[keycloak-user] Cross Realm authorization

david_christian.herrmann at daimler.com david_christian.herrmann at daimler.com
Wed Dec 19 02:23:47 EST 2018


Hi Dmitry,

In the meantime I tested with Keycloak 3.4.3.Final. There I do not have the problem with the Unauthorized response.

With kind regards

David Herrmann
RD/UIA
Team Rising Stars


Daimler AG
HPC G464
70546 Stuttgart
Mobile: +49 176 309 369 87

What3Words Address:
entfalten.jüngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann at daimler.com


Daimler AG
Domicile and Court of Registry: Stuttgart; Commercial Register No. 19360
Chairman of the Supervisory Board: Manfred Bischoff
Board of Management: Dieter Zetsche (Chairman),
Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber

-----Original Message-----
From: Herrmann, David Christian (059)
Sent: Tuesday, 18 December 2018 09:24
To: 'Dmitry Telegin' <dt at acutus.pro>; keycloak-user at lists.jboss.org
Subject: Re: Re: [keycloak-user] Cross Realm authorization

Hi Dmitry,

I used Keycloak 4.5.0.Final to test the implementation.

With kind regards

David Herrmann


-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Tuesday, 18 December 2018 02:10
To: Herrmann, David Christian (059) <david_christian.herrmann at daimler.com>; keycloak-user at lists.jboss.org
Subject: Re: Re: [keycloak-user] Cross Realm authorization

David,

Which version of Keycloak are you using?

The authorization subsystem undergoes changes from release to release, so I'm going to double-check that BeerCloak works with the recent Keycloak versions and update it if necessary.

Cheers,
Dmitry

On Mon, 2018-12-17 at 13:09 +0000, david_christian.herrmann at daimler.com wrote:
> Hi Dmitry,
>
> I implemented it based on BeerCloak.
>
> Here in AbstractAdminResource.java:
>
> AuthenticationManager.AuthResult authResult =
>     authManager.authenticateBearerToken(session, realm);
>
> if (authResult == null) {
>     throw new NotAuthorizedException("Bearer");
> }
>
> Still results in Unauthorized.
>
> I tried it with a user in the master realm that has "view-users" for the user realm, and with an admin user from the master realm. Both resulted in a 401 at the mentioned code point.
>
> The realm is set to the master realm and the session seems to be injected ... Any ideas?
>
> With kind regards
>
> David Herrmann
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of david_christian.herrmann at daimler.com
> Sent: Monday, 17 December 2018 08:29
> To: dt at acutus.pro; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
>
> Hi Dmitry,
>
> Thanks for your answer and the link to your project! I will try this out.
>
> With kind regards
>
> David Herrmann
>
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Monday, 17 December 2018 05:09
> To: Herrmann, David Christian (059) <david_christian.herrmann at daimler.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Cross Realm authorization
>
> Hello David,
>
> Please take a look at how it is done in BeerCloak:
> https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/main/java/beercloak/resources
>
> All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms.
>
> (Some musings: I dream of having AdminRealmResourceProvider with all
> that stuff OOTB; the idea has been around for years, but I'm afraid we
> won't have it in Keycloak anytime soon. Luckily, this can be done at a
> low price of introducing some boilerplate code into your project.)
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote:
> > Hello,
> >
> > We implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
> >
> > AuthenticationManager.AuthResult authResult =
> >     authManager.authenticateBearerToken(session);
> >
> > if (authResult == null) {
> >     throw new NotAuthorizedException("Bearer token required");
> > }
> >
> > and
> >
> > if (!auth.hasClientRole(client, "view-users")) {
> >     throw new NotAuthorizedException("Necessary permission not available");
> > }
> >
> > We now have the problem that we want to access the endpoint with technical users which are in the master realm, to separate them from the real end users.
> >
> > So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.
> >
> > Here
> >
> > AuthenticationManager.AuthResult authResult =
> >     authManager.authenticateBearerToken(session);
> >
> > if (authResult == null) {
> >     throw new NotAuthorizedException("Bearer token required");
> > }
> >
> > always results in Unauthorized.
> >
> > Looking at the code and testing, I think cross-realm authentication is not possible with authenticateBearerToken(). Correct? Do you have a suggestion how to achieve our goal?
> >
> > With kind regards
> >
> > David Herrmann
> >
> >
> > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

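The cross-realm check that the thread attributes to BeerCloak's AbstractAdminResource, written out as an added example. This is not code from BeerCloak, from Keycloak, or from the poster; it is written against the Keycloak 4.x server SPI that the thread discusses (AppAuthManager, AdminAuth, AdminPermissions, JWSInput). It assumes the resource is the object returned by a RealmResourceProvider registered for the user realm, so that session.getContext().getRealm() is the realm from the request path; the class name, the "search" sub-path, the "name"/"value" query parameters and the package are illustrative. The point it demonstrates is the one behind the 401 in the thread: authenticateBearerToken(session) verifies the token against the realm in the request path, so a token issued by master can never pass there. The token has to be verified against the realm that issued it, and only the permission check is evaluated against the realm the endpoint belongs to.

```java
package example.crossrealm;  // hypothetical package name, not BeerCloak's

import java.util.List;
import java.util.stream.Collectors;

import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;

import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;

/**
 * Added example (not BeerCloak's or Keycloak's code): JAX-RS resource returned by a
 * RealmResourceProvider mounted in the user realm. Callers present a bearer token
 * issued by the master realm; the token is verified against the realm that issued
 * it, and "view-users" is then evaluated against the realm the endpoint lives in.
 */
public class CrossRealmUserSearchResource {

    private final KeycloakSession session;
    private final RealmModel targetRealm;  // realm from the request path (the user realm)

    public CrossRealmUserSearchResource(KeycloakSession session) {
        this.session = session;
        this.targetRealm = session.getContext().getRealm();
    }

    /** Authenticate the caller against the realm named in the token's issuer claim. */
    private AdminAuth authenticate() {
        AppAuthManager authManager = new AppAuthManager();
        String tokenString = authManager.extractAuthorizationHeaderToken(
                session.getContext().getRequestHeaders());
        if (tokenString == null) {
            throw new NotAuthorizedException("Bearer");
        }

        // Parse, but do not yet trust, the token: only its issuer is used, to pick the
        // realm whose keys must verify it. Everything else waits for authenticateBearerToken.
        AccessToken unverified;
        try {
            unverified = new JWSInput(tokenString).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            throw new NotAuthorizedException("Bearer token format error");
        }
        String issuer = unverified.getIssuer();
        String issuerRealmName = issuer.substring(issuer.lastIndexOf('/') + 1);
        RealmModel issuerRealm = new RealmManager(session).getRealmByName(issuerRealmName);
        if (issuerRealm == null) {
            throw new NotAuthorizedException("Unknown realm in token");
        }

        // Signature, issuer, expiry and user session are checked against the ISSUING realm.
        // authenticateBearerToken(session) would use the path realm instead, which is why a
        // master-realm token produces the 401 discussed in the thread.
        AuthenticationManager.AuthResult authResult =
                authManager.authenticateBearerToken(session, issuerRealm);
        if (authResult == null) {
            throw new NotAuthorizedException("Bearer");
        }
        ClientModel client = issuerRealm.getClientByClientId(authResult.getToken().getIssuedFor());
        if (client == null) {
            throw new NotFoundException("Could not find client for authorization");
        }
        return new AdminAuth(issuerRealm, authResult.getToken(), authResult.getUser(), client);
    }

    @GET
    @Path("search")
    @Produces(MediaType.APPLICATION_JSON)
    public List<UserRepresentation> searchByAttribute(@QueryParam("name") String attrName,
                                                      @QueryParam("value") String attrValue) {
        AdminAuth auth = authenticate();

        // Permission is evaluated for the TARGET realm, not the issuing one. For a master
        // realm caller this resolves "view-users" on the <targetRealm>-realm client in
        // master; for a caller from the target realm itself, on its realm-management
        // client; a token from any other realm is rejected with 403 by the evaluator.
        AdminPermissions.evaluator(session, targetRealm, auth).users().requireView();

        return session.users().searchForUserByUserAttribute(attrName, attrValue, targetRealm)
                .stream()
                .map(u -> ModelToRepresentation.toRepresentation(session, targetRealm, u))
                .collect(Collectors.toList());
    }
}
```

With a provider id of, say, user-search (an assumed name), a technical user in master that holds view-users on the <user-realm>-realm client would call GET /auth/realms/<user-realm>/user-search/search?name=department&value=RD with the master-issued access token in the Authorization header. Two things are worth keeping as written: the unverified parse reads nothing but the issuer claim, and the realm it names is only used to select the verifying keys, so a forged issuer cannot gain anything beyond a failed signature check; and the role check is delegated to AdminPermissions rather than to a hand-rolled hasClientRole test, because that evaluator already knows which client in which realm carries the admin roles for a given issuer/target pair and refuses every other combination.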