The Keycloak OAuth Policy is a Keycloak-specific OAuth2 policy that regulates access to APIs. Keycloak's token format and authentication mechanism offer good performance characteristics and let you tune the setup to your security requirements; in general this achieves security without greatly impacting performance. Refer to API Security: Authentication and Authorization for more details.

Configuration Options

Basic Configuration

Option: Realm
Description: Enter the realm name. It must be a valid FQDN path including the realm name.
Possible values: a valid FQDN path
Default: the FQDN path automatically set for your PAS installation

Advanced Configuration

Option: Keycloak Realm Certificate
Description: Used to validate OAuth2 requests. Must be a PEM-encoded X.509 certificate. If you leave this field empty, the policy will try to fetch the public keys directly from your Keycloak realm. If you want to add the certificate manually, you can copy it from the Keycloak console.
Where to find the Keycloak certificate: open Keycloak > PAS Realm > Realm Settings > Keys and click Certificate to display and copy the certificate. If your user has no access to the realm settings, ask a Keycloak administrator for help.
Possible values: a string
Default: -

Option: Strip Tokens
Description: Enable to remove any authorization header or token query parameter before forwarding traffic to the API.
Possible values: enabled, disabled
Default: disabled

Option: Delegate Kerberos Ticket
Description: Enable to delegate any Kerberos ticket embedded in the Keycloak token to the API (via the authorization header).
Possible values: enabled, disabled
Default: disabled

Option: Forward Roles
Description: Enable this option to forward Keycloak roles to the Authorization policy. You should specify your required role(s) in the Authorization policy configuration.
Possible values: enabled, disabled
Default: disabled

Option: Forward Keycloak Token Information
Description: Fields from the token can be set as headers and forwarded to the API. Each entry pairs a header with a token field:

  Option: Header
  Description: The header value to set (to the paired field).
  Possible values: a string
  Default: -

  Option: Field
  Description: The token field name.
  Possible values: a string
  Default: -
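The following Python is an added reference model, not code from the policy or from PAS, of how the options above act on one request: the token is read from the Authorization header or the token query parameter, Strip Tokens removes it, Forward Roles exposes the realm roles, and each Header/Field pair copies a claim into a header. The X-Keycloak-Roles header name, the dotted field syntax and the sample token are assumptions; signature validation against the realm certificate is out of scope here and must have happened before the claims are trusted.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token():
    """Constructed sample token in Keycloak's claim layout (placeholder signature)."""
    claims = {"preferred_username": "alice",
              "realm_access": {"roles": ["api-user", "offline_access"]}}
    return b64url({"alg": "RS256", "typ": "JWT"}) + "." + b64url(claims) + ".sig"

def decode_claims(token):
    """Read the payload; signature checks against the realm cert happen earlier."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def lookup_field(claims, field):
    """Resolve a token field; dotted names walk nested objects (assumption)."""
    value = claims
    for part in field.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def apply_policy(url, headers, config):
    """Return (url, headers) as they would be forwarded to the API."""
    out = dict(headers)
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    auth = out.get("Authorization", "")
    token = auth[7:] if auth.startswith("Bearer ") else query.get("token")
    if token is None:
        raise PermissionError("no bearer token or token query parameter")
    claims = decode_claims(token)
    if config.get("strip_tokens"):                  # Strip Tokens
        out.pop("Authorization", None)
        query.pop("token", None)
    if config.get("forward_roles"):                 # Forward Roles; header name assumed
        out["X-Keycloak-Roles"] = ",".join(lookup_field(claims, "realm_access.roles") or [])
    for header, field in config.get("forward", []): # Forward Keycloak Token Information
        out.pop(header, None)                       # never keep a client-supplied copy
        value = lookup_field(claims, field)
        if value is not None:
            out[header] = value if isinstance(value, str) else json.dumps(value)
    return urlunsplit(parts._replace(query=urlencode(query))), out
```

A client-supplied header with the same name as a forwarded one is dropped before the claim value is written, so the API only ever sees values the policy set; a missing claim sets no header at all.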


Working with Keycloak Tokens


How to Get the Secret


How to Retrieve the Keycloak Token


How to Use the Token for a Request


