Hello, I have a docker-based traefik, keycloak, traefikforwardauth setup that is working for interactive logon.
https://github.com/stevegroom/traefikGateway/tree/master/traefik
I need to create an access token that I can append to requests to the traefik API service (or any other resource). I am monitoring groups of services with a NodeRed dashboard.
I tried googling the solution but I'm not quite on the right path.
The OAuth 2.0 Authorization Framework: Bearer Token Usage, section 2.3 (URI Query Parameter), indicates that I should be able to add a query parameter like this:
GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1
Host: server.example.com
I requested an access token, but the returned variable is over 1300 bytes, which seems rather excessive to add to a URL.
curl --location --request POST 'https://keycloak.mydomain/auth/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: AUTH_SESSION_ID=0e93b8fc-a236-4270-991a-3d7b23ab9d34.e8d8c72d2aee; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1iHaInR5cCIgOiAiSldUIiwia2lkIiA6ICIxMjIwY2M1OS1jYzVlLTRkMjYtODM2OC1hMmRlNjdjMDY3N2QifQ.eyJqdGkiOiJmYTg2Mjg2OS1hZmQwLTQ1MDQtOGI3Ny05MWI4MzIxYzY4MTYiLCJleHAiOjE1ODc3NTgwNTcsIm5iZiI6MCwiaWF0IjoxNTg3NzIyMDU3LCJpc3MiOiJodHRwczovL2tleWNsb2FrLmdyb29tcy5wYWdlvcmVhbG1zL21hc3RlciIsInN1YiI6IjZjZGY4NTMwLWVkMWMtNGU2My1iOWE1LTQ3MmUzYzc2NzBkMSIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIwZTkzYjhmYy1hMjM2LTQyNzAtOTkxYS0zZDdiNWZhYjlkMzQiLCJzdGF0ZV9jaGVja2VyIjoiM1FyeWVkdjJeG9MaVV4bC1SRThrdU9CNXBLeVY3ajdZMCJ9.yt3pwMpOPZL6RicLLZVpyCXNekVM_60sOSorfEd1fCA; KEYCLOAK_SESSION_LEGACY=master/6cdf8550-ed1c-4e63-b9a5-472e3c7670d1/0e93b8fc-a236-4270-9221a-3d7b5fab9d34; _forward_auth_csrf=8504ce17b0e1f60f8ee3ab5082ec53ef' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=generic' \
--data-urlencode 'client_secret=d6b195cb-b2a6-4093-ab1f-b553af5482fb' \
--data-urlencode 'scope=openid' \
--data-urlencode 'username=steve' \
--data-urlencode 'password=noyoudont!'
The returned body is a valid JWT. I tried the same with grant_type=password, as was suggested in other googled resources, but neither worked.
Recap:
I want to generate an API access code in order to have node-red authenticate to resources protected by Traefik 2.2 without an interactive login.
POST https://keycloak.mydomain/auth/realms/master/protocol/openid-connect/token
returned a valid JWT including access_token
GET https://whoami.mydomain?access_token=1300charactershere
returns:
Keycloak
We are sorry...
Invalid Request
Has anyone managed this type of access?
regards
Steve