Hi Thomas,
AI does not play well with OpenXPKI config - there is no such parameter
as username_env.
You can either use REMOTE_USER or OPENXPKI_USER; passing other envvars
is described here:
https://openxpki.readthedocs.io/en/master/configuration/realm.html#stack
BasicAuth:
  handler: NoAuth
  type: client
  envkeys:
    email: AUTH_PROVIDER_email_field
You must pass "username" and "role" via ENV - and if you are using the
new setup with Mojolicious you need to pass the headers through to the socket.
Easier solution: get an EE license; there is a ready-to-use OIDC module
included ;)
Oliver
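An added illustration of the header passthrough mentioned above (not part of Oliver's reply and not OpenXPKI code): Apache's OIDC claims live in the request environment, which a separate Mojolicious-style backend never sees, so they are copied into request headers, and the backend must accept those headers only from the proxy. The header names come from Thomas's Apache snippet, while the role header, the trusted-proxy address and the sample requests are constructed assumptions.

```python
"""Model of proxy-to-backend identity passthrough for a proxied web frontend.

Added example, not OpenXPKI's implementation. mod_auth_openidc exposes claims
as OIDC_CLAIM_* environment variables inside Apache; only HTTP headers cross the
proxy boundary, so 'RequestHeader set' copies them into X-Remote-User / X-Email.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# X-Remote-User and X-Email are the headers set in the thread's Apache config;
# X-Remote-Role is an assumption (the thread only exports OPENXPKI_SSO_ROLE
# as an Apache environment variable, not as a header).
USER_HEADER = "X-Remote-User"
EMAIL_HEADER = "X-Email"
ROLE_HEADER = "X-Remote-Role"


@dataclass(frozen=True)
class Identity:
    username: str
    role: str
    email: Optional[str] = None


def proxy_set_headers(client_headers: Dict[str, str], oidc_env: Dict[str, str], role: str) -> Dict[str, str]:
    """Proxy side: what 'RequestHeader set' does. The identity headers are
    overwritten (never appended to), so a client-supplied X-Remote-User does
    not survive the hop; an unauthenticated request yields empty values."""
    out = dict(client_headers)
    out[USER_HEADER] = oidc_env.get("OIDC_CLAIM_preferred_username", "")
    out[EMAIL_HEADER] = oidc_env.get("OIDC_CLAIM_email", "")
    out[ROLE_HEADER] = role
    return out


def backend_identity(headers: Dict[str, str], peer_ip: str, trusted_proxies: FrozenSet[str]) -> Optional[Identity]:
    """Backend side: trust identity headers only when the TCP peer is the
    reverse proxy; otherwise anyone reaching the socket could claim any user."""
    if peer_ip not in trusted_proxies:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    user = lowered.get(USER_HEADER.lower(), "").strip()
    role = lowered.get(ROLE_HEADER.lower(), "").strip()
    if not user or not role:
        return None  # nothing to log in with: username and role must both arrive
    return Identity(user, role, lowered.get(EMAIL_HEADER.lower()) or None)
```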
On 12/1/25 11:54, Thomas Gebert wrote:
Hello,
I've been trying for days now to complete my setup for authentication
with Keycloak and Apache2.
Login via Keycloak works and the Apache logs show that all needed
information (username, email) is set by Apache.
But I can't get the setup on the OpenXPKI side to work.
Here are my settings:
Apache2:
<VirtualHost *:443>
    ServerAlias *
    DocumentRoot /var/www/
    RewriteEngine On
    LogFormat "%h %l %{REMOTE_USER}e %{HTTP_X_REMOTE_USER}e %{OPENXPKI_SSO_ROLE}e %t \"%r\" %>s %b" openxpki_debug
    CustomLog /var/log/apache2/openxpki_debug.log openxpki_debug
    SSLEngine On
    SSLCertificateFile '/etc/certs/default_cert.crt'
    SSLCertificateKeyFile '/etc/certs/default_key.key'
    SSLCACertificateFile /etc/certs/ca_selfsigned.crt
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData
    # HTTPS specific preparation for Mojolicious based client services
    <IfModule mod_headers.c>
        Use OxiForwardEnv SSL_CLIENT_S_DN
        Use OxiForwardEnv SSL_CLIENT_CERT
    </IfModule>
    # Minimum mod_auth_openidc configuration
    OIDCProviderMetadataURL https://<keycloak-machine>:8443/realms/<myrealm>/.well-known/openid-configuration
    OIDCClientID openxpki
    OIDCClientSecret "mypassword"
    OIDCRedirectURI "https://<keycloak02-machine>/oidc_callback"
    OIDCCryptoPassphrase "mypassphrase"
    OIDCRemoteUserClaim preferred_username
    OIDCScope "openid profile email"
    OIDCPassClaimsAs environment
    # GLOBAL after OIDC, before Proxy!
    RequestHeader set X-Remote-User "%{OIDC_CLAIM_preferred_username}e"
    RequestHeader set X-Email "%{OIDC_CLAIM_email}e"
    RewriteRule .* - [E=OPENXPKI_SSO_ROLE:User,NE]
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
    <Location /oidc_callback>
        AuthType openid-connect
        Require valid-user
    </Location>
...
stack.yaml:
_System:
  handler: System
BasicAuth:
  handler: NoAuth
  label: "Keycloak SSO"
  param:
    username_env: OIDC_CLAIM_preferred_username
    role_env: OPENXPKI_SSO_ROLE
handler.yaml:
# Those stacks are usually required so you should not remove them
Anonymous:
  type: Anonymous
  label: Anonymous
System:
  type: Anonymous
  role: System
# Read the userdata from a YAML file defined in auth/connector.yaml
LocalPassword:
  type: Password
  user@: connector:auth.connector.userdb
NoAuth:
  type: NoAuth
client.d/service/webui/default.yaml:
...
# customize redirect target on "first contact"
# might be replaced / merged with new realm overview
login:
  # Preset an auth stack to use, prevents the drop down
  stack: BasicAuth
  # Redirect to an inline page handler instead of the default login screen
  # With the source module, this makes it easy to show some text
  # FIXME - this is currently not working!
  # page: source!html!file!login
  # Redirect to an external page, can be a local or absolute external url
  # url: https://login.example.com/
...
realm:
  # Controls how requests are mapped to realms
  #   select
  #     Shows a realm selection page (default if nothing is set).
  #   path|hostname
  #     Expects a map defined in the [realm] section (see below)
  mode: path
  # Layout of the realm selection page:
  #   card
  #     Display realm cards in a grid (default)
  #   list
  #     Display realm cards as a vertical list
  layout: card
  # fixed mode
  #value: democa
  # map path component / hostname to realm (based on mode)
  map:
    # with mode: path
    myrealm: myrealm
    # rootca: rootca
    # with mode: hostname
    # demo.pki.example.com: democa
I'm really frustrated that I can't figure out where the problem is.
Can anybody help me on this topic?
Kind regards,
Thomas
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users