We’re using Keycloak with a number of Atlassian products, using the OIDC plugin from miniOrange.
All seems to work well except that Keycloak always prompts for your username and password when authenticating with one of those products (Bamboo), even if you have authenticated with Keycloak already.
I’ve raised this with miniOrange and they’ve looked at various logs and traces. They believe it is a server configuration issue, although I cannot see any difference between the configuration for the Bamboo client and the other clients, other than the bits that should be different like the client ID.
Keycloak is definitely showing an active session for the Bamboo client and yet still prompts me to reauthenticate.
Does anyone have any suggestions on where I should be looking for the cause of this, or any information/diagnostics that I could provide to miniOrange that would show if it is a bug in their code?
Is it using its own login page, or redirecting to Keycloak for login? If it’s not using the Keycloak login it’s using resource owner credential grants, which does not support SSO. If it is using the Keycloak login page take a look at what params it sends when redirecting to the Keycloak login. There are options to force re-authentication.
Curiously, swapping out the OIDC authentication plugin for Bamboo with a SAML one (from a different developer) has stopped the re-authentication problem. I’m going to try the SAML authentication plugin from miniOrange and, if that works, switch over to SAML instead of OIDC.
I will see if I can spot the parameters sent to Keycloak, but I’m not (yet) sure how to, so that will take some research.
Just to share that I think I’ve found the cause for Keycloak always asking for authentication for one specific client.
The realm we’re using is called LDAP but this client was changing it to lowercase, i.e. to ldap, in the GET URL. Overriding the URL to fix the casing of the realm got Keycloak to handle the authentication without needing to re-enter it.
I’m a little bit surprised about Keycloak’s behaviour though. If a completely inaccurate realm name is provided, Keycloak reports a page not found error. It would seem to me that either Keycloak needs to handle realm names completely case-insensitively or, if Keycloak is going to be case-sensitive, it needs to treat an incorrectly cased realm name in the same way as an invalid realm name.
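Following the earlier suggestion to look at what the plugin sends when it redirects to the Keycloak login endpoint, and the realm-casing cause found at the end of the thread, here is an added Python check (not code from the thread, from miniOrange or from Keycloak) that parses a captured authorization request URL and reports a realm whose casing differs from the expected one as well as any parameters that force a fresh login. The hostname, client ID and redirect URI in the sample URL are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an authorization request to a realm spelled "ldap"
# even though the realm configured in Keycloak is "LDAP".
SAMPLE_URL = (
    "https://sso.example.com/realms/ldap/protocol/openid-connect/auth"
    "?client_id=bamboo&response_type=code&scope=openid&state=abc123"
    "&redirect_uri=https%3A%2F%2Fbamboo.example.com%2Fplugins%2Fservlet%2Foidc%2Fcallback"
)


def check_authz_request(url, expected_realm):
    """Inspect an OIDC authorization request to Keycloak and report why it
    might not reuse an existing SSO session.

    The realm is taken from the path segment after "realms" (works for both
    /realms/... and the older /auth/realms/... layout).  Keycloak realm names
    are case-sensitive, so a realm that differs only by case is flagged
    separately from a completely wrong realm.  Request parameters that
    force re-authentication regardless of an active session (prompt=login,
    max_age=0) are listed as well.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    realm = None
    if "realms" in segments:
        idx = segments.index("realms")
        if idx + 1 < len(segments):
            realm = segments[idx + 1]

    params = parse_qs(parts.query)
    forced = []
    prompt_values = params.get("prompt", [""])[0].split()
    if "login" in prompt_values:
        forced.append("prompt=login")
    if params.get("max_age", [None])[0] == "0":
        forced.append("max_age=0")

    return {
        "realm": realm,
        "realm_matches": realm == expected_realm,
        "realm_differs_only_by_case": (
            realm is not None
            and realm != expected_realm
            and realm.lower() == expected_realm.lower()
        ),
        "forces_reauth": forced,
    }


if __name__ == "__main__":
    print(check_authz_request(SAMPLE_URL, "LDAP"))
```

A `realm_differs_only_by_case` of `True` with an empty `forces_reauth` list matches the symptom in this thread: the session exists, but the request is routed to a realm path Keycloak does not treat as the same realm.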