I'm building a WebApp with Node- & ExpressJS. Currently I'm trying to connect my app to our company's Keycloak with the keycloak-connect module. I configured it as mentioned in different tutorials and it works (at least mostly).
When I connect to my WebApp, I receive the keycloak login screen and the login procedure is successful (session created on keycloak). After the login procedure and the redirect I receive an "Access denied" error and in the logs "Could not obtain grant code: unable to get local issuer certificate".
WebApp runs on port 443 with valid certificates
I've googled everything I could and tried following solutions:
-- Disable rejecting unauthorized TLS --
Disabled TLS rejection for unauthorized certificates with the node environment variable:
- process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;
Works but isn't very secure... Log.
-- Add an extra CA certificate --
Installed dotenv module and set following env variable in .env file:
- NODE_EXTRA_CA_CERTS='/etc/pki/tls/cert.pem' (& ca-bundle.crt)
Included it in app.js with "require('dotenv').config();", doesn't work... Also tried to set it as a system environment variable with export.
It stands behind a proxy but I also configured express to trust all proxies with "app.set('trust proxy', true);".
-- Versions --
Node - v16.13.1
Express - ~4.16.1
Keycloak-connect - ^16.1.1
I've seen this problem on many different pages and they're mostly not fully resolved... Would be nice to find a solution for this problem.
Thanks in advance! :)
Yannic
CodePudding user response:
Well I've found a solution and it works perfectly!
This comment on a GitHub issue describes how to send ca files with the HTTPS server from NodeJS.
You can enter your ca files / bundles in an array:
const trustedCa = [
  '/etc/pki/tls/certs/ca-bundle.crt',
  '/etc/pki/tls/cert.pem'
];
Then read them with readFileSync and set them as the globalAgent.options.ca option for the HTTPS server:
const https = require('https');
const fs = require('fs');

// Every outgoing HTTPS request made through the global agent (which
// keycloak-connect uses) now trusts these CAs.
https.globalAgent.options.ca = [];
for (const ca of trustedCa) {
  https.globalAgent.options.ca.push(fs.readFileSync(ca));
}
And that's all that needs to be done! Now I can login via Keycloak and it successfully redirects me to my WebApp without any errors.
Hopefully this helps.
Yannic