[keycloak-dev] Few Questions on usage
thomas.darimont at googlemail.com
Mon May 21 13:17:36 EDT 2018
The scripting support can be disabled for the whole server with a feature
Anil Saldanha <asaldanha1947 at gmail.com> schrieb am Mo., 21. Mai 2018, 15:40:
> Bill - while I see the benefits of dynamic scripting in authentication
> flows, I wonder if it opens a can of worms in terms of security holes. How
> do you sandbox scripts?
> What do you think ?
> > On May 21, 2018, at 8:21 AM, Bill Burke <bburke at redhat.com> wrote:
> >> On Mon, May 21, 2018 at 9:00 AM, gambol <gambol99 at gmail.com> wrote:
> >> Hiya
> >> Apologizes for the wide range questions .. but figured a number for be
> >> useful for the user base.
> >> - Using the current scripted authentication in Authentication Flows
> >> it possible to use script to say if clientid == x and user have role x,
> >> permitted else not. Also do you have a repo with some examples of
> >> similar to https://github.com/auth0/rules
> > Yes, you could do that. No repo, sorry. This was a community
> > contribution and we don't have much more than basic docs.
> >> - Will the scripting always be global level, or is there any plan to
> >> it per client? or perhaps a better question would be will authentication
> >> flow always be at the realm level.
> > You can assign a specific authentiction flow to a specific client, but
> > we do not have anything like "step up" authentication yet.
> >> - Assuming a realm with multiple identity providers, is there any means
> >> which a client and enforce that a use came in via a specific identity
> >> provider? or if i come in via provider x they need to use MFA (would
> >> be done with a Post Login Flow on the provider perhaps?).
> > That might work, but post login flow was implemented mainly to resolve
> > import from external provider.
> >> - Is the any plans to make Groups per client and under the client ui? as
> >> for realms which have many disassociated applications but common user
> >> it makes it easier for them to manage.
> > You are the first to ask, but we should do something similar to what
> > was done for roles.
> >> - Are the any plans to expose metrics (or perhaps they are already
> >> exposed)? via jmx, stats, prometheus etc .. around logins, successful,
> >> failed etc, any latency measures on identity providers, infinispan /
> >> database operations etc
> > Something that should be scheduled. We have audit logs for all
> > different types of events, but I'm pretty sure we don't tabulate any
> > of it. We have basic generic metrics that any "application server"
> > would provide through Wildfly.
> >> - Is there any way to turn off the internal passwords and force via
> >> identity provider? .. i guess this is where scripting becomes useful ..
> >> if client = y get the provider name and deny if not y etc
> > Elaborate? Not sure what you mean.Not understanding this one.
> > --
> > Bill Burke
> > Red Hat
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev