adapter subsystems no longer import dependencies
by Bill Burke
My latest PR will have:
Previously, if you had installed our saml or oidc keycloak subsystem
adapters into Wildfly or JBoss EAP, we would
automatically include Keycloak client jars into
EVERY application regardless of whether you were using Keycloak or not.
These libraries are now only added to your
deployment if you have keycloak authentication turned on for that adapter
(via the subsystem, or auth-method in web.xml).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 10 months
servlet-filter-adapter Principal NPE
by Harold Campbell
The servlet-filter-adapter causes an NPE when a user authed either
through Basic or Bearer attempts to retrieve the Principal from the
HttpServletRequest. This is because completeBearerAuthentication,
unlike completeOAuthAuthentication, does not add an OidcKeycloakAccount
to the session. If a user is authed via OAuth, everything works fine.
The attached patch against 1.8.x takes care of the problem. It appears
the same problem exists in master, though with files moved around the
patch will not apply directly. This patch makes completeBearer...
essentially identical to completeOAuth..., so for 1.9.x (or indeed
1.8.x if someone wants to redo this) these might oughta be combined
into a single method.
--
Harold Campbell <hcamp(a)muerte.net>
The more data I punch in this card, the lighter it becomes, and the
lower the mailing cost.
-- S. Kelly-Bootle, "The Devil's DP Dictionary"
8 years, 10 months
1.9.0.Beta release
by Stian Thorgersen
We're planning to release 1.9.0.Beta on Thursday morning (my time). I've
moved some issues to 1.9.0.CR1, but there's still some issues left. I also
need help with testing the release tomorrow.
8 years, 10 months
in-memory users
by Bill Burke
This used to be on the priority list, but we dropped it. Just thought
of a better way to support this. Just write an Infinispan model
provider and turn off user caching. Sessions would store a URI to the
user and use that to locate the user if it is not in storage. Might be
relatively simple to implement.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 10 months
Developing Shibboleth Discovery Service in front of SAML Provider
by Jérôme Blanchard
Hi,
I plan to develop the Shibboleth Discovery functionality over the current
SAML Provider.
The goal is to provide a simple way to integrate an identity federation
(like Shibboleth) with a single provider.
So I plan to add a new Identity Provider that will fork the SAML one but
add the capability of parsing a federation metadata file periodically in
order to maintain the list of the federation's available IdPs, and a theme to
produce a simple choice list for the federation IdPs...
To perform this I need to parse an online xml file periodically (1 hour).
What is the best way to include this scheduled job in keycloak? Is there
any service where to put this code?
I also plan to maintain the parsed IdP list in memory, but it would be good
to store it somewhere?
Finally, I need a small Resource in order to retrieve the accurate list of
IdPs from the login form, but this should be easy to add in the provider
package.
Using this will allow me to avoid having 250 IdPs in keycloak and 250
endpoints to provide in the ServiceProvider entity descriptor.
Best regards, Jérôme.
8 years, 10 months
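The two building blocks Jérôme asks about, the periodic parse of a federation metadata file into an in-memory IdP list and a small store to serve it from, as an added example that is not part of the post and not Keycloak code. It uses only the standard library; the federation metadata, the entity IDs, the one-hour TTL and the `FederationIdpCache` / `parse_federation_idps` names are constructed for the example. It filters entities to those carrying an `IDPSSODescriptor` (so the federation's SPs never end up in the chooser), honours `validUntil`, and keeps serving the last good list when a refresh fails.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_federation_idps(metadata_xml: str, now: datetime) -> List[Dict[str, object]]:
    """Return the IdPs (entities with an IDPSSODescriptor) of an EntitiesDescriptor.
    SP-only entities are skipped; metadata whose validUntil has passed is rejected.
    Signature verification of the aggregate is a separate step not shown here."""
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        raise ValueError("federation metadata expired")
    idps = []
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue                      # SP or AA only: not a login choice
        sso = {s.get("Binding"): s.get("Location")
               for s in idp.findall("md:SingleSignOnService", NS)}
        name = ed.find("md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
        idps.append({
            "entityID": ed.get("entityID"),
            "displayName": name.text if name is not None else ed.get("entityID"),
            "sso": sso,                   # binding -> endpoint, for building the AuthnRequest
        })
    return idps


class FederationIdpCache:
    """In-memory IdP list, re-fetched once per ``ttl`` (hypothetical helper)."""

    def __init__(self, fetch: Callable[[], str], ttl: timedelta = timedelta(hours=1)):
        self._fetch = fetch               # e.g. an HTTP GET of the federation aggregate
        self._ttl = ttl
        self._idps: List[Dict[str, object]] = []
        self._loaded_at = None

    def idps(self, now: datetime) -> List[Dict[str, object]]:
        if self._loaded_at is None or now - self._loaded_at >= self._ttl:
            try:
                self._idps = parse_federation_idps(self._fetch(), now)
                self._loaded_at = now
            except Exception:
                if self._loaded_at is None:
                    raise                 # nothing cached yet: surface the failure
                # otherwise keep serving the last good list and retry next call
        return self._idps


# Constructed sample aggregate: two IdPs and one SP, valid until 2016-02-01.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdui="{NS['mdui']}"
    Name="urn:example:federation" validUntil="2016-02-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp1.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName></mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp1.example.edu/idp/SSO/Redirect"/>
      <md:SingleSignOnService Binding="{POST}" Location="https://idp1.example.edu/idp/SSO/POST"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp2.example.org/idp/SSO/Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
SAMPLE_NOW = datetime(2016, 1, 15, tzinfo=timezone.utc)
EXPIRED_NOW = SAMPLE_NOW + timedelta(days=60)


def demo_refresh() -> List[int]:
    """Ask for the list at t, t+30min and t+61min; only the last call re-fetches."""
    fetches: List[int] = []
    cache = FederationIdpCache(lambda: fetches.append(1) or SAMPLE_METADATA)
    counts = []
    for minutes in (0, 30, 61):
        cache.idps(SAMPLE_NOW + timedelta(minutes=minutes))
        counts.append(len(fetches))
    return counts


if __name__ == "__main__":
    for idp in parse_federation_idps(SAMPLE_METADATA, SAMPLE_NOW):
        print(idp["displayName"], "->", idp["sso"].get(REDIRECT))
    print("fetch counts:", demo_refresh())
```

The discovery page then only needs `entityID` and `displayName` per entry; the SP's own entity descriptor keeps a single AssertionConsumerService, and the chosen IdP's `SingleSignOnService` location is looked up at request time rather than registered as 250 separate endpoints.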
client export import?
by Bill Burke
Can we export/import an individual client to and from the
ClientRepresentation format? This will be crucial for debugging
problems in support cases.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 10 months
new browser back button behavior
by Bill Burke
PR is building...
Browser back button will now either restart the flow (and create a new
client session) or not allow you off your current page depending on the
protocol and where you are in the flow.
* If your protocol is initiated by a GET request and the back button
brings you to the 1st rendered page (username/password) this starts a
new flow
* If your protocol is initiated by a POST request (SAML Post binding)
things work a bit differently. This initial post request will redirect
you to the "authenticate" URL. Then if your back button brings you to
the username/password page, you will not see it and just stay on your
current page.
* If your back button click brings you to the 2nd page in the flow, you
will just be stuck on your current page.
Try it out. Hopefully all these refresh and back button issues are done
now.
Some changes to make this happen:
* The "code" in the URL of the flow used to be generated by hashing the
current action key, the current action (AUTHENTICATE, REQUIRE_ACTION),
and the realm secret key. The action key changed whenever you changed
the current action...NOW the action key does NOT change for the whole
flow. The action key is automatically generated once when you create
the ClientSession and never changed again.
* Consent page no longer changes the current action to OAUTH_GRANT.
Consent page is now considered a REQUIRED_ACTION action and treated as
such. This was to support back button here too.
* Cache-Control: no-store, must-revalidate, max-age=0 is now set in the
response for every endpoint on LoginActionsService and any protocol
entry point.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 10 months
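A small model of the flow-code change described above, as an added example that is not part of the post and not Keycloak code. The post says the code is derived by "hashing" the action key, the current action and the realm secret key; this example uses HMAC-SHA256 for that, which is an assumption, and the `ClientSession`, `handle_request` and `simulate_back_button` names and the action strings are constructed for the example. Setting `rotate_action_key=True` reproduces the old behaviour (a stale login-page URL can no longer be validated at all); with a fixed action key the code still verifies and the server can apply the GET/POST rule the post lists.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Flow actions named in the post; the string values are this example's assumption.
AUTHENTICATE = "AUTHENTICATE"
REQUIRED_ACTION = "REQUIRED_ACTION"

# Header the post says is now set on every LoginActionsService / protocol entry point.
NO_STORE_HEADERS = {"Cache-Control": "no-store, must-revalidate, max-age=0"}


@dataclass
class ClientSession:
    """Hypothetical model of the per-login client session the post describes."""
    realm_key: bytes                 # the realm's secret key
    initiated_by_post: bool          # True for SAML POST binding, False for a GET-initiated protocol
    rotate_action_key: bool = False  # True models the old scheme (key changed with every action)
    action_key: str = field(default_factory=lambda: secrets.token_hex(16))
    current_action: str = AUTHENTICATE

    def code(self, action: str = "") -> str:
        """Code embedded in the flow URL: HMAC-SHA256(realm key, action key || action).
        The post only says "hashing"; HMAC-SHA256 is this example's choice."""
        action = action or self.current_action
        msg = f"{self.action_key}:{action}".encode()
        return hmac.new(self.realm_key, msg, hashlib.sha256).hexdigest()

    def advance(self, next_action: str) -> None:
        """Move the flow to its next page; the old scheme also regenerated the action key."""
        self.current_action = next_action
        if self.rotate_action_key:
            self.action_key = secrets.token_hex(16)


def handle_request(session: ClientSession, url_code: str, url_action: str) -> str:
    """Server-side decision for a request carrying a flow code for ``url_action``."""
    expected = session.code(url_action)
    if not hmac.compare_digest(expected, url_code):
        return "error: invalid code"          # what the old scheme produced on Back
    if url_action == session.current_action:
        return "render current page"
    # Valid code, but the flow has already moved past that page: a back-button hit.
    if url_action == AUTHENTICATE and not session.initiated_by_post:
        return "restart flow"                 # GET protocol, back to the first page: new flow
    return "stay on current page"             # POST binding, or back to a later page


def simulate_back_button(rotate_action_key: bool, initiated_by_post: bool) -> str:
    """User sees the username/password page, logs in, lands on a required action
    (the consent page now counts as one), then presses Back to the cached first page."""
    s = ClientSession(b"realm-secret", initiated_by_post, rotate_action_key)
    login_page_code = s.code()               # URL the browser keeps in history
    s.advance(REQUIRED_ACTION)
    return handle_request(s, login_page_code, AUTHENTICATE)


if __name__ == "__main__":
    print("old scheme, GET  :", simulate_back_button(True, False))
    print("new scheme, GET  :", simulate_back_button(False, False))
    print("new scheme, POST :", simulate_back_button(False, True))
```

The `no-store` header matters for the same reason: with `max-age=0, must-revalidate` the browser re-requests the page on Back instead of replaying it from cache, so the request actually reaches `handle_request` and the server, not the browser, decides what the user sees.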
Keycloak SAML response 'Destination' Element is always validated.
by Arulkumar Ponnusamy
As per OASIS/SAML spec recommendation, If the message is signed, the
Destination XML attribute in the root SAML element of the protocol message
MUST contain the URL to which the sender has instructed the user agent to
deliver the message. The recipient MUST then verify that the value matches
the location at which the message has been received.
However, Keycloak always validates the 'Destination' on the SAML response,
irrespective of whether the response is signed or not.
Is this not a defect?
Thanks,
Arul kumar P.
8 years, 10 months
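The two policies under discussion side by side, as an added example that is not part of the post and not Keycloak code: `always_validate=False` applies the quoted spec rule (Destination is required and compared only when the protocol message is signed), `always_validate=True` is the stricter behaviour the post reports. Only the Destination logic is shown; verifying the signature itself, and deciding whether an unsigned message is acceptable at all, are separate checks. The sample responses and the `check_destination` / `build_response` names are constructed for the example, and the `ds:Signature` in them is a structural placeholder, not a real signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://sp.example.org/saml/acs"   # constructed: where the SP actually received the message


def is_message_signed(root: ET.Element) -> bool:
    """True if the protocol message itself carries an enveloped ds:Signature.
    A signature on an embedded saml:Assertion is not a message signature and
    is deliberately not counted here."""
    return root.find("ds:Signature", NS) is not None


def check_destination(response_xml: str, received_at: str, always_validate: bool = False) -> str:
    """Apply the Destination rule to a samlp:Response.
    always_validate=False: required and compared only for signed messages (spec text).
    always_validate=True: checked regardless of signing (behaviour the post reports)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return "rejected: not a samlp:Response"
    destination = root.get("Destination")
    if not is_message_signed(root) and not always_validate:
        return "accepted: unsigned message, Destination not checked"
    if destination is None:
        return "rejected: Destination attribute missing"
    if destination != received_at:
        return "rejected: Destination does not match the receiving endpoint"
    return "accepted: Destination matches"


def build_response(destination, signed: bool) -> str:
    """Constructed sample message; the Signature element is a placeholder only."""
    dest_attr = f' Destination="{destination}"' if destination else ''
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
           '</ds:Signature>') if signed else ''
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="2016-01-01T00:00:00Z"{dest_attr}>{sig}'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '</samlp:Response>')


if __name__ == "__main__":
    cases = [
        ("signed, Destination matches", build_response(ACS_URL, True)),
        ("signed, Destination missing", build_response(None, True)),
        ("signed, Destination for another SP", build_response("https://other.example/acs", True)),
        ("unsigned, Destination missing", build_response(None, False)),
    ]
    for label, xml in cases:
        print(f"{label:38} spec-rule: {check_destination(xml, ACS_URL)}")
        print(f"{'':38} always:    {check_destination(xml, ACS_URL, always_validate=True)}")
```

The quoted spec text makes the check mandatory for signed messages; it does not say a receiver may not check unsigned ones. The practical difference is only visible for an unsigned Response that omits `Destination`, and whether such a message should be accepted at all depends on what else protects it (a signed Assertion inside it, for instance), which is outside this check.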