Request for Help
by Muhammad Usman Siddiqui
Dear Mentors/Seniors,
I am really interested in your Keycloak-IoT security, because it has
always attracted me. I had a passion for hacking and I think it's time to
become a white hat. Can't wait to contribute my skills in this project
at GSOC-15. Could anyone please help me out?
Cheers,
M.Usman Siddiqui.
9 years, 1 month
Log Admin associated (edit/modify) Events.
by Giriraj Sharma
I propose, as recommended by Stian, that all admin activities
(edited/modified) shall be logged, rather than just user-related admin
events.
User-related events will continue to be logged in all cases, as is currently done.
In addition,
#1. We can simply log all other activities by the admin too.
OR
#2. Provide an option (on/off) for the admin to choose whether he wishes to log
all other admin events too.
--
Giriraj Sharma
about.me/girirajsharma
<http://about.me/girirajsharma?promo=email_sig>
Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India 177005
9 years, 1 month
Client cert authentication
by Tom Arnold
Hey all,
First, just wanted to say that Keycloak looks great. It seems like the
project has come a long way in a very short time!
Are there plans to support client cert (X.509) authentication?
Thanks,
Tom
9 years, 1 month
Regarding Keycloak - Internationalization support
by MUDIT SAXENA
Hello,
I was looking forward to working on this particular idea in GSOC-2015. But
today when I checked the idea page, I saw that this idea has been taken
off. Any specific reasons for it?
Regards,
Mudit Saxena
9 years, 1 month
Kerberos progress
by Marek Posolda
I've already pushed an initial version of the Kerberos broker. It uses the existing
brokering mechanism from Pedro and allows logging users in to KC with a
SPNEGO/Kerberos token. There are still things I need to address (more
testing + automated testing, credentials delegation, etc.).
I have a question about automatic Kerberos login without displaying the
login form. Browsers support this very well - when the server returns a
response with status 401, header "WWW-Authenticate: Negotiate" and HTML
with the login page, browsers are able to handle it and:
* In case the user has a Kerberos ticket, the browser will send it back in
an additional HTTP request with "Authorization: Negotiate <ticket>". In
this case the login form is not displayed to the user
* In case the user doesn't have a Kerberos ticket, the browser just displays the HTML
with the login form
You can try https://saml.redhat.com/idp/ to see what I mean.
JBoss Negotiation supports this, so I believe we should address it too.
I have some ideas on how to do it:
1) Configure a default broker on the server side per-realm. If used, the login
request will automatically redirect to the configured broker. It may also be
possible to override the default broker per client?
2) Add an on/off switch to the broker configuration to specify if it should be
the default or not
3) Leverage the existing "k_idp_hint" parameter. I am thinking about adding
an option "idp_hint" to AdapterConfig. In case it's configured, the adapter
will use it to attach the "k_idp_hint" parameter to the login request. This
will allow per-application configuration and no changes on the auth-server
side, but all applications will need to use it in their adapter
configuration.
4) Don't configure anything, but hard-code that Kerberos will always be
used by default if configured. Basically add a new method "boolean
isDefault()" to the IdentityProvider interface. It will return "true" for
the Kerberos impl and "false" for the other broker types we currently have.
I like (1) or (2) most. Thoughts?
Marek
9 years, 1 month
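The automatic-login exchange described in the message above, sketched as server-side logic. This is an added example, not part of the original message and not Keycloak's code: handle_login_request, accept_ticket and LOGIN_FORM are hypothetical names, the sample tokens are constructed, and the NTLM check goes beyond the message (a browser may send an NTLM blob instead of a Kerberos ticket under the same Negotiate scheme).

```python
import base64

LOGIN_FORM = "<html><body><form method='post'>login form</form></body></html>"

# Constructed sample tokens (not real tickets), base64 as a browser would send them.
SAMPLE_GSS = base64.b64encode(b"\x60\x82\x01\x00constructed-spnego").decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()


def classify_negotiate_token(raw):
    """Classify the blob carried by 'Authorization: Negotiate <ticket>'."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"    # NTLM fallback, not a Kerberos ticket
    if raw[:1] == b"\x60":
        return "gssapi"  # ASN.1 [APPLICATION 0]: initial SPNEGO/Kerberos token
    return "unknown"


def handle_login_request(headers, accept_ticket):
    """Return (status, response_headers, body) for one login request.

    accept_ticket is a hypothetical callback standing in for the real
    GSS-API acceptor; it returns a username, or None if the ticket is rejected.
    """
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not value.strip():
        # Challenge and ship the form in the same response: a browser with a
        # ticket retries silently, a browser without one just renders the form.
        return (401,
                {"WWW-Authenticate": "Negotiate", "Content-Type": "text/html"},
                LOGIN_FORM)
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except ValueError:
        return 400, {}, "malformed Negotiate token"
    if classify_negotiate_token(raw) != "gssapi":
        # This example's choice: show the form without re-challenging,
        # so a client that cannot do Kerberos is not sent into a 401 loop.
        return 200, {"Content-Type": "text/html"}, LOGIN_FORM
    user = accept_ticket(raw)
    if user is None:
        return 200, {"Content-Type": "text/html"}, LOGIN_FORM
    return 200, {}, "logged in as " + user


if __name__ == "__main__":
    print(handle_login_request({}, lambda t: None)[0])
    print(handle_login_request({"Authorization": "Negotiate " + SAMPLE_GSS},
                               lambda t: "alice")[2])
```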
(no subject)
by Juan Escot
Hi,
I just updated my jboss eap 6.3 server to keycloak 1.10 final. When I try
to make a call to a REST service authenticated with keycloak, I get this
exception:
"ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(http-/0.0.0.0:8080-1) Failed to verify token:
org.keycloak.VerificationException: Invalid token signature."
I'm trying the preconfigured demo project to test my server and, when I run
the 'angular product example', I get this error too when it calls a REST
service on the "database service" demo project.
I have configured my realm, added the projects and updated the keycloak.json
file for each project.
I have reviewed all the keycloak configuration and it seems to be OK. The full
stack trace for the exception is this:
ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (http-/0.0.0.0:8080-1) Failed to verify token: org.keycloak.VerificationException: Invalid token signature.
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:26) [keycloak-core-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) [keycloak-core-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:67) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:62) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:45) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:192) [keycloak-tomcat-core-adapter-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:26) [keycloak-as7-adapter-1.1.0.Final.jar:1.1.0.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:173) [keycloak-tomcat-core-adapter-1.1.0.Final.jar:1.1.0.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
What's wrong?
Thanks in advance,
Juan Escot
9 years, 1 month
Introduction- GSOC 2015
by MUDIT SAXENA
Hello,
I am Mudit Saxena from India. I am pursuing a B.Tech in Computer Science &
Engineering. I am a Java developer and have committed myself to different
projects in Java. I am looking forward to GSOC-2015 and want to be a part of the
open source community.
Thank you,
Regards,
Mudit Saxena
9 years, 1 month
apps access to and refresh of facebook tokens
by Bill Burke
At least for openid connect, I think we hashed this through on our dev
call today.
* There will be a Protocol Claim Mapper that can add a facebook token
and expiration claim to the application's access token.
* The refreshToken endpoint will accept a "scope" parameter. The
application can then request the refresh of any external token by
specifying this token in the "scope" parameter.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 1 month