OnDemand-Keycloak-IDM authentication


#1

I’ve been following the directions at https://osc.github.io/ood-documentation/master/authentication/tutorial-oidc-keycloak-rhel7.html and have an OnDemand server and Keycloak server with Keycloak configured with a User Federation LDAP provider that is our IDM system. I’ve confirmed data transfer between the OnDemand and Keycloak servers and between the Keycloak and IDM servers, but authentication (on OnDemand server with IDM identity) isn’t working. (Keycloak correctly retrieves names, email, etc. from IDM.) The error I’m seeing (invalid_user_credentials) seems to mean invalid password because for a username that doesn’t exist, a different error is obtained.

Differences that I have from tutorial:

  • Tutorial is for keycloak-3.1.0 and I’m using keycloak-4.2.1.
  • As a consequence, the Keycloak admin interface is a little different and all settings from steps 2.3 and 2.4 were set for the client as there’s no longer a separate entity of ‘client template’.
  • I only completed steps 1-3, not 4 (add custom theme).

(All servers are RHEL 7.5. OnDemand is version 1.3.7.)

Are there any tests I can do to isolate this issue? Is there any specialized config needed for IDM that is different from other identity providers? Might using a newer version of keycloak be better?


#2

You can try authenticating with just mod_auth_openidc if that’s how you configured OnDemand to use Keycloak. We have something like this at /opt/rh/httpd24/root/etc/httpd/conf.d/test.conf:

Alias /secure /var/www/html/secure
<Location /secure>
  AuthType openid-connect
  Require valid-user
</Location>

I then have this at /var/www/html/secure/index.php

<html>
<head><title>OIDC Variables</title></head>
<body>
<table>
<?php
// Dump every variable mod_auth_openidc exported into the request environment
// (REMOTE_USER, OIDC_CLAIM_*, OIDC_access_token, ...). Escape keys and values:
// claim values and request headers are attacker-influenced, so echoing them
// raw into HTML is a reflected XSS on the debug page itself.
ksort($_SERVER);
foreach ($_SERVER as $key => $value) {
   $k = htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
   $v = htmlspecialchars(is_scalar($value) ? (string) $value : json_encode($value), ENT_QUOTES, 'UTF-8');
   echo "<tr><td>$k</td><td>$v</td></tr>\n";
}
?>
</table>
</body>
</html>

This will tell you if REMOTE_USER is getting set which is what is used by OnDemand IIRC.
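The test above checks the last hop (mod_auth_openidc -> OnDemand). The other half of isolating the reported failure is to check the Keycloak -> IDM hop on its own, with the browser, the redirect and Apache out of the picture. The script below is an added example, not code from the thread or from the OnDemand or Keycloak projects. It sends a Resource Owner Password Credentials (direct grant) request to the realm's token endpoint, which makes Keycloak run the same username/password check against the LDAP federation provider that the login form runs. It assumes the Keycloak 4.x URL layout with the /auth prefix, a confidential client with "Direct Access Grants Enabled" turned on in the client settings, and that the realm name, client id (hypothetical "ondemand" in the self-test) and client secret are supplied by the caller. The sample token-endpoint responses used for the self-test are constructed, not captured from a live server.

```python
"""Direct-grant probe: does Keycloak itself accept the IDM password?

Added example for the OnDemand/Keycloak/IDM thread; not from the original
post. Assumes Keycloak 4.x (/auth prefix) and a confidential client with
Direct Access Grants enabled. The client id/secret and the sample responses
below are constructed placeholders.
"""
import getpass
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Tuple


def token_endpoint(base_url: str, realm: str) -> str:
    """OpenID Connect token endpoint for a Keycloak 4.x realm."""
    realm_q = urllib.parse.quote(realm, safe="")
    return f"{base_url.rstrip('/')}/auth/realms/{realm_q}/protocol/openid-connect/token"


def build_token_request(client_id: str, client_secret: str,
                        username: str, password: str) -> bytes:
    """Form body for grant_type=password (Resource Owner Password Credentials).

    Keycloak validates the password against the realm's user storage (here the
    LDAP federation provider) exactly as the browser login form would.
    """
    fields = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": "openid",
    }
    return urllib.parse.urlencode(fields).encode("utf-8")


def interpret_token_response(status: int, body: str) -> Tuple[str, str]:
    """Map the endpoint's answer to which hop to look at next.

    keycloak-ok       : token issued, so Keycloak->IDM works; suspect
                        mod_auth_openidc / OnDemand.
    keycloak-rejected : Keycloak refused the credentials itself; check the
                        LDAP federation settings and Keycloak's server log.
    client-config     : the probe client is wrong (unknown client, direct
                        grants disabled), not the user's credentials.
    unexpected        : anything else; read the raw body.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected", f"HTTP {status}, non-JSON body"
    if status == 200 and "access_token" in data:
        return "keycloak-ok", "token issued; Keycloak verified the password"
    err = data.get("error", "")
    desc = data.get("error_description", "")
    if err == "invalid_grant":
        return "keycloak-rejected", desc or err
    if err in ("invalid_client", "unauthorized_client"):
        return "client-config", desc or err
    return "unexpected", f"HTTP {status}: {err} {desc}".strip()


def probe(base_url: str, realm: str, client_id: str, client_secret: str,
          username: str, password: str) -> Tuple[str, str]:
    """Perform the live request and return interpret_token_response()'s verdict."""
    req = urllib.request.Request(
        token_endpoint(base_url, realm),
        data=build_token_request(client_id, client_secret, username, password),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_token_response(resp.getcode(), resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a JSON body
        return interpret_token_response(exc.code, exc.read().decode("utf-8"))


# Constructed sample responses (not captured from a server) for an offline check.
SAMPLE_RESPONSES = [
    (401, '{"error":"invalid_grant","error_description":"Invalid user credentials"}'),
    (200, '{"access_token":"eyJ...","token_type":"bearer","expires_in":300}'),
    (400, '{"error":"unauthorized_client","error_description":"direct grants disabled"}'),
    (502, '<html>Bad Gateway</html>'),
]

if __name__ == "__main__":
    if len(sys.argv) != 5:
        # Offline self-test: show how each constructed response is classified.
        for status, body in SAMPLE_RESPONSES:
            print(status, interpret_token_response(status, body))
        print("usage: probe.py https://keycloak.example.org REALM CLIENT_ID USERNAME")
        sys.exit(0)
    base, realm, cid, user = sys.argv[1:5]
    # Secrets are read interactively so they never appear in argv or shell history.
    secret = getpass.getpass("client secret: ")
    pw = getpass.getpass(f"password for {user}: ")
    print(probe(base, realm, cid, secret, user, pw))
```

If this returns keycloak-rejected for a password that works against IDM directly (for example with ldapsearch -D as that user), the fault is in Keycloak's LDAP federation configuration (bind credentials, edit mode, or the user DN/attribute mapping), and Keycloak's server log will show the LDAP bind failure; if it returns keycloak-ok, the Keycloak -> IDM hop is fine and the /secure test in the post above is where to keep looking.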