refactored admin reset email and required actions
by Bill Burke
The admin console can send a reset password email to the user. Originally
it just executed update password. I changed this so that it sets an
Update Password required action on the User. The email link click runs
all required actions set for the user, then displays a message that the
Account has been updated.
When I get back, I'm also going to change the admin console behavior and
look too. Instead of a "Reset Password Email" button on Credentials
tab, there will be a button next to the Required Actions selection box
on user detail, something like "Email Required Actions" (I need a
better name). Clicking on this button will send an email to user
"Your administrator has requested that you update and/or reset some of
your account settings. Please click the link below to perform these
actions."
We do it this way because there may be multiple credentials the admin
wants the user to reset. These credentials may be custom authenticators.
Also I refactored the CONFIG_TOTP, UPDATE_PROFILE, and UPDATE_PASSWORD
required actions. They are now fully encapsulated under the required
actions SPI and are not hardcoded with any special cases. I still need
to refactor verify email. Ran out of time.
Finally, I need to add a check to user-initiated Reset Credentials. I
haven't put back in the cookie check to make sure not to log in the user
if it's not the same browser.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 4 months
Offline tokens
by Marek Posolda
Some thoughts around offline tokens impl:
- Client has switch "Allow offline tokens". Offline token can be
requested only if the switch is enabled
- Offline token can be requested if parameter "scope=offline" is sent.
Offline token is sent alone, no IDToken or refreshToken is sent together
with it.
Question: Should offline tokens be available just for
ResourceOwnerPasswordCredentials and ServiceAccounts or also for classic
web based authorization code flow?
- There are methods on UserModel to track which offline tokens were
issued for particular user. Like:
List<String> getOfflineTokens();
void addOfflineToken(String offlineToken);
void removeOfflineToken(String offlineToken);
- Offline token will never expire. Or should we eventually add another
timeout for offline token (With some big default value like 1 month or so)?
- Offline token is not refreshable.
- Offline token can be validated by current OIDC endpoint for token
validation. Offline token is not valid if UserModel doesn't have token
anymore on it. But offline token is still valid even if corresponding
UserSession doesn't exist. So we can still have offline tokens valid for
1 year even if SsoSessionMaxLifespan is just 10 hours.
- Offline token can be logged out. Logout will remove offline token from
corresponding UserModel.
- In the Account management applications page the user can see a list of offline
tokens issued for individual clients and can revoke them. Not sure whether to
put another "Revoke offline token" or use the current "Revoke grant" action,
which will revoke both consents and offline tokens?
- Admin can see the offline tokens for user in admin console and can
revoke them too. Current button "Logout All" in sessions tab will
revoke offline tokens from all users. For performance reasons, we may
need method on UserProvider, so it's possible to clean whole DB table
"OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
users.
- For adapters, we should likely have an option, so the REST endpoint
adapter has the possibility to validate offline token by always sending
validation request to KC server. We didn't need it for access tokens,
which are valid just for 1 minute or so, but offline tokens are long
lived so adapter should have this possibility IMO.
WDYT?
Marek
9 years, 4 months
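A runnable model of the lifecycle rules in the list above, added here as an example; it is not Keycloak code and not part of Marek's message. HS256 with a constructed key stands in for the realm keypair, the "typ": "Offline" claim and the in-memory dicts standing in for UserModel.getOfflineTokens() and the UserSession store are assumptions of the model, and the IP-address idea is left out. It shows the lifetime point the proposal makes: an offline token stays valid after every session has expired, as long as the user record still lists it, while an ordinary access token does not, and revocation is a change to the user record rather than to the token.

```python
import base64
import hashlib
import hmac
import json
import os
import time
import uuid

# Constructed stand-in for the realm's signing key (a real realm signs with its keypair).
REALM_KEY = os.urandom(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def claims_of(token: str) -> dict:
    """Decode the payload WITHOUT verifying it; for inspection only, never trust the result."""
    return json.loads(_unb64(token.split(".")[1]))


class Realm:
    """Model of the offline-token rules from the proposal; the stores are plain dicts."""

    def __init__(self, sso_session_max_lifespan):
        self.sso_session_max_lifespan = sso_session_max_lifespan
        self.clients = {}        # client_id -> {"allow_offline": bool}   ("Allow offline tokens" switch)
        self.user_offline = {}   # username -> set of jti                (UserModel.getOfflineTokens())
        self.sessions = {}       # session_id -> (username, started_at)  (UserSession)

    def add_client(self, client_id, allow_offline=False):
        self.clients[client_id] = {"allow_offline": allow_offline}

    def _sign(self, payload):
        header = _b64(b'{"alg":"HS256","typ":"JWT"}')
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(REALM_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(sig)}"

    def login(self, client_id, username, scope="", now=None):
        """Authenticate; return a short-lived access token, or an offline token for scope=offline."""
        now = int(time.time()) if now is None else now
        session_id = str(uuid.uuid4())
        self.sessions[session_id] = (username, now)
        jti = str(uuid.uuid4())
        payload = {"sub": username, "azp": client_id, "jti": jti, "iat": now,
                   "session_state": session_id}
        if "offline" in scope.split():
            if not self.clients.get(client_id, {}).get("allow_offline"):
                raise PermissionError(f"client {client_id} may not request offline tokens")
            payload["typ"] = "Offline"   # no exp: lifetime is bound to the user record, not the session
            self.user_offline.setdefault(username, set()).add(jti)
        else:
            payload["typ"] = "Bearer"
            payload["exp"] = now + 60    # ordinary access token, about a minute as in the thread
        return self._sign(payload)

    def validate(self, token, now=None):
        """What the token-validation endpoint would answer for this token right now."""
        now = int(time.time()) if now is None else now
        try:
            header, body, sig = token.split(".")
            expected = hmac.new(REALM_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return False
            claims = json.loads(_unb64(body))
        except ValueError:               # wrong segment count, bad base64 or bad JSON
            return False
        if not isinstance(claims, dict):
            return False
        if claims.get("typ") == "Offline":
            # Valid only while the UserModel still lists the jti; the UserSession may be long gone.
            return claims.get("jti") in self.user_offline.get(claims.get("sub"), set())
        if now >= claims.get("exp", 0):
            return False
        session = self.sessions.get(claims.get("session_state"))
        return session is not None and now - session[1] < self.sso_session_max_lifespan

    def expire_sessions(self, now):
        """Drop UserSessions older than SsoSessionMaxLifespan, as the server does in the background."""
        self.sessions = {sid: s for sid, s in self.sessions.items()
                         if now - s[1] < self.sso_session_max_lifespan}

    def logout_offline(self, username, jti):
        """Per-token revocation from the account page or the admin console."""
        self.user_offline.get(username, set()).discard(jti)

    def logout_all(self):
        """The "Logout All" case: clear the whole offline-token store instead of walking every user."""
        self.user_offline.clear()
```

Note that validate() never consults the session store for an offline token; that is exactly why the proposal needs the separate revocation paths (per-token logout and the bulk table clear), because nothing else ever ends the token.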
Re: [keycloak-dev] Offline tokens
by Marek Posolda
Hi Mike,
actually we likely won't support the cookie on the adapter side in the
end. However you can achieve the same/similar effect by enabling "remember
me" for your realm in Keycloak admin console and increasing the realm
timeouts accordingly ("max session timeout" and "idle timeout"). In
this case, the keycloak server cookies are persistent and you will be
logged in automatically when you open your application next time from your
browser/phone.
Marek
On 21/08/15 14:17, Mike Cirioli wrote:
> I think this sounds like an excellent idea - my team has been getting
> requests to SAML-enable mobile applications, and particularly in the
> case of internal applications that we require OTP auth for, this
> sounds like it would enable us to secure those apps with relatively
> little pain for the user (OTP auth on your mobile device is a bit of a
> PITA). Requiring the user to only go through that process once and
> then having the app save the offline token to be used for subsequent
> access would be perfect.
>
> Is this use case something that makes sense in this context?
>
> thanks
> -mike cirioli
>
>
> On 8/21/15 8:09 AM, Marek Posolda wrote:
>> On 21/08/15 13:30, Marek Posolda wrote:
>>> Some thoughts around offline tokens impl:
>>>
>>> - Client has switch "Allow offline tokens". Offline token can be
>>> requested only if the switch is enabled
>>>
>>> - Offline token can be requested if parameter "scope=offline" is sent.
>>> Offline token is sent alone, no IDToken or refreshToken is sent
>>> together
>>> with it.
>>> Question: Should offline tokens be available just for
>>> ResourceOwnerPasswordCredentials and ServiceAccounts or also for
>>> classic
>>> web based authorization code flow?
>>>
>>> - There are methods on UserModel to track which offline tokens were
>>> issued for particular user. Like:
>>>
>>> List<String> getOfflineTokens();
>>> void addOfflineToken(String offlineToken);
>>> void removeOfflineToken(String offlineToken);
>>>
>>> - Offline token will never expire. Or should we eventually add another
>>> timeout for offline token (With some big default value like 1 month
>>> or so)?
>>>
>>> - Offline token is not refreshable.
>>>
>>> - Offline token can be validated by current OIDC endpoint for token
>>> validation. Offline token is not valid if UserModel doesn't have token
>>> anymore on it. But offline token is still valid even if corresponding
>>> UserSession doesn't exist. So we can still have offline tokens valid
>>> for
>>> 1 year even if SsoSessionMaxLifespan is just 10 hours.
>>>
>>> - Offline token can be logged out. Logout will remove offline token
>>> from
>>> corresponding UserModel.
>>>
>>> - In the Account management applications page the user can see a list of offline
>>> tokens issued for individual clients and can revoke them. Not
>>> sure whether to
>>> put another "Revoke offline token" or use the current "Revoke grant"
>>> action,
>>> which will revoke both consents and offline tokens?
>>>
>>> - Admin can see the offline tokens for user in admin console and can
>>> revoke them too. Current button "Logout All" in sessions tab will
>>> revoke offline tokens from all users. For performance reasons, we may
>>> need method on UserProvider, so it's possible to clean whole DB table
>>> "OFFLINE_TOKEN" (similarly for mongo) instead of iterating through all
>>> users.
>>>
>>> - For adapters, we should likely have an option, so the REST endpoint
>>> adapter has the possibility to validate offline token by always sending
>>> validation request to KC server. We didn't need it for access tokens,
>>> which are valid just for 1 minute or so, but offline tokens are long
>>> lived so adapter should have this possibility IMO.
>> - Actually, for the frontend adapters (both server and keycloak.js ) I
>> am thinking about adding the persistent cookie, which will be put on the
>> application after successful login and is valid for the same time as
>> the offline token (so a couple of months). When the browser is opened next
>> time, the adapter will find the cookie and send the validation request
>> to KC to check if the offline token is still valid. This will allow the
>> browser application to be logged in with the same offline token for a couple
>> of months.
>>
>> I also wonder if we should put the IP address checking when validating
>> offline token (Offline token is valid just if the validation request comes
>> from the same address as the original request) ?
>>
>> Marek
>>>
>>> WDYT?
>>>
>>> Marek
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
9 years, 4 months
Issue with multi tenancy
by Satyajit Das
>
> Hi Team,
>
> I have configured PathBasedKeycloakConfigResolver in my package:
> com.demo.util.
>
> The context param has been set on web.xml
> <context-param>
> <param-name>keycloak.config.resolver</param-name>
>
> <param-value>org.keycloak.example.PathBasedKeycloakConfigResolver</param-value>
> </context-param>
>
> I deployed the application on Tomcat. I have registered the context.xml in
> meta-inf with the required adapter.
>
> Tomcat lib directory has all the required keycloak jar files.
>
> But PathBasedKeycloakConfigResolver never gets called on any request to
> the url.
> One strange thing I find is that in Eclipse, if I remove the maven dependency
> from deployment assembly (right click on project -> properties -> deployment
> assembly) it works, but if I put it back it fails. Maven dependency is a
> must.
>
After debugging String configResolverClass =
context.getServletContext().getInitParameter("keycloak.config.resolver");
in the AbstractKeycloakAuthenticatorValve class, I got the following error
when PathBasedKeycloakConfigResolver is being instantiated:
java.lang.ClassCastException:
org.keycloak.example.PathBasedKeycloakConfigResolver cannot be cast to
org.keycloak.adapters.KeycloakConfigResolver
But PathBasedKeycloakConfigResolver implements
org.keycloak.adapters.KeycloakConfigResolver.
Regards,
Satya.
9 years, 4 months
Where to store data for the SSO session?
by Hermann Hill
Hi,
I'm currently working on attaching an internal authentication API to Keycloak by implementing a UserFederationProvider.
Basically it is working, but I'm wondering where I'm supposed to store additional data that should be tied to the lifetime of the SSO session of a user. The KeycloakSession object seems to be recreated on every access to the server and I got lost in its subobjects without finding something usable.
Is there any documentation on the recommended way to do that? If not, could somebody please be so kind and point me in the right direction?
Best regards,
Hermann Josef Hill
Software Architect
optile GmbH
Ganghoferstraße 39 | 80339 München
Mobile +49 (151) 5385 0784
hermann.hill(a)optile.net | www.optile.net
VAT ID No. DE268847980
Managing Director: Daniel Smeds
Commercial Register Munich HRB 183178
+++ Visit us at dmexco 2015 on 16 & 17 September, Cologne, Hall 7.1, Stand F013 +++
9 years, 4 months
Issue with MultiTenancy on Tomcat
by Satyajit Das
Hi Team,
I have configured PathBasedKeycloakConfigResolver in my package:
com.demo.util.
The context param has been set on web.xml
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>org.keycloak.example.PathBasedKeycloakConfigResolver</param-value>
</context-param>
I deployed the application on Tomcat. I have registered the context.xml in
meta-inf with the required adapter.
Tomcat lib directory has all the required keycloak jar files.
But PathBasedKeycloakConfigResolver never gets called on any request to the
url.
One strange thing I find is that in Eclipse, if I remove the maven dependency
from deployment assembly (right click on project -> properties -> deployment
assembly) it works, but if I put it back it fails. Maven dependency is a
must.
Kindly comment.
9 years, 5 months
Issue with PathBasedKeycloakConfigResolver
by Satyajit Das
Hi Team,
I have configured PathBasedKeycloakConfigResolver in my package:
com.demo.util.
The context param has been set on web.xml
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>org.keycloak.example.PathBasedKeycloakConfigResolver</param-value>
</context-param>
I deployed the application on Tomcat. I have registered the context.xml in
meta-inf with the required adapter.
Tomcat lib directory has all the required keycloak jar files.
But PathBasedKeycloakConfigResolver never gets called on any request to the
url.
Kindly comment.
Regards,
Satya.
9 years, 5 months
Query on multi Tenancy
by Satyajit Das
Hi Team,
I have some query on multi tenancy.
Scenario:
a)
I have a webservice (named: SampleService) that is to be shared across
multi tenants , i.e in other words, the service will be present in multiple
realms.
The number of realms are dynamic, they can be increased based on new client
onboard.
Configuration:
I have multiple keycloak.json files present in resource folder of
SampleService such as:
realm1-keycloak.json
realm2-keycloak.json.
To resolve these multiple JSONs, I have a path resolver in web.xml of
SampleService:
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>com.crunchify.restjersey.PathBasedKeycloakConfigResolver</param-value>
</context-param>
b)
I have a UI application, that gets authenticated by calling the service
to get the token:
example
new HttpPost(KeycloakUriBuilder.fromUri("http://localhost:8080/auth")
.path(ServiceUrlConstants.TOKEN_PATH).build(realmName));
Now my question is: I have the token for a particular realm (say realm1) and
I want to call the SampleService using that token. How will SampleService
come to know which keycloakJson to use to resolve the token validation:
Note my service call URI doesn't change as per realm: example:
URI are
localhost:8080/sampleService/getRequsitionDetails
or
localhost:8080/sampleService/postRequsitionDetails
and not
localhost:8080/sampleService/realm1/getRequsitionDetails
or
localhost:8080/sampleService/realm2/postRequsitionDetails.
Kindly respond to the above case.
Please let me know in case of any issues.
9 years, 5 months
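One way a service whose URL does not carry the realm can pick the right keycloak.json, added here as an example (not Keycloak's adapter code and not part of the question): look at the token's unverified iss claim only to select one of the configured realms, then verify the signature with that realm's key. Keycloak issuers have the form <auth-server-url>/realms/<realm>, which the code relies on; everything else (the two config dicts, HS256 with constructed keys in place of the realm public keys, the client id, the user name) is a constructed stand-in so the example runs offline. The security point sits in resolve_config: the unverified claim is never trusted, it only chooses which key the signature is checked against, and an issuer that matches no configured realm is rejected rather than turned into a file name to load.

```python
import base64
import hashlib
import hmac
import json
import os


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-ins for realm1-keycloak.json and realm2-keycloak.json. A real adapter
# config carries the realm's public key; HMAC keys are used here only so the example runs offline.
REALM_CONFIGS = {
    "realm1": {"auth-server-url": "http://localhost:8080/auth", "realm": "realm1", "key": os.urandom(32)},
    "realm2": {"auth-server-url": "http://localhost:8080/auth", "realm": "realm2", "key": os.urandom(32)},
}


def issuer_of(config: dict) -> str:
    """Keycloak sets iss to <auth-server-url>/realms/<realm>."""
    return f"{config['auth-server-url']}/realms/{config['realm']}"


def issue_token(config: dict, sub: str) -> str:
    """Stand-in for a realm's token endpoint: an HS256 token carrying that realm's issuer."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps({"iss": issuer_of(config), "sub": sub, "azp": "SampleService"}).encode())
    sig = hmac.new(config["key"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def resolve_config(token: str):
    """Select the realm config from the *unverified* iss claim.

    Nothing is trusted yet: the claim only decides which realm's key the signature will be
    checked against, and only an exact match with a configured issuer is accepted. Deriving
    a file name from the claim (split the realm out of the URL, load "<realm>-keycloak.json")
    would let a token from an unknown issuer pick which config is read.
    """
    try:
        claims = json.loads(_unb64(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    iss = claims.get("iss") if isinstance(claims, dict) else None
    for config in REALM_CONFIGS.values():
        if iss == issuer_of(config):
            return config
    return None


def authenticate(authorization: str):
    """Verify a Bearer token against the realm chosen by resolve_config; claims or None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    config = resolve_config(token)
    if config is None:
        return None
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(config["key"], f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    return {**claims, "realm": config["realm"]}
```

In the Java adapter the equivalent of resolve_config is a KeycloakConfigResolver that reads the Authorization header instead of the request path and returns the KeycloakDeployment for the matching issuer; the adapter then does the signature check with that deployment's key, so the issuer lookup must stay an exact match against the configured realms exactly as above.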
Groups design
by Bill Burke
I would like to nail down what we want Groups to look like in Keycloak.
And also propose a separate RoleGroups structure.
GROUPS:
* Groups have an id, name, and description
* Groups have an arbitrary set of name/value pair attributes
* Realm/Client roles can be associated with a Group. This is like a
UserRoleMapping, except it is a GroupRoleMapping.
* Groups can be members of one or more groups
* Users can be members of one or more groups
* Users inherit attributes of the groups they belong to.
* UserModel now has a getGroups(), hasGroup(), grantGroup(), deleteGroup()
* Similar to default roles, we also have default groups.
Features we probably want:
* Groups can have a set of protocol Mappers organized by protocol.
* Clients inherit protocol Mappers from the groups a user belongs to.
Questions:
* Do we want to expand the concept of a Group so that clients and
identity brokers can belong to a Group? Or just create a separate
composite structure for this?
ROLEGROUPS:
RoleGroups are just a namespace for Roles. I want to remove the concept
of realm level and client level roles and just have the concept of a
RoleGroup. The reasoning for this is that I've seen people ask for it.
They want to share a set of roles between clients and realm-level
roles might end up having name clashes, if you are following me.
* RoleGroups have an id, name and description.
* RoleGroups define a set of roles.
* Users are *NOT* members of RoleGroups
* For migration, a "realm" RoleGroup is created. a RoleGroup for each
client that has defined roles is created. The name will be the clientId
of the client.
* I want to deprecate the "use-resource-role-mappings" switch in the
adapter.
* I want to deprecate the JWT extension we made for roles and have
something completely flat (like SAML) with a URI that identifies each
role (like in UMA spec).
* We will remove these deprecated features in the final cut of community
that we fork to move into product.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 5 months
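A small model of the GROUPS bullets above, added here as an example rather than Keycloak code: groups carry attributes and role mappings, can be members of other groups, users inherit both through the membership graph, and a realm applies default groups when a user is created. Role names in the "rolegroup:role" form follow the ROLEGROUPS idea of roles namespaced by a RoleGroup instead of realm versus client roles. The conflict rule for attributes (a user's own value wins, group values merge per name) and the cycle handling in transitive_groups are my assumptions, since the proposal does not settle them.

```python
from collections import deque


class Group:
    """Group per the proposal: name (id and description omitted), attributes, role mappings,
    and the groups this group is itself a member of."""

    def __init__(self, name, roles=(), attributes=None, member_of=()):
        self.name = name
        self.roles = set(roles)                    # GroupRoleMapping, names as "rolegroup:role"
        self.attributes = dict(attributes or {})   # attribute name -> list of values
        self.member_of = list(member_of)           # groups can be members of one or more groups


class User:
    def __init__(self, username, roles=(), attributes=None):
        self.username = username
        self.roles = set(roles)                    # UserRoleMapping
        self.attributes = dict(attributes or {})
        self.groups = []                           # UserModel.getGroups()

    def grant_group(self, group):
        if group not in self.groups:
            self.groups.append(group)

    def delete_group(self, group):
        if group in self.groups:
            self.groups.remove(group)

    def has_group(self, group):
        return group in self.groups


class Realm:
    """Only the part of a realm the groups proposal touches: default groups on user creation."""

    def __init__(self, default_groups=()):
        self.default_groups = list(default_groups)

    def create_user(self, username, roles=(), attributes=None):
        user = User(username, roles, attributes)
        for group in self.default_groups:
            user.grant_group(group)
        return user


def transitive_groups(user):
    """Every group the user belongs to directly or through group-of-group membership, in
    breadth-first order. The seen list makes the walk finish even if an admin has created a
    membership cycle (assumed behaviour; the proposal does not say)."""
    seen, queue = [], deque(user.groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.append(group)
        queue.extend(group.member_of)
    return seen


def effective_roles(user):
    """Direct role mappings plus the mappings of every inherited group."""
    roles = set(user.roles)
    for group in transitive_groups(user):
        roles |= group.roles
    return roles


def effective_attributes(user):
    """Inherited attributes: values from all groups are merged per name without duplicates,
    and a value set on the user itself replaces the inherited ones (assumed precedence)."""
    merged = {}
    for group in transitive_groups(user):
        for name, values in group.attributes.items():
            bucket = merged.setdefault(name, [])
            bucket.extend(v for v in values if v not in bucket)
    for name, values in user.attributes.items():
        merged[name] = list(values)
    return merged
```

Whatever precedence rule is chosen, it should be the same one the protocol mappers see, since a mapper that emits a merged attribute into a token is where a surprising inheritance result turns into a wrong authorization decision in the client.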
Upgrade Angular?
by Stan Silvert
We are using AngularJS 1.2.13. The latest version is 1.4.4.
The reason I ask is because I am a little worried about performance as
we begin to use angular-translate. We are going to end up with a lot of
$$watchers, which will eventually make the UI sluggish.
There is a solution starting with Angular 1.3 that lets you specify a
one-time-binding using double colons like this {{ ::value }}.
Any reason why we can't upgrade?
Stan
9 years, 5 months