Scope Param with Keycloak
by Tomas Cerny
Hi all,
I am trying to use the scope param with Keycloak, which is part of OpenID
Connect:
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is a sample URL (from
https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest
)
Which is
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
note the state param there
with keycloak this is my auth URL:
http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl...
When I pass the scope param, it is ignored.
Does Keycloak support the scope param? Can I intercept it to make a custom
handler? (e.g. lookup DB data)
Sample use case: Keycloak has my custom UserFederation provider where I
issue a user lookup to my SQL DB and determine access; next, based on the
scope, I'd like to post back to the app the roles relevant to the scope param.
I know Keycloak has static roles, but I need it contextual, such as: user
is master in scope = A, but reader in scope = B. Since the range of scopes
is dynamic and large, the use of client-ids is not sufficient.
I assume the scope can help me solve situations such as "am I the owner of an
object?"
I did days of debugging Keycloak code and cannot find much, even though
there is OAuth2Constants.Scope, but maybe that is something different?
And I see some dead sample here: FishEye: changeset
d309fab8251d95f50f94c77e4d08e6e8c2977994
<https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...>
The alternative, OpenAM, supports the scope param - OpenAM Project - About
OpenAM <http://openam.forgerock.org/>
Thanks, Tom
Here a forum public users.
https://developer.jboss.org/message/934762#934762
8 years, 1 month
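As an added example (not part of Tom's post, and not Keycloak code), here is how a relying party builds the OpenID Connect authentication request quoted above, with the space-separated scope list and the state value, and how it checks that state on the redirect back, which is the reason the spec sample carries it. It reuses the spec's sample values (server.example.com, client id s6BhdRkqt3, the redirect URI and state af0ifjsldkj); the callback URL and authorization code used in the demo are constructed.

```python
"""Build and check an OpenID Connect authentication request (added example)."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Values taken from the OpenID Connect Basic spec sample request.
SPEC_AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"
SPEC_CLIENT_ID = "s6BhdRkqt3"
SPEC_REDIRECT_URI = "https://client.example.org/cb"
SPEC_STATE = "af0ifjsldkj"


def build_authorization_request(authorize_endpoint, client_id, redirect_uri,
                                scopes, state):
    """Return the authorization URL; `scopes` is a list such as ["openid", "profile"].

    OIDC requires the "openid" scope value; without it the request is a plain
    OAuth 2.0 authorization request and no ID token is issued.
    """
    if "openid" not in scopes:
        raise ValueError('OpenID Connect requests must include the "openid" scope')
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated; encoded as %20 below
        "state": state,
    }
    # quote (not quote_plus) so spaces become %20 and "/" becomes %2F,
    # matching the spec's sample encoding exactly.
    return authorize_endpoint + "?" + urlencode(params, quote_via=quote)


def new_state():
    """Opaque, unguessable value the client stores in the user's session."""
    return secrets.token_urlsafe(16)


def requested_scopes(authorization_url):
    """Parse the scope values back out of an authorization URL."""
    query = parse_qs(urlsplit(authorization_url).query)
    return query.get("scope", [""])[0].split()


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from the authorization server.

    Returns the authorization code only if the state matches what this client
    sent. A mismatch means the response is not bound to our own request (a
    forged or mixed-up callback) and must be rejected.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    return query["code"][0]


def spec_sample_url():
    """Rebuild the spec's sample request from its individual values."""
    return build_authorization_request(SPEC_AUTHORIZE_ENDPOINT, SPEC_CLIENT_ID,
                                       SPEC_REDIRECT_URI, ["openid", "profile"],
                                       SPEC_STATE)


if __name__ == "__main__":
    url = spec_sample_url()
    print(url)
    print("scopes requested:", requested_scopes(url))
    # Constructed callback for the demo; the code value is not from the spec.
    cb = "https://client.example.org/cb?code=constructed-code-123&state=" + SPEC_STATE
    print("code:", parse_callback(cb, SPEC_STATE))
```

The state value is generated per request and compared on the way back; a server that drops or rewrites the scope parameter will still show up in `requested_scopes` on the outgoing URL, which makes it easy to confirm what the client actually asked for when debugging a deployment like the one in the post.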
Publishing events to JMS topic
by Thomas Raehalme
Hi!
We have a need to publish Keycloak events to external systems, for example
when a user updates her profile. I was thinking of publishing messages to a
JMS topic by implementing an event listener.
What do you think, would you be interested in such a pull request? I think
the topic should be preconfigured in Keycloak/Wildfly, but the admin would
enable the functionality by adding "jms" to event listeners in the admin
console.
Best regards,
Thomas
8 years, 8 months
rebasing
by Bill Burke
How do you guys do this? I did a rebase -i and squashed everything but the
PR contained diffs of merged files and not just my changes.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 9 months
Office 365
by gambol
Was wondering if anyone has or knows if Keycloak supports adding Office 365
as an identity provider?
8 years, 9 months
CRUD Using KeyCloak
by Yasser El-ata
Hello, I want to create CRUD using KeyCloak. I have an AngularJS
application and it uses KeyCloak.
My case is: I have screens in my application that contain sub-screens, and
every sub-screen contains CRUD roles (CREATE, READ, UPDATE, DELETE);
it may contain multiple levels.
The screenshot may make the case clearer.
The normal client roles are not enough for me, or maybe I misunderstand
something.
Could you please help me with how to create these roles in KeyCloak, or whether
KeyCloak supports roles like this, or if there is any other way to create
them?
Thanks
--
Yasser El-Ata
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
www.blulogix.com <http://www.blueoss.com/>
8 years, 9 months
Keycloak Admin page Failed Executing GET /admin/serverinfo
by Peter Krivansky
Hello,
I have a Keycloak cluster with two servers; in front of each Keycloak an Apache is running.
        LB
       /  \
  Host A   Host B
Now, Host-A and Host-B are in different subnets; due to this design we are running JGroups via TCP.
Now everything is working fine except for the Keycloak Admin console: once a user tries to log in, they get for a millisecond into the Admin console, but then they get redirected to the login page immediately.
When I disable Host-A or Host-B on the load balancer (new sessions will land only on Host-A or Host-B), the login to the Keycloak Admin Console works normally.
During the immediate redirection there is only this one WARNING in the Server.log:
15:41:42,886 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-10) Failed executing GET /admin/serverinfo: org.jboss.resteasy.spi.UnauthorizedException: Bearer
at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:156)
at org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:209)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:81)
at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:60)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:102)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
I attached my domain.xml
Have I missed something, or what did I do wrong?
With kind regards, Peter
8 years, 9 months
"Full Scope Allowed" seems to emit roles that the user actually doesn't have.
by Thomas Darimont
Steps to reproduce:
create client A with client id "client-a" with a newly defined role "user"
create client B with client id "client-b" with a newly defined role "user"
create user A with username "user-a" with "user" role granted for "client-a"
create user B with username "user-b" with "user" role granted for "client-b"
Goto applications tab in account page:
http://localhost:8082/auth/realms/eurodata.local/account/applications
login as user-a
Actual: The listing shows both applications client-a AND client-b
although the user-a only has a user-role to client-a.
Expected: Only client-a (+ account) applications should be shown
logout
login as user-b
Actual: The listing shows both applications client-a and client-b
although the user-b only has a user-role to client-b.
Expected: Only client-b (+ account) applications should be shown
By default a client has the "Full Scope Allowed" switch set to "on".
Changing this switch to "off" and explicitly assigning the client role
"user" of "client-a" in the scope settings for client-a, and the "user" role of
client-b in the scope settings for client-b, solves the issue.
With this setting only the applications for which a user actually has the
"user" role are shown.
Even though the help text for "Full Scope Allowed" says "Allows you to
disable all restrictions",
one would expect that "Full Scope Allowed" set to "on" would honor the
assigned roles.
Is there something wrong here or should the help text be more descriptive?
I think the piece of code that does this is:
org.keycloak.protocol.oidc.TokenManager.getAccess(String, boolean, ClientModel, UserModel)
Cheers,
Thomas
8 years, 9 months
Issue with logout.
by Satyajit Das
Hi Team, we are facing the below issue with logout.
I use login/logout RESTful services:
after login
I get a token id, say "t1", and a refresh token id, say "rt1".
1) We have registered a webservice as a Keycloak client (example demo123)
with access type bearer.
2) When I call the logout REST service:
// isPublic(), formparams and getBaseUrl(request) are helpers from the poster's own code
if (isPublic()) { // if client is public access type
    formparams.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, "demo123"));
}
URI logoutUri = KeycloakUriBuilder.fromUri(getBaseUrl(request) + "/auth")
        .path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
        .build("RealmName");
the logout gives 204 for client's access type as open.
But when I again hit the service with the token id "t1" after logout,
I still get the response. *Note this response doesn't hit Keycloak*.
Regards,
Satya
8 years, 9 months
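The last line of Satya's post ("this response doesn't hit keycloak") is the key observation, so here is an added example (not the poster's code and not Keycloak's) that models why a bearer-only resource server keeps accepting an access token after the user's session is logged out. It uses a minimal HS256 JWT so the demo runs offline (Keycloak signs tokens with the realm's RSA key; the signing scheme, the key, the `sid` claim name and the session ids are all constructed for the demo). `verify_locally` is the stateless check a bearer-only service performs, signature plus expiry, so logout is invisible to it until the token expires; `verify_with_issuer` adds the session lookup at the issuer that token introspection or a back-channel session check would give you.

```python
"""Stateless bearer validation vs. a session-aware check (added example)."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (demo stand-in for the realm's RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_locally(token: str, key: bytes, now: float) -> dict:
    """Stateless check: signature and expiry only, no call to the issuer."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


class Issuer:
    """Toy stand-in for the authorization server and its session store."""

    def __init__(self, key: bytes):
        self.key = key
        self.active_sessions = set()

    def login(self, user: str, session_id: str, now: float, lifetime: int = 300) -> str:
        """Open a session and issue an access token bound to it via a `sid` claim (demo name)."""
        self.active_sessions.add(session_id)
        return sign_token({"sub": user, "sid": session_id, "exp": now + lifetime}, self.key)

    def logout(self, session_id: str) -> None:
        self.active_sessions.discard(session_id)

    def is_active(self, session_id: str) -> bool:
        return session_id in self.active_sessions


def verify_with_issuer(token: str, issuer: Issuer, now: float) -> dict:
    """Local checks first, then confirm with the issuer that the session still exists."""
    claims = verify_locally(token, issuer.key, now)
    if not issuer.is_active(claims["sid"]):
        raise PermissionError("session logged out")
    return claims


def demo():
    """Return (accepted_locally_after_logout, accepted_with_issuer_check_after_logout)."""
    now = time.time()
    issuer = Issuer(key=b"constructed-demo-key")
    t1 = issuer.login("satya", "session-1", now)
    assert verify_locally(t1, issuer.key, now)["sub"] == "satya"
    issuer.logout("session-1")  # the logout endpoint ends the session at the issuer
    local_ok = True
    try:
        verify_locally(t1, issuer.key, now + 1)
    except PermissionError:
        local_ok = False
    issuer_ok = True
    try:
        verify_with_issuer(t1, issuer, now + 1)
    except PermissionError:
        issuer_ok = False
    return local_ok, issuer_ok


if __name__ == "__main__":
    print("accepted after logout: local=%s, with issuer check=%s" % demo())
```

The practical consequence for the setup in the post is that a logout only stops the issuer from refreshing or re-issuing tokens; a service that validates the signature itself will honour "t1" until its `exp` passes. Keeping access-token lifetimes short, or having the service consult the issuer for requests that matter, is what closes that window.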