Hi,
Are you using
https://github.com/BTBurke/caddy-jwt/blob/master/README.md ?
So I have never used Caddy, but a couple of things:
* Keycloak uses RSA to sign the token, so you need to specify JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET.
* Just use a public client (because Caddy JWT probably doesn't handle this) and do not enable authorization (you just want authentication, right?).
* The redirect field in your config block looks like it should be the endpoint for authenticating your user; not sure why you are using the /account endpoint, which is a completely different thing (it is the "space" where logged-in users can manage their account: reset password, etc.). The redirect value would look something like:
http://localhost:8180/auth/realms/myrealmprotocol/openid-connect/auth?cli...
<http://localhost:8180/auth/realms/katacoda/protocol/openid-connect/auth?c...>
If your app is just a service endpoint, you probably don't need the redirect field to be set since you will obtain the token differently.
You said that you kept being redirected even when you are logged in; what does "logged in" mean here? Did you manage to log in with Keycloak? Are you using the Keycloak JavaScript adapter in your webapp to obtain your token?
On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek <nolan(a)thewordnerd.info> wrote:
Apologies if the answer to this is simple. I've pored through every doc I can get my hands on and am a bit overwhelmed.
I'm trying to set up a shared account service that works across my
static website, forum, and eventually on mobile apps. Given that
security isn't a core competency, I decided to try using Keycloak for this.
My first goal is to require authentication to example.com/members. I'm using the Caddy web server, which has a JWT-based protection scheme built in. Keycloak is running at example.com/auth.
What I *thought* I'd do is set up my website as a confidential client
with authorization enabled. Caddy needs a shared secret for the JWT, so
I thought this would be the client secret. Also, since my website and
Keycloak are on the same domain, I thought that if they shared a secret
and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication
would just work. Alas, no. Here's my Caddy JWT configuration block:
jwt {
path /members
redirect /auth/realms/myrealm/account
token_source header
token_source cookie KEYCLOAK_IDENTITY
}
Visiting /members just redirects me to my account page again and again,
even if I'm logged in.
Am I completely off the rails here? I thought about using the client
library, but I don't know if that works for confidential authorization
setups. I don't even know if I *need* a confidential authorization setup
here, or if I'm completely misunderstanding. It also occurs to me that
I'm redirecting to /auth/realms/myrealm/account. There's nothing in that
URL indicating which client to use, and as such, which secret to
generate the JWT with. So before I go too much further down this rabbit
hole, I wanted to check my assumptions.
Thanks for any help.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
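The reply's first point (Keycloak signs with RSA, so the gateway needs the realm public key, not a shared secret), as an added example in Go (Caddy's language) that is not code from this thread, from caddy-jwt or from Keycloak: a minimal RS256 signer standing in for the realm, and a verifier that accepts a token only under the public key and only with alg=RS256. Key, claims and token are constructed in the example; a real gateway would load the realm's published public key instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// signRS256 signs header.payload with the realm RSA private key, as Keycloak does (constructed stand-in).
func signRS256(key *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// verifyRS256 checks the token against the realm public key only and pins alg to RS256.
func verifyRS256(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}
```

The alg pin is the part a shared-secret mindset misses: with a public key configured, a header that names another algorithm must be refused rather than checked with the wrong primitive.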