Liferay Keycloak integration - SSO and SLO implementation

Liferay Keycloak - Single Sign On / Single Logout


Overview
Previous article ( https://lifedev-solutions.blogspot.com/2019/10/liferay-keycloak-integration-using.html ) describes steps to configure Keycloak SSO Authorization in Liferay using OpenID Connect Provider.
However, this approach has several limitations:
- it can't be used as a default login mechanism: user needs to click "Sign In", chose "OpenId Connect", select "OpenId Connect Provider", and only then he is redirected to the Keycloak sign-in form;
- After logging out from Liferay user stays logged in in Keycloak.
This article will show how to overcome these issues.

SSO with Servlet Filter
For automatic redirection to Keycloak's Sign In form the servlet filter may be implemented:
@Component(
        immediate = true,
        property = {
                "servlet-context-name=",
                "servlet-filter-name=Keycloak Login Filter",
                "url-pattern=/c/portal/login"        },
        service = Filter.class)
public class KeycloakLoginFilter implements Filter {

    @Override    public void init(FilterConfig filterConfig) {
    }

    @Override    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, 
                         FilterChain filterChain) throws IOException, ServletException {
        try {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;

            //Get OpenId Providers            Collection<String> openIdConnectProviderNames = 
                    _openIdConnectProviderRegistry.getOpenIdConnectProviderNames();
            if (openIdConnectProviderNames == null || openIdConnectProviderNames.size() == 0) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }

            String openIdConnectProviderName = openIdConnectProviderNames.iterator().next();
            _openIdConnectServiceHandler.requestAuthentication(openIdConnectProviderName, request, response);

        } catch (Exception e) {
            _log.error("Error in KeycloakLoginFilter: " + e.getMessage(), e);
        } finally {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    @Override    public void destroy() {
    }

    @Reference    private OpenIdConnectProviderRegistry _openIdConnectProviderRegistry;
    @Reference    private OpenIdConnectServiceHandler _openIdConnectServiceHandler;

    private static final Log _log = LogFactoryUtil.getLog(KeycloakLoginFilter.class);
}

It intercepts all requests to "/c/portal/login" URL and invokes the OpenID authentication, which redirects user to Keycloak Sign In form.
Check also the article about Servlet Filters.



SLO with Logout Post Action
To make user automatically logged out from Keycloak after logging out in Liferay - a custom Login Post Action may be implemented:
@Component(
        immediate = true,
        property = "key=logout.events.post",
        service = LifecycleAction.class)
public class KeycloakLogoutPostAction implements LifecycleAction {

    @Override    public void processLifecycleEvent(LifecycleEvent lifecycleEvent) throws ActionException {

        try {
            HttpServletRequest request = lifecycleEvent.getRequest();
            HttpServletResponse response = lifecycleEvent.getResponse();

            Collection<String> openIdConnectProviderNames = 
                    _openIdConnectProviderRegistry.getOpenIdConnectProviderNames();
            if (openIdConnectProviderNames == null || openIdConnectProviderNames.size() == 0) {
                _log.warn("No OpenID Connect Providers found.");
                return;
            }

            String openIdConnectProviderName = openIdConnectProviderNames.iterator().next();
            OpenIdConnectProvider openIdConnectProvider = 
                    _openIdConnectProviderRegistry.getOpenIdConnectProvider(openIdConnectProviderName);
            Object oidcProviderMetadata = openIdConnectProvider.getOIDCProviderMetadata();
            String oidcJson = oidcProviderMetadata.toString();
            JSONObject oidcJsonObject = JSONFactoryUtil.createJSONObject(oidcJson);
            Object authEndpoint = oidcJsonObject.get("authorization_endpoint");
            String authEndpointUrl = authEndpoint.toString();
            String logoutEndpoint = StringUtil.replaceLast(authEndpointUrl, "/auth", "/logout");

            String redirectUri = getRedirectUrl(request);

            String logoutUrl = logoutEndpoint + "?redirect_uri=" + redirectUri;
            response.sendRedirect(logoutUrl);

        } catch (Exception e) {
            _log.error("Error in KeycloakLogoutPostAction: " + e.getMessage(), e);
        }
    }

    private String getRedirectUrl(HttpServletRequest request) {
        String portalURL = _portal.getPortalURL(request);
        long companyId = _portal.getCompanyId(request);
        PortletPreferences preferences = _prefsProps.getPreferences(companyId);
        String logoutPath =  _prefsProps.getString(preferences, PropsKeys.DEFAULT_LOGOUT_PAGE_PATH);
        return portalURL + logoutPath;
    }

    @Reference    private Portal _portal;
    @Reference    private PrefsProps _prefsProps;
    @Reference    private OpenIdConnectProviderRegistry _openIdConnectProviderRegistry;

    private static final Log _log = LogFactoryUtil.getLog(KeycloakLogoutPostAction.class);
}
 
This action is invoked after used has been logged out from Liferay. It performs a call to Keycloak's logout endpoint and then redirects back to a portal page.

Enjoy 😉




Comments

  1. AnonymousDecember 16, 2022 at 4:54 PM

    Getting null , I am using liferay 7.4.3.11

    ReplyDelete

Post a Comment

Popular posts from this blog

Liferay Search Container Example

Or how to implement a custom search container in Liferay Overview   Search Containers are used in Liferay to display the table data. This article shows a simple example of how to implement a custom search container.  Example < liferay-portlet :renderURL varImpl ="iteratorURL" /> < liferay-ui :search-container total =" <%= ProjectLocalServiceUtil. getProjectsCount (scopeGroupId) %> "                              delta ="10"                              emptyResultsMessage ="no-projects-found"                              iteratorURL =" <%= iteratorURL %> " >     < liferay-ui :search-container-results             results =" <%= ProjectLocalServiceUtil. getProjects (scopeGroupId, searchContainer.getStart(), searchContainer.getEnd()) %> " />     < liferay-ui :search-container-row className ="com.sample.sb.model.Project" modelVar ="project" keyP
Read more

Liferay DXP - max upload file size

Image
Liferay DXP - increase Maximum Upload Request Size By default, Liferay has limit to 100 MB for file upload. Sometimes you need to upload larger files, and this restriction can be changed in configuration. Go to Control Panel -> Configuration -> System Settings -> Infrastructure. Click on "Upload Servlet Request". Modify " Overall Maximum Upload Request Size"  value and set which you need: Save the configuration. Now you should be able to upload large files to your Liferay DXP instance.
Read more

Liferay Keycloak integration

Image
Liferay Keycloak integration using OpenID Overview This tutorial explains how to configure OpenID SSO between Liferay 7.2 and Keycloak 7.0.1 Installation instructions KeyCloak Configuration 1. Install and startup Keycloak server Download latest Keycloak server:  https://www.keycloak.org/downloads.html Unzip keycloak-7.0.1.zip folder. Run  keycloak-7.0.1/bin/standalone.sh  (or  keycloak-7.0.1/bin/standalone.bat ) file. Keycloak should be started on 8080 port:  http://localhost:8080 2. Create default admin user: and sign in to Admin Console. 3. Check OpenID configuration Click on "OpenID Endpoint Configuration": JSON configuration should appear, like this: { "issuer": "http://localhost:8080/auth/realms/master", "authorization_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth", "token_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-con
Read more