I have a wordpress website -
Currently I’m using mini Orange plugin which kind of works, however it still redirects to the keycloak url rather than present login etc using the main url of the web site.
Which is the easiest way to achieve this.
Our web server is plesk and OIDC is not liking Plesk very much - would mod auth melon be a better option ?
I am open to anything that allows us to set this up simply on Plesk.
Not entirely what you want to achieve here,
Use mod_auth_melon (or similarly mod_auth_oidc) to delegate the authentication process from wordpress to the webserver?
What does plesk do in that scenario?
In either case however, there seems to be a conflict between the idea of an external IdP (keycloak) and having a direct login form in the application. The forward to the IdP using OIDC/SAML is the most common integration pattern.
There exists an authentication flow in keycloak (Direct Grant) Securing Applications and Services Guide which wordpress then would have to implement. But the list of disadvantages for this flow from the keycloak perspective is lenghty. Not sure anyone bothered to implement a wordpress auth plugin to support it.
The object is not to log a person into wordpress, just to create a gateway portal infront of wordpress so authentication is required to view the wordpress site not actually log the person in.
The Flow would be
Wordpress url > Authenticate to keycloak > Access to wordpress.(not login to wordpress)
I have it working but the authentication window goes WordpressURL >Keycloak > Wordpress
Rather than staying on on the wordpress URL I really wanted to just have keycloak held on the same URL this is possible with a reverse proxy but Wordpress on Plesk is very difficult to set up - with that in mind I did set up a separate Standalone VM for the wordpress site with a reverse proxy in front, I am unsure if Nginx or Apache would best suit the application.
I want the session to end once the window closes also which currently it doesn’t.
With the above in mind I was wondering which method would be best.
I have set up TOTP so a user is asked to set up a TOTP first.
So authentication is
User name (email)
Password (From keycloak)
TOTP
I see that using any password is frowned upon so possibly this should change so after first login
just email
TOTP
should be used
or maybe non initially accessing the site just an email filed is presented and then an email is sent to set up TOTP so no passwords are used.
I have keycloak set up as standalone on Ubuntu (not docker) with mysql.
The keycloak server has an nginx reverse proxy in front to handle ssl etc and the certificates etc with FQDN are all good the server is workin gperfectly.
Indise or LAN the web server can contact Keycloak over http using its internal LAN address, from outside only https and FQDN are useable.
Oh. So general authentication. I’ve used mod_auth_oidc in the past for apache. Depending on the application that has a couple of implications (cookies, piling up, sessions timing out, while writing something in a form causing the form-submit to fail, …
Not sure how saml performs here, oidc kindof assumes short-lived renewable tokens.
Regarding the general login flow. I don’t want to say “you are not holding it correctly”, however, the thing you want to achieve and an external IdP such as keycloak don’t mix that well. OIDC and SAML both assume a trusted third party to handle the authentication and just trust their response. That however requires the forward to the IdP, unless you want to hack your own custom direct grant flow directly into the app.
Regarding passwordless login, there are possibilites on how to to configure the login-flows to only require otp or passwordless webauthn. No idea if that could be paired with a direct grant flow.
Before tackling that I’d first reconsider if you can live with the implications of saml/oidc or keycloak just doesn’t fit your usecase.