[keycloak-user] Keycloak and shared JWT secrets

Sebastien Blanc sblanc at redhat.com
Thu Apr 11 13:22:07 EDT 2019


Hi,

Are you using https://github.com/BTBurke/caddy-jwt/blob/master/README.md ?

So I have never used Caddy, but a couple of things:

* Keycloak uses RSA to sign the token, so you need to specify
JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET.
* Just use a public client (because Caddy JWT probably doesn't handle this)
and do not enable authorization (you just want authentication, right?)
* the redirect field from your config block looks like it should be the endpoint
for authenticating your user; not sure why you are using the /account
endpoint, which is a completely different thing (this is the "space" where
logged-in users can manage their account: reset password etc.). The
redirect value would look something like:

http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_mode=fragment&response_type=code


If your app is just a service endpoint you probably don't need the
redirect field to be set, since you will obtain the token differently.
You said that you kept being redirected even when you are logged in; what
does "logged in" mean there? Did you manage to log in with Keycloak?
Are you using the Keycloak JavaScript adapter in your webapp to obtain your
token?





On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek <nolan at thewordnerd.info>
wrote:

> Apologies if the answer to this is simple. I've pored through every doc
> I can get my hands on and am a bit overwhelmed.
>
>
> I'm trying to set up a shared account service that works across my
> static website, forum, and eventually on mobile apps. Given that
> security isn't a core competency, I decided to try using Keycloak for this.
>
>
> My first goal is to require authentication to example.com/members. I'm
> using the Caddy web server which has a JWT-based protection scheme
> built-in. Keycloak is running at example.com/auth.
>
>
> What I *thought* I'd do is set up my website as a confidential client
> with authorization enabled. Caddy needs a shared secret for the JWT, so
> I thought this would be the client secret. Also, since my website and
> Keycloak are on the same domain, I thought that if they shared a secret
> and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication
> would just work. Alas, no. Here's my Caddy JWT configuration block:
>
>
> jwt {
>    path /members
>    redirect /auth/realms/myrealm/account
>    token_source header
>    token_source cookie KEYCLOAK_IDENTITY
> }
>
> Visiting /members just redirects me to my account page again and again,
> even if I'm logged in.
>
>
> Am I completely off the rails here? I thought about using the client
> library, but I don't know if that works for confidential authorization
> setups. I don't even know if I *need* a confidential authorization setup
> here, or if I'm completely misunderstanding. It also occurs to me that
> I'm redirecting to /auth/realms/myrealm/account. There's nothing in that
> URL indicating which client to use, and as such, which secret to
> generate the JWT with. So before I go too much further down this rabbit
> hole, I wanted to check my assumptions.
>
>
> Thanks for any help.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
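Sebastien's first point (Keycloak signs its tokens with RSA, so a gateway has to verify them with the realm public key, and a client secret used as a JWT_SECRET can never validate them) is easiest to see in working code. The following is an added example; it is not code from this thread, from Caddy, from caddy-jwt or from Keycloak. It generates a throwaway RSA key pair that stands in for the realm's signing key (in a real deployment you would fetch the public key from the realm's JWKS endpoint, /auth/realms/<realm>/protocol/openid-connect/certs, or copy it from Realm Settings > Keys in the admin console), mints a Keycloak-shaped RS256 access token with constructed claims, runs the checks a JWT_PUBLIC_KEY-style gateway must make, and shows that an HS256 check keyed with the client secret rejects the same token. ISSUER, CLIENT_ID, CLIENT_SECRET, the kid and every claim value are assumptions for the demo; the hand-rolled RSA and Miller-Rabin code exist only so the example runs offline with the standard library.

```python
import base64, hashlib, hmac, json, random

# ---- Demo-only RSA key generation: stands in for the realm's signing key (assumption) ----
def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; fine for a throwaway demo key, not a replacement for Keycloak's keystore."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_demo_keypair(bits=1024, seed=2019):
    rng, e = random.Random(seed), 65537          # seeded so the example is reproducible
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1   # full size, odd
            if is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, pow(e, -1, phi)), (p * q, e)   # (private, public)

# ---- RSASSA-PKCS1-v1_5 with SHA-256, i.e. the JWT "RS256" algorithm (RFC 8017 / RFC 7518) ----
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")   # DER prefix for SHA-256

def _emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    # Re-encode and compare the whole block instead of parsing padding out of the signature.
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(msg, k))

def b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# ---- Assumed deployment values (placeholders, not taken from the thread) ----
ISSUER = "https://example.com/auth/realms/myrealm"
CLIENT_ID = "website"
CLIENT_SECRET = "client-secret-copied-from-the-admin-console"   # what JWT_SECRET would have been
REALM_PRIV, REALM_PUB = generate_demo_keypair()

def build_demo_token(now, lifetime=300):
    """Mint a token shaped like a Keycloak access token; every claim value here is constructed."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-realm-key"}
    claims = {"iss": ISSUER, "aud": "account", "azp": CLIENT_ID, "typ": "Bearer",
              "sub": "demo-user-id", "preferred_username": "nolan", "iat": now, "exp": now + lifetime}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(rsa_sign(REALM_PRIV, signing_input.encode()))

def verify_token(token, pub, issuer, client_id, now):
    """The checks a gateway holding the realm public key must make. Returns (ok, reason, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header = json.loads(b64url_dec(parts[0]))
    if header.get("alg") != "RS256":                 # never let the token choose the algorithm
        return False, "unexpected alg %r" % header.get("alg"), None
    if not rsa_verify(pub, (parts[0] + "." + parts[1]).encode(), b64url_dec(parts[2])):
        return False, "bad signature", None
    claims = json.loads(b64url_dec(parts[1]))         # only decoded after the signature holds
    if claims.get("iss") != issuer:
        return False, "wrong issuer", None
    if claims.get("exp", 0) <= now:
        return False, "expired", None
    # Keycloak puts the requesting client in azp and often only "account" in aud; accept either.
    aud = claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if client_id not in aud and claims.get("azp") != client_id:
        return False, "not issued for this client", None
    return True, "ok", claims

def hs256_check(token, secret):
    """The shared-secret model (JWT_SECRET): HMAC over the signing input. It cannot validate an RS256 token."""
    h, p, s = token.split(".")
    mac = hmac.new(secret.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, b64url_dec(s))
```

Calling `verify_token(build_demo_token(now), REALM_PUB, ISSUER, CLIENT_ID, now)` returns `(True, "ok", claims)`, while `hs256_check` with the client secret returns `False` for the same token, which is exactly the failure Nolan saw with a shared-secret configuration. In production, replace the hand-rolled RSA with a maintained JWT library pointed at the realm's JWKS endpoint, keep the fixed-algorithm, issuer, expiry and audience checks, and give the gateway the realm's public key (PEM) where caddy-jwt expects JWT_PUBLIC_KEY.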

