Requesting to re-authenticate with Keycloak

[ayian2004]

Dear @AFaust I have successfully (???) installed and configured your Alfresco-Keycloak add-on in order to support integration with Keycloak Identity service.

However, I have the following situation: We have implemented a web-desktop application (https://qlack.com/webdesktop), that simulates a virtual desktop environment in one single browser window and allows multiple web applications to be integrated under the same environment. The web-desktop application is integrated with Keycloak/SSO in order to handle the authentication and authorization steps for the integrated applications.

After successfully logging in to our web-desktop application the user is presented with a list of applications, one of them being the Alfresco application. However, the user is prompted to re-enter his/hers SSO credentials.

Is there a way/configuration that would allow the Alfresco Share application to be accessed without the user having to re-enter his/hers credentials, since he/she are already authenticated? So what I want is to skip the above screen, since the user is already authenticated and simply navigate to this screen.

Thank you

[AFaust]

From the screenshot of the Share login form I doubt that the Keycloak module is configured correctly - it may be installed, but the login screen does not include the expected extra login button to use Keycloak for authentication. Please check the WIP documentation - simple configuration for a reference to the latest release candidate version. There you will also find the necessary configuration (force-keycloak-sso) to have Share force a redirect to Keycloak to avoid the separate login when the user is already authenticated there.

[ayian2004]

Hi @AFaust I have "followed" the instructions and the following was done:

1. Enabled the Token Exchange Feature by creating in my Keycloak docker instance the following file /opt/jboss/keycloak/standalone/configuration/profile.properties with a single entry: feature.token_exchange=enabled

2. Created new realm, named alfresco and inside two clients for Repository and Share ( Alfresco-Keycloak-Clients.zip ). However, I cannot define an authorisation policy on the pre-existing client realm-management, as I cannot find an "Authorization" tab. see below:

3. Enabled the Keycloak authentication subsystem in the alfresco-global.properties ( alfresco-global.zip )

4. Updated the /shared/classes/alfresco/web-extension/share-config-custom.xml share-config-custom.zip

5. I have restarted all involved containers.... and now I can see the missing "Login via SSO" button

However, when I click I get an invalid redirect uri as you can see: https://foresight.eurodyn.com/auth/realms/alfresco/protocol/openid-connect/auth?response_type=code&client_id=Alfresco-Share&redirect_uri=http%3A%2F%2Fforesight-server.eurodyn.com%3A8080%2Fshare%2Fpage&state=0561f0c6-a6f8-4a7e-8e35-864c012b137c&login=true&scope=openid

for some reason the redirect_uri as you can see is set to: http://foresight-server.eurodyn.com:8080/share/page

What am I doing now wrong?

Thanks for the help

[AFaust]

Note:

• direct auth host is not necessary to be specified if the protocol + host + port is exactly the same as in the auth server URL - it is only necessary when there is some form of NAT / DNS mapping involved
• the incorrect Share redirect looks to me like the result of an incorrect / incomplete proxy setup - unfortunately, quite a few examples you find on this on the net are incomplete, often lacking in handling the X-Forwarded-Proto or X-Forwarded-Port headers, and not setting a proxy port in Tomcat
• What version of Keycloak are you using and are you a full administrator? Your Client config for realm-management is missing quite a few elements I would expect to be there. See the following for reference from a relatively current Keycloak install (11.x)

Maybe the "bearer-only" is an important setting here - I have never used that access type in Keycloak before/yet.

[ayian2004]

Hi @AFaust

• I have removed the \<directAuthHost>
• Regarding the VM hosting Alfresco it is not publicly exposed. Instead I use a reverse proxy (nginx) on a machine that is exposed and it includes the following entries app.zip
• I am using Keycloak jboss/keycloak:11.0.3 and I am full admin
• Regarding the realm-management client what I've shown was the default from Keycloak when I created the new Alfresco realm. Is it possible to send me an exported realm-management client?

[AFaust]

The project already contains minimal realm exports, e.g. as part of Share's Docker setup

[ayian2004]

Hi @AFaust I have updated the realm-management client and created 2 new clients namely, alfresco and alfresco-share as per your instructions. However, I cannot create the realm-management client with Access Type set to "bearer-only", as this will disable all other configuration tabs, namely "Authorization" and "Service Account Roles" that are needed in order to configure the authorisation policy, as indicated in your instructions. Am I doing something wrong?

I am also attaching my complete master realm settings realm-export.zip.

[AFaust]

By choosing "bearer-only" you are removing / disabling the ability for Keycloak to authenticate the client, so it cannot have a "service account role" for that client because the client cannot login with that role. Subsequently, without a secure authentication, authorisation also goes out of the window, along with any functionalities that are based on that - either Keycloak-internally or for other clients. It would technically still be possible to have an integration without token exchange by using the same client for both Repository and Share, and disabling token exchange via the share-config-custom.xml config for the module. I generally don't test that as much as I consider it to be a hacky / incomplete integration - in fact it is how Alfresco's own Identity Management Service integration works, which is the only reason I included that option for a bit easier switch from AIMS to my module.

[ayian2004]

Regarding the the incorrect Share you suggested an incorrect / incomplete proxy setup on alfresco-share server.xml file. I have updated the file and now I am re-directed correctly. However, after login I get: ERROR [keycloak.adapters.OAuthRequestAuthenticator] [catalina-exec-2] failed to turn code into token javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:113) at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:577) at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:571) at de.acosix.alfresco.keycloak.deps.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:119) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554) at de.acosix.alfresco.keycloak.deps.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:114) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at de.acosix.alfresco.keycloak.deps.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111) at de.acosix.alfresco.keycloak.deps.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:335) at de.acosix.alfresco.keycloak.deps.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280) at de.acosix.alfresco.keycloak.deps.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:138) at de.acosix.alfresco.keycloak.share.web.KeycloakAuthenticationFilter.processFilterAuthentication(KeycloakAuthenticationFilter.java:717) at de.acosix.alfresco.keycloak.share.web.KeycloakAuthenticationFilter.processKeycloakAuthenticationAndActions(KeycloakAuthenticationFilter.java:615) at de.acosix.alfresco.keycloak.share.web.KeycloakAuthenticationFilter.doFilter(KeycloakAuthenticationFilter.java:488) at org.springframework.extensions.webscripts.servlet.BeanProxyFilter.doFilter(BeanProxyFilter.java:80) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:81) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:834) 2021-05-13 10:09:51,717 WARN [share.web.KeycloakAuthenticationFilter] [catalina-exec-2] Keycloak authentication failed due to

[AFaust]

This error is due to the fact that you probably have a self-signed server certificate for SSL or are using a CA that is not in the default trusted CA set of the JVM. You have various options to deal with this:

• use directAuthHost configuration to have Share / ACS go directly to the Keycloak host via HTTP without going through the proxy (via auth-server-url)
• ensure the CA for your server certificate is added to the cacerts trust store or use a custom truststore via the relevant JVM -D flag(s)
• configure the Keycloak adapter with a custom truststore (potentially preferable to the global JVM truststore as it reduces chance of unforseen side effects) by configuring the truststore (path) and truststore-password properties (in the same way / place as the auth-server-url one)

[ayian2004]

Thank you @AFaust together with the comments from #12 I've managed to successfully authenticate via SSO/Keycloak.