Re: [keycloak-dev] Looking for a workaround...
by Stian Thorgersen
Adding list back to thread, please remember to reply to all
----- Original Message -----
> From: "Michael Gerber" <gerbermichi(a)me.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Sent: Monday, January 26, 2015 2:10:59 PM
> Subject: Re: [keycloak-dev] Looking for a workaround...
>
>
>
> ----- Original Message -----
> From: "Michael Gerber" <gerbermichi(a)me.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, January 26, 2015 1:37:53 PM
> Subject: [keycloak-dev] Looking for a workaround...
> Hi all,
> I receive a lot of bug reports from our test team because of the following
> two issues:
> - Reset password leads to 400 Bad Request (
> https://issues.jboss.org/browse/KEYCLOAK-1014 )
>
> This is a tricky one - we can't ignore the state variable as that would make
> it vulnerable.
>
> We could probably come up with an alternative way to generate and verify
> state variable though. Could be a HMAC for example.
> So you would remove the state cookie?
It could potentially be a solution - I started a separate thread on keycloak-dev to discuss this.
>
>
> - Login attempt after "Login user action lifespan" leads to "Invalid username
> or password." ( https://issues.jboss.org/browse/KEYCLOAK-1015 )
>
> I agree that the error message is not very good, but I disagree with removing
> the expiration. Why not increase it to say 30 min? That's probably a more
> sensible timeout for reset password as well.
> I prefer an expiration of 5 min for the password update process, but that's a
> bit short for the authentication or password reset process.
> I think the best solution would be different expiration times for the
> different processes, wouldn't it?
Maybe - we do try to keep configuration options to a minimum as these introduce complexity as well as potentials for bug/security issues.
>
>
> Do you have any good ideas for a workaround?
> Best
> Michael
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
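The HMAC-based state Stian mentions above, worked through as an added example (not Keycloak's code): the state value carries a random nonce, an issue time and an HMAC over nonce, time and client id, so the server can verify it without a browser cookie. The key, the client id and the 5-minute window are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed demo key; a real deployment would hold a per-realm secret.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, client_id: str, nonce: bytes, issued_at: int) -> bytes:
    # Bind the MAC to the client that started the flow and to the issue time.
    msg = b"|".join([client_id.encode(), nonce, str(issued_at).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_state(key: bytes, client_id: str, now=None) -> str:
    """Return a self-verifying state: nonce.issued_at.mac (base64url parts)."""
    nonce = os.urandom(16)
    issued_at = int(time.time()) if now is None else now
    mac = _mac(key, client_id, nonce, issued_at)
    return ".".join([_b64u(nonce), str(issued_at), _b64u(mac)])


def verify_state(key: bytes, client_id: str, state: str, max_age=300, now=None) -> bool:
    """Accept only a well-formed, unexpired state whose MAC matches this client."""
    try:
        nonce_s, issued_s, mac_s = state.split(".")
        nonce = _b64u_decode(nonce_s)
        issued_at = int(issued_s)
        mac = _b64u_decode(mac_s)
    except (ValueError, TypeError):
        return False
    current = int(time.time()) if now is None else now
    if issued_at > current or current - issued_at > max_age:
        return False
    # Constant-time comparison so a forged MAC cannot be refined byte by byte.
    return hmac.compare_digest(_mac(key, client_id, nonce, issued_at), mac)
```

Such a state proves the server issued it recently for that client, but not that the same browser started the flow; that is the trade-off against the cookie-bound check.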
Rest Service authentication.
by Juan Escot
Hi,
I'm developing an application with AngularJS and Rest Services. I'm using
Keycloak for authentication and role management.
My Angular project is registered as 'confidential' and works fine. It
refreshes tokens and sends them in a header like this: 'Authorization:Bearer
eyJhbGciOiJSUzI1Ni...'
My Java project is defined as 'bearer only' and is developed with Java
EJBs as Rest Services. I need more control over permissions and roles, so I
don't want to secure my project with security-constraints in web.xml. I'd
like to get user info and roles inside my Rest methods from the token received.
I have checked I received the token with this line:
String token = request.getHeader("authorization");
But I can't get any additional information about the user. I have tried
different approaches but I can't find a solution. Could I have a Keycloak
object with user info?
This is a fragment of my code with all my attempts:
@Stateless
@LocalBean
@Path("/promociones")
@SecurityDomain("keycloak")
public class PromocionRest {
    @Context
    HttpServletRequest request;
    @Context
    SecurityContext securityContext;
    @Resource
    SessionContext sc;

    @GET
    @Produces("application/json")
    @Path("/list")
    //@RolesAllowed({ "user" }) <-- If I use this annotation I get an error.
    @PermitAll
    public RespuestaListaBase<Promocion> listadoPromociones(...){
        KeycloakPrincipal principal = (KeycloakPrincipal) securityContext.getUserPrincipal();
        KeycloakSecurityContext session = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (sc != null && sc.getCallerPrincipal() != null) {
            System.out.println("Principal's name according to EJB: " + sc.getCallerPrincipal().getName());
        }
        System.out.println("Is user in role 'user'? " + request.isUserInRole("user"));
        // getHeader("authorization") returns the full value "Bearer eyJ...", prefix included.
        String token = request.getHeader("authorization");
        HttpClient client = new HttpClientBuilder().disableTrustManager().build();
        try {
            String url = request.getRequestURL().toString();
            url = url.substring(0, url.indexOf('/', 8));
            HttpGet get = new HttpGet(url + "/auth/admin/realms/demo/roles");
            // Forward the header value as received; prepending "Bearer " again would
            // send "Bearer Bearer eyJ..." and the server rejects that as unauthorized.
            get.addHeader("Authorization", token);
            try {
                HttpResponse response = client.execute(get);
                if (response.getStatusLine().getStatusCode() != 200) {
                    //throw new Failure(response.getStatusLine().getStatusCode());
                }
                HttpEntity entity = response.getEntity();
                InputStream is = entity.getContent();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
I also have configured jboss-web.xml like this:
<jboss-web>
    <security-domain>keycloak</security-domain>
</jboss-web>
And web.xml like this:
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
Some notes about the code:
- KeycloakPrincipal principal =
(KeycloakPrincipal)securityContext.getUserPrincipal(); <-- principal is
always null
- KeycloakSecurityContext session = (KeycloakSecurityContext)
request.getAttribute(KeycloakSecurityContext.class.getName()); <-- session
is always null
- sc.getCallerPrincipal().getName() <-- returns 'anonymous', so it seems it
isn't taking security-domain?
- request.isUserInRole("user") <-- returns null
- HttpResponse response = client.execute(get) <-- throws an exception:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
- If I use @RolesAllowed({ "user" }) annotation I get this error: JBAS014502:
The invocation is not allowed in the method
- String token = request.getHeader("authorization"); <-- I get
'Authorization:Bearer eyJhbGciOiJSUzI1Ni...'
I suppose I'm doing it wrong, but I don't know what the correct form is.
Could I get user information from token received?
Thanks in advance,
Juan Escot
Provider modules
by Stian Thorgersen
As I said to make sure we're all on the same page here's my view on what we've just discussed:
1. A user creates a module for the provider
2. The user copies the module into '/modules'
3. The user registers the module with the auth-server subsystem. This can be done either by directly editing standalone.xml or through CLI. Example snippet from standalone.xml would look like:
<subsystem xmlns="urn:jboss:domain:keycloak:1.0">
    <auth-server name="main-auth-server">
        <enabled>true</enabled>
        <web-context>auth</web-context>
        <providers>
            <module name="org.acme.userprovider" />
            <module name="org.acme.anotherprovider" />
        </providers>
    </auth-server>
</subsystem>
4. When a new provider module is registered Keycloak would need to be reloaded
This will require some changes to how Keycloak loads/finds providers as it needs to not only look in its own ClassPath for providers, but also in all ModuleClassPath that is referenced in the subsystem.
reset password leads to no state cookie
by Michael Gerber
Hi
I use the wildfly adapter and receive a "No state cookie" error message if I open the reset password link in another browser.
It's totally clear why I receive this message, because my cookie does not exist anymore. But that looks a bit strange for a user.
Is there a workaround to fix this issue?
Best
Michael
Importing users to Keycloak
by James Scicluna
Hello Keycloak Team,
at Medeo we are currently evaluating the possibility of using Keycloak as our authorization provider. In particular we are very excited about the comprehensive feature set that Keycloak offers.
Our users (and authorization) are currently handled by our main application but we want to move them out to a separate authorization provider for SSO. So far we thought about doing this in two ways:
- replicate our database, connect it to Keycloak and implement the matching hashing algorithms for user passwords
- federate the users to our existing database
Are these two plausible solutions? And, are there any other possible solutions?
Thank you
--
James Scicluna
SOFTWARE ENGINEER
Stay Healthy.
@medeo<http://twitter.com/medeo>
Office +1 888-297-2973
Fax +1 604-608-9761
For Health Providers medeohealth.com<http://www.medeohealth.com/>