Force Token Authentication Method
by Tech
Dear experts,
We are integrating an application, Moodle, that apparently has an
openIdConnect plugin that is already working with Azure (we tested already).
Changing the IDP from Azure to Keycloak, we get the following error:
"Error in OpenID Connect: Code not valid"
line 54 of /auth/oidc/classes/utils.php: moodle_exception thrown
line 252 of /auth/oidc/classes/oidcclient.php: call to
auth_oidc\utils::process_json_response()
line 197 of /auth/oidc/classes/loginflow/authcode.php: call to
auth_oidc\oidcclient->tokenrequest()
line 85 of /auth/oidc/classes/loginflow/authcode.php: call to
auth_oidc\loginflow\authcode->handleauthresponse()
line 105 of /auth/oidc/auth.php: call to
auth_oidc\loginflow\authcode->handleredirect()
line 29 of /auth/oidc/index.php: call to auth_plugin_oidc->handleredirect()
Where the Code has the following format:
"hZvVPC6iqBAZk9sXNbGGFa4hyHSdfLvsQ8adtGXS1dI8789b5e7-2d4f-4336-9896-981621969138"
We opened the .well-known and we have:
"token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"]
Checking online
https://github.com/Microsoft/o365-moodle/issues/200
We found the identical stack trace, and the other person resolved
the issue by changing the Token Authentication Method to
client_secret_post; but from the .well-known, we saw that it's already
among the accepted auth methods for our Keycloak.
Have you any advice?
Thanks
7 years, 1 month
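The post above turns on which client authentication method the token request uses. As an added illustration (not code from the post or from the Moodle plugin), the snippet below parses the discovery document, checks whether the configured method is advertised in token_endpoint_auth_methods_supported, and builds the authorization-code token request for client_secret_basic versus client_secret_post; the discovery excerpt, client id, secret and redirect URI are constructed values.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed discovery excerpt modelled on the .well-known output quoted in the post.
DISCOVERY_JSON = json.dumps({
    "token_endpoint": "https://idp.example/realms/demo/protocol/openid-connect/token",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt", "client_secret_basic", "client_secret_post"],
})


def is_supported(discovery_json, method):
    """True if the IdP advertises `method` for the token endpoint.

    A mismatch between the client's configured method and what the IdP accepts
    is the first thing to rule out when the token exchange fails.
    """
    supported = json.loads(discovery_json).get(
        "token_endpoint_auth_methods_supported", [])
    return method in supported


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, form_body) for the authorization-code grant.

    client_secret_basic: credentials go in an HTTP Basic header, with id and
    secret form-urlencoded before base64 (RFC 6749 section 2.3.1).
    client_secret_post:  credentials go in the form body as client_id/client_secret.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client auth method: {method}")
    return headers, urlencode(body)
```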
Login theme templates: getting the two-letter code for the page’s current language
by Paul Waite
I’m a front-end web developer working on a Keycloak login theme for the UK Home Office.
The root template.ftl file in the base theme does not include a lang attribute on its <html> tag:
<html xmlns="http://www.w3.org/1999/xhtml" class="${properties.kcHtmlClass!}">
I’m trying to add one, as it’s required by the W3C’s Web Content Accessibility Guidelines (WCAG):
- https://www.w3.org/TR/WCAG20/#meaning-doc-lang-id
- https://www.w3.org/TR/WCAG20-TECHS/H57.html
and useful for screen readers:
- https://www.paciellogroup.com/blog/2016/06/using-the-html-lang-attribute/
The value of the attribute should be the ISO 639 code for the main language (e.g. English, Italian) that the page is written in.
I tried getting this from the .locale template variable, but at least on the standalone server (2.5.4), this was always set to en_GB, even when internationalization was enabled and the default language was set to a different language (I tried with Italian).
I can’t see anywhere else to access the language code for the page’s current language.
My current workaround is to loop through locale.supported (if locale is defined), and if a supported locale’s label matches locale.current, grab the first two characters of the kc_locale query string parameter in the supported locale’s URL:
<#-- Default, then the template's own .locale if present -->
<#assign LANG_CODE = "en">
<#if .locale??>
  <#assign LANG_CODE = .locale>
</#if>
<#-- Prefer the kc_locale parameter of the supported locale whose label matches the current one -->
<#if locale??>
  <#list locale.supported>
    <#items as supportedLocale>
      <#if supportedLocale.label == locale.current>
        <#if supportedLocale.url?contains("?kc_locale=")>
          <#assign LANG_CODE = supportedLocale.url?keep_after("?kc_locale=")[0..1]>
        </#if>
        <#if supportedLocale.url?contains("&kc_locale=")>
          <#assign LANG_CODE = supportedLocale.url?keep_after("&kc_locale=")[0..1]>
        </#if>
      </#if>
    </#items>
  </#list>
</#if>
<html xmlns="http://www.w3.org/1999/xhtml" class="${properties.kcHtmlClass!}" lang="${LANG_CODE}">
Obviously this depends on no two locales sharing the same label, and on the first two characters of kc_locale being sufficient.
It would be really useful if language code for the page’s current language were available in a template variable, and if this were used to populate the lang attribute on the HTML tag in the root login template.
Paul Waite
Associate
Transform
60 Great Portland Street
London W1W 7RT
Mobile: +447764 752508
Email: paul.waite@transformuk.com
Web: www.transformUK.com
Follow us on Twitter @TransformUK
7 years, 1 month
fine-grain admin permissions with Authz
by Bill Burke
I'm looking into how we could implement fine-grain admin permissions
with Pedro's Authz service, i.e. fix our long-standing bug that
manage-users allows people to grant themselves admin roles. I want to
do an exercise of how certain things can be modeled, specifically user role
mappings.
Some things we want to be able to do
* admin can only assign specific roles to users
* admin can only assign specific roles to users of a specific group
The entire realm would be an Authz resource server. There's already a
client (resource server) for the realm "realm-management".
- A Scope of "user-role-mapping" would be defined.
These resources would be defined and would have the "user-role-mapping"
scope attached to them.
* "Users" resource. This resource represents all users in the system
* A resource is created per role
* A resource is created per group
Now, when managing roles for a user, we need to ask two questions:
1. Can the admin manage role mappings for this user?
2. Can the admin manage role mappings for this role?
For the first question, let's map the current behavior of Keycloak onto
the Authz service.
* A scope-based permission would be created for the "Users" resource
with a scope of "user-role-mapping" and a role policy of role
"manage-users".
When role mapping happens, the operation would make an entitlement
request for "Users" with a scope of "user-role-mapping". This would
pass by default because of the default permission defined above. Now
what about the case where we only want an admin to be able to manage
roles for a specific group? In this case we define a resource for the
Group Foo. The Group Foo would be attached to the "user-role-mapping"
scope. Then the realm admin would define a scope-based permission for
the Group Foo resource and "user-role-mapping". For example, there
might be a "foo-admin" role. The scope permission could grant the
permission if the admin has the "foo-admin" role.
So, if the "Users"->"user-role-mapping" evaluation fails, the role
mapping operation would then cycle through each Group of the user being
managed and see if "Group Foo"->"user-role-mapping" evaluates correctly.
That's only half of a solution to our problem. We also want to control
what roles an admin is allowed to manage. In this case we would have a
resource defined for each role in the system. A scope-based permission
would be created for the role's resource and the "user-role-mapping"
scope. For example, let's say we wanted to say that only admins with
the "admin-role-mapper" role can assign admin roles like "manage-users"
or "manage-realm". For the "manage-realm" role resource, we would
define a scope-based permission for "user-role-mapping" with a role
policy of "admin-role-mapper".
So, let's put this all together. The role mapping operation would do
these steps:
1. Can the admin manage role mappings for this user?
1.1 Evaluate that the admin can access the "user-role-mapping" scope for the "Users"
resource. If success, goto 2.
1.2 For each group of the user being managed, evaluate that the admin
can access the "user-role-mapping" scope for that Group. If success, goto 2.
1.3 Fail the role mapping operation
2. Is the admin allowed to assign the specific role?
2.1 Evaluate that the admin can access the "user-role-mapping" scope for
the role's resource.
7 years, 1 month
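The two-question evaluation in Bill's post above, modelled as an added example (not Keycloak's or the Authz service's own code): resources carry the "user-role-mapping" scope, each scope-based permission is reduced to a role policy, and the role-mapping operation walks steps 1.1 to 2.1 in order. One assumption is labelled in the code: a role whose resource has no dedicated permission is assignable by anyone who passed step 1, which the post does not spell out; role and group names other than those in the post are constructed.

```python
from dataclasses import dataclass, field

SCOPE = "user-role-mapping"


@dataclass
class RealmAuthz:
    """Toy stand-in for the realm's Authz resource server.

    permissions maps (resource, scope) to the roles of a role policy;
    holding any one of them satisfies the scope-based permission.
    """
    permissions: dict = field(default_factory=dict)

    def grant(self, resource, scope, *roles):
        self.permissions.setdefault((resource, scope), set()).update(roles)

    def has_permission(self, resource, scope):
        return (resource, scope) in self.permissions

    def evaluate(self, admin_roles, resource, scope):
        """Entitlement request for `scope` on `resource`."""
        return bool(self.permissions.get((resource, scope), set()) & set(admin_roles))


def can_map_role(authz, admin_roles, user_groups, role):
    """Steps 1 and 2 from the post, for assigning `role` to a user in `user_groups`."""
    # 1.1 "Users" -> user-role-mapping; 1.2 otherwise try each group of the target user.
    user_ok = authz.evaluate(admin_roles, "Users", SCOPE) or any(
        authz.evaluate(admin_roles, f"Group {g}", SCOPE) for g in user_groups)
    if not user_ok:
        return False  # 1.3 fail the role mapping operation
    # 2.1 the role's own resource.
    role_resource = f"Role {role}"
    if not authz.has_permission(role_resource, SCOPE):
        return True  # assumption: unrestricted roles need only step 1
    return authz.evaluate(admin_roles, role_resource, SCOPE)


def realm_from_post():
    """The permissions the post describes, plus constructed role/group names."""
    authz = RealmAuthz()
    authz.grant("Users", SCOPE, "manage-users")
    authz.grant("Group Foo", SCOPE, "foo-admin")
    for admin_role in ("manage-users", "manage-realm"):
        authz.grant(f"Role {admin_role}", SCOPE, "admin-role-mapper")
    return authz
```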
Zero-knowledge proof of password?
by Peter K. Boucher
Suppose you don't want your passwords transmitted in the clear after SSL is
terminated by a proxy.
Has anyone developed a secure way for the client to prove they have the
password, rather than transmitting it in the body of a post?
7 years, 2 months
Feedback about our BOMs
by Sebastien Blanc
Hi,
One of the requirements to get added on the start.spring.io website is to
have BOMs, and that is what we did. But now they are reviewing our request
and I got this as a remark:
"
The version.keycloak version in your bom doesn't look right to me. If you
import a bom of version A.B.C it makes no sense to ask for D.E.F. (a
dependency may have been added/removed in that version). I'd rather
hard-code the version in each dependency (that will be updated by the
release process the same way as the property anyway). Also, that bom is a
child of your main pom which is usually a bad idea. I can see that you have
a repositories definition there that is going to pollute the Maven build.
Worse, you inherit from the dependency management of the whole
infrastructure (including Jackson, log4j and a bunch of 3rd party
libraries). We can't accept a bom that does that as it conflicts with
Spring Boot's dependency management.
"
Does that all make sense to you? TBH I'm not a BOM expert, but it looks like
it makes sense (at least for not using the keycloak parent pom).
7 years, 2 months
Use default methods in Provider and ProviderFactory
by Stian Thorgersen
The life-cycle methods on providers and provider factories (init, postInit,
close) are frequently not used, but providers have to add empty methods. To
reduce the amount of boilerplate in a provider I propose changing the
following to have empty default methods:
ProviderFactory:
* init
* postInit
* close
Provider:
* close
7 years, 2 months