The Keycloak OAuth Policy is a Keycloak-specific OAuth2 policy that regulates access to APIs. Keycloak's token format and authentication mechanism give good performance and let you tune the setup to your security requirements. In general, this is a good way to secure an API without a large performance cost. Refer to API Security: Authentication and Authorization for more details.
Configuration Options
Basic Configuration
Option | Description | Possible Values | Default
---|---|---|---
Realm | Enter the realm name. It must be a valid FQDN path including the realm name. | a valid FQDN path | FQDN path automatically set for your PAS installation
Advanced Configuration
Option | Description | Possible Values | Default
---|---|---|---
Keycloak Realm Certificate | Used to validate OAuth2 requests. Must be a PEM-encoded X.509 certificate. If you leave this field empty, the policy tries to fetch the public keys directly from your Keycloak realm. If you want to add the certificate manually, copy it from the Keycloak console. | a string | -
Strip Tokens | Enable to remove any authorization header or token query parameter before forwarding traffic to the API. | | disabled
Delegate Kerberos Ticket | Enable to delegate any Kerberos ticket embedded in the Keycloak token to the API (via the authorization header). | | disabled
Forward Roles | Enable this option to forward Keycloak roles to the Authorization policy. Specify the required role(s) in the Authorization policy configuration. | | disabled

Forward Keycloak Token Information

Fields from the token can be set as headers and forwarded to the API.

Option | Description | Possible Values | Default
---|---|---|---
Header | The header to set from the paired token field. | a string | -
Field | The token field name. | a string | -
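To make the checks behind these options concrete, here is an added Go example (not code from the product or from Keycloak) that does what the policy does at the gateway: verify the RS256 bearer token against the realm's public key, check that the issuer is the configured realm and that the token has not expired, set one header per configured token field, and strip the Authorization header. The realm URL, header names and claims are constructed for the demo; the public key is passed in directly (parsing the PEM certificate or fetching the realm's keys is not shown), and `MintToken` only stands in for the realm issuing a token.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// ApplyPolicy verifies the RS256 bearer token against the realm key, checks issuer (realm URL) and
// expiry, forwards configured token fields as headers and, with strip, removes the Authorization header.
func ApplyPolicy(hdrs map[string]string, pub *rsa.PublicKey, realm string, fieldToHeader map[string]string, strip bool) error {
	parts := strings.Split(strings.TrimPrefix(hdrs["Authorization"], "Bearer "), ".")
	var jh struct{ Alg string `json:"alg"` } // pin the algorithm: the token must not choose "none" or HS256
	if h, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &jh) != nil || jh.Alg != "RS256" {
		return errors.New("missing, malformed or unsupported token")
	}
	sig, serr := enc.DecodeString(parts[2])
	body, berr := enc.DecodeString(parts[1])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var claims map[string]interface{}
	if serr != nil || berr != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil || json.Unmarshal(body, &claims) != nil {
		return errors.New("signature does not verify against the realm key")
	}
	if exp, ok := claims["exp"].(float64); claims["iss"] != realm || !ok || time.Now().Unix() >= int64(exp) {
		return errors.New("token from another realm or expired")
	}
	for field, header := range fieldToHeader { // e.g. "preferred_username" -> "X-User" (constructed names)
		hdrs[header], _ = claims[field].(string) // always overwrite, so a client-supplied header cannot pass through
	}
	if strip { // Strip Tokens: the backend API never receives the bearer token itself
		delete(hdrs, "Authorization")
	}
	return nil
}

// MintToken signs claims as the realm would; a constructed helper for this demo, not Keycloak code.
func MintToken(priv *rsa.PrivateKey, claims map[string]interface{}) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	p, _ := json.Marshal(claims)
	signing := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + enc.EncodeToString(sig)
}
```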