I am using Keycloak to authenticate a Vue app that is running on Docker. Currently, my configuration includes using grant_type=password along with client-id and client-secret to authenticate a client.
Because I want to make client-secret configurable, what is the best way to use keycloak client-secret in docker-compose.
Related
Recently we split a big monolithic enterprise application in a bunch of microservices in CloudFoundry. Just one of them is on the apigee proxy and communicates with a service exposed externally. Now i have a requirement to invoke the service using curl command with Autosys. How do i call the mtls enabled apigee microservice with Curl command?
In postman, i will pass key & secret and get the bearer token and then call the microservice, then it works fine. Everytime, the bearer token will change atleast for few hours. How do i deal this level of authentication with curl command? Any advise on this use case of calling mTLS enabled apigee hosted microservice from curl command?
We are running the Jenkins with the SAML authentication. Now, we are trying to extract build user info from Jenkins buildURL xmi path and need to authenticated with the jenkins server. I created api token using my user and this is used by every build to communicate with buildURL job.
Is there any way, we can create a common api credential to authenticate with Jenkins.
Thanks
I currently have the following architecture
APP -> API -> KeyCloak
I want the APP to be able to send requests to my API which will then internally proxy certain requests to KeyCloak. For example, I'd like to make a request to the /userinfo endpoint in KeyCloak through my API. If I can figure this out I can then perform more complex features.
APP -> http://api:port/api/userinfo
API -> http://keycloak:port/auth/realms/quartech/protocol/openid-connect/userinfo
I have a valid JWT Bearer token. As I can directly make the request to KeyCloak successfully, however if I attempt to make the request via my API it returns 401. Even though it is using the same JWT Bearer token.
I believe it has something to do with configuring the KeyCloak client to allow requests to come from the API. But so far I haven't been able to figure it out.
I've discovered it required a DNS entry to local development within a Docker container.
I've edited the hosts file and added a 127.0.0.1 keycloak and then al
Searching through the Internet, I have seen that EKS only enables IAM authentication for IAM users.
Is it possible to configure client certificate authentication manually? I mean, create Kubernetes users and roles internally and not use IAM authentication.
Kubernetes supports several authentication modules, for example:
X509 client certificates
Service account tokens
OpenID Connect tokens
Webhook token authentication
Authenticating proxy, etc.
You can find more details regarding them in the official documentation.
However, Amazon EKS uses only one specific authentication method, an implementation of a webhook token authentication to authenticate Kube API requests. This webhook service is implemented by an open source tool called AWS IAM Authenticator, which has both client and server sides.
In short, the client sends a token (which includes the AWS IAM identity—user or role—making the API call) which is verified on the server-side by the webhook service.
So the answer to your question is: if you choose to use EKS you only have one authentication option which is IAM.
I hope it helps.
I'm developing a solution that has: an Authorization Server (AS), a Resource Server and two clients. The two clients are: a web app with Angular 2 and a mobile app with Angular 2 + Ionic 2. I have started to develop the Authorization Server following this sample https://github.com/Baeldung/spring-security-oauth
For both the clients, I have decided to use the "Password Code Grant" because the client are trusted by the AS.
But now I have a problem storing the "client secret code" on the apps. Because the API (.../oauth/token) is secured by Basic Authentication so every time that I ask a token to the AS I need to send something like that:
curl.exe -v -u client_id:client_secret http://localhost:8080/backend/oauth/token -d grant_type=password -d client_id=client_id -d username=admin -d password=admin
So, the questions are:
Where I can store safely the client secret code on the apps?
Is it safe to remove the Basic Authentication from the oauth API?
Have I use another code grant type?
Thank you,
Paolo
Applications running in a browser (Angular) are not able to keep their secrets safe, so I would choose the OAuth2 Implicit flow. The implicit flow requires the use of HTTPS for communication with your Authorization Server, since the tokens are transferred over the network.
You should not remove the authentication from the token endpoint - it would compromise other flow types. For example the authorization grant flow doesn't require the client to be served by HTTPS and the auth code can be visible to anyone, so the token endpoint secret is important there (the Resource Server must ask for the tokens using HTTPS).
Using the implicit flow, you will have to check the validity time of the access token and request a new one before the current one expires. For example using the prompt=none auth request parameter.