Scope Param with Keycloak
by Tomas Cerny
Hi all,
I am trying to use the scope param with keycloak, which is part of OpenID:
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is a sample URL (from
https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest)
Which is
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
note the state param there
with keycloak this is my auth URL:
http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl...
When I pass scope param, then it is ignored.
Does keycloak support scope param? Can I intercept it to make a custom
handler? (e.g. lookup DB data)
Sample Use Case: Keycloak has my custom UserFederation provider where I
issue a user lookup to my SQL DB and determine access; next, based on the
scope, I'd like to post back to the app the roles relevant to the scope param.
I know keycloak has static roles, but I need them contextual, such as: user
is master in scope = A, but reader in scope = B. Since the range of scopes
is dynamic and large, the use of client-ids is not sufficient.
I assume the scope can help me solve situations such as "am I the owner of an
object?"
I did days of debugging keycloak code and cannot find much, even though
there is OAuth2Constants.Scope, but maybe that is something different?
And I see some dead sample here: FishEye: changeset
d309fab8251d95f50f94c77e4d08e6e8c2977994
<https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...>
The alternative OpenAM supports the scope param - OpenAM Project - About
OpenAM <http://openam.forgerock.org/>
Thanks, Tom
Here is a public users forum post:
https://developer.jboss.org/message/934762#934762
8 years, 3 months
Publishing events to JMS topic
by Thomas Raehalme
Hi!
We have a need to publish Keycloak events to external systems, for example
when a user updates her profile. I was thinking of publishing messages to a
JMS topic by implementing an event listener.
What do you think, would you be interested in such a pull request? I think
the topic should be preconfigured in Keycloak/Wildfly, but the admin would
enable the functionality by adding "jms" to event listeners in the admin
console.
Best regards,
Thomas
8 years, 9 months
Office 365
by gambol
Was wondering if anyone has or knows if Keycloak supports adding Office 365
as an identity provider?
8 years, 11 months
Fwd: Bad Request
by Alex Gouvêa Vasconcelos
Hi guys. I'm running into some trouble here...
I have a very simple application which should authenticate against keycloak
and return to the main page. This is triggered through the web.xml in my
application.
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <module-name>teste</module-name>
    <filter>
        <filter-name>CORSFilter</filter-name>
        <filter-class>br.com.test.tms.teste.util.CORSFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CORSFilter</filter-name>
        <url-pattern>/rest/*</url-pattern>
    </filter-mapping>
    <distributable />
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>teste</web-resource-name>
            <url-pattern>/rest/exemploService/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>realmtest</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
</web-app>
The server side has a REST API and the client side is an angular
application. Everything is very simple, just to try the development
environment. What happens is that, after filling in the login page and
returning to index.html (actually it's not returning), I receive a 400 BAD
REQUEST for the URI:
http://localhost:8080/teste/?code=X8VlnUNxYzofJDHzkx1ZmMgO2BP0ZDJ-e2l7uB0...
It seems to me that the malformed URI is because of the ?code=... If I
reload the page with the same URL, it just returns the same 400... if I
remove the ? portion, it reloads the page and again redirects to and from
the keycloak server, and recovers the ? portion, repeating the same 400.
I'm running everything in the same application under wildfly 10. Both the
server and client sides in the same deployed WAR.
I'd appreciate any help.
Best regards.
Alex Gouvea Vasconcelos
8 years, 11 months
advice on back button
by Bill Burke
The current thinking for browser back button is to set:
Cache-Control: no-store, must-revalidate, max-age=0
There are possible security issues with this that I don't know if we
should do this or not. Don't know if you remember how ClientSessionCode
works: it uses a hash of the client session id and the action key
currently stored in the. When you switch from authentication to
required actions, the action key changes. Now, if you hit the back
button on a required action page, it would take you back to an
authentication screen. The code check would fail because the action
keys don't match.
Do we actually need this action key stuff? Can we just let the flow
manager put the browser in the correct state? So if an "authenticate"
url is hit and the flow is on required actions, just redirect to the
required actions URL. I just worry that this is some sort of security
hole somehow. Maybe we're better off just resetting and restarting the
flow entirely.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 11 months
mod_auth_mellon
by Michal Hajas
Hi,
I'm trying to run apache + mod_auth_mellon with keycloak as identity provider.
Steps:
1. Install apache and mod_auth_mellon module
2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory
3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory
4. Configure auth_mod_mellon with enclosed file auth_mellon.conf
5. Create client in keycloak from xml file generated in step 2 (Sign Documents, Sign Assertions and Force POST Binding must be enabled)
Login works: when I access /auth, mellon redirects me to keycloak and after successful login it redirects me back to the protected resource.
Problem:
I'm not able to logout. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy the session in keycloak and in apache's error log there is:
Current identity provider does not support single logout. Destroying local session only.
The only way I was able to log out is to change
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
to
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
POST -> Redirect
in idp_metadata.xml and set "Logout Service Redirect Binding URL" to http://localhost/mellon/logout in admin console.
Is this correct, or should it work with POST binding too?
Thank you,
Michal.
8 years, 11 months
client export import?
by Bill Burke
Can we export/import an individual client to and from the
ClientRepresentation format? This will be crucial for debugging
problems in support cases.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 11 months
new browser back button behavior
by Bill Burke
PR is building...
Browser back button will now either restart the flow (and create a new
client session) or not allow you off your current page depending on the
protocol and where you are in the flow.
* If your protocol is initiated by a GET request and the back button
brings you to the 1st rendered page (username/password) this starts a
new flow
* If your protocol is initiated by a POST request (SAML Post binding)
things work a bit differently. This initial post request will redirect
you to the "authenticate" URL. Then if your back button brings you to
the username/password page, you will not see it and just stay on your
current page.
* If your back button click brings you to the 2nd page in the flow, you
will just be stuck on your current page.
Try it out. Hopefully all these refresh and back button issues are done
now.
Some changes to make this happen:
* The "code" in the URL of the flow used to be generated by hashing the
current action key, the current action (AUTHENTICATE, REQUIRE_ACTION),
and the realm secret key. The action key changed whenever you changed
the current action...NOW the action key does NOT change for the whole
flow. The action key is automatically generated once when you create
the ClientSession and never changed again.
* Consent page no longer changes the current action to OAUTH_GRANT.
Consent page is now considered a REQUIRED_ACTION action and treated as
such. This was to support back button here too.
* Cache-Control: no-store, must-revalidate, max-age=0 is now set in the
response for every endpoint on LoginActionsService and any protocol
entry point.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 11 months
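As an added illustration of the action-key problem raised in "advice on back button" and the fix announced in the post above (this is a simplified model written for this page, not Keycloak's ClientSessionCode; the secret, action keys and session id are constructed): the code in the flow URL is an HMAC over the client session id, the action key and the current action, and a rotating action key is what made the Back button fail the check.

```python
import hashlib
import hmac
from typing import Tuple

AUTHENTICATE = "AUTHENTICATE"
REQUIRED_ACTION = "REQUIRED_ACTION"

# Constructed realm secret; Keycloak derives the real one from the realm's keys.
REALM_SECRET = b"constructed-realm-secret"

# Header the post says is now set on every LoginActionsService endpoint.
NO_STORE_HEADERS = {"Cache-Control": "no-store, must-revalidate, max-age=0"}


def make_code(client_session_id: str, action_key: str, action: str) -> str:
    """Bind a code to the client session, the action key and the current action."""
    msg = f"{client_session_id}|{action_key}|{action}".encode()
    return hmac.new(REALM_SECRET, msg, hashlib.sha256).hexdigest()


def check_code(code: str, client_session_id: str, action_key: str, action: str) -> bool:
    """Constant-time comparison against a freshly computed code."""
    return hmac.compare_digest(code, make_code(client_session_id, action_key, action))


def old_scheme_back_button(session_id: str) -> bool:
    """Old scheme: the action key rotated when the flow moved from AUTHENTICATE
    to REQUIRED_ACTION, so the code embedded in the authentication page no
    longer verified once the user pressed Back. Returns the verification result."""
    key_during_auth = "action-key-1"        # constructed
    code_in_auth_page = make_code(session_id, key_during_auth, AUTHENTICATE)
    key_after_transition = "action-key-2"   # rotated on the transition
    return check_code(code_in_auth_page, session_id, key_after_transition, AUTHENTICATE)


def new_scheme_back_button(session_id: str) -> Tuple[bool, str]:
    """New scheme: one action key for the whole flow. The stale code still
    verifies, and the flow manager decides what to do with the stale page:
    here it keeps the user on the current (required-action) page."""
    flow_key = "action-key-for-whole-flow"  # constructed, never rotated
    code_in_auth_page = make_code(session_id, flow_key, AUTHENTICATE)
    current_action = REQUIRED_ACTION
    valid = check_code(code_in_auth_page, session_id, flow_key, AUTHENTICATE)
    if valid and current_action != AUTHENTICATE:
        return valid, "stay on current page"
    return valid, "render requested page"
```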
Keycloak SAML response 'Destination' Element is always validated.
by Arulkumar Ponnusamy
As per OASIS/SAML spec recommendation, if the message is signed, the
Destination XML attribute in the root SAML element of the protocol message
MUST contain the URL to which the sender has instructed the user agent to
deliver the message. The recipient MUST then verify that the value matches
the location at which the message has been received.
However, keycloak always validates the 'Destination' on the SAML response,
irrespective of whether the response is signed or not.
Is this not a defect?
Thanks,
Arul kumar P.
8 years, 11 months
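To make the two policies in this post concrete, here is an added example (not Keycloak's implementation; the sample responses, the ACS URL and the function name are constructed for illustration) that checks Destination only when the message is signed, as the quoted spec text requires, or always, as the post says Keycloak does.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_destination(response_xml: str, received_at: str, always: bool) -> str:
    """Return 'ok' or a reason the message should be rejected.

    always=False follows the quoted spec text: Destination must be present and
    match only when the message carries a signature. always=True is the
    stricter behaviour the post attributes to Keycloak. Signature
    *verification* is out of scope here and must happen before trusting the
    message; parse untrusted XML with defusedxml in production.
    """
    root = ET.fromstring(response_xml)
    signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if destination is None:
        if signed or always:
            return "rejected: Destination missing"
        return "ok"
    if destination != received_at:
        return "rejected: Destination mismatch"
    return "ok"


# Constructed sample responses (no real assertion or signature content).
ACS = "https://sp.example.org/mellon/postResponse"

SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
  Destination="https://sp.example.org/mellon/postResponse">
  <ds:Signature/>
</samlp:Response>"""

UNSIGNED_NO_DEST = """<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0"/>"""
```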