[keycloak-user] keycloak proxy - How to hide the path after the TLD

kevin_walsh at deichmann.com kevin_walsh at deichmann.com
Thu Jan 25 04:55:01 EST 2018


Dear list,

I need to access static html views of our documentation server after 
authenticating users using keycloak.

The html views are available at 
http://documentation:8090/view/department1
http://documentation:8090/view/department2
http://documentation:8090/view/department3
...

My idea was to use the keycloak proxy as follows:
keycloak-proxy:8081 for department1
keycloak-proxy:8082 for department2
keycloak-proxy:8083 for department3
...

BUT I would like my users to see only keycloak_proxy:8081 not the 
following path, while they get the information of the respective path. Can 
I do this with keycloak proxy and which settings would I need?
In a next step I need to add a proxy for Internet users to access the 
keycloak-proxy to hide even the "keycloak-proxy:PORT".

My current proxy_department1.json is this (obviously without any path 
mappings):

-begin-----------------------------------------------------------------------
{
  "target-url": "http://documentation:8090",
  "bind-address": "0.0.0.0",
  "http-port": "8081",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "Manuals",
        "auth-server-url": "http://keycloak-proxy:8080/auth",
        "ssl-required": "none",
        "resource": "keycloak-proxy",
        "credentials": {"secret": "1234"},
        "use-resource-role-mappings": false,
        "confidential-port": 0
      },
      "constraints": [
        {
          "pattern": "*",
          "roles-allowed": ["manuals_user"]
        },
        {
          "pattern": "/view/manuals/*",
          "roles-allowed": ["manuals_user"]
        }
      ]
    }
  ]
}
-end-----------------------------------------------------------------------



Thank you & kind regards

Kevin Walsh

IT Software Development  |  Documentation

Phone: +49 201 8676 932
Fax: +49 201 8676 49932
Mobile: +49 177 6664666
kevin_walsh at deichmann.com
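To see what the posted proxy_department1.json actually enforces, here is an added Python model of how an adapter-style "constraints" list decides which role a request path needs. It is not keycloak-proxy's own code: the matching rules ("*" matches everything, a trailing "/*" is a path prefix, anything else must match exactly, the most specific pattern wins) are an assumption modelled on servlet security constraints, and the config is the one quoted above embedded so the script runs offline. The helper with_department_constraints goes beyond the posted config and shows what per-department patterns would look like.

```python
"""Model of constraint evaluation for the posted keycloak-proxy config.
Added example; the matching rules are an assumption (servlet-style), not the
proxy's real implementation. Check behaviour against the proxy docs."""
import copy
import json
from typing import Dict, List, Optional, Set

# The proxy_department1.json from the mail, embedded so this runs offline.
PROXY_CONFIG = json.loads("""
{"target-url": "http://documentation:8090", "bind-address": "0.0.0.0", "http-port": "8081",
 "applications": [{"base-path": "/",
   "adapter-config": {"realm": "Manuals", "auth-server-url": "http://keycloak-proxy:8080/auth",
                      "ssl-required": "none", "resource": "keycloak-proxy",
                      "credentials": {"secret": "1234"}, "use-resource-role-mappings": false,
                      "confidential-port": 0},
   "constraints": [{"pattern": "*", "roles-allowed": ["manuals_user"]},
                   {"pattern": "/view/manuals/*", "roles-allowed": ["manuals_user"]}]}]}
""")


def _specificity(pattern: str, path: str) -> Optional[int]:
    """How specifically `pattern` matches `path`; None if it does not match.
    Exact match beats a path prefix, a longer prefix beats a shorter one,
    and the catch-all "*" is the least specific of all (assumed rules)."""
    if pattern in ("*", "/*"):
        return 0
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return 1 + len(prefix)
        return None
    return 10_000 if path == pattern else None


def required_roles(config: Dict, path: str) -> Set[str]:
    """Roles a caller must hold to reach `path` through this proxy.
    Empty set: no constraint matched, so the path would be open."""
    best: Optional[int] = None
    roles: Set[str] = set()
    for app in config["applications"]:
        if not path.startswith(app["base-path"]):
            continue
        for constraint in app.get("constraints", []):
            score = _specificity(constraint["pattern"], path)
            if score is not None and (best is None or score > best):
                best, roles = score, set(constraint.get("roles-allowed", []))
    return roles


def is_allowed(config: Dict, path: str, user_roles: Set[str]) -> bool:
    """True when the user's roles satisfy the most specific matching constraint."""
    needed = required_roles(config, path)
    return not needed or bool(needed & user_roles)


def with_department_constraints(config: Dict, departments: List[str]) -> Dict:
    """Copy of `config` where /view/<dept>/* additionally requires <dept>_user
    (hypothetical role names). The prefix pattern outranks "*", so the
    department role, not the general manuals_user role, decides for those paths."""
    strict = copy.deepcopy(config)
    for app in strict["applications"]:
        for dept in departments:
            app.setdefault("constraints", []).append(
                {"pattern": f"/view/{dept}/*", "roles-allowed": [f"{dept}_user"]})
    return strict


if __name__ == "__main__":
    strict = with_department_constraints(PROXY_CONFIG, ["department1", "department2"])
    for path in ("/view/department1", "/view/department2", "/view/manuals/index.html"):
        print(path, "posted config:", required_roles(PROXY_CONFIG, path),
              "per-department:", required_roles(strict, path))
```

Run against the posted config, every path under "/" requires the same manuals_user role, so the second constraint ("/view/manuals/*") is redundant and a user who can open department1 through port 8081 can also request /view/department2 through that same proxy, because the proxy forwards the request path unchanged to target-url. Splitting departments across ports hides nothing by itself; restricting who sees which department has to come from the patterns and roles, as the per-department variant illustrates.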



From:    keycloak-user-request at lists.jboss.org
To:      keycloak-user at lists.jboss.org
Date:    24.01.2018 14:26
Subject: keycloak-user Digest, Vol 49, Issue 49 <Virus checked>
Sent by: keycloak-user-bounces at lists.jboss.org



Send keycloak-user mailing list submissions to
                 keycloak-user at lists.jboss.org

To subscribe or unsubscribe via the World Wide Web, visit
                 https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
                 keycloak-user-request at lists.jboss.org

You can reach the person managing the list at
                 keycloak-user-owner at lists.jboss.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-user digest..."


Today's Topics:

   1. Re: Possibility to set new Provider in authentication flow
      for non-unique usernames (Dominik Guhr)
   2. Re: Validate User Credentials Without Creating a Session
      (Marek Posolda)
   3. Re: DB changes not refreshing on cluster nodes. (Marek Posolda)
   4. Re: DB changes not refreshing on cluster nodes. (Angel Abella)


----------------------------------------------------------------------

Message: 1
Date: Wed, 24 Jan 2018 12:52:58 +0100
From: Dominik Guhr <pinguwien at gmail.com>
Subject: Re: [keycloak-user] Possibility to set new Provider in
                 authentication flow for non-unique usernames
To: keycloak-user at lists.jboss.org
Message-ID: <43b5c623-a20c-0c17-fab3-bd7d19f126d7 at gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed

p.s. one provider uses Kerberos for Authentication, other does not.

On 24.01.18 at 12:51, Dominik Guhr wrote:
> So, further investigation notes:
> 
> I think I should call the Provider like it's done here:
> https://github.com/keycloak/keycloak/blob/master/examples/providers/user-storage-jpa/src/main/java/org/keycloak/examples/storage/user/EjbExampleUserStorageProviderFactory.java
> in the create method, which allows me to call the corresponding 
> isValid(...) method of the required providers and only set the boolean 
> return value of validatePassword to false if the credentials doesn't 
> match in any of the providers.
> 
> But to call this for ldap-providers set by admin interface, I need two 
> things:
> 
> a) a Componentmodel.
> Concrete Question: Anyone knows how to get the right ComponentModel 
> instance to use from my AuthenticationFlowContext of 
> AbstractUsernameFormAuthenticator.java? I've seen that it's possible to 
> get a List of ComponentModels by calling 
> context.getRealm().getComponents(), or by getComponent(String s), but I 
> don't know which String would be the valid parameter or which Model I 
> should take out of the List.
> 
> b) the lookup-path.
> Concrete question 2: Anyone knows how to get it from the internally used
> Factories or s.th.?
> 
> My Providers are 2 ldap directories which I want to iterate over for the
> username.
> 
> Thanks in advance!
> 
> Best regards,
> Dominik
> 
> On 24.01.18 at 09:27, Dominik Guhr wrote:
>> Hi everyone,
>>
>> I'm implementing an authentication SPI execution on top of the
>> "normal" username/password form of kc 3.4.3.Final. ->
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java
>>
>> Sadly, usernames are not unique atm, so I need to change the 
>> execution, so that it doesn't stop with "invalid credentials" for a 
>> user who was found in one Provider.
>>
>> Instead of giving the "invalid credentials"-error, I want my execution 
>> to first check all other providers for the same username, and then 
>> check the credentials against all matches. And just in case of no 
>> credentials matching, it should fail, or login a new session for this 
>> user when one is found in any of my (3) Providers, which are added by 
>> user federation feature (2 ADs, one by a custom user storage SPI).
>>
>> So I drilled it down to the method validatePassword(...) in
>> AbstractUsernameFormAuthenticator.java ->
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java
>> line 191, which I want to change accordingly. Sadly, I can't find a
>> method to get all Providers of the realm and check accordingly. The
>> code I want to change is:
>>
>> if (password != null && !password.isEmpty() &&
>>         context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
>>     return true;
>> } else {...}
>>
>> instead of just checking isValid() for one provider, which is what 
>> this does atm, I want to check all Providers. Like this pseudocode:
>>
>> if (password != null && !password.isEmpty() &&
>>         context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
>>     boolean isValid = false;
>>     List<Provider> realmProviders = context.getAllProviders();
>>     for (Provider provider : realmProviders) {
>>         // succeed as soon as any provider accepts the credentials
>>         isValid = isValid || provider.isValid(...);
>>     }
>>     return isValid;
>> } else {...}
>> Could anyone perhaps give me a hint in how to achieve this? I haven't 
>> found a method yet to get all Providers and check for isValid in any 
>> of the given ones.
>>
>> Best regards,
>> Dominik
>>
>> p.s. I created a stackoverflow question here:
>> https://stackoverflow.com/questions/48399622/keycloak-check-password-in-more-than-one-identity-provider
>> feel free to comment/answer there :)


------------------------------

Message: 2
Date: Wed, 24 Jan 2018 13:59:05 +0100
From: Marek Posolda <mposolda at redhat.com>
Subject: Re: [keycloak-user] Validate User Credentials Without
                 Creating a Session
To: Scott Finlay <scott.finlay at sixt.com>,
                 "keycloak-user at lists.jboss.org" 
<keycloak-user at lists.jboss.org>
Message-ID: <97c207c9-6f96-bd7c-b37f-27449b0b033a at redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi Scott,

it's not available OOTB, but you can add your own REST endpoint to 
verify username/password. Or alternatively you can just do directGrant 
login (OAuth2 Resource Owner Password Credentials Grant) and then logout 
session.

Marek

On 23/01/18 09:49, Scott Finlay wrote:
> Hi,
>
> We're currently using Keycloak 2.5.5.Final, and in this version it's not
> possible to validate a user's credentials (username / password combination)
> without actually logging the user in which results in a session (and our
> sessions are long-lived). Is there any new functionality introduced in the
> later versions of Keycloak to validate the credentials without actually
> logging the user in?
>
> Our use-case is that we have very long-lived tokens, but we want to
> require the user to re-enter his/her password in order to perform some
> certain sensitive tasks such as changing the password or username.
>
> If such functionality is not available, would it be possible to add this?
>
> Regards,
>
> Scott
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
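The workaround Marek describes (a direct grant followed by a logout of the session it created), as an added Python example that is not Keycloak's own code. The endpoint paths are Keycloak's standard openid-connect token and logout endpoints; the base URL, realm name, client id and client secret are assumptions. The HTTP transport is injectable, and the FakeKeycloak class is a constructed stand-in for both endpoints so the exchange can be exercised offline.

```python
"""Verify a username/password with the OAuth2 Resource Owner Password
Credentials grant ("direct grant") and immediately end the session it created.
Added example, not Keycloak's own code; base URL, realm and client are assumed."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, NamedTuple, Tuple
from urllib.parse import urlencode

# transport(url, form) -> (http_status, parsed_json_body_or_empty_dict)
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict]]


def urllib_transport(url: str, form: Dict[str, str]) -> Tuple[int, Dict]:
    """POST an application/x-www-form-urlencoded body (what both endpoints expect)."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else {})
    except urllib.error.HTTPError as err:
        body = err.read()
        return err.code, (json.loads(body) if body else {})


class VerifyResult(NamedTuple):
    valid: bool           # credentials accepted by the token endpoint
    session_closed: bool  # False means a session is still alive and must be cleaned up


def verify_password(base_url: str, realm: str, client_id: str, client_secret: str,
                    username: str, password: str,
                    transport: Transport = urllib_transport) -> VerifyResult:
    """Re-authentication check: direct grant, then logout of the new session."""
    token_url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    logout_url = f"{base_url}/realms/{realm}/protocol/openid-connect/logout"
    status, body = transport(token_url, {
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password, "scope": "openid",
    })
    if status != 200 or "refresh_token" not in body:
        # invalid_grant (wrong password), disabled user, etc.: nothing was created
        return VerifyResult(valid=False, session_closed=True)
    # The grant created a user session; revoke it so the check leaves nothing behind.
    status, _ = transport(logout_url, {
        "client_id": client_id, "client_secret": client_secret,
        "refresh_token": body["refresh_token"],
    })
    return VerifyResult(valid=True, session_closed=status in (200, 204))


class FakeKeycloak:
    """Constructed stand-in for the two endpoints: one user (alice / s3cret),
    one client secret, and a record of which sessions are still alive."""
    def __init__(self) -> None:
        self.active_sessions = set()
        self.calls = []
        self._counter = 0

    def __call__(self, url: str, form: Dict[str, str]) -> Tuple[int, Dict]:
        self.calls.append(url.rsplit("/", 1)[-1])
        if form.get("client_secret") != "client-secret":
            return 401, {"error": "unauthorized_client"}
        if url.endswith("/token"):
            if (form.get("grant_type") == "password"
                    and form.get("username") == "alice" and form.get("password") == "s3cret"):
                self._counter += 1
                refresh = f"refresh-{self._counter}"
                self.active_sessions.add(refresh)
                return 200, {"access_token": "access-token", "refresh_token": refresh,
                             "token_type": "bearer"}
            return 401, {"error": "invalid_grant", "error_description": "Invalid user credentials"}
        if url.endswith("/logout"):
            self.active_sessions.discard(form.get("refresh_token", ""))
            return 204, {}
        return 404, {}


if __name__ == "__main__":
    fake = FakeKeycloak()
    print(verify_password("https://sso.example.test/auth", "demo", "reauth-client",
                          "client-secret", "alice", "s3cret", transport=fake))
    print("sessions left:", fake.active_sessions)
```

Use a dedicated confidential client with "Direct Access Grants Enabled" for this, keep it off every other client, and only send the grant over TLS, since the user's password travels in the request body. Brute-force protection applies to this grant like any other login. Treat session_closed == False as an error to handle, not ignore: the check succeeded but a session is still alive.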




------------------------------

Message: 3
Date: Wed, 24 Jan 2018 14:00:56 +0100
From: Marek Posolda <mposolda at redhat.com>
Subject: Re: [keycloak-user] DB changes not refreshing on cluster
                 nodes.
To: Angel Abella <aabella at bkool.com>, keycloak-user at lists.jboss.org
Message-ID: <f29aac0f-e038-b725-9e81-68bfe0fb3f2d at redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed

I guess your cluster is not correctly setup, hence the node doesn't 
correctly propagate invalidation event to the other nodes and those 
nodes still see the stale entries in their cache. See Keycloak 
clustering documentation for more details how to setup/troubleshoot it.

Marek

On 23/01/18 13:01, Angel Abella wrote:
> Hello list!
>
> We are experiencing some problems with our standalone-ha setup of
> Keycloak 2.4.0.
> Everything works as expected except when a user changes a password or is
> added or removed from a group. When this happens the node making the
> change is aware of it, but the other one does not until it is restarted.
>
> Any idea of what is going on?
>



------------------------------

Message: 4
Date: Wed, 24 Jan 2018 14:16:14 +0100
From: Angel Abella <aabella at bkool.com>
Subject: Re: [keycloak-user] DB changes not refreshing on cluster
                 nodes.
To: Marek Posolda <mposolda at redhat.com>
Cc: keycloak-user at lists.jboss.org
Message-ID:
 <CAAGXFYyqzqsR7Hs5+ZdOM2N5-VuPdurMdvsDx58LFrJg5Q8oow at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I've revised docs but everything seems to be ok.
I am attaching the configuration file just in case someone can see what I'm
missing.

2018-01-24 14:00 GMT+01:00 Marek Posolda <mposolda at redhat.com>:

> I guess your cluster is not correctly setup, hence the node doesn't
> correctly propagate invalidation event to the other nodes and those
> nodes still see the stale entries in their cache. See Keycloak clustering
> documentation for more details how to setup/troubleshoot it.
>
> Marek
>
>
> On 23/01/18 13:01, Angel Abella wrote:
>
>> Hello list!
>>
>> We are experiencing some problems with our standalone-ha setup of
>> Keycloak 2.4.0.
>> Everything works as expected except when a user changes a password or is
>> added or removed from a group. When this happens the node making the
>> change is aware of it, but the other one does not until it is restarted.
>>
>> Any idea of what is going on?
>>
>


-- 
Angel Abella
*IT *
*BKOOL* *Connect* *| Sport*
mail: aabella at bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone-ha.xml
Type: text/xml
Size: 30861 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180124/c4443609/attachment.xml


------------------------------

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

End of keycloak-user Digest, Vol 49, Issue 49
*********************************************


-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.gif
Type: image/gif
Size: 4157 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180125/6163389e/attachment.gif 

