Is there a way to obtain user data if the Keycloak authentication is done on Apache level, not front-end application

Generally, there are at least 2 options of securing applications using Keycloak OpenID Connect stack:

  1. Use it on the application using Keycloak adapters (in my case, a SPA JavaScript front end)
  2. Use it on Apache using mod_auth_openidc

If I choose to use number 2, how can I obtain the user data (username, for example)?

------------------------Edit due to @Cyril Dangerville's answer -----------------

While I understand the general approach, my way seems very forced.

  1. Now I'm authenticated; my request has a session cookie and access token headers, but I cannot access any header because it is the initial page load

  2. Perform a call to any protected resource to get the access header value

  3. Use the access token to call the userinfo endpoint (but this is on another domain, so the cookie won't get submitted)

Can you help me by explaining where I should go from here?

With mod_auth_openidc, you pass user data to applications as Apache environment variables and/or HTTP headers. The latter is useful if using Apache as reverse proxy for remote apps (mod_proxy). The proxy case is addressed briefly in mod_auth_openidc project's FAQ.

You can find more details about how to configure this translation of OpenID Connect token claims - including the authenticated user data - to environment variables/headers in the configuration file auth_openidc.conf; two properties in particular:

  • For the REMOTE_USER variable: OIDCOAuthRemoteUserClaim <claim-name> [<regular-expression>]
  • For others: OIDCPassClaimsAs [none|headers|environment|both].
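
One way a SPA can get the username in the reverse-proxy setup described in the answer, shown as an added example that is not part of the original answer or of the mod_auth_openidc project: a small backend handler reads the claim headers Apache forwards and returns them as JSON from a same-origin path. The `/whoami` path, the function names, the port, the trusted-proxy list and the use of the `preferred_username` claim are assumptions; the handler accepts the headers only from the proxy, because a client that can reach the backend directly could set them itself.

```javascript
// Added example: backend handler behind Apache (mod_proxy + mod_auth_openidc).
// Assumptions: Apache runs on the same host, OIDCPassClaimsAs includes headers,
// and the module's default claim prefix OIDC_CLAIM_ is unchanged.
const CLAIM_PREFIX = 'oidc_claim_'; // Node.js lowercases incoming header names
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Collect claim headers, but only for connections that come from the proxy.
function claimsFromRequest(headers, remoteAddress) {
  if (!TRUSTED_PROXIES.has(remoteAddress)) return null;
  const claims = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.startsWith(CLAIM_PREFIX) && typeof value === 'string') {
      claims[name.slice(CLAIM_PREFIX.length)] = value;
    }
  }
  return Object.keys(claims).length > 0 ? claims : null;
}

// Build the response the SPA fetches on initial page load.
function whoami(headers, remoteAddress) {
  const claims = claimsFromRequest(headers, remoteAddress);
  if (!claims || !claims.sub) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  return {
    status: 200,
    body: {
      sub: claims.sub,
      username: claims.preferred_username || claims.sub,
      email: claims.email || null,
    },
  };
}

// Plain Node.js request handler; hypothetical /whoami path.
function handler(req, res) {
  if (req.url !== '/whoami') { res.writeHead(404); res.end(); return; }
  const { status, body } = whoami(req.headers, req.socket.remoteAddress);
  res.writeHead(status, {
    'Content-Type': 'application/json',
    'Cache-Control': 'no-store', // identity data should not be cached
  });
  res.end(JSON.stringify(body));
}
// To serve it: require('http').createServer(handler).listen(8081, '127.0.0.1');
```

The SPA then calls `fetch('/whoami')` on the same origin, so the mod_auth_openidc session cookie is sent and no access token has to be handled in the browser.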
