[keycloak-user] Keycloak as OpenID Connect provider for Liferay Portal 6.2

Sebastien Blanc sblanc at redhat.com
Tue Feb 19 09:00:01 EST 2019


I'm not 100% sure, but I think your:
openidconnect.issuer=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/certs
is not correct. Did you try pointing just to your realm? https://<my keycloak and port>/auth/realms/CMFIRST

Also maybe this blog post could help you :
https://community.liferay.com/blogs/-/blogs/liferay-keycloak-integration


On Tue, Feb 19, 2019 at 2:46 PM Chris Smith <chris.smith at cmfirstgroup.com>
wrote:

> Liferay Portal has an OpenID Connect plugin, configured by a property file
> with these properties
>
> openidconnect.enableOpenIDConnect=true
> openidconnect.token-location=https://<my keycloak and
> port>/auth/realms/CMFIRST/protocol/openid-connect/token
> openidconnect.authorization-location=https://<my keycloak and
> port>/auth/realms/CMFIRST/protocol/openid-connect/auth
> openidconnect.profile-uri=https://<my keycloak and
> port>/auth/realms/CMFIRST/protocol/openid-connect/userinfo
> openidconnect.issuer=https://<my keycloak and
> port>/auth/realms/CMFIRST/protocol/openid-connect/certs
> openidconnect.client-id=Portal
> openidconnect.secret=<my secret>
> openidconnect.scope=openid profile email
>
> Property docs at end of email
>
> My keycloak Client is an out of the box setup
> Here are the realm keys.
>
> AES | OCT | <a uuid> | 100 | aes-generated
> <https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/aes-generated/b00f30ba-49da-4dfb-8f21-c256b069ec5b>
>
> HS256 | OCT | <a uuid> | 100 | hmac-generated
> <https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/hmac-generated/c2362731-7a65-416f-918e-1b8c67ac7cb1>
>
> RS256 | RSA | <something> | 100 | rsa-generated
> <https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/rsa-generated/e57385c6-e6eb-421c-945e-725a30f189b5>
>
> Public key
>
> Certificate
>
>
> Liferay does not like the jwt signature
>
> 13:09:39,833 WARN  [http-bio-8080-exec-10][Liferay62Adapter:46] The token
> was not valid: -- JWT --__Raw String:
> eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJWTUtfTHpWbDY0T2plZW9NVkppajRTLTFNYTZ3aDU5b1dkWHpycXZ5MDJBIn0.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.APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL!
>  3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg__Header:
> {"typ": "JWT", "alg": "RS256", "cty": "null" , "kid":
> "VMK_LzVl64OjeeoMVJij4S-1Ma6wh59oWdXzrqvy02A"}__Claims Set: {"iss":
> "https://<my kc host and port>/auth/realms/CMFIRST", "sub":
> "ff0bf51e-9af9-43bd-a454-dd3d39938f1a", "aud": ["Portal"], "exp":
> 1550582079, "nbf": "0", "iat": 1550581779, "jti":
> "fef435f1-0924-491e-8941-d21a0daececa", "typ": "ID" }__Signature:
> APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg__---------
> [Sanitized]
>
> I don't have these problems in my web apps; they use the Tomcat adapter and
> have no issue with the JWT sig.
> Any suggestions?
>
> Property docs
> Portal properties
> The following portal properties can be set. They are required unless
> specified as optional.
>
> openidconnect.enableOpenIDConnect
>
> Whether to enable the plugin (effectively allowing you to disable the
> plugin without uninstalling it). Boolean, either 'true' or 'false'. Default
> is false.
>
> openidconnect.authorization-location
>
> Complete url to the OpenID Connect Provider's authorization location.
> Example for Google: https://accounts.google.com/o/oauth2/v2/auth
>
> openidconnect.token-location
>
> Complete url to the OpenID Connect Provider's token location. Example for
> Google: https://www.googleapis.com/oauth2/v4/token
>
> openidconnect.profile-uri
>
> Complete URL to the 'user info' endpoint. Example for Google:
> https://www.googleapis.com/plus/v1/people/me/openIdConnect
>
> openidconnect.sso-logout-uri (Optional)
>
> openidconnect.sso-logout-param (Optional)
>
> openidconnect.sso-logout-value (Optional)
>
> Complete URL to the 'SSO logout' endpoint. Ignored if empty. After
> redirection to the given URL, the OpenID Connect Provider should redirect
> to the Liferay Portal home page (or another public after-logout-resource).
> This target may be included in this URL as a URL parameter or may be
> configured for the OpenID Connect Provider.
>
> openidconnect.issuer
>
> The information retrieved from the user info endpoint has to be verified
> against a preconfigured string, according to the OpenID Connect spec. This
> 'issuer' claim is used for that. Example for Google:
> https://accounts.google.com
>
> openidconnect.client-id
>
> Register your Liferay portal as a 'client app' with the Google developer
> console, and the resulting client id is the openid connect client id.
> Non-working example for Google:
> 7kasuf1-123123adfaafdsflni7me2kr.apps.googleusercontent.com
>
> openidconnect.secret
>
> Secret of the client, after registration of the Liferay portal, just like
> the client-id.
>
> openidconnect.scope
>
> Scope(s) of the access token (space separated), should be the same (or a
> subset) of the scopes allowed by the provider to the client. Default value:
> openid profile email
>
> openidconnect.provider (Optional)
>
> Type of OpenID Connect provider. Supported values: generic (default),
> azure. For most Provider implementations, the generic provider works. For
> Azure, use the value azure as this makes slight changes to the fields sent
> as UserInfo.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
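The check Sebastien suggests above (the issuer must be the realm URL, not the certs endpoint) and the property docs in Chris's post (the token's issuer claim is compared against a preconfigured string) can be verified mechanically against the realm's discovery document. The script below is an added example, not code from the thread, from Liferay, or from Keycloak. The host name, the discovery document and the ID token are constructed stand-ins; in practice the discovery document comes from GET <realm>/.well-known/openid-configuration, which Keycloak serves per realm. The property names are the ones listed in the thread.

```python
import base64
import json
from typing import Dict, List

# Constructed stand-in for the Liferay OpenID Connect property file from the thread.
# The host is a placeholder; the issuer line reproduces the suspect setting.
LIFERAY_PROPERTIES = """\
openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://kc.example.test:8443/auth/realms/CMFIRST/protocol/openid-connect/token
openidconnect.authorization-location=https://kc.example.test:8443/auth/realms/CMFIRST/protocol/openid-connect/auth
openidconnect.profile-uri=https://kc.example.test:8443/auth/realms/CMFIRST/protocol/openid-connect/userinfo
openidconnect.issuer=https://kc.example.test:8443/auth/realms/CMFIRST/protocol/openid-connect/certs
openidconnect.client-id=Portal
openidconnect.secret=<my secret>
openidconnect.scope=openid profile email
"""

REALM = "https://kc.example.test:8443/auth/realms/CMFIRST"

# Constructed stand-in for GET {REALM}/.well-known/openid-configuration
# (only the fields this check needs; a real Keycloak document has many more).
DISCOVERY: Dict[str, str] = {
    "issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
    "token_endpoint": REALM + "/protocol/openid-connect/token",
    "userinfo_endpoint": REALM + "/protocol/openid-connect/userinfo",
    "jwks_uri": REALM + "/protocol/openid-connect/certs",
}

# Which Liferay property must carry which discovery field.
PROPERTY_TO_DISCOVERY = {
    "openidconnect.issuer": "issuer",
    "openidconnect.authorization-location": "authorization_endpoint",
    "openidconnect.token-location": "token_endpoint",
    "openidconnect.profile-uri": "userinfo_endpoint",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' comments, blank lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_properties(props: Dict[str, str], discovery: Dict[str, str]) -> List[str]:
    """Return one finding per property that does not match the discovery document."""
    findings = []
    for prop, field in PROPERTY_TO_DISCOVERY.items():
        value = props.get(prop)
        expected = discovery[field]
        if value == expected:
            continue
        # If the value is some *other* published endpoint, name it: pointing the
        # issuer at the certs (jwks_uri) URL is exactly the mix-up in the thread.
        other = [k for k, v in discovery.items() if v == value]
        hint = f" (this is the provider's {other[0]})" if other else ""
        findings.append(f"{prop}={value!r} should be {expected!r}{hint}")
    return findings


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> Dict:
    """Decode the JWT payload only. No signature check here; that is the adapter's job."""
    _, payload, _ = id_token.split(".")
    return json.loads(b64url_decode(payload))


def issuer_ok(claims: Dict, configured_issuer: str) -> bool:
    """OIDC Core 3.1.3.7: the iss claim must exactly equal the configured issuer string."""
    return claims.get("iss") == configured_issuer


def make_sample_id_token(claims: Dict) -> str:
    """Constructed, unsigned sample token with the shape of the one logged in the thread."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".not-a-real-signature"


def diagnose(properties_text: str, discovery: Dict[str, str], id_token: str) -> List[str]:
    """Combine both checks: properties vs. discovery, and the token's iss vs. the property."""
    props = parse_properties(properties_text)
    findings = check_properties(props, discovery)
    if not issuer_ok(id_token_claims(id_token), props["openidconnect.issuer"]):
        findings.append("ID token iss does not equal openidconnect.issuer; token will be rejected")
    return findings


if __name__ == "__main__":
    token = make_sample_id_token({"iss": REALM, "sub": "user", "aud": ["Portal"], "typ": "ID"})
    for line in diagnose(LIFERAY_PROPERTIES, DISCOVERY, token):
        print(line)
```

Run against the properties as posted, it reports the issuer mismatch (naming jwks_uri as what the value actually is) and that the token's iss claim, which Keycloak sets to the bare realm URL, does not equal the configured issuer. With openidconnect.issuer set to the realm URL both findings disappear. The comparison is deliberately an exact string match, so a trailing slash or a different host/port in the property also fails, which is the behaviour an OIDC client is expected to have.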