Skip to main content
Skip table of contents

Keycloak OAuth

The Keycloak OAuth Policy is a Keycloak-specific OAuth2 policy to regulate access to APIs. Keycloak’s token format and auth mechanism facilitate excellent performance characteristics and enable users to easily tune the setup to meet their security requirements. In general, this is a good approach for achieving security without greatly impacting performance.

Do not use the Keycloak OAuth policy together with the other authentication policies BASIC Authentication and JWT. The chaining of these policies does not currently work, but this may change in future versions.

Use the provided links underneath the fields Delegate Kerberos Ticket and Header to open further information on the subjects.

Configuration Options

Option
TypeDescriptionPossible ValuesDefault
Require OAuth
Boolean

Terminate request if no OAuth token is provided.


Make sure that this option is true if you want to use this policy for authentication.


true / falsetrue
Require Transport Security
Boolean

Any request used without transport security will be rejected. OAuth2 requires transport security (e.g. TLS, SSL) to provide protection against replay attacks.

Please disable the TLS check if you are using Scheer PAS 21.1 or a newer version, because all PAS components are running behind a proxy server.

true / falsefalse
Blacklist Unsafe Tokens
BooleanAny tokens used without transport security will be blacklisted in all gateways to mitigate associated security risks. Uses distributed data store to share blacklist.true / falsefalse
Strip Tokens
BooleanRemove any Authorization header or token query parameter before forwarding traffic to the API.true / falsefalse
Realm
StringEnter the realm name. It must be a full ISS domain path, for example http://scheer-keycloak:8080/pas-doc/keycloak/realms/PAS--
Keycloak Realm Certificate
String

To validate OAuth2 requests. Must be a PEM-encoded X.509 certificate. You can copy it from the Keycloak console.

If you leave this field empty, the policy will try to get the public keys directly from your Keycloak.

--
Forward Authorization Roles
Enum

Choose the type of roles to forward.

It is not possible to forward realm and application roles, only one or the other.

Forward Realm Roles

Forward Application Roles

Forward Realm Roles
Forward Realm Roles?
Boolean Select wether to forward realm roles. true / falsefalse
Forward Application Roles?
Boolean Select whether to forward application roles. true / falsefalse
Application Name
String

Which application roles to forward. If you choose to forward application roles, you must provide the  applicationName.

--
Delegate Kerberos Ticket
BooleanDelegate any Kerberos Ticket embedded in the Keycloak token to the API (via the Authorization header).true / falsefalse
Header
Array[<forwardAuthInfo>] Set auth information from the token into header(s).
--

Forward AuthInfo Options
HeadersStringThe header value to set (to paired field).

FieldStringThe token field name.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.