Keycloak: How to make authentication automatic for logged-in Windows user?

I'm trying to create a C# application which would use Keycloak for authentication. Currently, I'm able to log in as user using OpenID Connect by sending the following REST request:

POST
http://{server}:{port}/auth/realms/{myRealm}/protocol/openid-connect/token

Body (x-www-form-urlencoded):
    client_id    {myClient}
    username     FooBar
    password     {userPassword}
    grant_type   password

Sending this request results in acquiring both access token and refresh token.

Now, I would like to be able to somehow login (acquire the tokens or otherwise authenticate the user) using the "currently active Windows session" by which I mean that the user (existing in Active Directory LDAP) which is currently logged into Windows should be authenticated without providing any credentials.

The User Federation in my Keycloak realm already contains configuration for the AD LDAP server so all the users are now also available in the Keycloak.

I went through the Keycloak documentation (especially the sections about LDAP and Active Directory and Kerberos) but didn't quite understand what exactly needs to be done in order to make it work.

I also searched here on SO but the only relevant thing I've found is some other user mentioning that this should be possible.

Can someone point me in the right direction?

dva asked Jun 11 '19 14:06

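The token request described in the question, written as a C# client. This is an added example, not code from the question or from the Keycloak project; it assumes .NET with System.Net.Http and System.Text.Json, and the `{server}`, `{port}`, `{myRealm}` and `{myClient}` placeholders are the question's own and must be filled in.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Resource Owner Password Credentials grant against the Keycloak token endpoint
// from the question. Placeholder names ({server}, {port}, {myRealm}, {myClient})
// are assumptions taken from the question, not real values.
public static class KeycloakPasswordGrant
{
    public sealed record Tokens(string AccessToken, string RefreshToken, int ExpiresIn);

    public static async Task<Tokens> RequestTokensAsync(
        HttpClient http, string baseUrl, string realm, string clientId,
        string username, string password)
    {
        var tokenUrl = $"{baseUrl}/auth/realms/{realm}/protocol/openid-connect/token";
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["username"] = username,
            ["password"] = password,
            ["grant_type"] = "password",
        });

        using var response = await http.PostAsync(tokenUrl, form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Keycloak answers a rejected grant with an OAuth error object,
            // e.g. {"error":"invalid_grant","error_description":"..."}
            throw new InvalidOperationException(
                $"Token request failed ({(int)response.StatusCode}): {body}");
        }

        // Successful response carries access_token, refresh_token and expires_in
        using var doc = JsonDocument.Parse(body);
        var root = doc.RootElement;
        return new Tokens(
            root.GetProperty("access_token").GetString()!,
            root.GetProperty("refresh_token").GetString()!,
            root.GetProperty("expires_in").GetInt32());
    }

    public static async Task Main()
    {
        using var http = new HttpClient();
        // Password read from the environment so it does not sit in source (assumed variable name)
        var tokens = await RequestTokensAsync(http, "http://{server}:{port}", "{myRealm}",
            "{myClient}", "FooBar", Environment.GetEnvironmentVariable("KC_PASSWORD") ?? "");
        Console.WriteLine($"Access token obtained; expires in {tokens.ExpiresIn}s");
    }
}
```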

1 Answer

In Keycloak terms, you are asking for SPNEGO authentication. See https://www.keycloak.org/docs/latest/server_admin/index.html#_kerberos

In the realm authentication tab, you need to enable Kerberos. Your browser needs to have SPNEGO enabled. Different browsers do that differently. You enable a specific URL for SPNEGO.

Christopher Smith answered Oct 26 '22 12:10