Trying to understand access token use

Hello,
I’m using Keycloak (19.0.1-legacy) to secure several apps behind Traefik Proxy with traefik-forward-auth handling the OIDC SSO. This works well for user interactive logins. I can login to any one of my apps and the other apps are then also authenticated.

My trouble comes from trying to create a monitor (using NodeRed) to check a few web pages - basically to logon, request a page and report on the status code and response time.

I can use Postman to request an Access Token and then send a request to my app with the Bearer token, but it always redirects to the Keycloak login page.

user-interactive
http GET request app → redirect to keycloak login page → authentication → redirect back to app.

monitor
request access-token with six month expiry
http GET request app with bearer: access-token → redirect to keycloak to confirm valid token → redirect back to app. (does not work).


  • Is this the right concept for authenticating non-interactively?
  • Does the web app need to be changed in any way (I’m using a simple test app https://hub.docker.com/r/containous/whoami)?
  • Does Keycloak need additional settings to accept the bearer token?
  • Do I need to set additional cookies?

Sorry for all the questions - I’ve been picking at this on and off for months, but still unsure where I need to focus my efforts.

Hi,

Traefik proxy should be able to validate incoming tokens on its own (using the realm public cert), without any redirection to Keycloak for validation.

Even better would be not to use such long-lived tokens. For system-to-system communication, an app should use the client credentials flow to get a token which has an hour (or so) expiration time.

For B-to-B you can also use the ‘service accounts’ mode, avoiding the client credential grants.
On the client (confidential) you activate ‘Service account Enabled’, and then limit this service account’s scopes using both the new ‘service account roles’ tab and the ‘scope’ tab (access rights are defined by the combination of these).

Log in with a POST on realms/<your realm>/protocol/openid-connect/token, grant_type=client_credentials, and for the credentials use the client’s client_id and client_secret (so no ‘real’ user and password is required). Keycloak will respond with an access token (with a short or medium lifetime, I agree). No refresh token in the response, only this access token. Just check that the access token is still valid, and when it’s not valid anymore, re-ask for a new one.
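A worked version of the monitor from the question using the client-credentials grant described in the reply above: this is an added example, not code from anyone in the thread. The Keycloak hostname, realm name and client name are assumptions; the `/auth` prefix applies to the legacy (WildFly) distribution the question mentions, and the token's `exp` claim is read only to schedule the next request, while signature validation stays with the proxy.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed values: legacy (WildFly) Keycloak keeps the /auth prefix; realm name is made up.
KEYCLOAK_BASE = "https://keycloak.example.test/auth"
REALM = "monitoring"
TOKEN_URL = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def fetch_token(client_id, client_secret, token_url=TOKEN_URL):
    """Client-credentials grant: POST form data to the realm token endpoint.
    No refresh token comes back, so the caller simply re-asks when the token expires."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def jwt_exp(token):
    """Read the 'exp' claim from the JWT payload (base64url, padding stripped).
    This does NOT verify the signature; it only decides when to re-request."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]


class TokenCache:
    """Keeps one access token and re-fetches it shortly before 'exp'."""

    def __init__(self, fetch, skew=30):
        self._fetch, self._skew, self._token, self._exp = fetch, skew, None, 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._exp - self._skew:
            self._token = self._fetch()          # e.g. lambda: fetch_token(ID, SECRET)
            self._exp = jwt_exp(self._token)
        return self._token


def probe(url, cache, opener=urllib.request.urlopen):
    """GET the app with a Bearer token; return (status code, response time in seconds)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {cache.get()}"})
    start = time.monotonic()
    with opener(req, timeout=10) as resp:
        return resp.status, time.monotonic() - start


def _demo_token(exp):
    """Constructed, unsigned sample JWT for offline demonstration only (not from Keycloak)."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'exp': exp, 'azp': 'monitor'})}.sig"
```

In NodeRed the same logic fits a function node: keep the token in flow context, compare `exp` against the current time, and call the token endpoint again only when the cached token is about to expire.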
