question: Authenticate against two different keycloak realms #368

Open
theodotos opened this issue Nov 12, 2024 · 1 comment

Comments

@theodotos

We have two different realms in our Keycloak setup: staff and external associates. We have a service that requires both realms to be authenticated on said web service. Is it possible to accomplish that with caddy-security? Any example configs on how to do that?

theodotos added the labels need triage and question (Further information is requested) on Nov 12, 2024
@em-

em- commented Dec 3, 2024

I came up with a demo using two OpenID Connect IdPs to protect some pages, which can then be adapted to any other IdP like Keycloak.

Put the config below in a file named Caddyfile and then run docker run -p 8080:80 -v ./Caddyfile:/etc/caddy/Caddyfile ghcr.io/authcrunch/authcrunch. It uses oauth.wiremockapi.cloud to mock a real IdP, and on the whoami page you can check that the appropriate role has been set:

{
    auto_https off
    debug

    order authenticate before respond
    order authorize before basicauth
    
    security {
        oauth identity provider idp1 {
            driver generic
            realm idp1
            client_id the_client_id_for_idp1
            client_secret the_secret_for_idp1
            scopes openid email profile
            metadata_url https://oauth.wiremockapi.cloud/.well-known/openid-configuration
        }
        oauth identity provider idp2 {
            driver generic
            realm idp2
            client_id the_client_id_for_idp2
            client_secret the_secret_for_idp2
            scopes openid email profile
            metadata_url https://oauth.wiremockapi.cloud/.well-known/openid-configuration
        }
        authentication portal authportal {
            enable identity provider idp1
            enable identity provider idp2
            transform user {
                match realm idp1
                action add role idp1/user
            }
            transform user {
                match realm idp2
                action add role idp2/user
            }
            ui {
                links {
                    "whoami" /auth/whoami icon "las la-rocket"
                    "root" / icon "las la-sitemap"
                }
            }
        }
        authorization policy authpolicy {
            set auth url /auth
            allow roles idp1/user idp2/user
        }
    }
}

:80 {
    handle /auth* {
        authenticate with authportal
    }
    handle /* {
        authorize with authpolicy
        header Content-Type text/html
        respond <<HTML
          <html>
            <head><title>Caddy auth test</title></head>
            <body>
              <h1>It works!</h1>
              <a href=/auth/whoami>Check the auth token contents</a>
            </body>
          </html>
          HTML 200
    }
}
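A model of what the config above does with a login from either realm, added here as an example and not caddy-security's own code: the realm is chosen by exact issuer match, the token must be addressed to the client registered in that realm, the subject is namespaced by realm so the same sub in the staff and external realms never merges into one user, and the realm's role is what the allow roles policy checks. It assumes the token signature has already been verified upstream; the realm names, issuer URLs and client ids are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed: the two Keycloak realms from the question. Each realm's
# discovery document advertises its own issuer; client_id is the expected
# `aud`; role is what the matching `transform user` block would add.
REALMS = {
    "staff": {"issuer": "https://keycloak.example/realms/staff",
              "client_id": "caddy-staff", "role": "staff/user"},
    "external": {"issuer": "https://keycloak.example/realms/external",
                 "client_id": "caddy-external", "role": "external/user"},
}
ALLOWED_ROLES = {"staff/user", "external/user"}  # the `allow roles` line


@dataclass(frozen=True)
class Identity:
    realm: str
    subject: str        # "<realm>:<sub>" so cross-realm sub collisions stay distinct
    roles: frozenset


def map_claims(claims: dict) -> Identity:
    """Pick the realm by exact `iss` match, require `aud` to contain that
    realm's client, and grant the realm's role. Raises ValueError otherwise."""
    iss = claims.get("iss")
    realm = next((n for n, r in REALMS.items() if r["issuer"] == iss), None)
    if realm is None:
        raise ValueError(f"unknown issuer: {iss!r}")
    aud = claims.get("aud")
    auds = {aud} if isinstance(aud, str) else set(aud or [])
    if REALMS[realm]["client_id"] not in auds:
        raise ValueError(f"token for {realm} not issued to our client: {auds}")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return Identity(realm, f"{realm}:{claims['sub']}",
                    frozenset({REALMS[realm]["role"]}))


def authorize(identity: Identity) -> bool:
    """The `authorization policy` decision: any allowed role grants access."""
    return bool(identity.roles & ALLOWED_ROLES)


if __name__ == "__main__":
    # Constructed claim sets standing in for already-verified ID tokens;
    # note both carry sub "42" yet map to two different subjects.
    staff = {"iss": REALMS["staff"]["issuer"], "aud": "caddy-staff", "sub": "42"}
    ext = {"iss": REALMS["external"]["issuer"],
           "aud": ["caddy-external", "account"], "sub": "42"}
    for c in (staff, ext):
        ident = map_claims(c)
        print(ident.subject, sorted(ident.roles), authorize(ident))
```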
