Keycloak and Forcing authentication on Error. #1201
Replies: 2 comments
-
`OIDCRedirectURI https://${APACHE_FQDN}/secure/redirect?info=json&access_token_refresh_interval=60` is overloading the point of the redirect URI... it should really be:

`OIDCRedirectURI https://${APACHE_FQDN}/secure/redirect`

If Keycloak triggers OpenID Connect Logout (e.g. the Backchannel variant), it would kill mod_auth_openidc's session. Not sure how to configure that in Keycloak.

Furthermore, it is up to the SPA itself to interpret a 401 and trigger a top-level redirect, see e.g.: https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts#single-page-applications
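The SPA-side handling the comment above points to (a 401 from a mod_auth_openidc-protected API means the module's session is gone, and an XHR/fetch cannot follow the module's authentication redirect itself, so the page has to navigate at the top level), written out as an added example. This is not code from the mod_auth_openidc project or from anyone in this thread; the `/secure/` protected path is taken from the discussion, while the `return_to` query parameter and the injectable `fetch`/`navigate`/`href` dependencies are assumptions made here so the logic can run outside a browser.

```javascript
// Added example, not part of mod_auth_openidc: an SPA fetch wrapper that treats
// a 401 as "re-authenticate" and performs a top-level redirect back into the
// protected location so the module can start a fresh OpenID Connect flow.

// Classify an API response status for the SPA. A 401 from a location protected
// by mod_auth_openidc means the module rejected the session (expired, logged
// out, or inactive); the only recovery is a top-level navigation.
function classifyApiResponse(status) {
  if (status === 401) return "reauthenticate";
  if (status >= 200 && status < 300) return "ok";
  return "error";
}

// Build the URL to navigate to. Assumption: loading any page under the
// protected location (/secure/ in this discussion) makes mod_auth_openidc
// redirect to Keycloak and back. The return_to parameter is an assumed
// app-level convention so the SPA can restore its view after login; only the
// same-origin path and query are kept so it cannot point off-site.
function reauthUrl(currentHref, protectedPath = "/secure/") {
  const current = new URL(currentHref);
  const target = new URL(protectedPath, current.origin);
  target.searchParams.set("return_to", current.pathname + current.search);
  return target.toString();
}

// fetch wrapper. Dependencies are injectable (assumed design choice) so the
// decision logic can be exercised without a browser; in the browser the
// defaults use the global fetch and window.location.
async function apiFetch(url, options = {}, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const navigate = deps.navigate || ((href) => window.location.assign(href));
  const href =
    deps.href || (typeof window !== "undefined" ? window.location.href : "");

  // Send the mod_auth_openidc session cookie with every API call.
  const res = await doFetch(url, { credentials: "same-origin", ...options });

  if (classifyApiResponse(res.status) === "reauthenticate") {
    navigate(reauthUrl(href));
    return null; // caller gets nothing; the page is navigating away
  }
  return res;
}
```

In a real app, `apiFetch` replaces direct `fetch` calls; the `return_to` value is read back after the module has completed the login and redirected the browser to the protected location.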
-
Thanks for the update. I will modify our redirect to not have the extra details, and modify the SPA to refresh when we get a 401.

One more question. If I configure OIDCRefreshAccessTokenBeforeExpiry, and in Keycloak I log out the session, the library will notice it and send me a 401. But our SPA doesn't do any periodic calls, so if I let the session sit too long, Keycloak seems to remove it, but inside my SPA I can continue to make calls, even if I do a reload. I can set the OIDCSessionInactivityTimeout to be less, but let's say I have a token expiration of 5 minutes and a session inactivity of 60 minutes. Somewhere in between is where Keycloak is removing the session but I continue to be able to make calls. Is there another configuration that I'm missing?

I appreciate you taking the time to help me understand this. I'm guessing most of this is some basic OAuth or OpenID Connect logic, but it can be rather confusing.
-
I apologize if this is a simple question, and I'm guessing I've misconfigured something, but I've spent some time trying to read over the documentation and understand how to properly interface with Keycloak. I'm able to authenticate and work with Keycloak, but I feel that there is something wrong with my setup; I have a couple of issues I'm struggling to solve.
"OIDCRefreshAccessTokenBeforeExpiry 15 authenticate_on_error", but it doesn't seem to have any effect, and I have never been successful at the authenticate redirect.
Here is my current configuration; maybe someone can help me understand what I'm misconfiguring or missing.
If I set the OIDCSessionInactivityTimeout to, say, 90, then at 90 seconds of inactivity I get a 401 as expected.
I have also noticed, similar to this article https://github.com/OpenIDC/mod_auth_openidc/issues/388, that I get "oidc_cache_shm_get_key: could not construct cache key since key size is too large" error messages in the logs. Is this causing my issues? I don't have the introspect configuration like the article had; is this something I would need to add?