On Thu, Apr 11, 2019 at 7:57 PM Nolan Darilek <nolan(a)thewordnerd.info>
wrote:
> Yes, that's the JWT plugin I'm using.
> I will eventually need roles. Can I do this without enabling
> authorization on the client? I'll be using Caddy's JWT module to
> authorize access to some resources. I don't know if this means I need
> authorization support to enable roles, or if I *don't* need
> authorization support because I'm not asking Keycloak to grant or deny
> access to my pages based on their URLs.
Looking at the Caddy JWT plugin, it looks like it can do some basic RBAC;
it will be looking at the "groups" claim of the token. In Keycloak, roles
are not put by default in a "groups" claim, but you can easily do that by
creating a custom mapper. And you don't need authorization enabled for
this.
> When you say to use a public client because Caddy won't handle this,
> what specifically do you mean? It won't handle setting a public key? It
> does seem to via the JWT_PUBLIC_KEY environment variable as you noted. I
> imagine I'll need to retrieve that from a .well-known endpoint?
> Otherwise, I'm not sure what isn't being handled here. Sorry if I seem
> dense--this is a bit overwhelming and I'd like to get it right.
What I meant is it does not use the shared secret but the public key for
signature validation. So yes, you have to set JWT_PUBLIC_KEY hardcoded or, as
you said, maybe the JWT Caddy plugin can handle retrieving the key from the JWKS
endpoint; if it can, in Keycloak the endpoint is there:
http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/certs
> I'm not using the JS adapter because I don't have an app as such. For
> now I just have some static pages generated by Hugo, and I'm trying to
> gate access to a /members section. In the future I'll probably have a
> few different levels of access, which I'll represent by roles, so
> /members/gold, /members/silver, etc. may be gated by role. This blocking
> is happening on the server side. I'm not immediately clear on how the JS
> library would help in this case, since my pages are just being served up
> directly.
> Thanks for the pointer on the wrong redirect URL. I used the /account
> endpoint because it at least prompts me to log in if I'm not. When I say
> that I'm being redirected, I mean that hitting /members doesn't take me
> to the members-only page, but takes me to the account redirect if I'm
> logged into Keycloak, which I definitely am.
> Thanks for the help.
> On 4/11/19 12:22 PM, Sebastien Blanc wrote:
> > Hi,
> >
> > Are you using
> > https://github.com/BTBurke/caddy-jwt/blob/master/README.md ?
> >
> > So I have never used Caddy, but a couple of things:
> >
> > * Keycloak uses RSA to sign the token, so you need to specify
> > JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET.
> > * Just use a public client (because Caddy JWT probably doesn't handle
> > this) and do not enable authorization (you just want authentication,
> > right?)
> > * the redirect field from your config block looks like it should be the
> > endpoint for authenticating your user; not sure why you are using the
> > /account endpoint, this is a completely different thing (this is the
> > "space" where logged-in users can manage their account: reset
> > password etc.), the redirect value would look something like:
> >
> > http://localhost:8180/auth/realms/myrealmprotocol/openid-connect/auth?cli...
> > <http://localhost:8180/auth/realms/katacoda/protocol/openid-connect/auth?c...>
> >
> > If your app is just a service endpoint, you probably don't need the
> > redirect field to be set since you will obtain the token differently.
> > You said that you kept being redirected even when you are logged in;
> > what does "logged in" mean? Did you manage to log in with
> > Keycloak? Are you using the Keycloak JavaScript adapter in your
> > webapp to obtain your token?
> >
> > On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek <nolan(a)thewordnerd.info>
> > wrote:
> >
> > > Apologies if the answer to this is simple. I've pored through
> > > every doc I can get my hands on and am a bit overwhelmed.
> > >
> > > I'm trying to set up a shared account service that works across my
> > > static website, forum, and eventually on mobile apps. Given that
> > > security isn't a core competency, I decided to try using Keycloak
> > > for this.
> > >
> > > My first goal is to require authentication to example.com/members. I'm
> > > using the Caddy web server which has a JWT-based protection scheme
> > > built-in. Keycloak is running at example.com/auth.
> > >
> > > What I *thought* I'd do is set up my website as a confidential client
> > > with authorization enabled. Caddy needs a shared secret for the
> > > JWT, so I thought this would be the client secret. Also, since my
> > > website and Keycloak are on the same domain, I thought that if they
> > > shared a secret and if Caddy looked to the KEYCLOAK_IDENTITY cookie,
> > > that authentication would just work. Alas, no. Here's my Caddy JWT
> > > configuration block:
> > >
> > >     jwt {
> > >         path /members
> > >         redirect /auth/realms/myrealm/account
> > >         token_source header
> > >         token_source cookie KEYCLOAK_IDENTITY
> > >     }
> > >
> > > Visiting /members just redirects me to my account page again and
> > > again, even if I'm logged in.
> > >
> > > Am I completely off the rails here? I thought about using the client
> > > library, but I don't know if that works for confidential
> > > authorization setups. I don't even know if I *need* a confidential
> > > authorization setup here, or if I'm completely misunderstanding. It
> > > also occurs to me that I'm redirecting to /auth/realms/myrealm/account.
> > > There's nothing in that URL indicating which client to use, and as
> > > such, which secret to generate the JWT with. So before I go too much
> > > further down this rabbit hole, I wanted to check my assumptions.
> > >
> > > Thanks for any help.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
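As an added illustration of the two points made in this thread (not code from the thread, from caddy-jwt or from Keycloak), here is what the verifying side has to do: Keycloak publishes its RSA public key at the realm's certs (JWKS) endpoint, the token header names that key by kid, and the "groups" claim (which a custom mapper fills from the user's roles) is only trusted once the RS256 signature checks out. Issue stands in for Keycloak plus that mapper so the example runs offline; the kid, the subject and the group names are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
func dec(s string) []byte          { b, _ := b64.DecodeString(s); return b } // nil on bad input
func b64json(v interface{}) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func hash(s string) []byte         { d := sha256.Sum256([]byte(s)); return d[:] }
// jwk keeps the certs-endpoint fields an RS256 verifier needs; x5c and the rest are ignored.
type jwk struct { Kid string `json:"kid"`; N string `json:"n"`; E string `json:"e"` }
// Issue stands in for Keycloak plus a "groups" mapper (constructed sample, not Keycloak code): RS256 token and its JWKS.
func Issue(priv *rsa.PrivateKey, kid string, groups []string) (token string, jwks []byte) {
	signing := b64json(map[string]string{"alg": "RS256", "kid": kid}) + "." + b64json(map[string]interface{}{"sub": "user", "groups": groups})
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hash(signing))
	jwks, _ = json.Marshal(map[string][]jwk{"keys": {{Kid: kid, N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return signing + "." + b64.EncodeToString(sig), jwks
}
// VerifyGroups is the Caddy-side check: pick the JWKS key by the token's kid, verify RS256, then trust "groups"; any other alg is refused.
func VerifyGroups(token string, jwks []byte) ([]string, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var set struct{ Keys []jwk }
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(jwks, &set) != nil {
		return nil, errors.New("malformed token, unsupported alg, or unreadable JWKS")
	}
	var key jwk // the signing key can rotate, so the token's kid selects the entry
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid {
			key = k
		}
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(dec(key.N)), E: int(new(big.Int).SetBytes(dec(key.E)).Int64())}
	if key.Kid == "" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash(p[0]+"."+p[1]), dec(p[2])) != nil {
		return nil, errors.New("no JWKS key for kid " + hdr.Kid + ", or bad signature")
	}
	var claims struct{ Groups []string `json:"groups"` } // read only after the signature held
	err := json.Unmarshal(dec(p[1]), &claims)
	return claims.Groups, err
}
```

A real deployment would fetch the JWKS from the certs URL quoted above and refresh it when an unknown kid appears, and would also check exp, iss and aud before trusting the groups.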