Alternative authentication methods for agent
By default the agent uses mTLS authentication to obtain the access token for backend (BE) communication.
Recent modifications to our company's VPN tools and the need to support SaaS required us to adopt an alternative method of communication with the backend, one not reliant on mTLS.
Two new alternative authentication methods were introduced for the agent:
- Resource Owner Password Credentials Grant Flow - Confidential Client
- User Authentication
For the Resource Owner Password Credentials Grant Flow a single user is set up in Keycloak and all agents connect using the same user.
1. Open Keycloak user management.
2. Go to ‘Clients’.
3. Create a new client → ‘agent_v2’.
4. Select ‘Access Type’ as ‘confidential’.
5. Expand ‘Authentication Flow Overrides’ and select ‘direct grant’ as ‘Direct Grant Flow’.
6. Save the changes. A new tab ‘Credentials’ will appear.
7. Under ‘Client Authenticator’ select ‘Client Id and Secret’. The agent needs this secret to successfully retrieve the access token.
8. Go to ‘Users’ and edit user ‘agent’ (or create a new user).
9. Go to the ‘Credentials’ tab and set a password for the user (not a temporary one). The agent needs this password to successfully retrieve the access token.
The agent must be installed with a properly set up installerConfig.json file. We prepared a simple tool to make this process easier:
1. Start GVClient.Tools.SetupHelper.exe. A simple console application will show up.
2. Enter the address of the cluster; it has to start with https://. The tool will strip all unnecessary data.
3. Use SSL.
4. Enter the language.
5. Pick the visual style.
6. Pick PasswordGrant as Keycloak Auth Type.
7. Enter the Keycloak username.
8. Enter the password of the user.
9. Enter the Keycloak client secret.
The tool shows the generated JSON in the console and also saves the file in the directory from which it was run.
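What the agent does with the username, password and client secret collected above, as an added example that is not the agent's or the setup helper's own code: the Resource Owner Password Credentials request to Keycloak's standard token endpoint. The cluster-address normalization rule, the Keycloak base URL and the realm name are assumptions (the page names neither).

```python
import json
import urllib.parse
import urllib.request


def normalize_cluster_address(address: str) -> str:
    """Reduce a pasted cluster address to 'https://host[:port]'.
    The setup helper is described as stripping unnecessary data; the exact
    rule it applies is not documented, so this is an assumed reading."""
    parts = urllib.parse.urlsplit(address.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("cluster address must start with https://")
    return f"https://{parts.netloc}"


def build_token_request(keycloak_base: str, realm: str, client_id: str,
                        client_secret: str, username: str, password: str):
    """Return (url, form_body) for a Resource Owner Password Credentials
    request by a confidential client. Client secret and user password both
    travel in the body, which is why TLS to Keycloak is non-negotiable."""
    url = f"{keycloak_base}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",        # the 'direct grant' flow enabled above
        "client_id": client_id,          # e.g. 'agent_v2'
        "client_secret": client_secret,  # from the client's Credentials tab
        "username": username,            # the shared 'agent' user
        "password": password,            # its non-temporary password
    }).encode()
    return url, body


def parse_token_response(raw: bytes) -> dict:
    """Keep only what the agent needs; Keycloak returns {"error": ...} on failure."""
    data = json.loads(raw)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"token request failed: {data.get('error_description', data)}")
    return {"access_token": data["access_token"],
            "expires_in": int(data.get("expires_in", 0))}


def fetch_access_token(keycloak_base, realm, client_id, client_secret,
                       username, password, timeout=10) -> dict:
    """Perform the exchange; only this function touches the network."""
    url, body = build_token_request(keycloak_base, realm, client_id,
                                    client_secret, username, password)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())
```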
For User Authentication each user logs in using their individual account. This authentication flow is only supported starting from agent v5.
1. Open Keycloak user management.
2. Go to ‘Clients’.
3. Create a new client → agent-user-authentication.
4. Set Valid redirect URIs to getvisibility-agent://*. This step is crucial: the agent has registered a custom scheme handler for this exact scheme, so whenever the browser is forwarded to getvisibility-agent://* the system starts the agent and passes the whole URI on to it.
5. Disable Client authentication.
6. Enable Standard flow.
In order to enable user authentication in the agent, the agent must be installed with a proper installerConfig.json file: