Token Expiry Handling between OKTA and Keycloak

Question

Token Expiry Handling between OKTA and Keycloak

Closed this issue 7 months ago · 4 comments

We are using OKTA which would push the User/Group data to Keycloak. In OKTA we are using the SCIM App that supports Header Auth and have currently configured the access token as Bearer Token and is working fine. Even though i can increase the life time of the token, still after the life time expiry of the token would happen. Then we need to reconfigure the Token in OKTA, which is not desirable and what we wanted to avoid.

OKTA also has SCIM App that supports Basic Auth, where we enter just the Username and Password, however that authentication fails. I guess, it is directly using the basic Auth on the SCIM API's instead of using it to generate the token and then use that token for access

Need your inputs on the How to make sure that Only ONe Time Configuration is done in OKTA and SCIM would work forever without any issues from Keycloak.

Thanks,
Saravana

Answer 1 · 2024-04-20T09:08:03.000Z

If you are pushing users and groups from OKTA to keycloak, you are on the wrong track.
You are trying to create a SCIM Client configuration correct?

A SCIM Client configuration makes Keycloak a SCIM Client and does not add authentication access for remote SCIM providers.
You need to enable the SCIM Server configuration for the realm to which OKTA should push the users and groups.

Delete your SCIM Client configuration. You would need this if you would try to push users and groups from Keycloak to OKTA
Create an OpenID Connect Client configuration in Keycloak for OKTA and assign this client in the Authorization section of of the SCIM webadministration to the realm.

Answer 2 · 2024-04-21T20:06:39.000Z

Hi @Captain-P-Goldfish Thanks for the Reply. I was creating the SCIM Server configuration only in Keycloak. As you mentioned, i had created a OpenID Connect Client and added this client as Authorized.

For OKTA to make authenticated SCIM API calls to Keycloak, i would need to configure either the username/password or access token in the OKTA Portal. (I would get this username/password or token from Keycloak . That access token is what i'm referrring.

I was able to have the authenticaton/authroization successfully from OKTA to Keycloak and users were created dynamically from OKTA to Keycloak. The Only challenge that i have is that the token which i got from the endpoint in the keycloak /protocol/openid-connect/token has a limited time. So configuring this token in OKTA will allow SCIM to work between OKTA and Keycloak for that limited time. After that, we need to again generate token from Keycloak and configure in OKTA which is not desirable.

Is there a way to configure the authentication details in OKTA, so that OKTA and Keycloak can handshake SCIM protocol permanently, without the need to reconfigure.

Thanks in advance for your support.

Thanks,
Saravana

Answer 3 · 2024-04-22T05:27:54.000Z

You need to create a long-life AccessToken in Keycloak for a specific client. To do this you will need to increase the max-session lifetime in the realm-settings -> Sessions -> SSO Session Max
and then override the token-lifetime for that specific client in the advanced tab in the clients configuration. The value entered there will never exceed the SSO Session Max. The Keycloak implementation handles it like this:

Math.getMinimum(ssoSessionMax, client.getTokenLifetime)

Answer 4 · 2024-04-30T11:07:38.000Z

Thanks for Suggestion @Captain-P-Goldfish . Closing this Issue