Scope Param with Keycloak
by Tomas Cerny
Hi all,
I am trying to use the scope param with Keycloak, which is part of OpenID Connect:
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Here is a sample URL (from
https://openid.net/specs/openid-connect-basic-1_0.html#AuthenticationRequest),
which is:
https://server.example.com/authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
Note the state param there.
With Keycloak this is my auth URL:
http://127.0.0.1:8080/auth/realms/example/protocol/openid-connect/auth?cl...
When I pass the scope param, it is ignored.
Does keycloak support scope param? Can I intercept it to make a custom
handler? (e.g. lookup DB data)
Sample use case: Keycloak has my custom UserFederation provider where I
issue a user lookup to my SQL DB and determine access; then, based on the
scope, I would like to post back to the app the roles relevant to the scope param.
I know Keycloak has static roles, but I need it contextual, such as: user
is master in scope = A, but reader in scope = B. Since the range of scopes
is dynamic and large, the use of client-ids is not sufficient.
I assume the scope can help me solve situations such as: am I the owner of an
object?
I did days of debugging Keycloak code and cannot find much, even though
there is OAuth2Constants.Scope, but maybe that is something different?
And I see some dead sample here: FishEye: changeset
d309fab8251d95f50f94c77e4d08e6e8c2977994
<https://source.jboss.org/changelog/Keycloak?cs=d309fab8251d95f50f94c77e4d...>
The alternative OpenAM supports the scope param: OpenAM Project - About
OpenAM <http://openam.forgerock.org/>
Thanks, Tom
Here, a forum post by public users:
https://developer.jboss.org/message/934762#934762
8 years, 2 months
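The request the post quotes, as an added example on the relying-party side (not code from the post or from Keycloak): it builds the same authorization URL with the scope and state parameters and then checks the state on the callback, which is what the state param exists for. The endpoint, client id and redirect URI are the ones from the spec sample; the session store is assumed to be a plain dict.

```python
"""Build an OpenID Connect authorization request and bind it to the session via 'state'."""
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlparse

# Values from the spec sample quoted in the post; the session store is a plain dict here.
AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"


def build_auth_request(scopes, state, endpoint=AUTHORIZE_ENDPOINT,
                       client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Return the code-flow authorization URL (OIDC Core 3.1.2.1)."""
    if "openid" not in scopes:
        raise ValueError("an OpenID Connect request must carry the 'openid' scope")
    params = [
        ("response_type", "code"),
        ("client_id", client_id),
        ("redirect_uri", redirect_uri),
        ("scope", " ".join(scopes)),
        ("state", state),
    ]
    # safe="" percent-encodes '/' and ' ' exactly as the spec sample shows.
    return endpoint + "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in params)


def start_login(session, scopes=("openid", "profile")):
    """Mint an unguessable state, remember it for this session, return the URL."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    return build_auth_request(list(scopes), state)


def handle_callback(session, callback_url):
    """Validate the redirect back from the OP and return the authorization code.

    The state must equal the one stored for this session and is consumed on
    first use, so a forged or replayed callback (login CSRF) is rejected.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or \
            not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]
```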
Proof of Concept for User Activity Dashboard
by Thomas Darimont
Hello group,
a few months ago I raised the feature request "Activity dashboard" in the
Keycloak JIRA.
https://issues.jboss.org/browse/KEYCLOAK-1840
This weekend I gave this a spin and I think I got pretty far with it,
see attached annotated screenshot.
The idea was to leverage the information from the stored event data
to compute some Keycloak usage statistics over time.
My current prototype supports the JPA (user / event) storage provider
and works with PostgreSQL but could be adapted to other databases including
MongoDB.
Since I need to compute the usage statistics based on the event data,
events need to be stored and some views (3) need to be defined to
make the data accessible from JPA in a generic fashion.
Since the queries are quite complex I wanted to keep them out
of the code and therefore used named native queries via orm.xml.
The actual queries use some database specific date/time functions
that I wanted to keep out of the code - thus I created views
that could be adapted for each database and provisioned via liquibase.
The view definitions can be found here:
https://gist.github.com/thomasdarimont/24e11be101c6ed8773f22e1defc5d66e
For MongoDB one could define appropriate aggregation framework pipelines
to express the same query logic.
I basically exposed the data from those views per realm via a newly
introduced AnalyticsProvider interface that is accessible via
KeycloakSession.
Data from this AnalyticsProvider is then exposed as a REST resource called
"DashboardResource".
Data from this REST endpoint is then consumed by the admin frontend in a
new section
called "dashboard".
In the frontend I used basic patternfly components, e.g.: cards & tables:
https://rawgit.com/patternfly/patternfly/master/tests/cards.html
For the heatmap I used http://cal-heatmap.com/#start which is based on d3js.
There is also an angularjs directive that could be used as well.
https://github.com/shekhargulati/angular-cal-heatmap-directive
The current hacky code can be found here:
https://github.com/thomasdarimont/keycloak/commits/poc/KEYCLOAK-1840-dash...
The relevant commit is:
https://github.com/thomasdarimont/keycloak/commit/40a7956f8e547edc148d2dd...
The code still needs a decent amount of polishing but I wanted to share
this with you guys first to see if this could make it into Keycloak at some point.
Cheers,
Thomas
8 years, 6 months
Support for LDAP referrals
by Mitya
Hi,
In replicated LDAP setups, it's a common situation where the slave is
read-only, and if a write operation is attempted, it returns a so-
called referral (see more here). Simply put, a referral is an
instruction to proceed with the same LDAP operation but using different
URL, contained within response. In a replicated setup, this URL would
point to master instance, which is read-write.
Currently, KeyCloak cannot use such a slave replica as a federation
provider in a WRITABLE edit mode. LDAP entries are imported
successfully; but further attempts to modify them in KeyCloak admin
console give success message, while the actual values are not modified.
If Sync Registrations is on, attempt to create a user results in the
following exception:
javax.naming.PartialResultException: [LDAP: error code 10 - Referral]; remaining name 'uid=foo,ou=People,dc=foobar,dc=com'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
LDAP referrals are fully supported by the JNDI LDAP stack; the only
thing we need is to set the Context.REFERRAL ("java.naming.referral")
environment property to "follow" before creating an InitialLdapContext.
I've noticed that in org.keycloak.federation.ldap.LDAPConfig, there is
an initial support for additional connection properties (currently
hardcoded to return null). Are there any plans to implement this?
Cheers,
Mitya
8 years, 6 months
Re: [keycloak-dev] standalone-full in keycloak standalone
by Stian Thorgersen
It's not supported to deploy JEE apps to the Keycloak server and we
recommend having a separate WildFly instance for your apps. At the moment
in theory it's possible, but we may remove and/or alter the config of the
underlying WildFly which would break your apps in the future. You can also
use the overlay and add it to an existing WildFly, but we only support one
specific version of WildFly and again your applications may require config
that conflicts with what Keycloak requires.
On 31 May 2016 16:41, "Brooks Isoldi" <brooks.isoldi(a)traversed.com> wrote:
Hi Stian,
Thanks for that.
Is it therefore not recommended to try to deploy a JEE application to the
keycloak provided wildfly server? Or is it not recommended to deploy any
applications to the keycloak provided wildfly server?
If either is the case, then how would we configure the web.xml to
authenticate via Keycloak (e.g. the below):
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>app-name</realm-name>
</login-config>
I'm trying to deploy a JEE application (which requires standalone-full) to
the keycloak provided wildfly server so that I don't need to have separate
instances but if the development bundle is not recommended for production,
what would be the recommended method of deploying a JEE application to the
production-ready keycloak/wildfly server?
Thanks again.
-Brooks
On 05/30/2016 01:34 AM, Stian Thorgersen wrote:
The server distribution is a standalone Keycloak server bundle. It's not a
JEE app server and hence doesn't need a full configuration (for example
full contains messaging, which standard config doesn't). The development
bundle is a WildFly JEE app server, with Keycloak server added. This is
recommended mainly for development.
On 27 May 2016 at 22:01, Brooks Isoldi <brooks.isoldi(a)traversed.com> wrote:
> Hi all,
>
> I noticed the Keycloak standalone server distribution does not contain a
> standalone-full.xml file, whereas the development bundle does.
>
> Is there a reason and how would I use standalone-full with the keycloak
> standalone distribution?
>
> Thanks.
>
> -Brooks
--
Brooks Isoldi, Software Developer
Traversed
7164 Columbia Gateway Drive, Suite 120A
Columbia, MD 21046
8 years, 7 months
Stackoverflow login
by Bill Burke
I am unable to set up social login with Stackoverflow. Is it possible
to use it with a localhost callback? Anybody know any special settings
here?
8 years, 7 months
standalone-full in keycloak standalone
by Brooks Isoldi
Hi all,
I noticed the Keycloak standalone server distribution does not contain a
standalone-full.xml file, whereas the development bundle does.
Is there a reason and how would I use standalone-full with the keycloak
standalone distribution?
Thanks.
-Brooks
8 years, 7 months
Keycloak 1.9.5.Final Released
by Stian Thorgersen
Keycloak 1.9.5.Final has just been released. There's one change worth
highlighting in this release. We've increased the default password hashing
intervals to 20000. Yes, you read that right. We've actually recommended
using 20000 for a while now, but the default was only 1. This is a clear
trade-off between performance and how secure passwords are stored. With 1
password hashing interval it takes less than 1 ms to hash a password, while
with 20000 it takes tens of ms.
For the full list of resolved issues check out JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
and to download the release go to the Keycloak homepage
<http://www.keycloak.org/downloads>.
8 years, 7 months
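The trade-off the announcement describes, as an added example (not Keycloak code): a credential record that carries its own iteration count, constant-time verification, a measurement of the per-hash cost at 1 versus 20000 iterations, and the re-hash-on-login step that brings records hashed under the old default of 1 up to the new policy. It assumes PBKDF2-HMAC-SHA1 with a 512-bit derived key, which is what Keycloak's default hash provider used at the time; the record layout is constructed for illustration.

```python
"""Password hashing iterations: cost, verification and upgrade-on-login."""
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA1 with a 512-bit derived key, as Keycloak's default
# hash provider used at the time; the record layout below is constructed.
POLICY_ITERATIONS = 20000  # the new default announced above; the old one was 1


def hash_password(password, salt, iterations):
    """Derive a 64-byte key; the record remembers the iteration count used."""
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=64)
    return {"salt": salt, "iterations": iterations, "hash": key}


def new_credential(password, iterations=POLICY_ITERATIONS):
    return hash_password(password, os.urandom(16), iterations)


def verify_password(password, record):
    """Recompute at the record's own iteration count and compare in constant time."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate["hash"], record["hash"])


def needs_rehash(record, policy=POLICY_ITERATIONS):
    """Records below policy (e.g. hashed with the old default of 1) are upgraded
    the next time the user presents the correct password."""
    return record["iterations"] < policy


def login(password, record, policy=POLICY_ITERATIONS):
    """Return (ok, record); the record is re-hashed after a successful login if needed."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, policy):
        record = new_credential(password, policy)
    return True, record


def milliseconds_per_hash(iterations, rounds=5):
    """Average wall-clock cost of one hash at the given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hash_password("correct horse battery staple", salt, iterations)
    return (time.perf_counter() - start) * 1000 / rounds
```

Running `milliseconds_per_hash(1)` and `milliseconds_per_hash(20000)` side by side reproduces the sub-millisecond versus tens-of-milliseconds figures from the announcement on ordinary hardware.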
Native mobile authentication
by Jorge M.
Hi,
I'm trying to figure out the currently best approach for mobile app
authentication with keycloak.
Is it possible to do this with native apps (iOS, Android + Windows Phone),
without a webview? Are there any examples?
If so, does it support social login?
Thank you.
JM
8 years, 7 months
OpenID Connect Certification Tests
by Thomas Darimont
Hello list,
sorry for the longer email...
I just noticed that Keycloak is currently not listed as a
certified OpenID Connect implementation under:
http://openid.net/certification/
As it turns out one can run the tests oneself by creating a test profile as
described here:
http://openid.net/certification/testing/
The OpenID Connect test can be configured here:
https://op.certification.openid.net:60000/
I just gave the test a spin by running a Keycloak Application instance
(Version 1.9.1.Final - as I had that running) embedded in a Spring Boot App
on Cloud Foundry which I exposed to the op.certification.openid.net test
server.
... it works and was a quick way to get Keycloak exposed to the test - and
yes, I know this is of course not a prod environment ;-)
The results did not look bad.
Note that you need to execute each step manually by clicking on it...
First run got me 23 green (+2 manually verified) out of 41 tests overall,
rest was 9 yellow and 6 red.
You can find a screenshot of the overall test results here:
http://s33.postimg.org/h6zawnbbz/screencapture_op_certification_openid_ne...
I think those tests are a great way to close gaps between specification and
implementation
and help to make Keycloak more compatible.
I also have the logs with the detailed request / response pairs for the failed
tests and explanations.
Please ping me if you want to have those for investigation (~600 kb text).
Some of the tests, like "Scope requesting all claims [Basic, Implicit,
Hybrid] (OP-scope-All)", were yellow because some claim information was
missing in the user info, like:
['nickname', 'profile', 'picture', 'website', 'gender', 'birthdate',
'zoneinfo', 'locale', 'updated_at', 'phone_number',
'phone_number_verified'].
The red tests like "IDToken has kid [Basic, Implicit, Hybrid]
(OP-IDToken-kid)" mostly failed due to missing values in the response, e.g.
"[verify-signed-idtoken-has-kid]
status: ERROR
description: Verifies that the header of a signed IDToken includes a kid
claim.
info: Signed ID Token has no kid: header={u'alg': u'RS256'}"
If you want to try it out yourself here are the settings I used for the
OpenID Connect Test Application:
--------------------
Provider configuration:
"Does the OP have a .well-known/openid-configuration endpoint?"
yes
"What is the issuer path for this configuration information?"
https://tdlabs-keycloak-test2.cfapps.io/realms/test
"Do the provider support dynamic client registration?"
no (I know keycloak supports that but I couldn't get that working)
"Redirect uris"
https://op.certification.openid.net:60629/authz_cb
"Client id"
openid-cert
"Client secret"
4692ca28-daad-4d76-aa82-0991e518d931
Required info
"Which subject type do you want to use by default?"
public
"Which response type should be used by default?"
code
"Select supported features"
JWT signed with algorithm other than "none"
Encrypted JWT
Test specific request parameters:
"Login hint"
tom(a)example.com
"UI locales"
en de
"Claims locales"
en de
"Acr values"
2 1
"Webfinger url"
https://example.com/tom
"Webfinger email"
tom(a)example.com
E.g. bob(a)example.com
For testing purposes I created a new realm "test" with an additional
client "openid-cert" with "confidential" access type and
the valid redirect url provided by the op.certification.openid.net test
server.
I also created a user "tester" for the login tests.
Cheers,
Thomas
8 years, 7 months
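The OP-IDToken-kid check from the relying party's point of view, as an added example (not the certification suite's or Keycloak's code): it decodes the JOSE header of a compact JWS, rejects unsigned tokens, reports the exact "Signed ID Token has no kid" condition quoted above, and otherwise selects the signing key from a JWKS by kid. The JWKS and tokens are constructed; signature verification with the selected key is the step that would follow and is not shown.

```python
"""Check an ID token's JOSE header for 'kid' and select the matching JWKS key."""
import base64
import json

# Constructed JWKS with two signing keys; 'n' values are placeholders, not real moduli.
JWKS = {"keys": [
    {"kty": "RSA", "kid": "key-2016-05", "alg": "RS256", "use": "sig", "n": "placeholder-1", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-2016-04", "alg": "RS256", "use": "sig", "n": "placeholder-2", "e": "AQAB"},
]}


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_header(id_token):
    """Return the decoded JOSE header of a compact JWS (header.payload.signature)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a compact JWS")
    return json.loads(b64url_decode(parts[0]))


def select_signing_key(id_token, jwks=JWKS):
    """Apply the verify-signed-idtoken-has-kid check, then pick the key by kid.

    Returns (key, None) on success or (None, reason) on failure. Verifying the
    signature with the selected key is the next step and is not shown here.
    """
    header = parse_header(id_token)
    alg = header.get("alg")
    if alg in (None, "none"):
        return None, "ID token is unsigned (alg=%r)" % alg
    kid = header.get("kid")
    if kid is None:
        return None, "Signed ID Token has no kid: header=%s" % json.dumps(header)
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("alg", alg) == alg:
            return key, None
    return None, "no JWKS key with kid %r" % kid


def make_token(header):
    """Constructed token: encoded header, empty-claims payload and a dummy signature."""
    return ".".join(b64url_encode(p) for p in (json.dumps(header).encode(), b"{}", b"sig"))
```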
SingleFileExportProvider always tries to export users
by Fabricio Milone
Hi devs,
I've been working with some realm configurations and today I wanted to
export all my work to a file so I tried to follow this:
http://keycloak.github.io/docs/userguide/keycloak-server/html/export-impo...
After some failed attempts due to my custom federator, I've decided to SKIP
users from the export using the SKIP property as described in the
documentation but it didn't work at all, so I've checked the code that is
performing the export action and found that the usersExportStrategy is not
being taken from the configuration but it is just set to TRUE instead.
Look at the lines 65 and 83 in this file:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
For now, I've just modified the code locally to get the configuration
correctly from the property I am passing at startup (like
MultipleStepsExportProvider.java is doing), but I would like to contribute
a PR if necessary.
Is there any reason not to do this?
Thanks in advance.
Regards,
Fabricio
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
8 years, 7 months