Closed: HedgeShot closed this issue 4 years ago
Never mind, everything is in the cookie.
It's also available under the headers `authorization` and `x-auth-token`. The standard would be to use the `authorization` header.
Here is the list of all headers sent from Keycloak Gate Keeper to my backend application after a successful authentication:
{
"host": "localhost:8080",
"user-agent": "Firefox",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"accept-language": "en-US,en;q=0.5",
"authorization": "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOHI4bmtvUUlJaDRpcURNdkhSUGpxN0hjbUJlSkJGQkxXWUt6aGFVWGdrIn0.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.OkqV7LaxhXEU8oGzS9gZb-K-k7abhl6UlMbuWbauRlrjz8PlHWzcbj2l4fJ4LR2_BZSxpoZXdCriIS7OfIvwk7TBEvKwZwbyaDA2b2fdjq9G3EwHyXP4VULEVfDvadAUyx2MVjOTr1H2kgk-XHjv6k0ef44O5XV_fJ_fXyFQRqEbDVVCg0WEeDteFEz3Q2VOsbN4vGOAIn_Mm7fND9wOrdBiZNZl9K1vQ4V-EQ2K7l6t9S-H_Vo3tJc8PwN1Ow6I1_XBrDXxcNKQ7l8Lkr3tNXxLKdV8BN2hz5n_ae-SZeZ4nmkE54D1d-xlkxsHPBwxOp98qtJa9kz2xrkXJMZNHg",
"cache-control": "max-age=0",
"cookie": "io=OPL5rwXBVmpy6u8nAAAD; request_uri=Lw==; OAuth_Token_Request_State=df7236ae-f37d-4eba-b038-82024d2b2100; kc-access=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOHI4bmtvUUlJaDRpcURNdkhSUGpxN0hjbUJlSkJGQkxXWUt6aGFVWGdrIn0.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.OkqV7LaxhXEU8oGzS9gZb-K-k7abhl6UlMbuWbauRlrjz8PlHWzcbj2l4fJ4LR2_BZSxpoZXdCriIS7OfIvwk7TBEvKwZwbyaDA2b2fdjq9G3EwHyXP4VULEVfDvadAUyx2MVjOTr1H2kgk-XHjv6k0ef44O5XV_fJ_fXyFQRqEbDVVCg0WEeDteFEz3Q2VOsbN4vGOAIn_Mm7fND9wOrdBiZNZl9K1vQ4V-EQ2K7l6t9S-H_Vo3tJc8PwN1Ow6I1_XBrDXxcNKQ7l8Lkr3tNXxLKdV8BN2hz5n_ae-SZeZ4nmkE54D1d-xlkxsHPBwxOp98qtJa9kz2xrkXJMZNHg; kc-state=bAAI9NWalX7aEpadLbFq24SEVqnvcuqW7DPYAQxLmW7LonFOL4I9h9QH4RqPOD3q72PpFGLBcFr4HRtSHBKsaYzvbWOYLZF5dW0jFR6BbkGMPh7SXwzYN3Ns7vtRtFitPKZVy1TcSgoa/qIumsOCycp5QZZfuyCvC9YvmwAJNXcAJ7qWNr7uaZcV7GiuAKWqcOYGB4hVQLazmaERTqDorMiCuAAFMvEPCrE9UcTyrzSJevy49fHrOa1fKp9RpX0gMzQYty+FJ2eN2V22h5Rgj4kIGepRo7vt8v1XyQ41zEcbFPwL8XngZ2YYlsY4hs9cbOD9ZmPZ/jYT3LZP70F3o+Rkp/P/hM26954I3iO9+nIlwlKF1kHe+kJnrKB4trV316lCRppM2AqivowQoIrNlNn19UuhMKT295PXg/qAuE2uSHq7f/3xZmPtdM6+4EO1zWpeD2diacXJk0FqeetNyg0EFOZZRsMaaiMeZ06y8CtCNBxGucKR94SyalDpndHT5FmI3Lt0iCF8RKN50cGVqWgmZB/ZUy3p66MA3jIvOVkyY3x5BD50f1DU/BZm9ozvsdChWIDSBVaWhO5heXYMJZ8YKD2DRTeehRJzNqSQUhCVrml/IXHlz84xuQ3JIu888X09rYaSP20YSeQp+lzODOhawIhMgnxCbDd5ZWrFTMvPU8TQvH6R2qdydcHKostLATFTG//+xcWIiOiuPcSZoEjkoXfVGuV/HwDt/plN8Bgh5h1DPE5uqoD5fuF/191mi+XtF92PO/ML0IC7oQNCDzMV2YQlWpqLyTgdHNuQsKfuFR/FsmNOWG1cXIfslaoav+os00x4U84vunYlemU",
"dnt": "1",
"upgrade-insecure-requests": "1",
"x-auth-audience": "api,master-realm,account",
"x-auth-email": "",
"x-auth-expiresin": "2020-04-12 13:28:44 +0000 UTC",
"x-auth-groups": "",
"x-auth-roles": "create-realm,offline_access,admin,uma_authorization,master-realm:view-realm,master-realm:view-identity-providers,master-realm:manage-identity-providers,master-realm:impersonation,master-realm:create-client,master-realm:manage-users,master-realm:query-realms,master-realm:view-authorization,master-realm:query-clients,master-realm:query-users,master-realm:manage-events,master-realm:manage-realm,master-realm:view-events,master-realm:view-users,master-realm:view-clients,master-realm:manage-authorization,master-realm:manage-clients,master-realm:query-groups,account:manage-account,account:manage-account-links,account:view-profile",
"x-auth-subject": "7c74da26-aaa9-4eb6-9732-96fff581f75b",
"x-auth-token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOHI4bmtvUUlJaDRpcURNdkhSUGpxN0hjbUJlSkJGQkxXWUt6aGFVWGdrIn0.eyJleHAiOjE1ODY2OTgxMjQsImlhdCI6MTU4NjY5ODA2NCwiYXV0aF90aW1lIjoxNTg2Njk3NDIyLCJqdGkiOiJiOWQxNGQyOC04NTk0LTRmNjktODkxYi0yNGIwOGVjNDI1NzciLCJpc3MiOiJodHRwOi8vZW5kaW5nLWlhbS1zdmM6OTAwMC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOlsiYXBpIiwibWFzdGVyLXJlYWxtIiwiYWNjb3VudCJdLCJzdWIiOiI3Yzc0ZGEyNi1hYWE5LTRlYjYtOTczMi05NmZmZjU4MWY3NWIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcGkiLCJzZXNzaW9uX3N0YXRlIjoiYmY3NTA4NTgtYzliNS00YjljLWE0NGYtYTdlNDVmMjI5ZjFhIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwOi8vMTI3LjAuMC4xOjgwODAiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImNyZWF0ZS1yZWFsbSIsIm9mZmxpbmVfYWNjZXNzIiwiYWRtaW4iLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im1hc3Rlci1yZWFsbSI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsImNyZWF0ZS1jbGllbnQiLCJtYW5hZ2UtdXNlcnMiLCJxdWVyeS1yZWFsbXMiLCJ2aWV3LWF1dGhvcml6YXRpb24iLCJxdWVyeS1jbGllbnRzIiwicXVlcnktdXNlcnMiLCJtYW5hZ2UtZXZlbnRzIiwibWFuYWdlLXJlYWxtIiwidmlldy1ldmVudHMiLCJ2aWV3LXVzZXJzIiwidmlldy1jbGllbnRzIiwibWFuYWdlLWF1dGhvcml6YXRpb24iLCJtYW5hZ2UtY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.OkqV7LaxhXEU8oGzS9gZb-K-k7abhl6UlMbuWbauRlrjz8PlHWzcbj2l4fJ4LR2_BZSxpoZXdCriIS7OfIvwk7TBEvKwZwbyaDA2b2fdjq9G3EwHyXP4VULEVfDvadAUyx2MVjOTr1H2kgk-XHjv6k0ef44O5XV_fJ_fXyFQRqEbDVVCg0WEeDteFEz3Q2VOsbN4vGOAIn_Mm7fND9wOrdBiZNZl9K1vQ4V-EQ2K7l6t9S-H_Vo3tJc8PwN1Ow6I1_XBrDXxcNKQ7l8Lkr3tNXxLKdV8BN2hz5n_ae-SZeZ4nmkE54D1d-xlkxsHPBwxOp98qtJa9kz2xrkXJMZNHg",
"x-auth-userid": "admin",
"x-auth-username": "admin",
"accept-encoding": "gzip",
"x-forwarded-proto": "",
"x-forwarded-host": "127.0.0.1:8080"
}
Don't forget to validate the JWT in the backend app, if you don't have network isolation, that is. Otherwise other components could make direct requests to your backend app, bypassing the Keycloak Agent.
The key to verify the signature of the JWT can be found at http://<keycloak-addr>/auth/realms/<realmName>/protocol/openid-connect/certs. This URL is listed under the OpenID Connect endpoint in Keycloak, in Realm Settings -> Endpoints.
If you copy the first key from the list available at the link above and paste it into https://jwt.io, you should see that the signature of the JWT matches.
Key example:
{"kid":"18r8nkoQIIh4iqDMvHRPjq7HcmBeJBFBLWYKzhaUXgk","kty":"RSA","alg":"RS256","use":"sig","n":"gpEai8dNcLFkiWGkYrc8oJa_tfmvKELcAI0P94b368tSs58VUIF1y3dNQNPeklaqmk6qoJ9yuip-3geW67PVdGvL11ZgFs4OI-r0YgwOsolNAjuaEQwcnVf09C9C1dW9c4mbirdJNeWy5SoDjF_0Hfvl97Z3h1T09YA1NYcgRHYRocD3SRSpjJgB3STb_8U_NU6BqV5fqwgStJFNU7YhL6dnOJVhgIuupdY0ndXrk7O2ekd44TwvtfIGwTnsqPySJJtcYlJPgjM5q8ryG4FKetfT0e5n-wHBwKC7NFU3paAC1HXDudaFJZhw0UwdKlgiNwSxg_E8yOV_oJoKhtNrNQ","e":"AQAB","x5c":["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"],"x5t":"ALEANTFv6JCq0iJE3c9PiOIXA0U","x5t#S256":"B1mXf7bOh_IkIocUNyoiq8jCEeUfQdrEhIovOgpmT4c"}
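As an added example (not code from this thread, from Gatekeeper or from Keycloak), here is a stdlib-only Python check a backend can run on the `authorization` header shown above, doing what the comment recommends: look up the token's `kid` in the JWKS served by the certs endpoint, verify the RS256 signature, and only then check `exp`, `iss` and `aud`. The JWKS, the signing key (two Mersenne primes, toy strength), the issuer and the claims are constructed for the demo; in production the JWKS comes from the endpoint named above and the returned claims carry `preferred_username`, the same value Gatekeeper forwards in `x-auth-username`.

```python
import base64, hashlib, json, time

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 9.2

def emsa_pkcs1_v15(msg, k):
    # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes: this is what RS256 signs
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(jwk, signing_input, sig):
    # RSASSA-PKCS1-v1_5 verification using the JWK's base64url-encoded 'n' and 'e'
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    m = pow(int.from_bytes(sig, "big"), e, n)
    return m.to_bytes(k, "big") == emsa_pkcs1_v15(signing_input, k)

def verify_bearer(authorization, jwks, issuer, audience, now=None):
    """Return (claims, None) for a valid token, else (None, reason) for logging."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2: return None, "not a bearer JWT"
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256": return None, "unexpected alg"  # pin alg; never accept none/HS256
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None or not rsa_verify(key, f"{h64}.{p64}".encode(), b64url_decode(s64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p64))  # only read the payload after the signature checks out
    if claims.get("exp", 0) <= (time.time() if now is None else now): return None, "expired"
    if claims.get("iss") != issuer: return None, "wrong issuer"
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]): return None, "wrong audience"
    return claims, None

# Constructed demo signing key built from two Mersenne primes (toy, not Keycloak's realm key)
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
DEMO_JWKS = {"keys": [{"kid": "demo", "kty": "RSA", "alg": "RS256", "use": "sig",
                       "n": b64url_encode(N.to_bytes(K, "big")), "e": "AQAB"}]}

def sign_demo_token(claims, kid="demo"):
    # Mint an RS256 JWT with the demo key, the way Keycloak signs with its realm key
    h64 = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    m = int.from_bytes(emsa_pkcs1_v15(f"{h64}.{p64}".encode(), K), "big")
    return f"{h64}.{p64}." + b64url_encode(pow(m, D, N).to_bytes(K, "big"))
```

A rejected token should be logged with its reason and answered with 401; the forwarded `x-auth-*` headers are convenient, but the verified claims are the authoritative source.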
Hi,
Thanks for this tutorial! I successfully set up Keycloak behind Traefik to serve a Flask webapp. I am really not familiar with 3rd party authentication and can't figure out how my Flask webapp could get the user(name)/realm once a user has successfully logged in. Any idea?
Thanks again