Keycloak authentification APS

cancel
Showing results for 
Search instead for 
Did you mean: 
narjisseatos
Member II

Keycloak authentification APS

Hi,

I have a problem when I try to connect keycloak to APS

keycloak version: 3.4.3
APS version: 1.9.01

ACS version : 6.1

«localhost:9080/activiti-app» redirects to :

http://localhost:8080/auth/realms/alfresco-dbp/protocol/openid-connect/auth?response_type=code&clien...

then, after authentication, to

http://localhost:9080/activiti-app/sso/login?state=dcc9f547-19d4-44ce-b5a5-745e1ab233f9&session_stat...Keycloack APS error

activiti-identity-service.properties

# --------------------------------
# IDENTITY SERVICE (i.e. Keycloak)
# --------------------------------

keycloak.enabled=true
keycloak.realm=alfresco-dbp
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=none
keycloak.resource=alfresco-client
keycloak.principal-attribute=email
# set to true if access type is public for this client in keycloak
keycloak.public-client=true
keycloak.always-refresh-token=true
keycloak.autodetect-bearer-only=true
keycloak.token-store=cookie
keycloak.enable-basic-auth=true

alfresco-global.properties

jodconverter.enabled=true

# Identity Service (i.e. Keycloak)
# --------------------------------

# UNCOMMENT TO ENABLE Identity Service (i.e. Keycloak) for ACS
authentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm
identity-service.authentication.enabled=true
identity-service.enable-basic-auth=true
identity-service.authentication.defaultAdministratorUserNames=admin
identity-service.authentication.validation.failure.silent=false
identity-service.auth-server-url=http://localhost:8080/auth
identity-service.realm=alfresco-dbp
identity-service.resource=alfresco-client
identity-service.public-client=true
identity-service.ssl-required=none

Bassam Al-Sarori

7 Replies
bassam_al-saror
Alfresco Employee

Re: Keycloak authentification APS

Looks like APS isn't able to connect to Keycloak. Are they both running on different containers?

narjisseatos
Member II

Re: Keycloak authentification APS

Thanks,

Yes, different containers

bassam_al-saror
Alfresco Employee

Re: Keycloak authentification APS

The Keycloak URL isn't correct it should point to the Keycloak instance. I'm not sure how do it but you look into how to make the Keycloak accessible to APS. I guess docker has a way to make two containers accessible to each other. 

keycloak.auth-server-url=http://localhost:8080/auth

narjisseatos
Member II

Re: Keycloak authentification APS

The Keycloak URL is correct when i call this URL

«localhost:9080/activiti-app» redirects me to :

http://localhost:8080/auth/realms/alfresco-dbp/protocol/openid-connect/auth?response_type=code&clien...

And the two dockers are accessible to each other

I don't understand your response

bassam_al-saror
Alfresco Employee

Re: Keycloak authentification APS

The URL is pointing to localhost which isn't correct since Keycloak is on a different docker.

bassam_al-saror
Alfresco Employee

Re: Keycloak authentification APS

In the exception you posted it's clear that Keycloak is unreachable "Connection refused".

adrianmiramar
Member II

Re: Keycloak authentification APS

I dont know if the problem was the same or similiar but in my case I had to set the "Require SSL" to NONE on the REALM, because the URL validation token has to be SSL and I has a self signed certificate

I don't understand why the error is 404 (I think this is wrong because is very confusing) but the real issue is for conection between APS and the Keycloak.