[keycloak-user] Keycloak and shared JWT secrets

[Nolan Darilek]

Yes, that's the JWT plugin I'm using.


I will eventually need roles. Can I do this without enabling 
authorization on the client? I'll be using Caddy's JWT module to 
authorize access to some resources. I don't know if this means I need 
authorization support to enable roles, or if I *don't* need 
authorization support because I'm not asking Keycloak to grant or deny 
access to my pages based on their URLs.


When you say to use a public client because Caddy won't handle this, 
what specifically do you mean? It won't handle setting a public key? It 
does seem to via the JWT_PUBLIC_KEY environment variable as you noted. I 
imagine I'll need to retrieve that from a .well-known endpoint? 
Otherwise, I'm not sure what isn't being handled here. Sorry if I seem 
dense--this is a bit overwhelming and I'd like to get it right.

I'm not using the JS adapter because I don't have an app as such. For 
now I just have some static pages generated by Hugo, and I'm trying to 
gate access to a /members section. In the future I'll probably have a 
few different levels of access, which I'll represent by roles, so 
/members/gold, /members/silver, etc. may be gated by role. This blocking 
is happening on the server side. I'm not immediately clear on how the JS 
library would help in this case, since my pages are just being served up 
directly.

Thanks for the pointer on the wrong redirect URL. I used the /account 
endpoint because it at least prompts me to log in if I'm not. When I say 
that I'm being redirected, I mean that hitting /members doesn't take me 
to the members-only page, but takes me to the account redirect if I'm 
logged into Keycloak, which I definitely am.

Thanks for the help.

On 4/11/19 12:22 PM, Sebastien Blanc wrote:
> Hi,
>
> Are you using 
> https://github.com/BTBurke/caddy-jwt/blob/master/README.md ?
>
> So I never used Caddy but a couple of things :
>
> * Keycloak uses RSA to sign the token, so you need to specify 
> JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET.
> * Just use a public client (because Caddy JWT probably don't handle 
> this) and do not enable authorization (you just want authentication 
> right ?)
> * the redirect field from your config block looks like to be the 
> endpoint for authenticating your user, not sure why you are using the 
> /account endpoint, this is a completely different thing ( this is the 
> "space" where logged-in users can manage their account : reset 
> password etc ...)  , the redirect value would looks like something as :
>
> http://localhost:8180/auth/realms/myrealmprotocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_mode=fragment&response_type=code 
>
> <http://localhost:8180/auth/realms/katacoda/protocol/openid-connect/auth?client_id=quarkus-front&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&state=6d7a4fdb-ee71-41d6-846d-1e0a4b7060ab&response_mode=fragment&response_type=code>
>
> If you are app is just an service endpoint you probably don't need the 
> redirect field to be set since you will obtain the token differently :
>  You said that you kept being redirected even when you are logged in , 
> what does that means "logged in"  ? Did you managed to log in with 
> Keycloak ? Are you using the Keycloak Javascript adapter in your 
> webapp to obtain your token ?
>
>
>
>
>
> On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek <nolan at thewordnerd.info 
> <mailto:nolan at thewordnerd.info>> wrote:
>
>     Apologies if the answer to this is simple. I've poured through
>     every doc
>     I can get my hands on and am a bit overwhelmed.
>
>
>     I'm trying to set up a shared account service that works across my
>     static website, forum, and eventually on mobile apps. Given that
>     security isn't a core competency, I decided to try using Keycloak
>     for this.
>
>
>     My first goal is to require authentication to example.com/members
>     <http://example.com/members>. I'm
>     using the Caddy web server which has a JWT-based protection scheme
>     built-in. Keycloak is running at example.com/auth
>     <http://example.com/auth>.
>
>
>     What I *thought* I'd do is set up my website as a confidential client
>     with authorization enabled. Caddy needs a shared secret for the
>     JWT, so
>     I thought this would be the client secret. Also, since my website and
>     Keycloak are on the same domain, I thought that if they shared a
>     secret
>     and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that
>     authentication
>     would just work. Alas, no. Here's my Caddy JWT configuration block:
>
>
>     jwt {
>        path /members
>        redirect /auth/realms/myrealm/account
>        token_source header
>        token_source cookie KEYCLOAK_IDENTITY
>     }
>
>     Visiting /members just redirects me to my account page again and
>     again,
>     even if I'm logged in.
>
>
>     Am I completely off the rails here? I thought about using the client
>     library, but I don't know if that works for confidential
>     authorization
>     setups. I don't even know if I *need* a confidential authorization
>     setup
>     here, or if I'm completely misunderstanding. It also occurs to me
>     that
>     I'm redirecting to /auth/realms/myrealm/account. There's nothing
>     in that
>     URL indicating which client to use, and as such, which secret to
>     generate the JWT with. So before I go too much further down this
>     rabbit
>     hole, I wanted to check my assumptions.
>
>
>     Thanks for any help.
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>