Re: [keycloak-dev] Kerberos, login with different user
by Michael Gerber
I don't like this approach if the "Account Chooser" page is only configurable per realm.
Because I think it is a bit annoying if you always have to go through the "Account Chooser" page.
99% of all users want to log in with their Kerberos credentials; there are only a few people who want to switch their account.
But I think your approach is good if you can enable the "Account Chooser" page per client and not only per realm.
Am 02. Oktober 2015 um 16:31 schrieb Bill Burke <bburke(a)redhat.com>:
On 10/2/2015 5:26 AM, Stian Thorgersen wrote:
On 1 October 2015 at 20:49, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
Sorry for late reply.
On 10/1/2015 3:13 AM, Stian Thorgersen wrote:
> * If a user that was logged in using Kerberos logs out the user should
> not just be automatically logged-in again for the current browser
> session. Instead the user should be displayed with a regular
> username/password field, but also with an option to login with Kerberos
Don't like this idea.
#1 Users that want to bypass kerberos have to know to logout first so
they can login as a non-kerberos user.
#2 username/password screen would have to have knowledge that kerberos
is turned on and that the user was logged in via kerberos. I don't
think this is possible with the current SPI.
Could we not have a selector or something in the authentication flow
that can select which authenticator to use? The selector could even be
allowed to prompt the user for input, so we could implement a "Is this
you" selector.
> * A variant on the above where if a user has logged-out from Kerberos
> the user would be displayed with a "Is this you?" when login, if the
> user selects yes the Kerberos authenticator would continue, if not the
> regular username/password form would be displayed
This one might be easy to do with current SPI although not sure if
kerberos plugin sets some session variables that need to be cleared.
I was assuming that this option would also require user to logout first.
"Is this you" would only be displayed after a logout.
I don't like this "logout required" thing and the logout cookie. What
is the big deal about having a screen "You are already logged in via
Kerberos. Do you want to continue? Or log in as a different user?"
This would be something that is optionally turned on and shown after the
Kerberos/SPNEGO handshake.
> * Implement account switcher - where a user can login to multiple
> accounts at a time and select which account to use
>
Not sure how this is different than "Is this you?".
"Is this you" would simply prompt the user if the user is the user that
previously logged in from that browser.
Account switcher would allow a user to be signed-in to Keycloak with
multiple accounts and provide some mechanism for applications to select
which account. Like GMail and others allow you to be logged-in to
multiple accounts at a time.
Again, this is very similar to the "Is this you?". The steps would be:
1. SPNEGO handshake successful
2. Show account switcher page with kerberos user as only choice.
The only need for a logout persistent cookie is to remember successful
logins.
I would like this approach the best.
> Other ideas? Points for ideas that requires no hacks in applications ;)
>
idp_hint is a much different animal, isn't it? idp_hint is provided by
the application. skip_auth_mechanism would be something the user has to
know about to type in the URL right?
We should never have added idp_hint in the first place IMO. It leaks
authentication semantics into applications and also only works if user
is not logged in already.
idp_hint is a good thing. If an app integrates with Facebook, they'll
need to force the user to login via Facebook so they can obtain a
Facebook token.
skip_auth_mech could be implemented in applications as well
but my same
point stands here. It requires applications to be aware of
authentication semantics. It seems that what's being proposed here is
that admins manually add it to the login URL though, but that's just a
horrible idea, period.
skip_auth_mech is the opposite of auth_mechs_required. Something that I
believe SAML has.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9 years, 3 months
Re: [keycloak-dev] Kerberos, login with different user
by Michael Gerber
Ok, I see.
Is there a way to pass a URL query parameter through the WildFly adapter into an authenticator?
Am 05. Oktober 2015 um 09:39 schrieb Stian Thorgersen <sthorger(a)redhat.com>:
I don't think the account chooser is a good option. As you say users that login with Kerberos (and have enabled Kerberos for the Keycloak domain) will in 99% cases want to login with Kerberos.
End of the day I don't really like any of these options, and so far Michael is the only person asking for something like this. With that in mind I think it's better that Michael would develop something custom on top of the authenticator spi, rather than us adding this to Keycloak.
9 years, 3 months
List users that have some client roles & be able to search on users custom attributes
by Remi Cartier
Hey there,
Question 1:
I was wondering if there was an existing mechanism to fetch users that have some specific client roles.
My scenario is this one. As a SSO provider, different applications (clients) are created in Keycloak.
A specific user can have roles for some of those clients.
If, in one of my applications, I want to list all the users that 'belong' to me (that have roles for my application), how do I do that?
I don't want to list all the users and then filter them by some criteria; that would be a very inefficient way to do it (CPU + bandwidth).
Question 2:
In the search REST admin endpoint, is there a mechanism to filter on specific custom attributes?
For example, I created a language attribute for a user. I now want to list all my users with the custom attribute language=FR; how do I do that?
Syntax could be :
/search?attribute1=language&value1=FR or
/search?attribute_language=FR
Thanks for your time and great work.
Sorry if these questions have already been asked (if so, please simply point me to a reference without repeating yourself).
Cheers !
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
9 years, 3 months
How to enable grant logging
by Michal Hajas
Hi,
I would like to ask which event type, in the Login Events Settings form -> Saved Types input, stands for grant access?
Michal.
9 years, 3 months
Account Chooser Flow
by Bill Burke
I would like to take the Account Chooser approach to the Kerberos bypass
situation. The Flow would be:
1. Cookie - ALTERNATIVE
2. Chooser Flow - ALTERNATIVE
   a. Kerberos - OPTIONAL
   b. Account Chooser - ALTERNATIVE
   c. Forms - ALTERNATIVE
      i. Username/Password - REQUIRED
      ii. OTP - OPTIONAL
* An "accounts used" cookie needs to be optionally set depending on
"remember me" switch. This should be a persistent cookie.
* Account Chooser page is always shown unless the "account used" cookie
is empty and no ClientSessionModel.getAuthenticatedUser is set.
* If selected user == current ClientSessionModel.getAuthenticatedUser
then return SUCCESSFUL
* If selected user != NULL set ClientSessionModel.getAuthenticatedUser,
return ATTEMPTED
* If selected user == NULL clear
ClientSessionModel.getAuthenticatedUser, return ATTEMPTED
* Username/Password Form Authenticator does not display username,
registration, and broker links if getAuthenticatedUser is already set
* An improvement can be made to also perform OTP input on
Username/Password page if a UserModel is already chosen.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 3 months
Findings about keycloak--Important
by Satyajit Das
Hi Team,
1) I have Keycloak (1.4.0 Final) set up on Windows.
2) I have 2 services that I have secured using Keycloak. The services are
registered in Keycloak and the respective keycloak.json is placed in the
resources folder.
3) When the services are deployed on Ubuntu, the authentication works
as expected by sharing the token id,
but when the services are deployed on a CentOS machine, the authentication
fails.
The error is "Invalid token: Token is inactive".
I tried the same setup and the same WAR files of the services on different
CentOS instances; we face the same issue there, but the issue is not
reproduced on different Ubuntu instances.
Please let me know your thoughts.
Regards,
Satya.
9 years, 3 months
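One check a practitioner would run before going further, as an added example that is not part of the thread and not Keycloak code: the adapter reports "Token is inactive" when the token's time window (the nbf/exp claims) does not cover the adapter host's clock, so a token that the same WAR accepts on one host and rejects on another is worth comparing against both hosts' clocks. The script decodes the token payload without verifying the signature (for diagnosis only, never for authorization), classifies it the way the usual JWT "active" check does with an optional skew tolerance, and reports how far the local clock is from the issuer's `iat`. The token below is constructed so the script runs offline; feed a real access token from the CentOS host together with that host's `date +%s` to get the real numbers.

```python
"""Inspect the time claims of a Keycloak access token against a host clock.

Added example for this thread, not Keycloak code. The sample token below is
constructed (unsigned, alg=none) so the script runs offline; a real token is a
signed JWS, but the time claims sit in the same base64url payload segment.
"""
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT from `claims` (constructed test input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_status(claims: dict, now: int, allowed_skew: int = 0) -> str:
    """Classify a token at epoch second `now`, with `allowed_skew` tolerance.

    Usual JWT "active" rule: reject when `now` is before `nbf` or after `exp`;
    a missing or zero `exp` means no expiry is enforced.
    """
    nbf = int(claims.get("nbf", 0) or 0)
    exp = int(claims.get("exp", 0) or 0)
    if now + allowed_skew < nbf:
        return "not-yet-valid"
    if exp and now - allowed_skew > exp:
        return "expired"
    return "active"


def clock_offset(claims: dict, now: int) -> int:
    """Seconds the local clock is ahead of the issuer's clock when measured
    right after issuance; a large positive value means the host runs ahead."""
    return now - int(claims["iat"])


if __name__ == "__main__":
    issued = int(time.time())
    # Constructed claims: 60-second lifetime, nbf of 0 as Keycloak tokens carry.
    token = make_unsigned_token({"iat": issued, "nbf": 0, "exp": issued + 60})
    claims = decode_payload(token)
    # Two hypothetical hosts validating the same token: one with a clock close
    # to the issuer's, one running ten minutes ahead.
    for host, clock in (("host-a", issued + 5), ("host-b", issued + 600)):
        print(host, token_status(claims, clock), "offset", clock_offset(claims, clock))
```

If the offset on the failing host is larger than the token lifetime, the fix is NTP on that host, not the adapter; if both clocks agree, look at the adapter's own clock source and the realm's token lifespan next.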
Admin REST - User Roles
by Remi Cartier
Hi guys,
first of all, thank you for that great piece of software, it’s amazing !
Now, down to business.
When I do:
keycloak = Keycloak.getInstance(getKeycloakServerURL(), getKeycloakRealm(),
        getKeycloakRealmAdminUsername(), getKeycloakRealmAdminPassword(), getKeycloakClientId());
for (UserRepresentation userRepresentation :
        keycloak.realm(getKeycloakRealm()).users().search(null, 0, Integer.MAX_VALUE)) {
    log.info(ToStringBuilder.reflectionToString(userRepresentation, ToStringStyle.JSON_STYLE));
}
the information I get does not contain any roles; all the role-related fields are 'null':
{"self":null,"id":"0556717e-ffb9-4c2d-b85b-533d9396f243","createdTimestamp":1443542144845,"username":"admin","enabled":true,"totp":false,"emailVerified":true,"firstName":"first name","lastName":"last name","email":null,"federationLink":null,"serviceAccountClientId":null,"attributes":{key1=[value1]},"credentials":null,"requiredActions":[],"federatedIdentities":null,"realmRoles":null,"clientRoles":null,"clientConsents":null,"applicationRoles":null,"socialLinks":null}
However, in the admin interface I have set up roles at each layer: realm, client.
The user I am using to do the queries has all the *realm* roles associated.
is there anything else I need to do ?
thank you for your help !
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
9 years, 4 months
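The search response in the post above is the user profile only; realm and client role mappings are served by the separate `/admin/realms/{realm}/users/{id}/role-mappings` endpoints of the admin REST API, which is why every role field comes back null regardless of what the calling admin can see in the console. The script below is an added example, not Keycloak's code and not the original poster's: it fetches that mapping for a searched user and merges it into the representation, then uses the merged result to answer the earlier question in this digest about listing the users that hold a role for a given client (with only these endpoints that is still a client-side filter over the user list, one role-mappings call per user). `get_json` is assumed to be any callable that performs an authenticated GET against the admin base URL and returns parsed JSON; the demo uses an in-memory stand-in with constructed responses so it runs offline.

```python
"""Merge Keycloak admin role mappings into user search results.

Added example for this thread, not Keycloak code. `get_json(path)` is an
assumed transport: any callable doing an authenticated GET on the admin base
URL and returning the parsed body, for instance with requests:
    lambda p: requests.get(base_url + p, headers={"Authorization": "Bearer " + tok}).json()
The responses below are constructed stand-ins in the shape of the endpoint's
MappingsRepresentation (realmMappings list + clientMappings map keyed by clientId).
"""
from typing import Callable, Dict, List

# Constructed responses for the offline demo; the user id is the one from the
# original post's output, the client and roles are made up.
CONSTRUCTED_RESPONSES: Dict[str, dict] = {
    "/admin/realms/demo/users/0556717e-ffb9-4c2d-b85b-533d9396f243/role-mappings": {
        "realmMappings": [
            {"id": "r1", "name": "admin", "composite": True},
            {"id": "r2", "name": "offline_access", "composite": False},
        ],
        "clientMappings": {
            "my-app": {
                "id": "c1",
                "client": "my-app",
                "mappings": [
                    {"id": "cr1", "name": "viewer", "composite": False},
                    {"id": "cr2", "name": "editor", "composite": False},
                ],
            }
        },
    }
}


def fake_get_json(path: str) -> dict:
    """Offline stand-in for the authenticated GET transport."""
    return CONSTRUCTED_RESPONSES[path]


def attach_role_mappings(user: dict, realm: str,
                         get_json: Callable[[str], dict]) -> dict:
    """Return a copy of `user` with realmRoles/clientRoles filled from the
    role-mappings endpoint. Only *direct* mappings are returned here; roles
    inherited through composite roles come from the .../role-mappings/realm/composite
    and .../role-mappings/clients/{clientUuid}/composite endpoints instead."""
    path = f"/admin/realms/{realm}/users/{user['id']}/role-mappings"
    mappings = get_json(path)
    enriched = dict(user)
    enriched["realmRoles"] = sorted(r["name"] for r in mappings.get("realmMappings", []))
    enriched["clientRoles"] = {
        client_id: sorted(r["name"] for r in cm.get("mappings", []))
        for client_id, cm in mappings.get("clientMappings", {}).items()
    }
    return enriched


def users_with_client_role(users: List[dict], client_id: str, role: str) -> List[str]:
    """Usernames holding `role` on `client_id`, filtered client-side from
    representations already enriched by attach_role_mappings."""
    return sorted(u["username"] for u in users
                  if role in (u.get("clientRoles") or {}).get(client_id, []))


if __name__ == "__main__":
    # Shape of what users().search(...) returns: profile only, role fields null.
    searched = [{"id": "0556717e-ffb9-4c2d-b85b-533d9396f243", "username": "admin",
                 "realmRoles": None, "clientRoles": None}]
    enriched = [attach_role_mappings(u, "demo", fake_get_json) for u in searched]
    print(enriched[0]["realmRoles"], enriched[0]["clientRoles"])
    print(users_with_client_role(enriched, "my-app", "editor"))
```

The raw REST paths are shown because they are what any client sends on the wire; current versions of the Java admin client used in the post wrap the same endpoints behind the `roles()` accessor of a user resource, so the merge can be done there in the same way. Note that the caller needs admin permission to read role mappings, and that a per-user round trip is the price of not having a server-side "users in role" query on this version.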
added a keycloak-common module
by Bill Burke
The SAML adapter had some dependencies on classes within keycloak-core.
Unfortunately though, keycloak-core brings in Jackson JSON parser.
So, I split out keycloak-core into keycloak-common and keycloak-core.
PR is pending, but it should be in when the Europeans wake up.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 4 months