Skip to content

Demonstrates the configuration of the mod_auth_oidc Apache Module for use with Keycloak.

Notifications You must be signed in to change notification settings

thomasdarimont/keycloak_mod_auth_oidc_example

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Keycloak Client with apache and mod_auth_oidc

This example project demonstrates how to configure mod_auth_openidc for use with Keycloak. For simplicity reasons we use a plain http configuration instead of setting up https.

More information about the mod_auth_oidc configuration can be found here: https://github.com/pingidentity/mod_auth_openidc

A more sophisticated configuration with https / TLS can be found here: https://github.com/cyclone-project/cyclone-federation-provider-apache-oidc-demo

Define the Keycloak client for the mod_auth_openidc client

Note that the docker host and the Keycloak instance is available via the IP: 172.17.0.1. Keycloak runs on port 8081.

The Docker container has the IP: 172.17.0.2

Setup a new client under the "Clients" section of your realm configuration.

Copy the client secret from the credentials page, e.g.: 4a932456-6562-42fe-998c-32f7e69f29dc

Now you should create a user in your realm.

mod_auth_openidc Apache module configuration

#LoadModule auth_openidc_module modules/mod_auth_openidc.so

ServerName ${HOSTIP}

<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    #this is required by mod_auth_openidc
    OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer

    OIDCProviderMetadataURL ${KEYCLOAK_ADDR}/auth/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration
    
    OIDCClientID ${CLIENT_ID}
    OIDCClientSecret ${CLIENT_SECRET}
    OIDCRedirectURI http://${HOSTIP}/demo/redirect_uri
   
    # maps the prefered_username claim to the REMOTE_USER environment variable 
    OIDCRemoteUserClaim preferred_username

    <Location /demo/>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

Build the image

docker build -t keycloak-mod-oidc .

Create the container

docker run \
       -it \
       --rm \
       -e HOSTIP=172.17.0.2 \
       -e KEYCLOAK_ADDR=http://172.17.0.1:8081 \
       -e KEYCLOAK_REALM=master \
       -e CLIENT_ID=mod_oidc_example_client \
       -e CLIENT_SECRET=4a932456-6562-42fe-998c-32f7e69f29dc \
       --name keycloak-mod-oidc-demo \
       keycloak-mod-oidc

Browse to demo application

Open http://172.17.0.2/ and click on the link Access mod_oidc protected page. Your browser should now redirect to the keycloak login page of the master realm. After login you should see a page that greets you with your username and a list of headers provided by Keycloak. Clicking on logout should log you out of your SESSION session and redirect you to the index page.

An example for the provided headers can be seen below:

(
    [Host] => 172.17.0.2
    [Connection] => keep-alive
    [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    [Upgrade-Insecure-Requests] => 1
    [User-Agent] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36
    [Referer] => http://172.17.0.2/
    [Accept-Encoding] => gzip, deflate, sdch
    [Accept-Language] => en-US,en;q=0.8,de;q=0.6
    [Cookie] => mod_auth_openidc_session=d3ac0da9-bd54-48c9-beed-896f7b72298b;Path=/;HttpOnly;mod_auth_openidc_session=d3ac0da9-bd54-48c9-beed-896f7b72298b
    [OIDC_CLAIM_name] => Theo Tester
    [OIDC_CLAIM_sub] => 7e1bafd9-5c77-4508-a706-034f17a513dd
    [OIDC_CLAIM_email] => tom+tester@localhost
    [OIDC_CLAIM_preferred_username] => tester
    [OIDC_CLAIM_given_name] => Theo
    [OIDC_CLAIM_family_name] => Tester
    [OIDC_CLAIM_jti] => ef77e2d8-6ea6-4392-99ff-46fe642b7aaf
    [OIDC_CLAIM_nbf] => 0
    [OIDC_CLAIM_exp] => 1464901382
    [OIDC_CLAIM_iss] => http://172.17.0.1:8081/auth/realms/master
    [OIDC_CLAIM_iat] => 1464901322
    [OIDC_CLAIM_aud] => mod_oidc_example_client
    [OIDC_CLAIM_typ] => ID
    [OIDC_CLAIM_azp] => mod_oidc_example_client
    [OIDC_CLAIM_nonce] => uaLm6CvBIefgiKdYbU26uCZi82X_dy7QFtyv5LgtYyo
    [OIDC_CLAIM_session_state] => d69c9478-6331-4e70-a4e7-6799bfc0aff1
    [OIDC_access_token] => eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjNTRlZGUyNS1lYWQ2LTRiNzYtOTYwYS1jOWQyMzY0MThlNmYiLCJleHAiOjE0NjQ5MDEzODIsIm5iZiI6MCwiaWF0IjoxNDY0OTAxMzIyLCJpc3MiOiJodHRwOi8vMTcyLjE3LjAuMTo4MDgxL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6Im1vZF9vaWRjX2V4YW1wbGVfY2xpZW50Iiwic3ViIjoiN2UxYmFmZDktNWM3Ny00NTA4LWE3MDYtMDM0ZjE3YTUxM2RkIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibW9kX29pZGNfZXhhbXBsZV9jbGllbnQiLCJub25jZSI6InVhTG02Q3ZCSWVmZ2lLZFliVTI2dUNaaTgyWF9keTdRRnR5djVMZ3RZeW8iLCJzZXNzaW9uX3N0YXRlIjoiZDY5Yzk0NzgtNjMzMS00ZTcwLWE0ZTctNjc5OWJmYzBhZmYxIiwiY2xpZW50X3Nlc3Npb24iOiIyYjFkMTAxNC05MTE4LTRhODMtOWYzZS1mNzI0ZDNlNzZkZmEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE3Mi4xNy4wLjIvKiIsImh0dHA6Ly8xNzIuMTcuMC4yOjgwLyoiXSwicmVzb3VyY2VfYWNjZXNzIjp7Im1vZF9vaWRjX2V4YW1wbGVfY2xpZW50Ijp7InJvbGVzIjpbInVzZXIiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiVGhlbyBUZXN0ZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0ZXIiLCJnaXZlbl9uYW1lIjoiVGhlbyIsImZhbWlseV9uYW1lIjoiVGVzdGVyIiwiZW1haWwiOiJ0b20rdGVzdGVyQGxvY2FsaG9zdCJ9.PMtCiZrplUXSXtnEAdn12zlmOlmG2kZibWCMgMFuNXjQMgvTJdv_pXezN_zo4aHKJAX_EeX_APS5OwWXWyjPRa1gdTe-46j0kMVj3D0XpNeXk7odw2Cukw7XY6Gww8e9jJppz1_YZsmjgxG9GfF8pxpz0rcguXmoZO7CpeimODrbmG3JOL9YnTzVrdJaud33IhmgWShrjZXtpMSYAiLNABjoUIxphI37LzaC_ZYYGCRI8lcWL6AbRSxTkAap4SJxjsGcuX3SJdhM_6dZTZ-XJdra49ukyjhVFWSkSKm7ii0YkftNMYjLCyvhCh5kLyLLDEQrRiLP5YfjebFEx0yN7Q
    [OIDC_access_token_expires] => 1464901382
)

Troubleshooting

Docker container cannot access Keycloak

If your container cannot access the keycloak instance running on the host you could relax the iptables rules for the local docker0 network interface.

sudo iptables -A INPUT -i docker0 -j ACCEPT

About

Demonstrates the configuration of the mod_auth_oidc Apache Module for use with Keycloak.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages