Configuring OIDC Federated Identity Provider Initiated Logout in WSO2 Identity Server with Keycloak
The diagram above illustrates the OIDC federated identity provider initiated logout flow between WSO2 Identity Server (WSO2 IS), which acts as the primary identity provider, and Keycloak, which acts as the federated identity provider. In this blog we'll use two sample applications, Pickup-Dispatch and Pickup-Manager, to demonstrate the flow: Pickup-Dispatch is registered in WSO2 IS, which federates its logins to Keycloak, while Pickup-Manager is registered directly in Keycloak. When the user logs out of Pickup-Manager, Keycloak ends its session and sends a back-channel logout token to WSO2 IS, which terminates the federated session and, in turn, logs the user out of Pickup-Dispatch.
This flow can be configured in 7 steps:
- Configure WSO2 IS as a service provider in Keycloak
- Create a user in Keycloak
- Configure Keycloak as an identity provider in WSO2 IS
- Import the certificate of WSO2 IS into the Keycloak truststore
- Import the certificate of Keycloak into the WSO2 IS truststore
- Configure Pickup-Dispatch in WSO2 IS
- Configure Pickup-Manager in Keycloak
1. Configure WSO2 IS as a Service Provider in the Keycloak
- Download the Keycloak server from their website and extract the zip file. Run the following command inside the bin folder. This starts Keycloak on port 8090: we use a port offset of 10 because our sample applications will run on Tomcat's default port 8080.
sh standalone.sh -Djboss.socket.binding.port-offset=10
- Now we need to create an admin user in Keycloak. Go to http://localhost:8090/auth/ .
- In the Administration Console section, enter a username and a password for the new admin user. Once the user is created, click Administration Console and you'll be prompted to log in.
- Once you're logged in, open the realm drop-down (Master) and click Add realm. Give it a suitable name and create the realm. In this blog we'll be using 'test' as the realm name; it appears in every Keycloak endpoint below, so if you choose another name adjust the URLs accordingly.
- Once the realm is created, go to the Clients section under Configure and click Create. Give a preferred name for the client id and select 'openid-connect' as the client protocol. This client id is the audience of the tokens Keycloak issues to WSO2 IS and is entered in WSO2 IS in step 3.
In the Settings section of the client:
- Select confidential as the Access Type
- Enter https://localhost:9443/commonauth as a Valid Redirect URI (WSO2 IS's callback endpoint; keep it exact rather than using a wildcard so Keycloak can only send authorization codes there)
- Enter https://localhost:9443/identity/oidc/slo as the Back-channel Logout URL (the endpoint WSO2 IS exposes to receive logout tokens from federated identity providers)
- Turn off the Backchannel Logout Session Required setting. With it off, Keycloak omits the sid claim from the logout token and identifies the user by sub only; per the back-channel logout specification the intent of such a token is that all of that user's sessions at the receiver are logged out, not a single one.
- Save the settings
- After saving, the client gets a new tab named Credentials. Note the Secret value; it is needed in step 3.
2. Create a User in the Keycloak.
- Go to Users under the Manage section and click Add user. Enter a username and save.
- Once the user is created, go to the Credentials tab and set a password. Turn off the Temporary setting so the user is not forced to change the password at first login; this is acceptable only because this is a test scenario.
3. Configure Keycloak as an Identity Provider in the WSO2 IS
- Run the WSO2 Identity Server. Use the following command inside the bin folder to start the server.
sh wso2server.sh
- Go to the management console of WSO2 IS (https://localhost:9443/carbon). Navigate to Main > Identity > Identity Providers and click Add.
- Enter a name for the identity provider (this blog uses Keycloak; the same name is selected for the service provider in step 6). Under Federated Authenticators > OAuth2/OpenID Connect Configuration, enter the Client Id of the client created in step 1, the Secret noted from its Credentials tab, and the following endpoints:
Authorization Endpoint: http://localhost:8090/auth/realms/test/protocol/openid-connect/auth
Token Endpoint: http://localhost:8090/auth/realms/test/protocol/openid-connect/token
Callback URL: https://localhost:9443/commonauth
UserInfo Endpoint: http://localhost:8090/auth/realms/test/protocol/openid-connect/userinfo
Logout Endpoint: http://localhost:8090/auth/realms/test/protocol/openid-connect/logout
JWKS Endpoint: http://localhost:8090/auth/realms/test/protocol/openid-connect/certs
Issuer Name: http://localhost:8090/auth/realms/test
- All of these values are published in Keycloak's discovery document, http://localhost:8090/auth/realms/test/.well-known/openid-configuration. Copy the issuer exactly as published: WSO2 IS matches it against the iss claim of the ID tokens and logout tokens Keycloak sends, and a mismatch rejects them.
To establish trust between WSO2 IS and Keycloak we need to import the public certificate of each server into the trust store of the other. Keycloak needs the WSO2 IS certificate because the back-channel logout request is sent to https://localhost:9443/identity/oidc/slo, which WSO2 IS serves with its default self-signed wso2carbon certificate. In this local setup Keycloak itself is reached over plain HTTP, so the Keycloak certificate imported into WSO2 IS in step 5 only comes into play once Keycloak is served over HTTPS, which it should be anywhere outside a lab.
4. Import the certificate of WSO2 IS into the Keycloak truststore
- Shut down the Keycloak server and the WSO2 Identity Server. Go to <KEYCLOAK_HOME>/standalone/configuration and use the following command to create a new keystore (if there is an existing truststore.jks, remove it first).
Here the CN value must match the host name Keycloak is reached by (localhost in this setup).
keytool -genkey -alias server -keyalg RSA -keysize 2048 -validity 3650 -keystore truststore.jks -dname "CN=localhost,OU=Support,O=WSO2,L=Colombo,S=Western,C=LK" -storepass password -keypass password -noprompt
- Use the following command to export the public certificate of the key pair just generated. We will use this file in step 5.
keytool -export -alias server -file keycloak.crt -keystore truststore.jks -storepass password -noprompt
- Go to <IS_HOME>/repository/resources/security and use the following command to export the public certificate of WSO2 IS. (keytool writes DER by default despite the .pem file name; keytool -import accepts either format.)
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publickey.pem -storepass wso2carbon
- Go back to <KEYCLOAK_HOME>/standalone/configuration and use the following command to import the exported WSO2 IS certificate into the Keycloak truststore.
keytool -import -alias wso2 -file publickey.pem -keystore truststore.jks -storepass password
- Now register this keystore as Keycloak's truststore by adding the following to <KEYCLOAK_HOME>/standalone/configuration/standalone.xml, inside the keycloak-server subsystem (<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">). The keystore password is stored in clear text here, so choose one you are willing to keep in a configuration file.
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="${jboss.home.dir}/standalone/configuration/truststore.jks"/>
            <property name="password" value="password"/>
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="enabled" value="true"/>
        </properties>
    </provider>
</spi>
5. Import the Keycloak certificate into the WSO2 Identity Server trust store
- Copy keycloak.crt from <KEYCLOAK_HOME>/standalone/configuration to <IS_HOME>/repository/resources/security, then run the following command there to import it into client-truststore.jks.
keytool -import -trustcacerts -alias keycloak -file keycloak.crt -keystore client-truststore.jks -storepass wso2carbon -noprompt
- Start Keycloak and WSO2 IS again.
Deploying the Sample Applications
For the next two steps we'll use two WSO2 sample apps. You can get them from here: download pickup-dispatch.war and pickup-manager.war from the releases page.
Note: You'll need Apache Tomcat to run the applications. Place the .war files inside the webapps folder of the Tomcat installation and start Tomcat. The applications are addressed as localhost.com below; if that name does not resolve on your machine, map it to 127.0.0.1 in your hosts file.
Refer to [1] for more information on deploying the applications.
6. Configure Pickup-Dispatch in WSO2 IS
- Navigate to Main > Identity > Service Providers and click Add. Give the service provider a name and register it.
- Navigate to Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure. Enter:
Callback URL: http://localhost.com:8080/pickup-dispatch/oauth2client
Back-channel Logout URL: http://localhost.com:8080/pickup-dispatch/bclogout
- After the service provider configuration is saved, an OAuth Client Key and an OAuth Client Secret are generated.
- Expand Local & Outbound Authentication Configuration, set the Authentication Type to Federated Authentication and select Keycloak (the identity provider from step 3) as the IdP.
- Go to <apache-tomcat-installation>/webapps/pickup-dispatch/WEB-INF/classes and add the Client Key and Client Secret to the dispatch.properties file.
7. Configure Pickup-Manager in Keycloak
- Back in the Keycloak admin console (realm test), go to Clients under Configure and click Create. Give a preferred name for the client id and select openid-connect as the client protocol.
- In the Settings section of the client:
- Select confidential as the Access Type
- Enter http://localhost.com:8080/pickup-manager/oauth2client as a Valid Redirect URI
- Save the settings
- Note down the Secret from the Credentials tab.
- Go to <apache-tomcat-installation>/webapps/pickup-manager/WEB-INF/classes and add the client id and Secret to the manager.properties file. In the same file, replace the WSO2 IS endpoints it ships with by the Keycloak realm endpoints listed in step 3, since this application talks to Keycloak directly.
With both identity servers configured, we can now test the OIDC federated identity provider initiated logout flow.
- Access the following URL in a browser window: http://localhost.com:8080/pickup-dispatch/
- Click Login. WSO2 IS redirects you to the Keycloak login page, since the service provider uses federated authentication.
- Log in with the credentials of the user created in Keycloak. You are redirected back to the Pickup Dispatch application home page.
- Now open the Pickup Manager application in another browser window: http://localhost.com:8080/pickup-manager/
- Once you click Login, you are logged in automatically (Keycloak already has a session for this browser) and redirected to the Pickup Manager home page.
- Log out of the Pickup Manager application. You are redirected back to the application's login page.
- Now attempt to access the Pickup Dispatch application. You will find you have been logged out of this application as well.
We have successfully triggered an OIDC federated identity provider initiated logout. Behind the scenes, logging out of Pickup-Manager ended the Keycloak session; Keycloak then POSTed a logout token to the Back-channel Logout URL registered in step 1 (https://localhost:9443/identity/oidc/slo), WSO2 IS validated it and terminated the federated session, and its own back-channel logout request to http://localhost.com:8080/pickup-dispatch/bclogout (step 6) ended the Pickup-Dispatch session.
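The security of this flow rests on what the receiving endpoint (https://localhost:9443/identity/oidc/slo here) does with the logout_token it is sent: it must reject anything that is not a freshly issued, correctly signed logout token from the configured Keycloak realm, otherwise anyone who can reach the endpoint could log users out at will, or replay a captured token. The following Go program is an added illustration of those checks, not code from WSO2 IS or Keycloak. It generates a stand-in for the realm signing key, builds and signs a logout token the way Keycloak would, and validates it the way the receiving side should, following the validation rules of the back-channel logout specification. The issuer matches step 3; the client id "wso2is", the key id "kc-key-1" and the two-minute freshness window are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// What WSO2 IS has on record for the Keycloak IdP after step 3. "wso2is" is an assumed placeholder for the client id chosen in step 1; maxAge is an assumed freshness window.
const (
	KeycloakIssuer = "http://localhost:8090/auth/realms/test"
	WSO2ClientID   = "wso2is"
	logoutEvent    = "http://schemas.openid.net/event/backchannel-logout"
	maxAge         = 2 * time.Minute
)

type LogoutClaims struct { // logout token payload, OIDC Back-Channel Logout 1.0 section 2.4
	Iss    string                     `json:"iss"`
	Sub    string                     `json:"sub,omitempty"` // the user; Keycloak always sends it
	Sid    string                     `json:"sid,omitempty"` // the session; absent when "Session Required" is off
	Aud    string                     `json:"aud"`           // single-string form assumed
	Iat    int64                      `json:"iat"`
	Jti    string                     `json:"jti"`
	Events map[string]json.RawMessage `json:"events"`
	Nonce  *string                    `json:"nonce,omitempty"` // must not be present in a logout token
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateIdPKey stands in for the realm key whose public half Keycloak publishes at .../openid-connect/certs.
func GenerateIdPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewLogoutClaims builds what Keycloak sends for user sub and session sid ("" when none).
func NewLogoutClaims(sub, sid string, now time.Time) LogoutClaims {
	jti := make([]byte, 16)
	rand.Read(jti)
	return LogoutClaims{Iss: KeycloakIssuer, Sub: sub, Sid: sid, Aud: WSO2ClientID, Iat: now.Unix(),
		Jti: b64(jti), Events: map[string]json.RawMessage{logoutEvent: json.RawMessage("{}")}}
}

// SignLogoutToken produces the RS256 JWT that Keycloak POSTs as logout_token.
func SignLogoutToken(key *rsa.PrivateKey, kid string, c LogoutClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64(sig), err
}

type Validator struct { // receiving side: what the slo endpoint must check before ending a session
	Issuer, Audience string
	keys             map[string]*rsa.PublicKey // kid -> public key fetched from the IdP's JWKS endpoint
	seenJTI          map[string]bool           // replay cache (in-memory for illustration)
}

func NewValidator(issuer, audience, kid string, pub *rsa.PublicKey) *Validator {
	return &Validator{issuer, audience, map[string]*rsa.PublicKey{kid: pub}, map[string]bool{}}
}

func (v *Validator) Validate(token string) (*LogoutClaims, error) { // sid -> end that session; sub alone -> end every session of that user
	decode := func(s string, out interface{}) bool {
		b, err := base64.RawURLEncoding.DecodeString(s)
		return err == nil && json.Unmarshal(b, out) == nil
	}
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || !decode(parts[0], &hdr) || hdr.Alg != "RS256" { // pinning alg blocks "none"/HS256 downgrades
		return nil, errors.New("malformed JWT or alg is not RS256")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if pub := v.keys[hdr.Kid]; pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c LogoutClaims
	if !decode(parts[1], &c) {
		return nil, errors.New("malformed payload")
	}
	now, iat := time.Now(), time.Unix(c.Iat, 0)
	switch {
	case c.Iss != v.Issuer || c.Aud != v.Audience:
		return nil, errors.New("iss or aud does not match the configured IdP and client id")
	case iat.After(now.Add(time.Minute)) || now.Sub(iat) > maxAge:
		return nil, errors.New("iat outside the acceptance window")
	case c.Nonce != nil || c.Events[logoutEvent] == nil || (c.Sub == "" && c.Sid == ""):
		return nil, errors.New("not a logout token: nonce present, logout event missing, or no sub/sid")
	case c.Jti == "" || v.seenJTI[c.Jti]:
		return nil, errors.New("missing or replayed jti")
	}
	v.seenJTI[c.Jti] = true
	return &c, nil
}
```

Two design points matter in practice. The algorithm is pinned to RS256 and the key is looked up by kid from the keys fetched at the JWKS endpoint of step 3, so a token carrying alg "none" or an HMAC signed with the public key is refused before any claim is read. The nonce check is what keeps an ID token (which also carries iss, sub, aud and iat from the same issuer) from being accepted as a logout token, and the jti cache is what stops a captured token from being replayed after the user has logged in again; a real deployment would back that cache with shared storage and expire entries after maxAge.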
For further reading on the topic, refer to the following:
- [1] https://is.docs.wso2.com/en/latest/learn/deploying-the-sample-app/
- OIDC Back-channel Logout Specification — https://openid.net/specs/openid-connect-backchannel-1_0.html