SOAP security with Keycloak
by Ryvlin, Andrey
Hi,
I am evaluating Keycloak server for my project and securing REST APIs and Web applications was very easy.
Now I have a task to secure some SOAP endpoints.
Is it possible to do it with Keycloak? If so, what's the best practice?
Thanks‼
-----------------
Andrey Ryvlin
Principal Software Engineer
Phone: 952-979-8492
5705 W Old Shakopee Road, Suite 100
Bloomington, MN 55437 USA
ARyvlin@MorphoTrust.com
www.MorphoTrust.com
10 years, 2 months
denial-of-service (DoS)
by Michael Gerber
Hi all,
It's very easy to produce an out-of-memory error. Just make thousands of requests to the login page with a huge state parameter.
Keycloak allocates a new ClientSessionEntity for each request and stores it with the given state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).
Do you think it is necessary to create a new ClientSessionEntity before the user is authenticated?
Wouldn't it be possible to pass all necessary information via URL parameters? Create a LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to the URL as a parameter.
Best
Michael
10 years, 2 months
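As an added illustration of the allocation pattern Michael describes (not Keycloak's own code): a store that allocates one entry per login request with no bound, beside a bounded variant that rejects oversized state values up front and evicts the oldest pending session once a cap is reached. The limits, class names and the flood simulation are assumptions made for the example.

```python
from collections import OrderedDict
import secrets

MAX_STATE_LEN = 512   # assumed cap on the OAuth "state" parameter (bytes)
MAX_PENDING = 1000    # assumed cap on unauthenticated (pre-login) sessions

class StateTooLong(ValueError):
    """Raised for an oversized state parameter."""

class UnboundedStore:
    """Models the behaviour described in the post: one entry per request,
    keyed by a fresh session id, with no limit on count or entry size."""
    def __init__(self):
        self.sessions = {}

    def begin_login(self, state):
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"state": state}
        return session_id

class BoundedStore:
    """Hardened variant: rejects oversized state before allocating anything,
    and evicts the oldest pending session once the cap is reached."""
    def __init__(self, max_state_len=MAX_STATE_LEN, max_pending=MAX_PENDING):
        self.max_state_len = max_state_len
        self.max_pending = max_pending
        self.sessions = OrderedDict()   # insertion order doubles as age

    def begin_login(self, state):
        if len(state) > self.max_state_len:
            raise StateTooLong(f"state exceeds {self.max_state_len} bytes")
        while len(self.sessions) >= self.max_pending:
            self.sessions.popitem(last=False)   # drop the oldest entry
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"state": state}
        return session_id

def simulate_flood(store, requests, state_len):
    """Issue `requests` login attempts, each carrying a `state_len`-byte
    state (constructed input). Returns (sessions kept, requests rejected)."""
    rejected = 0
    for _ in range(requests):
        try:
            store.begin_login("x" * state_len)
        except StateTooLong:
            rejected += 1
    return len(store.sessions), rejected
```

The bounded store keeps memory proportional to `max_pending * max_state_len` no matter how many requests arrive, which is the property the unbounded map lacks.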
Keycloak realm specific Certificate Management System
by Giriraj Sharma
Hi,
To support a *first/initial cut of certificate management* for realm users,
we can have key and X509 certificate generation for each individual user
at the time of its creation. This will apply to the realm admin too.
While viewing an individual user for any specific realm in the administrative
console, we can have a Keys View in addition to Attributes, Credentials, Role
Mappings and Sessions. The Keys View (UI) will let the user retrieve, validate,
revoke, renew (revoke + generate) and delete (optional) his keys/certificates.
If it makes sense, I shall start working on it.
--
Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India
10 years, 2 months
advanced claim support
by Bill Burke
Wrote this a while ago. I'm starting on this now. Discuss now, or
forever hold your peace :)
Current UserModel.attributes will be used for internal bookkeeping only.
Going to add a new "UserProfileType", "UserProfileValue" (name TBD)
type that contains:
UserProfileType:
* id
* name
* .css type
* type (bool, int, date, etc.)
* boolean displayOnRegistrationPage
Question: do I need a .css id to plug in a value too? How would we
display the German label name for "phone"?
UserProfileValue:
* id
* UserClaimType
* String value
OIDC clients will have a "Claim Mapping" tab. SAML clients will have an
"Assertion Mapping" tab. These tabs will be able to map from
UserProfileValues to the appropriate claim/assertion and also be able to
set up whether or not a claim should be added to the token/assertion list.
ClientModel.claimMask will go away. ClientModel will gain a list of
ClaimMappingModel
* id
* UserProfileType
* String claimNameMapping
Might want to eventually add a "ClaimTransformerProvider" plugin
ability that can be attached to ClaimMappingModel... We might also want a
"TokenTransformerProvider" plugin too that can intercept token/SAML doc
creation. We'll see...
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months
How to use Nodejs application with Keycloak
by Jae Choi
Hi all,
I would like to use a Node.js application with Keycloak for dealing with
AngularJS as an auth provider.
How do I do this? Does it mean I need to deploy Node.js application to
Wildfly?
If so, is there any documentation for this process?
Thanks,
--
Kind Regards,
Jae Choi
10 years, 2 months
immutable ClaimType name?
by Bill Burke
I need some advice here. I'm trying to figure out how to model a
ClaimType for our persistent store. I'm thinking that the @Id of the
ClaimType will be the name of the claim itself (phone, street, etc.).
The name will be immutable once created.
Why do it this way?
* Simpler to store. UserModel can just have a Map<String, String> of
claim values
* More importantly, human readable files (json imports, and our
FileBased store) will be able to reference the claim type by name rather
than id. Users crafting an import file will not have to specify an ID
anywhere or generate one. This claim type is going to be referenced in
a few places:
- protocol claim mapping
- user claim value store
Does that sound ok?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months
Representations values must be Objects
by Bill Burke
This is very important:
All Representation (JSON) classes must have Object, nullable attribute
types. The reason is REST updates. The pattern we use is that if
the value is null, we don't update; if the value isn't null, we update.
So, booleans must be set as Boolean objects.
kthxbye,
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months
REST based identity management
by Reza Rasouli
Hi,
Regarding multi-tenancy in Keycloak, where each tenant maps to a realm, I wanted to ask for help in clarifying some key concepts in Keycloak to aid in implementing a simple REST-based identity management POC.
Imagine there is a requirement for a multi-tenant environment where user registration (= creation), user login, user logout and knowing whether a user is still logged in or not must be done over some wrapper REST service which exposes the mentioned functionality to the outside world.
With Keycloak being deployed in a private network, I have written a wrapper REST service which creates users for a desired tenant (= realm), and this wrapper service itself calls Keycloak's "Direct Grant API" from an OAuth Client with Super-User credentials, both defined in the "master" realm and having sufficient privileges over all realms (as defined by the documentation in "Chapter 17. Admin REST API").
Now I want to be able to wrap the logging-in and logging-out process of a user into a tenant in the same way as user creation, but I don't know how to handle this scenario exactly.
There are some different questions in my head regarding the situation explained above which I wanted to ask:
- To be able to log a user in/out through a wrapper REST service, which has been passed the user credentials and wants to use Keycloak REST APIs, should I create an OAuth client for each realm and log the user in/out using the related OAuth client in each realm?
- Which REST API provides information on whether a specific user is already logged in or not on a specific realm?
- How does the "Application" concept in Keycloak differ from "OAuth Client", and does it make sense to log a user into an application (over the REST API)? If yes, how is this different from logging a user into a realm with an OAuth Client?
Thanks a lot,
I really appreciate your help.
10 years, 2 months