[keycloak-dev] Keycloak integration with mod_auth_openidc broken

Hello, it looks like its currently not possible to use mod_auth_openidc with Keycloak for authorization of legacy applications. The current workaround described by mod_auth_openidc is to use OpenID Connect for authentication and use the apache ldap module for authorization, which is a rather ugly workaround IMHO. The problem currently is twofold: 1) One can use mod_auth_openidc to verify claims, but it doesn’t come with JSON path support[1], so matching the claims in realm_access.roles isn’t possible, only arrays in a flat JSON tree are supported[2]. 2) This wouldn’t cause any issues, as Keycloak comes with a User Realm Role mapper, which is able to map roles to a different key (in my example below the key is ‘roles’). { "jti": "01667279-a161-47ae-a093-b08643a1b7b5", "exp": 1485977685, … "realm_access": { "roles": [ “application_x", “application_y", "uma_authorization", ] }, "roles": “[application_x, application_y, uma_authorization]", } The problem with the mapper is that the value of roles, is served as a string instead of an array and mod_auth_openidc cannot handle this properly[3]. Btw. the same thing goes for the User Client Role mapper! Which looks like this: { "client_role": "[login]” } An issue for this has already been created: https://issues.jboss.org/browse/KEYCLOAK-4205 It would be so great to get this fixed in the next release!! Best, Stefan. [1] https://groups.google.com/forum/#!topic/mod_auth_openidc/QOMMYeXt5Jc [2] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L85 [3] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L67