Keycloak - PHPMYADMIN - SSO


Yadu Chandran

Sep 7, 2021, 12:33:56 PM
to Keycloak User
Dear Team,

Any leads or documentation available for Keycloak SSO for phpMyAdmin? Any help would be really appreciated.

Garth

Sep 7, 2021, 12:40:20 PM
to Yadu Chandran, keyclo...@googlegroups.com
Looks like there is a `signon` auth type where you can implement the redirect and callback yourself. Someone started an example on Stack Overflow:

https://stackoverflow.com/questions/31971158/phpmyadmin-oauth-2-0-client
https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_auth_type

The other option would be to run an OAuth proxy in front of phpmyadmin like this:

https://oauth2-proxy.github.io/oauth2-proxy/

Yadu Chandran

Sep 7, 2021, 12:55:12 PM
to Keycloak User
Thanks for your valuable comments.

How can we pass data from Keycloak to phpMyAdmin for user validation?

Garth

Sep 7, 2021, 12:56:50 PM
to Yadu Chandran, keyclo...@googlegroups.com

Yadu Chandran

Sep 7, 2021, 1:11:02 PM
to Keycloak User
Dear Garth,

What I could understand is like,

I was able to list phpMyAdmin under the applications tab inside the Keycloak user profile.

There we need to click phpMyAdmin, and it will be redirected to the phpMyAdmin default page. There, we mentioned signon as the auth type, so it will go to the signon URL. Inside that signon URL file we need to fetch the user details from Keycloak. So how can we get that?

This is what I could understand, sorry if I am wrong.

Garth

Sep 7, 2021, 1:23:11 PM
to Yadu Chandran, 'Thomas Darimont' via Keycloak User
Look up "OIDC Authorization Code Flow".

Basically:
1. User goes to applications tab in Keycloak
2. User clicks on phpmyadmin
3. User is redirected to phpmyadmin where it uses the `signon` auth type to redirect back to Keycloak
4. User already has a session, so they are sent to the callback you defined in phpmyadmin with a "code" to use to request a token.
5. In the callback handler you wrote, take the code, and use it to call the Keycloak token endpoint to request a token. (https://www.keycloak.org/docs/latest/securing_apps/#token-endpoint)
6. The token that Keycloak will return is a JWT with the user details encoded in it. Looks like there are several PHP libraries for decoding a JWT.
7. If you need more information not in the JWT, you can call Keycloak's userinfo endpoint. (https://www.keycloak.org/docs/latest/securing_apps/#userinfo-endpoint)
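The flow in the numbered steps above, sketched as a phpMyAdmin `signon` script. This is an added example, not code from the thread or from either project. The host names, realm, client id, `KC_CLIENT_SECRET` environment variable, phpMyAdmin path and the username-to-MySQL-account map are assumptions; the `PMA_single_signon_*` session keys are the ones phpMyAdmin's signon mode reads.

```php
<?php
// Added example: hypothetical signon.php for $cfg['Servers'][$i]['SignonURL'].
// Hosts, realm, client id and the account map are placeholders, not from the thread.
const KC = 'https://keycloak.example.com/realms/myrealm/protocol/openid-connect';
const SELF_URL = 'https://pma.example.com/signon.php';
const CLIENT_ID = 'phpmyadmin';
// Constructed map from Keycloak username to the MySQL account phpMyAdmin will use.
const DB_ACCOUNTS = ['alice' => ['user' => 'alice_ro', 'password' => 'CHANGE_ME']];

function keycloak_json(string $url, ?array $post, array $headers = []): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_HTTPHEADER => $headers]);
    if ($post !== null) curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    $body = curl_exec($ch);
    if ($body === false || curl_getinfo($ch, CURLINFO_RESPONSE_CODE) !== 200) {
        http_response_code(502);
        exit('Keycloak request failed');
    }
    return json_decode($body, true, 16, JSON_THROW_ON_ERROR);
}
session_name('SignonSession'); // must match $cfg['Servers'][$i]['SignonSession']
session_start();
if (!isset($_GET['code'])) {
    // Step 3: no code yet, redirect to Keycloak with a fresh anti-CSRF state.
    $_SESSION['oidc_state'] = bin2hex(random_bytes(16));
    header('Location: ' . KC . '/auth?' . http_build_query([
        'response_type' => 'code', 'client_id' => CLIENT_ID, 'scope' => 'openid profile',
        'redirect_uri' => SELF_URL, 'state' => $_SESSION['oidc_state']]));
    exit;
}
// Step 4: callback. Accept the code only with the state this session issued.
$expected = $_SESSION['oidc_state'] ?? '';
unset($_SESSION['oidc_state']);
if ($expected === '' || !hash_equals($expected, (string) ($_GET['state'] ?? ''))) {
    http_response_code(400);
    exit('state mismatch');
}
// Step 5: exchange the code at the token endpoint (secret read from the environment).
$tokens = keycloak_json(KC . '/token', ['grant_type' => 'authorization_code',
    'code' => (string) $_GET['code'], 'redirect_uri' => SELF_URL,
    'client_id' => CLIENT_ID, 'client_secret' => getenv('KC_CLIENT_SECRET')]);
// Step 7: userinfo makes Keycloak validate the token and return the claims.
$claims = keycloak_json(KC . '/userinfo', null, ['Authorization: Bearer ' . $tokens['access_token']]);
$account = DB_ACCOUNTS[$claims['preferred_username'] ?? ''] ?? null;
if ($account === null) { http_response_code(403); exit('no database account mapped'); }
session_regenerate_id(true); // new session id once the user is authenticated
$_SESSION['PMA_single_signon_user'] = $account['user'];
$_SESSION['PMA_single_signon_password'] = $account['password'];
header('Location: /phpmyadmin/index.php'); // assumed phpMyAdmin path
```

Older Keycloak distributions serve these endpoints under `/auth/realms/...`, so adjust `KC` to match the server. phpMyAdmin still logs in to MySQL with the mapped account, so that mapping, not the Keycloak login alone, decides what the user can do in the database.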

Yadu Chandran

Sep 7, 2021, 1:45:58 PM
to Garth, 'Thomas Darimont' via Keycloak User
Thank you Garth for all your support here. Let me try with your inputs and will keep you posted for any updates.