I am new to Keycloak and have been through the manual; I have also seen the
code quickstarts. What I am missing is the same for the server setup.
I am aiming for a simple setup initially:
- running locally in stand alone mode (already done)
- one realm, two user roles
- users can register as one of the two roles
- client application uses the initialization code flow
- client is using spring boot (if that makes a difference)
Are there any walkthroughs for server config?
I'm thinking of adding additional admin roles: "admin-console-users",
"admin-console-groups", "admin-console-clients" and a composite of all
three: "admin-console-access". These roles exist solely for the admin
console and determine whether or not the "Users", "Clients", or "Groups"
menu items show up. It is unfeasible to calculate this considering that
a restricted admin may have access to only one client in the admin
console or a specific set of users in a specific group.
Alternatively, I could just display the "Users", "Clients" and "Groups"
menu items no matter what role mappings or permissions the restricted
admin has. Then when they click on that menu item, query results are
filtered based on individual permissions. I like the latter better
because it's a better user experience. For example, if a restricted
admin can only manage one client and nothing else, the admin console
could bring the admin directly to that client's management page.
The very thought of $subject seems like heresy. Why check in something
that is normally pulled using npm?
We have Angular 2 examples in Keycloak now. In the not-too-distant
future, our Account Management console will be written in Angular 2. So
node_modules has to be there somehow.
There are basically two options:
1) Merge node_modules into the Keycloak repo.
2) Don't merge and then run npm install at build time.
Productization standards push toward option #1. We need to have
consistent, repeatable builds.
But I'm looking for reasons that #1 might be bad. I can't come up with
a rational reason to do #2 except that it saves disk space.
A critical vulnerability was discovered in the Keycloak Node.js adapter. We
highly recommend everyone upgrade to version 3.1.0 of the adapter
immediately. This adapter will work with Keycloak 2 and upwards.
For more details see CVE-2017-7474
We are using Keycloak for some of our products. One of our clients scans every library and tool used, and they came across the issue of cross-site scripting in the Angular version (1.4.4) used in Keycloak. Can this cause issues when using Keycloak? Why (not)?
I'd like to propose the feature of delegating authentication to an external authentication server on behalf of keycloak's browser-based authentication mechanism.
It might be said to be a variant of Identity Brokering, except that it does not use standard Identity Federation protocols such as OpenID Connect and SAMLv2.
Its concept is similar to SP-Initiated SSO: POST/Artifact Bindings of SAMLv2.
- The authentication server already exists.
- This authentication server has not implemented the OpenID Connect protocol.
- You want to use keycloak for realizing secure identity and access management by OpenID Connect.
In the situation above, you could opt to port the authentication feature of the existing authentication server onto keycloak and use a User Storage SPI provider for retrieving user information from the existing authentication server, or implement the OpenID Connect protocol to address Identity Brokering triggered by keycloak.
However, the following make it hard or impossible.
- UI implementation cost: responsive design, and a vast amount of customization based on various factors.
- Authentication porting cost: requirements for high-level authentication that have already been implemented in the existing authentication server, such as multi-factor authentication for LoA 3 conformance in ITU-T X.1254.
This authentication delegation mechanism resolves these difficulties by using the existing authentication server for authentication and retrieving authenticated user information by back-end communication between keycloak and the existing authentication server.
Prototype implementation and PoV testing have been completed.
It is implemented as additional providers and their factories for the Authentication SPI and User Storage SPI, in order to avoid impairing existing keycloak features.
Would you mind reviewing this concept and prototype implementation? If accepted, I'm willing to revise the code for a PR.
Details are as follows.
Sample code is the following.
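As an added illustration of the delegation flow described above (example code written for this page, not the proposer's prototype), here is how the browser step could be wired into the Keycloak Authentication SPI: redirect to the existing server, then resolve what comes back over a back channel instead of trusting it directly. It assumes the Keycloak 3.x `Authenticator` and `AuthenticationFlowContext` API; `ExternalAuthClient` (with `loginEndpoint()` and `resolveArtifact()`), the `artifact`, `state` and `return_url` parameter names, and the factory registration left out here are all assumptions.

```java
import java.net.URI;
import java.util.UUID;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Delegates the browser login step to an existing authentication server (example, not the prototype).
public class DelegatingAuthenticator implements Authenticator {
    private static final String STATE_NOTE = "delegation-state";
    private final ExternalAuthClient external; // hypothetical back-channel client, an assumption

    public DelegatingAuthenticator(ExternalAuthClient external) { this.external = external; }

    @Override public void authenticate(AuthenticationFlowContext context) {
        // Bind the redirect to this authentication session: only a response carrying this state
        // may complete the login that started it.
        String state = UUID.randomUUID().toString();
        context.getAuthenticationSession().setAuthNote(STATE_NOTE, state);
        URI returnUrl = context.getActionUrl(context.generateAccessCode());
        URI target = UriBuilder.fromUri(external.loginEndpoint())
                .queryParam("return_url", returnUrl.toString()).queryParam("state", state).build();
        context.challenge(Response.seeOther(target).build());
    }

    @Override public void action(AuthenticationFlowContext context) {
        String expected = context.getAuthenticationSession().getAuthNote(STATE_NOTE);
        context.getAuthenticationSession().removeAuthNote(STATE_NOTE); // single use, whatever the outcome
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String artifact = form.getFirst("artifact");
        if (expected == null || artifact == null || !expected.equals(form.getFirst("state"))) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        // Never trust the front-channel value alone: the existing server states over the back
        // channel which user this artifact was issued to, and the user must exist in the realm.
        String username = external.resolveArtifact(artifact);
        UserModel user = username == null ? null
                : context.getSession().users().getUserByUsername(username, context.getRealm());
        if (user == null) { context.failure(AuthenticationFlowError.UNKNOWN_USER); return; }
        context.setUser(user);
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The realm lookup is where a User Storage SPI provider for the existing server would plug in, so that a user authenticated externally but unknown to keycloak is still rejected rather than silently created.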
I was just at the RedHat Summit this week and during the Keycloak session, it was mentioned that there wasn’t a GoLang adapter yet. I’d be interested in tackling this if there is a need. What is the process to get this started? We actually have an application written in GoLang that will need to be secured once we go live with Keycloak company wide (scheduled go-live within the next several months).