Operational monitoring of Keycloak server
by Vlastimil Elias
Hi,
as we deployed KC in production mode for https://developers.redhat.com
we started to think about operational monitoring, for example from
Nagios or other systems of this type.
The KC user guide doesn't contain any chapter covering this topic, and a
Google search turned up nothing either, so it looks like KC doesn't have
any solution for this yet.
But I believe this is an important area which must be solved when KC is
used for production.
I can imagine monitoring of the JDBC connection if JPA is used, monitoring
of the Mongo connection if used as store, monitoring of the LDAP connection
if LDAP federation is used, etc.
Also, some statistics like the number of active SSO sessions, number of
logins per minute, etc. should be provided there.
Monitoring is not only about the Keycloak core itself; it should be
available to extension developers as well. For example, we implemented our
own UserFederationProvider which calls backend REST services.
We should be able to add info about this integration into the monitoring
endpoint to be able to catch problems with this REST API.
It should probably be implemented the same way as in the underlying
WildFly/EAP (JPA/JDBC is probably available for monitoring there). I'm
not sure if JMX is still used there or if some new framework is
available for it.
Or should KC use some form of KC REST API for this, which should be
extended with additional info from KC extensions?
What do you think?
Vlastimil
P.S we have https://issues.jboss.org/browse/RHD-552 for Red Hat
Developer instance of KC
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
9 years, 4 months
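One shape the extensible monitoring endpoint proposed above could take, written as an added example (not Keycloak code): a check registry that core components and extensions such as a custom UserFederationProvider register into, run with per-check timeouts and reduced to a Nagios-style exit code. The check names and their results are constructed for the example.

```python
import concurrent.futures
import time
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3      # Nagios plugin exit codes
STATUS_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
CHECKS = {}                                       # name -> callable returning (status, detail)

def register_check(name):
    """Decorator: core components and extension providers register checks here."""
    def wrap(fn):
        CHECKS[name] = fn
        return fn
    return wrap

def run_checks(timeout=2.0):
    """Run every registered check with a per-check timeout; a hung dependency
    is reported as CRITICAL instead of hanging the monitoring endpoint."""
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=max(1, len(CHECKS)))
    futures = {name: pool.submit(fn) for name, fn in CHECKS.items()}
    results = {}
    for name, fut in futures.items():
        try:
            results[name] = fut.result(timeout=timeout)
        except concurrent.futures.TimeoutError:
            results[name] = (CRITICAL, "timed out after %.1fs" % timeout)
        except Exception as exc:                  # a crashing check is itself a finding
            results[name] = (UNKNOWN, "check raised %s" % type(exc).__name__)
    pool.shutdown(wait=False)                     # do not block on the hung check
    return results

def overall_status(results):
    """Worst individual status wins, as a Nagios plugin reports it."""
    return max((status for status, _ in results.values()), default=OK)

def nagios_line(results):
    """(exit code, one-line summary) in the form a Nagios check command expects."""
    code = overall_status(results)
    parts = ["%s=%s (%s)" % (n, STATUS_NAME[s], d) for n, (s, d) in sorted(results.items())]
    return code, "KEYCLOAK %s - %s" % (STATUS_NAME[code], "; ".join(parts))
# Constructed sample checks: JDBC, LDAP federation and a custom
# UserFederationProvider whose backend REST service has stopped responding.
@register_check("jdbc")
def jdbc_check():
    return OK, "pool 3/20 connections in use"
@register_check("ldap")
def ldap_check():
    return WARNING, "bind latency 900ms"
@register_check("backend-rest")
def backend_rest_check():
    time.sleep(0.5)                               # simulates a hung REST backend
    return OK, "reachable"
```

Running `nagios_line(run_checks(timeout=0.2))` yields exit code 2 and a single summary line, so a Nagios check command can consume it directly.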
groups vs. organizations
by Bill Burke
Scott,
I'm trying to wrap my head around how your concept of an organization is
different from a group. Wouldn't an organization just be a stricter form
of a group? A group could have any arbitrary roles and attributes
associated with it. An organization could too.
Is the difference that the organization has a specific common set of
attributes? i.e., what's in SAML organization descriptors.
My thinking is that we'd have both organizations and groups. They would
work the exact same way except that organizations would have some
pre-defined attribute types.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 4 months
RFC: organizations
by Scott Rehorn
Hello Bill, Stian, and the rest of the keycloak-dev list from Dell Software
(software division of Dell Computers).
As Bill and Stian already know, our team at Dell has been integrating our
own extensions to Keycloak to build a SaaS-based identity broker, and Bill
and Stian suggested that we run the first of our main extensions out into
the mailing list for further discussion. Here is an overview to solicit
some first impressions and additional ideas in this area. We think this
extension is necessary for our own use cases, and, if it seems like a
broadly useful modification, then we can contribute the code for it.
Proposal: introduce a new entity called "organizations" to provide a means
of delivering specific claim values to authenticated users known in that
organization
Rationale: in our group at Dell Software, we have to support the notion of
tenancy within a single realm, but we are trying to avoid the term ‘tenant’
as it’s too overloaded. Our typical use case is to use Keycloak + our
extensions as an external system which acts as identity broker for a
constrained set of IdPs and claims authority for users. If we use
realm-per-organization, then we wind up with a large set of repeated IdP
configurations. By introducing an entity for “organizations”, we have a
centralized place to store metadata for users and related client/RP
instances.
Example: clients A and B are SSO apps which both use KC for authentication
and authorization. If a user logs into client A, he is redirected to an IdP
(via Keycloak brokering) where he authenticates. After authentication, the
user of client A receives in his claimset additional assertions, e.g.,
subscriptionId=2057 and organizationName=CheeseCompany, which are derived
from the org definition which says that the authenticated user belongs to
Cheese Company under a particular subscription. A different user in a
different organization would have a different subscription and would
receive a different subscriptionId and organizationName.
Implementation strategy and code impact: our current implementation is
derived from the IdentityProviders model and exposes an API only at
'/organizations'. We haven’t done the UI level, but it would be similar to
the identity providers UX (top-level admin managed item in left menu).
Relationship to ‘groups’: we think that the concept of organizations is
conceptually distinct enough to treat it as a hierarchical construct. An
organization can have IdPs and users it recognizes, and such grouping of
related clients needing common assertions could be accomplished with
groups, but our current thinking is that the groups-everywhere approach is
a little too general – e.g., you **can** simulate relational database
semantics with tags and selections based on combinations of tags, but when
something is clearly hierarchical, why not use a hierarchy? Groups would be
a separate construct and could then be treated as tags to enable multiple
memberships etc., much like roles are handled in KC now.
Thanks for your attention and we look forward to working with you.
- scott r
9 years, 4 months
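A small model of the proposed organization entity, added here as an example and not Dell's or Keycloak's code: an organization recognizes a set of IdPs and a set of users, and only a brokered login matching both yields the organizationName and subscriptionId claims from the message above. The organization names, IdP aliases and subjects are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Organization:
    name: str
    subscription_id: int
    idps: frozenset        # aliases of the brokered IdPs this organization trusts
    members: frozenset     # subjects (as asserted by those IdPs) it recognizes

class AmbiguousOrganization(Exception):
    """More than one organization recognizes the same brokered identity."""

def resolve_org(orgs, idp_alias, subject):
    """The single organization recognizing (idp_alias, subject), or None.
    Both must match: the same subject string asserted by an IdP the
    organization does not trust is not a member of it."""
    hits = [o for o in orgs if idp_alias in o.idps and subject in o.members]
    if len(hits) > 1:
        # Refuse to guess rather than hand out another organization's claims.
        raise AmbiguousOrganization(sorted(o.name for o in hits))
    return hits[0] if hits else None

def org_claims(orgs, idp_alias, subject):
    """Extra claims added to the token after brokered login; a user known
    to no organization gets no organization claims at all."""
    org = resolve_org(orgs, idp_alias, subject)
    if org is None:
        return {}
    return {"organizationName": org.name, "subscriptionId": org.subscription_id}

# Constructed sample data: two organizations with their own IdPs and members.
ORGS = [
    Organization("CheeseCompany", 2057, frozenset({"cheese-adfs"}),
                 frozenset({"alice"})),
    Organization("WineCompany", 3100, frozenset({"wine-okta", "google"}),
                 frozenset({"bob", "carol@wine.example"})),
]
```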
Re: [keycloak-dev] Kerberos with IE does not work
by Michael Gerber
The ClearAuthenticationCache command deletes the following data:
- Session cookies
- sessionStorage
- HTTP Authentication (e.g. Digest or Basic HTTP credentials)
- HTTPS Client Certificates (e.g. sites that use certificates or SmartCards)
But Keycloak needs the session cookie, otherwise the user has to log in again after each page reload.
Isn't the clientSecret public anyway if it is sent in the Authorization header?
On 29 July 2015 at 14:27, Bill Burke <bburke(a)redhat.com> wrote:
The trick you found earlier doesn't work?
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...
Also, what happens in keycloak.js if kc.clientSecret is null? Just remove
the client secret IMO. You shouldn't be exposing the client secret as
it is now public to everybody in the world....
On 7/29/2015 8:05 AM, Michael Gerber wrote:
I was able to find a solution for my IE problem.
IE overwrites the Authorization header in the XMLHttpRequest
(/protocol/openid-connect/token) with "Authorization: Negotiate".
To solve this problem, I added the client_id and client_secret to the form
on the client side and changed the authorizeClient method so that it checks
the form data first instead of the Authorization HTTP header.
Have a look at my code:
https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01...
Should I create a pull request for the changes or do you have a better
solution?
cheers
Michael
On 22 July 2015 at 11:46, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi Michael,
No idea if there is another solution, I've never tried SPNEGO with
Internet Explorer TBH :(
Could you please create JIRA for this?
Thanks,
Marek
On 22.7.2015 10:07, Michael Gerber wrote:
Hi all
My Kerberos configuration works fine with Firefox and Chrome, but it
does not work with IE.
It shows a prompt where the user has to enter a username and password.
I can successfully get an access code, but I cannot get an access
token, because IE overwrites the Authorization header in the AJAX
request. (see
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...)
I can fix this by adding
document.execCommand('ClearAuthenticationCache', 'false');
above
var req = new XMLHttpRequest();
at approximately line 374 in the keycloak.js file.
Is there another solution for this problem?
cheers
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9 years, 4 months
Securing Rest Services Via KeyCloak
by Satyajit Das
Hi Team,
I have 2 requirements:
1) I can authenticate via web login to visit my desired page. But after the
login I want the token to be sent to the business layer for further
authentication. How can I get the token?
2) I want to secure the REST services, where, if I make a call to any
RESTful service that produces and consumes JSON format data, the
scenario is: I make a call to the RESTful service. The authentication
should kick in. If successful, I can go ahead and play with the other REST
services.
Any help will be highly appreciated.
Regards,
Satya.
9 years, 4 months
SAML 2.0 Profile for OAuth 2.0
by Bruno Oliveira
Good morning,
I was playing with SAML and was wondering if we have something close to
this RFC (https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23)
implemented or planned. I couldn't find anything related in the
documentation and examples.
The motivation behind this is the integration of native mobile clients with
providers implementing SAML.
Thanks in advance.
--
"The measure of a man is what he does with power" - Plato
@abstractj
Volenti Nihil Difficile
9 years, 4 months
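For readers unfamiliar with the draft Bruno cites, here is the exchange it defines, as an added example that is not Keycloak code: the native client POSTs the SAML assertion as an OAuth grant, and the token endpoint applies the draft's processing rules (issuer, expiry, audience, bearer subject confirmation). It assumes the assertion's XML signature has already been verified by the SAML stack, and the hostnames, sample assertion and token endpoint URL are constructed.

```python
import base64
from datetime import datetime
from urllib.parse import urlencode
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def build_token_request(assertion_xml, scope="openid"):
    """Form body the native client POSTs to the token endpoint (draft section 2.1)."""
    enc = base64.urlsafe_b64encode(assertion_xml).rstrip(b"=").decode()
    return urlencode({"grant_type": GRANT_TYPE, "assertion": enc, "scope": scope})

def decode_assertion(param):
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_bearer_assertion(xml_bytes, token_endpoint, trusted_issuers, now):
    """Section 3 processing rules: (subject, None) if usable as a grant, else
    (None, reason). Signature verification is assumed to happen before this."""
    root = ET.fromstring(xml_bytes)
    if root.tag != NS + "Assertion":
        return None, "not a SAML 2.0 Assertion"
    if root.findtext(NS + "Issuer") not in trusted_issuers:
        return None, "untrusted issuer"
    conds = root.find(NS + "Conditions")
    if conds is None or not conds.get("NotOnOrAfter"):
        return None, "missing Conditions/NotOnOrAfter"
    if now >= parse_ts(conds.get("NotOnOrAfter")):
        return None, "assertion expired"
    if conds.get("NotBefore") and now < parse_ts(conds.get("NotBefore")):
        return None, "assertion not yet valid"
    if token_endpoint not in [a.text for a in conds.iter(NS + "Audience")]:
        return None, "token endpoint not an intended audience"
    subj = root.find(NS + "Subject")
    if subj is None or not any(c.get("Method") == BEARER for c in subj.iter(NS + "SubjectConfirmation")):
        return None, "no bearer SubjectConfirmation"
    return subj.findtext(NS + "NameID"), None

TOKEN_ENDPOINT = "https://kc.example.com/auth/realms/demo/protocol/openid-connect/token"
# Constructed sample assertion; a real one also carries a ds:Signature element.
SAMPLE = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
  <saml:Conditions NotBefore="2015-07-30T09:00:00Z" NotOnOrAfter="2015-07-30T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>""" + TOKEN_ENDPOINT.encode() + b"""</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""
```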
Kerberos with IE does not work
by Michael Gerber
I was able to find a solution for my IE problem.
IE overwrites the Authorization header in the XMLHttpRequest (/protocol/openid-connect/token) with "Authorization: Negotiate".
To solve this problem, I added the client_id and client_secret to the form on the client side and changed the authorizeClient method so that it checks the form data first instead of the Authorization HTTP header.
Have a look at my code:
https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01...
Should I create a pull request for the changes or do you have a better solution?
cheers
Michael
On 22 July 2015 at 11:46, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi Michael,
No idea if there is another solution, I've never tried SPNEGO with Internet Explorer TBH :(
Could you please create JIRA for this?
Thanks,
Marek
On 22.7.2015 10:07, Michael Gerber wrote:
Hi all
My Kerberos configuration works fine with Firefox and Chrome, but it does not work with IE.
It shows a prompt where the user has to enter a username and password.
I can successfully get an access code, but I cannot get an access token, because IE overwrites the Authorization header in the AJAX request. (see http://stackoverflow.com/questions/28615850/internet-explorer-11-repl...)
I can fix this by adding
document.execCommand('ClearAuthenticationCache', 'false');
above
var req = new XMLHttpRequest();
at approximately line 374 in the keycloak.js file.
Is there another solution for this problem?
cheers
Michael
9 years, 4 months