Using mod_auth_openidc with Keycloak
One can use mod_auth_openidc as an OpenID Connect Relying Party with Keycloak, which is described hereafter, or one can use it as an OAuth 2.0 Resource Server, whose setup is described at https://github.com/pingidentity/mod_auth_openidc/wiki/OAuth-2.0-Resource-Server#keycloak.
There's a sample setup for local OpenID Connect testing using Docker at https://github.com/Reposoft/openidc-keycloak-test.
Create a client of type "openid-connect" in your Keycloak realm. Set its access type to "Confidential", obtain the generated secret, and put that secret in an Apache configuration with something like:
OIDCProviderMetadataURL https://keycloak.example.net/auth/realms/Testrealm/.well-known/openid-configuration
OIDCRedirectURI https://myserver.example.not/oauth2callback
OIDCCryptoPassphrase 0123456789
OIDCClientID testclient
OIDCClientSecret ca446a2d-a65f-4e84-95a7-d20eb36989d8
# See https://github.com/Reposoft/openidc-keycloak-test/issues/7
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCRemoteUserClaim email
OIDCScope "openid email"
Without OIDCRemoteUserClaim you would get usernames of the form [user-uuid]@[keycloak-realm-url], which is not useful. The e-mail claim works well with Keycloak: a user whose address is email@example.com can authenticate as either the plain username or the full address.
Single Sign On (SSO) works. Just duplicate your config in multiple VirtualHosts or httpd instances and modify the OIDCRedirectURI accordingly. You can add multiple "Valid Redirect URIs" to the client in the Keycloak admin UI.
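As an added example (not part of the original page or of the mod_auth_openidc project), the directives above placed into two complete VirtualHosts, which is the SSO layout the previous paragraph describes. Hostnames, paths, the client secret and the passphrase are placeholders taken from or modelled on the snippet above; the Keycloak realm and client are assumed to list both redirect URIs under "Valid Redirect URIs". The Location blocks with AuthType openid-connect and Require valid-user are what actually protects content and populates REMOTE_USER from the email claim; the snippet above does not show them.

```apache
# Shared Keycloak Relying Party settings (assumed placeholder values).
# OIDCCryptoPassphrase encrypts the module's cookies and cache; replace the
# placeholder with a long random string and keep it out of version control.
OIDCProviderMetadataURL https://keycloak.example.net/auth/realms/Testrealm/.well-known/openid-configuration
OIDCCryptoPassphrase REPLACE-WITH-A-LONG-RANDOM-SECRET
OIDCClientID testclient
OIDCClientSecret REPLACE-WITH-THE-SECRET-FROM-KEYCLOAK
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCRemoteUserClaim email
OIDCScope "openid email"

# First application: its own redirect URI, must be listed in Keycloak.
<VirtualHost *:443>
    ServerName app1.example.not
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app1.example.not.pem
    SSLCertificateKeyFile /etc/ssl/private/app1.example.not.key

    OIDCRedirectURI https://app1.example.not/oauth2callback

    # Everything on this host requires a Keycloak login; REMOTE_USER
    # becomes the user's e-mail address because of OIDCRemoteUserClaim.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

# Second application: same client, different redirect URI. A user already
# logged in at app1 is signed in here without re-entering credentials,
# because the Keycloak session cookie is shared across both.
<VirtualHost *:443>
    ServerName app2.example.not
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app2.example.not.pem
    SSLCertificateKeyFile /etc/ssl/private/app2.example.not.key

    OIDCRedirectURI https://app2.example.not/oauth2callback

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

Each VirtualHost needs its own OIDCRedirectURI on that host, and each of those URIs must appear in the client's "Valid Redirect URIs" list in Keycloak, otherwise the authorization request is rejected. Keeping the redirect URI path under a protected Location, as here, matches the layout the mod_auth_openidc documentation recommends.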