[keycloak-user] OpenID Java Adapter: configuring keycloak to use an IDP different then Keycloak Server

Dmitry Telegin dt at acutus.pro
Thu Nov 8 22:45:55 EST 2018 

Hello Fabrizio,

Indeed, string templates like "/realms/{realm-name}/protocol/openid-connect/auth" are hardcoded into Keycloak adapters [1] [2].

Luckily, there seems to be a workaround. In Keycloak, there is a mechanism for multitenancy [3]; it requires you to supply a resolver that would return a KeycloakDeployment instance based on request parameters.
One of its bonus features is that you can completely redefine the behavior of KeycloakDeployment. For example, you can extend org.keycloak.adapters.KeycloakDeployment and override its resolveUrls() method, to make the URLs point to your 3rd party IDP.

This approach doesn't require any modifications to the adapter code, so I'd recommend you start with it. However, I wouldn't rule out further incompatibilities that could pop up.

Another option is installing an intermediary Keycloak (server), configuring brokering to 3rd party IDP and pointing your adapter to Keycloak. Though sounds like an overkill, it's a bulletproof solution that should work 100% (and it also has some other benefits).

There are of course other options like using 3rd party IDP's equivalent for Keycloak adapter (is it Intuit BTW?), or using other OpenID Connect Java libraries [4], or even proxy-level adapters like apache-mod_auth_openidc [5] or Keycloak Gatekeeper [6]. But I understand that this would probably require code rewrite, so you should consider these options only as the last resort.

As for SAML and why it used to work: Keycloak adapter uses standard SAML SP metadata for configuration, which defines URLs strictly and unambiguously; here we need to admit that SAML is more mature and feature-complete.

OIDC, on the contrary, allows for some freedom. At the moment, Keycloak OIDC adapter doesn't use any standard metadata, but rather generates URLs using hardcoded templates. I think Keycloak adapter could use OIDC's rough equivalent for SAML metadata, namely "well-known" URLs.

You can experiment with your IDP and append ".well-known/openid-configuration" to its URL. If my conjecture about Intuit is correct, then it should look like this:
https://oauth.platform.intuit.com/op/v1/.well-known/openid-configuration

In theory, Keycloak OIDC adapter could ingest this metadata instead of hardcoding URL templates. To me, this could be a valuable addition, but surprisingly I don't see any related JIRA issue. Maybe Keycloak developers could give us some feedback.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/constants/ServiceUrlConstants.java#L26
[2] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java#L161
[3] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[4] https://openid.net/developers/certified/
[5] https://github.com/zmartzone/mod_auth_openidc
[6] https://github.com/keycloak/keycloak-gatekeeper

On Thu, 2018-11-08 at 14:13 +0000, Usai, Fabrizio wrote:
> Dear,
> 
> 
> > We are using Keycloak Java adapter 4.5.0 in combination with EAP7.1. When we configure our keycloak.json we have for auth-server-url the url https://authentication.country.com/op/v1/auth (the original url is changed for privacy reasons). So far so good.
> 
> When we navigate to our application, we are forwarded to https://authentication.country.com/op/v1/auth/realms/KeycloakOIDCRealm/protocol/openid-connect/auth?response_type=code&client_id=fac9d161-d27d-493d-uze896zed78&redirect_uri=.....
> 
> This is not good, since we use our own identity provider. Removing the realms/KeycloakOIDCRealm/protocol/openid-connect/ part of the url, forwards it correctly to the identity provider. So the Keycloak adapter adds it by default, assuming we will always use Keycloak as an identity provider. Before we were using SAML and didn't had this issue.
> 
> How can we configure the keycloak.json for the adapter to leave out the addition of realms/KeycloakOIDCRealm/protocol/openid-connect/?
> 
> We don't understand why with SAML we didn't had this issue at all, and now with OpenID it seems very difficult to solve this issue. Our current guess to solve this, is to overwrite some Keycloak Java class and make sure the url is built the correct way. Although it is a bit dirty, we could accept this as solution (if it is possible), but we prefer to do this via configuration.
> 
> 
> Kind regards,
> 
> Fabrizio Usai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list