Tags: keycloak, mod-auth-openidc

Keycloak/mod_auth_openidc under reverse proxy


I have a landing page for my OpenID setup which redirects to Keycloak if the user is not yet authorized, then redirects back to my landing page once verified. I run my Keycloak server behind an Apache mod_proxy.

The configuration is successful. Now, my problem is that even though my applications (Gitbucket and Jenkins) use the same realm as my mod_auth_openidc, I still need to log in to the applications (SSO setup) even though I was already verified when accessing my landing page. Please see the image at this link: https://ibb.co/VND01SY

    DocumentRoot "/var/www/html"
    DirectoryIndex index.html index.cgi index.php index.shtml

    # Keycloak backend; /auth/ on this host is forwarded to it
    <Proxy "balancer://apache_mod_proxy">
            BalancerMember "http://192.168.122.125:8080"
    </Proxy>

    ProxyPreserveHost On
    ProxyPass "/auth/" "balancer://apache_mod_proxy/auth/"
    ProxyPassReverse "/auth/" "balancer://apache_mod_proxy/auth/"

    # mod_auth_openidc: discover the Keycloak realm "ci" through this proxy
    OIDCProviderMetadataURL "http://192.168.122.103/auth/realms/ci/.well-known/openid-configuration"
    OIDCClientID "apache24"
    OIDCClientName "apache24"
    OIDCClientSecret "cc251291-9254-42ef-8073-6f5b396f73cc"
    OIDCScope "openid email profile"
    OIDCProviderTokenEndPointAuth "client_secret_basic"

    # Redirect URI must lie under the protected location and not be a real file
    OIDCRedirectURI http://192.168.122.103/test/redirect_uri
    # Passphrase used to encrypt the session cache
    OIDCCryptoPassphrase 0123456789
    # Which ID-token claim becomes REMOTE_USER
    OIDCRemoteUserClaim "preferred_username"

    # Only /test (the landing page) is protected by mod_auth_openidc
    <Location /test>
       AuthType openid-connect
       Require valid-user
    </Location>

The above is my current configuration.

My expected output should be:

If not yet verified by Keycloak:

  1. Access index.html -> redirect to Keycloak if this is the first login.
  2. Redirect to index.html after verification (this page contains links to Jenkins and Gitbucket).
  3. When a link for one of the applications is clicked, I don't need to re-login for the same realm.

Please correct me if my understanding of the scenario is wrong.

I also don't know how to use logout, or where to put the logout for the landing page and SSO.


Solution

  • SSO to Jenkins and Gitbucket depends on how these applications are configured to recognize the user. They should be configured to depend on headers set by the reverse proxy running mod_auth_openidc in front of them.
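As an added example of what the answer describes (this is not the asker's configuration and not the answer author's code), the following Apache configuration moves the mod_auth_openidc protection from `/test` to the whole host, so the landing page, Jenkins and Gitbucket all share one session cookie, and passes the authenticated user to the backends in a request header. It reuses the Keycloak values from the question and assumes Jenkins listens on 127.0.0.1:8081 with the Reverse Proxy Auth plugin (which reads `X-Forwarded-User`) and a `/jenkins` context path, and that Gitbucket listens on 127.0.0.1:8082 with a `/gitbucket` prefix; how Gitbucket consumes a proxy-set header is not covered here. The passphrase is a placeholder.

```apache
# Added example: one mod_auth_openidc session for landing page + applications.
# Assumed backends: Jenkins 127.0.0.1:8081 (--prefix=/jenkins, Reverse Proxy
# Auth plugin), Gitbucket 127.0.0.1:8082 (--prefix=/gitbucket).
DocumentRoot "/var/www/html"
DirectoryIndex index.html

# Keycloak stays reachable through this host, as in the question
<Proxy "balancer://apache_mod_proxy">
        BalancerMember "http://192.168.122.125:8080"
</Proxy>
ProxyPreserveHost On
ProxyPass        "/auth/" "balancer://apache_mod_proxy/auth/"
ProxyPassReverse "/auth/" "balancer://apache_mod_proxy/auth/"

# Application backends, only reachable via this proxy (bind them to 127.0.0.1
# so nobody can hit them directly with a hand-crafted X-Forwarded-User)
ProxyPass        "/jenkins/"   "http://127.0.0.1:8081/jenkins/"
ProxyPassReverse "/jenkins/"   "http://127.0.0.1:8081/jenkins/"
ProxyPass        "/gitbucket/" "http://127.0.0.1:8082/gitbucket/"
ProxyPassReverse "/gitbucket/" "http://127.0.0.1:8082/gitbucket/"

# Keycloak client settings (values from the question)
OIDCProviderMetadataURL "http://192.168.122.103/auth/realms/ci/.well-known/openid-configuration"
OIDCClientID "apache24"
OIDCClientSecret "cc251291-9254-42ef-8073-6f5b396f73cc"
OIDCScope "openid email profile"
OIDCProviderTokenEndPointAuth "client_secret_basic"
OIDCRemoteUserClaim "preferred_username"

# One redirect URI for the whole host: a virtual path under the protected
# location that does not exist as a real file.
OIDCRedirectURI "http://192.168.122.103/redirect_uri"
OIDCCryptoPassphrase "REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"   # placeholder

# Hand the user to the backends: REMOTE_USER goes into X-Forwarded-User and
# all claims into OIDC_CLAIM_* headers. mod_auth_openidc sets these headers
# itself on every protected request, so a browser-supplied copy is overwritten.
OIDCAuthNHeader X-Forwarded-User
OIDCPassClaimsAs headers

# Everything on this host shares the same session; a login for index.html
# therefore already covers /jenkins/ and /gitbucket/.
<Location "/">
    AuthType openid-connect
    Require valid-user
</Location>

# Exemptions: Keycloak's own pages and the post-logout page must be reachable
# without a session, otherwise the login redirect loops.
<Location "/auth/">
    AuthType None
    Require all granted
</Location>
<Location "/loggedout.html">
    AuthType None
    Require all granted
</Location>
```

For logout, link the landing page to the redirect URI with a `logout` parameter, e.g. `/redirect_uri?logout=http://192.168.122.103/loggedout.html`: mod_auth_openidc clears its own session and, because Keycloak publishes an `end_session_endpoint` in its metadata, sends the browser through Keycloak's logout as well, so the SSO session ends for the applications too. A client cannot forge `X-Forwarded-User` for Jenkins as long as Jenkins is only reachable through this proxy; leaving the Jenkins port open on the network would turn that header into a bypass.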