Forum Discussion
Keycloak as idp for APM
We do have it running here. But I haven't found the time to do a full write-up on the basic setup via APM... :(
Any specific questions you have regarding the APM integration?
OK, maybe I will not have the issue about the port for introspect / userinfo, because the token issuer already includes the port number, as my Keycloak is published under port 8443.
I fixed some mistakes about the JWKS, and now it seems that the token is validated correctly at the OAuth Scope (Internal) step but fails at the OAuth Scope (External) step:
Mar 3 15:20:48 f5poc notice apmd[12760]: 01490291:5: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_ag: OAuth Scope: succeeded for jwt-provider-list '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_providerList_keycloak-provider'
Mar 3 15:20:48 f5poc notice apmd[12760]: 014902ae:5: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_1_ag: OAuth Scope: getting list of scopes, associated with access_token, from server '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthServer_keycloak-provider' (resource_server_id=F5-APM-Client)
Mar 3 15:20:48 f5poc err apmd[12760]: 01490290:3: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_1_ag: OAuth Scope: failed for server '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthServer_keycloak-provider' (resource_server_id=F5-APM-Client), error: HTTP error 401, Error: invalid_request: Authentication failed.
It seems that using the F5 request type is not working, but I don't understand how to make a custom request for the Keycloak IdP in the F5 config.
Here is my https://keycloak.xxxxx.lu:8443/auth/realms/master/.well-known/openid-configuration (don't know if this helps...):
{
"issuer": "https://keycloak.xxxxx.lu:8443/auth/realms/master",
"authorization_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/token",
"token_introspection_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/logout",
"jwks_uri": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/certs",
"check_session_iframe": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A128GCM",
"A128CBC-HS256"
],
"userinfo_signing_alg_values_supported": [
"RS256",
"none"
],
"request_object_signing_alg_values_supported": [
"RS256",
"none"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"registration_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"RS256"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"scopes_supported": [
"openid",
"gatekeeperClientScope",
"F5-APM-ClientScope",
"address",
"email",
"microprofile-jwt",
"offline_access",
"phone",
"profile",
"roles",
"web-origins"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"introspection_endpoint": "https://keycloak.xxxxx.lu:8443/auth/realms/master/protocol/openid-connect/token/introspect"
}
Thanks in advance.
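The failing step in the log above is APM calling the Keycloak introspection endpoint and getting "HTTP error 401, Error: invalid_request: Authentication failed." The following is an added example, not code from the poster, from F5 APM or from Keycloak: it walks through an RFC 7662 introspection exchange with both sides in one file. The resource-server side builds the request with client_secret_basic (one of the token_endpoint_auth_methods_supported values in the discovery document above) and interprets the answer; the IdP side is a hypothetical in-process stand-in modelled on RFC 7662 and on the error text in the log, with a constructed client secret and a constructed token, so it runs offline. Only the endpoint URL and the client id F5-APM-Client come from the post.

```python
"""Added example (not from the post, F5 APM or Keycloak): an RFC 7662 token
introspection exchange with a constructed stand-in for the IdP side, showing
why a 401 'Authentication failed.' is a client-credential failure at the
introspection endpoint and not a rejected token."""
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Endpoint as published in the discovery document quoted in the post.
INTROSPECTION_ENDPOINT = (
    "https://keycloak.xxxxx.lu:8443/auth/realms/master"
    "/protocol/openid-connect/token/introspect"
)

# --- Resource-server side (what APM does in the OAuth Scope (External) step) ---

def build_introspection_request(client_id: str, client_secret: str, token: str):
    """Headers and form body for an RFC 7662 request using client_secret_basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body


def scopes_from_response(status: int, payload: dict) -> set:
    """Interpret the answer the way a resource server should: a non-200 status
    is a failure of *our* call (normally our client credentials), 'active': false
    is a rejected token, and only an active token yields scopes."""
    if status != 200:
        raise PermissionError(
            f"introspection call failed: HTTP {status} "
            f"{payload.get('error')}: {payload.get('error_description')}"
        )
    if not payload.get("active"):
        return set()
    return set(payload.get("scope", "").split())


def has_required_scope(status: int, payload: dict, required: str) -> bool:
    """True only when the token is active and carries the required scope."""
    return required in scopes_from_response(status, payload)

# --- Constructed stand-in for the IdP side (hypothetical; modelled on RFC 7662
# and on the error text in the poster's log, not Keycloak code) ---

FAKE_CLIENTS = {"F5-APM-Client": "constructed-secret"}  # registered confidential clients
FAKE_TOKENS = {                                         # tokens the IdP knows about
    "tok-active": {"active": True, "scope": "openid F5-APM-ClientScope",
                   "client_id": "F5-APM-Client", "username": "alice"},
}
AUTH_FAILED = {"error": "invalid_request", "error_description": "Authentication failed."}


def fake_introspect(headers: dict, body: str):
    """Authenticate the calling client first; only then look at the token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, dict(AUTH_FAILED)
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return 401, dict(AUTH_FAILED)
    if FAKE_CLIENTS.get(client_id) != secret:
        return 401, dict(AUTH_FAILED)
    token = parse_qs(body).get("token", [""])[0]
    info = FAKE_TOKENS.get(token)
    if info is None:
        # RFC 7662: unknown, expired or revoked tokens are reported as
        # inactive, not as an HTTP error.
        return 200, {"active": False}
    return 200, dict(info)


if __name__ == "__main__":
    good = build_introspection_request("F5-APM-Client", "constructed-secret", "tok-active")
    print("correct secret:", fake_introspect(*good))
    bad = build_introspection_request("F5-APM-Client", "wrong-secret", "tok-active")
    print("wrong secret  :", fake_introspect(*bad))
```

The distinction the stand-in makes is the one to keep in mind when reading the APM log: an inactive or unknown token comes back as HTTP 200 with "active": false, whereas a 401 with "Authentication failed." is returned before the token is examined at all, because the credentials the caller presented for F5-APM-Client were rejected. The first thing to compare is therefore the client id and secret configured on the OAuth server object in APM against the corresponding confidential client in the Keycloak realm, and the authentication method the request actually uses against the methods the realm advertises.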