Bug squashing time
by Stian Thorgersen
We're not accepting any contributions for new features until we start on
Keycloak 4.x. Most likely that'll be mid-December. Any PRs for new features
until then will not be reviewed or merged, but feel free to send if you
want.
We do however have a fair amount of outstanding bugs and would love help
from the community to get as many as possible resolved in the next month!
If you'd like to help, take a look at
https://issues.jboss.org/projects/KEYCLOAK/versions/12333692 and look for
issues that are not assigned to someone. Remember we want tests as well.
6 years
Use LDAP's PasswordPolicy
by Rafael Ladislau
Hello, I'm pretty new here, but I've been using Keycloak with an OpenLDAP
as the user federation and I've noted some problems that I had to fix by
myself and I would like to share with the community the fixes I've made.
I'm a Software Developer at NYU and I had to change the Keycloak source code
to make it work in one of our projects. It's not a big refactoring. It's
reasonable.
Problems and my solutions:
1 - Keycloak changes the password of users coming from LDAP by sending a
replace command to LDAP using a connection bound to the LDAP administrator
(WRITE mode). This allows the users to not respect the
password policy installed in LDAP, if it has one installed. In order to fix
it, you need to use a connection bound to the user changing the password,
and Keycloak should send two commands to LDAP: a command to delete the
password field with the current password value and a command to add the
password field with the new value. This makes Keycloak respect the password
policy installed in LDAP: the operation raises an exception when the
password is not compliant. After my fixes, I'm handling this exception and
letting the user know about the error. (I'm doing this in the
UPDATE_PASSWORD required action and in the manage account screen.)
2 - Because I was making Keycloak respect the password policy in LDAP, I
had to create a Password Policy User Account Control Mapper. This Mapper is
based on the MSAD User Account Control Mapper. It has the same idea, but it
writes the properties "pwdReset" and "pwdAccountLockedTime" to make
Keycloak know and let OpenLDAP know when the user must reset his password
and when the user is locked.
3 - Step 2 is necessary because, when you have a password policy in LDAP
saying the min age is one day and you set a temporary password for the
user, if Keycloak doesn't set the pwdReset flag the user will not be able
to change his password (only after 24 hours).
4 - I've made some changes in the User Federation Configuration in order to
allow the Keycloak administrator to turn this feature on and off.
The issue https://issues.jboss.org/browse/KEYCLOAK-4052 has made the users
coming from LDAP go through Keycloak's Password Policy before they
change their passwords, but what I'm proposing is making Keycloak aware
of the Password Policy installed in LDAP.
Do you think it would be a good feature?
6 years, 1 month
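To make the behaviour described in steps 1 to 3 concrete, here is an added example (not code from the post or from Keycloak) that models the two ways a password change can reach an OpenLDAP directory running the ppolicy overlay: an admin-bound REPLACE, which the policy does not check, and a user-bound DELETE-old/ADD-new, which is the shape OpenLDAP's pwdSafeModify option expects and which the policy does check. The directory is an in-memory stand-in written for this example; the DNs, the one-day pwdMinAge, the rootdn exemption and the error texts are assumptions that mirror the post's description, not a real LDAP client or server.

```python
from datetime import datetime, timedelta, timezone

ADMIN_DN = "cn=admin,dc=example,dc=org"          # constructed rootdn for this model
ALICE = "uid=alice,ou=people,dc=example,dc=org"  # constructed user DN


class PolicyViolation(Exception):
    """Stands in for the error result the ppolicy overlay returns when a change breaks the policy."""


class MockDirectory:
    """In-memory stand-in for OpenLDAP + ppolicy (a model of the post's description, not an LDAP
    client): pwdMinAge is enforced for self-service changes unless pwdReset is TRUE, the rootdn
    is exempt, and a self-service change must carry the old value (DELETE old + ADD new)."""

    def __init__(self, min_age):
        self.min_age, self.entries = min_age, {}

    def add_user(self, dn, password, changed_at):
        self.entries[dn] = {"userPassword": password, "pwdChangedTime": changed_at, "pwdReset": False}

    def bind(self, dn, password):
        if dn != ADMIN_DN and self.entries.get(dn, {}).get("userPassword") != password:
            raise PermissionError("invalidCredentials")
        return dn

    def modify(self, bound_as, target, changes, now):
        entry = self.entries[target]
        if bound_as != ADMIN_DN:                      # self-service change: the policy applies
            if bound_as != target:
                raise PermissionError("insufficientAccessRights")
            if not entry["pwdReset"] and now - entry["pwdChangedTime"] < self.min_age:
                raise PolicyViolation("passwordTooYoung: pwdMinAge has not elapsed")
            if [op for op, attr, _ in changes if attr == "userPassword"] != ["delete", "add"]:
                raise PolicyViolation("mustSupplyOldPassword: pwdSafeModify needs DELETE old + ADD new")
        for op, attr, value in changes:
            if op == "delete":
                if entry.get(attr) != value:
                    raise PolicyViolation("noSuchAttribute: old userPassword value does not match")
                entry.pop(attr)
            else:                                     # "add" and "replace" both set the value here
                entry[attr] = value
        if any(attr == "userPassword" for _, attr, _ in changes):
            entry["pwdChangedTime"] = now
            if bound_as != ADMIN_DN:
                entry["pwdReset"] = False             # the user has completed the forced reset


def change_password_as_admin(d, user_dn, new_pw, now, mark_reset=False):
    """Original behaviour: admin-bound REPLACE. mark_reset=True is what the post's step-2
    mapper adds when the admin sets a temporary password."""
    changes = [("replace", "userPassword", new_pw)]
    if mark_reset:
        changes.append(("replace", "pwdReset", True))
    d.modify(d.bind(ADMIN_DN, "ignored-by-model"), user_dn, changes, now)


def change_password_as_user(d, user_dn, old_pw, new_pw, now):
    """The post's fix: bind as the user, then DELETE old + ADD new so the policy is enforced."""
    d.modify(d.bind(user_dn, old_pw), user_dn,
             [("delete", "userPassword", old_pw), ("add", "userPassword", new_pw)], now)


def temp_password_scenario(mark_reset):
    """Step 3: admin sets a temporary password; an hour later the user tries to change it under
    a one-day pwdMinAge. Returns 'changed' or the policy error text."""
    t0 = datetime(2017, 11, 1, tzinfo=timezone.utc)
    d = MockDirectory(min_age=timedelta(days=1))
    d.add_user(ALICE, "old-pw", t0 - timedelta(days=30))
    change_password_as_admin(d, ALICE, "temp-pw", t0, mark_reset=mark_reset)
    try:
        change_password_as_user(d, ALICE, "temp-pw", "new-pw", t0 + timedelta(hours=1))
        return "changed"
    except PolicyViolation as err:
        return str(err)


def admin_replace_bypasses_policy():
    """Step 1's problem: an admin-bound REPLACE goes through even inside pwdMinAge."""
    t0 = datetime(2017, 11, 1, tzinfo=timezone.utc)
    d = MockDirectory(min_age=timedelta(days=1))
    d.add_user(ALICE, "old-pw", t0)
    change_password_as_admin(d, ALICE, "new-pw", t0 + timedelta(hours=1))
    return d.entries[ALICE]["userPassword"] == "new-pw"


def user_replace_is_rejected():
    """A self-service REPLACE without the old value is refused, even after pwdMinAge has elapsed."""
    t0 = datetime(2017, 11, 1, tzinfo=timezone.utc)
    d = MockDirectory(min_age=timedelta(days=1))
    d.add_user(ALICE, "old-pw", t0 - timedelta(days=2))
    try:
        d.modify(d.bind(ALICE, "old-pw"), ALICE, [("replace", "userPassword", "new-pw")], t0)
        return False
    except PolicyViolation:
        return True
```

Running `temp_password_scenario(False)` reproduces the lockout from step 3 (the user is stuck until the min age elapses), while `temp_password_scenario(True)` shows why the mapper that writes pwdReset is needed alongside the user-bound delete/add change.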
Keycloak 3.4.0.CR1 released
by Stian Thorgersen
We've just released Keycloak 3.4.0.CR1.
To download the release go to the Keycloak homepage
<http://www.keycloak.org/downloads>.
Highlights
Token exchange
The token exchange service allows clients to exchange tokens for different
tokens. There are quite a few options available so check out the docs
<http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange>
for more details.
Fine-grained permissions for admin endpoints
By leveraging our authorization services we've made it possible to control
permissions in the admin endpoints almost exactly how you want. For more
details check the docs
<http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_p...>
.
Cross DC
A lot more work has gone into this release around cross DC support. Docs
are still not ready and there's still some minor polish left. This will
come soon.
Upgraded to WildFly 11 Final
We've upgraded the underlying container to WildFly 11 Final.
Support MySQL and PostgreSQL in main Keycloak Docker image
We used to have separate Docker images for MySQL and PostgreSQL, but now we
have one that supports them all.
AsciiDoctor
Our docs used to be built and hosted on GitBook. We've recently moved to
using pure AsciiDoctor to build the docs. The main reason behind this move
was to closer align with how we build documentation for the productized
version of Keycloak (RH-SSO).
Loads more...
- Script based protocol mapper for OIDC - thanks to thomasdarimont
<https://github.com/thomasdarimont>
- Blacklisted password policy - thanks to thomasdarimont
<https://github.com/thomasdarimont>
- Login with PayPal - thanks to petlys <https://github.com/petlys>
- Almost 200 - we almost resolved 200 issues for this one (197!)
The full list of resolved issues is available in JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
.
Upgrading
Before you upgrade remember to backup your database and check the upgrade
guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for
anything that may have changed. Release candidates are not recommended in
production and we do not support upgrading from release candidates.
6 years, 1 month
Issue with BrowserHandler using the saml2 adapter in wildfly 10
by Daniel Schmidt
Hi everybody,
I just started to use the SAML2 authentication adapter of Keycloak in
WildFly 10. I use it according to this documentation:
http://www.keycloak.org/docs/3.0/securing_apps/topics/saml/java/jboss-ada...
As it did not work, I debugged into the adapter code and narrowed the
problem down to
org.keycloak.adapters.saml.undertow.UndertowSamlAuthenticator.createBrowserHandler(HttpFacade,
SamlDeployment, SamlSessionStore) where a
org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler is
instantiated.
This BrowserHandler always passes null as samlRequest, samlResponse and
relayState. When I create a
org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler
instead, the code works as expected.
Is this a bug in the BrowserHandler or am I missing some important
configuration option?
--
Another question on this topic:
The configuration with <secure-deployment>...</secure-deployment>
bypasses any existing <login-module> as far as I can see. Is this the case?
Is there any possibility to configure a custom login-module that could
authenticate a user before using the Keycloak authentication mechanism?
I would like to use the Keycloak authentication as a fallback only.
Thanks in advance,
Daniel Schmidt
6 years, 1 month
Access Token getting truncated when apache HTTPD is in front
by Pharande Rahul
Hello Team,
I'm facing issue of "Access Token getting truncated when apache HTTPD is in front".
Though this issue is not directly associated/related to Keycloak, in combination with Apache HTTPD + Keycloak I would like to take help from experts here :)
Below are more details on the same.
Environment:
o Server : Keycloak v3.x
o Proxy server : Apache HTTPD 2.4.x
o Client: Angular2 application using OIDC library.
Issue Description / Steps to reproduce:
* Create realm in Keycloak
* Create client for realm along with redirect url etc.
* Create ~70 role/permissions for client with longer names ~25 characters in permission name.
* Create user and assign all above permissions for newly created client.
* Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied.
* After entering valid user credentials, keycloak redirects to Application's redirect URL
* However error shown on browser console that, "failed at_hash".
o This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received.
Important point here:
* Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server.
My analysis:
* As per my analysis, I see Keycloak returns access_token information in the response header during redirect
* Apache has a restriction on handling response headers or cookies of size up to 8k
* Even after setting various parameters in Apache HTTPD like "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error.
Please let me know if anyone has already experienced such an issue OR has any alternative on using/configuring Keycloak to redirect using part response..
Thanks and Regards.
Rahul Pharande
6 years, 1 month
[New feature idea] Add complex filtering to endpoints which are responsible for listing and counting users.
by Marek Chmiel
*Current approach*
Currently the */admin/realms/{realmName}/users* endpoint filter accepts the
following query string parameters:
*search, lastName, firstName, email, username, first, name*
The limitation is we cannot filter users by their custom attributes and
we cannot use complex filtering logic either.
Additionally, since the */admin/realms/{realmName}/users/count* endpoint accepts
no parameters,
we're unable to retrieve an actual count of all users matching certain
criteria.
*Improvement idea*
The idea is to support additional query string parameter when querying the
REST APIs
on */users* and */users/count* endpoints to manipulate the returned data
so that it is possible to filter user records by any custom attributes and
use complex filtering logic.
The example can be taken from OData spec's $filter attribute
<http://www.odata.org/documentation/odata-version-2-0/uri-conventions/#Fil...>
or Forgerock OpenAM's filtering capabilities
<https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-filter...>
.
Both of these solutions introduce a filter parameter, the value of which is
basically a query DSL.
My suggestion is to implement the *$filter* query string parameter of the
following form to match user attributes:
*attribute operator value*
where *attribute* represents one of the user's attributes, *operator* is the
operator code, and *value* is the value to match.
The operator codes can be as follows:
- For matching strings:
*equals*
*startswith*
*endswith*
*contains*
- For matching other value types:
*ge* - greater than or equal to
*gt* - greater than
*le* - less than or equal to
*lt* - less than
Filters are read left-to-right.
Filters can be composed of multiple expressions by using the boolean operators
*and*, *or*, *not* and by using parentheses, *(expression)*, to group
expressions.
The *$filter* parameter must be URL-encoded.
I think it's possible to extend Keycloak with such a filter DSL because
underlying user storage is either SQL or LDAP based
and it's fairly easy to translate DSL query to either an SQL query or an
LDAP filter query.
Examples of filter values:
*firstName startswith Mar and age gt 18*
*fullName equals "Mark Harmon" or myCustomLdapMappedAttribute contains customValue*
Is this something Keycloak might have implemented?
What do you think, guys?
6 years, 1 month
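As an added example (not code from the post or from Keycloak), the following implements the proposed *$filter* DSL end to end: a tokenizer, a recursive-descent parser with the stated precedence (*not* binds tighter than *and*, which binds tighter than *or*, parentheses group), and the two translations the post says are easy, an RFC 4515 LDAP filter and a parameterised SQL WHERE clause. The attribute allow-list, the in-memory SQLite table and its rows are constructed for the example. The security-relevant part is how values are handled: attribute names are validated against an allow-list before they are placed in the query, LDAP values are hex-escaped, and SQL values travel as bind parameters with LIKE wildcards escaped, so a value such as `a*)(cn=*` cannot change the meaning of the generated query.

```python
import re
import sqlite3
from urllib.parse import unquote

# Attribute names the DSL may reference (constructed allow-list). Validating the attribute
# position against it is what keeps the generated SQL column / LDAP attribute safe.
ALLOWED_ATTRS = {"username", "firstName", "lastName", "email", "fullName",
                 "age", "myCustomLdapMappedAttribute"}
STRING_OPS = {"equals", "startswith", "endswith", "contains"}
ORDER_OPS = {"ge": ">=", "gt": ">", "le": "<=", "lt": "<"}
# A token is a parenthesis, a double-quoted string, or a bare word.
TOKEN_RE = re.compile(r'\s*(?:([()])|"([^"]*)"|([^\s()"]+))')


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}")
        paren, quoted, word = m.groups()
        tokens.append(("paren", paren) if paren else
                      ("str", quoted) if quoted is not None else ("word", word))
        pos = m.end()
    return tokens


class Parser:
    """or := and ('or' and)* ; and := not ('and' not)* ; not := 'not' not | atom ;
    atom := '(' or ')' | attribute operator value.  Produces a small tuple tree."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected trailing input")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("word", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("word", "and"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("word", "not"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == ("paren", "("):
            node = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("expected ')'")
            return node
        if not tok or tok[0] != "word" or tok[1] not in ALLOWED_ATTRS:
            raise ValueError(f"unknown attribute {tok}")
        op = self.take()
        if not op or op[0] != "word" or (op[1] not in STRING_OPS and op[1] not in ORDER_OPS):
            raise ValueError(f"unknown operator {op}")
        val = self.take()
        if not val or val[0] == "paren":
            raise ValueError("expected value")
        return ("cmp", tok[1], op[1], val[1])


def ldap_escape(value):
    """RFC 4515 escaping, so a value can never introduce filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def to_ldap(node):
    kind = node[0]
    if kind == "cmp":
        _, attr, op, val = node
        v = ldap_escape(val)
        if op in ("ge", "le"):
            return f"({attr}{ORDER_OPS[op]}{v})"
        if op in ("gt", "lt"):          # LDAP has no strict comparison; negate the other bound
            return f"(!({attr}{'<=' if op == 'gt' else '>='}{v}))"
        pattern = {"equals": v, "startswith": f"{v}*", "endswith": f"*{v}", "contains": f"*{v}*"}[op]
        return f"({attr}={pattern})"
    if kind == "not":
        return f"(!{to_ldap(node[1])})"
    return f"({'&' if kind == 'and' else '|'}{to_ldap(node[1])}{to_ldap(node[2])})"


def to_sql(node, params):
    """Returns a WHERE fragment with '?' placeholders; bound values are appended to params."""
    kind = node[0]
    if kind == "cmp":
        _, attr, op, val = node
        col = f'"{attr}"'               # safe: attr was validated against ALLOWED_ATTRS
        if op in ORDER_OPS:
            params.append(int(val) if val.lstrip("-").isdigit() else val)
            return f"{col} {ORDER_OPS[op]} ?"
        if op == "equals":
            params.append(val)
            return f"{col} = ?"
        esc = val.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        params.append({"startswith": f"{esc}%", "endswith": f"%{esc}", "contains": f"%{esc}%"}[op])
        return f"{col} LIKE ? ESCAPE '\\'"
    if kind == "not":
        return f"NOT ({to_sql(node[1], params)})"
    return f"({to_sql(node[1], params)} {kind.upper()} {to_sql(node[2], params)})"


def compile_filter(raw_query_value):
    """raw_query_value is the $filter parameter as received, still URL-encoded."""
    tree = Parser(tokenize(unquote(raw_query_value))).parse()
    params = []
    return to_ldap(tree), to_sql(tree, params), params


def run_demo(raw_filter):
    """Runs the SQL back-end against a constructed table; returns (ldap_filter, matching usernames)."""
    ldap_filter, where, params = compile_filter(raw_filter)
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE users ("username" TEXT, "firstName" TEXT, "age" INTEGER)')
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("mark", "Mark", 42), ("marie", "Marie", 17), ("bob", "Bob", 30)])
    rows = con.execute(f"SELECT username FROM users WHERE {where} ORDER BY username", params)
    return ldap_filter, [r[0] for r in rows]
```

`run_demo("firstName%20startswith%20Mar%20and%20age%20gt%2018")` (the post's first example, URL-encoded as the proposal requires) yields the LDAP filter `(&(firstName=Mar*)(!(age<=18)))` and the single match `mark`; `compile_filter('username equals "a*)(cn=*"')` shows the hostile value reduced to `(username=a\2a\29\28cn=\2a)` on the LDAP side and a plain bind parameter on the SQL side.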
Merge of Node.js modules
by Bruno Oliveira
Aloha,
We're considering merging keycloak-nodejs-connect and keycloak-nodejs-auth-utils into a single codebase for the next release. What does that mean? That the whole codebase will live under the keycloak-nodejs-connect repository and module.
The reason behind this is that there are few good reasons to keep both separated today. This is going to make our release process better, as well as the maintenance of the codebase.
I would like to gather some feedback before moving forward. So comments on this thread are more than welcome!
--
abstractj
6 years, 1 month