acr and acr_values
by Martin Hardselius
We're in the process of adding support for different levels of assurance in
our custom installation, which means that proper support for acr and
acr_values is becoming more of a priority. What's the status on this? Can
we assist with a PR?
https://issues.jboss.org/browse/KEYCLOAK-3314
This might fit better into keycloak-user, but if you already have plans for
acr-stuff, or planned refactorings that would affect how this is
implemented, I'd be happy for some advice on how to proceed with a
temporary solution.
Regards,
Martin
7 years, 10 months
Adding IdentityProviderMappers
by frelibert@yahoo.com
Hi,
The identity-provider-mapper SPI is an internal one. Any chance you will make it public?
I'd like to use it to write our own mapper. I actually already have. I know it is not recommended to depend on an internal SPI, but I have written a new mapper as I needed something with less work to configure the mapping of our brokered SAML IdP to user attributes. Our IdP returns a lot of attributes and configuring each and every attribute is quite some work.
Moreover, you currently can't export this config from one realm to another in the same environment. My mapper is quite similar to the UserAttributeMapper but not limited to one attribute. It basically takes the incoming assertion and maps every SAML attribute it finds to a user attribute with the same name. It has 5 config fields:
- optional regex in order to filter out some attribute(s) you don't want to map.
- name of attribute to use as firstName property.
- name of attribute to use as lastName property.
- name of attribute to use as email property.
- option to use SAML friendlyName instead of Name to map with the user attribute name.
If you are interested, I am willing to share it with you. I like Keycloak a lot :-)
Kind regards,
Frederik Libert
7 years, 10 months
Re: [keycloak-dev] How to protect a PHP page
by Tech
Hello Abhi,
thanks for your reply. Is there any specific example that I might use?
Thanks!
On 02/15/2017 08:15 PM, abhishek raghav wrote:
> You can use any of the apache mods e.g. mod_auth_openidc or mod_mellon
> . These mods are agnostic to any programming language/platform and
> keycloak has a very good support for them.
> Hope it will help you.
>
> On Wed, Feb 15, 2017 at 3:55 PM, Tech <tech(a)psynd.net> wrote:
>
> Dear experts,
>
> We are currently working with an application called Moodle, written in
> PHP, that already supports OIDC.
>
> The PHP is running over a simple Apache HTTPD, therefore we cannot use
> any of the Out Of The Box client adapters available for Keycloak.
>
> What should we do in this case? Is there any documentation or
> guide that
> we should follow?
>
> Thanks!
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
7 years, 10 months
How to protect a PHP page
by Tech
Dear experts,
We are currently working with an application called Moodle, written in
PHP, that already supports OIDC.
The PHP is running over a simple Apache HTTPD, therefore we cannot use
any of the Out Of The Box client adapters available for Keycloak.
What should we do in this case? Is there any documentation or guide that
we should follow?
Thanks!
7 years, 10 months
Keycloak integration with mod_auth_openidc broken
by Stefan Schlesinger
Hello,
it looks like it's currently not possible to use mod_auth_openidc with Keycloak for authorization of legacy applications. The current workaround described by mod_auth_openidc is to use OpenID Connect for authentication and the Apache LDAP module for authorization, which is a rather ugly workaround IMHO.
The problem currently is twofold:
1) One can use mod_auth_openidc to verify claims, but it doesn’t come with JSON path support[1], so matching the claims in realm_access.roles isn’t possible, only arrays in a flat JSON tree are supported[2].
2) This wouldn’t cause any issues, as Keycloak comes with a User Realm Role mapper, which is able to map roles to a different key (in my example below the key is ‘roles’).
{
  "jti": "01667279-a161-47ae-a093-b08643a1b7b5",
  "exp": 1485977685,
  …
  "realm_access": {
    "roles": [
      "application_x",
      "application_y",
      "uma_authorization"
    ]
  },
  "roles": "[application_x, application_y, uma_authorization]"
}
The problem with the mapper is that the value of roles is served as a string instead of an array, and mod_auth_openidc cannot handle this properly[3].
Btw, the same thing goes for the User Client Role mapper, which looks like this:
{
  "client_role": "[login]"
}
An issue for this has already been created: https://issues.jboss.org/browse/KEYCLOAK-4205
It would be so great to get this fixed in the next release!!
Best,
Stefan.
[1] https://groups.google.com/forum/#!topic/mod_auth_openidc/QOMMYeXt5Jc
[2] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L85
[3] https://github.com/pingidentity/mod_auth_openidc/blob/master/src/authz.c#L67
7 years, 10 months
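An added illustration of the mismatch Stefan describes (Python written for this page, not code from the thread, from Keycloak or from mod_auth_openidc): a constructed claim set carries the real JSON array under realm_access.roles beside the stringified form the role mappers emit, a dotted-path lookup stands in for the JSON-path support the module lacks, the role check accepts only a genuine array, and a scan flags string-shaped arrays so the misconfiguration is caught before an authorizer silently denies everyone.

```python
import json
import re

# Constructed claim set (not a real Keycloak token) reproducing the two shapes
# from the post: a proper JSON array nested under realm_access.roles, and the
# flat "roles" / "client_role" keys whose values are strings that only look
# like arrays.
SAMPLE_CLAIMS = json.loads("""
{
  "jti": "constructed-example",
  "realm_access": {"roles": ["application_x", "application_y", "uma_authorization"]},
  "roles": "[application_x, application_y, uma_authorization]",
  "client_role": "[login]"
}
""")

STRINGIFIED_ARRAY = re.compile(r"^\[.*\]$")


def claim_at(claims, path):
    """Resolve a dotted path such as 'realm_access.roles'; None if any hop is missing."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def roles_from_claim(value):
    """Return the roles only when the claim is a real JSON array of strings.
    The "[a, b]" string form is rejected rather than re-parsed: an authorizer
    should not reconstruct structure the token did not actually carry."""
    if isinstance(value, list) and all(isinstance(r, str) for r in value):
        return value
    return None


def is_authorized(claims, path, required_role):
    """Fail closed: no array at the path, or role absent, means not authorized."""
    roles = roles_from_claim(claim_at(claims, path))
    return roles is not None and required_role in roles


def find_stringified_arrays(claims, prefix=""):
    """List claim paths whose value is a string shaped like '[a, b]'; these are
    mapper outputs that a JSON-aware authorizer will never treat as arrays."""
    found = []
    for key, value in claims.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            found.extend(find_stringified_arrays(value, path + "."))
        elif isinstance(value, str) and STRINGIFIED_ARRAY.match(value):
            found.append(path)
    return found
```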
auth token caching in cluster mode
by Michael Olshansky
I have set up a keycloak cluster using the domain config and have nodes
running in master/slave.
I noticed that the refresh tokens are cached across nodes, though the auth
tokens are not.
Are auth tokens supposed to be cached across nodes?
7 years, 10 months
refactor angular2-product-app
by Tair Sabirgaliev
Hi!
We integrated Keycloak into our angular2 application and used
angular2-product-app as a starting point. We had some issues
with it, so we dug into the implementation and found that it
can be simplified.
We refactored the code and would like to suggest a patch, are
you interested?
7 years, 10 months