf%2FQ29LfaaUJNIMifQ4N53Tg%2BGSwb2zbgvsHrCfcARJWICHRhpZ2zpvGZbzJd8T%2FV5QUhHWL7kTGpscgOgpaMAPquI6QPbYLxRE2ekpN73XhRTQ4LBFoSUCfHW60x70vTJ3SbPTwkTFbwyZ%2FBVo%3D&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..1WmnIXPxo_LeP7ERufRgtw.cFEmEJV_q94bhpBQLz0QEzSYitZtCgIGc5295VHbhwreJn9e4rxWolcRSPLz1VtliniI-MgSZ8wRoyNYYPiAUdXZ4z53__Z2CoRNMr0xNg96S0u5Xobo3EEzKy37x_9flU2ypWxfehQ-ZaXFoQhY6xL6y8QADlM-DmaR27bL5WUGYsTUQg5PY695PiygS7u3yQM1zUjHO2T3iROOuNr_5S-6LyaUo8GWD1XSMxp9ydlJTm-oC8Lmh2tCDvhRoJqj.amBQSuQIGlk7Ganopg4O2A


On the KeyCloak server I can see the POST requests from the browser coming
in and hitting the authenticate URL, KC hands back a 302 (the URL above)
Then the ALB does a POST to the token endpoint and gets a 200 response with
a nice chunk of access token. I can decode it and see my details quite
happily. I even validated the signature. (Using jwt.io 's debugger.)
Although the ALB doesn't ask for the certificate at any stage, so I don't
think it even bothers validating it.

But it doesn't seem to like it. And gives me a 500 error.

(I can authenticate with Google OIDC without any trouble...)


(NB Any secrets in any of those strings won't get you very far, there is no
content yet :-) )

More information about the keycloak-user mailing list