
[NEW] Keycloak: JWT login via REST API#13413

Open
KonstantinCodes wants to merge 2 commits into RocketChat:develop from KonstantinCodes:feature/keycloak-jwt-login-via-rest-api

Conversation

@KonstantinCodes

Closes #5521

PR for Docs needed.

TODO

This works perfectly fine. But I need help to make the JWT signing public key configurable via the Admin interface. For now, you have to manually paste the cert into the keycloak.js file.

Prerequisites

  • You have to configure a custom OAuth provider via the Admin interface and call it keycloak.
  • Manually paste your Keycloak's public key into the keycloak.js file.

How it works

Request

POST to http://localhost:3000/api/v1/login
Header: Content-Type: application/json
Content:

{
	"serviceName": "keycloak",
	"accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtBU0ZBU0ZQQVNGUEFTRmZzYWRmbnNmYXNmX2FzZmRhc2Zqa2FzbGYifQ.eyJleHAiOjE1NTIxNTgzNjMsInN1YiI6ImExMTQxYmE3LTc3NjAtNDA0Mi1hNzU1LTM4MDdiM2FlYzhlMCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImNoYXQiLCJhdXRoX3RpbWUiOjE1NDk1NjYzNjMsInNjb3BlIjoiZW1haWwiLCJnaXZlbl9uYW1lIjoiS29uc3RhbnRpbiIsImZhbWlseV9uYW1lIjoiQ29kZXMiLCJlbWFpbCI6ImtvbnN0YW50aW5Aa29uc3RhbnRpbi5jb2RlcyIsInVzZXJuYW1lIjoia29uc3RhbnRpbiJ9.NVikHsqr8lWpdIrGXCgi_apYAVrDXFL-R1Kyu1SHxFTdjqrVT_i8cWOK1N6YRsCGwwxYMILnqr5U-BfBd4LF0rjd_ycpSMd37EGUl2eQZW_VlPJPv6ZQqpIj6lE7glQ1vPNRvhOJLG0YQybXVgMzGOE2kDOGYyoB4o7xol1C6JY"
}

Response

As documented here: https://rocket.chat/docs/developer-guides/rest-api/authentication/login/#result

KonstantinCodes force-pushed the feature/keycloak-jwt-login-via-rest-api branch from c92435e to f4728f6 on February 8, 2019 09:51
KonstantinCodes force-pushed the feature/keycloak-jwt-login-via-rest-api branch from f4728f6 to 60320e1 on February 8, 2019 09:54
@splatch

splatch commented Feb 20, 2019

@KonstantinCodes - not sure of actual issue, can you make use of JWK set which is published by Keycloak? You should be able to read public key needed to verify issued tokens. Usually it is available at /auth/realms/{realm-name}/protocol/openid-connect/certs. Note that /auth prefix is not always necessary as Keycloak might be customized to run at /.

@KonstantinCodes
Author

@splatch Yes, you're right. I think it's a good idea to fetch the Public Key from the server.
We would need to implement a caching mechanism for that however and as you pointed out - a config option to specify the path to the cert.

@jpaniorte

Hello,
I need this functionality. What is the state?

@splatch

splatch commented Mar 28, 2019

An additional note: the /auth part of the URI is not mandatory. It's possible to have Keycloak configured with /realms/{realm-name}/protocol/openid-connect/certs, meaning without the /auth prefix. OpenID Connect settings (OAuth 2 endpoint description) can be read via /realms/{realm-name}/.well-known/openid-configuration. The contents of this configuration are fairly clear; a more detailed description is available in the specification: https://openid.net/specs/openid-connect-discovery-1_0.html.

@ralfbecker
Contributor

With the latest commits (pull request #14113) Rocket.Chat allows API access for all OAuth providers by checking accessTokens via the identity endpoint (/userinfo or /me).

@KonstantinCodes
Author

@ralfbecker Thanks for letting us know! I think this is great, but does require an extra HTTP request to the IDP.

I'd hope to polish this PR so that you can use any JWT and validate it locally, just using the public key.

Do you have any input on how we can increase the quality of this PR to make it mergeable?

@ralfbecker
Contributor

Not sure I can help to get that PR mergeable; I'm not a project member either.
I know you can create arbitrary settings, even some only existing in a single custom OAuth provider and not the general one. Such a setting could store the public key necessary to validate your JWT. Another option would be, if your public certificate is available under some URL, as I believe OpenID Connect specifies or recommends it. Then RC could pull and cache it.
Validating the JWT makes sense in my opinion, as we (EGroupware) also use our own access token to access the RC API, which has to call our /userinfo endpoint to validate it.

@charafsalmi

Hi,

Is it possible to do it now? I mean, use the REST API with a Keycloak JWT token?

Thanks,


Successfully merging this pull request may close these issues.

Use Rest API with oAuth Logins