This example project demonstrates how to configure mod_auth_openidc for use with Keycloak. For simplicity reasons we use a plain http configuration instead of setting up https.
More information about the mod_auth_oidc configuration can be found here: https://github.com/pingidentity/mod_auth_openidc
A more sophisticated configuration with https / TLS can be found here: https://github.com/cyclone-project/cyclone-federation-provider-apache-oidc-demo
Note that the docker host and the Keycloak instance is available via the IP: 172.17.0.1. Keycloak runs on port 8081.
The Docker container has the IP: 172.17.0.2
Setup a new client under the "Clients" section of your realm configuration.
- client_id: mod_oidc_example_client
- access_type: confidential
- Valid Redirect Urls
- Base Url
- Web Origins
Copy the client secret from the credentials page, e.g.: 4a932456-6562-42fe-998c-32f7e69f29dc
Now you should create a user in your realm.
#LoadModule auth_openidc_module modules/mod_auth_openidc.so
ServerName ${HOSTIP}
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
#this is required by mod_auth_openidc
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCProviderMetadataURL ${KEYCLOAK_ADDR}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration
OIDCClientID ${CLIENT_ID}
OIDCClientSecret ${CLIENT_SECRET}
OIDCRedirectURI http://${HOSTIP}/demo/redirect_uri
# maps the prefered_username claim to the REMOTE_USER environment variable
OIDCRemoteUserClaim preferred_username
<Location /demo/>
AuthType openid-connect
Require valid-user
</Location>
</VirtualHost>
docker build -t keycloak-mod-oidc .
docker run \
-it \
--rm \
-e HOSTIP=172.17.0.2 \
-e KEYCLOAK_ADDR=http://172.17.0.1:8081 \
-e KEYCLOAK_REALM=master \
-e CLIENT_ID=mod_oidc_example_client \
-e CLIENT_SECRET=4a932456-6562-42fe-998c-32f7e69f29dc \
--name keycloak-mod-oidc-demo \
keycloak-mod-oidc
Open http://172.17.0.2/ and click on the link Access mod_oidc protected page
.
Your browser should now redirect to the keycloak login page of the master realm.
After login you should see a page that greets you with your username and
a list of headers provided by Keycloak.
Clicking on logout should log you out of your SESSION session and redirect you to the
index page.
An example for the provided headers can be seen below:
(
[Host] => 172.17.0.2
[Connection] => keep-alive
[Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
[Upgrade-Insecure-Requests] => 1
[User-Agent] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36
[Referer] => http://172.17.0.2/
[Accept-Encoding] => gzip, deflate, sdch
[Accept-Language] => en-US,en;q=0.8,de;q=0.6
[Cookie] => mod_auth_openidc_session=d3ac0da9-bd54-48c9-beed-896f7b72298b;Path=/;HttpOnly;mod_auth_openidc_session=d3ac0da9-bd54-48c9-beed-896f7b72298b
[OIDC_CLAIM_name] => Theo Tester
[OIDC_CLAIM_sub] => 7e1bafd9-5c77-4508-a706-034f17a513dd
[OIDC_CLAIM_email] => tom+tester@localhost
[OIDC_CLAIM_preferred_username] => tester
[OIDC_CLAIM_given_name] => Theo
[OIDC_CLAIM_family_name] => Tester
[OIDC_CLAIM_jti] => ef77e2d8-6ea6-4392-99ff-46fe642b7aaf
[OIDC_CLAIM_nbf] => 0
[OIDC_CLAIM_exp] => 1464901382
[OIDC_CLAIM_iss] => http://172.17.0.1:8081/auth/realms/master
[OIDC_CLAIM_iat] => 1464901322
[OIDC_CLAIM_aud] => mod_oidc_example_client
[OIDC_CLAIM_typ] => ID
[OIDC_CLAIM_azp] => mod_oidc_example_client
[OIDC_CLAIM_nonce] => uaLm6CvBIefgiKdYbU26uCZi82X_dy7QFtyv5LgtYyo
[OIDC_CLAIM_session_state] => d69c9478-6331-4e70-a4e7-6799bfc0aff1
[OIDC_access_token] => eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjNTRlZGUyNS1lYWQ2LTRiNzYtOTYwYS1jOWQyMzY0MThlNmYiLCJleHAiOjE0NjQ5MDEzODIsIm5iZiI6MCwiaWF0IjoxNDY0OTAxMzIyLCJpc3MiOiJodHRwOi8vMTcyLjE3LjAuMTo4MDgxL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6Im1vZF9vaWRjX2V4YW1wbGVfY2xpZW50Iiwic3ViIjoiN2UxYmFmZDktNWM3Ny00NTA4LWE3MDYtMDM0ZjE3YTUxM2RkIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibW9kX29pZGNfZXhhbXBsZV9jbGllbnQiLCJub25jZSI6InVhTG02Q3ZCSWVmZ2lLZFliVTI2dUNaaTgyWF9keTdRRnR5djVMZ3RZeW8iLCJzZXNzaW9uX3N0YXRlIjoiZDY5Yzk0NzgtNjMzMS00ZTcwLWE0ZTctNjc5OWJmYzBhZmYxIiwiY2xpZW50X3Nlc3Npb24iOiIyYjFkMTAxNC05MTE4LTRhODMtOWYzZS1mNzI0ZDNlNzZkZmEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE3Mi4xNy4wLjIvKiIsImh0dHA6Ly8xNzIuMTcuMC4yOjgwLyoiXSwicmVzb3VyY2VfYWNjZXNzIjp7Im1vZF9vaWRjX2V4YW1wbGVfY2xpZW50Ijp7InJvbGVzIjpbInVzZXIiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiVGhlbyBUZXN0ZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0ZXIiLCJnaXZlbl9uYW1lIjoiVGhlbyIsImZhbWlseV9uYW1lIjoiVGVzdGVyIiwiZW1haWwiOiJ0b20rdGVzdGVyQGxvY2FsaG9zdCJ9.PMtCiZrplUXSXtnEAdn12zlmOlmG2kZibWCMgMFuNXjQMgvTJdv_pXezN_zo4aHKJAX_EeX_APS5OwWXWyjPRa1gdTe-46j0kMVj3D0XpNeXk7odw2Cukw7XY6Gww8e9jJppz1_YZsmjgxG9GfF8pxpz0rcguXmoZO7CpeimODrbmG3JOL9YnTzVrdJaud33IhmgWShrjZXtpMSYAiLNABjoUIxphI37LzaC_ZYYGCRI8lcWL6AbRSxTkAap4SJxjsGcuX3SJdhM_6dZTZ-XJdra49ukyjhVFWSkSKm7ii0YkftNMYjLCyvhCh5kLyLLDEQrRiLP5YfjebFEx0yN7Q
[OIDC_access_token_expires] => 1464901382
)
If your container cannot access the keycloak instance running on the host you could relax the iptables rules for the local docker0 network interface.
sudo iptables -A INPUT -i docker0 -j ACCEPT