keycloak no id_token #41

Open
omario36 opened this issue Dec 8, 2022 · 17 comments

Comments

@omario36

omario36 commented Dec 8, 2022

Hello

Using the latest version of keycloak 20.x

My JWT token looks like:

{ "exp": 1670518964, "iat": 1670518904, "auth_time": 1670518904, "jti": "5ec29444-3409-4d6a-8999-c442a1942e0b", "iss": "https://#######/realms/master", "sub": "131d20a2-79d4-40ec-9e65-e4baaa488145", "typ": "Bearer", "azp": "test-caddy", "nonce": "N2giK5dZPbxpgivEMMvE50l0afvGUK00", "session_state": "e755a31c-12bd-4bb6-829a-9afe4cad4772", "scope": "profile email", "sid": "e755a31c-12bd-4bb6-829a-9afe4cad4772", "email_verified": true, "name": "Omar Omari", "groups": [ "authp/admin", "default-roles-master", "authp/user", "authp/guest", "offline_access", "uma_authorization" ], "preferred_username": "oomari", "given_name": "Omar", "family_name": "Omari", "email": "########" }

I have this error:

{"level":"debug","ts":1670518426.718966,"logger":"security","msg":"failed fetching OAuth 2.0 access token from the authorization server","session_id":"L4qZa6GSvpwfxej0lrPgQ0AshlmISYR20O2dm86l","request_id":"e0a6d25f-b162-4ce0-a175-483db6900fdb","error":"authorization server response has no \"id_token\" field"}

@greenpau
Collaborator

greenpau commented Dec 8, 2022

@omario36 , what is the config you are using?

@greenpau
Collaborator

greenpau commented Dec 8, 2022

@omario36, try setting the following in your provider config.

  required_token_fields access_token

@omario36
Author

omario36 commented Dec 9, 2022

{
  admin off
  debug
  http_port 880
  https_port 4443

	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider keycloak {
			driver generic
			realm master
			client_id test-caddy
			client_secret 8KfOcqKQaSxczrM6Y0BqusTJofC4NkHO
			scopes email profile
			required_token_fields access_token
			metadata_url https://auth.internal.XXXX.fr/realms/master/.well-known/openid-configuration

		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify "<key removed from page>"
			enable identity provider keycloak
			cookie domain localhost
			ui {
				links {
					"My Website" https://assetq.localhost:4443/ icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.localhost:4443/
			allow roles authp/admin authp/user
			crypto key verify "<key removed from page>"
		}
	}
}

whoami.localhost:4443 {
  route {
		authenticate with myportal
  }
  reverse_proxy whoami:80
  tls internal
}

auth.localhost:4443 {
	tls internal
	authenticate with myportal
}

assetq.localhost:4443 {
	tls internal
	authorize with mypolicy
	respond "assetq is running"
}

log

@omario36
Author

@greenpau any news, please?
@axi92 can you please share with me your realm export and/or some screenshots, eventually where I have to add the mappers...?
Thanks a lot

@axi92
Contributor

axi92 commented Dec 12, 2022

This is our config, maybe it helps you.
I had the problem that I imported my realm config into keycloak and the keys are not in this export. So you have to regenerate all keys after the import and give the caddy the new key too.

{
	email [email protected]
	#debug

	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id {env.KEYCLOAK_CLIENT_ID}
			client_secret {env.KEYCLOAK_CLIENT_SECRET}
			scopes openid email profile
			#metadata_url https://keycloak.domain.com/auth/realms/master/.well-known/openid-configuration
			metadata_url https://keycloak.domain.com/realms/master/.well-known/openid-configuration
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider keycloak
			cookie domain domain.link
			ui {
				links {
					"alertmanager-03" https://alertmanager-03.domain.link icon "las la-link"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.domain.link/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
		}
		authorization policy apipolicy {
			set token sources header query
			crypto key verify from directory /home/user/sfw-proxy/jwt-public-keys/api
			crypto key token name api_token
			allow roles service
			acl default deny
			validate path acl
		}
		authorization policy monitoring {
			set auth url https://auth.domain.link/
			allow email [email protected]
			crypto key verify {env.JWT_SHARED_KEY}
		}
	}
}
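Added example, not code from this thread or from the caddy-security project: a small Python checker that applies the same "required fields" rule behind the error in the opening post to a token-endpoint response, and decodes the `scope` claim of the access token. The config difference it models is `scopes email profile` in the opening config versus `scopes openid email profile` here. OpenID Connect Core 3.1.2.1 makes the `openid` scope mandatory for an authentication request; without it the request is a plain OAuth 2.0 request and the server does not have to return an ID token, which is consistent with the token in the opening post carrying `"scope": "profile email"`. The issuer, client id and subject values are placeholders, the sample responses and JWTs are constructed for the demo, and the checker does not verify signatures, so it is for reading debug output only.

```python
"""Diagnose a token-endpoint response that lacks an id_token.

Constructed demo data; nothing here is output from the reporter's Keycloak.
Signatures are NOT verified: this is for reading debug logs, never for authorization.
"""
import base64
import json
from typing import Iterable, List

# Fields the relying party insists on. The workaround suggested in the thread,
# `required_token_fields access_token`, amounts to dropping "id_token" from this tuple.
DEFAULT_REQUIRED_FIELDS = ("access_token", "id_token")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_token_response(response: dict, requested_scopes: Iterable[str],
                         required_fields: Iterable[str] = DEFAULT_REQUIRED_FIELDS) -> List[str]:
    """Return the problems a relying party would report; an empty list means acceptable."""
    requested = set(requested_scopes)
    required = tuple(required_fields)
    problems = []
    for field in required:
        if field not in response:
            problems.append(f'authorization server response has no "{field}" field')
    if "id_token" in required and "id_token" not in response and "openid" not in requested:
        problems.append('"openid" scope was not requested, so the request was plain OAuth 2.0 '
                        'and the server did not have to issue an ID token (OIDC Core 3.1.2.1)')
    if "access_token" in response:
        granted = set(jwt_claims(response["access_token"]).get("scope", "").split())
        missing = requested - granted
        if missing:
            problems.append(f"requested scopes not granted by the server: {sorted(missing)}")
    return problems


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed JWT for the demo; the signature segment is a dummy."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.constructed-signature"


ISSUER = "https://keycloak.example/realms/master"  # placeholder issuer, not the reporter's

# Response for `scopes email profile` (no openid): access token only, like the opening post.
SAMPLE_RESPONSE_NO_OPENID = {
    "access_token": make_sample_jwt({"iss": ISSUER, "azp": "test-caddy", "typ": "Bearer",
                                     "scope": "profile email"}),
    "token_type": "Bearer",
    "expires_in": 60,
}

# Response for `scopes openid email profile`: the server also returns an ID token.
SAMPLE_RESPONSE_OPENID = {
    "access_token": make_sample_jwt({"iss": ISSUER, "azp": "test-caddy", "typ": "Bearer",
                                     "scope": "openid profile email"}),
    "id_token": make_sample_jwt({"iss": ISSUER, "aud": "test-caddy", "sub": "constructed-subject"}),
    "token_type": "Bearer",
    "expires_in": 60,
}

if __name__ == "__main__":
    for label, resp, scopes in [
        ("email profile", SAMPLE_RESPONSE_NO_OPENID, ["email", "profile"]),
        ("openid email profile", SAMPLE_RESPONSE_OPENID, ["openid", "email", "profile"]),
    ]:
        print(f"scopes {label}: {check_token_response(resp, scopes) or 'OK'}")
```

Passing `required_fields=("access_token",)` reproduces the `required_token_fields access_token` workaround: the checker then accepts the response without an ID token, at the cost of losing the claims the ID token carries.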

@axi92
Contributor

axi92 commented Dec 12, 2022

@omario36 You got "realm master", we have "realm keycloak". Try to change that?

@omario36
Author

@axi92 ok, I will try to create a new realm "keycloak" and will keep you informed, many thanks

@axi92
Contributor

axi92 commented Dec 12, 2022

I don't think you have to do that, my only realm in my keycloak instance is called "master" but in my caddy config it's working with "realm keycloak". Maybe the caddy plugin does not treat the realm like a "keycloak realm". Instead the whole keycloak is the "realm".

What realm you use is configured by the metadata_url you give to the authp plugin.
See:
image

@omario36
Author

I have these client scopes:
image
and in the email scope I added the groups mapper:
image

Is it the same config you have?

@omario36
Author

@axi92 thank you, now it's OK for the token, I have:
{"level":"info","ts":1670842683.5485365,"logger":"security","msg":"Successful login","session_id":"AX9RwuGA0daWpjY9Ev7h00TVc9VzWDnCkRtIFS9","request_id":"4979ccf2-49ba-4754-aee3-fb0f4f539c08","backend":{"name":"keycloak","realm":"keycloak","method":"oauth"},"user":{"addr":"192.168.96.1","email":"[email protected]","exp":1670846283,"family_name":"Omari","given_name":"Omar","iat":1670842683,"iss":"https://whoami.localhost:4443/oauth2/keycloak/","jti":"AX9RwuGA0daWpjY9Ev7h00TVc9VzWDnCkRtIFS9","name":"Omar Omari","nbf":1670842623000,"origin":"keycloak","realm":"keycloak","roles":["authp/admin","default-roles-master","authp/user","authp/guest","offline_access","uma_authorization"],"sub":"131d20a2-79d4-40ec-9e65-e4baaa488145"}}

But now I have something like an infinite login loop with this test URL:
https://whoami.localhost:4443/*

image

@axi92
Contributor

axi92 commented Dec 12, 2022

The scopes should not matter, as you give every user that comes from keycloak the authp/user

			transform user {
				match origin keycloak
				action add role authp/user
			}

And you allow in your policy:
allow roles authp/admin authp/user
Everybody can access from keycloak.

@axi92
Contributor

axi92 commented Dec 12, 2022

I don't know if this config is valid:

whoami.localhost:4443 {
  route {
		authenticate with myportal
  }	
  reverse_proxy whoami:80
  tls internal
}

You don't need to check the /whoami endpoint, authp denies access to that endpoint if you don't have a valid session. So no need to have that config IMHO.

You should see the Whoami endpoint on the linklist after the login is successful.

@greenpau
Collaborator

don't know if this config is valid:

@omario36, this is not a valid config.

@axi92 , thank you for helping out!

@omario36
Author

@axi92 sorry, but here whoami is the service that I want to secure by keycloak oauth.
To clarify the situation: I have a whoami docker service running on the same network as caddy,
so to expose it, I have to do something like that: whoami.localhost:4443 { tls internal reverse_proxy whoami:80 authenticate with myportal }

The new config is:

{
  admin off
  debug
  http_port 880
  https_port 4443

	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id test-caddy
			client_secret 8KfOcqKQaSxczrM6Y0BqusTJofC4NkHO
			scopes openid email profile
			#required_token_fields access_token
			metadata_url https://auth.domain.tld/realms/master/.well-known/openid-configuration

		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify "qwerty"
			enable identity provider keycloak
			cookie domain localhost
			ui {
				links {
					"whoami" https://whoami.localhost:4443/  icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}

			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.domain.tld/
			allow roles authp/admin authp/user
			crypto key verify "qwerty"
		}
		authorization policy monitoring {
			set auth url https://auth.domain.tld/
			allow email [email protected]
			crypto key verify "qwerty"
		}
	}
}

whoami.localhost:4443 {
   tls internal
   reverse_proxy whoami:80
   authenticate with myportal
}

log

Thanks for your support, I really need to secure for example this whoami or another service proxied by the caddy.

@omario36
Author

Maybe because the domain of my keycloak auth and the whoami service is different? So the AUTHP_SESSION_ID cookie is rejected?
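Added example, not from the thread: the question this comment raises is whether a session cookie issued with `cookie domain localhost` can travel between a portal and a protected service on different hosts, which is what the config a few comments up does with `set auth url https://auth.domain.tld/` and the service at `whoami.localhost:4443`. The Python below implements the RFC 6265 domain-match rule (section 5.1.3) and the two places a user agent applies it: whether to store a cookie whose `Domain` attribute does not match the host that set it (section 5.3, where such a cookie is ignored entirely), and which hosts a stored cookie is later sent to (section 5.4). Hostnames are taken from the thread; the function names are mine, and the code models the RFC algorithm only, not any browser's extra handling of `localhost`.

```python
"""RFC 6265 cookie scoping, as a model of why a session cookie set by an auth
portal on one host may never reach a protected service on another host.
Hostnames below come from this thread; the functions are illustrative."""
import ipaddress
from typing import Optional


def canonical_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix (cookies ignore ports)."""
    host = host.lower().rstrip(".")
    if host.count(":") == 1:  # plain host:port, not an IPv6 literal
        host = host.split(":")[0]
    return host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or cookie_domain is a label-aligned suffix of a hostname."""
    host = canonical_host(request_host)
    domain = canonical_host(cookie_domain).lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip_literal(host)


def store_cookie(set_by_host: str, domain_attribute: Optional[str]) -> Optional[dict]:
    """RFC 6265 5.3 steps 4-6: the cookie-jar entry a UA creates, or None if the cookie is ignored."""
    set_by = canonical_host(set_by_host)
    if not domain_attribute:
        # No Domain attribute: host-only cookie, scoped to exactly the setting host.
        return {"domain": set_by, "host_only": True}
    if not domain_matches(set_by, domain_attribute):
        # A host may not set a cookie for a domain it does not belong to: ignored entirely.
        return None
    return {"domain": canonical_host(domain_attribute).lstrip("."), "host_only": False}


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """RFC 6265 5.4 step 1: host-only cookies need the exact host, others a domain-match."""
    host = canonical_host(request_host)
    if cookie["host_only"]:
        return host == cookie["domain"]
    return domain_matches(host, cookie["domain"])


def session_cookie_reaches(portal_host: str, domain_attribute: Optional[str],
                           service_host: str) -> bool:
    """Would a session cookie set by the portal be stored, and then be sent to the service?"""
    cookie = store_cookie(portal_host, domain_attribute)
    return cookie is not None and cookie_sent_to(cookie, service_host)


if __name__ == "__main__":
    # Portal at auth.domain.tld, service at whoami.localhost, `cookie domain localhost`
    print(session_cookie_reaches("auth.domain.tld", "localhost", "whoami.localhost:4443"))  # False
    # Portal and service on the same host, as in the final config in the thread
    print(session_cookie_reaches("whoami.localhost:4443", "localhost", "whoami.localhost:4443"))  # True
```

The first case fails at the store step: a response from `auth.domain.tld` carrying `Domain=localhost` is discarded by the user agent before it is ever sent anywhere, so every request to the protected service arrives without a session and is redirected to the portal again. Sharing a registrable domain between portal and service, or authenticating on the service's own host as the final config does, removes that mismatch.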

@omario36
Author

YEEES @axi92 @greenpau thanks, now it's OK

@omario36 omario36 reopened this Dec 12, 2022
@omario36
Author

omario36 commented Dec 12, 2022

@greenpau any link to update the documentation for using keycloak v20+?
