[keycloak-user] Keycloak as OpenID Connect provider for Liferay Portal 6.2

Chris Smith chris.smith at cmfirstgroup.com
Tue Feb 19 08:21:08 EST 2019


Liferay Portal has an OpenID Connect plugin, configured by a property file with these properties:

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/token
openidconnect.authorization-location=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/auth
openidconnect.profile-uri=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/userinfo
openidconnect.issuer=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/certs
openidconnect.client-id=Portal
openidconnect.secret=<my secret>
openidconnect.scope=openid profile email

Property docs are at the end of the email.

My Keycloak client is an out-of-the-box setup. Here are the realm keys:

Algorithm  Type  Kid          Priority  Provider
AES        OCT   <a uuid>     100       aes-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/aes-generated/b00f30ba-49da-4dfb-8f21-c256b069ec5b>
HS256      OCT   <a uuid>     100       hmac-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/hmac-generated/c2362731-7a65-416f-918e-1b8c67ac7cb1>
RS256      RSA   <something>  100       rsa-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/rsa-generated/e57385c6-e6eb-421c-945e-725a30f189b5>  (Public key, Certificate)


Liferay does not like the JWT signature:

13:09:39,833 WARN  [http-bio-8080-exec-10][Liferay62Adapter:46] The token was not valid: -- JWT --
Raw String: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJWTUtfTHpWbDY0T2plZW9NVkppajRTLTFNYTZ3aDU5b1dkWHpycXZ5MDJBIn0.<payload removed>.APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
Header: {"typ": "JWT", "alg": "RS256", "cty": "null" , "kid": "VMK_LzVl64OjeeoMVJij4S-1Ma6wh59oWdXzrqvy02A"}
Claims Set: {"iss": "https://<my kc host and port>/auth/realms/CMFIRST", "sub": "ff0bf51e-9af9-43bd-a454-dd3d39938f1a", "aud": ["Portal"], "exp": 1550582079, "nbf": "0", "iat": 1550581779, "jti": "fef435f1-0924-491e-8941-d21a0daececa", "typ": "ID" }
Signature: APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
--------- [Sanitized]

I don't have these problems in my web apps; they use the Tomcat adapter and have no issue with the JWT signature.
Any suggestions?

Property docs
Portal properties
The following portal properties can be set. They are required unless specified as optional.

openidconnect.enableOpenIDConnect

Whether to enable the plugin (effectively allowing you to disable the plugin without uninstalling it). Boolean, either 'true' or 'false'. Default is false.

openidconnect.authorization-location

Complete URL to the OpenID Connect Provider's authorization location. Example for Google: https://accounts.google.com/o/oauth2/v2/auth

openidconnect.token-location

Complete URL to the OpenID Connect Provider's token location. Example for Google: https://www.googleapis.com/oauth2/v4/token

openidconnect.profile-uri

Complete URL to the 'user info' endpoint. Example for Google: https://www.googleapis.com/plus/v1/people/me/openIdConnect

openidconnect.sso-logout-uri (Optional)

openidconnect.sso-logout-param (Optional)

openidconnect.sso-logout-value (Optional)

Complete URL to the 'SSO logout' endpoint. Ignored if empty. After redirection to the given URL, the OpenID Connect Provider should redirect to the Liferay Portal home page (or another public after-logout resource). This target may be included in this URL as a URL parameter or may be configured for the OpenID Connect Provider.

openidconnect.issuer

The information retrieved from the user info endpoint has to be verified against a preconfigured string, according to the OpenID Connect spec. This 'issuer' claim is used for that. Example for Google: https://accounts.google.com

openidconnect.client-id

Register your Liferay portal as a 'client app' with the Google developer console, and the resulting client id is the openid connect client id. Non-working example for Google: 7kasuf1-123123adfaafdsflni7me2kr.apps.googleusercontent.com

openidconnect.secret

Secret of the client, after registration of the Liferay portal, just like the client-id.

openidconnect.scope

Scope(s) of the access token (space separated); should be the same as (or a subset of) the scopes allowed by the provider to the client. Default value: openid profile email

openidconnect.provider (Optional)

Type of OpenID Connect provider. Supported values: generic (default), azure. For most Provider implementations, the generic provider works. For Azure, use the value azure as this makes slight changes to the fields sent as UserInfo.
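Added example, not code from the Liferay plugin or from Keycloak: a stdlib-only Python checker for the claim set of an ID token shaped like the one in the log above, run against the string configured as openidconnect.issuer. Assumed values are the placeholder host in REALM_ISSUER, the dummy kid and subject, and the constructed claim set; it shows that an issuer setting pointing at the certs URL never equals the iss claim, and it flags a non-numeric nbf like the "0" string in the log.

```python
import base64
import json
import time

# Assumed for this example: the realm URL carried by the "iss" claim in the log
# above (host is a placeholder) and the client id from the property file.
REALM_ISSUER = "https://kc.example.test:9280/auth/realms/CMFIRST"
CLIENT_ID = "Portal"

def b64url_decode(segment):
    # Compact JWS segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def split_jwt(token):
    """Return (header, claims, signature_segment); this verifies nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]

def check_id_token_claims(claims, expected_issuer, client_id, now=None, leeway=60):
    """Return a list of problems with the claim set; an empty list means it passes."""
    now = int(time.time()) if now is None else now
    problems = []
    # OIDC Core 3.1.3.7 requires an exact match, so a JWKS URL can never equal iss.
    if claims.get("iss") != expected_issuer:
        problems.append("iss %r != configured issuer %r" % (claims.get("iss"), expected_issuer))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        problems.append("aud %r does not contain client id %r" % (aud, client_id))
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("exp missing, not a NumericDate, or expired")
    # RFC 7519 requires a NumericDate for nbf; the log above shows the string "0".
    nbf = claims.get("nbf", 0)
    if not isinstance(nbf, int):
        problems.append("nbf must be numeric, got %r" % (nbf,))
    elif now + leeway < nbf:
        problems.append("token not yet valid")
    return problems

def constructed_token(claims):
    # Constructed unsigned sample in compact JWS form; the signature segment is a dummy.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s.sig" % (enc({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}), enc(claims))

# Constructed claim set shaped like the ID token in the log above (ids replaced).
SAMPLE_CLAIMS = {"iss": REALM_ISSUER, "sub": "subject-placeholder", "aud": ["Portal"],
                 "exp": 1550582079, "nbf": 0, "iat": 1550581779, "typ": "ID"}
```

Signature verification against the realm's RS256 key is a separate step that this checker deliberately leaves out; it only answers whether the claims would pass once the signature has been verified.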
