January 2016 - keycloak-dev - Jboss List Archives

by Tomas Cerny

Hi all, I am trying to use the scope param with keycloak, which is part of the open id http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims Here is an sample URL (from https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest ) Which is https://server.example.com/authorize? response_type=code &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &scope=openid%20profile &state=af0ifjsldkj note the state param there with keycloak this is my auth URL: http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl... When I pass scope param, then it is ignored. Does keycloak support scope param? Can I intercept it to make a custom handler? (e.g. lookup DB data) Sample Use Case: Keycloak has my custom UserFederation provides where I issue user lookup to my SQL DB, and determine access, next basing on the scope I like to post back to the app roles relevant to the scope param. I know keycloak has static roles, but I need it contextual, such as - user is master in scope = A, but reader in scope = B. Since the range of scopes is dynamic and large, the use of client-ids is not sufficient. I assume the scope can help me solving situation such as am I owned of an object? I did days of debugging keycloak code and cannot find much even thought there is OAuth2Constants.Scope but may be that is something different? and I seem some dead sample here: FishEye: changeset d309fab8251d95f50f94c77e4d08e6e8c2977994 <https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...> The alternative OpenAM supports scope param it - OpenAM Project - About OpenAM <http://openam.forgerock.org/> Thanks, Tom Here a forum public users. https://developer.jboss.org/message/934762#934762

6 years, 11 months

2
3
0 / 0

Publishing events to JMS topic

by Thomas Raehalme

Hi! We have a need to publish Keycloak events to external systems, for example when user updates her profile. I was thinking of publishing messages to a JMS topic by implementing an event listener. What do you think, would you be interested in such a pull request? I think the topic should be preconfigured in Keycloak/Wildfly, but the admin would enable the functionality by adding "jms" to event listeners in the admin console. Best regards, Thomas

7 years, 5 months

4
14
0 / 0

Office 365

by gambol

Was wondering if anyone has or knows if Keycloak supports adding office 365 as a identity provider?

7 years, 7 months

4
5
0 / 0

Fwd: Bad Request

by Alex Gouvêa Vasconcelos

Hi guys. I'm running into some trouble here... I have a very simple application which should authenticate against keycloak and return to the main page. This is triggered through the web.xml in my application. <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> <module-name>teste</module-name> <filter> <filter-name>CORSFilter</filter-name> <filter-class>br.com.test.tms.teste.util.CORSFilter</filter-class> </filter> <filter-mapping> <filter-name>CORSFilter</filter-name> <url-pattern>/rest/*</url-pattern> </filter-mapping> <distributable /> <security-constraint> <web-resource-collection> <web-resource-name>teste</web-resource-name> <url-pattern>/rest/exemploService/secure/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>KEYCLOAK</auth-method> <realm-name>realmtest</realm-name> </login-config> <security-role> <role-name>user</role-name> </security-role> <security-role> <role-name>admin</role-name> </security-role> </web-app> The server side has a REST API and the client side is an angular application. Everything very simple to just try the development environment. What happens is that, after filling the login page and return to the index.html (actually it's not returning), I receive a 400 BAD REQUEST for the uri: http://localhost:8080/teste/?code=X8VlnUNxYzofJDHzkx1ZmMgO2BP0ZDJ-e2l7uB0... It seems to me, that the malformed URI is because of the ?code=... If I reload the page with the same URL, it just return the same 400... if I remove the ? portion, it reloads the page and again redirects to and from the keycloak server, and recovers the ? portion, repeating the same 400. I'm running everything in the same application under wildfly 10. Both the server and client sides in the same deployed WAR. I'd appreciate any help. Best regards. Alex Gouvea Vasconcelos [image: Imagem inline 1]

7 years, 7 months

3
6
0 / 0

advice on back button

by Bill Burke

The current thinking for browser back button is to set: Cache-Control: no-store, must-revalidate, max-age=0 There are possible security issues with this that I don't know if we should do this or not. Don't know if you remember how ClientSessionCode works, it uses a hash of the client session id and the action key currently stored in the. When you switch from authentication to required actions, the action key changes. Now, if you hit the back button on a required action page, it would take you back to an authentication screen. The code check would fail because the action keys don't match. Do we actually need this action key stuff? Can we just let the flow manager put the browser in the correct state? So if an "authenticate" url is hit and the flow is on required actions, just redirect to the required actions URL. I just worry that this is some sort of security hole somehow. Maybe we're better off just reseting and restarting the flow entirely. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

