ibuetler / docker-keycloak-traefik-workshop

Docker with Keycloak and Traefik Workshop
243 stars 43 forks

Get user/realm after successful login #10

Closed HedgeShot closed 4 years ago

HedgeShot commented 5 years ago

Hi,

Thanks for this tutorial! I successfully set up Keycloak behind Traefik to serve a Flask webapp. I am really not familiar with third-party authentication and can't figure out how my Flask webapp could get the user(name)/realm once a user has successfully logged in. Any idea?

Thanks again

HedgeShot commented 5 years ago

Never mind, everything is in the cookie.

andersonDadario commented 4 years ago

It's also available under the headers authorization and x-auth-token. The standard would be to use the authorization header.

Here is the list of all headers sent from Keycloak Gatekeeper to my backend application after a successful authentication:

{
    "host": "localhost:8080",
    "user-agent": "Firefox",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-language": "en-US,en;q=0.5",
    "authorization": "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOHI4bmtvUUlJaDRpcURNdkhSUGpxN0hjbUJlSkJGQkxXWUt6aGFVWGdrIn0.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.OkqV7LaxhXEU8oGzS9gZb-K-k7abhl6UlMbuWbauRlrjz8PlHWzcbj2l4fJ4LR2_BZSxpoZXdCriIS7OfIvwk7TBEvKwZwbyaDA2b2fdjq9G3EwHyXP4VULEVfDvadAUyx2MVjOTr1H2kgk-XHjv6k0ef44O5XV_fJ_fXyFQRqEbDVVCg0WEeDteFEz3Q2VOsbN4vGOAIn_Mm7fND9wOrdBiZNZl9K1vQ4V-EQ2K7l6t9S-H_Vo3tJc8PwN1Ow6I1_XBrDXxcNKQ7l8Lkr3tNXxLKdV8BN2hz5n_ae-SZeZ4nmkE54D1d-xlkxsHPBwxOp98qtJa9kz2xrkXJMZNHg",
    "cache-control": "max-age=0",
    "cookie": "io=OPL5rwXBVmpy6u8nAAAD; request_uri=Lw==; OAuth_Token_Request_State=df7236ae-f37d-4eba-b038-82024d2b2100; kc-access=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOHI4bmtvUUlJaDRpcURNdkhSUGpxN0hjbUJlSkJGQkxXWUt6aGFVWGdrIn0.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.OkqV7LaxhXEU8oGzS9gZb-K-k7abhl6UlMbuWbauRlrjz8PlHWzcbj2l4fJ4LR2_BZSxpoZXdCriIS7OfIvwk7TBEvKwZwbyaDA2b2fdjq9G3EwHyXP4VULEVfDvadAUyx2MVjOTr1H2kgk-XHjv6k0ef44O5XV_fJ_fXyFQRqEbDVVCg0WEeDteFEz3Q2VOsbN4vGOAIn_Mm7fND9wOrdBiZNZl9K1vQ4V-EQ2K7l6t9S-H_Vo3tJc8PwN1Ow6I1_XBrDXxcNKQ7l8Lkr3tNXxLKdV8BN2hz5n_ae-SZeZ4nmkE54D1d-xlkxsHPBwxOp98qtJa9kz2xrkXJMZNHg; kc-state=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",
    "dnt": "1",
    "upgrade-insecure-requests": "1",
    "x-auth-audience": "api,master-realm,account",
    "x-auth-email": "",
    "x-auth-expiresin": "2020-04-12 13:28:44 +0000 UTC",
    "x-auth-groups": "",
    "x-auth-roles": "create-realm,offline_access,admin,uma_authorization,master-realm:view-realm,master-realm:view-identity-providers,master-realm:manage-identity-providers,master-realm:impersonation,master-realm:create-client,master-realm:manage-users,master-realm:query-realms,master-realm:view-authorization,master-realm:query-clients,master-realm:query-users,master-realm:manage-events,master-realm:manage-realm,master-realm:view-events,master-realm:view-users,master-realm:view-clients,master-realm:manage-authorization,master-realm:manage-clients,master-realm:query-groups,account:manage-account,account:manage-account-links,account:view-profile",
    "x-auth-subject": "7c74da26-aaa9-4eb6-9732-96fff581f75b",
    "x-auth-token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOHI4bmtvUUlJaDRpcURNdkhSUGpxN0hjbUJlSkJGQkxXWUt6aGFVWGdrIn0.eyJleHAiOjE1ODY2OTgxMjQsImlhdCI6MTU4NjY5ODA2NCwiYXV0aF90aW1lIjoxNTg2Njk3NDIyLCJqdGkiOiJiOWQxNGQyOC04NTk0LTRmNjktODkxYi0yNGIwOGVjNDI1NzciLCJpc3MiOiJodHRwOi8vZW5kaW5nLWlhbS1zdmM6OTAwMC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOlsiYXBpIiwibWFzdGVyLXJlYWxtIiwiYWNjb3VudCJdLCJzdWIiOiI3Yzc0ZGEyNi1hYWE5LTRlYjYtOTczMi05NmZmZjU4MWY3NWIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcGkiLCJzZXNzaW9uX3N0YXRlIjoiYmY3NTA4NTgtYzliNS00YjljLWE0NGYtYTdlNDVmMjI5ZjFhIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwOi8vMTI3LjAuMC4xOjgwODAiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImNyZWF0ZS1yZWFsbSIsIm9mZmxpbmVfYWNjZXNzIiwiYWRtaW4iLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im1hc3Rlci1yZWFsbSI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsImNyZWF0ZS1jbGllbnQiLCJtYW5hZ2UtdXNlcnMiLCJxdWVyeS1yZWFsbXMiLCJ2aWV3LWF1dGhvcml6YXRpb24iLCJxdWVyeS1jbGllbnRzIiwicXVlcnktdXNlcnMiLCJtYW5hZ2UtZXZlbnRzIiwibWFuYWdlLXJlYWxtIiwidmlldy1ldmVudHMiLCJ2aWV3LXVzZXJzIiwidmlldy1jbGllbnRzIiwibWFuYWdlLWF1dGhvcml6YXRpb24iLCJtYW5hZ2UtY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.OkqV7LaxhXEU8oGzS9gZb-K-k7abhl6UlMbuWbauRlrjz8PlHWzcbj2l4fJ4LR2_BZSxpoZXdCriIS7OfIvwk7TBEvKwZwbyaDA2b2fdjq9G3EwHyXP4VULEVfDvadAUyx2MVjOTr1H2kgk-XHjv6k0ef44O5XV_fJ_fXyFQRqEbDVVCg0WEeDteFEz3Q2VOsbN4vGOAIn_Mm7fND9wOrdBiZNZl9K1vQ4V-EQ2K7l6t9S-H_Vo3tJc8PwN1Ow6I1_XBrDXxcNKQ7l8Lkr3tNXxLKdV8BN2hz5n_ae-SZeZ4nmkE54D1d-xlkxsHPBwxOp98qtJa9kz2xrkXJMZNHg",
    "x-auth-userid": "admin",
    "x-auth-username": "admin",
    "accept-encoding": "gzip",
    "x-forwarded-proto": "",
    "x-forwarded-host": "127.0.0.1:8080"
}

Don't forget to validate the JWT in the backend app, if you don't have network isolation, that is. Otherwise, other components could make direct requests to your backend app, bypassing the Keycloak Agent.

The key to verify the JWT signature can be found at http://<keycloak-addr>/auth/realms/<realmName>/protocol/openid-connect/certs. This URL is listed in the OpenID Connect endpoint configuration in Keycloak, under Realm Settings -> Endpoints.

If you copy the first key from the list at the link above and paste it into https://jwt.io, you should see that the signature of the JWT matches.

Key example:

{"kid":"18r8nkoQIIh4iqDMvHRPjq7HcmBeJBFBLWYKzhaUXgk","kty":"RSA","alg":"RS256","use":"sig","n":"gpEai8dNcLFkiWGkYrc8oJa_tfmvKELcAI0P94b368tSs58VUIF1y3dNQNPeklaqmk6qoJ9yuip-3geW67PVdGvL11ZgFs4OI-r0YgwOsolNAjuaEQwcnVf09C9C1dW9c4mbirdJNeWy5SoDjF_0Hfvl97Z3h1T09YA1NYcgRHYRocD3SRSpjJgB3STb_8U_NU6BqV5fqwgStJFNU7YhL6dnOJVhgIuupdY0ndXrk7O2ekd44TwvtfIGwTnsqPySJJtcYlJPgjM5q8ryG4FKetfT0e5n-wHBwKC7NFU3paAC1HXDudaFJZhw0UwdKlgiNwSxg_E8yOV_oJoKhtNrNQ","e":"AQAB","x5c":["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"],"x5t":"ALEANTFv6JCq0iJE3c9PiOIXA0U","x5t#S256":"B1mXf7bOh_IkIocUNyoiq8jCEeUfQdrEhIovOgpmT4c"}
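Added example (not part of this issue or of the workshop repository): the backend-side validation the comment above asks for, written in Python because the original poster's backend is a Flask app. It verifies a token shaped like the one in the headers above (RS256, `kid` in the header, `iss` of `http://ending-iam-svc:9000/auth/realms/master`, an `aud` list containing `api`, a `preferred_username` claim) against a JWKS document of the same shape as the key example, using only the standard library, and then returns the username and the realm, taken from the last path element of `iss`. In production the JWKS comes from the certs URL and is cached; here a toy 512-bit key pair is generated locally and a token signed with it so the script runs offline. The key size, the `ISSUER` constant, the function names and the constructed claims are assumptions of this example, not something the thread or Keycloak prescribes.

```python
"""Added example, not this repository's code: verify a Keycloak RS256 JWT against
the realm JWKS using only the standard library, then read the user and realm."""
from __future__ import annotations
import base64, hashlib, json, secrets, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
ISSUER = "http://ending-iam-svc:9000/auth/realms/master"  # the iss of the token above

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v1_5(msg: bytes, em_len: int) -> int:
    # EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as the integer RSA operates on
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t, "big")

def verify_keycloak_jwt(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Check alg, signature (kid -> JWK from the certs endpoint), iss, aud and exp."""
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin it; never let the token pick "none" or HS256
        raise ValueError("unexpected alg %r" % header.get("alg"))
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")
                and k.get("kty") == "RSA" and k.get("use", "sig") == "sig"), None)
    if jwk is None:
        raise ValueError("no signing key for kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(jwk[k]), "big") for k in ("n", "e"))
    em_len, sig = (n.bit_length() + 7) // 8, b64url_decode(s_b64)
    expected = emsa_pkcs1_v1_5(f"{h_b64}.{p_b64}".encode(), em_len)
    if len(sig) != em_len or pow(int.from_bytes(sig, "big"), e, n) != expected:
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))  # only now is the payload trustworthy
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired or has no exp")
    return claims

def identity_from_claims(claims: dict) -> tuple[str, str]:
    """(username, realm): Keycloak's iss ends in /auth/realms/<realm>."""
    return claims["preferred_username"], claims["iss"].rstrip("/").rsplit("/", 1)[-1]

# --- Constructed fixture: toy RSA key and a locally signed token, so this runs offline ---
def _random_prime(bits: int) -> int:
    while True:  # Miller-Rabin with 24 random bases; plenty for a demo key
        n = secrets.randbits(bits) | 1 << (bits - 1) | 1
        r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == d * 2**r, d odd
        d = (n - 1) >> r
        for _ in range(24):
            x = pow(secrets.randbelow(n - 3) + 2, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = x * x % n
                if x == n - 1:
                    break
            else:
                break  # witness found: composite, try the next candidate
        else:
            return n

def make_toy_jwks(bits: int = 512):  # toy key, demo only; Keycloak realm keys are 2048-bit
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    kid = b64url_encode(secrets.token_bytes(8))
    jwks = {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}
    return jwks, kid, n, d

def sign_rs256(claims: dict, kid: str, n: int, d: int) -> str:
    """header.payload.signature as Keycloak emits it (RS256, kid in the header)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    signing_input = f"{header}.{b64url_encode(json.dumps(claims).encode())}"
    em_len = (n.bit_length() + 7) // 8
    s = pow(emsa_pkcs1_v1_5(signing_input.encode(), em_len), d, n)
    return f"{signing_input}.{b64url_encode(s.to_bytes(em_len, 'big'))}"

def demo() -> tuple[str, str]:
    """Sign a token shaped like the one above, verify it, return (username, realm)."""
    jwks, kid, n, d = make_toy_jwks()
    claims = {"iss": ISSUER, "aud": ["api", "master-realm", "account"], "azp": "api",
              "preferred_username": "admin", "exp": int(time.time()) + 60}
    return identity_from_claims(verify_keycloak_jwt(sign_rs256(claims, kid, n, d), jwks, ISSUER, "api"))
```

In a Flask view you would take the token from the `Authorization` header (after `Bearer `), call `verify_keycloak_jwt` with the cached JWKS, and only then trust `preferred_username`; the `x-auth-*` headers are convenient, but anything that can reach the backend without passing through Gatekeeper can set them, which is exactly the bypass the comment warns about. The key is selected by `kid` rather than by position (the first key in the list happens to be the right one above because its `kid` equals the one in the token header), the algorithm is pinned to RS256 so a token claiming `alg: none` or an HMAC algorithm is refused before any key is looked at, and a payload edited after signing fails the signature check, so the claims the backend acts on are the ones Keycloak issued. Verifying locally like this also avoids pasting production tokens into a third-party site.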