Alternative authentication methods for agent
By default, the agent uses mTLS authentication to obtain the access token for backend (BE) communication.
Recent modifications to our company's VPN tool and the need to support SaaS required us to adopt an alternative method of communicating with the backend, one that does not rely on mTLS.
Alternative authentication methods
Two new alternative authentication methods were introduced for the agent:
- Resource Owner Password Credentials Grant Flow - Confidential Client
- User Authentication
Resource Owner Password Credentials Grant Flow - Confidential client
For this flow a single user is set up in Keycloak, and all agents connect using the same user.
Keycloak client configuration
- Open Keycloak user management.
- Go to Clients.
- Create a .
- Select Access Type as confidential.
- Expand Authentication Flow Overrides and select direct grant as Direct Grant Flow.
- Save the changes. A new tab Credentials will appear.
- Under Client Authenticator select Client Id and Secret. The secret will be required by the agent to successfully retrieve the access token.
Adding a password for agent user
- Go to Users, edit user agent (or create a new user).
- Go to tab Credentials and set a password for the user (but not a temporary one). The password will be required by the agent to successfully retrieve the access token.
Preparing installerConfig.json
The agent must be installed with a properly set up installerConfig.json file.
We prepared a simple tool to make this process easier: GVClient.Tools.SetupHelper (1).zip
- Start GVClient.Tools.SetupHelper.exe. A simple console application will show up.
- Enter the address of the cluster; it has to start with https://, the tool will strip all unnecessary data.
- Use SSL
- Enter the language
- Pick visual style
- Pick PasswordGrant as Keycloak Auth Type.
- Enter the keycloak username
- Enter the password of the user
- Enter the keycloak client secret
The tool will show the generated json in the console and also save the file in the same directory from which it was run.
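The token request the agent makes with the username, password and client secret from the steps above, as an added example in Python (it is not the agent's own code). The realm name, the token endpoint path of a current Keycloak release and the sample response used in the comments are assumptions, not taken from this page.

```python
"""Resource Owner Password Credentials (ROPC) token request against Keycloak.

Added example, not the agent's code. Assumed (not on the page): the realm name,
the token endpoint path layout of a current Keycloak release, and any sample
response shown in comments.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(server_address: str, realm: str, use_ssl: bool = True) -> str:
    """Keycloak OpenID Connect token endpoint for a realm (path is an assumption)."""
    scheme = "https" if use_ssl else "http"
    return f"{scheme}://{server_address}/realms/{realm}/protocol/openid-connect/token"


def build_ropc_request(server_address: str, realm: str, client_id: str,
                       client_secret: str, username: str, password: str,
                       use_ssl: bool = True) -> urllib.request.Request:
    """Build the POST a confidential client sends for grant_type=password.

    The client secret (Credentials tab) and the user's password travel in the
    form body, so this request must only ever go over TLS (ServerUseSsl: true).
    """
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }
    return urllib.request.Request(
        token_endpoint(server_address, realm, use_ssl),
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(raw: bytes) -> dict:
    """Validate Keycloak's JSON reply and keep only the fields the agent needs.

    A rejected grant comes back as {"error": ..., "error_description": ...}
    with HTTP 400/401; a success carries access_token, token_type, expires_in.
    """
    data = json.loads(raw)
    if "error" in data:
        # Never echo the credentials; the error code is enough for a log line.
        raise PermissionError(f"token request rejected: {data['error']}")
    for key in ("access_token", "token_type", "expires_in"):
        if key not in data:
            raise ValueError(f"token response missing {key!r}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),
    }


def fetch_access_token(server_address: str, realm: str, client_id: str,
                       client_secret: str, username: str, password: str,
                       opener=urllib.request.urlopen) -> dict:
    """Send the ROPC request and return the parsed token (this one does network I/O)."""
    req = build_ropc_request(server_address, realm, client_id,
                             client_secret, username, password)
    try:
        with opener(req, timeout=10) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as err:
        # Keycloak returns 400/401 with a JSON error body on a rejected grant.
        return parse_token_response(err.read())
```

Because every agent shares one user and one client secret in this flow, the installerConfig.json produced by the setup helper is as sensitive as a password file and should be protected accordingly on the host.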
User authentication
For this flow each user can log in using their individual accounts.
Note: This authentication flow is only supported starting from agent v5.
Keycloak client configuration
- Open Keycloak user management.
- Go to Clients.
- Create a new client → agent-user-authentication.
- Set Valid redirect URIs to getvisibility-agent://* - this step is crucial as the agent has registered a custom scheme handler for this exact scheme. Whenever the browser is forwarded to getvisibility-agent://* the agent will be started by the system and the whole URI will be passed on to the agent.
- Disable Client authentication.
- Enable Standard flow.
Agent configuration
In order to enable user authentication in the agent, the agent must be installed with a proper installerConfig.json file:
{
  "ServerAddress": "cluster_address.com",
  "ServerUseSsl": true,
  "Language": "en",
  "KeycloakClientId": "agent-user-authentication",
  "KeycloakAuthType": 2
}