Hello,
I've been trying for days now to complete my setup for authentication with
Keycloak and Apache2.
Login via Keycloak works and the Apache logs show that all needed
information (username, email) is set by Apache.
But I can't get the setup on the OpenXPKI side to work.
Here are my settings:
Apache2:
<VirtualHost *:443>
    ServerAlias *
    DocumentRoot /var/www/
    RewriteEngine On

    LogFormat "%h %l %{REMOTE_USER}e %{HTTP_X_REMOTE_USER}e %{OPENXPKI_SSO_ROLE}e %t \"%r\" %>s %b" openxpki_debug
    CustomLog /var/log/apache2/openxpki_debug.log openxpki_debug

    SSLEngine On
    SSLCertificateFile '/etc/certs/default_cert.crt'
    SSLCertificateKeyFile '/etc/certs/default_key.key'
    SSLCACertificateFile /etc/certs/ca_selfsigned.crt
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData

    # HTTPS specific preparation for Mojolicious based client services
    <IfModule mod_headers.c>
        Use OxiForwardEnv SSL_CLIENT_S_DN
        Use OxiForwardEnv SSL_CLIENT_CERT
    </IfModule>

    # Minimum mod_auth_openidc configuration
    OIDCProviderMetadataURL https://<keycloak-machine>:8443/realms/<myrealm>/.well-known/openid-configuration
    OIDCClientID openxpki
    OIDCClientSecret "mypassword"
    OIDCRedirectURI "https://<keycloak02-machine>/oidc_callback"
    OIDCCryptoPassphrase "mypassphrase"
    OIDCRemoteUserClaim preferred_username
    OIDCScope "openid profile email"
    OIDCPassClaimsAs environment

    # GLOBAL after OIDC, before Proxy!
    RequestHeader set X-Remote-User "%{OIDC_CLAIM_preferred_username}e"
    RequestHeader set X-Email "%{OIDC_CLAIM_email}e"
    RewriteRule .* - [E=OPENXPKI_SSO_ROLE:User,NE]

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /oidc_callback>
        AuthType openid-connect
        Require valid-user
    </Location>
    ...
stack.yaml:
_System:
    handler: System

BasicAuth:
    handler: NoAuth
    label: "Keycloak SSO"
    param:
        username_env: OIDC_CLAIM_preferred_username
        role_env: OPENXPKI_SSO_ROLE
handler.yaml:
# Those stacks are usually required so you should not remove them
Anonymous:
    type: Anonymous
    label: Anonymous

System:
    type: Anonymous
    role: System

# Read the userdata from a YAML file defined in auth/connector.yaml
LocalPassword:
    type: Password
    user@: connector:auth.connector.userdb

NoAuth:
    type: NoAuth
client.d/service/webui/default.yaml:
...
# customize redirect target on "first contact"
# might be replaced / merged with new realm overview
login:
    # Preset an auth stack to use, prevents the drop down
    stack: BasicAuth
    # Redirect to an inline page handler instead of the default login screen
    # With the source module, this makes it easy to show some text
    # FIXME - this is currently not working!
    # page: source!html!file!login
    # Redirect to an external page, can be a local or absolute external url
    # url: https://login.example.com/
...
realm:
    # Controls how requests are mapped to realms
    #   select
    #     Shows a realm selection page (default if nothing is set).
    #   path|hostname
    #     Expects a map defined in the [realm] section (see below)
    mode: path
    # Layout of the realm selection page:
    #   card
    #     Display realm cards in a grid (default)
    #   list
    #     Display realm cards as a vertical list
    layout: card
    # fixed mode
    #value: democa
    # map path component / hostname to realm (based on mode)
    map:
        # with mode: path
        myrealm: myrealm
        # rootca: rootca
        # with mode: hostname
        # demo.pki.example.com: democa
I'm really frustrated that I can't figure out where the problem is.
Can anybody help me on this topic?
Kind regards,
Thomas
--
Heinlein Consulting GmbH
Schwedter Str. 8/9b, 10119 Berlin
https://www.heinlein-support.de
Tel: 030 / 40 50 51 - 0
Fax: 030 / 40 50 51 - 19
Amtsgericht Berlin-Charlottenburg - HRB 220009 B
Geschäftsführer: Peer Heinlein - Sitz: Berlin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
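As an added debugging aid (not part of Thomas's post and not OpenXPKI's or mod_auth_openidc's own code): a small parser for the custom openxpki_debug LogFormat shown in the Apache config above, run over a few constructed log lines. It checks, per request, whether the three values the SSO chain depends on (REMOTE_USER from mod_auth_openidc, the forwarded X-Remote-User header, and the OPENXPKI_SSO_ROLE env variable) are all populated, and also flags the reverse case where an X-Remote-User header shows up on a request that mod_auth_openidc did not authenticate, which is what a backend that trusts that header must never see. The finding codes, the exemption of /oidc_callback and the sample log lines are assumptions made for this example.

```python
import re
from collections import Counter

# Regex for the custom "openxpki_debug" LogFormat from the Apache config:
#   %h %l %{REMOTE_USER}e %{HTTP_X_REMOTE_USER}e %{OPENXPKI_SSO_ROLE}e %t "%r" %>s %b
# Apache writes "-" for an unset environment variable. Assumption: user names and
# roles contain no whitespace, otherwise the \S+ fields would not line up.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<remote_user>\S+) (?P<x_remote_user>\S+) '
    r'(?P<sso_role>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Finding codes (assumed names) and what each one usually means in this setup.
EXPLANATIONS = {
    "NO_REMOTE_USER": "request was not authenticated by mod_auth_openidc",
    "HEADER_NOT_FORWARDED": "REMOTE_USER is set but X-Remote-User is missing: "
                            "RequestHeader did not apply (ordering or empty claim)",
    "HEADER_WITHOUT_AUTH": "X-Remote-User present without OIDC authentication: "
                           "the header may be client-supplied; the proxy must overwrite it",
    "NO_ROLE": "OPENXPKI_SSO_ROLE is unset: the RewriteRule env assignment did not fire",
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def diagnose(entry):
    """Return the list of finding codes for one parsed entry (empty means all fields present)."""
    parts = entry["request"].split(" ")
    path = parts[1] if len(parts) > 1 else entry["request"]
    # Assumption: the OIDC callback is handled by mod_auth_openidc itself and never
    # reaches the backend, so missing SSO fields there are expected.
    if path.startswith("/oidc_callback"):
        return []
    authed = entry["remote_user"] != "-"
    header = entry["x_remote_user"] != "-"
    role = entry["sso_role"] != "-"
    findings = []
    if not authed:
        findings.append("NO_REMOTE_USER")
    if authed and not header:
        findings.append("HEADER_NOT_FORWARDED")
    if header and not authed:
        findings.append("HEADER_WITHOUT_AUTH")
    if authed and not role:
        findings.append("NO_ROLE")
    return findings


def analyse(text):
    """Parse and diagnose every line; returns (entries, unparsable_count, Counter of codes)."""
    entries, unparsable, counter = [], 0, Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsable += 1
            continue
        entry["findings"] = diagnose(entry)
        counter.update(entry["findings"])
        entries.append(entry)
    return entries, unparsable, counter


# Constructed sample log lines (not real traffic) covering the cases above.
SAMPLE_LOG = """\
10.0.0.5 - - - - [12/Mar/2024:10:00:01 +0100] "GET /oidc_callback?code=abc&state=xyz HTTP/1.1" 302 0
10.0.0.5 - thomas thomas User [12/Mar/2024:10:00:02 +0100] "GET /openxpki/ HTTP/1.1" 200 5120
10.0.0.5 - thomas - User [12/Mar/2024:10:00:03 +0100] "GET /cgi-bin/webui.fcgi?page=login HTTP/1.1" 200 812
10.0.0.7 - - evil - [12/Mar/2024:10:00:04 +0100] "GET /openxpki/ HTTP/1.1" 401 0
10.0.0.5 - thomas thomas - [12/Mar/2024:10:00:05 +0100] "GET /openxpki/ HTTP/1.1" 200 5120
garbage line that does not match the format
"""

if __name__ == "__main__":
    entries, unparsable, counter = analyse(SAMPLE_LOG)
    for e in entries:
        status = ", ".join(e["findings"]) or "ok"
        print(f'{e["time"]} {e["host"]} {e["request"]!r}: {status}')
    print(f"\n{unparsable} unparsable line(s)")
    for code, n in counter.most_common():
        print(f"{n:3d} x {code}: {EXPLANATIONS[code]}")
```

Run it against the real /var/log/apache2/openxpki_debug.log by replacing SAMPLE_LOG with the file contents; a login that reaches the OpenXPKI UI with HEADER_NOT_FORWARDED or NO_ROLE on every backend request points at the Apache side (directive ordering or an empty claim), while a clean log with the UI still refusing the login points at the stack/handler mapping.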