Get Refresh token from Keycloak Identity Provider

1. The problem I’m having:

I am using Caddy as a reverse proxy in front of other protected microservices, and the user is able to access those microservices after authenticating with Keycloak; sample Caddyfile below.

Caddy injects the token from Keycloak into the browser and the user is able to access the other resources.

However, let's say the token expires within 60 minutes. After this time the user needs to enter credentials again to access the protected resources.

I was not able to refresh the token while the user is active; every 60 minutes the user must enter credentials again.

Objective

I am trying to keep the token valid as long as the user is active.

2. Error messages and/or full log output:

No error logs.

3. Caddy version:

I am using Caddy in Docker:

# Build stage: compile Caddy 2.7 with the caddy-security plugin
FROM caddy:2.7-builder AS builder

RUN xcaddy build \
    --with github.com/greenpau/caddy-security

# Runtime stage: stock image with only the custom binary swapped in
FROM caddy:2.7-alpine
# The OCI source label has to be set in the final stage to end up on the published
# image; greenpau/caddy-auth-portal was superseded by greenpau/caddy-security.
LABEL org.opencontainers.image.source=https://github.com/greenpau/caddy-security

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

COPY Caddyfile /etc/caddy/Caddyfile

COPY ./entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["sh", "/entrypoint.sh"]

CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]

4. How I installed and ran Caddy:

a. System environment:

b. Command:

caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

c. Service/unit/compose file:

d. My complete Caddy config:

{
	https_port 443
	# debug
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id {$KEYCLOAK_CLIENT_ID}
			client_secret {$KEYCLOAK_CLIENT_SECRET}
			scopes openid profile
			metadata_url https://{$HOST_DOMAIN_ADDRESS}/keycloak/realms/{$KEYCLOAK_REALM}/.well-known/openid-configuration
			base_auth_url https://{$HOST_DOMAIN_ADDRESS}/auth/
			enable id_token cookie
			enable logout
			delay_start 5
			retry_attempts 30
			retry_interval 20
		}

		authentication portal myportal {
			# lifetime, in seconds, of the token the portal itself issues (3600 s = 60 min)
			crypto default token lifetime 3600
			crypto key sign-verify from env JWT_SHARED_KEY
			enable identity provider keycloak
			cookie domain {$HOST_DOMAIN_ADDRESS}
			ui {
				links {
					"My Website" https://{$HOST_DOMAIN_ADDRESS}/ icon "las la-star"
					"My Identity" "/auth/whoami" icon "las la-user"
				}
			}
		}

		authorization policy mypolicy {
			set auth url /auth/oauth2/keycloak
			allow roles authp/admin authp/user authp/guest
			inject headers with claims
			inject header "X-User-Name" from "userinfo|name"
			inject header "X-Org" from "userinfo|name"
			crypto key verify from env JWT_SHARED_KEY
		}
	}
}

(internal_config) {
	# Routes to microservices resources
}

:80 {
	import internal_config
	redir https://{$HOST_DOMAIN_ADDRESS}{uri}
}

https://localhost:443, https://{$HOST_DOMAIN_ADDRESS}:443 {
	import internal_config
}

5. Links to relevant resources:

Adding some points I found while searching:
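The mechanism the question is after, as an added example in Python that is not part of the original post or of the caddy-security plugin: an OIDC session holder that reads the access token's `exp` claim only to schedule a refresh, then runs the OAuth2 refresh_token grant (RFC 6749 section 6) against the `token_endpoint` advertised by the realm's `.well-known/openid-configuration` document (the `metadata_url` in the Caddyfile above), stores the rotated refresh token, and treats `invalid_grant` as "send the user back to the login page". The endpoint URL, client id and secret, the `alg=none` test tokens and the fake Keycloak it talks to are all constructed so that it runs offline; `http_post_form` is the transport you would pass in against a real realm. One thing worth noticing in the config above while reading it: `crypto default token lifetime 3600` is the lifetime, in seconds, of the token the portal itself issues, which is the same 60 minutes described in the question.

```python
# Added example, not code from the original post or the caddy-security plugin:
# the OAuth2 refresh_token grant (RFC 6749 section 6) that a portal/proxy has to
# run against Keycloak's token endpoint to extend a session without a new login.
# The endpoint URL, client credentials and every token below are constructed.
import base64
import json
import time
import urllib.error
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64url '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token: str) -> int:
    """Read `exp` WITHOUT verifying the signature: fine for scheduling a refresh,
    never for an authorization decision (that is `crypto key verify`'s job above)."""
    _header, payload, _signature = token.split(".")
    return int(json.loads(b64url_decode(payload))["exp"])


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token (alg=none, empty signature) so the example runs offline."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def http_post_form(url: str, body: bytes) -> Tuple[int, dict]:
    """Real transport: form POST returning (status, JSON). Keycloak reports
    refresh failures as HTTP 400 with a JSON error body, so keep that body."""
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class ReauthRequired(Exception):
    """Refresh token no longer usable (Keycloak SSO session idle/max timeout,
    revocation or logout): the only recovery is a new login at the portal."""


@dataclass
class OidcSession:
    access_token: str
    refresh_token: str

    def ensure_fresh(self, metadata: dict, client_id: str, client_secret: str,
                     post: Callable[[str, bytes], Tuple[int, dict]],
                     now: Optional[int] = None, skew: int = 60) -> bool:
        """Refresh if the access token expires within `skew` seconds; True if it did."""
        now = int(time.time()) if now is None else now
        if jwt_exp(self.access_token) - now > skew:
            return False
        body = urlencode({"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                          "client_id": client_id, "client_secret": client_secret}).encode()
        # token_endpoint is taken from .well-known/openid-configuration (the
        # Caddyfile's metadata_url), not from a hard-coded path.
        status, reply = post(metadata["token_endpoint"], body)
        if status != 200:  # RFC 6749 section 5.2: invalid_grant = spent or expired
            raise ReauthRequired(reply.get("error", f"HTTP {status}"))
        self.access_token = reply["access_token"]
        # Keycloak returns a fresh refresh token with each refresh; with the realm option
        # "Revoke Refresh Token" the old one stops working, so always keep the newest.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        return True


def demo() -> dict:
    """Walk one session through: still fresh, near expiry (refresh + rotation),
    replay of the old refresh token, and the IdP-side session expiring."""
    metadata = {"token_endpoint": "https://idp.example/realms/demo/protocol/openid-connect/token"}
    t0, state = 1_700_000_000, {"serial": 0, "alive": True}

    def fake_keycloak(url: str, body: bytes) -> Tuple[int, dict]:  # constructed stand-in
        form = dict(parse_qsl(body.decode()))
        if not (url == metadata["token_endpoint"] and state["alive"]
                and form.get("grant_type") == "refresh_token"
                and form.get("refresh_token") == f"rt-{state['serial']}"):
            return 400, {"error": "invalid_grant", "error_description": "Token is not active"}
        state["serial"] += 1
        return 200, {"token_type": "Bearer", "expires_in": 3600,
                     "access_token": make_unsigned_jwt({"exp": t0 + 3600 * (state["serial"] + 1)}),
                     "refresh_token": f"rt-{state['serial']}"}

    s = OidcSession(make_unsigned_jwt({"exp": t0 + 3600}), "rt-0")
    out = {"early": s.ensure_fresh(metadata, "caddy", "s3cret", fake_keycloak, now=t0 + 60)}
    out["near_expiry"] = s.ensure_fresh(metadata, "caddy", "s3cret", fake_keycloak, now=t0 + 3570)
    out["new_exp"], out["rotated_rt"] = jwt_exp(s.access_token), s.refresh_token
    replay = urlencode({"grant_type": "refresh_token", "refresh_token": "rt-0"}).encode()
    out["old_rt_replay_status"] = fake_keycloak(metadata["token_endpoint"], replay)[0]
    state["alive"] = False  # SSO Session Idle elapsed on the Keycloak side
    try:
        s.ensure_fresh(metadata, "caddy", "s3cret", fake_keycloak, now=t0 + 7170)
        out["reauth"] = False
    except ReauthRequired:
        out["reauth"] = True
    return out
```

Wherever the refresh ends up being done, keep the refresh token server-side in the portal's session store and hand only the short-lived access/ID token downstream to the microservices: the refresh token is a long-lived credential and is worth more to an attacker than the token it renews.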

That doesn’t seem like an issue with Caddy itself, but with a plugin. So you should ask the plugin author for help (open an issue on github or whatever).


Thank you for your time.
