Has anyone successfully integrated keycloak as an OIDC backend for APM on F5?
We are running v13.1 so this version should be able to use this feature, right?
So far I have successfully set up a provider using the autodiscover OpenID URI.
Created a client application on the keycloak server with the client_id and secret.
Next, I'm somewhat confused about how to proceed. From what I read in the docs, I need to configure the custom requests for keycloak, though I can't seem to find these.
But when I try to create a custom F5 keycloak scope request, I always have the same issue: error: HTTP error 401, Error: invalid_request: Authentication failed.
So I don't understand why. I tried to make a tcpdump to see what exactly F5 sends to keycloak, but it hasn't helped for the moment.
I see a client credentials error in the keycloak logs:
But I double-checked the parameters > same ones used in curl ...
@sebastien doucet your setup is indeed a bit different than mine, but the error seems related.
We are using our F5 APM as a full OIDC client, redirecting the user to the IDP logon page, requesting the token, etc.
Regarding the custom scope validation request, mine is more or less the same. Not so many params though, bare minimum only:
What really helped me is to place an iRule between the F5 and keycloak to capture the SSL keys so you can decode the HTTPS traffic in the TCP dump. From there you can decode the tokens etc. using jwt.io and validate what is in there.
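Decoding a token and checking what is in it, as described above, in a short added Python example that is not part of this thread nor any F5 or Keycloak code. It assumes a constructed HS256-signed token and a made-up shared secret (Keycloak normally issues RS256 tokens that APM verifies against the JWKS endpoint, so the HMAC check here stands in for that step); the issuer URL is made up, and the audience value F5-APM-Client is the resource_server_id that appears in the apmd log lines later in the thread.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(header: dict, payload: dict, secret: bytes) -> str:
    # Builds header.payload.signature with an HMAC-SHA256 signature (test stand-in for RS256)
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_token(token: str, expected_issuer: str, expected_audience: str, now: int, secret: bytes = None) -> dict:
    # Decodes the token and reports the checks a resource server makes before trusting it:
    # issuer (must match exactly, port included), audience/azp, expiry, scopes and the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))

    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]

    findings = {
        "alg": header.get("alg"),
        "issuer": payload.get("iss"),
        "issuer_ok": payload.get("iss") == expected_issuer,
        "audience_ok": expected_audience in aud or payload.get("azp") == expected_audience,
        "expired": int(payload.get("exp", 0)) <= now,
        "scopes": payload.get("scope", "").split(),
        "signature_ok": None,  # None means the signature was not checked (no key for this alg)
    }
    if secret is not None and header.get("alg") == "HS256":
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
        findings["signature_ok"] = hmac.compare_digest(expected_sig, b64url_decode(parts[2]))
    return findings


# Constructed sample values (not real endpoints, secrets or tokens).
SAMPLE_NOW = 1_700_000_000
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ISSUER = "https://keycloak.example.test:8443/auth/realms/demo"  # issuer carries the port
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": ["F5-APM-Client"],
    "azp": "F5-APM-Client",
    "exp": SAMPLE_NOW + 300,
    "scope": "openid profile",
}
SAMPLE_TOKEN = make_hs256_token({"alg": "HS256", "typ": "JWT"}, SAMPLE_CLAIMS, SAMPLE_SECRET)


def tampered_token(token: str, new_claims: dict) -> str:
    # Replaces the payload but keeps the original signature, which must then fail verification
    parts = token.split(".")
    parts[1] = b64url_encode(json.dumps(new_claims).encode())
    return ".".join(parts)


if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_TOKEN, SAMPLE_ISSUER, "F5-APM-Client", SAMPLE_NOW, SAMPLE_SECRET), indent=2))
    # The same token checked against an issuer without the port fails the issuer check
    print(json.dumps(inspect_token(SAMPLE_TOKEN, "https://keycloak.example.test/auth/realms/demo", "F5-APM-Client", SAMPLE_NOW, SAMPLE_SECRET), indent=2))
```

Comparing the `issuer` field in the output with the issuer the provider configuration expects is the quickest way to spot a mismatch such as a missing port; `signature_ok` being `None` means the key for that algorithm was not available, which is a different problem from a failed check.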
Hello, just wanted to know if someone finally managed to make this work with F5 APM and keycloak openid (or any custom on-premise oAuth2 or openid provider) and authorisation code flow, custom requests...
I'm trying to do the same for OpenID auth behind an API with v15.1 and AWAF, but without success...
OK, maybe I will not have the issue about the port for introspect / userinfo because the token issuer already includes the port number, as my keycloak is published under port 8443.
I fixed some mistakes about the JWKS and now it seems that the token is well validated at the OAuth Scope (Internal) step but fails at the OAuth Scope (External) step:
Mar 3 15:20:48 f5poc notice apmd[12760]: 01490291:5: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_ag: OAuth Scope: succeeded for jwt-provider-list '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_providerList_keycloak-provider'
Mar 3 15:20:48 f5poc notice apmd[12760]: 014902ae:5: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_1_ag: OAuth Scope: getting list of scopes, associated with access_token, from server '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthServer_keycloak-provider' (resource_server_id=F5-APM-Client)
Mar 3 15:20:48 f5poc err apmd[12760]: 01490290:3: /Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer:Common:dcd521ef:/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthResourceServer_act_oauth_scope_0_1_ag: OAuth Scope: failed for server '/Common/API-Authori-F5ResourceOAuth.app/API-Authori-F5ResourceOAuth_oauthServer_keycloak-provider' (resource_server_id=F5-APM-Client), error: HTTP error 401, Error: invalid_request: Authentication failed.
It seems that using the f5 request type is not working, but I don't understand how to make a custom request for the keycloak IDP in the F5 config.
Thanks for the reply. The specific implementation I'm actually looking for is the resource owner password flow. Do you have the documentation you used to get this successfully working?