Enable JWT auth with keycloak


Michael D.

Feb 14, 2019, 6:06:58 AM
to Vault
Hello,

I try to get started with Vault. So I just wanted to try out the jwt auth. So I tried to follow the documentation https://www.vaultproject.io/docs/auth/jwt.html#configuration

As I executed these commands, I just failed:

> vault auth enable jwt
Success! Enabled jwt auth method at: jwt/
> vault write auth/jwt/config \
    oidc_discovery_url="https://keycloak/auth/realms/dev/.well-known/openid-configuration" \
    oidc_discovery_ca_pem="-----BEGIN CERTIFICATE-----
MII...
...
MrY=
-----END CERTIFICATE-----"

Error writing data to auth/jwt/config: Error making API request.

URL: PUT http://vault/v1/auth/jwt/config
Code: 400. Errors:

* error checking discovery URL: error creating provider with given values: 404 Not Found:

I already enabled the TRACE logs of Vault, but nothing helpful was found:

...
2019-02-14T10:41:46.697Z [INFO]  core: successfully enabled credential backend: type=jwt path=jwt/
...
2019-02-14T10:42:46.698Z [DEBUG] rollback: attempting rollback: path=auth/jwt/
2019-02-14T10:42:46.698Z [DEBUG] rollback: attempting rollback: path=cubbyhole/
2019-02-14T10:42:46.698Z [DEBUG] rollback: attempting rollback: path=identity/
...

So I wonder how I can get to the root cause of this error message.

Regards,
Michael

Vasilev Vjacheslav

Feb 14, 2019, 7:49:42 PM
to Vault
The discovery URL must include only the domain name of your Keycloak server, without the .well-known part.

https://www.vaultproject.io/api/auth/jwt/index.html#configure

Michael D.

Feb 19, 2019, 11:01:31 AM
to Vault
Hi,

I upgraded to vault 1.0.3 and tried both "https://keycloak" and "keycloak":

vault write auth/jwt/config \
    oidc_discovery_url="https://keycloak" \
    oidc_discovery_ca_pem="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"

Error writing data to auth/jwt/config: Error making API request.

URL: PUT http://vault/v1/auth/jwt/config
Code: 400. Errors:

* error checking discovery URL: error creating provider with given values: 404 Not Found: <html><head><title>Error</title></head><body>404 - Not Found</body></html>

vault write auth/jwt/config \
    oidc_discovery_url="keycloak" \
    oidc_discovery_ca_pem="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"

Error writing data to auth/jwt/config: Error making API request.

URL: PUT http://vault/v1/auth/jwt/config
Code: 400. Errors:

* error checking discovery URL: error creating provider with given values: Get keycloak/.well-known/openid-configuration: unsupported protocol scheme ""

We also have several realms. So https://keycloak/.well-known/openid-configuration does not exist, but this exists: https://keycloak/auth/realms/dev/.well-known/openid-configuration

So how can I change the configuration that way?

Regards,
Michael

Vasilev Vjacheslav

Feb 19, 2019, 1:16:07 PM
to Vault
Hi,

I don't know the exact configuration, but Vault wasn't able to connect to the Keycloak server (1) because of a wrong URL, (2) because of the missing http:// protocol prefix; and oidc_discovery_ca_pem is only required for https communication.

On Tuesday, 19 February 2019 at 18:01:31 UTC+2, Michael D. wrote:

Jeff Mitchell

Feb 19, 2019, 2:46:34 PM
to Vault
Hi,

Note that Vasilev suggested changing the URL to not specify the
.well-known part, but you then removed everything else along with it.
My guess is the URL needs to be https://keycloak/auth/realms/dev/

Best,
Jeff

Michael D.

Feb 20, 2019, 4:33:54 AM
to Vault
Hi Jeff,

Thanks. You're right. https://keycloak/auth/realms/dev (without a slash at the end!) is working fine so far.

Regards,
Michael
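The three shapes of oidc_discovery_url tried in this thread fail for three different reasons, and all of them can be caught before calling Vault. The script below is an added example (not code from any poster or from Vault itself): it assumes the host "keycloak" and realm "dev" from the thread, a CA file named keycloak-ca.pem, and a constructed discovery document in the shape Keycloak serves.

```bash
# Preflight check for the oidc_discovery_url value given to
# `vault write auth/jwt/config`. It catches the three shapes tried in this
# thread before Vault does: a URL that already ends in
# /.well-known/openid-configuration (Vault appends that path itself -> 404),
# a URL without a scheme ("unsupported protocol scheme"), and a trailing
# slash (the issuer Keycloak advertises has none, so the provider check fails).
# Host "keycloak" and realm "dev" come from the thread; the document is constructed.

# Print the discovery URL Vault will fetch for $1; fail with a reason on stderr.
check_discovery_url() {
  case "$1" in
    */.well-known/openid-configuration)
      echo "drop the /.well-known/openid-configuration suffix; Vault appends it" >&2
      return 1 ;;
  esac
  case "$1" in
    http://*|https://*) ;;
    *) echo "missing scheme: use https://..." >&2; return 1 ;;
  esac
  case "$1" in
    */) echo "trailing slash: the issuer in the discovery document has none" >&2; return 1 ;;
  esac
  printf '%s/.well-known/openid-configuration\n' "$1"
}

# Succeed only if the "issuer" in discovery document $2 equals configured URL $1.
# Vault's jwt plugin (built on go-oidc) rejects the provider when these differ.
issuer_matches() {
  issuer=$(printf '%s\n' "$2" | sed -n 's/.*"issuer" *: *"\([^"]*\)".*/\1/p')
  [ -n "$issuer" ] && [ "$issuer" = "$1" ]
}

# Constructed discovery document in the shape Keycloak serves for realm "dev".
SAMPLE_DISCOVERY='{"issuer":"https://keycloak/auth/realms/dev","jwks_uri":"https://keycloak/auth/realms/dev/protocol/openid-connect/certs"}'

# Wire it into the real write: curl -f turns a 404 into a non-zero status, and
# the same CA file is handed to Vault via the CLI's @file syntax.
configure_vault_jwt() {
  url=$1; ca_pem=$2
  discovery=$(check_discovery_url "$url") || return 1
  doc=$(curl -fsS --cacert "$ca_pem" "$discovery") || return 1
  issuer_matches "$url" "$doc" || { echo "issuer mismatch" >&2; return 1; }
  vault write auth/jwt/config oidc_discovery_url="$url" oidc_discovery_ca_pem=@"$ca_pem"
}
# e.g. configure_vault_jwt https://keycloak/auth/realms/dev keycloak-ca.pem
```

Of the values posted in the thread, only https://keycloak/auth/realms/dev passes the string checks; "https://keycloak" passes them too but is then rejected by the curl -f fetch (404), which matches what Vault reported.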