...

The service should then be available at this address:

https://dev-apps.lin.nhs.uk/auth/ (previously https://dev-api.transformcloud.net/auth/)

Running locally

Keycloak is available from keycloak.org.  It is an application embedded in a JBoss WildFly JEE container.  The easiest way to get it working is to use an existing Docker container; the container used here is set up to work with a MySQL datastore.  To run Keycloak with a dockerized version of MySQL

...

The Apache configuration needs to be set up to talk to Keycloak.  There is an Apache configuration file fragment at https://github.com/Health-Education-England/TIS-SECURITY/blob/master/keycloak/httpd_openidconnect.conf.  

The main elements to configure manually are:

Directive                 Value
OIDCProviderMetadataURL   The URL for the OpenID Connect configuration on Keycloak, for example
                          https://dev-apps.lin.nhs.uk/auth/realms/admin/.well-known/openid-configuration
                          (or http://localhost:8087/auth/realms/hee/.well-known/openid-configuration when
                          running locally).
OIDCClientID              The name of the client created when setting up Keycloak.
OIDCClientSecret          The secret for the client (available from the client's credentials page).
                          For Keycloak this will be a UUID.
OIDCRedirectURI           A redirect URL within the area of the redirect URL set up on the Keycloak
                          client page.
ServerName                The Apache virtual host. (Apache will default to the first virtual host in a
                          file if no virtual host name matches.)
ProxyPass                 The URL of the back-end application you want to protect.
ProxyPassReverse          The same as ProxyPass. (This is used by Apache to change the Location header
                          in 302 responses.)
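The directives from the table assembled into one virtual host, as an added example that is not the project's httpd_openidconnect.conf. The host name, realm `lin` and client id `revalidation` are taken from this page; the back-end address, the redirect path, the secret and the passphrase are placeholders.

```apache
# Added example; not the project's httpd_openidconnect.conf.
# Placeholders to replace: <client secret>, <random passphrase>, backend.internal:8080.
<VirtualHost *:443>
    # Must match the Host header; otherwise Apache falls back to the first vhost in the file.
    ServerName dev-apps.lin.nhs.uk

    # Discovery document: mod_auth_openidc reads the issuer, endpoints and JWKS from here,
    # so token signatures are checked against the keys Keycloak publishes.
    OIDCProviderMetadataURL https://dev-apps.lin.nhs.uk/auth/realms/lin/.well-known/openid-configuration
    OIDCClientID revalidation
    OIDCClientSecret <client secret>

    # Inside the protected Location, but not a path the back end actually serves.
    # It must also be registered as a valid redirect URI on the client in Keycloak.
    OIDCRedirectURI https://dev-apps.lin.nhs.uk/test/redirect_uri

    # Required by mod_auth_openidc: encrypts the session cookie and state. Use a long random value.
    OIDCCryptoPassphrase <random passphrase>

    # Forward ID-token claims as OIDC_CLAIM_* request headers (as seen in the captured request)
    # and set REMOTE_USER from the preferred_username claim.
    OIDCPassClaimsAs headers
    OIDCRemoteUserClaim preferred_username

    <Location /test/>
        AuthType openid-connect
        Require valid-user
        # Back end to protect; ProxyPassReverse rewrites Location headers in 302 responses.
        ProxyPass http://backend.internal:8080/
        ProxyPassReverse http://backend.internal:8080/
    </Location>
</VirtualHost>
```

Because the back end trusts the OIDC_CLAIM_* headers Apache sets, it must be reachable only through this proxy; a client that can reach it directly could supply those headers itself.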

...

Code Block
GET /test/ HTTP/1.1
Host: dev-api.transformcloud.net
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
Referer: https://dev-api.transformcloud.net/auth/realms/lin/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=revalidation&state=B0Lm2UsfMwGy_9sy5C62ymqxONQ&redirect_uri=https%3A%2F%2Fdev-api.transformcloud.net%2Ftest%2Ftest&nonce=iFCESi2NDbvM2xcBQJ7jrLLbxP5szHCZa7k5rwQwwfY
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: session=592cebb9-85db-48ae-9483-b065f86649ec
OIDC_CLAIM_family_name: Hudson
OIDC_CLAIM_sub: b1702d1c-c8bb-4882-99f7-2c7760681b05
OIDC_CLAIM_roles: [view-profile, manage-account, judges, admin, uma_authorization, offline_access]
OIDC_CLAIM_name: James Hudson
OIDC_CLAIM_groups: East of England
OIDC_CLAIM_given_name: James
OIDC_CLAIM_preferred_username: jamesh
OIDC_CLAIM_nbf: 0
OIDC_CLAIM_jti: 268c6c62-05f9-4d8d-b2b2-04cd353cf162
OIDC_CLAIM_session_state: 55ba70b9-2f15-4068-8f4f-4fd23564e24c
OIDC_CLAIM_typ: ID
OIDC_CLAIM_exp: 1476971360
OIDC_CLAIM_iss: https://dev-api.transformcloud.net/auth/realms/lin
OIDC_CLAIM_iat: 1476971060
OIDC_CLAIM_aud: revalidation
OIDC_CLAIM_auth_time: 1476971060
OIDC_CLAIM_azp: revalidation
OIDC_CLAIM_nonce: iFCESi2NDbvM2xcBQJ7jrLLbxP5szHCZa7k5rwQwwfY
OIDC_CLAIM_acr: 1
OIDC_access_token: <long string value>
OIDC_access_token_expires: 1476971360
X-Forwarded-Proto: https
X-Forwarded-Port: 443
X-Forwarded-For: 89.16.226.104
X-Forwarded-Host: dev-api.transformcloud.net
X-Forwarded-Server: dev-api.transformcloud.net
Connection: Keep-Alive


Programmatic Access

The following script shows how a JWT can be acquired and how that token is then used to make an authenticated request, in this case as our jamesh user:

Code Block
#! /bin/bash

# Step 1 - exchange a username and password for tokens (password grant)
export TOKEN=$(curl -s 'https://dev-apps.lin.nhs.uk/auth/realms/lin/protocol/openid-connect/token' \
	-d "client_id=admin-cli&username=jamesh&password=j4m3srul3z&grant_type=password" | jq -r .access_token)

# Step 2 - optional: ask Keycloak whether the token is active (needs the client's id and secret)
curl -s https://dev-apps.lin.nhs.uk/auth/realms/lin/protocol/openid-connect/token/introspect \
	-d client_id=<client id> \
	-d client_secret=<client secret> \
	-d "token=${TOKEN}" \
	| python -m json.tool

# Step 3 - call the protected API with the token as a bearer credential
curl -i -H "Authorization: bearer ${TOKEN}" \
	https://dev-apps.lin.nhs.uk/api/revalidation/health
  1. Use a password grant to exchange a username and password for a JWT. The response from this command is a JSON document containing the access token:

    Code Block
    {
        "access_token": "<long string value>",
        "expires_in": 300,
        "id_token": "<long string value>",
        "not-before-policy": 0,
        "refresh_expires_in": 1800,
        "refresh_token": "<long string value>",
        "session_state": "<uuid>",
        "token_type": "bearer"
    }
  2. In this step, we show how the token is validated using a client id and secret. This step will be completed by mod_auth_openidc and is included for completeness.
  3. In this step, we add the "Authorization: Bearer <access token>" header to our call. Apache will intercept the call, extract the JWT and validate it before forwarding the request to the target API.

LIN Keycloak Theme

We have updated the Keycloak theme for the login screens; the new theme code is held in https://github.com/Health-Education-England/TIS-KEYCLOAK-THEME

...