Yes, that's the JWT plugin I'm using.
I will eventually need roles. Can I do this without enabling
authorization on the client? I'll be using Caddy's JWT module to
authorize access to some resources. I don't know if this means I need
authorization support to enable roles, or if I *don't* need
authorization support because I'm not asking Keycloak to grant or deny
access to my pages based on their URLs.
When you say to use a public client because Caddy won't handle this,
what specifically do you mean? It won't handle setting a public key? It
does seem to via the JWT_PUBLIC_KEY environment variable as you noted. I
imagine I'll need to retrieve that from a .well-known endpoint?
Otherwise, I'm not sure what isn't being handled here. Sorry if I seem
dense; this is a bit overwhelming and I'd like to get it right.
I'm not using the JS adapter because I don't have an app as such. For
now I just have some static pages generated by Hugo, and I'm trying to
gate access to a /members section. In the future I'll probably have a
few different levels of access, which I'll represent by roles, so
/members/gold, /members/silver, etc. may be gated by role. This blocking
is happening on the server side. I'm not immediately clear on how the JS
library would help in this case, since my pages are just being served up
directly.
Thanks for the pointer on the wrong redirect URL. I used the /account
endpoint because it at least prompts me to log in if I'm not. When I say
that I'm being redirected, I mean that hitting /members doesn't take me
to the members-only page, but takes me to the account redirect if I'm
logged into Keycloak, which I definitely am.
Thanks for the help.
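To make the two points in this thread concrete (Keycloak signs with RSA, so the relying party only needs the realm's public key, and realm roles arrive inside the token under realm_access.roles), here is a small added example that is not code from the thread, from caddy-jwt or from Keycloak: it mints an RS256 token the way Keycloak does, verifies it with nothing but the public key, and gates a tier such as /members/gold on a role. The key pair, the claims and the role names are constructed locally; a real deployment would take the public key from the realm's published keys instead.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims keeps the one part of a Keycloak access token needed here: realm_access.roles.
type Claims struct {
	RealmAccess struct{ Roles []string `json:"roles"` } `json:"realm_access"`
}
var b64 = base64.RawURLEncoding
// NewKey stands in for the realm's RSA key pair (generated locally, not fetched from Keycloak).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// SignRS256 mints a compact JWT the way Keycloak does: RSA-SHA256 over header.payload.
func SignRS256(c Claims, priv *rsa.PrivateKey) (string, error) {
	body, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 is what caddy-jwt does with JWT_PUBLIC_KEY: pin the alg, check the RSA signature, then trust claims.
func VerifyRS256(token string, pub *rsa.PublicKey) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return c, errors.New("malformed token") }
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" { return c, errors.New("alg must be RS256") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return c, err }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil { return c, errors.New("bad signature") }
	payload, err := b64.DecodeString(parts[1])
	if err != nil { return c, err }
	return c, json.Unmarshal(payload, &c)
}

// HasRealmRole gates a path such as /members/gold on a realm role.
func HasRealmRole(c Claims, role string) bool {
	for _, r := range c.RealmAccess.Roles { if r == role { return true } }
	return false
}
```

Because only the public half of the key is ever given to Caddy, a shared client secret plays no part in verifying the token; it is the signature check, not the cookie, that decides whether /members is served.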
On 4/11/19 12:22 PM, Sebastien Blanc wrote:
Hi,
Are you using
https://github.com/BTBurke/caddy-jwt/blob/master/README.md?
So I never used Caddy, but a couple of things:
* Keycloak uses RSA to sign the token, so you need to specify
JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET.
* Just use a public client (because Caddy JWT probably doesn't handle
this) and do not enable authorization (you just want authentication,
right?)
* The redirect field from your config block looks like it should be the
endpoint for authenticating your user. Not sure why you are using the
/account endpoint; this is a completely different thing (this is the
"space" where logged-in users can manage their account: reset
password etc.). The redirect value would look something like:
http://localhost:8180/auth/realms/myrealmprotocol/openid-connect/auth?cli...
If your app is just a service endpoint, you probably don't need the
redirect field to be set, since you will obtain the token differently.
You said that you kept being redirected even when you are logged in;
what does "logged in" mean? Did you manage to log in with
Keycloak? Are you using the Keycloak JavaScript adapter in your
webapp to obtain your token?
On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek <nolan@thewordnerd.info> wrote:
Apologies if the answer to this is simple. I've pored through every doc
I can get my hands on and am a bit overwhelmed.
I'm trying to set up a shared account service that works across my
static website, forum, and eventually on mobile apps. Given that
security isn't a core competency, I decided to try using Keycloak
for this.
My first goal is to require authentication to example.com/members. I'm
using the Caddy web server which has a JWT-based protection scheme
built-in. Keycloak is running at example.com/auth.
What I *thought* I'd do is set up my website as a confidential client
with authorization enabled. Caddy needs a shared secret for the JWT, so
I thought this would be the client secret. Also, since my website and
Keycloak are on the same domain, I thought that if they shared a secret
and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication
would just work. Alas, no. Here's my Caddy JWT configuration block:
jwt {
path /members
redirect /auth/realms/myrealm/account
token_source header
token_source cookie KEYCLOAK_IDENTITY
}
Visiting /members just redirects me to my account page again and again,
even if I'm logged in.
Am I completely off the rails here? I thought about using the client
library, but I don't know if that works for confidential authorization
setups. I don't even know if I *need* a confidential authorization setup
here, or if I'm completely misunderstanding. It also occurs to me that
I'm redirecting to /auth/realms/myrealm/account. There's nothing in that
URL indicating which client to use, and as such, which secret to
generate the JWT with. So before I go too much further down this rabbit
hole, I wanted to check my assumptions.
Thanks for any help.