keycloak-documentation translation
by Hiroyuki Wada
Hello,
We have a plan to translate keycloak-documentation to Japanese for the
community at our company.
Because there is no place to manage the translation resources in the
keycloak-documentation repository,
we are planning to put the resources into our own repository and publish
the built documents to our corporate site.
Do you have any concerns?
Of course, we can contribute it if there are any plans to translate it
officially.
Best Regards,
--
Hiroyuki Wada,
Nomura Research Institute, Ltd.
5 years, 4 months
Authenticating Desktop Applications with Keycloak and the keycloak-installed adapter
by Thomas Darimont
Hello folks,
I played a bit with the undocumented? [0] keycloak-installed adapter [1]
for integrating
desktop applications with Keycloak SSO and found some issues with it, which
I'd like to share.
Small explanation for those who are reading the list but don't know the
adapter... [2]
First some general notes / suggestions:
Is the keycloak-installed adapter something that will stay in keycloak or
was this just a PoC?
In the former case I think there are some things that could be improved or
extended a bit:
- Allow users to customize the locale used for the login pages opened by
the adapter
- Provide customizable response templates (perhaps by leveraging a provided
ResourceBundle)
- Allow customizing the pages shown after login / logout served by the
keycloak-installed adapter
- Add support for TLS (with custom certificates) for https:// with localhost
I noticed that some browsers (e.g. Chrome) show an error page when trying to
redirect to the local mini-webserver after a successful login since the
mini-webserver (...server-socket) embedded in the adapter doesn't respond
with a valid HTTP response.
With that fixed, it worked with all browsers I tested (IE, Firefox, Chrome).
My current modifications of the keycloak-installed adapter
(with HTTP response fixes and response customizations) are here:
https://github.com/thomasdarimont/keycloak/commit/b8ee52a946e73503b1737f5...
An extended example (using the modified keycloak-installed adapter) can
be found here:
https://gist.github.com/thomasdarimont/c59c14f45ea2ee00d7b6fbe2c013c5f1
WDYT?
Cheers,
Thomas
[0] Not mentioned here:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java...
[1] https://github.com/keycloak/keycloak/tree/master/adapters/oidc/installed
[2] For those that haven't seen the adapter yet, it allows authenticating
against Keycloak from a desktop app (e.g. swing, javafx) by opening a
desktop browser window where a user uses the regular keycloak login pages
to login.
The trick is now that the login page is opened with a redirect URL that
points to a small local "web server" (server-socket) on a free ephemeral
port which is started by the adapter.
After logging in, the mini web-server performs the authorization code flow
and eventually receives the tokens (access_token, refresh_token, id_token),
which can then be used to call backend services from the client or
retrieve new tokens.
A nice side effect of this is that the desktop application never sees a
user's password and one can leverage existing SSO sessions.
Btw. the google cloud cli uses the same approach to authenticate with gcp.
The Keycloak repo contains a small example for this:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
5 years, 8 months
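To make the loopback-redirect flow from [2] concrete, here is an added example (mine, not the keycloak-installed adapter's code) of the "mini web server" side: it binds 127.0.0.1 on an ephemeral port, builds the authorization URL with a random state, accepts exactly one redirect whose state matches, and answers it with a complete HTTP response (status line, headers, body), which is the part Thomas found missing. The Keycloak endpoint URLs and the client id are placeholders, and simulate_browser_redirect is a constructed stand-in for the real browser so the flow can be exercised offline.

```python
"""Loopback redirect receiver for the authorization-code flow of an
installed/desktop client.  Added illustration; endpoint URLs and the
client id are placeholders, not a real deployment."""
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class LoopbackReceiver:
    """Listens on 127.0.0.1 on a free ephemeral port for a single redirect."""

    def __init__(self):
        self.expected_state = secrets.token_urlsafe(16)  # ties the reply to this login attempt
        self.result = None
        self.done = threading.Event()
        self._started = False
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                first = lambda key: query.get(key, [None])[0]
                if first("state") != receiver.expected_state:
                    # A redirect for a login we did not start: reject it, keep waiting.
                    self._reply(400, "<h1>Login failed</h1><p>Unexpected state.</p>")
                    return
                receiver.result = {"code": first("code"), "error": first("error")}
                receiver.done.set()
                self._reply(200, "<h1>Login finished</h1><p>You can close this window.</p>")

            def _reply(self, status, html):
                # Status line, headers, blank line and body: a complete HTTP
                # response instead of a bare socket close.
                body = html.encode("utf-8")
                self.send_response(status)
                self.send_header("Content-Type", "text/html; charset=utf-8")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):  # keep the demo quiet
                pass

        # Port 0: the OS picks a free ephemeral port; loopback address only.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = "http://127.0.0.1:%d/callback" % self.server.server_address[1]
        self._thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def start(self):
        if not self._started:
            self._started = True
            self._thread.start()

    def authorization_url(self, authorization_endpoint, client_id):
        """URL to open in the desktop browser; the redirect comes back to us."""
        params = {"response_type": "code", "client_id": client_id,
                  "redirect_uri": self.redirect_uri, "scope": "openid",
                  "state": self.expected_state}
        return authorization_endpoint + "?" + urllib.parse.urlencode(params)

    def wait_for_code(self, timeout=120):
        """Block until the browser is redirected back; return the authorization code."""
        self.start()
        try:
            if not self.done.wait(timeout):
                raise TimeoutError("no redirect received from the browser")
            if self.result["error"]:
                raise RuntimeError("authorization failed: %s" % self.result["error"])
            return self.result["code"]
        finally:
            self.server.shutdown()
            self.server.server_close()


def token_request(token_endpoint, client_id, code, redirect_uri):
    """Build the POST that exchanges the code for access/refresh/id tokens."""
    data = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "client_id": client_id, "code": code,
                                   "redirect_uri": redirect_uri}).encode("ascii")
    return urllib.request.Request(token_endpoint, data=data, method="POST")


def simulate_browser_redirect(receiver, code, state):
    """Constructed stand-in for the browser redirect; returns the HTTP status."""
    url = receiver.redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    rx = LoopbackReceiver()
    rx.start()
    print("open in a browser:", rx.authorization_url(
        "https://keycloak.example/auth/realms/demo/protocol/openid-connect/auth", "desktop-app"))
    print("authorization code:", rx.wait_for_code())
```

The state check matters as much as the HTTP fix: without it any local process that can reach the loopback port could hand the receiver a code of its choosing. The code returned by wait_for_code is then exchanged at the token endpoint with the request from token_request; only the receiver's redirect_uri may be used there, since the token endpoint compares it with the one from the authorization request.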
ProviderFactory::postDeploy?
by Dmitry
Hi,
At the moment, the ProviderFactory::postInit() method is not called
during hot (re)deployment of providers, only during server startup.
This is considered a bug (see discussion in keycloak-user, KEYCLOAK-5131
and PR #4282).
Meanwhile, Marek and I have been discussing the problem of accessing the
data model from postInit (see the keycloak-user post). Turns out that
the semantics should be significantly different depending on whether
postInit() is called during server startup or hot deploy. In the first
case, one should listen for PostMigrationEvent. In the second case, the
event is not available and thus shouldn't be listened for. However, the
provider should be able to somehow distinguish the cases. There are
some hacks like analyzing the current thread name, querying JNDI or
Resteasy, but maybe we can come up with something cleaner and
simpler?
Marek has suggested that a new method should be introduced on the
ProviderFactory interface, with an empty default implementation (in order
not to break the code). What do you think?
Dmitry
5 years, 10 months
thoughts on file migration?
by Bill Burke
Need input on this JIRA:
https://issues.jboss.org/browse/KEYCLOAK-4715
The problem is that our json exports do not have a version assigned to
them and we may have org.keycloak.migration.migrators.Migration
objects that need to run.
Should we force people doing upgrades in this way to add a version tag
somewhere in the json? We should then add a "fromJson" Migration
method to be invoked for each appropriate migrator.
Does that sound like a plan?
--
Bill Burke
Red Hat
5 years, 10 months
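As an added illustration of the scheme proposed above (my example, not Keycloak's migrator code): a version-gated migrator chain for a JSON export. The export's version tag decides which migrators run, a missing tag is an error unless the operator states the version explicitly, and an export from a newer version is refused rather than migrated blindly. The field name keycloakVersion, the version numbers and the two migrators are constructed for the example.

```python
"""Version-gated migration of a JSON realm export.  Added illustration;
the version tag name, versions and migrators are constructed."""
import json

CURRENT_VERSION = "2.5.0"


def parse_version(text):
    """'2.5.1' -> (2, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed migrators: each applies to exports older than its version.
MIGRATORS = [
    ("2.5.0", lambda realm: realm.setdefault("otpPolicyType", "totp")),
    ("2.0.0", lambda realm: realm.setdefault("bruteForceProtected", False)),
]


def migrate_export(doc, assume_version=None):
    """Run every migrator newer than the export's version, oldest first.

    Returns (migrated realm, list of migrator versions applied).  Guessing
    the version of an untagged export could skip a migration or re-run one
    that is not idempotent, so an untagged export is rejected unless the
    caller states which version produced it."""
    realm = json.loads(doc) if isinstance(doc, str) else dict(doc)
    version = realm.get("keycloakVersion", assume_version)
    if version is None:
        raise ValueError("export carries no keycloakVersion; pass assume_version")
    exported = parse_version(version)
    if exported > parse_version(CURRENT_VERSION):
        raise ValueError("export was produced by newer version %s" % version)
    applied = []
    for target, migrate in sorted(MIGRATORS, key=lambda m: parse_version(m[0])):
        if parse_version(target) > exported:
            migrate(realm)
            applied.append(target)
    realm["keycloakVersion"] = CURRENT_VERSION
    return realm, applied


if __name__ == "__main__":
    old_export = '{"realm": "demo", "keycloakVersion": "1.9.8"}'
    print(migrate_export(old_export))
```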
Use LDAP's PasswordPolicy
by Rafael Ladislau
Hello, I'm pretty new here, but I've been using Keycloak with an OpenLDAP
as the user federation and I've noted some problems that I had to fix by
myself, and I would like to share with the community the fixes I've made.
I'm a Software Developer at NYU and I had to change the Keycloak source code
to make it work in one of our projects. It's not a big refactoring. It's
reasonable.
Problems and my solutions:
1 - Keycloak changes the password of the users coming from LDAP by sending a
replace command to LDAP using a connection bound to the LDAP administrator
(WRITE mode). It allows the users to not respect the
password policy installed in LDAP, if it has one installed. In order to fix
it, you need to use a connection bound to the user changing the password,
and Keycloak should send two commands to LDAP: a command to delete the
password field with the current password value and a command to add the
password field with the new value. It makes Keycloak respect the password
policy installed in LDAP: the operation raises an exception when the
password is not compliant. After my fixes, I'm handling this exception and
letting the user know about the error. (I'm doing this in the
UPDATE_PASSWORD required action and in the manage account screen.)
2 - Because I was making Keycloak respect the password policy in LDAP, I
had to create a Password Policy User Account Control Mapper. This Mapper is
based on the MSAD User Account Control Mapper. It has the same idea, but it
writes the properties "pwdReset" and "pwdAccountLockedTime" to let
Keycloak know and let OpenLDAP know when the user must reset his password
and when the user is locked.
3 - Step 2 is necessary because when you have a password policy in LDAP
saying the min age is one day and you set a temporary password for the
user, if Keycloak doesn't set the pwdReset flag, the user will not be able
to change his password (only after 24 hours).
4 - I've made some changes in the User Federation Configuration in order to
allow the Keycloak administrator to turn this feature on and off.
The issue https://issues.jboss.org/browse/KEYCLOAK-4052 has made the users
coming from LDAP go through Keycloak's Password Policy before they
change their passwords, but what I'm proposing is making Keycloak aware
of the Password Policy installed in LDAP.
Do you think it would be a good feature?
5 years, 10 months
Issue with BrowserHandler using the saml2 adapter in wildfly 10
by Daniel Schmidt
Hi everybody,
I just started to use the SAML2-authentication-adapter of Keycloak in
Wildfly 10. I use it according to this documentation:
http://www.keycloak.org/docs/3.0/securing_apps/topics/saml/java/jboss-ada...
As it did not work, I debugged into the adapter code and narrowed the
problem down to
org.keycloak.adapters.saml.undertow.UndertowSamlAuthenticator.createBrowserHandler(HttpFacade,
SamlDeployment, SamlSessionStore) where a
org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler is
instantiated.
This BrowserHandler always passes null as samlRequest, samlResponse and
relayState. When I create a
org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler
instead, the code works as expected.
Is this a bug in the BrowserHandler or am I missing some important
configuration option?
--
Another question on this topic:
The configuration with <secure-deployment >...</secure-deployment>
bypasses any existing <login-module> as far as I can see. Is this the case?
Is there any possibility to configure a custom login-module that could
authenticate a user before using the Keycloak authentication mechanism?
I would like to use the Keycloak authentication as a fallback only.
Thanks in advance,
Daniel Schmidt
5 years, 10 months
Merge of Node.js modules
by Bruno Oliveira
Aloha,
We're considering merging keycloak-nodejs-connect and keycloak-nodejs-auth-utils into a single codebase for the next release. What does that mean? That the whole codebase will live under the keycloak-nodejs-connect repository and module.
The reason behind this is that there are few good reasons to keep both separated today. This is going to make our release process better, as well as the maintenance of the codebase.
I would like to gather some feedback before moving forward. So comments on this thread are more than welcome!
--
abstractj
5 years, 10 months
Permission and Obligation
by Pedro Igor Silva
Hi,
This is about https://issues.jboss.org/browse/KEYCLOAK-5728.
The idea is to allow policies to push information to a policy enforcer (PEP)
in order to enrich the final decision whether a resource can be accessed or not.
In XACML there is a well known concept called Obligation, which can be used
to pass information to a policy enforcer in order to take some action or
verify something before granting or denying access to a resource.
Suppose you have a JS policy and want to push obligations when evaluating a
permission:
if (someCondition) {
    var permission = $evaluation.getPermission();
    permission.addObligation('transfer.limit', '200');
}
On the resource server side, you will be able to obtain *transfer.limit*
and check whether a request satisfies the obligation.
Any comments?
Regards.
Pedro Igor
5 years, 11 months
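As an added example of the resource-server (PEP) side of the proposal above (my illustration, not Keycloak's authorization code): a constructed stand-in for the JS policy attaches the transfer.limit obligation, and the enforcer treats the decision as a grant only when every attached obligation can be checked and holds. The decision format, the request fields and the "restricted" flag are constructed for the example; the fail-closed rule for obligations the PEP does not understand is the one XACML prescribes.

```python
"""Policy-enforcement-point handling of obligations.  Added illustration;
the decision format and request fields are constructed."""


def evaluate_policy(context):
    """Constructed stand-in for the JS policy in the post: permits the
    transfer and, for a restricted account, attaches transfer.limit=200."""
    decision = {"result": "PERMIT", "obligations": {}}
    if context.get("restricted"):
        decision["obligations"]["transfer.limit"] = "200"
    return decision


def transfer_limit(value, request):
    """Obligation handler: the requested amount must not exceed the limit."""
    return request.get("amount", 0) <= int(value)


# Obligations this resource server knows how to fulfil.
OBLIGATION_HANDLERS = {"transfer.limit": transfer_limit}


def enforce(decision, request, handlers=OBLIGATION_HANDLERS):
    """Return True only if the decision is PERMIT and every obligation holds.

    An obligation the PEP has no handler for cannot be fulfilled, so the
    request is denied instead of being let through with the obligation
    silently ignored (XACML requires the same of a PEP)."""
    if decision.get("result") != "PERMIT":
        return False
    for name, value in decision.get("obligations", {}).items():
        handler = handlers.get(name)
        if handler is None or not handler(value, request):
            return False
    return True


if __name__ == "__main__":
    decision = evaluate_policy({"restricted": True})
    print(decision, enforce(decision, {"amount": 150}), enforce(decision, {"amount": 250}))
```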