Forum Discussion
Keycloak as idp for APM
Hello, just wanted to know if someone finally managed to make this work with F5 APM and Keycloak OpenID (or any custom on-premise OAuth2 or OpenID provider), authorisation code flow, custom requests...
I'm trying to do the same for OpenID auth behind an API with v15.1 and AWAF but without success...
We do have it running here. But haven't found the time to do a full write-up on the basic setup via APM.. :(
Any specific questions you have regarding the APM integration?
- avenging, Feb 26, 2020 (Nimbostratus)
OK, I tried to use the F5 as a resource server to validate the JWT token.
Did you manage to do it using the OAuth provider configuration with OpenID Connect discovery like https://keycloakhost:keycloakport/auth/realms/master/.well-known/openid-configuration ?
Because for me, the discovery works, but if I use the auto-JWT part, on save, the F5 tells me about a certificate issue (the CA bundle provided in the config is the one of the certificate for the OpenID discovery link, maybe not the same one used by the master realm to sign tokens or authorisation codes). So I created the JWKS part manually.
A request to the F5 APM VIP redirects well to Keycloak for auth, but once authenticated the F5 tells that it cannot validate the token or auth code provided by Keycloak.
As the password grant type has been deprecated, did you manage to make it work using the authorisation code flow?
Also, I wonder if for the scope validation step you use the F5 type or have created some specific for Keycloak?
Yes, if someone has time to do a detailed write-up on DevCentral on how to configure APM with OpenID as Client and/or Resource Server for use with Keycloak or any on-premise custom provider, I think this will help a lot of people.
Thanks.
- JorenC, Feb 26, 2020 (Nimbostratus)
Yes, we are indeed using the OIDC discovery.
If I'm not mistaken, the CA bundle used here is just needed to connect to the Keycloak endpoint. So like you said, it has nothing to do with the signing cert for tokens.
In our case, we have our Keycloak running behind a virtual server on F5 with a publicly signed DigiCert certificate. So for the autodiscovery CA bundle I've imported the DigiCert bundle so F5 can validate this.
Regarding the flows, we had the password flow working more or less out of the box. The code flow did have an issue. We kept receiving a 401 on the userinfo requests. Is this what you see? The Keycloak logs will mention something like invalid_credentials.
In our case: after some tracing and the help of F5 support (big thanks to @Stanislaw Tsiarnouski) we noticed the issue is that Keycloak adds the port number to the host header when calling introspect / userinfo, but the issuer in the token does not contain this port number. This makes Keycloak fail the check. (I still have a case open at Red Hat for this but no solution on their part yet..)
So what I did to work around the issue is to remove the port number from the Host header if specific requests are passed to the VS of our server.
As a quick and dirty example:
    when HTTP_REQUEST {
        # Keycloak builds the issuer from the Host header and compares it with the token's iss claim;
        # strip the explicit :443 so the introspect / userinfo calls from APM pass that check.
        if { [HTTP::method] eq "POST" && [HTTP::host] eq "keycloak.company.com:443" } {
            HTTP::header replace Host "keycloak.company.com"
        }
    }
This then works for both the code flow and password flow.
Do note: all requests have been custom made for Keycloak (Access > Federation : OAuth Client / Resource Server : Request), based on the info from their docs and the curl command used to obtain tokens etc. I found this the least well documented part of the entire setup actually.. 😥
HTH
Joren
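The issuer check that JorenC's iRule works around, modelled as an added example (not code from the thread, F5 or Keycloak): the IdP rebuilds the realm issuer from the scheme, the Host header and the realm path, compares it as a string with the token's iss claim, and an explicit default port in the Host header alone breaks the comparison. The function names, the realm path /auth/realms/<realm> (taken from the discovery document quoted later in the thread) and the sample issuers are constructed for this illustration.

```python
# Added example: reproduce the issuer-vs-Host-header comparison described in the thread
# and the effect of stripping a default port from the Host header (the iRule workaround).

# Default ports per scheme; an explicit default port is what broke the check in the thread.
DEFAULT_PORTS = {"https": 443, "http": 80}


def issuer_from_request(scheme: str, host_header: str, realm: str) -> str:
    """Issuer the IdP derives from the request it received: scheme + Host header + realm path.
    The realm path /auth/realms/<realm> is the Keycloak layout shown in the thread's discovery document."""
    return f"{scheme}://{host_header}/auth/realms/{realm}"


def strict_issuer_check(token_iss: str, scheme: str, host_header: str, realm: str) -> bool:
    """Plain string comparison: 'host:443' versus 'host' already fails it, exactly as the 401 in the thread."""
    return token_iss == issuer_from_request(scheme, host_header, realm)


def strip_default_port(scheme: str, host_header: str) -> str:
    """What the iRule workaround does, generalised to both http and https defaults.
    A non-default port such as 8443 is kept, because the issuer then contains it too.
    Assumes a host:port form (no IPv6 literal)."""
    host, sep, port = host_header.rpartition(":")
    if sep and port.isdigit() and int(port) == DEFAULT_PORTS[scheme]:
        return host
    return host_header


def issuer_check_with_workaround(token_iss: str, scheme: str, host_header: str, realm: str) -> bool:
    """Same comparison after the Host header has been normalised on the way in."""
    return strict_issuer_check(token_iss, scheme, strip_default_port(scheme, host_header), realm)


if __name__ == "__main__":
    # Constructed inputs modelled on the two deployments discussed in the thread:
    # one whose issuer has no port (Keycloak behind F5 on 443), one published on 8443.
    cases = [
        ("https://keycloak.company.com/auth/realms/master", "keycloak.company.com:443"),
        ("https://keycloak.xxxxx.lu:8443/auth/realms/master", "keycloak.xxxxx.lu:8443"),
    ]
    for iss, host in cases:
        print(host,
              "strict:", strict_issuer_check(iss, "https", host, "master"),
              "with workaround:", issuer_check_with_workaround(iss, "https", host, "master"))
```

The first case fails strictly and passes only once the :443 is stripped; the second passes either way, which is why a deployment whose issuer already carries its port does not hit this problem.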
- avenging, Feb 26, 2020 (Nimbostratus)
OK, thanks JorenC.
No, I'm not able to get to the scope validation part for the moment; I was just asking if we need to make custom requests or if using the preconfigured F5 type was working.
I'm only at the token / auth code validation, internally on the F5 using JWKS or externally, but I'm not able to make this work. I will post the details next week as I have no access to the F5 until Monday.
- avenging, Mar 03, 2020 (Nimbostratus)
OK, maybe I will not have the issue about the port for introspect / userinfo because the token issuer already includes the port number, as my Keycloak is published under port 8443.
I fixed some mistakes about the JWKS and now it seems that the token is well validated at the OAuth Scope (Internal) step but fails at the OAuth Scope (External) step:
Mar 3 15:20:48 f5poc notice apmd[12760]: 01490291:5: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_ag: OAuth Scope: succeeded for jwt-provider-list '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_providerList_keycloak-provider'
Mar 3 15:20:48 f5poc notice apmd[12760]: 014902ae:5: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_1_ag: OAuth Scope: getting list of scopes, associated with access_token, from server '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthServer_keycloak-provider' (resource_server_id=F5-APM-Client)
Mar 3 15:20:48 f5poc err apmd[12760]: 01490290:3: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_1_ag: OAuth Scope: failed for server '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthServer_keycloak-provider' (resource_server_id=F5-APM-Client), error: HTTP error 401, Error: invalid_request: Authentication failed.
It seems that using the F5 request type is not working, but I don't understand how to make custom requests for the Keycloak IdP in the F5 config.
Here is my https://keycloak.xxxxx.lu:8443/auth/realms/master/.well-known/openid-configuration (don't know if this helps...):
{
  "issuer": "https://keycloak.xxxxx.lu:8443/auth/realms/master",
  "authorization_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/token",
  "token_introspection_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/logout",
  "jwks_uri": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/certs",
  "check_session_iframe": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password", "client_credentials" ],
  "response_types_supported": [ "code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token" ],
  "subject_types_supported": [ "public", "pairwise" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA1_5" ],
  "id_token_encryption_enc_values_supported": [ "A128GCM", "A128CBC-HS256" ],
  "userinfo_signing_alg_values_supported": [ "RS256", "none" ],
  "request_object_signing_alg_values_supported": [ "RS256", "none" ],
  "response_modes_supported": [ "query", "fragment", "form_post" ],
  "registration_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "client_secret_jwt" ],
  "token_endpoint_auth_signing_alg_values_supported": [ "RS256" ],
  "claims_supported": [ "aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email" ],
  "claim_types_supported": [ "normal" ],
  "claims_parameter_supported": false,
  "scopes_supported": [ "openid", "gatekeeperClientScope", "F5-APM-ClientScope", "address", "email", "microprofile-jwt", "offline_access", "phone", "profile", "roles", "web-origins" ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "code_challenge_methods_supported": [ "plain", "S256" ],
  "tls_client_certificate_bound_access_tokens": true,
  "introspection_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/token/introspect"
}
Thanks in advance.