[keycloak-dev] Keycloak integration with mod_auth_openidc broken

Stefan Schlesinger sts at ono.at
Wed Feb 1 15:06:50 EST 2017


Hello,

it looks like it's currently not possible to use mod_auth_openidc with Keycloak for authorization of legacy applications. The current workaround described by mod_auth_openidc is to use OpenID Connect for authentication and the Apache LDAP module for authorization, which is a rather ugly workaround IMHO.

The problem currently is twofold:

 1) One can use mod_auth_openidc to verify claims, but it doesn’t come with JSON path support[1], so matching the claims in realm_access.roles isn’t possible, only arrays in a flat JSON tree are supported[2].

 2) This wouldn’t cause any issues, as Keycloak comes with a User Realm Role mapper, which is able to map roles to a different key (in my example below the key is ‘roles’).

{
  "jti": "01667279-a161-47ae-a093-b08643a1b7b5",
  "exp": 1485977685,
  …
  "realm_access": {
    "roles": [
      "application_x",
      "application_y",
      "uma_authorization"
    ]
  },
  "roles": "[application_x, application_y, uma_authorization]"
}

The problem with the mapper is that the value of roles is served as a string instead of an array, and mod_auth_openidc cannot handle this properly[3].

Btw. the same thing goes for the User Client Role mapper, which looks like this:

{
  "client_role": "[login]"
}

An issue for this has already been created: https://issues.jboss.org/browse/KEYCLOAK-4205

It would be so great to get this fixed in the next release!!

Best,

Stefan.


[1] https://groups.google.com/forum/#!topic/mod_auth_openidc/QOMMYeXt5Jc
[2] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L85
[3] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L67
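The following is an added illustration of the two failure modes described in the message above; it is not code from the original post, from mod_auth_openidc or from Keycloak. It models mod_auth_openidc's `Require claim name:value` check in the simplified way the post describes it (top-level claims only, exact string match or array membership, no traversal into nested objects), runs it against a constructed token payload shaped like the one in the post, and then shows what would have to happen to the mapper's stringified `"[a, b, c]"` value before a flat matcher could use it. The `parse_stringified_roles` and `normalise_role_claims` helpers are assumptions for illustration, not functionality of either project, and they assume role names contain no commas.

```python
import json

# Constructed sample payload mirroring the shapes quoted in the post:
# the nested realm_access.roles array, the User Realm Role mapper's
# stringified "roles" claim and the User Client Role mapper's "client_role".
SAMPLE_CLAIMS = json.loads(r'''
{
  "realm_access": {
    "roles": ["application_x", "application_y", "uma_authorization"]
  },
  "roles": "[application_x, application_y, uma_authorization]",
  "client_role": "[login]"
}
''')


def claim_matches(claims, require):
    """Simplified model of an Apache 'Require claim name:value' line.

    Only top-level claims are looked up: a string claim must equal the value
    exactly, an array claim must contain the value as an element.  Nested
    objects such as realm_access.roles are not traversed, which is the
    limitation the post describes.  This is an illustration, not the module's
    own authz code.
    """
    name, _, value = require.partition(":")
    claim = claims.get(name)
    if isinstance(claim, str):
        return claim == value
    if isinstance(claim, list):
        return any(isinstance(item, str) and item == value for item in claim)
    return False  # missing claim, nested object, number, ...


def parse_stringified_roles(value):
    """Turn the mapper's "[a, b, c]" rendering back into a list of role names.

    Hypothetical helper showing what a consumer of the broken claim shape
    would have to do; it assumes role names contain no commas.
    """
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return None
    inner = value[1:-1].strip()
    if not inner:
        return []
    return [item.strip() for item in inner.split(",")]


def normalise_role_claims(claims):
    """Return a copy of the claims with stringified lists replaced by real arrays."""
    fixed = dict(claims)
    for key, value in claims.items():
        roles = parse_stringified_roles(value)
        if roles is not None:
            fixed[key] = roles
    return fixed


def demo():
    """Run the three checks from the discussion and return their outcomes."""
    results = {}
    # 1) the nested claim is out of reach for a flat matcher
    results["nested"] = claim_matches(SAMPLE_CLAIMS, "realm_access.roles:application_x")
    # 2) the mapper's "[...]" string is compared as one string and never matches
    results["stringified"] = claim_matches(SAMPLE_CLAIMS, "roles:application_x")
    # 3) a real JSON array is the shape the flat matcher can consume
    results["array"] = claim_matches(normalise_role_claims(SAMPLE_CLAIMS), "roles:application_x")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:12s} -> {'allowed' if outcome else 'denied'}")
```

The third check is the point of the feature request: once `roles` is emitted as an actual JSON array, the flat matcher needs no JSON path support at all, so fixing the mapper output on the Keycloak side is enough for `Require claim roles:application_x` to work.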

