Reputation: 621
How does keycloak determine which signature algorithm to use?
I'm writing an application that uses keycloak as its user authentication service. I have normal users, who log in to keycloak from the frontend (web browsers), and service users, who log in from the backend (PHP on IIS). However, when I log in from the backend, keycloak uses HS256 as its signature algorithm for the access token, and thus rejects it for further communication because RS256 is set in the realm and client settings. To get around this issue, I would like to "pretend to be the frontend" to get RS256 signed access tokens for my service users.
For security reasons, I cannot give the HS256 key to the application server, as it's symmetrical and too many people can access the server's code.
I am currently debugging the issue using the same user/pw/client id/grant type both on the frontend and the backend, so that cannot be the issue.
So far I have tried these with no luck:
- copying the user agent
- copying every single HTTP header (Host, Accept, Content-Type, User-Agent, Accept-Encoding, Connection, even Content-Length is the same as the form data is the same)
- double checking if the keycloak login is successful or not - it is, it's just that it uses the wrong signature algorithm
So how does keycloak determine which algorithm to sign tokens with? If it's different from version to version, where should I look in keycloak's code for the answer?
EDIT: clarification of the flow of login and reasons why backend handles it.
If a user logs in, this is what happens:
- client --[login data]--> keycloak server
- keycloak server --[access and refresh token with direct token granting]--> client
- client --[access token]--> app server
- (app server validates access token)
- app server --[data]--> client
But in some occasions the fifth step's data is the list of users that exist in my realm. The problem with this is that keycloak requires one to have the view-users role to list users, which only exists in the master realm, so I cannot use the logged in user's token to retrieve it.
For this case, I created a special service user in the master realm that has the view-users role, and gets the data like this:
- client --[asks for list of users]--> app server
- app server --[login data of service user]--> keycloak server
- keycloak server --[access token with direct granting]-->app server
- app server --[access token]--> keycloak server's get user list API endpoint
- (app server filters detailed user data to just a list of usernames)
- app server --[list of users]--> client
This makes the the list of usernames effectively public, but all other data remains hidden from the clients - and for security/privacy reasons, I want to keep it this way, so I can't just put the service user's login data in a JS variable on the frontend.
In the latter list, step 4 is the one that fails, as step 3 returns a HS256 signed access token. In the former list, step 2 correctly returns an RS256 signed access token.
Upvotes: 5
Views: 6722
Answers (1)
Reputation: 1285
Thank you for the clarification. If I may, I will answer your question maybe differently than expected. While you focus on the token signature algorithm, I think there are either mistakes within your OAuth2 flows regarding their usage, or you are facing some misunderstanding.
The fact that both the backend and frontend use "Direct Access Granting" which refers to the OAuth2 flow Resources Owner Credentials Grant is either a false claim or is a mistake in your architecture.
As stated by Keycloak's own documentation (but also slightly differently in official OAuth.2 references):
Resource Owner Password Credentials Grant (Direct Access Grants) ... is used by REST clients that want to obtain a token on behalf of a user. It is one HTTP POST request that contains the credentials of the user as well as the id of the client and the client’s secret (if it is a confidential client). The user’s credentials are sent within form parameters. The HTTP response contains identity, access, and refresh tokens.
As far as I can see the application(s) and use case(s) you've described do NOT need this flow.
My proposal
Instead what I'd have seen in your case for flow (1) is Authorization Code flow ...
- assuming that "Client" refers to normal users in Browser (redirected to Keycloak auth. from your front app)
- and assuming you do not actually need the id and access tokens back in your client, unless you have a valid reasonable reason. As the flows allowing that are considered legacy/deprecated and no more recommended. In this case, we would be speaking of
Implicit Flow(andPassword Grantflow is also discouraged now).
So I think that the presented exchange (first sequence with points 1 to 5 in your post) is invalid at some point.
For the second flow (backend -> list users), I'd propose two modifications:
Allow users to poll the front end application for the list of users and in turn the front-end will ask the backend to return it. The backend having a service account to a client with
view-roleswill be able to get the required data:Client (logged) --> Request list.users to FRONTEND app --> Get list.users from BACKEND app (<--> Keycloak Server) <----------------------------------------- Return data.Use Client Credentials Grant (flow) for Backend <> Keycloak exchanges for this use case. The app will have a
service accountto which you can assign specific scopes+roles. It will not work on-behalf of any user (even though you could retrieve the original requester another way!) but will do its work in a perfectly safe manner and kept simple. You can even define a specificClientfor these exchanges that would bebearer-only.
After all if you go that way you don't have to worry about tokens signature or anything like that. This is handled automatically according to the scheme, flow and parties involved. I believe that by incorrectly making use of the flows you end up having to deal with tricky token issues. According to me that is the root cause and it will be more helpful than focusing on the signature problem. What do you think?
Did I miss something or am I completely wrong...? You tell me.
Upvotes: 0
Related Questions
- Do Keycloak Clients have a Client Secret?
- What are Keycloak's OAuth2 / OpenID Connect endpoints?
- How can I configure Keycloak to use HMAC algorithm as default instead of RSA?
- What exactly is meant by "Signature Algorithm" on a certificate? Which signature algorithm is being used to sign my certificate?
- How is the id generated for USER_ENTITY and USER_ATTRIBUTE table in Keycloak DB?
- How does a Keycloak client validate a token
- How does Keycloak use the LDAP attributes defined in User Federation?
- Why does multiple access tokens work in Keycloak?
- Keycloak cookies : KEYCLOAK_SESSION,Oauth_token_request_state, KEYCLOAK_IDENTITY
- How does the authorization rules are validated by keycloak authorization server using spring rest adapter