
The Keycloak OAuth Policy is a Keycloak-specific OAuth2 policy that regulates access to APIs. Keycloak's token format and authentication mechanism give good performance characteristics and let you tune the setup to your security requirements, so this is generally a sound way to secure an API without a large performance cost. Refer to API Security: Authentication and Authorization for more details.

Configuration Options

Basic Configuration

Realm
  Description: Enter the realm name. It must be a valid FQDN path including the realm name.
  Possible values: a valid FQDN path
  Default: FQDN path automatically set for your PAS installation

Advanced Configuration

Keycloak Realm Certificate
  Description: The certificate used to validate OAuth2 tokens. It must be a PEM-encoded X.509 certificate. If you leave this field empty, the policy tries to fetch the public keys directly from your Keycloak realm. If you want to add the certificate manually, copy it from the Keycloak console: open Keycloak > PAS Realm > Realm Settings > Keys and click Certificate to display and copy the certificate. If your user has no access to the realm settings, ask a Keycloak administrator for help.
  Possible values: a string
  Default: -

Strip Tokens
  Description: Enable to remove any authorization header or token query parameter before forwarding traffic to the API.
  Possible values: enabled, disabled
  Default: disabled

Delegate Kerberos Ticket
  Description: Enable to delegate any Kerberos ticket embedded in the Keycloak token to the API (via the authorization header).
  Possible values: enabled, disabled
  Default: disabled

Forward Roles
  Description: Enable this option to forward Keycloak roles to the Authorization policy. Specify the required role(s) in the Authorization policy configuration.
  Possible values: enabled, disabled
  Default: disabled

Forward Keycloak Token Information
  Description: Fields from the token can be set as headers and forwarded to the API. All standard claims, custom claims and ID token fields are available (field names are case sensitive). The special value access_token forwards the entire encoded token. Nested claims are addressed with JavaScript dot syntax (e.g. address.country, address.formatted). Each row of the mapping table pairs one header with one token field:
    Header: the header to set (its value is taken from the paired field). Possible values: a string. Default: -
    Field: the token field name. Possible values: a string. Default: -

Click Add to create more rows in the table. Click Delete to remove selected rows.
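The following is an added example, not code from the product or this page, showing how the Strip Tokens option and the Header/Field mapping rows described above can be applied to a request: dotted paths are resolved case-sensitively, the special value access_token forwards the whole encoded token, and a mapping whose claim is absent sets no header. The sample claims are constructed, the token is an unsigned JWT-shaped string used only as input (signature validation against the realm certificate is the policy's job and is not shown), and the name of the stripped query parameter (token) and the JSON encoding of non-string claims are assumptions of this example.

```python
import base64
import json
from typing import Any, Dict, Iterable, Mapping, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed sample claims, shaped like a Keycloak access token payload.
# All values are made up for this example.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "2c1b9a6e-example-sub",
    "preferred_username": "alice",
    "email": "alice@example.test",
    "address": {"country": "DE", "formatted": "Example Street 1, 12345 Example City"},
    "realm_access": {"roles": ["api-user", "reports-reader"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(claims: Mapping[str, Any]) -> str:
    """Build an unsigned, JWT-shaped token (header.payload.) purely as example input.
    It would never pass the policy's signature check against the realm certificate."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(dict(claims)).encode())
    return f"{header}.{payload}."


def decode_claims(encoded_token: str) -> Dict[str, Any]:
    """Return the payload of an already-verified JWT as a dict."""
    payload_b64 = encoded_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def resolve_field(claims: Mapping[str, Any], field: str) -> Optional[Any]:
    """Resolve a case-sensitive dotted path such as 'address.country'.
    Returns None when any segment is missing, so no header is set for it."""
    node: Any = claims
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def build_upstream_headers(
    incoming_headers: Mapping[str, str],
    encoded_token: str,
    mappings: Iterable[Tuple[str, str]],
    strip_tokens: bool,
) -> Dict[str, str]:
    """Apply the Strip Tokens option and the Header/Field mapping rows."""
    headers = dict(incoming_headers)
    if strip_tokens:
        # Header names are case-insensitive, so compare in lower case.
        headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    claims = decode_claims(encoded_token)
    for header_name, field in mappings:
        if field == "access_token":
            headers[header_name] = encoded_token  # special value: the whole encoded token
            continue
        value = resolve_field(claims, field)
        if value is None:
            continue  # claim absent in this token: leave the header unset
        # Assumption: non-string claims (lists, objects, numbers) are forwarded as JSON text.
        headers[header_name] = value if isinstance(value, str) else json.dumps(value)
    return headers


def strip_token_query(query: str, param_name: str = "token") -> str:
    """Drop the token query parameter (name 'token' is an assumption) from a query string."""
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != param_name]
    return urlencode(kept)


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    incoming = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    mapping_rows = [
        ("X-User", "preferred_username"),
        ("X-Country", "address.country"),
        ("X-Roles", "realm_access.roles"),
        ("X-Missing", "Address.country"),  # wrong case: no header is set
        ("X-Access-Token", "access_token"),
    ]
    for name, value in sorted(build_upstream_headers(incoming, token, mapping_rows, True).items()):
        print(f"{name}: {value}")
    print(strip_token_query(f"token={token}&page=2"))
```

Running the block prints the upstream header set with the Authorization header removed and the mapped claims added; the X-Missing row produces no header because field names are matched case-sensitively.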