7 years, 7 months

5
8
0 / 0

mod_auth_mellon

by Michal Hajas

Hi, I'm trying to run apache + mod_auth_mellon with keycloak as indentity provider. Steps: 1. Install apache and mod_auth_mellon module 2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory 3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory 4. Configure auth_mod_mellon with enclosed file auth_mellon.conf 5. Create client in keycloak from xml file generated in step 2 (There must be enabled Sign Documents, Sign Assertions signing and Force POST Binding) Login works, when I access /auth, mellon redirect me to keycloak and after successful login it redirect me back to protected resource. Problem: I'm not able to logout. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy session in keycloak and in apache's error log there is: Current identity provider does not support single logout. Destroying local session only. Only way I was able to log out is change <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/> to <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/> POST -> Redirect in idp_metadata.xml and set "Logout Service Redirect Binding URL" to http://localhost/mellon/logout in admin console. Is it correct or it should work with POST binding too? Thank you, Michal.

7 years, 7 months

3
9
0 / 0

client export import?

by Bill Burke

Can we export/import an individual client to and from the ClientRepresentation format? This will be crucial for debugging problems in support cases. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

7 years, 8 months

3
12
0 / 0

new browser back button behavior

by Bill Burke

PR is building... Browser back button will now either restart the flow (and create a new client session) or not allow you off your current page depending on the protocol and where you are in the flow. * If your protocol is initiated by a GET request and the back button brings you to the 1st rendered page (username/password) this starts a new flow * If your protocol is initiated by a POST request (SAML Post binding) things work a bit differently. This initial post request will redirect you to the "authenticate" URL. Then if your back button brings you to the username/password page, you will not see it and just stay on your current page. * If your back button click brings you to the 2nd page in the flow, you will just be stuck on your current page. Try it out. Hopefully all these refresh and back button issues are done now. Some changes to make this happen: * The "code" in the URL o the flow used to be generated by hashing the current action key, the current action (AUTHENTICATE, REQUIRE_ACTION), and the realm secret key. The action key changed whenever you changed the current action...NOW the action key does NOT change for the whole flow. The action key is automatically generated once when you create the ClientSession and never changed again. * Consent page no longer changes the current action to OAUTH_GRANT. Consent page is now considered a REQUIRED_ACTION action and treated as such. This was to support back button here too. * Cache-Control: no-store, must-revalidate, max-age=0 is now set in the response for every endpoint on LoginActionsService and any protocol entry point. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

7 years, 8 months

2
1
0 / 0

Keycloak SAML response 'Destination' Element is always validated.

by Arulkumar Ponnusamy

As per OASIS/SAML spec recommendation, If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received. However, in keycloak, always validate the 'Destination' on saml response. irrespective of response is signed or not. is not a defect? Thanks, Arul kumar P.

7 years, 8 months

2
5
0 / 0

Keycloak vs. midPoint vs. Apache Syncope

by Thomas Darimont

Hello group, whilst browsing the security talks of this weeks FOSDEM 2016 [0], I stumbled upon two open source Identity Management solutions in that presentation [0.1] which I was totally unaware of: midpoint [1] [1.1] by evolveum and the Syncope [2] Apache project. Since I think that those could serve (at least) as an inspiration for Keycloak I wanted to share this with you. Midpoint seems to be a pretty mature product with good documentation and a wide feature palette as one can see here: [1.2]. Some of of those features might also be worth to be added to keycloak, e.g.: - Detailed information about user attribute / configuration changes via Deltas [1.3], [1.5] - Parametric Roles as part of their Hybrid RBAC support [1.4] - Support for Segregation of Duties by Role Exclusions [1.6] SSO support in midPoint is provided by a Spring Security integration as well as support for CAS, but I could not find an implementation for OAuth 2.0, Open ID Connect nor SAML - only a Google Summer of Code 2015 OAuth / Open Id Connect integration proposal. Midpoint seems to be a fully fledged IAM solution already but, IMHO with a much broader scope (enterprise IdM, IAM) than Keycloak (IdM for cloud products). Syncope [2.1] on the other hand seems to an effort to reimplement an IdM (provisioning) solution from scratch. Has anybody here heared of or investigated those projects? [0] https://fosdem.org/2016/schedule/track/security/ [0.1] https://fosdem.org/2016/schedule/event/midpointidm/ [1] https://evolveum.com/midpoint/ [1.1] https://github.com/Evolveum/midpoint [1.2] https://wiki.evolveum.com/display/midPoint/Features [1.3] https://wiki.evolveum.com/display/midPoint/Deltas [1.4] https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC [1.5] https://wiki.evolveum.com/display/midPoint/Relativity [1.6] https://wiki.evolveum.com/display/midPoint/Segregation+of+Duties [2] https://syncope.apache.org/ [2.1] https://github.com/apache/syncope Cheers, Thomas

7 years, 8 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev January 2016