Integrating pomerium with keycloak

What happened?

I am getting an error 404 trying to access the service.

What did you expect to happen?

I am using Pomerium as a reverse proxy in my minor project to demonstrate Zero Trust Architecture. I want to integrate Pomerium with Keycloak, so that if I want to access a service which I hosted on localhost, Pomerium will intercept it and redirect to Keycloak for authentication.

I want to be redirected to Keycloak for authentication when I try to access a backend service hosted on localhost:2000.

How’d it happen?

What’s your environment like?

I have set up Pomerium in Docker.

  • Pomerium version: pomerium:v0.27.1
  • Server Operating System/Architecture/Cloud: Windows 11

What’s your config.yaml?

authenticate_service_url: http://localhost:8080/auth/realms/minor-project/protocol/openid-connect/auth
authenticate_service:
  id: "pomerium-auth"
  issuer: "http://localhost:8080/auth/realms/Minor-Project"
  client_id: "student"
  client_secret: "ug4fIl9V0aFfomvuu8oGSwWNu9EcySxg"
  cookie_secret: "a0796abba0a645402b78d011c74229dd0421c0df35893ab24d3f9d4c7169df16"
  scopes: ["openid", "profile", "email"]

routes:

My docker-compose.yml
version: '3'
services:
  pomerium:
    image: pomerium/pomerium:v0.27.1
    ports:
      - "443:443"
    restart: always
    environment:
      POMERIUM_DEBUG: "true"
      POMERIUM_INSECURE_SERVER: "true"
      POMERIUM_PROXY_AUTHENTICATE_URL: "http://localhost:8080/auth/realms/minor-project/protocol/openid-connect/auth"
      POMERIUM_PROXY_AUTHORIZE_URL: "http://localhost:8080/auth/realms/minor-project/protocol/openid-connect/token"
      POMERIUM_PROXY_FORWARD_AUTH_URL: "http://localhost:8080/auth/realms/minor-project/protocol/openid-connect/userinfo"
      POMERIUM_IDP_PROVIDER: "keycloak"
      POMERIUM_IDP_CLIENT_ID: "student" # Ensure this matches your Keycloak client ID
      POMERIUM_IDP_CLIENT_SECRET: "ug4fIl9V0aFfomvuu8oGSwWNu9EcySxg"
      POMERIUM_IDP_ISSUER_URL: "http://localhost:8080/auth/realms/minor-project"
      POMERIUM_COOKIE_SECRET: "a0796abba0a645402b78d011c74229dd0421c0df35893ab24d3f9d4c7169df16"
      POMERIUM_JWT_SECRET: "c5d19263db199de69cca97ff20f99e830c853f75c8b6600bf48deeb18fddf69d"
      POMERIUM_ZERO_TOKEN: "AMf-vBzBUXNoj6p-cjmC39BRnjedi5hcIDa8jl7ssmNHxBX6DjwoBwI2zFmLnNF80Y5BAuhbkeEVNn3PhLKRsO9wF1A2P4Olqf2mCfe9C_wJmKL_kaPUjGGEhtRj526Q_n2fqenxzOy_sqSAnyWGlniazRoKWai2ThtN2qV8U_o9E9pstTzRP2UGF22PO6A6hKS1VkQdtV_K"
      POMERIUM_ROUTES: |
        - from: "https://localhost"
          to: "http://localhost:2000" # Your Student Service app
          auth: true
      XDG_CACHE_HOME: "/var/cache"
    volumes:
      - pomerium-cache:/var/cache
    networks:
      main:
        aliases:
          - verify.eternal-polliwog-2484.pomerium.app

  verify:
    image: cr.pomerium.com/pomerium/verify:latest
    networks:
      main:
        aliases:
          - verify

networks:
  main: {}

Hi Sidhant,

There is a guide in the documentation for setting up a self-hosted Keycloak with Pomerium: OIDC | Pomerium. I would recommend starting there.

The configuration you’ve posted here is very confusing:

  • There’s a mix of YAML, environment variables, and a Pomerium Zero token. However if you want to use Pomerium Zero you can’t mix in other configuration options. You’ll want to pick one or the other. (If you want to try out Pomerium Zero, please follow the quickstart here: https://www.pomerium.com/docs/quickstart.)
  • Most of the environment variable names are not correct (most options do not use a POMERIUM_ prefix). But most of these are duplicates of options defined in the YAML config file, so you’d be better off removing these from the Docker Compose file.
  • There are also some incorrect keys in the config.yaml file. Please refer to Configuration & Settings Reference | Pomerium for information on how to set different Pomerium options.

Again, I would suggest starting from the guide at OIDC | Pomerium and build from there.

Hope that helps.

Thanks,
Ken
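A minimal config.yaml in the shape Ken describes (one YAML file using Pomerium's real option names, no POMERIUM_-prefixed variables, no Zero token), added here as an illustration; it is not the poster's file and not copied from Pomerium's docs. The hostnames, the realm name, the compose service name mykeycloak, the certificate paths and every secret are placeholders to replace.

```yaml
# Added example config.yaml (not the poster's file, not Pomerium's docs).
# <...> values are placeholders; mykeycloak is the assumed Keycloak service
# name in docker-compose. Mount it as ./config.yaml:/pomerium/config.yaml and
# make sure the host file exists first: a missing host path is bind-mounted
# as a new empty directory, which then cannot be mounted onto a file.

# TLS for the proxy itself (self-signed is fine locally). For a throwaway
# test you could instead set insecure_server: true and use http:// URLs.
certificate_file: /pomerium/cert.pem
certificate_key_file: /pomerium/privkey.pem

# Pomerium's OWN authenticate endpoint, NOT Keycloak's /openid-connect/auth.
# *.localhost.pomerium.io resolves to 127.0.0.1, so no DNS change is needed.
# Register https://authenticate.localhost.pomerium.io/oauth2/callback as the
# client's valid redirect URI in Keycloak.
authenticate_service_url: https://authenticate.localhost.pomerium.io

# idp_provider_url is the realm's issuer URL, not the /auth, /token or
# /userinfo endpoints. Realm names are case-sensitive ("minor-project" and
# "Minor-Project" are different realms). Inside the Pomerium container,
# "localhost" is the container itself, so use the compose service name.
# Keycloak 17+ serves realms without the /auth prefix.
idp_provider: keycloak
idp_provider_url: http://mykeycloak:8080/auth/realms/<realm>
idp_client_id: <keycloak-client-id>
idp_client_secret: <keycloak-client-secret>

# 32 random bytes, base64-encoded: head -c32 /dev/urandom | base64
# The client secret, cookie secret and Zero token quoted in this thread are
# public now and should be rotated.
cookie_secret: <base64-encoded-32-byte-secret>

routes:
  - from: https://student.localhost.pomerium.io
    # The app on the Windows host's port 2000. host.docker.internal is a
    # Docker Desktop name; "localhost" here would again be the container.
    to: http://host.docker.internal:2000
    # "auth: true" is not a Pomerium option. Routes are deny-by-default:
    # a policy must say who is allowed through.
    policy:
      - allow:
          or:
            - email:
                is: <you@example.com>
```

Environment variables, where you still want them, are the same option names upper-cased (for example IDP_PROVIDER, COOKIE_SECRET), without a POMERIUM_ prefix.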

I followed the guide but I am facing this error:

C:\Users\Sidhant Malik\Desktop\Minor project>docker compose up
[+] Running 4/4
✔ Network minorproject_default Created 0.0s
✔ Container minorproject-mykeycloak-1 Created 0.2s
✔ Container minorproject-verify-1 Created 0.2s
✔ Container minorproject-pomerium-1 Created 0.2s
Attaching to mykeycloak-1, pomerium-1, verify-1
verify-1 | {"level":"info","project-id":"detect-project-id","time":"2024-10-24T10:11:49Z","message":"connecting to firestore"}
verify-1 | {"level":"error","error":"fetching creds: google: could not find default credentials. See Set up Application Default Credentials | Authentication | Google Cloud for more information","time":"2024-10-24T10:11:49Z","message":"failed to create firestore client, falling back to in-memory storage"}
verify-1 | {"level":"info","bind-addr":":8000","time":"2024-10-24T10:11:49Z","message":"starting http server"}
Gracefully stopping... (press Ctrl+C again to force)
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/run/desktop/mnt/host/c/Users/Sidhant Malik/Desktop/Minor project/config.yaml" to rootfs at "/pomerium/config.yaml": mount /run/desktop/mnt/host/c/Users/Sidhant Malik/Desktop/Minor project/config.yaml:/pomerium/config.yaml (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type