question: Not redirected back to the app from keycloak
We already have a working keycloak setup.
- keycloak.example.com is the keycloak setup
- app.example.org is the application where authcrunch serves as a reverse proxy
The problem is that when we are redirected to keycloak.example.com we are not prompted for login and we are not redirected back to app.example.org. Instead we get a JSON response from Keycloak:
realm: "master"
public_key: "Some Public Key here"
token-service: "https://keycloak.example.com/auth/realms/master/protocol/openid-connect"
account-service: "https://keycloak.example.com/auth/realms/master/account"
tokens-not-before: 0
The configuration is:
Configuration
{
	auto_https off
	debug
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id client-test
			client_secret SecretFor_client-test
			scopes openid email profile
			metadata_url https://keycloak.example.com/auth/realms/master/.well-known/openid-configuration
		}
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify PassphraseForPrivateKey
			enable identity provider keycloak
			cookie domain example.org
			ui {
				links {
					"My Website" https://app.example.org icon "las la star"
					"My Identity" "/whoami" icon "las la user"
				}
			}
			transform user {
				match origin keycloak
				action add role users
			}
		}
		authorization policy mypolicy {
			set auth url https://keycloak.example.com/auth/realms/master
			allow roles admin users
			crypto key verify PassphraseForPrivateKey
		}
	}
}
app.example.org:443 {
	root * /srv/app.example.org/app/webroot
	php_fastcgi localhost:3000 {
		index index.php
		header_up Host {http.request.host}
		header_up X-Forwarded-For {http.request.remote}
		header_up X-Forwarded-Proto {http.request.scheme}
	}
	file_server
	reverse_proxy /ws/* websocket_pool {
		header_up Connection "upgrade"
		header_up Upgrade {http.request.header.Upgrade}
	}
	@rewritePath {
		path_regexp path ^/(.*)$
	}
	rewrite @rewritePath /index.php?__path__=/{http.regexp.path.1}
	tls /etc/letsencrypt/live/app.example.org/fullchain.pem /etc/letsencrypt/live/app.example.org/privkey.pem
	authorize with mypolicy
	authenticate with myportal
	respond "app is running"
	log {
		output file /srv/authcrunch/log/access.log
		level DEBUG
		format console
	}
	@dotFiles {
		path */.*
		not path /.well-known/*
	}
}
Version Information
I use authcrunch v1.0.11 on Linux AMD64.
Here's a list of modules:
# ./bin/authcrunch list-modules --versions | grep -E "(auth|security)"
http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.28
http.handlers.authenticator v1.1.28
security v1.1.28
security.secrets.aws_secrets_manager v1.0.1
Expected behavior
I expect to be prompted for login on nextcloud and be redirected back after the successful login.
I read this guide:
https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0011-keycloak
and based my configuration on this example:
https://github.com/greenpau/caddy-auth-docs/blob/main/assets/conf/oauth/keycloak/Caddyfile
Any idea what I am doing wrong?
@theodotos, I suggest checking the redirect URL in the Keycloak server.
@theodotos, also, I think you misunderstand how the plugins work.
The following is invalid:
authorize with mypolicy
authenticate with myportal
Please see the issue pinned in the "Issues" tab. It has a working config, where the route directive is being used.
Yes, it seems I have misunderstood some things. I removed the authenticate with myportal line and added the correct URL:
--- etc/Caddyfile-mypolicy 2024-11-11 14:34:53.146784597 +0000
+++ etc/Caddyfile-mypolicy-v2 2024-11-11 14:35:09.418727879 +0000
@@ -33,7 +33,7 @@
}
authorization policy mypolicy {
- set auth url https://login-test.example.com/auth/realms/master
+ set auth url https://login-test.example.com/auth
allow roles admin exampleusers
crypto key verify PassphraseForPrivateKey
}
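Review bot: `set auth url` in this hunk still points at the Keycloak host (`https://login-test.example.com/auth`), whereas in caddy-security this value is the address of the authentication portal (`myportal`) to which `authorize with mypolicy` redirects unauthenticated requests; the browser should land on a route that serves `authenticate with myportal`, and the portal then runs the OAuth exchange with Keycloak. Note also that this diff uses `login-test.example.com` where the configuration posted above uses `keycloak.example.com`, so the two listings have to be mapped onto each other when comparing them.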
@@ -63,7 +63,6 @@
rewrite @rewritePath /index.php?__path__=/{http.regexp.path.1}
tls /etc/letsencrypt/live/server.example.com/fullchain.pem /etc/letsencrypt/live/server.example.com/privkey.pem
- authenticate with myportal
authorize with mypolicy
respond "phabricator is running"
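Review bot: dropping `authenticate with myportal` from the `server.example.com` site block removes the invalid pairing with `authorize with mypolicy` that the maintainer pointed out, but the hunk adds no replacement, so after this change nothing in the Caddyfile serves the portal at all. Mount the portal on its own route (a separate site block, or a `route` directive as in the pinned working config) and point the policy's `set auth url` at that route instead of at Keycloak.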
Now I get redirected to the auth site of Keycloak, but I am not redirected back after successful authentication.
Thank you @greenpau, we managed to get it working with a config similar to the one I posted on https://github.com/greenpau/caddy-security/issues/368#issuecomment-2514443806
We only had to tweak the Keycloak config to drop the key using the RSA-OAEP algorithm since it is currently not in the list of valid algorithms (RSA-OAEP-256 is already there, RSA-OAEP is not). Would you like us to open a new issue on https://github.com/greenpau/go-authcrunch/ to add it to the list?