Hi Team,
I am working on the Keycloak OIDC integration with the ATT&CK Workbench Frontend/REST API. Unfortunately, I still get "401 Unauthorized" after Keycloak redirects back to the application following authentication.
The testing flow:
I open the Workbench webpage and click on the Login button. I also see the "Register" button.
It redirects to the Keycloak login page. I enter valid credentials.
It redirects back to the workbench webpage with 401 Unauthorized.
[root@vps15 attack-workbench-frontend-2.1.0]# docker compose up
....
attack-workbench-rest-api | 2024-08-14T10:05:15.447Z [INFO] ATT&CK Workbench REST API app starting
attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Configuring the app
attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Starting express
attack-workbench-rest-api | 2024-08-14T10:05:15.872Z [INFO] CORS is not enabled
attack-workbench-rest-api | 2024-08-14T10:05:15.907Z [INFO] Enabling HTTP request logging
attack-workbench-rest-api | 2024-08-14T10:05:15.913Z [INFO] Enabling Swagger UI
attack-workbench-rest-api | 2024-08-14T10:05:16.638Z [INFO] Configuring static routes
attack-workbench-rest-api | 2024-08-14T10:05:17.683Z [INFO] Configured authentication mechanism: oidc
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configured authentication mechanism: bearer
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: client credentials
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: challenge apikey
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configuring REST API routes
attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the scheduler
attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the HTTP server...
attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] Listening at http://:::3000
attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] ATT&CK Workbench REST API start up complete
A Keycloak realm has been created with OpenID Connect support. The client has been created with the Standard flow enabled and client authentication turned on. Some users, such as admin@test.com, have been added to Keycloak.
I even modified scripts/configureKeycloak.js to add local users to the workbench database, thinking it might give me a clue, but no luck.
What am I missing? Do you have any idea? Any little hint will be appreciated.
Thanks!
Keycloak changed their implementation at some point. The change breaks the OIDC interoperability with the ATT&CK Workbench REST API. We have a fix for this in testing right now.
Cool. I just wanted to ask about the update. What does the Keycloak OIDC integration look like for today? Are we able to support your testing? I would love to help, thanks.
Here is my setup / some listings attached:
[root@vps15 attack-workbench-frontend-2.1.0]# cat docker-compose.yml
version: "3.9"
services:
  frontend:
    container_name: attack-workbench-frontend
    image: front-xxx
    build: .
    depends_on:
      - rest-api
    ports:
      - "82:80"
    volumes:
      - ./docker-compose-resources/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
  rest-api:
    container_name: attack-workbench-rest-api
    build: ../attack-workbench-rest-api
    image: rest-xxx
    depends_on:
      - mongodb
    ports:
      - "3000:3000"
    volumes:
      - ./docker-compose-resources/rest-api/rest-api-service-config.json:/usr/src/app/resources/rest-api-service-config.json:ro
    environment:
      - DATABASE_URL=mongodb://attack-workbench-database/attack-workspace
      - SERVICE_ACCOUNT_APIKEY_ENABLE=true
      - JSON_CONFIG_PATH=./resources/rest-api-service-config.json
      - WORKBENCH_HOST=http://attack-workbench-rest-api
      - WORKBENCH_AUTHN_SERVICE_NAME=collection-manager
      - AUTHN_MECHANISM=oidc
      - ENABLE_CORS_ANY_ORIGIN=false
      - AUTHN_OIDC_CLIENT_ID=workbench
      # secret redacted in the post
      - AUTHN_OIDC_CLIENT_SECRET=Y2lnS0XXXXXXXX6397WzXr9a1
      # full discovery URL; the realm issuer is the part before /.well-known
      - AUTHN_OIDC_ISSUER_URL=https://vps14.domain.com.pl/realms/edrmetry/.well-known/openid-configuration
      - AUTHN_OIDC_REDIRECT_ORIGIN=https://vps15.domain.com
      - LOG_LEVEL=debug
      - SERVICE_ACCOUNT_OIDC_ENABLE=true
      - WB_REST_SERVICE_ACCOUNT_CHALLENGE_APIKEY_ENABLE=true
  mongodb:
    container_name: attack-workbench-database
    image: mongo
    volumes:
      - db-data:/data/db
    ports:
      # publishes an unauthenticated MongoDB on the host; keep this off any
      # untrusted network or drop the mapping (the REST API reaches it by name)
      - "27017:27017"
volumes:
  db-data:
[root@vps15 attack-workbench-frontend-2.1.0]# cat docker-compose-resources/rest-api/rest-api-service-config.json
{
  "serviceAuthn": {
    "oidcClientCredentials": {
      "enable": true,
      "clients": [
        {
          "clientId": "workbench",
          "serviceRole": "collection-manager"
        }
      ]
    }
  }
}
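As an added example, not part of the original issue and not the Workbench project's own code: the three relying-party checks that a 401 immediately after the Keycloak redirect usually traces to (issuer match, redirect URI match, ID token audience and expiry), implemented offline in Node.js so they can be run against the values in the listings above. The discovery document, the registered redirect URIs and the ID token are constructed sample data, and the callback path /api/authn/oidc/callback is an assumption to be checked against the REST API's routes.

```javascript
// Added diagnostic example: not code from the ATT&CK Workbench project or from the
// original post. It re-implements offline the checks an OIDC relying party makes on
// the way back from the identity provider, which is where a 401 after the redirect
// usually originates: issuer match, redirect URI match, ID token audience and expiry.
// Discovery document, registered redirect URIs, callback path and ID token below are
// constructed sample data.

// AUTHN_OIDC_ISSUER_URL in the post points at the discovery document. The value the
// ID token's `iss` claim must equal is the issuer itself, so normalise both forms.
function issuerFromConfig(configuredUrl) {
  return configuredUrl
    .replace(/\/\.well-known\/openid-configuration\/?$/, '')
    .replace(/\/+$/, '');
}

// Compare the normalised configured issuer with what the provider advertises.
// A mismatch here (scheme, host, port, path, trailing slash) fails every login.
function checkIssuer(configuredUrl, discoveryDoc) {
  const expected = issuerFromConfig(configuredUrl);
  return { ok: expected === discoveryDoc.issuer, expected, actual: discoveryDoc.issuer };
}

// Keycloak matches redirect URIs exactly, except that a registered value may end
// in "*" to allow any path under that prefix. Scheme and host must still match.
function redirectUriAllowed(redirectUri, registeredUris) {
  return registeredUris.some((pattern) =>
    pattern.endsWith('*')
      ? redirectUri.startsWith(pattern.slice(0, -1))
      : redirectUri === pattern);
}

// Decode a JWT payload without verifying the signature. Triage only: a real
// relying party verifies the signature against the provider's JWKS first.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// The ID token claim checks from OpenID Connect Core 1.0 section 3.1.3.7 that
// depend on configuration. Returns a list of problems; empty means acceptable.
function checkIdTokenClaims(payload, { issuer, clientId, now }) {
  const problems = [];
  if (payload.iss !== issuer) problems.push(`iss "${payload.iss}" != "${issuer}"`);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) problems.push(`aud ${JSON.stringify(aud)} lacks "${clientId}"`);
  if (aud.length > 1 && payload.azp !== clientId) problems.push('azp must name this client');
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token expired');
  return problems;
}

// ---- constructed sample data (values taken from the post where available) ----
const CONFIGURED_ISSUER_URL =
  'https://vps14.domain.com.pl/realms/edrmetry/.well-known/openid-configuration';
const REDIRECT_ORIGIN = 'https://vps15.domain.com';
const CLIENT_ID = 'workbench';
// Assumption: the REST API's OIDC callback route; check the project's routes.
const CALLBACK_PATH = '/api/authn/oidc/callback';
const SAMPLE_DISCOVERY = { issuer: 'https://vps14.domain.com.pl/realms/edrmetry' };
// Constructed: one registration whose scheme does not match REDIRECT_ORIGIN, one that does.
const SAMPLE_REGISTERED_HTTP = ['http://vps15.domain.com/*'];
const SAMPLE_REGISTERED_HTTPS = ['https://vps15.domain.com/*'];
const SAMPLE_EXP = 1723630000; // unix time, constructed
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', kid: 'constructed' }),
  b64url({ iss: SAMPLE_DISCOVERY.issuer, aud: CLIENT_ID, sub: 'admin@test.com', exp: SAMPLE_EXP }),
  'c2lnbmF0dXJl', // placeholder signature, never verified here
].join('.');

// Run all checks for one login attempt and return a summary.
function runChecks({ registeredUris, now }) {
  const issuer = checkIssuer(CONFIGURED_ISSUER_URL, SAMPLE_DISCOVERY);
  const redirectUri = REDIRECT_ORIGIN + CALLBACK_PATH;
  const tokenProblems = checkIdTokenClaims(decodeJwtPayload(SAMPLE_ID_TOKEN), {
    issuer: SAMPLE_DISCOVERY.issuer, clientId: CLIENT_ID, now,
  });
  return {
    issuerOk: issuer.ok,
    redirectOk: redirectUriAllowed(redirectUri, registeredUris),
    tokenProblems,
  };
}

console.log(runChecks({ registeredUris: SAMPLE_REGISTERED_HTTP, now: SAMPLE_EXP - 60 }));
console.log(runChecks({ registeredUris: SAMPLE_REGISTERED_HTTPS, now: SAMPLE_EXP - 60 }));
```

To turn this into a live check, replace SAMPLE_DISCOVERY with the JSON fetched from AUTHN_OIDC_ISSUER_URL, SAMPLE_REGISTERED_HTTPS with the client's "Valid redirect URIs" from the Keycloak admin console, and SAMPLE_ID_TOKEN with a token captured from the callback; the signature still has to be verified against the provider's jwks_uri before any claim is trusted. Note also that the debug log excerpt in the post stops at startup: the lines the REST API emits while handling the callback are the ones that state why it answered 401.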