Scope Param with Keycloak
by Tomas Cerny
Hi all,
I am trying to use the scope param with keycloak, which is part of OpenID Connect:
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is a sample URL (from https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest), which is:
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
Note the state param there.
With keycloak this is my auth URL:
http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl...
When I pass scope param, then it is ignored.
Does keycloak support scope param? Can I intercept it to make a custom
handler? (e.g. lookup DB data)
Sample Use Case: Keycloak has my custom UserFederation provider where I
issue a user lookup to my SQL DB and determine access; next, based on the
scope, I'd like to post back to the app the roles relevant to the scope param.
I know keycloak has static roles, but I need it contextual, such as - user
is master in scope = A, but reader in scope = B. Since the range of scopes
is dynamic and large, the use of client-ids is not sufficient.
I assume the scope can help me solve situations such as: am I the owner of an
object?
I did days of debugging keycloak code and cannot find much, even though
there is OAuth2Constants.Scope, but maybe that is something different?
And I see some dead sample here: FishEye changeset
d309fab8251d95f50f94c77e4d08e6e8c2977994
<https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...>
The alternative, OpenAM, supports the scope param: OpenAM Project - About
OpenAM <http://openam.forgerock.org/>
Thanks, Tom
Here is the public users forum thread:
https://developer.jboss.org/message/934762#934762
8 years, 3 months
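The request the post quotes and the callback that follows it, written out as a relying party would build and check them. This is an added example, not code from the thread or from Keycloak: the auth endpoint is the realm URL given in the post, the client_id, redirect_uri, scopes and state are the values from the spec sample, and the callback URL is constructed for the demo.

```python
"""Added example (not from the thread or Keycloak): build an OIDC
authorization request with scope and state, then validate the callback."""
import secrets
from urllib.parse import urlencode, quote, urlsplit, parse_qs

# Keycloak realm auth endpoint as quoted in the post.
AUTH_ENDPOINT = "http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth"


def new_state() -> str:
    """Unguessable per-request state; the RP keeps it in the user's session."""
    return secrets.token_urlsafe(16)


def build_auth_request(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Assemble the authorization request shown in the spec sample.
    'openid' is mandatory for an OIDC request; further scopes are optional."""
    if "openid" not in scopes:
        raise ValueError("OIDC requests require the 'openid' scope")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated list, encoded as %20 below
        "state": state,
    }
    # quote_via=quote yields %20 for spaces (as in the spec sample) instead of '+'.
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Check the redirect back to the RP and return the authorization code.
    The state comparison ties the response to the request this RP issued,
    which is what stops a code minted for someone else from being accepted."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    state = new_state()
    url = build_auth_request("s6BhdRkqt3", "https://client.example.org/cb",
                             ["openid", "profile"], state)
    print(url)
    # Constructed callback the RP would receive after the user authenticates.
    code = parse_callback(
        f"https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print("code:", code)
```

The state value is generated per request and compared in constant time; a callback whose state does not match the stored one is rejected before the code is ever exchanged.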
class not found
by Michael Gerber
Hi all,
I had to add the javax.mail.api module to the keycloak-services today, otherwise the reset password mail could not be sent. (Because the class javax.mail.Multipart could not be found)
I am using WildFly 10 with the newest keycloak version.
Is this a known issue?
Michael
9 years, 2 months
Keycloak in Tomcat server
by mohammed althaf
Hi Team,
I was able to use keycloak for SSO seamlessly in a JBoss/WildFly server.
Since my web application is running in Tomcat, I am trying to deploy the
keycloak server as well in Tomcat.
I followed
https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/
and I was able to spin up keycloak in the Tomcat server. But it was using
the 1.0.2 version.
So I am trying to deploy the keycloak server 1.6.1. I faced the below issues.
1. Failed to provide mem for realmcache (please check the "failed to find provider"
log)
So I removed the cache from keycloak-server.json.
Not sure if it is fine??
2. Then I was able to proceed but it again failed with an h2.db
exception (please check lockout.log)
It will be great if you guys can help me resolve this issue.
Thanks,
Althaf
9 years, 2 months
Re: [keycloak-dev] [keycloak-user] How to implement long user sso sessions with reauthentication for important actions?
by Vlastimil Elias
Hi,
moving this discussion to the devel forum as it is about the feature
development now.
Toplevel issue I created for this feature is
https://issues.jboss.org/browse/KEYCLOAK-2076
I added some notes and thoughts from my investigation as a comment to
the KEYCLOAK-2076, there are some open questions how to implement it.
Originally I thought I should be able to implement reauth support and
provide a PR.
But I must say I'm not sure now if I'm able to implement it, looks like
it is a bit more complicated than I originally expected, so probably
some Keycloak core developer should do it.
But if you think you will not have resources to do it in 1.8 then I can
try it (with your support), as I believe it is a very important feature,
and we really want to use it.
Cheers
Vlastimil
On 12.11.2015 14:50, Stian Thorgersen wrote:
>
>
> On 12 November 2015 at 14:49, Vlastimil Elias <velias(a)redhat.com
> <mailto:velias@redhat.com>> wrote:
>
> Thanks for quick reply Stian.
>
> I'm going to create JIRAs for all these things. I can volunteer to
> implement some parts of this.
>
> For the last one, it should be probably cool to have
> "reauthenticate timeout" setting available in client section for
> every client (not only internal admin console and account
> management). It should allow simple implementation of "long user
> sso session" scheme even in environments where some clients can't
> be updated to set max_age on protocol level.
>
>
> Yep, that makes sense
>
>
>
> Vl.
>
>
> On 12.11.2015 14:39, Stian Thorgersen wrote:
>>
>>
>> On 12 November 2015 at 14:15, Vlastimil Elias <velias(a)redhat.com
>> <mailto:velias@redhat.com>> wrote:
>>
>> Hi,
>>
>> I'd like to use the long session authentication mechanism known from many
>> sites like Google, Facebook, LinkedIn etc.
>> It is about really long user SSO sessions (e.g. weeks or even months)
>> with reauthentication for important actions when the last authentication
>> timestamp is older than some limit.
>>
>> Is this somehow possible with current Keycloak server and
>> Keycloak adapters?
>>
>> I see few subquestions in this problem for our use:
>>
>> *****
>> The OpenID Connect protocol defines a few auth request parameters to support
>> this use case, mainly max_age or prompt=login. Are they correctly
>> implemented in Keycloak server?
>>
>>
>> We don't have support for max_age and we only support prompt=none
>> so these would have to be added
>>
>>
>>
>>
>> *****
>> Wildfly/EAP adapter - is it possible, and is there some example how to
>> use a "reauth if auth is older than 30min" action in a Java app secured by
>> this adapter? Or is info about the last auth timestamp somehow available in
>> the app?
>>
>>
>> We don't set the auth_time claim ATM so the answer is no
>>
>>
>>
>>
>> *****
>> Keycloak user account application itself - it is part of the Keycloak
>> server, but it contains sensitive actions which typically require
>> reauthentication in this long session scheme (password change, email
>> change, ...). Is it somehow possible to configure Keycloak to force
>> timeout reauth for this app?
>>
>>
>> Not at the moment - but if we add what you want it would also
>> make sense to add that. Would need to be configurable through the
>> admin console. Would also be nice to have the same for the admin
>> console itself.
>>
>>
>>
>> Thanks in advance
>>
>> Vl.
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> <mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
9 years, 2 months
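The scheme discussed in this thread, long SSO sessions with re-authentication for sensitive actions, expressed from the relying-party side using the OIDC auth_time claim and the max_age / prompt=login request parameters the posters name. This is an added example, not code from the thread or from Keycloak; the per-action freshness policy, the "current time" and the ID token claims are constructed for the demo, and the ID token is assumed to have been signature-verified and decoded by a hypothetical caller before its claims reach these functions.

```python
"""Added example (not from the thread or Keycloak): deciding when a user must
re-authenticate, based on the auth_time claim, and building the max_age
request that asks the OP for a fresh login."""
import time
from urllib.parse import urlencode, quote

# Constructed policy: how recent the last authentication must be per action.
# Browsing tolerates a weeks-old login; account-changing actions do not.
MAX_AGE_FOR_ACTION = {
    "browse": 30 * 24 * 3600,   # 30 days
    "change_email": 5 * 60,     # 5 minutes
    "change_password": 5 * 60,
}


def needs_reauth(id_claims: dict, action: str, now=None) -> bool:
    """Decide from the ID token whether the user must log in again before
    'action'. Unknown actions and a missing auth_time both fail closed."""
    if action not in MAX_AGE_FOR_ACTION:
        return True
    now = int(time.time()) if now is None else now
    auth_time = id_claims.get("auth_time")
    if auth_time is None:  # the OP did not say when the user last authenticated
        return True
    return now - int(auth_time) > MAX_AGE_FOR_ACTION[action]


def reauth_params(action: str, force_login_prompt: bool = False) -> str:
    """Extra authorization-request parameters for the re-login redirect.
    max_age lets the OP reuse a session that is already fresh enough;
    prompt=login makes it show the login page regardless."""
    params = {"max_age": str(MAX_AGE_FOR_ACTION[action])}
    if force_login_prompt:
        params["prompt"] = "login"
    return urlencode(params, quote_via=quote)


def check_reauth_response(id_claims: dict, action: str, now: int) -> bool:
    """After redirecting with max_age, verify that the OP honoured it: the new
    ID token must carry auth_time and it must lie within max_age of now."""
    auth_time = id_claims.get("auth_time")
    if auth_time is None:
        raise ValueError("max_age was requested but the ID token has no auth_time")
    if now - int(auth_time) > MAX_AGE_FOR_ACTION[action]:
        raise ValueError("auth_time is older than the requested max_age")
    return True


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    claims = {"sub": "alice", "auth_time": now - 3 * 24 * 3600}  # logged in 3 days ago
    for action in ("browse", "change_email"):
        print(action, "-> reauth needed:", needs_reauth(claims, action, now))
    print("redirect params:", reauth_params("change_email"))
```

The decision is made on the RP side from auth_time, which is why the thread notes that the claim has to be issued first; the follow-up check refuses a response that lacks auth_time after max_age was requested, so an OP that ignores the parameter cannot silently satisfy the policy.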
Re: [keycloak-dev] class not found
by Michael Gerber
Ok thank you.
But it worked a few weeks ago. I think it is since the "KEYCLOAK-1758 add-user script" commit.
On 30 November 2015 at 09:03, Stian Thorgersen <sthorger(a)redhat.com> wrote:
We do not support deploying Keycloak server on WildFly 10 yet.
On 30 November 2015 at 08:41, Michael Gerber <gerbermichi(a)me.com> wrote:
Hi all,
I had to add the javax.mail.api module to the keycloak-services today, otherwise the reset password mail could not be sent. (Because the class javax.mail.Multipart could not be found)
I am using WildFly 10 with the newest keycloak version.
Is this a known issue?
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9 years, 2 months
User registration: OTP flow
by Bruno Oliveira
Ahoy, I was looking at this Jira
https://issues.jboss.org/browse/KEYCLOAK-1998 and trying to reproduce
the issue reported by Stian.
What I did was:
1. Get the latest changes from master
2. Run mvn clean install -DskipTests=true && mvn -f testsuite/integration/pom.xml exec:java -Pkeycloak-server
3. Go to "Realm Settings" and enable "User Registration"
4. Go to "Authentication" > "Required Actions"
5. On Configure Totp mark the checkbox "Default Action"
6. Now logout and try to register
7. After the registration I get the TOTP screen
Stian was following a different workflow
1. Get the latest changes from master
2. Run mvn clean install -DskipTests=true && mvn -f testsuite/integration/pom.xml exec:java -Pkeycloak-server
3. Go to "Realm Settings" and enable "User Registration"
4. Flows > Browser
5. OTP form marked as required
6. After the registration I won't get the TOTP screen
After I managed to reproduce the real issue, I got confused about what
would be the expected behavior in the situation where I have "OTP
form" as required and "Required actions > Configure Totp > Default
action" unchecked.
To me it seems like OTP form is unnecessary, but I can be 110% wrong.
Thoughts?
9 years, 2 months
Reset Actions
by Stian Thorgersen
The new reset actions don't require the user to authenticate prior to
performing them. Is it not a bit dangerous that the user can change the
email address without authentication?
For reset password we obviously need to be able to do it without requiring
authentication, but shouldn't "bypassing" authentication be limited as much
as possible?
9 years, 2 months
Implicit and hybrid flow
by Marek Posolda
I've sent PR https://github.com/keycloak/keycloak/pull/1885 with initial
support for implicit flow and hybrid flow.
Some summary:
- Added switches on client in admin console to enable/disable standard
flow, implicit flow, direct grant flow and service accounts. Removed
"direct grants only" switch (Disabling both standard and implicit de facto
means enabling the previous "direct grants only")
- Added more proper support for "response_type" parameter. This is about
_what_ is sent in response from AuthorizationEndpoint to client
application. According to specs, possible values are "code", "id_token",
"token" and some combination of them. See [1] . Until now, we supported
just value "code" (standard AuthorizationCode flow). According to specs,
implicit flow is about "token" and "id_token". Hybrid flow is about code
+ some of the tokens.
In addition to the specs, I've added also support for "refresh_token". So
if you use "response_type=token%20id_token%20refresh_token", the
AuthorizationEndpoint will send all 3 tokens. The OIDC spec doesn't
support sending refreshToken in implicit flow. However in Keycloak's case,
we are using access tokens with very short lifespan by default (1
minute). Having just accessToken and idToken would make the implicit
flow quite unusable, as application will need to re-login each 1 minute.
For example Google doesn't support sending refreshToken in implicit
flow, however it makes much more sense for them as their access token is
valid for 60 minutes. This is even longer than our refresh token (30
minutes by default). WDYT about support for refresh token?
- Added support for "response_mode" parameter. This specifies _how_ the
OIDC parameters (code, state, ... ) are sent from AuthorizationEndpoint to
the client. More details in specs [2]. Valid values are:
-- query - Params sent in query string (
http://localhost?code=foo&state=bar ). We always supported this
-- fragment - Params sent in fragment (
http://localhost#code=foo&state=bar ). This is needed for implicit and
hybrid flow support. The spec doesn't allow sending tokens in the query string.
-- form_post - Params are sent in body of POST method. There is separate
specs for this [3] . I've added just server-side support for this. It
may be interesting to add support on our server adapters, as IMO it's a
bit safer alternative when code+state are sent in POST body instead of
in GET method query string. But I guess this is not big priority?
- keycloak.js changes - I've added 2 new init config options. Option
"response_mode" with possible values "query" and "fragment" (see above
what they mean). Second is option "flow" with possible values:
a) "standard" - will use response_type=code . This is what we always
supported
b) "implicit" - will use response_type=id_token%20token%20refresh_token
(So sending all 3 tokens)
c) "hybrid" - will use
response_type=code%20id_token%20token%20refresh_token (Sending code and
all 3 tokens). Not sure if we really need to support "hybrid" option.
Specs provides hybrid flow for semi-confidential application, which can
decide if they need refreshToken (in that case app must send request to
exchange code) or if they don't need refresh token and access+id tokens
are sufficient. But in Keycloak, since we support sending refresh_token
directly in implicit flow (see above), this flow is not very useful for us.
Default values for options are response_type=code and
response_mode=fragment. So we still use "code" and standard flow by
default, however we now send code+state in the fragment. This is better and
safer than the query string. In the query string, the code+state were always sent
in request to the client application. This is not needed, keycloak.js
needs them available just on browser side. With fragment, code and state
are not sent to client application, so it's one less possibility how
they can be compromised.
- Added support for "nonce" check in keycloak.js. It's useful against some
kinds of attacks and the spec wants it for implicit flow.
Possible pending work:
- Fix integration-arquillian as PR is failing now
- Possibly add server-side support for "at_hash" to IDToken ? Not sure
if at_hash support has any real advantages for us, however specs
requires that and even Google supports it.
- Add docs and tests. Not sure about adding separate example? Until now,
I've tested with existing js-console example and added support here for
easily setting init parameters to keycloak.init, so people can use a different
flow or responseMode here.
WDYT?
Marek
[1]
http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combina...
[2]
http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Respons...
[3] http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
9 years, 2 months
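The client-side checks this post describes, written out for a relying party receiving an implicit or hybrid response: picking the parameters out of the query string or the fragment according to response_mode, refusing a response that delivers tokens in the query string (which the multiple-response-types spec forbids), checking the nonce, and computing at_hash the way OIDC Core 3.2.2.9 defines it (the left-most half of the hash named by the ID token's signing alg, base64url-encoded without padding). This is an added example, not code from the thread, from keycloak.js or from Keycloak; the redirect URLs, the access token and the ID token claims are constructed for the demo, and the claims are assumed to come from an ID token whose signature a hypothetical caller has already verified.

```python
"""Added example (not from the thread, keycloak.js or Keycloak): relying-party
handling of implicit/hybrid authorization responses."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Parameters that carry tokens and therefore must never arrive via the query string.
TOKEN_PARAMS = {"access_token", "id_token", "refresh_token"}


def parse_authz_response(redirect_url: str, response_mode: str) -> dict:
    """Extract the authorization response parameters from the part of the
    redirect URL selected by response_mode ('query' or 'fragment')."""
    parts = urlsplit(redirect_url)
    if response_mode == "query":
        raw = parts.query
    elif response_mode == "fragment":
        raw = parts.fragment
    else:
        raise ValueError("unsupported response_mode: " + response_mode)
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    # Tokens in the query string would be logged by servers and proxies;
    # reject the response rather than accept a downgraded delivery.
    if response_mode == "query" and TOKEN_PARAMS & params.keys():
        raise ValueError("tokens delivered in the query string; response rejected")
    return params


def at_hash(access_token: str, alg: str = "RS256") -> str:
    """OIDC Core 3.2.2.9: hash the ASCII access token with the hash function of
    the ID token's alg, keep the left-most half, base64url-encode without '='."""
    hash_name = {"256": "sha256", "384": "sha384", "512": "sha512"}[alg[-3:]]
    digest = hashlib.new(hash_name, access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_token_binding(id_claims: dict, expected_nonce: str,
                         access_token=None, alg: str = "RS256") -> bool:
    """Tie the ID token to this browser's request (nonce) and, when an access
    token was delivered alongside it, tie that token to the ID token (at_hash)."""
    if not hmac.compare_digest(str(id_claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: ID token was not issued for this request")
    if access_token is not None:
        got = str(id_claims.get("at_hash", ""))
        if not hmac.compare_digest(got, at_hash(access_token, alg)):
            raise ValueError("at_hash mismatch: access token does not belong to this ID token")
    return True


if __name__ == "__main__":
    nonce = "n-0S6_WzA2Mj"  # constructed; the RP generated it for the request
    token = "abc"           # constructed access token
    # Constructed fragment-mode hybrid response carrying code and tokens.
    url = f"http://localhost/cb#code=foo&state=bar&access_token={token}&id_token=..."
    params = parse_authz_response(url, "fragment")
    print("delivered:", sorted(params))
    # Decoded claims of the (signature-verified) ID token, constructed here.
    claims = {"sub": "alice", "nonce": nonce, "at_hash": at_hash(token)}
    print("binding ok:", verify_token_binding(claims, nonce, params["access_token"]))
```

The at_hash check is what gives the value Marek wonders about: when the OP delivers an access token next to the ID token, the RP can confirm the two were issued together rather than accept an access token substituted into the fragment, and the nonce check rejects an ID token replayed from a different request.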