Claims Mapping and Identity Federation
by Pedro Igor Silva
When brokering an identity provider, we also need to map claims in order to properly federate the users' identities in Keycloak.
When doing identity federation, we may have different claims from different providers. We may also need to update those claims when re-authenticating with a specific provider.
Another possible situation is that we may have the same claim (e.g. the same name) across different providers. So we need some way to identify this conflict and fix it. Or just update the claim specific to a provider.
How is that being considered by the claim mapping that is being developed?
Regards.
Pedro Igor
10 years, 2 months
distribution of adapters
by Bill Burke
I think there is a difference here between community and product.
In community:
* Adapters should each have a separate download. This has a side effect of showing us which adapters are popular (not to mention increasing our download numbers ;)
* All adapters are released simultaneously with a server release
* Adapters can have individual patch releases.
* If we want to release a patched adapter, use a micro version scheme. First 3 numbers correspond to the keycloak version the adapter was built against. Last number is the patch number of the adapter:
We release Keycloak 1.1.0:
- keycloak-jetty-1.1.0.0
We release a patch of jetty adapter for keycloak 1.1.0
- keycloak-jetty-1.1.0.1
I'm not sure how all that affects product and git branches. Ideally you'd have matching branches for major keycloak server release for the adapter.
i.e.
Keycloak_server_branch_1.1.x
Keycloak_adapters_branch_1.1.x
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months
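An added example (not code from the thread or from the Keycloak project) that parses the four-part adapter artifact scheme proposed above and picks the newest adapter patch built against a given server version; the artifact names below are constructed for illustration.

```python
import re
from typing import Iterable, NamedTuple, Optional, Tuple

# Scheme proposed above: keycloak-<adapter>-<major>.<minor>.<micro>.<patch>
# The first three numbers are the server version the adapter was built against,
# the last one is the adapter's own patch number.
_ARTIFACT_RE = re.compile(
    r"^keycloak-(?P<name>[a-z0-9-]+?)-(?P<ver>\d+\.\d+\.\d+)\.(?P<patch>\d+)$"
)


class AdapterVersion(NamedTuple):
    name: str                       # e.g. "jetty"
    server: Tuple[int, int, int]    # server version built against
    patch: int                      # adapter patch number


def _parse_server_version(text: str) -> Tuple[int, int, int]:
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"server version must be major.minor.micro: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def parse_adapter(artifact: str) -> AdapterVersion:
    """Split an artifact name into adapter name, server version and patch."""
    m = _ARTIFACT_RE.match(artifact)
    if not m:
        raise ValueError(f"not a four-part adapter artifact: {artifact!r}")
    return AdapterVersion(m["name"], _parse_server_version(m["ver"]), int(m["patch"]))


def matches_server(adapter: AdapterVersion, server_version: str) -> bool:
    """True when the adapter was built against exactly this server release."""
    return adapter.server == _parse_server_version(server_version)


def newest_for_server(artifacts: Iterable[str], name: str, server_version: str) -> Optional[str]:
    """Return the highest-patch artifact of `name` for `server_version`, or None."""
    best: Optional[Tuple[int, str]] = None
    for artifact in artifacts:
        parsed = parse_adapter(artifact)
        if parsed.name != name or not matches_server(parsed, server_version):
            continue
        if best is None or parsed.patch > best[0]:
            best = (parsed.patch, artifact)
    return best[1] if best else None


# Constructed sample of what a download listing might contain.
SAMPLE_ARTIFACTS = [
    "keycloak-jetty-1.1.0.0", "keycloak-jetty-1.1.0.1",
    "keycloak-jetty-1.2.0.0", "keycloak-tomcat-1.1.0.3",
]
```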
1.2.0.Beta1 release
by Stian Thorgersen
For 1.2.0.Beta1 we should at least include:
* Custom claims
* Identity brokering
* Kerberos federation
What's the ETA on those?
10 years, 2 months
Multiple XSS vulnerabilities in Keycloak
by Bastian Ike
Hi together,
Yesterday I found two XSS vulnerabilities in Keycloak (after a quick view, there might be more).
I was wondering who I should contact about details so we can work together to resolve these issues.
Thanks,
Bastian
Bastian Ike
Magento Developer
AOE GmbH
Kirchgasse 6
65185 Wiesbaden
Germany
Tel. +49 6122 70 70 7 -0
Fax. +49 6122 70 70 7 -399
e-Mail: bastian.ike(a)aoe.com
Web: http://www.aoe.com
10 years, 2 months
Migrating to keycloak
by Hector Bustillos
Hi,
We're running a web app and want to move authentication to keycloak but keep the same db that we have right now. Of course there are a couple of questions that I want to clarify since I'm new to keycloak:
- I know we can use a custom db source, but can this db source be our existing MySQL db?
- How can we migrate all users to keycloak?
Thanks
--
-----------------------------------------------
Hector Bustillos, Software Engineer
Crowd Interactive
@hecbuma
-----------------------------------------------
10 years, 2 months
Keycloak in a VPS
by Hector Bustillos
Hi, I'm new to the stack and I'm trying to install keycloak in a Digital Ocean instance for testing. So far I'm able to make it run and everything is ok, BUT I can't access it from outside the box. If I curl http://localhost:8080 it works, but if I try to access it from my browser with http://the-ip:8080 it doesn't work, and neither does the route auth/admin/index.html; I get nothing.
So I went to the configuration/standalone.xml file and I added this:
<interface name="management">
<inet-address value="${jboss.bind.address.management:the-ip}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:the-ip}"/>
</interface>
Now I get a 404 - Not Found
Can you help me to configure this in a correct way?
--
-----------------------------------------------
Hector Bustillos, Software Engineer
Crowd Interactive
@hecbuma
-----------------------------------------------
10 years, 2 months
How to refresh and update token
by Jae Choi
Is there a way to refresh the token with the JavaScript Angular adapter so that the Custom User Federator is updated again?
I'm actually storing a token retrieved from another service provider as a user attribute. It is stored the first time the user logs in (and saves the user data into the Keycloak database), but there isn't an easy way to update the attribute with the adapter?
Thanks,
--
Kind Regards,
Jae Choi
10 years, 2 months
Re: [keycloak-dev] Looking for a workaround...
by Michael Gerber
Hi All,
I've seen that both bugs have the Fix Version 1.1.1.Final, that's great.
Do you already know the release date for this version?
Best
Michael
Am 02. Februar 2015 um 09:32 schrieb Michael Gerber <gerbermichi(a)me.com>:
Am 02. Februar 2015 um 09:07 schrieb Stian Thorgersen <stian(a)redhat.com>:
----- Original Message -----
From: "Michael Gerber" <gerbermichi(a)me.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Sunday, 1 February, 2015 4:09:35 PM
Subject: Re: [keycloak-dev] Looking for a workaround...
I would look at the following scenario:
A user starts with the login process and then takes a long break (15 mins or more) without locking his computer.
Is this not a relatively uncommon use-case? Would an error message with a link back to the application be a good enough solution?
Unfortunately, it isn't. We have got customers which use one computer for multiple users. And these users are used to logging out from the application without closing the browser.
The new user then uses the same browser to login. And this action would lead to an error, which the user cannot understand.
There are critical processes like password changes, which should definitely expire after a few minutes, and others like authentication where it does not matter if they don't expire during this break.
As above we need to improve the error page in this case. With a way back to the application as well.
critical actions:
- OAUTH_GRANT
- CODE_TO_TOKEN (already separate)
- VERIFY_EMAIL
- RECOVER_PASSWORD
- UPDATE_PROFILE
- CONFIGURE_TOTP
- UPDATE_PASSWORD
non-critical actions:
- AUTHENTICATE
- SOCIAL_CALLBACK
> Am 30.01.2015 um 14:25 schrieb Stian Thorgersen <stian(a)redhat.com>:
>
> What groups would you propose?
>
> ----- Original Message -----
>> From: "Michael Gerber" <gerbermichi(a)me.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
>> Sent: Monday, 26 January, 2015 4:23:49 PM
>> Subject: Re: [keycloak-dev] Looking for a workaround...
>>
>>> ----- Original Message -----
>>>> From: "Michael Gerber" <gerbermichi(a)me.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Sent: Monday, January 26, 2015 2:10:59 PM
>>>> Subject: Re: [keycloak-dev] Looking for a workaround...
>>>> ----- Original Message -----
>>>> From: "Michael Gerber" <gerbermichi(a)me.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>>
>>>> Sent: Monday, January 26, 2015 1:37:53 PM
>>>> Subject: [keycloak-dev] Looking for a workaround...
>>>> Hi all,
>>>> I receive a lot of bug reports from our test team because of the
>>>> following
>>>> two issues:
>>>> - Reset password leads to 400 Bad Request (
>>>> https://issues.jboss.org/browse/KEYCLOAK-1014 )
>>>> This is a tricky one - we can't ignore the state variable as that would
>>>> make
>>>> it vulnerable.
>>>> We could probably come up with an alternative way to generate and verify
>>>> state variable though. Could be a HMAC for example.
>>>> So you would remove the state cookie?
>>>
>>> It could potentially be a solution - I started a separate thread on
>>> keycloak-dev to discuss this.
>>>
>>>> - Login attempt after "Login user action lifespan" leads to "Invalid
>>>> username
>>>> or password." ( https://issues.jboss.org/browse/KEYCLOAK-1015 )
>>>> I agree that the error message is not very good, but I disagree with
>>>> removing
>>>> the expiration. Why not increase it to say 30 min? That's probably a
>>>> more
>>>> sensible timeout for reset password as well.
>>>> I prefer an expiration of 5 min for the password update process, but
>>>> that's a bit short for the authentication or password reset process.
>>>> I think the best solution would be different expiration times for the
>>>> different processes, wouldn't it?
>>>
>>> Maybe - we do try to keep configuration options to a minimum as these
>>> introduce complexity as well as potentials for bug/security issues.
>>
>> I totally understand that.
>> You have currently the following actions:
>> OAUTH_GRANT,
>> CODE_TO_TOKEN,
>> VERIFY_EMAIL,
>> UPDATE_PROFILE,
>> CONFIGURE_TOTP,
>> UPDATE_PASSWORD,
>> RECOVER_PASSWORD,
>> AUTHENTICATE,
>> SOCIAL_CALLBACK
>>
>> And it doesn't make sense to have a different configuration for every one...
>> But maybe we can group it into different groups?
>>
>>>
>>>
>>>> Do you have any good ideas for a workaround?
>>>> Best
>>>> Michael
10 years, 2 months
From 1.2->2.0
by Bill Burke
I think we still have a few major features to implement for 1.2 and
maybe 1.3. After this I'd like to focus on Keycloak 2.0 things like:
* Improving and nailing down our SPIs
* Splitting up code into private and public models so we can restrict
what APIs/SPIs we want to commercially support
* Pulling in and refactoring PL Federation
* Consolidating and improving our admin console UI
Really start improving the core of Keycloak, knowing that Keycloak 2.0 is what we're going to be supporting commercially for years and years going forward.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months