[keycloak-user] patch for mod_auth_openidc apache module for keycloak oauth


c p
Dear All,

Just for sharing: I have made the Apache mod_auth_openidc module work with
Keycloak token introspection. Just apply the patch below to src/oauth.c,
then set OIDCOAuthIntrospectionEndpointParams
token_type_hint=refresh_token.



--- mod_auth_openidc/src/oauth.c        2017-05-15 16:20:48.698526596 +0800
+++ mod_auth_openidc_keycloak/src/oauth.c       2017-05-15
16:17:06.022631865 +0800
@@ -83,12 +83,19 @@
                        apr_table_addn(params, OIDC_PROTO_CLIENT_ID,
c->oauth.client_id);
                        apr_table_addn(params, OIDC_PROTO_CLIENT_SECRET,
                                        c->oauth.client_secret);
+
                } else {
                        basic_auth = apr_psprintf(r->pool, "%s:%s",
c->oauth.client_id,
                                        c->oauth.client_secret);
                }
+       }else{
+           if ((c->provider.client_id != NULL) &&
(c->provider.client_secret!=NULL)){
+               basic_auth = apr_psprintf(r->pool, "%s:%s",
c->provider.client_id,
+                                        c->provider.client_secret);
        }

+}
+
        /* call the endpoint with the constructed parameter set and return
the resulting response */
        return apr_strnatcmp(c->oauth.introspection_endpoint_method,
                        OIDC_INTROSPECTION_METHOD_GET) == 0 ?
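
Review bot: in the added `}else{` branch, the fallback to c->provider.client_id and c->provider.client_secret happens without any log line or documented setting, so the OIDC client secret is sent to the introspection endpoint implicitly. Make this an explicit, documented choice (or at least log it at debug level), and note that it only fits providers where the two client registrations are the same. The fallback also always builds basic_auth, whereas the branch above either adds OIDC_PROTO_CLIENT_ID / OIDC_PROTO_CLIENT_SECRET to params or builds basic_auth, so that choice is not honoured here. When either provider value is NULL, basic_auth is left at whatever value it had before, with no warning. Style: the new inner if is closed by the pre-existing context `}` and the else by a `+}` at column 0, and an unrelated blank line is added after the c->oauth.client_secret parameter; re-indent to match the surrounding file so the brace pairing is readable.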


Regards,

Steven
_______________________________________________
keycloak-user mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/keycloak-user

Re: [keycloak-user] patch for mod_auth_openidc apache module for keycloak oauth

Hans Zandbelt
This post has NOT been accepted by the mailing list yet.
As a matter of fact this patch is not needed for that. You can just set `OIDCOAuthClientID` and `OIDCOAuthClientSecret` to the same values as `OIDCClientID` and `OIDCClientSecret` since for Keycloak token introspection they happen to be one and the same.

Hans.