[keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!
max.allan+keycloak at surevine.com
Fri Jul 13 12:30:51 EDT 2018
The AWS ALB will allow you to authenticate to cognito or OIDC nowadays.
I thought "Great, I can connect it up to my KeyCloak".
Sadly not. Well, I can connect it to KeyCloak and see sensible looking
headers and JWTs flowing back and forth.
And then the ALB says "500 Internal Server Error" :-(
I can see a request to keycloak (from the client) :
And it 302 redirects back to the ALB :
On the KeyCloak server I can see the POST requests from the browser coming
in and hitting the authenticate URL; KC hands back a 302 (the URL above).
Then the ALB does a POST to the token endpoint and gets a 200 response with
a nice chunk of access token. I can decode it and see my details quite
happily. I even validated the signature (using jwt.io's debugger).
Although the ALB doesn't ask for the certificate at any stage, so I don't
think it even bothers validating it.
But it doesn't seem to like it. And gives me a 500 error.
(I can authenticate with Google OIDC without any trouble...)
(NB Any secrets in any of those strings won't get you very far, there is no
content yet :-) )
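The inspection described above (decoding the tokens the ALB gets back from the token endpoint and looking at their claims), as an added example that is not part of the original post: it parses a token-endpoint JSON body, decodes any `id_token` / `access_token` present, and compares issuer, audience and expiry against what the relying party expects. Signature verification is deliberately left out (the poster did that with jwt.io); the issuer URL, client id and token contents below are constructed placeholders, not real Keycloak output.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token: str):
    """Split a compact JWS into (header, claims). The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_token_response(body: str, expected_iss: str, client_id: str, now=None) -> dict:
    """Per token type, report presence, signing alg/kid, and whether iss/aud/exp fit."""
    now = int(time.time()) if now is None else now
    resp = json.loads(body)
    report = {}
    for name in ("id_token", "access_token"):
        tok = resp.get(name)
        if tok is None:
            report[name] = {"present": False}   # e.g. only an access_token came back
            continue
        header, claims = decode_jwt(tok)
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud   # 'aud' may be a string or a list
        report[name] = {
            "present": True,
            "alg": header.get("alg"),
            "kid": header.get("kid"),
            "iss_ok": claims.get("iss") == expected_iss,
            "aud_ok": client_id in aud,
            "expired": claims.get("exp", 0) <= now,
        }
    return report

# Constructed sample (not real Keycloak output); the signature segment is a placeholder
def make_sample_token(claims: dict) -> str:
    header = {"alg": "RS256", "kid": "example-kid"}
    body = ".".join(_b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    return body + "." + _b64url_encode(b"placeholder-signature")

SAMPLE_ISS = "https://keycloak.example.test/auth/realms/demo"   # assumed realm URL
SAMPLE_RESPONSE = json.dumps({
    "access_token": make_sample_token({"iss": SAMPLE_ISS, "aud": "account", "exp": 1531500000}),
    "token_type": "bearer",
})
```

Running `check_token_response(SAMPLE_RESPONSE, SAMPLE_ISS, "alb-client")` on the sample shows no `id_token` at all and an `access_token` whose audience is not the relying party's client id, which is the kind of mismatch worth ruling out before suspecting the ALB itself.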