Keycloak as idp for APM
@sebastien doucet your setup is indeed a bit different from mine, but the error seems related.
We are using our F5 APM as a full OIDC client, redirecting the user to the IdP logon page, requesting the token, etc.
Regarding the custom scope validation request, mine is more or less the same. Not so many params though, bare minimum only:
What really helped me is to place an iRule between the F5 and Keycloak to capture the SSL keys so you can decode the HTTPS traffic in the TCP dump. From there you can decode the tokens etc. using jwt.io and validate what is in there.
#START
# Client-side handshake: log the session secret in NSS key-log format
# (CLIENT_RANDOM line) so the tcpdump capture can be decrypted in Wireshark.
when CLIENTSSL_HANDSHAKE {
    log local0. "TCP source port client_side: [TCP::remote_port]"
    log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
}
# Server-side handshake: the same for the F5-to-Keycloak leg.
when SERVERSSL_HANDSHAKE {
    log local0. "TCP source port serv_side: [TCP::local_port]"
    log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
}
#END
reference: https://support.f5.com/csp/article/K16700
Also: is your Keycloak server behind an F5 virtual server? If so, make sure you configured Keycloak to understand it is running behind a load balancer. cfr: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
Thanks JorenC. I was finally able to make this work.
Capturing the RSA keys was not working due to RSA-DHE, but I found another way using the request logger in the Keycloak server: https://mirocupak.com/logging-requests-with-undertow/
And it seems that the F5 introspect request is not working as expected in v15.1, because using the Keycloak scope request posted above the result was:
2020-03-09 13:06:30,504 INFO [io.undertow.request.dump] (default task-15)
----------------------------REQUEST---------------------------
URI=/auth/realms/master/protocol/openid-connect/token/introspect
characterEncoding=null
contentLength=1666
contentType=[application/x-www-form-urlencoded]
header=Proxy-Connection=Keep-Alive
header=Accept=*/*
header=User-Agent=F5 OAuth Client
header=Authorization=Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5bzhwdzhZcHJ1UG96QzVuX0cyVHZVSVbOzSDkNlPyDi5A
header=oauth_dns_resolver_name=/Common/172.xx.xx.xx
header=oauth_serverssl_name=/Common/keycloak-publicssl
header=Expect=100-continue
header=Content-Type=application/x-www-form-urlencoded
header=Content-Length=1666
header=Host=keycloak.xxxxx.lu:8443
locale=[]
method=POST
protocol=HTTP/1.1
queryString=
remoteAddr=/172.xx.xx.xx:17741
remoteHost=172.xx.xx.xx
scheme=https
host=keycloak.xxxxx.lu:8443
serverPort=8443
isSecure=true
body=
%{session.oauth.client.last.access_token}=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5bzhwdzhZcHJ1UG96QzVuX0cyVHZVSVbOzSDkNlPyDi5A
token_type_hint=access_token
--------------------------RESPONSE--------------------------
contentLength=72
contentType=application/json
header=Connection=keep-alive
header=Content-Type=application/json
header=Content-Length=72
header=Date=Mon, 09 Mar 2020 12:06:30 GMT
status=401
And we see now that the F5:
- sends %{session.oauth.client.last.access_token} in place of the token
- fails to send the client-id and client-secret parameters in the body
- sends too much useless info to Keycloak, like the DNS resolver IP, backend server IP, SSL profile...
So I rebuilt the request using only custom fields, even for the default ones like token, client-id...:
and now it works! 🙂
I did the same for the userinfo request as well.
----------------------------REQUEST---------------------------
URI=/auth/realms/master/protocol/openid-connect/token/introspect
characterEncoding=null
contentLength=1699
contentType=[application/x-www-form-urlencoded]
header=Proxy-Connection=Keep-Alive
header=Accept=*/*
header=User-Agent=F5 OAuth Client
header=Authorization=Bearer hVhS2-trG8FsmeRyThTJ7zMGspLxZFGxV9kYjo
header=oauth_dns_resolver_name=/Common/172.xxx.xx.xx
header=oauth_serverssl_name=/Common/keycloak-publicssl
header=Expect=100-continue
header=Content-Length=1699
header=Content-Type=application/x-www-form-urlencoded
header=Host=keycloak.xxxxx.lu:8443
locale=[]
method=POST
protocol=HTTP/1.1
queryString=
remoteAddr=/172.xx.xx.xx:47015
remoteHost=172.xx.xx.xx
scheme=https
host=keycloak.xxxxx.lu:8443
serverPort=8443
isSecure=true
body=
client_id=F5-APM-Client
client_secret=db51def3-xxxx-xxxx-xxxx-xxxxx
token=hVhS2-trG8FsmeRyThTJ7zMGspLxZFGxV9kYjo
token_type_hint=access_token
--------------------------RESPONSE--------------------------
contentLength=913
contentType=application/json
header=Connection=keep-alive
header=Content-Type=application/json
header=Content-Length=913
header=Date=Mon, 09 Mar 2020 13:33:59 GMT
status=200
==============================================================
Using the F5 as a Client and Resource server for the Keycloak IdP is also working using the F5 request without modification:
So I can confirm that another workaround for the issuer port problem you encountered is to publish your Keycloak on a non-standard port.
Thanks for your help, I will do a complete configuration guide when I have time available.
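A small checker for the two Undertow dumps above, as an added example that is not part of the thread: it parses the REQUEST section of the io.undertow.request.dump output and reports the three defects found in the default F5 introspection call (unexpanded session variable sent as the token, no client credentials, F5-internal headers on the wire). The sample dump is constructed from the thread with tokens, secrets and addresses replaced by placeholders; note that the rebuilt request still carries the oauth_* headers, so the checker still flags those.

```python
# Added example, not from the thread: parse the REQUEST section of the
# io.undertow.request.dump output above and flag the defects the poster found in
# the default F5 introspection call. The sample dump is constructed from the
# thread, with tokens, secrets and addresses replaced by placeholders.

INTERNAL_HEADERS = {"oauth_dns_resolver_name", "oauth_serverssl_name"}

def parse_dump(dump: str) -> tuple[dict, dict]:
    # Returns (headers, body_params) of the REQUEST part of an Undertow dump.
    headers, body, in_body = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-") and "RESPONSE" in line:
            break  # end of the request section
        if in_body and "=" in line:
            key, _, value = line.partition("=")
            body[key] = value
        elif line.startswith("header="):
            name, _, value = line[7:].partition("=")
            headers[name] = value
        elif line == "body=":
            in_body = True
    return headers, body

def check_introspection(dump: str) -> list[str]:
    # Lists problems with the request; an empty list means it looks correct.
    headers, body = parse_dump(dump)
    problems = [] if "token" in body else ["missing 'token' parameter in body"]
    for key in body:  # a literal %{...} key means APM never expanded the variable
        if key.startswith("%{"):
            problems.append(f"unexpanded session variable sent as parameter: {key}")
    # RFC 7662 needs client auth: client_id/client_secret in the body (as in the thread) or HTTP Basic.
    if not headers.get("Authorization", "").startswith("Basic ") and \
            not {"client_id", "client_secret"}.issubset(body):
        problems.append("no client authentication (client_id/client_secret or Basic)")
    for name in sorted(INTERNAL_HEADERS.intersection(headers)):
        problems.append(f"internal F5 detail leaked in header: {name}")
    return problems

BROKEN_DUMP = """header=Authorization=Bearer ACCESS_TOKEN_PLACEHOLDER
header=oauth_dns_resolver_name=/Common/172.xx.xx.xx
header=oauth_serverssl_name=/Common/keycloak-publicssl
body=
%{session.oauth.client.last.access_token}=ACCESS_TOKEN_PLACEHOLDER
token_type_hint=access_token
--------------------------RESPONSE--------------------------
status=401"""
FIXED_DUMP = BROKEN_DUMP.replace(
    "%{session.oauth.client.last.access_token}=", "client_id=F5-APM-Client\n"
    "client_secret=CLIENT_SECRET_PLACEHOLDER\ntoken=").replace("401", "200")
```

Running check_introspection(BROKEN_DUMP) reports all three defects plus the two leaked headers; on FIXED_DUMP only the two header findings remain.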