Token contents and redirect

I am trying to enable an application to leverage keycloak for authentication. I got to the point that
keycloak returns cookies and redirects to the application. However…
a) I don't know how to set the signature algorithm, it is HS512 no matter what I tried
b) I'd like to include name and email, but adding scopes didn't do the trick
c) can I pass the token on the URL rather than via a cookie? (I do understand the concerns).

@Joachim ,

If you’re talking about the KEYCLOAK_IDENTITY cookie, it is internal and should never be used by the applications. Instead, you should extract the authorization code returned as part of redirect, implement the code-to-token exchange (see the 4.1.3. Access Token Request section of the OAuth 2.0 spec) and use access and ID tokens instead. (Alternatively, use the Implicit flow to pass the token as part of the URL, if you really understand the concerns!) The payloads of those tokens, their signature algorithms etc. could be configured via the Keycloak Admin UI.


@dteleguin, yes, I do understand the concerns for sure. However I admit, I am new to adopting an existing application to keycloak, and I cannot change the application beyond checking a token in the reverse proxy in front of the application.

Just changing standard to implicit flow resulted in an error "=Client+is+not+allowed+to+initiate+browser+login+with+given+response_type.+Standard+flow+is+disabled+for+the+client". Selecting both also doesn't help.

Would keycloak just add the token somehow or do I have to specify some template?
Is there any example how to configure this scenario? I noticed Configuring an Identity Provider with Implicit Flow but it is raising the same concerns but not answering the question.

I also tried using html+javascript to trigger authentication. I started with GitHub - hexadefence/keycloak-js-example with modifications to use local JavaScript, changing js to modules, etc.

I am using the following code to invoke keycloak:

// keycloak is the adapter instance created earlier with new Keycloak({...})
var getUrl = window.location;
var baseUrl = getUrl.protocol + "//" + getUrl.host + "/";
keycloak.init({
    onLoad: 'login-required',   // redirect to Keycloak if there is no session
    redirectUri: baseUrl        // Keycloak sends the browser back here
});

Authentication succeeds. There is no body (expected). The local part is
#state=b5f75fd8-40c3-46be-96e6-2565b76cd5cc&session_state=7bd39445-196d-4f8f-a003-0dd5afec0f96&iss=..&code=d8203870-08eb-44ff-a0ce-0c290d4c287c.7bd39445-196d-4f8f-a003-0dd5afec0f96.c617559e-4c4a-4f29-830a-d758c1473079

Where do I get the token from if I am not supposed to use any of the cookies?

Please see above reply - you will need to extract the code parameter and perform code-to-token exchange (aka authorization_code grant).

Alternatively, if your application is behind the reverse proxy, the latter can do the heavy lifting for you. For nginx, see this: Single Sign-On with Keycloak | NGINX Documentation
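To make the "extract the code parameter and perform code-to-token exchange" step concrete, here is an added example (not code from the thread or from keycloak-js) that parses the redirect URL the adapter lands on, checks the state, and builds the token request from section 4.1.3 of RFC 6749. It does not send anything; the caller (or the reverse proxy) would POST the returned body to the token endpoint and read access_token and id_token from the JSON response. The token endpoint path, client id, issuer and redirect URI in the sample configuration are assumed placeholders; the code and state values are taken from the redirect shown earlier in the thread.

```javascript
// Added example: authorization-code extraction and token request construction.
// Nothing here touches the network; it only produces the request to send.

// Keycloak puts the response in the fragment for response_mode=fragment (as
// seen in the thread) and in the query string for response_mode=query, so
// read both and let fragment values win.
function parseRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  const params = new URLSearchParams(url.search);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  for (const [k, v] of fragment) params.set(k, v);
  return params;
}

// Build the RFC 6749 4.1.3 access token request. The state is verified before
// the code is used: a mismatch means the response does not belong to the login
// this client started and must be discarded.
function buildTokenRequest(redirectUrl, expectedState, cfg) {
  const params = parseRedirect(redirectUrl);
  if (params.get('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: discarding authorization response');
  }
  // If the server echoed its issuer (RFC 9207), make sure it is the one we expect.
  if (cfg.expectedIssuer && params.get('iss') && params.get('iss') !== cfg.expectedIssuer) {
    throw new Error('issuer mismatch: discarding authorization response');
  }
  const code = params.get('code');
  if (!code) throw new Error('no authorization code in redirect');

  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri, // must equal the redirect_uri used in the login request
    client_id: cfg.clientId,
  });
  if (cfg.codeVerifier) body.set('code_verifier', cfg.codeVerifier); // PKCE, if used
  return {
    url: cfg.tokenEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed sample: the redirect from the thread, with a placeholder app host
// and a placeholder issuer instead of the elided "iss=.." value.
const SAMPLE_REDIRECT =
  'https://app.example/' +
  '#state=b5f75fd8-40c3-46be-96e6-2565b76cd5cc' +
  '&session_state=7bd39445-196d-4f8f-a003-0dd5afec0f96' +
  '&iss=https://keycloak.example/realms/demo' +
  '&code=d8203870-08eb-44ff-a0ce-0c290d4c287c.7bd39445-196d-4f8f-a003-0dd5afec0f96.c617559e-4c4a-4f29-830a-d758c1473079';

// Assumed client configuration; realm name and client id are placeholders.
const SAMPLE_CFG = {
  tokenEndpoint: 'https://keycloak.example/realms/demo/protocol/openid-connect/token',
  clientId: 'my-app',
  redirectUri: 'https://app.example/',
  expectedIssuer: 'https://keycloak.example/realms/demo',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildTokenRequest(SAMPLE_REDIRECT, 'b5f75fd8-40c3-46be-96e6-2565b76cd5cc', SAMPLE_CFG));
}
```

The state value to compare against is the one the client generated and stored (keycloak-js keeps it in session storage) before redirecting to Keycloak; never take it from the redirect itself. For a public browser client the request carries only client_id; a confidential client (or the reverse proxy doing the exchange) would add its client_secret, which is one reason the exchange is better done server-side.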

According to the link, only nginx plus can do this. I don't have nginx plus and the price I googled is prohibitive.

How can I do the code-to-token exchange with keycloak.js? Is there any example I can check?
And what are the prerequisites in client configuration in keycloak?

Start with the official docs (Keycloak JavaScript adapter - Keycloak) for the js adapter. Once authenticated, you’ll find the properties of the authenticated user in the instance:
Keycloak JavaScript adapter - Keycloak

Probably idTokenParsed is what you want.
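keycloak.idTokenParsed is simply the decoded payload of the ID token. The following added example (not code from the thread or from keycloak-js) shows what that decoding does and uses the decoded header to answer the two earlier questions in this thread: which signature algorithm the realm actually used, and whether the name and email claims made it into the token. Decoding is not verification; the reverse proxy in front of the application must still validate the signature against the realm's public keys before trusting any claim. The sample token is constructed in the block with a dummy signature segment, and the issuer, client id and key id in it are placeholders.

```javascript
// Added example: decode a compact JWT (header.payload.signature) the way
// idTokenParsed exposes it, and check the claims an application would rely on.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split and decode; this is exactly what "parsed" means, no signature check.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Report the things the thread asked about: the alg in the header, issuer and
// audience sanity, expiry, and whether profile/email mappers produced claims.
function inspectIdToken(token, expected) {
  const { header, payload } = decodeJwt(token);
  const problems = [];
  if (header.alg !== expected.alg) {
    problems.push(`alg is ${header.alg}, expected ${expected.alg}`);
  }
  if (payload.iss !== expected.issuer) problems.push('issuer mismatch');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.clientId)) problems.push('audience mismatch');
  if (typeof payload.exp !== 'number' || payload.exp <= expected.now) {
    problems.push('token expired or missing exp');
  }
  for (const claim of ['name', 'email']) {
    if (!(claim in payload)) {
      problems.push(`missing ${claim} claim (check client scopes / protocol mappers)`);
    }
  }
  return { alg: header.alg, name: payload.name, email: payload.email, problems };
}

// Constructed sample token: the third segment is a dummy, so it would fail any
// real signature check; it only serves to show the decoding.
function makeSampleToken(header, payload) {
  return [
    base64UrlEncode(JSON.stringify(header)),
    base64UrlEncode(JSON.stringify(payload)),
    base64UrlEncode('dummy-signature'),
  ].join('.');
}

const SAMPLE_HEADER = { alg: 'RS256', typ: 'JWT', kid: 'placeholder-kid' };
const SAMPLE_PAYLOAD = {
  iss: 'https://keycloak.example/realms/demo', // placeholder realm
  aud: 'my-app',                               // placeholder client id
  sub: 'f0e1d2c3-0000-4000-8000-000000000000', // constructed subject
  exp: 1700003600,
  iat: 1700000000,
  name: 'Jane Example',
  email: 'jane@example.org',
};
const SAMPLE_TOKEN = makeSampleToken(SAMPLE_HEADER, SAMPLE_PAYLOAD);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(inspectIdToken(SAMPLE_TOKEN, {
    alg: 'RS256', issuer: SAMPLE_PAYLOAD.iss, clientId: 'my-app', now: 1700000000,
  }));
}
```

If the alg reported here is not the one you configured, check the client's token signature algorithm settings in the Admin UI rather than the KEYCLOAK_IDENTITY cookie, which is an internal artefact and not the token your application receives. A missing name or email usually means the profile or email client scope (or its protocol mappers) is not assigned to the client.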