Tags: authentication, keycloak, zabbix, openid-connect, keycloak-gatekeeper

Zabbix HTTP authentication with Keycloak-proxy


I'm trying to integrate Zabbix UI with Keycloak SSO, using keycloak-proxy. My setup is the following:

  1. Nginx is the entry point: it handles the "virtual host", forwarding the requests to keycloak-proxy.
  2. Keycloak-proxy is configured with client_id, client_secret, etc. to authenticate the users to Keycloak;
  3. Zabbix dashboard on Apache, default setup: I enabled HTTP authentication.

I've created a test user both in Keycloak and Zabbix. The authentication flow is ok: I'm redirected to Keycloak, I do the authentication, but I always get "Login name or password is incorrect." from Zabbix UI.

What am I doing wrong? Has anyone tried to use OIDC authentication with Zabbix?

I'm using Zabbix 4.0, Keycloak 4.4, Keycloak-proxy 2.3.0.

keycloak-proxy configuration:

client-id: zabbix-client
client-secret: <secret>

discovery-url: http://keycloak.my.domain:8080/auth/realms/myrealm
enable-default-deny: true
enable-logout-redirect: true
enable-logging: true
encryption_key: <secret>
listen: 127.0.0.1:10080
redirection-url: http://testbed-zabbix.my.domain
upstream-url: http://a.b.c.d:80/zabbix
secure-cookie: false
enable-authorization-header: true

resources:
- uri: /*
  roles:
    - zabbix

Solution

  • Zabbix expects PHP_AUTH_USER (or REMOTE_USER or AUTH_USER) header with the username, but keycloak-proxy doesn't provide it. Let's use email as a username (you can use any claim from the access token in theory). Add email to the request header in the keycloak-proxy config:

    add-claims:
    - email

    And create the PHP_AUTH_USER variable from the email header in the Zabbix Apache config:

    SetEnvIfNoCase X-Auth-Email "(.*)" PHP_AUTH_USER=$1

    Note: Conf syntax can be incorrect because it is off the top of my head - it may need some tweaks.

    BTW: there is a (hackish) user patch available - https://support.zabbix.com/browse/ZBXNEXT-4640, but keycloak-gatekeeper is a better solution.

    For the record: keycloak-proxy = keycloak-gatekeeper (the project was renamed and migrated to keycloak org recently)
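The answer's `SetEnvIfNoCase` line turns the `X-Auth-Email` header that keycloak-gatekeeper adds (via `add-claims: [email]`) into the `PHP_AUTH_USER` value that Zabbix's HTTP authentication reads. The example below is added here and is not code from the question, the answer, Zabbix or keycloak-gatekeeper: it simulates that mapping in Python and goes one step beyond the Apache one-liner by only honouring the header on connections that arrive from the proxy's address (the question's `listen: 127.0.0.1:10080`), since an upstream that is reachable directly on the network (`upstream-url: http://a.b.c.d:80/zabbix`) would otherwise accept any client-supplied `X-Auth-Email` as a login. `TRUSTED_PROXY_NETS`, `USERNAME_RE`, `username_from_request`, `build_environ` and the sample requests are all assumptions constructed for the example.

```python
"""Header-based login mapping for a Zabbix upstream behind keycloak-gatekeeper.

Added example, not from the original post. It models what the Apache directive

    SetEnvIfNoCase X-Auth-Email "(.*)" PHP_AUTH_USER=$1

does, plus a trust check on the peer address so the claim header is only
believed when the request really passed through the proxy.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Assumption: the proxy listens on 127.0.0.1 (as in the question), so only
# loopback peers may supply identity headers. Adjust to the proxy's real address.
TRUSTED_PROXY_NETS = [ip_network("127.0.0.1/32")]

# Header keycloak-gatekeeper sets for the `email` claim (add-claims: [email]).
CLAIM_HEADER = "x-auth-email"

# Assumption: Zabbix usernames are e-mail shaped, because the answer maps the
# email claim to the login name. Anything else is rejected rather than passed on.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def username_from_request(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Return the PHP_AUTH_USER value Zabbix should see, or None when the
    request must not be treated as authenticated (untrusted peer, missing or
    malformed claim header)."""
    try:
        peer = ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    candidate = lowered.get(CLAIM_HEADER, "").strip()
    if not USERNAME_RE.match(candidate):
        return None
    return candidate


def build_environ(headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """Build the CGI-style environment Apache hands to PHP. PHP_AUTH_USER is
    set only from the trusted claim header; a client-supplied PHP_AUTH_USER
    header is never copied, so it cannot be used to pick a login name."""
    environ = {"REMOTE_ADDR": peer_ip}
    user = username_from_request(headers, peer_ip)
    if user is not None:
        environ["PHP_AUTH_USER"] = user
    return environ


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("via proxy",
     {"Host": "testbed-zabbix.my.domain", "X-Auth-Email": "alice@example.org"},
     "127.0.0.1"),
    # Same header, but the connection hit the upstream directly from the LAN.
    ("direct, spoofed header",
     {"Host": "testbed-zabbix.my.domain", "X-Auth-Email": "alice@example.org"},
     "192.0.2.10"),
    # Through the proxy, but add-claims was not configured: no header, no login.
    ("via proxy, no claim",
     {"Host": "testbed-zabbix.my.domain"},
     "127.0.0.1"),
]


def demo() -> Dict[str, Optional[str]]:
    """Run every sample request through the mapping; returns label -> user."""
    return {label: build_environ(headers, peer).get("PHP_AUTH_USER")
            for label, headers, peer in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, user in demo().items():
        print(f"{label:>24}: PHP_AUTH_USER={user!r}")
```

In the real deployment the same peer restriction is done in Apache (for example, a `Require ip` on the Zabbix location, or binding Apache to the address the proxy reaches) rather than in application code; the point of the simulation is that `SetEnvIfNoCase` alone copies whatever `X-Auth-Email` arrives, so the upstream must not be reachable except through the proxy.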