
I’m trying to configure Keycloak with mod_auth_openidc. I’m using Apache 2.4 and simple Java servlets/html pages. I have Keycloak authenticating a user and redirecting to the protected resource.
Now, I would like to get access to the user profile. I’m assuming that I have to extract the “code” from the URL query string and then exchange it for the id_token by calling one of the Keycloak APIs. Is that correct?
I’m not sure how to get this “code”. I see the code in the URL that hits my OIDCRedirectURI. But I’m not sure how to get to it. If my OIDCRedirectURI is a servlet, even though I see the redirect to the servlet, the doGet method isn’t being hit so there is no way for me to get to the request and access the query parameters. I believe I’m doing something wrong. Could you help me figure out how to get the code and ultimately get the id_token?
Thank you!

2 Answers


  1. You can’t get the “code”, and you don’t need to in your protected apps, because mod_auth_openidc exchanges it for the ID token instead of your apps (it’s mod_auth_openidc’s job). If you want to access the user profile in the ID token, you can find the claims in the HTTP request headers. mod_auth_openidc expands the claims into the HTTP request headers automatically with the OIDC_CLAIM_ prefix, as in the following image.

    [image: screenshot of the OIDC_CLAIM_ request headers; not included in the page]

  2. Some Apache security modules silently drop headers with underscores…

    • First, make sure the OIDCPassClaimsAs parameter is set to “headers” or “both” in the Apache configuration file.
    • Then change the OIDC claims prefix to “OIDC-” via OIDCClaimPrefix.

    All the claims should appear in the request headers, except for the access token, because its prefix is hardcoded in the mod_auth_openidc code (in the current version).

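Putting both answers together, here is an added example (not code from the question or from mod_auth_openidc) of how the servlet side reads the profile once Apache is configured with `OIDCPassClaimsAs both` and `OIDCClaimPrefix "OIDC-"` as described above. The servlet path `/protected/profile`, the class name and the choice of which claims to show are assumptions; the `sub`, `email` and `preferred_username` claim names are standard OIDC claims that Keycloak emits by default. The point it illustrates is that the servlet never touches the authorization code or the token endpoint: it only reads the headers mod_auth_openidc injected after completing the exchange.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import java.util.Map;
import java.util.TreeMap;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mounted under an Apache <Location> that mod_auth_openidc protects.
// It is reached only after Apache has completed the code -> token exchange with Keycloak.
@WebServlet("/protected/profile")
public class ProfileServlet extends HttpServlet {

    // Matches "OIDCClaimPrefix \"OIDC-\"" in httpd.conf; a dash survives modules that
    // drop underscore headers (the default prefix would be "OIDC_CLAIM_").
    static final String CLAIM_PREFIX = "OIDC-";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Map<String, String> claims = extractClaims(req);

        // "sub" is always present in an ID token. If it is missing, the request did not
        // pass through the Apache OIDC layer (or claims are not passed as headers), so refuse.
        String subject = claims.get("sub");
        if (subject == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no OIDC claims on request");
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("subject:  " + subject);
        out.println("username: " + claims.getOrDefault("preferred_username", "<not released>"));
        out.println("email:    " + claims.getOrDefault("email", "<not released>"));
        out.println("--- all claims ---");
        for (Map.Entry<String, String> e : claims.entrySet()) {
            out.println(e.getKey() + " = " + e.getValue());
        }
    }

    // Collect every "OIDC-<claim>" header into a map keyed by the bare claim name.
    // Header names are case-insensitive (Tomcat hands them back lower-cased), so the
    // prefix comparison ignores case and the key is normalised to lower case.
    static Map<String, String> extractClaims(HttpServletRequest req) {
        Map<String, String> claims = new TreeMap<>();
        Enumeration<String> names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (name.regionMatches(true, 0, CLAIM_PREFIX, 0, CLAIM_PREFIX.length())) {
                String claim = name.substring(CLAIM_PREFIX.length()).toLowerCase();
                claims.put(claim, req.getHeader(name));
            }
        }
        return claims;
    }
}
```

One deployment caveat that matters for trusting these headers: mod_auth_openidc strips any incoming `OIDC-*` headers before setting its own, but that protection only applies to requests that actually traverse Apache. The servlet container should therefore listen only on an address Apache can reach (for example loopback, or a firewalled AJP/HTTP port), otherwise a client that connects to the container directly could supply its own claim headers and bypass the login.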