Scope Param with Keycloak
by Tomas Cerny
Hi all,
I am trying to use the scope param with Keycloak, which is part of OpenID:
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is a sample URL (from
https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest
)
Which is
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
Note the state param there.
With Keycloak, this is my auth URL:
http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl...
When I pass the scope param, it is ignored.
Does keycloak support scope param? Can I intercept it to make a custom
handler? (e.g. lookup DB data)
Sample Use Case: Keycloak has my custom UserFederation provider where I
issue a user lookup to my SQL DB and determine access; next, based on the
scope, I would like to post back to the app the roles relevant to the scope param.
I know Keycloak has static roles, but I need it contextual, such as: user
is master in scope = A, but reader in scope = B. Since the range of scopes
is dynamic and large, the use of client-ids is not sufficient.
I assume the scope can help me solve situations such as "am I the owner of an
object?"
I did days of debugging Keycloak code and cannot find much, even though
there is OAuth2Constants.Scope, but maybe that is something different?
And I see some dead sample here: FishEye: changeset
d309fab8251d95f50f94c77e4d08e6e8c2977994
<https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...>
The alternative OpenAM supports the scope param - OpenAM Project - About
OpenAM <http://openam.forgerock.org/>
Thanks, Tom
Here is a forum for public users:
https://developer.jboss.org/message/934762#934762
8 years, 3 months
Publishing events to JMS topic
by Thomas Raehalme
Hi!
We have a need to publish Keycloak events to external systems, for example
when a user updates her profile. I was thinking of publishing messages to a
JMS topic by implementing an event listener.
What do you think, would you be interested in such a pull request? I think
the topic should be preconfigured in Keycloak/Wildfly, but the admin would
enable the functionality by adding "jms" to event listeners in the admin
console.
Best regards,
Thomas
8 years, 9 months
Conceptual Questions
by John Dennis
I would appreciate having the following Keycloak concepts
explained. Many thanks in advance!
* What are the predefined clients?
- When, why and where are you supposed to use these predefined
clients?
* What is the difference between realm roles and client roles?
- Why are realm roles and client roles distinct?
- How do they get assigned and for what purpose?
- Why aren't roles always visible in the Web UI? For instance
the available roles drop down box is often unpopulated even
though they seem to be predefined in the source code. Why
aren't they available for assignment in the Web UI?
* How does role mapping work?
- What is being mapped from and being mapped to?
- What is the intended usage for these mappings?
* What does it mean to create a role in the Web UI? What is it
bound to?
- How do roles created in the Web UI relate to the predefined
roles?
- Why does the Web UI allow me to create a new role with the
same name as a predefined role? Are they the same role or is
there a collision?
* What are effective roles?
- How are effective roles computed?
- In the Web UI I see lists for "Available Roles", "Assigned
Roles" and "Effective Roles". Sometimes I see a role in the
"Effective Roles" list which is not in the "Assigned Roles"
list. How and why does this happen?
* What are composite roles?
- How and where are they defined?
- How are composite roles meant to be used?
- When looking at a list of roles in the Web UI how does one
identify a single role from a composite role?
* What is the relationship between a Keycloak role and an OAuth2
scope?
* Are roles related to users in any fashion, or is a role bound
exclusively to a client (appearing only in the client's token)?
- How do you authenticate as a user and acquire specific roles?
- Is it because a user grants a role via an OAuth scope which
is then conveyed in the client token?
- If so how is it determined what roles a user is permitted to
grant?
- For example how is an admin user created? How are the fine
grained admin roles bound to a user and how are these roles
then conveyed in the token after an admin user authenticates?
(see next question)
* The ClientRegistrationAuth.requireCreate() method requires the
bearer token from the realm administrator to have the
AdminRoles.MANAGE_CLIENTS or AdminRoles.CREATE_CLIENT roles in
the token, specifically in the resource_access part of the
token, but no matter what I do to add roles in the Web UI to a
realm admin the token roles remain unpopulated. How do these
roles get assigned and propagated in the token?
* How does a client differ from an application?
- They seem to be closely related. How, why and when do you use
one vs. the other?
- The name "application" suggests they are external
applications which might be secured by Keycloak, but that
doesn't seem to be the case; rather, applications seem to be
internal Keycloak entities. Are applications called
applications because they are implemented as servlets in
Keycloak?
- If so, is the reason applications are servlets so that their
endpoints can have their own authn and authz?
* What are adapters?
* What is a service account?
- How is a service account supposed to be used and for what
purpose?
- How is a service account created?
- How is a service account authenticated?
* How does OAuth2 client authentication work in Keycloak?
- Are public clients authenticated? The OAuth2 spec talks a lot
about the server authenticating the client but if the client
is a public client it's not clear to me how this is done. How
are public clients authenticated?
--
John
8 years, 9 months
Added DB indexes
by Marek Posolda
I've done loads of testing for creating/loading/deleting a big number of users
in the database, and I've sent a PR to add some additional indexes to the
database to improve the performance of operations with a big number of users
in the DB - https://github.com/keycloak/keycloak/pull/2456
Note that adding DB indexes is tricky, as the performance gain (or loss)
might be highly dependent on the underlying database. Some examples:
1) PostgreSQL adds indexes by default just for primary keys and
unique constraints, but it doesn't add indexes for foreign keys. So when
you have 50K users in the DB and 150K role mappings (each user a member of 3
roles), this query takes more than 20 ms:
select * from USER_ROLE_MAPPING where USER_ID='123';
2) MySQL adds btree indexes by default even for foreign keys,
so the same query as above took less than 1 ms by default.
So to improve the time on Postgres, an index on the USER_ID column in
USER_ROLE_MAPPING is needed; however, for MySQL adding the index doesn't
have any effect, as it's already there. In the end, I've explicitly added
the indexes to the changelog file by default, and I can see very good
performance for both MySQL and PostgreSQL, and operations are not
dependent on the number of users in the DB.
However, in theory, adding the indexes may have a bad effect for some
databases and slow down the time to create a new user etc. I personally
don't want to test performance with all supported DBs :) So another
approach might be to not explicitly add the indexes and let the DBA do
that. I've added the possibility to enable logging of some overall
statistics from Hibernate, so people can check it by themselves. Let me
know if you would rather go this way and not add indexes by default.
Marek
8 years, 9 months
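The PostgreSQL situation Marek describes (a foreign-key column with no index of its own, so the role-mapping lookup scans the whole table) can be reproduced offline. This is an added example using SQLite, which, like PostgreSQL, does not index foreign keys automatically; the schema is a constructed, simplified stand-in for Keycloak's USER_ROLE_MAPPING table (assumed composite primary key on ROLE_ID, USER_ID), and the index name IDX_USER_ROLE_MAPPING is assumed, not the one from the PR's changelog:

```python
import sqlite3
import time

# Constructed, simplified stand-in for Keycloak's USER_ROLE_MAPPING table.
# Assumption: composite primary key (ROLE_ID, USER_ID); USER_ID is a foreign
# key with no index of its own, i.e. the PostgreSQL situation from the post.
SCHEMA = """
CREATE TABLE USER_ENTITY (ID TEXT PRIMARY KEY, USERNAME TEXT NOT NULL);
CREATE TABLE USER_ROLE_MAPPING (
    ROLE_ID TEXT NOT NULL,
    USER_ID TEXT NOT NULL REFERENCES USER_ENTITY(ID),
    PRIMARY KEY (ROLE_ID, USER_ID)
);
"""
LOOKUP = "SELECT * FROM USER_ROLE_MAPPING WHERE USER_ID = ?"
INDEX_NAME = "IDX_USER_ROLE_MAPPING"  # assumed name for the added index

def build_db(users: int = 5000, roles_per_user: int = 3) -> sqlite3.Connection:
    """In-memory DB with `users` users, each a member of `roles_per_user` roles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USER_ENTITY VALUES (?, ?)",
                     ((str(i), f"user{i}") for i in range(users)))
    conn.executemany("INSERT INTO USER_ROLE_MAPPING VALUES (?, ?)",
                     ((f"role{r}", str(i))
                      for i in range(users) for r in range(roles_per_user)))
    conn.commit()
    return conn

def query_plan(conn: sqlite3.Connection) -> str:
    """SQLite's EXPLAIN QUERY PLAN for the role-mapping lookup, as one string."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + LOOKUP, ("123",)).fetchall()
    return " | ".join(row[3] for row in rows)  # column 3 is the plan detail

def uses_user_id_index(conn: sqlite3.Connection) -> bool:
    """True when the planner resolves the lookup through the USER_ID index."""
    return INDEX_NAME in query_plan(conn)

def add_user_id_index(conn: sqlite3.Connection) -> None:
    """What the PR does for PostgreSQL: index the foreign-key column."""
    conn.execute(f"CREATE INDEX {INDEX_NAME} ON USER_ROLE_MAPPING (USER_ID)")
    conn.commit()

def time_lookups(conn: sqlite3.Connection, n: int = 200) -> float:
    """Seconds for n lookups of different users; compare before/after indexing."""
    start = time.perf_counter()
    for i in range(n):
        conn.execute(LOOKUP, (str(i),)).fetchall()
    return time.perf_counter() - start

if __name__ == "__main__":
    db = build_db()
    print("before:", query_plan(db), f"{time_lookups(db):.3f}s")  # table scan
    add_user_id_index(db)
    print("after: ", query_plan(db), f"{time_lookups(db):.3f}s")  # index search
```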
Expected behaviour for rememberMe?
by Marek Posolda
Follow-up on the issue by Libor [1]. I can confirm seeing the same
behaviour in OOTB Keycloak, as Libor described in the JIRA. In
other words, when you refresh the account page (
http://localhost:8080/auth/realms/myrealm/account ) but the UserSession
referenced from the KEYCLOAK_IDENTITY cookie is expired, then all cookies
including KEYCLOAK_REMEMBERME are expired too.
IMO the RememberMe cookie shouldn't be expired when the session is expired.
We're using the rememberMe cookie as a hint for the username on the login
page. So even if the user returns to the page after a month, I don't see
anything bad in the rememberMe cookie still being valid: the user will see
a "hint" with his username on the login page and the rememberMe checkbox checked,
even if the session expired a long time ago. IMO the only
situation when we should expire the KEYCLOAK_REMEMBERME cookie is when the user
unchecks the "Remember me" checkbox on the login page.
[1] https://issues.jboss.org/browse/ORG-2956
Marek
8 years, 9 months
AbstractUsernameFormAuthenticator validateUserAndPassword process
by Ariel Carrera
Hi, I am developing a Federation Provider, and I have a question...
Why does the method () check if the user "is enabled" after validating the
password instead of before the password validation?
AbstractUsernameFormAuthenticator.validateUserAndPassword: line 141/151
...
    if (invalidUser(context, user)) {
        return false;
    }
    if (!validatePassword(context, user, inputData)) {
        return false;
    }
    if (!enabledUser(context, user)) {
        return false;
    }
...
If the user is disabled... why validate his password and return a password
validation error message?
--
Ariel Carrera
8 years, 9 months
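The observable difference between the two orderings, as an added example that is not Keycloak's code: with the quoted order (password before enabled), a caller who sends a wrong password gets the same answer whether the account is disabled or not, so the login error does not reveal account status to anyone who does not hold the password; with the enabled check first, it does. The users, password hashing and return strings are constructed for the demo:

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class User:
    username: str
    password_hash: bytes  # sha256 for the demo only; a real store uses a slow KDF
    enabled: bool

def _hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

# Constructed sample users: one active, one disabled, both with password "s3cret".
USERS = {
    "alice": User("alice", _hash("s3cret"), enabled=True),
    "bob": User("bob", _hash("s3cret"), enabled=False),
}

def validate_password_first(username: str, password: str) -> str:
    """Order quoted from validateUserAndPassword: invalid user, password, enabled."""
    user = USERS.get(username)
    if user is None:
        return "invalid_credentials"  # invalidUser()
    if not hmac.compare_digest(user.password_hash, _hash(password)):
        return "invalid_credentials"  # validatePassword()
    if not user.enabled:
        return "account_disabled"     # enabledUser(): only reached with a valid password
    return "ok"

def validate_enabled_first(username: str, password: str) -> str:
    """The ordering the question proposes: check enabled before the password."""
    user = USERS.get(username)
    if user is None:
        return "invalid_credentials"
    if not user.enabled:
        return "account_disabled"     # reported before any password is checked
    if not hmac.compare_digest(user.password_hash, _hash(password)):
        return "invalid_credentials"
    return "ok"

def leaks_account_status(check) -> bool:
    """Does a wrong-password attempt answer differently for a disabled account
    than for an enabled one? If so, the response reveals account status."""
    return check("bob", "wrong") != check("alice", "wrong")
```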
Async HTTP Request Processing
by Pedro Igor Silva
Hi,
I'm working with the AuthZ Java API in order to make it more event-driven and non-blocking. During our F2F, I've discussed some very interesting requirements with Marc Savy around that.
I would like to know if it makes sense to enable JAX-RS Async support for some AuthZ REST endpoints, which are basically using this API to evaluate policies using different providers (where these providers can be executed in parallel).
Regards.
Pedro Igor
8 years, 9 months
Import/export realm
by Fadi Abdin
Has anyone imported a realm from an older version of Keycloak and had it work?
I imported a realm from 1.2 to 1.9 and the users are not working as they are
supposed to.
I'm wondering if there is something I need to do to get that to work!
8 years, 9 months