[keycloak-user] Keycloak and shared JWT secrets
Nolan Darilek
nolan at thewordnerd.info
Thu Apr 11 10:28:07 EDT 2019
Apologies if the answer to this is simple. I've poured through every doc
I can get my hands on and am a bit overwhelmed.
I'm trying to set up a shared account service that works across my
static website, forum, and eventually on mobile apps. Given that
security isn't a core competency, I decided to try using Keycloak for this.
My first goal is to require authentication to example.com/members. I'm
using the Caddy web server which has a JWT-based protection scheme
built-in. Keycloak is running at example.com/auth.
What I *thought* I'd do is set up my website as a confidential client
with authorization enabled. Caddy needs a shared secret for the JWT, so
I thought this would be the client secret. Also, since my website and
Keycloak are on the same domain, I thought that if they shared a secret
and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication
would just work. Alas, no. Here's my Caddy JWT configuration block:
jwt {
path /members
redirect /auth/realms/myrealm/account
token_source header
token_source cookie KEYCLOAK_IDENTITY
}
Visiting /members just redirects me to my account page again and again,
even if I'm logged in.
Am I completely off the rails here? I thought about using the client
library, but I don't know if that works for confidential authorization
setups. I don't even know if I *need* a confidential authorization setup
here, or if I'm completely misunderstanding. It also occurs to me that
I'm redirecting to /auth/realms/myrealm/account. There's nothing in that
URL indicating which client to use, and as such, which secret to
generate the JWT with. So before I go too much further down this rabbit
hole, I wanted to check my assumptions.
Thanks for any help.
More information about the keycloak-user
mailing list