Scope Param with Keycloak
by Tomas Cerny
Hi all,
I am trying to use the scope param with Keycloak, which is part of OpenID
Connect:
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is a sample URL (from
https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest
), which is:
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
Note the state param there.
With Keycloak this is my auth URL:
http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl...
When I pass the scope param, it is ignored.
Does Keycloak support the scope param? Can I intercept it to make a custom
handler (e.g. to look up DB data)?
Sample use case: Keycloak has my custom UserFederation provider where I
issue a user lookup to my SQL DB and determine access; next, based on the
scope, I would like to post back to the app the roles relevant to the scope param.
I know Keycloak has static roles, but I need it contextual, such as: the user
is master in scope = A, but reader in scope = B. Since the range of scopes
is dynamic and large, the use of client IDs is not sufficient.
I assume the scope can help me solve situations such as "am I the owner of an
object?"
I did days of debugging Keycloak code and cannot find much, even though
there is OAuth2Constants.Scope, but maybe that is something different?
And I see some dead sample here: FishEye: changeset
d309fab8251d95f50f94c77e4d08e6e8c2977994
<https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...>
The alternative, OpenAM, supports the scope param - OpenAM Project - About
OpenAM <http://openam.forgerock.org/>
Thanks, Tom
Here is a public users forum:
https://developer.jboss.org/message/934762#934762
7 years, 11 months
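Tom's contextual-roles idea above, as an added example (not from the post and not Keycloak code): the scope parameter of the spec's sample request is parsed, and each requested scope is resolved against a server-side table standing in for Tom's SQL lookup, so a client can ask for any scope but only receives the roles the store actually holds for that user in that scope. The request URL, the CONTEXTUAL_ROLES table and the username are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the spec's example request, extended with two
# application scopes (project:A, project:B) alongside openid and profile.
AUTH_REQUEST = (
    "https://server.example.com/authorize?"
    "response_type=code&client_id=s6BhdRkqt3"
    "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
    "&scope=openid%20profile%20project:A%20project:B&state=af0ifjsldkj"
)

# Hypothetical server-side table standing in for a SQL lookup:
# (username, scope) -> roles the user holds within that scope.
CONTEXTUAL_ROLES = {
    ("tom", "project:A"): {"master"},
    ("tom", "project:B"): {"reader"},
}

def parse_scopes(url):
    """Return the requested scopes as a list (space-delimited, percent-encoded)."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()

def resolve_roles(username, requested_scopes):
    """Map each requested scope to the roles the user holds in it.

    'openid' must be present for an OIDC request. Scopes with no mapping
    for this user are dropped, never granted: the requested scope list is
    client-controlled input, so asking for a scope must not confer it.
    """
    if "openid" not in requested_scopes:
        raise ValueError("not an OIDC request: 'openid' scope missing")
    granted = {}
    for scope in requested_scopes:
        roles = CONTEXTUAL_ROLES.get((username, scope))
        if roles:
            granted[scope] = sorted(roles)
    return granted
```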
changes to browser-based flows
by Bill Burke
FYI: Not important if you are uninterested in design.
Prior to my last commit, if you hit the browser refresh button you would
either have had the authentication flow completely reset or received an
error page. Also, changing the locale on some required-actions pages
would end up in an error condition.
So... to fix this I made some changes to browser-based flows:
* After any successful action processing (i.e. a form POST), the browser
is sent a 302 redirect to a "safer" page. If you are in the
authentication phase, then this redirect will be to
/authenticate?code={code}, registration /register?code={code}, reset
credentials /reset-credentials?code={code}, required actions
/required-action?code={code}. When these URIs are executed, Keycloak
will figure out where the user is in the flow and render things
appropriately.
* After authentication, the browser will be 302 redirected to
/required-action?code={code}
The reason for these changes is to support when the user clicks the
browser refresh button. The refresh button will resubmit the previous
request. Prior to this change there were issues with this. For
example, previously, if there was a required action and you just logged
in via username and password, the URI in the browser would still point
to the username/password page even though the required action page was
being rendered. If the refresh button was hit, the previous username
password POST would be resent to the username/password page, Keycloak
would say "WTF are you doing?!?" and abort. There were similar issues
like this everywhere.
Other things affected by this fix:
* required actions no longer change the ACTION_KEY or the
ClientSessionModel.getAction().
* ClientSessionModel.getAction() will either be AUTHENTICATION,
REQUIRED_ACTIONS, EXECUTE_ACTIONS, LOGGED_OUT, or OAUTH_GRANT.
* After authentication, the flow manager will change the action from
AUTHENTICATION to REQUIRED_ACTIONS.
Overall, this is less performant as there are additional HTTP redirect
requests being thrown in, but should provide a better user experience.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 10 months
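The post-then-redirect behaviour Bill describes, as an added simulation in Python (not Keycloak's code): a successful form POST never renders a page itself but answers 302 to a code-carrying GET URI, the GET renders from the session's action rather than from the URI alone, and a stale re-POST against a stage the session has left is refused. The ClientSession and Action classes, the paths and the USERS credential store are constructed stand-ins.

```python
from enum import Enum

class Action(Enum):
    AUTHENTICATION = "AUTHENTICATION"
    REQUIRED_ACTIONS = "REQUIRED_ACTIONS"

class ClientSession:
    def __init__(self, code, required_actions):
        self.code = code                                # the {code} carried in the safe URIs
        self.action = Action.AUTHENTICATION
        self.required_actions = list(required_actions)  # constructed, e.g. ["UPDATE_PASSWORD"]

USERS = {"bob": "s3cret"}  # constructed credential store, plaintext only for the simulation

def handle_post(session, path, form):
    """Process a form POST. Success never renders a page directly: it answers
    302 to a GET-able URI, so a browser refresh repeats a harmless GET."""
    if path == "/authenticate" and session.action is Action.AUTHENTICATION:
        if USERS.get(form.get("username")) != form.get("password"):
            return (200, "login form with error")       # stays in AUTHENTICATION
        session.action = Action.REQUIRED_ACTIONS        # flow manager advances the action
        return (302, f"/required-action?code={session.code}")
    if path == "/required-action" and session.action is Action.REQUIRED_ACTIONS:
        done = form.get("action")
        if done in session.required_actions:
            session.required_actions.remove(done)       # the action key itself is unchanged
        return (302, f"/required-action?code={session.code}")
    # A stale POST (an old form resent against a stage the session has left)
    # is refused instead of being processed twice or resetting the flow.
    return (400, "request does not match the current flow state")

def handle_get(session, path):
    """Render from the session's position in the flow, not from the URI alone;
    repeating the GET (browser refresh) is idempotent."""
    if path not in ("/authenticate", "/required-action"):
        return (404, "unknown flow URI")
    if session.action is Action.REQUIRED_ACTIONS:
        if session.required_actions:
            return (200, f"required-action page: {session.required_actions[0]}")
        return (302, "/app-redirect-uri")               # flow finished
    return (200, "login form")
```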
Plan for "First login with identity brokers"
by Marek Posolda
I went again through all the previous discussions, related JIRAs and
requirements. As of now, my plan is to:
- Use the authentication SPI to handle the flow and related actions for
first social login (update user profile, detect duplicated account,
verify email or reauthenticate user if duplication is detected, create
social link to existing account). This allows the most flexibility for
admins to specify how exactly the linking should work.
- Detecting duplication will be based on email only by default (for
example, duplication is detected if a Facebook user with email
bob(a)gmail.com authenticates, but there is already a Keycloak user with
email bob(a)gmail.com). People can provide their own execution if
they want a different way to detect duplications.
- It seems more proper to postpone creating the user account until later,
once we know that there is no duplication. In other words, if "Update
profile on first login" is enabled, the user account is not yet created
when the update profile page is shown. All the info related to the
BrokeredIdentityContext stuff will be available on the ClientSession. This
seems to me an easier and more proper solution than creating a temporary
account with the email in some "temporary" attribute. Temporary accounts
have other challenges (a cleaner thread for deleting outdated unmerged
accounts, etc.).
- If "trustEmail" flag is on for IdentityProvider, the provider link
will be created automatically. (For example if Facebook user
bob(a)gmail.com authenticates for the first time and there is already
Keycloak user with email bob(a)gmail.com and trustEmail is on, the
Facebook link is automatically created for Keycloak account
bob(a)gmail.com without any additional verification)
- If the "trustEmail" flag is off, there would need to be another way to
verify the user before creating the social link. The user will first confirm
whether he wants to merge the accounts. Then there will be either:
-- Email verification: a mail will be sent to bob(a)gmail.com like
"Someone authenticated to Keycloak server http://www.keycloak.org:8080
through Facebook account bob(a)gmail.com and wants to link the Facebook
account with the existing Keycloak account bob(a)gmail.com. If it is you,
click here". After the user clicks, the social link is created.
-- Further authentication: the user will need to authenticate to the existing
bob(a)gmail.com Keycloak account through password (or OTP, or both, or
something else).
All of this is configurable through flows, so admin can disable the "Do
you want to create social link?" screen, or enforce email verification
instead of authentication, configure required authenticators etc.
- I am not sure if we want to handle just merging with an existing account
during first broker login, or if we also want to handle merging of
accounts in account management. For now, I am planning to handle just
the login flow and possibly address account management later if there is
a need for it. Merging accounts in account management might be quite a
challenge, as it is a merge of 2 already existing user accounts with
various issues related to it (Which roles/permissions should the merged
account have? Which attributes should it have? Which federation link?
etc.). But at least, I am planning to address the issue with the redirect to
the login form's error screen instead of staying in account management -
https://issues.jboss.org/browse/KEYCLOAK-1822
Marek
8 years, 10 months
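Marek's first-broker-login decision, as an added example (not Keycloak's implementation): an existing federation link short-circuits everything, duplicates are detected by email, automatic linking happens only when trustEmail is on, and otherwise the outcome is "verify", which creates the link only after the user has proved ownership of the existing account. The BrokeredIdentityContext and IdentityProviderConfig classes and the users/links stores are constructed stand-ins.

```python
from dataclasses import dataclass

@dataclass
class BrokeredIdentityContext:
    """What the broker (e.g. Facebook) asserted about the user; constructed."""
    broker_user_id: str
    email: str

@dataclass
class IdentityProviderConfig:
    alias: str
    trust_email: bool = False

def first_broker_login(ctx, idp, users, links):
    """Decide the outcome of a broker login.

    users: email -> local username (stand-in for the Keycloak user store)
    links: (idp alias, broker user id) -> local username (federation links)
    Returns (outcome, username) where outcome is one of:
      'link'       an existing link matched, so this is not a first login
      'create'     no duplicate found; only now is the local account created
      'auto_link'  duplicate by email and trustEmail on: link without verification
      'verify'     duplicate by email and trustEmail off: verification or
                   re-authentication against the existing account comes first
    """
    key = (idp.alias, ctx.broker_user_id)
    if key in links:
        return ("link", links[key])
    # Duplicate detection is by email only; normalise so 'Bob@Gmail.com' still matches.
    email = ctx.email.strip().lower()
    existing = users.get(email)
    if existing is None:
        username = email.split("@")[0]
        users[email] = username          # account created once no duplicate is known
        links[key] = username
        return ("create", username)
    if idp.trust_email:
        links[key] = existing            # email trusted: link the accounts directly
        return ("auto_link", existing)
    return ("verify", existing)          # never link on an unverified email claim alone

def confirm_link(ctx, idp, username, links, verified):
    """Completes the 'verify' outcome: the link is created only after the user
    proved ownership of the existing account (email click or re-authentication)."""
    if not verified:
        return False
    links[(idp.alias, ctx.broker_user_id)] = username
    return True
```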
redesign of federation
by Bill Burke
In doing the group model, I was thinking more about federation. Our SPI
kinda sucks. I was thinking that local storage (Model API) and
UserFederation should be the exact same SPI. Instead of just
RealmProvider and UserProvider, we might break it up into:
* RealmProvider - holds realms and clients
* UserProvider - holds username and attributes about the user
* UserRelationshipProvider - holds user role mappings, user group membership
* UserCredentialProvider - stores and authenticates credentials
* GroupProvider - holds group definitions
* RoleProvider - holds role definitions
One of the big problems we have is that roles and groups have to be
defined within Keycloak DB even though they might live in one or more
external stores.
The admin console would have to change too. You'd have to pick which
database you wanted to manage, i.e. if you wanted to add a role you
might want to add it to an LDAP store and not local storage.
This is something we'd really have to map out and design. I would love
to be able to do it before product, but I don't think we'll have enough
time to bake it in community. Maybe it's something we'll have to wait for
until Keycloak 2.0.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 10 months
Help with keycloak evaluation
by Jorge M.
Hi,
I'm evaluating Keycloak to use in a multi-module system in production
and I need some help with the following topics:
- Is it possible to define groups of roles? For example, in
a scenario using groups as profiles and roles as resources.
- Single login validation (only allow a single login session per user to
avoid account sharing)
- Is there any sample federation provider for RDBMS?
- Are you planning to develop an adapter to PHP web applications? Any
community adapter available?
Great Job!
Thank you!
8 years, 10 months
Adding a minimum TTL for token refreshes
by Benjamin Loy
Hello all,
We are using Keycloak in production and wanted to make a change to it to
handle tokens that are about to expire. We have a number of services that
rely on the bearer token sent from our web servers for authentication.
Users will land on the web server, we verify their token is alive, and
send the bearer token to a service. Our issue is that sometimes the user has an
extremely small amount of time left; the bearer token expires by the time
we do the security checks on the services, and the request fails.
We are considering adding a minimum TTL
in RefreshableKeycloakSecurityContext that will refresh an active token if
it has less than a configurable amount of time left before it expires.
This will let us build a time window that will prevent the token from
expiring when interacting with services under normal circumstances.
Would you be interested in our work on this, or have any interest in doing this
yourselves? I can create a Jira and a pull request if you want us to
implement this feature.
Thanks,
Ben
--
Benjamin Loy
Senior Software Engineer
bloy(a)smartling.com | o: (866) 707 6278
smartling.com <http://www.smartling.com/> | linkedIn | @smartling
<https://twitter.com/smartling>
8 years, 10 months
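Ben's minimum-TTL idea, as an added example (not the adapter's RefreshableKeycloakSecurityContext): the context reads exp from the bearer token and refreshes when fewer than a configurable number of seconds remain, and a refresh that fails leaves the token's real state visible instead of hiding it. MIN_TTL_SECONDS, make_unsigned_jwt and the refresh callback are constructed stand-ins; the token endpoint call is represented by the callback.

```python
import base64
import json

MIN_TTL_SECONDS = 30  # hypothetical adapter setting: refresh when fewer seconds remain

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(exp):
    """Constructed test token: header.payload with an empty signature part."""
    parts = [json.dumps({"alg": "none"}), json.dumps({"exp": exp})]
    return ".".join(_b64url(p.encode()) for p in parts) + "."

def exp_from_jwt(token):
    """Read the 'exp' claim (seconds since epoch) from a JWT payload. No signature
    check here: this only schedules refreshes; the adapter must verify the token
    before it is trusted for anything."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

class RefreshableSecurityContext:
    """Stand-in for the adapter context: holds the bearer token and refreshes it
    when less than min_ttl seconds of validity remain."""
    def __init__(self, token, refresh_fn, min_ttl=MIN_TTL_SECONDS):
        self.token = token
        self.refresh_fn = refresh_fn  # token-endpoint call; returns a new token or None
        self.min_ttl = min_ttl
        self.refreshes = 0

    def seconds_left(self, now):
        return exp_from_jwt(self.token) - now

    def is_active(self, now):
        return self.seconds_left(now) > 0

    def refresh_if_needed(self, now):
        """Return True if the token was refreshed. Refreshes when fewer than min_ttl
        seconds remain (an already-expired token included, as the refresh token may
        still be valid); on a failed refresh the old token stays, so is_active()
        reports the real state and the caller can treat it as a failed check."""
        if self.seconds_left(now) >= self.min_ttl:
            return False
        new_token = self.refresh_fn()
        if new_token is None:
            return False
        self.token = new_token
        self.refreshes += 1
        return True
```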
Keycloak - unit tests
by Andrzej Goławski
Hi everyone!
I decided to implement KEYCLOAK-1797 and started to look at the code
(federation/ldap). I noticed a lack of unit tests, without which refactoring
may be very error-prone. I like writing tests, so I can write tests for that
part. What do you think about it?
Best Regards,
Andrzej
8 years, 10 months
username guessing
by Michael Gerber
Hi all,
It is possible to guess the username of disabled users.
This was not possible in earlier versions of Keycloak. Is this on purpose?
Best
Michael
8 years, 10 months