[keycloak-user] Cross-realm authentication followed by realm-specific authorization in Keycloak

luis.villaca at petrobras.com.br
Tue Jun 11 17:45:24 EDT 2019



Greetings,

I would like to understand the best strategy to implement cross-realm
authentication with realm-specific authorization in Keycloak.

A "brief" context:

My company has maintained, for years, its own corporate authentication +
authorization service (internal solution), for which every application gets
a distinct SOAP service, based on application-specific credentials.
This service, when provided with the user credentials and those app
credentials, authenticates and retrieves a list of user roles
(application-specific).

We plan on replacing this service soon, and the first step we thought of was
decoupling the applications from it.
The first thing we did was configure a Keycloak instance to allow the use of
OpenID Connect. We created a JKS keystore for our certificate and set the
SSL properties in our standalone.xml.

Then we coded a Keycloak plugin (implementing
org.keycloak.storage.UserStorageProviderFactory, and extending
CredentialInputValidator) that interacts with our corporate service for
authenticating and pulling the roles based on configured values provided by
ProviderConfigurationBuilder.
We deployed this plugin and configured a Keycloak UserFederation.

We then configured two spring-boot apps, in realms A and B, setting their
certificates (PKEntry and Keycloak JKS). Using
spring-security-oauth2-autoconfigure dependency lib features, we configured
all keycloak connectivity settings (access token url, clientid, secret,
etc) for each realm.

At this point it works fine: each app redirects to the configured IDP (on
its specific realm) and is able to authenticate and pull their
client-specific mapped roles, further correlating them to secured resources
in a WebSecurityConfigurerAdapter extension (SpringSecurity).

Now we want SSO. Basically we would like to have authenticated users'
identities propagated to other realms (as applications may link to each
other), but pull authorizations according to realm-specific roles (a second
step).

The strategy I thought:

1) Create a single Realm (named GLOBALAUTH for instance) with a configured
user federation that calls our corporate authentication Service to
authenticate users
2) Set realms A and B with GLOBALAUTH broker configured as identity
providers
3) Maintain realms A and B with their specific UserFederation for further
pulling out user roles, calling our corporate application-specific
authorization Service. (need to check

Is there a better strategy to follow to provide cross-realm authentication
with realm-specific authorization?


A side question from step 2 above - I got the following exception, a Bad
Gateway, as we accessed a secured resource in app B.
Here is what is happening:

0 - Redirection happens (302) to https://b.com/login
1 - Redirection happens (302) to
https://corp.keycloak.com:9443/auth/realms/B/protocol/openid-connect/auth?
2 - Redirection happens (303) to
https://corp.keycloak.com:9443/auth/realms/B/broker/brkrGLOBALAUTH/login?
3 - Redirection happens (303) to
https://corp.keycloak.com:9443/auth/realms/GLOBALAUTH/protocol/openid-connect/auth?
    As we input a valid user/pass
4 - Redirection after POST
https://corp.keycloak.com:9443/auth/realms/GLOBALAUTH/login-actions/authenticate?
5 - Bad Gateway (502) on
https://corp.keycloak.com:9443/auth/realms/B/broker/brkrGLOBALAUTH/endpoint?
    Fails with "Unexpected error when authenticating with identity
provider"
    Keycloak logs show:
    09:49:48,572 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
task-161)
    :
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

It seems like a trust issue, any ideas?

Thanks, regards,

Luis 
 
"The sender of this message is responsible for its content and addressing. The receiver shall take proper care of it. Without due authorization, the publication, reproduction, distribution or the performance of  any other action not conforming to Petrobras System internal policies and procedures is forbidden and liable to disciplinary, civil or criminal sanctions."
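The three-step strategy in the post (GLOBALAUTH authenticates, realms A and B accept its identity through the broker, then each realm pulls its own roles) can be modelled stand-alone. The block below is an added example, not code from the post or from Keycloak: it issues a GLOBALAUTH identity token, has a realm verify signature, issuer, audience and expiry before trusting the identity, and then resolves roles from that realm's own source while deliberately ignoring any roles carried in the token. The tokens are HS256 with a shared secret so the example needs only the standard library (Keycloak signs with RS256 by default); the broker client id, the secret and the per-realm role table are constructed stand-ins for the real GLOBALAUTH client and the corporate application-specific authorization service.

```python
"""Cross-realm identity, realm-local roles: a stand-alone model of the proposed design.

Added example, not code from the post or from Keycloak. GLOBALAUTH issues the
identity token; realms A and B each accept it only after checking signature,
issuer, audience and expiry, then resolve roles from their own source. Tokens
are HS256 with a shared secret to stay stdlib-only (Keycloak signs with RS256
by default); the client id, secret and role table below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

GLOBALAUTH_ISSUER = "https://corp.keycloak.com:9443/auth/realms/GLOBALAUTH"  # host/realm from the post
BROKER_CLIENT_ID = "realm-b-broker"          # assumed: client registered in GLOBALAUTH for the broker
BROKER_SECRET = b"constructed-demo-secret"   # assumed HS256 key; never hard-code one in real code

# Constructed stand-in for the corporate application-specific authorization
# service that each realm's own user federation would call. Same user, different
# roles per realm: this is the "second step" the post describes.
REALM_ROLES = {
    "A": {"luis": ["viewer"]},
    "B": {"luis": ["viewer", "approver"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_global_token(username: str, audience: str, now: float, ttl: int = 300) -> str:
    """What GLOBALAUTH hands to the broker: the identity plus GLOBALAUTH's own roles."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": GLOBALAUTH_ISSUER, "aud": audience, "sub": f"user:{username}",
              "preferred_username": username, "iat": int(now), "exp": int(now) + ttl,
              "realm_access": {"roles": ["globalauth-user"]}}  # GLOBALAUTH roles, meaningless in A/B
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(BROKER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_global_token(token: str, now: float) -> dict:
    """Authentication step in realm A/B: accept only a fresh GLOBALAUTH token meant for us."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(BROKER_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != GLOBALAUTH_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if BROKER_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def rejection_reason(token: str, now: float):
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        verify_global_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)


def login_to_realm(realm: str, token: str, now: float) -> dict:
    """Step two: identity from GLOBALAUTH, roles from the realm's own authorization source.

    The token's realm_access is deliberately ignored: roles must not cross realms.
    """
    claims = verify_global_token(token, now)
    user = claims["preferred_username"]
    return {"user": user, "realm": realm, "roles": REALM_ROLES.get(realm, {}).get(user, [])}


if __name__ == "__main__":
    t = time.time()
    tok = issue_global_token("luis", BROKER_CLIENT_ID, t)
    print(login_to_realm("A", tok, t))
    print(login_to_realm("B", tok, t))
```

In Keycloak terms, the verification function is what the realm-B identity provider does when it receives the code at the broker endpoint and exchanges it for GLOBALAUTH's tokens, and the role lookup is the job of realm B's own user federation or a custom mapper; the point of the split is that nothing in the GLOBALAUTH token is treated as an authorization decision for A or B.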
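The SunCertPathBuilderException at step 5 is raised server-side: realm B's identity broker makes its own HTTPS call from the Keycloak JVM to the GLOBALAUTH token endpoint on corp.keycloak.com:9443, and the JVM's trust store does not contain the certificate (or the internal CA) that was placed in the JKS keystore for the listener. The usual fix is a truststore that contains that CA, configured through Keycloak's truststore SPI in standalone.xml (provider "file", with the "file", "password" and "hostname-verification-policy" properties) or imported into the JVM's cacerts. The block below is an added example, not code from the post or from Keycloak, that reproduces the failure and the fix in-process: a constructed private CA signs a certificate for corp.keycloak.com, a TLS client with only the stock trust store rejects it, and a client given the CA accepts it. It generates the certificates with the openssl command-line tool into a temporary directory and performs the handshake over in-memory BIOs, so nothing touches the network.

```python
"""Reproduce and fix the 'unable to find valid certification path' failure in-process.

Added example, not from the post or from Keycloak. A constructed private CA signs
a server certificate for corp.keycloak.com (the host from the post); a TLS client
built on the default trust store rejects it, and a client that has been given the
CA accepts it. Requires the openssl CLI for key and certificate generation.
"""
import pathlib
import ssl
import subprocess
import tempfile

HOST = "corp.keycloak.com"  # hostname from the post's URLs

# Constructed minimal OpenSSL config so the example does not depend on the
# system openssl.cnf: a CA profile and a server profile with a SAN for HOST.
OPENSSL_CNF = f"""
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{HOST}
"""


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_test_pki(workdir: pathlib.Path):
    """Constructed PKI: self-signed CA plus a CA-signed server cert for HOST."""
    cnf = workdir / "openssl.cnf"
    cnf.write_text(OPENSSL_CNF)
    ca_key, ca_crt = workdir / "ca.key", workdir / "ca.crt"
    srv_key, srv_csr, srv_crt = workdir / "server.key", workdir / "server.csr", workdir / "server.crt"
    _openssl("req", "-x509", "-config", str(cnf), "-extensions", "ca_ext", "-newkey", "rsa:2048",
             "-nodes", "-days", "1", "-subj", "/CN=Corp Test CA", "-keyout", str(ca_key), "-out", str(ca_crt))
    _openssl("req", "-new", "-config", str(cnf), "-newkey", "rsa:2048", "-nodes",
             "-subj", f"/CN={HOST}", "-keyout", str(srv_key), "-out", str(srv_csr))
    _openssl("x509", "-req", "-days", "1", "-in", str(srv_csr), "-CA", str(ca_crt), "-CAkey", str(ca_key),
             "-CAcreateserial", "-extfile", str(cnf), "-extensions", "server_ext", "-out", str(srv_crt))
    return ca_crt, srv_crt, srv_key


def client_trusts_server(server_crt, server_key, cafile=None) -> bool:
    """Run a TLS handshake over in-memory BIOs; True if the client accepts the server chain.

    cafile=None mirrors a JVM with only its stock cacerts: the corporate CA is absent.
    """
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(str(server_crt), str(server_key))
    client_ctx = ssl.create_default_context(cafile=str(cafile) if cafile else None)

    to_client, to_server = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(to_client, to_server, server_hostname=HOST)
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)

    pending = [client, server]
    try:
        for _ in range(32):  # each pass moves one flight of handshake messages across
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:
                    pass  # needs the peer's next flight
            if not pending:
                return True
    except ssl.SSLCertVerificationError:
        return False  # Python's counterpart of the JVM's SunCertPathBuilderException
    raise RuntimeError("handshake did not finish")


def demo():
    """(stock trust store result, result with the corporate CA loaded)."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_crt, srv_crt, srv_key = make_test_pki(pathlib.Path(tmp))
        return (client_trusts_server(srv_crt, srv_key),
                client_trusts_server(srv_crt, srv_key, ca_crt))


if __name__ == "__main__":
    print(demo())
```

The second handshake succeeding with nothing changed but the trust anchor is the whole diagnosis: the broker's outgoing HttpClient needs to trust the same CA that signed the listener certificate, which on a single Keycloak server brokering to itself means the server must trust its own certificate chain. Prefer importing the issuing CA rather than the leaf, and keep hostname verification on so that a renewed certificate for the same name keeps working without reopening the trust decision.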
 

