[keycloak-user] Keycloak and shared JWT secrets

Sebastien Blanc sblanc at redhat.com
Fri Apr 12 06:12:29 EDT 2019


On Thu, Apr 11, 2019 at 7:57 PM Nolan Darilek <nolan at thewordnerd.info>
wrote:

> Yes, that's the JWT plugin I'm using.
>
>
> I will eventually need roles. Can I do this without enabling
> authorization on the client? I'll be using Caddy's JWT module to
> authorize access to some resources. I don't know if this means I need
> authorization support to enable roles, or if I *don't* need
> authorization support because I'm not asking Keycloak to grant or deny
> access to my pages based on their URLs.
>
Looking at the Caddy JWT plugin, it looks like it can do some basic RBAC;
it will be looking at the "groups" claim of the token. In Keycloak, roles
are not put by default in a "groups" claim, but you can easily do that by
creating a custom mapper. And you don't need authorization enabled for
this.

>
>
> When you say to use a public client because Caddy won't handle this,
> what specifically do you mean? It won't handle setting a public key? It
> does seem to via the JWT_PUBLIC_KEY environment variable as you noted. I
> imagine I'll need to retrieve that from a .well-known endpoint?
> Otherwise, I'm not sure what isn't being handled here. Sorry if I seem
> dense--this is a bit overwhelming and I'd like to get it right.
>
What I meant is it does not use the shared secret but the public key for
signature validation. So yes, you have to set JWT_PUBLIC_KEY hardcoded or, as
you said, maybe the JWT caddy plugin can handle retrieving the key from the JWKS
endpoint; if it can, in Keycloak the endpoint is here:
http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/certs

>
> I'm not using the JS adapter because I don't have an app as such. For
> now I just have some static pages generated by Hugo, and I'm trying to
> gate access to a /members section. In the future I'll probably have a
> few different levels of access, which I'll represent by roles, so
> /members/gold, /members/silver, etc. may be gated by role. This blocking
> is happening on the server side. I'm not immediately clear on how the JS
> library would help in this case, since my pages are just being served up
> directly.
>
> Thanks for the pointer on the wrong redirect URL. I used the /account
> endpoint because it at least prompts me to log in if I'm not. When I say
> that I'm being redirected, I mean that hitting /members doesn't take me
> to the members-only page, but takes me to the account redirect if I'm
> logged into Keycloak, which I definitely am.
>
> Thanks for the help.
>
> On 4/11/19 12:22 PM, Sebastien Blanc wrote:
> > Hi,
> >
> > Are you using
> > https://github.com/BTBurke/caddy-jwt/blob/master/README.md ?
> >
> > So I never used Caddy but a couple of things :
> >
> > * Keycloak uses RSA to sign the token, so you need to specify
> > JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET.
> > * Just use a public client (because Caddy JWT probably doesn't handle
> > this) and do not enable authorization (you just want authentication,
> > right?)
> > * the redirect field from your config block looks like it should be the
> > endpoint for authenticating your user; not sure why you are using the
> > /account endpoint, this is a completely different thing (this is the
> > "space" where logged-in users can manage their account: reset
> > password etc ...), the redirect value would look something like:
> >
> >
> http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_mode=fragment&response_type=code
> >
> >
> > If your app is just a service endpoint you probably don't need the
> > redirect field to be set since you will obtain the token differently:
> > You said that you kept being redirected even when you are logged in;
> > what does that mean, "logged in"? Did you manage to log in with
> > Keycloak? Are you using the Keycloak Javascript adapter in your
> > webapp to obtain your token?
> >
> >
> >
> >
> >
> > On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek <nolan at thewordnerd.info>
> > wrote:
> >
> >     Apologies if the answer to this is simple. I've pored through
> >     every doc I can get my hands on and am a bit overwhelmed.
> >
> >
> >     I'm trying to set up a shared account service that works across my
> >     static website, forum, and eventually on mobile apps. Given that
> >     security isn't a core competency, I decided to try using Keycloak
> >     for this.
> >
> >
> >     My first goal is to require authentication to example.com/members. I'm
> >     using the Caddy web server which has a JWT-based protection scheme
> >     built-in. Keycloak is running at example.com/auth.
> >
> >
> >     What I *thought* I'd do is set up my website as a confidential client
> >     with authorization enabled. Caddy needs a shared secret for the
> >     JWT, so
> >     I thought this would be the client secret. Also, since my website and
> >     Keycloak are on the same domain, I thought that if they shared a
> >     secret
> >     and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that
> >     authentication
> >     would just work. Alas, no. Here's my Caddy JWT configuration block:
> >
> >
> >     jwt {
> >        path /members
> >        redirect /auth/realms/myrealm/account
> >        token_source header
> >        token_source cookie KEYCLOAK_IDENTITY
> >     }
> >
> >     Visiting /members just redirects me to my account page again and
> >     again,
> >     even if I'm logged in.
> >
> >
> >     Am I completely off the rails here? I thought about using the client
> >     library, but I don't know if that works for confidential
> >     authorization
> >     setups. I don't even know if I *need* a confidential authorization
> >     setup
> >     here, or if I'm completely misunderstanding. It also occurs to me
> >     that
> >     I'm redirecting to /auth/realms/myrealm/account. There's nothing
> >     in that
> >     URL indicating which client to use, and as such, which secret to
> >     generate the JWT with. So before I go too much further down this
> >     rabbit
> >     hole, I wanted to check my assumptions.
> >
> >
> >     Thanks for any help.
> >
> >     _______________________________________________
> >     keycloak-user mailing list
> >     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> >     https://lists.jboss.org/mailman/listinfo/keycloak-user
> >