Alternative authentication methods for agent
By default, the agent uses mTLS authentication to obtain the access token for backend (BE) communication.
Recent modifications to our company's VPN tools and the need to support SaaS required us to adopt alternative methods of communication with the backend that do not rely on mTLS.
Alternative authentication methods
Two new alternative authentication methods were introduced for the agent:
Resource Owner Password Credentials Grant Flow - Confidential Client
User Authentication
Resource Owner Password Credentials Grant Flow - Confidential client
For this flow, a single user is set up in Keycloak and all agents connect using the same user.
Keycloak client configuration
Open Keycloak user management
Go to ‘Clients’
Create a new client → ‘agent_v2’
Select ‘Access Type’ as ‘confidential’:
Expand ‘Authentication Flow Overrides’ and select ‘direct grant’ as ‘Direct Grant Flow’
Save the changes. A new tab ‘Credentials’ will appear.
Under ‘Client Authenticator’ select ‘Client Id and Secret’. The secret will be required by the agent to successfully retrieve the access token.

Adding a password for agent user
Go to ‘Users’, edit user ‘agent’ (or create a new user)
Go to tab ‘Credentials’ and set a password for the user (but not a temporary one). The password will be required by the agent to successfully retrieve the access token.

Preparing installerConfig.json
The agent must be installed with a properly set up installerConfig.json file.
We prepared a simple tool to make this process easier:
Start GVClient.Tools.SetupHelper.exe. A simple console application will show up.
Enter the address of the cluster. It has to start with https://, and the tool will strip all unnecessary data.
Use SSL
Enter the language
Pick visual style
Pick PasswordGrant as Keycloak Auth Type
Enter the Keycloak username
Enter the password of the user
Enter the Keycloak client secret
The tool will show the generated JSON in the console and also save the file in the same directory from which it was run.

User authentication
For this flow each user can log in using their individual accounts.
Keycloak client configuration
Open Keycloak user management
Go to ‘Clients’
Create a new client → agent-user-authentication
Set Valid redirect URIs to getvisibility-agent://*. This step is crucial because the agent has registered a custom scheme handler for this exact scheme. Whenever the browser is forwarded to getvisibility-agent://*, the agent will be started by the system and the whole URI will be passed on to the agent.
Disable Client authentication
Enable Standard flow
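Because the operating system hands any getvisibility-agent:// URI to the agent, the callback has to be tied to a login the agent itself started. The following is an added sketch of that check using state and PKCE; it is not the agent's own code, and the Keycloak URL, the EXAMPLE_REALM placeholder, the callback path, the use of PKCE and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "agent-user-authentication"  # client created in the steps above
REDIRECT_URI = "getvisibility-agent://callback"  # assumed path under the scheme
# Assumed Keycloak location and placeholder realm; adjust to your deployment.
AUTH_ENDPOINT = ("https://cluster_address.com/realms/EXAMPLE_REALM"
                 "/protocol/openid-connect/auth")


def start_login():
    """Create per-login state and a PKCE verifier, and build the browser URL."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars, RFC 7636 allows 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
        "redirect_uri": REDIRECT_URI, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return {"state": state, "verifier": verifier,
            "url": f"{AUTH_ENDPOINT}?{query}"}


def handle_callback(uri, pending):
    """Validate the URI from the scheme handler; return the token request body."""
    parts = urlsplit(uri)
    if parts.scheme != "getvisibility-agent":
        raise ValueError("unexpected scheme")
    params = parse_qs(parts.query)
    if any(len(values) != 1 for values in params.values()):
        raise ValueError("duplicated parameter")
    # Any web page or local process can trigger the scheme, so a callback that
    # does not carry the state of a login in progress is rejected.
    got = params.get("state", [""])[0].encode("utf-8")
    if pending is None or not hmac.compare_digest(got, pending["state"].encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    if "code" not in params:
        raise ValueError("missing code")
    # No client secret is sent: client authentication is disabled for this
    # client, so the PKCE verifier is what binds the code to this agent.
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": params["code"][0], "redirect_uri": REDIRECT_URI,
            "code_verifier": pending["verifier"]}
```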


Agent configuration
To enable user authentication in the agent, the agent must be installed with a proper installerConfig.json file:
{
"ServerAddress": "cluster_address.com",
"ServerUseSsl": true,
"Language": "en",
"KeycloakClientId": "agent-user-authentication",
"KeycloakAuthType": 2
}
The login flow: