Keycloak authentification APS

narjisseatos · ‎28 Feb 2019

Hi,

I have a problem when I try to connect keycloak to APS

keycloak version: 3.4.3
APS version: 1.9.01

ACS version : 6.1

«localhost:9080/activiti-app» redirects to :

http://localhost:8080/auth/realms/alfresco-dbp/protocol/openid-connect/auth?response_type=code&clien...

then, after authentication, to

http://localhost:9080/activiti-app/sso/login?state=dcc9f547-19d4-44ce-b5a5-745e1ab233f9&session_stat...

activiti-identity-service.properties

# --------------------------------
# IDENTITY SERVICE (i.e. Keycloak)
# --------------------------------

keycloak.enabled=true
keycloak.realm=alfresco-dbp
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=none
keycloak.resource=alfresco-client
keycloak.principal-attribute=email
# set to true if access type is public for this client in keycloak
keycloak.public-client=true
keycloak.always-refresh-token=true
keycloak.autodetect-bearer-only=true
keycloak.token-store=cookie
keycloak.enable-basic-auth=true

alfresco-global.properties

jodconverter.enabled=true

# Identity Service (i.e. Keycloak)
# --------------------------------

# UNCOMMENT TO ENABLE Identity Service (i.e. Keycloak) for ACS
authentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm
identity-service.authentication.enabled=true
identity-service.enable-basic-auth=true
identity-service.authentication.defaultAdministratorUserNames=admin
identity-service.authentication.validation.failure.silent=false
identity-service.auth-server-url=http://localhost:8080/auth
identity-service.realm=alfresco-dbp
identity-service.resource=alfresco-client
identity-service.public-client=true
identity-service.ssl-required=none

Bassam Al-Sarori

bassam_al-saror · ‎1 Mar 2019

Looks like APS isn't able to connect to Keycloak. Are they both running on different containers?

narjisseatos · ‎1 Mar 2019

Thanks,

Yes, different containers

bassam_al-saror · ‎1 Mar 2019

The Keycloak URL isn't correct it should point to the Keycloak instance. I'm not sure how do it but you look into how to make the Keycloak accessible to APS. I guess docker has a way to make two containers accessible to each other.

keycloak.auth-server-url=http://localhost:8080/auth

narjisseatos · ‎1 Mar 2019

The Keycloak URL is correct when i call this URL

«localhost:9080/activiti-app» redirects me to :

http://localhost:8080/auth/realms/alfresco-dbp/protocol/openid-connect/auth?response_type=code&clien...

And the two dockers are accessible to each other

I don't understand your response

bassam_al-saror · ‎1 Mar 2019

The URL is pointing to localhost which isn't correct since Keycloak is on a different docker.

bassam_al-saror · ‎1 Mar 2019

In the exception you posted it's clear that Keycloak is unreachable "Connection refused".

adrianmiramar · ‎18 Feb 2020

I dont know if the problem was the same or similiar but in my case I had to set the "Require SSL" to NONE on the REALM, because the URL validation token has to be SSL and I has a self signed certificate

I don't understand why the error is 404 (I think this is wrong because is very confusing) but the real issue is for conection between APS and the Keycloak.