Keycloak

Authentication filter that talks to Keycloak

The gm-jwt-keycloak filter validates incoming requests against Keycloak and generates a Grey Matter JWT token.

Filter Configuration Options

Required Parameters

  • endpoint(String, default: "http://keycloak-host:80") - Full Keycloak URL.
  • authnHeaderName(String, default: "access_token") - Name of header used for validating incoming and passing outgoing authentication tokens.
  • authzheaderName(String, default: "user_info") - Name of header used for validating incoming and passing outgoing authorization tokens.
  • realm(String, default: "greymatter") - Name of the realm to be used in Keycloak.
  • jwtPrivateKeyPath(String, default: "./certs/private_key.pem") - Private jwt key for Greymatter signing and validation.
  • jwks(stringified JSON, default: "{"keys":[{"crv":"P-521","kid":"1","kty":"EC","x":"AStrIEK2lPMCEPCiOA-vhIx65kwGL1tCYXGNmhIAFJU8BrGlPO8WYm3aUcmCXNJD76wYL3oh9Wu5d7iJifAdZhbg","y":"AehFcEyvkz0-8MvMGQSUfw5GVdYQTaWSRiOIiGVjK2FJCcl7n70CCIlNKpK3c2LNJu2BzrQmh7y21Ug7jvSafbQI"}]}") - Public JSON web key sets for internal validation of tokens.
  • sharedJwtKeycloakSecret(String, default: "password123") - User-created synthetic password for logging in users to Keycloak.

Additional Parameters

  • keyPath(String, default: "./certs/server.key") - Keyfile path
  • caPath(String, default: "./certs/intermediate.crt") - Certificate authority or intermediate certificate path.
  • insecureSkipVerify(Boolean, default: false) - If true, calls to Keycloak skip TLS certificate verification, including the hostname check.
  • timeoutMs(Integer, default: 1000ms) - Timeout in milliseconds for the connection between gm-proxy and gm-jwt-keycloak service. Set to a negative number to disable timeouts completely, though this is not advised as it can cause an infinite hang in the sidecar.
  • maxRetries(Integer, default: 0) - Number of retries after failed connection between gm-proxy and keycloak.
  • retryDelayMs(Integer, default: 0) - Amount of time in milliseconds between each unsuccessful retry.
  • cacheLimit(Integer, default: 100) - Maximum number of tokens held in cache. Must be > 0 to enable caching; a negative value disables it.
  • cachedTokenExp(Integer, default: 10m) - Time in minutes to hold tokens in the cache. Must be > 0 to enable caching; a negative value disables it.
  • writeBody(Boolean, default: false) - Should tokens be written to the response body instead of headers?
  • fetchFullToken(Boolean, default: false) - Should the full token be fetched from Keycloak's /userinfo endpoint instead of logging in the client from the /token endpoint?
  • authenticateOnly(Boolean, default: false) - If true, filter will only validate incoming tokens and will not reach out to keycloak to create new tokens.
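As an added example, not code from the Grey Matter project or from this page, the following Python linter overlays a filter configuration on the defaults listed above and returns the findings a reviewer would raise before deploying it: the documented default shared secret still in use, a plaintext endpoint, TLS verification switched off, a negative timeout, an inconsistent cache setting, and a jwks value that is not a usable key set. The option names and defaults are the ones documented on this page; the flat option-to-value dict shape, the function names and the wording of the findings are assumptions.

```python
"""Lint a gm-jwt-keycloak filter configuration against the documented options.

Added example; not code from the Grey Matter project. Option names and
defaults are taken from the documentation above. The flat option->value
dict shape, the function names and the finding messages are assumptions.
"""
import json

# Documented defaults. The jwks default is the one printed in the docs.
DEFAULTS = {
    "endpoint": "http://keycloak-host:80",
    "authnHeaderName": "access_token",
    "authzheaderName": "user_info",
    "realm": "greymatter",
    "jwtPrivateKeyPath": "./certs/private_key.pem",
    "jwks": ('{"keys":[{"crv":"P-521","kid":"1","kty":"EC",'
             '"x":"AStrIEK2lPMCEPCiOA-vhIx65kwGL1tCYXGNmhIAFJU8BrGlPO8WYm3aUcmCXNJD76wYL3oh9Wu5d7iJifAdZhbg",'
             '"y":"AehFcEyvkz0-8MvMGQSUfw5GVdYQTaWSRiOIiGVjK2FJCcl7n70CCIlNKpK3c2LNJu2BzrQmh7y21Ug7jvSafbQI"}]}'),
    "sharedJwtKeycloakSecret": "password123",
    "keyPath": "./certs/server.key",
    "caPath": "./certs/intermediate.crt",
    "insecureSkipVerify": False,
    "timeoutMs": 1000,
    "maxRetries": 0,
    "retryDelayMs": 0,
    "cacheLimit": 100,
    "cachedTokenExp": 10,
    "writeBody": False,
    "fetchFullToken": False,
    "authenticateOnly": False,
}


def effective_config(user):
    """Overlay user-supplied options on the defaults. Unknown keys are an
    error so that a misspelled option (authzHeaderName vs authzheaderName)
    cannot silently fall back to the default."""
    unknown = sorted(set(user) - set(DEFAULTS))
    if unknown:
        raise ValueError(f"unknown option(s): {unknown}")
    merged = dict(DEFAULTS)
    merged.update(user)
    return merged


def jwks_problems(jwks_text):
    """Check that jwks is a JSON Web Key Set with usable public keys."""
    try:
        doc = json.loads(jwks_text)
    except json.JSONDecodeError as exc:
        return [f"jwks: not valid JSON ({exc.msg})"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ['jwks: expected an object with a non-empty "keys" array']
    problems = []
    for i, key in enumerate(keys):
        missing = {"kty", "kid"} - set(key)
        if key.get("kty") == "EC":  # EC public keys need the curve and the point
            missing |= {"crv", "x", "y"} - set(key)
        if missing:
            problems.append(f"jwks: key {i} missing {sorted(missing)}")
    return problems


def lint(user):
    """Return the findings a reviewer would raise about this configuration."""
    cfg = effective_config(user)
    findings = []
    if cfg["sharedJwtKeycloakSecret"] == DEFAULTS["sharedJwtKeycloakSecret"]:
        findings.append("sharedJwtKeycloakSecret: documented default still in use")
    if cfg["endpoint"].lower().startswith("http://"):
        findings.append("endpoint: plaintext HTTP; tokens and the shared secret "
                        "reach Keycloak unencrypted")
    if cfg["insecureSkipVerify"]:
        findings.append("insecureSkipVerify: TLS certificate verification disabled")
    if cfg["timeoutMs"] < 0:
        findings.append("timeoutMs: negative disables the timeout; a stalled "
                        "Keycloak call can hang the sidecar")
    if cfg["maxRetries"] > 0 and cfg["retryDelayMs"] <= 0:
        findings.append("retryDelayMs: retries fire back-to-back with no delay")
    limit_on, exp_on = cfg["cacheLimit"] > 0, cfg["cachedTokenExp"] > 0
    if limit_on != exp_on:  # both must be > 0; one value <= 0 switches caching off
        findings.append("cacheLimit/cachedTokenExp: caching is off because one "
                        "of them is <= 0")
    findings.extend(jwks_problems(cfg["jwks"]))
    return findings


if __name__ == "__main__":
    # Constructed sample: overrides only what must differ per deployment.
    sample = {"endpoint": "https://keycloak.internal.example:8443",
              "sharedJwtKeycloakSecret": "constructed-example-secret"}
    for line in lint({}) + lint(sample):
        print(line)
```

Running the linter over an empty config (i.e. every option at its documented default) reports the default shared secret and the plaintext endpoint; the constructed sample that overrides only those two options reports nothing.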