Proxying to External Keycloak Auth Protected API Endpoint?

[mike-kaminski]

I'm trying (desperately) to set this up for a reverse proxy (using mod_proxy) from a Docker container running behind SSL termination. I'm certain that I am very close but close doesn't count for much. Here is my current config (edited to remove identifying data):

<VirtualHost *:80>
  ServerName api.test.dev.env
  ProxyPreserveHost Off
  RequestHeader set X-Forwarded-Proto "https" early
  RequestHeader set X-Forwarded-Port 443 early

  # SSL setup for backend HTTPS endpoints
  SSLProxyEngine On
  SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  SSLHonorCipherOrder On
  SSLCompression      Off
  SSLSessionTickets   Off

  OIDCProviderMetadataURL "https://auth.external.com/auth/realms/<realm>/.well-known/openid-configuration"
  OIDCClientID "<clientid_key"
  OIDCClientSecret "<client_secret>"
  OIDCRedirectURI "https://api.test.dev.env/openid" # This doesn't actually exist anywhere
  OIDCProviderTokenEndpointAuth client_secret_basic # From https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak
  OIDCCryptoPassphrase 3KpAHrxjYoIXvye14xjU # Random string
  OIDCScope "CUSTOM.SCOPE" # We use a custom scope provided by the external provider.

  LogLevel auth_openidc:debug

  ProxyPass "/" "https://apisandbox.external.com/" retry=0 connectiontimeout=2700 timeout=2700 Keepalive=On
  ProxyPassReverse "/" "https://apisandbox.external.com/"
  ProxyRequests Off
  AllowEncodedSlashes On

  <Proxy "*">
    AuthType openid-connect
    Require valid-user
  </Proxy>

</VirtualHost>

From there, using Postman, I try to hit a simple GET endpoint (for example: https://api.test.dev.env/things) that should return a json document with some data in it. But instead, I get:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
	<title>Error</title>

</head>

<body>
	<p>Error:
		<pre>OpenID Connect Provider error: unauthorized_client</pre>
	</p>
	<p>Description:
		<pre>Client+is+not+allowed+to+initiate+browser+login+with+given+response_type.+Standard+flow+is+disabled+for+the+client.</pre>
	</p>
</body>

</html>

Digging further around through Google isn't turning up anything really useful, does anyone have any advice here?

Thanks!

[zandbelt]

it's really a Keycloak question but I believe that the configuration for your client clientid_key in Keycloak should be modified to allow the Authorization Code grant type

[mike-kaminski]

Ahh, I see. I don't have access to change any of that. Here's what the config says we have available:

"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],

I vaguely recall seeing documentation on configuring that with the module by a thrown bone would be immensely helpful ;) We're trying to pass the token as a bearer header to the API.

[zandbelt]

you'll need to modify "the configuration for your client clientid_key in Keycloak should be modified to allow the Authorization Code grant type" in Keycloak.. if you cannot do that, then it won't work

[mike-kaminski]

I dunno why I missed it before, authorization_code is the first one on the grant_types_supported list 😞, maybe because I'm working on a Sunday. FWIW, the logs do show a successful transaction with the auth endpoint, but it's definitely not flipping that token to the outbound proxy connection as a bearer token. I've tried a couple suggested approaches to that from other threads/"bug" reports with no luck today but I get the impression that I'm almost there. I'm not sure if you're (@zandbelt) open to a direct message, I think it might be a no-brainer for you but I'm not comfortable sharing config details and logs publicly to help you help me publicly. If you are, let me know and I'll provide the specific configuration and logs there for your inspection. If we can get this working I'll scrub the working config of specifics and post it up here to benefit the next person chasing a similar solution. I can't imagine that an example, working, HTTP to HTTPS reverse proxy with OID auth to an external Keycloak system (not managed by the same org/company running the proxy) wouldn't be a nice-to-have.