The Keycloak OAuth Policy is a Keycloak-specific OAuth2 policy that regulates access to APIs. Because Keycloak issues signed JWT access tokens, the gateway can validate each request locally against the realm's public key instead of calling Keycloak on every request. This gives good performance while still letting you tune the checks (realm, certificate, what is forwarded to the API) to your security requirements. Refer to API Security: Authentication and Authorization for more details.
Configuration Options
Basic Configuration
Option: Realm
Description: The Keycloak realm that issues the tokens, given as a fully qualified host name and path ending in the realm name. When no certificate is configured under Advanced Configuration, the policy fetches the realm's public keys from this location.
Possible values: a valid FQDN path
Default: the FQDN path set automatically for your PAS installation
Advanced Configuration
Option: Keycloak Realm Certificate
Description: The certificate used to validate the signature of incoming OAuth2 tokens. Must be a PEM-encoded X.509 certificate. If you leave this field empty, the policy tries to fetch the public keys directly from your Keycloak realm. If you want to pin the certificate manually, copy it from the Keycloak console. Note that a pinned certificate must be updated whenever the realm's signing key is rotated, otherwise token validation fails.
Where to find the Keycloak certificate: open Keycloak > PAS Realm > Realm Settings > Keys and click Certificate to display and copy the certificate. If your user has no access to the realm settings, ask a Keycloak administrator for help.
Possible values: a string
Default: -

Option: Strip Tokens
Description: Enable to remove any Authorization header or token query parameter before traffic is forwarded to the API. Enable this unless the API itself needs the bearer token; it keeps the token out of the backend and its logs.
Possible values: enabled, disabled
Default: disabled

Option: Delegate Kerberos Ticket
Description: Enable to delegate any Kerberos ticket embedded in the Keycloak token to the API (via the Authorization header).
Possible values: enabled, disabled
Default: disabled

Option: Forward Roles
Description: Enable to forward the roles contained in the Keycloak token to the Authorization policy. Specify the required role(s) in the Authorization policy configuration; the roles are only checked if an Authorization policy is also configured for the API.
Possible values: enabled, disabled
Default: disabled
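The validation that the Keycloak Realm Certificate option configures, as an added example in Go that is not the PAS policy's own code: the realm side mints a token signed with its key (constructed test material, standing in for Keycloak), and the gateway side checks the signature against the PEM certificate with the algorithm pinned to RS256, then checks issuer and expiry before any claim is used. The realm URL, the claim names and the self-signed certificate are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// NewRealmCert stands in for the Keycloak realm: a fresh RSA signing key and its
// self-signed X.509 certificate, PEM-encoded as the policy expects (constructed test
// material; a real deployment copies the certificate from Realm Settings > Keys).
func NewRealmCert() (*rsa.PrivateKey, string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// MintToken signs claims as an RS256 compact JWT, the format Keycloak issues (issuer side).
func MintToken(key *rsa.PrivateKey, claims map[string]any) string {
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64.EncodeToString(sig)
}

// ValidateToken is the gateway side: verify the signature against the realm certificate
// with the algorithm pinned, then check issuer and expiry, before any claim is trusted.
func ValidateToken(rawJWT, certPEM, realmURL string) (map[string]any, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		return nil, errors.New("realm certificate is not PEM-encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("realm certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("realm certificate does not carry an RSA public key")
	}
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS")
	}
	headerJSON, errH := b64.DecodeString(parts[0])
	payloadJSON, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("token segments are not base64url")
	}
	// Pin the algorithm: the token header must not be allowed to select "none"
	// or an HMAC alg keyed with the (public) certificate bytes.
	var hdr struct{ Alg string }
	if err := json.Unmarshal(headerJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the realm certificate")
	}
	var claims map[string]any
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	if iss, _ := claims["iss"].(string); iss != realmURL {
		return nil, fmt.Errorf("issuer %q is not the configured realm %q", iss, realmURL)
	}
	if exp, ok := claims["exp"].(float64); !ok || int64(exp) <= time.Now().Unix() {
		return nil, errors.New("token has expired or carries no exp claim")
	}
	return claims, nil
}

func main() {
	key, certPEM := NewRealmCert()
	realm := "https://keycloak.example.com/auth/realms/pas" // assumed realm URL
	tok := MintToken(key, map[string]any{"iss": realm, "exp": time.Now().Add(time.Hour).Unix(), "preferred_username": "alice"})
	claims, err := ValidateToken(tok, certPEM, realm)
	fmt.Println(claims["preferred_username"], err)
}
```

The issuer check ties the token to the configured realm, so a token signed by a different realm whose certificate happens to be trusted is still rejected; the alg pin and the strict three-segment parse are what keep a forged header from steering the verifier.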
Forward Keycloak Token Information
Fields from the token can be set as headers and forwarded to the API. All standard claims, custom claims and ID token fields are available; field names are case sensitive. The special value access_token forwards the entire encoded token. Nested claims are accessed with JavaScript dot syntax (e.g. address.country, address.formatted). Because the API receives these values as plain headers, it must accept them only from the gateway: a client that can reach the API directly could set the same headers itself.
Option: Header
Description: The name of the HTTP header to set; its value is taken from the paired Field.
Possible values: a string
Default: -

Option: Field
Description: The name of the token field (claim) whose value is forwarded in the paired Header.
Possible values: a string
Default: -

Click Add to create more rows in the table. Click Delete to remove selected rows.
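How the Header/Field rows, the access_token special value and Strip Tokens combine when a validated request is forwarded, as an added Go example that is not the PAS policy's own code. The decoded claims, the header names and the name of the stripped query parameter (access_token, the RFC 6750 name, assumed here) are constructed for the example. It goes slightly beyond the table in one respect: a client-supplied header with the same name as a forwarded one is overwritten, so a caller cannot smuggle its own value past the gateway.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// HeaderMapping is one Header/Field row of the "Forward Keycloak Token Information" table.
type HeaderMapping struct{ Header, Field string }

// SampleClaims is a constructed decoded Keycloak token (not captured from a real realm).
func SampleClaims() map[string]any {
	return map[string]any{
		"iss":                "https://keycloak.example.com/auth/realms/pas",
		"preferred_username": "alice",
		"email":              "alice@example.com",
		"email_verified":     true,
		"address":            map[string]any{"country": "DE", "formatted": "Example St 1, Berlin"},
		"realm_access":       map[string]any{"roles": []any{"user", "orders-read"}},
	}
}

// LookupField resolves a case-sensitive claim name or dot path such as
// "address.country" in the decoded token (the Field column).
func LookupField(claims map[string]any, field string) (string, bool) {
	var cur any = claims
	for _, part := range strings.Split(field, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return "", false
		}
		if cur, ok = m[part]; !ok {
			return "", false
		}
	}
	switch v := cur.(type) {
	case string:
		return v, true
	case float64:
		return strconv.FormatFloat(v, 'f', -1, 64), true
	case bool:
		return strconv.FormatBool(v), true
	}
	return "", false // arrays and objects are not flattened into a single header value here
}

// BuildForwardHeaders applies the Header/Field rows to a validated token. The special
// field "access_token" forwards the whole encoded token; a field absent from the token
// sets no header at all rather than an empty one.
func BuildForwardHeaders(rawJWT string, claims map[string]any, rows []HeaderMapping) map[string]string {
	out := map[string]string{}
	for _, r := range rows {
		if r.Field == "access_token" {
			out[r.Header] = rawJWT
		} else if v, ok := LookupField(claims, r.Field); ok {
			out[r.Header] = v
		}
	}
	return out
}

// ForwardToAPI rewrites the inbound request the way the gateway does before the call
// reaches the API: forwarded claim headers are set (replacing any client-supplied header
// of the same name), and with stripTokens the bearer token is removed from both the
// Authorization header and the access_token query parameter.
func ForwardToAPI(req *http.Request, rawJWT string, claims map[string]any, rows []HeaderMapping, stripTokens bool) {
	for h, v := range BuildForwardHeaders(rawJWT, claims, rows) {
		req.Header.Set(h, v)
	}
	if stripTokens {
		req.Header.Del("Authorization")
		q := req.URL.Query()
		q.Del("access_token")
		req.URL.RawQuery = q.Encode()
	}
}

func main() {
	req, _ := http.NewRequest("GET", "https://api.example.com/orders?access_token=raw.jwt&page=2", nil)
	req.Header.Set("Authorization", "Bearer raw.jwt")
	rows := []HeaderMapping{{"X-User", "preferred_username"}, {"X-Country", "address.country"}}
	ForwardToAPI(req, "raw.jwt", SampleClaims(), rows, true)
	fmt.Println(req.Header, req.URL.RawQuery)
}
```

Note that "Email" (wrong case) and "realm_access.roles" (an array) produce no header with this lookup; roles reach the API only through the Forward Roles option and an Authorization policy, not through the header table.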